We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byKaylyn Fane
Modified over 2 years ago
Chapter 11 E-Commerce Security
Electronic CommercePrentice Hall © 2006 2 Learning Objectives 1.Document the trends in computer and network security attacks. 2.Describe the common security practices of businesses of all sizes. 3.Understand the basic elements of EC security. 4.Explain the basic types of network security attacks. 5.Describe common mistakes that organizations make in managing security. 6.Discuss some of the major technologies for securing EC communications. 7.Detail some of the major technologies for securing EC networks components.
Electronic CommercePrentice Hall © 2006 3 The Continuing Need for E-Commerce Security Computer Security Institute (CSI) Nonprofit organization located in San Francisco, California, that is dedicated to serving and training information, computer, and network security professionals Computer Emergency Response Team (CERT) Group of three teams at Carnegie Mellon University that monitor the incidence of cyber attacks, analyze vulnerabilities, and provide guidance on protecting against attacks
Electronic CommercePrentice Hall © 2006 4 Security Is Everyone’s Business The DHS (Department of Homeland Security) strategy includes five national priorities: 1.A national cyberspace security response system 2.A national cyberspace security threat and vulnerability reduction program 3.A national cyberspace security awareness and training program 4.Securing governments’ cyberspace 5.National security and international security cooperation
Electronic CommercePrentice Hall © 2006 5 Security Is Everyone’s Business Accomplishing these priorities requires concerted effort at five levels: –Level 1—The Home User/Small Business –Level 2—Large Enterprises –Level 3—Critical Sectors/Infrastructure –Level 4—National Issues and Vulnerabilities –Level 5—Global
Electronic CommercePrentice Hall © 2006 6 Security Is Everyone’s Business National Cyber Security Division (NCSD) A division of the Department of Homeland Security charged with implementing U.S. cyberspace security strategy
Electronic CommercePrentice Hall © 2006 7 Basic Security Issues What kinds of security questions arise? –From the user’s perspective: How can the user be sure that the Web server is owned and operated by a legitimate company? How does the user know that the Web page and form do not contain some malicious or dangerous code or content? How does the user know that the owner of the Web site will not distribute the information the user provides to some other party?
Electronic CommercePrentice Hall © 2006 8 Basic Security Issues What kinds of security questions arise? –From the company’s perspective: How does the company know the user will not attempt to break into the Web server or alter the pages and content at the site? How does the company know that the user will not try to disrupt the server so that it is not available to others?
Electronic CommercePrentice Hall © 2006 9 Basic Security Issues What kinds of security questions arise? –From both parties’ perspectives: How do both parties know that the network connection is free from eavesdropping by a third party “listening” on the line? How do they know that the information sent back- and-forth between the server and the user’s browser has not been altered?
Electronic CommercePrentice Hall © 2006 10 Basic Security Issues authentication The process by which one entity verifies that another entity is who he, she, or it claims to be authorization The process that ensures that a person has the right to access certain resources auditing The process of collecting information about attempts to access particular resources, use particular privileges, or perform other security actions
Electronic CommercePrentice Hall © 2006 11 Exhibit 11.1 General Security Issues at EC Sites
Electronic CommercePrentice Hall © 2006 12 Types of Threats and Attacks nontechnical attack An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network
Electronic CommercePrentice Hall © 2006 13 Types of Threats and Attacks Nontechnical Attacks: Social Engineering social engineering A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access –A multiprong approach should be used to combat social engineering Education and training Policies and procedures Penetration testing
Electronic CommercePrentice Hall © 2006 14 Types of Threats and Attacks technical attack An attack perpetrated using software and systems knowledge or expertise common (security) vulnerabilities and exposures (CVEs) Publicly known computer security risks, which are collected, listed, and shared by a board of security- related organizations (cve.mitre.org) National Infrastructure Protection Center (NIPC) A joint partnership under the auspices of the FBI between governmental and private industry; designed to prevent and protect the nation’s infrastructure
Electronic CommercePrentice Hall © 2006 15 Types of Threats and Attacks denial-of-service (DoS) attack An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources distributed denial-ofservice (DDoS) attack A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses the multiple computers to send a flood of data packets to the target computer
Electronic CommercePrentice Hall © 2006 16 Exhibit 11.2 Using Zombies in a Distributed Denial-of-Service Attack
