ELC 200 Day 22
E-Security
Awad – Electronic Commerce 2/e © 2003 Prentice Hall
Day 22 Agenda
• Quiz 3 Corrected
  – 14 A’s, 2 B’s and 3 no-takes
  – Too easy!
• Assignment #7 corrected
  – 13 A’s, 1 B, 1 C and 3 non-submits
  – Short discussion on results
• Quiz 4 (last) will be April 29
  – Chap 13, 14, & 15
• Assignment 8 (next to last) is on next slide
  – One more, will count best 8 out of 9
• Should be progressing on Framework
• Lecture/Discuss E-security
Assignment # 8
• On Page 435
• Answer Discussion Questions 1, 2 & 3
  – Answers should be well reasoned and explained in under one page per question (1 page is not enough, more than 3 is too much)
  – Turn in a well formatted typed response sheet
  – Due Tuesday, April 19 at start of class
OBJECTIVES
• Security in Cyberspace
• Conceptualizing Security
• Designing for Security
• How Much Risk Can You Afford?
• Virus – Computer Enemy #1
• Security Protection & Recovery
E-Security: Objectives
ABUSE & FAILURE
• Fraud
• Theft
• Disruption of Service
• Loss of Customer Confidence
E-Security: Security in Cyberspace
WHY IS THE INTERNET DIFFERENT?
E-Security: Security in Cyberspace
Paper-Based Commerce                 Electronic Commerce
Signed paper documents               Digital signature
Person-to-person                     Electronic via website
Physical payment system              Electronic payment system
Merchant-customer face-to-face       Face-to-face absence
Easy detectability of modification   Difficult detectability
Easy negotiability                   Special security protocol
Digital Signature Act (Oct 1, 2000)
• A contract or agreement in interstate or foreign commerce will not be denied legal effect, validity, or enforceability if the contract or agreement is in electronic form and is signed by an electronic signature. Note that the act covers only foreign and interstate commerce. Therefore, where both parties to a contract are in the same state, the law would not seem to apply. However, most states have enacted their own digital signature laws, which cover intrastate transactions.
• The Act permits, but does not require the use of an electronic signature.
• A legal requirement to furnish a record to a consumer in writing can be satisfied by an electronic record, so long as the consumer consents.
• A legal record retention requirement can be satisfied with electronic records.
SECURITY CONCERNS
• Confidentiality
• Authentication
• Integrity
• Access Control
• Non-repudiation
• Firewalls
E-Security: Conceptualizing Security
INFORMATION SECURITY DRIVERS
• Global trading
  – On-line, real time
• Availability of reliable security packages
  – Good products…expensive
• Changes in attitudes toward security
  – Strategic asset
E-Security: Conceptualizing Security
PRIVACY FACTOR
E-Security: Conceptualizing Security
[Bar chart: Surfers who agree with the statement "The Internet is a serious threat to privacy"; groups: Men, Women, Ages 18-29, Ages 30-49, Ages 50 or older, Income less than $40,000; y-axis 0% to 50%]
DESIGNING FOR SECURITY
• Adopt a reasonable security policy
  – Cost effective
  – Proactive
• Consider web security needs
  – Data sensitivity
• Design the security environment
• Authorizing and monitoring the system
  – Accountability
  – Traceability
E-Security: Designing for Security
ADOPT A REASONABLE SECURITY POLICY
• Policy
  – Understanding the threats information must be protected against to ensure
    • Confidentiality
    • Integrity
    • Privacy
  – Should cover the entire e-commerce system
    • Internet security practices
    • Nature & level of risks
    • Procedure of failure recovery
E-Security: Designing for Security
SECURITY PERIMETER
• Firewalls
• Authentication
• Virtual Private Networks (VPN)
• Intrusion Detection Devices
E-Security: Designing for Security
Security Design Process
[Process diagram; boxes:]
• Adopt a Security Policy That Makes Sense
• Consider Web Security Needs
• Design the Security Environment
• Police the Security Perimeter
• Authorize and Monitor the Security System
AUTHORIZING & MONITORING SYSTEM
• Monitoring
  – Capturing processing details for evidence
  – Verifying e-commerce is operating within security policy
  – Verifying attacks have been unsuccessful
E-Security: Designing for Security
Web Logs
HOW MUCH RISK CAN YOU AFFORD?
• Determine specific threats inherent to the system design
• Estimate pain threshold
• Analyze the level of protection required
E-Security: How Much Risk Can You Afford?
KINDS OF THREATS / CRIMES
• Physically-related
  – Create physical changes
• Order-related
  – Manipulation of existing orders
• Electronically-related
  – Sniffers
  – Spoofers
  – Script kiddies
E-Security: How Much Risk Can You Afford?
Snoop and Sniff
Day 23 Agenda
• Quiz 4 (last) will be April 29
  – Chap 13, 14, & 15
• Assignment 8 (next to last) is on next slide
  – Due Tuesday April 19
  – One more, will count best 8 out of 9
• Should be progressing on Framework
• Lecture/Discuss E-security
How Hackers Hack
• Many Techniques
  – Social Engineering
    • Get someone to give you their password
  – Cracking
    • Guessing passwords
    • A six letter password (no caps) – > 300 million possibilities
    • Merriam-Webster's citation files, which were begun in the 1880s, now contain 15.7 million examples of words used in context and cover all aspects of the English vocabulary. – http://www.m-w.com/help/faq/words_in.htm
  – Buffer Overflows
    • Getting code to run on other PCs
  – Load a Trojan or BackDoor
  – Snoop and Sniff
    • Steal data
  – Denial of Service (DOS)
    • Crash or cripple a computer from another computer
  – Distributed Denial of Service (DDOS)
    • Crash or cripple a computer from multiple distributed computers
Maine’s Anti-Hacker laws
• §432. Criminal invasion of computer privacy
  1. A person is guilty of criminal invasion of computer privacy if the person intentionally accesses any computer resource knowing that the person is not authorized to do so. [1989, c. 620 (new).]
  2. Criminal invasion of computer privacy is a Class D crime. [1989, c. 620 (new).]
  – Up to $2000 fine and one year in jail
• §433. Aggravated criminal invasion of computer privacy
  1. A person is guilty of aggravated criminal invasion of computer privacy if the person:
     A. Intentionally makes an unauthorized copy of any computer program, computer software or computer information, knowing that the person is not authorized to do so; [1989, c. 620 (new).]
     B. Intentionally or knowingly damages any computer resource of another person, having no reasonable ground to believe that the person has the right to do so; or [1989, c. 620 (new).]
     C. Intentionally or knowingly introduces or allows the introduction of a computer virus into any computer resource, having no reasonable ground to believe that the person has the right to do so. [1989, c. 620 (new).]
  2. Aggravated criminal invasion of computer privacy is a Class C crime. [1989, c. 620 (new).]
  – Up to $5000 fine and five years in jail
The Digital Millennium Copyright Act (DMCA, 1998)
• Highlights Generally:
  – Makes it a crime to circumvent anti-piracy measures built into most commercial software.
  – Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.
  – Does permit the cracking of copyright protection devices, however, to conduct encryption research, assess product interoperability, and test computer security systems.
  – Provides exemptions from anti-circumvention provisions for nonprofit libraries, archives, and educational institutions under certain circumstances.
  – In general, limits Internet service providers from copyright infringement liability for simply transmitting information over the Internet.
  – Service providers, however, are expected to remove material from users' web sites that appears to constitute copyright infringement.
  – Limits liability of nonprofit institutions of higher education -- when they serve as online service providers and under certain circumstances -- for copyright infringement by faculty members or graduate students.
  – Requires that "webcasters" pay licensing fees to record companies.
CLIENT COMPUTER SECURITY THREATS
• Why?
  – Sheer Nuisances
  – Deliberate Corruption of Files
  – Rifling Stored Information
• How?
  – Physical Attack
  – Virus
  – Computer-to-computer Attack
E-Security: How Much Risk Can You Afford?
SERVER SECURITY THREATS
• Web server with an active port
• Windows 2000 server, not upgraded to act as firewall
• Anonymous FTP service
• Web server directories that can be accessed & indexed
E-Security: How Much Risk Can You Afford?
HOW HACKERS ACTIVATE A DISTRIBUTED DENIAL OF SERVICE ATTACK (DDoS)
• Break into less-secured computers connected to a high-bandwidth network
• Install a stealth program which duplicates itself indefinitely to congest network traffic
• Specify a target network from a remote location and activate the planted program
• Victim’s network is overwhelmed & users are denied access
• More Info
  – http://staff.washington.edu/dittrich/misc/ddos/
E-Security: How Much Risk Can You Afford?
Distributed Denial-of-Service Attacks
[Diagram: Distributed DOS (DDoS) Attack – Messages Come from Many Sources. The Attacker sends an Attack Command to each Computer with Zombie; each zombie sends DoS Attack Packets to the Server.]
VIRUS – COMPUTER ENEMY #1
• Malicious code that replicates itself to cause disruption of the information infrastructure
• Attacks system integrity, circumvents security capabilities & causes adverse operation
• Incorporates itself into computer networks, files & other executable objects
E-Security: Virus – Computer Enemy #1
How Viruses Work
TYPES OF VIRUSES
• Boot Virus
  – Attacks boot sectors of the hard drive
  – Older and rarely seen “in the wild”
• Macro Virus
  – Exploits macro commands in software application
  – Big problem with Microsoft software
E-Security: Virus – Computer Enemy #1
VIRUS CHARACTERISTICS
• Fast
  – Easily invade and infect computer hard disk
• Slow
  – Less likely to detect & destroy
• Stealth
  – Memory resident
  – Able to manipulate its execution to disguise its presence
E-Security: Virus – Computer Enemy #1
ANTI-VIRUS STRATEGY
• Establish a set of simple enforceable rules
• Educate & train users
• Inform users of the existing & potential threats to the company’s systems
• Update the latest anti-virus software periodically
• Stay Current on Threats
  – http://www.us-cert.gov/current/current_activity.html
E-Security: Virus – Computer Enemy #1
BASIC INTERNET SECURITY PRACTICES
• Password
  – http://www.crackpassword.com/
  – Alpha-numeric
  – Mix with upper and lower cases
  – Change frequently
  – No dictionary names
  – Password tutorial
• Encryption
  – Coding of messages in traffic between the customer placing an order and the merchant’s network processing the order
• Good Resource
  – http://www.schneier.com/
E-Security: Security Protection & Recovery
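Added example (not from the slides or the textbook): it puts numbers on the "Cracking" bullets of the How Hackers Hack slide (a six-letter lowercase password has 26^6, just over 300 million, possibilities) and turns the password rules above (alpha-numeric, mixed case, no dictionary names) into a checker. The DEMO_DICTIONARY word list is a constructed stand-in for a real dictionary.

```python
import math
import re
import string
from typing import List, Set

# Constructed stand-in for a real word list (a cracker would use a
# dictionary of millions of words; the slide cites Merriam-Webster).
DEMO_DICTIONARY: Set[str] = {"secret", "password", "letmein", "maine", "commerce"}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def bits_of_entropy(length: int, alphabet_size: int) -> float:
    """Brute-force strength in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search to cover this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def check_policy(password: str, dictionary: Set[str] = DEMO_DICTIONARY) -> List[str]:
    """Return the slide rules the password violates (empty list = passes)."""
    problems = []
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must be alpha-numeric (letters and digits)")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("must mix upper and lower case")
    # "No dictionary names": also reject the common trick of appending digits
    # to a word (secret1), compared case-insensitively.
    core = re.sub(r"\d+$", "", password).lower()
    if core in dictionary:
        problems.append("must not be a dictionary word (even with digits appended)")
    return problems
```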
SECURITY RECOVERY
• Attack Detection
• Damage Assessment
• Correction & Recovery
• Corrective Feedback
E-Security: Security Protection & Recovery
FIREWALL & SECURITY
• Firewall
  – Enforces an access control policy between two networks
  – Detects intruders, blocks them from entry, keeps track of what they did & notifies the system administrator
E-Security: Firewall & Security
How Firewalls Work
• Firewalls check packets going in and out of networks
  – Decide which packets go through and which don’t
  – Work in both directions
  – Only one part of security
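Added example (not from the slides or the textbook) of the packet-checking described above: a small direction-aware packet filter that walks an ordered rule list, denies anything no rule allows (the default-deny behind "deny capability"), and writes one audit-log line per decision. The addresses, ports and POLICY rules are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = Internet -> LAN, "out" = LAN -> Internet
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any port
    action: str            # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        def net_ok(cidr: str, addr: str) -> bool:
            return cidr == "any" or ip_address(addr) in ip_network(cidr)
        return (self.direction == p.direction and net_ok(self.src, p.src)
                and net_ok(self.dst, p.dst) and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.audit_log: List[str] = []   # "effective audit logs": every decision

    def filter(self, p: Packet) -> str:
        """First matching rule wins; with no match the packet is denied."""
        for i, r in enumerate(self.rules):
            if r.matches(p):
                return self._log(p, r.action, f"rule {i}")
        return self._log(p, "deny", "default")

    def _log(self, p: Packet, action: str, why: str) -> str:
        self.audit_log.append(
            f"{action.upper()} {p.direction} {p.proto} {p.src}->{p.dst}:{p.dport} ({why})")
        return action


# Constructed policy: LAN 192.168.1.0/24 with a public web server at 192.168.1.10.
POLICY = [
    Rule("in", "any", "192.168.1.10/32", "tcp", 443, "allow"),   # public HTTPS only
    Rule("in", "any", "192.168.1.10/32", "tcp", 80, "allow"),    # and plain HTTP
    Rule("in", "any", "any", "tcp", 23, "deny"),                 # no telnet logins from outside
    Rule("out", "192.168.1.0/24", "any", "tcp", None, "allow"),  # LAN may start outbound TCP
    Rule("out", "192.168.1.0/24", "any", "udp", 53, "allow"),    # and DNS lookups
]
```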
WHAT A FIREWALL CAN PROTECT AGAINST
• Email services known to be problems
• Unauthorized external logins
• Undesirable material, e.g. pornography
• Unauthorized sensitive information
E-Security: Firewall & Security
WHAT A FIREWALL CAN’T PROTECT AGAINST
• Attacks without going through the firewall
• Weak security policy
• ‘Traitors’ or disgruntled employees
• Viruses via floppy disks
• Data-driven attack
E-Security: Firewall & Security
Cyber Protect
• DOD Training Tool for security
• Scenario
  – Defend a LAN
  – 4 Qtr budgets
  – Spend money wisely
• Real world attack profiles
SPECIFIC FIREWALL FEATURES
• Security Policy
• Deny Capability
• Filtering Ability
• Scalability
• Authentication
• Recognizing Dangerous Services
• Effective Audit Logs
E-Security: Firewall & Security
Firewall log