ECT 582 Secure Electronic Commerce Professor Robin Burke.

1 ECT 582 Secure Electronic Commerce
Professor Robin Burke

2 Introductions
- About me: http://josquin.cs.depaul.edu/~rburke/
- About you: student information sheet

3 Resources
- Course on-line discussion forum
- Grades
- Course home page

4 Security
1. freedom from danger, risk, etc.: safety
2. freedom from care, apprehension or doubt; well-founded confidence
3. something that secures or makes safe; protection; defense
4. precautions taken to guard against theft, sabotage, the stealing of military secrets, etc.
- Webster's Encyclopedic Unabridged Dictionary of the English Language

5 E-Commerce
The process of electronically buying and selling goods, services and information, and the maintenance of all the relationships, both personal and organizational, required for an electronic marketplace to function.

6 What are we securing?

7 Post-9/11 realities
- Aspects of business operations may impact public safety
- E-commerce opens a hole for interacting with an organization

8 What can we do to improve security?

9 Key concepts
- Risk
- Trust

10 Risk
- What are the possible losses we are guarding against?

11 Trust
- Must choose where trust is to be placed

12 Risk management
- Risk analysis
- Risk mitigation
- Risk transfer

13 What are the primary risks?
1. Disclosure of proprietary information
2. Denial of service
3. Virus attacks
4. Insider net abuse
5. Financial fraud
6. Sabotage
- CSI/FBI 2003 Computer Crime and Security Survey

14 Disclosure of Proprietary Info
- Customer data exposure
- Data theft
- Sensitive information

15 Fraud
- Payment account abuse
- Transfer funds without authorization
- Destroy or hide financial records
- Customer impersonation

16 Secondary risks
- Damage to relations with customers or business partners
- Legal, public relations, or business resumption cost
- Public relations damage
- Uptake failure due to lack of confidence

17 How is e-commerce different?
- Need for physical proximity
- Differences in documents

18 Physical documents
- Semi-permanence of ink embedded in paper fibers
- Particular printing process (letterhead, watermark)
- Biometrics of signature
- Time stamp
- Obviousness of modifications, interlineations, and deletions

19 Computer documents
- Computer-based records can be modified freely and without detection
- Supplemental control mechanisms must be applied to achieve a level of trustworthiness comparable to that on paper
- Less permanent, too

20 Legal differences
- In some cases, possession matters (negotiable document of title, cash money)

21 Attack
- Any action that compromises the security of information systems
- (Diagram: normal flow from information source to information destination)

22 Interruption
- Attack on availability
- (Diagram: information source, information destination)

23 Interception
- Attack on confidentiality
- (Diagram: information source, information destination)

24 Modification
- Attack on integrity
- (Diagram: information source, information destination)

25 Fabrication
- Attack on authenticity
- (Diagram: information source, information destination)

26 Passive vs active
- Passive: monitor communication; disclose contents, but also traffic analysis
- Active: interfere with communication

27 Active attacks: masquerade
- Masquerade: one entity pretends to be a different entity
- Example: session hijacking, taking over an existing active session. It can bypass the authentication process and gain access to a machine

28 Active attacks: replay
- Passive capture of data
- Later retransmission to produce an unauthorized effect
- Example: password sniffing, a program that captures user id / password info
- Case in Tokyo: sniffer installed at an Internet cafe, 16 million Yen stolen

29 Active attacks: modification
- Some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect
- Example: spam. The Return-To header on spam email is always forged to prevent tracking the sender

30 Active attacks: DoS
- Denial of service prevents or inhibits the normal use or management of communication facilities
- Example: SYN flooding, sending open requests for TCP connections but not responding to the handshake, over and over again

31 Security properties
What do we want out of a secure e-commerce system?
- Confidentiality
- Authentication
- Integrity
- Non-repudiation
- Access control
- Availability

32 Confidentiality
- Protects against interception
- Ensures that a message is only readable by the intended recipient
- Technology: encryption

33 Authentication
- Protects against fabrication
- Ensures that the origin of a message or electronic document is correctly identified, with assurance that the identity is not false
- Technology: user id/password, digital certificates

34 Integrity
- Protects against modification
- Ensures that only authorized parties are able to modify an electronic document, or allows modification to be detected
- Technology: digital signatures
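The supplemental control slides 19 and 34 call for, as an added example that is not part of the lecture: a receiver that detects the modification (slide 24), fabrication (slide 25) and replay (slide 28) attacks described above. An HMAC over the canonical message stands in for the digital signature so the code runs with the standard library only; the key, the message fields and the freshness window are constructed for the demonstration.

```python
import hmac
import hashlib
import json
import time

# Constructed demo key. A real deployment would use a managed secret, or an
# asymmetric signing key (the slide's "digital signature") so that the
# receiver cannot forge messages itself.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def canonical_bytes(fields):
    """Serialize the protected fields deterministically so sender and receiver MAC the same bytes."""
    return json.dumps(fields, sort_keys=True).encode()


def sign_message(key, sender, body, nonce, ts):
    """Build a message whose sender, body, nonce and timestamp are covered by a MAC."""
    msg = {"sender": sender, "body": body, "nonce": nonce, "ts": ts}
    msg["mac"] = hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()
    return msg


class Verifier:
    """Receiver-side control: MAC check for integrity/authenticity, nonce and
    freshness window for replay detection."""

    def __init__(self, key, window_seconds=300):
        self.key = key
        self.window = window_seconds
        self.seen_nonces = set()  # nonces accepted inside the window

    def verify(self, msg, now=None):
        now = time.time() if now is None else now
        fields = {k: msg.get(k) for k in ("sender", "body", "nonce", "ts")}
        expected = hmac.new(self.key, canonical_bytes(fields), hashlib.sha256).hexdigest()
        # Constant-time compare; any altered field (modification) or a message
        # built without the key (fabrication) fails here.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "rejected: bad MAC (modified or fabricated)"
        # Stale messages are refused so the nonce set only has to remember one window.
        if abs(now - msg["ts"]) > self.window:
            return "rejected: stale timestamp"
        # A captured-and-retransmitted message carries a nonce already accepted.
        if msg["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(msg["nonce"])
        return "accepted"
```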

35 Non-repudiation
- Protects against an e-commerce participant acting in bad faith
- Requires that neither the sender nor the receiver of a message be able to deny the transmission
- Technology: (complicated)

36 Access control
- Protects against unauthorized access
- Allows the establishment of fine-grained control over access to files and applications for different users and groups
- Technology: (various, usually tied to authentication)

37 Availability
- Protects against interruption
- Requires that computer system assets be available to authorized parties when needed
- Technology: (many)

38 The big picture
- Security is a multi-faceted feature of information systems
- An organization needs:
  - A security strategy tailored for its particular needs
  - A security architecture that addresses that strategy
  - Security technology to realize the architecture

39 Security strategy
- Threats: what is valuable? who might want it?
- Vulnerabilities: where is the organization exposed?
- Defenses: what can be done to manage the risks?
- Legal: what liabilities and legal requirements exist?

40 Security architecture
- People: how are they hired, trained, monitored, audited?
- Systems: what systems exist? how are systems connected to each other and to the larger Internet?
- Procedures: how are systems used? who gets access to what under what circumstances?

41 Security technology
- Main focus of this course
- Specific technologies for achieving security-related goals
- But meaningless in the absence of a strategy and an architecture

42 Assignment #1
- Create a web page for your assignments; I will link these to the course page
- Subscribe to the CERT Advisory mailing list
- Post on the "Test" forum
- Due before class starts
- No late assignments!

43 Next week
- Cryptography
- Reading: Ford & Baum, Ch. 4; Risks Digest
- Should be prepared for discussion
