Upcoming SlideShare
Loading in...5







Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    05ch 05ch Presentation Transcript

    • Chapter 5 Security Threats to Electronic Commerce
    • Learning Objectives
      • In this chapter, you will learn about:
      • Important computer and electronic commerce security terms
      • The reason that secrecy, integrity, and necessity are three parts of any security program
      • The roles of copyright and intellectual property and their importance
      • Threats and countermeasures to eliminate or reduce threats
    • Learning Objectives
      • Specific threats to client machines, Web servers, and commerce servers
      • Methods that you can use to enhance security in back office products
      • The way in which security protocols help plug security holes
      • The roles that encryption and certificates play in assurance and secrecy
    • Security Overview
      • Computer security is the protection of assets from unauthorized access, use, alteration, or destruction.
      • Two types of security:
        • Physical security
        • Logical security
    • Types of Security
      • Physical security includes tangible protection devices such as alarms and guards.
      • Protection of assets using nonphysical means is called logical security.
    • Implication of Threat
      • Any act or object that poses a danger to computer assets is known as a threat.
      • Countermeasure is a procedure that recognizes, reduces, or eliminates a threat.
      • The risk management model shows four general actions to take for the threat.
      • Click to see Figure 5-1:
    • Computer Security Classification
      • Three computer security categories:
        • Secrecy
        • Integrity
        • Necessity
      • Secrecy refers to protecting against unauthorized data disclosure and ensuring the authenticity of the data’s source.
      • Integrity refers to preventing unauthorized data modification.
      • Necessity refers to preventing data delays or denials.
    • Copyright and Intellectual Property
      • Copyright is the protection of expression.
      • Intellectual property is the ownership of ideas and control over the tangible or virtual representation of those ideas.
      • U.S. Copyright Act of 1976
      • Copyright Clearance Center provides copyright information
    • Security Policy and Integrated Security
      • A security policy is a written statement describing:
        • Which assets to protect and why to protect
        • Who is responsible for that protection
        • Which behaviors are acceptable and which are not
      • The Center for Security Policy (CSP) hosts security debates and policies.
    • Security Policy and Integrated Security
      • A security policy is a written statement describing:
        • Which assets to protect and why to protect
        • Who is responsible for that protection
        • Which behaviors are acceptable and which are not
      • The Center for Security Policy (CSP) hosts security debates and policies.
    • Elements of a Security Policy
      • Authentication
      • Access control
      • Secrecy
      • Data integrity
      • Audit
    • Intellectual Property Threats
      • Copyright infringements on the Web occur because users are ignorant of what they can and cannot copy.
      • The Copyright Website tackles the issues of copyright and newsgroup postings and fair use.
    • Music Online
      • Music industry better illustrates the copyright and intellectual property issues.
      • Napster changed the way music is delivered.
      • The act of ripping a song without proper permission is a copyright violation.
    • Domain Names
      • Issues of intellectual property rights on Internet Domain Names:
        • Cybersquatting
        • Name changing
        • Name stealing
    • Cybersquatting
      • Cybersquatting is the practice of registering a domain name that is the trademark of another person or company in the hopes that the owner will pay huge amounts of money to acquire the URL.
      • On November 29, 1999, the U.S. Anticybersquating Consumer Protection Act was signed into law.
    • Name Changing
      • Name changing occurs when someone registers purposely misspelled variations of well-known domain names.
      • The practice of name changing is annoying to affected online businesses and confusing to their customers.
    • Name Stealing
      • Name stealing occurs when someone changes the ownership of the domain name assigned to the site to another site and owner.
      • Once domain name ownership is changed, the name stealer can manipulate the site.
    • Electronic Commerce Threats
      • There are three types of electronic commerce threats:
        • Client threats
        • Communication channel threats
        • Server threats
    • Client Threats
      • Web pages were mainly static.
      • The widespread use of active content has changed the function of Web pages.
      • Sources of client threats:
        • Active content
        • Java, Java Applets, and JavaScript
        • ActiveX Controls
        • Graphics, Plug-Ins, and E-mail Attachments
    • Active Content
      • Active content refers to programs that are embedded transparently in Web pages and that cause action to occur.
      • The best-known active content forms are Java applets, ActiveX controls, JavaScript, and VBScript.
      • Also include graphics and Web browser plug-ins.
    • Active Content
      • A Trojan horse is a program hidden inside another program or Web page that masks its true purpose.
      • A zombie is a program that secretly takes over another computer for the purpose of launching attacks on other computer.
      • Malicious cookie can destroy files stored on client computers.
