Chapter 9 E-Security. Awad –Electronic Commerce 2/e © 2003 Prentice Hall 2 Day 24 Agenda Quiz 3 Corrected –4 A’s, 4 B’s and 1 C Quiz 4 (last) will be

WWWWWW

Chapter 9

E-Security

2WWWWWW Awad –Electronic Commerce 2/e© 2003 Prentice Hall

Day 24 Agenda

• Quiz 3 Corrected– 4 A’s, 4 B’s and 1 C

• Quiz 4 (last) will be April 30• Chap 13, 14, & 15

• Assignment 8 (last) will be assigned next week

• Should be progressing on Framework • Lecture/Discuss E-security


OBJECTIVES

• Security in Cyberspace

• Conceptualizing Security

• Designing for Security

• How Much Risk Can You Afford?

• Virus – Computer Enemy #1

• Security Protection & Recovery

E-Security: Objectives


ABUSE & FAILURE

• Fraud

• Theft

• Disruption of Service

• Loss of Customer Confidence

E-Security: Security in Cyberspace


WHY INTERNET IS DIFFERENT?

E-Security: Security in Cyberspace

Paper-Based Commerce Electronic Commerce

Signed paper Documents Digital Signature

Person-to-person Electronic via Website

Physical Payment System Electronic Payment System

Merchant-customer Face-to-face Face-to-face Absence

Easy Detectability of modification Difficult Detectability

Easy Negotiability Special Security Protocol


Digital Signature Act (Oct 1v 2000)

• A contract or agreement in interstate or foreign commerce will not be denied legal effect, validity, or enforceability if the contract or agreement is in electronic form and is signed by an electronic signature. Note that the act covers only foreign and interstate commerce. Therefore, where both parties to a contract are in the same state, the law would not seem to apply. However, most states have enacted their own digital signature laws, which cover intrastate transactions.

• The Act permits, but does not require the use of an electronic signature.

• A legal requirement to furnish a record to a consumer in writing can be satisfied by an electronic record, so long as the consumer consents.

• A legal record retention requirement can be satisfied with electronic records.


SECURITY CONCERNS

• Confidentiality

• Authentication

• Integrity

• Access Control

• Non-repudiation

• Firewalls

E-Security: Conceptualizing Security


INFORMATION SECURITY DRIVERS

• Global trading– On-line, real time

• Availability of reliable security packages– Good products…expensive

• Changes in attitudes toward security– Strategic asset



PRIVACY FACTOR


0%

10%

20%

30%

40%

50%

Men Women Ages 18-29

Ages 30-49

Ages 50or older

Incomeless than$40,000

Surfers who agree with the statement: The Internet is a serious threat to privacy


DESIGNING FOR SECURITY

• Adopt a reasonable security policy – Cost effective– Proactive

• Consider web security needs– Data sensitivity

• Design the security environment• Authorizing and monitoring the system

– Accountability– Traceability

E-Security: Designing for Security


ADOPT A REASONABLE SECURITY POLICY

• Policy– Understanding the threats information must be

protected against to ensure• Confidentiality

• Integrity

• Privacy

– Should cover the entire e-commerce system• Internet security practices

• Nature & level of risks

• Procedure of failure recovery



SECURITY PERIMETER

• Firewalls

• Authentication

• Virtual Private Networks (VPN)

• Intrusion Detection Devices



Security Design Process

Consider Web Security NeedsConsider Web Security Needs

Design The SecurityEnvironment

Design The SecurityEnvironment

Police The SecurityPerimeter

Police The SecurityPerimeter

Authorize and MonitorThe Security System

Authorize and MonitorThe Security System

Adopt a Security Policy That Makes Sense

Adopt a Security Policy That Makes Sense


AUTHORIZING & MONITORING SYSTEM

• Monitoring– Capturing processing details for evidence– Verifying e-commerce is operating within

security policy– Verifying attacks have been unsuccessful



HOW MUCH RISK CAN YOU AFFORD?

• Determine specific threats inherent to the system design

• Estimate pain threshold

• Analyze the level of protection required

E-Security: How Much Risk Can You Afford?


KINDS OF THREATS / CRIMES

• Physically-related– Create physical changes

• Order-related– Manipulation of existing orders

• Electronically-related– Sniffers– Spoofers– Script kiddies



CLIENT SECURITY THREATS

• Why?– Sheer Nuisances– Deliberate Corruption of Files– Rifling Stored Information

• How?– Physical Attack– Virus– Computer-to-computer Attack



SERVER SECURIY THREATS

• Web server with an active port

• Windows NT server, not upgraded to act as firewall

• Anonymous FTP service

• Web server directories that can be accessed & indexed



HOW HACKERS ACTIVATE A DISTRIBUTED DENIAL OF SERVICE

ATTACK (DDoS)• Break into less-secured computers

connected to a high-bandwidth network• Installs stealth program which duplicate

itself indefinitely to congest network traffic• Specifies a target network from a remote

location and activates the planted program• Victim’s network is overwhelmed & users

are denied access



VIRUS – COMPUTER ENEMY #1

• A malicious code replicating itself to cause disruption of the information infrastructure

• Attacks system integrity, circumvent security capabilities & cause adverse operation

• Incorporate into computer networks, files & other executable objects

E-Security: Virus – Computer Enemy #1


TYPES OF VIRUSES

• Boot Virus– Attacks boot sectors of the hard drive

• Macro Virus– Exploits macro commands in software application



VIRUS CHARACTERISTICS

• Fast– Easily invade and infect computer hard disk

• Slow– Less likely to detect & destroy

• Stealth– Memory resident – Able to manipulate its execution to disguise its

presence



ANTI-VIRUS STRATEGY

• Establish a set of simple enforceable rules

• Educate & train users

• Inform users of the existing & potential threats to the company’s systems

• Update the latest anti-virus software periodically



BASIC INTERNET SECURITY PRACTICES

• Password– http://www.crackpassword.com/

– Alpha-numeric

– Mix with upper and lower cases

– Change frequently

– No dictionary names

• Encryption– Coding of messages in traffic between the customer

placing an order and the merchant’s network processing the order

E-Security: Security Protection & Recovery


SECURITY RECOVERY

• Attack Detection

• Damage Assessment

• Correction & Recovery

• Corrective Feedback

E-Security: Security Protection & Recovery


FIREWALL & SECURITY

• Firewall– Enforces an access control policy between two

networks– Detects intruders, blocks them from entry,

keeps track what they did & notifies the system administrator

E-Security: Firewall & Security


WHAT FIREWALL CAN PROTECT

• Email services known to be problems

• Unauthorized external logins

• Undesirable material, e.g. pornography

• Unauthorized sensitive information



WHAT FIREWALL CAN’T PROTECT

• Attacks without going through the firewall

• Weak security policy

• ‘Traitors’ or disgruntled employees

• Viruses via floppy disks

• Data-driven attack



SPECIFIC FIREWALL FEATURES

• Security Policy

• Deny Capability

• Filtering Ability

• Scalability

• Authentication

• Recognizing Dangerous Services

• Effective Audit Logs



Assignment # 7

• On Page 276

• Answer Discussion Questions 1, 2 & 3– Answers should be well reasoned and explained

in under one page per question– Turn in a well formatted typed response sheet– Due Tuesday, November 19 at start of class