Presentation is loading. Please wait.

Presentation is loading. Please wait.

E-Business Tenth Edition Chapter 10 Online Security.

Similar presentations


Presentation on theme: "E-Business Tenth Edition Chapter 10 Online Security."— Presentation transcript:

1 E-Business Tenth Edition Chapter 10 Online Security

2 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 22 Learning Objectives In this chapter, you will learn: What security risks arise in online business and how to manage them How to create a security policy How to implement security on Web client computers How to implement security in the communication channels between computers

3 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Learning Objectives (cont’d.) How to implement security on Web server computers What organizations promote computer, network, and Internet security 3

4 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 4 Online Security Issues Overview Early Internet days –Most popular use: electronic mail Today’s higher stakes –Electronic mail, shopping, all types of financial transactions Common worry of Web shoppers –Stolen credit card as it transmits over the Internet –More likely to be stolen from computer where stored Chapter topic: security in the context of electronic commerce

5 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 5 Origins of Security on Interconnected Computer Systems Data security measures taken by Roman Empire –Coded information to prevent enemies from reading secret war and defense plans Modern electronic security techniques –Defense Department wartime use “Orange Book”: rules for mandatory access control Business computers –Initially adopted military’s security methods Today’s computing –Requires comprehensive computer security plans 5

6 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 6 Computer Security and Risk Management Computer security –Asset protection from unauthorized access, use, alteration, and destruction Physical security –Includes tangible protection devices Alarms, guards, fireproof doors, security fences, safes or vaults, and bombproof buildings Logical security –Asset protection using nonphysical means

7 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 7 Computer Security and Risk Management (cont’d.) Threat –Any act or object posing danger to computer assets Countermeasure –Procedure (physical or logical) Recognizes, reduces, and eliminates threat –Extent and expense of countermeasures Vary depending on asset importance 7

8 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 8 Computer Security and Risk Management (cont’d.) Risk management model –Four general organizational actions Impact (cost) and probability of physical threat –Also applicable for protecting Internet and electronic commerce assets from physical and electronic threats Electronic threat examples: –Impostors, eavesdroppers, thieves Eavesdropper (person or device) –Listen in on and copy Internet transmissions 8

9 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 9 FIGURE 10-1 Risk management model © Cengage Learning 2013

10 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 10 Computer Security and Risk Management (cont’d.) Crackers or hackers (people) –Write programs; manipulate technologies Obtain unauthorized access to computers and networks White hat hacker and black hat hacker –Distinction between good hackers and bad hackers Good security scheme implementation –Identify risks –Determine how to protect threatened assets –Calculate costs to protect assets

11 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 11 Elements of Computer Security Secrecy –Protecting against unauthorized data disclosure –Ensuring data source authenticity Integrity –Preventing unauthorized data modification –Man-in-the-middle exploit message intercepted; contents changed before forwarded to original destination Necessity –Preventing data delays or denials (removal) –Delaying message or completely destroying it

12 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Establishing a Security Policy Security policy –Assets to protect and why, protection responsibility, acceptable and unacceptable behaviors –Physical security, network security, access authorizations, virus protection, disaster recovery Military policy: stresses separation of multiple levels of security Corporate information classifications –Public –Company confidential 12

13 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 13 Establishing a Security Policy (cont’d.) Steps to create security policy –Determine assets to protect from threats –Determine access to various system parts –Identify resources to protect assets –Develop written security policy –Commit resources Comprehensive security plan goals –Protect privacy, integrity, availability; authentication –Selected to satisfy Figure 10-2 requirements

14 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 14 FIGURE 10-2 Requirements for secure electronic commerce © Cengage Learning 2013

15 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 15 Establishing a Security Policy (cont’d.) Security policies information sources –WindowSecurity.com site –Information Security Policy World site Absolute security: difficult to achieve –Create barriers deterring intentional violators –Reduce impact of natural disasters and terrorist acts Integrated security –Having all security measures work together Prevents unauthorized disclosure, destruction, modification of assets

16 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 16 Establishing a Security Policy (cont’d.) Security policy points –Authentication: Who is trying to access site? –Access control: Who is allowed to log on to and access site? –Secrecy: Who is permitted to view selected information? –Data integrity: Who is allowed to change data? –Audit: Who or what causes specific events to occur, and when?

