Chapter 9: E-Security
Awad – Electronic Commerce 1/e, © 2002 Prentice Hall


OBJECTIVES

• Security in Cyberspace

• Conceptualizing Security

• Designing for Security

• How Much Risk Can You Afford?

• Virus – Computer Enemy #1

• Security Protection & Recovery

E-Security: Objectives


ABUSE & FAILURE

• Fraud

• Theft

• Disruption of Service

• Loss of Customer Confidence

E-Security: Security in Cyberspace


WHY IS THE INTERNET DIFFERENT?

E-Security: Security in Cyberspace

Paper-Based Commerce                    Electronic Commerce
Signed paper documents                  Digital signature
Person-to-person                        Electronic, via website
Physical payment system                 Electronic payment system
Merchant-customer face-to-face          Face-to-face contact absent
Easy detectability of modification      Difficult detectability of modification
Easy negotiability                      Difficult negotiability


SECURITY CONCERNS

• Confidentiality

• Authentication

• Integrity

• Access Control

• Non-repudiation

• Firewalls

E-Security: Conceptualizing Security
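The "easy vs. difficult detectability of modification" row in the comparison above and the Integrity and Authentication concerns on this slide are the same problem seen from two sides: an electronic order can be edited in transit without leaving a trace unless the message carries a cryptographic check. The following example is written for this page and is not code from the textbook. It attaches an HMAC-SHA256 tag to an order under a shared key (the key value and the order are constructed for the example) and shows that any edited field, or a tag made with a different key, fails verification. One caveat a practitioner should keep in mind: an HMAC gives integrity and authentication between the two parties that hold the key, but not Non-repudiation, because the merchant could have produced the same tag; that last property needs the "Digital Signature" of the comparison table, made with a private key only the customer holds.

```python
import hashlib
import hmac
import json

# Shared secret between the customer's ordering client and the merchant's
# order gateway. Constructed for this example; a real deployment provisions
# it out of band (or derives per-session keys inside TLS) and rotates it.
SHARED_KEY = b"example-merchant-order-gateway-key"


def canonical(order: dict) -> bytes:
    """Serialise an order deterministically so both sides MAC the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_order(order: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 tag over the order: integrity plus authentication of origin."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time, so a byte-by-byte
    timing difference cannot be used to guess a valid tag."""
    return hmac.compare_digest(sign_order(order, key), tag)


def tamper(order: dict, **changes) -> dict:
    """Model an attacker editing fields of an order in transit."""
    edited = dict(order)
    edited.update(changes)
    return edited


# Constructed sample order, not real customer data.
ORDER = {
    "order_id": 1001,
    "sku": "BOOK-9",
    "qty": 1,
    "amount_cents": 4999,
    "ship_to": "1 Example Street",
}

if __name__ == "__main__":
    tag = sign_order(ORDER)
    print("untouched order verifies:", verify_order(ORDER, tag))
    forged = tamper(ORDER, amount_cents=1, qty=10)
    print("tampered order verifies: ", verify_order(forged, tag))
    print("tag from a different key:", verify_order(ORDER, sign_order(ORDER, b"other")))
```

The canonical serialisation step matters: if the two sides serialise the same order with different key ordering or whitespace, a legitimate order fails to verify, which in practice leads teams to "fix" the check by weakening it.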


INFORMATION SECURITY DRIVERS

• Global trading

• Availability of reliable security packages

• Changes in attitudes toward security

E-Security: Conceptualizing Security


PRIVACY FACTOR

E-Security: Conceptualizing Security

[Bar chart, y-axis 0% to 50%: surfers who agree with the statement "The Internet is a serious threat to privacy", broken down by men, women, ages 18-29, ages 30-49, ages 50 or older, and income less than $40,000]


DESIGNING FOR SECURITY

• Adopt a reasonable security policy

• Consider web security needs

• Design the security environment

• Authorizing and monitoring the system

E-Security: Designing for Security


ADOPT A REASONABLE SECURITY POLICY

• Policy
  – Understanding the threats that information must be protected against, to ensure
    • Confidentiality
    • Integrity
    • Privacy
  – Should cover the entire e-commerce system
    • Internet security practices
    • Nature & level of risks
    • Procedure for failure recovery

E-Security: Designing for Security


DESIGN THE SECURITY ENVIRONMENT

E-Security: Designing for Security

[Exhibit - Logical procedure flow. Nodes: Security consultant; Certified website; Database; Customer service; Certified staff. Steps: edit payment system; verify IT staff integrity; password assignment guidelines; authorized link; verified site; test data]


SECURITY PERIMETER

• Firewalls

• Authentication

• Virtual Private Networks (VPN)

• Intrusion Detection Devices

E-Security: Designing for Security


AUTHORIZING & MONITORING SYSTEM

• Monitoring
  – Capturing processing details for evidence
  – Verifying that e-commerce is operating within the security policy
  – Verifying that attacks have been unsuccessful

E-Security: Designing for Security


HOW MUCH RISK CAN YOU AFFORD?

• Determine specific threats inherent to the system design

• Estimate pain threshold

• Analyze the level of protection required

E-Security: How Much Risk Can You Afford?


KINDS OF THREATS / CRIMES

• Physically-related

• Order-related

• Electronically-related

E-Security: How Much Risk Can You Afford?


CLIENT SECURITY THREATS

• Why?
  – Sheer nuisance
  – Deliberate corruption of files
  – Rifling stored information

• How?
  – Physical attack
  – Virus
  – Computer-to-computer attack

E-Security: How Much Risk Can You Afford?


SERVER SECURITY THREATS

• Web server with an active port

• Windows NT server, not upgraded to act as firewall

• Anonymous FTP service

• Web server directories that can be accessed & indexed

E-Security: How Much Risk Can You Afford?


HOW HACKERS ACTIVATE A DENIAL OF SERVICE

• Break into less-secure computers connected to a high-bandwidth network

• Install a stealth program on each that duplicates itself indefinitely so as to congest network traffic

• From a remote location, specify a target network and activate the planted programs

• The victim's network is overwhelmed and legitimate users are denied access

E-Security: How Much Risk Can You Afford?
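The monitoring slide earlier ("capturing processing details for evidence", "verifying attacks have been unsuccessful") and the denial-of-service sequence above meet in the web server's access log: a flood launched from many planted hosts shows up as a burst of requests in one second from many distinct addresses, and the status codes show whether the server absorbed it or started failing. The following example is added for this page and is not from the textbook. It parses constructed NCSA-style log lines (TEST-NET addresses, a 2002 date) and flags any second that exceeds a request threshold from at least a minimum number of sources; the thresholds are assumptions, to be tuned to the site's normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# NCSA common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_flood(lines, threshold=10, min_sources=4):
    """Flag any one-second window with at least `threshold` requests coming
    from at least `min_sources` distinct addresses (many planted hosts, one
    target). Each finding keeps the sources as evidence and notes whether
    the server was degraded (5xx responses) or absorbed the burst."""
    per_second = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is not None:          # corrupted lines are skipped, not fatal
            per_second[rec["ts"]].append(rec)
    findings = []
    for ts in sorted(per_second):
        recs = per_second[ts]
        sources = sorted({r["ip"] for r in recs})
        if len(recs) >= threshold and len(sources) >= min_sources:
            errors = sum(1 for r in recs if r["status"] >= 500)
            findings.append({
                "second": ts.isoformat(),
                "requests": len(recs),
                "sources": sources,
                "server_errors": errors,
                "impact": "degraded" if errors else "absorbed",
            })
    return findings


def _line(ip, ts, req, status, size):
    return f'{ip} - - [{ts}] "{req}" {status} {size}'


# Constructed sample log: a minute of normal traffic, one corrupted line,
# then a burst in a single second from six attacker-controlled hosts.
NORMAL_LINES = [
    _line("203.0.113.5", "12/Mar/2002:10:00:01 +0000", "GET /catalog HTTP/1.1", 200, 5120),
    _line("198.51.100.7", "12/Mar/2002:10:00:09 +0000", "POST /checkout HTTP/1.1", 200, 812),
    _line("203.0.113.5", "12/Mar/2002:10:00:14 +0000", "GET /item/9 HTTP/1.1", 200, 2048),
    "this line is corrupted and must be skipped rather than crash the analyser",
]
BURST_LINES = [
    _line(f"192.0.2.{10 + i % 6}", "12/Mar/2002:10:01:00 +0000",
          "GET /checkout HTTP/1.1", 503 if i >= 8 else 200, 0 if i >= 8 else 812)
    for i in range(12)
]
SAMPLE_LINES = NORMAL_LINES + BURST_LINES

if __name__ == "__main__":
    for finding in detect_flood(SAMPLE_LINES):
        print(finding)
```

Two practical notes: a per-second threshold alone also fires on a legitimate sale announcement, which is why the check also requires many distinct sources and records the 5xx ratio, and the log used for evidence must be shipped off the web server as it is written, since a host that is being overwhelmed (or was itself broken into) is not a trustworthy place to keep it.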


VIRUS – COMPUTER ENEMY #1

• A malicious code replicating itself to cause disruption of the information infrastructure

• Attacks system integrity, circumvents security capabilities & causes adverse operation

• Incorporates into computer networks, files & other executable objects

E-Security: Virus – Computer Enemy #1


TYPES OF VIRUSES

• Boot virus
  – Attacks the boot sectors of the hard drive

• Macro virus
  – Exploits macro commands in a software application

E-Security: Virus – Computer Enemy #1


VIRUS CHARACTERISTICS

• Fast
  – Easily invades and infects the computer's hard disk

• Slow
  – Less likely to be detected & destroyed

• Stealth
  – Memory resident
  – Able to manipulate its execution to disguise its presence

E-Security: Virus – Computer Enemy #1
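The definition two slides back says a virus "incorporates into ... files & other executable objects", and the characteristics above say a slow or stealth virus tries not to be noticed. Signature-based anti-virus only catches what it already knows; a baseline of file digests catches any change to watched files, known or not. The following example is added for this page and is not from the textbook. It builds a SHA-256 baseline over a constructed temporary tree, simulates a file infector appending to an executable, a macro virus altering a document and a dropper leaving a new executable, and reports the differences. The watched extensions are an assumption for the example. Two caveats from the "stealth" bullet: the saved baseline must be stored off the host (or protected with a MAC) so the virus cannot rewrite it, and a memory-resident stealth virus can hide its changes from reads on a running infected system, so the check is reliable only when run from clean boot media.

```python
import hashlib
import json
import os
import tempfile

# File types a file or macro infector of the period would target. Assumed
# for this example; extend to whatever your environment executes or opens.
WATCHED = (".exe", ".dll", ".com", ".sys", ".doc", ".xls")


def file_digest(path: str, chunk: int = 65536) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str, suffixes=WATCHED) -> dict:
    """Record digest and size of every watched file under `root`."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                baseline[rel] = {"sha256": file_digest(path), "size": os.path.getsize(path)}
    return baseline


def check_against_baseline(root: str, baseline: dict, suffixes=WATCHED) -> dict:
    """Compare the current tree with a saved baseline: changed, gone, appeared."""
    current = build_baseline(root, suffixes)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def _write(root, name, data, mode="wb"):
    with open(os.path.join(root, name), mode) as f:
        f.write(data)


def demo() -> dict:
    """Baseline a constructed tree, simulate an infection, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app.exe", b"MZ" + b"\x00" * 64)     # stand-in executable, not a real PE
        _write(root, "report.doc", b"quarterly report")   # stand-in document
        _write(root, "readme.txt", b"not a watched type")
        saved = json.dumps(build_baseline(root))          # in practice: stored off-host

        # Simulated infections (just appended bytes, nothing executable):
        _write(root, "app.exe", b"<virus body>", mode="ab")        # file infector
        _write(root, "report.doc", b"<AutoOpen macro>", mode="ab") # macro virus
        _write(root, "dropper.exe", b"MZ" + b"\x00" * 8)           # dropped executable
        _write(root, "readme.txt", b" changed", mode="ab")         # unwatched, ignored

        return check_against_baseline(root, json.loads(saved))


if __name__ == "__main__":
    print(demo())
```

The report lists only what changed; deciding whether a change is an infection or a legitimate update is the "damage assessment" step of the recovery slides later in the chapter, and is easier when the baseline is refreshed as part of every authorised software install.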


ANTI-VIRUS STRATEGY

• Establish a set of simple enforceable rules

• Educate & train users

• Inform users of the existing & potential threats to the company’s systems

• Update the latest anti-virus software periodically

E-Security: Virus – Computer Enemy #1


BASIC INTERNET SECURITY PRACTICES

• Password
  – Alphanumeric
  – Mix of upper and lower case
  – Change frequently
  – No dictionary names

• Encryption
  – Coding of messages in traffic between the customer placing an order and the merchant's network processing the order

E-Security: Security Protection & Recovery
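The password rules above are easy to state and surprisingly easy to get wrong in code: a "no dictionary words" check that does not undo the usual substitutions accepts P@ssw0rd, and a check that only looks for a digit accepts dragon1. The following example is added for this page and is not from the textbook. It implements the slide's rules plus a substitution-aware dictionary check over a constructed eight-word list (a real check loads a full dictionary and a breached-password list); the 12-character minimum and the repeated-character rule are this example's assumptions. One caveat: current guidance (NIST SP 800-63B) favours length and breached-password screening over forced periodic change and composition rules, and the last sample in the demo shows why, a long passphrase is rejected by the composition rules while being far stronger than the short ones that pass.

```python
import re

# Constructed mini word list. A real check loads a full dictionary plus a
# breached-password list (hundreds of millions of entries), not eight words.
DICTIONARY = {"password", "welcome", "merchant", "commerce", "summer",
              "dragon", "letmein", "admin"}

# Common substitutions attackers undo before a dictionary attack, so the
# checker undoes them too: P@ssw0rd is still "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(pw: str) -> str:
    return pw.lower().translate(LEET)


def contains_dictionary_word(pw: str, dictionary=DICTIONARY, min_len: int = 4) -> bool:
    """True if any dictionary word of at least `min_len` letters appears in the
    password directly, after undoing substitutions, or after stripping the
    digits and punctuation that are usually just appended ("dragon1!")."""
    base = normalise(pw)
    letters_only = re.sub(r"[^a-z]", "", base)
    return any(w in base or w in letters_only for w in dictionary if len(w) >= min_len)


def check_password(pw: str, dictionary=DICTIONARY, min_len: int = 12) -> list:
    """Return the list of policy violations; an empty list means acceptable.
    The 12-character minimum is this example's assumption, not the slide's."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("a character repeated three or more times in a row")
    if contains_dictionary_word(pw, dictionary):
        problems.append("contains a dictionary word (after undoing common substitutions)")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123", "Dr4gon!!!2002", "Tq7!vLm2#rXe9",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Whatever policy is chosen, the server must store only a salted, slow hash of the password (bcrypt, scrypt or Argon2), never the password itself; that is outside this slide but is the control that limits the damage when the database in the "server security threats" slide is read by an attacker.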


SECURITY RECOVERY

• Attack Detection

• Damage Assessment

• Correction & Recovery

• Corrective Feedback

E-Security: Security Protection & Recovery


FIREWALL & SECURITY

• Firewall
  – Enforces an access control policy between two networks
  – Detects intruders, blocks them from entry, keeps track of what they did & notifies the system administrator

E-Security: Firewall & Security


WHAT FIREWALLS CAN PROTECT

• E-mail services known to be problems

• Unauthorized external logins

• Undesirable material, e.g. pornography

• Unauthorized sensitive information

E-Security: Firewall & Security


WHAT FIREWALLS CAN’T PROTECT

• Attacks that do not pass through the firewall

• Weak security policy

• “Traitors” or disgruntled employees

• Viruses via floppy disks

• Data-driven attacks

E-Security: Firewall & Security


SPECIFIC FIREWALL FEATURES

• Security Policy

• Deny Capability

• Filtering Ability

• Scalability

• Authentication

• Recognizing Dangerous Services

• Effective Audit Logs

E-Security: Firewall & Security
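The "Firewall & Security" slide describes what a firewall does (enforce a policy between two networks, block, record, notify) and the feature list above says what to look for (security policy, deny capability, filtering, authentication, recognising dangerous services, audit logs). The following example is added for this page and is not from the textbook or any firewall product: a small packet filter in which an ordered rule list is evaluated first-match-wins, everything not explicitly allowed is denied (the "deny capability" as a default rather than an afterthought), every decision is written to an audit log, and a denied probe at a service on an assumed "dangerous" list (cleartext and trust-based logins) raises an administrator notification. The topology, addresses and traffic are constructed. Authentication of users is left out, since a packet filter cannot see who is behind an address; that belongs to a proxy or VPN in the perimeter slide.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Services whose exposure should be flagged, not merely dropped. Assumed
# list for this example: cleartext or trust-based remote logins.
DANGEROUS_SERVICES = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}


@dataclass
class Firewall:
    rules: List[Rule]                                   # first match wins
    audit_log: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def filter(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                verdict, why = rule.action, rule.comment or "explicit rule"
                break
        else:
            verdict, why = "deny", "default-deny policy"
        # Effective audit log: every decision is recorded, allowed or denied.
        self.audit_log.append(
            f"{verdict.upper():5} {p.proto} {p.src} -> {p.dst}:{p.dport} ({why})")
        if verdict == "deny" and p.dport in DANGEROUS_SERVICES:
            self.alerts.append(
                f"notify admin: {p.src} probed {DANGEROUS_SERVICES[p.dport]}/{p.dport} on {p.dst}")
        return verdict


# Constructed topology: one web server in a DMZ, an internal LAN behind it.
DMZ_WEB = "203.0.113.10"
INTERNAL_LAN = "10.0.0.0/8"

RULES = [
    Rule("allow", dst=DMZ_WEB + "/32", proto="tcp", dport=443, comment="public HTTPS to web server"),
    Rule("allow", dst=DMZ_WEB + "/32", proto="tcp", dport=80, comment="public HTTP, redirects to HTTPS"),
    Rule("deny", dst=INTERNAL_LAN, comment="no inbound traffic reaches the internal LAN"),
    # anything else falls through to the default deny inside Firewall.filter
]


def run_demo():
    """Push constructed inbound packets through the policy; return verdicts and the firewall."""
    fw = Firewall(RULES)
    traffic = [
        Packet("198.51.100.4", DMZ_WEB, "tcp", 443),      # customer browsing the shop
        Packet("198.51.100.4", DMZ_WEB, "tcp", 23),       # same host now probing telnet
        Packet("198.51.100.4", "10.0.5.20", "tcp", 1433), # direct attempt at an internal DB
        Packet("198.51.100.9", DMZ_WEB, "udp", 53),       # unsolicited DNS to the web host
    ]
    return [fw.filter(p) for p in traffic], fw


if __name__ == "__main__":
    verdicts, fw = run_demo()
    print(verdicts)
    print("\n".join(fw.audit_log))
    print("\n".join(fw.alerts))
```

Rule order is part of the policy: placing a broad allow above a narrow deny silently disables the deny, so the rule list itself should be reviewed and version-controlled like any other security configuration. The "what firewalls can't protect" slide still applies to this filter: a virus in a permitted HTTPS download or an attack by an insider on the LAN never crosses it.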
