Lauden Security


  • 8/16/2019 Lauden Security


     Copyright © 2007 Pearson Education, Inc. Slide 5-1

    E-commerce 

    Kenneth C. Laudon

    Carol Guercio Traver 

    business. technology. society.

    Second Edition

Slide 5-2

    Chapter 5

    Security and Encryption

Slide 5-3

The Merchant Pays

Class Discussion

Why are offline credit card security procedures not applicable in the online environment?

What new techniques are available to merchants that would reduce credit card fraud?

Why should the merchant bear the risk of online credit purchases? Why not the issuing banks?

What other steps can merchants take to reduce credit card fraud at their sites?

Why are merchants reluctant to add additional security measures?

Slide 5-4

The E-commerce Security Environment: The Scope of the Problem

Overall size of cybercrime unclear; amount of losses significant but stable; individuals face new risks of fraud that may involve substantial uninsured losses

Symantec: over 50 overall attacks a day against business firms between July 2004 and June 2005

2005 Computer Security Institute survey: 56% of respondents had detected breaches of computer security within the last 12 months, and many of these suffered financial loss as a result; a notable share experienced denial of service attacks; a large share detected virus attacks

Slide 5-5

The E-commerce Security Environment

Figure 5.4, Page 253

Slide 5-6

Dimensions of E-commerce Security

Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party

Nonrepudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions

Authenticity: ability to verify the identity of the person or entity with whom you are dealing on the Internet

Confidentiality: ability to ensure that messages and data are available only to those authorized to view them

Privacy: ability to control use of information a customer provides about himself or herself to a merchant

Availability: ability to ensure that an e-commerce site continues to function as intended

Slide 5-7

Customer and Merchant Perspectives on the Different Dimensions of E-commerce Security

Table 5.1, Page 254

Slide 5-8

The Tension Between Security and Other Values

Security vs. ease of use: the more security measures that are added, the more difficult a site is to use, and the slower it becomes

Security vs. desire of individuals to act anonymously


Slide 5-10

Security Threats in the E-commerce Environment (cont'd)

Most common threats:

Malicious code

Phishing

Hacking and cybervandalism

Credit card fraud/theft

Spoofing (pharming)

Denial of service attacks

Sniffing

Insider

Slide 5-11

A Typical E-commerce Transaction

Figure 5.5, Page 257

SOURCE: Boncella, 2000.

Slide 5-12

Vulnerable Points in an E-commerce Environment

Figure 5.6, Page 258

SOURCE: Boncella, 2000.

Slide 5-13

Malicious Code

Viruses: computer program that has the ability to replicate and spread to other files; most also deliver a "payload" of some sort (may be destructive or benign); include macro viruses, file-infecting viruses, and script viruses

Worms: designed to spread from computer to computer

Trojan horse

Slide 5-14

Phishing

Any deceptive, online attempt by a third party to obtain confidential information for financial gain

Most popular type: e-mail scam letter

One of the fastest growing forms of e-commerce crime


Slide 5-16

Credit Card Fraud

Fear that credit card information will be stolen deters online purchases

Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under a false identity

One solution: new identity verification mechanisms

Slide 5-17

Insight on Society: "Evil Twins" and "Pharming"

What is meant by 'evil twins' and 'pharming'?

What is meant by 'social engineering' techniques?

What is the security weakness in the domain name system that permits pharming?

What steps can users take to verify they are communicating with authentic sites and networks?

Slide 5-18

Spoofing (Pharming)

Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else

Threatens integrity of site; authenticity

Slide 5-19

DoS and DDoS Attacks

Denial of service (DoS) attack: hackers flood a Web site with useless traffic to inundate and overwhelm the network

Distributed denial of service (DDoS) attack: hackers use numerous computers to attack the target network from numerous launch points

Slide 5-20

Other Security Threats

Sniffing: type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network

Insider

Slide 5-21

Technology Solutions

Protecting Internet communications (encryption)

Securing channels of communication (SSL, S-HTTP, VPNs)

Protecting networks (firewalls)

Protecting servers and clients

Slide 5-22

Tools Available to Achieve Site Security

Figure 5.7, Page 269

Slide 5-23

Protecting Internet Communications: Encryption

Encryption: the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver

Purpose: secure stored information and information transmission

Provides: message integrity, nonrepudiation, authentication, confidentiality

Slide 5-24

Symmetric Key Encryption

Also known as secret key encryption

Both the sender and receiver use the same digital key to encrypt and decrypt a message

Requires a different set of keys for each transaction

Data Encryption Standard (DES): most widely used symmetric key encryption at the time of writing; uses a 56-bit encryption key; other types use 128-bit keys up through 2048 bits

Caveat: a 56-bit DES key can be recovered by exhaustive search (demonstrated publicly in 1998), so DES is no longer acceptable; its successor AES uses 128-, 192- or 256-bit keys. Symmetric keys larger than 256 bits are not used in practice; sizes such as 2048 bits are typical of public (RSA) keys, not symmetric ones.

Slide 5-25

Public Key Encryption

Public key cryptography solves the symmetric key encryption problem of having to exchange the secret key

Uses two mathematically related digital keys: a public key (widely disseminated) and a private key (kept secret by the owner)

Both keys are used to encrypt and decrypt a message

Once a key is used to encrypt a message, the same key cannot be used to decrypt the message

For example, the sender uses the recipient's public key to encrypt a message; the recipient uses his/her private key to decrypt it

Slide 5-26

Public Key Cryptography: A Simple Case

Figure 5.8, Page 272

Slide 5-27

Public Key Encryption using Digital Signatures and Hash Digests

Application of a hash function (mathematical algorithm) by the sender prior to encryption produces a hash digest that the recipient can use to verify the integrity of the data

Double encryption with the sender's private key (digital signature) helps ensure authenticity and nonrepudiation

Slide 5-28

Public Key Cryptography with Digital Signatures

Figure 5.9, Page 274

Slide 5-29

Digital Envelopes

Addresses the weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and of symmetric key encryption (faster, but the shared secret key must itself be exchanged securely)

Uses symmetric key encryption to encrypt the document but public key encryption to encrypt and send the symmetric key

Slide 5-30

Public Key Cryptography: Creating a Digital Envelope

Figure 5.10, Page 275

Slide 5-31

Digital Certificates and Public Key Infrastructure (PKI)

Digital certificate: digital document that includes:

Name of subject

Slide 5-32

Digital Certificates and Certification Authorities

Figure 5.11, Page 277

Slide 5-33

Limits to Encryption Solutions

PKI applies mainly to protecting messages in transit

PKI is not effective against insiders

Protection of private keys by individuals may be haphazard

No guarantee that the verifying computer of the merchant is secure

CAs are unregulated, self-selecting organizations (a 2007 view: publicly trusted CAs are now bound by audited browser root-program rules and the CA/Browser Forum Baseline Requirements, although the trust model still depends on every root in the store behaving)


Slide 5-35

Securing Channels of Communication

Secure Sockets Layer (SSL): most common form of securing channels of communication; used to establish a secure negotiated session (client-server session in which the URL of the requested document, along with its contents, is encrypted)

(Every version of SSL has since been deprecated; its successor TLS, currently TLS 1.2 and 1.3, provides the same channel security and is what "SSL" refers to in practice today)

S-HTTP: alternative method; provides a secure message-oriented communications protocol designed for use in conjunction with HTTP


Slide 5-37

Protecting Networks: Firewalls and Proxy Servers

Firewall: hardware or software that filters communications packets and prevents some packets from entering the network, based on a security policy

Firewall methods include:

Packet filters

Application gateways

Proxy servers: software servers that handle all communications originating from or being sent to the Internet
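Packet filters and application gateways differ in what they are allowed to look at, and that difference is what the slide's two methods come down to. The Python below is an example added here, not part of the original slides: it implements a first-match, default-deny packet filter over a small policy, then an HTTP application gateway that reuses the filter's verdict and additionally parses the request line and Host header, refusing anything it cannot parse. The addresses, ports, policy rules, host names and sample packets are all constructed for the example.

```python
"""Packet filter vs. application gateway: a minimal policy engine.

Added illustration for the firewall slide (not code from Laudon and Traver).
All addresses, ports, rules, host names and packets are constructed examples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # source network the rule applies to
    dport: Optional[int] = None  # None matches every destination port


# The security policy. First matching rule wins; a packet matching no rule is
# dropped (default deny). Assumed storefront 192.0.2.10, office 203.0.113.0/24.
POLICY = [
    Rule("deny", src="10.0.0.0/8"),                              # internal range seen from outside: spoofed
    Rule("allow", proto="tcp", dport=443),                       # HTTPS to the storefront
    Rule("allow", proto="tcp", dport=80),                        # HTTP (redirects to HTTPS)
    Rule("allow", proto="tcp", dport=22, src="203.0.113.0/24"),  # admin SSH from the office only
]


def packet_filter(pkt: Packet, policy=POLICY) -> str:
    """Stateless packet filter: decides on header fields alone, never on payload."""
    for rule in policy:
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if ip_address(pkt.src) not in ip_network(rule.src):
            continue
        return rule.action
    return "deny"


ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"shop.example.com"}


def application_gateway(pkt: Packet) -> str:
    """Application gateway for HTTP: after the packet filter, parse the request and
    enforce what packet headers cannot express (method, Host). Fails closed."""
    if packet_filter(pkt) != "allow":
        return "deny"
    if pkt.dport not in (80, 443):
        return "allow"                      # not HTTP: nothing further to inspect here
    try:
        request_line, *header_lines = pkt.payload.decode("ascii").split("\r\n")
        method, _target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny"                       # malformed request: do not guess, drop it
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if not version.startswith("HTTP/") or method not in ALLOWED_METHODS:
        return "deny"
    if headers.get("host") not in ALLOWED_HOSTS:
        return "deny"
    return "allow"


# Constructed sample traffic.
SAMPLES = {
    "customer_https": Packet("198.51.100.7", "192.0.2.10", "tcp", 443,
                             b"GET /cart HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"),
    "ssh_from_internet": Packet("198.51.100.7", "192.0.2.10", "tcp", 22),
    "ssh_from_office": Packet("203.0.113.5", "192.0.2.10", "tcp", 22),
    "spoofed_internal": Packet("10.1.2.3", "192.0.2.10", "tcp", 443),
    "dns_probe": Packet("198.51.100.7", "192.0.2.10", "udp", 53),
    "trace_method": Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
                           b"TRACE / HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"),
    "wrong_host": Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
                         b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n"),
    "garbage": Packet("198.51.100.7", "192.0.2.10", "tcp", 80, b"\xff\xfe\x00"),
}


def decisions(samples=SAMPLES) -> dict:
    """Return {name: (packet filter verdict, application gateway verdict)}."""
    return {name: (packet_filter(p), application_gateway(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (pf, gw) in decisions().items():
        print(f"{name:18} packet filter: {pf:5}  application gateway: {gw}")
```

The gateway is what a proxy server does for one protocol: it terminates the client's connection, reads the application message, and forwards only what policy allows, so a TRACE request or a request for a host the site does not serve is refused even though it arrives on an allowed port that the packet filter waved through. Failing closed on unparsable payloads matters; a gateway that passed anything it could not understand would hand exactly the malformed requests an attacker crafts straight to the origin server.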

Slide 5-38

Firewalls and Proxy Servers

Figure 5.13, Page 283


Slide 5-40

A Security Plan: Management Policies

Steps in developing a security plan

Perform risk assessment: assessment of risks and points of vulnerability

Develop security policy: set of statements prioritizing information risks, identifying acceptable risk targets, and identifying mechanisms for achieving targets

Develop implementation plan: action steps needed to achieve security plan goals

Create security organization: in charge of security; educates and trains users, keeps management aware of security issues; administers access controls, authentication procedures and authorization policies

Perform security audit: review of security practices and procedures

Slide 5-41

Developing an E-commerce Security Plan

Figure 5.14, Page 286

Slide 5-42

Insight on Business: Hiring Hackers to Locate Threats: Penetration Testing

Class Discussion

Why would firms hire outsiders to crash their systems?

What are 'grey' and 'black' hats and why do firms avoid them as security testers?

Are penetration specialists like Johnny Long performing a public service or

Slide 5-43

The Role of Laws and Public Policy

New laws have granted local and national authorities new tools and mechanisms for identifying, tracing and prosecuting cybercriminals

National Infrastructure Protection Center: unit within the National Cyber Security Division of the Department of Homeland Security whose mission is to identify and combat threats against U.S. technology and telecommunications infrastructure

USA Patriot Act

Homeland Security Act

Government policies and controls on encryption software

Slide 5-44

OECD Guidelines

2002 Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems and Networks has nine principles:

Awareness

Responsibility

Response

Ethics

Democracy

Risk assessment

Security design and implementation

Security management

Reassessment