17 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 17 Security for Client Computers Client computers –Must be protected from threats Threats –Originate in software and downloaded data –Malevolent server site masquerades as legitimate Web site Chapter topics organized to follow the transaction-processing flow –Beginning with consumer –Ending with Web server at electronic commerce site

18 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 18 Cookies and Web Bugs Internet connection between Web clients and servers –Stateless connection Each information transmission is independent No continuous connection (open session) maintained between any client and server Cookies –Small text files Web servers place on Web client –Identify returning visitors –Allow continuing open session

19 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 19 Cookies and Web Bugs (cont’d.) Time duration cookie categories –Session cookies: exist until client connection ends –Persistent cookies: remain indefinitely –Electronic commerce sites use both Cookie sources –First-party cookies Web server site places them on client computer –Third-party cookies Different Web site places them on client computer

20 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 20 Cookies and Web Bugs (cont’d.) Disable cookies entirely –Complete cookie protection –Problem Useful cookies blocked (along with others) Full site resources not available Web browser cookie management functions –Refuse only third-party cookies –Review each cookie before accepted –Provided by most Web browsers

21 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 21 FIGURE 10-3 Mozilla Firefox dialog box for managing stored cookies

22 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 22 Cookies and Web Bugs (cont’d.) Web bug –Tiny graphic that third-party Web site places on another site’s Web page –Purpose Provide a way for a third-party site to place cookie on visitor’s computer Internet advertising community: –Calls Web bugs “clear GIFs” or “1-by-1 GIFs” Graphics created in GIF format Color value of “transparent,” small as 1 pixel by 1 pixel

23 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 23 Active Content Active content –Programs embedded transparently in Web pages –Cause action to occur –E-commerce example Place items into shopping cart; compute tax and costs Advantages –Extends HTML functionality –Moves data processing chores to client computer Disadvantages –Can damage client computer

24 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 24 Active Content (cont’d.) Cookies, Java applets, JavaScript, VBScript, ActiveX controls, graphics, Web browser plug-ins, attachments Scripting languages: provide executable script –Examples: JavaScript and VBScript Applet: small application program –Typically runs within Web browser Some browsers include tools limiting applets’ actions Active content modules –Embedded in Web pages (invisible)

25 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 25 FIGURE 10-4 Advanced JavaScript settings in Mozilla Firefox

26 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 26 Active Content (cont’d.) Crackers: embed malicious active content Trojan horse –Program hidden inside another program or Web page Masking true purpose –May result in secrecy and integrity violations Zombie (Trojan horse) –Secretly takes over another computer –Launches attacks on other computers Botnet (robotic network, zombie farm) –All controlled computers act as an attacking unit

27 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 27 Java Applets Java programming language –Developed by Sun Microsystems –Widespread use in Web pages: active content Java: platform-independent programming language –Provides Web page active content –Server sends applets with client-requested pages –Most cases: operation visible to visitor –Possibility: functions not noticed by visitor

28 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 28 Java Applets (cont’d.) Advantages –Adds functionality to business application’s functionality; relieves server-side programs Disadvantage – Possible security violations (Trojan horse, zombie)

29 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Java Applets (cont’d.) Java sandbox –Confines Java applet actions to set of rules defined by security model –Rules apply to all untrusted Java applets Not established as secure –Java applets running within sandbox constraint Does not allow full client system access Prevents secrecy (disclosure) and integrity (deletion or modification) violations 29

30 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 30 JavaScript –Scripting language developed by Netscape –Enables Web page designers to build active content –Based loosely on Sun’s Java programming language –Can be used for attacks Cannot commence execution on its own User must start ill-intentioned JavaScript program

31 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 31 ActiveX Controls ActiveX control –Objects containing programs and properties Web designers place on Web pages Component construction –Many different programming languages Common: C++ and Visual Basic Run on Windows operating systems computers Executed on client computer like any other program

32 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 32 ActiveX Controls (cont’d.) Comprehensive ActiveX controls list –ActiveX page at Download.com Security danger –Execute like other client computer programs –Have access to full system resources Cause secrecy, integrity, and necessity violations –Actions cannot be halted once started Web browsers –Provide notice of Active-X download or install

