Chapter 10: Electronic Commerce Security
Download
Report
Transcript Chapter 10: Electronic Commerce Security
Chapter 10:
Electronic Commerce Security
Online Security Issues Overview
Computer security
The protection of assets from unauthorized access, use,
alteration, or destruction
Physical security
Includes tangible protection devices
Logical security
Protection of assets using nonphysical means
Threat
Any act or object that poses a danger to computer assets
Terms - Countermeasure
Managing Risk
General name for a procedure that recognizes, reduces, or
eliminates a threat
Eavesdropper
Person or device that can listen in on and copy Internet
transmissions
Crackers or hackers
Write programs or manipulate technologies to obtain
unauthorized access to computers and networks
Computer Security Classification
Secrecy/Confidentiality
Protecting against unauthorized
data disclosure
Technical issues
Privacy
The ability to ensure the use of
information about oneself
Legal Issues
Integrity
Preventing unauthorized data
modification by an unauthorized
party
Necessity
Preventing data delays or denials
(removal)
Nonrepudiation
Ensure that e-commerce
participants do not deny (i.e.,
repudiate) their online actions
Authenticity
The ability to identify the identity
of a person or entity with whom you
are dealing on the Internet
Some solutions --
Exercise
Visit the Copyright Web site:
http://www.benedict.com/
Check out examples of copyright infringement:
Audio arts
Visual arts
Digital arts
Read comments Under “Info”
Security Threats in the
E-commerce Environment
Three key points of vulnerability
the client
communications pipeline
the server
Active Content
Active content refers to
programs embedded
transparently in Web pages
that cause an action to occur
Scripting languages
Provide scripts, or commands,
that are executed
Applet
Small application program
Java
Active X
Trojan horse
Program hidden inside another
program or Web page that
masks its true purpose
Zombie
Program that secretly takes
over another computer to
launch attacks on other
computers
Attacks can be very difficult
to trace to their creators
Viruses, Worms, and Antivirus Software
Virus
Software that attaches itself to another program
Can cause damage when the host program is activated
Macro virus
Type of virus coded as a small program (macro) and is
embedded in a file
Antivirus software
Detects viruses and worms
Digital Certificates
A digital certificate is a
program embedded in a Web
page that verifies that the
sender or Web site is who or
what it claims to be
Main elements:
Certificate owner’s identifying
information
Certificate owner’s public key
A certificate is signed code or
messages that provide proof
that the holder is the person
identified by the certificate
Dates between which the
certificate is valid
Certification authority (CA)
issues digital certificates
Name of the certificate issuer
Serial number of the
certificate
Digital signature of the
certificate issuer
Communication Channel Security
Recall that - Secrecy is the prevention of unauthorized information disclosure
Privacy is the protection of individual rights to nondisclosure
Sniffer programs
Provide the means to record information passing through a
computer or router that is handling Internet traffic
Demonstration of working of a Java implementation of a Packet Sniffer
Other Threats
Integrity
Integrity threats exist when an
unauthorized party can alter a
message stream of information
Cybervandalism
Electronic defacing of an existing
Web site’s page
Masquerading or spoofing
Pretending to be someone you are
not
Domain name servers (DNSs)
Computers on the Internet that
maintain directories that link
domain names to IP addresses
Anonymizer
A Web site that provides a
measure of secrecy as long
as it’s used as the portal to
the Internet
http://www.anonymizer.com
Necessity
Purpose is to disrupt or deny
normal computer processing
DoS attacks
Remove information altogether
Delete information from a
transmission or file
Wireless Network Threats
Wardrivers
Attackers drive around using their
wireless-equipped laptop computers
to search for accessible networks
Warchalking
When wardrivers find an open
network they sometimes place a
chalk mark on the building
Tools Available to Achieve Site Security
Encryption
Transforms plain text or data into cipher text that cannot be
read by anyone outside of the sender and the receiver.
