Date post: | 21-Dec-2015 |
Category: |
Documents |
View: | 228 times |
Download: | 3 times |
Chapter 10:Electronic Commerce Security
Online Security Issues Overview
Computer security The protection of assets from unauthorized access, use,
alteration, or destruction Physical security
Includes tangible protection devices Logical security
Protection of assets using nonphysical means Threat
Any act or object that poses a danger to computer assets
Managing RiskTerms -- Countermeasure
General name for a procedure that recognizes, reduces, or eliminates a threat
Eavesdropper Person or device that can listen in on and copy Internet
transmissions Crackers or hackers
Write programs or manipulate technologies to obtain unauthorized access to computers and networks
Computer Security Classification
Secrecy/Confidentiality Protecting against unauthorized
data disclosure Technical issues
Privacy The ability to ensure the use of
information about oneself Legal Issues
Integrity Preventing unauthorized data
modification by an unauthorized party
Necessity Preventing data delays or
denials (removal)
Nonrepudiation Ensure that e-commerce
participants do not deny (i.e., repudiate) their online actions
Authenticity The ability to identify the
identity of a person or entity with whom you are dealing on the Internet
Some solutions --
Exercise
Visit the Copyright Web site: http://www.benedict.com/
Check out examples of copyright infringement: Audio arts
Visual arts
Digital arts
Read comments Under “Info”
Security Threats in the E-commerce Environment
Three key points of vulnerability the client communications pipeline the server
Active Content
Active content refers to programs embedded transparently in Web pages that cause an action to occur
Scripting languages
Provide scripts, or commands, that are executed
Applet
Small application program
Java
Active X
Trojan horse Program hidden inside
another program or Web page that masks its true purpose
Zombie Program that secretly takes
over another computer to launch attacks on other computers
Attacks can be very difficult to trace to their creators
Viruses, Worms, and Antivirus Software
Virus Software that attaches itself to another program Can cause damage when the host program is
activated Macro virus
Type of virus coded as a small program (macro) and is embedded in a file
Antivirus software Detects viruses and worms
Digital Certificates
A digital certificate is a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be
A certificate is signed code or messages that provide proof that the holder is the person identified by the certificate
Certification authority (CA) issues digital certificates
Main elements:
Certificate owner’s identifying information
Certificate owner’s public key
Dates between which the certificate is valid
Serial number of the certificate
Name of the certificate issuer
Digital signature of the certificate issuer
Communication Channel Security Recall that --
Secrecy is the prevention of unauthorized information disclosure
Privacy is the protection of individual rights to nondisclosure
Sniffer programs Provide the means to record information passing through a
computer or router that is handling Internet traffic
Demonstration of working of a Java implementation of a Packet Sniffer
Other ThreatsIntegrity Integrity threats exist when an
unauthorized party can alter a message stream of information
Cybervandalism Electronic defacing of an
existing Web site’s page Masquerading or spoofing
Pretending to be someone you are not
Domain name servers (DNSs) Computers on the Internet that
maintain directories that link domain names to IP addresses
Necessity
Purpose is to disrupt or deny normal computer processing
DoS attacks
Remove information altogether
Delete information from a transmission or file
Wireless Network Threats
Wardrivers
Attackers drive around using their wireless-equipped laptop computers to search for accessible networks
Warchalking
When wardrivers find an open network they sometimes place a chalk mark on the building
AnonymizerA Web site that provides a measure of secrecy as long as it’s used as the portal to the Internethttp://www.anonymizer.com
Tools Available to Achieve Site Security
Encryption
Transforms plain text or data into cipher text that cannot be read by anyone outside of the sender and the receiver. Purpose: to secure stored information to secure information transmission.
Cipher text text that has been encrypted and thus cannot be read by
anyone besides the sender and the receiver Symmetric Key Encryption
DES standard most widely used
Group Exercise
Julius Caesar supposedly used secret codes known today as Caesar Cyphers. The simplest replaces A with B, B with C etc. This is called a one-rotate code. The following is encrypted using a simple Caesar rotation cypher. See if you can decrypt it:
Mjqqt hfjxfw. Mtb nx dtzw hnumjw? Xyfd fbfd kwtr ymj xjsfyj ytifd.
Encryption
Public key cryptography uses two mathematically related digital
keys: a public key and a private key. The private key is kept secret by the
owner, and the public key is widely disseminated.
Both keys can be used to encrypt and decrypt a message.
A key used to encrypt a message, cannot be used to unencrypt the message
Public Key Cryptography with Digital Signatures
Public Key Cryptography: Creating a Digital Envelope
Securing Channels of Communications Secure Sockets Layer (SSL)
is the most common form of securing channels
Secure negotiated session client-server session where
the requested document URL, contents, forms, and cookies are encrypted.
Session key is a unique symmetric encryption key chosen for a single secure session
Firewalls
Software or hardware and software combination installed on a network to control packet traffic
Provides a defense between the network to be protected and the Internet, or other network that could pose a threat
Characteristics All traffic from inside to outside
and from outside to inside the network must pass through the firewall
Only authorized traffic is allowed to pass
Firewall itself is immune to penetration
Trusted networks are inside the firewall
Untrusted networks are outside the firewall
Packet-filter firewalls Examine data flowing back and
forth between a trusted network and the Internet
Gateway servers Firewalls that filter traffic based
on the application requested Proxy server firewalls
Firewalls that communicate with the Internet on the private network’s behalf
Security Policy and Integrated Security
A security policy is a written statement describing: Which assets to protect and
why they are being protected
Who is responsible for that protection
Which behaviors are acceptable and which are not
First step in creating a security policy Determine which assets to
protect from which threats
Elements of a security policy address:
Authentication
Access control
Secrecy
Data integrity
Audits
Protection of Information Assets CISA 2006 Exam Preparation
Tension Between Security and Other Values
Ease of use Often security slows down processors and adds significantly
to data storage demands. Too much security can harm
profitability; not enough can mean going out of business.
Public Safety & Criminal Use
claims of individuals to act anonymously vs. needs of public
officials to maintain public safety in light of criminals or
terrorists.
Some questions
Can internet security measures actually create opportunities for criminals to steal? How?
Why are some online merchants hesitant to ship to international addresses?
What are some steps a company can take to thwart cyber-criminals from within a business?
Is a computer with anti-virus software protected from viruses? Why or why not?
What are the differences between encryption and authentication?
Discuss the role of administration in implementing a security policy?
Security for Server Computers
Web server Can compromise secrecy if it allows automatic
directory listings
Can compromise security by requiring users to enter a username and password
Dictionary attack programs Cycle through an electronic dictionary, trying every
word in the book as a password
Other Programming Threats
Buffer An area of memory set aside to hold data read from a
file or database Buffer overrun
Occurs because the program contains an error or bug that causes the overflow
Mail bomb Occurs when hundreds or even thousands of people
each send a message to a particular address
Organizations that Promote Computer Security
CERT
Responds to thousands of security incidents each year
Helps Internet users and companies become more knowledgeable about security risks
Posts alerts to inform the Internet community about security events
www.cert.org SANS Institute
A cooperative research and educational organization SANS Internet Storm Center
Web site that provides current information on the location and intensity of computer attacks
Microsoft Security Research Group Privately sponsored site that offers free information about
computer security issues