33 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 33 FIGURE 10-5 ActiveX control download warning dialog box in Internet Explorer

34 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 34 Graphics and Plug-Ins Graphics, browser plug-ins, and attachments can harbor executable content Graphic: embedded code can harm client computer Browser plug-ins (programs) –Enhance browser capabilities –Popular plug-ins: Adobe Flash Player, Apple’s QuickTime Player, Microsoft Silverlight, RealNetworks’ RealPlayer –Can pose security threats 1999 RealPlayer plug-in Plug-ins executing commands buried within media

35 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 35 Viruses, Worms, and Antivirus Software Programs display attachments by automatically executing associated programs –Macro viruses within attached files can cause damage Virus: software –Attaches itself to another program –Causes damage when host program activated Worm: virus –Replicates itself on computers it infects –Spreads quickly through the Internet Macro virus –Small program (macro) embedded in file

36 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 36 Viruses, Worms, and Antivirus Software (cont’d.) ILOVEYOU virus (“love bug”) –Spread with amazing speed –Infected computers and clogged systems –Replicated itself explosively through Outlook –Caused other harm 2001 Code Red and Nimda: virus-worm combinations –Multivector virus: entered computer system in several different ways (vectors) 2002 and 2003: new virus-worm combinations –Example: Bugbear

37 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 37 Viruses, Worms, and Antivirus Software (cont’d.) Antivirus software –Detects viruses and worms –Either deletes or isolates them on client computer 2005 and 2006 Zotob –New breed of Trojan horse-worm combination 2007: Storm virus 2008 and continuing into 2009: Conflicker 2009 and 2010: URLzone and Clampi –New viruses designed specifically to hijack users’ online banking sessions

38 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Viruses, Worms, and Antivirus Software (cont’d.) 2010: new Trojan horse-worm combination attack –Spread through a computer operating system –Designed to target industrial equipment German industrial giant Siemens’ control systems 2011: Zeus and SpyEye combined –Targeted bank account information –Not visible in Microsoft Windows Task Manager –Intercept credit card or online banking data entered in Web browser 38

39 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 39 FIGURE 10-6 Major viruses, worms, and Trojan horses

40 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 40 FIGURE 10-6 Major viruses, worms, and Trojan horses (continued)

41 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 41 FIGURE 10-6 Major viruses, worms, and Trojan horses (continued)

42 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 42 FIGURE 10-6 Major viruses, worms, and Trojan horses (continued)

43 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 43 FIGURE 10-6 Major viruses, worms, and Trojan horses (continued)

44 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 44 FIGURE 10-6 Major viruses, worms, and Trojan horses (continued)

45 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Viruses, Worms, and Antivirus Software (cont’d.) Companies that track viruses, sell antivirus software, provide virus descriptions on Web sites –Symantec (Symantec Security Response) –McAfee (McAfee Virus Information) Data files must be updated regularly –Recognize and eliminate newest viruses Some Web systems: –Provide and update antivirus software Used to scan attachments before downloading –Example: Yahoo! Mail 45

46 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 46 Digital Certificates Digital certificate (digital ID) – message attachment or program embedded in Web page –Verifies sender or Web site –Contains a means to send encrypted message –Signed message or code Provides proof of holder identified by the certificate –Used for online transactions Electronic commerce, electronic mail, and electronic funds transfers

47 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 47 FIGURE 10-7 Delmar Cengage Learning’s digital certificate information displayed in Firefox browser © Cengage Learning 2013

48 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 48 Digital Certificates (cont’d.) Digital certificate for software: –Assurance software was created by specific company –Does not attest to quality of software Certification authority (CA) –Issues digital certificates to organizations, individuals Digital certificates cannot be forged easily Six main elements: owner’s identifying information, owner’s public key, dates certificate is valid, serial number, issuer name, issuer digital signature

49 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 49 Digital Certificates (cont’d.) Key –Number: usually long binary number Used with encryption algorithm “Lock” message characters being protected –Longer keys provide better protection Identification requirements vary –Driver’s license, notarized form, fingerprints Companies offering CA services –Thawte, VeriSign, Comodo, DigiCert, Entrust, GeoTrust, RapidSSL.com

