Chapter 13: Understanding E-Security
Awad – Electronic Commerce 2/e © 2004 Pearson Prentice Hall

Page 1

Chapter 13

Understanding E-Security

Page 2

OBJECTIVES

• Security in Cyberspace

• Conceptualizing Security

• Designing for Security

• How Much Risk Can You Afford?

• Virus – Computer Enemy #1

• Security Protection and Recovery

Page 3

ABUSE & FAILURE

• Fraud

• Theft

• Disruption of Service

• Loss of Customer Confidence

Page 4

WHY IS THE INTERNET DIFFERENT?

Paper-Based Commerce                  Electronic Commerce
Signed paper documents                Digital signature
Person-to-person                      Electronic via Web site
Physical payment system               Electronic payment system
Merchant-customer face-to-face        Face-to-face absence
Easy detectability of modification    Difficult detectability
Easy negotiability                    Difficult negotiability

Page 5

SECURITY CONCERNS

• Confidentiality

• Authentication

• Integrity

• Access Control

• Nonrepudiation

• Firewalls

Page 6

INFORMATION SECURITY DRIVERS

• Global trading

• Availability of reliable security packages

• Changes in attitudes toward security

Page 7

PRIVACY FACTOR

Chart: percentage of surfers (0% to 50% axis) who agree with the statement "The Internet is a serious threat to privacy", broken down by men, women, ages 18-29, ages 30-49, ages 50 or older, and income less than $40,000.

Page 8

DESIGNING FOR SECURITY

• Adopt a reasonable security policy

• Consider Web security needs

• Design the security environment

• Authorizing and monitoring the system

Page 9

ADOPT A REASONABLE SECURITY POLICY

• Policy
  – Understanding the threats information must be protected against to ensure
    • Confidentiality
    • Integrity
    • Privacy
  – Should cover the entire e-commerce system
    • Internet security practices
    • Nature and level of risks
    • Procedure of failure recovery

Page 10

DESIGN THE SECURITY ENVIRONMENT

Exhibit - Logical procedure flow (diagram). Parties shown: security consultant, certified Web site, database, customer service, certified staff. Steps shown: edit payment system, verify IT staff integrity, guidelines, password assignment, authorized link, verified site, test data.

Page 11

SECURITY PERIMETER

• Firewalls

• Authentication

• Virtual Private Networks (VPN)

• Intrusion Detection Devices

Page 12

AUTHORIZING & MONITORING SYSTEM

• Monitoring
  – Capturing processing details for evidence
  – Verifying e-commerce is operating within the security policy
  – Verifying attacks have been unsuccessful

Page 13

HOW MUCH RISK CAN YOU AFFORD?

• Determine specific threats inherent to the system design

• Estimate pain threshold

• Analyze the level of protection required

Page 14

KINDS OF THREATS/CRIMES

• Physically-related

• Order-related

• Electronically-related

Page 15

CLIENT SECURITY THREATS

• Why?
  – Sheer nuisances
  – Deliberate corruption of files
  – Rifling stored information

• How?
  – Physical attack
  – Virus
  – Computer-to-computer attack

Page 16

SERVER SECURITY THREATS

• Web server with an active port

• Windows NT server, not upgraded to act as firewall

• Anonymous FTP service

• Web server directories that can be accessed and indexed

Page 17

HOW HACKERS ACTIVATE A DENIAL OF SERVICE

• Break into less-secured computers connected to a high-bandwidth network

• Install a stealth program that duplicates itself indefinitely to congest network traffic

• Specify a target network from a remote location and activate the planted program

• The victim’s network is overwhelmed and users are denied access

Page 18

VIRUS – COMPUTER ENEMY #1

• Malicious code that replicates itself to disrupt the information infrastructure

• Attacks system integrity, circumvents security capabilities and causes adverse operation

• Incorporates itself into computer networks, files and other executable objects

Page 19

TYPES OF VIRUSES

• Boot virus
  – Attacks boot sectors of the hard drive

• Macro virus
  – Exploits macro commands in a software application

Page 20

VIRUS CHARACTERISTICS

• Fast
  – Easily invades and infects the computer hard disk

• Slow
  – Less likely to be detected and destroyed

• Stealth
  – Memory resident
  – Able to manipulate its execution to disguise its presence

Page 21

ANTIVIRUS STRATEGY

• Establish a set of simple enforceable rules

• Educate and train users

• Inform users of the existing and potential threats to the company’s systems

• Update to the latest antivirus software periodically

Page 22

BASIC INTERNET SECURITY PRACTICES

• Password
  – Alphanumeric
  – Mix upper and lower case
  – Change frequently
  – No dictionary names

• Encryption
  – Coding of messages in traffic between the customer placing an order and the merchant’s network processing the order
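The four password rules on this slide, turned into a check that reports which rules a candidate password fails. This is an added example, not code from the textbook; the small word list and the 90-day rotation limit are assumptions standing in for a real dictionary and for "change frequently".

```python
"""Checks a password against the practices on the slide: alphanumeric, mixed
case, no dictionary names, changed frequently. Added example, not from the
textbook; the word list and the 90-day limit are assumptions."""

# Constructed stand-in for a dictionary/name list; a real check loads a full wordlist.
DICTIONARY = {"password", "welcome", "summer", "michael", "jennifer", "company"}
MAX_AGE_DAYS = 90  # assumed rotation interval standing in for "change frequently"


def contains_dictionary_word(password: str) -> bool:
    """True if any list word appears anywhere in the password, ignoring case."""
    lowered = password.lower()
    return any(word in lowered for word in DICTIONARY)


def check_password(password: str, age_days: int) -> list[str]:
    """Return the slide rules the password fails; an empty list means it passes."""
    failures = []
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        failures.append("alphanumeric")  # needs both letters and digits
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        failures.append("mixed-case")  # needs upper and lower case letters
    if contains_dictionary_word(password):
        failures.append("dictionary")  # contains a dictionary word or name
    if age_days > MAX_AGE_DAYS:
        failures.append("stale")  # not changed frequently enough
    return failures


if __name__ == "__main__":
    # Constructed sample passwords with their age in days
    for pw, age in [("summer2004", 30), ("Tq7!vR9pLm2x", 30), ("Tq7!vR9pLm2x", 120)]:
        print(pw, age, check_password(pw, age) or "OK")
```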

Page 23

SECURITY RECOVERY

• Attack Detection

• Damage Assessment

• Correction and Recovery

• Corrective Feedback

Page 24

FIREWALL & SECURITY

• Firewall
  – Enforces an access control policy between two networks
  – Detects intruders, blocks them from entry, keeps track of what they did and notifies the system administrator

Page 25

WHAT A FIREWALL CAN PROTECT AGAINST

• E-mail services known to be problems

• Unauthorized external logins

• Undesirable material, e.g. pornography

• Unauthorized sensitive information

Page 26

WHAT A FIREWALL CAN’T PROTECT AGAINST

• Attacks that do not go through the firewall

• Weak security policy

• “Traitors” or disgruntled employees

• Viruses via floppy disks

• Data-driven attack

Page 27

SPECIFIC FIREWALL FEATURES

• Security Policy

• Deny Capability

• Filtering Ability

• Scalability

• Authentication

• Recognizing Dangerous Services

• Effective Audit Logs
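A toy packet filter that puts several of the features from this slide and from the "Firewall & Security" slide into working form: an ordered access-control policy between an inside and an outside network, a default deny for anything no rule allows, filtering on address, protocol and port, an audit log of every decision, and a notification list of sources that keep getting blocked. This is an added example, not code from the textbook; the rules, addresses and alert threshold are constructed.

```python
"""Toy packet filter for the firewall features on the slides: an access-control
policy between two networks, deny capability (default deny), filtering on
address, protocol and port, an audit log, and admin notification when one
source keeps getting blocked. Added example; rules, addresses and the alert
threshold are constructed, not taken from the textbook."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Ordered rules, first match wins: (action, src_net, dst_net, proto, dst_port, note).
# A dst_port of None matches any port. Traffic matching no rule is denied.
RULES = [
    ("allow", "0.0.0.0/0", "10.0.1.10/32", "tcp", 443, "public web server"),
    ("deny", "0.0.0.0/0", "10.0.0.0/8", "tcp", 23, "telnet: dangerous service"),
    ("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", None, "outbound from inside"),
]
ALERT_AFTER = 3  # denied attempts from one source before the admin is notified
audit_log: list[str] = []


def matches(rule, pkt: dict) -> bool:
    """True if the packet falls within the rule's source, destination, protocol and port."""
    _, src, dst, proto, port, _ = rule
    return (ip_address(pkt["src"]) in ip_network(src)
            and ip_address(pkt["dst"]) in ip_network(dst)
            and pkt["proto"] == proto
            and (port is None or pkt["dport"] == port))


def filter_packet(pkt: dict) -> str:
    """Decide 'allow' or 'deny' for one packet and record the decision in the audit log."""
    decision, reason = "deny", "default deny"
    for rule in RULES:
        if matches(rule, pkt):
            decision, reason = rule[0], rule[5]
            break
    audit_log.append(f"{decision} {pkt['src']}->{pkt['dst']}:{pkt['dport']}/{pkt['proto']} ({reason})")
    return decision


def sources_to_notify(threshold: int = ALERT_AFTER) -> list[str]:
    """Sources with at least `threshold` denied entries in the audit log."""
    denied = Counter(line.split()[1].split("->")[0]
                     for line in audit_log if line.startswith("deny "))
    return sorted(src for src, count in denied.items() if count >= threshold)
```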

Page 28

Chapter 13

Understanding E-Security