Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Threats to Electronic Commerce. Objectives Important computer and electronic commerce security terms Why secrecy, integrity, and necessity are.

Similar presentations


Presentation on theme: "Security Threats to Electronic Commerce. Objectives Important computer and electronic commerce security terms Why secrecy, integrity, and necessity are."— Presentation transcript:

1 Security Threats to Electronic Commerce

2 Objectives Important computer and electronic commerce security terms Why secrecy, integrity, and necessity are three parts of any security program The roles of copyright and intellectual property and their importance in any study of electronic commerce

3 Objectives Threats and counter measures to eliminate or reduce threats Specific threats to client machines, Web servers, and commerce servers Roles encryption and certificates play

4 Security Overview Many fears to overcome äIntercepted messages äUnauthorized access to digital intelligence äCredit card information falling into the wrong hands Two types of computer security äPhysical - protection of tangible objects äLogical - protection of non-physical objects

5 Security Overview Countermeasures: physical or logical procedures that recognize, reduce, or eliminate a threat

6 Computer Security Classification Secrecy/Confidentiality äProtecting against unauthorized data disclosure and ensuring the authenticity of the data’s source Privacy ä The ability to ensure the use of information about oneself Integrity äPreventing unauthorized data modification by an unauthorized party Necessity äPreventing data delays or denials (removal)

7 Computer Security Classification Nonrepudiation ä Ensure that e-commerce participants do not deny (i.e., repudiate) their online actions Authenticity ä The ability to identify the identity of a person or entity with whom you are dealing on the Internet

8 Copyright and Intellectual Property Copyright äProtecting expression äLiterary and musical works äPantomimes and choreographic works äPictorial, graphic, and sculptural works äMotion pictures and other audiovisual works äSound recordings äArchitectural works

9 Copyright and Intellectual Property Intellectual property äThe ownership of ideas and control over the tangible or virtual representation of those ideas U.S. Copyright Act of 1976 äProtects previously stated items for a fixed period of time äCopyright Clearance Center äClearinghouse for U.S. copyright information

10 Intellectual Property Threats The Internet presents a tempting target for intellectual property threats äVery easy to reproduce an exact copy of anything found on the Internet äPeople are unaware of copyright restrictions, and unwittingly infringe on them äFair use allows limited use of copyright material when certain conditions are met

11 Designing systems that are neither over- controlled nor under-controlled Applying quality assurance standards in large systems projects MANAGEMENT CHALLENGES

12 Advances in telecommunications and computer software Unauthorized access, abuse, or fraud Hackers Denial of service attack Computer virus Why Systems are Vulnerable

13 Telecommunication Network Vulnerabilities Figure 14-1

14 Disaster Destroys computer hardware, programs, data files, and other equipment Security Prevents unauthorized access, alteration, theft, or physical damage Concerns for System Builders and Users

15 Errors Cause computers to disrupt or destroy organization’s record-keeping and operations Concerns for System Builders and Users

16 Bugs Program code defects or errors Maintenance Nightmare Maintenance costs high due to organizational change, software complexity, and faulty system analysis and design System Quality Problems: Software and Data

17 Points in the Processing Cycle where Errors can Occur Figure 14-2

18 Data Quality Problems Caused due to errors during data input or faulty information system and database design

19 The Cost of Errors over the Systems Development Cycle Figure 14-3

20 Controls Methods, policies, and procedures Ensures protection of organization’s assets Ensures accuracy and reliability of records, and operational adherence to management standards Overview

21 General controls Establish framework for controlling design, security, and use of computer programs Include software, hardware, computer operations, data security, implementation, and administrative controls General Controls and Application Controls

22 Security Profiles for a Personnel System Figure 14-4

23 Application controls Unique to each computerized application Include input, processing, and output controls General Controls and Application Controls

24 On-line transaction processing: Transactions entered online are immediately processed by computer Fault-tolerant computer systems: Contain extra hardware, software, and power supply components Protecting the Digital Firm

25 High-availability computing: Tools and technologies enabling system to recover from a crash Disaster recovery plan: Runs business in event of computer outage Load balancing: Distributes large number of requests for access among multiple servers Mirroring: Duplicating all processes and transactions of server on backup server to prevent any interruption Clustering: Linking two computers together so that a second computer can act as a backup to the primary computer or speed up processing Protecting the Digital Firm

26 Security Threats in the E-commerce Environment Three key points of vulnerability  the client  communications pipeline  the server

27 Vulnerable Points in an E-commerce Environment

28 Electronic Commerce Threats Client Threats äActive Content äJava applets, Active X controls, JavaScript, and VBScript äPrograms that interpret or execute instructions embedded in downloaded objects äMalicious active content can be embedded into seemingly innocuous Web pages -- launched when you use your browser to view the page

29 Electronic Commerce Threats Client Threats -- Cookies äremember user names, passwords, and other commonly referenced information Exercise äGo to “cookie FAQs” on text links page or: äAre cookies dangerous? äHow did they get to be called “cookies?” äWhat are the benefits of cookies?