50 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 50 Digital Certificates (cont’d.) Secure Sockets Layer-Extended Validation (SSL-EV) digital certificate –Issued after more extensive verification confirmed Annual fees –$200 to more than $1500 Digital certificates expire after period of time –Provides protection (users and businesses) –Must submit credentials for reevaluation periodically

51 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 51 FIGURE 10-8 Internet Explorer address window display for an SSL-EV Web site 51

52 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 52 Steganography –Hiding information within another piece of information Can be used for malicious purposes Hiding encrypted file within another file –Casual observer cannot detect anything of importance in container file –Two-step process Encrypting file protects it from being read Steganography makes it invisible Al Qaeda used steganography to hide attack orders

53 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 53 Physical Security for Clients Client computers –Control important business functions –Same physical security as early systems New physical security technologies –Fingerprint readers (less than $100) Stronger protection than password approaches Biometric security device –Identification using element of person’s biological makeup Writing pads, eye scanners, palm reading scanners, reading back of hand vein pattern

54 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Client Security for Mobile Devices Security measures –Access password –Remote wipe: clears all personal data Can be added as an app Capability through corporate synchronization –Antivirus software Rogue apps: contain malware or collect information and forward to perpetrators –Apple App Store tests apps before authorizing sales –Android Market does less extensive testing –Users should not rush to install latest app 54

55 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 55 Communication Channel Security Internet –Not designed to be secure –Designed to provide redundancy Remains unchanged from original insecure state –Message traveling on the Internet Subject to secrecy, integrity, and necessity threats

56 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 56 Secrecy Threats Secrecy –Prevention of unauthorized information disclosure –Technical issue Requiring sophisticated physical and logical mechanisms Privacy –Protection of individual rights to nondisclosure –Legal matter

57 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Secrecy Threats (cont’d.) message –Secrecy violations protected using encryption Protects outgoing messages –Privacy issues address whether supervisors are permitted to read employees’ messages randomly Electronic commerce threat –Sensitive or personal information theft –Sniffer programs Record information passing through computer or router 57

58 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 58 Secrecy Threats (cont’d.) Electronic commerce threat (cont’d.) –Backdoor: electronic holes Left open accidentally or intentionally Content exposed to secrecy threats Example: Cart32 shopping cart program backdoor –Stolen corporate information Eavesdropper example Web users continually reveal information –Secrecy breach –Possible solution: anonymous Web surfing

59 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 59 Integrity Threats Also known as active wiretapping –Unauthorized party alters message information stream Integrity violation example –Cybervandalism Electronic defacing of Web site Masquerading (spoofing) –Pretending to be someone else –Fake Web site representing itself as original

60 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 60 Integrity Threats (cont’d.) Domain name servers (DNSs) –Internet computers maintaining directories Linking domain names to IP addresses –Perpetrators use software security hole Substitute their Web site address in place of real one Spoofs Web site visitors Phishing expeditions –Capture confidential customer information –Common victims Online banking, payment system users

61 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 61 Necessity Threats Also known as delay, denial, denial-of-service (DoS) attack –Disrupt or deny normal computer processing –Intolerably slow-speed computer processing Renders service unusable or unattractive Distributed denial-of-service (DDoS) attack –Launch simultaneous attack on a Web site via botnets DoS attacks –Remove information altogether –Delete transmission or file information

62 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 62 Necessity Threats (cont’d.) Denial attack examples: –Quicken accounting program diverted money to perpetrator’s bank account –High-profile electronic commerce company received flood of data packets Overwhelmed sites’ servers Choked off legitimate customers’ access

63 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 63 Threats to the Physical Security of Internet Communications Channels Internet’s packet-based network design: –Precludes it from being shut down By attack on single communications link Individual user’s Internet service can be interrupted –Destruction of user’s Internet link Larger companies, organizations –Use more than one link to main Internet backbone

64 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 64 Threats to Wireless Networks Wireless Encryption Protocol (WEP) –Rule set for encrypting transmissions from the wireless devices to the wireless access points (WAPs) Wardrivers –Attackers drive around in cars –Search for accessible networks Warchalking –Place chalk mark on building Identifies easily entered wireless network nearby –Web sites include wireless access locations maps

