Security Threats to Electronic Commerce

sweetlipscasteSecurity

Nov 2, 2013 (3 years and 11 months ago)

170 views



Security Threats to

Electronic Commerce

Objectives


Important computer and electronic
commerce security terms


Why secrecy, integrity, and necessity are
three parts of any security program


The roles of copyright and intellectual
property and their importance in any study
of electronic commerce

Objectives


Threats and counter measures to
eliminate or reduce threats


Specific threats to client machines,
Web servers, and commerce servers


Roles encryption and certificates play

Security Overview


Many fears to overcome


Intercepted e
-
mail messages


Unauthorized access to digital intelligence


Credit card information falling into the wrong
hands


Two types of computer security


Physical
-

protection of tangible objects


Logical
-

protection of non
-
physical objects

Security Overview


Countermeasures: physical or logical procedures that
recognize, reduce, or eliminate a threat



Computer Security Classification


Secrecy/Confidentiality


Protecting against unauthorized data disclosure and
ensuring the authenticity of the data’s source


Privacy



The ability to ensure the use of information about
oneself


Integrity


Preventing unauthorized data modification by an
unauthorized party


Necessity


Preventing data delays or denials (removal)

Computer Security Classification


Nonrepudiation



Ensure that e
-
commerce participants do not
deny (i.e., repudiate) their online actions


Authenticity



The ability to identify the identity of a person
or entity with whom you are dealing on the
Internet


Copyright and

Intellectual Property


Copyright


Protecting expression


Literary and musical works


Pantomimes and choreographic works


Pictorial, graphic, and sculptural works


Motion pictures and other audiovisual works


Sound recordings


Architectural works

Copyright and

Intellectual Property


Intellectual property


The ownership of ideas and control over the
tangible or virtual representation of those ideas


U.S. Copyright Act of 1976


Protects previously stated items for a fixed
period of time


Copyright Clearance Center


Clearinghouse for U.S. copyright information

Intellectual Property Threats


The Internet presents a tempting target for
intellectual property threats


Very easy to reproduce an exact copy of
anything found on the Internet


People are unaware of copyright restrictions, and
unwittingly infringe on them


Fair use allows limited use of copyright material when
certain conditions are met



Designing systems that are neither over
-
controlled nor under
-
controlled



Applying quality assurance standards in large
systems projects

MANAGEMENT CHALLENGES


Advances in telecommunications and
computer software



Unauthorized access, abuse, or fraud



Hackers



Denial of service attack



Computer virus

Why Systems are Vulnerable

Telecommunication Network
Vulnerabilities

Figure 14
-
1

Disaster

Destroys computer hardware, programs,
data files, and other equipment


Security

Prevents unauthorized access, alteration,
theft, or physical damage

Concerns for System Builders and
Users


Errors


Cause computers to disrupt or destroy
organization’s record
-
keeping and
operations

Concerns for System Builders
and Users

Bugs

Program code defects or errors


Maintenance Nightmare

Maintenance costs high due to
organizational change, software
complexity, and faulty system analysis
and design

System Quality Problems: Software
and Data

Points in the Processing Cycle
where Errors can Occur

Figure 14
-
2

Data Quality Problems



Caused due to errors during data input
or faulty information system and
database design


The Cost of Errors over the Systems
Development Cycle

Figure 14
-
3

Controls



Methods, policies, and procedures



Ensures protection of organization’s
assets



Ensures accuracy and reliability of
records, and operational adherence to
management standards

Overview

General controls



Establish framework for controlling
design, security, and use of computer
programs



Include software, hardware, computer
operations, data security,
implementation, and administrative
controls

General Controls and Application
Controls

Security Profiles for a Personnel
System

Figure 14
-
4

Application controls



Unique to each computerized application



Include input, processing, and output
controls

General Controls and Application
Controls


On
-
line transaction processing:

Transactions entered online are
immediately processed by computer



Fault
-
tolerant computer systems:

Contain
extra hardware, software, and power
supply components


Protecting the Digital Firm


High
-
availability computing:

Tools and
technologies enabling system to recover from a
crash


Disaster recovery plan:

Runs business in event
of computer outage


Load balancing:

Distributes large number of
requests for access among multiple servers


Mirroring:

Duplicating all processes and
transactions of server on backup server to
prevent any interruption



Clustering:

Linking two computers together so
that a second computer can act as a backup to
the primary computer or speed up processing


Protecting the Digital Firm

Security Threats in the

E
-
commerce Environment



Three key points of vulnerability


the client


communications pipeline


the server

Vulnerable Points in an

E
-
commerce Environment



Electronic Commerce
Threats


Client Threats


Active Content


Java applets, Active X controls, JavaScript, and
VBScript


Programs that interpret or execute instructions
embedded in downloaded objects


Malicious active content can be embedded into
seemingly innocuous Web pages
--

launched when you
use your browser to view the page

Electronic Commerce
Threats


Client Threats

--

Cookies


remember user names, passwords, and other
commonly referenced information


Exercise


Go to “cookie FAQs” on text links page or
:
http://www.cookiecentral.com/faq/


Are cookies dangerous?


How did they get to be called “cookies?”


What are the benefits of cookies?

