Download Chapter 10: Electronic Commerce Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
Document related concepts

Malware wikipedia , lookup

Airport security wikipedia , lookup

Cyberwarfare wikipedia , lookup

Next-Generation Secure Computing Base wikipedia , lookup

Trusted Computing wikipedia , lookup

Deep packet inspection wikipedia , lookup

Unix security wikipedia , lookup

Web of trust wikipedia , lookup

Information security wikipedia , lookup

Cryptanalysis wikipedia , lookup

Cyberattack wikipedia , lookup

Wireless security wikipedia , lookup

Cryptography wikipedia , lookup

Hacker wikipedia , lookup

History of cryptography wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Certificate authority wikipedia , lookup

Security-focused operating system wikipedia , lookup

International cybercrime wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Mobile security wikipedia , lookup

Distributed firewall wikipedia , lookup

Computer security wikipedia , lookup

Cybercrime wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Chapter 10:
Electronic Commerce Security
Online Security Issues Overview
 Computer security
 The protection of assets from unauthorized access, use,
alteration, or destruction
 Physical security
 Includes tangible protection devices
 Logical security
 Protection of assets using nonphysical means
 Threat
 Any act or object that poses a danger to computer assets
Terms - Countermeasure
Managing Risk
 General name for a procedure that recognizes, reduces, or
eliminates a threat
 Eavesdropper
 Person or device that can listen in on and copy Internet
transmissions
 Crackers or hackers
 Write programs or manipulate technologies to obtain
unauthorized access to computers and networks
Computer Security Classification
 Secrecy/Confidentiality
 Protecting against unauthorized
data disclosure
 Technical issues
 Privacy
 The ability to ensure the use of
information about oneself
 Legal Issues
 Integrity
 Preventing unauthorized data
modification by an unauthorized
party
 Necessity
 Preventing data delays or denials
(removal)
 Nonrepudiation
 Ensure that e-commerce
participants do not deny (i.e.,
repudiate) their online actions
 Authenticity
 The ability to identify the identity
of a person or entity with whom you
are dealing on the Internet
Some solutions --
Exercise
 Visit the Copyright Web site:
 http://www.benedict.com/
 Check out examples of copyright infringement:
 Audio arts
 Visual arts
 Digital arts
 Read comments Under “Info”
Security Threats in the
E-commerce Environment
Three key points of vulnerability
 the client
 communications pipeline
 the server
Active Content
 Active content refers to
programs embedded
transparently in Web pages
that cause an action to occur
 Scripting languages
 Provide scripts, or commands,
that are executed
 Applet
 Small application program
 Java
 Active X
 Trojan horse
 Program hidden inside another
program or Web page that
masks its true purpose
 Zombie
 Program that secretly takes
over another computer to
launch attacks on other
computers
 Attacks can be very difficult
to trace to their creators
Viruses, Worms, and Antivirus Software
 Virus
 Software that attaches itself to another program
 Can cause damage when the host program is activated
 Macro virus
 Type of virus coded as a small program (macro) and is
embedded in a file
 Antivirus software
 Detects viruses and worms
Digital Certificates
 A digital certificate is a
program embedded in a Web
page that verifies that the
sender or Web site is who or
what it claims to be
 Main elements:
 Certificate owner’s identifying
information
 Certificate owner’s public key
 A certificate is signed code or
messages that provide proof
that the holder is the person
identified by the certificate
 Dates between which the
certificate is valid
 Certification authority (CA)
issues digital certificates
 Name of the certificate issuer
 Serial number of the
certificate
 Digital signature of the
certificate issuer
Communication Channel Security
 Recall that - Secrecy is the prevention of unauthorized information disclosure
 Privacy is the protection of individual rights to nondisclosure
 Sniffer programs
 Provide the means to record information passing through a
computer or router that is handling Internet traffic
Demonstration of working of a Java implementation of a Packet Sniffer
Other Threats
Integrity
 Integrity threats exist when an
unauthorized party can alter a
message stream of information
 Cybervandalism
 Electronic defacing of an existing
Web site’s page
 Masquerading or spoofing
 Pretending to be someone you are
not
 Domain name servers (DNSs)
 Computers on the Internet that
maintain directories that link
domain names to IP addresses
Anonymizer
A Web site that provides a
measure of secrecy as long
as it’s used as the portal to
the Internet
http://www.anonymizer.com
Necessity
 Purpose is to disrupt or deny
normal computer processing
 DoS attacks
 Remove information altogether
 Delete information from a
transmission or file
Wireless Network Threats
 Wardrivers
 Attackers drive around using their
wireless-equipped laptop computers
to search for accessible networks
 Warchalking
 When wardrivers find an open
network they sometimes place a
chalk mark on the building
Tools Available to Achieve Site Security
Encryption

Transforms plain text or data into cipher text that cannot be
read by anyone outside of the sender and the receiver.
Purpose:



Cipher text


to secure stored information
to secure information transmission.
text that has been encrypted and thus cannot be read by anyone
besides the sender and the receiver
Symmetric Key Encryption

DES standard most widely used
Group Exercise
 Julius Caesar supposedly used secret codes known
today as Caesar Cyphers. The simplest replaces A
with B, B with C etc. This is called a one-rotate
code. The following is encrypted using a simple
Caesar rotation cypher. See if you can decrypt it:
 Mjqqt hfjxfw. Mtb nx dtzw hnumjw? Xyfd fbfd
kwtr ymj xjsfyj ytifd.
Encryption

Public key cryptography




uses two mathematically related digital
keys: a public key and a private key.
The private key is kept secret by the
owner, and the public key is widely
disseminated.
Both keys can be used to encrypt and
decrypt a message.
A key used to encrypt a message, cannot
be used to unencrypt the message
Public Key Cryptography with Digital Signatures
Public Key Cryptography: Creating a Digital Envelope
Securing Channels of Communications


Secure Sockets Layer (SSL)
is the most common form of
securing channels
Secure negotiated session


client-server session where
the requested document
URL, contents, forms, and
cookies are encrypted.
Session key is a unique
symmetric encryption key
chosen for a single secure
session
Firewalls
 Software or hardware and
software combination installed on a
network to control packet traffic
 Packet-filter firewalls
 Provides a defense between the
network to be protected and the
Internet, or other network that
could pose a threat
 Characteristics
 Gateway servers
 All traffic from inside to outside
and from outside to inside the
network must pass through the
firewall
 Only authorized traffic is allowed
to pass
 Firewall itself is immune to
penetration
 Trusted networks are inside the
firewall
 Untrusted networks are outside
the firewall
 Examine data flowing back and
forth between a trusted network
and the Internet
 Firewalls that filter traffic based
on the application requested
 Proxy server firewalls
 Firewalls that communicate with
the Internet on the private
network’s behalf
Security Policy and Integrated Security
 A security policy is a written
statement describing:
 Which assets to protect and
why they are being protected
 Who is responsible for that
protection
 Which behaviors are
acceptable and which are not
 First step in creating a
security policy
 Elements of a security policy
address:
 Authentication
 Access control
 Secrecy
 Data integrity
 Audits
 Determine which assets to
protect from which threats
Protection of Information Assets CISA 2006 Exam Preparation
Tension Between Security and Other Values

Ease of use

Often security slows down processors and adds significantly to
data storage demands. Too much security can harm profitability;
not enough can mean going out of business.

Public Safety & Criminal Use

claims of individuals to act anonymously vs. needs of public
officials to maintain public safety in light of criminals or
terrorists.
Some questions
 Can internet security measures actually create
opportunities for criminals to steal? How?
 Why are some online merchants hesitant to ship to
international addresses?
 What are some steps a company can take to thwart cybercriminals from within a business?
 Is a computer with anti-virus software protected from
viruses? Why or why not?
 What are the differences between encryption and
authentication?
 Discuss the role of administration in implementing a
security policy?
Security for Server Computers
 Web server
 Can compromise secrecy if it allows automatic directory
listings
 Can compromise security by requiring users to enter a
username and password
 Dictionary attack programs
 Cycle through an electronic dictionary, trying every word
in the book as a password
Other Programming Threats
 Buffer
 An area of memory set aside to hold data read from a file
or database
 Buffer overrun
 Occurs because the program contains an error or bug that
causes the overflow
 Mail bomb
 Occurs when hundreds or even thousands of people each
send a message to a particular address
Organizations that Promote Computer Security
 CERT
 Responds to thousands of security incidents each year
 Helps Internet users and companies become more knowledgeable
about security risks
 Posts alerts to inform the Internet community about security
events
 www.cert.org
 SANS Institute
 A cooperative research and educational organization
 SANS Internet Storm Center
 Web site that provides current information on the location and
intensity of computer attacks
 Microsoft Security Research Group
 Privately sponsored site that offers free information about
computer security issues
Related documents
E-Commerce and Bank Security
E-Commerce and Bank Security
ITS_8_Security Vocab Answers
ITS_8_Security Vocab Answers
Association for Molecular Pathology Certificate of
Association for Molecular Pathology Certificate of
Webinar - Association for Molecular Pathology
Webinar - Association for Molecular Pathology
Network Infrastructure Security
Network Infrastructure Security
Association for Molecular Pathology Certificate of Attendance
Association for Molecular Pathology Certificate of Attendance
Networking Support Certificate C25340B
Networking Support Certificate C25340B
Social Media Marketing Certificate
Social Media Marketing Certificate
Firewall Configuration
Firewall Configuration
CS572: Computer Security
CS572: Computer Security
Mod_7-Ch11
Mod_7-Ch11
CH10 E-Commerce Fraud and Security
CH10 E-Commerce Fraud and Security