Post on 21-Dec-2015
Chapter 10: Electronic Commerce Security
Online Security Issues Overview
Computer security: the protection of assets from unauthorized access, use, alteration, or destruction.
Physical security: includes tangible protection devices.
Logical security: protection of assets using nonphysical means.
Threat: any act or object that poses a danger to computer assets.
Managing Risk: Terms
Countermeasure: general name for a procedure that recognizes, reduces, or eliminates a threat.
Eavesdropper: person or device that can listen in on and copy Internet transmissions.
Crackers or hackers: write programs or manipulate technologies to obtain unauthorized access to computers and networks.
Computer Security Classification
Secrecy/confidentiality: protecting against unauthorized data disclosure (technical issues).
Privacy: the ability to control the use of information about oneself (legal issues).
Integrity: preventing unauthorized data modification by an unauthorized party.
Necessity: preventing data delays or denials (removal).
Nonrepudiation: ensuring that e-commerce participants do not deny (i.e., repudiate) their online actions.
Authenticity: the ability to verify the identity of a person or entity with whom you are dealing on the Internet.
Some solutions --
Exercise
Visit the Copyright Web site: http://www.benedict.com/
Check out examples of copyright infringement: audio arts, visual arts, digital arts.
Read the comments under "Info".
Security Threats in the E-commerce Environment
Three key points of vulnerability: the client, the communications pipeline, and the server.
Active Content
Active content refers to programs embedded transparently in Web pages that cause an action to occur
Scripting languages: provide scripts, or commands, that are executed.
Applet: a small application program (Java, ActiveX).
Trojan horse: a program hidden inside another program or Web page that masks its true purpose.
Zombie: a program that secretly takes over another computer to launch attacks on other computers; such attacks can be very difficult to trace to their creators.
Viruses, Worms, and Antivirus Software
Virus: software that attaches itself to another program; it can cause damage when the host program is activated.
Macro virus: a type of virus coded as a small program (macro) and embedded in a file.
Antivirus software: detects viruses and worms.
Digital Certificates
A digital certificate is a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be
A certificate is signed code or messages that provide proof that the holder is the person identified by the certificate
Certification authority (CA) issues digital certificates
Main elements:
Certificate owner’s identifying information
Certificate owner’s public key
Dates between which the certificate is valid
Serial number of the certificate
Name of the certificate issuer
Digital signature of the certificate issuer
Communication Channel Security
Recall that:
Secrecy is the prevention of unauthorized information disclosure.
Privacy is the protection of individual rights to nondisclosure.
Sniffer programs: provide the means to record information passing through a computer or router that is handling Internet traffic.
Demonstration of a Java implementation of a packet sniffer.
Other Threats
Integrity: integrity threats exist when an unauthorized party can alter a message stream of information.
Cybervandalism: electronic defacing of an existing Web site's page.
Masquerading or spoofing: pretending to be someone you are not.
Domain name servers (DNSs): computers on the Internet that maintain directories that link domain names to IP addresses.
Necessity: the purpose is to disrupt or deny normal computer processing (DoS attacks), or to remove information altogether by deleting it from a transmission or file.
Wireless Network Threats
Wardrivers: attackers drive around using their wireless-equipped laptop computers to search for accessible networks.
Warchalking: when wardrivers find an open network they sometimes place a chalk mark on the building.
Anonymizer: a Web site that provides a measure of secrecy as long as it is used as the portal to the Internet (http://www.anonymizer.com).
Tools Available to Achieve Site Security
Encryption
Transforms plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver. Purpose: to secure stored information and to secure information transmission.
Cipher text: text that has been encrypted and thus cannot be read by anyone besides the sender and the receiver.
Symmetric key encryption: the DES standard is the most widely used.
Group Exercise
Julius Caesar supposedly used secret codes known today as Caesar ciphers. The simplest replaces A with B, B with C, etc. This is called a one-rotate code. The following is encrypted using a simple Caesar rotation cipher. See if you can decrypt it:
Mjqqt hfjxfw. Mtb nx dtzw hnumjw? Xyfd fbfd kwtr ymj xjsfyj ytifd.
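Added example, not part of the slides: a rotation cipher has only 26 possible keys, so a program can simply try every shift and keep the candidate that looks most like English. The word-list scoring heuristic is constructed for this demonstration.

```python
import string

# Ciphertext taken from the exercise on the slide.
CIPHERTEXT = "Mjqqt hfjxfw. Mtb nx dtzw hnumjw? Xyfd fbfd kwtr ymj xjsfyj ytifd."

# Constructed scoring heuristic: a handful of very common English function words.
COMMON_WORDS = {"the", "and", "is", "a", "of", "to", "in", "it", "you", "your", "how", "from", "for", "on"}


def rotate(text: str, shift: int) -> str:
    """Shift every letter by `shift` places, wrapping within the alphabet; case and punctuation are kept."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def score(text: str) -> int:
    """Count common English words in a candidate plaintext; a higher score is more plausible."""
    words = [w.strip(string.punctuation).lower() for w in text.split()]
    return sum(w in COMMON_WORDS for w in words)


def break_caesar(ciphertext: str) -> tuple:
    """Try all 26 shifts (the entire key space) and return (shift, plaintext) with the best score."""
    best_shift, best_text = max(
        ((k, rotate(ciphertext, -k)) for k in range(26)),
        key=lambda pair: score(pair[1]),
    )
    return best_shift, best_text


if __name__ == "__main__":
    shift, plaintext = break_caesar(CIPHERTEXT)
    print(f"shift {shift}: {plaintext}")
```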
Encryption
Public key cryptography uses two mathematically related digital keys: a public key and a private key. The private key is kept secret by the owner, and the public key is widely disseminated.
Either key can be used to encrypt a message, and the other key decrypts it; the key used to encrypt a message cannot be used to decrypt that same message.
Public Key Cryptography with Digital Signatures
Public Key Cryptography: Creating a Digital Envelope
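Added example for the two preceding slides (digital signatures and the digital envelope), not code from the slides: the same tiny textbook RSA key pair signs a message with the private key and seals a session key with the recipient's public key. The primes and the hash-based XOR stream cipher are constructed for illustration and are far too small to be secure.

```python
import hashlib
import os


def keygen(p=61, q=53, e=17):
    """Textbook RSA key pair from two small primes (constructed, toy sized)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)             # (public key, private key)


def apply_key(key, block: int) -> int:
    """Modular exponentiation with either key; what one key does, only the other key undoes."""
    exponent, n = key
    return pow(block, exponent, n)


def sign(private_key, message: bytes) -> list:
    """Digital signature: hash the message, then apply the private key to every digest byte."""
    digest = hashlib.sha256(message).digest()
    return [apply_key(private_key, b) for b in digest]


def verify(public_key, message: bytes, signature: list) -> bool:
    """Anyone holding the public key recovers the digest and compares it with a fresh hash."""
    digest = hashlib.sha256(message).digest()
    return [apply_key(public_key, s) for s in signature] == list(digest)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher standing in for DES/AES: XOR with a SHA-256 keystream."""
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


def seal(recipient_public_key, message: bytes) -> tuple:
    """Digital envelope: a fresh session key encrypts the message, the recipient's public key wraps the session key."""
    session_key = os.urandom(16)
    wrapped_key = [apply_key(recipient_public_key, b) for b in session_key]
    return wrapped_key, stream_xor(session_key, message)


def open_envelope(recipient_private_key, envelope: tuple) -> bytes:
    """Only the holder of the private key can unwrap the session key and read the message."""
    wrapped_key, ciphertext = envelope
    session_key = bytes(apply_key(recipient_private_key, c) for c in wrapped_key)
    return stream_xor(session_key, ciphertext)
```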
Securing Channels of Communications
Secure Sockets Layer (SSL) is the most common form of securing channels.
Secure negotiated session: a client-server session in which the requested document URL, contents, forms, and cookies are encrypted.
Session key: a unique symmetric encryption key chosen for a single secure session.
Firewalls
Software, or a hardware and software combination, installed on a network to control packet traffic.
Provides a defense between the network to be protected and the Internet, or another network that could pose a threat.
Characteristics:
All traffic from inside to outside and from outside to inside the network must pass through the firewall.
Only authorized traffic is allowed to pass.
The firewall itself is immune to penetration.
Trusted networks are inside the firewall; untrusted networks are outside the firewall.
Packet-filter firewalls: examine data flowing back and forth between a trusted network and the Internet.
Gateway servers: firewalls that filter traffic based on the application requested.
Proxy server firewalls: firewalls that communicate with the Internet on the private network's behalf.
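Added example, not from the slides: a minimal packet-filter evaluator showing the characteristics above in code, namely first-match rules, a default-deny for anything not explicitly authorized, and a trusted inside versus untrusted outside. The network, the rule set and the packet format are constructed; a production firewall would be nftables, iptables or an appliance.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRUSTED_NET = ip_network("10.0.0.0/8")  # constructed: the network the firewall protects


@dataclass(frozen=True)
class Packet:
    iface: str   # "inside" or "outside": the side of the firewall the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


# Constructed policy. Rules are checked in order and the first match wins:
# (action, protocol, source network, destination network, destination port or None for any)
RULES = [
    ("allow", "tcp", "0.0.0.0/0", "10.0.1.10/32", 443),  # the public web server, HTTPS only
    ("allow", "tcp", "10.0.0.0/8", "0.0.0.0/0", None),   # inside hosts may open outbound TCP
    ("allow", "udp", "10.0.0.0/8", "0.0.0.0/0", 53),     # inside hosts may query outside DNS
]
DEFAULT_ACTION = "deny"  # anything not explicitly authorized does not pass


def decide(pkt: Packet) -> tuple:
    """Return (action, reason) for one packet under the policy above."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # Anti-spoofing: a packet claiming an inside address cannot legitimately arrive from outside.
    if pkt.iface == "outside" and src in TRUSTED_NET:
        return "deny", "spoofed internal source address on outside interface"
    for action, proto, src_net, dst_net, dport in RULES:
        if (proto == pkt.proto
                and src in ip_network(src_net)
                and dst in ip_network(dst_net)
                and (dport is None or dport == pkt.dport)):
            return action, f"matched {proto} {src_net} -> {dst_net}:{dport or 'any'}"
    return DEFAULT_ACTION, "no matching rule (default deny)"


def filter_packets(packets) -> list:
    """Apply the policy to a batch and return only the packets that are allowed through."""
    return [p for p in packets if decide(p)[0] == "allow"]
```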
Security Policy and Integrated Security
A security policy is a written statement describing:
Which assets to protect and why they are being protected
Who is responsible for that protection
Which behaviors are acceptable and which are not
First step in creating a security policy: determine which assets to protect from which threats.
Elements of a security policy address:
Authentication
Access control
Secrecy
Data integrity
Audits
Protection of Information Assets CISA 2006 Exam Preparation
Tension Between Security and Other Values
Ease of use: security often slows down processors and adds significantly to data storage demands. Too much security can harm profitability; not enough can mean going out of business.
Public safety and criminal use: claims of individuals to act anonymously vs. the needs of public officials to maintain public safety in light of criminals or terrorists.
Some questions
Can internet security measures actually create opportunities for criminals to steal? How?
Why are some online merchants hesitant to ship to international addresses?
What are some steps a company can take to thwart cyber-criminals from within a business?
Is a computer with anti-virus software protected from viruses? Why or why not?
What are the differences between encryption and authentication?
Discuss the role of administration in implementing a security policy.
Security for Server Computers
Web server: can compromise secrecy if it allows automatic directory listings.
Can compromise security by requiring users to enter a username and password.
Dictionary attack programs: cycle through an electronic dictionary, trying every word in the book as a password.
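Added example from the defender's side, not from the slides: a dictionary attack against a password-protected server shows up in the authentication log as a burst of failed logins from one source, and a success right after such a burst is the signal an operator most needs to see. The syslog-style log lines, the addresses and the thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login records (not from the slides): 203.0.113.9 hammers the admin account.
SAMPLE_LOG = """\
2015-12-21T10:00:01 sshd: Failed password for admin from 203.0.113.9
2015-12-21T10:00:02 sshd: Failed password for admin from 203.0.113.9
2015-12-21T10:00:03 sshd: Failed password for admin from 203.0.113.9
2015-12-21T10:00:04 sshd: Failed password for admin from 203.0.113.9
2015-12-21T10:00:05 sshd: Failed password for root from 203.0.113.9
2015-12-21T10:00:06 sshd: Failed password for alice from 198.51.100.7
2015-12-21T10:00:07 sshd: Accepted password for alice from 198.51.100.7
2015-12-21T10:00:09 sshd: Accepted password for admin from 203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse(log: str) -> list:
    """Turn each log line into (timestamp, succeeded, user, source); lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome == "Accepted", user, src))
    return events


def detect_dictionary_attacks(log: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag sources with at least `threshold` failed logins inside a sliding window.

    A later success from an already flagged source is escalated, since one of the guesses may have worked.
    """
    recent_failures = defaultdict(list)
    verdicts = {}
    for ts, succeeded, user, src in sorted(parse(log)):
        if not succeeded:
            window = [t for t in recent_failures[src] if ts - t <= timedelta(seconds=window_seconds)]
            window.append(ts)
            recent_failures[src] = window
            if len(window) >= threshold:
                verdicts.setdefault(src, "dictionary attack suspected")
        elif src in verdicts:
            verdicts[src] = "possible compromise: success after failure burst"
    return verdicts
```

The same counters drive the usual countermeasures: temporary lockout or rate limiting per source and per account, and an alert on the success-after-burst case.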
Other Programming Threats
Buffer: an area of memory set aside to hold data read from a file or database.
Buffer overrun: occurs because the program contains an error or bug that causes the overflow.
Mail bomb: occurs when hundreds or even thousands of people each send a message to a particular address.
Organizations that Promote Computer Security
CERT (www.cert.org):
Responds to thousands of security incidents each year
Helps Internet users and companies become more knowledgeable about security risks
Posts alerts to inform the Internet community about security events
SANS Institute: a cooperative research and educational organization.
SANS Internet Storm Center: a Web site that provides current information on the location and intensity of computer attacks.
Microsoft Security Research Group: a privately sponsored site that offers free information about computer security issues.