1
Network and E-commerce Security
Nungky Awang ChandraFasilkom
Mercu Buana University
2
Network Security
$ 10 billion worth of data stolen every year Huge number of credit card numbers get
stolen 50% of the computer crimes are committed
by “insiders” Many cases are not reported Network security is a major issue Still, not accorded the priority it deserves -
low budget allocations, for example. Enterprise network security goals need to
be set at the highest level
3
Main Issues
Security of Internal Networks Security of Networks Connected to
the Internet Secure E-commerce Issues
Network Security Transaction Security
Privacy – no unauthorized access Confidentiality – deletion after use Integrity – no tampering
4
Internet Security Terms
Authentication – a way to verify that message senders are who they say they are
Integrity – ensuring that information will not be accidentally or maliciously altered or destroyed
Reliability – ensuring that the system will perform consistently and at an acceptable level of quality
Encryption – a process of making information indecipherable except to those with a decoding key
5
Internet Security Terms Firewall – a filter between a corporate
network and the Internet that keeps the corporate network secure from intruders but allows authenticated corporate users access to the Internet
Spoofing – a way of creating counterfeit packets with private IP (Intranet) addresses in order to gain access to private networks and steal information
Denial of service – an attack on the information and communication services by a third party that prevents legitimate users from using the infrastructure
6
Figure 13-4 Security vs. Productivity BalanceGOLDMAN: DATACOMM FIG. 13-04
High risk Low cost Open access No productivity loss Open access may lead to data loss or data integrity problems which may lead to productivity loss.
High cost Low risk Restrictive access Productivity loss Overly restrictive security may lead to non-compliance with security processes which may lead to loss of security
Balanced risk and costs Restrictiveness of security policy balanced by people's acceptance of those policies
Lack of security may ultimately have
negative impact on productivity
No productivity loss due to access
restrictions
SECURITYPRODUCTIVITY
SECURITYPRODUCTIVITY
Overly restrictive security casues
productivity decline
Security needs take priority over user
access
SECURITYPRODUCTIVITY
Minimize negative impact on
productivity
Maximize security processes
BALANCE
Optimal Balance of Security and Productivity
Overly Restrictive Security
Lack of Security
7
Network Security
Essentials of Network Security Policy Identification/authorization - authorized
users access resources Access control - even authorized users
allowed appropriate access Privacy - no eavesdropping Data integrity - that data is genuine and
cannot be altered without proper controls Non-repudiation - users do not deny
occurrence of given events or transactions
8
Network Security
Steps in security policy development Identify assets Identify threats Identify vulnerabilities Consider the risks Take protective measures
9
Network Security Policy Development Process
Executive’s and Management’s Responsibility for Protection of Information Resources Set acceptable-use policy for the entire
organization State the value of information as a
corporate resource Require security awareness training Assess the consequences of security
breach Find optimal balance between security
and productivity needs Lead by example
10
Virus Protection
Virus - a malicious computer program Computer viruses are most common
microcomputer security breach Frequent occurrences Complete recovery from a virus infection costs
on an average of $8100 and 44 hr over 10 working days
Over 10,000 known viruses, 200 new viruses per month
Viruses need some kind of a trigger (time bomb, logic bomb)
Logic bomb may appear as a button in a program Trojan Horses hide viruses (e.g. Concept,
Melissa)
11
Virus Protection
Different categories of virus File infectors: attach themselves to a variety of
executable files System/boot infectors: attack the files of the
operating system or boot sector
Antivirus Strategies Install virus scanning software at possible points of
attack Scan diskettes at stand-alone PCs Outsider lap-tops – same as diskettes Prohibit, control, or scan shareware programs Vendors must run their demos on own machines
12
Figure 13-17 Virus Infection Points of Attack and Protective Measures
GOLDMAN: DATACOMM FIG. 13-17
Router
Point of Attack: Client PC Vulnerabilities
Infected diskettes Groupware conferences with infected documents
Protective Measures Strict diskette scanning policy Auto-scan at system start-up
Point of Attack: Internet Access Vulnerabilities
Downloaded viruses Downloaded hostile agents
Protective Measures Firewalls User education about the dangers of downloading
Point of Attack: Server Vulnerabilities
Infected documents stored by attached clients Infected documents replicated from other groupware servers
Protective Measures Autoscan run at least once a day Consider active monitoring virus checking before allowing programs to be loaded onto server Rigorous backup in case of major outbreak Audit logs to track down sources
Point of Attack: Remote Access Users Vulnerabilities
Frequent up/downloading of data and use of diskettes increase risk Linking to customer sites increases risk
Protective Measures Strict diskette scanning policy Strict policy about the connection to corporate networks after linking to other sites.
INTERNET
hub
Client PC
Remote Access Users
Server
13
Virus Protection
Antivirus Technology Relies On Virus scanning - primary method - checks for
unique signatures of known viruses and removes them
Emulation technology - runs programs to examine and identify potentially unknown viruses
Programs are run in a safe environment to detect virus-like activities
14
Authorization and Access Control Assures that only authorized users are able to access
those files, directories, and applications to which they are entitled
Simplest method is requiring users to use passwords Further security can be enforced by making the users
choose passwords with certain features, requiring them to change passwords at intervals
Modern authentication systems use smart cards Future trends - biometric authentication (fingerprints
and retinal patterns) Access to resources can be restricted by giving
different levels of access permissions
15
Encryption
Encryption involves changing of data into an indecipherable form
Decryption - changing the code back into original message
DES (Data Encryption Standard) - Private Key Encryption
64 bit encryption - 2 to the 64th power number of combinations
Both the sender and the receiver must know the private key
If private key is intercepted, encryption system is compromised
16
Encryption
RSA Standard (Rivet-Shamir-Alderman) - Public Key Encryption
Makes use of a public/private key combination
Digital Signature Encryption An original document is processed using a
hash algorithm The unique hash string is encoded using the
sender’s private key Recipient re-generates the original
document to compare it with the document received