Your SlideShare is downloading. ×
0
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
05ch
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

05ch

463

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
463
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  1. Chapter 5 Security Threats to Electronic Commerce
  2. Learning Objectives <ul><li>In this chapter, you will learn about: </li></ul><ul><li>Important computer and electronic commerce security terms </li></ul><ul><li>The reason that secrecy, integrity, and necessity are three parts of any security program </li></ul><ul><li>The roles of copyright and intellectual property and their importance </li></ul><ul><li>Threats and countermeasures to eliminate or reduce threats </li></ul>
  3. Learning Objectives <ul><li>Specific threats to client machines, Web servers, and commerce servers </li></ul><ul><li>Methods that you can use to enhance security in back office products </li></ul><ul><li>The way in which security protocols help plug security holes </li></ul><ul><li>The roles that encryption and certificates play in assurance and secrecy </li></ul>
  4. Security Overview <ul><li>Computer security is the protection of assets from unauthorized access, use, alteration, or destruction. </li></ul><ul><li>Two types of security: </li></ul><ul><ul><li>Physical security </li></ul></ul><ul><ul><li>Logical security </li></ul></ul>
  5. Types of Security <ul><li>Physical security includes tangible protection devices such as alarms and guards. </li></ul><ul><li>Protection of assets using nonphysical means is called logical security. </li></ul>
  6. Implication of Threat <ul><li>Any act or object that poses a danger to computer assets is known as a threat. </li></ul><ul><li>Countermeasure is a procedure that recognizes, reduces, or eliminates a threat. </li></ul><ul><li>The risk management model shows four general actions to take for the threat. </li></ul><ul><li>Click to see Figure 5-1: </li></ul>
  7.  
  8. Computer Security Classification <ul><li>Three computer security categories: </li></ul><ul><ul><li>Secrecy </li></ul></ul><ul><ul><li>Integrity </li></ul></ul><ul><ul><li>Necessity </li></ul></ul><ul><li>Secrecy refers to protecting against unauthorized data disclosure and ensuring the authenticity of the data’s source. </li></ul><ul><li>Integrity refers to preventing unauthorized data modification. </li></ul><ul><li>Necessity refers to preventing data delays or denials. </li></ul>
  9. Copyright and Intellectual Property <ul><li>Copyright is the protection of expression. </li></ul><ul><li>Intellectual property is the ownership of ideas and control over the tangible or virtual representation of those ideas. </li></ul><ul><li>U.S. Copyright Act of 1976 </li></ul><ul><li>Copyright Clearance Center provides copyright information </li></ul>
  10. Security Policy and Integrated Security <ul><li>A security policy is a written statement describing: </li></ul><ul><ul><li>Which assets to protect and why to protect </li></ul></ul><ul><ul><li>Who is responsible for that protection </li></ul></ul><ul><ul><li>Which behaviors are acceptable and which are not </li></ul></ul><ul><li>The Center for Security Policy (CSP) hosts security debates and policies. </li></ul>
  11. Security Policy and Integrated Security <ul><li>A security policy is a written statement describing: </li></ul><ul><ul><li>Which assets to protect and why to protect </li></ul></ul><ul><ul><li>Who is responsible for that protection </li></ul></ul><ul><ul><li>Which behaviors are acceptable and which are not </li></ul></ul><ul><li>The Center for Security Policy (CSP) hosts security debates and policies. </li></ul>
  12. Elements of a Security Policy <ul><li>Authentication </li></ul><ul><li>Access control </li></ul><ul><li>Secrecy </li></ul><ul><li>Data integrity </li></ul><ul><li>Audit </li></ul>
  13. Intellectual Property Threats <ul><li>Copyright infringements on the Web occur because users are ignorant of what they can and cannot copy. </li></ul><ul><li>The Copyright Website tackles the issues of copyright and newsgroup postings and fair use. </li></ul>
  14. Music Online <ul><li>Music industry better illustrates the copyright and intellectual property issues. </li></ul><ul><li>Napster changed the way music is delivered. </li></ul><ul><li>The act of ripping a song without proper permission is a copyright violation. </li></ul>
  15. Domain Names <ul><li>Issues of intellectual property rights on Internet Domain Names: </li></ul><ul><ul><li>Cybersquatting </li></ul></ul><ul><ul><li>Name changing </li></ul></ul><ul><ul><li>Name stealing </li></ul></ul>
  16. Cybersquatting <ul><li>Cybersquatting is the practice of registering a domain name that is the trademark of another person or company in the hopes that the owner will pay huge amounts of money to acquire the URL. </li></ul><ul><li>On November 29, 1999, the U.S. Anticybersquating Consumer Protection Act was signed into law. </li></ul>
  17. Name Changing <ul><li>Name changing occurs when someone registers purposely misspelled variations of well-known domain names. </li></ul><ul><li>The practice of name changing is annoying to affected online businesses and confusing to their customers. </li></ul>
  18. Name Stealing <ul><li>Name stealing occurs when someone changes the ownership of the domain name assigned to the site to another site and owner. </li></ul><ul><li>Once domain name ownership is changed, the name stealer can manipulate the site. </li></ul>
  19. Electronic Commerce Threats <ul><li>There are three types of electronic commerce threats: </li></ul><ul><ul><li>Client threats </li></ul></ul><ul><ul><li>Communication channel threats </li></ul></ul><ul><ul><li>Server threats </li></ul></ul>
  20. Client Threats <ul><li>Web pages were mainly static. </li></ul><ul><li>The widespread use of active content has changed the function of Web pages. </li></ul><ul><li>Sources of client threats: </li></ul><ul><ul><li>Active content </li></ul></ul><ul><ul><li>Java, Java Applets, and JavaScript </li></ul></ul><ul><ul><li>ActiveX Controls </li></ul></ul><ul><ul><li>Graphics, Plug-Ins, and E-mail Attachments </li></ul></ul>
  21. Active Content <ul><li>Active content refers to programs that are embedded transparently in Web pages and that cause action to occur. </li></ul><ul><li>The best-known active content forms are Java applets, ActiveX controls, JavaScript, and VBScript. </li></ul><ul><li>Also include graphics and Web browser plug-ins. </li></ul>
  22. Active Content <ul><li>A Trojan horse is a program hidden inside another program or Web page that masks its true purpose. </li></ul><ul><li>A zombie is a program that secretly takes over another computer for the purpose of launching attacks on other computer. </li></ul><ul><li>Malicious cookie can destroy files stored on client computers. </li></ul>
  23. Java <ul><li>Java adds functionality to business applications and can handle transactions and a wide variety of actions on the client computer. </li></ul><ul><li>Java sandbox confines Java applet actions to a set of rules defined by the security model. </li></ul><ul><li>Java is a very powerful development language. Untrusted applets should not be allowed to access all of this power. The Java sandbox restricts applets from performing many activities. </li></ul><ul><li>These rules apply to all untrusted Java applets. </li></ul>
  24. Java Applets <ul><li>Java applets that are loaded from a local file system are trusted. </li></ul><ul><li>Trusted applets have full access to system resources on the client computer. </li></ul><ul><li>Signed Java applets contain embedded digital signatures from a trusted third party, which are proof of the identity of the source of the applet. </li></ul>
  25. JavaScript <ul><li>JavaScript is a scripting language to enable Web page designers to build active content. </li></ul><ul><li>JavaScript can invoke privacy and integrity attacks by executing code that destroys your hard disk. </li></ul><ul><li>JavaScript programs do not operate under the restrictions of the Java sandbox security model. </li></ul>
  26. ActiveX Controls <ul><li>ActiveX is an object that contains programs and properties that Web designers place on Web pages to perform particular tasks. </li></ul><ul><li>ActiveX controls run only on computers running Windows and only on browsers that support them. </li></ul><ul><li>Because ActiveX controls have full access to your computer, they can cause secrecy, integrity, or necessity violations. </li></ul><ul><li>**ActiveX is a set of technologies that enable software components to interact with one another in a networked environment, regardless of the language in which the components were created. An ActiveX control is a user interface element created using ActiveX technology. ActiveX controls are small, fast, and powerful, and make it easy to integrate and reuse software components. </li></ul>