Electronic CommercePrentice Hall © 2006 17 Types of Threats and Attacks malware A generic term for malicious software A number of factors have contributed to the overall increase in malicious code. Among these factors, the following are paramount: –Mixing data and executable instructions –Increasingly homogenous computing environments –Unprecedented connectivity –Larger clueless user base
Electronic CommercePrentice Hall © 2006 18 Types of Threats and Attacks –As the number of attacks increases, the following trends in malicious code are emerging: Increased speed and volume of attacks Reduced time between the discovery of a vulnerability and the release of an attack to exploit the vulnerability Remotely-controlled bot networks are growing E-commerce is the most frequently targeted industry Attacks against Web application technologies are increasing A large percent of Fortune 100 companies have been compromised by worms
Electronic CommercePrentice Hall © 2006 19 Types of Threats and Attacks virus A piece of software code that inserts itself into a host, including the operating systems, in order to propagate; it requires that its host program be run to activate it worm A software program that runs independently, consuming the resources of its host in order to maintain itself, that is capable of propagating a complete working version of itself onto another machine
Electronic CommercePrentice Hall © 2006 20 Managing EC Security Common mistakes in managing security risks: –Undervalued information –Narrowly defined security boundaries –Reactive security management –Dated security management processes –Lack of communication about security responsibilities
Electronic CommercePrentice Hall © 2006 21 Managing EC Security Security Risk Management security risk management A systematic process for determining the likelihood of various security attacks and for identifying the actions needed to prevent or mitigate those attacks –Security risk management consists of three phases: Asset identification Risk assessment Implementation
Electronic CommercePrentice Hall © 2006 22 Securing EC Communications access control Mechanism that determines who can legitimately use a network resource passive tokens Storage devices (e.g., magnetic strips) that contain a secret code used in a two-factor authentication system active tokens Small, stand-alone electronic devices that generate one-time passwords used in a two-factor authentication system
Electronic CommercePrentice Hall © 2006 23 Securing EC Communications biometric systems Authentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice physiological biometrics Measurements derived directly from different parts of the body (e.g., fingerprint, iris, hand, facial characteristics) behavioral biometrics Measurements derived from various actions and indirectly from various body parts (e.g., voice scans or keystroke monitoring)
Electronic CommercePrentice Hall © 2006 24 Securing EC Communications fingerprint scanning Measurement of the discontinuities of a person’s fingerprint, which are then converted to a set of numbers that are stored as a template and used to authenticate identity iris scanning Measurement of the unique spots in the iris (colored part of the eye), which are then converted to a set of numbers that are stored as a template and used to authenticate identity
Electronic CommercePrentice Hall © 2006 25 Securing EC Communications public key infrastructure (PKI) A scheme for securing e-payments using public key encryption and various technical components encryption The process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time- consuming for an unauthorized person to unscramble (decrypt) it plaintext An unencrypted message in human-readable form
Electronic CommercePrentice Hall © 2006 26 Securing EC Communications ciphertext A plaintext message after it has been encrypted into a machine-readable form encryption algorithm The mathematical formula used to encrypt the plaintext into the ciphertext, and vice versa key The secret code used to encrypt and decrypt a message
Electronic CommercePrentice Hall © 2006 27 Securing EC Communications symmetric (private) key system An encryption system that uses the same key to encrypt and decrypt the message Data Encryption Standard (DES) The standard symmetric encryption algorithm supported the NIST and used by U.S. government agencies until October 2, 2000 Rijndael The new Advanced Encryption Standard used to secure U.S. government Communications since October 2, 2000
Electronic CommercePrentice Hall © 2006 28 Exhibit 11.4 Symmetric (Private) Key Encryption
Electronic CommercePrentice Hall © 2006 29 Securing EC Communications Public (Asymmetric) Key Encryption public key encryption Method of encryption that uses a pair of matched keys—a public key to encrypt a message and a private key to decrypt it, or vice versa public key Encryption code that is publicly available to anyone
Electronic CommercePrentice Hall © 2006 30 Securing EC Communications Digital Signatures digital signature An identifying code that can be used to authenticate the identity of the sender of a document hash A mathematical computation that is applied to a message, using a private key, to encrypt the message
