
Slide 1. E-Commerce Security: Notes based on Laudon & Laudon (Prentice Hall, 2002)



Slide 2. Learning Objectives
- Document the rapid rise in computer and network security attacks
- Understand the factors contributing to the rise in EC security breaches
- Explain the basic types of network security attacks

Slide 3. Learning Objectives (cont.)
- Discuss the major steps in developing a security risk management system
- Describe the major types of attacks against EC systems
- Discuss some of the major technologies for securing EC

Slide 4. Bringing Down an EC Site: Mere Child's Play
- Distributed Denial of Service (DDoS) attacks can inundate a site with so many requests that legitimate traffic is virtually halted
- Attackers use software to send a flood of data packets to the target computer(s) with the aim of overloading their resources

Slide 5. Figure 13-1: Using Zombies in a Distributed Denial of Service Attack (Source: Scambray et al., 2000)

Slide 6. Bringing Down an EC Site: Mere Child's Play (cont.)
- Distributed Denial of Service (DDoS) attacks
  - Zombie: a machine on which the DDoS software is loaded, unknown to the owner
    - Home computers with cable modems or DSL service that are left on all the time
    - Business Web servers located outside the firewall
  - Availability of free tools and scripts makes it easy to mount a DDoS attack
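A small detector for the flood pattern these slides describe, added here as an example and not part of the original slides: it reads a constructed connection log (the addresses are documentation ranges chosen for the example) and applies both a per-host and a site-wide threshold, because zombies spread a flood across many sources that each look quiet on their own.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed connection log (not from the slides): "<second> <source> <flag>".
// SYN opens a handshake from that source; ACK completes one.
const sampleLog = `0 198.51.100.10 SYN
0 198.51.100.10 ACK
1 203.0.113.5 SYN
1 203.0.113.5 SYN
1 203.0.113.5 SYN
2 203.0.113.6 SYN
2 203.0.113.7 SYN
2 203.0.113.8 SYN
3 203.0.113.9 SYN`

// Analyze counts half-open handshakes (SYN never followed by ACK) per source.
// The per-host threshold catches one noisy host; the site-wide threshold
// catches a DDoS whose zombies each stay under the per-host limit.
func Analyze(log string, perHost, siteWide int) (flooders []string, total int, siteFlood bool) {
	halfOpen := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue // blank or malformed line
		}
		if f[2] == "SYN" {
			halfOpen[f[1]]++
		} else if f[2] == "ACK" && halfOpen[f[1]] > 0 {
			halfOpen[f[1]]--
		}
	}
	for src, n := range halfOpen {
		total += n
		if n >= perHost {
			flooders = append(flooders, src)
		}
	}
	sort.Strings(flooders) // deterministic order for reporting
	return flooders, total, total >= siteWide
}

func main() {
	flooders, total, flood := Analyze(sampleLog, 3, 6)
	fmt.Printf("flooders=%v half-open=%d site-wide flood=%v\n", flooders, total, flood)
}
```

With the sample log only 203.0.113.5 crosses the per-host limit, while the four other zombie sources together push the site over the aggregate limit.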

Slide 7. Figure 13-2: Attack Sophistication vs. Intruder Technical Knowledge (Source: special permission to reproduce the CERT/CC graphic © 2000 by Carnegie Mellon University, in Electronic Commerce 2002, in Allen et al., 2000)

Slide 8. The Need for Security
- Data from the Computer Security Institute and the FBI indicate:
  - Cyber attacks are on the increase
  - Internet connections are increasingly a point of attack
  - The variety of attacks is on the rise
  - The reporting of serious crimes to law enforcement has declined

Slide 9. Table 13-2: Incidents and Vulnerabilities Reported to CERT (figures from the Computer Emergency Response Team, CERT)

Slide 10. Why Now?
- Security systems are only as strong as their weakest points
- Security and ease of use (or implementation) are antithetical to one another
- Security takes a back seat to market pressures

Slide 11. Why Now? (cont.)
- Security of an EC site depends on the security of the Internet as a whole
- Security vulnerabilities are increasing faster than they can be combated
- Security is compromised by common applications

Slide 12. Basic Security Issues
- Issues at a simple marketing site:
- User's perspective
  - Is the Web server owned and operated by a legitimate company?
  - Do the Web page and form contain malicious code?
  - Will the Web server distribute the user's information to another party?
- Company's perspective
  - Will the user attempt to break into the Web server or alter the site?
  - Will the user try to disrupt the server so it isn't available to others?

Slide 13. Basic Security Issues (cont.)
- Issues at a simple marketing site: user and company perspective
  - Is the network connection free from eavesdropping?
  - Has information sent back and forth between server and browser been altered?

Slide 14. Basic Security Issues (cont.)
- Major security issues in EC
  - Authentication
  - Authorization
  - Auditing
  - Confidentiality or privacy
  - Integrity
  - Availability
  - Non-repudiation

Slide 15. Security Risk Management
- Required to determine security needs
- Four phases of risk management: assessment, planning, implementation, monitoring
- Definitions involved in risk management
  - Assets: anything of value worth securing
  - Threat: an eventuality representing danger to an asset
  - Vulnerability: a weakness in a safeguard

Slide 16. Security Risk Management (cont.)
- Assessment phase: evaluation of assets, threats and vulnerabilities
  - Determine organizational objectives
  - Inventory assets
  - Delineate threats
  - Identify vulnerabilities
  - Quantify the value of each risk

Slide 17. Table 13-3: Security Risks for EC & Other Internet Sites

Slide 18. Security Risk Management (cont.)
- Planning phase of risk management: arrive at a set of security policies
  - Define specific policies
  - Establish processes for audit and review
  - Establish an incident response team and contingency plan

Slide 19. Security Risk Management (cont.)
- Implementation phase of risk management: choose particular technologies to deal with high-priority threats
- Monitoring phase of risk management: ongoing processes used to determine which measures are successful, which are unsuccessful, and which need modification

Slide 20. Types of Threats and Attacks
- Nontechnical vs. technical attacks
- Steps in a hacker's attack
  1. Discover key elements of the network
  2. Scan for vulnerabilities
  3. Hack in and gain administrator privileges
  4. Disable auditing and remove traces from log files
  5. Steal files, modify data, steal source code, etc.
  6. Install back doors, etc., to permit undetectable re-entry
  7. Return at will to do more damage

Slide 21. Types of Threats and Attacks (cont.)
- The players
  - Hackers
  - Crackers
  - Script kiddies
- Systems and software bugs and misconfigurations

Slide 22. Types of Threats and Attacks (cont.)
- IP fragmentation (teardrop, bonk, boink, nestea, and others)
- DNS spoofing
- Ping of death
- Smurf attack
- SYN flood
- Buffer overflows
- Denial-of-service (DoS) attacks

Slide 23. Types of Threats and Attacks (cont.)
- Input validation attacks
- Intercepted transmissions
- Malicious code
  - Viruses
  - Worms
  - Macro viruses and macro worms
  - Trojan horses
  - Malicious mobile code

Slide 24. Security Technologies
- Tools available to achieve site security
  - Encryption
  - Network security protocols
  - Virtual private networks and tunneling
  - Firewalls and proxy systems
  - Host security tools
  - Policies and management: access control, authentication, monitoring and intrusion detection

Slide 25. Figure 14-2: Private Key Encryption

Slide 26. Public Key Encryption
- Size of key
- RSA algorithm
- Speed of key
- Rijndael algorithm

Slide 27. Digital Signatures: Authenticity and Nondenial
- Analogous to a handwritten signature
- Based on public keys
- Used to:
  - Authenticate the identity of the sender of a message or document
  - Ensure the original content of the electronic message or document is unchanged

Slide 28. Security for E-Payments (cont.)
- Digital Signatures: Authenticity and Nondenial (cont.)
- Benefits:
  - Portable
  - Cannot be easily repudiated or imitated
  - Can be time stamped

Slide 29. Figure 14-4: Digital Signatures

Slide 30. Security for E-Payments (cont.)
- Digital certificates
  - Identify the holder of a public key (key exchange)
  - Issued by a trusted certificate authority (CA)
- Example certificate contents:
  Name: "Richard"
  Key-Exchange Key:
  Signature Key:
  Serial #: 29483756
  Other Data: 10236283025273
  Expires: 6/18/04
  Signed: CA's Signature
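Slides 27 to 30 describe signatures and certificates in words; the following is an added example (not from the slides or the textbook) that signs and verifies an order with RSA and SHA-256 from Go's standard library and wraps the holder's key in a constructed minimal certificate signed by a CA, in the spirit of the slide 30 fields. The holder name, the order text and the certificate layout are assumptions made here, and the certificate is a teaching stand-in, not X.509.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

// Sign hashes msg with SHA-256 and signs the digest with the private key.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// Verify fails if msg was altered or sig was made under another key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// Cert is a constructed stand-in for slide 30's certificate, not X.509.
type Cert struct {
	Name string         // holder
	Key  *rsa.PublicKey // holder's key
	Sig  []byte         // CA signature over certBody(Name, Key)
}

func certBody(name string, key *rsa.PublicKey) []byte {
	return append([]byte(name+"\x00"), x509.MarshalPKCS1PublicKey(key)...)
}

func Issue(ca *rsa.PrivateKey, name string, key *rsa.PublicKey) (Cert, error) {
	sig, err := Sign(ca, certBody(name, key))
	return Cert{name, key, sig}, err
}

// VerifySigned checks the cert under the CA key, then msg under the cert's key.
func VerifySigned(caPub *rsa.PublicKey, c Cert, msg, sig []byte) bool {
	return Verify(caPub, certBody(c.Name, c.Key), c.Sig) && Verify(c.Key, msg, sig)
}

func main() {
	ca, _ := rsa.GenerateKey(rand.Reader, 2048)
	holder, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert, _ := Issue(ca, "Richard", &holder.PublicKey)
	sig, _ := Sign(holder, []byte("order 1001"))
	println(VerifySigned(&ca.PublicKey, cert, []byte("order 1001"), sig)) // true
}
```

Changing one character of the order, swapping in a different CA key, or substituting another public key under the same certificate signature all make VerifySigned return false, which is the integrity and non-repudiation property the slides claim.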

Slide 31. Security for E-Payments (cont.)
- Secure Sockets Layer / Transport Layer Security
  - Secure Sockets Layer (SSL): handled in the Web browser, utilizing CAs and data encryption
    - Encryption
    - Digital certificates
    - Digital signatures
  - In 1996 SSL was standardized and named Transport Layer Security (TLS)
  - Operates at the TCP/IP layer (base layer for the Internet)
- IPSec: secure version of the IP protocol

Slide 32. Secure Sockets Layer (SSL)
- The SSL protocol may use a certificate, but there is no payment gateway
- Merchants need to receive ordering information and credit card information (capturing process initiated by merchants)

Slide 33. Security Technologies
- Firewalls and access control
  - Firewall: a network node that isolates a private network from a public network
  - Packet-filtering routers
  - Application-level proxies
  - Screened host firewall

Slide 34. Figure 13-6: Application-Level Proxy (Bastion Gateway Host)

Slide 35. Figure 13-7: Screened Host Firewall

Slide 36. Figure 13-8: Screened Subnet Firewall (with DMZ)

Slide 37. Security Technologies (cont.)
- Virtual private networks (VPNs): use the public Internet to carry information, yet the traffic remains private
  - Encryption: scramble communications
  - Authentication: ensure information remains untampered with and comes from a legitimate source
  - Access control: verify the identity of anyone using the network
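An added example, not from the slides: a first-match packet filter in Go that encodes a constructed screened-subnet policy of the kind Figure 13-8 draws, with the Web server in a DMZ and the rest of the company on an internal LAN. The networks, ports and rules are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is one packet-filtering entry. Rules are checked in order, the first
// match decides, and a packet matching nothing is denied.
type Rule struct {
	Allow   bool
	Src     *net.IPNet
	Dst     *net.IPNet
	DstPort int // 0 matches any destination port
}

func cidr(s string) *net.IPNet {
	_, n, _ := net.ParseCIDR(s) // inputs below are constant and valid
	return n
}

// Constructed screened-subnet policy (not from the slides): the Web server
// lives in the DMZ, everything else on the internal LAN.
var (
	internet = cidr("0.0.0.0/0")
	dmz      = cidr("192.0.2.0/24")
	lan      = cidr("10.0.0.0/8")
	policy   = []Rule{
		{true, internet, dmz, 443}, // anyone may reach the DMZ Web server over HTTPS
		{false, dmz, lan, 0},       // a compromised DMZ host cannot reach the LAN
		{true, lan, internet, 0},   // the LAN may initiate connections anywhere
	}
)

// Filter decides a packet by source IP, destination IP and destination port.
// An unparseable address matches no rule and is therefore denied.
func Filter(rules []Rule, src, dst string, port int) bool {
	s, d := net.ParseIP(src), net.ParseIP(dst)
	for _, r := range rules {
		if r.Src.Contains(s) && r.Dst.Contains(d) && (r.DstPort == 0 || r.DstPort == port) {
			return r.Allow
		}
	}
	return false
}

func main() {
	fmt.Println(Filter(policy, "203.0.113.9", "192.0.2.10", 443)) // true
	fmt.Println(Filter(policy, "192.0.2.10", "10.1.1.5", 445))    // false
}
```

Because nothing reaches the LAN from outside except through the explicit rules, a break-in on the DMZ Web server stays contained, which is the point of the screened subnet.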

Slide 38. Security Technologies (cont.)
- Protocol tunneling: ensures confidentiality and integrity of data transmitted
  - Point-to-Point Tunneling Protocol (PPTP)
  - Layer 2 Tunneling Protocol (L2TP)
- Intrusion Detection Systems (IDS)

Slide 39. Managerial Issues
- Recognize the business consequences of poor security
- Security through obscurity doesn't work
- It's the business that counts, not the technology
- Security is an on-going, closed-loop process
- Even for EC sites, internal breaches are more prevalent than external breaches