  27. Graphics, Plug-Ins, and E-mail Attachments <ul><li>Graphics, browser plug-ins, and e-mail attachments can harbor executable content. </li></ul><ul><li>The code embedded in the graphic could be a potential threat. </li></ul><ul><li>Plug-ins performs their duties by executing commands buried within the media they are manipulating. </li></ul><ul><li>E-mail attachments provide a convenient way to send nontext information over a text-only system. </li></ul>
  28. Virus <ul><li>A virus is software that attaches itself to another program and can cause damage when the host program is activated. </li></ul><ul><li>Worm viruses replicate themselves on other machines. </li></ul><ul><li>A macro virus is coded as a small program and is embedded in a file. </li></ul><ul><li>The term steganography describes information that is hidden within another piece of information. </li></ul>
  29. Communication Channel Threats <ul><li>The Internet is not at all secure. </li></ul><ul><li>Messages on the Internet travel a random path from a source node to a destination node. </li></ul><ul><li>Internet channel security threats include: </li></ul><ul><ul><li>secrecy </li></ul></ul><ul><ul><li>integrity </li></ul></ul><ul><ul><li>necessity </li></ul></ul>
  30. Secrecy Threats <ul><li>Secrecy is the prevention of unauthorized information disclosure. </li></ul><ul><li>Privacy is the protection of individual rights to nondisclosure. </li></ul><ul><li>Secrecy is a technical issue requiring sophisticated physical and logical mechanism. </li></ul><ul><li>Privacy protection is a legal matter. </li></ul>
  31. Integrity Threats <ul><li>An integrity threat exists when an unauthorized party can alter a message stream of information. </li></ul><ul><li>Cyber vandalism is an example of an integrity violation. </li></ul><ul><li>Masquerading or spoofing is one means of creating havoc on Web sites. </li></ul>
  32. Necessity Threats <ul><li>The purpose of a necessity threat is to disrupt normal computer processing or to deny processing entirely. </li></ul><ul><li>Necessity threat is also known as a delay, denial, or denial-of-service threat (DOS). </li></ul><ul><li>eBay faced the denial-of-service attack in early 2000. </li></ul>
  33. Server Threats <ul><li>Servers have vulnerabilities that can be exploited to cause destruction or to acquire information illegally. </li></ul><ul><li>Server threats include: </li></ul><ul><ul><li>Web server threats </li></ul></ul><ul><ul><li>Database threats </li></ul></ul><ul><ul><li>Common gateway interface threats </li></ul></ul><ul><ul><li>Other programming threats </li></ul></ul>
  34. Web Server Threats <ul><li>Setting up a Web server to run in high-privilege status can lead to a Web server threat. </li></ul><ul><li>The secrecy violation occurs when the contents of a server’s folder names are revealed to a Web browser. </li></ul><ul><li>The W3C Threat Document provides information about server security. </li></ul><ul><li>Click to see Figure 5-13: </li></ul>
  35.  
  36. Database Threats <ul><li>Databases connected to the Web could damage a company if it were disclosed or altered. </li></ul><ul><li>Anyone obtains user authentication information can masquerade as a legitimate user. </li></ul><ul><li>The Database threats resource center describes threats to database systems. </li></ul><ul><li>Click to see Figure 5-14: </li></ul>
  37.  
  38. Common Gateway Interface Threats <ul><li>Because CGIs are programs, they present a security threat if misused. </li></ul><ul><li>CGI scripts can be set up to run with high privileges, which causes a threat. </li></ul><ul><li>CGI programs or scripts can reside about anywhere on the Web server, they are hard to track down and manage. </li></ul>
  39. Other Programming Threats <ul><li>Another serious Web server attack can come from programs executed by the server. </li></ul><ul><li>Buffer overflows can have moderate to very serious security consequences. </li></ul><ul><li>A mail bomb is the attack when thousands of people send a message to a particular address. </li></ul><ul><li>Click to see Figure 5-15: </li></ul>
  40.  
  41. CERT <ul><li>DARPA created the Computer Emergency Response Team (CERT) Coordination Center to be located at Carnegie Mellon University. </li></ul><ul><li>CERT posts “CERT alerts” to inform the Internet community about recent security events. </li></ul><ul><li>Click to see Figure 5-16: </li></ul>
  42.  

×