Unit 2aa

Copyright © 2010
Pearson Education, Inc.Copyright © 2009 Pearson Education, Inc. Slide 5-1
Unit 2
Security Issues in E- Business

Copyright © 2010
Pearson Education, Inc.
Types of Attacks
Against
Computer
Systems
(Cybercrime)
Slide 5-2
Figure 5.1, Page 267
Source: Based on data from Computer
Security Institute, 2009.

Copyright © 2010
What Is Good E-commerce Security?
 To achieve highest degree of security
New technologies
Organizational policies and procedures
Industry standards and government laws

Copyright © 2010
The E-commerce Security Environment
Slide 5-4

Copyright © 2010
Dimension of E-Commerce Security
1.Integrity- the ability to ensure that
information being displayed on a web site or
transmitted or received over the internet has
not been altered in any way by an
unauthorized party.
2.Non-repudiation – the ability to ensure that
e-commerce participants do not deny their
online actions.

Copyright © 2010
3. Authenticity- the ability to identify the
identity of a person or entity with whom
you are dealing on the internet.
4. Confidentiality – the ability to ensure
that messages and data are available
only to those who are authorized to view
them.

Copyright © 2010
5. Privacy- the ability to control the use
of information about oneself.
6. Availability – the ability to ensure that
an e- commerce site continues to
function as intended.

Copyright © 2010
Table 5.2, Page 271
Slide 5-8

Copyright © 2010
The Tension Between Security and
Other Values
 Security vs. ease of use
The more security measures added, the
more difficult a site is to use, and the slower
it becomes
 Security vs. desire of individuals to act
anonymously
Use of technology by criminals to plan crimes
or threaten nation-state
Slide 5-9

Copyright © 2010
Security Threats in the E-commerce
Environment
 Three key points of vulnerability:
1. Client
2. Server
3. Communications pipeline
Slide 5-10

Copyright © 2010
Most Common Security Threats in the
E-commerce Environment
 Malicious code
Viruses (replicate, make copies of itself)
Worms (spread from computer to computer)
Trojan horses (appears to be benign, but
then does something other than expected)
Bots (respond to external command sent by
the attacker)
Botnets (collection of bot computers)
Slide 5-11

Copyright © 2010
 Unwanted programs
Browser parasites (a browser that can monitor and
change the settings of a user’s browser)
Spyware ( a program used to obtain information
such as user emails, IM and so on.)
 Phishing
Deceptive online attempt by a third party to
obtain confidential information for
Financial gain
Use information to commit fraudulent acts
(access checking accounts), steal identity
Slide 5-12

Copyright © 2010
 Hacking and cybervandalism
Hackers (individual who intends to gain
unauthorized access to a computer system)
Crackers (term used to denote hacker with
criminal intent)
Cybervandalism: intentionally disrupting,
defacing, destroying a Web site
Types of hackers:
white hats (good hackers), black hats
(intention of causing harm), grey hats
(discover the weakness and publish it)

Copyright © 2010
 Credit card fraud/theft
Fear of stolen credit card information deters
online purchases
Online companies at higher risk than offline
 Spoofing: misrepresenting self by using fake
e-mail address
 Pharming: spoofing a Web site
Redirecting a Web link to a new, fake Web
site
 Spam/junk Web sites
Slide 5-14

Copyright © 2010
 Denial of service (DoS) attack
Hackers flood site with useless traffic to
overwhelm network
 Distributed denial of service (DDoS) attack
Hackers use multiple computers to attack
target network
 Sniffing- Eavesdropping program that monitors
information traveling over a network
 Insider jobs - Single largest financial threat
 Poorly designed server and client software

Copyright © 2010
Technology Solutions
 Protecting Internet communications
(encryption)
 Securing channels of communication (SSL, S-
HTTP, VPNs)
 Protecting networks (firewalls)
 Protecting servers and clients
Slide 5-16

Copyright © 2010
Tools
Available to
Achieve Site
Security
Slide 5-17

Copyright © 2010
 Encryption is the coding of information
by using a mathematically based
program and a secret key to produce a
string of characters that is unintelligible.
 Science that studies encryption is called
cryptography (secret writing).
 Science of creating messages that only
the sender and receiver can read.

Copyright © 2010
Encryption
Transforms data (plain text) into cipher text
readable only by sender and receiver
Secures stored information and information
transmission
Provides 4 of 6 key dimensions of e-
commerce security:
1. Message integrity (unaltered)
2. Nonrepudiation (can’t deny the action)
3. Authentication (verify identity)
4. Confidentiality (message not read by
others)
Slide 5-19

Copyright © 2010
 Plaintext- An unencrypted message in human-
readable form
 Ciphertext- A plaintext message after it has
been encrypted into a machine-readable form
 Substitution Cipher - Cipher is letter plus two
So Hello will replace by letter two places
forward
 Transposition Cipher – Change in order in a
symmetric way eg. Hello- reverse it Olleh.

Copyright © 2010
Symmetric Key Encryption (Secret/private Key Encryp.)
 Sender and receiver use same digital key to
encrypt and decrypt message
 Requires different set of keys for each transaction
-Data Encryption Standard (DES) developed by National
Security Agency (NSA) and IBM in 1950s.Uses 56- bit
encryption key. U.S. Gov. uses 3DES
 Advanced Encryption Standard (AES)
-Most widely used symmetric key encryption
Uses 128-, 192-, and 256-bit encryption keys
-Other standards use keys with up to 2,048 bits

Copyright © 2010
Public Key Encryption (Asymmetric encryption)
 Uses two mathematically related digital keys
1. Public key (widely disseminated)
2. Private key (kept secret by owner)
 Both keys used to encrypt and decrypt message
 Once key used to encrypt message, same
key cannot be used to decrypt message
 Sender uses recipient’s public key to encrypt
message; recipient uses his/her private key to
decrypt it

Copyright © 2010
Public Key Cryptography—A Simple Case
Slide 5-23

Copyright © 2010
Public Key Encryption Using Digital Signatures and
Hash Digests
 Hash function:
Mathematical algorithm that produces fixed-
length number called message or hash
digest
 Hash digest of message sent to recipient along with
message to verify integrity
 Property of hash function –any change in the
original message will cause the message digest to be
different
Slide 5-24

Copyright © 2010
 Digital Signature (e- signature)
- To verify authenticity of message and
message integrity.
- signed Cipher text that can be sent over the
internet
- With hash document, it is unique for the
document, and changes for every document.

Copyright © 2010
Public Key Cryptography with Digital Signatures
Slide 5-26

Copyright © 2010
Public Key Encryption Using Digital Signatures and Hash Digests
1.The sender creates an original message
2.The sender applies a hash function, producing a 128-
bit hash result.
3.The sender encrypts the message and hash result
using recipient’s public key.
4.The sender encrypts the result ,again his or her private
key.
5.The result of this double encryption is sent over the
internet.
6.The receiver uses the sender’s public key to
authenticate the message.
7.The receiver uses his /her private key to decrypt the
hash function and the original message. The receiver
checks to ensure the original message and the hash
function results conform to one another.

Copyright © 2010
Digital Envelopes (key within a key)
 Addresses weaknesses of:
- Public key encryption: Computationally slow,
decreased transmission speed, increased
processing time
- Symmetric key encryption: Insecure
transmission lines
 Uses symmetric key encryption to encrypt
document
 Uses public key encryption to encrypt and
send symmetric key
Slide 5-28

Copyright © 2010
Creating a Digital Envelope
Slide 5-29

Copyright © 2010
What are Digital Certificates?
A digital certificate (DC) is a digital file that
certifies the identity of an individual or
institution, or even a router seeking access to
computer- based information. It is issued by a
Certification Authority (CA), and serves the
same purpose as a driver’s license or a
passport.

Copyright © 2010
Digital Certificates
 Digital certificate is a digital document issued by a
certification authority. It includes:
Name of subject/company
Subject’s public key
Digital certificate serial number
Expiration date, issuance date
Digital signature of certification authority (trusted
third party institution) that issues certificate
Other identifying information
 Certification authority (CA): A trusted third party that
issues digital certificates
Slide 5-31

Copyright © 2010
What are Certification
Authorities?
Certification Authorities are the digital world’s
equivalent to passport offices. They issue digital
certificates and validate holders’ identity and
authority.
They embed an individual or institution’s public key
along with other identifying information into each
digital certificate and then cryptographically sign it as
a tamper-proof seal verifying the integrity of the data
within it, and validating its use.

Copyright © 2010
Public Key Infrastructure (PKI)
 It is a comprehensive system which is required to
provide public key encryption and digital signature
services.
 PKI is the combination of software, encryption
technologies and services that enables enterprises to
protect the security of their communications and
business transaction on networks.
 It integrates CAs, digital certificate, public key
cryptography into total, enterprise wide security
architecture.
 The purpose of PKI is to manage keys and
certificates.

Copyright © 2010
PKI involves the following
a) Subscriber- individual or entity identified by the
certificate
b) Certifying authority- issuer of the certificate
c) Relying party- company, agency, or individual
relying on the certificate.
Role of CA
1)To issue digital certificate to the subscriber
2) Identify and authenticate the subscriber’s
information contained in the certificate for the
benefit of the relying party.

Copyright © 2010
A PKI infrastructure is expected to offer its users the
following benefits:
 certainty of the quality of information sent and
received electronically
 certainty of the source and destination of that
information
 assurance of the time and timing of that
information (providing the source of time is known)
 certainty of the privacy of that information
 assurance that the information may be introduced
as evidence in a court or law

Copyright © 2010
Who Provides the Infrastructure- Among PKI leaders are:
 RSA, which has developed the main algorithms used by PKI
vendors
 Verisign, which acts as a certificate authority and sells
software that allows a company to create its own certificate
authorities
 GTE CyberTrust, which provides a PKI implementation
methodology and consultation service that it plans to vend to
other companies for a fixed price
 Xcert, whose Web Sentry product that checks the revocation
status of certificates on a server, using the Online Certificate
Status Protocol (OCSP)
 Netscape, whose Directory Server product is said to support
50 million objects and process 5,000 queries a second;
Secure E-Commerce, which allows a company
orextranet manager to manage digital certificates; and Meta-
Directory, which can connect all corporate directories into a
single directory for security management

Copyright © 2010
Some Indian Websites that uses digital
signature
- Rediff, Sify-mall, Bazee,All major airlines
,ICICI,HDFC
Some Certifying Authorities in India
- Safe Scrypt(A sify- verisign venture) was the
first CA in India
- National Informatics Centre
- Tata Consultancy Services

Copyright © 2010
Digital Certificates and Certification Authorities
Slide 5-38

Copyright © 2010
Limits to Encryption Solutions
 Doesn’t protect storage of private key
PKI not effective against insiders, employees
Protection of private keys by individuals may be
haphazard
 No guarantee that verifying computer of
merchant is secure
 CAs are unregulated, self-selecting
organizations
Slide 5-39

Copyright © 2010
Securing Channels of Communication
 Secure Sockets Layer (SSL developed by netscape
communication):
Establishes a secure, negotiated client-server
session in which URL of requested document,
along with contents, is encrypted (secure comm.
b/w two computers)
It is a protocol that operates between the transport
and application layers of TCP/IP and secures
communications between the clients and server (by
using encryption, digital signature technique).
A session key is a unique symmetric encryption key
chosen just for single secure session.
Slide 5-40

Copyright © 2010
 S-HTTP (developed by commercenet):
Provides a secure message-oriented
communications protocol designed for use
in conjunction with HTTP (secure individual
message)
It includes encrypting web communications
carried over HTTP.
SSL is designed to establish a secure
connection between two computers
whereas S- HTTP is designed to send
individual messages securely.

Copyright © 2010
Firewalls
 Firewall a technological barrier designed to
prevent unauthorized or unwanted
communications between computer networks
or hosts.
 Hardware or software that filters packets
 Prevents some packets from entering the
network based on security policy
 Network inside the firewall is called trusted,
and outside the firewall is called untrusted
Slide 5-43

Copyright © 2010
Three main methods:
1.Packet filters (examine all data flowing back and
forth b/w the trusted n/w (within the firewall) and
the Internet.
2.Application gateways (firewalls that filter traffic
based on the application requested. Eg. permits
incoming FTP request and blocks outgoing FTP
request)
3.Proxy Server (firewall that communicate with the
internet on the private network’s behalf, it is a
Software servers that handle all communications
originating from or being sent to the Internet).

Copyright © 2010
Personal Firewalls
 A personal firewall is an application which controls
network traffic to and from a computer, permitting or
denying communications based on a security policy.
Typically it works as an application layer firewall.
 A personal firewall will usually protect only the
computer on which it is installed, as compared to a
conventional firewall which is normally installed on a
designated interface between two or more networks,
such as a router or proxy server. Hence, personal
firewalls allow a security policy to be defined for
individual computers, whereas a conventional firewall
controls the policy between the networks that it
connects.
 Personal firewalls may also provide some level of intrusion detection,
allowing the software to terminate or block connectivity where it
suspects an intrusion is being attempted.

