8/16/2019 Lauden Security
1/44
Copyright © 2007 Pearson Education, Inc. Slide 5-1
E-commerce
Kenneth C. Laudon
Carol Guercio Traver
business. technology. society.
Second Edition
Slide 5-2
Chapter 5
Security and Encryption
Slide 5-3
The Merchant Pays
Class Discussion
- Why are offline credit card security procedures not applicable in the online environment?
- What new techniques are available to merchants that would reduce credit card fraud?
- Why should the merchant bear the risk of online credit purchases? Why not the issuing banks?
- What other steps can merchants take to reduce credit card fraud at their sites?
- Why are merchants reluctant to add additional security measures?
Slide 5-4
The E-commerce Security Environment: The Scope of the Problem
- Overall size of cybercrime unclear; amount of losses significant but stable; individuals face new risks of fraud that may involve substantial uninsured losses
- Symantec: Over [illegible] overall attacks a day against business firms between July 2004 and June 200[?]
- 200[?] Computer Security Institute survey: 5[?]% of respondents had detected breaches of computer security within the last 12 months, and [?]1% of these suffered financial loss as a result; over [?]% experienced denial of service attacks; over [?]% detected virus attacks
Slide 5-5
The E-commerce Security Environment
Figure 5.4, Page 253
Slide 5-6
Dimensions of E-commerce Security
- Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party
- Nonrepudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions
- Authenticity: ability to identify the identity of a person or entity with whom you are dealing on the Internet
- Confidentiality: ability to ensure that messages and data are available only to those authorized to view them
- Privacy: ability to control use of information a customer provides about himself or herself to merchant
- Availability: ability to ensure that an e-commerce site continues to function as intended
Slide 5-7
Customer and Merchant Perspectives on the Different Dimensions of E-commerce Security
Table 5.1, Page 254
Slide 5-8
The Tension Between Security and Other Values
- Security vs. ease of use: the more security measures that are added, the more difficult a site is to use, and the slower it becomes
- Security vs. desire of individuals to act anonymously
Slide 5-10
Security Threats in the E-commerce Environment (cont'd)
Most common threats:
- Malicious code
- Phishing
- Hacking and cybervandalism
- Credit card fraud/theft
- Spoofing (pharming)
- Denial of service attacks
- Sniffing
- Insider […]
Slide 5-11
A Typical E-commerce Transaction
Figure 5.5, Page 257
SOURCE: Boncella, 2000.
Slide 5-12
Vulnerable Points in an E-commerce Environment
Figure 5.6, Page 258
SOURCE: Boncella, 2000.
Slide 5-13
Malicious Code
- Viruses: computer program that has ability to replicate and spread to other files; most also deliver a "payload" of some sort (may be destructive or benign); include macro viruses, file-infecting viruses, and script viruses
- Worms: designed to spread from computer to computer
- Tro[…]
Slide 5-14
Phishing
- Any deceptive, online attempt by a third party to obtain confidential information for financial gain
- Most popular type: e-mail scam letter
- One of fastest growing forms of e-commerce crime
Slide 5-16
Credit Card Fraud
- Fear that credit card information will be stolen deters online purchases
- Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under false identity
- One solution: New identity verification mechanisms
Slide 5-17
Insight on Society: "Evil Twins" and "Pharming"
- […] "evil twins" and "pharming"
- What is meant by "social engineering" techniques?
- What is the security weakness in the domain name system that permits pharming?
- What steps can users take to verify they are communicating with authentic sites and networks?
Slide 5-18
Spoofing (Pharming)
- Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
- Threatens integrity of site; authenticity
Slide 5-19
DoS and DDoS Attacks
- Denial of service (DoS) attack: Hackers flood Web site with useless traffic to inundate and overwhelm network
- Distributed denial of service (DDoS) attack: hackers use numerous computers to attack target network from numerous launch points
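The distinction the slide draws (one flooding host versus many launch points) is exactly what decides how a defender has to detect a flood. The Python program below is an added example written for this page, not code from the textbook or its slides: it parses constructed web-server access-log lines in Common Log Format and runs two sliding-window checks, a per-source request threshold that catches a single-host DoS and an aggregate threshold that catches a DDoS in which no individual source is loud enough to trip the first check. The log lines, IP addresses (RFC 5737 documentation ranges), thresholds and function names are all constructed for the example.

```python
"""Added example: flood detection over constructed web-server access log lines.
A per-source threshold catches a single-host DoS; an aggregate threshold
catches a DDoS in which every source stays under the per-source limit."""
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: client address, identity, user, [timestamp] "request ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return (client_ip, timestamp) or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)


def detect_floods(lines, window=timedelta(seconds=10), per_source_limit=50, aggregate_limit=400):
    """Slide a time window over the requests in timestamp order; report sources
    exceeding per_source_limit and whether the total inside any window exceeded
    aggregate_limit (the distributed case, where no single source is loud)."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[1])
    recent, per_ip = deque(), Counter()  # events inside the current window
    flagged, aggregate_alert = set(), False
    for ip, ts in events:
        recent.append((ip, ts))
        per_ip[ip] += 1
        while ts - recent[0][1] > window:  # expire events older than the window
            old_ip, _ = recent.popleft()
            per_ip[old_ip] -= 1
        if per_ip[ip] > per_source_limit:
            flagged.add(ip)
        if len(recent) > aggregate_limit:
            aggregate_alert = True
    return {"sources": flagged, "aggregate": aggregate_alert}


def make_lines(ip, count, start, spacing_ms):
    """Construct CLF lines for one client: `count` requests, one every spacing_ms."""
    return [f'{ip} - - [{(start + timedelta(milliseconds=i * spacing_ms)).strftime(TS_FMT)}] '
            f'"GET / HTTP/1.1" 200 512' for i in range(count)]


T0 = datetime(2019, 8, 16, 12, 0, 0, tzinfo=timezone.utc)
# Constructed traffic. Five ordinary clients, ten requests each over nine seconds.
NORMAL = [l for k in range(5) for l in make_lines(f"192.0.2.{k + 1}", 10, T0, 900)]
# One host sending 300 requests in six seconds on top of normal traffic (DoS).
SINGLE_SOURCE = NORMAL + make_lines("198.51.100.9", 300, T0, 20)
# Thirty hosts, twenty requests each within five seconds: no host exceeds the
# per-source limit, but together they are 600 requests in one window (DDoS).
DISTRIBUTED = NORMAL + [l for k in range(30)
                        for l in make_lines(f"203.0.113.{k + 1}", 20,
                                            T0 + timedelta(milliseconds=7 * k), 250)]

if __name__ == "__main__":
    for name, log in (("normal", NORMAL), ("dos", SINGLE_SOURCE), ("ddos", DISTRIBUTED)):
        print(name, detect_floods(log))
```

The aggregate check is the one that matters for the DDoS case: blocking the sources it reports is of little use when there are thousands of them, so in practice its output feeds rate limiting or upstream scrubbing rather than a blocklist.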
Slide 5-20
Other Security Threats
- Sniffing: Type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network
- Insider […]
Slide 5-21
Technology Solutions
- Protecting Internet communications (encryption)
- Securing channels of communication (SSL, S-HTTP, VPNs)
- Protecting networks (firewalls)
- Protecting servers and clients
Slide 5-22
Tools Available to Achieve Site Security
Figure 5.7, Page 269
Slide 5-23
Protecting Internet Communications: Encryption
- Encryption: The process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver
- Purpose: Secure stored information and information transmission
- Provides: Message integrity, Nonrepudiation, Authentication, Confidentiality
Slide 5-24
Symmetric Key Encryption
- Also known as secret key encryption
- Both the sender and receiver use the same digital key to encrypt and decrypt message
- Requires a different set of keys for each transaction
- Data Encryption Standard (DES): Most widely used symmetric key encryption today; uses 56-bit encryption key; other types use 128-bit keys up through 2048 bits
Slide 5-25
Public Key Encryption
- Public key cryptography solves symmetric key encryption problem of having to exchange secret key
- Uses two mathematically related digital keys: public key (widely disseminated) and private key (kept secret by owner)
- Both keys are used to encrypt and decrypt message
- Once key is used to encrypt message, same key cannot be used to decrypt message
- For example, sender uses recipient's public key to encrypt message; recipient uses his/her private key to decrypt it
Slide 5-26
Public Key Cryptography - A Simple Case
Figure 5.8, Page 272
Slide 5-27
Public Key Encryption using Digital Signatures and Hash Digests
- Application of hash function (mathematical algorithm) by sender prior to encryption produces hash digest that recipient can use to verify integrity of data
- Double encryption with sender's private key (digital signature) helps ensure authenticity and nonrepudiation
Slide 5-28
Public Key Cryptography with Digital Signatures
Figure 5.9, Page 274
Slide 5-29
Digital Envelopes
- Addresses weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and symmetric key encryption (faster, but more secure)
- Uses symmetric key encryption to encrypt document but public key encryption to encrypt and send symmetric key
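The symmetric-key, public-key, digital-signature and digital-envelope slides describe one end-to-end workflow, and the Python program below is an added example for this page that walks through it in running code; it is not code from the Laudon and Traver textbook or its slides. It generates toy RSA key pairs (textbook RSA with Miller-Rabin-generated 256-bit primes and no padding, constructed here for illustration only and not safe for real use), uses an HMAC-SHA256 keystream as the symmetric cipher, signs a SHA-256 hash digest with the sender's private key, and wraps the one-time symmetric key with the recipient's public key so that only the matching private key can unwrap it. All function names, key sizes and the sample order message are the example's own assumptions.

```python
"""Added demo of the chapter's building blocks: a symmetric keystream cipher,
textbook RSA public-key encryption, a signed SHA-256 hash digest, and a
digital envelope.  Constructed for illustration only; unpadded textbook RSA
and home-made stream ciphers are not safe for production use."""
import hashlib
import hmac
import os
import random

def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probabilistic primality test with witnesses drawn from rng."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_prime(bits, rng):
    while True:  # force the top bit (size) and the low bit (odd), then test
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate

def rsa_keygen(bits=512, rng=None):
    """Return ((e, n), (d, n)): two mathematically related keys; what one key
    encrypts only the other can decrypt.  512-bit toy size, not a real key."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = generate_prime(bits // 2, rng), generate_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_apply(key, value):
    """Modular exponentiation with either key of the pair; value must be < n."""
    exponent, n = key
    return pow(value, exponent, n)

def stream_xor(key, nonce, data):
    """Symmetric cipher: the same key and nonce both encrypt and decrypt.
    Keystream = HMAC-SHA256(key, nonce || block counter), XORed with data."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)

def sign(message, private_key):
    """Digital signature: the SHA-256 digest of the message encrypted with the
    sender's private key (authenticity and nonrepudiation)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(private_key, digest)

def verify(message, signature, public_key):
    """Recipient recomputes the digest and compares it with the decrypted signature."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(public_key, signature) == digest

def seal(message, recipient_public, sender_private):
    """Digital envelope: symmetric encryption of the document, public-key
    encryption of the one-time symmetric key, plus the sender's signature."""
    session_key, nonce = os.urandom(16), os.urandom(12)
    return {
        "nonce": nonce,
        "ciphertext": stream_xor(session_key, nonce, message),
        "wrapped_key": rsa_apply(recipient_public, int.from_bytes(session_key, "big")),
        "signature": sign(message, sender_private),
    }

def open_envelope(envelope, recipient_private, sender_public):
    """Unwrap the session key with the recipient's private key, decrypt, then
    reject the message unless the sender's signature verifies."""
    key_int = rsa_apply(recipient_private, envelope["wrapped_key"])
    if key_int >= 1 << 128:  # wrong private key: the unwrapped value is not a 16-byte key
        raise ValueError("cannot unwrap session key with this private key")
    message = stream_xor(key_int.to_bytes(16, "big"), envelope["nonce"], envelope["ciphertext"])
    if not verify(message, envelope["signature"], sender_public):
        raise ValueError("signature check failed: altered in transit or not from claimed sender")
    return message

if __name__ == "__main__":
    alice_public, alice_private = rsa_keygen()  # sender's key pair
    bob_public, bob_private = rsa_keygen()      # recipient's key pair
    order = b"Order 1234: 2 units, card ending 4242"  # constructed sample document
    print(open_envelope(seal(order, bob_public, alice_private), bob_private, alice_public))
```

Two points the slides leave implicit are visible in the code: the signature is checked only after decryption, because it covers the plaintext digest, so an altered ciphertext surfaces as a signature failure rather than silently as garbage; and the public-key operation is done once, on a 16-byte key, while the bulk of the document goes through the fast symmetric cipher, which is the whole reason for the envelope. A production system would replace these primitives with RSA-OAEP or an ECDH key agreement for the wrap, RSA-PSS or ECDSA for the signature, and an AEAD cipher such as AES-GCM for the document.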
Slide 5-30
Public Key Cryptography: Creating a Digital Envelope
Figure 5.10, Page 275
Slide 5-31
Digital Certificates and Public Key Infrastructure (PKI)
- Digital certificate: Digital document that includes:
  - Name of sub[…]
Slide 5-32
Digital Certificates and Certification Authorities
Figure 5.11, Page 277
Slide 5-33
Limits to Encryption Solutions
- PKI applies mainly to protecting messages in transit
- PKI is not effective against insiders
- Protection of private keys by individuals may be haphazard
- No guarantee that verifying computer of merchant is secure
- CAs are unregulated, self-selecting organizations
Slide 5-35
Securing Channels of Communication
- Secure Sockets Layer (SSL): Most common form of securing channels of communication; used to establish a secure negotiated session (client-server session in which URL of requested document, along with contents, is encrypted)
- S-HTTP: Alternative method; provides a secure message-oriented communications protocol designed for use in con[…]
Slide 5-37
Protecting Networks: Firewalls and Proxy Servers
- Firewall: Hardware or software filters communications packets and prevents some packets from entering the network based on a security policy
- Firewall methods include:
  - Packet filters
  - Application gateways
- Proxy servers: Software servers that handle all communications originating from or being sent to the Internet
Slide 5-38
Firewalls and Proxy Servers
Figure 5.13, Page 283
Slide 5-40
A Security Plan: Management Policies
Steps in developing a security plan:
- Perform risk assessment: assessment of risks and points of vulnerability
- Develop security policy: set of statements prioritizing information risks, identifying acceptable risk targets, and identifying mechanisms for achieving targets
- Develop implementation plan: action steps needed to achieve security plan goals
- Create security organization: in charge of security; educates and trains users, keeps management aware of security issues; administers access controls, authentication procedures and authorization policies
- Perform security audit: review of security practices and procedures
Slide 5-41
Developing an E-commerce Security Plan
Figure 5.14, Page 286
Slide 5-42
Insight on Business: Hiring Hackers to Locate Threats: Penetration Testing
Class Discussion
- Why would firms hire outsiders to crash its systems?
- What are "grey" and "black" hats and why do firms avoid them as security testers?
- Are penetration specialists like Johnny Long performing a public service or […]
Slide 5-43
The Role of Laws and Public Policy
- New laws have granted local and national authorities new tools and mechanisms for identifying, tracing and prosecuting cybercriminals
- National Infrastructure Protection Center: unit within National Cyber Security Division of Department of Homeland Security whose mission is to identify and combat threats against U.S. technology and telecommunications infrastructure
- USA Patriot Act
- Homeland Security Act
- Government policies and controls on encryption software
Slide 5-44
OECD Guidelines
- 2002 Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems and Networks has nine principles:
  - Awareness
  - Responsibility
  - Response
  - Ethics
  - Democracy
  - Risk assessment
  - Security design and implementation
  - Security management
  - Reassessment