E-commerce security

Nov 2, 2013

Prentice Hall, 2002

Chapter 13
E-Commerce Security

Learning Objectives

Document the rapid rise in computer and network security attacks

Understand the factors contributing to the rise in EC security breaches

Explain the basic types of network security attacks

Learning Objectives (cont.)

Discuss the major steps in developing a security risk management system

Describe the major types of attacks against EC systems

Discuss some of the major technologies for securing EC

Bringing Down an EC Site: Mere Child’s Play

Distributed Denial of Service (DDoS) attacks can inundate a site with so many requests that legitimate traffic is virtually halted

Attacker used software to send a flood of data packets to the target computer(s) with the aim of overloading its resources
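The flood the slide describes shows up in a site's own logs as an abnormal request rate per client. As an added example (not from the textbook), here is a defender-side monitor that parses constructed web-server access-log lines and flags any client exceeding a request threshold inside a sliding time window; the log format, addresses and thresholds are assumptions for the demo.

```python
# Added example (not from the textbook): flag request floods in web-server
# access logs by counting requests per client IP inside a sliding window.
# The log lines produced by build_sample_log() are constructed, not real.
from collections import defaultdict, deque
from datetime import datetime

# Simplified Common Log Format: <ip> - - [<timestamp> <tz>] "<request>" <status> <bytes>
TS_FMT = "%d/%b/%Y:%H:%M:%S"

def parse_line(line):
    """Return (ip, datetime) for one access-log line, or None if unparsable."""
    try:
        ip, rest = line.split(" ", 1)
        ts = rest.split("[", 1)[1].split("]", 1)[0].split(" ")[0]  # drop tz
        return ip, datetime.strptime(ts, TS_FMT)
    except (IndexError, ValueError):
        return None

def find_floods(lines, window_seconds=10, threshold=20):
    """Return {ip: peak_count} for clients that exceed `threshold` requests
    within any `window_seconds` interval. One deque per client keeps only the
    timestamps still inside the window, so memory is bounded by the window."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing the monitor
        ip, when = parsed
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def build_sample_log():
    """Constructed sample: one client sends 30 requests in 5 seconds (a flood),
    another sends 6 requests spread over a minute (normal browsing)."""
    lines = []
    for i in range(30):
        lines.append(f'203.0.113.7 - - [01/Nov/2002:10:00:{i // 6:02d} +0000] '
                     f'"GET /checkout HTTP/1.0" 200 512')
    for i in range(6):
        lines.append(f'198.51.100.4 - - [01/Nov/2002:10:00:{i * 10:02d} +0000] '
                     f'"GET /catalog HTTP/1.0" 200 2048')
    return lines
```

Calling `find_floods(build_sample_log())` reports only the flooding client; a real DDoS spreads the load over many zombie addresses, so the same window logic is usually also applied to the aggregate request rate per URL or per server.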

Figure 13-1: Using Zombies in a Distributed Denial of Service Attack
Source: Scambray et al. (2000)

Bringing Down an EC Site: Mere Child’s Play (cont.)

Distributed Denial of Service (DDoS) attacks

Zombie - machine on which the DDoS software is loaded, unknown to the owner

Home computers with cable modems or DSL service that are left on all the time

Business Web servers located outside the firewall

Availability of free tools and scripts makes it easy to mount a DDoS attack

Figure 13-2: Attack Sophistication vs. Intruder Technical Knowledge
Source: Special permission to reproduce the CERT/CC graphic © 2000 by Carnegie Mellon University, in Electronic Commerce 2002 in Allen et al. (2000).

The Need for Security

Data from Computer Security Institute and FBI indicate:

Cyber attacks are on the increase

Internet connections are increasingly a point of attack

The variety of attacks is on the rise

The reporting of serious crimes to law enforcement has declined

Table 13-2: Incidents and Vulnerabilities Reported to CERT
Figures from Computer Emergency Response Team (CERT)

Why Now?

Security systems are only as strong as their weakest points

Security and ease of use (or implementation) are antithetical to one another

Security takes a back seat to market pressures

Why Now? (cont.)

Security of an EC site depends on the security of the Internet as a whole

Security vulnerabilities are increasing faster than they can be combated

Security compromised by common applications
Basic Security Issues

Issues at a simple marketing site:

User’s perspective

Is the Web server owned and operated by a legitimate company?

Does the Web page or form contain malicious code content?

Will the Web server distribute the user’s information to another party?

Company’s perspective

Will the user attempt to break into the Web server or alter the site?

Will the user try to disrupt the server so it isn’t available to others?

Basic Security Issues (cont.)

Issues at a simple marketing site:

User and company perspective

Is the network connection free from eavesdropping?

Has information sent back and forth between server and browser been altered?

Basic Security Issues (cont.)

Major security issues in EC

Authentication

Authorization

Auditing

Confidentiality or privacy

Integrity

Availability

Non-repudiation

Security Risk Management

Required to determine security needs

4 phases of risk management

Assessment

Planning

Implementation

Monitoring

Definitions involved in risk management

Assets - anything of value worth securing

Threat - eventuality representing danger to an asset

Vulnerability - weakness in a safeguard

Security Risk Management (cont.)

Assessment phase - evaluation of assets, threats, vulnerabilities

Determine organizational objectives

Inventory assets

Delineate threats

Identify vulnerabilities

Quantify the value of each risk
Table 13-3: Security Risks for EC & Other Internet Sites

Security Risk Management (cont.)

Planning phase of risk management - arrive at a set of security policies

Define specific policies

Establish processes for audit and review

Establish an incident response team and contingency plan

Security Risk Management (cont.)

Implementation phase of risk management - choose particular technologies to deal with high priority threats

Monitoring phase of risk management - ongoing processes used to determine which measures are successful, unsuccessful and need modification

Types of Threats and Attacks

Nontechnical vs. technical attacks

Steps in a hacker’s attack

Discover key elements of network

Scan for vulnerabilities

Hack in and gain administrator privileges

Disable auditing & traces from log files

Steal files, modify data, steal source code, etc.

Install back doors, etc. to permit undetectable reentry

Return at will to do more damage

Types of Threats and Attacks (cont.)

The players

Hackers

Crackers

Script kiddies

Systems and software bugs and misconfigurations

Types of Threats and Attacks (cont.)

IP fragmentation (teardrop, bonk, boink, nestea, and others)

DNS spoofing

Ping of death

Smurf attack

SYN flood

Buffer overflows

Denial-of-service (DoS) attacks

Types of Threats and Attacks (cont.)

Input validation attacks

Intercepted transmissions

Malicious code

Viruses

Worms

Macro viruses and macro worms

Trojan horses

Malicious mobile code
Security Technologies

Firewalls and access control

Firewall - network node that isolates private network from public network

Packet-filtering routers

Application-level proxies

Screened host firewall

Figure 13-6: Application-Level Proxy (Bastion Gateway Host)

Figure 13-7: Screened Host Firewall

Figure 13-8: Screened Subnet Firewall (with DMZ)
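The screened subnet of Figure 13-8 places the bastion host in a DMZ between two packet-filtering routers, so that a compromised public server still cannot reach the private network. As an added example (not from the textbook, and not a real product's rule syntax), the following first-match packet filter models both routers with default-deny rule sets; the address ranges, ports and rule ordering are constructed assumptions.

```python
# Added example (not from the textbook): a minimal first-match packet filter
# modelling the screened subnet of Figure 13-8. An outer router screens the
# Internet side, an inner router screens the private LAN; a packet must be
# allowed by every router on its path, and unmatched packets are denied.
# Only connection-initiating packets are modelled (stateless, no reply
# tracking). Address ranges are constructed documentation prefixes.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")            # note: also contains DMZ and LAN
DMZ = ip_network("192.0.2.0/24")         # bastion host / public web server
LAN = ip_network("10.10.0.0/16")         # private network
WEB = ip_network("192.0.2.10/32")

# Rule: (src_net, dst_net, proto, dst_port or None, action); first match wins,
# so specific rules must precede the broad ones that follow them.
OUTER_ROUTER = [
    (ANY, WEB, "tcp", 80,  "allow"),     # public HTTP/HTTPS to web server only
    (ANY, WEB, "tcp", 443, "allow"),
    (ANY, LAN, "any", None, "deny"),     # nothing from outside reaches the LAN
    (DMZ, ANY, "tcp", None, "allow"),    # bastion outbound (patches, DNS, ...)
    (LAN, ANY, "tcp", None, "allow"),    # staff browsing the Internet
]
INNER_ROUTER = [
    (LAN, WEB, "tcp", 443, "allow"),     # staff may use the public service
    (LAN, DMZ, "any", None, "deny"),     # ...but nothing else in the DMZ
    (DMZ, LAN, "any", None, "deny"),     # a compromised bastion cannot pivot
    (LAN, ANY, "tcp", None, "allow"),    # staff browsing continues outward
]

def evaluate(rules, src, dst, proto, dport):
    """Verdict of one router for one packet; default-deny if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, r_proto, r_port, action in rules:
        if (s in src_net and d in dst_net
                and r_proto in ("any", proto) and r_port in (None, dport)):
            return action
    return "deny"

def screened_subnet(src, dst, proto, dport):
    """Combine the verdicts of every router the packet crosses."""
    s, d = ip_address(src), ip_address(dst)
    inside = lambda a: a in DMZ or a in LAN
    routers = []
    if not inside(s) or not inside(d):      # Internet on one end: outer router
        routers.append(OUTER_ROUTER)
    if s in LAN or d in LAN:                # LAN on one end: inner router
        routers.append(INNER_ROUTER)
    return "allow" if all(evaluate(r, src, dst, proto, dport) == "allow"
                          for r in routers) else "deny"
```

Swapping the order of the two `LAN -> DMZ` rules in `INNER_ROUTER` would silently expose every DMZ port to the LAN, which is why rule ordering deserves the same review as the rules themselves.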

Security Technologies (cont.)

Virtual private networks (VPNs) - use public Internet to carry information but remains private

Encryption - scramble communications

Authentication - ensure information remains untampered with and comes from legitimate source

Access control - verify identity of anyone using network

Security Technologies (cont.)

Protocol tunneling - ensure confidentiality and integrity of data transmitted

Point-to-point tunneling protocol (PPTP)

Layer 2 tunneling protocol (L2TP)

Intrusion Detection Systems (IDS)

Managerial Issues

Recognize the business consequences of poor security

Security through obscurity doesn't work

It’s the business that counts, not the technology

Security is an on-going, closed-loop process

Even for EC sites, internal breaches are more prevalent than external breaches