Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Threats to Electronic Commerce.

Similar presentations

Presentation on theme: "Security Threats to Electronic Commerce."— Presentation transcript:

1 Security Threats to Electronic Commerce

2 Objectives Important computer and electronic commerce security terms
Why secrecy, integrity, and necessity are three parts of any security program The roles of copyright and intellectual property and their importance in any study of electronic commerce

3 Objectives Threats and counter measures to eliminate or reduce threats
Specific threats to client machines, Web servers, and commerce servers Roles encryption and certificates play

4 Security Overview Many fears to overcome
Intercepted messages Unauthorized access to digital intelligence Credit card information falling into the wrong hands Two types of computer security Physical - protection of tangible objects Logical - protection of non-physical objects

5 Security Overview Countermeasures: physical or logical procedures that recognize, reduce, or eliminate a threat

6 Computer Security Classification
Secrecy/Confidentiality Protecting against unauthorized data disclosure and ensuring the authenticity of the data’s source Privacy The ability to ensure the use of information about oneself Integrity Preventing unauthorized data modification by an unauthorized party Necessity Preventing data delays or denials (removal)

7 Computer Security Classification
Nonrepudiation Ensure that e-commerce participants do not deny (i.e., repudiate) their online actions Authenticity The ability to identify the identity of a person or entity with whom you are dealing on the Internet

8 Copyright and Intellectual Property
Protecting expression Literary and musical works Pantomimes and choreographic works Pictorial, graphic, and sculptural works Motion pictures and other audiovisual works Sound recordings Architectural works

9 Copyright and Intellectual Property
The ownership of ideas and control over the tangible or virtual representation of those ideas U.S. Copyright Act of 1976 Protects previously stated items for a fixed period of time Copyright Clearance Center Clearinghouse for U.S. copyright information

10 Intellectual Property Threats
The Internet presents a tempting target for intellectual property threats Very easy to reproduce an exact copy of anything found on the Internet People are unaware of copyright restrictions, and unwittingly infringe on them Fair use allows limited use of copyright material when certain conditions are met

Designing systems that are neither over-controlled nor under-controlled Applying quality assurance standards in large systems projects

12 Why Systems are Vulnerable
Advances in telecommunications and computer software Unauthorized access, abuse, or fraud Hackers Denial of service attack Computer virus

13 Telecommunication Network Vulnerabilities
Figure 14-1

14 Concerns for System Builders and Users
Disaster Destroys computer hardware, programs, data files, and other equipment Security Prevents unauthorized access, alteration, theft, or physical damage

15 Concerns for System Builders and Users
Errors Cause computers to disrupt or destroy organization’s record-keeping and operations

16 System Quality Problems: Software and Data
Bugs Program code defects or errors Maintenance Nightmare Maintenance costs high due to organizational change, software complexity, and faulty system analysis and design

17 Points in the Processing Cycle where Errors can Occur
Figure 14-2

18 Data Quality Problems Caused due to errors during data input or faulty information system and database design

19 The Cost of Errors over the Systems Development Cycle
Figure 14-3

20 Overview Controls Methods, policies, and procedures
Ensures protection of organization’s assets Ensures accuracy and reliability of records, and operational adherence to management standards

21 General Controls and Application Controls
Establish framework for controlling design, security, and use of computer programs Include software, hardware, computer operations, data security, implementation, and administrative controls

22 Security Profiles for a Personnel System
Figure 14-4

23 General Controls and Application Controls
Unique to each computerized application Include input, processing, and output controls

24 Protecting the Digital Firm
On-line transaction processing: Transactions entered online are immediately processed by computer Fault-tolerant computer systems: Contain extra hardware, software, and power supply components

25 Protecting the Digital Firm
High-availability computing: Tools and technologies enabling system to recover from a crash Disaster recovery plan: Runs business in event of computer outage Load balancing: Distributes large number of requests for access among multiple servers Mirroring: Duplicating all processes and transactions of server on backup server to prevent any interruption Clustering: Linking two computers together so that a second computer can act as a backup to the primary computer or speed up processing

26 Security Threats in the E-commerce Environment
Three key points of vulnerability the client communications pipeline the server

27 Vulnerable Points in an E-commerce Environment

28 Electronic Commerce Threats
Client Threats Active Content Java applets, Active X controls, JavaScript, and VBScript Programs that interpret or execute instructions embedded in downloaded objects Malicious active content can be embedded into seemingly innocuous Web pages -- launched when you use your browser to view the page

29 Electronic Commerce Threats
Client Threats -- Cookies remember user names, passwords, and other commonly referenced information Exercise Go to “cookie FAQs” on text links page or: Are cookies dangerous? How did they get to be called “cookies?” What are the benefits of cookies?

