Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security

E-Business Security

Threat of Accidents and Malfunctions

- Operator error
- Hardware malfunction
- Software bugs
- Data errors
- Accidental disclosure of information
- Damage to physical facilities
- Inadequate system performance
- Liability for system failure

Threat of Computer Crime: Theft

- Theft of software and equipment
- Unauthorized use of access codes and financial passwords
- Theft by entering fraudulent transaction data
- Theft by stealing or modifying data
- Internet hoaxes for illegal gain
- Theft by modifying software

Threat of Computer Crime: Sabotage and Vandalism

- Trap door – a set of instructions that permits a user to bypass the computer system's security measures
- Trojan horse – a program that appears to be valid but contains hidden instructions that can cause damage

Threat of Computer Crime: Sabotage and Vandalism (cont.)

- Logic bomb – a type of Trojan horse set to activate when a particular condition occurs
- Virus – a special type of Trojan horse that can replicate itself and spread
- Denial of service attack – sabotaging a Web site by flooding it with incoming messages

Factors that Increase the Risks

- The nature of complex systems
- Human limitations
- Pressures in the business environment

Methods for Minimizing Risks

- Controlling system development and modifications
  - Software change control systems
- Providing security training
- Physical access controls

Controlling Access to Data, Computers, and Networks

- Guidelines for manual data handling
- Access privileges
- Access control based on what you know
  - Password
  - Password schemes
- Access control based on what you have
- Access control based on where you are
- Access control based on who you are
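The three factor classes on this slide, as an added example written for this rewrite (not code from the textbook): a salted PBKDF2 hash for what you know, an RFC 4226 counter-based one-time code for what you have, and a source-network check for where you are. The user record, password, token secret and networks are constructed sample data; the token secret is the RFC 4226 test-vector key, so the generated codes can be compared with the RFC's own table.

```python
"""Constructed example of the slide's factor classes: what you know (password),
what you have (one-time code from a token) and where you are (source network).
User names, secrets and networks are invented sample data."""
import hashlib
import hmac
import ipaddress
import os
import struct

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password, salt, stored_hash):          # what you know
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored_hash)


def hotp(secret, counter, digits=6):
    """Counter-based one-time code as in RFC 4226 (HMAC-SHA1 plus dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def check_token(secret, counter, code):                   # what you have
    return hmac.compare_digest(hotp(secret, counter), code)


def check_location(src_ip, allowed_networks):             # where you are
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed_networks)


def authenticate(user, password, code, src_ip):
    """Evaluate every factor and require all of them. The per-factor result is
    returned so the server can log which factor failed while the client is
    only told that the login was rejected."""
    factors = {
        "know": check_password(password, user["salt"], user["pw_hash"]),
        "have": check_token(user["token_secret"], user["token_counter"], code),
        "where": check_location(src_ip, user["allowed_from"]),
    }
    return all(factors.values()), factors


# Constructed user record. The salt is fixed only so the sample is reproducible;
# the token secret is the RFC 4226 test-vector key.
SALT, PW_HASH = hash_password("correct horse battery staple", salt=b"\x00" * 16)
USER = {
    "name": "alice",
    "salt": SALT,
    "pw_hash": PW_HASH,
    "token_secret": b"12345678901234567890",
    "token_counter": 0,
    "allowed_from": [ipaddress.ip_network("10.0.0.0/8")],
}

if __name__ == "__main__":
    good_code = hotp(USER["token_secret"], USER["token_counter"])
    print(authenticate(USER, "correct horse battery staple", good_code, "10.1.2.3"))
    print(authenticate(USER, "correct horse battery staple", "000000", "198.51.100.4"))
```

All three checks are evaluated and all must pass; a real deployment would also increment the stored counter after a successful code and rate-limit failed attempts.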

- Controlling incoming data flowing through networks and other media
  - Commercially available virus protection products
  - Firewall – software that inspects each incoming data packet and decides whether it is acceptable based on its IP address
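A packet filter of the kind the slide describes, as an added example written for this rewrite and not taken from the textbook: an ordered rule list, first match wins, and a default deny for anything unmatched. It goes one step beyond the slide's "based on its IP address" by also matching the destination port, because address-only rules cannot tell a public web port from an administrative service. The rule set, the addresses (RFC 5737 documentation ranges) and the sample packets are all constructed.

```python
"""Constructed packet-filter example: first-match rules over source address
and destination port, with deny as the default decision."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    source: ipaddress.IPv4Network   # source addresses the rule applies to
    dst_port: Optional[int] = None  # None matches any destination port


# Rule order matters: the first matching rule wins, so the block list comes first.
# Addresses are RFC 5737 documentation ranges (constructed sample data).
RULES = [
    Rule("deny", ipaddress.ip_network("203.0.113.0/24")),            # blocked range
    Rule("allow", ipaddress.ip_network("0.0.0.0/0"), dst_port=443),  # public HTTPS
    Rule("allow", ipaddress.ip_network("10.0.0.0/8"), dst_port=22),  # SSH from inside only
]


def decide(rules, src_ip, dst_port):
    """Return 'allow' or 'deny' for one packet; unmatched packets are denied."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in rule.source and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"                   # default deny: nothing is accepted implicitly


def filter_packets(rules, packets):
    """Label each (src_ip, dst_port) packet with the decision taken."""
    return [(src, port, decide(rules, src, port)) for src, port in packets]


def denied_by_source(decisions):
    """Count denies per source: repeated denies from one host are what an
    operator reviews when looking for scanning or other unusual activity."""
    return Counter(src for src, _, action in decisions if action == "deny")


# Constructed sample traffic.
SAMPLE_PACKETS = [
    ("198.51.100.9", 443),   # outside customer reaching the web site
    ("198.51.100.9", 22),    # outside host trying SSH
    ("10.2.3.4", 22),        # administrator on the internal network
    ("203.0.113.7", 443),    # blocked range, even to the public port
    ("203.0.113.7", 25),
]

if __name__ == "__main__":
    decisions = filter_packets(RULES, SAMPLE_PACKETS)
    for src, port, action in decisions:
        print(f"{src:>14} -> port {port:<4} {action}")
    print(dict(denied_by_source(decisions)))
```

The per-source deny count is the kind of signal a later slide calls "unusual activity": a host that is denied repeatedly is worth a closer look in the logs.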

Firewall and the Internet

Making the Data Meaningless to Unauthorized Users

- Public key encryption – encryption method based on two related keys, a public key and a private (secret) key
  - Also used to transmit the secret key used by the Data Encryption Standard (DES)
- Digital signatures – use public key encryption to authenticate the sender of a message and the message content

Encryption

Controlling Traditional Transaction Processing

- Data preparation and authorization
- Data validation
- Error correction
- Backup and recovery

Maintaining Security in Web-Based Transactions

- Public key infrastructure (PKI)
- Certification authority (CA) – a company that issues digital certificates
  - Digital certificates – computer-based records that identify the CA, identify the sender that is being verified, contain the sender's public key, and are digitally signed by the CA

Transaction Privacy, Authentication, Integrity, and Nonrepudiation

- Web transactions are encrypted using the Secure Socket Layer (SSL) protocol
  - Encrypts the transmission using a temporary key generated automatically based on session information
- Transaction authentication – the process of verifying the identity of the participants in a transaction
- Transaction integrity – ensuring that information is not changed after the transaction is completed
- Nonrepudiation – ensuring that neither party can deny that the transaction occurred
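One added example, written for this rewrite and not from the textbook, ties together the public-key slides: the key pairs and secret-key transport of "Making the Data Meaningless to Unauthorized Users", the CA-signed certificate of "Maintaining Security in Web-Based Transactions", and the temporary session key, authentication, integrity and nonrepudiation of this slide. Everything in it is constructed: the keys are textbook RSA on small primes with no padding, the HMAC-based stream cipher and tag stand in for the DES and SSL ciphers the slides name (SSL itself has since been replaced by TLS), and names such as Example CA and shop.example are invented.

```python
"""Toy walk-through, constructed for illustration: key pairs, a CA-signed
certificate, session-key transport, an encrypted and MAC-tagged order, and a
signed receipt. The RSA is textbook RSA on small primes with no padding, and
the HMAC stream cipher stands in for the DES / SSL ciphers the slides name."""
import hashlib
import hmac
import json
import secrets

# --- Toy RSA (constructed ~1e12 moduli; real keys are 2048 bits or more) ---
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))              # (public, private)

def rsa_apply(key, value):
    n, exponent = key
    return pow(value, exponent, n)

def digest_mod(data, n):
    # Hash-then-sign: reduce the SHA-256 digest into the modulus range.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    return rsa_apply(private_key, digest_mod(data, private_key[0]))

def verify(public_key, data, signature):
    return rsa_apply(public_key, signature) == digest_mod(data, public_key[0])

# --- Certificate: names the CA and the subject, carries the subject's public
#     key, and is signed by the CA so anyone holding the CA key can check it ---
def cert_bytes(record):
    return json.dumps(record, sort_keys=True).encode()

def issue_certificate(ca_private, issuer, subject, subject_public):
    record = {"issuer": issuer, "subject": subject, "public_key": list(subject_public)}
    return {"record": record, "ca_signature": sign(ca_private, cert_bytes(record))}

def verify_certificate(ca_public, cert):
    return verify(ca_public, cert_bytes(cert["record"]), cert["ca_signature"])

# --- Symmetric part: HMAC-SHA256 keystream in counter mode plus a MAC tag.
#     A constructed stand-in for the session cipher, not something to deploy. ---
def keystream(key, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    return ciphertext, hmac.new(key, ciphertext, "sha256").hexdigest()   # data + integrity tag

def open_sealed(key, ciphertext, tag):
    if not hmac.compare_digest(tag, hmac.new(key, ciphertext, "sha256").hexdigest()):
        return None                                      # altered in transit: reject
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(key, len(ciphertext))))

def run_transaction(order=b"buy 2 units, card ending 1234"):
    ca_pub, ca_priv = make_keypair(1000003, 1000033)     # constructed primes
    srv_pub, srv_priv = make_keypair(1000037, 1000039)
    cert = issue_certificate(ca_priv, "Example CA", "shop.example", srv_pub)

    # Authentication: the client trusts the server's key only through the CA signature.
    if not verify_certificate(ca_pub, cert):
        return {"authenticated": False}
    server_pub = tuple(cert["record"]["public_key"])

    # Key transport: a temporary session secret travels under the server's public key.
    session_secret = secrets.randbelow(server_pub[0] - 2) + 2
    recovered = rsa_apply(srv_priv, rsa_apply(server_pub, session_secret))
    client_key = hashlib.sha256(session_secret.to_bytes(8, "big")).digest()
    server_key = hashlib.sha256(recovered.to_bytes(8, "big")).digest()

    # Privacy and integrity: the order is encrypted and tagged; a flipped bit is rejected.
    ciphertext, tag = seal(client_key, order)
    received = open_sealed(server_key, ciphertext, tag)
    altered = ciphertext[:-1] + bytes([ciphertext[-1] ^ 0x01])
    tampered = open_sealed(server_key, altered, tag)

    # Nonrepudiation: the server signs a receipt that any holder of its certificate can verify.
    receipt = b"accepted:" + received
    receipt_sig = sign(srv_priv, receipt)
    return {
        "authenticated": True,
        "keys_match": client_key == server_key,
        "order_received": received,
        "tampered_rejected": tampered is None,
        "receipt_verifies": verify(server_pub, receipt, receipt_sig),
        "forged_receipt_rejected": not verify(server_pub, b"accepted:refund everything", receipt_sig),
    }

if __name__ == "__main__":
    print(run_transaction())
```

Only the server signs here, which lets the customer prove what the merchant accepted; for nonrepudiation in both directions the customer signs the order with a key of its own, certified the same way.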

Difficulties With Security Methods for Web Transactions

- Secure Electronic Transaction (SET) method
  - Proposed by a consortium of credit card companies
  - More secure than SSL
  - Costly, and very slow adoption rate

Motivating Efficient and Effective Operation

- Monitoring information system usage
  - Business process performance
  - Information system performance
  - Unusual activity
- Charging users to encourage efficiency
  - Chargeback systems try to motivate efficient usage by assigning the cost of information systems to the user departments

Auditing the Information System

- Auditing ensures that financial operations are neither misrepresented nor threatened due to defective procedures or accounting systems
- Auditing around the computer vs. auditing through the computer

Preparing for Disasters

- Disaster plan – a plan of action to recover from occurrences that shut down or harm major information systems