Security Threats to Electronic Commerce


2 Νοε 2013 (πριν από 5 χρόνια και 5 μήνες)

288 εμφανίσεις

Security Threats to

Electronic Commerce


Important computer and electronic
commerce security terms

Why secrecy, integrity, and necessity are
three parts of any security program

The roles of copyright and intellectual
property and their importance in any study
of electronic commerce


Threats and counter measures to
eliminate or reduce threats

Specific threats to client machines,
Web servers, and commerce servers

Roles encryption and certificates play

Security Overview

Many fears to overcome

Intercepted e
mail messages

Unauthorized access to digital intelligence

Credit card information falling into the wrong

Two types of computer security


protection of tangible objects


protection of non
physical objects

Security Overview

Countermeasures: physical or logical procedures that
recognize, reduce, or eliminate a threat

Computer Security Classification


Protecting against unauthorized data disclosure and
ensuring the authenticity of the data’s source


The ability to ensure the use of information about


Preventing unauthorized data modification by an
unauthorized party


Preventing data delays or denials (removal)

Computer Security Classification


Ensure that e
commerce participants do not
deny (i.e., repudiate) their online actions


The ability to identify the identity of a person
or entity with whom you are dealing on the

Copyright and

Intellectual Property


Protecting expression

Literary and musical works

Pantomimes and choreographic works

Pictorial, graphic, and sculptural works

Motion pictures and other audiovisual works

Sound recordings

Architectural works

Copyright and

Intellectual Property

Intellectual property

The ownership of ideas and control over the
tangible or virtual representation of those ideas

U.S. Copyright Act of 1976

Protects previously stated items for a fixed
period of time

Copyright Clearance Center

Clearinghouse for U.S. copyright information

Intellectual Property Threats

The Internet presents a tempting target for
intellectual property threats

Very easy to reproduce an exact copy of
anything found on the Internet

People are unaware of copyright restrictions, and
unwittingly infringe on them

Fair use allows limited use of copyright material when
certain conditions are met

Designing systems that are neither over
controlled nor under

Applying quality assurance standards in large
systems projects


Advances in telecommunications and
computer software

Unauthorized access, abuse, or fraud


Denial of service attack

Computer virus

Why Systems are Vulnerable

Telecommunication Network

Figure 14


Destroys computer hardware, programs,
data files, and other equipment


Prevents unauthorized access, alteration,
theft, or physical damage

Concerns for System Builders and


Cause computers to disrupt or destroy
organization’s record
keeping and

Concerns for System Builders
and Users


Program code defects or errors

Maintenance Nightmare

Maintenance costs high due to
organizational change, software
complexity, and faulty system analysis
and design

System Quality Problems: Software
and Data

Points in the Processing Cycle
where Errors can Occur

Figure 14

Data Quality Problems

Caused due to errors during data input
or faulty information system and
database design

The Cost of Errors over the Systems
Development Cycle

Figure 14


Methods, policies, and procedures

Ensures protection of organization’s

Ensures accuracy and reliability of
records, and operational adherence to
management standards


General controls

Establish framework for controlling
design, security, and use of computer

Include software, hardware, computer
operations, data security,
implementation, and administrative

General Controls and Application

Security Profiles for a Personnel

Figure 14

Application controls

Unique to each computerized application

Include input, processing, and output

General Controls and Application

line transaction processing:

Transactions entered online are
immediately processed by computer

tolerant computer systems:

extra hardware, software, and power
supply components

Protecting the Digital Firm

availability computing:

Tools and
technologies enabling system to recover from a

Disaster recovery plan:

Runs business in event
of computer outage

Load balancing:

Distributes large number of
requests for access among multiple servers


Duplicating all processes and
transactions of server on backup server to
prevent any interruption


Linking two computers together so
that a second computer can act as a backup to
the primary computer or speed up processing

Protecting the Digital Firm

Security Threats in the

commerce Environment

Three key points of vulnerability

the client

communications pipeline

the server

Vulnerable Points in an

commerce Environment

Electronic Commerce

Client Threats

Active Content

Java applets, Active X controls, JavaScript, and

Programs that interpret or execute instructions
embedded in downloaded objects

Malicious active content can be embedded into
seemingly innocuous Web pages

launched when you
use your browser to view the page

Electronic Commerce

Client Threats



remember user names, passwords, and other
commonly referenced information


Go to “cookie FAQs” on text links page or

Are cookies dangerous?

How did they get to be called “cookies?”

What are the benefits of cookies?

