Electronic Commerce
Objectives
Important computer and electronic commerce security terms
Why secrecy, integrity, and necessity are three parts of any security program
The roles of copyright and intellectual property and their importance in any study of electronic commerce
Objectives
Threats and countermeasures to eliminate or reduce threats
Specific threats to client machines, Web servers, and commerce servers
Roles encryption and certificates play
Security Overview
Many fears to overcome
Intercepted e-mail messages
Unauthorized access to digital intelligence
Credit card information falling into the wrong hands
Security Overview
Countermeasures: physical or logical procedures that recognize, reduce, or eliminate a threat
Privacy
The ability to control the use of information about oneself
Integrity
Preventing data modification by an unauthorized party
Necessity
Preventing data delays or denials (removal)
Authenticity
The ability to verify the identity of a person or entity with whom you are dealing on the Internet
Copyright and Intellectual Property
Copyright
Protecting expression
Literary and musical works
Pantomimes and choreographic works
Pictorial, graphic, and sculptural works
Motion pictures and other audiovisual works
Sound recordings
Architectural works
Copyright and Intellectual Property
Intellectual property
The ownership of ideas and control over the tangible or virtual representation of those ideas
MANAGEMENT CHALLENGES
Designing systems that are neither over-controlled nor under-controlled
Applying quality assurance standards in large systems projects
Telecommunication Network Vulnerabilities
Figure 14-1
Disaster
Security
Prevents unauthorized access, alteration, theft, or physical damage
Maintenance Nightmare
Maintenance costs high due to organizational change, software complexity, and faulty system analysis and design
Figure 14-2
Figure 14-3
Overview
Controls
Methods, policies, and procedures
Ensures protection of the organization's assets
Ensures accuracy and reliability of records, and operational adherence to management standards
General controls
Figure 14-4
Vulnerable Points in an E-commerce Environment
[Figure: the client, the communications pipeline, and the server]
Electronic Commerce Threats
Client Threats
Active Content
Java applets, ActiveX controls, JavaScript, and VBScript
Programs that interpret or execute instructions embedded in downloaded objects
Malicious active content can be embedded into seemingly innocuous Web pages and is launched when you use your browser to view the page
Electronic Commerce Threats
Exercise
Go to cookie FAQs on text links page or:
http://www.cookiecentral.com/faq/
Are cookies dangerous?
How did they get to be called cookies?
What are the benefits of cookies?
Communication Channel Threats
Secrecy Threats
Secrecy is the prevention of unauthorized information disclosure (a technical issue)
Privacy is the protection of individual rights to nondisclosure (a legal issue regarding rights)
Theft of sensitive or personal information is a significant danger
Your IP address and the browser you use are continually revealed while on the Web
Communication Channel Threats
Anonymizer
A Web site that provides a measure of secrecy as long as it's used as the portal to the Internet
http://www.anonymizer.com
Check out "Here's what we know about you"
Integrity Threats
Also known as active wiretapping
An unauthorized party can alter data
e.g., change the amount of a deposit or withdrawal
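The integrity threat above (an active wiretapper changing the amount of a transaction in transit) is the kind of alteration a message authentication code is meant to catch. The following is an added example, not code from the slides: it tags a transaction with HMAC-SHA256 under a shared key and shows that a copy with a rewritten amount fails verification. The key, the transaction fields and the scenario are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample key; in practice the two parties share it over a secure channel.
SHARED_KEY = b"constructed-example-key-not-for-real-use"


def canonical(txn: dict) -> bytes:
    """Serialize the transaction deterministically so both sides tag the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(txn: dict, key: bytes = SHARED_KEY) -> dict:
    """Attach an HMAC-SHA256 tag to the transaction before it goes over the channel."""
    tag = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    return {"txn": txn, "tag": tag}


def verify_transaction(msg: dict, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag on arrival; any change to the fields gives a mismatch.
    compare_digest avoids leaking tag bytes through timing differences."""
    expected = hmac.new(key, canonical(msg["txn"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def demo() -> tuple:
    """Returns (verdict on the genuine message, verdict on the altered copy)."""
    genuine = sign_transaction({"account": "12345", "type": "withdrawal", "amount": 100})
    # Constructed scenario: the wiretapper rewrites the amount but cannot produce
    # a matching tag without the key, so the receiver rejects the message.
    altered = {"txn": dict(genuine["txn"], amount=10000), "tag": genuine["tag"]}
    return verify_transaction(genuine), verify_transaction(altered)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The tag protects integrity only: the amount is still readable on the wire (that is the secrecy problem from the previous slide), and an unchanged message could be replayed unless the transaction also carries a sequence number or timestamp that the receiver checks.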
Communication Channel Threats
Necessity Threats
Also known as delay or denial threats
Disrupt normal computer processing
Deny processing entirely
Slow processing to intolerably slow speeds
Remove a file entirely, or delete information from a transmission or file
Divert money from one bank account to another
Server Threats
The more complex software becomes, the higher the probability that errors (bugs) exist in the code
Servers run at various privilege levels
Highest levels provide the greatest access and flexibility
Lowest levels provide a logical fence around a running program
Server Threats
Contents of a server's folders (folder and file names) are revealed to a Web browser
Cookies should never be transmitted unprotected
Sensitive files such as username and password pairs or credit card numbers
Hacking and Cracking -- the Web server administrator is responsible for ensuring that all sensitive files are secure
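"Cookies should never be transmitted unprotected" is, in practice, a question of which attributes the server puts on its Set-Cookie header. The example below is added here and is not from the slides: using only Python's standard-library http.cookies, it builds the bare cookie the slide warns against next to a hardened one, and includes a check a response filter could apply to catch session cookies that lack the Secure and HttpOnly flags. The cookie name "session" and the 30-minute lifetime are choices made for the example.

```python
from http.cookies import SimpleCookie


def session_cookie_header(session_id: str, hardened: bool = True) -> str:
    """Return the value of a Set-Cookie header carrying a session identifier.

    hardened=False produces the bare form the slide warns against: the cookie
    would be sent over plain HTTP and be readable by any script on the page.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    if hardened:
        morsel = cookie["session"]
        morsel["secure"] = True          # browser sends it only over HTTPS
        morsel["httponly"] = True        # page scripts cannot read it
        morsel["samesite"] = "Strict"    # not attached to cross-site requests
        morsel["path"] = "/"
        morsel["max-age"] = 1800         # expire the session after 30 minutes
    return cookie["session"].OutputString()


def cookie_is_protected(header: str) -> bool:
    """Check an outgoing Set-Cookie value for the two flags that keep it off the
    wire in clear text and away from scripts (a check a response filter could apply)."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header.split(";")}
    return {"secure", "httponly"} <= attrs


if __name__ == "__main__":
    print(session_cookie_header("abc123", hardened=False))
    print(session_cookie_header("abc123"))
```

Secure only helps if the site is actually served over HTTPS; on a plain-HTTP site the browser will simply never send the cookie back, which is the failure mode to test for after turning the flag on.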
Database Threats
Once a user is authenticated to a database, selected database information is visible to the user
Security is often enforced through the use of privileges
Some databases are inherently insecure and rely on the Web server to enforce security measures
Other Threats
Common Gateway Interface (CGI) Threats
CGIs are programs that present a security threat if misused
CGI programs can reside almost anywhere on a Web server and therefore are often difficult to track down
CGI scripts do not run inside a sandbox, unlike JavaScript
Other Threats
Other programming threats include:
Programs executed by the server
Buffer overruns can cause errors
Runaway code segments
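Because a CGI program runs outside any sandbox, the one thing it controls is how it treats the request it is handed. The following added example (not from the slides) shows the defensive pattern for the two CGI slides above: parse the query string, bound the size of every value before it reaches anything else (the class of problem behind buffer overruns), restrict a file-name parameter to a safe character set, and confine the resulting path to the program's data directory. The data directory path and the parameter name "report" are hypothetical.

```python
import os
import re
from urllib.parse import parse_qs

BASE_DIR = "/var/www/cgi-data"    # hypothetical data directory for the CGI program
MAX_LEN = 64                      # upper bound on any parameter name or value
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


class BadRequest(ValueError):
    """Raised for any request the program refuses to act on."""


def parse_params(query_string: str) -> dict:
    """Parse a CGI QUERY_STRING, keeping one value per name and enforcing a length bound."""
    params = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        if len(values) != 1 or len(name) > MAX_LEN or len(values[0]) > MAX_LEN:
            raise BadRequest(f"bad parameter: {name!r}")
        params[name] = values[0]
    return params


def safe_path(base: str, name: str) -> str:
    """Map a client-supplied file name onto the data directory, refusing anything
    that escapes it. The character check alone is not enough ('..' passes it),
    so the resolved path is compared against the resolved base as well."""
    if not NAME_RE.match(name):
        raise BadRequest("file name contains disallowed characters")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, target]) != base_real:
        raise BadRequest("file name escapes the data directory")
    return target


def handle(query_string: str) -> str:
    """CGI-style handler: returns the validated path it would read, so the file
    name never reaches a shell or an unchecked open() call."""
    params = parse_params(query_string)
    if "report" not in params:
        raise BadRequest("missing 'report'")
    return safe_path(BASE_DIR, params["report"])


if __name__ == "__main__":
    print(handle("report=q1.txt"))
```

The two checks in safe_path are deliberately redundant: the pattern rejects separators and odd characters early, and the realpath comparison catches what the pattern lets through, including symbolic links inside the data directory that point elsewhere.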
Encryption
[Figure residue: encryption transforms text into text; symmetric key encryption (DES); public key cryptography uses …; session …; secure …]
Securing Channels of Communications
[Slide fragments: … HTTP): secure message-oriented communications protocol for use with HTTP; Virtual Private Networks (VPN): remote …]
Protecting Networks
[Slide fragments: firewalls (software); proxy server]
a risk assessment
develop a security policy
develop an implementation plan
create a security organization
perform a security audit
[Slide fragments: ease of use; often …; public … claims]
Specific Elements of a Security Policy
Authentication
Who is trying to access the site?
Access Control
Who is allowed to log on and access the site?
Secrecy
Who is permitted to view selected information?
Data integrity
Who is allowed to change data?
Audit
What and who causes selected events to occur, and when?
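The five questions on this slide map directly onto five checks a site's code has to make, and each decision is something the audit element says should be recorded. As an added example (not code from the slides), the block below implements all five with the standard library only: a salted password check for authentication, an "enabled" flag for access control, a per-role view/change table for secrecy and data integrity, and an audit log that records who did what, to which resource, when, and with what outcome. The user names, passwords, roles and resources are constructed for the example; the fixed salt is a shortcut that a real store would replace with a random salt per user.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed user store. A fixed salt keeps the example short; real systems
# store a random salt per user alongside the hash.
_SALT = b"constructed-fixed-salt"
_ITERATIONS = 50_000


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "alice": {"hash": _hash_pw("correct horse"), "role": "analyst", "enabled": True},
    "bob":   {"hash": _hash_pw("battery staple"), "role": "clerk",  "enabled": False},
}
_DUMMY_HASH = _hash_pw("dummy")  # keeps the check cost the same for unknown names

# Secrecy rule: roles that may view each record class.
# Data-integrity rule: roles that may change it.
PERMISSIONS = {
    "orders":  {"view": {"analyst", "clerk"}, "change": {"clerk"}},
    "payroll": {"view": {"analyst"},          "change": set()},
}

AUDIT_LOG: list = []   # what happened, who caused it, and when


def audit(who: str, what: str, target: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": who, "what": what, "target": target, "outcome": outcome,
    })


def authenticate(user: str, password: str) -> bool:
    """Authentication: is the caller who they claim to be?"""
    stored = USERS.get(user, {}).get("hash", _DUMMY_HASH)
    # Always run the comparison so unknown names cost the same as known ones.
    ok = hmac.compare_digest(stored, _hash_pw(password)) and user in USERS
    audit(user, "authenticate", "-", "ok" if ok else "denied")
    return ok


def may_log_on(user: str) -> bool:
    """Access control: is this account allowed to log on to the site at all?"""
    ok = USERS.get(user, {}).get("enabled", False)
    audit(user, "logon", "-", "ok" if ok else "denied")
    return ok


def authorize(user: str, action: str, resource: str) -> bool:
    """Secrecy ('view') and data integrity ('change') checks on a resource."""
    role = USERS.get(user, {}).get("role")
    ok = role in PERMISSIONS.get(resource, {}).get(action, set())
    audit(user, action, resource, "ok" if ok else "denied")
    return ok


def events_for(user: str) -> list:
    """Audit query: every recorded event caused by a given user."""
    return [e for e in AUDIT_LOG if e["who"] == user]


if __name__ == "__main__":
    authenticate("alice", "correct horse")
    may_log_on("alice")
    authorize("alice", "change", "orders")
    for event in events_for("alice"):
        print(event)
```

Denied outcomes are logged as carefully as successes; a run of "denied" authenticate events for one name is the signal an administrator reviewing the audit trail is looking for.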
Some questions
Can Internet security measures actually create opportunities for criminals to steal? How?
Why are some online merchants hesitant to ship to international addresses?
What are some steps a company can take to thwart cyber-criminals from within a business?
Is a computer with anti-virus software protected from viruses? Why or why not?
What are the differences between encryption and authentication?
Discuss the role of administration in implementing a security policy.
Group Exercise
Given the shift to m-commerce, identify and discuss the new security threats to this type of technology.
What are some of the non-security impacts on society?
Select a reporter and give a brief synopsis of your views to the class.