Download presentation
Presentation is loading. Please wait.
1
Module 4 E-COMMERCE SECURITY
2
What is E-Commerce Security?
E-Commerce Security refers to the protection of e-commerce assets and resources from unauthorized access, use, alteration, or destruction.
3
Definition of E-Commerce Security
E-Commerce security has been defined as “the technical tools backed by laws, regulations and administrative process designed to preserve the integrity and availability of digital information, assets process and transactions in e-commerce”\
4
Type of E-Commerce Security
1.Physical Security It includes tangible protection devices such as alarms, guards, fireproof doors, security fences, and bomb proof buildings etc. 2.Logical Security Protection of assets using non-physical means called logical security. It consists of software safeguards for an organization's systems, including user identification and password access, authenticating, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation.
5
Security Policy A security policy is a written statement describing which assets to protect and why they are being protected, who is responsible for that protection, and which behaviours are acceptable and which are not. The policy primarily addresses physical security , network security access authorization virus protection and disaster recovery.
6
Steps in creating a Security Policy
Determine which assets must be protected fro which threats Determine who should have access to various parts of the system or specific information Identify resources available or needed to protect assets Develop a security policy based on the information gathered in the first three steps Following the written policy, develop or buy software, hardware, and physical barriers to implement the security policy.
7
Security Threats Any act or object that poses a danger to computer assets is known as a threat. Management must be aware of the various kinds of threats facing the organization. There are several type of threats Attempt to access a website and modify or destroy its contents Attempt to access a website and read confidential information such as credit card numbers and other confidential data Send malicious programs such as Viruses, Worms and Trojans to a web server by a browser
8
Passive Threats Active Threats
The potential Network security threats can be classified into two Passive Threats Active Threats The monitoring and recording of data while the data are being transmitted over a communication facility by an unauthorized user is passive threats Two types of passive threats are Release of message contents Traffic analysis
9
Active threat involves the alteration of digital data
Active Threats Active threat involves the alteration of digital data or generation of spurious data, by an attacker. These involve some modification of the data stream or creation of a false stream. Active threats may fall in three categories Message stream modification Denial of message service Masquerade
10
Classification of Security Threat or attacks
1.Tricking the Shopper/ Social Engineering Techniques These attack involve surveillance of the Shoppers's behaviour and gathering information to use against the shopper. E.g. the attacker may contact the shopper pretending to be a representative from a site visited and extract information. Phishing is a common method of tricking Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication
11
Spoofing It is the creation of messages with a forged sender address. It is easy to do because the core protocols do not have any mechanism for authentication. It can be accomplished from within a LAN or from an external environment using Trojan horses. Spam and phishing s typically use such spoofing to mislead the recipient about the origin of the message.
12
2. Snooping the Shopper’s Computer
Millions of computers are added to the Internet every month. Most users' knowledge of security vulnerabilities of their systems is vague at best. Additionally, software and hardware vendors, in their quest to ensure that their products are easy to install, will ship products with security features disabled. In most cases, enabling security features requires a non-technical user to read manuals written for the technologist
13
3. Sniffing the Network In this scheme, the attacker monitors the data between the shopper's computer and the server. He collects data about the shopper or steals personal information, such as credit card numbers. A practical location for sniffing the network is near the shoppers computer or near the server.
14
4. Guessing passwords Another common attack is to guess a user's password. This style of attack is manual or automated. Manual attacks are laborious, and only successful if the attacker knows something about the shopper. For example ,if the shopper uses their child's name as the password. Automated attacks have a higher likelihood of success, because the probability of guessing a user ID/password becomes more significant as the number of tries increases. Tools exist that use all the words in the dictionary to test user ID/password combinations, or that attack popular user ID/password combinations. The attacker can automate to go against multiple sites at one time.
15
5. Denial-of-Service attack (DOS)
In computing, a Denial Of Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A Distributed Denial of Service(DDoS) is where the attack source is more than one–and often thousands– of unique IP addresses. Criminal perpetrators of DoS attacks often target sites or services hosted on high- profile web servers such as banks, credit card payment gateways; but motives of revenge, blackmail or activism can be behind other attacks
16
6. Using Known Server Bugs
Under this method the attacker analysis the site to find what types of software are used on the site he then proceeds to find what patches were issued for the software. Additionally, he searches on how to exploit a system without the patch. He proceeds to try each of the exploits. The sophisticated attacker finds a weakness in a similar type of software, and tries to use that to exploit the system. This is a simple but effective attack.
