
Chapter 11 E-COMMERCE SECURITY. Chapter 10 Copyright © 2009 Pearson Education, Inc. Publishing as Prentice Hall1 Learning Objectives Explain EC-related.


1 Chapter 11 E-COMMERCE SECURITY

2 Learning Objectives
Explain EC-related crimes and why they cannot be stopped.
Describe an EC security strategy and why a life cycle approach is needed.
Describe the information assurance security principles.
Describe EC security issues from the perspective of customers and e-businesses.

3 Learning Objectives
Identify the major EC security threats, vulnerabilities, and risk.
Identify and describe common EC threats and attacks.
Identify and assess major technologies and methods for securing EC communications.
Identify and assess major technologies for information assurance and protection of EC networks.

4 Stopping E-Commerce Crimes
Six major reasons why it is difficult for e-tailers to stop cyber criminals and fraudsters:
1. Strong EC security makes online shopping inconvenient for customers
2. Lack of cooperation from credit card issuers and foreign ISPs
3. Online shoppers do not take necessary precautions to avoid becoming a victim
4. IS design and security architecture are vulnerable to attack
5. Software vulnerabilities (bugs) are a huge security problem
6. Managers sometimes ignore due standards of care

5 Stopping E-Commerce Crimes

6 Stopping E-Commerce Crimes
Exposure exists when a computing system:
Allows an attacker to conduct information gathering activities.
Allows an attacker to hide activities.
Includes a capability that behaves as expected, but can be easily compromised.
Is a primary point of entry that an attacker may attempt to use to gain access to the system or data, or
Is considered a problem according to some reasonable security policy.

7 E-Commerce Security Strategy and Life Cycle Approach
THE INTERNET'S VULNERABLE DESIGN
THE SHIFT TO PROFIT-MOTIVATED CRIMES
TREATING EC SECURITY AS A PROJECT

8 E-Commerce Security Strategy and Life Cycle Approach
IGNORING EC SECURITY BEST PRACTICES
Computing Technology Industry Association (CompTIA): Nonprofit trade group providing information security research and best practices.

9 Information Assurance
information assurance (IA): The protection of information systems against unauthorized access to or modification of information whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.

10 Information Assurance
confidentiality: Assurance of data privacy and accuracy. Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes.
integrity: Assurance that stored data has not been modified without authorization, and that a message that was sent is the same message that was received.
availability: Assurance that access to data, the Web site, or other EC data service is timely, available, reliable, and restricted to authorized users.

11 Information Assurance
authentication: Process to verify (assure) the real identity of an individual, computer, computer program, or EC Web site.
authorization: Process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform.

12 Information Assurance
nonrepudiation: Assurance that an online customer or trading partner cannot falsely deny (repudiate) their purchase or transaction.
digital signature or digital certificate: Validates the sender and time stamp of a transaction so it cannot later be claimed that the transaction was unauthorized or invalid.

13 Information Assurance

14 Information Assurance

15 Enterprisewide E-Commerce Security and Privacy Model
SENIOR MANAGEMENT COMMITMENT AND SUPPORT
EC SECURITY AND TRADING
EC SECURITY PROCEDURES AND ENFORCEMENT
SECURITY TOOLS: HARDWARE AND SOFTWARE

16 Basic E-Commerce Security Issues and Perspectives
From the user's perspective:
How can the user know whether the Web server is owned and operated by a legitimate company?
How does the user know that the Web page and form have not been compromised by spyware or other malicious code?
How does the user know that an employee will not intercept and misuse the information?
From the company's perspective:
How does the company know the user will not attempt to break into the Web server or alter the pages and content at the site?
From both parties' perspectives:
How do both parties know that the network connection is free from eavesdropping by a third party listening on the line?
How do they know that the information sent back and forth between the server and the user's browser has not been altered?

17 Threats and Attacks
SOCIAL NETWORKING MAKES SOCIAL ENGINEERING EASY
TECHNICAL ATTACKS
Denial of service, Zombies, and Phishing
Botnets
Malicious Code: Viruses, Worms, and Trojan Horses

18 Securing E-Commerce Communications
Access control
Passive tokens are storage devices that contain a secret code.
Active tokens usually are small stand-alone electronic devices that generate one-time passwords.

19 Securing E-Commerce Communications
public key infrastructure (PKI): A scheme for securing e-payments using public key encryption and various technical components.
encryption
plaintext
ciphertext
encryption algorithm
key (key value)
keyspace

20 Securing E-Commerce Communications

21 Securing E-Commerce Communications
Public (asymmetric) key encryption: Method of encryption that uses a pair of matched keys: a public key to encrypt a message and a private key to decrypt it, or vice versa.
public key
private key
RSA

22 Securing E-Commerce Communications
Digital Signatures and Certificate Authorities
Hash
message digest (MD)
digital envelope
certificate authorities (CAs)
Secure Socket Layer (SSL): Protocol that utilizes standard certificates for authentication and data encryption to ensure privacy or confidentiality.
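The terms on the last three slides (public/private key pair, RSA, hash and message digest, digital signature, digital envelope) fit together in one exchange, which the slides only name. The following is an added example written for this transcript, not code from the textbook or its publisher: a textbook-style RSA on fixed, publicly known Mersenne primes, SHA-256 as the message digest, a toy XOR stream cipher standing in for the symmetric cipher, and a digital envelope that wraps the session key with the recipient's public key and carries the sender's signature. The party names, key sizes, toy cipher and sample order message are all assumptions made here for illustration; the RSA has no padding and the stream cipher is not a real one, so the block shows the mechanism, not a deployable implementation.

```python
import hashlib
import os

# Textbook RSA on fixed, publicly known Mersenne primes. This illustrates the
# public/private key idea from the slides; it is not a usable cryptosystem
# (no padding, no constant-time arithmetic, and the primes are public knowledge).
E = 65537


def make_keypair(p: int, q: int):
    """Return (public_key, private_key), each as an (n, exponent) tuple."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse of E (Python 3.8+)
    return (n, E), (n, d)


# Two key pairs, one per party of the exchange (names are assumptions).
ALICE_PUB, ALICE_PRIV = make_keypair((1 << 127) - 1, (1 << 521) - 1)
BOB_PUB, BOB_PRIV = make_keypair((1 << 89) - 1, (1 << 607) - 1)


def rsa_apply(key, m: int) -> int:
    """Raise m to the key's exponent mod n. Public key: encrypt / verify.
    Private key: decrypt / sign. The two operations undo each other."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(m, exp, n)


def message_digest(data: bytes) -> bytes:
    """Fixed-length hash of arbitrary data: the 'message digest' of the slides."""
    return hashlib.sha256(data).digest()


def sign(private_key, data: bytes) -> int:
    # Sign the digest, not the message: the digest always fits in one RSA block.
    return rsa_apply(private_key, int.from_bytes(message_digest(data), "big"))


def verify(public_key, data: bytes, signature: int) -> bool:
    expected = int.from_bytes(message_digest(data), "big")
    return rsa_apply(public_key, signature) == expected


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256-derived keystream. Encrypting
    and decrypting are the same operation. Illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(recipient_pub, sender_priv, plaintext: bytes) -> dict:
    """Digital envelope: bulk data under a fresh symmetric session key, the
    session key wrapped with the recipient's public key, plus the sender's
    signature over the plaintext."""
    session_key = os.urandom(32)
    return {
        "ciphertext": stream_xor(session_key, plaintext),
        "wrapped_key": rsa_apply(recipient_pub, int.from_bytes(session_key, "big")),
        "signature": sign(sender_priv, plaintext),
    }


def open_envelope(recipient_priv, sender_pub, envelope: dict) -> bytes:
    """Unwrap the session key with the recipient's private key, decrypt, then
    check the signature. Any change to the ciphertext changes the recovered
    plaintext, so the digest no longer matches and the check fails."""
    session_key = rsa_apply(recipient_priv, envelope["wrapped_key"]).to_bytes(32, "big")
    plaintext = stream_xor(session_key, envelope["ciphertext"])
    if not verify(sender_pub, plaintext, envelope["signature"]):
        raise ValueError("signature does not match: message altered or not from sender")
    return plaintext


if __name__ == "__main__":
    # Constructed sample message.
    order = b"order#1001: 2 x widget, ship to 1 Main St"
    env = seal(BOB_PUB, ALICE_PRIV, order)
    assert open_envelope(BOB_PRIV, ALICE_PUB, env) == order
    print("envelope opened and signature verified")
```

The signature covers the plaintext, so the recipient learns two things at once: the message was not altered in transit (integrity) and it was produced with Alice's private key (authentication, and the basis for nonrepudiation on the earlier slide). The XOR cipher is deliberately malleable, which is exactly why the envelope is not trustworthy without the signature check.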

23 Securing E-Commerce Networks
Defense in depth
Need-to-access basis
Role-specific security
Monitoring
Patch management
Incident response team

24 Securing E-Commerce Networks
firewall: A single point between two or more networks where all traffic must pass (choke point); the device authenticates, controls, and logs all traffic.
packet
packet-filtering routers
packet filters
application-level proxy
bastion gateway
proxies
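The firewall definition above describes a choke point that controls and logs every packet; a packet filter is the simplest form of that. The following is an added example, not code from the textbook, showing a first-match packet filter with an implicit default deny and a log line per decision. The rule set, addresses and sample packets are constructed for illustration (a public web server that must accept HTTPS from anywhere but administrative SSH only from an internal network).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


# Constructed rule set for an assumed web server at 203.0.113.10.
# Rules are evaluated top to bottom; the first match decides.
RULES: List[Rule] = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),   # HTTPS from anywhere
    Rule("allow", "tcp", "10.0.0.0/8", "203.0.113.10/32", 22),   # SSH only from inside
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),          # explicit deny-all
]


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). If no rule matches at all,
    fall back to deny: a packet filter should never 'allow by accident'."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def filter_all(rules: List[Rule], packets: List[Packet]) -> Tuple[List[str], List[str]]:
    """Apply the rules to every packet and produce one log line per decision,
    since a choke point that does not log cannot support monitoring later."""
    decisions, log = [], []
    for pkt in packets:
        action, index = filter_packet(rules, pkt)
        decisions.append(action)
        log.append(f"{action.upper():5} rule={index} {pkt.proto} "
                   f"{pkt.src} -> {pkt.dst}:{pkt.dport}")
    return decisions, log


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", "203.0.113.10", 443),   # customer HTTPS
    Packet("tcp", "198.51.100.7", "203.0.113.10", 22),    # SSH from the Internet
    Packet("tcp", "10.1.2.3", "203.0.113.10", 22),        # SSH from an admin host
    Packet("udp", "198.51.100.7", "203.0.113.10", 443),   # wrong protocol
    Packet("tcp", "198.51.100.7", "203.0.113.11", 443),   # not the web server
]

if __name__ == "__main__":
    for line in filter_all(RULES, SAMPLE_PACKETS)[1]:
        print(line)
```

Note that the explicit deny-all rule and the fallback in `filter_packet` say the same thing twice on purpose: if someone later deletes the last rule, the filter still fails closed.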

25 Securing E-Commerce Networks
virtual private network (VPN): A network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network.
intrusion detection systems (IDSs): A special category of software that can monitor activity across a network or on a host computer, watch for suspicious activity, and take automated action based on what it sees.
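The IDS definition above has three parts: monitor activity, spot something suspicious, act on it. As an added example (not from the textbook), here is a minimal host-based detector that reads login-audit lines, flags a source that fails authentication five or more times within sixty seconds, and adds it to a block list as its automated action. The log format, threshold, window and sample lines are all constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Assumed audit-log format: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>".
LOG_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")
THRESHOLD = 5          # failures that trigger an alert ...
WINDOW_SECONDS = 60    # ... within this many seconds


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, source) or None for lines we do not understand."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_bruteforce(lines: List[str]) -> Tuple[List[str], Set[str]]:
    """Sliding-window detector. Keeps, per source address, the timestamps of
    recent failures; when THRESHOLD of them fall inside WINDOW_SECONDS it
    raises an alert and blocks the source. Lines must arrive in time order."""
    failures = defaultdict(deque)
    blocked: Set[str] = set()
    alerts: List[str] = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if src in blocked or result != "FAIL":
            continue
        recent = failures[src]
        recent.append(ts)
        # Drop failures that are older than the window.
        while (ts - recent[0]).total_seconds() > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= THRESHOLD:
            alerts.append(f"{ts.isoformat()} ALERT brute-force from {src}: "
                          f"{len(recent)} failures in {WINDOW_SECONDS}s (last user={user})")
            blocked.add(src)          # the automated action
    return alerts, blocked


# Constructed sample log: one rapid burst, one user who mistypes twice then
# logs in, and one slow trickle that stays below the rate the detector watches.
SAMPLE_LOG = [
    "2009-03-01T10:00:00 FAIL user=root src=203.0.113.9",
    "2009-03-01T10:00:01 FAIL user=admin src=198.51.100.7",
    "2009-03-01T10:00:02 FAIL user=alice src=10.0.0.5",
    "2009-03-01T10:00:05 FAIL user=admin src=198.51.100.7",
    "2009-03-01T10:00:09 FAIL user=admin src=198.51.100.7",
    "2009-03-01T10:00:13 FAIL user=admin src=198.51.100.7",
    "2009-03-01T10:00:17 FAIL user=admin src=198.51.100.7",
    "2009-03-01T10:00:20 FAIL user=alice src=10.0.0.5",
    "2009-03-01T10:00:30 OK user=alice src=10.0.0.5",
    "2009-03-01T10:02:00 FAIL user=root src=203.0.113.9",
    "2009-03-01T10:04:00 FAIL user=root src=203.0.113.9",
    "2009-03-01T10:06:00 FAIL user=root src=203.0.113.9",
    "2009-03-01T10:08:00 FAIL user=root src=203.0.113.9",
]

if __name__ == "__main__":
    found, blocklist = detect_bruteforce(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("blocked:", sorted(blocklist))
```

The slow trickle from the third source is deliberately left undetected: a rate threshold only catches what exceeds the rate, which is why an IDS usually runs several detectors (and why the slides pair it with monitoring and an incident response team) rather than relying on one rule.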

