55
  Security Threats to Electronic Commerce

Security threats to E-commerce

Embed Size (px)

DESCRIPTION

Presentation about various Security threats to E-commerce

Citation preview

  • Security Threats toElectronic Commerce

  • ObjectivesImportant computer and electronic commerce security termsWhy secrecy, integrity, and necessity are three parts of any security programThe roles of copyright and intellectual property and their importance in any study of electronic commerce

  • ObjectivesThreats and counter measures to eliminate or reduce threatsSpecific threats to client machines, Web servers, and commerce serversRoles encryption and certificates play

  • Security OverviewMany fears to overcomeIntercepted e-mail messagesUnauthorized access to digital intelligenceCredit card information falling into the wrong handsTwo types of computer securityPhysical - protection of tangible objectsLogical - protection of non-physical objects

  • Security Overview

    Countermeasures: physical or logical procedures that recognize, reduce, or eliminate a threat

  • Computer Security ClassificationSecrecy/ConfidentialityProtecting against unauthorized data disclosure and ensuring the authenticity of the datas sourcePrivacy The ability to ensure the use of information about oneselfIntegrityPreventing unauthorized data modification by an unauthorized partyNecessityPreventing data delays or denials (removal)

  • Computer Security ClassificationNonrepudiation Ensure that e-commerce participants do not deny (i.e., repudiate) their online actionsAuthenticity The ability to identify the identity of a person or entity with whom you are dealing on the Internet

  • Copyright and Intellectual PropertyCopyrightProtecting expressionLiterary and musical worksPantomimes and choreographic worksPictorial, graphic, and sculptural worksMotion pictures and other audiovisual worksSound recordingsArchitectural works

  • Copyright and Intellectual PropertyIntellectual propertyThe ownership of ideas and control over the tangible or virtual representation of those ideasU.S. Copyright Act of 1976Protects previously stated items for a fixed period of timeCopyright Clearance CenterClearinghouse for U.S. copyright information

  • Intellectual Property ThreatsThe Internet presents a tempting target for intellectual property threatsVery easy to reproduce an exact copy of anything found on the InternetPeople are unaware of copyright restrictions, and unwittingly infringe on themFair use allows limited use of copyright material when certain conditions are met

  • Designing systems that are neither over-controlled nor under-controlled Applying quality assurance standards in large systems projectsMANAGEMENT CHALLENGES

  • Advances in telecommunications and computer software

    Unauthorized access, abuse, or fraud

    Hackers

    Denial of service attack

    Computer virusWhy Systems are Vulnerable

  • Telecommunication Network Vulnerabilities

  • DisasterDestroys computer hardware, programs, data files, and other equipment

    SecurityPrevents unauthorized access, alteration, theft, or physical damageConcerns for System Builders and Users

  • ErrorsCause computers to disrupt or destroy organizations record-keeping and operationsConcerns for System Builders and Users

  • BugsProgram code defects or errors

    Maintenance NightmareMaintenance costs high due to organizational change, software complexity, and faulty system analysis and designSystem Quality Problems: Software and Data

  • Points in the Processing Cycle where Errors can Occur

  • Data Quality Problems

    Caused due to errors during data input or faulty information system and database design

  • The Cost of Errors over the Systems Development Cycle

  • Controls

    Methods, policies, and procedures

    Ensures protection of organizations assets

    Ensures accuracy and reliability of records, and operational adherence to management standardsOverview

  • General controls

    Establish framework for controlling design, security, and use of computer programs

    Include software, hardware, computer operations, data security, implementation, and administrative controlsGeneral Controls and Application Controls

  • Security Profiles for a Personnel System

  • Application controls

    Unique to each computerized application

    Include input, processing, and output controlsGeneral Controls and Application Controls

  • On-line transaction processing: Transactions entered online are immediately processed by computer

    Fault-tolerant computer systems: Contain extra hardware, software, and power supply components Protecting the Digital Firm

