E-Commerce Security and Fraud Protection CHAPTER 9

Similar documents
The Information Security Problem

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

E-BUSINESS THREATS AND SOLUTIONS

CSI Computer Crime and Security Survey

Chapter 12 Objectives. Chapter 12 Computers and Society: Security and Privacy

E-commerce. business. technology. society. Kenneth C. Laudon Carol Guercio Traver. Second Edition. Copyright 2007 Pearson Education, Inc.

Data Management & Protection: Common Definitions

Content Teaching Academy at James Madison University

COB 302 Management Information System (Lesson 8)

Top tips for improved network security


COSC 472 Network Security

Part I: Ethics. Moral guidelines that govern use of computers and information systems. Unauthorized use of computer systems

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Cybersecurity for the C-Level

E-Commerce: Attacks and Preventative Strategies. The majority of not only our nation, but most of the world, is performing and conducting

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

GlobalSign Malware Monitoring

Boston University Security Awareness. What you need to know to keep information safe and secure

BE SAFE ONLINE: Lesson Plan

1. Any requesting personal information, or asking you to verify an account, is usually a scam... even if it looks authentic.

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

Alexander Nikov. 9. Information Assurance and Security, Protecting Information Resources. Learning Objectives. You re on Facebook? Watch Out!

Stopping zombies, botnets and other - and web-borne threats

Chapter 9: Network and Internet Security

E-COMMERCE and SECURITY - 1DL018

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Security A to Z the most important terms

Skoot Secure File Transfer

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

E-Business, E-Commerce

Spyware: Securing gateway and endpoint against data theft

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Desktop and Laptop Security Policy

Information Security

PROTECT YOUR COMPUTER AND YOUR PRIVACY!

Incident Response Plan for PCI-DSS Compliance

Network Security and the Small Business

TELE 301 Network Management. Lecture 18: Network Security

Commercial in confidence TELSTRA WHOLESALE ACCEPTABLE USE POLICY. Commercial-in-Confidence. Issue Number 1.5, 20 November 2012

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Security Goals Services

White paper. Phishing, Vishing and Smishing: Old Threats Present New Risks

Security Best Practices for Mobile Devices

WHITE PAPER. Understanding How File Size Affects Malware Detection

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information.

CYBERTRON NETWORK SOLUTIONS

Learn to protect yourself from Identity Theft. First National Bank can help.

Data Security Incident Response Plan. [Insert Organization Name]

9. Information Assurance and Security, Protecting Information Resources. Janeela Maraj. Tutorial 9 21/11/2014 INFO 1500

Online Security Awareness - UAE Exchange - Foreign Exchange Send Money UAE Exchange

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Cyber Security and Critical Information Infrastructure

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Where every interaction matters.

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

CHAPTER 10: COMPUTER SECURITY AND RISKS

How To Use A College Computer System Safely

Detailed Description about course module wise:

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Jort Kollerie SonicWALL

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

Top Ten Cyber Threats

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

Data Management Policies. Sage ERP Online

E-BUSINESS SECURITY ASPECTS

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Business Phone Security. Threats to VoIP and What to do about Them

6. ecommerce Security and Payment Systems. Alexander Nikov. Teaching Objectives. Video: Online Banking, Is It Secure?

A Systems Engineering Approach to Developing Cyber Security Professionals

Section 12 MUST BE COMPLETED BY: 4/22

Network Incident Report

The Key to Secure Online Financial Transactions

WEBARROW: A CASE STUDY OF SECURE WEB DEPLOYMENT

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Chapter 11 Computers and Society, Security, Privacy, and Ethics

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers Your Interactive Guide to the Digital World

Computer Security. Principles and Practice. Second Edition. Amp Kumar Bhattacharjee. Lawrie Brown. Mick Bauer. William Stailings

7 Cs of WEB design - Customer Interface

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS

ACS-3921/ Computer Security And Privacy. Lecture Note 5 October 7 th 2015 Chapter 5 Database and Cloud Security

Transcription:

E-Commerce Security and Fraud Protection CHAPTER 9

LEARNING OBJECTIVES 1. Understand the importance and scope of security of information systems for EC. 2. Describe the major concepts and terminology of EC security. 3. Learn about the major EC security threats, vulnerabilities, and technical attacks. 4. Understand Internet fraud, phishing, and spam. 5. Identify and assess major technologies and methods for securing EC access and communications. 9-1

THE INFORMATION SECURITY PROBLEM information security Protecting information and information systems from unauthorized access, use, disclosure, modification, inspection, recording or destruction 9-2

