E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

Presentation transcript:
1 E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006

2 Yesterday's topics
E-business and its advantages
- For customers
- For businesses
- For business partners and suppliers
Security goals
- Protect confidentiality
- Maintain integrity
- Assure availability
Security problems
- Accidental data loss
- Malware: viruses, worms, Trojan horses
How to deal with malware

3 Today
- Intruders
- How to deal with intruders
- Overall security measures
- Secure payment
- Conclusions

4 Intruders

5 What can go wrong?
Security issues: intruders
- Casual prying (reading other people's e-mail, documents, etc.)
- Snooping by insiders
- Determined attempts to make money
- Commercial or military espionage
- Simply for fun, or to prove it can be done
How to deal with intruders
- Identify every user
- Advise users to log off when they leave their desk
- Limit the privileges of users
- Keep log files to monitor users' activity
- Encryption
- Etc.

6 Insiders
What could some of the employees do?
- Read other people's emails
- Attempt to read documents and access information that is NOT intended for their eyes
- Commercial espionage
- Install unauthorised software
How to prevent all of the above?
- Each employee should log in to the system using a unique username / password
- Advise all employees not to disclose their password to anyone
- Advise all employees to log off when they leave their desk
- Advise all employees to change their password regularly
- Limit the privileges of employees, allowing them to perform only authorised tasks and obtain only authorised information
- Put in place a system that tracks employees' actions and the network resources they access
- Encrypt or password-protect all confidential documents / data
- Any other measures?

7 Outsiders
What could they do?
- As a hobby, prove that "it can be done"
- Commercial and military espionage
- Access bank accounts
- Access and use other people's credit card details
- Shut down systems, etc.
How to prevent outsiders gaining access to resources
- Identify every user of the system
- Put in place a system that tracks users' actions and the network resources they access
- Encrypt confidential documents / data
- Put firewalls in place to protect the network
- Keep all software and operating systems up to date to prevent hackers from exploiting security holes

8 Overall key security measures

9 Have a security policy in place and ENFORCE it
- Have clear guidelines as to how security should be implemented
- Management has to make sure that all IT technicians apply all the security measures
- Management has to make sure that all employees are aware of the security measures and apply them
Technology used to implement security guidelines
- Sophisticated tools used to analyse, interpret, configure and monitor the state of the network security

10 Identify each user
Clearly identify all network users
Technologies used to assure identity
- Usernames and passwords. Advise employees to:
  - use alphanumeric passwords
  - keep them private
  - change them regularly
- Biometrics. Install access control programs and physical security devices on all systems. Access control programs run extra checks on users before allowing access. Physical security devices include biometric scanning devices fitted to a computer which check a user's face, retina, fingerprint, hand, voice, typing rhythm, signature and so on against a set of stored data for all legitimate users.
Make sure to delete the accounts of employees no longer working for the company

11 Monitor the network
Security monitor
- Test and monitor the state of the network security
Technology used to monitor the network
- Network log files that record who logged in, for how long, from which computer, what resources they accessed, etc.
- Network vulnerability scanners
- Antivirus software
- Disaster recovery backup technology
Check security logs and audit trails regularly
Conduct a thorough risk analysis of the network regularly
Have a disaster recovery plan

12 Monitor and restrict access from outside into the network
Monitor remote access into the network by:
- Allowing only a limited number of attempts to log in
- Blocking the account if all attempts to log in are unsuccessful
- Using log files to monitor the resources accessed by remote users
Put firewalls in place before allowing Internet access
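The log-review and lockout rules on slides 11 and 12, worked through as an added example (not material from the presentation): the log format, the sample lines and the attempt limit are all constructed for illustration. Failed logins are counted per account, a successful login resets the count, and once the limit is reached the account is locked and later attempts are rejected.

```python
import re
from collections import defaultdict

MAX_ATTEMPTS = 3  # constructed policy value: lock after this many consecutive failures

# Constructed sample log lines in a hypothetical format (not from the presentation)
SAMPLE_LOG = """\
2006-04-22 09:01:12 LOGIN FAIL user=alice src=10.0.0.5
2006-04-22 09:01:30 LOGIN OK user=alice src=10.0.0.5
2006-04-22 09:02:01 LOGIN FAIL user=bob src=192.0.2.44
2006-04-22 09:02:09 LOGIN FAIL user=bob src=192.0.2.44
2006-04-22 09:02:15 LOGIN FAIL user=bob src=192.0.2.44
2006-04-22 09:02:20 LOGIN OK user=bob src=192.0.2.44
2006-04-22 09:05:00 LOGIN OK user=carol src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+ \S+) LOGIN (OK|FAIL) user=(\S+) src=(\S+)$")


def process_log(text, max_attempts=MAX_ATTEMPTS):
    """Replay login events; return locked accounts and an audit trail of decisions."""
    failures = defaultdict(int)   # consecutive failed attempts per account
    locked = {}                   # account -> (timestamp, source) of the lockout
    events = []                   # (timestamp, user, src, decision) audit trail
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not login records
        ts, result, user, src = m.groups()
        if user in locked:
            # Even a correct password is refused once the account is locked
            events.append((ts, user, src, "rejected: account locked"))
            continue
        if result == "OK":
            failures[user] = 0
            events.append((ts, user, src, "login"))
        else:
            failures[user] += 1
            events.append((ts, user, src, "failed attempt %d" % failures[user]))
            if failures[user] >= max_attempts:
                locked[user] = (ts, src)
                events.append((ts, user, src, "locked"))
    return locked, events


if __name__ == "__main__":
    locked_accounts, trail = process_log(SAMPLE_LOG)
    for entry in trail:
        print(*entry)
    print("locked:", locked_accounts)
```

The audit trail is what an administrator would review on slide 11; the lockout dictionary is the input to the unlock procedure the organisation's policy defines.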

13 Maintain data privacy
Data privacy
- Information must be protected from eavesdropping
- Data must be communicated in confidentiality
Technologies used to assure data privacy
- Password-protect confidential documents
- Encryption
- Use secure protocols: ssh (secure shell); https (http scheme) = http with encryption

14 Encryption
Computer encryption is based on the science of cryptography
Encryption systems
- Symmetric key encryption: a computer uses a key to encrypt a message before sending it over the network. The destination computer uses the same key to decode it. The same key has to be installed on both computers.
- Public key encryption: a computer uses a combination of a private key and a public key to encrypt a message. The private key is known only to the computer, while the public key is given to any computer that wants to communicate securely with it. The destination computer decodes the message using the public key provided by the sending computer and its own private key.

15 Where is encryption used?
Digital signatures
- A way to ensure that an electronic document (a Word document, Excel spreadsheet, etc.) is authentic
- Standard used: the Digital Signature Standard, which is based on public-key encryption
- If anything is changed in the document after the signature is attached to it, the value the digital signature compares with changes, and therefore it will be obvious that changes have been made
Electronic payment
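The tamper-detection property described on slide 15, as an added example that is not from the presentation: the document is hashed, the hash is signed with a private key, and verification recomputes the hash and compares it with the value recovered using the public key. It uses textbook RSA with constructed toy primes, which are far too small to be secure and serve only to make the mechanism visible; real signatures use the page's Digital Signature Standard or RSA keys of 2048 bits or more.

```python
import hashlib

# Toy RSA key pair, constructed for illustration only (insecure size).
P, Q = 104729, 1299709           # two primes; n is about 1.4e11
N = P * Q
E = 65537                        # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def document_value(document: bytes, n: int) -> int:
    """The value the signature is computed over: SHA-256 of the document, reduced mod n."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document: bytes, private_key=PRIVATE_KEY) -> int:
    """Attach a signature: only the holder of the private key can produce it."""
    n, d = private_key
    return pow(document_value(document, n), d, n)


def verify(document: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Recover the signed value with the public key and compare with the document's value."""
    n, e = public_key
    return pow(signature, e, n) == document_value(document, n)


if __name__ == "__main__":
    original = b"Invoice 1042: pay EUR 250.00 to account IE00-EXAMPLE"  # constructed sample
    sig = sign(original)
    print("original verifies:", verify(original, sig))
    # Any change to the document after signing alters the hashed value, so the
    # comparison fails and the modification is detected.
    tampered = original.replace(b"250.00", b"2500.00")
    print("tampered verifies:", verify(tampered, sig))
```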

16 E-business and electronic payment go hand in hand
What are the benefits of electronic payment? One could pay:
- On the spot by providing credit card information
- On the spot using an e-check (account number and bank number)
- By direct debit using a credit card or bank account
- Via specialised companies like PayPal
Concerns about electronic payment
- Identity theft
- To prevent fraud, confidential information has to be transmitted and stored encrypted

17 Secure methods of payment
SSL
- Stands for Secure Sockets Layer
- Uses public-key encryption
- SSL is an Internet security protocol used by browsers and web servers to transmit sensitive information
- SSL is part of an overall security protocol known as Transport Layer Security

18 How can a customer know his/her payment information is securely transmitted?
- Look for the "s" after "http" in the web address before making the payment. In other words, the web address should read: https://
- Look for the padlock symbol in the status bar, at the bottom of the browser window

19 Conclusions
Security is a high-priority issue
As a manager, what can you do?
- Have a security policy in place and enforce it
- Assure user authentication
- Look at secure payment methods
- Keep customers happy by providing secure transactions

20 Recommended reading material
- Otuteye, E., A systematic approach to E-business security, available online at: http://ausweb.scu.edu.au/aw03/papers/otuteye/paper.html
- Robinson, R., Managing Secure eBusiness, available online at: http://www.novell.com/news/press/net_security_whitepaper.pdf
- Otuteye, E., Framework for E-Business Information Security Management, available online at: http://e-commerce.mit.edu/papers/ERF/ERF136.pdf
