Chapter 9
E-Security
Awad – Electronic Commerce 1/e © 2002 Prentice Hall
OBJECTIVES
• Security in Cyberspace
• Conceptualizing Security
• Designing for Security
• How Much Risk Can You Afford?
• Virus – Computer Enemy #1
• Security Protection & Recovery
E-Security: Objectives
ABUSE & FAILURE
• Fraud
• Theft
• Disruption of Service
• Loss of Customer Confidence
E-Security: Security in Cyberspace
WHY IS THE INTERNET DIFFERENT?
E-Security: Security in Cyberspace
Paper-Based Commerce                     Electronic Commerce
Signed paper documents                   Digital signature
Person-to-person                         Electronic, via web site
Physical payment system                  Electronic payment system
Merchant-customer face-to-face           Absence of face-to-face contact
Easy detectability of modification       Difficult detectability
Easy negotiability                       Difficult negotiability
SECURITY CONCERNS
• Confidentiality
• Authentication
• Integrity
• Access Control
• Non-repudiation
• Firewalls
E-Security: Conceptualizing Security
INFORMATION SECURITY DRIVERS
• Global trading
• Availability of reliable security packages
• Changes in attitudes toward security
E-Security: Conceptualizing Security
PRIVACY FACTOR
E-Security: Conceptualizing Security
[Chart: Surfers who agree with the statement "The Internet is a serious threat to privacy", shown by group (men, women, ages 18-29, ages 30-49, ages 50 or older, income less than $40,000); vertical axis 0% to 50%]
DESIGNING FOR SECURITY
• Adopt a reasonable security policy
• Consider web security needs
• Design the security environment
• Authorizing and monitoring the system
E-Security: Designing for Security
ADOPT A REASONABLE SECURITY POLICY
• Policy
  – Understanding the threats information must be protected against to ensure
    • Confidentiality
    • Integrity
    • Privacy
  – Should cover the entire e-commerce system
    • Internet security practices
    • Nature & level of risks
    • Procedure of failure recovery
E-Security: Designing for Security
DESIGN THE SECURITY ENVIRONMENT
E-Security: Designing for Security
[Exhibit - Logical procedure flow (diagram): security consultant, certified web site, database, customer service, certified staff; steps shown include editing the payment system, verifying IT staff integrity, password assignment guidelines, authorized link, verified site and test data]
SECURITY PERIMETER
• Firewalls
• Authentication
• Virtual Private Networks (VPN)
• Intrusion Detection Devices
E-Security: Designing for Security
AUTHORIZING & MONITORING SYSTEM
• Monitoring
  – Capturing processing details for evidence
  – Verifying e-commerce is operating within the security policy
  – Verifying attacks have been unsuccessful
E-Security: Designing for Security
HOW MUCH RISK CAN YOU AFFORD?
• Determine specific threats inherent to the system design
• Estimate pain threshold
• Analyze the level of protection required
E-Security: How Much Risk Can You Afford?
KINDS OF THREATS / CRIMES
• Physically-related
• Order-related
• Electronically-related
E-Security: How Much Risk Can You Afford?
CLIENT SECURITY THREATS
• Why?
  – Sheer nuisances
  – Deliberate corruption of files
  – Rifling stored information
• How?
  – Physical attack
  – Virus
  – Computer-to-computer attack
E-Security: How Much Risk Can You Afford?
SERVER SECURITY THREATS
• Web server with an active port
• Windows NT server, not upgraded to act as firewall
• Anonymous FTP service
• Web server directories that can be accessed & indexed
E-Security: How Much Risk Can You Afford?
HOW HACKERS ACTIVATE A DENIAL OF SERVICE
• Breaks into less-secured computers connected to a high-bandwidth network
• Installs stealth program which duplicates itself indefinitely to congest network traffic
• Specifies a target network from a remote location and activates the planted program
• Victim’s network is overwhelmed & users are denied access
E-Security: How Much Risk Can You Afford?
VIRUS – COMPUTER ENEMY #1
• A malicious code replicating itself to cause disruption of the information infrastructure
• Attacks system integrity, circumvents security capabilities & causes adverse operation
• Incorporates into computer networks, files & other executable objects
E-Security: Virus – Computer Enemy #1
TYPES OF VIRUSES
• Boot virus
  – Attacks boot sectors of the hard drive
• Macro virus
  – Exploits macro commands in a software application
E-Security: Virus – Computer Enemy #1
VIRUS CHARACTERISTICS
• Fast
  – Easily invades and infects the computer hard disk
• Slow
  – Less likely to be detected & destroyed
• Stealth
  – Memory resident
  – Able to manipulate its execution to disguise its presence
E-Security: Virus – Computer Enemy #1
ANTI-VIRUS STRATEGY
• Establish a set of simple enforceable rules
• Educate & train users
• Inform users of the existing & potential threats to the company’s systems
• Update anti-virus software to the latest version periodically
E-Security: Virus – Computer Enemy #1
BASIC INTERNET SECURITY PRACTICES
• Password
  – Alphanumeric
  – Mix of upper and lower case
  – Changed frequently
  – No dictionary names
• Encryption
  – Coding of messages in traffic between the customer placing an order and the merchant's network processing the order
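The password rules on this slide can be turned into a mechanical check. The following is an added example written for this page, not code from the Awad textbook; it treats the four rules as tests that each return a named violation, and it assumes a minimum length of 10 characters and a maximum password age of 90 days, neither of which the slide specifies. The word list and sample dates are constructed for illustration.

```python
"""Password policy checker (added example, not from the Awad slides).

Implements the slide's four rules as checks: alphanumeric, mixed case,
changed frequently (modelled as a maximum age), no dictionary words.
"""
from __future__ import annotations

from datetime import date

# Assumed policy parameters; the slide gives no numbers
MAX_AGE_DAYS = 90
MIN_LENGTH = 10

# Constructed toy dictionary; a real deployment would load a large word list
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein", "dragon"}


def dictionary_words_in(password: str) -> list[str]:
    """Return dictionary words found inside the password (case-insensitive)."""
    lowered = password.lower()
    return sorted(word for word in DICTIONARY if word in lowered)


def check_password(password: str, last_changed: date, today: date | None = None) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    today = today or date.today()
    violations: list[str] = []

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 1: alphanumeric, i.e. both letters and digits present
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        violations.append("not alphanumeric (needs both letters and digits)")

    # Rule 2: mix of upper and lower case
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        violations.append("does not mix upper and lower case")

    # Rule 3: changed frequently, checked as an age limit
    if (today - last_changed).days > MAX_AGE_DAYS:
        violations.append(f"older than {MAX_AGE_DAYS} days; change it")

    # Rule 4: no dictionary words
    words = dictionary_words_in(password)
    if words:
        violations.append("contains dictionary word(s): " + ", ".join(words))

    return violations


if __name__ == "__main__":
    # Constructed samples: a compliant password and two that break several rules
    samples = [
        ("Tr0ub4dor-Hx9", date(2024, 1, 1)),
        ("Password1", date(2024, 1, 1)),
        ("AdminWelcome2024", date(2024, 5, 1)),
    ]
    for pw, changed in samples:
        problems = check_password(pw, changed, today=date(2024, 6, 1))
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```

The age check is the one rule a checker cannot enforce at the moment the password is chosen; it belongs in a periodic review of the account store, which is why `last_changed` is a separate input rather than derived from the password itself.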
E-Security: Security Protection & Recovery
SECURITY RECOVERY
• Attack Detection
• Damage Assessment
• Correction & Recovery
• Corrective Feedback
E-Security: Security Protection & Recovery
FIREWALL & SECURITY
• Firewall
  – Enforces an access control policy between two networks
  – Detects intruders, blocks them from entry, keeps track of what they did & notifies the system administrator
E-Security: Firewall & Security
WHAT FIREWALLS CAN PROTECT
• E-mail services known to be problems
• Unauthorized external logins
• Undesirable material, e.g. pornography
• Unauthorized sensitive information
E-Security: Firewall & Security
WHAT FIREWALLS CAN’T PROTECT
• Attacks that do not pass through the firewall
• Weak security policy
• “Traitors” or disgruntled employees
• Viruses via floppy disks
• Data-driven attacks
E-Security: Firewall & Security
SPECIFIC FIREWALL FEATURES
• Security Policy
• Deny Capability
• Filtering Ability
• Scalability
• Authentication
• Recognizing Dangerous Services
• Effective Audit Logs
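The "Firewall & Security" definition above and this feature list describe the same mechanism from two angles: an ordered access-control policy between two networks, a deny capability, filtering, recognition of dangerous services, and an audit log that lets the administrator be notified. The following added example (written for this page, not the textbook's code) models those features as a minimal stateless packet filter. The networks, addresses, rules and the table of "dangerous" service ports are constructed for illustration; addresses come from the reserved documentation ranges.

```python
"""Minimal stateless packet filter (added example, not from the Awad slides).

Ordered rules express the security policy; the first matching rule wins and
anything unmatched is denied (default deny). Every decision is written to an
audit log, and denied attempts on known-dangerous services raise an alert
for the administrator.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed: ports of services the slides treat as dangerous to expose
DANGEROUS_PORTS = {21: "ftp", 23: "telnet", 139: "netbios-ssn", 445: "smb"}


@dataclass
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass
class Rule:
    action: str         # "allow" or "deny"
    src: str            # source network in CIDR notation
    dst: str            # destination network in CIDR notation
    proto: str          # "tcp", "udp" or "any"
    dport: int | None   # destination port, None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Firewall:
    rules: list[Rule]
    audit_log: list[str] = field(default_factory=list)
    alerts: list[str] = field(default_factory=list)

    def filter(self, pkt: Packet) -> str:
        """Return "allow" or "deny"; unmatched traffic is denied by default."""
        verdict, reason = "deny", "no matching rule (default deny)"
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                verdict, reason = rule.action, f"rule {i}"
                break
        # Effective audit log: one line per decision, with the reason
        self.audit_log.append(
            f"{verdict.upper()} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} ({reason})")
        # Recognising dangerous services: flag denied attempts for the administrator
        if verdict == "deny" and pkt.dport in DANGEROUS_PORTS:
            self.alerts.append(
                f"dangerous service {DANGEROUS_PORTS[pkt.dport]} attempted from {pkt.src}")
        return verdict


def build_demo() -> tuple[Firewall, list[str]]:
    """Constructed policy and traffic: internal 10.0.0.0/8, public web server 192.0.2.10."""
    fw = Firewall(rules=[
        Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),   # internal users browse HTTPS
        Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),  # public reaches web server
        Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "any", None),     # nothing reaches internal hosts
    ])
    traffic = [
        Packet("10.1.2.3", "198.51.100.5", "tcp", 443),
        Packet("203.0.113.7", "192.0.2.10", "tcp", 443),
        Packet("203.0.113.7", "10.0.0.5", "tcp", 23),
        Packet("203.0.113.7", "192.0.2.10", "tcp", 21),
        Packet("10.1.2.3", "198.51.100.5", "udp", 53),
    ]
    return fw, [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    fw, verdicts = build_demo()
    print("\n".join(fw.audit_log))
    print("alerts:", fw.alerts)
```

The explicit deny rule for the internal network is redundant under default deny but is kept so the audit log records which policy statement rejected the packet, which is the evidence the "Authorizing & Monitoring" slide asks for. A real firewall would also track connection state so that return traffic for allowed sessions is admitted; this filter is deliberately stateless.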
E-Security: Firewall & Security