Lesson 19-E-Commerce Security Needs


Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security. Implement server-side security. Implement application security. Implement database server security. Develop an e-commerce architecture.

Understand E-Commerce Services Organizations engage in e-commerce to increase profit by providing goods and services at lower cost than traditional channels. With the advent of e-commerce over the Internet has also come the practice of providing electronic library functions, that is, online access to sensitive or confidential information for authorized customers.

Understand E-Commerce Services E-commerce is most commonly thought of as the online purchase of goods. The security of an e-commerce service is measured in terms of its confidentiality, integrity, and accountability.

Understand E-Commerce Services E-commerce services and regular DMZ services differ in their requirements. Two requirements set e-commerce apart: the identity of the party placing an order must be verified, and the transaction must be kept confidential. Availability also becomes a critical security issue for the e-commerce site.

Understand E-Commerce Services E-commerce services may involve selling goods, providing access to confidential information, or distributing information. The same confidentiality, integrity, and accountability requirements apply to each of these.

Understand the Importance of Availability Availability is the key issue for e-commerce services. Availability of the site has a direct impact on the confidence a customer will have in using the service. Failure in availability is almost guaranteed to push a potential customer to a competitor.

Understand the Importance of Availability Business-to-consumer issues: The entire site, including payment processing, must be up at all times. Availability also has a business side, such as the organization's ability to fulfill the orders entered into the system. The infrastructure must be sized according to the expected load.

Understand the Importance of Availability Business-to-business issues: Business-to-business e-commerce is established between two organizations that already have some type of relationship. Availability requirements may be more stringent here: when one organization needs to place an order, the other must be able to receive and process it.

Understand the Importance of Availability Global time: E-commerce availability is governed by the concept of global time, which reflects the global nature of the Internet and of e-commerce. An e-commerce site must be able to handle orders from unexpected locations at any hour, so there is no quiet period in which downtime goes unnoticed.

Understand the Importance of Availability Client comfort: The client must feel comfortable with the organization's ability to process orders and deliver goods. Customer comfort, or discomfort, spreads quickly.

Understand the Importance of Availability Cost of downtime: The cost of downtime is high. It can be estimated by multiplying the average number of transactions per unit of time by the revenue of the average transaction, and then by the length of the outage. An e-commerce site must not have single points of failure, and it needs procedures for updating hardware and software that do not require taking the whole site down.

Understand the Importance of Availability Solving the availability problem: Downtime is reduced through redundancy. For sites that expect large amounts of traffic, load-balancing application-layer switches spread requests over several servers and route around a failed one. Network infrastructure components (routers, switches, firewalls) must also be configured to fail over if high availability is required.

Implement Client-Side Security (figure: client-side security components)

Implement Client-Side Security Client-side security covers the path from the customer's desktop system to the e-commerce server: the information in transit, the information stored on the customer's computer, and proof of who placed the order. For communications security the realistic solution is encryption of the information in transit, in practice HTTPS (HTTP over TLS) between the browser and the e-commerce server.

Implement Client-Side Security A cookie is a small amount of information that the Web server stores on the client system, either in cleartext or encrypted. Because the customer's machine is outside the organization's control, sensitive information must not be stored in a cookie in cleartext, and a cookie that identifies a customer or session must be protected against tampering. Organizations must also ensure that it is a legitimate customer who places the order, to reduce the chance that the customer later repudiates it.
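The following is an added example, not code from the lesson, showing one way to implement the cookie requirement above: the server keeps the cookie body readable (cleartext) but appends an HMAC-SHA256 tag so any change made on the client side is detected, and sets the Secure and HttpOnly attributes so the cookie only travels over HTTPS and is not readable by page scripts. The key handling, the payload fields (`cust`, `exp`) and the cookie name are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Server-side signing key. Assumption for this example: generated at process
# start. A real deployment loads it from a secret store shared by every
# e-commerce server behind the load balancer, not from the web root.
SECRET_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie_value(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Encode the payload and append an HMAC-SHA256 tag: '<body>.<tag>'.

    The body is cleartext to the customer, so it holds only identifiers such
    as a customer number, never card data or passwords. The tag lets the
    server detect any modification made on the client side.
    """
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_cookie_value(cookie: str, key: bytes = SECRET_KEY,
                        now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the tag verifies and it has not expired, else None."""
    try:
        body, tag = cookie.rsplit(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a plain '==' would leak timing information.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):      # malformed cookie, bad base64, bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    current = now if now is not None else time.time()
    if payload.get("exp", 0) < current:  # expired sessions are rejected
        return None
    return payload


def build_set_cookie_header(name: str, value: str, max_age: int) -> str:
    """Set-Cookie header: Secure (HTTPS only), HttpOnly (not readable by page
    scripts), SameSite=Lax (not sent on most cross-site requests)."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    session = sign_cookie_value({"cust": 4711, "exp": int(time.time()) + 3600})
    print(build_set_cookie_header("session", session, 3600))
    print(verify_cookie_value(session))                  # payload
    print(verify_cookie_value(session[:-4] + "AAAA"))    # tampered tag: None
```

Signing only gives integrity: the customer can still read the cookie body. If the payload itself must stay confidential it has to be encrypted as well, or kept server-side with only an opaque session identifier in the cookie.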

Implement Server-Side Security Security of servers includes: Information stored on the server. Protecting the server from attack.

Information Stored on the Server An e-commerce server is exposed to the Internet and is therefore a semi-trusted or untrusted system; it should not store sensitive information. If some information must be kept on the e-commerce server, it should be protected from unauthorized access through file access controls.

Protecting the Server from Attack Three categories in protecting an e-commerce server from attack: Server location. Operating system configuration. Web server configuration.

Server Location The server should be located in a protected area such as a data center. If the server is placed at a co-location facility, physical access to it must be separated from that of the facility's other clients. The firewall should be configured to allow access to the e-commerce server only on ports 80 (HTTP) and 443 (HTTPS).

Operating System Configuration The first step in configuring the server securely is to remove or turn off any unnecessary services. The latest patches for the chosen operating system must be identified and loaded. The resulting configuration should be checked against the organization's security policy, and a vulnerability scan should be run before the server goes live.

Web Server Configuration The Web server must not run as root or Administrator. CGI scripts that are not being used should be removed, since an intruder can use them as a way into the server. The Web server should be scanned for known vulnerabilities.
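As an added example (not part of the lesson), the script below audits the three hardening points above from the host's own view: it parses `ss -tlnp` style output to find services listening on the network beyond ports 80 and 443, and parses `ps -eo user,pid,comm` style output to find Web servers with no unprivileged process. The two sample outputs are constructed for the example, and the set of Web server process names is an assumption.

```python
import re
from typing import Dict, List, Set

ALLOWED_PORTS: Set[int] = {80, 443}   # the lesson's rule: HTTP and HTTPS only
# Assumption: process names of common Web servers.
WEB_SERVER_NAMES: Set[str] = {"nginx", "httpd", "apache2"}

# Constructed sample in the layout of `ss -tlnp` (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=812,fd=7))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=640,fd=3))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=905,fd=21))
LISTEN  0       50      [::]:21              [::]:*             users:(("vsftpd",pid=733,fd=4))
"""

# Constructed sample in the layout of `ps -eo user,pid,comm`.
SAMPLE_PS = """\
USER       PID COMMAND
root       812 nginx
www-data   813 nginx
www-data   814 nginx
root       640 sshd
mysql      905 mysqld
"""

SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"')


def parse_listeners(ss_output: str) -> List[Dict]:
    """One record per LISTEN line: local address, port and owning process name."""
    listeners = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if m:
            listeners.append({"addr": m.group("addr"),
                              "port": int(m.group("port")),
                              "proc": m.group("proc")})
    return listeners


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "[::1]"


def unexpected_listeners(listeners: List[Dict],
                         allowed: Set[int] = ALLOWED_PORTS) -> List[Dict]:
    """Network-reachable services outside the allowlist. Each is either an
    unnecessary service to turn off, or needs an explicit, documented
    exception such as administrative SSH reachable only from a management
    network. Loopback-only listeners (here the database) are not reported."""
    return [l for l in listeners
            if not is_loopback(l["addr"]) and l["port"] not in allowed]


def parse_processes(ps_output: str) -> List[Dict]:
    procs = []
    for line in ps_output.splitlines()[1:]:    # skip the header line
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs.append({"user": parts[0], "pid": int(parts[1]), "comm": parts[2]})
    return procs


def web_servers_only_root(procs: List[Dict],
                          names: Set[str] = WEB_SERVER_NAMES) -> List[str]:
    """Web servers that have no unprivileged process at all. A master process
    that binds ports 80 and 443 may legitimately run as root, but the
    processes that actually handle requests must run as a dedicated user."""
    users_by_server: Dict[str, Set[str]] = {}
    for p in procs:
        if p["comm"] in names:
            users_by_server.setdefault(p["comm"], set()).add(p["user"])
    return sorted(s for s, users in users_by_server.items() if users == {"root"})


if __name__ == "__main__":
    for l in unexpected_listeners(parse_listeners(SAMPLE_SS)):
        print(f"unexpected listener: {l['proc']} on {l['addr']}:{l['port']}")
    for s in web_servers_only_root(parse_processes(SAMPLE_PS)):
        print(f"web server running only as root: {s}")
```

On the sample the report names vsftpd on port 21 and sshd on port 22; nginx passes because its worker processes run as www-data. The port check complements the firewall rule rather than replacing it: the firewall limits what the Internet can reach, this check limits what the host offers in the first place.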

Implement Application Security The security of the e-commerce application as a whole is the most important part of e-commerce security. Security requirements should be included in the requirements definition phase of the project, alongside the functional requirements. They cover protection of information, authentication of users, audit, availability, and the identification of which information is sensitive.

Implement Application Security All sensitive information needs to be protected. Programs are a major source of system vulnerabilities because of programming errors. Buffer overflows are reduced by never assuming a size for user input, and command injection is avoided by never passing unchecked user input to shell commands. Peer review or code review catches many programming errors before the server goes into production.
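The following added example (not code from the lesson) shows the two forms side by side for a hypothetical order-export function: the weak form pastes the customer-supplied order ID into a shell command string, the hardened form bounds the input size first, rejects anything outside the expected character set, and runs the command as an argument list so no shell interprets the input. The order ID format, the `zip` command and the paths are assumptions for the example.

```python
import re
import subprocess
from pathlib import Path
from typing import List

# Assumptions for this example: order IDs are 6 to 12 upper-case letters or
# digits, and exports are produced by an external `zip` command.
ORDER_ID_RE = re.compile(r"[A-Z0-9]{6,12}")
MAX_ORDER_ID_LEN = 12
EXPORT_DIR = Path("/var/exports")   # hypothetical
ORDER_DIR = Path("/var/orders")     # hypothetical


def vulnerable_export_command(order_id: str) -> str:
    """The weak form, shown for contrast only and never executed here: the ID
    becomes part of a shell command line, so 'A1; rm -rf /' runs a second
    command and '$(id)' runs a subshell."""
    return f"zip {EXPORT_DIR}/{order_id}.zip {ORDER_DIR}/{order_id}.pdf"


def validate_order_id(order_id: str) -> str:
    """Bound the size before anything else, then check the character set.
    Reject bad input rather than trying to clean it."""
    if not isinstance(order_id, str) or len(order_id) > MAX_ORDER_ID_LEN:
        raise ValueError("order id missing or too long")
    if not ORDER_ID_RE.fullmatch(order_id):
        raise ValueError("order id contains unexpected characters")
    return order_id


def is_acceptable_order_id(order_id: str) -> bool:
    try:
        validate_order_id(order_id)
        return True
    except ValueError:
        return False


def safe_export_argv(order_id: str) -> List[str]:
    """Hardened form: validated ID, and the command is a list of arguments.
    Shell metacharacters in the ID can no longer reach a shell, and the
    character set rules out path traversal such as '../' as well."""
    oid = validate_order_id(order_id)
    return ["zip", str(EXPORT_DIR / f"{oid}.zip"), str(ORDER_DIR / f"{oid}.pdf")]


def run_export(order_id: str) -> subprocess.CompletedProcess:
    # shell=False (the default) hands the list straight to the program;
    # check=True raises if zip fails instead of silently continuing.
    return subprocess.run(safe_export_argv(order_id), shell=False,
                          check=True, capture_output=True)


if __name__ == "__main__":
    evil = "A1; rm -rf /"
    print(vulnerable_export_command(evil))   # the injected command is in the string
    print(is_acceptable_order_id(evil))      # False
    print(safe_export_argv("ORD123456"))
```

The same two rules apply to any other interpreter the application hands input to (a database, an LDAP directory, a file system path): validate against what the input is supposed to look like, and pass it as data rather than as part of a command string.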

Implement Application Security Vulnerability scanners can detect many buffer overflow problems and should be run before the site goes into production. Configuration management has two parts: control of authorized changes and identification of unauthorized changes. Unauthorized changes are identified by comparing the checksums of files on the server against the checksums recorded for the approved state; to prevent false alarms, the recorded checksums must be updated as part of the authorized change procedure.
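As an added example (not the lesson's own tooling), the script below implements the checksum side of configuration management: it records a SHA-256 baseline of every file under the web root, reports modified, added and removed files on later scans, and updates the baseline only for files that went through the authorized change procedure, so those stop alarming while everything else keeps being reported. The web root contents in `demo()` are constructed in a temporary directory for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Relative path -> digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: Dict[str, str], baseline_file: Path) -> None:
    # Keep the baseline off the server it describes, or on read-only media:
    # an intruder who can change content could otherwise change the checksums.
    baseline_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> Dict[str, str]:
    return json.loads(baseline_file.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Identify unauthorized changes: anything that differs from the approved state."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def record_authorized_change(baseline: Dict[str, str], root: Path,
                             approved: Iterable[str]) -> Dict[str, str]:
    """Update the baseline only for files changed under change control.
    Files not on the approved list keep their old checksum and still alert."""
    current = snapshot(root)
    updated = dict(baseline)
    for rel in approved:
        if rel in current:
            updated[rel] = current[rel]
        else:
            updated.pop(rel, None)   # an approved removal
    return updated


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed web root: an approved update to index.html and an
    unapproved new CGI script appear at the same time."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "cgi-bin").mkdir()
    (root / "index.html").write_text("<h1>Shop</h1>")
    (root / "cgi-bin" / "order.cgi").write_text("#!/bin/sh\n")

    baseline_file = Path(tempfile.mkdtemp(prefix="baseline-")) / "baseline.json"
    save_baseline(snapshot(root), baseline_file)
    baseline = load_baseline(baseline_file)

    (root / "index.html").write_text("<h1>Shop v2</h1>")        # authorized change
    (root / "cgi-bin" / "shell.cgi").write_text("#!/bin/sh\n")  # not authorized

    before = compare(baseline, snapshot(root))
    baseline = record_authorized_change(baseline, root, ["index.html"])
    save_baseline(baseline, baseline_file)
    after = compare(baseline, snapshot(root))
    return {"before_update": before, "after_update": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Before the baseline update both index.html and cgi-bin/shell.cgi are reported; after the update only the unapproved script remains, which is exactly the alarm that should survive.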

Implement Database Server Security The database server may contain sensitive and confidential information that must be protected. Organizations must examine where the database is located, how the e-commerce server communicates with it, and how it is protected from internal access. Database servers must be kept in controlled areas. For processing transactions, it is the e-commerce server that initiates the SQL connection to the database server, never the other way round.

Implement Database Server Security The e-commerce server must have an ID and password to initiate an SQL connection to the database server; this credential must be protected on the e-commerce server, and the account it names should be limited to the operations the application needs. Employees of the organization have access to the internal network and are therefore able to attack the database server directly. The database server can be moved to a separate network segment and protected by an internal firewall.

Develop an E-Commerce Architecture A high-traffic, high-availability e-commerce site requires two ISPs with fail-over between them. Routers, switches, and firewalls should be cross-connected so that the failure of any one component does not interrupt traffic, and redundant switches are used to keep the site available. Regular vulnerability scans and database auditing must be conducted once the site is running.

Summary E-commerce service providers can increase revenue by providing information to customers at a lower cost. Security with respect to confidentiality, integrity, and accountability plays a major role in e-commerce. Availability is a key issue for e-commerce. Client-side security protects information in transit, information stored on customer’s computer, and prevents repudiation.

Summary Server-side security involves protection of information stored on the server and protection of the server itself. Security of the e-commerce application as a whole is probably the most important part of e-commerce security. Confidential and sensitive information present in the database server must be protected.