Lecture 6
Ref: chapter 10
Copyright © 2015 Springer Education
E-Commerce Security and Fraud
Issues and Protections
Learning Objectives
1. Understand the importance and scope of security of information systems for EC.
2. Understand the major EC security threats, vulnerabilities, and technical attacks.
3. Understand Internet fraud, phishing, and spam.
4. Describe the information assurance security principles.
5. Describe the major technologies for protection of EC networks.
6. Describe various types of controls and special defense mechanisms.
7. Discuss enterprise-wide implementation issues for EC security.
8. Understand why it is so difficult to stop computer crimes.
10.1 THE INFORMATION SECURITY PROBLEM
Computer security:
The protection of data, networks, computer programs, computer power, and other elements of computerized information systems. Computer security aims to prevent, or at least minimize, attacks.

Information security:
A variety of activities and methods that protect information systems, data, and procedures from any action designed to destroy, modify, or degrade the systems and their operations.
Types of Attacks:
1. Corporate espionage: Many attacks target energy-related companies because their inside information is valuable.
2. Political espionage and warfare: Political espionage and cyberwars are increasing in magnitude. Sometimes these are related to corporate espionage.
10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
The EC Security Battleground:
The essence of EC security can be viewed as a battleground between attackers and defenders, shaped by the defenders' security requirements.
Components of the battleground:
1. The attacks, the attackers, and their strategies.
2. The assets that are being attacked (the targets) in vulnerable areas.
3. The security defense, the defenders, and their methods and strategy.
Unintentional Threat Categories:
1. Human errors: These can occur in the design of hardware, software, or information systems, and also in programming, testing, and data collection.
2. Environmental hazards: Natural disasters and other environmental conditions outside of human control, such as sandstorms, floods, and fires.
3. Malfunctions in the computer system: Defects can result from poor manufacturing, defective materials, memory leaks, and outdated or poorly maintained networks.
EC Security Requirements:
The following set of security requirements is used to assure success and to minimize EC transaction risks:
1. Authentication: A process used to verify (assure) the real identity of an EC entity, which could be an individual, software agent, computer program, or EC website.
2. Authorization: The provision of permission to an authenticated person or program to access systems and perform certain operations in those specific systems.
3. Auditing: When a person or program accesses a website or queries a database, various pieces of information are recorded or logged into a file.
4. Availability: Assuring that systems and information are available to the user when needed and that the site continues to function.
5. Non-repudiation (closely related to authentication): The assurance that online customers or trading partners will not be able to falsely deny their purchase, transaction, sale, or other obligation. In practice this needs evidence that a third party can verify, such as a digital signature over the transaction; a password login or a shared-secret MAC does not provide it, because the site itself could have produced that record.
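As an added example that is not part of the lecture or the textbook, the following Python shows the first three requirements working together on one checkout endpoint: a salted PBKDF2 password check for authentication, a role-to-permission table for authorization, and a structured audit record for every decision, denials included. The user names, passwords, roles, action names and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Optional

# Constructed example: one checkout endpoint protected by authentication,
# authorization and auditing. All names and parameters below are assumptions.

PBKDF2_ITERATIONS = 200_000          # assumed work factor; tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_user_store() -> dict:
    """Constructed user database: username -> {salt, hash, role}."""
    store = {}
    for name, password, role in [("alice", "correct horse battery staple", "customer"),
                                 ("bob", "Tr0ub4dor&3", "admin")]:
        salt, digest = hash_password(password)
        store[name] = {"salt": salt, "hash": digest, "role": role}
    return store


# 1. Authentication: verify the claimed identity.
def authenticate(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    # Hash even for unknown users so response time does not reveal which accounts exist.
    salt = record["salt"] if record else bytes(16)
    _, digest = hash_password(password, salt)
    # compare_digest avoids leaking how many bytes matched through timing.
    return record is not None and hmac.compare_digest(digest, record["hash"])


# 2. Authorization: what an authenticated principal is allowed to do.
PERMISSIONS = {
    "customer": {"view_own_order", "place_order"},
    "admin":    {"view_own_order", "place_order", "refund_order", "view_all_orders"},
}


def authorized(store: dict, username: str, action: str) -> bool:
    role = store[username]["role"]
    return action in PERMISSIONS.get(role, set())


# 3. Auditing: append a structured record for every decision, allowed or denied.
def audit(log: list, event: str, **fields) -> None:
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
    log.append(json.dumps(entry, sort_keys=True))


def handle_request(store: dict, log: list, username: str, password: str, action: str) -> str:
    """Returns 'ok', 'auth_failed' or 'forbidden'; every path leaves an audit record."""
    if not authenticate(store, username, password):
        audit(log, "auth_failed", user=username, action=action)
        return "auth_failed"
    if not authorized(store, username, action):
        audit(log, "forbidden", user=username, action=action)
        return "forbidden"
    audit(log, "allowed", user=username, action=action)
    return "ok"


if __name__ == "__main__":
    store, log = make_user_store(), []
    print(handle_request(store, log, "alice", "correct horse battery staple", "place_order"))   # ok
    print(handle_request(store, log, "alice", "correct horse battery staple", "refund_order"))  # forbidden
    print(handle_request(store, log, "mallory", "guess", "refund_order"))                        # auth_failed
    print(*log, sep="\n")
```

Two details carry most of the security value: the password hash is computed even for unknown user names, so response time does not reveal which accounts exist, and denials are logged as well as successes, because the denied attempts are what a later detection step has to work from.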
The Defense: Defenders, Strategy, and Methods:
EC security strategy consists of multiple layers of defense that include several methods. This defense aims to deter, prevent, and detect unauthorized entry into an organization's computer and information systems.
1. Deterrent methods: countermeasures that make criminals abandon their idea of attacking a specific system.
2. Prevention measures: help stop unauthorized people from accessing the EC system.
3. Detection measures: help find security breaches in computer systems.
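As an added example that is not from the lecture, the following Python runs two detection rules over constructed audit-log lines of the kind the auditing requirement produces: a burst of failed logins from one source address inside a short window, and repeated forbidden decisions for one user, which is what probing for privileges beyond one's role looks like in a log. The log lines, field names and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines (not from any real system). Each line carries a UTC
# timestamp, the source address, the user name and the decision that was logged.
SAMPLE_LOG = """\
2015-03-01T10:00:01Z src=198.51.100.5 user=alice event=allowed action=place_order
2015-03-01T10:00:05Z src=203.0.113.7 user=bob event=auth_failed action=refund_order
2015-03-01T10:00:06Z src=203.0.113.7 user=bob event=auth_failed action=refund_order
2015-03-01T10:00:08Z src=203.0.113.7 user=bob event=auth_failed action=refund_order
2015-03-01T10:00:09Z src=203.0.113.7 user=bob event=auth_failed action=refund_order
2015-03-01T10:00:11Z src=203.0.113.7 user=bob event=auth_failed action=refund_order
2015-03-01T10:00:40Z src=198.51.100.5 user=alice event=forbidden action=view_all_orders
2015-03-01T10:00:41Z src=198.51.100.5 user=alice event=forbidden action=refund_order
2015-03-01T10:00:42Z src=198.51.100.5 user=alice event=forbidden action=view_all_orders
2015-03-01T10:05:00Z src=192.0.2.9 user=carol event=auth_failed action=view_own_order
2015-03-01T10:15:00Z src=192.0.2.9 user=carol event=auth_failed action=view_own_order
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+) action=(?P<action>\S+)$"
)


def parse(line: str) -> dict:
    """Parse one audit line into a dict; reject anything that does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text: str, fail_threshold: int = 5,
           fail_window: timedelta = timedelta(seconds=60),
           forbidden_threshold: int = 3) -> list:
    """Two detections over the stream, each alerting once when its threshold is first crossed:
    - brute_force: at least fail_threshold auth_failed events from one source within fail_window
    - privilege_probing: at least forbidden_threshold forbidden decisions for one user
    """
    alerts = []
    failures = defaultdict(deque)     # src -> timestamps of recent auth_failed events
    forbidden = defaultdict(int)      # user -> running count of forbidden decisions
    alerted = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec["event"] == "auth_failed":
            window = failures[rec["src"]]
            window.append(rec["ts"])
            while window and rec["ts"] - window[0] > fail_window:   # slide the window
                window.popleft()
            key = ("brute_force", rec["src"])
            if len(window) >= fail_threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "brute_force", "src": rec["src"],
                               "at": rec["ts"].isoformat()})
        elif rec["event"] == "forbidden":
            forbidden[rec["user"]] += 1
            key = ("privilege_probing", rec["user"])
            if forbidden[rec["user"]] >= forbidden_threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "privilege_probing", "user": rec["user"],
                               "at": rec["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, bob's five failures within six seconds from 203.0.113.7 trigger the brute-force rule, alice's three forbidden requests trigger the privilege-probing rule, and carol's two failures ten minutes apart trigger nothing. The thresholds are deliberately parameters: the right values depend on the site's normal traffic, and a rule that fires on every typo is one that gets ignored.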
10.5 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
Information Assurance (IA) model:
A point of reference used to identify problem areas and evaluate the information security of an organization. The model has three necessary attributes:
1. Confidentiality.
2. Integrity.
3. Availability.
The success and security of EC can be measured by these attributes.

Information Assurance (IA):
- Making sure that a customer is safe and secure while shopping online is a crucial part of improving the online buyer's experience.
- Measures taken to protect information systems and their processes against all risks, in other words to assure the systems' availability when needed. The assurance includes all tools and defense methods.
1. Confidentiality: The assurance of data secrecy and privacy; namely, the data is disclosed only to authorized people (enforced with encryption and passwords).
2. Integrity: The assurance that data are accurate and that they cannot be altered without detection. The integrity attribute needs to be able to detect and prevent the unauthorized creation, modification, or deletion of data or messages in transit.
3. Availability: The assurance that access to any relevant data, information, websites, or other EC services, and their use, is available in real time, whenever and wherever needed.
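As an added example that is not part of the lecture, the following Python contrasts two ways of protecting an order message in transit: an unkeyed SHA-256 checksum, which an on-path attacker can simply recompute after changing the price, and an HMAC over the same canonical bytes, which cannot be recomputed without the shared key. The order fields, the key and the simulated attacker are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed example: an order message sent from a shop front end to an order service.
# The shared key is an assumption; in practice it comes from a secrets manager.
SHARED_KEY = b"example-key-replace-in-production"


def canonical(message: dict) -> bytes:
    """Deterministic encoding so sender and receiver hash exactly the same bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode("utf-8")


# Weak: unkeyed checksum. Anyone who can change the message can also recompute this.
def protect_with_hash(message: dict) -> dict:
    return {"body": message, "check": hashlib.sha256(canonical(message)).hexdigest()}


def verify_hash(envelope: dict) -> bool:
    return hashlib.sha256(canonical(envelope["body"])).hexdigest() == envelope["check"]


# Strong: keyed MAC. Recomputing the tag requires the key the attacker does not have.
def protect_with_mac(message: dict, key: bytes = SHARED_KEY) -> dict:
    tag = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return {"body": message, "tag": tag}


def verify_mac(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    expected = hmac.new(key, canonical(envelope["body"]), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from timing.
    return hmac.compare_digest(expected, envelope["tag"])


def tamper_in_transit(envelope: dict) -> dict:
    """Simulated on-path attacker: lowers the price and, if the envelope carries an
    unkeyed checksum, recomputes it so the change is not noticed. It cannot recompute
    the MAC because it does not hold SHARED_KEY."""
    forged = {"body": dict(envelope["body"]),
              **{k: v for k, v in envelope.items() if k != "body"}}
    forged["body"]["amount_cents"] = 1
    if "check" in forged:
        forged["check"] = hashlib.sha256(canonical(forged["body"])).hexdigest()
    return forged


ORDER = {"order_id": "A-1001", "sku": "SKU-42", "amount_cents": 129900}   # constructed order


def demo() -> dict:
    """Run both schemes through the attacker and report what the receiver accepts."""
    hashed = tamper_in_transit(protect_with_hash(ORDER))
    macd = tamper_in_transit(protect_with_mac(ORDER))
    return {
        "hash_accepts_forgery": verify_hash(hashed),   # True: the forged order passes
        "mac_accepts_forgery": verify_mac(macd),       # False: tampering is detected
        "mac_accepts_genuine": verify_mac(protect_with_mac(ORDER)),
    }


if __name__ == "__main__":
    print(demo())
```

The canonical encoding matters as much as the key: if sender and receiver serialize the same fields in different orders, a genuine message fails verification. Note also what a MAC does and does not give: integrity and origin to the two parties who share the key, but not non-repudiation, since either of them could have produced the tag; that property needs a digital signature with a key only the signer holds.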
E-Commerce Security Strategy:
EC security needs to address the IA model and its components.
The Phases of Security Defense:
1. Prevention and deterrence (preparation): Good controls may prevent criminal activities and human error from occurring.
2. Initial response: Verifying whether there is an attack. If so, determine how the intruder gained access to the system and which systems and data are infected or corrupted.
3. Detection: The earlier an attack is detected, the easier it is to fix the problem, and the less damage is done.
4. Containment (contain the damage): Minimize or limit losses once a malfunction has occurred.
5. Eradication: Remove the malware, and any other foothold the intruder left behind, from infected hosts.
6. Recovery: Recovery needs to be planned for to assure a quick return to normal operations at a reasonable cost. One option is to replace parts rather than to repair them.
7. Correction: Finding the causes of damaged systems and fixing them.
8. Awareness and compliance: All organization members must be educated about possible hazards and must comply with the security rules and regulations.
10.9 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
Drivers for EC security management:
- The laws and regulations with which organizations must comply.
- The conduct of global EC.
- Information assets have become critical to the operation of many businesses.
- New and faster information technologies are shared throughout organizations.
- The complexity of both the attacks and the defense requires an organization-wide collaboration approach.
EC Security Policies and Training:
- An important security task is developing an organizational EC security policy, as well as procedures for specific security and EC activities such as access control and protecting customer data.
- The policies need to be disseminated throughout the organization and the necessary training needs to be provided.
First example: to protect privacy during data collection, policies need to specify that customers should:
- Know that data is being collected.
- Give their permission for the data to be collected.
- Have knowledge of, and some control over, how the data is stored and used.
- Be informed that the information collected is not to be shared with other organizations.
Second example: to protect against criminal use of social media, you can:
- Develop policies and procedures that exploit the opportunities while still providing customer protection.
- Educate employees and others about what is acceptable and what is not.
The major reasons Internet crime is so difficult to stop:
- Making shopping inconvenient (strong controls add friction for shoppers).
- Lack of cooperation by business partners.
- Shoppers' negligence.
- Ignoring EC security best practices.
- Design and architecture issues.
- Lack of due care in business practices.