Your SlideShare is downloading. ×
0
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
E-business by G. Schneider - Chapter 10 (edition 9)
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

E-business by G. Schneider - Chapter 10 (edition 9)

2,888

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,888
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
308
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. E- BusinessNinth Edition Chapter 10Online Security 1
  • 2. Learning ObjectivesIn this chapter, you will learn about:• Online security issues• Security for client computers• Security for the communication channels between computers• Security for server computers• Organizations that promote computer, network, and Internet securityE-Business, Ninth Edition 2
  • 3. Online Security Issues Overview• Early Internet days – Most popular use: electronic mail• Today’s higher stakes – Electronic mail, shopping, all types of financial transactions• Common worry of Web shoppers – Stolen credit card as it transmits over the Internet – More likely to be stolen from computer where stored• Chapter topic: security in the context of electronic commerceE-Business, Ninth Edition 3
  • 4. Computers and Security: A Brief History• Originally: simple matter to determine who is using a computing resource – Accomplished using physical controls• Today: requires new security tools and methods• Modern electronic security techniques – Defense Department wartime use • “Orange Book”: rules for mandatory access control• Research today – Provides commercial security products and practical security techniquesE-Business, Ninth Edition 4
  • 5. Computer Security and Risk Management• Computer security – Asset protection from unauthorized access, use, alteration, destruction• Physical security – Includes tangible protection devices • Alarms, guards, fireproof doors, security fences, safes or vaults, and bombproof buildings• Logical security – Asset protection using nonphysical meansE-Business, Ninth Edition 5
  • 6. Computer Security and Risk Management (cont’d.)• Threat – Any act or object posing danger to computer assets• Countermeasure – Procedure (physical or logical) • Recognizes, reduces, eliminates threat – Extent and expense of countermeasures • Vary depending on asset importanceE-Business, Ninth Edition 6
  • 7. Computer Security and Risk Management (cont’d.)• Risk management model – Four general organizational actions • Impact (cost) and probability of physical threat – Also applicable for protecting Internet and electronic commerce assets from physical and electronic threats• Electronic threat examples: – Impostors, eavesdroppers, thieves• Eavesdropper (person or device) – Listen in on and copy Internet transmissionsE-Business, Ninth Edition 7
  • 8. FIGURE 10-1 Risk management modelE-Business, Ninth Edition 8
  • 9. Computer Security and Risk Management (cont’d.)• Crackers or hackers (people) – Write programs; manipulate technologies • Obtain unauthorized access to computers and networks• White hat hacker and black hat hacker – Distinction between good hackers and bad hackers• Good security scheme implementation – Identify risks – Determine how to protect threatened assets – Calculate costs to protect assetsE-Business, Ninth Edition 9
  • 10. Elements of Computer Security• Secrecy – Protecting against unauthorized data disclosure – Ensuring data source authenticity• Integrity – Preventing unauthorized data modification – Man-in-the-middle exploit • E-mail message intercepted; contents changed before forwarded to original destination• Necessity – Preventing data delays or denials (removal) – Delaying message or completely destroying itE-Business, Ninth Edition 10
  • 11. Security Policy and Integrated Security• Security policy – Assets to protect and why, protection responsibility, acceptable and unacceptable behaviors – Physical security, network security, access authorizations, virus protection, disaster recovery• Military policy: stresses separation of multiple levels of security• Corporate information classifications – Public – Company confidentialE-Business, Ninth Edition 11
  • 12. Security Policy and Integrated Security (cont’d.)• Steps to create security policy – Determine assets to protect from threats – Determine access to various system parts – Identify resources to protect assets – Develop written security policy – Commit resources• Comprehensive security plan goals – Protect privacy, integrity, availability; authentication – Selected to satisfy Figure 10-2 requirementsE-Business, Ninth Edition 12
  • 13. FIGURE 10-2 Requirements for secure electronic commerceE-Business, Ninth Edition 13
  • 14. Security Policy and Integrated Security (cont’d.)• Security policies information sources – WindowSecurity.com site – Information Security Policy World site• Absolute security: difficult to achieve – Create barriers deterring intentional violators – Reduce impact of natural disasters and terrorist acts• Integrated security – Having all security measures work together • Prevents unauthorized disclosure, destruction, modification of assetsE-Business, Ninth Edition 14
