Chapter 12

Chapter 12Chapter 12

E-Commerce SecurityE-Commerce Security

© Prentice Hall 2004© Prentice Hall 2004 22

Accelerating Need forAccelerating Need forE-Commerce SecurityE-Commerce Security

Annual survey conducted by the Computer Security Institute and the FBI

1. Organizations continue to experience cyber attacks from inside and outside of the organization


Accelerating Need forAccelerating Need forE-Commerce Security E-Commerce Security

(cont.)(cont.)2. The types of cyber attacks that

organizations experience were varied

3. The financial losses from a cyber attack can be substantial

4. It takes more than one type of technology to defend against cyber attacks



(cont.)(cont.)National Infrastructure Protection National Infrastructure Protection Center (NIPC):Center (NIPC): A joint partnership, A joint partnership, under the auspices of the FBI, under the auspices of the FBI, among governmental and private among governmental and private industry; designed to prevent and industry; designed to prevent and protect the nation’s infrastructureprotect the nation’s infrastructure



(cont.)(cont.)According to the statistics reported to CERT/CC over the past year (CERT/CC 2002)

The number of cyber attacks skyrocketed from approximately 22,000 in 2000 to over 82,000 in 2002First First quarter of 2003 the number was already over 43,000


Security Is Security Is Everyone’s BusinessEveryone’s Business

Security practices of organizations of various sizes

Small organizations (10 to 100 computers)

The “haves” are centrally organized, devote a sizeable percentage of their IT budgets to securityThe “have-nots” are basically clueless when it comes to IT security


Security Is Security Is Everyone’s Business Everyone’s Business

(cont.)(cont.)Medium organizations (100 to 1,000 computers)

Rarely rely on managerial policies in making security decisions, and they have little managerial support for their IT policiesThe staff they do have is poorly educated and poorly trained—overall exposure to cyber attacks and intrusion is substantially greater than in smaller organizations



(cont.)(cont.)Large organizations (1,000 to 10,000 computers)

Complex infrastructures and substantial exposure on the InternetWhile aggregate IT security expenditures are fairly large, their security expenditures per employee are low



(cont.)(cont.)Larger organizations

IT security is part-time and undertrained—sizeable percentage of the large organizations suffer loss or damage due to incidentsBase their security decisions on organizational policies



(cont.)(cont.)Very large organizations (more than 10,000 computers)

extremely complex environments that are difficult to manage even with a larger staffrely on managerial policies in making IT security decisionsonly a small percentage have a well-coordinated incident response plan


Security IssuesSecurity Issues

From the user’s perspective:From the user’s perspective:Is the Is the Web server owned and operated by a legitimate company?Does Does the Web page and form contain some malicious or dangerous code or content?Will the Will the Web server distribute unauthorized information the user provides to some other party?


Security Issues Security Issues (cont.)(cont.)

From the company’s perspective:From the company’s perspective:Will the user not attempt to break into the Web server or alter the pages and content at the site?

Will Will the user will try to disrupt the server so that it isn’t available to others?



From both parties’ perspectives:From both parties’ perspectives:Is Is the network connection free from eavesdropping by a third party “listening” on the line?

Has Has the information sent back and forth between the server and the user’s browser been altered?


Security RequirementsSecurity Requirements

Authentication:Authentication: The process by The process by which one entity verifies that which one entity verifies that another entity is who they claim another entity is who they claim to be to be

Authorization:Authorization: The process that The process that ensures that a person has the ensures that a person has the right to access certain resourcesright to access certain resources


Security Requirements Security Requirements (cont.)(cont.)

Auditing:Auditing: The process of The process of collecting information about collecting information about attempts to access particular attempts to access particular resources, use particular resources, use particular privileges, or perform other privileges, or perform other security actionssecurity actions



Confidentiality:Confidentiality: Keeping private or Keeping private or sensitive information from being sensitive information from being disclosed to unauthorized disclosed to unauthorized individuals, entities, or processesindividuals, entities, or processes



Integrity:Integrity: As applied to data, the As applied to data, the ability to protect data from being ability to protect data from being altered or destroyed in an altered or destroyed in an unauthorized or accidental mannerunauthorized or accidental manner



NonrepudiationNonrepudiation:: The ability to The ability to limit parties from refuting that a limit parties from refuting that a legitimate transaction took place, legitimate transaction took place, usually by means of a signatureusually by means of a signature


Types of Threats and Types of Threats and AttacksAttacks

Nontechnical attack:Nontechnical attack: An attack An attack that uses chicanery to trick that uses chicanery to trick people into revealing sensitive people into revealing sensitive information or performing actions information or performing actions that compromise the security of a that compromise the security of a networknetwork


Types of Types of Threats and Attacks Threats and Attacks (cont.)(cont.)



