
Chapter 5: Security Threats to Electronic Commerce (presentation transcript)

Slide 1: Chapter 5, Security Threats to Electronic Commerce

Slide 2: Objectives
  - Important computer and electronic commerce security terms
  - Why secrecy, integrity, and necessity are the three parts of any security program
  - The roles of copyright and intellectual property and their importance in any study of electronic commerce

Slide 3: Objectives (continued)
  - Threats, and countermeasures to eliminate or reduce them
  - Specific threats to client machines, Web servers, and commerce servers
  - Enhancing security in back-office products, such as database servers
  - How security protocols plug security holes
  - The roles encryption and certificates play

Slide 4: Security Overview
  - Many fears to overcome
    - Intercepted e-mail messages
    - Unauthorized access to digital intelligence
    - Credit card information falling into the wrong hands
  - Two types of computer security
    - Physical: protection of tangible objects
    - Logical: protection of non-physical objects

Slide 5: Security Overview (Figure 5-1)
  - Countermeasures are procedures, either physical or logical, that recognize, reduce, or eliminate a threat

Slide 6: Computer Security Classification
  - Secrecy
    - Protecting against unauthorized data disclosure and ensuring the authenticity of the data's source
  - Integrity
    - Preventing unauthorized data modification
  - Necessity
    - Preventing data delays or denials (removal)

Slide 7: Copyright and Intellectual Property
  - Copyright
    - Protecting expression
      - Literary and musical works
      - Pantomimes and choreographic works
      - Pictorial, graphic, and sculptural works
      - Motion pictures and other audiovisual works
      - Sound recordings
      - Architectural works

Slide 8: Copyright and Intellectual Property (continued)
  - Intellectual property
    - The ownership of ideas and control over the tangible or virtual representation of those ideas
  - U.S. Copyright Act of 1976
    - Protects the previously stated items for a fixed period of time
    - Copyright Clearance Center
      - Clearinghouse for U.S. copyright information

Slide 9: Copyright Clearance Center Home Page (Figure 5-2)

Slide 10: Security Policy and Integrated Security
  - A security policy is a written statement describing what assets are to be protected and why, who is responsible for them, and which behaviors are acceptable and which are not. It typically covers:
    - Physical security
    - Network security
    - Access authorizations
    - Virus protection
    - Disaster recovery

Slide 11: Specific Elements of a Security Policy
  - Authentication
    - Who is trying to access the site?
  - Access control
    - Who is allowed to log on and access the site?
  - Secrecy
    - Who is permitted to view selected information?

Slide 12: Specific Elements of a Security Policy (continued)
  - Data integrity
    - Who is allowed to change data?
  - Audit
    - What and who causes selected events to occur, and when?

Slide 13: Intellectual Property Threats
  - The Internet presents a tempting target for intellectual property threats
    - It is very easy to reproduce an exact copy of anything found on the Internet
    - People are unaware of copyright restrictions and unwittingly infringe on them
  - Fair use allows limited use of copyrighted material when certain conditions are met

Slide 14: The Copyright Website Home Page (Figure 5-3)

Slide 15: Intellectual Property Threats (continued)
  - Cybersquatting
    - The practice of registering a domain name that is the trademark of another person or company
    - Cybersquatters hope that the owner of the trademark will pay huge dollar amounts to acquire the URL
    - Some cybersquatters misrepresent themselves as the trademark owner for fraudulent purposes

Slide 16: Electronic Commerce Threats
  - Client threats
    - Active content
      - Java applets, ActiveX controls, JavaScript, and VBScript
      - Programs that interpret or execute instructions embedded in downloaded objects
      - Malicious active content can be embedded into seemingly innocuous Web pages
      - Cookies remember user names, passwords, and other commonly referenced information

Slide 17: Java, Java Applets, and JavaScript
  - Java is a high-level programming language developed by Sun Microsystems
  - Java code embedded into appliances can make them run more intelligently
  - The largest use of Java is in Web pages (free applets can be downloaded)
  - Platform independent: will run on any computer

Slide 18: Java Applet Example (Figure 5-4)

Slide 19: Sun's Java Applet Page (Figure 5-5)

Slide 20: Java, Java Applets, and JavaScript (continued)
  - Java sandbox
    - Confines Java applet actions to a set of rules defined by the security model
    - The rules apply to all untrusted applets, that is, applets that have not been proven secure
  - Signed Java applets
    - Contain embedded digital signatures that serve as proof of identity

Slide 21: ActiveX Controls
  - An ActiveX control is an object that contains programs and properties that perform certain tasks
  - ActiveX controls run only on Windows 95, 98, or 2000
  - Once downloaded, ActiveX controls execute like any other program, with full access to your computer's resources

Slide 22: ActiveX Warning Dialog Box (Figure 5-6)

Slide 23: Graphics, Plug-ins, and E-mail Attachments
  - Code can be embedded into graphic images, causing harm to your computer
  - Plug-ins are used to play audiovisual clips and animated graphics
    - They could contain ill-intentioned commands hidden within the object
  - E-mail attachments can contain destructive macros within the document

Slide 24: Netscape's Plug-ins Page (Figure 5-7)

Slide 25: Communication Channel Threats
  - Secrecy threats
    - Secrecy is the prevention of unauthorized information disclosure
    - Privacy is the protection of individual rights to nondisclosure
    - Theft of sensitive or personal information is a significant danger
    - Your IP address and the browser you use are continually revealed while you are on the Web

Slide 26: Communication Channel Threats (continued)
  - Anonymizer
    - A Web site that provides a measure of secrecy as long as it is used as the portal to the Internet
  - Integrity threats
    - Also known as active wiretapping
    - An unauthorized party can alter data
      - For example, change the amount of a deposit or withdrawal
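Slide 6 names integrity as one of the three parts of a security program, and slide 26 gives the classic integrity threat: an active wiretapper changing the amount of a deposit or withdrawal in transit. The standard countermeasure is a message authentication code computed with a key the wiretapper does not hold. The following is an added example, not code from the slides; the shared key and the transaction values are constructed for illustration.

```python
"""Detecting in-transit alteration of a transaction with an HMAC.

Added example (not from the slides): the sender and the bank share a secret
key; the sender appends an HMAC-SHA256 tag computed over the canonical
transaction fields. An active wiretapper who changes the amount cannot
recompute the tag without the key, so verification at the bank fails.
The key and the transaction values below are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed shared secret; in practice it is provisioned out of band.
SHARED_KEY = b"example-shared-secret-do-not-reuse"


def canonical(txn: dict) -> bytes:
    """Serialize the transaction deterministically so both sides MAC identical bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(txn: dict, key: bytes = SHARED_KEY) -> dict:
    """Return the transaction together with an HMAC-SHA256 tag over its fields."""
    tag = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    return {"txn": dict(txn), "tag": tag}


def verify(message: dict, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means the data was altered."""
    expected = hmac.new(key, canonical(message["txn"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["tag"])


def demo() -> tuple:
    """Return (intact_ok, tampered_ok): the original verifies, the altered amount does not."""
    original = protect({"account": "12345678", "op": "withdrawal", "amount": "100.00"})
    intact_ok = verify(original)
    # Simulate active wiretapping: the amount is changed, the tag is left as it was.
    tampered = {"txn": dict(original["txn"], amount="9100.00"), "tag": original["tag"]}
    tampered_ok = verify(tampered)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    ok, bad = demo()
    print("original verifies:", ok)   # True
    print("tampered verifies:", bad)  # False
```

The tag binds every field that is serialized, so changing any of them, not just the amount, is detected. A MAC alone does not stop an attacker from replaying an unmodified message; a real protocol adds a sequence number or timestamp inside the protected fields for that.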

Slide 27: Anonymizer's Home Page (Figure 5-8)

Slide 28: Communication Channel Threats (continued)
  - Necessity threats
    - Also known as delay or denial threats
    - Disrupt normal computer processing
      - Deny processing entirely
      - Slow processing to intolerably slow speeds
      - Remove a file entirely, or delete information from a transmission or file
      - Divert money from one bank account to another

Slide 29: Server Threats
  - The more complex software becomes, the higher the probability that errors (bugs) exist in the code
  - Servers run at various privilege levels
    - The highest levels provide the greatest access and flexibility
    - The lowest levels provide a logical fence around a running program

Slide 30: Server Threats (continued)
  - Secrecy violations occur when the names of a server's folders are revealed to a Web browser
  - Administrators can turn off the folder-name display feature to avoid such secrecy violations
  - Cookies should never be transmitted unprotected
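Slide 30 says cookies should never be transmitted unprotected. In practice that is controlled by the attributes a server puts on its Set-Cookie headers: a cookie without Secure is also sent over cleartext HTTP, and one without HttpOnly is readable by scripts in the page. The following audit is an added example, not from the slides; the response headers it inspects are constructed, not captured from any real site.

```python
"""Auditing Set-Cookie headers for cookies that would travel unprotected.

Added example (not from the slides). For each Set-Cookie header in a
response it reports which protections are missing, and shows the hardened
header value. The header lines below are constructed for illustration.
"""

# Constructed sample: raw response header lines as a server might emit them.
SAMPLE_HEADERS = [
    "Content-Type: text/html",
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: cart=42,17; Path=/",
    "Set-Cookie: prefs=theme-dark; Path=/; Secure",
]


def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name, "attrs": attrs}


def audit_cookies(header_lines) -> dict:
    """Return {cookie_name: [missing protections]} for every Set-Cookie header in the response."""
    findings = {}
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        missing = []
        if "secure" not in cookie["attrs"]:
            missing.append("Secure")    # would also be sent over cleartext HTTP
        if "httponly" not in cookie["attrs"]:
            missing.append("HttpOnly")  # readable by scripts running in the page
        findings[cookie["name"]] = missing
    return findings


def hardened(header_value: str) -> str:
    """Return the Set-Cookie value with Secure and HttpOnly appended where absent."""
    cookie = parse_set_cookie(header_value)
    value = header_value.strip()
    for attr in ("Secure", "HttpOnly"):
        if attr.lower() not in cookie["attrs"]:
            value += "; " + attr
    return value


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Running it over the constructed headers flags the cart cookie as missing both attributes and the prefs cookie as missing HttpOnly; the session cookie passes. The same audit can be pointed at captured response headers from a server under review.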

Slide 31: Displayed Folder Names (Figure 5-9)

Slide 32: Server Threats (continued)
  - One of the most sensitive files on a Web server holds the username and password pairs
  - The Web server administrator is responsible for ensuring that this and other sensitive files are secure
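Slide 32 calls the username/password file one of the most sensitive files on a Web server. Two controls limit the damage if it is ever disclosed: store only salted, slow hashes rather than the passwords themselves, and create the file so that only its owner can read it. The following is an added example, not code from the slides or from any particular Web server; the file name, iteration count and sample accounts are constructed.

```python
"""Protecting a Web server's username/password file.

Added example (not from the slides). Passwords are stored only as salted
PBKDF2-HMAC-SHA256 hashes, so a disclosed file does not hand over the
passwords themselves, and the file is created with owner-only permissions
(mode 0600 on POSIX systems). The file name, iteration count and sample
accounts are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Dict, Optional

ITERATIONS = 100_000  # constructed value, kept small for the demo; production uses more


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def write_password_file(path: str, accounts: Dict[str, str]) -> None:
    """Write 'user:stored_hash' lines to a file only its owner can read or write."""
    # O_EXCL refuses to clobber an existing file; 0o600 applies before any byte is written.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for user, password in accounts.items():
            fh.write(f"{user}:{hash_password(password)}\n")


def load_password_file(path: str) -> Dict[str, str]:
    """Read the file back into {user: stored_hash}."""
    entries = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            user, _, stored = line.rstrip("\n").partition(":")
            if user:
                entries[user] = stored
    return entries


def demo() -> dict:
    """Create a password file in a temporary directory and report what a verifier sees."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "htpasswd.example")  # constructed file name
        write_password_file(path, {"alice": "correct horse", "bob": "battery staple"})
        entries = load_password_file(path)
        with open(path, encoding="utf-8") as fh:
            raw = fh.read()
        return {
            "alice_ok": check_password("correct horse", entries["alice"]),
            "alice_wrong": check_password("wrong password", entries["alice"]),
            "bob_ok": check_password("battery staple", entries["bob"]),
            "plaintext_in_file": "correct horse" in raw or "battery staple" in raw,
            "mode": oct(os.stat(path).st_mode & 0o777),  # '0o600' on POSIX
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-user random salt means two accounts with the same password get different stored values, and the iteration count makes offline guessing against a stolen file slow. Neither control replaces file permissions; the two are meant to be applied together.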

Slide 33: Database Threats
  - Disclosure of valuable and private information could irreparably damage a company
  - Security is often enforced through the use of privileges
  - Some databases are inherently insecure and rely on the Web server to enforce security measures

Slide 34: Oracle Security Features Page (Figure 5-10)

Slide 35: Other Threats
  - Common Gateway Interface (CGI) threats
    - CGI programs present a security threat if misused
    - CGI programs can reside almost anywhere on a Web server and therefore are often difficult to track down
    - CGI scripts do not run inside a sandbox, unlike JavaScript

Slide 36: Other Threats (continued)
  - Other programming threats include
    - Programs executed by the server
    - Buffer overruns, which can cause errors
    - Runaway code segments
      - The Internet Worm attack was a runaway code segment
    - Buffer overflow attacks, which occur when control is released by an authorized program but the intruder's code directs that control be turned over to it

Slide 37: Buffer Overflow Attack (Figure 5-11)

Slide 38: Computer Emergency Response Team (CERT)
  - Housed at Carnegie Mellon University
  - Responds to security events and incidents within the U.S. government and private sector
  - Posts CERT alerts to inform Internet users about recent security events

Slide 39: CERT Alerts (Figure 5-12)
