992SEC14 Secure Electronic Commerce E-Finance Securit Control

8/3/2019 992SEC14 Secure Electronic Commerce E-Finance Securit Control

1/83

Secure Electronic Commerce

1

Min-Yuh Day

Assistant Professor

Dept. of Information Management,Tamkang University

http://mail.im.tku.edu.tw/~myday/2011-06-03

t(E-Finance Security Control Mechanisms)

992SEC14TGMXM0A

Fri. 6,7,8 (13:10-16:00) L526


2/83

2

Subject/Topics

1 100/02/18 (Course Orientation for Secure Electronic Commerce)

2 100/02/25 (Introduction to E-Commerce)

3 100/03/04 (E-Marketplaces)

4 100/03/11

(Retailing in Electronic Commerce: Products and Services)

5 100/03/18 (Online Consumer Behavior, Market Research, and

Advertisement)

6 100/03/25 B2BB2CC2C (B2B, B2C, C2C E-Commerce)

7 100/04/01 Web 2.0, Social Network, Social Media

8 100/04/08

9 100/04/15 (Mobile Computing and Commerce)

10 100/04/22

Syllabus


3/83

3

Subject/Topics

11 100/04/29 (E-Commerce Security)12 100/05/06 (Digital Certificate) [Module 4]

13 100/05/13 (Network and Website Security) [Module 5]

14 100/05/20 IC(Transaction Security, System Security, IC Card Security,

Electronic Commerce Payment Systems) [Module 6, 7, 8, 9]

15 100/05/27 (Mobile Commerce Security) [Module 12]

16 100/06/03 t(E-Finance Security Control Mechanisms) [Module 13]

17 100/06/10 (Operation Security Management)

18 100/06/17

Syllabus (cont.)


4/83

13 - 4

Module 13

t


5/83

13 - 5

1. t

2. 10

3.

4.


6/83

13 - 6

Module 13Module 13tt

Module 13-1

Module 13-2

Module 13-3 Module 13-4


7/83

13 - 7

Module 13Module 13--11


8/83

13 - 8


9/83

13 - 9

(59%)

(52%)

/(50%)

(26%)

(IM)(25%)

(25%)

(25%)


10/83

13 - 10

1. Port Scanning

2. SNMP Scanning

3. Enumeration & Banner Grabbing

4. Wireless Enumeration5. Vulnerability Scanning

6. Host Evaluation

7. Network Device Analysis

8. Password Compliance Testing

9. Application Specific Scanning

10. Network Sniffing


11/83

13 - 11

1. Port Scanning

Identify enabled network services on systems

Look for unauthorized services or backdoors

2. SNMP Scanning

Enumerate systems on the network Identify community strings

3. Enumeration & Banner Grabbing

Verification of operating system

4. Wireless Enumeration Tools Identify access points and potential exposures

5. Vulnerability Scanning

Identify well-known vulnerabilities on systems


12/83

13 - 12

6. Host Evaluation Analyze configuration, discretionary access control and

policies

7. Network Device Analysis

Analyze security architecture for well-known

vulnerabilities and insecure configurations8. Password Compliance Testing

Evaluate adherence to password policy and determinewhether password filters are being effectivelyimplemented

9. Application Specific Scanning Evaluate security configuration of critical applications

10. Network Sniffing

Identifies sensitive information traversing the network(log-in, passwords, server configurations via telnet, etc)


13/83

13 - 13

1. Port Scanning1. Port Scanning

Use nmap tool


14/83

13 - 14


Use SuperScan tool


15/83

13 - 15


Use FScan tool


16/83

13 - 16

2. SNMP Scanning2. SNMP Scanning

Use SNScan tool


17/83

13 - 17


Use SolarWinds SNMPweep tool


18/83

13 - 18


Use SolarWinds IP Network Browser tool


19/83

13 - 19

3. Enumeration3. Enumeration

Use nslookupDNS Server


20/83

13 - 20


Use finger tool on UNIX


21/83

13 - 21


Use rpcinfo tool on UNIX


22/83

13 - 22

3. Banner Grabbing3. Banner Grabbing

Use SuperScan tool


23/83

13 - 23


Use telnet (80) tool

GET


24/83

13 - 24


Use telnet (21) tool

FTP 21 PORT ?


25/83

13 - 25

4. Wireless Enumeration4. Wireless Enumeration

Use Network Stumbler tool


26/83

13 - 26

5. Vulnerability Scanning5. Vulnerability Scanning

Use Nessus tool


27/83

13 - 27


Use NeWT Security Scanner tool


28/83

13 - 28


Use Saint tool


29/83

13 - 29


Use IBM Internet Security Scanner tool


30/83

13 - 30

6. Host Evaluation6. Host Evaluation

Use CIS Windows Benchmark tool


31/83

13 - 31


Use MS-Baseline Security Analyzer tool


32/83

13 - 32


Use DameWare NT Utility tool


33/83

13 - 33

7. Network Device Analysis7. Network Device Analysis

Use Insightix tool


34/83

13 - 34

8. Password Compliance Testing8. Password Compliance Testing

Use L0phtcrack tool


35/83

13 - 35

9. Application Specific Scanning9. Application Specific Scanning

Use Wikto tool


36/83

13 - 36


Use WebInspect tool


37/83

13 - 37


Use NGS Squirrel tool


38/83

13 - 38

10. Network Sniffing10. Network Sniffing

Use Ethereal tool


39/83

13 - 39

Internet (B2C)

Extranet (B2B)

Cross Domain Intranet (HK, VN, JP, USetc)

Web Zone

Application / Database / Testing Zone

Transaction / Mainframe Zone

IDS / IPS

,

BIOS, HDD, USB,


40/83

13 - 40

http://www.owasp.org

Top 10 in 2007

A1 Cross Site Scripting (XSS)

A2 Injection Flaws

A3 Malicious File Execution

A4 Insecure Direct Object Reference

A5 Cross Site Request Forgery (CSRF)

A6 Information Leakage and Improper Error Handling

A7 Broken Authentication and Session ManagementA8 Insecure Cryptographic Storage

A9 Insecure Communications

A10 Failure to Restrict URL Access


41/83

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

The OWASP Top 10 Web Application Security Risks for 2010

A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery (CSRF)

A6: Security Misconfiguration

A7: Insecure Cryptographic Storage

A8: Failure to Restrict URL Access

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards

13 - 41


42/83

13 - 42

A1: Injection Flaws

http://www.owasp.org

Source Code Secure Review

Web Application Firewall (WAF)


43/83

13 - 43

Module 13Module 13--22


44/83

13 - 44

tt http://www.ba.org.tw/

t

ttt

//


45/83

13 - 45

tt

t


46/83

13 - 46

(Electronic Banking)t()

ttt

t

t(Dial-Up, Lease-Line, VPN)

(Value Added NetworkVAN)

(Internet)


47/83

13 - 47

(////)

(

t)


48/83

13 - 48

< 5 < 10 < 20

(OTP),


49/83

13 - 49

tt

t(Lease-Line, VPN)

(VAN)

(Internet)

-

-

-

-

-

-

-

-

-

-

-

-

- , -

()t


50/83

13 - 50

(ID and Password)

t(FISC Card)

(One Time Password)

(Digital Signature)


51/83

13 - 51

() (),

(, )


52/83

13 - 52

()

Documents

992SEC14 Secure Electronic Commerce E-Finance Securit Control