  • 15. Security Policy and Integrated Security (cont’d.)• Security policy points – Authentication: Who is trying to access site? – Access control: Who is allowed to log on to and access site? – Secrecy: Who is permitted to view selected information? – Data integrity: Who is allowed to change data? – Audit: Who or what causes specific events to occur, and when?E-Business, Ninth Edition 15
  • 16. Security for Client Computers• Client computers – Must be protected from threats• Threats – Originate in software and downloaded data – Malevolent server site masquerades as legitimate Web site • Users and client computers duped into revealing informationE-Business, Ninth Edition 16
  • 17. Cookies• Internet connection between Web clients and servers – Stateless connection • Independent information transmission • No continuous connection (open session) maintained between any client and server• Cookies – Small text files Web servers place on Web client – Identify returning visitors – Allow continuing open sessionE-Business, Ninth Edition 17
  • 18. Cookies (cont’d.)• Time duration cookie categories – Session cookies: exist until client connection ends – Persistent cookies: remain indefinitely – Electronic commerce sites use both• Cookie sources – First-party cookies • Web server site places them on client computer – Third-party cookies • Different Web site places them on client computerE-Business, Ninth Edition 18
  • 19. Cookies (cont’d.)• Disable cookies entirely – Complete cookie protection – Problem • Useful cookies blocked (along with others) • Full site resources not available• Web browser cookie management functions – Refuse only third-party cookies – Review each cookie before accepted – Provided by Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, OperaE-Business, Ninth Edition 19
  • 20. FIGURE 10-3 Mozilla Firefox dialog box for managing stored cookiesE-Business, Ninth Edition 20
  • 21. Web Bugs• Web bug – Tiny graphic that third-party Web site places on another site’s Web page – Purpose • Provide a way for a third-party site to place cookie on visitor’s computer• Internet advertising community: – Calls Web bugs “clear GIFs” or “1-by-1 GIFs” • Graphics created in GIF format • Color value of “transparent,” small as 1 pixel by 1 pixelE-Business, Ninth Edition 21
  • 22. Active Content• Active content – Programs embedded transparently in Web pages – Cause action to occur – E-commerce example • Place items into shopping cart; compute tax and costs• Advantages – Extends HTML functionality – Moves data processing chores to client computer• Disadvantages – Can damage client computerE-Business, Ninth Edition 22
  • 23. Active Content (cont’d.)• Cookies, Java applets, JavaScript, VBScript, ActiveX controls, graphics, Web browser plug-ins, e- mail attachments• Scripting languages: provide executable script – Examples: JavaScript and VBScript• Applet: small application program – Typically runs within Web browser • Browsers include tools limiting applets’ actions• Active content modules – Embedded in Web pages (invisible)E-Business, Ninth Edition 23
  • 24. FIGURE 10-4 Advanced JavaScript settings in Mozilla FirefoxE-Business, Ninth Edition 24
  • 25. Active Content (cont’d.)• Crackers: embed malicious active content• Trojan horse – Program hidden inside another program (Web page) • Masking true purpose• Zombie (Trojan horse) – Secretly takes over another computer – Launches attacks on other computers• Botnet (robotic network, zombie farm) – All controlled computers act as an attacking unitE-Business, Ninth Edition 25
  • 26. Java Applets• Java: platform-independent programming language – Provides Web page active content – Server sends applets with client-requested pages – Most cases: operation visible to visitor – Possibility: functions not noticed by visitor• Advantages – Adds functionality to business application’s functionality; relieves server-side programs• Disadvantage – Possible security violations (Trojan horse, zombie)E-Business, Ninth Edition 26
  • 27. Java Applets (cont’d.)• Java sandbox – Confines Java applet actions to set of rules defined by security model – Rules apply to all untrusted Java applets • Not established as secure – Java applets running within sandbox constraint • No full client system access• Java applet security information – Java Security PageE-Business, Ninth Edition 27
  • 28. JavaScript• JavaScript – Scripting language developed by Netscape – Enables Web page designers to build active content – Based loosely on Sun’s Java programming language – Can be used for attacks • Cannot commence execution on its own • User must start ill-intentioned JavaScript programE-Business, Ninth Edition 28
