
Copyright © 2004 Pearson Education, Inc. Slide 5-1 Securing Channels of Communication Secure...

Date post: 30-Dec-2015
Upload: hilary-preston-short

Copyright © 2004 Pearson Education, Inc. Slide 5-1

Securing Channels of Communication

Secure Sockets Layer (SSL): Most common form of securing channels of communication; used to establish a secure negotiated session (client-server session in which URL of requested document, along with contents, is encrypted)

S-HTTP: Alternative method; provides a secure message-oriented communications protocol designed for use in conjunction with HTTP

Virtual Private Networks (VPNs): Allow remote users to securely access internal networks via the Internet, using Point-to-Point Tunneling Protocol (PPTP)


Copyright © 2004 Pearson Education, Inc. Slide 5-2

Secure Negotiated Sessions Using SSL (Figure 5.10, Page 282)


Copyright © 2004 Pearson Education, Inc. Slide 5-3

Protecting Networks: Firewalls and Proxy Servers

Firewall: Software application that acts as a filter between a company’s private network and the Internet

Firewall methods include: packet filters; application gateways

Proxy servers: Software servers that handle all communications originating from or being sent to the Internet (act as “spokesperson” or “bodyguard” for the organization)


Copyright © 2004 Pearson Education, Inc. Slide 5-4

Firewalls and Proxy Servers (Figure 5.11, Page 284)


Copyright © 2004 Pearson Education, Inc. Slide 5-5

A Security Plan: Management Policies

Steps in developing a security plan:

Perform risk assessment – assessment of risks and points of vulnerability

Develop security policy – set of statements prioritizing information risks, identifying acceptable risk targets and identifying mechanisms for achieving targets

Develop implementation plan – action steps needed to achieve security plan goals

Create security organization – in charge of security; educates and trains users, keeps management aware of security issues; administers access controls, authentication procedures and authorization policies

Perform security audit – review of security practices and procedures


Copyright © 2004 Pearson Education, Inc. Slide 5-6

Developing an E-commerce Security Plan (Figure 5.12, Page 286)


Copyright © 2004 Pearson Education, Inc. Slide 5-7

Insight on Business: Tiger Teams – Hiring Hackers to Locate Threats

Tiger team: Group whose sole job activity is attempting to break into a site

Originated in 1970s with U.S. Air Force

By 1980s-1990s, had spread to corporate arena

Most use just “white hats” and refuse to hire known grey or black hats


Copyright © 2004 Pearson Education, Inc. Slide 5-8

The Role of Laws and Public Policy

New laws have granted local and national authorities new tools and mechanisms for identifying, tracing and prosecuting cybercriminals

National Infrastructure Protection Center – unit within FBI whose mission is to identify and combat threats against U.S. technology and telecommunications infrastructure

USA Patriot Act

Homeland Security Act

Government policies and controls on encryption software


Copyright © 2004 Pearson Education, Inc. Slide 5-9

E-commerce Security Legislation (Table 5.3, Page 290)


Copyright © 2004 Pearson Education, Inc. Slide 5-10

Government Efforts to Regulate and Control Encryption (Table 5.4, Page 292)


Copyright © 2004 Pearson Education, Inc. Slide 5-11

OECD Guidelines

2002 Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems and Networks has nine principles: Awareness; Responsibility; Response; Ethics; Democracy; Risk assessment; Security design and implementation; Security management; Reassessment


Copyright © 2004 Pearson Education, Inc. Slide 5-12

VeriSign: The Web’s Security Blanket (Page 294)


Copyright © 2004 Pearson Education, Inc. Slide 5-13

Case Study: VeriSign: The Web’s Security Blanket

University of Pittsburgh’s e-Store an example of Internet trust (security) services offered by VeriSign

VeriSign has grown early expertise in public key encryption into related Internet security infrastructure businesses

Dominates the Web site encryption services market with over 75% market share

Provides secure payment services

Provides businesses and government agencies with managed security services

Provides domain name registration, and manages the .com and .net domains