Electronic CommercePrentice Hall © 2006 31 Securing EC Communications Digital Signatures message digest A summary of a message, converted into a string of digits, after the hash has been applied digital envelope The combination of the encrypted original message and the digital signature, using the recipient’s public key
Electronic CommercePrentice Hall © 2006 32 Exhibit 11.5 Digital Signatures
Electronic CommercePrentice Hall © 2006 33 Securing EC Communications digital certificate Verification that the holder of a public or private key is who he or she claims to be certificate authorities (CAs) Third parties that issue digital certificates
Electronic CommercePrentice Hall © 2006 34 Securing EC Communications Secure Socket Layer (SSL) Protocol that utilizes standard certificates for authentication and data encryption to ensure privacy or confidentiality Transport Layer Security (TLS) As of 1996, another name for the SSL protocol
Electronic CommercePrentice Hall © 2006 35 Securing EC Networks policy of least privilege (POLP) Policy of blocking access to network resources unless access is required to conduct business
Electronic CommercePrentice Hall © 2006 36 Exhibit 11.6 Layered Security
Electronic CommercePrentice Hall © 2006 37 Securing EC Networks The selection and operation of these technologies should be based on certain design concepts, including: –Layered security –Controlling access –Role-specific security –Monitoring –Keep systems patched –Response team
Electronic CommercePrentice Hall © 2006 38 Securing EC Networks firewall A network node consisting of both hardware and software that isolates a private network from a public network packet-filtering routers Firewalls that filter data and requests moving from the public Internet to a private network based on the network addresses of the computer sending or receiving the request
Electronic CommercePrentice Hall © 2006 39 Securing EC Networks packets Segments of data and requests sent from one computer to another on the Internet; consist of the Internet addresses of the computers sending and receiving the data, plus other identifying information that distinguish one packet from another packet filters Rules that can accept or reject incoming packets based on source and destination addresses and the other identifying information
Electronic CommercePrentice Hall © 2006 40 Securing EC Networks application-level proxy A firewall that permits requests for Web pages to move from the public Internet to the private network bastion gateway A special hardware server that utilizes application-level proxy software to limit the types of requests that can be passed to an organization’s internal networks from the public Internet proxies Special software programs that run on the gateway server and pass repackaged packets from one network to the other
Electronic CommercePrentice Hall © 2006 41 Exhibit 11.7 Application Level Proxy (Bastion Gateway Host)
Electronic CommercePrentice Hall © 2006 42 Securing EC Networks demilitarized zone (DMZ) Network area that sits between an organization’s internal network and an external network (Internet), providing physical isolation between the two networks that is controlled by rules enforced by a firewall. personal firewall A network node designed to protect an individual user’s desktop system from the public network by monitoring all the traffic that passes through the computer’s network interface card.
Electronic CommercePrentice Hall © 2006 43 Exhibit 11.8 Demilitarized Zone (DMZ)
Electronic CommercePrentice Hall © 2006 44 Securing EC Networks virtual private network (VPN) A network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network protocol tunneling Method used to ensure confidentiality and integrity of data transmitted over the Internet, by encrypting data packets, sending them in packets across the Internet, and decrypting them at the destination address
Electronic CommercePrentice Hall © 2006 45 Securing EC Networks intrusion detection systems (IDSs) A special category of software that can monitor activity across a network or on a host computer, watch for suspicious activity, and take automated action based on what it sees
Electronic CommercePrentice Hall © 2006 46 Securing EC Networks honeynet A way to evaluate vulnerabilities of an organization by studying the types of attacks to which a site is subjected using a network of systems called honeypots honeypots Production systems (e.g., firewalls, routers, Web servers, database servers) designed to do real work but that are watched and studied as network intrusions occur
Electronic CommercePrentice Hall © 2006 47 Managerial Issues 1.Have we budgeted enough for security? 2.What are the business consequences of poor security? 3.Which e-commerce sites are vulnerable to attack? 4.What is the key to establishing strong e-commerce security? 5.What steps should businesses follow in establishing a security plan? 6.Should organizations be concerned with internal security threats?
Electronic CommercePrentice Hall © 2006 48 Summary 1.Trends in computer attacks. 2.Security is everyone’s business. 3.Basic security issues. 4.Basic types of network security attacks. 5.Managing EC security. 6.Securing EC communications. 7.Technologies for securing networks.
Chapter 11 E-Commerce Security. Electronic CommercePrentice Hall © Learning Objectives 1.Document the trends in computer and network security attacks.