  • 29. ActiveX Controls• ActiveX control – Objects containing programs and properties Web designers place on Web pages• Component construction – Many different programming languages • Common: C++ and Visual Basic• Run on Windows operating systems computers• Executed on client computer like any other programE-Business, Ninth Edition 29
  • 30. ActiveX Controls (cont’d.)• Comprehensive ActiveX controls list – ActiveX page at Download.com• Security danger – Execute like other client computer programs – Have access to full system resources • Cause secrecy, integrity, and necessity violations – Actions cannot be halted once started• Web browsers – Provide notice of Active-X download or installE-Business, Ninth Edition 30
  • 31. Graphics and Plug-Ins• Graphics, browser plug-ins, and e-mail attachments can harbor executable content• Code embedded in graphic might harm client computer• Browser plug-ins (programs) – Enhance browser capabilities – Can pose security threats • 1999 RealPlayer plug-in • Plug-ins executing commands buried within mediaE-Business, Ninth Edition 31
  • 32. Viruses, Worms, and Antivirus Software• Programs display e-mail attachments by automatically executing associated programs – Word and Excel macro viruses can cause damage• Virus: software – Attaches itself to another program – Causes damage when host program activated• Worm: virus – Replicates itself on computers it infects – Spreads quickly through the Internet• Macro virus – Small program (macro) embedded in fileE-Business, Ninth Edition 32
  • 33. Viruses, Worms, and Antivirus Software (cont’d.)• ILOVEYOU virus (“love bug”) – Spread with amazing speed – Infected computers – Clogged e-mail systems – Replicated itself explosively through Outlook e-mail – Caused other harm• 2001 Code Red and Nimda – Multivector virus: entered computer system in several different ways (vectors)• 2002 and 2003 Bugbear: – New virus-worm combinationE-Business, Ninth Edition 33
  • 34. Viruses, Worms, and Antivirus Software (cont’d.)• Antivirus software – Detects viruses and worms – Either deletes or isolates them on client computer• 2005 and 2006 Zotob – New breed of Trojan horse-worm combination• 2007: Storm virus• 2008 and continuing into 2009: Conflicker• 2009 and 2010 – New viruses designed specifically to hijack users’ online banking sessionsE-Business, Ninth Edition 34
  • 35. FIGURE 10-5 Major viruses, worms, and Trojan horsesE-Business, Ninth Edition 35
  • 36. FIGURE 10-5 Major viruses, worms, and Trojan horses (cont.)E-Business, Ninth Edition 36
  • 37. FIGURE 10-5 Major viruses, worms, and Trojan horses (cont.)E-Business, Ninth Edition 37
  • 38. Digital Certificates• Digital certificate (digital ID) – E-mail message attachment or program embedded in Web page – Verifies sender or Web site – Contains a means to send encrypted message – Signed message or code • Provides proof of holder identified by the certificate – Used for online transactions • Electronic commerce, electronic mail, and electronic funds transfersE-Business, Ninth Edition 38
  • 39. FIGURE 10-6 Delmar Cengage Learning’s digital certificate information displayed in Firefox browserE-Business, Ninth Edition 39
  • 40. Digital Certificates (cont’d.)• Certification authority (CA) – Issues digital certificates to organizations, individuals• Digital certificates cannot be forged easily• Six main elements – Certificate owner’s identifying information – Certificate owner’s public key – Dates certificate is valid – Certificate serial number – Certificate issuer name – Certificate issuer digital signatureE-Business, Ninth Edition 40
  • 41. Digital Certificates (cont’d.)• Key – Number: usually long binary number • Used with encryption algorithm • “Lock” message characters being protected – Longer keys provide better protection• Identification requirements vary – Driver’s license, notarized form, fingerprints• Companies offering CA services – Thawte, VeriSign, DigiCert, Entrust, GeoTrust, Equifax Secure, RapidSSL.comE-Business, Ninth Edition 41
  • 42. Digital Certificates (cont’d.)• Secure Sockets Layer-Extended Validation (SSL- EV) digital certificate – Issued after more extensive verification confirmed• Annual fees – $200 to more than $1500• Digital certificates expire after period of time – Provides protection (users and businesses) – Must submit credentials for reevaluation periodicallyE-Business, Ninth Edition 42
  • 43. FIGURE 10-7 Internet Explorer address window display for an SSL-EV Web siteE-Business, Ninth Edition 43
  • 44. Steganography• Steganography – Hiding information within another piece of information• Can be used for malicious purposes• Hiding encrypted file within another file – Casual observer cannot detect anything of importance in container file – Two-step process • Encrypting file protects it from being read • Steganography makes it invisible• Al Qaeda used steganography to hide attack ordersE-Business, Ninth Edition 44
