Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2015 Springer Education 1 Lecture 6 ReF: chapter 10 E -C OMMERCE S ECURITY AND F RAUD I SSUES AND P ROTECTIONS.

Published byEmil Curtis Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © 2015 Springer Education 1 Lecture 6 ReF: chapter 10 E -C OMMERCE S ECURITY AND F RAUD I SSUES AND P ROTECTIONS."— Presentation transcript:

1 Copyright © 2015 Springer Education 1 Lecture 6 ReF: chapter 10 E -C OMMERCE S ECURITY AND F RAUD I SSUES AND P ROTECTIONS

2 L EARNING O BJECTIVES 1. Understand the importance and scope of security of information systems for EC. 2. Understand about the major EC security threats, vulnerabilities, and technical attacks. 3. Understand Internet fraud, phishing, and spam. 4. Describe the information assurance security principles. 5. Describe the major technologies for protection of EC networks. 6. Describe various types of controls and special defense mechanisms. 7. Discuss enterprise wide implementation issues for EC security. 8. Understand why it is so difficult to stop computer crimes. 4-2 Copyright © 2015 Springer Education

3 10.1 THE INFORMATION SECURITY PROBLEM Copyright © 2015 Springer Education 3

4 10.1 THE INFORMATION SECURITY PROBLEM Information security: A variety of activities and methods that protect information systems, data, and procedures from any action designed to destroy, modify, or degrade the systems and their operations. Computer security: The protection of data, networks, computer programs, computer power, and other elements of computerized information systems.  Computer security aims to prevent, or at least minimize, the attacks. 4-4 Copyright © 2015 Springer Education

5 10.1 THE INFORMATION SECURITY PROBLEM Types of Attacks: 1. Corporate Espionage: Many attacks target energy-related companies because their inside information is valuable. 2. Political Espionage and Warfare: Political espionage and cyberwars are increasing in magnitude. Sometimes, these are related to corporate espionage. 4-5 Copyright © 2015 Springer Education

6 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE Copyright © 2015 Springer Education 6

7 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE The EC Security Battleground: The essence of EC security can be viewed as a battleground between attackers and defenders and the defenders’ security requirements. Components of Battleground: 1. The attacks, the attackers, and their strategies. 2. The assets that are being attacked (the targets) in vulnerable areas. 3. The security defense, the defenders, and their methods and strategy. 4-7 Copyright © 2015 Springer Education

8 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE 4-8 Copyright © 2015 Springer Education

9 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE 4-9 Copyright © 2015 Springer Education Unintentional Threats Categories: 1. Human errors: They can occur in the design of the hardware, software, or information systems. It can also occur in programming, testing and data collection. 2. Environmental Hazards: Include natural disasters and other environmental conditions outside of human control; sand storms, floods and fires. 3. Malfunctions in the Computer System: Defects can be the result of poor manufacturing, defective materials, memory leaks, and outdated or poorly maintained networks.

10 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE 4-10 Copyright © 2015 Springer Education EC Security Requirements: The following set of security requirements are used to assure success and to minimize EC transaction risks: 1. Authentication: A process used to verify (assure) the real identity of an EC entity, which could be an individual, software agent, computer program, or EC website. 2. Authorization: The provision of permission to an authenticated person to access systems and perform certain operations in those specific systems.

11 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE 4-11 Copyright © 2015 Springer Education EC Security Requirements : 3. Auditing When a person or program accesses a website or queries a database, various pieces of information are recorded or logged into a file. 4. Availability Assuring that systems and information are available to the user when needed and that the site continues to function. 5. Non repudiation: (Close to authentication) The assurance that online customers or trading partners will not be able to falsely deny their purchase, transaction, sale, or other obligation.