65 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 65 Threats to Wireless Networks (cont’d.) Preventing attacks by wardrivers –Turn on WEP –Change default login and password settings Example –Best Buy wireless point-of-sale (POS) Failed to enable WEP Customer launched sniffer program Intercepted data from POS terminals

66 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 66 Encryption Solutions Encryption: coding information using mathematically based program, secret key Cryptography: science studying encryption –Science of creating messages only sender and receiver can read Steganography –Makes text undetectable to naked eye Cryptography converts text to other visible text –With no apparent meaning

67 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Encryption Solutions (cont’d.) Encryption algorithms –Encryption program Transforms normal text (plain text) into cipher text (unintelligible characters string) –Encryption algorithm Logic behind encryption program Includes mathematics to do transformation –Decryption program Encryption-reversing procedure: message is decoded or decrypted 67

68 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 68 Encryption Solutions (cont’d.) Encryption algorithms (cont’d.) –National Security Agency controls dissemination –U.S. government banned publication of details Illegal for U.S. companies to export –Encryption algorithm property May know algorithm details Unable to decipher encrypted message without knowing key encrypting the message –Key type subdivides encryption into three functions Hash coding, asymmetric encryption, symmetric encryption

69 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 69 Encryption Solutions (cont’d.) Hash coding –Process uses Hash algorithm –Calculates number (hash value) from any length message –Unique message fingerprint –Good hash algorithm design Probability of collision is extremely small (two different messages resulting in same hash value) –Determining message alteration during transit Mismatch between original hash value and receiver computed value

70 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 70 Encryption Solutions (cont’d.) Asymmetric encryption (public-key encryption) –Encodes messages using two mathematically related numeric keys –Public key: one key freely distributed to public Encrypt messages using encryption algorithm –Private key: second key belongs to key owner Kept secret Decrypt all messages received

71 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 71 Encryption Solutions (cont’d.) –Pretty Good Privacy (PGP) –Software tools using different encryption algorithms Perform public key encryption –Individuals download free versions PGP Corporation site, PGP International site Encrypt messages –Sells business site licenses

72 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 72 Encryption Solutions (cont’d.) Symmetric encryption (private-key encryption) –Encodes message with one of several available algorithms Single numeric key to encode and decode data –Message receiver must know the key –Very fast and efficient encoding and decoding –Key must be guarded

73 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 73 Encryption Solutions (cont’d.) –Problems Difficult to distribute new keys to authorized parties while maintaining security, control over keys Private keys do not work well in large environments – Data Encryption Standard (DES) Encryption algorithms adopted by U.S. government Most widely used private-key encryption system Fast computers break messages encoded with smaller keys

74 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 74 Encryption Solutions (cont’d.) –Triple Data Encryption Standard (Triple DES, 3DES) Stronger version of Data Encryption Standard –Advanced Encryption Standard (AES) Alternative encryption standard Most government agencies use today –Longer bit lengths increase difficulty of cracking keys

75 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 75 Encryption Solutions (cont’d.) Comparing asymmetric and symmetric encryption systems –Advantages of public-key (asymmetric) systems Small combination of keys required No problem in key distribution Implementation of digital signatures possible –Disadvantages of public-key systems Significantly slower than private-key systems –Public-key systems: complement rather than replace private-key systems

76 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 76 FIGURE 10-9 Comparison of (a) hash coding, (b) private-key, and (c) public-key encryption © Cengage Learning 2013

77 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 77 Encryption Solutions (cont’d.) –Web servers accommodate encryption algorithms Must communicate with variety of Web browsers –Secure Sockets Layer (SSL) Goal: secures connections between two computers –Secure Hypertext Transfer Protocol (S-HTTP) Goal: send individual messages securely

78 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 78 Encryption Solutions (cont’d.) Secure sockets layer (SSL) protocol –Provides security “handshake” –Client and server exchange brief burst of messages –All communication encoded Eavesdropper receives unintelligible information –Secures many different communication types HTTP, FTP, Telnet –HTTPS: protocol implementing SSL Precede URL with protocol name HTTPS

79 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Encryption Solutions (cont’d.) –Encrypted transaction generates private session key Bit lengths vary (40-bit, 56-bit, 128-bit, 168-bit) –Session key Used by encryption algorithm Creates cipher text from plain text during single secure session –Secrecy implemented using public-key and private- key encryption Private-key encryption for nearly all communications 79

