Oz – Foundations of Electronic Commerce © 2002 Prentice Hall Security and Privacy Issues.


Slide 2: Learning Objectives
- List the major threats to networked information systems
- Suggest a security measure for each threat to networked information systems
- Explain encryption and how it supports electronic signatures and digital certificates

Slide 3: Learning Objectives (continued)
- Contrast the legitimate data-gathering needs of businesses and government with individual privacy concerns
- Discuss how the increased use of the Internet increases threats to privacy
- Explain the relationship between consumer profiling and privacy issues

Slide 4: No security? No privacy? No commerce!
- Online security, from a corporate perspective: the ability to protect information sources from unauthorized access, modification, or destruction
- Online security, from a consumer perspective: the perceived guarantee that no unauthorized party will have access to the transaction information

Slide 5: Privacy concerns
- Most people resent losing control of the collection and use of their personal information
- A controversial issue

Slide 6: The threats

Slide 7: Hacking
- Hacker: a person who accesses an information system resource without permission
- Almost always the first step towards criminal activity

Slide 8: Web site page defacement
- The malicious alteration of text, graphics, or audio content of pages
- May range from a cyber equivalent of graffiti to valid pages being replaced with offensive comments

Slide 9: Viruses
- Computer virus: a malicious program that spreads through the exchange of files on disks or through networks
- Viruses that spread on their own through networks are also called worms
- Viruses that have to be downloaded are called Trojan horses

Slide 10: Denial of service (DoS)
- Occurs when, due to hectic malicious activity, an organization cannot serve its clients
- Example: flooding the servers with logins
- Distributed denial of service (DDoS): the attackers "hijack" hundreds of systems (zombies) that simultaneously attack a site
- Impossible to stop
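The slide's example of flooding a server with logins is something the defender can at least see coming. The following is an added example, not part of the original slides: a sliding-window detector that reads authentication log lines and reports any source address whose login attempts exceed a threshold within a time window. The log format and all addresses are constructed for the example (documentation ranges, not a real system), and the lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict

# Constructed authentication log (not from any real system), one event per
# line: "<ISO timestamp> <source IP> <event> user=<id>".
SAMPLE_LOG = """\
2002-03-10T09:00:00 198.51.100.7 LOGIN_FAIL user=alice
2002-03-10T09:00:01 198.51.100.7 LOGIN_FAIL user=bob
2002-03-10T09:00:02 198.51.100.7 LOGIN_FAIL user=carol
2002-03-10T09:00:03 203.0.113.5 LOGIN_OK user=dave
2002-03-10T09:00:04 198.51.100.7 LOGIN_FAIL user=erin
2002-03-10T09:00:05 198.51.100.7 LOGIN_FAIL user=frank
2002-03-10T09:00:06 198.51.100.7 LOGIN_FAIL user=grace
2002-03-10T09:03:00 203.0.113.5 LOGIN_FAIL user=dave
2002-03-10T09:06:00 203.0.113.5 LOGIN_OK user=dave
"""

# Both successful and failed logins count as load on the login service.
LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL) ")


def flood_sources(log_text: str, window_seconds: int = 60,
                  threshold: int = 5) -> Dict[str, int]:
    """Return {source_ip: peak attempts seen in any window} for every source
    whose attempts in a single window reached the threshold.

    Lines are assumed to be in chronological order; lines that do not look
    like login events are skipped."""
    recent = defaultdict(deque)        # per-source timestamps inside the window
    peak: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} login attempts within 60 s")
```

On the constructed log, 198.51.100.7 makes six attempts in seven seconds and is reported, while 203.0.113.5 spreads three attempts over six minutes and is not. The window and threshold are tuning knobs; a real deployment would feed this from the live log and hand flagged sources to a rate limiter or block list rather than print them.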

Slide 11: Spoofing
- Usually means deception with the purpose of gaining access, or making users think that they are logged on to a given site when in reality they are logged on to another site
- Done by taking advantage of vulnerabilities of the DNS system
- A serious spoofing attack may result in massive fraud

Slide 12: The remedies

Slide 13: Authentication and confidentiality
- Authentication: the ability of the system to verify that the users are who they "say" they are
- Access codes:
  - "what you know": user ID and password
  - "what you are": biometrics, unique physical features used for authentication
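The "what you know" check on this slide is only as safe as the way the server stores the passwords it compares against. The block below is an added example, not from the original slides: it stores each password as a salted, iterated PBKDF2 hash and verifies candidates in constant time, so a stolen user table does not hand out the passwords themselves. The user store and the record format `pbkdf2_sha256$iterations$salt$hash` are constructed for the example.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000   # slows down offline guessing of a stolen hash


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$hash_hex.
    A fresh random salt means two users with the same password still get
    different records, so one cracked hash does not reveal the other."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters, then compare
    in constant time. Malformed or foreign records are rejected."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


# Constructed user store for the example; a real system keeps this in a database.
USERS = {"alice": hash_password("correct horse battery staple")}
# Record checked for unknown user IDs so that a lookup failure takes about
# as long as a real comparison and does not leak which IDs exist.
DUMMY_RECORD = hash_password("not a real password")


def authenticate(user_id: str, password: str) -> bool:
    """'What you know' check: unknown user IDs and wrong passwords both fail."""
    record = USERS.get(user_id)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    print("alice/correct:", authenticate("alice", "correct horse battery staple"))
    print("alice/wrong:  ", authenticate("alice", "wrong"))
    print("bob/any:      ", authenticate("bob", "anything"))
```

Storing the iteration count inside the record lets the cost be raised later for new passwords without invalidating old ones; verification reads the parameters back from the record it is checking.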

Slide 14: Confidentiality
- Confidentiality: no one except the user and the system (or counterpart in an exchange) is able to know the content of an exchange
- Achieved with encryption methods
- Encryption can also be used for authentication

Slide 15: Transparency
- Trade-off between security and convenience
- Transparency is achieved when security measures are in place but are not noticeable to the users

Slide 16: Firewalls
- Firewall: hardware and software whose purpose is to block access to certain resources
- Controls communication between a trusted network and the "untrusted" Internet

Slide 17: Demilitarized zone (DMZ)
- DMZ approach: the link between two servers, one of which is a proxy server
- A proxy server "represents" another server for all information requests
- Operated by an ISP
- Double firewall architecture: both the internal network server and the proxy server employ firewalls
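Slides 16 and 17 describe firewalls as rule sets that control what crosses between the trusted network, the DMZ, and the untrusted Internet. The following is an added example, not from the original slides, that models the double firewall architecture: an outer firewall between the Internet and the DMZ, an inner one between the DMZ and the internal network, each evaluating ordered rules with a default deny, and a packet must be allowed by every firewall on the path between its source and destination zones. The address plan and rules are constructed for the example (documentation and private ranges, not a real network).

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed address plan: 10.0.0.0/8 is the internal network, 192.0.2.0/24
# the DMZ, and anything else is treated as the untrusted Internet.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
# Outer firewall sits between positions 0 and 1, inner between 1 and 2.
ZONE_ORDER = ["internet", "dmz", "internal"]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# A rule is (action, source CIDR, destination CIDR, destination port or None for any).
Rule = Tuple[str, str, str, Optional[int]]


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; with no match the firewall denies by default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, port in rules:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and (port is None or port == dport)):
            return action
    return "deny"


# Outer firewall, between the Internet and the DMZ.
OUTER_RULES: List[Rule] = [
    ("allow", "0.0.0.0/0", "192.0.2.0/24", 443),   # public may reach the proxy over HTTPS
    ("allow", "10.0.0.0/8", "0.0.0.0/0", 443),     # internal users may browse HTTPS sites
]
# Inner firewall, between the DMZ and the internal network.
INNER_RULES: List[Rule] = [
    ("allow", "192.0.2.10/32", "10.0.0.5/32", 8080),  # only the proxy reaches the app server
    ("allow", "10.0.0.0/8", "0.0.0.0/0", 443),         # outbound HTTPS from inside
]
FIREWALLS = [OUTER_RULES, INNER_RULES]


def decide(src: str, dst: str, dport: int) -> str:
    """A packet must be allowed by every firewall on the path between its zones.
    Traffic that stays inside one zone crosses no firewall here."""
    i = ZONE_ORDER.index(zone_of(src))
    j = ZONE_ORDER.index(zone_of(dst))
    for k in range(min(i, j), max(i, j)):
        if evaluate(FIREWALLS[k], src, dst, dport) == "deny":
            return "deny"
    return "allow"


if __name__ == "__main__":
    for pkt in [("198.51.100.7", "192.0.2.10", 443),
                ("198.51.100.7", "10.0.0.5", 8080),
                ("192.0.2.10", "10.0.0.5", 8080),
                ("192.0.2.10", "10.0.0.5", 22)]:
        print(pkt, "->", decide(*pkt))
```

The point of the two-layer layout shows in the second and fourth packets: an Internet host cannot reach the internal application server at all, and even the proxy in the DMZ can only reach it on the one port the inner rule set names. A compromised proxy is therefore contained by the inner firewall rather than having free run of the trusted network.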

Slide 18: Antispoofing measures
- The telecommunication companies that operate parts of the Internet must adopt spoof-proof software
- Encryption-based measures, for example DNS Security (DNSSEC), which allows Web sites to verify their domain names and corresponding IP addresses using digital signatures and public key encryption

Slide 19: Backup
- Ideally, backup files should be updated in real time, so that the backup fully reflects the original
- Backup files should be stored off-site; specialized companies offer this service

Slide 20: Encryption and its applications

Slide 21: Encryption
- Encryption: the conversion of data into a secret code
- Decryption: the conversion of the secret code back into readable data
- Mathematical algorithms based on key(s)
- The algorithm is not secret; only the key is

Slide 22: Encryption (continued)
- The key is a binary number, 40 to 128 bits long
- The larger the key, the more difficult it is to decipher the secret code
- The key is used both in encrypting and in decrypting the data

Slide 23: Symmetric keys
- Both sender and recipient use the same, agreed-upon key
- Difficult when the same person has to communicate with many people: a different key is required for each recipient

Slide 24: Asymmetric keys
- The sender uses one key to encrypt the message, while the receiver uses a different, related key to decrypt it
- Most common: the public key method
- Each person has both a private and a public key
- The private key is secret, while the public key is freely distributed

Slide 25: Electronic signatures
- Several forms:
  - User signs with a stylus on a special pad
  - Use a biometric of the signer

Slide 26: Digital signatures
- An encrypted digest of the text that is sent with a message
- Authenticates the sender of the message
- Guarantees that the message was not altered
- Involves two phases:
  1. The encryption software uses a hashing algorithm to create a message digest
  2. The message digest is encrypted using a private key

Slide 27: Digital certificates
- Files that serve as the equivalent of ID cards
- Must be used by both buyers and sellers to authenticate a digital signature
- Issued by certificate authorities, which also issue private and public keys

Slide 28: A digital certificate contains
- Its holder's name
- A serial number
- Expiration date
- The holder's public key
- The digital signature of the certificate authority
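Slides 26 through 28 describe two mechanisms that share one engine: a digital signature is a message digest encrypted with a private key, and a digital certificate is a record of the holder's name, serial number, expiry date and public key that a certificate authority has signed the same way. The block below is an added example, not from the original slides, that carries both through with textbook RSA in plain Python integers: the two signing phases (hash, then private-key operation), verification with the public key, issuing a certificate, and checking a certificate's CA signature and expiry. The primes are hard-coded, well-known Mersenne primes so the example runs offline and deterministically; that is an assumption of the example only, since real keys are built from randomly generated primes and real signatures use a padded scheme such as RSA-PSS rather than the raw operation shown here.

```python
import hashlib
import json
from typing import Dict, Tuple

# Demo-only primes (well-known Mersenne primes), chosen so the example is
# self-contained and deterministic. Never use special-form primes for real keys.
P_CA, Q_CA = 2**607 - 1, 2**2203 - 1          # certificate authority
P_HOLDER, Q_HOLDER = 2**521 - 1, 2**1279 - 1  # certificate holder (a merchant)

PublicKey = Tuple[int, int]    # (n, e)
PrivateKey = Tuple[int, int]   # (n, d)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA: public (n, e), private (n, d) with d the inverse of e mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # modular inverse, Python 3.8+
    return (n, e), (n, d)


def message_digest(message: bytes) -> int:
    """Phase 1: reduce the message to a fixed-size digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key: PrivateKey) -> int:
    """Phase 2: encrypt the digest with the signer's private key."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key: PublicKey) -> bool:
    """Decrypt the signature with the public key; it must equal a fresh digest.
    Any change to the message changes the digest and the check fails."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message)


def certificate_body(cert: Dict) -> bytes:
    """Canonical encoding of every field the CA vouches for (all but its signature)."""
    body = {k: v for k, v in cert.items() if k != "ca_signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(holder: str, serial: int, expires: str,
                      holder_public_key: PublicKey,
                      ca_private_key: PrivateKey) -> Dict:
    """Build the certificate fields from slide 28 and add the CA's signature."""
    cert = {"holder": holder, "serial": serial, "expires": expires,
            "public_key": list(holder_public_key)}
    cert["ca_signature"] = sign(certificate_body(cert), ca_private_key)
    return cert


def verify_certificate(cert: Dict, ca_public_key: PublicKey, today: str) -> bool:
    """Valid only if the CA signature checks out over every field and the
    certificate has not expired (ISO dates compare correctly as strings)."""
    if not verify(certificate_body(cert), cert["ca_signature"], ca_public_key):
        return False
    return today <= cert["expires"]


CA_PUBLIC, CA_PRIVATE = make_keypair(P_CA, Q_CA)
HOLDER_PUBLIC, HOLDER_PRIVATE = make_keypair(P_HOLDER, Q_HOLDER)


if __name__ == "__main__":
    # Constructed scenario: a merchant's certificate and a signed order.
    cert = issue_certificate("Example Store", 1001, "2003-03-10",
                             HOLDER_PUBLIC, CA_PRIVATE)
    order = b"Pay $100 to Example Store"
    sig = sign(order, HOLDER_PRIVATE)
    print("certificate valid:", verify_certificate(cert, CA_PUBLIC, "2002-06-01"))
    print("order signature:  ", verify(order, sig, tuple(cert["public_key"])))
    print("altered order:    ", verify(b"Pay $900 to Example Store", sig, HOLDER_PUBLIC))
```

The buyer's side of slide 27 is the last two checks: first confirm the merchant's certificate with the CA's public key, then take the merchant's public key out of that certificate and use it to verify the order's signature. Altering a single character of the order, or of any certificate field, changes the digest and the verification fails.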

Slide 29: Secure Sockets Layer, SHTTP, and PGP
- Secure Sockets Layer (SSL): uses public key encryption; the most popular security standard on the Internet
- Secure HyperText Transport Protocol (SHTTP): an alternative to SSL that only works with HTTP

Slide 30: Pretty Good Privacy (PGP)
- Used for secure private communications
- Works in conjunction with the e-mail program
- Must register the public key with a PGP server

Slide 31: Business continuity plans
- Almost all businesses are dependent on the continuous availability of information systems
- Especially important for online businesses
- Downtime: the time during which systems are not functional

Slide 32: Business continuity plans (continued)
- Companies must have a clear business continuity plan, also known as a business recovery plan
- It encompasses hardware, software, people, and tasks
- Must be periodically reexamined

Slide 33: Privacy
- The ability of individuals to control information about themselves

Slide 34: Privacy and the law
- Generally, the law does not give people ownership of information about themselves
- Legal limits on the collection and dissemination of information exist
- The right to privacy is implied in the US Constitution

Slide 35: Threats to individual privacy
- Government: so far, the Internet has been used very little to collect information about citizens
- Business: always interested in information about their customers; especially true of retailers

Slide 36: Business needs versus individuals' fears
- Business needs: consumer information is used primarily to provide better customer service and more effective targeted marketing
- Individuals' fears: consumer profiling; customer data as a saleable asset
- To self-regulate or not to self-regulate?

Slide 37: Monitoring at the workplace
- Privacy policies
- Web-browsing privacy: policies about surfing the net for nonbusiness purposes