  • High-availability computing: Tools and technologies enabling system to recover from a crashDisaster recovery plan: Runs business in event of computer outageLoad balancing: Distributes large number of requests for access among multiple servers Mirroring: Duplicating all processes and transactions of server on backup server to prevent any interruption Clustering: Linking two computers together so that a second computer can act as a backup to the primary computer or speed up processing

    Protecting the Digital Firm

  • Security Threats in the E-commerce Environment

    Three key points of vulnerabilitythe clientcommunications pipelinethe server

  • Vulnerable Points in an E-commerce Environment

  • Electronic Commerce ThreatsClient ThreatsActive ContentJava applets, Active X controls, JavaScript, and VBScriptPrograms that interpret or execute instructions embedded in downloaded objectsMalicious active content can be embedded into seemingly innocuous Web pages -- launched when you use your browser to view the page

  • Electronic Commerce ThreatsClient Threats -- Cookiesremember user names, passwords, and other commonly referenced informationExerciseGo to cookie FAQs on text links page or: http://www.cookiecentral.com/faq/Are cookies dangerous?How did they get to be called cookies?What are the benefits of cookies?

  • Graphics, Plug-ins, andE-mail AttachmentsCode can be embedded into graphic images causing harm to your computerPlug-ins are used to play audiovisual clips, animated graphicsCould contain ill-intentioned commands hidden within the objectE-mail attachments can contain destructive macros within the document

  • Communication Channel ThreatsSecrecy ThreatsSecrecy is the prevention of unauthorized information disclosure - technical issuePrivacy is the protection of individual rights to nondisclosure - legal issue regarding rightsTheft of sensitive or personal information is a significant dangerYour IP address and browser you use are continually revealed while on the web

  • Communication Channel ThreatsAnonymizerA Web site that provides a measure of secrecy as long as its used as the portal to the Internethttp://www.anonymizer.comCheck out Heres what we know about youIntegrity ThreatsAlso known as active wiretappingUnauthorized party can alter dataChange the amount of a deposit or withdrawal

  • Communication Channel ThreatsNecessity ThreatsAlso known as delay or denial threatsDisrupt normal computer processingDeny processing entirelySlow processing to intolerably slow speedsRemove file entirely, or delete information from a transmission or fileDivert money from one bank account to another

  • Server ThreatsThe more complex software becomes, the higher the probability that errors (bugs) exist in the codeServers run at various privilege levelsHighest levels provide greatest access and flexibilityLowest levels provide a logical fence around a running program

  • Server ThreatsContents of a servers folder names are revealed to a Web browserCookies should never be transmitted unprotectedSensitive files such as username and password pairs or credit card numbersHacking and Cracking -- the Web server administrator is responsible for ensuring that all sensitive files, are secure

  • Database ThreatsOnce a user is authenticated to a database, selected database information is visible to the user.Security is often enforced through the use of privilegesSome databases are inherently insecure and rely on the Web server to enforce security measures

  • Other ThreatsCommon Gateway Interface (CGI) ThreatsCGIs are programs that present a security threat if misusedCGI programs can reside almost anywhere on a Web server and therefore are often difficult to track downCGI scripts do not run inside a sandbox, unlike JavaScript

  • Other ThreatsOther programming threats includePrograms executed by the serverBuffer overruns can cause errorsRunaway code segmentsThe Internet Worm attack was a runaway code segmentBuffer overflow attacks occur when control is released by an authorized program, but the intruder code instructs control to be turned over to it

  • Tools Available to Achieve Site Security

  • EncryptionTransforms plain text or data into cipher text that cannot be read by anyone outside of the sender and the receiver. Purpose:to secure stored informationto secure information transmission.Cipher texttext that has been encrypted and thus cannot be read by anyone besides the sender and the receiverSymmetric Key EncryptionDES standard most widely used