Purpose:
Cipher text
to secure stored information
to secure information transmission.
text that has been encrypted and thus cannot be read by anyone
besides the sender and the receiver
Symmetric Key Encryption
DES standard most widely used
Group Exercise
Julius Caesar supposedly used secret codes known
today as Caesar Cyphers. The simplest replaces A
with B, B with C etc. This is called a one-rotate
code. The following is encrypted using a simple
Caesar rotation cypher. See if you can decrypt it:
Mjqqt hfjxfw. Mtb nx dtzw hnumjw? Xyfd fbfd
kwtr ymj xjsfyj ytifd.
Encryption
Public key cryptography
uses two mathematically related digital
keys: a public key and a private key.
The private key is kept secret by the
owner, and the public key is widely
disseminated.
Both keys can be used to encrypt and
decrypt a message.
A key used to encrypt a message, cannot
be used to unencrypt the message
Public Key Cryptography with Digital Signatures
Public Key Cryptography: Creating a Digital Envelope
Securing Channels of Communications
Secure Sockets Layer (SSL)
is the most common form of
securing channels
Secure negotiated session
client-server session where
the requested document
URL, contents, forms, and
cookies are encrypted.
Session key is a unique
symmetric encryption key
chosen for a single secure
session
Firewalls
Software or hardware and
software combination installed on a
network to control packet traffic
Packet-filter firewalls
Provides a defense between the
network to be protected and the
Internet, or other network that
could pose a threat
Characteristics
Gateway servers
All traffic from inside to outside
and from outside to inside the
network must pass through the
firewall
Only authorized traffic is allowed
to pass
Firewall itself is immune to
penetration
Trusted networks are inside the
firewall
Untrusted networks are outside
the firewall
Examine data flowing back and
forth between a trusted network
and the Internet
Firewalls that filter traffic based
on the application requested
Proxy server firewalls
Firewalls that communicate with
the Internet on the private
network’s behalf
Security Policy and Integrated Security
A security policy is a written
statement describing:
Which assets to protect and
why they are being protected
Who is responsible for that
protection
Which behaviors are
acceptable and which are not
First step in creating a
security policy
Elements of a security policy
address:
Authentication
Access control
Secrecy
Data integrity
Audits
Determine which assets to
protect from which threats
Protection of Information Assets CISA 2006 Exam Preparation
Tension Between Security and Other Values
Ease of use
Often security slows down processors and adds significantly to
data storage demands. Too much security can harm profitability;
not enough can mean going out of business.
Public Safety & Criminal Use
claims of individuals to act anonymously vs. needs of public
officials to maintain public safety in light of criminals or
terrorists.
Some questions
Can internet security measures actually create
opportunities for criminals to steal? How?
Why are some online merchants hesitant to ship to
international addresses?
What are some steps a company can take to thwart cybercriminals from within a business?
Is a computer with anti-virus software protected from
viruses? Why or why not?
What are the differences between encryption and
authentication?
Discuss the role of administration in implementing a
security policy?
Security for Server Computers
Web server
Can compromise secrecy if it allows automatic directory
listings
Can compromise security by requiring users to enter a
username and password
Dictionary attack programs
Cycle through an electronic dictionary, trying every word
in the book as a password
Other Programming Threats
Buffer
An area of memory set aside to hold data read from a file
or database
Buffer overrun
Occurs because the program contains an error or bug that
causes the overflow
Mail bomb
Occurs when hundreds or even thousands of people each
send a message to a particular address
Organizations that Promote Computer Security
CERT
Responds to thousands of security incidents each year
Helps Internet users and companies become more knowledgeable
about security risks
Posts alerts to inform the Internet community about security
events
www.cert.org
SANS Institute
A cooperative research and educational organization
SANS Internet Storm Center
Web site that provides current information on the location and
intensity of computer attacks
Microsoft Security Research Group
Privately sponsored site that offers free information about
computer security issues