Download Security Threats

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
Document related concepts

Java performance wikipedia , lookup

Transcript 
Chapter 5
5
Security Threats to
Electronic Commerce
Electronic Commerce
1
Objectives
 Important
5
computer and electronic
commerce security terms
 Why secrecy, integrity, and necessity
are three parts of any security program
 The roles of copyright and intellectual
property and their importance in any
study of electronic commerce
2
Objectives
 Threats
5
and counter measures to
eliminate or reduce threats
 Specific threats to client machines, Web
servers, and commerce servers
 Enhance security in back office products,
such as database servers
 How security protocols plug security
holes
 Roles encryption and certificates play
3
Security Overview
 Many
fears to overcome
Intercepted e-mail messages
 Unauthorized access to digital intelligence
 Credit card information falling into the
wrong hands

5
 Two
types of computer security
Physical - protection of tangible objects
 Logical - protection of non-physical objects

4
Security Overview
Figure 5-1
 Countermeasures
5
are procedures,
either physical or logical, that
recognize, reduce, or eliminate a threat
5
Computer Security Classification
 Secrecy

5
Protecting against unauthorized data
disclosure and ensuring the authenticity of
the data’s source
 Integrity

Preventing unauthorized data modification
 Necessity

Preventing data delays or denials
(removal)
6
Copyright and
Intellectual Property
 Copyright

5
Protecting expression
 Literary
and musical works
 Pantomimes and choreographic works
 Pictorial, graphic, and sculptural works
 Motion pictures and other audiovisual works
 Sound recordings
 Architectural works
7
Copyright and
Intellectual Property
 Intellectual

5
property
The ownership of ideas and control over
the tangible or virtual representation of
those ideas
 U.S.
Copyright Act of 1976
Protects previously stated items for a fixed
period of time
 Copyright Clearance Center

 Clearinghouse
for U.S. copyright information
8
Copyright Clearance Center Home Page
Figure 5-2
5
9
Security Policy and
Integrated Security
 Security
5
policy is a written statement
describing what assets are to be
protected and why, who is responsible,
which behaviors are acceptable or not
Physical security
 Network security
 Access authorizations
 Virus protection
 Disaster recovery

10
Specific Elements of
a Security Policy
 Authentication

5
Who is trying to access the site?
 Access

Control
Who is allowed to logon and access the
site?
 Secrecy

Who is permitted to view selected
information
11
Specific Elements of
a Security Policy
 Data

5
integrity
Who is allowed to change data?
 Audit

What and who causes selected events to
occur, and when?
12
Intellectual Property Threats
 The
Internet presents a tempting target
for intellectual property threats
5
Very easy to reproduce an exact copy of
anything found on the Internet
 People are unaware of copyright
restrictions, and unwittingly infringe on
them

 Fair
use allows limited use of copyright
material when certain conditions are met
13
The Copyright Website Home Page
Figure 5-3
5
14
Intellectual Property Threats
 Cybersquatting

5
The practice of registering a domain name
that is the trademark of another person or
company
 Cybersquatters
hope that the owner of the
trademark will pay huge dollar amounts to
acquire the URL
 Some Cybersquatters misrepresent
themselves as the trademark owner for
fraudulent purposes
15
Electronic Commerce Threats
 Client

5
Threats
Active Content
 Java
applets, Active X controls, JavaScript,
and VBScript
 Programs that interpret or execute instructions
embedded in downloaded objects
 Malicious active content can be embedded into
seemingly innocuous Web pages
 Cookies remember user names, passwords,
and other commonly referenced information
16
Java, Java Applets,
and JavaScript
 Java
5
is a high-level programming
language developed by Sun
Microsystems
 Java code embedded into appliances
can make them run more intelligently
 Largest use of Java is in Web pages
(free applets can be downloaded)
 Platform independent - will run on any
computer
17
Java Applet Example
Figure 5-4
5
18
Sun’s Java Applet Page
Figure 5-5
5
19
Java, Java Applets,
and JavaScript
 Java
sandbox
Confines Java applet actions to a security
model-defined set of rules
 Rules apply to all untrusted applets,
applets that have not been proven secure