30 Graphics, Plug-ins, and E-mail Attachments
Code can be embedded into graphic images causing harm to your computer Plug-ins are used to play audiovisual clips, animated graphics Could contain ill-intentioned commands hidden within the object attachments can contain destructive macros within the document

31 Communication Channel Threats
Secrecy Threats Secrecy is the prevention of unauthorized information disclosure - technical issue Privacy is the protection of individual rights to nondisclosure - legal issue regarding rights Theft of sensitive or personal information is a significant danger Your IP address and browser you use are continually revealed while on the web

32 Communication Channel Threats
Anonymizer A Web site that provides a measure of secrecy as long as it’s used as the portal to the Internet Check out “Here’s what we know about you” Integrity Threats Also known as active wiretapping Unauthorized party can alter data Change the amount of a deposit or withdrawal

33 Communication Channel Threats
Necessity Threats Also known as delay or denial threats Disrupt normal computer processing Deny processing entirely Slow processing to intolerably slow speeds Remove file entirely, or delete information from a transmission or file Divert money from one bank account to another

34 Server Threats The more complex software becomes, the higher the probability that errors (bugs) exist in the code Servers run at various privilege levels Highest levels provide greatest access and flexibility Lowest levels provide a logical fence around a running program

35 Server Threats Contents of a server’s folder names are revealed to a Web browser Cookies should never be transmitted unprotected Sensitive files such as username and password pairs or credit card numbers Hacking and Cracking -- the Web server administrator is responsible for ensuring that all sensitive files, are secure

36 Database Threats Once a user is authenticated to a database, selected database information is visible to the user. Security is often enforced through the use of privileges Some databases are inherently insecure and rely on the Web server to enforce security measures

37 Other Threats Common Gateway Interface (CGI) Threats
CGIs are programs that present a security threat if misused CGI programs can reside almost anywhere on a Web server and therefore are often difficult to track down CGI scripts do not run inside a sandbox, unlike JavaScript

38 Other Threats Other programming threats include
Programs executed by the server Buffer overruns can cause errors Runaway code segments The Internet Worm attack was a runaway code segment Buffer overflow attacks occur when control is released by an authorized program, but the intruder code instructs control to be turned over to it

39 Tools Available to Achieve Site Security

40 Encryption Transforms plain text or data into cipher text that cannot be read by anyone outside of the sender and the receiver. Purpose: to secure stored information to secure information transmission. Cipher text text that has been encrypted and thus cannot be read by anyone besides the sender and the receiver Symmetric Key Encryption DES standard most widely used

41 Encryption Public key cryptography
uses two mathematically related digital keys: a public key and a private key. The private key is kept secret by the owner, and the public key is widely disseminated. Both keys can be used to encrypt and decrypt a message. A key used to encrypt a message, cannot be used to unencrypt the message

42 Public Key Cryptography - A Simple Case

43 Public Key Cryptography with Digital Signatures

44 Public Key Cryptography: Creating a Digital Envelope

45 Securing Channels of Communications
Secure Sockets Layer (SSL) is the most common form of securing channels Secure negotiated session client-server session where the requested document URL, contents, forms, and cookies are encrypted. Session key is a unique symmetric encryption key chosen for a single secure session

46 Secure Negotiated Sessions Using SSL

47 Securing Channels of Communications
Secure Hypertext Transfer Protocol (S-HTTP) secure message-oriented communications protocol for use with HTTP. Virtual Private Networks (VPN) remote users can securely access internal networks via Point-to-Point Tunneling Protocol (PPTP)

48 Protecting Networks Firewalls Proxy server
software applications that act as a filter between a private network and the Internet Proxy server server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization

49 Policies, Procedures, and Laws
Developing an e-commerce security plan perform a risk assessment develop a security policy develop an implementation plan create a security organization perform a security audit

50 Tension Between Security and Other Values
Ease of use Often security slows down processors and adds significantly to data storage demands. Too much security can harm profitability; not enough can mean going out of business. Public Safety & Criminal Use claims of individuals to act anonymously vs. needs of public officials to maintain public safety in light of criminals or terrorists.

51 Security Policy and Integrated Security
Security policy is a written statement describing what assets are to be protected and why, who is responsible, which behaviors are acceptable or not Physical security Network security Access authorizations Virus protection Disaster recovery

52 Specific Elements of a Security Policy
Authentication Who is trying to access the site? Access Control Who is allowed to logon and access the site? Secrecy Who is permitted to view selected information Data integrity Who is allowed to change data? Audit What and who causes selected events to occur, and when?

53 Computer Emergency Response Team (CERT)
Housed at Carnegie Mellon University Responds to security events and incidents within the U.S. government and private sector

54 Some questions Can internet security measures actually create opportunities for criminals to steal? How? Why are some online merchants hesitant to ship to international addresses? What are some steps a company can take to thwart cyber-criminals from within a business? Is a computer with anti-virus software protected from viruses? Why or why not? What are the differences between encryption and authentication? Discuss the role of administration in implementing a security policy?

55 Group Exercise Given the shift to m-commerce, identify and discuss the new security threats to this type of technology? What are some of the non-security impacts on society? Select a reporter and give a brief synopsis of your views to the class.

Download ppt "Security Threats to Electronic Commerce."

Similar presentations

Ads by Google