IMM Laudon Traver E-commerce4E Chapter05 Security



E-commerce, Fourth Edition

Kenneth C. Laudon

Copyright 2007 Pearson Education, Inc. Slide 5-1

Chapter 5: Online Security System


Cyberwar in Estonia

- What is a DDoS attack? Why did it prove to be so effective against Estonia?
- What are botnets? Why are they used in DDoS attacks?
- What percentage of spam is sent by botnets?
- Can anything be done to stop DDoS attacks?

Computer-generated Simulation of a DDoS Attack


The E-commerce Security Environment: The ...

- ... losses significant but stable; individuals face uninsured losses
- IC3: processed 200,000+ Internet crime complaints; ... suffered financial loss as a result
- ... of stolen information growing

Categories of Internet Crime Complaints

Average Reported Losses for Various ...

Type of Attacks against Computer ...


The E-commerce Security Environment
Figure 5.4, Page 263

Dimensions of E-commerce Security

- Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party
- Nonrepudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions
- Authenticity: ability to identify the identity of a person or entity with whom you are dealing on the Internet
- Confidentiality: ability to ensure that messages and data are available only to those authorized to view them
- Privacy: ability to control use of information a customer provides about himself or herself to the merchant
- Availability: ability to ensure that an e-commerce site ...

Customer and Merchant Perspectives on the Different Dimensions of E-commerce Security
Table 5.1, Page 264

The Tension Between Security and Other Values

- The more security that is added, the more difficult a site is to use, and the slower it becomes
- Too much security can harm profitability, while not enough security can put you out of business
- Tension between the desire of individuals to act anonymously (to hide their identity) and the need to maintain public safety, which can be threatened by criminals or terrorists
- The Internet is both anonymous and pervasive, an ideal communication tool for criminal and terrorist ...


Security Threats in the E-commerce Environment

Three key points of vulnerability:

- Client
- Server
- Communications channel

A Typical E-commerce Transaction
SOURCE: Boncella, 2000.


Vulnerable Points in an E-commerce ...
Figure 5.6, Page 267
SOURCE: Boncella, 2000.

Most Common Security Threats in the E-commerce Environment

- Malicious code (viruses, worms, Trojans)
- Unwanted programs (spyware, browser parasites)
- Hacking and cybervandalism
- Credit card fraud/theft
- Spoofing (pharming)/spam (junk) Web sites
- DoS and DDoS attacks
- Sniffing
- Insider attacks

Malicious Code

- Tries to impair computers, steal email addresses, logon credentials, personal data, and financial info.
- Viruses: have the ability to replicate and spread to other files; most also deliver a payload of some sort (destructive or benign); include ..., ..., and script viruses
- Worms: designed to spread from computer to computer ... user or program like a virus
- Trojan horse: appears to be benign but then does something other than expected
- Bots: can be covertly installed on a computer; ... to create a network of compromised computers for sending spam, generating a DDoS attack, and ...
- See Table 5.3 for notable examples of malicious code

Unwanted Programs

- Installed without the user's informed consent
- Browser parasites: can monitor and change settings of a user's browser
- Adware: calls for unwanted pop-up ads
- Spyware: captures information such as a user's keystrokes, e-mail, IMs, etc.


Phishing and Identity Theft

- Any deceptive, online attempt by a third party to obtain confidential information for financial gain
- Most popular type: e-mail scam letter, e.g., Nigerian's rich former oil minister seeking a bank account; account verification emails from eBay or CitiBank asking to give up personal account info, bank account no., and credit card no.
- One of the fastest growing forms of e-commerce crime
- 197,000 unique new phishing emails sent within the first 6 months of 2007, an 18% increase compared to the 2nd half of 2006.

An Example of a Nigerian Letter E-Mail


An Example of a Phishing Attack

Hacking and Cybervandalism

- Hacker: individual who intends to gain unauthorized access to a computer system
- Cracker: hacker with criminal intent (two terms ...)
- Cybervandalism: intentionally disrupting, ...
- Types of hackers include:
  - White hats: ... the firm's computer system
  - Black hats: hackers with the intention of causing harm
  - Grey hats: hackers breaking in and revealing system flaws without disrupting the site or attempting to profit from their findings


Credit Card Fraud

- Fear that credit card information will be stolen ...
- Overall rate of credit card fraud is lower than ... of online transactions (CyberSource Corporation, 2007).
- ... $50 for a stolen credit card.
- Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under a false identity
- One solution: new identity verification ...

Spoofing (Pharming) and Spam (Junk) Web Sites

- Spoofing (Pharming)
  - Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
  - Threatens integrity of site; authenticity
  - Spoofing a Web site is called pharming, which involves redirecting a Web link to another IP address different from the true site, or altering orders and sending them to the true site for processing and delivery; ... the true sender of a message.
  - Pharming is carried out by hacking local DNS servers.
- Spam (Junk) Web sites
  - Use domain names similar to legitimate ones; redirect traffic to spammer-redirection domains


DoS and DDoS Attacks

- Denial of service (DoS) attack: hackers flood the site with useless traffic to inundate and overwhelm the network
- Distributed denial of service (DDoS) attack: hackers use numerous computers to attack the target network from ... compromised workstations.
- No. of DDoS attacks per day grew from ... during the last 6 months of 2004 to 927 during the first 6 months of 2005 (..., 2005).
- Microsoft and Yahoo have experienced such attacks

Denial of Service: Ping Flooding

- Attacker sends a flood of pings to the intended victim
- The ping packets will saturate the victim's bandwidth

Figure: Attacking System(s) -> Internet -> Victim System. SOURCE: PETER SHIPLEY


Denial of Service: SMURF Attack

- Uses a ping packet with two extra twists: the hacker chooses an unwitting victim and spoofs the source address
- ICMP = Internet Control Message Protocol

Figure: PERPETRATOR sends 1 SYN (sent to an IP broadcast address) to INNOCENT REFLECTOR SITES; 10,000 SYN/ACKs (ICMP echo replies) hit the VICTIM -- VICTIM IS DEAD. BANDWIDTH MULTIPLICATION: a T1 (1.54 Mbps) can easily yield 100 Mbps of attack. SOURCE: CISCO

DDoS Attack Illustrated

1. Hacker scans the Internet for unsecured computers that can be compromised
2. Hacker installs a zombie program, turning unsecured computers into zombies
3. Hacker selects a Master Server to ... the zombies
4. ... program; hacker sends commands to the Master Server to launch a zombie attack against a targeted system
5. Master Server sends a signal to the zombies to launch the attack on the targeted system
6. Targeted system is overwhelmed by bogus requests and is down for legitimate users (User: Request Denied)

Other Security Threats

- Sniffing: monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network
- Insider jobs: single largest financial threat; 64% of business firms experienced an insider ... (Computer Security Institute, 2007).
- Increase in complexity of software programs (e.g. MS's Win32 API) has contributed to an increase in vulnerabilities that hackers can exploit


Technology Solutions

- Protecting Internet communications (encryption)
- Securing channels of communication (SSL, S-HTTP, VPNs)
- Protecting servers and clients

Tools Available to Achieve Site Security
Figure 5.9, Page 279


Protecting Internet Communications: Encryption

- Encryption: transforms plain text or data into cipher text that cannot be read by unauthorized parties
- Purpose: secure stored information and information in transit
- Provides: message integrity, nonrepudiation, authentication, confidentiality

Symmetric Key Encryption

- Also known as secret key encryption
- Both the sender and receiver use the same digital key to encrypt and decrypt the message
- Requires a different set of keys for each transaction
- Advanced Encryption Standard (AES): most ...; offers 128-, 192-, and 256-bit encryption
- Other standards use keys up to 2,048 bits


2004 D. A. Menascé. All Rights Reserved.

Public Key Encryption

- Solves the symmetric key encryption problem of ...
- Uses two mathematically related digital keys: a public key and a private key (kept secret by owner)
- Both keys are used to encrypt and decrypt messages
- Once a key is used to encrypt a message, the same key cannot be used to decrypt the message
- Sender uses the recipient's public key to encrypt the message; the recipient uses his/her private key to decrypt it


Public Key Cryptography: A Simple Case
Figure 5.10, Page 283


Public Key Encryption using Digital Signatures and Hash Digests

- Public key encryption provides confidentiality but not authentication, integrity, and nonrepudiation
- Application of a hash function (mathematical algorithm) by the sender prior to encryption produces a hash (message) digest that the recipient can use to ...
- A hash function produces a fixed-length number.
- Examples of hash functions include MD4 and ...
- Double encryption with the sender's private key (digital signature) helps ensure authenticity and nonrepudiation

Figure (hash digest): Message (large) -> Hash Function -> Digest (small, e.g., 128 bits; shown as 1011010)


Public Key Cryptography with Digital Signatures
Figure 5.11, Page 284

Digital Envelopes

- Addresses weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and symmetric key encryption (faster, but ...)
- Uses symmetric key encryption to encrypt the document but public key encryption to encrypt and send the symmetric key
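The digest-and-signature flow and the digital envelope from the two slides above, as an added example that is not part of the textbook or its slides. It uses only the Python standard library: the RSA key pair is built from two fixed Mersenne primes (a constructed textbook key, no padding), and the symmetric cipher is an HMAC-SHA256 keystream standing in for AES; both are assumptions of this example, not the book's recommendation.

```python
import hashlib
import hmac
import os

# Toy RSA key pair from two known Mersenne primes (constructed for this example;
# real keys use random primes of 1024+ bits plus padding such as PSS/OAEP).
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: inverse of E mod phi(N)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def digest(message: bytes) -> int:
    """Hash function step: any-length message -> fixed-length 256-bit digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Digital signature: the digest 'encrypted' with the sender's private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient recomputes the digest and compares it with the signature
    'decrypted' under the sender's public key; any change to the message fails."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 keystream. It plays the
    role AES plays in the slides; the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ s for b, s in zip(data[offset:offset + 32], stream))
    return bytes(out)


def seal_envelope(document: bytes, recipient_public_key) -> tuple:
    """Digital envelope: a fresh symmetric key encrypts the (long) document, and
    the recipient's public key encrypts only the (short) symmetric key."""
    n, e = recipient_public_key
    session_key = os.urandom(32)
    ciphertext = symmetric_xor(session_key, document)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return ciphertext, wrapped_key


def open_envelope(ciphertext: bytes, wrapped_key: int, recipient_private_key) -> bytes:
    """Recipient unwraps the session key with the private key, then decrypts."""
    n, d = recipient_private_key
    session_key = pow(wrapped_key, d, n).to_bytes(32, "big")
    return symmetric_xor(session_key, ciphertext)
```

The same key pair is used for both roles here only to keep the example short; in practice the sender signs with its own private key and seals with the recipient's public key.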


Public Key Cryptography: Creating a Digital Envelope
Figure 5.12, Page 286

Digital Certificates and Public Key Infrastructure

- Still missing a way to verify the identity of Web sites.
- Digital certificate: issued by a third party called a certificate authority (CA)
- A digital certificate includes:
  - Name of subject/company
  - Subject's public key
  - Expiration date
  - Issuance date
  - Digital signature of the certification authority (trusted third-party institution) that issues the certificate
- Public Key Infrastructure (PKI): refers to the CAs and digital certificate procedures that are ...


Digital Certificates and Certification Authorities
Figure 5.13, Page 287

Limits to Encryption Solutions

- PKI applies mainly to protecting messages in transit
- Protection of private keys by individuals may be haphazard
- No guarantee that the verifying computer of the merchant is secure


Securing Channels of Communication

- Secure Sockets Layer (SSL): most common form of securing channels of communication; used to establish a secure negotiated session (client-server session in which the URL of the requested document, along with its contents, is encrypted)
- S-HTTP: alternative method; provides a secure ... for use in conjunction with HTTP. ... between two computers, S-HTTP is designed to send ...
- Virtual Private Networks (VPNs): allow remote users to securely access internal networks via the Internet using the Point-to-Point Tunneling Protocol (PPTP)

Secure Negotiated Sessions Using SSL
Figure ..., Page ...


Protecting Networks: Firewalls and Proxy Servers

- Firewall: filters communications packets; prevents some packets from entering the network based on a security policy
- Firewall methods include:
  - Packet filters: look inside data packets to decide whether they are destined for a prohibited port or originate from a prohibited IP address.
  - Application gateways: filter communications based on ..., rather than the source or destination of the message; more secure than packet filters, but can compromise system performance
- Proxy server: ... all communications originating from or being ...
  - Initially for limiting access of internal clients to ...
  - Can be used to restrict access to certain types of sites, such as porno, auction, or stock-trading sites, or to cache frequently-accessed Web pages to reduce download times


Firewalls and Proxy Servers
Figure 5.15, Page 293

Protecting Servers and Clients

- Operating system controls: authentication and access control mechanisms
- Anti-virus software: least-expensive way to prevent threats to system integrity


A Security Plan: Management Policies

- Perform risk assessment: assessment of risks and points of vulnerability
- Develop security policy: set of statements prioritizing ..., identifying mechanisms for achieving targets
- Develop implementation plan: action steps needed to achieve security plan goals
- Create security organization: in charge of security; educates and trains users, keeps management aware of security issues; administers access controls, authentication procedures and authorization policies
- Perform security audit: review of security practices and ...

Developing an E-commerce Security Plan
Figure 5.16, Page 295


The Role of Laws and Public Policy

- New laws have granted local and national authorities new tools and mechanisms for identifying, tracing and prosecuting cybercriminals
- National Infrastructure Protection Center: unit within the National Cyber Security Division of the Department of Homeland Security whose mission is to protect the U.S. technology and telecommunications infrastructure
- Homeland Security Act
- Government policies and controls on encryption software