1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.
E-COMMERCE SECURITY ELECTRONIC COMMERCE. E-Commerce Security Successful e-tailing requires addressing online security and privacy fears of your online.
E-Commerce Security 1. 2 Security Issues From the user’s perspective: Is the Is the Web server owned and operated by a legitimate company? Does Does the.
Chapter 10 E-Commerce Security. Stopping E-Commerce Crimes Six major reasons why is it difficult for e-tailers to stop cyber criminals and fraudsters:
Chapter 8 E-Commerce Security. Objectives Understand the basic elements of EC security. Explain the basic types of network security attacks.
Chapter 11 E-COMMERCE SECURITY. Chapter 10 Copyright © 2009 Pearson Education, Inc. Publishing as Prentice Hall1 Learning Objectives Explain EC-related.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Chapter 12 E-Commerce Security. © Prentice Hall Learning Objectives 1.Document the rapid rise in computer and network security attacks. 2.Describe.
2001 Prentice Hall, Inc. All rights reserved. Chapter 7 – Computer and Network Security Outline 7.1Introduction 7.2Ancient Ciphers to Modern Cryptosystems.
© 2008 Pearson Prentice Hall, Electronic Commerce 2008, Efraim Turban, et al. Chapter 11 E-Commerce Security.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
14 Systems Analysis and Design in a Changing World, Fourth Edition.
1 CS5038 The Electronic Society Lecture 12: Security and Crime Online Lecture Outline Types of Attacks Security Problems Major security issues in online.
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
17.3 Electronic Infection Types of Electronic Infection 1. Computer viruses 3. Trojan horses2. Worms.
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Chapter 37 Network Security. Aspects of Security data integrity – data received should be same as data sent data availability – data should be accessible.
Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.
CHAPTER 3 Information Privacy and Security. CHAPTER OUTLINE Ethical Issues in Information Systems Threats to Information Security Protecting Information.
Database Security Tampere University of Technology, Introduction to Databases. Oleg Esin.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
1 Network and E-commerce Security Nungky Awang Chandra Fasilkom Mercu Buana University.
Threads, SMP, and Microkernels Chapter 4 1. Process Resource ownership - process includes a virtual address space to hold the process image Scheduling/execution-
Chapter 12 Network Security. Security Policy Life Cycle A method for the development of a comprehensive network security policy is known as the security.
Security Awareness: Applying Practical Security in Your World Chapter 5: Network Security.
ITEC5611S. Kungpisdan 1 Course Outline Revisited 1.Overview of Electronic Commerce 2.E-Marketplace 3.Retailing in Electronic Commerce 4.Consumer Behavior,
Time for a BREAK! You have 45 Minutes. Time Left 44.
BUSINESS B1 Information Security. 2 Learning Outcomes Describe the relationship between information security policies and an information security plan.
Information Security in Distributed Systems Distributed Systems1.
“Lines of Defense” against Malware.. Prevention: Keep Malware off your computer. Limit Damage: Stop Malware that gets onto your computer from doing any.
Cloud Security Mechanisms “Reference: Cloud Computing Concepts, Technology & Architecture. Thomas Erl, Zaigham Mahmood and Richardo Puttini.” Place photo.
Protecting Internet Communications: Encryption Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Chapter 10 E-Commerce Security and Fraud Issues and Protections.
Security and Control Brian Mennecke. Planning for Security and Control In today’s net-enabled environment, an increasingly important part of IT planning.
PUBLIC KEY CRYPTOSYSTEMS Symmetric Cryptosystems 6/05/2014 | pag. 2.
Cryptographic Technologies Chapter 5. Goals of Cryptography Four primary goals Many applications provide multiple cryptographic benefits simultaneously.
Invitation to Computer Science 5 th Edition Chapter 8 Information Security.
Module N° 4ICAO State Safety Programme (SSP) Implementation Course 1 Module N° 4 – ICAO SSP framework Revision N° 5ICAO State Safety Programme (SSP) Implementation.
1 Chapter 12 File Management Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Week 5 IBS 520 Computer and Online Security. Cybercrime Online or Internet- based illegal acts What is a computer security risk? Computer crime Any illegal.
HIPAA Security Standards What’s happening in your office?
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
1 Chapter 17 Risks, Controls and Security Measures.
© 2017 SlidePlayer.com Inc. All rights reserved.