Graphics, Plug
-
ins, and

E
-
mail Attachments


Code can be embedded into graphic images
causing harm to your computer


Plug
-
ins are used to play audiovisual clips,
animated graphics


Could contain ill
-
intentioned commands hidden
within the object


E
-
mail attachments can contain destructive
macros within the document

Communication Channel
Threats


Secrecy Threats


Secrecy is the prevention of unauthorized
information disclosure
-

technical issue


Privacy is the protection of individual rights to
nondisclosure
-

legal issue regarding rights


Theft of sensitive or personal information is a
significant danger


Your IP address and browser you use are
continually revealed while on the web

Communication Channel
Threats


Anonymizer


A Web site that provides a measure of secrecy
as long as it’s used as the portal to the Internet


http://www.anonymizer.com


Check out “Here’s what we know about you”


Integrity Threats


Also known as active wiretapping


Unauthorized party can alter data


Change the amount of a deposit or withdrawal

Communication Channel
Threats


Necessity Threats


Also known as delay or denial threats


Disrupt normal computer processing


Deny processing entirely


Slow processing to intolerably slow speeds


Remove file entirely, or delete information
from a transmission or file


Divert money from one bank account to
another


Server Threats


The more complex software becomes, the
higher the probability that errors (bugs)
exist in the code


Servers run at various privilege levels


Highest levels provide greatest access and
flexibility


Lowest levels provide a logical fence around a
running program

Server Threats


Contents of a server’s folder names are
revealed to a Web browser


Cookies should never be transmitted
unprotected


Sensitive files such as username and
password pairs or credit card numbers


Hacking and Cracking
--

the Web server
administrator is responsible for ensuring
that all sensitive files, are secure

Database Threats


Once a user is authenticated to a database,
selected database information is visible to
the user.


Security is often enforced through the use
of privileges


Some databases are inherently insecure and
rely on the Web server to enforce security
measures

Other Threats


Common Gateway Interface (CGI) Threats


CGIs are programs that present a security
threat if misused


CGI programs can reside almost anywhere on a
Web server and therefore are often difficult to
track down


CGI scripts do not run inside a sandbox, unlike
JavaScript


Other Threats


Other programming threats include


Programs executed by the server


Buffer overruns can cause errors


Runaway code segments


The Internet Worm attack was a runaway code
segment


Buffer overflow attacks occur when control is
released by an authorized program, but the
intruder code instructs control to be turned over
to it


Tools Available to Achieve Site
Security



Encryption


Transforms plain text or data into cipher
text that cannot be read by anyone outside
of the sender and the receiver. Purpose:


to secure stored information


to secure information transmission.


Cipher text


text that has been encrypted and thus cannot be
read by anyone besides the sender and the
receiver


Symmetric Key Encryption


DES standard most widely used

Encryption


Public key cryptography


uses two mathematically related digital keys: a
public key and a private key.


The private key is kept secret by the owner,
and the public key is widely disseminated.


Both keys can be used to encrypt and
decrypt a message.


A key used to encrypt a message, cannot be
used to unencrypt the message

Public Key Cryptography
-


A Simple Case



Public Key Cryptography with Digital
Signatures



Public Key Cryptography: Creating
a Digital Envelope



Securing Channels of Communications


Secure Sockets Layer (SSL) is the most
common form of securing channels


Secure negotiated session


client
-
server session where the requested
document URL, contents, forms, and cookies are
encrypted.


Session key is a unique symmetric encryption
key chosen for a single secure session

Secure Negotiated Sessions Using
SSL



Securing Channels of
Communications


Secure Hypertext Transfer Protocol (S
-
HTTP)


secure message
-
oriented communications
protocol for use with HTTP.


Virtual Private Networks (VPN)


remote users can securely access internal
networks via Point
-
to
-
Point Tunneling Protocol
(PPTP)

Protecting Networks


Firewalls


software applications that act as a filter
between a private network and the Internet


Proxy server


server that handles all communications
originating from or being sent to the Internet,
acting as a spokesperson or bodyguard for the
organization

Policies, Procedures, and Laws


Developing an e
-
commerce security plan


perform a risk assessment


develop a security policy


develop an implementation plan


create a security organization


perform a security audit

Tension Between Security and Other
Values


Ease of use



Often security slows down processors and adds
significantly to data storage demands. Too much
security can harm profitability; not enough can
mean going out of business.


Public Safety & Criminal Use


claims of individuals to act anonymously vs. needs
of public officials to maintain public safety in
light of criminals or terrorists.

Security Policy and

Integrated Security


Security policy is a written statement
describing what assets are to be
protected and why, who is responsible,
which behaviors are acceptable or not


Physical security


Network security


Access authorizations


Virus protection


Disaster recovery

Specific Elements of

a Security Policy


Authentication


Who is trying to access the site?


Access Control


Who is allowed to logon and access the site?


Secrecy


Who is permitted to view selected information


Data integrity


Who is allowed to change data?


Audit


What and who causes selected events to occur,
and when?

Computer Emergency Response
Team (CERT)


Housed at Carnegie Mellon University


Responds to security events and
incidents within the U.S. government
and private sector

Some questions


Can internet security measures actually create
opportunities for criminals to steal? How?


Why are some online merchants hesitant to ship
to international addresses?


What are some steps a company can take to
thwart cyber
-
criminals from within a business?


Is a computer with anti
-
virus software protected
from viruses? Why or why not?


What are the differences between encryption
and authentication?


Discuss the role of administration in implementing
a security policy?

Group Exercise


Given the shift to m
-
commerce, identify
and discuss the new security threats to
this type of technology?


What are some of the non
-
security
impacts on society?


Select a reporter and give a brief synopsis
of your views to the class.