  • 45. Physical Security for Clients• Client computers – Control important business functions – Same physical security as early systems• New physical security technologies – Fingerprint readers (less than $100) • Stronger protection than password approaches• Biometric security device – Identification using element of person’s biological makeup • Writing pads, eye scanners, palm reading scanners, reading back of hand vein patternE-Business, Ninth Edition 45
  • 46. Communication Channel Security• Internet – Not designed to be secure – Designed to provide redundancy• Remains unchanged from original insecure state – Message traveling on the Internet • Subject to secrecy, integrity, and necessity threatsE-Business, Ninth Edition 46
  • 47. Secrecy Threats• Secrecy – Prevention of unauthorized information disclosure – Technical issue • Requiring sophisticated physical and logical mechanisms• Privacy – Protection of individual rights to nondisclosure – Legal matterE-Business, Ninth Edition 47
  • 48. Secrecy Threats (cont’d.)• E-mail message – Secrecy violations protected using encryption • Protects outgoing messages – Privacy issues address whether supervisors are permitted to read employees’ messages randomly• Electronic commerce threat – Sensitive or personal information theft – Sniffer programs • Record information passing through computer or routerE-Business, Ninth Edition 48
  • 49. Secrecy Threats (cont’d.)• Electronic commerce threat (cont’d.) – Backdoor: electronic holes • Left open accidentally or intentionally • Content exposed to secrecy threats • Example: Cart32 shopping cart program backdoor – Stolen corporate information • Eavesdropper example• Web users continually reveal information – Secrecy breach – Possible solution: anonymous Web surfingE-Business, Ninth Edition 49
  • 50. Integrity Threats• Also known as active wiretapping – Unauthorized party alters message information stream• Integrity violation example – Cybervandalism • Electronic defacing of Web site• Masquerading (spoofing) – Pretending to be someone else – Fake Web site representing itself as originalE-Business, Ninth Edition 50
  • 51. Integrity Threats (cont’d.)• Domain name servers (DNSs) – Internet computers maintaining directories • Linking domain names to IP addresses – Perpetrators use software security hole • Substitute their Web site address in place of real one • Spoofs Web site visitors• Phishing expeditions – Capture confidential customer information – Common victims • Online banking, payment system usersE-Business, Ninth Edition 51
  • 52. Necessity Threats• Also known as delay, denial, denial-of-service (DoS) attack – Disrupt or deny normal computer processing – Intolerably slow-speed computer processing • Renders service unusable or unattractive• Distributed denial-of-service (DDoS) attack – Launch simultaneous attack on a Web site via botnets• DoS attacks – Remove information altogether – Delete transmission or file informationE-Business, Ninth Edition 52
  • 53. Necessity Threats (cont’d.)• Denial attack examples: – Quicken accounting program diverted money to perpetrator’s bank account – High-profile electronic commerce company received flood of data packets • Overwhelmed sites’ servers • Choked off legitimate customers’ accessE-Business, Ninth Edition 53
  • 54. Threats to the Physical Security of Internet Communications Channels• Internet’s packet-based network design: – Precludes it from being shut down • By attack on single communications link• Individual user’s Internet service can be interrupted – Destruction of user’s Internet link• Larger companies, organizations – Use more than one link to main Internet backboneE-Business, Ninth Edition 54
  • 55. Threats to Wireless Networks• Wireless Encryption Protocol (WEP) – Rule set for encrypting transmissions from the wireless devices to the WAPs• Wardrivers – Attackers drive around in cars – Search for accessible networks• Warchalking – Place chalk mark on building • Identifies easily entered wireless network nearby – Web sites include wireless access locations mapsE-Business, Ninth Edition 55
  • 56. Threats to Wireless Networks (cont’d.)• Example – Best Buy wireless point-of-sale (POS) • Failed to enable WEP • Customer launched sniffer program • Intercepted data from POS terminalsE-Business, Ninth Edition 56
  • 57. Encryption Solutions• Encryption: coding information using mathematically based program, secret key• Cryptography: science studying encryption – Science of creating messages only sender and receiver can read• Steganography – Makes text undetectable to naked eye• Cryptography converts text to other visible text – With no apparent meaningE-Business, Ninth Edition 57
  • 58. Encryption Solutions (cont’d.)• Encryption algorithms – Encryption program • Transforms normal text (plain text) into cipher text (unintelligible characters string) – Encryption algorithm • Logic behind encryption program • Includes mathematics to do transformation – Decryption program • Encryption-reversing procedureE-Business, Ninth Edition 58
