Lesson 19-E-Commerce Security Needs
Overview
Understand e-commerce services.
Understand the importance of availability.
Implement client-side security.
Implement server-side security.
Implement application security.
Implement database server security.
Develop an e-commerce architecture.
Understand E-Commerce Services
Organizations perform e-commerce to make a profit by providing goods and services at a lower cost.
Electronic library functions for sensitive or confidential information have arrived with the advent of e-commerce over the Internet.
Understand E-Commerce Services
E-commerce service is most commonly thought of as the purchasing of goods.
The security of e-commerce services can be measured by their confidentiality, integrity, and accountability.
Understand E-Commerce Services
E-commerce services and regular DMZ services differ in their requirements.
Requirements for verification and confidentiality differentiate e-commerce services from regular DMZ services.
Availability becomes a critical security issue for the e-commerce site.
Understand E-Commerce Services
E-commerce services may involve selling goods, providing confidential information, or distributing information.
The security of e-commerce services can be measured in terms of confidentiality, integrity, and accountability.
Understand the Importance of Availability
Availability is the key issue for e-commerce services.
Availability of the site has a direct impact on the confidence a customer will have in using the service.
A failure in availability is almost guaranteed to push a potential customer to a competitor.
Understand the Importance of Availability
Business-to-consumer issues:
The entire site, along with payment processing, must be up at all times.
The problem of availability includes business issues such as the ability of the organization to fulfill orders entered into the system.
The infrastructure must be sized according to the expected load.
Understand the Importance of Availability
Business-to-business issues:
Business-to-business e-commerce is established between two organizations that have some type of relationship.
Availability issues may be more stringent in business-to-business e-commerce.
When one organization needs to place an order, the other organization must be able to receive and process it.
Understand the Importance of Availability
Global time:
E-commerce availability is governed by the concept of global time.
This concept identifies the global nature of the Internet and of e-commerce.
An e-commerce site must be able to handle orders from unexpected locations.
Understand the Importance of Availability
Client comfort:
The client must feel comfortable with the ability of the organization to process orders and deliver goods.
Customer comfort or discomfort can multiply quickly.
Understand the Importance of Availability
Cost of downtime:
The cost of downtime is high.
It can be estimated by taking the average number of transactions over a period of time and the revenue of the average transaction (the product of the two approximates the revenue lost for each such period of outage).
An e-commerce site must not have single points of failure.
The site should also have procedures for updating hardware and software.
Understand the Importance of Availability
Solving the availability problem:
Downtime can be reduced through redundancy.
For sites that expect large amounts of traffic, load-balancing application-layer switches can be used.
Network infrastructure components must also be configured to fail over if high availability is required.
Implement Client-Side Security
Client-side security components
Implement Client-Side Security
Client-side security deals with security from the customer's desktop system to the e-commerce server.
A realistic solution to communications security is encryption of the information in transit.
Implement Client-Side Security
A cookie is a small amount of information that the Web server stores on the client system, either in cleartext or encrypted.
Organizations must ensure that a legitimate customer placed the order, to reduce possible repudiation.
Implement Server-Side Security
Security of servers includes:
Information stored on the server.
Protecting the server from attack.
Information Stored on the Server
An e-commerce server is a semi-trusted or untrusted system and should not store sensitive information.
If information is kept on the e-commerce server, it should be protected from unauthorized access through file access controls.
Protecting the Server from Attack
Three categories in protecting an e-commerce server from
attack:
Server location.
Operating system configuration.
Web server configuration.
Server Location
The server should be located in a protected area such as a data center.
If the server is placed at a co-location facility, physical access to it must be separated from other clients.
The firewall should be configured to allow access to the e-commerce server only on ports 80 (for HTTP) and 443 (for HTTPS).
Operating System Configuration
The first step in configuring the server securely is to remove or turn off any unnecessary services.
The latest patches for the chosen operating system must be checked and loaded.
The system should meet the organization's policy, and a vulnerability scan should be conducted.
Web Server Configuration
The Web server must not run as root or administrator.
CGI scripts on the Web server that are not being used should be removed so that an intruder cannot abuse them.
The Web server should be scanned for known vulnerabilities.
Implement Application Security
Security of the e-commerce application as a whole is the most important part of e-commerce security.
Security requirements should be included in the requirements definition phase of the project.
Security requirements include requirements pertaining to protection, authentication, audit, availability, and identification of sensitive information.
Implement Application Security
All sensitive information needs to be protected.
Programs are a major source of system vulnerabilities because of programming errors.
Buffer overflows can be reduced by not making assumptions about the size of user input and by not passing unchecked user input to shell commands.
Peer review or code review can catch many programming errors before the server goes into production.
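The two mistakes named on this slide beside their hardened form, as an added example that is not part of the lesson; the `stockcheck` tool, the product-code format and the `lookup_*` names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define SKU_MAX 16   /* largest product code the application is designed to accept */
/* Vulnerable form, kept for contrast and never called below: it assumes the
 * input fits the buffer, then hands it unchecked to a shell via system(). */
int lookup_unsafe(const char *user_input)
{
    char sku[SKU_MAX];
    char cmd[64];
    strcpy(sku, user_input);             /* overflows sku if input has 16+ chars */
    sprintf(cmd, "stockcheck %s", sku);  /* shell metacharacters are interpreted */
    return system(cmd);
}
/* Hardened input check: bounded length and a strict allowlist of characters.
 * Returns 1 if the input is acceptable, 0 otherwise. */
int sku_is_valid(const char *user_input)
{
    size_t n = strlen(user_input);
    if (n == 0 || n >= SKU_MAX) return 0;   /* reject empty and overlong input */
    for (size_t i = 0; i < n; i++) {
        char c = user_input[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-'))
            return 0;                       /* no ';', '|', '$', quotes, spaces */
    }
    return 1;
}
/* Copy into the fixed buffer only after validation; 0 on success, -1 if rejected. */
int sku_copy(char dst[SKU_MAX], const char *user_input)
{
    if (!sku_is_valid(user_input)) return -1;
    strcpy(dst, user_input);                /* safe: length is already bounded */
    return 0;
}
/* Hardened launcher: argv form through execlp, so no shell ever parses the
 * input. Returns the tool's exit status, or -1 if the input was rejected. */
int lookup_safe(const char *tool, const char *user_input)
{
    char sku[SKU_MAX];
    if (sku_copy(sku, user_input) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) { execlp(tool, tool, sku, (char *)NULL); _exit(127); }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```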
Implement Application Security
Vulnerability scanners should detect buffer overflow problems before the site goes into production.
The two parts of configuration management are control of authorized changes and identification of unauthorized changes.
To prevent false alarms, checksums should be updated as part of the configuration management procedure.
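The identification half of configuration management, as an added example that is not from the lesson: a checksum baseline that flags an unauthorized edit and is refreshed after an approved change so the next check raises no false alarm. The file path and contents are constructed placeholders, and the FNV-1a checksum is an assumption standing in for whatever checksum or hash the site actually uses.

```c
#include <stdint.h>
#include <string.h>
#define MAX_FILES 8
/* One monitored file: its path and the checksum recorded at baseline time. */
struct entry { const char *path; uint64_t sum; };
struct baseline { struct entry items[MAX_FILES]; int count; };
/* 64-bit FNV-1a, a plain checksum as the slide describes; a production
 * integrity monitor would substitute a cryptographic hash such as SHA-256. */
uint64_t checksum(const char *data, size_t len)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= (unsigned char)data[i]; h *= 1099511628211ULL; }
    return h;
}
/* Record a file's checksum, or refresh it after an authorized change so the
 * next check does not raise a false alarm. */
void baseline_record(struct baseline *b, const char *path, const char *content)
{
    uint64_t sum = checksum(content, strlen(content));
    for (int i = 0; i < b->count; i++)
        if (strcmp(b->items[i].path, path) == 0) { b->items[i].sum = sum; return; }
    if (b->count < MAX_FILES) { b->items[b->count].path = path; b->items[b->count].sum = sum; b->count++; }
}
/* Compare current content with the baseline: 0 unchanged, 1 changed, -1 not monitored. */
int baseline_check(const struct baseline *b, const char *path, const char *content)
{
    for (int i = 0; i < b->count; i++)
        if (strcmp(b->items[i].path, path) == 0)
            return b->items[i].sum == checksum(content, strlen(content)) ? 0 : 1;
    return -1;
}
/* Walk-through on constructed content for a placeholder web-server config path. */
int demo(void)
{
    struct baseline b = { .count = 0 };
    const char *path = "/etc/httpd/httpd.conf";
    baseline_record(&b, path, "Listen 443\nUser www\n");           /* baseline after build */
    int alert = baseline_check(&b, path, "Listen 443\nUser root\n"); /* unauthorized edit: 1 */
    const char *approved = "Listen 443\nUser www\nServerTokens Prod\n";
    baseline_record(&b, path, approved);                            /* change-control update */
    int quiet = baseline_check(&b, path, approved);                 /* no false alarm: 0 */
    return alert == 1 && quiet == 0;
}
```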
Implement Database Server Security
The database server may contain sensitive and confidential information which should be protected.
Organizations must examine the database location, communication with the e-commerce server, and internal access protection.
Database servers must be kept in controlled areas.
The e-commerce server should initiate the SQL connection to the database server for processing transactions.
Implement Database Server Security
The e-commerce server must have an ID and password to initiate an SQL connection to the database server.
Employees of the organization have access to the internal network and are thus able to attack it directly.
The database server could be moved to a separate network and protected by an internal firewall.
Develop an E-Commerce Architecture
A high-traffic, high-availability e-commerce site requires two ISPs with fail-over capability.
Routers, switches, and firewalls should be cross-connected so that failure of any one component will not affect traffic.
Redundant switches may be used to ensure availability of the site.
Regular vulnerability scans and database auditing must be conducted.
Summary
E-commerce service providers can increase revenue by providing information to customers at a lower cost.
Security with respect to confidentiality, integrity, and accountability plays a major role in e-commerce.
Availability is a key issue for e-commerce.
Client-side security protects information in transit and information stored on the customer's computer, and prevents repudiation.
Summary
Server-side security involves protection of information stored on the server and protection of the server itself.
Security of the e-commerce application as a whole is probably the most important part of e-commerce security.
Confidential and sensitive information present in the database server must be protected.