  • EncryptionPublic key cryptographyuses two mathematically related digital keys: a public key and a private key.The private key is kept secret by the owner, and the public key is widely disseminated.Both keys can be used to encrypt and decrypt a message.A key used to encrypt a message, cannot be used to unencrypt the message

  • Public Key Cryptography - A Simple Case

  • Public Key Cryptography with Digital Signatures

  • Public Key Cryptography: Creating a Digital Envelope

  • Securing Channels of CommunicationsSecure Sockets Layer (SSL) is the most common form of securing channelsSecure negotiated sessionclient-server session where the requested document URL, contents, forms, and cookies are encrypted.Session key is a unique symmetric encryption key chosen for a single secure session

  • Secure Negotiated Sessions Using SSL

  • Securing Channels of CommunicationsSecure Hypertext Transfer Protocol (S-HTTP)secure message-oriented communications protocol for use with HTTP. Virtual Private Networks (VPN)remote users can securely access internal networks via Point-to-Point Tunneling Protocol (PPTP)

  • Protecting NetworksFirewallssoftware applications that act as a filter between a private network and the InternetProxy serverserver that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization

  • Policies, Procedures, and LawsDeveloping an e-commerce security planperform a risk assessmentdevelop a security policydevelop an implementation plancreate a security organizationperform a security audit

  • Tension Between Security and Other ValuesEase of use Often security slows down processors and adds significantly to data storage demands. Too much security can harm profitability; not enough can mean going out of business.Public Safety & Criminal Useclaims of individuals to act anonymously vs. needs of public officials to maintain public safety in light of criminals or terrorists.

  • Security Policy andIntegrated SecuritySecurity policy is a written statement describing what assets are to be protected and why, who is responsible, which behaviors are acceptable or notPhysical securityNetwork securityAccess authorizationsVirus protectionDisaster recovery

  • Specific Elements of a Security PolicyAuthenticationWho is trying to access the site?Access ControlWho is allowed to logon and access the site?SecrecyWho is permitted to view selected informationData integrityWho is allowed to change data?AuditWhat and who causes selected events to occur, and when?

  • Computer Emergency Response Team (CERT)Housed at Carnegie Mellon UniversityResponds to security events and incidents within the U.S. government and private sector

  • Some questionsCan internet security measures actually create opportunities for criminals to steal? How?Why are some online merchants hesitant to ship to international addresses?What are some steps a company can take to thwart cyber-criminals from within a business?Is a computer with anti-virus software protected from viruses? Why or why not?What are the differences between encryption and authentication?Discuss the role of administration in implementing a security policy?

  • Group ExerciseGiven the shift to m-commerce, identify and discuss the new security threats to this type of technology?What are some of the non-security impacts on society?Select a reporter and give a brief synopsis of your views to the class.


Identifying and Mitigating Threats to E-commerce Payment ... · Open Web Application Security Project (OWASP) • • Non-profit designed to improve web application security ... OWASP

Identifying and Mitigating Threats to E-commerce Payment ... · Open Web Application Security Project (OWASP) • • Non-profit designed to improve web application security ... OWASP

Documents
Computer Security Threats

Computer Security Threats

Software
范錚強 1 E-Commerce Security 范錚強 2 The Security Threats Computer Crime and Security Survey 2002 90% computers exposed to security violations 40% computers

范錚強 1 E-Commerce Security 范錚強 2 The Security Threats Computer Crime and Security Survey 2002 90% computers exposed to security violations 40% computers

Documents
Web Security Threats

Web Security Threats

Documents
Identifying and Mitigating Threats to E-commerce Payment ...€¦ · Threats to E-commerce Payment Processing Erik Rasmussen Director, NA Cyber Security Intelligence Visa Inc. 29

Identifying and Mitigating Threats to E-commerce Payment ...€¦ · Threats to E-commerce Payment Processing Erik Rasmussen Director, NA Cyber Security Intelligence Visa Inc. 29