80 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 80 FIGURE Establishing an SSL session © Cengage Learning 2013

81 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Encryption Solutions (cont’d.) –After secure session established: Public-key encryption no longer used Message transmission protected by private-key encryption Session key (private key) discarded when session ends –Each new connection between client and secure server requires entire process: Beginning with handshake 81

82 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 82 Encryption Solutions (cont’d.) Secure HTTP (S-HTTP) –Extension to HTTP providing security features Client and server authentication, spontaneous encryption, request/response nonrepudiation –Symmetric encryption for secret communications –Public-key encryption to establish client/server authentication –Session negotiation: process between client and server of proposing and accepting (or rejecting) various transmission conditions

83 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 83 Encryption Solutions (cont’d.) –Establishing secure session SSL carries out client-server handshake exchange to set up secure communication S-HTTP sets up security details with special packet headers exchanged in S-HTTP –Headers define security technique type –Header exchanges state: Which specific algorithms that each side supports Whether client or server (or both) supports algorithm Whether security technique required, optional, refused

84 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 84 Encryption Solutions (cont’d.) –Secure envelope (complete package) Encapsulates message Provides secrecy, integrity, and client/server authentication SSL has become: –More generally accepted standard over S-HTTP

85 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 85 Using a Hash Function to Create a Message Digest Integrity violation –Message altered while in transit Difficult and expensive to prevent Security techniques to detect Harm: unauthorized message changes undetected Apply two algorithms to eliminate fraud and abuse –Hash algorithm –Message digest Number summarizing encrypted information

86 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 86 Converting a Message Digest into a Digital Signature Hash functions: potential for fraud –Solution: sender encrypts message digest using private key Digital signature –Encrypted message digest (message hash value) Digital signature provides: –Integrity, nonrepudiation, and authentication Provide transaction secrecy –Encrypt entire string (digital signature, message) Digital signatures: same legal status as traditional signatures

87 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 87 FIGURE Sending and receiving a digitally signed message © Cengage Learning 2013

88 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 88 Security for Server Computers Server vulnerabilities –Exploited by anyone determined to cause destruction or acquire information illegally Entry points –Web server and its software –Any back-end programs containing data No system is completely safe Web server administrator –Ensures security policies documented; considered in every electronic commerce operation

89 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 89 Web Server Threats Compromise of secrecy –By allowing automatic directory listings –Solution: turn off folder name display feature Sensitive file on Web server –Holds Web server username-password pairs –Solution: store authentication information in encrypted form

90 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 90 Web Server Threats (cont’d.) Passwords that users select –Easily guessable Dictionary attack programs cycle through electronic dictionary, trying every word as password –Solutions User password requirements Use password assignment software to check user password against dictionary Help creating very strong passwords: –Gibson Research Corporation’s Ultra High Security Password Generator

91 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 91 © Cengage Learning 2013 FIGURE Examples of passwords, from very weak to very strong

92 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 92 Database Threats Usernames and passwords –Stored in unencrypted table –Database fails to enforce security altogether Relies on Web server to enforce security Unauthorized users –Masquerade as legitimate database users Trojan horse programs hide within database system –Reveal information –Remove all access controls within database

93 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 93 Other Programming Threats Java or C++ programs executed by server –Passed to Web servers by client –Reside on server –Use a buffer Memory area set aside holding data read from file or database –Buffer overrun (buffer overflow) error Programs filling buffers malfunction and overfill buffer Excess data spilled outside designated buffer memory Cause: error in program or intentional 1998 Internet worm

94 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 94 Other Programming Threats (cont’d.) Insidious version of buffer overflow attack –Writes instructions into critical memory locations –Web server resumes execution by loading internal registers with address of attacking program’s code Reducing potential buffer overflow damage –Good programming practices –Some hardware functionality Mail bomb attack –Hundreds (thousands) send message to particular address

95 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 95 Threats to the Physical Security of Web Servers Protecting Web servers –Put computers in commerce service provider (CSP) facility Very high-level physical security on CSP –Maintain server content’s backup copies at remote location –Rely on service providers Offer managed services including Web server security –Hire smaller, specialized security service providers

