2. SECURITY REQUIREMENTS FOR E-COMMERCE
Privacy – about who can see information and who should not
Authenticity – to know the identities of communicating parties
Integrity – assurance that stored or transmitted information is unaltered
Reliability – assurance that systems will be available when needed and will perform consistently
Blocking – ability to block unwanted information or intrusions
5. Input controls
Security codes
Encryption
Data entry screens
Error signals
Control totals (record count, batch totals)
Processing Controls
Software controls – check that data is processed correctly
Hardware controls – malfunction detection circuitry, redundant components, special-purpose microprocessors and associated circuitry
Firewalls
Checkpoints
6. Output Controls
Security Codes – ensures that information products are complete and are available to authorized users in timely manner.
Encryption
Control totals = input + processing controls
Control listings – provides hard copy evidence of all output produced.
End user feedback
Storage controls – how can we protect our data resources?
Security Codes
Encryption
Backup files
Library procedures
Database administration
9. FACILITY CONTROLS
Methods that protect an organization's computing and network facilities and their contents from loss or destruction.
Network security – may be provided by specialized system software packages called system security monitors.
Protects from unauthorized use, fraud and destruction (identification codes and passwords).
Also restricts the use of computer, programs and data files.
Records attempts at improper use.
10. FACILITY CONTROLS
1. Encryption – scrambling the data using mathematical algorithms, or keys.
Software encryption standards are RSA data security & PGP (Pretty Good Privacy)
11. FACILITY CONTROLS
2. Firewalls
External firewall keeps out unauthorized internet users.
Internal firewall prevents users from accessing sensitive human resources and financial data.
Passwords and browser security features control access to specific intranet resources.
12. FACILITY CONTROLS
3. Physical Protection Controls –
Identification badges
Electronic door locks
Burglar alarms
Security police
CCTV, etc
Fire detection and extinguishing systems
Fireproof storage vaults
Emergency power controls
Humidity
Dust controls
13. FACILITY CONTROLS
4. Biometric Controls – devices use special sensors to measure and digitize a biometric profile
Voice verification
Fingerprints
Hand geometry
Signature dynamics
Keystroke analysis
Retina scanning
Face recognition
14. FACILITY CONTROLS
5. Failure Controls – reasons for system failure are:
Power failure
Electronic circuitry malfunctions
Telecommunications network problems
Hidden programming errors
Computer viruses
Computer operator errors
Electronic damage
16. PROCEDURAL CONTROLS
1. Standard Procedures and documentation – an IS organization develops and follows standard procedures for its operations
This promotes quality and minimizes errors and fraud
Documentation helps in the maintenance of the system and must be kept up to date
17. PROCEDURAL CONTROLS
2. Authorization requirements – requests for systems development and program changes need review before authorization
Conversion to new hardware, software, network components and installation requires a formal notification
18. PROCEDURAL CONTROLS
3. Disaster Recovery – damage can be caused by:
Hurricanes
Earthquakes
Fire
Floods
Criminal and terrorist acts
Human error
Organizations make disaster recovery plans, which specify –
Which employees will participate in disaster recovery and what their duties will be
What hardware, software and facilities will be used
Priority of applications that will be processed.
19. PROCEDURAL CONTROLS
4. Controls for End User Computing – this includes –
Methods for testing user-developed systems for compliance with company policies and work procedures
Methods for notifying other users when changes are planned
Thorough documentation of user-developed systems
Training several people in the operation and maintenance of a system
Formal backup and recovery procedures
Security controls
20. AUDITING INFORMATION SYSTEMS
Information systems should be audited periodically.
Review and evaluate whether proper and adequate system, procedural, facility and managerial controls have been developed and implemented.
2 types:
Auditing around the computer system – verifying the accuracy and suitability of input data and output produced
Auditing through the computer system – verifying the accuracy and integrity of software.
Auditors develop test programs to test the data.
21. Audit Trail
Presence of documentation that allows a transaction to be traced through all stages of its information processing.
Electronic audit trail / Control logs – automatically record all network activity on magnetic disk or tape devices
22. Denial of Service Attacks
Denial of service attacks depend on three layers of networked computer systems:
The victim’s website
The victim’s Internet service provider
Zombie or slave computers that have been commandeered by the cybercriminals
23. Defending Against Denial of Service
At Zombie Machines
Set and enforce security policies
Scan for vulnerabilities
At the ISP
Monitor and block traffic spikes
At the Victim’s Website
Create backup servers and network connections
25. 4 ETHICAL DIMENSIONS
Egoism – what is best for a given individual is right
Natural – promote health and life, propagate, pursue knowledge of world and God, have close relationships with other people.
Utilitarianism – those actions are right that produce the greatest good for the greatest number of people.
Respect for persons –
26. WESTERN AND NON-WESTERN VALUES
Non-western | Western | Common Values
Kyosei (Japanese): Living and working together for the common good | Individual liberty | Respect for human dignity
Dharma (Hindu): the Fulfillment of inherited duty | Political participation | Respect for basic rights
Zakat (Muslim): the duty to give alms to the Muslim poor | Human rights | Good citizenship
31. SPOOFING
To fool. In networking, the term is used to describe a variety of ways in which hardware and software can be fooled. IP spoofing, for example, involves trickery that makes a message appear as if it came from an authorized IP address.
E.g. - A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.
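A defender-side illustration of the IP spoofing described above, added here and not part of the original slides: a source-address check of the kind an external firewall applies, flagging packets that arrive from outside yet claim a trusted internal address. The address ranges, interface names and sample records are assumptions constructed for the example.

```python
import ipaddress

# Assumption: the site's own (trusted) address space.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Source ranges that are never valid on an Internet-facing link.
NEVER_EXTERNAL = [ipaddress.ip_network(n) for n in
                  ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def classify(iface, src):
    """Verdict for one packet seen on interface `iface` with source `src`."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "malformed-source"
    if iface == "external":
        # A trusted address cannot legitimately arrive from outside.
        if _in_any(addr, INTERNAL):
            return "spoofed-trusted-source"
        if _in_any(addr, NEVER_EXTERNAL):
            return "invalid-source"
    elif iface == "internal" and not _in_any(addr, INTERNAL):
        # A host inside the site is sending with an address it does not own.
        return "foreign-source-leaving"
    return "ok"

# Constructed sample records: (interface, source IP, destination IP).
SAMPLE = [
    ("external", "203.0.113.7", "10.0.0.5"),
    ("external", "10.0.0.20", "10.0.0.5"),
    ("external", "127.0.0.1", "10.0.0.5"),
    ("internal", "10.0.0.5", "198.51.100.9"),
    ("internal", "198.51.100.44", "203.0.113.7"),
    ("external", "not-an-ip", "10.0.0.5"),
]

def audit(records):
    """Return (iface, src, dst, verdict) for every packet that is not 'ok'."""
    flagged = []
    for iface, src, dst in records:
        verdict = classify(iface, src)
        if verdict != "ok":
            flagged.append((iface, src, dst, verdict))
    return flagged

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```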
32. OUTSOURCING
A phrase used to describe the practice of seeking resources -- or subcontracting -- outside of an organizational structure for all or part of an IT (Information Technology) function.
Outsourcing is used for functions ranging from infrastructure to software development, maintenance and support.
For example, an enterprise might outsource its IT management because it is cheaper to contract a third party to do so than it would be to build its own in-house IT management team. Or a company might outsource all of its data storage needs because it does not want to buy and maintain its own data storage devices. Most large organizations only outsource a portion of any given IT function.
33. Information Protection - Why?
• Information is an important strategic and operational asset for any organization.
• Damages and misuses of information affect not only a single user or an application; they may have disastrous consequences on the entire organization
• Additionally, the advent of the Internet as well as networking capabilities has made the access to information much easier
35. Information Security: Examples
• Consider a payroll database in a corporation; it must be ensured that:
- salaries of individual employees are not disclosed to arbitrary users of the database
- salaries are modified by only those individuals that are properly authorized
- pay-checks are printed on time at the end of each pay period
36. Information Security: Examples
• In a military environment, it is important that:
- the target of a missile is not given to an unauthorized user
- the target is not arbitrarily modified
- the missile is launched when it is fired
37. Information Security - main requirements
• Confidentiality - it refers to information protection from unauthorized read operations
- the term privacy is often used when data to be protected refer to individuals
• Integrity - it refers to information protection from modifications; it involves several goals:
- Assuring the integrity of information with respect to the original information (relevant especially in web environment) - often referred to as authenticity
- Protecting information from unauthorized modifications
- Protecting information from incorrect modifications - referred to as semantic integrity
• Availability - it ensures that access to information is not denied to authorized subjects
38. Information Security - additional requirements
• Information Quality - it is not considered traditionally as part of information security but it is very relevant
• Completeness - it refers to ensuring that subjects receive all information they are entitled to access, according to the stated security policies
39. Classes of Threats
• Disclosure
- Snooping (Interfering), Trojan Horses
• Deception
- Modification, spoofing (fooling), repudiation (denial) of orig
Denial of receipt
• Disruption
- Modification
• Usurpation
- Modification, spoofing, delay, denial of service
40. Goals of Security
• Prevention
- Prevent attackers from violating security policy
• Detection
- Detect attackers’ violation of security policy
• Recovery
- Stop attack, assess and repair damage
- Continue to function correctly even if attack succeeds
41. Information Security - How?
• Information must be protected at various levels:
- The operating system
- The network
- The data management system
- Physical protection is also important
42. Information Security - Mechanisms
• Confidentiality is enforced by the access control mechanism
• Integrity is enforced by the access control mechanism and by the integrity constraints
• Availability is enforced by the recovery mechanism and by detection techniques.
43. Information Security - How?
Additional mechanisms
• User authentication - to verify the identity of subjects wishing to access the information
• Information authentication - to ensure information authenticity - it is supported by signature mechanisms
• Encryption - to protect information when being transmitted across systems and when being stored on secondary storage
• Intrusion detection - to protect against impersonation of legitimate users and also against insider threats