Published by Madlyn Hardy. Modified over 9 years ago.

Slide 1: Network and E-commerce Security
Nungky Awang Chandra
Fasilkom Mercu Buana University

Slide 2: Network Security
- $10 billion worth of data stolen every year
- Huge number of credit card numbers get stolen
- 50% of the computer crimes are committed by “insiders”
- Many cases are not reported
- Network security is a major issue
- Still, not accorded the priority it deserves - low budget allocations, for example
- Enterprise network security goals need to be set at the highest level

Slide 3: Main Issues
- Security of Internal Networks
- Security of Networks Connected to the Internet
- Secure E-commerce Issues
  - Network Security
  - Transaction Security
    - Privacy – no unauthorized access
    - Confidentiality – deletion after use
    - Integrity – no tampering

Slide 4: Internet Security Terms
- Authentication – a way to verify that message senders are who they say they are
- Integrity – ensuring that information will not be accidentally or maliciously altered or destroyed
- Reliability – ensuring that the system will perform consistently and at an acceptable level of quality
- Encryption – a process of making information indecipherable except to those with a decoding key

Slide 5: Internet Security Terms
- Firewall – a filter between a corporate network and the Internet that keeps the corporate network secure from intruders but allows authenticated corporate users access to the Internet
- Spoofing – a way of creating counterfeit packets with private IP (Intranet) addresses in order to gain access to private networks and steal information
- Denial of service – an attack on the information and communication services by a third party that prevents legitimate users from using the infrastructure

Slide 6: Figure 13-4. Security vs. Productivity Balance

Slide 7: Network Security
Essentials of Network Security Policy
- Identification/authorization - authorized users access resources
- Access control - even authorized users allowed appropriate access
- Privacy - no eavesdropping
- Data integrity - that data is genuine and cannot be altered without proper controls
- Non-repudiation - users do not deny occurrence of given events or transactions

Slide 8: Network Security
Steps in security policy development
- Identify assets
- Identify threats
- Identify vulnerabilities
- Consider the risks
- Take protective measures

Slide 9: Network Security
Policy Development Process
Executive’s and Management’s Responsibility for Protection of Information Resources
- Set acceptable-use policy for the entire organization
- State the value of information as a corporate resource
- Require security awareness training
- Assess the consequences of security breach
- Find optimal balance between security and productivity needs
- Lead by example

Slide 10: Virus Protection
- Virus - a malicious computer program
- Computer viruses are the most common microcomputer security breach
- Frequent occurrences
- Complete recovery from a virus infection costs on average $8100 and 44 hr over 10 working days
- Over 10,000 known viruses, 200 new viruses per month
- Viruses need some kind of a trigger (time bomb, logic bomb)
- Logic bomb may appear as a button in a program
- Trojan Horses hide viruses (e.g. Concept, Melissa)

Slide 11: Virus Protection
Different categories of virus
- File infectors: attach themselves to a variety of executable files
- System/boot infectors: attack the files of the operating system or boot sector
Antivirus Strategies
- Install virus scanning software at possible points of attack
- Scan diskettes at stand-alone PCs
- Outsiders' laptops – same as diskettes
- Prohibit, control, or scan shareware programs
- Vendors must run their demos on their own machines

Slide 12: Figure 13-17. Virus Infection Points of Attack and Protective Measures

Slide 13: Virus Protection
Antivirus Technology Relies On
- Virus scanning - primary method - checks for unique signatures of known viruses and removes them
- Emulation technology - runs programs to examine and identify potentially unknown viruses
  - Programs are run in a safe environment to detect virus-like activities

Slide 14: Authorization and Access Control
- Assures that only authorized users are able to access those files, directories, and applications to which they are entitled
- Simplest method is requiring users to use passwords
- Further security can be enforced by making the users choose passwords with certain features, requiring them to change passwords at intervals
- Modern authentication systems use smart cards
- Future trends - biometric authentication (fingerprints and retinal patterns)
- Access to resources can be restricted by giving different levels of access permissions

Slide 15: Encryption
- Encryption involves changing of data into an indecipherable form
- Decryption - changing the code back into original message
- DES (Data Encryption Standard) - Private Key Encryption
  - 64 bit encryption - 2 to the 64th power number of combinations
  - Both the sender and the receiver must know the private key
  - If private key is intercepted, encryption system is compromised

Slide 16: Encryption
- RSA Standard (Rivest-Shamir-Adleman) - Public Key Encryption
  - Makes use of a public/private key combination
- Digital Signature Encryption
  - An original document is processed using a hash algorithm
  - The unique hash string is encoded using the sender’s private key
  - Recipient re-generates the original document to compare it with the document received