Published by Wilfred Bond. Modified over 9 years ago.

ITEC5611 S. Kungpisdan
Course Outline Revisited
1. Overview of Electronic Commerce
2. E-Marketplace
3. Retailing in Electronic Commerce
4. Consumer Behavior, Market Research, and Advertisement
5. Business-to-Business E-Commerce
6. Public B2B Exchanges and Support Services
7. E-Supply Chains, Collaborative Commerce, Intrabusiness EC, and Corporate Portals
8. Project 1 Presentation #1 (29/7/07)
9. Project 1 Presentation #2 (5/8/07)
10. EC Architectural Framework & EC Security (19/8/07)
11. Electronic Payment Systems (19/8/07)
12. Search Engines, Directory Services and Internet Advertising (26/8/07)
13. Mobile Commerce and Pervasive Computing (2/9/07)
14. Building EC Applications and Infrastructure (9/9/07)
15. Project Presentation #1 (16/9/07)

Chapter 11: EC Architectural Framework and EC Security

Outline
EC Architectural Framework
EC Security
  – Basic Security Issues
  – Security Incidences
  – Securing EC Communications
  – Securing EC Networks
  – Securing Web Servers

EC Framework
E-commerce Applications: catalog-based retail, marketing and advertising, banking and investments, supply chain management, auctions, home shopping, procurement

Network Infrastructure
The Internet Superhighway is responsible for seamless, reliable transportation of information among host devices.
Local Area Networks, IEEE 802.3 Standards and Ethernet
Wide Area Networks
The Seamless Interface is offered through
  – Internet and TCP/IP Model
  – IP Addressing and Domain Naming System
  – Internet Industry Structure

Information Distribution Technologies
Standard Protocols for Information Distribution on the Internet
File Transfer Protocol (FTP)
Simple Mail Transfer Protocol (SMTP)
Hyper Text Transfer Protocol (HTTP)
Web Server Implementations
  – Apache Web Server
  – Microsoft’s IIS

Multimedia Publishing Technologies
Information Publishing and Web Browsers
  – Hyper Text Markup Language (HTML)
  – Forms and Common Gateway Interface
  – Active Server Pages (ASP), Cold Fusion Markup Language
  – Dynamic HTML
  – HTML Editors
  – XML
Multimedia Content
  – Graphics and Image Formats
  – Web Image Formats
  – Other Multimedia objects
VRML

Security and Encryptions
Importance of security for Electronic Commerce and inherent vulnerability of the Internet
Protecting the Web (HTTP) Service
The Issues in Transaction Security
  – Cryptography and Cryptanalysis
  – Symmetric Key Cryptographic Algorithms
  – Public Key Algorithms
  – Authentication Protocols
  – Integrity and Non-repudiation
Digital Certificates and Signatures
Electronic Mail Security
  – PGP, S/MIME
Security Protocols for Web Commerce
  – SSL, TLS

Payment Services
Payment Systems
Characteristics of Online Payment Systems
  – Pre-Paid Electronic Payment Systems
  – Instant-Paid Electronic Payment Systems
  – Post-Paid Electronic Payment Systems
Some Electronic Payment Systems
  – Secure Electronic Transaction (SET) for Credit Cards
  – Ecash
  – NetCheque

Business Service Infrastructure
Searching and Locating Information on Web Space
Information Directories
  – Purpose
  – Organization
  – Information Location in Information Directories
Search Engines
  – Purpose
  – Organization
  – Location of Information using Search Engines
Improving the search results
Internet Advertising
  – Importance
  – Models

Public Policy and Legal Infrastructure
Universal Access to Network Infrastructure
Model Law for Electronic Commerce
Taxation Issues in Electronic Commerce
Need for Public Key Infrastructure (PKI)
Digital Certificates and Digital Signatures

Basic Security Issues
What kinds of security questions arise?
  – From the user’s perspective:
      Is the Web server owned and operated by a legitimate company?
      Do the Web page and form contain any malicious or dangerous code or content?
      Will the owner of the Web site refrain from distributing the information the user provides to some other party?

Basic Security Issues
What kinds of security questions arise?
  – From the company’s perspective:
      How does the company know the user will not attempt to break into the Web server or alter the pages and content at the site?
      How does the company know that the user will not try to disrupt the server so that it is not available to others?

Basic Security Issues
What kinds of security questions arise?
  – From both parties’ perspectives:
      How do both parties know that the network connection is free from eavesdropping by a third party “listening” on the line?
      How do they know that the information sent back and forth between the server and the user’s browser has not been altered?

Basic Security Issues
Authentication
Authorization
Auditing
Confidentiality (Privacy)
Integrity
Availability
Non-repudiation

Exhibit 11.1 General Security Issues at EC Sites

Outline
EC Architectural Framework
EC Security
  – Basic Security Issues
  – Security Incidences
  – Types of Threats and Attacks
  – Securing EC Communications
  – Securing EC Networks
  – Securing Web Servers

Threats and Vulnerabilities

Security Incidences
Probe
  – A probe is characterized by unusual attempts to gain access to a system or to discover information about the system.
  – Sometimes followed by a more serious security event, but they are often the result of curiosity or confusion.
Scan
  – A large number of probes done using an automated tool.
  – Often a prelude to a more directed attack on systems whose security can be breached.
Account Compromise
  – Unauthorized use of a computer account by someone other than the account owner, without involving system-level or root-level privileges. It might expose the victim to serious data loss, data theft, or theft of services.
  – The lack of root-level access means that the damage can usually be contained, but a user-level account opens up avenues for greater access to the system.

Security Incidences (cont’d)
Root Compromise
  – Similar to an account compromise, except that the account that has been compromised has special privileges on the system.
Packet Sniffer
  – A program that captures data from information packets as they travel over the network.

Security Incidences (cont’d)
denial-of-service (DoS) attack: An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources
distributed denial-of-service (DDoS) attack: A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses the multiple computers to send a flood of data packets to the target computer

Exhibit 11.2 Using Zombies in a Distributed Denial-of-Service Attack

Security Incidences (cont’d)
Exploitation of Trust
  – Computers on networks enjoy trust relationships with one another.
  – If attackers can forge their identity, they may be able to gain unauthorized access to other computers.
Malicious Code
  – A generic term for programs that cause undesired results on a system when executed. Such programs are generally discovered after the damage is done. Malicious code includes Trojan horses, viruses, and worms.
Internet Infrastructure Attacks
  – These attacks involve key components of the Internet infrastructure rather than specific systems on the Internet. The attacks are rare but have serious implications for a large portion of the Internet.

Security Incidences (cont’d)
Social Engineering
social engineering: A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access
Two types of social engineering: human-based and computer-based
  – A multiprong approach should be used to combat social engineering:
      Education and training
      Policies and procedures
      Penetration testing

Securing EC Communications
access control: Mechanism that determines who can legitimately use a network resource
  – Something you know: password
  – Something you have: smartcard, tokens
  – Something you are: biometrics
passive tokens: Storage devices (e.g., magnetic strips) that contain a secret code used in a two-factor authentication system
active tokens: Small, stand-alone electronic devices that generate one-time passwords used in a two-factor authentication system

Securing EC Communications
biometric systems: Authentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice
physiological biometrics: Measurements derived directly from different parts of the body (e.g., fingerprint, iris, hand, facial characteristics)
behavioral biometrics: Measurements derived from various actions and indirectly from various body parts (e.g., voice scans or keystroke monitoring)

Securing EC Communications
fingerprint scanning: Measurement of the discontinuities of a person’s fingerprint, which are then converted to a set of numbers that are stored as a template and used to authenticate identity
iris scanning: Measurement of the unique spots in the iris (colored part of the eye), which are then converted to a set of numbers that are stored as a template and used to authenticate identity

Securing EC Communications
encryption: The process of scrambling (encrypting) a message (plaintext) into ciphertext in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it
plaintext + encryption algorithm + key → ciphertext

Securing EC Communications
symmetric (private) key system: An encryption system that uses the same key to encrypt and decrypt the message
Data Encryption Standard (DES): The standard symmetric encryption algorithm supported by the NIST and used by U.S. government agencies until October 2, 2000
Rijndael: The new Advanced Encryption Standard used to secure U.S. government communications since October 2, 2000

Exhibit 11.4 Symmetric (Private) Key Encryption

Securing EC Communications
Public (Asymmetric) Key Encryption
public key encryption: Method of encryption that uses a pair of matched keys, a public key to encrypt a message and a private key to decrypt it, or vice versa
public key: Encryption code that is publicly available to anyone

Securing EC Communications
Digital Signatures
digital signature: An identifying code that can be used to authenticate the identity of the sender of a document
hash: A mathematical computation that is applied to a message, using a private key, to encrypt the message

Securing EC Communications
Digital Signatures
message digest: A summary of a message, converted into a string of digits, after the hash has been applied
digital envelope: The combination of the encrypted original message and the digital signature, using the recipient’s public key

Exhibit 11.5 Digital Signatures

Securing EC Communications
public key infrastructure (PKI): A scheme for securing e-payments using public key encryption and various technical components
digital certificate: Verification that the holder of a public or private key is who he or she claims to be
certificate authorities (CAs): Third parties that issue digital certificates

Securing EC Communications
Secure Socket Layer (SSL): Protocol that utilizes standard certificates for authentication and data encryption to ensure privacy or confidentiality
Transport Layer Security (TLS): As of 1996, another name for the SSL protocol

Securing EC Networks
The selection and operation of these technologies should be based on certain design concepts, including:
  – Layered security
  – Controlling access
  – Role-specific security
  – Monitoring
  – Keep systems patched
  – Response team

Exhibit 11.6 Layered Security

Security at Each Layer

Securing EC Networks
firewall: A network node consisting of both hardware and software that isolates a private network from a public network
packet-filtering routers: Firewalls that filter data and requests moving from the public Internet to a private network based on the network addresses of the computer sending or receiving the request

Securing EC Networks
packets: Segments of data and requests sent from one computer to another on the Internet; consist of the Internet addresses of the computers sending and receiving the data, plus other identifying information that distinguishes one packet from another
packet filters: Rules that can accept or reject incoming packets based on source and destination addresses and the other identifying information
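
A packet filter of the kind defined above, as an added example that is not part of the original slides. The rule fields, the first-match-wins ordering, the default-reject policy and all addresses (taken from documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "reject"
    src: str                       # source network in CIDR form
    dst: str                       # destination network in CIDR form
    proto: str = "any"             # "tcp", "udp" or "any"
    dport: Optional[int] = None    # destination port, None = any port

def matches(rule: Rule, pkt: dict) -> bool:
    """True when every field of the rule covers the packet's header values."""
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt["dport"]))

def decide(rules, pkt, default="reject"):
    """First matching rule wins; anything unmatched gets the default action."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return default, None

# Constructed rule set for a web server at 203.0.113.10.
WEB = "203.0.113.10/32"
RULES = [
    Rule("reject", "198.51.100.0/24", "0.0.0.0/0"),   # 0: blocked source range
    Rule("accept", "0.0.0.0/0", WEB, "tcp", 80),      # 1: HTTP from anywhere
    Rule("accept", "0.0.0.0/0", WEB, "tcp", 443),     # 2: HTTPS from anywhere
    Rule("accept", "192.0.2.0/24", WEB, "tcp", 22),   # 3: SSH from the admin network only
]

def packet(src, dport, proto="tcp", dst="203.0.113.10"):
    """Build a constructed sample packet header."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

if __name__ == "__main__":
    for p in (packet("192.0.2.7", 443), packet("198.51.100.9", 80),
              packet("203.0.113.77", 22), packet("192.0.2.7", 53, "udp")):
        print(p, "->", decide(RULES, p))
```

Rule order is part of the policy: moving rule 0 to the end would let the blocked range reach port 80 through rule 1.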

Securing EC Networks
application-level proxy: A firewall that permits requests for Web pages to move from the public Internet to the private network
bastion gateway: A special hardware server that utilizes application-level proxy software to limit the types of requests that can be passed to an organization’s internal networks from the public Internet
proxies: Special software programs that run on the gateway server and pass repackaged packets from one network to the other

Exhibit 11.7 Application Level Proxy (Bastion Gateway Host)

Securing EC Networks
demilitarized zone (DMZ): Network area that sits between an organization’s internal network and an external network (Internet), providing physical isolation between the two networks that is controlled by rules enforced by a firewall.
personal firewall: A network node designed to protect an individual user’s desktop system from the public network by monitoring all the traffic that passes through the computer’s network interface card.

Exhibit 11.8 Demilitarized Zone (DMZ)

Securing EC Networks
virtual private network (VPN): A network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network

Securing EC Networks
intrusion detection systems (IDSs): A special category of software that can monitor activity across a network or on a host computer, watch for suspicious activity, and take automated action based on what it sees
honeypots: Production systems (e.g., firewalls, routers, Web servers, database servers) designed to do real work but that are watched and studied as network intrusions occur
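
A small detection rule of the kind an IDS applies, as an added example that is not part of the original slides. It separates the probe and scan incidents defined earlier in this deck; the log format, the 10-second window and the threshold of 5 targets are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                  r"dport=(?P<dport>\d+) result=(?P<res>\w+)")

def classify(lines, window_s=10, scan_threshold=5):
    """Return {source: "scan" | "probe"} for sources with failed connection attempts.

    A source is a scan once it has failed against scan_threshold distinct
    (host, port) targets inside window_s seconds; otherwise it is a probe.
    Lines must be in time order per source.
    """
    recent = defaultdict(deque)        # source -> (timestamp, target) inside the window
    verdict = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["res"] == "ok":  # unparsable or successful: not a probe
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append((ts, (m["dst"], int(m["dport"]))))
        while ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()                # forget attempts older than the window
        if len({target for _, target in q}) >= scan_threshold:
            verdict[m["src"]] = "scan"
        else:
            verdict.setdefault(m["src"], "probe")
    return verdict

# Constructed connection log: one fast sweep, one slow sweep, one stray
# refused connection and one normal request.
PORTS = (21, 22, 23, 25, 110)
SAMPLE = sorted(
    [f"2007-08-19T10:00:0{i} src=198.51.100.23 dst=203.0.113.10 dport={p} result=refused"
     for i, p in enumerate(PORTS)]
    + [f"2007-08-19T10:0{i}:30 src=198.51.100.77 dst=203.0.113.10 dport={p} result=refused"
       for i, p in enumerate(PORTS)]
    + ["2007-08-19T10:00:02 src=192.0.2.44 dst=203.0.113.10 dport=23 result=refused",
       "2007-08-19T10:00:03 src=192.0.2.8 dst=203.0.113.10 dport=80 result=ok"])

if __name__ == "__main__":
    for src, kind in sorted(classify(SAMPLE).items()):
        print(src, kind)
```

The window length decides what counts as one scan: the source that spreads the same five ports over several minutes is reported as a probe here, so the window should be tuned to the traffic being monitored.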

Web Server Security
HTTP Server (aka Web Server): if the site is well secured, the only interaction will happen through this service counter
HTTP servers bind to a privileged port (80) and thus run as root. This gives them unlimited access to the host system.
Run in a chrooted environment
  – %chroot /www /etc/httpd/bin/httpd sets the root file system of httpd to /www; only files under /www can be accessed by the web server
  – Users cannot serve files from home directories

Web Server Security
Each HTTP Server has 4 configuration files
  – access.conf: Access Control
  – httpd.conf: Server Configuration
  – mime.types: File extensions and meanings
  – srm.conf: Options including directories and Users
Define in httpd.conf: ServerRoot /var/httpd/
Define in srm.conf: /var/httpdocs

Web Server Security
[Figure: directory tree showing Root, ServerRoot and DocumentRoot]
Questions? Next lecture: Electronic Payment Systems