Security Issues, E-Commerce Threats
Part-1
Security in Cyberspace
The field of electronic security focuses on designing measures that can enforce security policies.
Security in e-commerce generally employs procedures such as authentication, ensuring confidentiality, and the use of cryptography to communicate over open systems.
The electronic system that supports e-commerce is susceptible to abuse and failure in many ways.
Security in Cyberspace
The electronic system that supports e-commerce is susceptible to the following threats:
Fraud: resulting in direct financial loss. Funds might be transferred from one account to another, or financial records might simply be destroyed.
Electronic Business MS114
UNIT-II
Security in Cyberspace
Theft: theft of confidential, proprietary, technological, or marketing information belonging to the firm or to the customer. An intruder may disclose such information to a third party, resulting in damage to a key customer, a client, or the firm itself.
Disruption: disruption of service resulting in major losses to business or inconvenience to the customer.
Security in Cyberspace
Loss: loss of customer confidence stemming from illegal intrusion into customer files or company business, dishonesty, human mistakes, or network failure.
Security Issues
Security concerns generally include the following issues:
Confidentiality: knowing who can read data; ensuring that information in the network remains private. This is done via encryption.
Identification and Authentication: making sure that the message sender or principal is authentic.
Security Issues
Availability: system resources are safeguarded from tampering and are available to authorized users at the time and in the format needed.
Integrity: making sure that information is not accidentally or maliciously altered or corrupted in transit.
Access Control: restricting the use of resources to authorized principals.
Security Issues
Nonrepudiation: ensuring that a principal cannot deny that they sent the message.
Privacy: individual rights to nondisclosure.
Firewalls: a filter between the corporate network and the Internet that secures corporate information and files from intruders while allowing access to authorized principals.
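As an added illustration (not part of the lecture slides), the Go program below turns the properties listed above into concrete mechanisms for an e-commerce order message: AES-GCM gives confidentiality and integrity, and an Ed25519 signature gives sender authentication and nonrepudiation, since a third party can verify it with only the public key. The order text and demo key are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// NewOrderCipher builds an AES-256-GCM AEAD from a 32-byte key.
func NewOrderCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealMessage gives confidentiality (the order text is hidden) and integrity
// (the GCM tag lets the receiver detect any alteration in transit).
func SealMessage(aead cipher.AEAD, plaintext []byte) (nonce, ciphertext []byte) {
	nonce = make([]byte, aead.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // crypto/rand failing is not recoverable
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil)
}

// OpenMessage returns an error if any byte of nonce or ciphertext was changed.
func OpenMessage(aead cipher.AEAD, nonce, ciphertext []byte) ([]byte, error) {
	return aead.Open(nil, nonce, ciphertext, nil)
}

// An Ed25519 signature gives authentication and nonrepudiation: only the holder
// of the private key can produce it, yet anyone with the public key (including a
// third party settling a dispute) can verify it, so the sender cannot deny it.
func SignOrder(priv ed25519.PrivateKey, order []byte) []byte { return ed25519.Sign(priv, order) }
func VerifyOrder(pub ed25519.PublicKey, order, sig []byte) bool { return ed25519.Verify(pub, order, sig) }

func main() {
	key := make([]byte, 32) // constructed demo key; real keys come from key agreement
	rand.Read(key)
	aead, _ := NewOrderCipher(key)
	nonce, ct := SealMessage(aead, []byte("order 42: pay 9.99")) // constructed order
	ct[0] ^= 1 // simulate corruption in transit
	_, err := OpenMessage(aead, nonce, ct)
	fmt.Println("tampered order rejected:", err != nil)
}
```

Note that an HMAC would also give integrity and authentication between the two parties, but not nonrepudiation, because both sides hold the same key and either could have produced the tag.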
Security Threats in the E-commerce Environment
Three key points of vulnerability: client, server, communications channel.
Most common threats: malicious code, hacking and cybervandalism, credit card fraud/theft, zombied PCs, phishing, denial of service attacks, sniffing, spoofing.
A Typical E-commerce Transaction (figure slide; diagram not reproduced in text)
Vulnerable Points in an E-commerce Environment (figure slide; diagram not reproduced in text)
Malicious Code
Virus: a software program which attaches itself to other programs without the owner of the program being aware of it. When the main program is executed the virus spreads, causing damage.
Worms: designed to spread from computer to computer. A worm can spread without any human intervention, can propagate through a network, and can affect handheld devices.
Trojan horse: software that appears to perform a desirable function for the user prior to running or installing. Perhaps in addition to the expected function, it steals information or harms the system.
Malicious Code
Bad applets (malicious mobile code): malicious Java applets or ActiveX controls that may be downloaded onto the client and activated merely by surfing to a Web site.
Examples of Malicious Code (figure slide; not reproduced in text)
Hacking and Cybervandalism
Hacker: individual who intends to gain unauthorized access to a computer system.
Cracker: used to denote a hacker with criminal intent (the two terms are often used interchangeably).
Cybervandalism: intentionally disrupting, defacing or destroying a Web site.
Types of hackers include:
White hats: members of tiger teams used by corporate security departments to test their own security measures.
Black hats: act with the intention of causing harm.
Grey hats: believe they are pursuing some greater good by breaking in and revealing system flaws.
Credit Card Fraud
Fear that credit card information will be stolen deters online purchases.
Hackers target credit card files and other customer information files on merchant servers, and use the stolen data to establish credit under a false identity.
One solution: new identity verification mechanisms.
Kinds of Threats or Crimes
Zombied PCs: a zombie computer (often shortened to zombie) is a computer connected to the Internet that has been compromised by a hacker, computer virus or Trojan horse. Generally, a compromised machine is only one of many in a botnet and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.
Kinds of Threats or Crimes
Phishing: the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies.
Kinds of Threats or Crimes
DoS: a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.
Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.
Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers.
The term is generally used with regard to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.
One common method of attack involves saturating the target machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.
Kinds of Threats or Crimes
Sniffing: a type of eavesdropping program that monitors information traveling over a network; it enables hackers to steal proprietary information from anywhere on a network.
Spoofing: misrepresenting oneself by using fake e-mail addresses or masquerading as someone else.