Documents
Security threats ecom

Security threats ecom

Technology
Managing Security Threats

Managing Security Threats

Documents
Class 3 – April 6, 2012 IT Security. IT Security Threats Three types of Security Threats (External, Network, Internal) External- Intrusion Threats Hacking:

Class 3 – April 6, 2012 IT Security. IT Security Threats Three types of Security Threats (External, Network, Internal) External- Intrusion Threats Hacking:

Documents
E-COMMERCE SECURITY THREATS And what you can do about it

E-COMMERCE SECURITY THREATS And what you can do about it

Documents
Threats and Countermeasures for Network Security … · Threats and Countermeasures for Network Security ... Threats and Countermeasures for Network Security ... Computer Recreations

Threats and Countermeasures for Network Security … · Threats and Countermeasures for Network Security ... Threats and Countermeasures for Network Security ... Computer Recreations

Documents
Cyber Security Governance · 2019-06-06 · Cyber Security Threats / Visibility Recent News Target: Businesses and Government: Finance, Critical Infrastructure, Government, and Commerce

Cyber Security Governance · 2019-06-06 · Cyber Security Threats / Visibility Recent News Target: Businesses and Government: Finance, Critical Infrastructure, Government, and Commerce

Documents
Security Threats to Electronic Commerce

Security Threats to Electronic Commerce

Business
1 E-Commerce Security Part I – Threats. 2 Objectives Threats to –intellectual property rights –client computers –communication channels between computers

1 E-Commerce Security Part I – Threats. 2 Objectives Threats to –intellectual property rights –client computers –communication channels between computers

Documents
Threats of E-Commerce in Database

Threats of E-Commerce in Database

Technology
Dealing With Security Threats

Dealing With Security Threats

Technology
INFORMATION TECHNOLOGY AND E-COMMERCE (Honours … · What do you understand by the term security in context to e-commerce ? 2017 What threats are perceived in e-commerce environment

INFORMATION TECHNOLOGY AND E-COMMERCE (Honours … · What do you understand by the term security in context to e-commerce ? 2017 What threats are perceived in e-commerce environment

Documents
Security Threats Mmj

Security Threats Mmj

Documents
Hidden threats in e-commerce applications

Hidden threats in e-commerce applications

Technology
New security threats

New security threats

Technology
Internet Security Threats -

Internet Security Threats -

Business
Security Threats - course.ece.cmu.edu

Security Threats - course.ece.cmu.edu

Documents
5 network-security-threats

5 network-security-threats

Documents
1 Security and Protection Chapter 9. 2 The Security Environment Threats Security goals and threats

1 Security and Protection Chapter 9. 2 The Security Environment Threats Security goals and threats

Documents
Internet Security Threats

Internet Security Threats

Documents
Security Threats to Electronic Commerce. 2 Learning Objectives In this chapter, you will learn about: Important computer and electronic commerce security

Security Threats to Electronic Commerce. 2 Learning Objectives In this chapter, you will learn about: Important computer and electronic commerce security

Documents
Security , hacking, threats & tools for security · SECURITY, HACKING, THREATS & TOOLS FOR SECURITY N.Anupama Asst Professor ANUCET ANU

Security , hacking, threats & tools for security · SECURITY, HACKING, THREATS & TOOLS FOR SECURITY N.Anupama Asst Professor ANUCET ANU

Documents
Security Chapters 14,15. The Security Environment Threats Security goals and threats

Security Chapters 14,15. The Security Environment Threats Security goals and threats

Documents
E-commerce Security and Threats

E-commerce Security and Threats

Technology
Focus: Security threats Ten Control System security threats · 10/12/2012 · Focus: Security threats Ten Control System security threats "THE Top 10 Vulnerabilities of Control Systems

Focus: Security threats Ten Control System security threats · 10/12/2012 · Focus: Security threats Ten Control System security threats "THE Top 10 Vulnerabilities of Control Systems

Documents
Logical Security threats

Logical Security threats

Documents