Amity School of Business

BBA, Semester II
E-Commerce
Arpan Sinha
MODULE-V
e-Security
Internet Security
• Internet security is about protecting information. The
risks inherent in e-commerce can be managed only
through appropriate security measures and business and
legal procedures that ensure the integrity and reliability
of Internet transactions.
• The electronic systems that support e-commerce are
susceptible to abuse and failure in many ways:
- Fraud, resulting in direct financial loss. Funds may be
transferred from one account to another.
- Theft of confidential, proprietary, technological, or
marketing information belonging to the firm or to the
customer.
- Disruption of service, resulting in major losses to the
business or inconvenience to the customer.
- Loss of customer confidence stemming from illegal
intrusion into customer files or company business.
E-Commerce Security issues
The following points outline the security issues related to
e-commerce.
• Confidentiality: Knowing who can read data and ensuring
that information in the network remains private.
• Authentication: Making sure that message senders or
principals are who they say they are.
• Access Control: Restricting the use of a resource to
authorized principals.
• Integrity: Making sure that information is not
accidentally or maliciously altered or corrupted in transit.
• Non-repudiation: Ensuring that principals cannot deny
that they sent the message.
Designing E-Security
Designing e-security involves five steps:
1. Assessing Web Security needs.
2. Establishing a Good Policy.
3. Fulfilling Web security needs.
4. Structuring the Security Environment.
5. Monitoring the System.
Assessing Web Security Needs
• A chief security officer is in charge of overseeing the
entire security setup of the firm. He or she should be
well versed in the technology as well as the nature of
the business.
• The person must also be able to pinpoint which security
breaches threaten the company’s business and how well
the company is in compliance with various laws and
regulations.
Establishing A Good Policy
• Policies should cover the threats that attack
confidentiality, integrity and privacy.
• Security policies should cover the entire e-commerce
system including the merchant’s local area networks,
hardware, software, firewalls, protocols, standards,
databases, and the staff directly involved in the
e-commerce process.
• The policies should spell out Internet security practices,
the nature and level of risks, the level of protection, and
the procedures to be followed to respond to threats and
recover from failure.
Fulfilling Web Security Needs
• A design consideration for the company is to list the top
vulnerabilities and take a close look at critical
applications to decide risk levels. The amount of
security a Web merchant needs depends on the
sensitivity of its data and the demand for it. For
example, if your site collects credit card numbers for
access, you want the highest security possible for the
Web server, the network and the Web site.
• Consult with your Web administrator or an outside
security consultant to see what options are available and
how to put them to good use.
Structuring The Security Environment
• The design begins with sketching out the stepping
stones: the sequence and parameters in the security
network based on the security policy and requirements
of the e-commerce system.
• How much security goes into a system depends on how
much risk the company is willing to take, the security
policy it is willing to adopt, and the present state of
security practices in the workplace.
• A security perimeter generally includes firewalls,
authentication, virtual private networks, and intrusion
detection devices. Installing such software and devices
is part of physical design. The challenge is to police the
entire perimeter.
Authorizing and Monitoring the Security System
• Once the perimeter is secure and only authorized users
are allowed access to the e-commerce site, the next
step is to install a system that grants authorization
to different users to handle different jobs.
• These functions require that the security system be
monitored via feedback mechanisms to ensure that the
entire system is working properly.
• Monitoring means capturing processing details for
evidence, verifying that e-commerce is operating within
the security policy, and verifying that attacks have
been unsuccessful.
Kinds of Threats and Crimes
1. Those that are physically related: For example, a
hacker might attempt to steal or damage inventory.
Other examples include stolen credit card records and
stolen computer hardware or software. An attacker,
often by guessing passwords, might succeed in gaining
access to another user’s account.
2. Those that are order related: For example, a
customer might attempt to use an invalid or a stolen
credit card or claim no merchandise was received on a
good credit card. Children might use their parent’s
credit card without permission. Insiders can do a lot
to infect an order because they have access to
sensitive systems and information.
3. Those that are electronically related: A hacker
might try to sniff e-mail information or attempt to
steal credit card numbers and use them illegally at a
later date. A sniffer is a person or a program that uses
the Internet to record information that passes
through a router on its way from its source to its
destination. Another example of an electronically
related attack is damaging or destroying a Web site and
infecting the entire business-to-consumer interface
with malicious software called a virus.
The Threats Posed to E-Commerce Servers
• E-Commerce is the transaction of goods and
services and the payment for those goods and
services over the Internet. Therefore, the
physical place where all of these transactions
occur is the server. The server can be
viewed as the central repository for your
“E-Commerce Place of Business”, which consists of
the actual website which displays your products
and services, the customer database, and the
payment mechanism.
• Threats to E-Commerce servers can be classified as
either (1) Malicious Code Threats or
(2) Transmission Threats.
• Malicious code is introduced into the server in order
to gain access to the system resources. Very often,
the intent of Malicious Code Attacks is to cause
large-scale damage to the E-Commerce server.
• The threats and risks can be classified as either
active or passive. With passive threats, the main goal
is to listen to transmissions to the server. With
active threats, the intent is to alter the flow of data
transmission aimed directly at the E-Commerce
server.
Malicious Code Threats
Viruses and Worms
• A virus needs a host of some sort in order to cause damage
to the system. The exact definition is “... a virus
attaches itself to executable code and is executed when
the software program begins to run or an infected file is
opened.” So, for example, a virus needs a file to attach
itself to. Once that file is opened, the virus can
then cause the damage. This damage can range from the
deletion of some files to the total reformatting of the
hard drive. The key thing to remember about viruses is
that they cannot spread by themselves; they require a host
file.
• Worms, however, are very different. A worm
does not need a host to replicate. Rather, the worm
replicates itself through the Internet, and can literally
infect millions of computers on a global basis in just a
matter of hours. Worms can shut down parts of
the Internet or E-Commerce servers, because they
use up valuable resources of the Internet, as well as the
memory and processing power of servers and other
computers.
Trojan Horses
• A Trojan Horse is a piece of programming code that is
layered behind another program, and can perform
covert, malicious functions. For example, your
E-Commerce server can display a “cool-looking” screen
saver, but behind that could be a piece of hidden code,
causing damage to your system. One way a Trojan
Horse gets onto a system is through software
downloaded from the Internet.
Logic Bombs
• A Logic Bomb is a version of a Trojan Horse; however, it
is event or time specific. For example, a logic bomb will
release malicious or rogue code in an E-Commerce server
after some specific time has elapsed or a particular
event in application or processing has occurred.
Transmission Threats
Denial of Service Attacks
• With a Denial of Service Attack, the main
intention is to deny your customers the services
provided on your E-Commerce server. There is
no actual intent to cause damage to files or to
the system, but the goal is to literally shut the
server down. This happens when a massive
amount of invalid data is sent to the
server. Because the server can handle and
process only so much information at any given time,
it is unable to keep up with the information and
data overflow. As a result, the server becomes
“confused”, and subsequently shuts down.
Ping of Death
• When we surf the Web, or send E-Mail, the
communication between our computer and the server
takes place via the data packet. It is the data packet
that contains the information and the request for
information that is sent from our computer to other
computers over the Internet. The communication
protocol which is used to govern the flow of data
packets is called Transmission Control
Protocol/Internet Protocol, or TCP/IP for short. The
TCP/IP protocol allows for data packets to be as large
as 65,535 bytes. With a Ping of Death Attack, a
massive data packet is sent, i.e., one larger than
65,535 bytes. As a result, the memory buffers of the
E-Commerce Server are totally overloaded, thus causing
it to crash.
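A receiver-side check for the oversized packet described above, as an added example that is not part of the original slides. Because the IPv4 length field is 16 bits, such a packet can only arrive as fragments, so the check reads each fragment's offset and length and flags any whose reassembled size would pass 65,535 bytes. The helper `build_ipv4_header` and the sample addresses are constructed for this illustration.

```python
import struct

MAX_IP_DATAGRAM = 65535  # largest value the 16-bit IPv4 total-length field can hold


def build_ipv4_header(total_length, offset_units, more_fragments):
    """Constructed sample input: a 20-byte IPv4 header (checksum left at 0)."""
    flags_and_offset = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_length, 0x1234, flags_and_offset,
        64, 1, 0,                      # TTL, protocol 1 (ICMP), checksum
        bytes([192, 0, 2, 10]),        # source, documentation range
        bytes([198, 51, 100, 5]),      # destination, documentation range
    )


def reassembled_size(header):
    """Size the datagram would reach once this fragment is put in place."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_length, _ident, flags_and_offset = struct.unpack(
        "!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    header_len = (ver_ihl & 0x0F) * 4
    if header_len < 20 or total_length < header_len:
        raise ValueError("inconsistent length fields")
    payload_len = total_length - header_len
    offset_bytes = (flags_and_offset & 0x1FFF) * 8   # offset is in 8-byte units
    return header_len + offset_bytes + payload_len


def is_oversized(header):
    """True when reassembly would exceed the 65,535-byte limit: drop it."""
    return reassembled_size(header) > MAX_IP_DATAGRAM


if __name__ == "__main__":
    samples = {
        "ordinary middle fragment": build_ipv4_header(1500, 185, True),
        "last fragment, exactly at the limit": build_ipv4_header(23, 8189, False),
        "last fragment past the limit": build_ipv4_header(1500, 8189, False),
    }
    for label, hdr in samples.items():
        print(f"{label}: {reassembled_size(hdr)} bytes, drop={is_oversized(hdr)}")
```

The check has to run before the fragment is copied into the reassembly buffer; validating the size only after reassembly is too late.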
Customer Related Threats
Phishing Attacks
• Phishing can be defined as “the act of sending an e-mail
to a user falsely claiming to be an established
legitimate enterprise in an attempt to scam the user into
surrendering private information that will be used
for identity theft.” For example, fraudulent e-mail
could be sent to your customers claiming that their
online account is about to expire, or that there is a
security upgrade that will take place affecting their
online account. After they are tricked into believing
the content of the Phishing e-mail, the customer then
clicks on the link, and submits all of their confidential
information. All Phishing e-mails contain a link, or a web
address, which the customer clicks on thinking that
they are using a secure and legitimate site.
Transmission Threats
Data Packet Sniffing
• This refers to the use of Data Packet Sniffers, also known
simply as “sniffers.” While a sniffer is an invaluable tool
to the Network Administrator for troubleshooting and
diagnosis, an attacker can also use a sniffer to intercept
the data packet flow and analyze the individual data
packets. Usernames, passwords, and other confidential
customer data can then be hijacked from the
E-Commerce server. This is a very serious problem,
especially in wireless networks, as the data packets literally
leave the confines of the network cabling and travel in the
air. Ultimately, Data Packet Sniffing can lead to hijacking
sessions. This is when the attacker eventually takes control
over the network connection, kicks off legitimate users
(such as your customers) from the E-Commerce server, and
ultimately gains control of it.
Security Protection and Recovery
Basic Internet Security Practices
• Passwords
• Firewalls
• Biometrics
FIREWALLS
• A firewall is a combination of hardware and software
that sits between the internet and the internal network of
an organization to protect the network from outside
attack (Fig. 1). It can examine the data entering or
leaving the network and can filter the data
according to certain rules, thus protecting the network
from an attack.
• It uses a set of rules to determine whether outgoing or
incoming data packets are allowed to pass through the
firewall. For example, we can, as a rule, specify IP
addresses of sending devices such that packets from
these IP addresses are not allowed to enter the network.
The firewall would stop them from entering.
Cryptography
• Cryptography is the technique of converting a message
into unintelligible or non-understandable form such
that even if some unauthorized or unwanted person
intercepts the message he/she would still not be able
to make any sense out of it. Cryptography is thousands
of years old.
• Techniques used for cryptography:
- Substitution: In substitution we replace each letter in
the message with another to make the message
non-understandable. For example, each letter “a” in the
message can be replaced with letter “d” and letter “b”
with letter “e” and so on.
- Transposition: It is based on scrambling the characters
in a message. A transposition system may first write a
message into a table row by row; then the message can be
read and rewritten column by column to make it scrambled
(see Fig. 1).
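Both techniques in code, as an added example that is not from the original slides: the substitution uses the shift of three that the “a” to “d”, “b” to “e” mapping implies, and the transposition writes row by row and reads column by column. The four-column table, the padding letter “x” and the sample message are assumptions.

```python
import string


def substitute(text, shift=3):
    """Shift cipher: with shift=3, 'a' -> 'd' and 'b' -> 'e' as on the slide."""
    lower = string.ascii_lowercase
    rotated = lower[shift % 26:] + lower[:shift % 26]
    table = str.maketrans(lower + lower.upper(), rotated + rotated.upper())
    return text.translate(table)


def unsubstitute(text, shift=3):
    """Undo substitute() by shifting back the same distance."""
    return substitute(text, -shift)


def transpose(text, columns, pad="x"):
    """Write the message into a table row by row, read it column by column."""
    if columns < 1:
        raise ValueError("columns must be at least 1")
    text += pad * (-len(text) % columns)          # fill the last row
    rows = [text[i:i + columns] for i in range(0, len(text), columns)]
    return "".join(row[c] for c in range(columns) for row in rows)


def untranspose(cipher, columns):
    """Undo transpose(): column c occupies cipher[c*n_rows:(c+1)*n_rows]."""
    if columns < 1 or len(cipher) % columns:
        raise ValueError("ciphertext does not fill a whole table")
    n_rows = len(cipher) // columns
    return "".join(cipher[c * n_rows + r]
                   for r in range(n_rows) for c in range(columns))


if __name__ == "__main__":
    message = "attackatdawn"                      # constructed sample message
    shifted = substitute(message)
    scrambled = transpose(message, 4)
    print("substitution :", shifted, "->", unsubstitute(shifted))
    print("transposition:", scrambled, "->", untranspose(scrambled, 4))
```

Neither technique is secure by modern standards: the shift cipher has only 25 usable keys, and transposition leaves every letter of the message present in the output.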
Cryptography
• Without cryptography, it is doubtful that banks,
businesses and individuals would feel safe doing
business online.
• Cryptography is a collection of mathematical
techniques used to ensure confidentiality of
information. The process of scrambling a message with
the help of a key is called Encryption. The process of
unscrambling a message using an appropriate key is
called Decryption.
• There are two types of cryptography - Symmetric and
Asymmetric cryptography.
• Symmetric Cryptography
• In symmetric cryptography the same key is used for
encryption and decryption.
• Asymmetric or Public Key Cryptography
• In this type a pair of public and private keys is used
for encryption and decryption.
Private-Key Cryptography (Symmetric Encryption)
In private-key cryptography, the sender and recipient
agree beforehand on a secret private key. The
plaintext is somehow combined with the key to create
the cipher text. The method of combination is such
that, it is hoped, an adversary could not determine
the meaning of the message without decrypting the
message, for which he needs the key.
• The following diagram illustrates the Encryption
Process.
• The following diagram illustrates the Decryption
Process.
Private-key methods are efficient and difficult to
break. However, one major drawback is that the key must
be exchanged between the sender and recipient
beforehand, raising the issue of how to protect the
secrecy of the key.
Public-Key Cryptography (Asymmetric Encryption)
• An encryption system that uses two keys -- a public key
known to everyone and a private or secret key known
only to the recipient of the message.
• An important element of the public key system is that
the public and private keys are related in such a way
that only the public key can be used to encrypt
messages and only the corresponding private key can
be used to decrypt them.
E-Commerce: Encryption contd…
[Figure: Alice’s public key is known to all (Bob, Doug). Bob (S)
encrypts the message "Hey, Alice, how about lunch at Taco Bell.
I hear they have free refills!" with Alice’s public key; Alice (R)
decrypts the resulting ciphertext with Alice’s private key.]
Digital/Electronic Signature
• An electronic signature means any letters, numbers,
symbols, images, characters or any combination thereof
in electronic form applied to an electronic document
which can ensure authenticity, integrity and
non-repudiation.
• It uses public key cryptography. Authenticity means
that the message is from a particular source/individual.
Integrity means that the message has not been altered
during transmission. Non-repudiation means that the
execution of the digital signatures cannot be denied by
the one who is sending the message.
Digital Certificates
These are the certificates in electronic form which
establish whether or not a public key belongs to the
purported owner. A digital certificate comprises at
least a public key, certification information (name,
ID etc.) and electronic signatures of a certification
authority.
Certification Authority (CA)
• A certification authority is defined to be a trusted
public/private body that attests the association of a
particular individual with his/her corresponding public key. A
CA signs digital certificates with its private key.
• There are many CAs working in the field but the pioneering or
the most reputed CA is Verisign which is based in America.
• Certification authorities work in a hierarchical fashion. There
is the CA at the top called root CA (the most reputed CA). It
can issue certificates to CAs working below it and those CAs
can further issue certificates to CAs working under them. In
this fashion a hierarchy of CAs is developed with each CA
confirming the public key of the CA below it through a digital
certificate.
Role of a Certification Authority
The role of a Certification Authority is analogous or similar
to a passport office. The issuance of a passport by the
passport office attaches credibility that this particular
person is entitled to travel. However, the passport is not
issued by the office until detailed enquiry/verification
about the identity of the person is made.
Once a person holds the passport, that confirms that this
particular person whose name, address etc. is appearing
on the passport is entitled to travel. Similarly, if a digital
certificate is issued by a reputed CA that would confirm
to other people that this particular public key certified
by the CA belongs to this individual only.
Reason why we use the concept of CAs
We use it for the verification of the identity of a person.
This is probably the best solution envisaged for such
verification, though it may have certain loopholes in it.
The best case is that Mr. A personally hands over his
public key. If, on the other hand, I try to look up his
public key against his particulars (name, address, and
identification no.) on a key server, there is a possibility
that I end up discovering three, four, or five different
public keys against the particulars of the same Mr. A.
Assume that all of them have been certified by different
CAs. Now I am confused about which of these is genuine
so that I can use it. Indeed, only one of them is genuine
and the rest are fraudulent keys registered by fraudulent
people using the particulars of Mr. A. In this situation I
would use and rely upon the public key of Mr. A that has
been certified by the most reputed CA among all the CAs.
I would treat the others as fraudulent.
The objective of getting fraudulent keys is to
intercept/receive the messages intended to be sent to a
particular receiver. So, if someone intends to receive the
messages delivered for Mr. A, he may register a key
against Mr. A’s particulars and get a certificate for it.
Note: CAs are supposed to issue the certificate
after proper enquiry; otherwise they may also be held
liable under different laws.
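The digital signature, certificate and CA hierarchy slides, and the Mr. A scenario above, as an added example that is not from the original slides: a certificate binds a name to a public key under the issuer's signature, and a chain is accepted only if every signature verifies and the chain ends at a CA the verifier already trusts. It assumes toy textbook RSA built from well-known Mersenne primes purely to make the trust logic runnable; the certificate fields, CA names and keys are constructed, and real certificates use X.509 with a vetted library.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def keypair(p, q):
    """Toy RSA key from two known primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private
    return pow(digest(data, n), d, n)

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def body(cert):
    """The fields the CA vouches for: whose key this is and who says so."""
    n, e = cert["public"]
    return f'{cert["subject"]}|{n:x}|{e:x}|{cert["issuer"]}'.encode()

def issue(issuer, issuer_private, subject, subject_public):
    cert = {"subject": subject, "public": subject_public, "issuer": issuer}
    cert["signature"] = sign(issuer_private, body(cert))
    return cert

def validate(chain, trusted_roots):
    """chain[0] is the end certificate; each following one is its issuer's.
    Valid only if every signature checks and the last issuer is trusted."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False
            issuer_public = chain[i + 1]["public"]
        else:
            issuer_public = trusted_roots.get(cert["issuer"])
            if issuer_public is None:
                return False
        if not verify(issuer_public, body(cert), cert["signature"]):
            return False
    return bool(chain)

# Constructed keys from well-known Mersenne primes (toy sizes, NOT secure).
ROOT = keypair(2**61 - 1, 2**89 - 1)
INTERMEDIATE = keypair(2**107 - 1, 2**127 - 1)
ROGUE_CA = keypair(2**521 - 1, 2**607 - 1)
MR_A_PUBLIC = keypair(2**1279 - 1, 2**2203 - 1)[0]
FRAUD_PUBLIC = keypair(2**2281 - 1, 2**3217 - 1)[0]

TRUSTED = {"Root CA": ROOT[0]}
INTER_CERT = issue("Root CA", ROOT[1], "Intermediate CA", INTERMEDIATE[0])
GENUINE = issue("Intermediate CA", INTERMEDIATE[1], "Mr. A", MR_A_PUBLIC)
FRAUD = issue("Rogue CA", ROGUE_CA[1], "Mr. A", FRAUD_PUBLIC)
ROGUE_SELF = issue("Rogue CA", ROGUE_CA[1], "Rogue CA", ROGUE_CA[0])
TAMPERED = dict(GENUINE, public=FRAUD_PUBLIC)  # key swapped after signing
```

`validate([GENUINE, INTER_CERT], TRUSTED)` succeeds, while the second “Mr. A” key fails because its chain ends at a CA outside the trust list, and the tampered certificate fails its signature check. A production validator also checks validity dates, revocation and whether each issuer is permitted to act as a CA.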
Thank You & All the Best!