1 Information Systems Security: Information Security for Web-based Applications

2 The full picture

3 Securing web sites
- Reduce the attack surface of the web server
- Prevent unauthorized access to web sites and applications
- Isolate web sites and applications
- Configure user authentication
- Encrypt confidential data exchanged with clients
- Maintain web site and application security

4 Securing web sites: reduce the attack surface of the web server
- Enable only essential OS components and services
- Enable only the web server components and services that are actually needed
- Enable only the MIME types the site actually serves
- Configure OS security settings

5 Securing web sites: prevent unauthorized access to web sites and applications
- Store content on a dedicated disk volume
- Set web site permissions
- Set IP address and domain name restrictions
- Set NTFS file system permissions

6 Securing web sites: isolate web sites and applications
- Goal: prevent one web site or application from adversely affecting another
- Create application pools, assign web sites and applications to them, and give each pool its own service account with only the permissions it needs
- A complicated procedure, but without it a compromise of one application is a compromise of every application sharing the same worker process

7 Securing web sites: configure user authentication
Select the appropriate authentication method:
- Digest
- Advanced digest
- Integrated Windows
- Client certificates
- MS .NET Passport (since discontinued)

8 Securing web sites: encrypt confidential data exchanged with clients
- Use Secure Sockets Layer (SSL)
- Install a server certificate
- Use https instead of http
- Use IPSec or a VPN for remote administration

9 Securing web sites: maintain web site and application security
- Obtain up-to-date security updates
- Enable server security logs
- Enable web server application logs
- Review security policies, processes and procedures

10 Reading
Microsoft: Improving Web Application Security: Threats and Countermeasures
- Chapter 1 "Web Application Security Fundamentals"
- Chapter 4 "Design Guidelines for Secure Web Applications" is good but a bit too advanced for most students


12 Problem in e-Commerce
The transaction is done online. The customer and the company cannot see each other. How can they trust each other?
- Who are you? Can I trust you?
- What if I do not receive my goods?
- What if I do not receive the payment?

13 Certificate Authority
Now the CA comes in. It gives a digital identity to every party concerned: it verifies that the company is a legitimate business to deal with, and likewise that the customer is who they claim to be. This is done not by the government but by commercial organizations. PKI is the technology used to provide the digital identity.

14 What is PKI
The set of hardware, software, people and procedures needed to create, store, distribute and revoke keys and certificates based on public key cryptography.

15 PKI infrastructure and software development
PKI uses public key cryptography for authentication and access control of a user, for guaranteeing the integrity and non-repudiation of documents signed by the user, and for confidentiality of data.

16 PKI infrastructure and software development
- Certificate Authority (CA)
- Registration Authority (RA)
- Certificate: name, issuing CA, expiration date, public key
- Certificate Revocation List (CRL)

17 X.509 Certificate structure
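The slide above shows the certificate structure as a picture. The Go program below is an added example, not part of the original slides: it plays the CA from slide 16, issues an X.509 server certificate with the fields listed there (subject name, issuing CA, expiration date, public key), verifies it the way a browser would (chain to a trusted root, validity period, host name), and then publishes a CRL that revokes it. The organisation and host names are hypothetical, and the Registration Authority step is skipped. It uses only the Go standard library (Go 1.19 or later for the CRL parsing calls).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names for the example; neither is a real organisation or host.
const (
	caName   = "Example Root CA"
	siteName = "shop.example.test"
)

// must panics on set-up failures (key generation, encoding) to keep the PKI logic readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildPKI plays the CA: it makes a self-signed CA certificate and issues a one-year
// server certificate for the web site, signed with the CA's private key.
func buildPKI() (caCert *x509.Certificate, caKey *rsa.PrivateKey, leaf *x509.Certificate) {
	caKey = must(rsa.GenerateKey(rand.Reader, 2048))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// The web site generates its own key pair; only the public half goes to the CA
	// (via the Registration Authority, skipped here) to be certified.
	siteKey := must(rsa.GenerateKey(rand.Reader, 2048))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: siteName},
		DNSNames:     []string{siteName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &siteKey.PublicKey, caKey))))
	return caCert, caKey, leaf
}

// verifyLeaf is what a browser does with a server certificate: chain it to a trusted
// root, check the validity period at time at, and check the host name it was issued for.
func verifyLeaf(leaf, caCert *x509.Certificate, at time.Time, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, DNSName: host})
	return err
}

// revoke issues a CRL naming one serial number, signed by the CA; the parsed list's
// signature is checked so that a forged CRL would be rejected.
func revoke(caCert *x509.Certificate, caKey *rsa.PrivateKey, serial *big.Int) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}},
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey))))
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		panic(err)
	}
	return crl
}

// isRevoked is the relying party's lookup of a serial number in the CRL.
func isRevoked(crl *x509.RevocationList, serial *big.Int) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

func main() {
	ca, caKey, leaf := buildPKI()
	fmt.Printf("subject=%s issuer=%s serial=%s expires=%s\n", leaf.Subject.CommonName,
		leaf.Issuer.CommonName, leaf.SerialNumber, leaf.NotAfter.Format(time.RFC3339))
	fmt.Println("valid now:", verifyLeaf(leaf, ca, time.Now(), siteName))
	fmt.Println("valid in two years:", verifyLeaf(leaf, ca, time.Now().AddDate(2, 0, 0), siteName))
	fmt.Println("revoked:", isRevoked(revoke(ca, caKey, leaf.SerialNumber), leaf.SerialNumber))
}
```

The three checks in verifyLeaf are the ones that matter in practice: a certificate from an untrusted issuer, an expired certificate, or one issued for a different host name all fail verification even though the signature on each is perfectly valid. The CRL lookup is a separate step that Go's Verify does not perform for you.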

18 PKI
PKI employs a pair of keys for each user: a private key, known only to the user, and a public key, which is published by some authority in the form of a digital certificate (certificate for short).

19 PKI
In signing a document or an e-mail, a user signs with their own private key so that others can use the signer's public key to verify the signature. Since only the user holds the private key, non-repudiation is established. This is exactly why the private key must stay secret: once it leaks, anyone can sign, and the signer can plausibly deny any signature.

20 PKI
The use of PKI saves the trouble of maintaining and distributing the same secret encryption/decryption key between the sender and the receiver.

21 Authentication using certificates

22 Secure online payment
- Credit card payment
- Secure Sockets Layer (SSL)
- Secure Electronic Transaction (SET)
- PayPal
- E-purse

23 Credit Card
- Invented in the 1950s
- Only became profitable about 20 years later, once the number of customers reached a critical mass

24 Credit Card Payment
This is the usual payment method used in eCommerce. Four parties are involved:
- Cardholder (payer)
- Merchant (payee)
- Issuing Bank
- Acquiring Bank

25 Measures to stop fraud
- Hot card lists
- Merchant floor limits: authorization is required when a certain amount is exceeded
- Expiry date used as a (weak) password
- Goods delivered only to the cardholder's address
- Card verification value (a MAC computed by the issuer over the card data)
- Intrusion detection (anomaly detection)

26 SSL: Secure Sockets Layer
- Developed by Netscape to secure HTTP sessions (its successor TLS is what is deployed today; every SSL version is now deprecated)
- Provides: data encryption, server authentication, message integrity, optional client authentication
- NOT a payment system in itself

27 SSL: Secure Sockets Layer
- The server is authenticated by means of its digital certificate
- Public key technology is used to exchange a symmetric session key between server and client; the key is used only for that session
- After the buyer sends the card details through the secure channel, the merchant processes the transaction in the usual manner: SSL protects the data in transit, not what the merchant does with it afterwards

28 SSL (simplified handshake)
- Client to Server: name C, transaction serial number C#, nonce Nc
- Server to Client: name S, transaction serial number S#, nonce Ns, public key KS
- Client to Server: pre-master secret Ko encrypted with KS: {Ko}KS

29 SSL (simplified handshake, continued)
- Both sides compute K1 = h(Ko, Nc, Ns)
- Client to Server: finished message carrying a MAC over all messages to date: {finished, MAC(K1, everything_to_date)}Kcs
- Server to Client: {finished, MAC(K1, everything_to_date)}Ksc, followed by application data {data}Ksc
- Kcs and Ksc are the client-to-server and server-to-client session keys derived from K1. The nonces Nc and Ns make the keys fresh for every session; the Finished MACs let each side detect any tampering with the earlier, unprotected handshake messages
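The two slides above give the handshake in protocol notation. The Go program below is an added example, not from the slides and not the SSL/TLS specification: it plays both ends of that exchange with concrete primitives, using RSA-OAEP for {Ko}KS, SHA-256 as h, HMAC-SHA256 as the MAC, and AES-256-GCM for {...}Kcs and {...}Ksc. The wire layout of the messages, the serial numbers C# and S#, and the use of one key for both directions are simplifications of my own (real TLS derives separate keys per direction from the master secret). A tamper flag models a man in the middle altering the client's first message, to show what the Finished MACs are for.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// must panics on internal crypto failures so the protocol logic stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// deriveK1 is K1 = h(Ko, Nc, Ns) from slide 29, with SHA-256 as h.
func deriveK1(ko, nc, ns []byte) []byte {
	k := sha256.Sum256(bytes.Join([][]byte{ko, nc, ns}, nil))
	return k[:]
}

// finished is "finished" plus MAC(K1, everything_to_date): an HMAC over the sender's transcript.
func finished(k1, transcript []byte) []byte {
	m := hmac.New(sha256.New, k1)
	m.Write(transcript)
	return append([]byte("finished,"), m.Sum(nil)...)
}

// seal and open are {...}Kcs / {...}Ksc: AES-256-GCM under the session key.
func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, record []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// runHandshake plays both ends of slides 28 and 29 and returns the data the server
// sends afterwards. With tamper set, a man in the middle changes the serial number in
// the client's first message, so the transcripts differ and the Finished MACs disagree.
func runHandshake(serverKey *rsa.PrivateKey, tamper bool) ([]byte, error) {
	var cT, sT bytes.Buffer // each side's record of everything_to_date
	both := func(m []byte) { cT.Write(m); sT.Write(m) }
	nc := randomBytes(16) // 1. C -> S: C, C#, Nc
	m1 := append([]byte("C,C#=1,"), nc...)
	m1Seen := m1
	if tamper {
		m1Seen = bytes.Replace(m1, []byte("C#=1"), []byte("C#=2"), 1)
	}
	cT.Write(m1)
	sT.Write(m1Seen)
	ns := randomBytes(16) // 2. S -> C: S, S#, Ns, KS (KS normally arrives in the server certificate)
	ks := &serverKey.PublicKey
	both(append(append([]byte("S,S#=7,"), ns...), x509.MarshalPKCS1PublicKey(ks)...))
	ko := randomBytes(48) // 3. C -> S: {Ko}KS, a fresh pre-master secret encrypted to the server's public key
	m3 := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, ks, ko, nil))
	both(m3)
	koS := must(rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, m3, nil))
	kC, kS := deriveK1(ko, nc, ns), deriveK1(koS, nc, ns) // both sides compute K1
	m4 := seal(kC, finished(kC, cT.Bytes())) // 4. C -> S: {finished, MAC(K1, everything_to_date)}Kcs
	if got, err := open(kS, m4); err != nil || !hmac.Equal(got, finished(kS, sT.Bytes())) {
		return nil, errors.New("server: client Finished does not match my transcript")
	}
	both(m4)
	m5 := seal(kS, finished(kS, sT.Bytes())) // 5. S -> C: {finished, MAC(K1, everything_to_date)}Ksc
	if got, err := open(kC, m5); err != nil || !hmac.Equal(got, finished(kC, cT.Bytes())) {
		return nil, errors.New("client: server Finished does not match my transcript")
	}
	return open(kC, seal(kS, []byte("order accepted"))) // {data}Ksc
}

func main() {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	for _, tamper := range []bool{false, true} {
		data, err := runHandshake(key, tamper)
		fmt.Printf("tamper=%v data=%q err=%v\n", tamper, data, err)
	}
}
```

Messages 1 to 3 travel in the clear and are not yet integrity-protected; only message 4 lets the server discover that what the client sent is not what the server received. That is the whole purpose of MACing "everything to date" under a key that depends on Ko, which the attacker cannot obtain without the server's private key.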

30 Secure Electronic Transaction
- A joint effort of Visa and MasterCard, in 1997, to develop a more secure Internet payment system (the credit card number is not kept by the merchant)
- SET makes use of public key technology: each participant is assigned a public key/private key pair

31 Secure Electronic Transaction
- Legal entity formed by MasterCard, Visa, American Express and JCB in 12/97
- A protocol designed for electronic payment with credit cards
- Key idea: the merchant does not need to know the payment details, and the bank does not need to know the order details

32 SET
- Client to Server (merchant): C, Nc, CC (the client's certificate)
- Server to Client: S, S#, CS (the merchant's certificate), CB (the bank's certificate)
- Client to Server: {Order}KS, {Payment}KB, SigKC{h(Order), h(Payment)}
- The last item is the "dual signature": the merchant can open {Order}KS and the bank can open {Payment}KB, but a single signature binds the two halves together

33 SET
- Server to Bank: {Summary}KB, {Payment}KB (the merchant forwards the payment block unopened, since it cannot decrypt it)
- Bank to Server: SigKB{Auth_response}, the authorization response signed by the bank
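The dual signature on slide 32 is the part of SET worth seeing in code, and it is also the signing-for-non-repudiation idea of slide 19 in its most interesting form. The Go program below is an added example, not from the slides and not the SET specification: the cardholder encrypts the order to the merchant and the payment instruction to the bank with RSA-OAEP, signs the pair of SHA-256 digests with RSA-PSS, and each recipient verifies that one signature using the plaintext it holds plus the other half's digest. The JSON messages are constructed samples (real SET messages are ASN.1 structures), and the key sizes and hash choices are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample messages; real SET order and payment instructions are ASN.1 structures.
var (
	order   = []byte(`{"items":[{"sku":"BOOK-001","qty":2}],"total":"HKD 360"}`)
	payment = []byte(`{"pan":"4111111111111111","exp":"12/27","amount":"HKD 360"}`)
)

// setRequest is the third client-to-server message on slide 32.
type setRequest struct {
	encOrder   []byte // {Order}KS: only the merchant can open it
	encPayment []byte // {Payment}KB: only the bank can open it
	hOrder     []byte // h(Order), so the bank can check the dual signature without the order
	hPayment   []byte // h(Payment), so the merchant can check it without the card details
	sig        []byte // SigKC{h(Order), h(Payment)}: the dual signature
}

// must panics on internal crypto failures to keep the protocol logic readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// digestPair is what the cardholder actually signs: h(h(Order) || h(Payment)).
func digestPair(hOrder, hPayment []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, hOrder...), hPayment...))
	return d[:]
}

// cardholderRequest encrypts each half to its intended reader and binds the two
// halves together with one RSA-PSS signature over their digests.
func cardholderRequest(cardKey *rsa.PrivateKey, merchantPub, bankPub *rsa.PublicKey, order, payment []byte) *setRequest {
	hO, hP := sha256.Sum256(order), sha256.Sum256(payment)
	return &setRequest{
		encOrder:   must(rsa.EncryptOAEP(sha256.New(), rand.Reader, merchantPub, order, nil)),
		encPayment: must(rsa.EncryptOAEP(sha256.New(), rand.Reader, bankPub, payment, nil)),
		hOrder:     hO[:],
		hPayment:   hP[:],
		sig:        must(rsa.SignPSS(rand.Reader, cardKey, crypto.SHA256, digestPair(hO[:], hP[:]), nil)),
	}
}

// verifyDual checks the dual signature; the caller passes one digest it recomputed
// from the plaintext it holds and the other digest as received in the request.
func verifyDual(cardPub *rsa.PublicKey, hOrder, hPayment, sig []byte) error {
	return rsa.VerifyPSS(cardPub, crypto.SHA256, digestPair(hOrder, hPayment), sig, nil)
}

// merchantProcess: the merchant decrypts the order, recomputes h(Order) and verifies
// the dual signature with the h(Payment) it was given. It never sees the card details.
func merchantProcess(merchantKey *rsa.PrivateKey, cardPub *rsa.PublicKey, req *setRequest) ([]byte, error) {
	o, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, merchantKey, req.encOrder, nil)
	if err != nil {
		return nil, err
	}
	hO := sha256.Sum256(o)
	if err := verifyDual(cardPub, hO[:], req.hPayment, req.sig); err != nil {
		return nil, err
	}
	return o, nil
}

// bankProcess: the bank opens {Payment}KB (forwarded unopened by the merchant, slide 33)
// and verifies the same signature with the h(Order) it was given.
func bankProcess(bankKey *rsa.PrivateKey, cardPub *rsa.PublicKey, req *setRequest) ([]byte, error) {
	p, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bankKey, req.encPayment, nil)
	if err != nil {
		return nil, err
	}
	hP := sha256.Sum256(p)
	if err := verifyDual(cardPub, req.hOrder, hP[:], req.sig); err != nil {
		return nil, err
	}
	return p, nil
}

// merchantCanReadPayment shows the confidentiality property: the merchant's key does not open {Payment}KB.
func merchantCanReadPayment(merchantKey *rsa.PrivateKey, req *setRequest) bool {
	_, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, merchantKey, req.encPayment, nil)
	return err == nil
}

func main() {
	card := must(rsa.GenerateKey(rand.Reader, 2048))
	merchant := must(rsa.GenerateKey(rand.Reader, 2048))
	bank := must(rsa.GenerateKey(rand.Reader, 2048))
	req := cardholderRequest(card, &merchant.PublicKey, &bank.PublicKey, order, payment)
	o, err := merchantProcess(merchant, &card.PublicKey, req)
	fmt.Printf("merchant: order=%s err=%v canReadPayment=%v\n", o, err, merchantCanReadPayment(merchant, req))
	p, err := bankProcess(bank, &card.PublicKey, req)
	fmt.Printf("bank: payment=%s err=%v\n", p, err)
}
```

The property to notice is that neither recipient can substitute its half: if the merchant forwarded a different order digest to the bank (say for a larger amount), the bank's recomputation of h(h(Order) || h(Payment)) would no longer match the cardholder's signature, and the same holds for the payment half.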

34 SET: why it failed
- Nothing in it for the credit card holders
- Huge cost of building the PKI
- Benefits less than expected

35 EDI: Electronic Data Interchange
- Used for B2B transactions
- Built on Value-Added Networks (VANs)
- International and national message standards
- Expensive

36 EDI transactions
EDI, or Electronic Data Interchange, provides trading partners with an efficient business tool for the automatic transmission of commercial data from one computer system directly to another. Through the use of EDI message standards such as ANSI ASC X12, UN/EDIFACT or EANCOM, data can be communicated quickly, efficiently and accurately irrespective of the users' internal hardware and software.

37 EDI in Hong Kong
- TRAXON for air cargo
- CargoNet for shipping
- EZ*TRADE for retail, manufacturing and trading
- Tradelink for the HK Government, chiefly for the Customs Department

38 EDI Infrastructure
- VAN (Value-Added Network) / VPN (Virtual Private Network)
- i-EDI (web-based EDI systems)

39 EDI example: SWIFT RGP = Regional General Processor

40 PayPal
- A virtual bank on the Internet
- Caters for small merchants that cannot open a merchant account with a bank
- Provides other services such as a shopping cart
- Problem of jurisdiction

41 E-purse
- Pre-paid debit cards that can work offline
- Not many business successes: Mondex is an example
- Most successful case: Octopus (Hong Kong)
- Pre-paid phone cards

42 The Internet Payment Processing System
- Acquiring bank
- Credit card association
- Customer's issuing bank
- Internet merchant accounts
- Payment gateway
- Processor

43 Parties to an Internet transaction
- Customer
- Merchant
- Issuing Bank
- Merchant's Acquiring Bank
- Payment Gateway
- Processor

44 The transaction process (diagram: credit card number, transaction info, request for payment, authorization OK)

45 Transaction initiation
1. The customer decides to make a purchase on the merchant's web site, proceeds to check out and enters credit card information
2. The merchant's web site receives the customer information and sends the transaction information to the Payment Gateway
3. The Payment Gateway routes the information to the Processor

46 Payment authorization
4. The Processor sends the information to the Merchant's Acquiring Bank
5. The Acquiring Bank sends the transaction information to the cardholder's Issuing Bank
6. The Issuing Bank sends the transaction result (authorization or decline) to the Acquiring Bank
7. The Acquiring Bank sends the transaction result to the Processor

47 Payment authorization
8. The Processor routes the result to the Payment Gateway
9. The Payment Gateway passes the result to the Merchant
10. The Merchant accepts the transaction and ships the goods, or rejects it

48 The payment process (diagram: request for payment, credit merchant account, debit consumer account)

49 Payment settlement
1. The Merchant requests the Payment Gateway to settle a payment
2. The Payment Gateway sends all transactions to be settled to the Processor
3. The Processor sends the settlement details to the customer's Issuing Bank and to the Merchant's Acquiring Bank

50 Payment settlement
4. The Issuing Bank includes the Merchant's charge on the customer's credit card statement, while the Acquiring Bank credits the Merchant's account

51 Payment Processing

52 PCI DSS
Payment Card Industry Data Security Standard. It is maintained by the PCI Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

53 PCI DSS It is a security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This is intended to help organizations proactively protect customer account data.

54 Requirements: Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters

55 Requirements: Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks

56 Requirements: Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications

57 Requirements: Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

58 Requirements: Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

59 Requirements: Maintain an Information Security Policy
- Maintain a policy that addresses information security

60 Reading
Refer to the VeriSign Online Payment Processing Guide

