E-Business Technologies 1 Chapter 7 E-Business Network and Web Site Security
Page 1:

E-Business Technologies 1

Chapter 7

E-Business Network and Web Site Security

Page 2:

Objectives

In this chapter, you will learn to:

• Describe general e-business and Web site security issues

• Identify ways to protect the physical security of a network

• List internal network security risks and explain how to protect against them

• Discuss external network and Web site security risks and explain how to protect against them

Page 3:

Objectives

In this chapter, you will learn to:

• Identify the risks associated with an e-business’s online transactions

• Illustrate a virtual private network

• Describe wireless security issues

• Discuss the importance of security audits

Page 4:

General Network and Web Site Security Issues

• E-business security: protecting data and physical networks

• E-business security risks include:

– Physical risks: Damage to network and data

– Internal risks: Threats originating within organization

– External risks: Threats from outside the organization

– Transactional risks: Data loss and interception

Page 5:

Physical Risks

• Include accidental or deliberate damage to equipment or data resulting from natural disaster or sabotage

• Specific issues include:

– Network equipment and physical location

– Electrical power backup

– Internet connectivity redundancy

– Outsourcing physical risks

Page 6:

Network Equipment and Physical Location

Equipment and location security includes:

• Network facilities location: network equipment and server rooms always locked, locations anonymous

• Fire protection: install fire-suppression systems that do not damage servers, routers, electrical equipment; but these systems might be fatal to humans

• Network facilities construction: construction and design of facilities more substantial than conventional office space and with particular attention to electrical and communication considerations

Page 7:

Electrical Power Backup

• E-businesses should consider two levels of backup power:

– Batteries that assume power within milliseconds of a failure

– Power generators that automatically start when the batteries die

• Critical servers should never be out more than five minutes per year to achieve “five nines reliability” (99.999% uptime)

Page 8:

Internet Connectivity Redundancy

• E-businesses should have more than one connection to the Internet

• ISPs and Web hosting companies often have connections to more than one network service provider (NSP)

• Complete data-center redundancy allows e-businesses to continue operations from a different location in the event of a major disaster

• What is the price of redundancy and when is the price too high?

Page 9:

Outsourcing Physical Risks

• Using Web hosting services provides physically secure environment for e-business servers

• Fee for service arrangement provides power, connectivity, and secure environment

• Eliminates internal risks to physical security

• What are the benefits for small firms to outsource?

Page 10:

Physical Risks to Network and Web Site Assets

• Include accidental or deliberate damage to equipment or data (is accidental or deliberate damage more likely?)

• Caused by natural disaster or sabotage

• Threats to network infrastructure include:

– Damage to network equipment

– Damage to power supplies

– Damage from fire

Page 11:

Network Equipment and Physical Location

• Physical security begins with equipment safety

• Threat reduction includes proper management of network facilities location and fire protection

• Security countermeasures for network facilities locations include:

– Locked network equipment room doors with restricted personnel access

– Locations of servers and switching equipment kept anonymous

Page 12:

Network Equipment and Physical Location

• Fire protection and countermeasures to prevent fire damage include:

– Use fire suppression system approved for electrical fires in server, switch, and power rooms

– Use only fire extinguishers approved for electrical fires in server, switch, and power rooms

– Pre-select and train employees responsible for fire control

Page 13:

Internal Security Risks

• Come from inside the company: unhappy employees, poor security awareness, poor planning

• Establishing and enforcing security policy is first countermeasure

• Additional countermeasures include:

– Password protecting the network

– Using biometric identification

– Using smart card authorization

Page 14:

Passwords

• Passwords are used to identify a specific computer user and grant user access

• Effective when created properly and changed regularly

DO:

– Use a combination of at least six characters and numbers

– Use easy to remember combinations

– Change password periodically

DON’T:

– Use familiar names, dates, or numbers significant to user

– Use common words from the dictionary, street names, etc.

– Pick new password similar to the old password
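
As an added example (not part of the slides), a checker that enforces the DO/DON’T rules above when a user picks a new password. The short word list, the user profile and the 0.8 similarity cut-off are constructed assumptions standing in for a real dictionary and directory lookup.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a dictionary / street-name list (assumption).
COMMON_WORDS = {"password", "welcome", "summer", "main", "broadway", "qwerty"}

# Constructed user profile: values "significant to the user" (assumption).
USER_PROFILE = {"name": "alice", "birth_year": "1979", "pet": "rex"}


def check_password(new_pw: str, old_pw: str = "", profile=USER_PROFILE,
                   dictionary=COMMON_WORDS) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes.

    Rules mirror the slide's table: at least six characters mixing letters and
    numbers; no names, dates or numbers tied to the user; no dictionary or
    street words; and not a near-copy of the previous password.
    """
    problems = []
    lowered = new_pw.lower()

    # DO: a combination of at least six characters and numbers
    if len(new_pw) < 6:
        problems.append("shorter than six characters")
    if not (re.search(r"[A-Za-z]", new_pw) and re.search(r"[0-9]", new_pw)):
        problems.append("must combine letters and numbers")

    # DON'T: familiar names, dates or numbers significant to the user
    for field, value in profile.items():
        if value.lower() in lowered:
            problems.append(f"contains user's {field}")

    # DON'T: common words from the dictionary, street names, etc.
    for word in dictionary:
        if word in lowered:
            problems.append(f"contains common word '{word}'")

    # DON'T: a new password similar to the old one. SequenceMatcher gives 1.0
    # for identical strings; 0.8 catches "Summer2023" -> "Summer2024" style edits.
    if old_pw:
        similarity = SequenceMatcher(None, lowered, old_pw.lower()).ratio()
        if similarity >= 0.8:
            problems.append("too similar to previous password")

    return problems


if __name__ == "__main__":
    for old, new in [("Summer2023", "Summer2024"), ("x", "alice1979"), ("x", "t7Kp3vQz")]:
        verdict = check_password(new, old) or ["ok"]
        print(f"{new!r}: {', '.join(verdict)}")
```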

Page 15:

Biometric Identification

• Measurement of biological data

• Biometric security devices and software measure and record a computer user’s unique human characteristics (such as eye retina or iris) for user identification

• Still under development

Page 16:

Smart Card

• Smart cards contain an embedded memory chip with user identification information

• Can be used to authenticate a remote user logging into a network

• Disadvantage: Risk of loss or theft

Page 17:

Backup and Restore Policies and Procedures

• Describes the plan for securing vital data files and software in case of disaster

• Specifies when and how critical files and software are backed up

• Backups should be built in to daily, weekly, monthly network maintenance schedule

• Test restore procedure, and archive, by performing periodic restores

Page 18:

Backup and Restore Policies and Procedures

• Backup media should also be stored offsite (or at least a second copy of the backup media)

• Some e-businesses assign backup responsibilities to employees outside of IT department

• Offsite storage also available via Internet connection from data management companies

Page 19:

Disaster Recovery Planning

• Disaster Recovery Plan part of e-business’ Business Continuity Plan

• DRP for network operations should include procedures for handling electrical outages, data loss, and security breaches

• Plan can include the use of redundant servers and equipment to handle system failover

• DRP should be tested periodically

Page 20:

External Security Risks

• Originate outside the company’s network

• Must bypass network defenses

• Connecting to the Internet exposes private LANs to risk of attack

• Stringent security necessary to protect against external risk

Page 21:

Hackers

• Outside intruders that deliberately gain unauthorized access to individual computers or computer networks

• White hat hackers find and make known weaknesses in computer systems without regard for personal gain

• Black hat hackers (crackers) gain access to steal valuable information, disrupt service, or cause damage

Page 22:

Hacker Attack Tactics

• Objective: interrupt operations or use hacked computer as base of attack on other computers

• The most common method is to send confusing data to a server or other computer

• Crashing a program can allow a hacker to take control of computers

• Buffer overflows tie up operating memory, degrading performance, causing crashes

Page 23:

Distributed Denial of Service Attacks

• Denial of Service (DoS) attacks designed to disable network using flood of useless traffic

• Distributed DoS uses multiple computers to attack networks

• DDoS attacks include:

– Unending string of Pings

– Sending hundreds of huge e-mail messages
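
As an added example (not from the slides), detection logic for the "unending string of Pings" case, run over constructed firewall log lines: it flags a single source that floods the target and, separately, the distributed pattern where many sources each stay under the per-source limit but together saturate the window. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed log line format (assumption, not any real firewall's syntax).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP echo-request src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)


def constructed_log() -> list[str]:
    """Build a constructed firewall log (not a real capture) for the demo."""
    lines = []
    # one host sending an unending string of pings: six requests in six seconds
    for s in range(6):
        lines.append(f"2001-09-18T10:00:{s:02d} ICMP echo-request "
                     f"src=203.0.113.5 dst=192.0.2.10")
    # eight different hosts, two pings each, all inside one 10-second window
    for s in (20, 21):
        for host in range(1, 9):
            lines.append(f"2001-09-18T10:00:{s} ICMP echo-request "
                         f"src=198.51.100.{host} dst=192.0.2.10")
    # an ordinary single ping from a monitoring host
    lines.append("2001-09-18T10:00:40 ICMP echo-request src=192.0.2.50 dst=192.0.2.10")
    return lines


def detect_ping_floods(lines, window_s=10, per_source_limit=5, total_limit=12):
    """Return (offenders, distributed_alerts).

    offenders: sources that sent >= per_source_limit echo requests inside a
    sliding window of window_s seconds (a single-source ping flood).
    distributed_alerts: timestamps at which the combined request count reached
    total_limit while no single source crossed its own limit, the signature of
    many computers attacking together.
    """
    window = timedelta(seconds=window_s)
    recent = deque()            # (timestamp, src) pairs still inside the window
    offenders, distributed = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # ignore lines that are not echo requests
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        recent.append((ts, src))
        while ts - recent[0][0] > window:
            recent.popleft()    # drop requests older than the window
        counts = Counter(s for _, s in recent)
        if counts[src] >= per_source_limit:
            offenders.add(src)
        elif (len(recent) >= total_limit
              and max(counts.values()) < per_source_limit
              and (not distributed or distributed[-1] != ts.isoformat())):
            distributed.append(ts.isoformat())   # one alert per timestamp
    return offenders, distributed


if __name__ == "__main__":
    single, multi = detect_ping_floods(constructed_log())
    print("single-source flood from:", sorted(single))
    print("distributed flood detected at:", multi)
```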

Page 25:

Web Site Defacement

• Hacker deliberately changes the content of Web pages

• Caused by breaking into network, accessing Web site files and modifying files

• Better known victims include FBI, Goodyear, NY Times, and NASA

Page 26:

Hacker Countermeasures

• Firewalls designed to resist buffer overflows and other common types of hacker attacks

• Firewall types include:

– Packet-filtering firewalls

– Circuit-level firewalls: verified by TCP; the weakness is that once it is verified, subsequent packets are not verified

– Application-level firewalls (e-mail, FTP, or some other application)

Page 28:

Hacker Countermeasures

• Network Address Translation uses external IP addresses to hide internal IP addresses

• Proxy server uses external IP address to send HTTP request over Internet and forwards responses from HTTP servers to requesting client using internal IP address

Hacking back is illegal.

Page 29:

How Filters Work

• A filter is a process or device that screens incoming information

• Allows only information that meets specified criteria through

• Disabling service ports denies access to HTTP, e-mail from Internet

• Restricting access to internal IP addresses hides computers
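
As an added example (not from the slides), a packet filter that applies the criteria on this slide to inbound traffic on the external interface: disabled service ports, hidden internal addresses, and a default of denying anything that matches no allow criterion. The LAN range, published server and port sets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption): the internal LAN, the one server the
# e-business publishes to the Internet, and the ports disabled or allowed for
# traffic arriving from the Internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PUBLIC_SERVERS = {ipaddress.ip_address("192.0.2.10")}
DISABLED_PORTS = {80, 25}     # HTTP and e-mail (SMTP) closed to the Internet
ALLOWED_PORTS = {443}         # the only service the published server exposes


@dataclass(frozen=True)
class Packet:
    """Minimal view of an inbound packet seen on the external interface."""
    src: str
    dst: str
    dst_port: int


def filter_packet(pkt: Packet) -> tuple[str, str]:
    """Screen one inbound packet; return ("ALLOW" | "DENY", reason).

    Only packets meeting every criterion pass; anything unmatched is denied.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # A packet arriving from the Internet cannot legitimately carry an
    # internal source address; treat it as spoofed.
    if any(src in net for net in INTERNAL_NETS):
        return "DENY", "spoofed internal source address"
    # Restricting access to internal addresses hides the computers behind the filter.
    if any(dst in net for net in INTERNAL_NETS):
        return "DENY", "internal address hidden from Internet"
    # Disabled service ports deny HTTP and e-mail access from the Internet.
    if pkt.dst_port in DISABLED_PORTS:
        return "DENY", f"service port {pkt.dst_port} disabled"
    if dst in PUBLIC_SERVERS and pkt.dst_port in ALLOWED_PORTS:
        return "ALLOW", "published server on permitted port"
    return "DENY", "no matching allow criterion"


def screen(packets):
    """Apply the filter to a batch; return (packet, verdict, reason) per packet."""
    return [(pkt, *filter_packet(pkt)) for pkt in packets]


if __name__ == "__main__":
    sample = [                                      # constructed sample traffic
        Packet("203.0.113.9", "192.0.2.10", 443),   # customer reaching the Web server
        Packet("203.0.113.9", "192.0.2.10", 80),    # plain HTTP, port disabled
        Packet("203.0.113.9", "10.0.0.5", 445),     # probe at a hidden internal host
        Packet("10.0.0.7", "192.0.2.10", 443),      # internal source seen from outside
    ]
    for pkt, verdict, reason in screen(sample):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dst_port}  {verdict:5}  {reason}")
```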

Page 30:

Viruses

Standard computer viruses:

• Are small, usually destructive, programs that are inserted into other files that then become “infected”

• Infect executable programs or operating system files, spreading when infected program executes

• Can also spread via e-mail headers or attachments

• Can prevent a computer system from booting, erase files or entire hard drives, prevent the saving or printing of files, and send repetitive e-mail messages

Page 31:

Worms

• Viruses that reside in a computer’s memory, replicating themselves

• Uncontrolled replications consume a computer’s resources, slowing or crashing the system

NAME: W32.Nimda.A@mm

DATE IDENTIFIED: 9/18/2001

WHAT IT DOES: Sent as e-mail or MS Outlook/Outlook Express folders. Attacks IIS Web servers.

Page 32:

Macro Viruses

• A macro virus is a virus that infects macros

• Distributed in files such as Word documents or Excel workbooks e-mailed or transferred via floppy disk

NAME: W97M.DebilByte.A

DATE IDENTIFIED: 02/05/2002

WHAT IT DOES: Infects MS Word Normal.dot template, and subsequent documents

Page 33:

Trojan Horses

• Pretends to be something useful or fun, does something malicious instead

• Used to steal passwords, record a user’s keystrokes, locate IP addresses, and plant other destructive programs

NAME: Backdoor.Surgeon

DATE IDENTIFIED: 02/20/2002

WHAT IT DOES: Allows hacker to take control of computer by opening a port (35000)

Page 34:

Wireless Viruses

• “Liberty Crack” Palm Trojan, identified in August 2000

– Could delete all applications on a Palm device

• “Phage” discovered in September 2000

– Infected Palm operating system applications and documents

– Proliferated when users beamed or shared an infected document

Page 35:

Virus Hoaxes

• Some so-called viruses trumpeted in the media or announced via warning e-mails are just hoaxes

• False warnings about viruses proliferate as quickly as real viruses

• Creates an atmosphere in which a real virus warning might not be taken seriously

• Several antivirus software vendors maintain up-to-date information on viruses, worms, Trojan horses, and hoaxes. This information is available online.

Page 36:

Virus Countermeasures

• Countermeasures to block infections include:

– Antivirus software

– Employee education

– Installing software updates and patches

– User awareness

– Use of application software tools

– It's not just the job of IT, but of all users

Page 37:

Transactional Security

• Transactional security includes:

– Authentication

– Integrity

– Nonrepudiation

– Confidentiality

• Protective measures include: sending and receiving encrypted messages or data, using digital certificates to authenticate the parties involved in the transaction, and storing retained customer information properly

Page 38:

Encryption

• Cryptography is the art of protecting information by encrypting it

• Encryption is the translation of data into a secret code called ciphertext

• Ciphertext that is transmitted to its destination and then decrypted (or returned to its unencrypted format) is called plaintext

• Both parties in a transaction need access to encryption key

• Network encryption uses two keys: a public key to encrypt information and a private key to decrypt it

Page 39:

Public Key Infrastructure

• An e-business obtains public and private keys from a certificate authority (CA)

• Public keys are posted to a public directory

• Private keys are given only to the e-business requesting the keys

• A digital certificate is the electronic security credential that certifies an entity’s identity

Page 41:

How Public Key Encryption Works

• Public-key encryption is asymmetric

• Uses very large prime numbers to create public keys

• Public and private keys are used for the initial session greeting; session keys encrypt and decrypt data

• Session keys are shorter keys created and used only during the current session and discarded afterward

• In the U.S., session keys usually consist of 16 digits equaling 128 bits, also called 128-bit keys

Page 42:

Security Protocols

• Secure Sockets Layer (SSL) uses public key encryption and digital certificates; and is included in Web browsers/Web servers

• Transport Layer Security (TLS) used to assure no third-party access to Internet communications. Uses two protocols:

– TLS Record Protocol

– TLS Handshake Protocol

• Secure Electronic Transactions (SET) protocol used for presenting credit card transaction on the Internet

Page 43:

Virtual Private Networks

• Virtual Private Networks (VPNs) are private networks that use the Internet to transmit data

VPNs use:

• Firewalls

• Public key encryption

• Digital certificates

Page 45:

Tunneling

• Tunneling encapsulates one protocol within another protocol; requires telecomm equipment that supports VPN

• VPNs using the Internet encapsulate encrypted data, sending and receiving IP addresses, and a special tunneling protocol within a regular IP packet

• Tunneling protocols include: Point-to-Point, GRE, L2TP, and IPSec

• Method of data encryption and encapsulation depends on the protocol used

Page 46:

Wireless Security

• Eavesdropping on early wireless transmissions was fairly simple:

– FDMA technologies stayed on one frequency for call duration, required “listening device” that operated on same frequency

– TDMA technologies switch, but can be intercepted using a device that listens for one-third of a second and then decompresses the signal into a full second of speech

• CDMA (other current standards) poses more of a challenge, but … not invincible

Page 47:

WAP and WTLS

• Wireless Transport Layer Security (WTLS) uses encryption and digital certificates

• Upon accessing WAP server, WAP client requests secure connection

• WAP server responds by sending digital certificate, with public key

• WAP client generates encrypted session key to WAP server, which decrypts the key

• WAP client/server can send/receive encrypted data for balance of session

Page 48:

WLANs and Security

• WLANs are most vulnerable at wireless access points

• Hackers need only an 802.11b-enabled laptop, an inexpensive antenna, and WLAN access point detection software, such as NetStumbler

• Using “meaningful” access point names and “default” settings on wireless access points simplifies hacker’s job

• Using Wireless Equivalent Privacy (WEP) security protocol (IEEE 802.11b Wi-Fi) provides encryption and authentication of wireless transmissions

Page 49:

IrDA and Bluetooth Security

• Short distances and line-of-sight requirements for IrDA devices make “sniffers” impractical

• Using laptops with default IrDA port settings in public places (such as airports) automatically allows networking with other IrDA devices without authentication or passwords

• Bluetooth uses 128-bit link key, private encryption keys, user PIN and device addresses for transmission security

• Bluetooth vulnerability: device address sent with each transmission and user PINs can be compromised easily by theft or loss of device

Page 50:

Security Audits

• Security audit is a comprehensive review and assessment of an e-business’s security vulnerabilities

• A complete security audit should include: reviewing security policies, employee security training, and the physical security of the e-business’s offices and network facilities

• Audits can include examining the technical security of a network via penetration testing or actual attempted hacking attacks by security audit personnel

Page 51:

Penetration Test Protection

• When evaluating security firms, request:

– Proof of insurance: cover cost of fixing damage/losses caused by penetration testing

– Nondisclosure agreements: prevent disclosure of test results, network and proprietary information

– Scanning tools: determine what scanning tools will be used for testing

– Scope of engagement: scope of audit and test plans

– Documentation: final detailed accounting of audit, including individual test results, findings