96 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Access Control and Authentication Controlling who and what has access to Web server Authentication –Identity verification of entity requesting computer access Server user authentication –Server must successfully decrypt user’s digital signature-contained certificate –Server checks certificate timestamp –Server uses callback system Certificates authenticate client computers and their users 96

97 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Access Control and Authentication (cont’d.) Usernames and passwords –Provide some protection element Maintain usernames in plain text –Encrypt passwords with one-way encryption algorithm Problem –Site visitor may save username and password as a cookie Might be stored in plain text Access control list (ACL) –Restrict file access to selected users 97

98 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 98 Firewalls Firewall –Software, hardware-software combination –Installed in a network to control packet traffic Placed at Internet entry point of network –Defense between network and the Internet Between network and any other network Principles –All traffic must pass through it –Only authorized traffic allowed to pass –Immune to penetration

99 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 99 Firewalls (cont’d.) Trusted: networks inside firewall Untrusted: networks outside firewall Filter permits selected messages though network Separate corporate networks from one another –Coarse need-to-know filter Firewalls segment corporate network into secure zones Large organizations with multiple sites –Install firewall at each location All locations follow same security policy

100 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 100 Firewalls (cont’d.) Should be stripped of unnecessary software Packet-filter firewalls –Examine all data flowing back and forth between trusted network (within firewall) and the Internet Gateway servers –Filter traffic based on requested application –Limit access to specific applications Telnet, FTP, HTTP Proxy server firewalls –Communicate with the Internet on private network’s behalf

101 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 101 Firewalls (cont’d.) Perimeter expansion problem –Computers outside traditional physical site boundary Servers under almost constant attack –Install intrusion detection systems Monitor server login attempts Analyze for patterns indicating cracker attack Block further attempts originating from same IP address Cloud computing: firewall products lagging behind Personal firewalls –Software-only firewalls on individual client computers –Gibson Research Shields Up! Web site

102 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Organizations that Promote Computer Security Following the Internet Worm of 1988 –Organizations formed to share information About threats to computer systems Principle followed –Sharing information about attacks and defenses for attacks Helps everyone create better computer security 102

103 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 103 CERT Computer Emergency Response Team Housed at Carnegie Mellon University –Software Engineering Institute Maintains effective, quick communications infrastructure among security experts –Security incidents avoided, handled quickly Provides security risk information Posts security event alerts Primary authoritative source for viruses, worms, and other types of attack information

104 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Other Organizations 1989: System Administrator, Audit, Network and Security (SANS) Institute –Education and research efforts Research reports, security alerts, and white papers –SANS Internet Storm Center Web site Current information on location, intensity of computer attacks worldwide CERIAS (Center for Education and Research in Information Assurance and Security) –Multidisciplinary information security research and education 104

105 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 105 Other Organizations (cont’d.) Center for Internet Security –Not-for-profit cooperative organization –Helps electronic commerce companies CSO Online –Articles from CSO Magazine –Computer security-related news items Infosecurity.com –Articles about all types of online security issues

106 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition 106 Computer Forensics and Ethical Hacking Computer forensics experts (ethical hackers) –Computer sleuths hired to probe PCs –Locate information usable in legal proceedings –Job of breaking into client computers Computer forensics field –Responsible for collection, preservation, and computer-related evidence analysis Companies hire ethical hackers to test computer security safeguards

107 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Summary Physical and logical computer security important in electronic commerce –Security policy can identify risks and countermeasures to reduce risks Key security provisions –Secrecy, integrity, available service Client threats and solutions –Virus threats, active content threats, cookies Communication channels’ threats and solutions –Encryption provides secrecy 107

108 © 2013 Cengage Learning. All Rights Reserved. This edition is intended for use outside of the U.S. only, with content that may be different from the U.S. Edition. May not be scanned, copied, duplicated, or posted to a publicly accessible website, in whole or in part. E-Business, Tenth Edition Summary (cont’d.) Web Server threats and solutions –Threats from programs, backdoors Security organizations –Share information about threats, defenses Computer forensics –“Break into” computers searching for legal use data –Assist in identifying security weaknesses 108


Download ppt "E-Business Tenth Edition Chapter 10 Online Security."

Similar presentations


Ads by Google