Social engineering:Social engineering: A type of A type of nontechnical attack that uses nontechnical attack that uses social pressures to trick computer social pressures to trick computer users into compromising users into compromising computer networks to which computer networks to which those individuals have accessthose individuals have access



Multiprong approach used to combat social engineering:

1. Education and training2. Policies and procedures3. Penetration testing



Technical attack:Technical attack: An attack An attack perpetrated using software and perpetrated using software and systems knowledge or expertise systems knowledge or expertise



Common (security) vulnerabilities Common (security) vulnerabilities and exposures (CVEs):and exposures (CVEs): Publicly Publicly known computer security risks, known computer security risks, which are collected, listed, and which are collected, listed, and shared by a board of security-shared by a board of security-related organizations related organizations ((cve.mitre.orgcve.mitre.org))



Denial-of-service (DoS) attack:Denial-of-service (DoS) attack: An An attack on a Web site in which an attack on a Web site in which an attacker uses specialized attacker uses specialized software to send a flood of data software to send a flood of data packets to the target computer packets to the target computer with the aim of overloading its with the aim of overloading its resourcesresources



Distributed denial-of-service (DDoS) Distributed denial-of-service (DDoS) attack:attack: A denial-of-service attack in A denial-of-service attack in which the attacker gains illegal which the attacker gains illegal administrative access to as many administrative access to as many computers on the Internet as computers on the Internet as possible and uses these multiple possible and uses these multiple computers to send a flood of data computers to send a flood of data packets to the target computerpackets to the target computer





Malware:Malware: A generic term for A generic term for malicious softwaremalicious software

The severity of the viruses increased substantially, requiring much more time and money to recover85% of survey respondents said that their organizations had been the victims of e-mail viruses in 2002



Malicious code takes a variety of forms—both pure and hybrid

Virus:Virus: A piece of software code that A piece of software code that inserts itself into a host, including inserts itself into a host, including the operating systems, to the operating systems, to propagate; it requires that its host propagate; it requires that its host program be run to activate itprogram be run to activate it



Worm:Worm: A software program that A software program that runs independently, consuming runs independently, consuming the resources of its host in order the resources of its host in order to maintain itself and is capable to maintain itself and is capable of propagating a complete of propagating a complete working version of itself onto working version of itself onto another machineanother machine



Macro virus or macro worm:Macro virus or macro worm: A A virus or worm that is executed virus or worm that is executed when the application object that when the application object that contains the macro is opened or contains the macro is opened or a particular procedure is a particular procedure is executedexecuted



Trojan horse:Trojan horse: A program that A program that appears to have a useful appears to have a useful function but that contains a function but that contains a hidden function that presents a hidden function that presents a security risksecurity risk


Managing EC SecurityManaging EC Security

Common mistakes in managing their security risks (McConnell 2002):

Undervalued informationNarrowly defined security boundariesReactive security managementDated security management processesLack of communication about security responsibilities


Managing EC Security Managing EC Security (cont.)(cont.)

Security risk management:Security risk management: A A systematic process for systematic process for determining the likelihood of determining the likelihood of various security attacks and for various security attacks and for identifying the actions needed to identifying the actions needed to prevent or mitigate those attacksprevent or mitigate those attacks



Phases of security risk Phases of security risk managementmanagement

AssessmentPlanningImplementationMonitoring



Phase 1: AssessmentPhase 1: AssessmentEvaluate security risks by determining assets, vulnerabilities of their system, and potential threats to these vulnerabilities



Phase 2: PlanningPhase 2: PlanningGoal of this phase is to arrive at Goal of this phase is to arrive at a set of policies defining which a set of policies defining which threats are tolerable and which threats are tolerable and which are notare not

Policies also specify the general Policies also specify the general measures to be taken against measures to be taken against those threats that are those threats that are intolerable or high priorityintolerable or high priority



Phase 3: ImplementationPhase 3: ImplementationParticular technologies are chosen to counter high-priority threats

First step is to select First step is to select generic types of technology for each of the high priority threats



Phase 4: Monitoring to determinePhase 4: Monitoring to determineWhich measures are successfulWhich measures are unsuccessful and need modificationWhether there are any new types of threatsWhether there have been advances or changes in technologyWhether there are any new business assets that need to be secured



Methods of securing ECMethods of securing ECAuthentication systemAuthentication system

Access control mechanismAccess control mechanism

Passive tokensPassive tokens

Active tokensActive tokens


AuthenticationAuthentication

Authentication system:Authentication system: System System that identifies the legitimate that identifies the legitimate parties to a transaction, parties to a transaction, determines the actions they are determines the actions they are allowed to perform, and limits allowed to perform, and limits their actions to only those that their actions to only those that are necessary to initiate and are necessary to initiate and complete the transactioncomplete the transaction


Authentication Authentication (cont.)(cont.)