THE INFORMATION SECURITY PROBLEM THE DRIVERS OF EC SECURITY PROBLEMS The Internet s Vulnerable (weak) Design Domain Name System (DNS) Translates (converts) domain names to their numeric IP addresses IP address An address that uniquely identifies each computer connected to a network or the Internet 9-3

THE INFORMATION SECURITY PROBLEM Internet underground economy E-markets for stolen information made up of thousands of websites that sell credit card numbers, social security numbers, other data such as numbers of bank accounts, social network IDs, passwords, and much more keystroke logging (keylogging) A method of capturing and recording user keystrokes 9-4

BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE exposure The estimated cost, loss, or damage that can result if a threat exploit a vulnerability fraud Any business activity that uses dishonest practices or devices to rob another of property or other rights malware (malicious software) A generic term for malicious (hateful) software phishing A crime ware technique to steal the identity of a target company to get the identities of its customers 9-5

BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE Risk : The probability that a vulnerability will be known and used Spam: The electronic equivalent of junk mail vulnerability Weakness in software or other mechanism that threatens the confidentiality, integrity, or availability of an asset; it can be directly used by a hacker to gain access to a system or network zombies Computers infected with malware that are under the control of a spammer, hacker, or other criminal 9-6

9-7

BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE The Criminals and Methods hacker Someone who gains unauthorized access to a computer system cracker A malicious hacker who may represent a serious problem for a corporation 9-8

BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE EC Security Requirements authentication Process to verify (assure) the real identity of an individual, computer, computer program, or EC website authorization Process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform 9-9

9-10

TECHNICAL ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE MALICIOUS CODE: VIRUSES, WORMS, AND TROJAN HORSES virus A piece of software code that inserts itself into a host, including the operating systems, in order to propagate; it requires that its host program be run to activate it worm A software program that runs independently, consuming the resources of its host in order to maintain itself, that is capable of propagating a complete working version of itself onto another machine 9-11

TECHNICAL ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE macro virus (macro worm) A macro virus or macro worm is executed when the application object that contains the macro is opened or a particular procedure is executed Trojan horse A program that appears to have a useful function but that contains a hidden function that presents a security risk banking Trojan A Trojan that comes to life when computer owners visit one of a number of online banking or e-commerce sites 9-12

TECHNICAL ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE denial-of-service (DoS) attack An attack on a website in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources page hijacking Creating a rogue copy of a popular website that shows contents similar to the original to a Web crawler; once there, an unsuspecting user is redirected to malicious websites 9-13

TECHNICAL ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE botnet A huge number (e.g., hundreds of thousands) of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet 9-14

9-15

9-16

THE DEFENSE I: ACCESS CONTROL, ENCRYPTION, AND PKI access control Mechanism that determines who can legitimately use a network resource Authorization and Authentication biometric control An automated method for verifying the identity of a person based on physical or behavioral characteristics biometric systems Authentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice 9-17

THE DEFENSE I: ACCESS CONTROL, ENCRYPTION, AND PKI ENCRYPTION AND THE ONE-KEY (SYMMETRIC) SYSTEM encryption The process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or timeconsuming for an unauthorized person to unscramble (decrypt) it plaintext An unencrypted message in human-readable form ciphertext A plaintext message after it has been encrypted into a machine-readable form 9-18

THE DEFENSE I: ACCESS CONTROL, ENCRYPTION, AND PKI encryption algorithm The mathematical formula used to encrypt the plaintext into the ciphertext, and vice versa key (key value) The secret code used to encrypt and decrypt a message key space The large number of possible key values (keys) created by the algorithm to use when transforming the message 9-19

9-20

THE DEFENSE I: ACCESS CONTROL, ENCRYPTION, AND PKI symmetric (private) key encryption An encryption system that uses the same key to encrypt and decrypt the message Data Encryption Standard (DES) The standard symmetric encryption algorithm supported by the NIST and used by U.S. government agencies until October 2000 9-21

THE DEFENSE I: ACCESS CONTROL, ENCRYPTION, AND PKI public key infrastructure (PKI) A scheme for securing e-payments using public key encryption and various technical components public (asymmetric) key encryption Method of encryption that uses a pair of matched keys a public key to encrypt a message and a private key to decrypt it, or vice versa public key Encryption code that is publicly available to anyone private key Encryption code that is known only to its owner 9-22

THE DEFENSE II: SECURING E-COMMERCE NETWORKS firewall A single point between two or more networks where all traffic must pass (choke point); the device authenticates, controls, and logs all traffic packet Segment of data sent from one computer to another on a network 9-23

9-24

THE DEFENSE II: SECURING E-COMMERCE NETWORKS personal firewall A network node designed to protect an individual user s desktop system from the public network by monitoring all the traffic that passes through the computer s network interface card Additional Virus, Malware, and Botnet Protection 9-25

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information