E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications



Similar documents
E-commerce Revision. Typical e-business Architecture. Routing and Addressing. E-Commerce Web Sites. Infrastructure- Packets, Routing and Addressing

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Content Teaching Academy at James Madison University

E-commerce. business. technology. society. Kenneth C. Laudon Carol Guercio Traver. Second Edition. Copyright 2007 Pearson Education, Inc.

Security Goals Services

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

COSC 472 Network Security

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Penetration Testing Service. By Comsec Information Security Consulting

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

Chap. 1: Introduction

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Network Security and Firewall 1

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Contents Introduction xxvi Chapter 1: Understanding the Threats: Viruses, Trojans, Mail Bombers, Worms, and Illicit Servers

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

ISM/ISC Middleware Module

Cornerstones of Security

Chapter 10. Network Security

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173

The Case For Secure

E-BUSINESS THREATS AND SOLUTIONS

Information Security Basic Concepts

Overview. SSL Cryptography Overview CHAPTER 1

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Security: Focus of Control. Authentication

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Chapter 12 Objectives. Chapter 12 Computers and Society: Security and Privacy

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Part I: Ethics. Moral guidelines that govern use of computers and information systems. Unauthorized use of computer systems

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers Your Interactive Guide to the Digital World

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

Detailed Description about course module wise:

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

Chapter 11 Computers and Society, Security, Privacy, and Ethics

Computers and Society: Security and Privacy

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

CS5008: Internet Computing

Client Server Registration Protocol

Cybersecurity for the C-Level

E-COMMERCE and SECURITY - 1DL018

Network Security. Chapter 12. Learning Objectives. Chapter Outline. After reading this chapter, you should be able to:

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

How To Protect A Web Application From Attack From A Trusted Environment

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

NETWORK SECURITY. Farooq Ashraf. Department of Computer Engineering King Fahd University of Petroleum and Minerals Dhahran 31261, Saudi Arabia

Malicious Software. Ola Flygt Växjö University, Sweden Viruses and Related Threats

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Transport Layer Security Protocols

Is your data safe out there? -A white Paper on Online Security

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Why you need secure

Securing your Online Data Transfer with SSL

How To Use A College Computer System Safely

Security. Definitions

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Soran University Faculty of Science and Engineering Computer Science Department Information Security Module Specification

ELECTRONIC COMMERCE OBJECTIVE QUESTIONS

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

How To Use Pretty Good Privacy (Pgp) For A Secure Communication


JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Passing PCI Compliance How to Address the Application Security Mandates

WEB ATTACKS AND COUNTERMEASURES

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

Information Security

Last update: February 23, 2004

VALLIAMMAI ENGINEERING COLLEGE

Compter Networks Chapter 9: Network Security

Using etoken for SSL Web Authentication. SSL V3.0 Overview

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Security Features of SellerDeck Web Sites

The Hidden Dangers of Public WiFi

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

What is network security?

CS Final Exam

How To Protect Your From Being Hacked On A Pc Or Mac Or Ipa From Being Stolen On A Network (For A Free Download) On A Computer Or Ipo (For Free) On Your Pc Or Ipom (For An Ipo

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.

Security Digital Certificate Manager

Payment Card Industry (PCI) Data Security Standard

Transcription:

Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 1 You will learn about: Internet security issues Security for client computers Security for the communication channels between computers Security for server computers Organizations that promote computer, network, and Internet security Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 2 Internet Security Issues: Overview Computer security: The protection of assets from unauthorized access, use, alteration, or destruction Physical security: Includes tangible protection devices Logical security: Protection of assets using nonphysical means Threat: Any act or object that poses a danger to computer assets Managing Risk-1 Countermeasure: General name for a procedure that recognises, reduces, or eliminates a threat Eavesdropper: Person or device that can listen in on and copy Internet transmissions Crackers or hackers: Write programs or manipulate technologies to obtain unauthorized access to computers and networks Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 3 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 4 Managing Risk-2 Computer Security Classifications Secrecy: Protecting against unauthorized data disclosure and ensuring the authenticity of data source Integrity: Refers to preventing unauthorized data modification Necessity: Refers to preventing data delays or denials (removal) Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 5 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 6 1

