L6 E Security
TRANSCRIPT
7/30/2019 L6 E Security
Chapter 11
2008 Pearson Prentice Hall, Electronic Commerce 2008, Efraim Turban, et al.
E-Commerce Security
Learning Objectives
1. Explain EC-related crimes and why they cannot be stopped.
2. Describe an EC security strategy and why a life cycle approach is needed.
3. Describe the information assurance security principles.
4. Describe EC security issues from the perspective of customers and e-businesses.
Learning Objectives
5. Identify the major EC security threats, vulnerabilities, and risk.
6. Identify and describe common EC threats and attacks.
7. Identify and assess major technologies and methods for securing EC communications.
8. Identify and assess major technologies for information assurance and protection of EC networks.
Stopping E-Commerce Crimes
information assurance (IA)
The protection of information systems against unauthorized access to or modification of information whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats
Stopping E-Commerce Crimes
Strong EC security makes online shopping inconvenient and demanding on customers.
Lack of cooperation from credit card issuers and foreign ISPs.
Online shoppers are to blame for not taking necessary precautions to avoid becoming a victim.
zombies
Computers infected with malware that are under the control of a spammer, hacker, or other criminal
IS design and security architecture issues
vulnerability
Weakness in software or other mechanism that threatens the confidentiality, integrity, or availability of an asset (recall the CIA model). It can be directly used by a hacker to gain access to a system or network
common (security) vulnerabilities and exposures (CVE)
Publicly known computer security risks, which are collected, listed, and shared by a board of security-related organizations (cve.mitre.org)
risk
The probability that a vulnerability will be known and used
Stopping E-Commerce Crimes
exposure
The estimated cost, loss, or damage that can result if a threat exploits a vulnerability
Lack of due care in business for hiring practices, outsourcing, and business partnerships
standard of due care
Care that a company is reasonably expected to take based on the risks affecting its EC business and online transactions
E-Commerce Security Strategy and Life Cycle Approach
The Internet's Vulnerable Design
domain name system (DNS)
Translates (converts) domain names to their
E-Commerce Security Strategy and Life Cycle Approach
The Shift to Profit-Motivated Crimes
Treating EC Security as a Project
EC security program
Set of controls over security processes to protect
Four high-level stages in the life cycle of an EC security program:
1. Planning and organizing
2. Implementation
3. Operations and maintenance
4. Monitoring and evaluating
E-Commerce Security Strategy and Life Cycle Approach
Organizations that do not follow such a life cycle approach usually:
Do not have policies and procedures that are linked to or supported by security activities
Suffer disconnect, confusion, and gaps in
Lack methods to fully identify, understand, and improve deficiencies in the security program
Lack methods to verify compliance to regulations, laws, or policies
Have to rely on patches, hotfixes, and service packs because they lack a holistic EC security approach
E-Commerce Security Strategy and Life Cycle Approach
patch
Program that makes needed changes to software that is already installed on a computer. Software companies issue patches to fix bugs in their programs, to address security problems, or to add functionality
hotfix
Microsoft's name for a patch. Microsoft bundles hotfixes into service packs for easier installation
service pack
The means by which product updates are distributed. Service packs may contain updates for system reliability, program compatibility, security, and more
E-Commerce Security Strategy and Life Cycle Approach
Ignoring EC Security Best Practices
Computing Technology Industry Association (CompTIA)
Nonprofit trade group providing information security research and best practices
Despite the known role of human behavior in information security breaches, only 29% of the 574 government, IT, financial, and educational organizations surveyed worldwide had mandatory security training. Only 36% offered end-user security awareness training
Information Assurance
CIA security triad (CIA triad)
Three security concepts important to information on the Internet: confidentiality,
Information Assurance
confidentiality
Assurance of data privacy and accuracy. Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes
integrity
Assurance that stored data has not been modified without authorization; and a message that was sent is the same message that was received
availability
Assurance that access to data, the Web site, or other EC data service is timely, available, reliable, and restricted to authorized users
Information Assurance
authentication
Process to verify (assure) the real identity of an individual, computer, computer program, or EC Web site
authorization
Process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform
Information Assurance
nonrepudiation
Assurance that online customers or trading partners cannot falsely deny
digital signature or digital certificate
Validates the sender and time stamp of a transaction so it cannot be later claimed that the transaction was unauthorized or invalid
Enterprisewide E-Commerce Security and Privacy Model
Enterprisewide E-Commerce Security and Privacy Model
Senior Management Commitment and Support
EC Security Policies and Training
To avoid violating privacy legislation when collecting confidential data, policies need to specify that customers:
Know they are being collected
Have some control over how the information is used
Know they will be used in a reasonable and ethical manner
acceptable use policy (AUP)
Policy that informs users of their responsibilities when using company networks, wireless devices, customer data, and so forth
Enterprisewide E-Commerce Security and Privacy Model
EC Security Procedures and Enforcement
business impact analysis (BIA)
An exercise that determines the impact of losing the support of an EC resource to an organization and establishes the escalation of a loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems
Security Tools: Hardware and Software
Basic E-Commerce Security Issues and Perspectives
Some of the major technology defenses to address these security issues that can occur in EC:
Authentication
auditing
Process of recording information about what Web site, data, file, or network was accessed, when, and by whom or what
Confidentiality (privacy) and integrity (trust)
Availability
Nonrepudiation
Threats and Attacks
nontechnical attack
An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network
social engineering
A type of nontechnical attack that uses some ruse to trick users into revealing information or performing an action that compromises a computer or network
Threats and Attacks
technical attack
An attack perpetrated using software and systems knowledge or expertise
time-to-exploitation
The elapsed time between when a vulnerability is discovered and the time it is exploited
zero-day incidents
Attacks through previously unknown weaknesses in their computer networks
Threats and Attacks
denial of service (DOS) attack
An attack on a Web site in which an attacker uses specialized software to
computer with the aim of overloading its resources
Threats and Attacks
Web server and Web page hijacking
botnet
A huge number (e.g., hundreds of thousands) of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet
malware
A generic term for malicious software
virus
A piece of software code that inserts itself into a host, including the operating systems, in order to propagate; it requires that its host program be run to activate it
Threats and Attacks
worm
A software program that runs independently, consuming the resources of its host in order to maintain itself, that is capable of propagating a complete working version of itself onto another machine
macro virus (macro worm)
contains the macro is opened or a particular procedure is executed
Trojan horse
A program that appears to have a useful function but that contains a hidden function that presents a security risk
rootkit
A special Trojan horse program that modifies existing operating system software so that an intruder can hide the presence of the Trojan program
Securing E-Commerce Communications
access control
Mechanism that determines who can legitimately use a network resource
passive token
Storage device (e.g., magnetic strip) that contains a secret code used in a two-factor authentication system
active token
Small, stand-alone electronic device that generates one-time passwords used in a two-factor authentication system
Securing E-Commerce Communications
biometric systems
Authentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice
public key infrastructure (PKI)
A scheme for securing e-payments using public key encryption and various technical components
Securing E-Commerce Communications
encryption
The process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to
plaintext
An unencrypted message in human-readable form
ciphertext
A plaintext message after it has been encrypted into a machine-readable form
Securing E-Commerce Communications
encryption algorithm
The mathematical formula used to encrypt the plaintext into the ciphertext, and vice versa
key (key value)
The secret code used to encrypt and decrypt a message
The large number of possible key values (keys) created by the algorithm to use when transforming the message
Securing E-Commerce Communications
symmetric (private) key system
An encryption system that uses the same key to encrypt and decrypt the
Securing E-Commerce Communications
public (asymmetric) key encryption
Method of encryption that uses a pair of matched keys: a public key to encrypt a message and a private key to decrypt it, or vice versa
public key
Encryption code that is publicly available to anyone
private key
Encryption code that is known only to its owner
RSA
The most common public key encryption algorithm; uses keys ranging in length from 512 bits to 1,024 bits
Securing E-Commerce Communications
Digital Signatures and Certificate Authorities
hash
A mathematical computation that is applied to a message, using a private key, to encrypt the message
message digest (MD)
after the hash has been applied
digital envelope
The combination of the encrypted original message and the digital signature, using the recipient's public key
certificate authorities (CAs)
Third parties that issue digital certificates
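The hash, message digest, digital signature and digital envelope terms on this slide and the public/private key terms on the previous one fit together as one chain. The block below is an added example, not code from the Turban text or its publisher, that walks through that chain: a SHA-256 digest of the message, a signature made with the sender's private key, and an envelope in which the message is encrypted under a session key that is in turn wrapped with the recipient's public key. The RSA key pairs use tiny constructed primes (61, 53 and 101, 113) so the arithmetic is visible; the keystream construction and the function names are likewise assumptions of this example, and real deployments use 2048-bit or larger moduli with standard padding.

```python
import hashlib

# Added example (not from the Turban slides): toy illustration of the digest /
# signature / envelope chain. The RSA parameters are constructed, tiny values
# with no real security; they exist only to make each step visible.

def make_toy_keypair(p, q, e):
    """Return ((e, n), (d, n)) for the textbook RSA construction n = p*q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse: e*d == 1 (mod phi)
    return (e, n), (d, n)

def message_digest(message: bytes) -> bytes:
    """The message digest: a fixed-size SHA-256 summary of the message (no key involved)."""
    return hashlib.sha256(message).digest()

def sign(message: bytes, private_key) -> int:
    """Digital signature: the digest transformed with the signer's private exponent."""
    d, n = private_key
    h = int.from_bytes(message_digest(message), "big") % n   # toy: shrink digest to fit n
    return pow(h, d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the public key can check the signature against a fresh digest."""
    e, n = public_key
    h = int.from_bytes(message_digest(message), "big") % n
    return pow(signature, e, n) == h

def keystream(session_key: int, length: int) -> bytes:
    """Toy keystream for the symmetric part of the envelope (constructed for this example)."""
    out, counter = b"", 0
    while len(out) < length:
        block = session_key.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]

def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def seal_envelope(message: bytes, sender_private, recipient_public, session_key: int) -> dict:
    """Digital envelope: encrypted message + signature, with the session key wrapped
    under the recipient's public key so that only the recipient can open it."""
    e_r, n_r = recipient_public
    assert 0 < session_key < n_r, "toy constraint: session key must be below the modulus"
    return {
        "ciphertext": xor_bytes(message, keystream(session_key, len(message))),
        "wrapped_key": pow(session_key, e_r, n_r),
        "signature": sign(message, sender_private),
    }

def open_envelope(envelope: dict, recipient_private, sender_public):
    """Unwrap the session key, decrypt, then verify the sender's signature.
    Returns (message, signature_valid)."""
    d_r, n_r = recipient_private
    session_key = pow(envelope["wrapped_key"], d_r, n_r)
    ct = envelope["ciphertext"]
    message = xor_bytes(ct, keystream(session_key, len(ct)))
    return message, verify(message, envelope["signature"], sender_public)

# Constructed keys: sender uses p=61, q=53, e=17; recipient uses p=101, q=113, e=3.
SENDER_PUB, SENDER_PRIV = make_toy_keypair(61, 53, 17)
RECIPIENT_PUB, RECIPIENT_PRIV = make_toy_keypair(101, 113, 3)

if __name__ == "__main__":
    order = b"order 4711: 2 x widget, ship to customer"
    env = seal_envelope(order, SENDER_PRIV, RECIPIENT_PUB, session_key=4242)
    plaintext, ok = open_envelope(env, RECIPIENT_PRIV, SENDER_PUB)
    print(plaintext == order, ok)          # True True
    env["ciphertext"] = bytes([env["ciphertext"][0] ^ 1]) + env["ciphertext"][1:]
    plaintext, ok = open_envelope(env, RECIPIENT_PRIV, SENDER_PUB)
    print(ok)                              # signature no longer matches the altered text
```

The example separates the two private-key operations the slide groups together: the digest itself needs no key, the signature is what uses the sender's private key, and the recipient's public key wraps the session key rather than the whole message, which is how a digital envelope handles messages larger than the modulus.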
Securing E-Commerce Communications
Secure Socket Layer (SSL)
Protocol that utilizes standard certificates for
ensure privacy or confidentiality
Transport Layer Security (TLS)
As of 1996, another name for the SSL protocol
Securing E-Commerce Networks
The selection and operation of technologies that ensure network security should be based on:
Defense in depth
policy of least privilege (POLP)
Policy of blocking access to network resources unless access is required to conduct business
Role-specific security
Monitoring
Patch management
Incident response team (IRT)
Securing E-Commerce Networks
FIREWALLS
firewall
A single point between two or more
point); the device authenticates, controls, and logs all traffic
packet
Segment of data sent from one computer to another on a network
Securing E-Commerce Networks
Firewalls can be designed to protect against:
Remote login
SMTP session hijacking
Macros
Viruses
Spam
Securing E-Commerce Networks
packet-filtering routers
Firewalls that filter data and requests moving from the public Internet to a private network based on the network addresses of the computer sending or receiving the request
packet filters
Rules that can accept or reject incoming packets based on source and destination addresses and the other identifying information
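The packet filters defined above are rules evaluated against each packet's addresses and other header fields. The block below is an added example, not code from the Turban text or its publisher, of such a filter: rules are checked in order, the first match decides, and a packet that matches nothing is rejected, which is the policy of least privilege from the earlier slide applied to network traffic. Each decision also yields an audit line, since a firewall is expected to log the traffic it controls. The Packet and Rule classes, the rule names and the addresses (taken from the RFC 5737 and RFC 1918 documentation ranges) are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the Turban slides): a minimal ordered packet filter with a
# default-reject policy and an audit line per decision. All addresses are constructed.

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp", "udp", ...
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "accept" or "reject"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; no match means reject (default deny, per POLP)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return "reject", "default-deny"

def filter_packet(rules: List[Rule], p: Packet) -> str:
    return evaluate(rules, p)[0]

def audit_line(rules: List[Rule], p: Packet) -> str:
    """One log record per decision so that the firewall's choices can be reviewed later."""
    action, name = evaluate(rules, p)
    return f"{action.upper()} {p.proto} {p.src} -> {p.dst}:{p.dport} rule={name}"

# Constructed ruleset: 203.0.113.10 is the public Web server, 10.0.0.20 the database server.
RULES = [
    # a packet arriving from the Internet should never carry an internal source address
    Rule("no-spoofed-private-src", "reject", src="10.0.0.0/8"),
    Rule("web-https", "accept", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("web-http", "accept", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("db-not-from-internet", "reject", dst="10.0.0.20/32"),
]

if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),   # shopper reaching the Web store
        Packet("198.51.100.7", "10.0.0.20", "tcp", 3306),     # direct attempt on the database
        Packet("10.0.0.5", "203.0.113.10", "tcp", 443),       # spoofed internal source
        Packet("198.51.100.7", "203.0.113.10", "tcp", 22),    # no rule: rejected by default
    ]
    for p in samples:
        print(audit_line(RULES, p))
```

The order matters: the anti-spoofing rule sits first so that a spoofed packet is rejected before the accept rules for the Web server are consulted, and the explicit database rule is kept even though the default would reject it, so the audit line names the reason.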
Securing E-Commerce Networks
application-level proxy
A firewall that permits requests for Web pages to move from the public Internet to the private network
bastion gateway
A special hardware server that utilizes application-level proxy software to limit the types of requests that can be passed to an organization's internal networks from the public Internet
proxies
Special software programs that run on the gateway server and pass repackaged packets from one network to the other
Securing E-Commerce Networks
personal firewall
A network node designed to protect an individual user's desktop system from the public network by monitoring all the traffic that passes through the computer's network interface card
virtual private network (VPN)
A network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network
Securing E-Commerce Networks
intrusion detection systems (IDSs)
A special category of software that can monitor activity across a network or on a host computer, watch for suspicious activity, and take automated action based on what it sees
Honeynets and honeypots
honeynet
A network of honeypots
honeypot
Production system (e.g., firewalls, routers, Web servers, database servers) that looks like it does real work, but which acts as a decoy and is watched to study how network intrusions occur
Managerial Issues
1. Why should managers learn about EC security?
2. Why is an EC security strategy and life cycle approach needed?
3. How should managers view EC security issues?
4. What is the key to establishing strong e-commerce security?
5. What steps should businesses follow in establishing a security plan?
6. Should organizations be concerned with internal security threats?