Graphics, Plug
ins, and

mail Attachments

Code can be embedded into graphic images
causing harm to your computer

ins are used to play audiovisual clips,
animated graphics

Could contain ill
intentioned commands hidden
within the object

mail attachments can contain destructive
macros within the document

Communication Channel

Secrecy Threats

Secrecy is the prevention of unauthorized
information disclosure

technical issue

Privacy is the protection of individual rights to

legal issue regarding rights

Theft of sensitive or personal information is a
significant danger

Your IP address and browser you use are
continually revealed while on the web

Communication Channel


A Web site that provides a measure of secrecy
as long as it’s used as the portal to the Internet

Check out “Here’s what we know about you”

Integrity Threats

Also known as active wiretapping

Unauthorized party can alter data

Change the amount of a deposit or withdrawal

Communication Channel

Necessity Threats

Also known as delay or denial threats

Disrupt normal computer processing

Deny processing entirely

Slow processing to intolerably slow speeds

Remove file entirely, or delete information
from a transmission or file

Divert money from one bank account to

Server Threats

The more complex software becomes, the
higher the probability that errors (bugs)
exist in the code

Servers run at various privilege levels

Highest levels provide greatest access and

Lowest levels provide a logical fence around a
running program

Server Threats

Contents of a server’s folder names are
revealed to a Web browser

Cookies should never be transmitted

Sensitive files such as username and
password pairs or credit card numbers

Hacking and Cracking

the Web server
administrator is responsible for ensuring
that all sensitive files, are secure

Database Threats

Once a user is authenticated to a database,
selected database information is visible to
the user.

Security is often enforced through the use
of privileges

Some databases are inherently insecure and
rely on the Web server to enforce security

Other Threats

Common Gateway Interface (CGI) Threats

CGIs are programs that present a security
threat if misused

CGI programs can reside almost anywhere on a
Web server and therefore are often difficult to
track down

CGI scripts do not run inside a sandbox, unlike

Other Threats

Other programming threats include

Programs executed by the server

Buffer overruns can cause errors

Runaway code segments

The Internet Worm attack was a runaway code

Buffer overflow attacks occur when control is
released by an authorized program, but the
intruder code instructs control to be turned over
to it

Tools Available to Achieve Site


Transforms plain text or data into cipher
text that cannot be read by anyone outside
of the sender and the receiver. Purpose:

to secure stored information

to secure information transmission.

Cipher text

text that has been encrypted and thus cannot be
read by anyone besides the sender and the

Symmetric Key Encryption

DES standard most widely used


Public key cryptography

uses two mathematically related digital keys: a
public key and a private key.

The private key is kept secret by the owner,
and the public key is widely disseminated.

Both keys can be used to encrypt and
decrypt a message.

A key used to encrypt a message, cannot be
used to unencrypt the message

Public Key Cryptography

A Simple Case

Public Key Cryptography with Digital

Public Key Cryptography: Creating
a Digital Envelope

Securing Channels of Communications

Secure Sockets Layer (SSL) is the most
common form of securing channels

Secure negotiated session

server session where the requested
document URL, contents, forms, and cookies are

Session key is a unique symmetric encryption
key chosen for a single secure session

Secure Negotiated Sessions Using

Securing Channels of

Secure Hypertext Transfer Protocol (S

secure message
oriented communications
protocol for use with HTTP.

Virtual Private Networks (VPN)

remote users can securely access internal
networks via Point
Point Tunneling Protocol

Protecting Networks


software applications that act as a filter
between a private network and the Internet

Proxy server

server that handles all communications
originating from or being sent to the Internet,
acting as a spokesperson or bodyguard for the

Policies, Procedures, and Laws

Developing an e
commerce security plan

perform a risk assessment

develop a security policy

develop an implementation plan

create a security organization

perform a security audit

Tension Between Security and Other

Ease of use

Often security slows down processors and adds
significantly to data storage demands. Too much
security can harm profitability; not enough can
mean going out of business.

Public Safety & Criminal Use

claims of individuals to act anonymously vs. needs
of public officials to maintain public safety in
light of criminals or terrorists.

Security Policy and

Integrated Security

Security policy is a written statement
describing what assets are to be
protected and why, who is responsible,
which behaviors are acceptable or not

Physical security

Network security

Access authorizations

Virus protection

Disaster recovery

Specific Elements of

a Security Policy


Who is trying to access the site?

Access Control

Who is allowed to logon and access the site?


Who is permitted to view selected information

Data integrity

Who is allowed to change data?


What and who causes selected events to occur,
and when?

Computer Emergency Response
Team (CERT)

Housed at Carnegie Mellon University

Responds to security events and
incidents within the U.S. government
and private sector

Some questions

Can internet security measures actually create
opportunities for criminals to steal? How?

Why are some online merchants hesitant to ship
to international addresses?

What are some steps a company can take to
thwart cyber
criminals from within a business?

Is a computer with anti
virus software protected
from viruses? Why or why not?

What are the differences between encryption
and authentication?

Discuss the role of administration in implementing
a security policy?

Group Exercise

Given the shift to m
commerce, identify
and discuss the new security threats to
this type of technology?

What are some of the non
impacts on society?

Select a reporter and give a brief synopsis
of your views to the class.