entrepreneurship & commerce in it - 11 - security & encryption
![Page 1: Entrepreneurship & Commerce in IT - 11 - Security & Encryption](https://reader031.vdocuments.site/reader031/viewer/2022021508/58ed4b2f1a28aba53c8b45cf/html5/thumbnails/1.jpg)
Entrepreneurship &
Commerce in IT
11
Sachintha Gunasena MBCS
http://lk.linkedin.com/in/sachinthadtg
Building an E-Commerce Website
• Planning
• Systems analysis and design
• Building the system: In-house vs. outsourcing
• Website hosting: In-house vs. outsourcing
• System Testing
• Implementation and maintenance
• Website optimization factors
• Choosing server software
• Application servers
• E-commerce merchant server software functionality
• Merchant server software packages
• Choosing the right hardware for your e-commerce site
• Right-sizing your hardware platform
• Other e-commerce site development tools
• Personalization tools
Today…
Security and Encryption
• The e-commerce security environment
• Types of threats
• Technology solutions
• Protecting Internet communications
• Encryption
• Securing channels of communication
• Secure Sockets Layer (SSL)
• Protecting networks - Firewalls
• Protecting servers and clients – OS controls/Anti-virus software
The E-Commerce Security Environment
• For most law-abiding citizens, the Internet holds the promise of a
huge and convenient global marketplace
• For criminals, the Internet has created entirely new – and profitable –
ways to steal from the more than one billion Internet consumers
worldwide
• steal what?
• products, services, cash, information
• It’s also less risky to steal online
• For example, rather than rob a bank in person, the Internet makes it
possible to rob people remotely and almost anonymously
The E-Commerce Security
Environment
Security Implementation Concerns
• Can there be too much security?
• Yes.
• adds overhead and expense to business operations
• Expanding computer security also has other downsides:
• Makes systems more difficult to use
• Slows down processors
• Increases data storage demands
• May reduce individuals' ability to remain anonymous
Threats
• Three key points of vulnerability:
• Client
• Server
• Communications channel
An E-Commerce Transaction
Vulnerable Points in an E-Commerce Transaction
Types of Threats
• Viruses
• needs a host
• a virus attaches itself to executable code and is executed when the software program begins to run
or an infected file is opened
• Worms
• does not need a host
• replicates itself through the Internet
• Trojans
• code that is layered behind another program,
• can perform covert, malicious functions
• Logic Bombs
• a version of a Trojan horse that is triggered by a specific event or time
Types of Threats Cont'd
• Bot networks
• a number of Internet-connected computers communicating with other similar machines in an effort to
complete repetitive tasks and objectives
• zombie computer network / master host computer
• used for spam or DDoS attacks
• DDoS attacks
• many computers are used to launch an attack on a particular E-Commerce server
• a massive amount of invalid data is sent to the server
• achieved by bot networks
• Phishing
• the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an
attempt to scam the user into surrendering private information that will be used for identity theft
Types of Threats Cont'd
• Data Packet Sniffing
• an attacker can also use a sniffer to intercept the data packet flow and analyze the
individual data packets
• IP Spoofing
• change the source address of a data packet to give it the appearance that it originated
from another computer
• used to launch a Denial of Service attack
• Port Scanning
• listening to the network ports of the E-Commerce server
• figure out what kind of services are running on the E-Commerce server
• figure out the vulnerabilities of the system in order to cause the greatest damage possible
Types of Threats Cont'd
• Backdoors / Trapdoors
• developers often leave “backdoors” to monitor the code as it is developed
• Instead of implementing a secure protocol for accessing the code, backdoors
provide a quick way into the code
• Backdoors give an attacker a very easy way in and can cause system-wide
damage to the E-Commerce server.
• Data theft
• create an additional, unauthorized copy
• Identity theft
• someone pretends to be someone else by assuming that person's identity
• as a method to gain access to resources or obtain credit and other benefits in that
person's name
Types of Threats Cont'd
• Credit card fraud
• obtain goods without paying
• obtain unauthorized funds from an account
• also an adjunct to identity theft
• Spyware
• software that aims to gather information about a person or organization
without their knowledge
• send such information to another entity without the consumer's consent
• asserts control over a computer without the consumer's knowledge
Security Solutions
• Two lines of defence
• Technology Solutions
• Policy Solutions
Technology Solutions
• Redundant firewall protection
• stop cyberattacks before they can penetrate the network perimeter
• Web application protection
• Web Application Firewall
• protects from application-level attacks like SQL injections and cross-site
scripting (XSS) attacks
• extends protection to places where traditional firewalls can't
• DoS/DDoS mitigation
• ward off DDoS events by providing a barrier between your server and the IP
flood
Technology Solutions
• SSL VPN
• create a secure connection for remote users who will be
administering the Web applications and hosting environment
• Vulnerability Monitoring
• scan your Web application code around the clock looking for
unexpected changes and malicious code that matches known
"diseases" in the threat database
• Antivirus protection
• reviews files and services stored on the physical server
Technology Solutions
• Two-factor authentication
• requires Web site administrators to go through two layers of
security before obtaining access to the hosting environment
• unique because it challenges you with something you know
and something you have
• prevents password leaks
• Encrypted backup, service monitoring and response
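As an added example, not from the slides: the "something you have" factor is commonly implemented as a time-based one-time password (TOTP, RFC 6238) shared between the server and the user's authenticator app. The Python below implements HOTP/TOTP with the standard library and a `login` that checks both factors; the `store`, `enrol` and `login` names and the password-hashing choice are assumptions for this illustration.

```python
import base64, hashlib, hmac, os, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the Unix time divided into 30-second steps."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and its +-window neighbours (clock drift), comparing in constant time."""
    return any(hmac.compare_digest(totp(secret, at + k * 30), code)
               for k in range(-window, window + 1))

def enrol(store: dict, username: str, password: str, secret: bytes) -> str:
    """Server side (assumed design): keep a salted password hash plus the shared TOTP secret;
    return the base32 form of the secret that the authenticator app is given."""
    salt = os.urandom(16)
    store[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), secret)
    return base64.b32encode(secret).decode()

def login(store: dict, username: str, password: str, code: str, now: int) -> bool:
    """Both layers must pass: something you know (password) and something you have (the TOTP device)."""
    user = store.get(username)
    if user is None:
        return False
    salt, pw_hash, secret = user
    pw_ok = hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), pw_hash)
    otp_ok = verify_totp(secret, code, now)   # evaluated even if the password failed: no early hint
    return pw_ok and otp_ok
```

The RFC 4226/6238 test secret `12345678901234567890` yields code `287082` at Unix time 59, which is a handy check that the truncation is right.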
Protecting Internet Communications
• ideas?
Encryption
• transforming plain text or data into cipher text that cannot be read by anyone other than the
sender and the receiver
• to secure stored information and to secure information transmission
• [old way]
• Symmetric Key Encryption
• both the sender and the receiver use the same key to encrypt and decrypt the message
• the key has to be sent between them over some communications medium or handed over in person
• [updated way 1976]
• Asymmetric Key Encryption / Public Key Cryptography
• a class of cryptographic protocols based on algorithms that require two separate keys, one of
which is secret (or private) and one of which is public
• Although different, the two parts of this key pair are mathematically linked
Public Key Cryptography
Limitations to Encryption
• All forms of encryption have limitations
• It is not effective against insiders
• Protecting private keys may also be difficult
because they are stored on insecure desktop and
laptop computers
• Additional technology solutions exist for securing
channels of communications, networks, and
servers/clients
Securing Channels of Communication
• Secure Sockets Layer (SSL)
• Virtual Private Networks (VPNs)
Secure Sockets Layer (SSL)
• Transport Layer Security (TLS) and its predecessor, Secure
Sockets Layer (SSL), both of which are frequently referred to as
'SSL', are cryptographic protocols designed to provide
communications security over a computer network
• use X.509 certificates and hence asymmetric cryptography to
• authenticate the counterpart with whom they are communicating
• and to negotiate a symmetric session key
• session key is then used to encrypt data flowing between the
parties
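The encryption slide and the SSL slide together describe the division of labour that SSL/TLS relies on: asymmetric keys to authenticate the server and agree a session key, then a symmetric session key plus a message authentication code to protect the data. The Python sketch below is an added example, not from the slides: it stands in textbook RSA with tiny constructed primes (P, Q, E are assumed toy values, not secure) for the X.509-backed key and an HMAC-based keystream for a real cipher, so that the handshake, the key derivation and an integrity-checked record can be followed end to end.

```python
import hashlib, hmac, os

# Server's long-term key pair: textbook RSA with tiny constructed primes (NOT secure, toy only).
P, Q, E = 1000003, 999983, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # D is the private exponent; it never leaves the server

def rsa_wrap(secret: bytes) -> int:
    """Client: encrypt the premaster secret under the server's public key (N, E)."""
    m = int.from_bytes(secret, "big")
    assert m < N, "toy modulus only fits a 4-byte secret"
    return pow(m, E, N)

def rsa_unwrap(c: int, length: int) -> bytes:
    """Server: recover the premaster secret with the private exponent D."""
    return pow(c, D, N).to_bytes(length, "big")

def derive_keys(secret: bytes):
    """Both sides expand the shared secret into separate encryption and MAC keys."""
    return (hmac.new(secret, b"enc", hashlib.sha256).digest(),
            hmac.new(secret, b"mac", hashlib.sha256).digest())

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric encrypt/decrypt: XOR with an HMAC-SHA256 counter keystream (stand-in for a real cipher)."""
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Sender: encrypt, then append an HMAC tag over nonce + ciphertext (encrypt-then-MAC)."""
    ct = xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_record(enc_key: bytes, mac_key: bytes, record: bytes):
    """Receiver: verify the tag in constant time before decrypting; None means integrity failure."""
    nonce, ct, tag = record[:8], record[8:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return xor_stream(enc_key, nonce, ct)

def exchange(message: bytes, tamper: bool = False):
    """Handshake plus one client->server record; returns what the server reads (None if rejected)."""
    premaster = os.urandom(4)                  # client picks the secret (toy size: 32 bits)
    wrapped = rsa_wrap(premaster)              # sent in the clear; only the holder of D can unwrap it
    c_enc, c_mac = derive_keys(premaster)
    s_enc, s_mac = derive_keys(rsa_unwrap(wrapped, 4))
    record = seal(c_enc, c_mac, os.urandom(8), message)
    if tamper:                                 # someone on the channel flips one ciphertext bit
        record = record[:10] + bytes([record[10] ^ 1]) + record[11:]
    return open_record(s_enc, s_mac, record)
```

Real TLS additionally binds the server's public key to its name through the X.509 certificate chain, which is what lets the client trust that the wrapped secret reaches the right party.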
Secure Sockets Layer (SSL)
• allows
• data/message confidentiality
• message authentication codes for message integrity
• message authentication
• use in applications such as
• web browsing
• Internet faxing
• instant messaging
• voice-over-IP (VoIP)
Protecting Networks - Firewalls
• a technological barrier designed to prevent unauthorized or
unwanted communications between computer networks or hosts
• a network security system that monitors and controls the incoming
and outgoing network traffic based on predetermined security
rules
• establishes a barrier between a trusted, secure internal network
and another outside network, such as the Internet, that is
assumed to not be secure or trusted
• network firewall
• host-based firewall
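As an added example (not from the slides), a minimal first-match, default-deny rule evaluator of the kind a network or host-based firewall applies to each packet, with a constructed rule set for a shop's web server; the addresses, ports and class names are assumptions chosen for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (towards the protected host) or "out" (from it)
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None = any port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

def decide(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins, so order matters; unmatched traffic gets the default (deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Constructed policy for a shop's web server at 203.0.113.10 (documentation address range):
# the public may reach HTTPS only, SSH is allowed only from the office VPN subnet, and the
# server itself may talk outbound only to the internal database. Everything else is dropped,
# which also stops a compromised server from opening arbitrary outbound connections.
WEB = "203.0.113.10/32"
RULES = [
    Rule("allow", "in", "0.0.0.0/0", WEB, "tcp", 443),
    Rule("allow", "in", "10.8.0.0/24", WEB, "tcp", 22),
    Rule("deny", "in", "0.0.0.0/0", WEB, "any", None),
    Rule("allow", "out", WEB, "10.0.5.20/32", "tcp", 5432),
]
```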
Protecting Servers & Clients – OS Controls/Anti-virus Software
• Operating system security enhancements
• Anti-virus software
Policy Solutions
• Management Policies
• Business Procedures
• Public Laws
Policy Solutions
• An e-commerce security plan would include
• a risk assessment
• development of a security policy
• implementation plan
• creation of a security organization
• a security audit
Policy Solutions
• An implementation may involve
• expanded forms of access controls
• IDs
• passwords
• access codes
• biometrics
• fingerprints
• retina scans
• speech recognition
Policy Solutions
• more ideas?
Next Up…
• Web Payment Systems
Thank you.