    • Java
      • Java adds functionality to business applications and can handle transactions and a wide variety of actions on the client computer.
      • Java sandbox confines Java applet actions to a set of rules defined by the security model.
      • Java is a very powerful development language. Untrusted applets should not be allowed to access all of this power. The Java sandbox restricts applets from performing many activities.
      • These rules apply to all untrusted Java applets.
    • Java Applets
      • Java applets that are loaded from a local file system are trusted.
      • Trusted applets have full access to system resources on the client computer.
      • Signed Java applets contain embedded digital signatures from a trusted third party, which are proof of the identity of the source of the applet.
    • JavaScript
      • JavaScript is a scripting language to enable Web page designers to build active content.
      • JavaScript can invoke privacy and integrity attacks by executing code that destroys your hard disk.
      • JavaScript programs do not operate under the restrictions of the Java sandbox security model.
    • ActiveX Controls
      • ActiveX is an object that contains programs and properties that Web designers place on Web pages to perform particular tasks.
      • ActiveX controls run only on computers running Windows and only on browsers that support them.
      • Because ActiveX controls have full access to your computer, they can cause secrecy, integrity, or necessity violations.
      • **ActiveX is a set of technologies that enable software components to interact with one another in a networked environment, regardless of the language in which the components were created. An ActiveX control is a user interface element created using ActiveX technology. ActiveX controls are small, fast, and powerful, and make it easy to integrate and reuse software components.
    • Graphics, Plug-Ins, and E-mail Attachments
      • Graphics, browser plug-ins, and e-mail attachments can harbor executable content.
      • The code embedded in the graphic could be a potential threat.
      • Plug-ins performs their duties by executing commands buried within the media they are manipulating.
      • E-mail attachments provide a convenient way to send nontext information over a text-only system.
    • Virus
      • A virus is software that attaches itself to another program and can cause damage when the host program is activated.
      • Worm viruses replicate themselves on other machines.
      • A macro virus is coded as a small program and is embedded in a file.
      • The term steganography describes information that is hidden within another piece of information.
    • Communication Channel Threats
      • The Internet is not at all secure.
      • Messages on the Internet travel a random path from a source node to a destination node.
      • Internet channel security threats include:
        • secrecy
        • integrity
        • necessity
    • Secrecy Threats
      • Secrecy is the prevention of unauthorized information disclosure.
      • Privacy is the protection of individual rights to nondisclosure.
      • Secrecy is a technical issue requiring sophisticated physical and logical mechanism.
      • Privacy protection is a legal matter.
    • Integrity Threats
      • An integrity threat exists when an unauthorized party can alter a message stream of information.
      • Cyber vandalism is an example of an integrity violation.
      • Masquerading or spoofing is one means of creating havoc on Web sites.
    • Necessity Threats
      • The purpose of a necessity threat is to disrupt normal computer processing or to deny processing entirely.
      • Necessity threat is also known as a delay, denial, or denial-of-service threat (DOS).
      • eBay faced the denial-of-service attack in early 2000.
    • Server Threats
      • Servers have vulnerabilities that can be exploited to cause destruction or to acquire information illegally.
      • Server threats include:
        • Web server threats
        • Database threats
        • Common gateway interface threats
        • Other programming threats
    • Web Server Threats
      • Setting up a Web server to run in high-privilege status can lead to a Web server threat.
      • The secrecy violation occurs when the contents of a server’s folder names are revealed to a Web browser.
      • The W3C Threat Document provides information about server security.
      • Click to see Figure 5-13:
    • Database Threats
      • Databases connected to the Web could damage a company if it were disclosed or altered.
      • Anyone obtains user authentication information can masquerade as a legitimate user.
      • The Database threats resource center describes threats to database systems.
      • Click to see Figure 5-14:
    • Common Gateway Interface Threats
      • Because CGIs are programs, they present a security threat if misused.
      • CGI scripts can be set up to run with high privileges, which causes a threat.
      • CGI programs or scripts can reside about anywhere on the Web server, they are hard to track down and manage.
    • Other Programming Threats
      • Another serious Web server attack can come from programs executed by the server.
      • Buffer overflows can have moderate to very serious security consequences.
      • A mail bomb is the attack when thousands of people send a message to a particular address.
      • Click to see Figure 5-15:
    • CERT
      • DARPA created the Computer Emergency Response Team (CERT) Coordination Center to be located at Carnegie Mellon University.
      • CERT posts “CERT alerts” to inform the Internet community about recent security events.
      • Click to see Figure 5-16: