Chapter 5
E-commerce Security
Learner Activities
 Read or watch: Cyberwar: MAD 2.0
 Watch the documentary: We Are Legion
 Research the iPhone app called SpyPhone
The E-commerce Security Environment
 Overall size and losses of cybercrime unclear
 Reporting issues: many incidents are never reported, so published figures are estimates
 Computer Crime and Security Survey 2022
 95 percent of cybersecurity breaches are caused by human error.
 68 percent of business leaders feel their cybersecurity risks are increasing.
 On average, only five percent of companies' folders are properly protected.
 Approximately 70 percent of breaches in 2021 were financially motivated, while less than five percent were motivated by espionage.
 How do companies protect themselves from this hostile environment?
Cyberwar: MAD 2.0
 What is the difference between hacking and cyberwar?
 Why has cyberwar become more potentially devastating in the past decade?
 Why has Google been the target of so many cyberattacks?
 Is it possible to find a political solution to MAD 2.0?
Myths of information security
 "Security is only protection against hackers": many incidents come from mistakes, insiders and lost devices, not from outside attackers
 "Mainstream Websites Are Safe to Visit": legitimate sites get compromised or serve malicious ads, and scam sites imitate well-known brands
 "External threats can be segregated": a perimeter does not stop threats that arrive by e-mail, removable media or an employee's own account
 "Antivirus and Cyber-Security Software is Good Enough": signature-based tools miss new malware, phishing and misconfiguration
 "Complex Passwords Cannot Be Cracked": cracking programs test enormous numbers of guesses offline against stolen password hashes, and a password that is reused or phished is lost whatever its complexity
 "My Data Isn't Worth Anything": social media adverts and marketing show otherwise; data can be monetized for crime, such as theft, impersonation, and physical harm. If it's valuable for some, it's valuable for many.
 "Scams and Phishing Are Glaringly Obvious": targeted messages exploit trust built on social media and are often hard to tell from genuine ones
Security issues
 From the user's perspective:
 Is the Web server owned and operated by a legitimate company?
 Do the Web page and form contain malicious or dangerous code or content?
 Will the Web server pass the information the user provides to some other party without authorization?
Factors influencing E-commerce Security
 Achieving a high degree of security depends on:
 New technologies
 Organizational policies and procedures
 Industry standards and government laws
 Other factors
 Time value of money
 Cost of security vs. potential loss
 Security often breaks at the weakest link
Security issues cont'
 From the company's perspective:
 Will the user attempt to break into the Web server or alter the pages and content at the site?
 Will the user try to disrupt the server so that it isn't available to others?
Security issues cont'
 From both parties' perspectives:
 Is the network connection free from eavesdropping by a third party "listening" on the line?
 Has the information sent back and forth between the server and the user's browser been altered in transit?
The E-commerce Security Environment
(figure)
Security requirements
 Authentication
 The process by which one entity verifies that another entity is who it claims to be
 Authorization
 The process that ensures that an authenticated person has the right to access certain resources
 Auditing
 The process of collecting information about attempts to access particular resources, use particular privileges, or perform other security actions
 Confidentiality
 Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes
 Integrity
 As applied to data, the ability to protect data from being altered or destroyed in an unauthorized or accidental manner
 Non-repudiation
 The ability to prevent parties from denying that a legitimate transaction took place, usually by means of a digital signature
The Tension Between Security and Other Values
 Discussion
 What will you end up doing, if every time...
 You have to unlock 10 locks to get home
 You have to lock 10 doors before you leave
 Risk and security measures should be balanced
 Ease of use
 The more security measures added, the more difficult a site is to use, and the slower it becomes
 Public safety and criminal uses of the Internet
 Use of technology by criminals to plan crimes or threaten nation-states
A simple case
 When you take a vacation, your supervisor asks you to provide your password...
 Should you comply?
 Can you refuse?
 On what basis?
Security Threats in the E-commerce Environment
Three key points of vulnerability in the e-commerce environment:
1. Client
2. Server
3. Communications pipeline (Internet communications channels)
A Typical E-commerce Transaction
Figure 5.2, Page 256
Vulnerable Points in an E-commerce Transaction
Figure 5.3, Page 257
Most Common Security Threats in the E-commerce Environment
 Malicious code (malware, exploits)
 Drive-by downloads
 Viruses
 Worms
 Ransomware
 Trojan horses
 Backdoors
 Bots, botnets
 Threats at both client and server levels
Most Common Security Threats (cont.)
 Potentially unwanted programs (PUPs)
 Browser parasites
 Adware
 Spyware
 Phishing
 Social engineering
 E-mail scams
 Spear-phishing
 Identity fraud/theft
Most Common Security Threats (cont.)
 Hacking
 Hackers vs. crackers
 Types of hackers: White, black, grey hats
 Hacktivism
 Cybervandalism:
 Disrupting, defacing, destroying Web site
 Data breach
 Losing control over corporate information to outsiders
We Are Legion
What organizational and technical failures led to the data breach on the PlayStation Network?
Are there any positive social benefits of hacktivism?
Have you or anyone you know experienced data breaches or cybervandalism?
Most Common Security Threats (cont.)
 Credit card fraud/theft
 Spoofing and pharming
 Spam (junk) Web sites (link farms)
 Identity fraud/theft
 Denial of service (DoS) attack
 Attackers flood a site with useless traffic to overwhelm the network or server
 Distributed denial of service (DDoS) attack
 The same flood launched simultaneously from many compromised machines (a botnet), which is far harder to filter by source
Most Common Security Threats (cont.)
 Sniffing
 Eavesdropping program that monitors information traveling over a network
 Insider attacks
 Poorly designed server and client software
 Social network security issues
 Mobile platform security issues
 Vishing, smishing, madware
 Cloud security issues
Think Your Smartphone Is Secure?
 What types of threats do smartphones face?
 Are there any particular vulnerabilities to this type of device?
 What did Nicolas Seriot's "Spyphone" prove?
 Are apps more or less likely to be subject to threats than traditional PC software programs?
Technology Solutions
 Protecting Internet communications
 Encryption
 Securing channels of communication
 SSL/TLS, VPNs
 Protecting networks
 Firewalls
 Protecting servers and clients
Onion of security
Tools Available to Achieve Site Security
Encryption
 Encryption
 Transforms data into cipher text readable only by those who hold the matching key (the sender and the intended receiver)
 Secures stored information and information in transmission
 Provides 4 of 6 key dimensions of e-commerce security:
 Message integrity
 Nonrepudiation
 Authentication
 Confidentiality
Symmetric Key Encryption
 Sender and receiver use the same digital key to encrypt and decrypt the message
 Requires a separate key for each pair of communicating parties, and ideally a fresh key for each session; getting that key to the other side safely is the hard part
 Strength of encryption
 Length of the binary key used to encrypt data, provided the algorithm itself is sound
 Data Encryption Standard (DES): 56-bit key, now breakable by brute force and retired
 Advanced Encryption Standard (AES)
 Most widely used symmetric key encryption
 Uses 128-, 192-, and 256-bit encryption keys
 Key lengths of 2,048 bits and more belong to public key algorithms such as RSA; they are not comparable to symmetric key lengths, and no mainstream symmetric cipher uses keys that long
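As an added example (not code from the slides or the textbook), the following Go program shows what the slide describes with AES-GCM from Go's standard library: one shared key both encrypts and decrypts, a random nonce is drawn per message, and the GCM authentication tag makes a tampered ciphertext or a wrong key fail loudly instead of yielding garbage. The order text and the 256-bit key size are constructed for the demo.

```go
// Added example (not from the slides): symmetric encryption with AES-GCM from
// Go's standard library. One key, shared by sender and receiver, both encrypts
// and decrypts. GCM also produces an authentication tag, so a tampered
// ciphertext or a wrong key is rejected instead of yielding garbage.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random AES key of 128, 192 or 256 bits.
func NewKey(bits int) ([]byte, error) {
	if bits != 128 && bits != 192 && bits != 256 {
		return nil, fmt.Errorf("AES key must be 128, 192 or 256 bits, got %d", bits)
	}
	key := make([]byte, bits/8)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext and returns nonce || ciphertext || 16-byte tag.
// A random 96-bit nonce is drawn per message: reusing a nonce under the same
// key breaks GCM, so never hard-code one.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. The tag check fails when the key is wrong or any
// bit of nonce, ciphertext or tag was altered.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	key, _ := NewKey(256)
	order := []byte("order 4711: card ending 1234, total 89.90 EUR") // constructed sample
	sealed, _ := Encrypt(key, order)
	fmt.Printf("%d plaintext bytes -> %d bytes sealed\n", len(order), len(sealed))

	plain, err := Decrypt(key, sealed)
	fmt.Printf("right key:  %q err=%v\n", plain, err)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = Decrypt(key, tampered)
	fmt.Println("tampered:  ", err)

	other, _ := NewKey(256) // a key the receiver never shared
	_, err = Decrypt(other, sealed)
	fmt.Println("wrong key: ", err)
}
```

The key-length check in NewKey is the only place the slide's "strength = key length" idea appears in code; everything else is about using the key correctly, which in practice matters more than choosing 256 over 128 bits.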
Public Key Encryption
 Uses two mathematically related digital keys
 Public key (widely disseminated)
 Private key (kept secret by owner)
 Either key can be used to encrypt a message; only the other key of the pair can decrypt it
 Once a key has been used to encrypt a message, the same key cannot be used to decrypt it
 Sender uses the recipient's public key to encrypt the message; the recipient uses the private key to decrypt it
Public Key Cryptography: A Simple Case
Figure 5.6, Page 279
Public Key Encryption using Digital Signatures and Hash Digests
 Hash function:
 Mathematical algorithm that produces a fixed-length number called a message digest or hash digest
 Hash digest of the message is sent to the recipient along with the message to verify integrity
 Hash digest and message are encrypted with the recipient's public key, so only the recipient can read them
 The sender then encrypts (signs) the result with the sender's own private key, creating a digital signature, for authenticity and nonrepudiation; anyone holding the sender's public key can check it, and only the sender could have produced it
 In practice the signature is computed over the hash digest alone, which is far cheaper than a private key operation over the whole ciphertext
Public Key Cryptography with Digital Signatures
Figure 5.7, Page 281
Digital Envelopes
 Address weaknesses of:
 Public key encryption
 Computationally slow, decreased transmission speed, increased processing time
 Symmetric key encryption
 The shared key has to be delivered over insecure transmission lines
 Uses symmetric key encryption to encrypt the document
 Uses public key encryption to encrypt and send the symmetric key
Creating a Digital Envelope
Figure 5.8, Page 282
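The flow of the last three slides (hash digest, digital signature, digital envelope) as one added Go example, not code from the slides or the textbook. It uses SHA-256 for the digest, RSA-PSS for the signature, a one-time AES-256-GCM key for the document and RSA-OAEP to wrap that key; the party names (alice, shop, mallory) and the payment message are hypothetical. Note which key is used where: the signature is made with the sender's private key, the envelope with the recipient's public key.

```go
// Added example (not from the slides): a digitally signed message inside a
// digital envelope, using only Go's standard library. Sender: hash the message
// (SHA-256), sign the digest with the sender's PRIVATE key (RSA-PSS), encrypt
// signature + message with a one-time AES-256-GCM key, wrap that key with the
// recipient's PUBLIC key (RSA-OAEP). Recipient: reverse the steps, then verify.
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Envelope is what travels over the insecure line.
type Envelope struct {
	WrappedKey []byte // one-time AES key, encrypted with the recipient's public key
	Nonce      []byte // GCM nonce, fresh for every message
	Body       []byte // AES-GCM ciphertext of [4-byte sig length][signature][message]
}

// NewKeyPair generates a 2048-bit RSA key pair (demo: panics on failure).
func NewKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal is run by the sender.
func Seal(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	// 1. Digital signature over the hash digest, with the sender's private key.
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// 2. Bulk encryption with a fresh symmetric key; the slow public key
	//    operation in step 3 only has to cover these 32 bytes.
	aesKey, nonce := make([]byte, 32), make([]byte, 12)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(aesKey)
	gcm, _ := cipher.NewGCM(block)
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(len(sig)))
	body := gcm.Seal(nil, nonce, append(append(hdr, sig...), msg...), nil)
	// 3. Wrap the symmetric key with the recipient's public key: only the
	//    holder of the matching private key can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Body: body}, nil
}

// Open is run by the recipient. It returns the message only if the envelope
// decrypts cleanly AND the signature verifies under the claimed sender's key.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("envelope not addressed to this recipient: %w", err)
	}
	block, _ := aes.NewCipher(aesKey)
	gcm, _ := cipher.NewGCM(block)
	payload, err := gcm.Open(nil, env.Nonce, env.Body, nil)
	if err != nil {
		return nil, fmt.Errorf("body damaged or tampered with: %w", err)
	}
	if len(payload) < 4 || len(payload)-4 < int(binary.BigEndian.Uint32(payload)) {
		return nil, fmt.Errorf("malformed payload")
	}
	n := int(binary.BigEndian.Uint32(payload))
	sig, msg := payload[4:4+n], payload[4+n:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	return msg, nil
}

func main() {
	alice, shop, mallory := NewKeyPair(), NewKeyPair(), NewKeyPair() // hypothetical parties
	env, _ := Seal([]byte("pay 89.90 EUR to merchant 4711"), alice, &shop.PublicKey) // constructed message
	msg, err := Open(env, shop, &alice.PublicKey)
	fmt.Printf("shop opens, verifies alice: %q err=%v\n", msg, err)
	_, err = Open(env, shop, &mallory.PublicKey) // wrong sender key: signature fails
	fmt.Println("verify as mallory:", err)
	_, err = Open(env, mallory, &alice.PublicKey) // wrong recipient key: cannot unwrap
	fmt.Println("mallory opens:", err)
}
```

Signing the digest rather than the whole ciphertext is the standard construction; the envelope gives confidentiality, the GCM tag gives integrity, and the signature gives authentication and nonrepudiation, which is the division of labour the encryption slide lists.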
Digital Certificates and Public Key Infrastructure (PKI)
 Digital certificate includes:
 Name of subject/company
 Subject's public key
 Digital certificate serial number
 Expiration date, issuance date
 Digital signature of the CA, which binds the subject's name to the public key
 Public Key Infrastructure (PKI):
 CAs and digital certificate procedures
 PGP (Pretty Good Privacy): an alternative model that replaces CAs with a web of trust among users
Digital Certificates and Certification Authorities
Figure 5.9, Page 283
Limits to Encryption Solutions
 Doesn't protect storage of the private key
 PKI not effective against insiders, employees
 Protection of private keys by individuals may be haphazard
 No guarantee that the verifying computer of the merchant is secure
 CAs are self-selecting organizations with no statutory regulator; publicly trusted CAs are today held to the CA/Browser Forum Baseline Requirements and the browser root programs, but a compromised or careless CA can still issue a certificate for any name, and every client that trusts that CA will accept it
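An added Go example (not from the slides or the textbook) of the certificate fields and the CA check described on the last two slides: a self-signed root CA issues a server certificate, and the client-side verification accepts it only when it chains to a trusted root, names the host being contacted and is within its validity period. A certificate from a second, untrusted CA is rejected even though its fields look normal, which is the flip side of the last limit above. CA names and host names are hypothetical; ECDSA P-256 keys are used because they are quick to generate.

```go
// Added example (not from the slides): a miniature PKI with Go's standard
// library. A root CA issues a certificate for a hypothetical shop host name;
// the client-side check then verifies the CA's signature, the validity period
// and the host name. A certificate from a CA the client does not trust is
// rejected even though its fields look perfectly normal.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Party holds a key pair and the certificate that vouches for its public key.
type Party struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewCA creates a self-signed root: the CA signs its own certificate.
func NewCA(name string) *Party {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return &Party{Key: key, Cert: mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))}
}

// Issue has the CA sign a server certificate that binds host to a new key pair.
// validFor is measured from one hour ago, so a short value yields an already-expired certificate.
func (ca *Party) Issue(host string, serial int64, validFor time.Duration) *Party {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(-time.Hour).Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return &Party{Key: key, Cert: mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key))}
}

// Verify is the client side: trust only the given root, and require a chain to
// it that is valid now and was issued for the host we are connecting to.
func Verify(cert, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	root := NewCA("Example Root CA") // names and hosts are hypothetical
	good := root.Issue("shop.example", 2, 90*24*time.Hour)
	c := good.Cert
	fmt.Printf("subject=%q issuer=%q serial=%v valid %s..%s\n", c.Subject.CommonName, c.Issuer.CommonName,
		c.SerialNumber, c.NotBefore.Format("2006-01-02"), c.NotAfter.Format("2006-01-02"))
	fmt.Println("trusted CA, right host:  ", Verify(c, root.Cert, "shop.example"))
	fmt.Println("trusted CA, wrong host:  ", Verify(c, root.Cert, "evil.example"))
	fmt.Println("trusted CA, expired:     ", Verify(root.Issue("shop.example", 3, 30*time.Minute).Cert, root.Cert, "shop.example"))
	rogue := NewCA("Rogue CA").Issue("shop.example", 4, 90*24*time.Hour)
	fmt.Println("unknown CA, right host:  ", Verify(rogue.Cert, root.Cert, "shop.example"))
}
```

The trust decision lives entirely in the root pool passed to Verify: whoever controls that list (a browser vendor, an operating system, an enterprise) decides which CAs can vouch for a shop, which is why CA governance matters as much as the mathematics.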
Securing Channels of Communication
 Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
 Establishes a secure, negotiated client-server session; SSL itself is deprecated, and current deployments use TLS 1.2 or 1.3
 Virtual Private Network (VPN)
 Allows remote users to securely access the internal network via the Internet
 Wireless (Wi-Fi) networks
 WPA2 (and its successor, WPA3)
Secure Negotiated Sessions Using SSL/TLS
Figure 5.10, Page 286
Protecting Networks
 Firewall
 Hardware or software
 Uses a security policy to filter packets
 Two main methods:
 Packet filters (decide on the addresses, ports and protocol in each packet header)
 Application gateways (understand the application protocol and inspect the content of a connection)
 Proxy servers (proxies)
 Software servers that handle all communications from or sent to the Internet
 Intrusion detection systems
 Intrusion prevention systems
Firewalls and Proxy Servers
Figure 5.11, Page 289
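An added Go example, not from the slides or the textbook, of what a packet filter does with its security policy: a stateless, first-match rule set with an implicit default deny, evaluated over constructed packets. It also shows the classic policy mistake, a broad allow placed before a narrower deny so that the deny can never fire, together with a small helper that finds such shadowed rules. Addresses, ports and rule comments are made up for the demo.

```go
// Added example (not from the slides): a stateless, first-match packet filter
// over constructed packets. The rule set is a security policy with an implicit
// default deny; because the first matching rule wins, a broad allow placed
// before a narrower deny silently disables the deny. Shadowed finds such rules.
package main

import (
	"fmt"
	"net"
)

// Packet carries the header fields a stateless filter looks at.
type Packet struct {
	Proto   string // "tcp" or "udp"
	Src     net.IP
	DstPort int
}

// Rule matches on protocol, source network and destination port;
// the zero value of a field ("" / nil / 0) means "any".
type Rule struct {
	Allow   bool
	Proto   string
	SrcNet  *net.IPNet
	DstPort int
	Comment string
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func (r Rule) matches(p Packet) bool {
	return (r.Proto == "" || r.Proto == p.Proto) &&
		(r.SrcNet == nil || r.SrcNet.Contains(p.Src)) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// Filter applies the first matching rule and returns its index;
// index -1 is the implicit default deny at the end of the chain.
func Filter(rules []Rule, p Packet) (allow bool, ruleIdx int) {
	for i, r := range rules {
		if r.matches(p) {
			return r.Allow, i
		}
	}
	return false, -1
}

// covers reports whether every packet matched by b is also matched by a.
func covers(a, b Rule) bool {
	if a.Proto != "" && a.Proto != b.Proto {
		return false
	}
	if a.DstPort != 0 && a.DstPort != b.DstPort {
		return false
	}
	if a.SrcNet != nil {
		if b.SrcNet == nil || !a.SrcNet.Contains(b.SrcNet.IP) {
			return false
		}
		aBits, _ := a.SrcNet.Mask.Size()
		bBits, _ := b.SrcNet.Mask.Size()
		if aBits > bBits {
			return false
		}
	}
	return true
}

// Shadowed lists rules that can never fire because an earlier rule covers them.
func Shadowed(rules []Rule) []int {
	var out []int
	for j := range rules {
		for i := 0; i < j; i++ {
			if covers(rules[i], rules[j]) {
				out = append(out, j)
				break
			}
		}
	}
	return out
}

// Policy is a constructed example. Rule 2 was meant to keep the guest VLAN off
// SSH, but rule 1 already allows all of 10.0.0.0/8, so rule 2 never fires.
var Policy = []Rule{
	{Allow: true, Proto: "tcp", DstPort: 443, Comment: "public HTTPS"},
	{Allow: true, Proto: "tcp", SrcNet: mustCIDR("10.0.0.0/8"), DstPort: 22, Comment: "SSH from corporate net"},
	{Allow: false, Proto: "tcp", SrcNet: mustCIDR("10.0.5.0/24"), DstPort: 22, Comment: "no SSH from guest VLAN"},
	{Allow: true, Proto: "udp", DstPort: 53, Comment: "DNS"},
}

func main() {
	for _, p := range []Packet{
		{"tcp", net.ParseIP("203.0.113.9"), 443},
		{"tcp", net.ParseIP("203.0.113.9"), 22},
		{"tcp", net.ParseIP("10.0.5.7"), 22}, // guest VLAN host: allowed by mistake
	} {
		allow, idx := Filter(Policy, p)
		fmt.Printf("%s %v:%d -> allow=%v by rule %d\n", p.Proto, p.Src, p.DstPort, allow, idx)
	}
	fmt.Println("shadowed rules:", Shadowed(Policy)) // fix: move the deny above rule 1
}
```

Moving the deny ahead of the broad allow fixes the policy; real firewalls apply the same first-match logic, which is why rule order is reviewed as carefully as rule content.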
Protecting Servers and Clients
 Operating system security enhancements
 Upgrades, patches
 Anti-virus software
 Easiest and least expensive way to prevent threats to system integrity
 Requires frequent (at least daily) signature updates, and still misses malware for which it has no signature
Management Policies, Business Procedures, and Public Laws
 Worldwide, companies spend more than $65 billion on security hardware, software, services
 Managing risk includes:
 Technology
 Effective management policies
 Public laws and active enforcement
A Security Plan: Management Policies
 Risk assessment
 Security policy
 Implementation plan
 Security organization
 Access controls
 Authentication procedures, including biometrics
 Authorization policies, authorization management systems
 Security audit
Developing an E-commerce Security Plan
Figure 5.12, Page 291
The Role of Laws and Public Policy
 Laws that give authorities tools for identifying, tracing, prosecuting cybercriminals:
 National Information Infrastructure Protection Act of 1996
 USA Patriot Act
 Homeland Security Act
 Private and private-public cooperation
 CERT Coordination Center
 US-CERT
 Government policies and controls on encryption software
 OECD, G7/G8, Council of Europe, Wassenaar Arrangement
Security policy and integrated security
 A security policy is a written statement describing:
 • Which assets to protect and why they are being protected
 • Who is responsible for that protection
 • Which behaviors are acceptable and which are not
 First step in creating a security policy
 • Determine which assets to protect from which threats
Cont’
 Elements of a security policy address:
 Authentication
 Access control
 Secrecy
 Data integrity
 Audits
Security policy continued
 The security policy may cover issues like:
 Which service types (e.g., web, FTP, SMTP) users may have access to
 Which classes of information exist within the organization, and which of them must be encrypted before being transmitted
 What client data the organization holds, how sensitive it is, and how it is to be protected
 Which classes of employees may have remote access to the corporate network
 Roles and responsibilities of managers and employees in implementing the security policy
 How security breaches are to be responded to
Security policy cont'
 The security policy should also consider physical aspects of network security. For example:
 Who has access to the corporate server?
 Is it in a locked environment or kept in an open office?
 What is the procedure for determining who should be given access?
 The security policy regulates the activities of employees just as much as it defines how the IT infrastructure will be configured. The policy should include details on how it is to be enforced and how individual responsibilities are determined.
Cont'
 For it to be effective, the policy needs regular testing and review to judge the security measures.
 The review process needs to take into account any changes in technology or business practices which may have an influence upon security.
 Lastly, the policy itself needs to be regarded as a living document which will be updated at set intervals to reflect the evolving ways in which the business, customers and technology interact.
Security standards
 There are various standards pertaining to the security aspects of enterprises. Some of them are:
 ISO 17799 (Information technology – Code of practice for information security management) (ISO/IEC 2000); renumbered in 2007 as ISO/IEC 27002, the control catalogue that accompanies the ISO/IEC 27001 management-system standard
 SSE-CMM (Systems security engineering – Capability maturity model) (SSE-CMM 2003)
 COBIT (Control objectives for information and related technology) (COBIT 2000)
Organisations that promote Computer security
 CERT
 Responds to thousands of security incidents each year
 Helps Internet users and companies become more knowledgeable about security risks
 Posts alerts to inform the Internet community about security events
Other organisations
 SANS Institute
 A cooperative research and educational organization
 SANS Internet Storm Center
 Web site that provides current information on the location and intensity of computer attacks
 Microsoft Security Research Group
 Privately sponsored site that offers free information about computer security issues
Homework
 Read on
 Firewall
 Digital signatures
 Digital certificates