Access control mechanism:Access control mechanism: Mechanism that limits the actions Mechanism that limits the actions that can be performed by an that can be performed by an authenticated person or groupauthenticated person or group



Passive tokens:Passive tokens: Storage devices Storage devices (e.g., magnetic strips) used in a (e.g., magnetic strips) used in a two-factor authentication system two-factor authentication system that contain a secret codethat contain a secret code



Active tokens:Active tokens: Small, stand-alone Small, stand-alone electronic devices in a two factor electronic devices in a two factor authentication system that authentication system that generate one-time passwordsgenerate one-time passwords


EncryptionEncryption

The process of transforming plain text or The process of transforming plain text or data into cipher text that cannot be read by data into cipher text that cannot be read by anyone outside of the sender and the anyone outside of the sender and the receiver. The purpose of encryption is receiver. The purpose of encryption is

(a) to secure stored information and (a) to secure stored information and (b) to secure information transmission.(b) to secure information transmission.

Cipher text is text that has been encrypted Cipher text is text that has been encrypted and thus cannot be read by anyone besides and thus cannot be read by anyone besides

the sender and thethe sender and the receiverreceiver



Symmetric key encryption (secret key Symmetric key encryption (secret key encryption) the sender and the receiver use encryption) the sender and the receiver use the same key to encrypt and decrypt the the same key to encrypt and decrypt the messagemessage

Data Encryption Standard (DES) is the most Data Encryption Standard (DES) is the most widely used symmetric key encryption, widely used symmetric key encryption, developed by the National Security Agency developed by the National Security Agency (NSA) and IBM. Uses a 56-bit encryption key(NSA) and IBM. Uses a 56-bit encryption key


Encryption Methods Encryption Methods (cont.)(cont.)



Public key cryptography uses two Public key cryptography uses two mathematically related digital keys are used: mathematically related digital keys are used: a public key and a private key.a public key and a private key.

The private key is kept secret by the owner, The private key is kept secret by the owner, and the public key is widely disseminated.and the public key is widely disseminated.

Both keys can be used to encrypt and decrypt Both keys can be used to encrypt and decrypt a message.a message.

However, once the keys are used to encrypt a However, once the keys are used to encrypt a message, the same key cannot be used to message, the same key cannot be used to unencrypt the messageunencrypt the message


Public Key Cryptography - Public Key Cryptography - A Simple CaseA Simple Case



Digital signature is a “signed” cipher text that Digital signature is a “signed” cipher text that can be sent over the Internetcan be sent over the Internet

Hash function uses an algorithm that produces Hash function uses an algorithm that produces a fixed-length number called a hash or a fixed-length number called a hash or message digestmessage digest

Digital envelop is a technique that uses Digital envelop is a technique that uses symmetric encryption for large documents, but symmetric encryption for large documents, but public key encryption to encrypt and send the public key encryption to encrypt and send the symmetric keysymmetric key


Public Key Cryptography with Digital SignaturesPublic Key Cryptography with Digital Signatures


Public Key Cryptography: Creating a Digital Public Key Cryptography: Creating a Digital EnvelopeEnvelope



Public Key Infrastructure (PKI) are Public Key Infrastructure (PKI) are certification authorities and certification authorities and digital certificate procedures that digital certificate procedures that are accepted by all partiesare accepted by all parties

Pretty Good Privacy (PGP) is a Pretty Good Privacy (PGP) is a widely used email public key widely used email public key encryption software programencryption software program



Digital certificate is a digital document issued Digital certificate is a digital document issued by a certification authority that contains the by a certification authority that contains the name of the subject or company, the name of the subject or company, the subject’s public key, a digital certificate serial subject’s public key, a digital certificate serial number, an expiration date, the digital number, an expiration date, the digital signature of the certification authority, and signature of the certification authority, and other identifying informationother identifying information

Certification Authority (CS) is a trusted third Certification Authority (CS) is a trusted third party that issues digital certificatesparty that issues digital certificates


Digital Certificates and Public Key InfrastructureDigital Certificates and Public Key Infrastructure


Elements of PKIElements of PKI

Digital signature:Digital signature: An identifying An identifying code that can be used to code that can be used to authenticate the identity of the authenticate the identity of the sender of a documentsender of a document

PortableCannot be easily repudiated or imitated, and can be time-stamped


Elements of PKI Elements of PKI (cont.)(cont.)