12 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE 4-12 Copyright © 2015 Springer Education The Defense: Defenders, Strategy, and Methods: EC security strategy consists of multiple layers of defense that includes several methods.  This defense aims to deter, prevent, and detect unauthorized entry into an organization’s computer and information systems. 1. Deterrent methods: countermeasures that make criminals abandon their idea of attacking a specific system. 2. Prevention measures: help stop unauthorized people from accessing the EC system. 3. Detection measures: help find security breaches in computer systems.

13 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE 4-13 Copyright © 2015 Springer Education Information Assurance (IA):  Making sure that a customer is safe and secure while shopping online is a crucial part of improving the online buyer’s experience.  Measures taken to protect information systems and their processes against all risks. In other words assure the systems’ availability when needed. The assurance includes all tools and defense methods. Possible Punishment: A part of the defense is to deter criminals by punishing them heavily if they are caught. Judges now are giving more and harsher punishments than a decade ago.

14 10.2 BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE 4-14 Copyright © 2015 Springer Education Recovery: Especially critical in cases of a disaster or a major attack, and it must be speedy. Organizations need to continue their business until the information systems are fully restored, and they need to restore them fast. This is accomplished by activating business continuity and disaster recovery plans.

15 10.3 TECHNICAL MALWARE ATTACK METHODS Copyright © 2015 Springer Education 15

16 10.3 TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIALOF SERVICE 4-16 Copyright © 2015 Springer Education Organizational Attacks: Those where the security of a network or the computer is compromised (e.g., lack of proper security awareness training). The Major Technical Attack Methods Hackers often use several software tools: Malware (or malicious software): It is a software code, that when spread, is designed to infect, alter, damage, delete, or replace data or an information system without the owner’s knowledge or consent.  Malware includes computer viruses, worms, botnets, trojan horses, phishing tools, spyware tools, and other malicious and unwanted software.

17 10.3 TECHNICAL MALWARE ATTACK METHODS 4-17 Copyright © 2015 Springer Education Virus: Programmed software inserted by criminals into a computer to damage the system; running the infected host program activates the virus. Worm: Unlike a virus, it can replicate itself automatically (as a “standalone” – without any host or human activation). Trojan horse: A program that seems to be harmless or even looks useful but actually contains a hidden malicious code

18 10.4 NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD Copyright © 2015 Springer Education 18

19 10.4 NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD 4-19 Copyright © 2015 Springer Education Social Engineering and Fraud: A collection of methods where criminals use human psychology to persuade or manipulate people into revealing their confidential information so they can collect information for illegal activities. Social Phishing:  A fraudulent process of acquiring confidential information, such as credit card or banking details, from unsuspecting computer users.  “ A phisher sends an e-mail, IM, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution.” Once the user enters the corrupted website, he or she may be tricked into submitting confidential information (e.g., being asked to “update” information).

20 10.4 NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD 4-20 Copyright © 2015 Springer Education

21 10.4 NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD 4-21 Copyright © 2015 Springer Education Pharming : A scam where malicious code is installed on a computer and used to redirect victims to a bogus websites without their knowledge or consent. Pharming can be more dangerous than phishing since users have no idea that they are have been redirected to a fake website. Similar to phishing.

22 10.4 NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD 4-22 Copyright © 2015 Springer Education Fraud and Scams on the Internet: Phishing is the first step that leads to many fraud schemes. The EC environment where buyers and sellers cannot see each other facilitates fraud. Fraud is a problem for online retailers and customers alike. Even though actual losses per incident increase, there are fewer incidents; and thus the total monetary damage may be declining.

23 10.5 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY Copyright © 2015 Springer Education 23

24 10.5 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY 4-24 Copyright © 2015 Springer Education Information Assurance (IA) model: A point of reference used to identify problem areas and evaluate the information security of an organization. The use of the model includes three necessary attributes: 1. Confidentiality. 2. Integrity. 3. Availability. The success and security of EC can be measured by these attributes.