  • 59. Encryption Solutions (cont’d.)• Encryption algorithms (cont’d.) – National Security Agency controls dissemination – U.S. government banned publication of details • Illegal for U.S. companies to export – Encryption algorithm property • May know algorithm details • Unable to decipher encrypted message without knowing key encrypting the message – Key type subdivides encryption into three functions • Hash coding, asymmetric encryption, symmetric encryptionE-Business, Ninth Edition 59
  • 60. Encryption Solutions (cont’d.)• Hash coding – Process uses Hash algorithm – Calculates number (hash value) from any length message – Unique message fingerprint – Good hash algorithm design • Probability of collision is extremely small (two different messages resulting in same hash value) – Determining message alteration during transit • No match with original hash value and receiver computed valueE-Business, Ninth Edition 60
  • 61. Encryption Solutions (cont’d.)• Asymmetric encryption (public-key encryption) – Encodes messages using two mathematically related numeric keys – Public key: one key freely distributed to public • Encrypt messages using encryption algorithm – Private key: second key belongs to key owner • Kept secret • Decrypt all messages receivedE-Business, Ninth Edition 61
  • 62. Encryption Solutions (cont’d.)• Asymmetric encryption (cont’d.) – Pretty Good Privacy (PGP) – Software tools using different encryption algorithms • Perform public key encryption – Individuals download free versions • PGP Corporation site, PGP International site • Encrypt e-mail messages – Sells business site licensesE-Business, Ninth Edition 62
  • 63. Encryption Solutions (cont’d.)• Symmetric encryption (private-key encryption) – Encodes message with one of several available algorithms • Single numeric key to encode and decode data – Message receiver must know the key – Very fast and efficient encoding and decoding – Key must be guardedE-Business, Ninth Edition 63
  • 64. Encryption Solutions (cont’d.)• Symmetric encryption (cont’d.) – Problems • Difficult to distribute new keys to authorized parties while maintaining security, control over keys • Private keys do not work well in large environments – Data Encryption Standard (DES) • Encryption algorithms adopted by U.S. government • Most widely used private-key encryption system • Fast computers break messages encoded with smaller keysE-Business, Ninth Edition 64
  • 65. Encryption Solutions (cont’d.)• Symmetric encryption (cont’d.) – Triple Data Encryption Standard (Triple DES, 3DES) • Stronger version of Data Encryption Standard – Advanced Encryption Standard (AES) • Alternative encryption standard • Most government agencies use today – Longer bit lengths increase difficulty of cracking keysE-Business, Ninth Edition 65
  • 66. Encryption Solutions (cont’d.)• Comparing asymmetric and symmetric encryption systems – Advantages of public-key (asymmetric) systems • Small combination of keys required • No problem in key distribution • Implementation of digital signatures possible – Disadvantages of public-key systems • Significantly slower than private-key systems • Do not replace private-key systems (complement them) – Web servers accommodate encryption algorithms • Must communicate with variety of Web browsersE-Business, Ninth Edition 66
  • 67. FIGURE 10-8 Comparison of (a) hash coding, (b) private-key, and (c) public-key encryptionE-Business, Ninth Edition 67
  • 68. Encryption Solutions (cont’d.)• Comparing asymmetric and symmetric encryption systems (cont’d.) – Secure Sockets Layer (SSL) • Goal: secures connections between two computers – Secure Hypertext Transfer Protocol (S-HTTP) • Goal: send individual messages securelyE-Business, Ninth Edition 68
  • 69. Encryption Solutions (cont’d.)• Secure sockets layer (SSL) protocol – Provides security “handshake” – Client and server exchange brief burst of messages – All communication encoded • Eavesdropper receives unintelligible information – Secures many different communication types • HTTP, FTP, Telnet – HTTPS: protocol implementing SSL • Precede URL with protocol name HTTPSE-Business, Ninth Edition 69
  • 70. Encryption Solutions (cont’d.)• Secure sockets layer (SSL) protocol (cont’d.) – Encrypted transaction generates private session key • Bit lengths vary (40-bit, 56-bit, 128-bit, 168-bit) – Session key • Used by encryption algorithm • Creates cipher text from plain text during single secure session – Secrecy implemented using public-key and private- key encryption • Private-key encryption for nearly all communicationsE-Business, Ninth Edition 70
  • 71. FIGURE 10-9 Establishing an SSL sessionE-Business, Ninth Edition 71
