1. E-Commerce E-Commerce Security?? Instructor: Safaa S.Y. Dalloul E-Business Level 2 2013-2014 Try to be the Best

2. Elements of Lecture Introduction Why SecurityBasic Security IssuesSecurity Risk ManagementTypes of threats and attackSecurity Technologies

4. Introduction Why Security  With the rapid growth of EC, things have changed, consumers use their credit cards to purchase goods and services online, they also use their email account to conduct business. “This needs a serious protection of the data being transferred over the internet, so security needed.”

6. Basic Security Issues AuthenticationAuthorizationAuditingPrivacyIntegrity

7. Basic Security Issues Authentication

8. Basic Security Issues  The Process to verify (assure) the real identity of an individual, computer, computer program, or EC Web site  Authentication requires evidence in the form of identifications, which can take a variety of forms including something known; something possessed or something unique such as passwords, smartcards and signatures. Authentication

9. Basic Security Issues Authorization Allow Not Allow

10. Basic Security Issues Process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform Authorization

11. Basic Security Issues Auditing

12. Basic Security Issues If a person or program accesses a web site, various pieces of information are noted in a log file. If a person or program queries a database, the action is also noted in a log file. Process of recording information about what Web site, data, file, or network was accessed, when, and by whom or what. Auditing

13. Basic Security Issues It’s the collection of information about accessing particular resources, using particular privileges, or performing other security actions is known as auditing. Auditing

14. Basic Security Issues Privacy

15. Basic Security Issues Privacy: information that is private or sensitive should not be disclosed to unauthorized individuals, some examples are business plans, credit card numbers and even fact that a person visited a particular web site. This information is confidential and private. Privacy

16. Basic Security Issues Integrity

17. Basic Security Issues Integrity: the ability to protect data from being altered or destroyed in an unauthorized or accidental manner is called integrity. Data can be altered or destroyed while it's in transit of after it is stored. Integrity

19. Security Risk Management Risk Management consists of four phases, assessment, planning, implementation and monitoring phases. To understand these phases a few definitions are in order.

20. Security Risk Management Assets: Anything of value that is worth securing. They can include tangible goods and intangible. Threat: Any eventuality that represents a danger to an asset. Vulnerability: Weakness in software or other mechanism that threatens the confidentiality, integrity, or availability of an asset. It can be directly used by a hacker to gain access to a system or network

21. Security Risk Management In this phase, organizations evaluate their security risks by determining their assets, threats, and vulnerabilities.

22. Security Risk Management HOW

23. Security Risk Management 1)Determine organizational objective: it's possible to safeguard against every eventuality, safeguards should be selected on the basis of an organization's objectives and requirements. 2)Inventory Assets: should be itemize all of the critical tangible and intangible assets on the network. The relative value and criticality of these assets also needs to be determined.

24. Security Risk Management 3)Delineate threats: potential risks can come from any person or thing that can use the network to harm an organization's assets, including hackers, viruses, human errors 4)Identify Vulnerabilities

25. Security Risk Management 5)Quantify the value for each risk: this is what is meant by quantitative risk analysis, in which equations used to assign a numerical value to a risk. The calculated values of the various risks are used to prioritize those risks that need safeguarding. Risk= Assets X Threat X Vulnerability.

26. Security Risk Management In this phase, the primary goal of this phase is to arrive at a set of security policies defining which threats are tolerable and which are not.

27. Security Risk Management HOW

28. Security Risk Management 1)Define Specific Policies: each policy needs to detail how a particular safeguard will be instituted, why the safeguard is being implemented, when it will be responsible for the safeguard.

29. Security Risk Management 2)Establish processes for audit and review: security is an ongoing activity that needs to be adapted to changes in an organization's objectives, assets, threats and vulnerabilities. This requires regular reviews in order to determine the effectiveness of particular policies.

30. Security Risk Management 3)Establish an incident response team and contingency plan.

31. Security Risk Management In this phase, particular technologies are chosen to counter high-priority threats. The selection of particular technologies is based on the general guidelines established in the planning phase. A first step of this phase is selecting generic types of technology for each of the high priority threats. Given the generic types, particular software from particular vendors can then be selected.

32. Security Risk Management It's ongoing process that is used to determine which measures are successful. Which measures are unsuccessful and need modification, whether there are any new types of threat, whether there have been advances or changes in technology and whether there are any new business requirements that need securing.

34. Types of threats and attacks

37. Security Tehcnologies