Security Policy and Integrated Security-1 A written statement describing Which assets to protect and why they are being protected Who is responsible for that protection Which behaviors are acceptable and which are not First step in creating a security policy Determine which assets to protect from which threats Define minimum level of acceptable security Security Policy and Integrated Security-2: Requirements for Secure Electronic Commerce Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 7 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 8 Security Policy and Integrated Security-3 Elements that a security policy should address: Authentication: who is trying to access? Access control: who is allows to log on and access? Secrecy: who is permitted to view selected info? Data integrity: who is allowed to change data? Audit: who or what causes specific events to occur and when? Security Policy and Integrated Security-4: Security for Client Computers Active content: Programs embedded transparently in Web pages and cause action to occur Scripting languages: Provide scripts, or commands, that are executed (JavaScript; VBScript) Applet: Small application program (Java Applets) Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 9 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 10 Security Policy and Integrated Security-5: Security for Client Computers Example: Dialog box asking for Permission to Open a Java Applet Trojan horse: Program hidden inside another program or Web page that masks its true purpose Zombie: Program that secretly takes over another computer to launch attacks on other computers Attacks can be very difficult to trace to their creators Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 11 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 12 2

Cookies1 Example: Information Stored in a Cookie on a Client Computer Cookie Central: Web site devoted to Internet cookies Session cookies: Exist until the Web client ends connection Persistent cookies: Remain on client computer indefinitely Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 13 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 14 Cookies2 First-party cookies: Cookies placed on client computer by Web server site Third-party cookies: Cookies placed on client computer by different Web site Web bug: Tiny graphic that a third-party Web site places on another site s Web page Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 15 Java Applets Java: High-level programming language developed by Sun Microsystems Java sandbox: Confines Java applet actions to a set of rules defined by the security model Untrusted Java applets : Applets not established as secure Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 16 JavaScript Scripting language developed by Netscape to enable Web page designers to build active content Can be used for attacks by Executing code that destroys client s hard disk Discloses e-mail stored in client mailboxes Sends sensitive information to attacker s Web server ActiveX Controls Object containing programs and properties that Web designers place on Web pages Common programming languages used C++ and Visual Basic Actions cannot be halted once they begin execution Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 17 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 18 3

Example: Internet Explorer ActiveX Control Warning Message Viruses, Worms, and Antivirus Software Virus: Software that attaches itself to another program and Can cause damage when host program is activated Warm: virus that replicates itself on the computer that it infects Macro virus: Type of virus coded as a small program (macro) and is embedded in a file Antivirus software: Detects viruses and worms Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 19 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 20 Steganography Describes process of hiding information within another piece of information Provides way of hiding an encrypted file within another file Messages hidden using steganography are difficult to detect Protecting Client Computers- Digital Certificates1 A program embedded in a Web page that Verifies that the sender or Web site is who or what it claims to be Signed code or messages Provide proof that the holder is the person identified by the certificate Certification authority (CA) Issues digital certificates Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 21 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 22 Example: Amazon.com s Digital Certificate Protecting Client Computers- Digital Certificates2 Main elements included: Certificate owner s identifying information Certificate owner s public key Dates between which the certificate is valid Serial number of the certificate Name of the certificate issuer Digital signature of the certificate issuer Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 23 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 24 4

Communication Channel Security Secrecy Prevention of unauthorized information disclosure Privacy is the protection of individual rights to nondisclosure Sniffer programs Provide means to record information passing through a computer or router that is handling Internet traffic Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 25 Communication Channel Security- Integrity Threats Exists when an unauthorized party can alter a message stream of information Cybervandalism Electronic defacing of an existing Web site s page Masquerading or spoofing Pretending to be someone you are not Domain name servers (DNSs) Computers on the Internet that maintain directories that link domain names to IP addresses Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 26 Communication Channel Security-Necessity Threats Purpose is to disrupt or deny normal computer processing Denial of Service attacks Remove information altogether or Delete information from a transmission or file Communication Channel Security- Threats to Wireless Networks Wardrivers Attackers drive around using their wirelessequipped laptop computers to search for accessible networks Warchalking When wardrivers find an open network they sometimes place a chalk mark on the building Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 27 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 28 Channel- Encryption Solutions Encryption Using a mathematically based program and a secret key to produce a string of characters that is unintelligible Cryptography Science that studies encryption Channel- Encryption Algorithms Encryption The coding of information by using a mathematically based program and secret key Encryption program Program that transforms normal text into cipher text Decryption program A type of encryption reversing procedure Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 29 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 30 5