  • 72. Encryption Solutions (cont’d.)• Secure HTTP (S-HTTP) – Extension to HTTP providing security features • Client and server authentication, spontaneous encryption, request/response nonrepudiation – Symmetric encryption for secret communications – Public-key encryption to establish client/server authentication – Client or server can use techniques separately • Client browser security through private (symmetric) key • Server may require client authentication using public- key techniquesE-Business, Ninth Edition 72
  • 73. Encryption Solutions (cont’d.)• Secure HTTP (S-HTTP) (cont’d.) – Establishing secure session • SSL carries out client-server handshake exchange to set up secure communication • S-HTTP sets up security details with special packet headers exchanged in S-HTTP – Headers define security technique type – Header exchanges state: • Which specific algorithms that each side supports • Whether client or server (or both) supports algorithm • Whether security technique required, optional, refusedE-Business, Ninth Edition 73
  • 74. Encryption Solutions (cont’d.)• Secure HTTP (S-HTTP) (cont’d.) – Secure envelope (complete package) • Encapsulates message • Provides secrecy, integrity, and client/server authenticationE-Business, Ninth Edition 74
  • 75. Ensuring Transaction Integrity with Hash Functions• Integrity violation – Message altered while in transit • Difficult and expensive to prevent • Security techniques to detect • Harm: unauthorized message changes undetected• Apply two algorithms to eliminate fraud and abuse – Hash algorithms: one-way functions • No way to transform hash value back – Message digest • Small integer summarizing encrypted informationE-Business, Ninth Edition 75
  • 76. Ensuring Transaction Integrity with Digital Signatures• Hash functions: potential for fraud – Solution: sender encrypts message digest using private key• Digital signature – Encrypted message digest (message hash value)• Digital signature provides: – Integrity, nonrepudiation, authentication• Provide transaction secrecy – Encrypt entire string (digital signature, message)• Digital signatures: same legal status as traditional signaturesE-Business, Ninth Edition 76
  • 77. FIGURE 10-10 Sending and receiving a digitally signed messageE-Business, Ninth Edition 77
  • 78. Security for Server Computers• Server vulnerabilities – Exploited by anyone determined to cause destruction or acquire information illegally• Entry points – Web server and its software – Any back-end programs containing data• No system is completely safe• Web server administrator – Ensures security policies documented; considered in every electronic commerce operationE-Business, Ninth Edition 78
  • 79. Web Server Threats• Compromise of secrecy – By allowing automatic directory listings – Solution: turn off folder name display feature• Sensitive file on Web server – Holds Web server username-password pairs – Solution: store authentication information in encrypted formE-Business, Ninth Edition 79
  • 80. Web Server Threats (cont’d.)• Passwords that users select – Easily guessable • Dictionary attack programs cycle through electronic dictionary, trying every word as password – Solution: use password assignment software to check user password against dictionaryE-Business, Ninth Edition 80
  • 81. Database Threats• Usernames and passwords – Stored in unencrypted table – Database fails to enforce security altogether • Relies on Web server to enforce security• Unauthorized users – Masquerade as legitimate database users• Trojan horse programs hide within database system – Reveal information – Remove all access controls within databaseE-Business, Ninth Edition 81
  • 82. Other Programming Threats• Java or C++ programs executed by server – Passed to Web servers by client – Reside on server – Use a buffer • Memory area set aside holding data read from file or database – Buffer overrun (buffer overflow error) • Programs filling buffers malfunction and overfill buffer • Excess data spilled outside designated buffer memory • Cause: error in program or intentional • 1998 Internet wormE-Business, Ninth Edition 82
  • 83. Other Programming Threats (cont’d.)• Insidious version of buffer overflow attack – Writes instructions into critical memory locations – Web server resumes execution by loading internal registers with address of attacking program’s code• Reducing potential buffer overflow damage – Good programming practices – Some hardware functionality• Mail bomb attack – Hundreds (thousands) send message to particular addressE-Business, Ninth Edition 83
  • 84. Threats to the Physical Security of Web Servers• Protecting Web servers – Put computers in CSP facility • Security on CSP physical premise is maintained better – Maintain server content’s backup copies at remote location – Rely on service providers • Offer managed services including Web server security – Hire smaller, specialized security service providersE-Business, Ninth Edition 84
  • 85. Access Control and Authentication• Controlling who and what has access to Web server• Authentication – Identity verification of entity requesting computer access• Server user authentication – Server must successfully decrypt user’s digital signature-contained certificate – Server checks certificate timestamp – Server uses callback system• Certificates provide attribution in a security breachE-Business, Ninth Edition 85
