Security aspects of e-tailing. Chapter 7




Learning Objectives
- Understand the general concerns of customers regarding security
- Understand what e-tailers can do to address these concerns

Players in e-tailing Security

Customer Threats
- Offer multiple payment options
- Avoid requiring a customer account
- Keep customers on the site
- Fix errors effectively
- Ask only for appropriate information
- Reassure the customer about safety and privacy
- Avoid distractions
- Give a clear call to action

Points of Target

Customer Threats
- Malicious code: Trojans, worms, viruses
- Trickery: masquerading, phishing
- Active content
- Sniffing
- Password guessing
- Missing patches and disabled security components

Channel Threats
- Confidentiality (eavesdropping on data in transit)
- Integrity (tampering with data in transit)
- Availability (denial of service on the channel)

Server Threats
- Web server
- Commerce server
- Database
- CGI
- Denial of service
- Known bugs

Security Attributes
- Authentication
- Authorization
- Privacy
- Integrity
- Non-repudiation

Security Lifecycle
1. Security requirement specification and risk analysis: collect information on the organization's assets that need to be protected, the perceived threats to those assets, the associated access control policies, the existing operational infrastructure, connectivity aspects, the services required to access each asset, and the access control mechanism for those services.
2. Security policy specification: use the security requirement specification and the risk analysis report to generate a set of e-commerce security policies. Policy statements are high-level, rule-based and generic; they give no insight into system implementation or equipment configuration.
3. Security infrastructure specification: analyse the security requirement specification and the security policy specification to generate a list of the security tools needed to protect the assets, with views on the location and purpose of each tool.
4. Security infrastructure implementation: procure, deploy and configure the selected security infrastructure at the system level.
5. Security testing: perform tests to determine the effectiveness of the security infrastructure, the functionality of the access control mechanism, the specified operational context, and the existence of known vulnerabilities in the infrastructure.
6. Requirement validation: analyse the extent to which the security policy and the implemented security infrastructure fulfil the security requirements of the e-commerce organization.

Security Policy
- Hardware controls
- Software controls
- Physical infrastructure
- Personnel controls

Security Infrastructure
- Enforcing password aging and expiration
- Enforcing the complexity of passwords
- Blocking prohibited outbound connections at the firewall
- Requiring digital certificates to authenticate remote access connections
- Requiring badges for physical access to the building
- Requiring all physical access to servers to be recorded in a written log
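The first two controls on the slide (password aging and password complexity) are the ones an account service enforces in code. The following is an added example, not code from the slides; the concrete numbers (12-character minimum, three character classes, 90-day maximum age) and the small common-password list are assumptions chosen for illustration. It also shows the part the slide leaves implicit: the password is stored only as a salted, memory-hard scrypt hash and compared in constant time.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta
from typing import List, Optional

# Policy values are assumptions for this example; the slide names the controls, not the numbers.
MIN_LENGTH = 12
MIN_CLASSES = 3
MAX_AGE_DAYS = 90
SALT_LEN = 16
CHARACTER_CLASSES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
)
# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def complexity_errors(password: str) -> List[str]:
    """Return every complexity rule the candidate violates; an empty list means it is accepted."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for pattern in CHARACTER_CLASSES if pattern.search(password))
    if classes < MIN_CLASSES:
        errors.append(f"uses fewer than {MIN_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("appears in the common-password list")
    return errors


def _scrypt(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF: an attacker who steals the hash cannot guess cheaply at scale.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Store only salt || scrypt(password); the password itself is never written anywhere."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    return salt + _scrypt(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    # Constant-time compare so response timing does not leak how many bytes matched.
    return hmac.compare_digest(_scrypt(password, salt), digest)


def password_expired(last_changed: date, today: date) -> bool:
    """Password aging: a password older than MAX_AGE_DAYS must be changed."""
    return (today - last_changed).days > MAX_AGE_DAYS


def authenticate(password: str, stored: bytes, last_changed: date, today: date) -> str:
    """Login decision: 'denied' for a wrong password, 'expired' for a correct but aged one, else 'ok'."""
    if not verify_password(password, stored):
        return "denied"
    if password_expired(last_changed, today):
        return "expired"
    return "ok"


def change_password(old: str, new: str, stored: bytes) -> bytes:
    """Checks an account service runs on a change request; returns the new stored value."""
    if not verify_password(old, stored):
        raise PermissionError("current password incorrect")
    problems = complexity_errors(new)
    if problems:
        raise ValueError("; ".join(problems))
    if verify_password(new, stored):
        raise ValueError("new password must differ from the current one")
    return hash_password(new)
```

Note that the expiry check runs only after a successful verification, so an attacker guessing at an account cannot learn from the response whether the password has aged out.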

Security Tools
- Firewalls
- Public key infrastructure
- Encryption software
- Digital certificates
- Digital signatures
- Biometrics
- Passwords
- Locks and bars for operations centres

Security Testing
- Verification of the security requirement specification
- Verification of the configuration of the security tools specified in the security infrastructure
- Verification of any gap between the proposed security infrastructure and the implemented security infrastructure
- Verification of the limitations of the proposed security infrastructure with respect to known vulnerabilities

Security Testing
- Compliance testing
- Penetration testing

Compliance Models
- ISO 17799
- COBIT 2000
- SSE-CMM 2003
- ISO/IEC 2000

Security Guidelines
- Choose a secure e-commerce platform
- Use a secure (TLS) connection for online checkout and ensure PCI DSS compliance
- Do not store sensitive data (in particular, never keep the CVV, PIN or magnetic-stripe track data after authorization)
- Employ an address verification system (AVS) and card verification (CVV) checks
- Ensure strong passwords
- Set up system alerts for suspicious activity
- Provide layers of security
- Provide security training to employees
- Use tracking numbers for all orders
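"Do not store sensitive data" is the guideline most often broken by accident, because the checkout form hands the application the full card number and CVV and it is easy to let them reach the orders table or a log. The block below is an added example, not the slides' own material: it validates the card number with the Luhn check before it is sent to the gateway, keeps only the masked PAN (first six and last four digits, the most PCI DSS lets a merchant display) together with a processor-issued token, and refuses to persist any record that still carries the PAN, CVV, PIN or track data. The `gateway_token` parameter stands in for whatever reference the payment processor returns; that API is assumed, not taken from the page.

```python
import re
from typing import Dict

# Keys PCI DSS never allows at rest after authorization (sensitive authentication data),
# plus the full PAN, which this shop chooses not to keep at all.
FORBIDDEN_AT_REST = {"pan", "cvv", "cvv2", "cvc", "pin", "track1", "track2"}


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: rejects mistyped or fabricated card numbers before they go to the gateway."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def check_storable(record: Dict[str, str]) -> None:
    """Guard to call before any write to the orders database or to a log line."""
    leaked = FORBIDDEN_AT_REST & set(record)
    if leaked:
        raise ValueError(f"refusing to store sensitive card data: {sorted(leaked)}")


def record_for_storage(checkout: Dict[str, str], gateway_token: str) -> Dict[str, str]:
    """Turn the transient checkout form into the only card record the shop keeps.

    `gateway_token` is the reference the payment processor returns for the card (assumed API).
    The CVV in `checkout` is used for the authorization call only and is deliberately dropped.
    """
    pan = re.sub(r"\D", "", checkout["pan"])
    if not luhn_valid(pan):
        raise ValueError("card number fails the Luhn check")
    record = {
        "gateway_token": gateway_token,
        "pan_masked": mask_pan(pan),
        "last4": pan[-4:],
        "expiry": checkout["expiry"],
        "cardholder": checkout["cardholder"],
    }
    check_storable(record)
    return record


if __name__ == "__main__":
    # Constructed checkout data using a well-known test card number.
    form = {"pan": "4111 1111 1111 1111", "expiry": "12/27", "cvv": "123", "cardholder": "A Buyer"}
    print(record_for_storage(form, "tok_constructed_001"))
```

Run `check_storable` on anything that leaves the process, including structured log events, since request logs are the usual place a full PAN ends up at rest.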

Security Infrastructure
- Monitor the website regularly
- Perform regular PCI scans
- Apply patches to the systems in a timely manner
- Ensure DDoS protection and a mitigation service
- Consider a fraud management service
- Ensure regular backups
- Prepare a disaster recovery plan
- Use cookies for session handling, with the Secure and HttpOnly attributes set
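"Monitor the website regularly" and the earlier guideline "set up system alerts for suspicious activity" meet in the web server's access log, and the customer threat this chapter calls "password guessing" is the first thing worth alerting on there. The following is an added example, not part of the chapter: it parses combined-format access-log lines and raises an alert when one client IP reaches a threshold of failed logins inside a sliding time window, and a second alert if a login then succeeds from that IP while the burst is still in the window (the pattern of a guess that worked). The log lines are constructed for the example, using documentation address ranges; the threshold of five failures in one minute, the `/login` path and the use of HTTP 401 for a failed login are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# Constructed access-log lines (combined format); 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:06 +0000] "POST /login HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:58:30 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:59:00 +0000] "GET /orders/1001 HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Extract client IP, timestamp, method, path and status from one line (None if unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_password_guessing(
    lines: Iterable[str], threshold: int = 5, window: timedelta = timedelta(minutes=1)
) -> List[Tuple[str, str, datetime]]:
    """Return (ip, alert kind, time) tuples.

    One alert fires when an IP reaches `threshold` failed logins (401) inside `window`;
    a second fires if a login succeeds (200) from that IP while the burst is still in the window.
    """
    recent_failures = defaultdict(deque)   # ip -> timestamps of 401s still inside the window
    alerts = []
    for event in map(parse_line, lines):
        if event is None or event["method"] != "POST" or event["path"] != "/login":
            continue
        queue = recent_failures[event["ip"]]
        while queue and event["ts"] - queue[0] > window:   # slide the window forward
            queue.popleft()
        if event["status"] == 401:
            queue.append(event["ts"])
            if len(queue) == threshold:                     # fire once per burst, not per request
                alerts.append((event["ip"], "password guessing", event["ts"]))
        elif event["status"] == 200 and len(queue) >= threshold:
            alerts.append((event["ip"], "login success after guessing burst", event["ts"]))
    return alerts


if __name__ == "__main__":
    for ip, kind, when in detect_password_guessing(SAMPLE_LOG.splitlines()):
        print(f"{when.isoformat()} {ip} {kind}")
```

The second client in the sample (one failure, then a success three minutes later) produces no alert, which is the behaviour you want: a legitimate customer mistyping once must not trip the same rule as a tool cycling through a password list. Keying the window on the client IP is the simplest form of the rule; a distributed guessing run spread across many addresses needs the same count kept per target account as well.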