Channel- Hash Coding Process that uses a hash algorithm to calculate a number from a message of any length Good hash algorithms Designed so that probability of two different messages resulting in same hash value is small Convenient way to tell whether a message has been altered in transit Channel- Asymmetric Encryption1 Encodes messages by using two mathematically related numeric keys Public key Freely distributed to the public at large Private key Belongs to the key owner, who keeps the key secret Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 31 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 32 Channel- Asymmetric Encryption2 Pretty Good Privacy (PGP) One of the most popular technologies used to implement public-key encryption Set of software tools that Can use several different encryption algorithms to perform public-key encryption Can be used to encrypt their e-mail messages Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 33 Channel- Symmetric Encryption Encodes message with one of several available algorithms that use a single numeric key Data Encryption Standard (DES): Set of encryption algorithms adopted by the U.S. government for encrypting sensitive information Triple Data Encryption Standard Offers good protection Cannot be cracked even with today s supercomputers Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 34 Comparing Asymmetric and Symmetric Encryption Systems (a) Hash coding, (b) Private-key, and (c) Public-key Encryption Public-key (asymmetric): Systems provide several advantages over private-key (symmetric) encryption methods Secure Sockets Layer (SSL): protocol that provides secure information transfer through the Internet. SSL secures connections between two Computers S-HTTP: Sends individual messages securely. Extension of htttp Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 35 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 36 6

Ensuring Transaction Integrity with Hash Functions Integrity violation Occurs whenever a message is altered while in transit between the sender and receiver Hash algorithms are one-way functions There is no way to transform the hash value back to original message Message digest Small integer number that summarizes the encrypted information Ensuring Transaction Integrity with Digital Signatures Hash algorithm Anyone could Intercept a purchase order Alter the shipping address and quantity ordered Re-create the message digest Send the message and new message digest on to the merchant Digital signature An encrypted message digest Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 37 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 38 Sending and Receiving a Digitally Signed Message Security for Server Computers Web server Can compromise secrecy if it allows automatic directory listings Can compromise security by requiring users to enter a username and password Dictionary attack programs Cycle through an electronic dictionary, trying every word in the book as a password Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 39 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 40 Other Programming Threats Buffer An area of memory set aside to hold data read from a file or database Buffer overrun Occurs because the program contains an error or bug that causes the overflow Mail bomb Occurs when hundreds or even thousands of people each send a message to a particular address Protecting the web server- Firewalls1 Computer and software combination installed at the Internet entry point of a networked system Provides a defense between Network to be protected and the Internet, or other network that could pose a threat All corporate communication to and from Internet flows through firewalls Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 41 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 42 7

Protecting the web server- Firewalls2 Characteristics All traffic from inside to outside and from outside to inside the network must pass through firewall Only authorized traffic is allowed to pass Firewall itself is immune to penetration Trusted Networks inside the firewall Untrusted Networks outside the firewall Protecting the web server- Firewalls3 Packet-filter firewalls: Examine data flowing back and forth between trusted network and the Internet Gateway servers: Firewalls that filter traffic based on the application requested Proxy server firewalls: Firewalls that communicate with the Internet on the private network s behalf Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 43 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 44 Organizations that Promote Computer Security Computer Emergency Response Team Responds to thousands of security incidents each year Helps Internet users and companies become more knowledgeable about security risks Posts alerts to inform Internet community about security events Other Organizations SANS Institute A cooperative research and educational organization Internet Storm Center Web site that provides current information on the location and intensity of computer attacks Microsoft Security Research Group Privately sponsored site that offers free information about computer security issues Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 45 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 46 Computer Forensics and Ethical Hacking Computer forensics experts Hired to probe PCs and locate information that can be used in legal proceedings Computer forensics The collection, preservation, and analysis of computer-related evidence Summary Assets that companies must protect: Client computers; Computer communication channels; Web servers (susceptible to security threats) Communication channels, in general, and the Internet, in particular are especially vulnerable to attacks Encryption: Provides secrecy Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 47 Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 48 8

Next week User Experience in E-commerce Personalisation Usability Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html 49 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information