25 10.5 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY 4-25 Copyright © 2015 Springer Education 1. Confidentiality: The assurance of data secrecy and privacy. Namely, the data is disclosed only to authorized people (encryption and passwords). 2. Integrity: The assurance that data are accurate and that they cannot be altered. The integrity attribute needs to be able to detect and prevent the unauthorized creation, modification, or deletion of data or messages in transit. 3. Availability: The assurance that access to any relevant data, information websites, or other EC services and their use is available in real time, whenever and wherever needed.

26 10.5 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY 4-26 Copyright © 2015 Springer Education E-Commerce Security Strategy: EC security needs to address the IA model and its components. The Phases of Security Defense: 1. Prevention and deterrence (preparation): Good controls may prevent criminal activities and human error from occurring. 2. Initial Response: Verifying if there is an attack. If so, determine how the intruder gained access to the system and which systems and data are infected or corrupted. 3. Detection: The earlier an attack is detected, the easier it is to fix the problem, and the smaller amount of damage is done. 4. Containment (contain the damage): It is to minimize or limit losses once a malfunction has occurred.

27 10.5 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY 4-27 Copyright © 2015 Springer Education The Phases of Security Defense: 5. Eradication: Remove the malware from infected hosts. 6. Recovery: Recovery needs to be planned for to assure quick return to normal operations at a reasonable cost. One option is to replace parts rather than to repair them. 7. Correction: Finding the causes of damaged systems and fixing them. 8. Awareness and compliance: All organization members must be educated about possible hazards and must comply with the security rules and regulations.

28 10.5 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY 4-28 Copyright © 2015 Springer Education Assessing Vulnerabilities and Security Needs: A key task in security strategy is to find the weaknesses and strengths of the existing security strategies and solutions. This part of a risk assessment can be accomplished in different ways: 1. Conduct a vulnerability assessment of your EC systems.  Vulnerability assessment: A process of identifying and evaluating problem areas that are vulnerable to attack on a computerized system. 2. Conduct penetration (pen) tests.

29 10.7 THE DEFENSE II: SECURING E-COMMERCE NETWORKS Copyright © 2015 Springer Education 29

30 10.7 THE DEFENSE II: SECURING E-COMMERCE NETWORKS 4-30 Copyright © 2015 Springer Education Technologies to ensure that an organization’s network boundaries are secure: 1. Firewalls: Barriers between an internal trusted network (or a PC) and the untrustworthy Internet. 2. Virtual private network (VPN): The use of the Internet to transfer information, but in a more secure manner. A VPN behaves like a private network by using encryption and other security features to keep the information secure. 3. Honeynet: A network of honeypots designed to attract hackers, just as bees are attracted to honey.  When intruders enter the honeypot, their activities are monitored.  Security experts then analyze why and how the hackers attack, and what they do during and after the system is compromised.

31 10.8 THE DEFENSE III: GENERAL CONTROLS, SPAM AND POP UPS Copyright © 2015 Springer Education 31

32 10.8 THE DEFENSE III: GENERAL CONTROLS, SPAM AND POP UPS 4-32 Copyright © 2015 Springer Education The objective of IT security management practices: Defend information systems. A defense strategy requires several controls. The major types of controls: 1. General controls: which are designed to protect all system applications. 2. Application controls guard applications.

33 10.8 THE DEFENSE III: GENERAL CONTROLS, SPAM AND POP UPS 4-33 Copyright © 2015 Springer Education

34 10.8 THE DEFENSE III: GENERAL CONTROLS, SPAM AND POP UPS 4-34 Copyright © 2015 Springer Education Protecting Against Spam: Sending spam that includes a sales pitch and looks like personal, legitimate e-mail and may bypass filters. However, many spammers hide their identity by using hijacked PCs or spam zombies to avoid detection and identification. For protecting your system against botnet attacks, which also spread a huge volume of spam.