Copyright © 2010
 Features of personal firewalls -Protects the user from
unwanted incoming connection attempts
 Allows the user to control which programs can and cannot
access the local network and/or Internet and provide the user
with information about an application that makes a
connection attempt
 Block or alert the user about outgoing connection attempts
 Hide the computer from port scans by not responding to
unsolicited network traffic
 Monitor applications that are listening for incoming
connections
 Monitor and regulate all incoming and outgoing Internet users
 Prevent unwanted network traffic from locally installed
applications
 Provide information about the destination server with which
an application is attempting to communicate

Copyright © 2010
Virtual Private Network (VPN)
 Allows remote users to securely access internal
network via the Internet, using Point-to-Point
Tunneling Protocol (PPTP)
 It enables a host computer to send and receive data
across shared or public networks as if it were a
private network with all the functionality, security and
management policies of the private network.[1]This is
done by establishing a virtual point-to-
point connection through the use of dedicated
connections, encryption, or a combination of the two.

Copyright © 2010
- The VPN connection across the Internet
is technically a wide area network (WAN)
link between the sites but appears to the
user as a private network link—hence the
name "virtual private network".
- Point-to-Point Tunneling Protocol
(PPTP) is an encoding mechanism that
allows one local network to connect to
another using the internet as the conduit.
- - VPN is a temporary secure line and it
reduces the cost of secure connection.

Copyright © 2010
 Four Protocols used in VPN
- PPTP -- Point-to-Point Tunneling Protocol
- L2TP -- Layer 2 Tunneling Protocol
- IPsec -- Internet Protocol Security
- SOCKS – is not used as much as the ones
above
Tunneling- A virtual point-to-point connection
made through a public network. The process
of connecting one protocol (PPTP) through
another (IP) is called tunneling.

Copyright © 2010
 A VPN works by using the shared public
infrastructure while maintaining privacy through
security procedures and tunneling protocols
such as the Layer Two Tunneling Protocol
(L2TP). In effect, the protocols, by encrypting
data at the sending end and decrypting it at the
receiving end, send the data through a "tunnel"
that cannot be "entered" by data that is not
properly encrypted. An additional level of
security involves encrypting not only the data,
but also the originating and receiving network
addresses.

Copyright © 2010
 Eliminating the need for expensive long-distance
leased lines
 Reducing the long-distance telephone charges for
remote access.
 Transferring the support burden to the service
providers
 Operational costs
Advantages: Scalability
 Flexibility of growth
 Efficiency with broadband technology
Advantages: Cost Savings

Copyright © 2010
- VPNs require an in-depth understanding of
public network security issues and proper
deployment of precautions
- Availability and performance depends on
factors largely outside of their control
- Immature standards
- VPNs need to accommodate protocols other
than IP and existing internal network
technology
Disadvantages

Copyright © 2010
Definitions - Intrusion Detection Systems
 Intrusion
A set of actions aimed to compromise the security
goals, namely
 Integrity, confidentiality, or availability, of a computing
and networking resource
 Intrusion detection
The process of identifying and responding to
intrusion activities
 Intrusion prevention
Extension of ID with exercises of access control to
protect computers from exploitation

Copyright © 2010
Intrusion Detection Systems
 An intrusion detection system (IDS) is a
device or software application that
monitors network or system activities for
malicious activities or policy violations
and produces reports to a management
station.

Copyright © 2010
 Intrusion detection and prevention systems
(IDPS) are primarily focused on identifying
possible incidents, logging information about
them, and reporting attempts. In addition,
organizations use IDPSes for other purposes,
such as identifying problems with security
policies, documenting existing threats and
deterring individuals from violating security
policies.
 Types of IDS

Copyright © 2010
 Network intrusion detection system (NIDS) is an
independent platform that identifies intrusions by
examining network traffic and monitors multiple hosts.
Network intrusion detection systems gain access to
network traffic by connecting to a network
hub, network switch
 Host-based intrusion detection system (HIDS) It
consists of an agent on a host that identifies intrusions
by analyzing system calls, application logs, file-system
modifications and other host activities and state.
 Stack-based intrusion detection system (SIDS) in
this,the packets are examined as they go through the
TCP/IP stack and, therefore, it is not necessary for
them to work with the network interface in
promiscuous mode.

Unit 2aa

More Related Content

What's hot (17)

Viewers also liked (20)

Similar to Unit 2aa (20)

Recently uploaded (20)

Unit 2aa