

  • Number of slides: 26

Chapter 10: Electronic Commerce Security

Online Security Issues Overview
• Computer security
  - The protection of assets from unauthorized access, use, alteration, or destruction
• Physical security
  - Includes tangible protection devices
• Logical security
  - Protection of assets using nonphysical means
• Threat
  - Any act or object that poses a danger to computer assets

Terms - Managing Risk
• Countermeasure
  - General name for a procedure that recognizes, reduces, or eliminates a threat
• Eavesdropper
  - Person or device that can listen in on and copy Internet transmissions
• Crackers or hackers
  - Write programs or manipulate technologies to obtain unauthorized access to computers and networks

Computer Security Classification
• Secrecy/Confidentiality
  - Protecting against unauthorized data disclosure
  - Technical issues
• Privacy
  - The ability to control the use of information about oneself
  - Legal issues
• Integrity
  - Preventing data modification by an unauthorized party
• Necessity
  - Preventing data delays or denials (removal)
• Nonrepudiation
  - Ensuring that e-commerce participants do not deny (i.e., repudiate) their online actions
• Authenticity
  - The ability to verify the identity of a person or entity with whom you are dealing on the Internet

Some solutions --

Exercise
• Visit the Copyright Web site:
  - http://www.benedict.com/
• Check out examples of copyright infringement:
  - Audio arts
  - Visual arts
  - Digital arts
• Read the comments under "Info"

Security Threats in the E-commerce Environment
Three key points of vulnerability:
• the client
• the communications pipeline
• the server

Active Content
• Active content refers to programs embedded transparently in Web pages that cause an action to occur
• Scripting languages
  - Provide scripts, or commands, that are executed
• Applet
  - Small application program
  - Java
  - ActiveX
• Trojan horse
  - Program hidden inside another program or Web page that masks its true purpose
• Zombie
  - Program that secretly takes over another computer to launch attacks on other computers
  - Attacks can be very difficult to trace to their creators

Viruses, Worms, and Antivirus Software
• Virus
  - Software that attaches itself to another program
  - Can cause damage when the host program is activated
• Macro virus
  - Type of virus coded as a small program (macro) and embedded in a file
• Antivirus software
  - Detects viruses and worms

Digital Certificates
• A digital certificate is a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be
• A certificate is signed code or messages that provide proof that the holder is the person identified by the certificate
• Main elements:
  - Certificate owner's identifying information
  - Certificate owner's public key
  - Dates between which the certificate is valid
  - Name of the certificate issuer
  - Serial number of the certificate
  - Digital signature of the certificate issuer
• Certification authority (CA) issues digital certificates

Communication Channel Security
• Recall that:
  - Secrecy is the prevention of unauthorized information disclosure
  - Privacy is the protection of individual rights to nondisclosure
• Sniffer programs
  - Provide the means to record information passing through a computer or router that is handling Internet traffic
• Demonstration of a Java implementation of a packet sniffer

Other Threats

Integrity
• Integrity threats exist when an unauthorized party can alter a message stream of information
• Cybervandalism
  - Electronic defacing of an existing Web site's page
• Masquerading or spoofing
  - Pretending to be someone you are not
• Domain name servers (DNSs)
  - Computers on the Internet that maintain directories that link domain names to IP addresses

Anonymizer
• A Web site that provides a measure of secrecy as long as it's used as the portal to the Internet
  - http://www.anonymizer.com

Necessity
• Purpose is to disrupt or deny normal computer processing
• DoS attacks
  - Remove information altogether
  - Delete information from a transmission or file

Wireless Network Threats
• Wardrivers
  - Attackers drive around using their wireless-equipped laptop computers to search for accessible networks
• Warchalking
  - When wardrivers find an open network they sometimes place a chalk mark on the building

Tools Available to Achieve Site Security

Encryption
• Transforms plain text or data into cipher text that cannot be read by anyone outside of the sender and the receiver
• Purpose:
  - to secure stored information
  - to secure information transmission
• Cipher text
  - text that has been encrypted and thus cannot be read by anyone besides the sender and the receiver
• Symmetric key encryption
  - DES standard most widely used

Group Exercise
• Julius Caesar supposedly used secret codes known today as Caesar ciphers. The simplest replaces A with B, B with C, etc. This is called a one-rotate code. The following is encrypted using a simple Caesar rotation cipher. See if you can decrypt it:
• Mjqqt hfjxfw. Mtb nx dtzw hnumjw? Xyfd fbfd kwtr ymj xjsfyj ytifd.
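As an added example (not part of the original slides), the exercise ciphertext worked in Python: a rotation cipher has only 26 possible keys, so the whole key space can be tried and each candidate scored against a small English word list; the word list below is constructed for this exercise.

```python
import string

# Constructed: a few common English words used to score candidate plaintexts
COMMON_WORDS = {"the", "is", "your", "how", "from", "away", "stay", "today", "and", "a"}

def rotate(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions, preserving case and non-letters."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = "A" if ch.isupper() else "a"
            out.append(chr((ord(ch) - ord(base) + shift) % 26 + ord(base)))
        else:
            out.append(ch)
    return "".join(out)

def encrypt(plaintext: str, shift: int) -> str:
    return rotate(plaintext, shift)

def decrypt(ciphertext: str, shift: int) -> str:
    return rotate(ciphertext, -shift)

def score(candidate: str) -> int:
    """Count recognised English words; a higher score is a more plausible plaintext."""
    words = candidate.lower().translate(str.maketrans("", "", string.punctuation)).split()
    return sum(w in COMMON_WORDS for w in words)

def brute_force(ciphertext: str):
    """Try all 26 rotations and return (best_shift, plaintext): the key space is tiny."""
    candidates = [(decrypt(ciphertext, k), k) for k in range(26)]
    best_text, best_shift = max(candidates, key=lambda c: score(c[0]))
    return best_shift, best_text

if __name__ == "__main__":
    EXERCISE = "Mjqqt hfjxfw. Mtb nx dtzw hnumjw? Xyfd fbfd kwtr ymj xjsfyj ytifd."
    shift, plaintext = brute_force(EXERCISE)
    print(f"shift {shift}: {plaintext}")
```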

Encryption
• Public key cryptography
  - uses two mathematically related digital keys: a public key and a private key.
  - The private key is kept secret by the owner, and the public key is widely disseminated.
  - Both keys can be used to encrypt and decrypt a message.
  - A key used to encrypt a message cannot be used to decrypt the message.

Public Key Cryptography with Digital Signatures

Public Key Cryptography: Creating a Digital Envelope
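An added worked example (not from the slides) that ties the three public key slides together with toy textbook RSA: encrypting with one key and decrypting with the other, a digital signature over a message digest, and a digital envelope that wraps a symmetric session key. The tiny primes, the one-byte-per-block layout and the SHA-256 keystream cipher are constructed stand-ins for real key sizes, padding and AES/DES.

```python
import hashlib
import os

# Constructed toy parameters: tiny primes, textbook RSA, no padding. Real systems use
# 2048-bit moduli and padded schemes; this only illustrates the key relationships.
P, Q = 61, 53
N = P * Q                            # modulus 3233
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (2753); needs Python 3.8+
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)

def rsa_apply(key, values):
    """Raise each value to the key's exponent modulo N (works with either key)."""
    exp, mod = key
    return [pow(v, exp, mod) for v in values]

def encrypt_bytes(key, data: bytes):
    return rsa_apply(key, data)                  # one RSA block per byte (toy sizes)

def decrypt_bytes(key, blocks):
    return bytes(rsa_apply(key, blocks))         # only the matching key yields bytes

def message_digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(private_key, message: bytes) -> int:
    """Digital signature: the sender applies its private key to the message digest."""
    return pow(message_digest(message), *private_key)

def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check the signature against the digest."""
    return pow(signature, *public_key) == message_digest(message)

def keystream_xor(session_key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter keystream XOR); stands in for AES/DES."""
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(session_key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)

def seal_envelope(recipient_public_key, message: bytes):
    """Digital envelope: symmetric session key wrapped with the recipient's public key."""
    session_key = os.urandom(16)
    return encrypt_bytes(recipient_public_key, session_key), keystream_xor(session_key, message)

def open_envelope(recipient_private_key, envelope):
    wrapped_key, body = envelope
    session_key = decrypt_bytes(recipient_private_key, wrapped_key)
    return keystream_xor(session_key, body)
```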

Securing Channels of Communications
• Secure Sockets Layer (SSL) is the most common form of securing channels
• Secure negotiated session
  - client-server session where the requested document URL, contents, forms, and cookies are encrypted
• Session key is a unique symmetric encryption key chosen for a single secure session

Firewalls
• Software or hardware and software combination installed on a network to control packet traffic
• Provides a defense between the network to be protected and the Internet, or other network that could pose a threat
• Characteristics
  - All traffic from inside to outside and from outside to inside the network must pass through the firewall
  - Only authorized traffic is allowed to pass
  - Firewall itself is immune to penetration
• Trusted networks are inside the firewall
• Untrusted networks are outside the firewall
• Packet-filter firewalls
  - Examine data flowing back and forth between a trusted network and the Internet
• Gateway servers
  - Firewalls that filter traffic based on the application requested
• Proxy server firewalls
  - Firewalls that communicate with the Internet on the private network's behalf
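An added Python example (not from the slides) of the packet-filter behaviour just described: a default-deny rule table that lets only authorized traffic pass between the trusted inside network and the untrusted outside, plus the anti-spoofing check a practitioner adds so that an outside packet cannot borrow a trusted source address. The addresses and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: the trusted network sits inside the firewall,
# everything else is untrusted.
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    iface: str          # "inside" or "outside": the side the packet arrived on

@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    src_net: str        # CIDR, or "any"
    dst_net: str
    proto: str          # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr, net):
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(pkt.src, self.src_net) and in_net(pkt.dst, self.dst_net)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))

# Only authorized traffic passes: anything not explicitly allowed is dropped.
RULES = [
    Rule("allow", "any", "10.0.0.80/32", "tcp", 443),   # public HTTPS to the web server
    Rule("deny",  "any", "10.0.0.80/32", "tcp", 22),    # no remote admin from outside
    Rule("allow", "10.0.0.0/24", "any", "tcp", None),   # inside hosts may reach out
    Rule("allow", "10.0.0.0/24", "any", "udp", 53),     # inside DNS lookups
]

def filter_packet(pkt: Packet, rules=RULES) -> str:
    """First matching rule wins; the default policy is deny."""
    # Anti-spoofing: a packet arriving on the outside interface cannot legitimately
    # carry a trusted-network source address, whatever the rules would say.
    if pkt.iface == "outside" and ipaddress.ip_address(pkt.src) in TRUSTED_NET:
        return "deny"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"
```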

Security Policy and Integrated Security
• A security policy is a written statement describing:
  - Which assets to protect and why they are being protected
  - Who is responsible for that protection
  - Which behaviors are acceptable and which are not
• First step in creating a security policy
  - Determine which assets to protect from which threats
• Elements of a security policy address:
  - Authentication
  - Access control
  - Secrecy
  - Data integrity
  - Audits
• Protection of Information Assets, CISA 2006 Exam Preparation

Tension Between Security and Other Values
• Ease of use
  - Often security slows down processors and adds significantly to data storage demands. Too much security can harm profitability; not enough can mean going out of business.
• Public safety & criminal use
  - Claims of individuals to act anonymously vs. needs of public officials to maintain public safety in light of criminals or terrorists.

Some questions
• Can Internet security measures actually create opportunities for criminals to steal? How?
• Why are some online merchants hesitant to ship to international addresses?
• What are some steps a company can take to thwart cybercriminals from within a business?
• Is a computer with anti-virus software protected from viruses? Why or why not?
• What are the differences between encryption and authentication?
• Discuss the role of administration in implementing a security policy.

Security for Server Computers
• Web server
  - Can compromise secrecy if it allows automatic directory listings
  - Can compromise security by requiring users to enter a username and password
• Dictionary attack programs
  - Cycle through an electronic dictionary, trying every word in the book as a password
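An added example (not from the slides) of the defensive side of the dictionary attack just described: rejecting dictionary words (including common character substitutions) when a password is set, and locking an account after a burst of failed logins so that cycling through a word list locks the account rather than finding the password. The word list, thresholds and credential checker are constructed.

```python
import time
from collections import defaultdict

# Constructed: a tiny stand-in for the electronic dictionary an attacker would cycle through
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "football"}
LEET = str.maketrans("@$01!3", "asoile")   # undo substitutions such as p@$$w0rd

MAX_FAILURES = 5        # failed attempts allowed per account ...
WINDOW_SECONDS = 300    # ... within this window before the account is locked

def rejects_dictionary_word(password: str) -> bool:
    """Policy check at password-set time: reject words a dictionary attack tries first."""
    core = password.lower().rstrip("0123456789!").translate(LEET)
    return core in DICTIONARY or password.lower() in DICTIONARY

class LoginGuard:
    """Counts failures per account so a dictionary attack locks the account out."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock                     # injectable for testing
        self.failures = defaultdict(list)      # account -> timestamps of recent failures

    def _recent(self, account):
        cutoff = self.clock() - WINDOW_SECONDS
        self.failures[account] = [t for t in self.failures[account] if t > cutoff]
        return self.failures[account]

    def is_locked(self, account: str) -> bool:
        return len(self._recent(account)) >= MAX_FAILURES

    def attempt(self, account: str, password: str, check_credentials) -> str:
        """Returns 'locked', 'ok' or 'failed'; check_credentials is the real verifier."""
        if self.is_locked(account):
            return "locked"                    # refuse even a correct password while locked
        if check_credentials(account, password):
            self.failures.pop(account, None)
            return "ok"
        self.failures[account].append(self.clock())
        return "failed"
```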

Other Programming Threats
• Buffer
  - An area of memory set aside to hold data read from a file or database
• Buffer overrun
  - Occurs because the program contains an error or bug that causes the overflow
• Mail bomb
  - Occurs when hundreds or even thousands of people each send a message to a particular address

Organizations that Promote Computer Security
• CERT
  - Responds to thousands of security incidents each year
  - Helps Internet users and companies become more knowledgeable about security risks
  - Posts alerts to inform the Internet community about security events
  - www.cert.org
• SANS Institute
  - A cooperative research and educational organization
• SANS Internet Storm Center
  - Web site that provides current information on the location and intensity of computer attacks
• Microsoft Security Research Group
  - Privately sponsored site that offers free information about computer security issues