Security aspects of e-tailing. Chapter 7

Transcription

1 Security aspects of e-tailing Chapter 7 1

2 Learning Objectives Understand the general concerns of customers concerning security Understand what e-tailers can do to address these concerns 2

3 Players in e-tailing Security 3

4 Customer Threats Offer Multiple Payment Options Avoid a Customer Account Keep Customers on the Site Fix Errors Effectively Ask for Appropriate Information Reassure the Costumer about Safety and Privacy Avoid Distractions Call to Action 4

5 Points of Target 5

6 Customer Threats Malicious Codes Trojans, Worms, Virus Tricking Masquerading, Phishing Active Content Sniffing Password Guess Patches and Disabled components 6

7 Channel Threats Confidentiality Integrity Availability 7

8 Server Threats Web-server Commerce server Database CGI Denial of Service Known Bugs 8

9 Security Attributes Authentication Authorization Privacy Integrity Non Repudiation 9

10 Security Lifecycle Security Requirement Specification + Risk Analysis Collect information on assets of the organization that need to be protected, threat perception on those assets, associated access control policies, existing operational infrastructure, connectivity aspects, services required to access the asset and the access control mechanism for the services. Security Policy Specification Use security requirement specification and risk analysis report to generate a set of e-commerce security policies Policy statements are high-level rule-based and generic; they do not provide any insight to system implementation or equipment configuration Security Infrastructure Specification Analyse the security requirement specification and the security policy specification to generate a list of security tools that are needed to protect the assets Provide views on the location and purpose of the security tools Security Infrastructure Implementation Procure, deploy, and configure the selected security infrastructure at the system level Security Testing Perform tests to determine the effectiveness of the security infrastructure, functionality of the access control mechanism, specified operational context, existence of known vulnerabilities in the infrastructure Requirement Validation Analyse the extent of fulfilment of the security requirements of the e-commerce organization by the corresponding security policy and the implemented security infrastructure 10

11 Security Policy Hardware Controls Software Controls Physical Infrastructure Personnel Controls 11

12 Security Infrastructure Enforcing password aging and expiration Enforcing the complexity of passwords Blocking prohibited outbound connections from the firewall Requiring digital certificates to authenticate remote access connections Requiring badges for physical access to building Requiring all physical access to servers to be recorded in a written log 12

13 Security Tools Firewalls Public Key Infrastructure Encryption software Digital certificates Digital Signatures Biometrics Passwords Locks and bars operations centres 13

14 Security Testing Verification of the security requirement specification Verification of the configuration of the security tools specified in the security infrastructure Verification of any gap between the proposed security infrastructure and the implemented security infrastructure Verification of the limitation of the proposed security infrastructure with respect to the known vulnerabilities 14

15 Security Testing Compliance Testing Penetration Testing 15

16 Compliance Models ISO COBIT 2000 SSE-CMM 2003 ISO/IEC

17 Security Guidelines Choose a secure ecommerce platform Use a secure connection for online checkout- -and ensure PCI compliance Do not store sensitive data Employ an address and card verification system Ensure strong passwords Set up system alerts for suspicious activity Provide layers of security Provide security training to employees Use tracking numbers for all orders 17

18 Security Infrastructure Monitor website regularly Perform regular PCI scans Ensure timely patches to the systems Ensure DDoS protection and mitigation service Consider a fraud management service Ensure regular back ups Prepare a disaster recovery plan Use cookies 18