Digital signatures include:Digital signatures include:Hash:Hash: A mathematical computation that A mathematical computation that is applied to a message, using a private is applied to a message, using a private key, to encrypt the messagekey, to encrypt the message

Message digest:Message digest: A summary of a A summary of a message, converted into a string of message, converted into a string of digits, after the hash has been applieddigits, after the hash has been applied

Digital envelope:Digital envelope: The combination of the The combination of the encrypted original message and the encrypted original message and the digital signature, using the recipient’s digital signature, using the recipient’s public keypublic key



Digital certificate:Digital certificate: Verification Verification that the holder of a public or that the holder of a public or private key is who they claim to private key is who they claim to bebe

Certificate authorities (CAs):Certificate authorities (CAs): Third Third parties that issue digital parties that issue digital certificatescertificates


Security ProtocolsSecurity Protocols

Secure Socket Layer (SSL):Secure Socket Layer (SSL): Protocol that utilizes standard Protocol that utilizes standard certificates for authentication and certificates for authentication and data encryption to ensure privacy data encryption to ensure privacy or confidentialityor confidentiality

Transport Layer Security (TLS):Transport Layer Security (TLS): As As of 1996, another name for the of 1996, another name for the SSL protocolSSL protocol


Security Protocols Security Protocols (cont.)(cont.)

Secure Electronic Transaction Secure Electronic Transaction (SET):(SET): A protocol designed to A protocol designed to provide secure online credit card provide secure online credit card transactions for both consumers transactions for both consumers and merchants; developed jointly and merchants; developed jointly by Netscape, Visa, MasterCard, by Netscape, Visa, MasterCard, and othersand others


Securing EC NetworksSecuring EC Networks

Technologies for organizational Technologies for organizational networksnetworks

Firewall:Firewall: A network node consisting of A network node consisting of both hardware and software that isolates both hardware and software that isolates a private network from a public networka private network from a public network

Packet-filtering routers:Packet-filtering routers: Firewalls that Firewalls that filter data and requests moving from the filter data and requests moving from the public Internet to a private network public Internet to a private network based on the network addresses of the based on the network addresses of the computer sending or receiving the computer sending or receiving the requestrequest


Securing EC Networks Securing EC Networks (cont.)(cont.)

Packet filters:Packet filters: Rules that can Rules that can accept or reject incoming packets accept or reject incoming packets based on source and destination based on source and destination addresses and the other addresses and the other identifying informationidentifying information

Application-level proxy:Application-level proxy: A firewall A firewall that permits requests for Web that permits requests for Web pages to move from the public pages to move from the public Internet to the private networkInternet to the private network



Bastion gateway:Bastion gateway: A special A special hardware server that utilizes hardware server that utilizes application-level proxy software to application-level proxy software to limit the types of requests that can limit the types of requests that can be passed to an organization’s be passed to an organization’s internal networks from the public internal networks from the public InternetInternetProxies:Proxies: Special software programs Special software programs that run on the gateway server and that run on the gateway server and pass repackaged packets from one pass repackaged packets from one network to the othernetwork to the other





Personal firewalls:Personal firewalls:Personal firewall:Personal firewall: A network A network node designed to protect an node designed to protect an individual user’s desktop system individual user’s desktop system from the public network by from the public network by monitoring all the traffic that monitoring all the traffic that passes through the computer’s passes through the computer’s network interface cardnetwork interface card



VPNsVPNsVirtual private network (VPN):Virtual private network (VPN): A A network that uses the public network that uses the public Internet to carry information but Internet to carry information but remains private by using remains private by using encryption to scramble the encryption to scramble the communications, authentication to communications, authentication to ensure that information has not ensure that information has not been tampered with, and access been tampered with, and access control to verify the identity of control to verify the identity of anyone using the networkanyone using the network



Protocol tunneling:Protocol tunneling: Method used Method used to ensure confidentiality and to ensure confidentiality and integrity of data transmitted integrity of data transmitted over the Internet, by encrypting over the Internet, by encrypting data packets, sending them in data packets, sending them in packets across the Internet, and packets across the Internet, and decrypting them at the decrypting them at the destination addressdestination address



Intrusion detection systems Intrusion detection systems (IDSs):(IDSs): A special category of A special category of software that can monitor activity software that can monitor activity across a network or on a host across a network or on a host computer, watch for suspicious computer, watch for suspicious activity, and take automated activity, and take automated action based on what it seesaction based on what it sees



Network-based IDS uses rules to analyze suspicious activity at the perimeter of a network or at key locations in the networkConsists of a monitor—a software package that scans the software agents that reside on various host computers and feed information back to the monitor

Chapter 12

Documents

commerce security cont

security issues cont

security decisions

security expenditures

low security

security requirementsa

everyones business cont

computer security institute