management & legal implications of ecommerce security
TRANSCRIPT
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Security
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Outline What is Security What is Electronic security Objectives of security Importance of security Types of security Security policy Security Tips
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
What is Security? That which secures; protection; a state of safety or safe keeping.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Electronic Security The process of preventing and detecting
unauthorized use of a computer based information system
Prevention measures to stop unauthorized users from accessing any part of the computer based information system
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Importance of Security Privacy Crime Networks and their associated technologies
have opened the door to an increasing number of security threats. Important data can be lost, privacy can be
violated and the computer can even be used by an outside attacker to attack other computers on the Internet.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
WHO MIGHT ATTACK? Hackers
In security circles, most of these people are known as "script kiddies."
Business rivals
Competitors may try to obtain information illicitly through your virtual back doors.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
WHO MIGHT ATTACK? Foreign intelligence
Another area of concern is foreign espionage. France, Israel, and Russia are known to have active industrial espionage efforts underway against the United States.
Insiders
they may be hackers for their own amusement, for example, or they may be working for rivals or foreign intelligence agencies.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Internet Access
Corporate Intranet
Internet Presence
eCommerce
Extranets
Security Considerations
Internet BusinessValue
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Objectives of Security Confidentiality Integrity Availability
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Confidentiality The process used to protect secret information
from unauthorized disclosure. Secret data needs to be protected when it is
stored or when it is being transmitted over the network.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Integrity Refers to the unauthorized changing of creation
of values of data within the system. Data Integrity detects whether the data has been
modified during transmission. Such modification may be the result of an attack or a transmission error ( corruption).
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Integrity (cont.) There are legal concerns regarding
Anonymity of source Ease of reproduction Detection of alteration Unauthorised disclosure attribution
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Availability Caused by equipment malfunction, equipment
destruction (natural disaster) or equipment loss (theft).
Example: Computer Virus ( causes the system to be
unavailable for an extended period while the virus is removed and corrupted data is reprocessed).
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Types of Security Technical Countermeasures Non-Technical Countermeasures
Physical Procedural
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
A Balanced Approach to Security
Security Conscious
People
Policies & Procedure
Network Controls
Security Software
Threats Resources
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Technical Countermeasures Passwords Encryption Cryptography Digital Signatures Firewalls Key locks
Smart cards biometrics
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Passwords computer system is password protected
Make passwords as meaningless as possible No real words (forward or backwards) Mixture of letters and numbers
Change passwords regularly
Never divulge passwords to anyone
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Encryption Encryption technology ensures that messages
cannot be intercepted or read by anyone other than the authorized recipient.
Encryption is usually deployed to protect data that is transported over a public network such as the Internet and uses advance mathematical algorithms to ‘scramble’ messages and their attachments.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Where is Encryption used: ATM’s EFTPOS Internet transaction Protects medical records, corporate trades
secrets, air traffic control centres etc.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Cryptography It is the practical art of converting messages or data into
a different form, such that no-one can read them without having access to the 'key'.
The message may be converted using a 'code' (in which case each character or group of characters is substituted by an alternative one), or a 'cypher' or 'cipher' (in which case the message as a whole is converted, rather than individual characters).
Cryptanalysis is the science of 'breaking' or 'cracking' encryption schemes, i.e. discovering the decryption key.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Symmetric Cryptography
The same key is used for encrypting and decrypting messages
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Public Key Cryptography
Multiple people encrypt messages using the recipient’s well-known public key. The recipient decrypts it with her private key.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Public Key Cryptography (cont.) A message encrypted with a Public Key can only
be decrypted with the private Key A message encrypted with the private key can
only be decrypted with the public key
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Public Key Cryptography (cont.) Key Distribution
Certification Authority (CA) acts as a trusted third party which distributes digital certificates.
The digital certificates which are publicly distributed contain a user’s public key as well as other information such as the user’s personal details and the expiry date of the key.
Registration Authoriy verifies a user’s identity at the time the user applies for a digital certificate. Often the CA and an RA are the same entities.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Public Key Distribution
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Digital Signatures Block of text that is used to verify that a
message really comes from the claimed sender. Can also be used to verify the time document
was sent. can only be generated by the sender and is very
difficult for anyone else to forge.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Digital Signature Process
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Digital Envelopes1. Sender generates a random message key (K). Sender
encrypts the message (M) with K, creating the cipher text message (CM).
2. Sender encrypts K with recipient’s public key (RPubK), generating cipher text CK.
3. Sender computes a digital signature (S) using her private signature (SPrivK)
4. Sender sends CK, CM and S to recipient.5. Recipient uses his private key (RPrivK) to decrypt CK
and obtain K.6. Recipient uses K to decrypt CM and get M.7. Recipient uses sender’s public key (SPubK) to validate
S.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Firewalls A firewall is a device that is placed between your
system and the internet. It can monitor and filter any incoming and outgoing traffic.
Offers a single point at which security can be monitored and alarms generated.
Encryption can be used as a safeguard. There should be a security policy in place. An important point need to keep in mind that
firewalls are not always impenetrable.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Physical Countermeasures Is defined as the protection of its resources
against threats of damage, theft and natural disasters.
Involves a layered approach
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Computer Security
Building Security
End User Security
Hacker Attacks
PhysicalIntrusion
UnauthenticatedAccessEnvironmental
Disruption
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Building Security Guard Alarm system Surveillance system Perimeter security ( adequate lighting, security
fences) Warning signs Centralized control (response to an attack as
quickly as possible)
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Procedural Conditions of use (layout expectations) Key locks Supervision Usage monitoring Safe storage of data Backup (make copies of data and softwares) User authorisation Intruder detection Monitoring and control Business Continuity Plans Disaster Recovery Plans
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Disaster Recovery Plan Approved set of arrangements and procedures that
enable an organisation to respond to a disaster and resume its critical business functions within a defined time frame
Business Continuity Plan Process of developing advanced arrangements and
procedures that enable an organisation to respond to an event in such a manner that critical business functions continue without interruption or essential change
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Natural Disasters Causes extensive damage such as:
Loss of power, communication lines and processing; buildings set on fire; building collapsing.
To overcomes the damages organizations should:
Secure external communication links; Install lighting protection; create firebreaks around buildings; insure appropriate building construction.
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
IT Security Policy Example
http://www.uts.edu.au/div/publications/policies/select/itsecurity.html
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Assess the Situation
Fix High Risk Vulnerabilities
Secure the Perimeter
Secure the Interior
Deploy Monitors
Test\Attack High Risks
How to secure an environment
MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE
Security Tips Use protection software "anti-virus software" and
keep it up to date. Don't open email from unknown sources. Use hard-to-guess passwords. Protect your computer from Internet intruders --
use "firewalls". Don't share access to your computers with
strangers. Learn about file sharing risks. Back up your computer data.