Slide 1: ELC 200 Day 20
© 2007 Prentice-Hall, Inc

Slide 2: End of days? (subject to change)
- Nov 26 & 29: Chap 13, eSecurity and the USA Patriot Act
- Dec 3 & 6: Chap 14, Encryption; Student Course Evaluations; Assignment 8 due
- Dec 10: Chap 15, Getting the Money
- Dec 13: Quiz 4; optional Assignment 9 due
- Dec 18, 10 AM: eCommerce frameworks due; student presentations, 5 mins each

Slide 3: Agenda
- Assignment 6 corrected: 8 A's, 7 B's, 1 D and 2 non-submits
  - Written feedback: writing needs some work (grammar and sentence structure; directed writing for the workplace)
- Assignment 7 corrected: 10 A's, 4 B's, 1 F and 3 non-submits
- Assignment 8 posted, due Dec 3
- Assignment 9? Optional; replaces the lowest assignment grade
- Quiz 3 corrected: 3 scored 100+, 8 A's, 6 B's, 1 C, 2 D's and 1 non-take
- The Lizard story
- eCommerce Initiative Frameworks guidelines, due DEC 10 AM
- Discussion on E-Security and the USA Patriot Act

Slide 4: Assignment 8, Security for Your eBusiness
1. Identify and quantify in monetary terms the critical assets in your company that may be at risk from the dangers listed in Chapter 13 (you should identify at a bare minimum 5 assets).
2. For each of the critical assets at risk, what steps could you take to protect your company from the risks?
3. For each of the steps and possible solutions you identify in question 2, find out how much it would cost to implement the step or solution. Does the cost of fixing the problems make sense in relation to the potential monetary loss of not fixing the security problem?
4. Could you purchase anti-hacker insurance for your company? If so, from where and how much would it cost?
Slide 5: E-Security and the USA Patriot Act
(Chapter title slide.)

Slide 6: The focus of this chapter is on several learning objectives
- What is involved in designing for security
- The many faces of viruses and other contaminants on the Internet
- How to build a secure system and recover from disaster
- How biometrics contributes to security
- The makeup of the USA Patriot Act and its contribution to security via the Internet

Slide 7: Abuse and Failure in E-Commerce
- Fraud, resulting in direct financial loss
- Theft of confidential, proprietary, technological, or marketing information belonging to the firm or to the customer
- Disruption of service, resulting in major losses to the business or inconvenience to the customer
- Loss of customer confidence stemming from illegal intrusions into customer files or company business

Slide 8: Paper-based versus Electronic Commerce Attributes
(Figure only; no text on the slide.)

Slide 9: Conceptualizing Security
- Security addresses risk and protection from the unknown
- Risk is a matter of degree
- The biggest risk in e-commerce is fraudulent credit card usage and the mishandling of personal information
- The first issue in security is identifying the principals

Slide 10: Security Concerns
- Confidentiality
- Authentication
- Integrity
- Auditability
- Access control
- Nonrepudiation
Slide 11: General Security Issues at E-Commerce Sites
(Figure only; no text on the slide.)

Slide 12: Privacy
- The ability to control who may see certain information and on what terms
- Lack of privacy has been more of a problem with the Internet than with any other medium invented to date
- Every time the issue of security surfaces, privacy is involved
- A Web site should post the vendor's privacy policy for the consumer to evaluate

Slide 13: Basic Steps to Protect Your Privacy Online
- Send anonymous e-mail through remailers
- Improve security through your Web browser; deactivate or block cookies
- Use a secondary free e-mail service
- Stay away from filling out any form or questionnaire online
- Consider using privacy software
- Install a firewall program

Slide 14: The Password
- Passwords have been used for decades to protect files from unauthorized use
- Password cracking programs and user carelessness are rendering passwords ineffective
- Alternatives to passwords:
  - Public-key encryption
  - Biometrics
  - Smart cards that can store a password and perform complex encryption on the card
  - Two-factor solutions
  - One-time passwords

Slide 15: Ideas to Improve Security Systems
- Limit the number of times a password can be retried in accessing a sensitive system
- Train employees, customers, and the general public in more advanced methods like biometrics, PKE, and smart cards
- Ensure that systems designers and systems analysts are well versed in security issues and security procedures as part of every future application
- Review and evaluate the strength of the current password schemes used by customers and employees alike
Slide 16: Identity Theft and Phishing
- ID theft has become a societal and governmental concern
- ID theft has gone electronic
- Viruses and worms carrying Trojan horse code are powering massive ID theft rings
- Thieves are using wireless devices to impersonate legitimate Internet access points with the intent to steal credit card numbers and other privileged information

Slide 17: Identity Theft and Phishing (Cont'd)
- Phishing is a relatively recent phenomenon
- Phishing characteristics:
  - Trojan horses are installed on vulnerable machines to gather data
  - "Harvest" user names and passwords to distribute to attackers
  - Users' PCs are compromised without their knowledge
  - Software vulnerabilities force PCs to download code

Slide 18: Basic Guidelines for Protecting Yourself from Identity Theft
- Protect your social security number by supplying it only when absolutely necessary
- Check your credit reports at least once a year
- Check your statements for unexplained charges or unusual withdrawals from your bank accounts
- Be careful whom you talk to on the telephone: telemarketers, ISP employees, or even members of government agencies could all be disguised criminals
- Use shredders to get rid of your statements or receipts
- When using ATMs, never leave your receipts behind

Slide 19: Basic Guidelines for Protecting Yourself from Identity Theft (Cont'd)
- If you carry a laptop around, use "strong" passwords (a combination of upper- and lowercase characters, symbols, numbers, etc.)
- Don't use the last four digits of your social security number, your date of birth, or your mother's maiden name
- Remove your mail from your mailbox promptly, especially while on vacation; thieves could make a habit of following the mail carrier and rifling through your mail
- Place a fraud alert on your credit reports by calling Equifax ( ) or Experian (888-EXPERIAN)
- Check credit reports every year

Slide 20: The Security Assessment Life Cycle
(Figure only; no text on the slide.)
Slide 21: Designing for Security
- The design process begins with a chief security officer
- Five major steps:
  - Assessing the security needs of the firm
  - Establishing a good policy
  - Fulfilling Web security needs
  - Structuring the security environment
  - Monitoring the system

Slide 22: Designing the Security Environment
- The design begins with the sequence and parameters in the security network, based on the security policy and requirements of the e-commerce system
- How much security depends on how much risk the company is willing to take, the security policy it is willing to adopt, and the present state of security practices
- A security perimeter generally includes firewalls, authentication, virtual private networks (VPNs), and intrusion detection devices
- The first line of defense is the firewall
- Another technology protecting the perimeter is authentication

Slide 23: Security in the Middle Ages
(Figure only; no text on the slide.)

Slide 24: The Security System Design Process
(Figure only; no text on the slide.)

Slide 25: Monitoring the Security System
- Separation of responsibilities
- The security system must be monitored via feedback mechanisms to ensure that the entire system is working properly
- Monitoring:
  - Capture processing details for evidence
  - Verify that e-commerce is operating within the security policy
  - Verify that attacks have been unsuccessful

Slide 26: How Much Risk Can You Afford?
- How secure are we?
- How much will it cost to secure our system?
- Estimate the pain threshold your company and the attacker are willing to tolerate
- The goal of security strategies, methods, and procedures is to raise the threshold of pain an attacker must endure to access and cause damage to a system
- What is the level of protection required against the risks the merchant is willing to assume?

Slide 27: Kinds of Threats or Crimes
- Those that are physically related
- Those that are order related
- Those that are electronically related
- A sniffer is a person or a program that uses the Internet to record information that transmits through a router from its source to its destination
Slide 28: Snoop and Sniff
(Figure only; no text on the slide.)

Slide 29: Client/Server Security Threats
- Client attacks:
  - Sheer nuisance
  - Deliberate corruption of files
  - Rifling stored information
  - Physical attacks
  - Viruses
  - Computer-to-computer attacks
- Server security threats:
  - Denial of service (DOS) is an attack by a third party that prevents authorized users from accessing the infrastructure
  - Distributed denial of service attacks

Slide 30: Hacker Strategies
- Social engineering
- Shoulder surfing
- Dumpster diving
- Whacking (wireless hacking)

Slide 31: Hacker Prevention
- Perform an online security checkup or install a firewall on your computer workstation
- Intrusion detection is sensing when a system is being used without authorization
- Hire a hacker who works at foiling the efforts of the troublemakers while not hacking
- Conduct cyber-forensic investigations and hire cyber-investigators to set up alarms and traps to watch and catch intruders and criminals within the networks

Slide 32: The Players: Hackers, Crackers, and Other Attackers
- The original hackers created the Unix operating system and helped build the Internet, Usenet, and World Wide Web, and used their skills to test the strength and integrity of computer systems
- Over time, the term hacker came to be applied to rogue programmers who illegally break into computers and networks
- Hacker underground

Slide 33: The Players: Hackers, Crackers, and Other Attackers (cont.)
- Uber Haxor / Wizard / Internet Hackers: highly capable attackers, responsible for writing most of the attacker tools
- Crackers: people who engage in unlawful or damaging hacking; short for "criminal hackers"
- Other attackers: "Script kiddies" are ego-driven, unskilled crackers who use information and software (scripts) that they download from the Internet to inflict damage on targeted sites; scorned by both the law enforcement and hacker communities

Slide 34: Script Kiddies
script kiddies: pl.n. 1. [very common] The lowest form of cracker; script kiddies do mischief with scripts and rootkits written by others, often without understanding the exploit they are using. Used of people with limited technical expertise using easy-to-operate, pre-configured, and/or automated tools to conduct disruptive activities against networked systems. Since most of these tools are fairly well known by the security community, the adverse impact of such actions is usually minimal. 2. People who cannot program, but who create tacky HTML pages by copying JavaScript routines from other tacky HTML pages. More generally, a script kiddie writes (or more likely cuts and pastes) code without either having or desiring to have a mental model of what the code does; someone who thinks of code as magical incantations and asks only "what do I need to type to make this happen?"
Source:
More info:

Slide 35: How Hackers Hack: Many Techniques
- Social engineering: get someone to give you their password
- Cracking: guessing passwords
  - A six-letter password (no caps) has more than 300 million possibilities
  - Merriam-Webster's citation files, which were begun in the 1880s, now contain 15.7 million examples of words used in context and cover all aspects of the English vocabulary
- Buffer overflows: getting code to run on other PCs; load a Trojan or backdoor
- Snoop and sniff: steal data
- Denial of service (DOS): crash or cripple a computer from another computer
- Distributed denial of service (DDOS): crash or cripple a computer from multiple distributed computers
Slide 36: The National Strategy to Secure Cyberspace
- Create a cyberspace security response system
- Establish a threat and vulnerability reduction program
- Improve security training and awareness
- Secure the government's own systems
- Work internationally to solve security issues
(U.S. Department of Homeland Security)

Slide 37: Cyber Warfare Taught at US Military Academies
- bh-fed-03-dodge.pdf
- iwar_wise.pdf

Slide 38: The Virus: Computer Enemy Number One
- The most serious attack on a client computer or a server in an Internet environment is the virus
- A virus is malicious code that replicates itself and can be used to disrupt the information infrastructure
- Viruses commonly compromise system integrity, circumvent security capabilities, and cause adverse operation by taking advantage of the information system of the network

Slide 39: Types of Viruses
- File virus: attacks executable files
- Boot virus: attacks the boot sectors of the hard drive and diskettes
- Macro virus: exploits the macro commands in software applications such as Microsoft Word

Slide 40: Getting Rid of Viruses
- Get good virus protection software
  - Free (not recommended): Anti-Vir, Avast, AVG
  - Not free: Norton AntiVirus, McAfee (free for UMFK students and staff)
- Update definition files often

Slide 41: Spyware and Adware
- Spyware is software the user unknowingly installs through an attachment or by downloading an infected file; it can be used for illicit reasons
- Adware is software that sneaks onto a user's hard disk, installed by Internet advertising companies to promote pop-up ads and release information to advertisers on the outside

Slide 42: Spyware Solutions
- Enforce strict user Web policies on surfing and downloading activities
- Install a desktop firewall on every laptop and desktop
- Do not give users administrator privileges
- Configure an e-mail gateway to block all executable attachments
- Ensure desktop antivirus software signatures are up to date

Slide 43: Spyware Solutions (Cont'd)
- Use commercial antispyware software to detect and remove existing spyware programs (Keeping Your PC Spyware Free.pdf)
- Enforce the use of higher security settings in Internet browsers to prevent sites that cause spyware infection
- Use pop-up blockers; pop-ups lead to Web sites of low trustworthiness
- Educate your employees and staff about spyware threats by creating active outreach with groups and organizations, including the Consortium of Anti-Spyware Technology (COAST)

Slide 44: Compliance Legislation
- The Gramm-Leach-Bliley Act
- The VISA USA Cardholder Information Security Program
- The Sarbanes-Oxley Act
- The Basel II Capital Accords
Slide 45: Levels of Virus Damage
(Figure only; no text on the slide.)

Slide 46: Steps for Antivirus Strategy
- Establish a set of simple enforceable rules for others to follow
- Educate and train users on how to check for viruses on a disk
- Inform users of the existing and potential threats to the company's systems and the sensitivity of information they contain
- Periodically update the latest antivirus software

Slide 47: Steps to Prevent E-Commerce Fraud
- Be aware of corporate critical assets and who might be after the assets
- Investigate common attacks and electronic-fraud schemes that could be used against the company's critical assets
- Install strong encryption such as public key infrastructure (PKI)
- Develop a program for evidence collection (called forensics) via committed investigators

Slide 48: Steps to Prevent E-Commerce Fraud (Cont'd)
- Ensure maintenance of strong and reliable transaction, network, and Internet service provider logs
- Conduct penetration testing to judge the integrity of existing security
- Investigate the availability of cyber-fraud insurance to provide coverage for potential losses

Slide 49: Security Protection and Recovery
- Install proper firewall(s) to protect data
- Ensure that your network is configured properly
- Protect your most sensitive data through encryption
- Maintain and update all antivirus programs on your PC or terminal
- Restrict access to your files by "need to know"
- Assign unique IDs to authorized personnel and track all IDs on a daily basis
- Ensure that your system administrator has contemporary security skills
- Enforce and update the company information security policy and inform employees of any changes in policy

Slide 50: Creating a Strong Password
- Include at least one capital letter and one lowercase letter in the password
- Mix numbers with letters
- Short passwords won't do anymore
- Stay away from passwords that are anywhere near your birthday, your last name, your spouse's name, too obvious a name, too well-known a name, or too common a name
- No dictionary names: hackers have dictionaries
- Change your password often
- Disable an employee's password the moment that person leaves
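A checker for the password rules on this slide, added here as an example; it is not code from the textbook or the course. The 12-character minimum, the tiny word list and the personal profile are constructed assumptions, and the keyspace arithmetic reuses the "six-letter password, no caps, > 300 million" figure from the How Hackers Hack slide.

```python
import re
from datetime import date

# Constructed stand-in for a cracker's word list; real lists hold millions of
# entries (the slide cites 15.7 million Merriam-Webster citations).
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey"}

# Constructed sample of the personal data the slide says a password must avoid.
SAMPLE_PROFILE = {"birthday": date(1980, 5, 14), "last_name": "Smith",
                  "spouse": "Pat", "ssn_last4": "1234"}


def keyspace(length: int, alphabet_size: int) -> int:
    """Candidate passwords of exactly `length` over an alphabet of that size.
    keyspace(6, 26) is the slide's '> 300 million' for six lowercase letters."""
    return alphabet_size ** length


def crack_time_seconds(pw: str, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust the keyspace implied by pw's character classes."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"\d", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33  # printable ASCII punctuation
    return keyspace(len(pw), alphabet) / guesses_per_second


def check_password(pw: str, personal: dict) -> list:
    """Return the slide's rules that pw violates; an empty list means it passes."""
    problems = []
    lowered = pw.lower()
    if len(pw) < 12:  # "short passwords won't do anymore"; 12 is this example's choice
        problems.append("too short (min 12)")
    if not re.search(r"[A-Z]", pw) or not re.search(r"[a-z]", pw):
        problems.append("needs both upper- and lowercase letters")
    if not re.search(r"\d", pw):
        problems.append("needs at least one digit")
    # Dictionary check on the letters only, so 'Dragon2024!' is still caught.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in DICTIONARY or any(w in lowered for w in DICTIONARY if len(w) >= 5):
        problems.append("contains a dictionary word")
    bday = personal.get("birthday")
    if bday:
        forms = ("%m%d", "%d%m", "%Y", "%m%d%y", "%m%d%Y")
        if any(bday.strftime(f) in pw for f in forms):
            problems.append("contains birthday")
    for key in ("last_name", "spouse"):
        name = personal.get(key)
        if name and name.lower() in lowered:
            problems.append(f"contains personal name {name!r}")
    ssn4 = personal.get("ssn_last4")
    if ssn4 and ssn4 in pw:
        problems.append("contains SSN last four digits")
    return problems


if __name__ == "__main__":
    for candidate in ("dragon", "Smith1980xyzA!", "Tq7#vLp2mXr9!"):
        print(candidate, check_password(candidate, SAMPLE_PROFILE) or "OK",
              f"{crack_time_seconds(candidate, 1e9):.3g}s at 1e9 guesses/s")
```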
Slide 51: Firewalls and Security
- Firewalls can be used to protect a corporation's network in a number of ways:
  - Protect against unauthenticated log-ins
  - Block all unsecured access to the internal network
  - Separate groups within an organization
- Firewalls ensure:
  - Data integrity
  - Authentication
  - Confidentiality

Slide 52: Firewall Design and Implementation Issues
- Policy: the level of monitoring and control the organization wants
- Financial and administrative: whether the company wants internal firewalls installed
- Security policy
- Deny policy
- Filtering ability
- Scalability
- Authentication
- Recognizing dangerous services
- Effective audit logs

Slide 53: Corporate Networks and Firewalls
(Figure only; no text on the slide.)

Slide 54: Cycle of Recovery from Attack
- Attack detection and vulnerability assessment
- Damage assessment <-> evidence collection
- Correction and recovery
- Vigilance and corrective feedback

Slide 55: Biometric Security
- Biometrics is the science and technology of quantifying and statistically scrutinizing biological data
- Biometrics enhance authentication
- Biometric devices ensure that the person who encrypts data is the only one who can decrypt and has access to the data
- Applying biometric technology on a smart card would also increase the level of confidence in the security
- When considering biometric technologies for future use, management needs to implement a cost-effective system appropriate for its particular circumstances

Slide 56: Types of Biometrics and Select Application Areas
(Figure only; no text on the slide.)

Slide 57: Types of Biometrics and Select Application Areas (Cont'd)
(Figure only; no text on the slide.)
Slide 58: Implications for Management
- The Internet is becoming an increasingly filtered channel of communication
- Information security continues to be deemphasized or ignored by management at all levels of the organization
- Changes in the identification of threats, the growing advancement of technologies, and the identification of new threats continue to shift the organizational security focus
- Any serious profile should begin with a valid security policy, which is then translated into an effective security plan with a focus on prevention, detection, and correction of threats

Slide 59: Chapter Summary
- Electronic commerce involves digital signatures, electronic payment systems, no face-to-face interaction, difficult-to-detect modifications, and negotiable documents requiring special security protocols
- There have been several recent emphases on information security
- Designing for e-security
- Web merchants must consider three kinds of threats: those that are physically related, those that are order related, and those that are electronically related
- No network is completely immune from viruses

Slide 60: Chapter Summary (Cont'd)
- To install an antivirus strategy, you need to establish enforceable rules, educate users in how to check for viruses, and periodically update the latest antivirus software
- A firewall is a software system that detects intruders, blocks intruders from entry, and keeps track of what an intruder does and where they originated
- Hackers, spammers, spyware, phishing, and identity theft have already infected the Internet, and are on the verge of bringing it to a virtual halt
- Spyware and identity theft are beginning to get the attention of government regulators

Slide 61: Chapter Summary (Cont'd)
- Guidelines have been publicized in various technical magazines and newspapers about how users can protect themselves from identity theft
- When it comes to the use of the Internet for illicit acts, money laundering is a major activity that continues to get worse