Network and E-commerce Security
Nungky Awang Chandra, Fasilkom, Mercu Buana University

Uploaded by madlyn-hardy, 14-Dec-2015 (16 slides)

TRANSCRIPT

Page 1: Network and E-commerce Security

Nungky Awang Chandra, Fasilkom
Mercu Buana University

Page 2: Network Security

- $10 billion worth of data is stolen every year
- Huge numbers of credit card numbers are stolen
- 50% of computer crimes are committed by "insiders"
- Many cases are not reported
- Network security is a major issue, yet it is still not given the priority it deserves (low budget allocations, for example)
- Enterprise network security goals need to be set at the highest level of the organization

Page 3: Main Issues

- Security of internal networks
- Security of networks connected to the Internet
- Secure e-commerce issues:
  - Network security
  - Transaction security

Transaction security properties:
- Privacy: no unauthorized access to the transaction data
- Confidentiality: transaction data is deleted after use rather than retained
- Integrity: no tampering with the transaction

Page 4: Internet Security Terms

- Authentication: a way to verify that message senders are who they say they are
- Integrity: ensuring that information will not be accidentally or maliciously altered or destroyed
- Reliability: ensuring that the system will perform consistently and at an acceptable level of quality
- Encryption: a process of making information indecipherable except to those holding the decryption key

Page 5: Internet Security Terms

- Firewall: a filter between a corporate network and the Internet that keeps the corporate network secure from intruders while allowing authenticated corporate users access to the Internet
- Spoofing: creating counterfeit packets that carry private (intranet) source IP addresses so that they appear to come from inside the network, in order to gain access to private networks and steal information
- Denial of service: an attack on information and communication services by a third party that prevents legitimate users from using the infrastructure

Page 6: Figure 13-4 Security vs. Productivity Balance (Goldman, Datacomm, Fig. 13-04)

The figure places three positions on a security/productivity scale:

Lack of security
- High risk, low cost, open access, no productivity loss due to access restrictions
- Open access may lead to data loss or data integrity problems, which may in turn lead to productivity loss
- Lack of security may ultimately have a negative impact on productivity

Overly restrictive security
- High cost, low risk, restrictive access, productivity loss
- Security needs take priority over user access; overly restrictive security causes productivity decline
- Overly restrictive security may lead to non-compliance with security processes, which may lead to loss of security

Optimal balance of security and productivity
- Balanced risk and costs
- Restrictiveness of the security policy is balanced by people's acceptance of those policies
- Minimize the negative impact on productivity while maximizing security processes

Page 7: Network Security

Essentials of a network security policy:
- Identification/authentication: only authorized users access resources
- Access control: even authorized users are allowed only the access appropriate to them
- Privacy: no eavesdropping
- Data integrity: data is genuine and cannot be altered without proper controls
- Non-repudiation: users cannot deny the occurrence of given events or transactions

Page 8: Network Security

Steps in security policy development:
1. Identify assets
2. Identify threats
3. Identify vulnerabilities
4. Consider the risks
5. Take protective measures

Page 9: Network Security Policy Development Process

Executives' and management's responsibility for protection of information resources:
- Set an acceptable-use policy for the entire organization
- State the value of information as a corporate resource
- Require security awareness training
- Assess the consequences of a security breach
- Find the optimal balance between security and productivity needs
- Lead by example

Page 10: Virus Protection

- Virus: a malicious computer program
- Computer viruses are the most common microcomputer security breach, and infections occur frequently
- Complete recovery from a virus infection costs on average $8,100 and 44 hours spread over 10 working days
- Over 10,000 known viruses, with 200 new viruses per month
- Many viruses carry a payload that waits for a trigger: a time bomb fires at a given date or time, a logic bomb when some condition is met
- A logic bomb may be hidden behind something as innocuous as a button in a program
- Trojan horses (programs that appear useful but carry hidden malicious code) are a common delivery vehicle; the Concept and Melissa macro viruses, for example, arrived hidden in ordinary-looking Word documents

Page 11: Virus Protection

Different categories of virus:
- File infectors: attach themselves to a variety of executable files
- System/boot infectors: attack the files of the operating system or the boot sector

Antivirus strategies:
- Install virus scanning software at all possible points of attack
- Scan diskettes on stand-alone PCs before use
- Treat outsiders' laptops like diskettes: scan them before they connect
- Prohibit, control, or scan shareware programs
- Vendors must run their demos on their own machines, not on corporate ones

Page 12: Figure 13-17 Virus Infection Points of Attack and Protective Measures (Goldman, Datacomm, Fig. 13-17)

The figure shows a client PC, a server and remote access users joined by a hub, with a router connecting the network to the Internet. For each point of attack it lists vulnerabilities and protective measures:

Point of attack: Client PC
- Vulnerabilities: infected diskettes; groupware conferences with infected documents
- Protective measures: strict diskette scanning policy; auto-scan at system start-up

Point of attack: Internet access
- Vulnerabilities: downloaded viruses; downloaded hostile agents
- Protective measures: firewalls; user education about the dangers of downloading

Point of attack: Server
- Vulnerabilities: infected documents stored by attached clients; infected documents replicated from other groupware servers
- Protective measures: auto-scan run at least once a day; consider active monitoring (virus checking before programs are allowed to be loaded onto the server); rigorous backup in case of a major outbreak; audit logs to track down sources

Point of attack: Remote access users
- Vulnerabilities: frequent uploading/downloading of data and use of diskettes increase risk; linking to customer sites increases risk
- Protective measures: strict diskette scanning policy; strict policy about connecting to the corporate network after linking to other sites

Page 13: Virus Protection

Antivirus technology relies on:
- Virus scanning (the primary method): checks files for the unique signatures (byte patterns) of known viruses and removes or quarantines them. It only catches viruses whose signatures are already in the database; a variant that changes even the bytes the signature covers is missed until the database is updated.
- Emulation technology: runs suspect programs in a safe, isolated environment to examine their behaviour and identify potentially unknown viruses by their virus-like activities (for example, writing to other executables or to the boot sector)
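The signature-scanning method described on this slide, as an added example that is not part of the original lecture. The signature database, the "files" and the byte patterns are all constructed for the demonstration (they are not real malware samples or real antivirus signatures); the SHA-256 digest recorded per file stands in for the audit log entry the slides recommend. The last function mutates one byte of a sample to show why a pure signature scanner misses new variants.

```python
import hashlib

# Constructed demo signature database (name -> byte pattern). Real antivirus
# databases hold millions of entries and richer patterns; these two are
# invented for this example only.
SIGNATURES = {
    "Demo.Dropper.A": b"MZ\x90\x00DEMO-DROPPER-PAYLOAD",
    "Demo.Macro.B": b"Sub AutoOpen()\r\n    Shell \"cmd.exe /c",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Return [(signature_name, offset)] for every known pattern found in data."""
    hits = []
    for name, pattern in signatures.items():
        offset = data.find(pattern)
        if offset != -1:
            hits.append((name, offset))
    return hits


def scan_files(files, signatures=SIGNATURES):
    """files: {path: bytes}. Returns {path: {"sha256": ..., "hits": [...]}}.

    The digest is what an audit log would record, so that an infected file
    found later can be traced back to where and when it was stored."""
    return {
        path: {"sha256": hashlib.sha256(data).hexdigest(),
               "hits": scan_bytes(data, signatures)}
        for path, data in files.items()
    }


def mutate(sample):
    """Flip one byte inside the signature region to simulate a new variant.

    The behaviour of the "program" would be unchanged; only the bytes the
    signature matches on differ, which is enough to evade signature scanning."""
    b = bytearray(sample)
    b[10] ^= 0x01
    return bytes(b)


# Constructed sample "files" (harmless byte strings, not real malware).
CLEAN_DOC = b"Quarterly report: revenue up 4%.\n"
INFECTED_EXE = b"\x00" * 8 + b"MZ\x90\x00DEMO-DROPPER-PAYLOAD" + b"\x00" * 16
INFECTED_DOC = (b"Attribute VB_Name = \"ThisDocument\"\r\n"
                b"Sub AutoOpen()\r\n    Shell \"cmd.exe /c calc\"\r\nEnd Sub\r\n")
VARIANT_EXE = mutate(INFECTED_EXE)

if __name__ == "__main__":
    report = scan_files({"report.txt": CLEAN_DOC, "setup.exe": INFECTED_EXE,
                         "memo.doc": INFECTED_DOC, "setup_v2.exe": VARIANT_EXE})
    for path, result in report.items():
        print(path, result["hits"] or "clean", result["sha256"][:16])
```

Running it flags setup.exe and memo.doc but reports setup_v2.exe as clean, which is the gap the emulation approach on this slide is meant to close: a sandbox judges what the program does, not what bytes it contains.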

Page 14: Authorization and Access Control

- Assures that only authorized users are able to access the files, directories and applications to which they are entitled
- The simplest method is requiring users to authenticate with passwords
- Further security can be enforced by making users choose passwords with certain features (minimum length, mixed character classes) and by requiring them to change passwords at intervals
- Modern authentication systems use smart cards (something the user has, in addition to something the user knows)
- Future trends: biometric authentication (fingerprints and retinal patterns)
- Access to resources can be restricted by giving different users different levels of access permissions
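The two mechanisms on this slide, a password policy with mandatory rotation and resource access restricted by permission level, as an added example that is not part of the original lecture. The policy parameters (12 characters, 3 of 4 character classes, 90-day maximum age), the permission levels, the access control list and the dates are all assumed values constructed for the demonstration. The authorization check is deny-by-default: a user or resource missing from the list gets no access rather than an error.

```python
import re
from datetime import date, timedelta

# Policy parameters: assumed values for this example, not from the slides.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=90)
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password_policy(password, last_changed, today):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if present < 3:
        problems.append("needs at least 3 of: lowercase, uppercase, digit, symbol")
    if today - last_changed > MAX_AGE:
        problems.append(f"older than {MAX_AGE.days} days, must be changed")
    return problems


# Permission levels are ordered: a higher level implies the lower ones.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Constructed access control list: resource -> {user: highest level granted}.
ACL = {
    "/finance/ledger.xlsx": {"alice": "write", "bob": "read"},
    "/hr/salaries.db": {"carol": "admin"},
}


def is_authorized(user, resource, action, acl=ACL):
    """Default deny: anything not explicitly granted evaluates to level 'none'."""
    granted = acl.get(resource, {}).get(user, "none")
    return LEVELS[granted] >= LEVELS[action]


def request(user, password, last_changed, resource, action, today):
    """Authentication first (the password must still satisfy policy, which is
    how rotation is enforced), then authorization against the ACL."""
    violations = check_password_policy(password, last_changed, today)
    if violations:
        return False, "password policy: " + "; ".join(violations)
    if not is_authorized(user, resource, action):
        return False, f"{user} lacks {action} on {resource}"
    return True, "ok"


# Constructed dates for the demonstration.
TODAY = date(2024, 6, 1)
RECENT = date(2024, 5, 1)   # 31 days old: within policy
STALE = date(2024, 1, 1)    # 152 days old: expired

if __name__ == "__main__":
    print(request("alice", "C0rrect-Horse-42", RECENT, "/finance/ledger.xlsx", "write", TODAY))
    print(request("bob", "C0rrect-Horse-42", RECENT, "/finance/ledger.xlsx", "write", TODAY))
    print(request("alice", "C0rrect-Horse-42", STALE, "/finance/ledger.xlsx", "read", TODAY))
```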

Page 15: Encryption

- Encryption changes data into an indecipherable form
- Decryption changes the ciphertext back into the original message
- DES (Data Encryption Standard): symmetric ("private key") encryption
  - Operates on 64-bit blocks with a 56-bit key (8 of the 64 key bits are parity bits), so there are 2^56 possible keys, not 2^64
  - Both the sender and the receiver must know the same secret key
  - If the secret key is intercepted, the encryption system is compromised
  - A 56-bit key space has been searched exhaustively by purpose-built hardware since the late 1990s; DES has since been replaced by AES for new systems

Page 16: Encryption

- RSA (Rivest-Shamir-Adleman): public key encryption
  - Makes use of a public/private key pair: the public key can be shared freely, the private key is kept secret by its owner
- Digital signatures
  - The original document is processed with a hash algorithm, producing a fixed-length digest that is, in practice, unique to that document
  - The digest is encrypted (signed) with the sender's private key
  - The recipient recomputes the hash of the received document, decrypts the signature with the sender's public key, and compares the two digests; if they differ, the document was altered in transit or the signature was not produced by the claimed sender