35 10.8 THE DEFENSE III: GENERAL CONTROLS, SPAM AND POP UPS 4-35 Copyright © 2015 Springer Education Protecting Your Computer from Pop-Up Ads: The use of pop-ups and similar advertising methods is growing rapidly. It is difficult to close these ads when they appear on the screen. Some of these ads may be part of a consumer’s permitted marketing agreement, but most are unsolicited. Tools for Stopping or at Least Minimizing Pop-Ups: Installing software that blocks popup ads. Several software packages offer pop-up stoppers. Some are free e.g., Panicware, Softonic’s Pop up Blocker and AdFender.

36 10.9 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY Copyright © 2015 Springer Education 36

37 10.9 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY 4-37 Copyright © 2015 Springer Education Drivers for EC security management: The laws and regulations with which organizations must comply. The conduct of global EC. Information assets have become critical to the operation of many businesses. New and faster information technologies are shared throughout organizations. The complexity of both the attacks and the defense require an organization wide collaboration approach.

38 10.9 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY 4-38 Copyright © 2015 Springer Education EC Security Policies and Training: An important security task is developing an organizational EC security policy, as well as procedures for specific security and EC activities such as access control and protecting customer data. The policies need to be disseminated throughout the organization and necessary training needs to be provided.

39 10.9 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY 4-39 Copyright © 2015 Springer Education EC Security Policies and Training: First example,  To protect privacy during data collection, policies need to specify that customers should: Know that data is being collected. Give their permission for the data to be collected. Have knowledge and some control over how the data is controlled and used. Be informed that the information collected is not to be shared with other organizations. Second example,  To protect against criminal use of social media, you can: Develop policies and procedures to exploit opportunities but provide customer protection. Educate employees and others about what is acceptable and what is not acceptable.

40 10.9 IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY 4-40 Copyright © 2015 Springer Education The major reasons Internet crime is so difficult to stop: Making Shopping Inconvenient. Lack of Cooperation by Business Partners. Shoppers’ Negligence. Ignoring EC Security Best Practices. Design and Architecture Issues. Lack of Due Care in Business Practices.

Download ppt "Copyright © 2015 Springer Education 1 Lecture 6 ReF: chapter 10 E -C OMMERCE S ECURITY AND F RAUD I SSUES AND P ROTECTIONS."

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
Unit 1 Living in the Digital WorldChapter 1 Lets Communicate Internet Safety.

Unit 1 Living in the Digital WorldChapter 1 Lets Communicate Internet Safety.
What are computer viruses and its types? Computer Viruses are malicious software programs that damage computer program entering into the computer without.

What are computer viruses and its types? Computer Viruses are malicious software programs that damage computer program entering into the computer without.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.

© 2014 wheresjenny.com Cyber crime CYBER CRIME. © 2014 wheresjenny.com Cyber crime Vocabulary Defacement : An attack on a website that changes the visual.
Lecture 4 ref: Chapter 10 E-Commerce Fraud and Security Copyright © 2010 Pearson Education, Inc. 1.

Lecture 4 ref: Chapter 10 E-Commerce Fraud and Security Copyright © 2010 Pearson Education, Inc. 1.
7.1 Copyright © 2011 Pearson Education, Inc. 7 Chapter Securing Information Systems.

7.1 Copyright © 2011 Pearson Education, Inc. 7 Chapter Securing Information Systems.
THE INFORMATION SECURITY PROBLEM

THE INFORMATION SECURITY PROBLEM
Security, Privacy, and Ethics Online Computer Crimes.

Security, Privacy, and Ethics Online Computer Crimes.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
22 November 2010. Security and Privacy  Security: the protection of data, networks and computing power  Privacy: complying with a person's desires when.

22 November Security and Privacy  Security: the protection of data, networks and computing power  Privacy: complying with a person's desires when.
Threats To A Computer Network

Threats To A Computer Network
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
E-Commerce Security and Fraud Issues and Protections

E-Commerce Security and Fraud Issues and Protections
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Similar presentations

Ads by Google