  • 86. Access Control and Authentication (cont’d.)• Usernames and passwords – Provide some protection element• Maintain usernames in plain text – Encrypt passwords with one-way encryption algorithm• Problem – Site visitor may save username and password as a cookie • Might be stored in plain text• Access control list (ACL) – Restrict file access to selected usersE-Business, Ninth Edition 86
  • 87. Firewalls• Firewall – Software, hardware-software combination – Installed in a network to control packet traffic• Placed at Internet entry point of network – Defense between network and the Internet • Between network and any other network• Principles – All traffic must pass through it – Only authorized traffic allowed to pass – Immune to penetrationE-Business, Ninth Edition 87
  • 88. Firewalls (cont’d.)• Trusted: networks inside firewall• Untrusted: networks outside firewall• Filter permits selected messages though network• Separate corporate networks from one another – Coarse need-to-know filter • Firewalls segment corporate network into secure zones• Organizations with large multiple sites – Install firewall at each location • All locations follow same security policyE-Business, Ninth Edition 88
  • 89. Firewalls (cont’d.)• Should be stripped of unnecessary software• Packet-filter firewalls – Examine all data flowing back and forth between trusted network (within firewall) and the Internet• Gateway servers – Filter traffic based on requested application – Limit access to specific applications • Telnet, FTP, HTTP• Proxy server firewalls – Communicate with the Internet on private network’s behalfE-Business, Ninth Edition 89
  • 90. Firewalls (cont’d.)• Perimeter expansion problem – Computers outside traditional physical site boundary• Servers under almost constant attack – Install intrusion detection systems • Monitor server login attempts • Analyze for patterns indicating cracker attack • Block further attempts originating from same IP address• Personal firewalls – Software-only firewalls on individual client computers – Gibson Research Shields Up! Web siteE-Business, Ninth Edition 90
  • 91. Organizations that Promote Computer Security• Following the Internet Worm of 1988 – Organizations formed to share information • About threats to computer systems• Principle followed – Sharing information about attacks and defenses for attacks • Helps everyone create better computer securityE-Business, Ninth Edition 91
  • 92. CERT• Housed at Carnegie Mellon University – Software Engineering Institute• Maintains effective, quick communications infrastructure among security experts – Security incidents avoided, handled quickly• Provides security risk information• Posts security event alerts• Primary authoritative source for viruses, worms, and other types of attack informationE-Business, Ninth Edition 92
  • 93. Other Organizations• 1989: SANS Institute – Education and research efforts • Research reports, security alerts, and white papers – SANS Internet Storm Center Web site • Current information on location, intensity of computer attacks worldwide• CERIAS – Multidisciplinary information security research and education – CERIAS Web site • Computer, network, communications security resourcesE-Business, Ninth Edition 93
  • 94. Other Organizations (cont’d.)• Center for Internet Security – Not-for-profit cooperative organization – Helps electronic commerce companies• CSO Online – Articles from CSO Magazine – Computer security-related news items• Infosecurity.com – Articles about all types of online security issues• U.S. Department of Justice’s Cybercrime site – Computer crimes; intellectual property violationsE-Business, Ninth Edition 94
  • 95. Computer Forensics and Ethical Hacking• Computer forensics experts (ethical hackers) – Computer sleuths hired to probe PCs – Locate information usable in legal proceedings – Job of breaking into client computers• Computer forensics field – Responsible for collection, preservation, and computer-related evidence analysis• Companies hire ethical hackers to test computer security safeguardsE-Business, Ninth Edition 95
  • 96. Summary• E-commerce attacks disclose and manipulate proprietary information• Key security provisions – Secrecy, integrity, available service• Client threats and solutions – Virus threats, active content threats, cookies• Communication channels’ threats and solutions – Encryption provides secrecyE-Business, Ninth Edition 96
  • 97. Summary (cont’d.)• Web Server threats and solutions – Threats from programs, backdoors• Security organizations – Share information about threats, defenses• Computer forensics – “Break into” computers searching for legal use data – White hat hackers can help identify weaknessesE-Business, Ninth Edition 97

×