17
7. Using Server Root Exploits
Root exploits refer to techniques that gain super user access to the server. This is the most coveted type of exploit because the possibilities are limitless. When you attack a shopper or his computer , you can only affect one individual. With a root exploit, you gain control of the merchant’s and all the shopper’s information on the site.
18
8. Eavesdropping An eavesdropper is a person or device who listens to the internet transmissions and copies it. Eavesdropping or snarfing is done when a host sets its network interface on immoral mode and copies packets that pass by for later analysis. It is possible to attach hardware and software, unknown to legitimate users and monitor and analyze all packets on that segment of the transmission media.
19
SECURITY REQUIREMENTS (FEATURES)
Privacy Authentication Authorization Integrity Non-Repudiation Availability
20
SECURITY MEASURES 1. Passwords A password is a word or string of characters used for user authentication to prove identity or access approval to gain access to a resource (example: an access code is a type of password), which should be kept secret from those not allowed access.
21
2. Virus Protection Virus protection software is designed to prevent viruses, worms and Trojan horses from getting onto a computer as well as remove any malicious software code that has already infected a computer. Most virus protection utilities now bundle anti-spyware and anti-malware capabilities to go along with anti-virus protection A computer virus has been defined as “ a piece of code which is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data”
22
Types of Computer Viruses
There are different types of viruses which can be classified according to their origin , techniques, types of files they infect, where they hide, the kind of damage they cause, etc 1.Memory Resident Virus They usually fix themselves inside the computer memory. They get activated every time the OS runs and end up infecting other opened files. They hide in RAM. E.g. CMJ, meve, randex, MrKlunky 2. Direct Action Virus These viruses mainly replicate or take action once they are executed. When a certain condition is met, the viruses will act by infecting the files in the directory or the folder specified in the AUTOEXEC.BAT. The viruses are generally found in the hard disk’s root directory, but they keep on changing location E.g. Vienna virus
23
3. Overwrite Virus These types of viruses delete any information in a file they infect, leaving them partially or completely useless once they are infected. Once in the computer, they replaces all the file content but the file size doesn’t change. E.g. Trj.Reboot, way, trivial.88.D 4. Boot-sector virus Boot-sector viruses infect computer systems by copying code either to the boot sector on a floppy disk or the partition table on a hard disk. During startup, the virus is loaded into memory. Once in memory, the virus will infect any non-infected disks accessed by the system. E.g. Polyboot.B, AntiEXE
24
5. Macro Virus These viruses infect the files created using some applications or programs that contain macros such as doc, pps, xls and mdb. They automatically infect the files with macros and also templates and documents that are contained in the file. They hide in documents shared through and networks. E.g. Relax, bablas, Melissa.A, 097M/Y2K 6. Directory Virus Also known as cluster virus or file system virus. They infect the computer’s directory by changing the path indicating file location. They are usually located in the disk but affect the entire directory. E.g. dir-2 virus
25
7. Macro Virus These viruses are more difficult to detect by scanning because each copy of the virus looks different than the other copies. Basically, polymorphic code mutates while keeping the original algorithm intact. Code encryption is a common method of achieving polymorphism E.g. Elkern, Marburg, Satan Bug , Tuareg 8. Companion Virus These types of viruses infect files just like the direct action and the resident types. Once inside the computer, they ‘accompany’ other existing files. E.g. Asimov.1539, stator and terrax.1069
26
9. File Infector Virus Virus that infects other files on a system or network. File infector viruses are the 'classic' form of virus, those to which the term is most commonly and, along with boot sector viruses, most appropriately applied 10. FAT Virus These lardy viruses attack the file allocation table (FAT) which is the disc part used to store every information about the available space, location of files, unusable space etc. E.g. The link virus
27
11. Logic Bombs Software that is inherently malicious, such as viruses and worms, often contain logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed.
28
Worms A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. E.g .lovgate.F, sobig.D, trile.C, PSWBugbear.B, Mapson
29
Trojan Horse A Trojan horse, or Trojan, in computing is any malicious computer program which misrepresents itself as useful, routine, or interesting in order to persuade a victim to install it. The term is derived from the Ancient Greek story of the wooden horse. Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an attachment disguised to be unsuspicious, (e.g., a routine form to be filled in), or by drive-by download. Although their payload can be anything, many moderns forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer. While Trojans and backdoors are not easily detectable by themselves, computers may appear to run slower due to heavy processor or network usage.
31
Adware Adware, or advertising-supported software, is any software package that automatically renders advertisements in order to generate revenue for its author. The advertisements may be in the user interface of the software or on a screen presented to the user during the installation process. The functions may be designed to analyze which Internet sites the user visits and to present advertising pertinent to the types of goods or services featured there. The term is sometimes used to refer to software that displays unwanted advertisements.
33
Spyware Spyware is a software that aims to gather information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge.
34
Scareware Scareware is a type of malware designed to trick victims into purchasing and downloading useless and potentially dangerous software. Scareware, which generates pop-ups that resemble Windows system messages, usually purports to be antivirus or antispyware software, a firewall application or a registry cleaner.
35
Antivirus Antivirus or anti-virus software (often abbreviated as AV), sometimes known as anti-malware software, is computer software used to prevent, detect and remove malicious software. Antivirus software was originally developed to detect and remove computer viruses, hence the name. However, with the proliferation of other kinds of malware, antivirus software started to provide protection from other computer threats. In particular, modern antivirus software can protect from: malicious Browser Helper Objects (BHOs), browser hijackers, ransomware, key loggers, backdoors, rootkits, Trojan horses, worms, malicious LSPs, dialers, fraud tools, adware and spyware
37
Functions of Antivirus Programs
Ensures Security Prevents Online Threats Protect Critical Data Scanning Alerts Facilitates Timely Updates
38
III. FIREWALLS Firewall is a software or hardware-software combination that is installed in a network to control the packet traffic moving through it. Firewall provides a first line of defense for the resource in an e-commerce system. It defends against unauthorized access to system over internet. Definition “a software or hardware –software combination that filters communication packets and prevents some malicious packets from entering the network , based on a security policy”
39
Firewall s operate on the following principles
All the traffic from inside to outside and from outside to inside the network must pass through it. Only authorized traffic , as defined by the local security policy is allowed to pass through it The firewall itself is immune to penetration
40
The networks inside the firewall are often called Trusted, whereas networks outside the firewall are called Untrusted.
41
Types Of firewalls 1.Packet Filter Packet filter firewall examine all data flowing back and forth between the trusted network and the internet. Packet filtering examines the source and destination addresses and ports of incoming packets and either denies or permits entrance to the packets based on a preprogrammed set of rules.
42
Types Of firewalls 2. Gateway Server Gateway servers are firewalls that filter traffic based on the application requested. Gateway servers can limit access to specific applications such as Telnet, FTP and HTTP. In contrast to a packet filter firewall, an application level firewall filters requests and logs them at the application level, rather than at the lower IP level. A gateway firewall provides a central point, where all requests can be classified, logged and later analyzed An example is a gateway level policy that permits incoming FTP requests, but blocks outgoing FTP requests. This policy will prevent the employees inside a firewall from downloading potentially dangerous programs from outside.
43
Types Of firewalls 3. Proxy Server Proxy server firewalls are firewalls that communicate with the internet on behalf of the private network. When a client browser is configured to use a proxy server firewall, the firewall passes the browser request to the internet. When the internet sends back response, the proxy server relays it back to the client browser.
44
Advantages or functions of Firewalls
The basic function of firewall is to analyze any incoming files from the internet or other computers before accepting the files to download Block viruses or other malicious files before they reach your computer Firewall prevent malicious programs from accessing and damaging your computer system Block unsolicited communication between your computer and other computers outside the organization Protect your computers from hackers. Control outbound connections from your computer to prevent connection to unauthorized outside nodes Track and record inbound and outbound connection
45
Limitations of Firewalls
Firewalls may potentially interfere with the operation of some programs that access internet. It may block some communication required for running a program Firewall software can help block viruses and malware, but it cannot remove viruses and other malware that has been loaded onto your computer. Firewalls can control the traffic between the computer and the internet , but they are incapable to recognize any attack against the computer fro within.
46
IV. ENCRYPTION It is the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver. It is the coding of information by using a mathematically based program and a secret key to produce a string of characters that is unintelligible. The type of key and the associated encryption program used to encrypt a message can be divided into three 1. Hash Coding Hash coding is the process that uses a hash algorithm to calculate a number, called hash value, from a message of any length. Hash Coding is a convenient way to tell whether a message has been altered in transit because its original hash value and the hash value computed by the receiver will not match, if a message is altered
47
2. Asymmetric cryptography
Asymmetric cryptography or public-key cryptography is cryptography in which a pair of keys is used to encrypt and decrypt a message so that it arrives securely. Initially, a network user receives a public and private key pair from a certificate authority
48
3. Symmetric Encryption Symmetric Encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. Private Key encryption encodes a message by using a single numeric key to encode and decode data. As the same key is used, both the sender and receiver must kow the key.
49
Encryption Techniques (Algorithms)
The following are the common encryption techniques Or algorithms 1.Caeser Cipher In cryptography, a Caesar cipher, also known as Caesar's cipher, the shift cipher, Caesar's code or Caesar shift, is one of the simplest and most widely known encryption techniques. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet. For example, with a left shift of 3, D would be replaced by A, E would become B, and so on. The method is named after Julius Caesar, who used it in his private correspondence.
51
Encryption Techniques (Algorithms)
2 . Hill Cipher Each letter is first encoded as a number and usually a very simple scheme is used. E.g. A=0, B=1, C=2………… Z=25 3. Letter Pairing Under this method , each letter is paired in a random manner. For example, A=Z, B=Y, C=X and so on. The plain text is substituted with the letter pair.
52
4. Data Encryption Standard (DES)
This encryption method was first proposed by IBM in and standardized in DES is also called a symmetric encryption algorithm as the same key is used for encryption as well as descryption. The algorithm used by DES is designed in such a way that the operations performed for encryption and decryption can be easily performed by hardware circuits
53
5. Triple DES (3 DES) In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. The original DES cipher's key size of 56 bits was generally sufficient when that algorithm was designed, but the availability of increasing computational power made brute-force attacks feasible. Triple DES provides a relatively simple method of increasing the key size of DES to protect against such attacks, without the need to design a completely new block cipher algorithm.
54
6. Advanced Encryption Standard
The Advanced Encryption Standard or AES is a symmetric block cipher used by the U.S. government to protect classified information and is implemented in software and hardware throughout the world to encrypt sensitive data. The origins of AES date back to when the National Institute of Standards and Technology (NIST) announced that it needed a successor to the aging Data Encryption Standard (DES) which was becoming vulnerable to brute-force attacks.
55
Protecting Communication Channels
Protecting e-commerce communication is an important segment of e-commerce security. The messages send by the clients over the internet may not reach the web server and may be accessed by intermediate computing devices. Therefore, encryption has been adopted as a technique to protect the messages communicated over internet. Different Protocols are discussed below Pretty Good Privacy (PGP) PGP is a popular program used to encrypt and decrypt over the internet. It can also be used to send an encrypted digital signature that lets the receiver verify the sender’s identity and know that the message was not changed in transit.
56
Secure Socket Layer (SSL) Protocol
SSL is a protocol that encrypts data between the client browsers (shopper’s Computer) and the web server (e- commerce servers) The purpose of SSL is to ensure secure connections between two computers. This mechanism is widely used by e-commerce merchants to ensure that credit card numbers and other sensitive information sent by the clients are protected during transmission over communication channel. Secure HTTP (SHTTP) Secure Hypertext Transfer Protocol is an extention to HTTP that provides a number of security features, including client and server authentication, spontaneous encryption and non-repudiation.
57
Cookies Cookie is also known as HTTP cookie, web cookie, or browser cookie, is a small piece of data sent from a website and stored in a user’s web browser while a user is browsing a website. It is one or more pieces of information stored as text strings. When the user browses the same website in the future, the data stored In the cookie can be retrieved by the website to notify the website of the user’s previous activity. Types of Cookie 1.Temporary Cookies These are valid only for the lifetime of your current session and are deleted when you close your browser. 2.Permanent Cookies These are stored for a time period , specified by the site, on the shopper’s computer.
58
3. Server Only Cookies These cookies are used only by the server that issued them 4.Third Party Cookies These are usually used for tracking purposes by a site other than the one you are visiting. Digital Signature A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit.
60
The diagram shows you that:
The sender must have a private-public pair. The sender generates a digital signature, shown as the Encrypted Message Digest in the picture, using the private key and a message digest of the original document. The receiver decrypts the digital signature using the sender's public key and compares with the message digest of the received document. The receiver knows that received document has been tampered with by a third party if the message digest does not match the decrypted digital signature.
61
Digital Certificate Digital certificate provide a means of providing the identity on electronic transactions, much like a voters ID or Passport does in face to face interactions. With a Digital Certificate , business organization can assure business associates and online customers that the electronic information they receive are authentic. Digital certificate is an attachment to an electronic message used for security purposes. Digital certificate is issued by a Certificate Authority (CA)
63
The End
Similar presentations
© 2025 SlidePlayer.com Inc.
All rights reserved.