5
 Signed

Java applets
Contain embedded digital signatures
which serve as a proof of identity
20
ActiveX Controls
 ActiveX
5
is an object, called a control,
that contains programs and properties
that perform certain tasks
 ActiveX controls only run on Windows
95, 98, or 2000
 Once downloaded, ActiveX controls
execute like any other program, having
full access to your computer’s
resources
21
ActiveX Warning Dialog box
Figure 5-6
5
22
Graphics, Plug-ins, and
E-mail Attachments
 Code
5
can be embedded into graphic
images causing harm to your computer
 Plug-ins are used to play audiovisual
clips, animated graphics

Could contain ill-intentioned commands
hidden within the object
 E-mail
attachments can contain
destructive macros within the document
23
Netscape’s Plug-ins Page
Figure 5-7
5
24
Communication
Channel Threats
 Secrecy
Threats
Secrecy is the prevention of unauthorized
information disclosure
 Privacy is the protection of individual rights
to nondisclosure
 Theft of sensitive or personal information
is a significant danger
 Your IP address and browser you use are
continually revealed while on the web

5
25
Communication
Channel Threats
 Anonymizer
A Web site that provides a measure of
secrecy as long as it’s used as the portal
to the Internet
 http://www.anonymizer.com

5
 Integrity
Threats
Also known as active wiretapping
 Unauthorized party can alter data

 Change
the amount of a deposit or withdrawal
26
Anonymizer’s Home Page
Figure 5-8
5
27
Communication
Channel Threats
 Necessity
Threats
Also known as delay or denial threats
 Disrupt normal computer processing

5
 Deny
processing entirely
 Slow processing to intolerably slow speeds
 Remove file entirely, or delete information from
a transmission or file
 Divert money from one bank account to
another
28
Server Threats
 The
5
more complex software becomes,
the higher the probability that errors
(bugs) exist in the code
 Servers run at various privilege levels
Highest levels provide greatest access
and flexibility
 Lowest levels provide a logical fence
around a running program

29
Server Threats
 Secrecy
5
violations occur when the
contents of a server’s folder names are
revealed to a Web browser
 Administrators can turn off the folder
name display feature to avoid secrecy
violations
 Cookies should never be transmitted
unprotected
30
Displayed Folder Names
Figure 5-9
5
31
Server Threats
 One
5
of the most sensitive files on a
Web server holds the username and
password pairs
 The Web server administrator is
responsible for ensuring that this, and
other sensitive files, are secure
32
Database Threats
 Disclosure
5
of valuable and private
information could irreparably damage a
company
 Security is often enforced through the
use of privileges
 Some databases are inherently
insecure and rely on the Web server to
enforce security measures
33
Oracle Security Features Page
Figure 5-10
5
34
Other Threats
 Common
Gateway Interface (CGI)
Threats
5
CGIs are programs that present a security
threat if misused
 CGI programs can reside almost
anywhere on a Web server and therefore
are often difficult to track down
 CGI scripts do not run inside a sandbox,
unlike JavaScript

35
Other Threats
 Other
programming threats include
Programs executed by the server
 Buffer overruns can cause errors
 Runaway code segments

5
 The
Internet Worm attack was a runaway code
segment

Buffer overflow attacks occur when control
is released by an authorized program, but
the intruder code instructs control to be
turned over to it
36
Buffer Overflow Attack
Figure 5-11
5
37
Computer Emergency Response
Team (CERT)
 Housed
5
at Carnegie Mellon University
 Responds to security events and
incidents within the U.S. government
and private sector
 Posts CERT alerts to inform Internet
users about recent security events
38
CERT Alerts
Figure 5-12
5
39
Related documents
Customer markets
Customer markets
Slayt 1
Slayt 1
A. Explain the nature of marketing plans. B. Explain the role
A. Explain the nature of marketing plans. B. Explain the role
MKT 450 Group Project
MKT 450 Group Project
A. Explain the nature of marketing plans. B. Explain the role of
A. Explain the nature of marketing plans. B. Explain the role of
SECURITY IN THE BALTIC SEA REGION 1. Lecture
SECURITY IN THE BALTIC SEA REGION 1. Lecture
The Great Smoky Mountains - St.Mary's Parish Annapolis
The Great Smoky Mountains - St.Mary's Parish Annapolis
4a Targets Key Points - Conservation Gateway
4a Targets Key Points - Conservation Gateway
E-Commerce and Bank Security
E-Commerce and Bank Security
Data Warehouse
Data Warehouse
3 - School-Portal.co.uk
3 - School-Portal.co.uk
Web server software
Web server software