30 Graphics, Plug-ins, and Attachments Code can be embedded into graphic images causing harm to your computer Plug-ins are used to play audiovisual clips, animated graphics äCould contain ill-intentioned commands hidden within the object attachments can contain destructive macros within the document

31 Communication Channel Threats Secrecy Threats äSecrecy is the prevention of unauthorized information disclosure - technical issue äPrivacy is the protection of individual rights to nondisclosure - legal issue regarding rights äTheft of sensitive or personal information is a significant danger äYour IP address and browser you use are continually revealed while on the web

32 Communication Channel Threats Anonymizer äA Web site that provides a measure of secrecy as long as it’s used as the portal to the Internet ähttp://www.anonymizer.comhttp://www.anonymizer.com äCheck out “Here’s what we know about you” Integrity Threats äAlso known as active wiretapping äUnauthorized party can alter data äChange the amount of a deposit or withdrawal

33 Communication Channel Threats Necessity Threats äAlso known as delay or denial threats äDisrupt normal computer processing äDeny processing entirely äSlow processing to intolerably slow speeds äRemove file entirely, or delete information from a transmission or file äDivert money from one bank account to another

34 Server Threats The more complex software becomes, the higher the probability that errors (bugs) exist in the code Servers run at various privilege levels äHighest levels provide greatest access and flexibility äLowest levels provide a logical fence around a running program

35 Server Threats Contents of a server’s folder names are revealed to a Web browser Cookies should never be transmitted unprotected Sensitive files such as username and password pairs or credit card numbers Hacking and Cracking -- the Web server administrator is responsible for ensuring that all sensitive files, are secure

36 Database Threats Once a user is authenticated to a database, selected database information is visible to the user. Security is often enforced through the use of privileges Some databases are inherently insecure and rely on the Web server to enforce security measures

37 Other Threats Common Gateway Interface (CGI) Threats äCGIs are programs that present a security threat if misused äCGI programs can reside almost anywhere on a Web server and therefore are often difficult to track down äCGI scripts do not run inside a sandbox, unlike JavaScript

38 Other Threats Other programming threats include äPrograms executed by the server äBuffer overruns can cause errors äRunaway code segments äThe Internet Worm attack was a runaway code segment äBuffer overflow attacks occur when control is released by an authorized program, but the intruder code instructs control to be turned over to it

39 Tools Available to Achieve Site Security

40 Encryption Transforms plain text or data into cipher text that cannot be read by anyone outside of the sender and the receiver. Purpose:  to secure stored information  to secure information transmission. Cipher text  text that has been encrypted and thus cannot be read by anyone besides the sender and the receiver Symmetric Key Encryption  DES standard most widely used

41 Encryption Public key cryptography ä uses two mathematically related digital keys: a public key and a private key. The private key is kept secret by the owner, and the public key is widely disseminated. Both keys can be used to encrypt and decrypt a message. A key used to encrypt a message, cannot be used to unencrypt the message

42 Public Key Cryptography - A Simple Case

43 Public Key Cryptography with Digital Signatures

44 Public Key Cryptography: Creating a Digital Envelope

45 Securing Channels of Communications Secure Sockets Layer (SSL) is the most common form of securing channels Secure negotiated session ä client-server session where the requested document URL, contents, forms, and cookies are encrypted. Session key is a unique symmetric encryption key chosen for a single secure session

46 Secure Negotiated Sessions Using SSL

47 Securing Channels of Communications Secure Hypertext Transfer Protocol (S- HTTP) ä secure message-oriented communications protocol for use with HTTP. Virtual Private Networks (VPN) ä remote users can securely access internal networks via Point-to-Point Tunneling Protocol (PPTP)

48 Protecting Networks Firewalls ä software applications that act as a filter between a private network and the Internet Proxy server ä server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization

49 Policies, Procedures, and Laws Developing an e-commerce security plan  perform a risk assessment  develop a security policy  develop an implementation plan  create a security organization  perform a security audit

50 Tension Between Security and Other Values Ease of use  Often security slows down processors and adds significantly to data storage demands. Too much security can harm profitability; not enough can mean going out of business. Public Safety & Criminal Use  claims of individuals to act anonymously vs. needs of public officials to maintain public safety in light of criminals or terrorists.

51 Security Policy and Integrated Security Security policy is a written statement describing what assets are to be protected and why, who is responsible, which behaviors are acceptable or not äPhysical security äNetwork security äAccess authorizations äVirus protection äDisaster recovery

52 Specific Elements of a Security Policy Authentication äWho is trying to access the site? Access Control äWho is allowed to logon and access the site? Secrecy äWho is permitted to view selected information Data integrity äWho is allowed to change data? Audit äWhat and who causes selected events to occur, and when?

53 Computer Emergency Response Team (CERT) Housed at Carnegie Mellon University Responds to security events and incidents within the U.S. government and private sector

54 Some questions Can internet security measures actually create opportunities for criminals to steal? How? Why are some online merchants hesitant to ship to international addresses? What are some steps a company can take to thwart cyber-criminals from within a business? Is a computer with anti-virus software protected from viruses? Why or why not? What are the differences between encryption and authentication? Discuss the role of administration in implementing a security policy?

55 Group Exercise Given the shift to m-commerce, identify and discuss the new security threats to this type of technology? What are some of the non-security impacts on society? Select a reporter and give a brief synopsis of your views to the class.


Download ppt "Security Threats to Electronic Commerce. Objectives Important computer and electronic commerce security terms Why secrecy, integrity, and necessity are."

Similar presentations


Ads by Google