UNIT - 2
Security threats to e-business
Prepared by: II MBA Students, Class 2017-19, CBIT College - Proddatur
SECURITY IN E-COMMERCE
INTRODUCTION :-
eCommerce security refers to the principles which guide
safe electronic transactions, allowing the buying and selling of goods and
services through the Internet, but with protocols in place to provide safety for
those involved.
Definition :-
Ecommerce security is a set of protocols that safely guide ecommerce
transactions. Stringent security requirements must be in place to protect
companies from threats like credit card fraud, or they risk jeopardizing revenue
and customer trust, due to the inability to guarantee safe credit card
processing.
THREATS:-
 A threat is an object, person, or other entity that represents a constant danger to an
asset.
 Management must be informed of the various kinds of threats facing the
organization.
 By examining each threat category, management can more effectively protect information
through policy, education, training and technology.
THREATS TO INFORMATION SECURITY:-
1. Acts of human error or failure: accidents, employee mistakes
2. Compromises to intellectual property: piracy, copyright infringement
3. Deliberate acts of espionage or trespass: unauthorized access and/or data
collection
4. Deliberate acts of information extortion: blackmail over the disclosure of
information
5. Deliberate acts of sabotage or vandalism: destruction of systems or
information
6. Deliberate acts of theft: illegal confiscation of equipment
or information
ACTS OF HUMAN ERROR OR FAILURE
• Includes acts done with no malicious intent
 Caused by:
 Inexperience
 Improper training
 Incorrect assumptions
 Other circumstances
• Employees are among the greatest threats to information security: they are closest
to the organization's data
• Employee mistakes can easily lead to the following:
 Revealing classified data
 Entry of erroneous data
 Accidental deletion or modification of data
 Storage of data in unprotected areas
 Failure to protect information
• Many of these threats can be prevented with controls
ESPIONAGE/TRESPASS:
 Broad category of activities that breach confidentiality:
 unauthorized accessing of information
 shoulder surfing, which can occur any place a person is accessing confidential
information
 competitive intelligence vs. espionage
 Controls are implemented to mark the boundaries of an organization's virtual
territory, giving notice to trespassers that they are encroaching on the
organization's cyberspace.
 Hackers use skill, guile, or fraud to steal the property of someone else.
NETWORK SECURITY GOALS:-
• Confidentiality:- only the sender and the intended receiver should understand the message
contents
-sender encrypts the message
-receiver decrypts the message
-privacy
• Integrity:- sender and receiver want to make sure that the message is not
altered without detection.
• Availability:- the service must be available to legitimate users when they need it
(non-repudiation, meaning a sender cannot later deny having sent a message, is often
listed as a further goal).
• Authentication:- sender and receiver want to confirm the identity of each
other
• Access control:- the service must be accessible only to authorized users, and only to the
extent they are authorized.
Some key factors for success in E-commerce
 providing value to customers
 Providing service and performance
 Look
 Advertising
 Personal attention
 Providing sense of community
 Providing reliability and security
 Providing a 360-degree view of the customer relationship
Security threats in the E-commerce environment
 Three key points of vulnerability:
-client
-server
-communications channel
 Most common threats:-
- malicious code
- hacking and cyber vandalism
- credit card fraud/theft
- spoofing
- denial of service attacks
- sniffing
- insider jobs
E-COMMERCE THREATS
What is an e-commerce threat?
It means using the internet for unfair purposes, with the intention of stealing, fraud or
a security breach.
There are various types of e-commerce threats. Some are accidental, some are purposeful and
some of them are due to human error. The most common threats are phishing attacks, money theft,
data misuse, hacking, credit card fraud and unprotected services.
1. Inadequate management:-
One of the main reasons for e-commerce threats is poor management. When security is
not up to the mark it poses a very dangerous threat to the network and systems. Security
threats also occur when no proper budget is allocated for purchasing anti-virus software
licenses.
2. Price manipulation:-
Modern e-commerce systems often face price manipulation problems. These systems
are fully automated right from the first visit to the final payment gateway, and stealing is the most
common intention of price manipulation. If the application trusts a price carried in the URL, a hidden
form field or a cookie, an intruder can edit that value to a lower price (or change the quantity) and
complete the purchase at the price they chose. The server must take prices only from its own catalogue
and must never accept them from the client.
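The price-manipulation scenario above, as an added example that is not from the original slides: a checkout handler that trusts a client-submitted price, beside the server-side version that does not. The catalogue, SKU names, prices and the tampered request are constructed sample data.

```python
# Added example (not from the original slides): a checkout that trusts a
# client-supplied price versus one that looks the price up server-side.
# CATALOGUE, the SKU names and the request dicts are constructed sample data.
from decimal import Decimal

# Constructed server-side catalogue: product id -> unit price (hypothetical values)
CATALOGUE = {
    "SKU-1001": Decimal("499.00"),
    "SKU-1002": Decimal("1299.00"),
}

MAX_QTY = 10  # assumption: a sane per-order limit for this shop


def checkout_vulnerable(request):
    """Trusts 'price' from the URL or form. An attacker who edits the request
    (e.g. ?sku=SKU-1002&qty=1&price=1.00) pays whatever they typed."""
    qty = int(request["qty"])
    price = Decimal(request["price"])          # attacker-controlled value
    return price * qty


def checkout_fixed(request):
    """Only the product id and quantity come from the client; the price is
    authoritative on the server, and the quantity is bounded."""
    sku = request["sku"]
    if sku not in CATALOGUE:
        raise ValueError("unknown product")
    qty = int(request["qty"])
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


def demo():
    """Constructed request as a tampered browser or intercepting proxy would send it."""
    tampered = {"sku": "SKU-1002", "qty": "1", "price": "1.00"}
    return checkout_vulnerable(tampered), checkout_fixed(tampered)


if __name__ == "__main__":
    bad, good = demo()
    print(f"vulnerable total: {bad}   fixed total: {good}")
```

The same rule applies to every client-controlled field that influences money: discount codes, currency and shipping options should be resolved on the server from an identifier, not accepted as amounts.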
3. Snowshoe spam:-
Spam is something very common; almost every one of us deals with spam
mails in our mailbox. Conventional spam sent in bulk from a few sources is largely filtered
today, but snowshoe spam is harder to stop. The reason is the very nature of the technique: the
sender spreads the messages across many IP addresses and domains, so that no single source sends
enough volume to trip reputation-based or rate-based filters.
4. Malicious code threats:-
These threats typically involve viruses, worms and Trojan horses.
- Viruses are normally external threats and can corrupt the files on the website if they find their way
into the internal network. They can be very dangerous, as they can destroy data and damage the normal
working of the computer. A virus always needs a host file or program, as it cannot
spread by itself.
- Worms are very different and are more serious than viruses. A worm propagates itself directly over
the network or internet without needing a host; it can infect millions of computers in a matter of just a few hours.
- A Trojan horse is a program that appears useful but contains code that performs destructive functions. They normally
enter your computer when you download something, so always check the source of a downloaded
file.
5. Hacktivism:-
Hacktivism is short for "hacking activism". At first it may seem that you hardly need to be
aware of this cyber threat; after all, it is a problem not directly related to you, so why should you be
bothered at all? However, that is not the case. Hacktivists do not target only those
associated with politics; the motive can also be social. They typically use social media
platforms to bring social issues to light, but their methods can also include flooding an email address
or a site with so much traffic that it temporarily shuts down.
6. Wi-Fi eavesdropping:
It is also one of the easiest ways in e-commerce to steal personal data. It is like
virtual listening in on information that is shared over a Wi-Fi network which is not
encrypted. It can happen on public as well as on personal computers. Traffic inside an
HTTPS (SSL/TLS) session stays encrypted end to end even on an open network; what the
eavesdropper gets is whatever is sent over plain HTTP or other unencrypted protocols.
7. Other threats:-
Other threats include data packet sniffing, IP spoofing and port
scanning. Data packet sniffing tools are normally called sniffers. An intruder can use a
sniffer to capture data packets and read any unencrypted contents. With IP spoofing it is very difficult
to track the attacker: the purpose here is to change the source address of the packets so that they
look as though they originated from another computer.
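Sniffing and IP spoofing, as an added example that is not from the original slides: a small IPv4 header parser of the kind a sniffer uses, plus a routine that rewrites the source address and recomputes the checksum. The addresses are taken from the documentation ranges, the packet is constructed inline, and only the Python standard library is used.

```python
# Added example (not from the original slides): parse a raw IPv4 header the
# way a packet sniffer does, and show that the source address is just a field
# the sender writes, so a spoofed packet still carries a valid checksum.
# Addresses and the packet are constructed sample data.
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte header, RFC 791


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 20) -> bytes:
    """Minimal IPv4 header (IHL 5, no options) with a correct checksum."""
    fields = struct.pack(
        IPV4_FMT,
        (4 << 4) | 5,          # version 4, header length 5 words
        0,                     # TOS
        20 + payload_len,      # total length
        0x1234,                # identification (constructed)
        0x4000,                # flags: don't fragment
        64,                    # TTL
        proto,                 # 6 = TCP
        0,                     # checksum placeholder
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    csum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """What a sniffer sees: decode the fixed fields and verify the checksum."""
    ver_ihl, _tos, _total_len, _ident, _flags, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }


def spoof(pkt: bytes, fake_src: str) -> bytes:
    """Rewrite the source address and recompute the checksum. The result is
    a perfectly 'valid' packet, which is why a captured source address alone
    proves nothing about who really sent it."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = ipaddress.ip_address(fake_src).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


if __name__ == "__main__":
    original = build_ipv4_header("192.0.2.10", "198.51.100.5")
    forged = spoof(original, "203.0.113.77")
    print(parse_ipv4_header(original))
    print(parse_ipv4_header(forged))
```

The checksum only detects accidental corruption; it is not a security control. Proving who sent a packet needs authentication above IP (for example TLS or IPsec), which is the point of the later sections of this unit.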
ENCRYPTION
What is encryption?
The process of converting information or data into a code , especially to prevent
unauthorized access.
In computing, encryption is the method by which
plaintext or any other type of data is converted from a readable form to an encoded
version that can only be decoded by another entity if they have access to the
decryption key.
Definition:-
Encryption is the process of using an algorithm to transform information to make
it unreadable for unauthorized users. This cryptographic method protects sensitive
data such as credit card numbers by encoding and transforming information into
unreadable cipher text.
How does encryption work:-
• The encryption/decryption key is comparable with a normal password - the one you
use for your email, for example. The key is an essential part of the process of
encoding and decoding data.
• Typically, a key is a random binary string or a passphrase. The key "tells" the
algorithm what patterns it must follow in order to convert plaintext into ciphertext
(and the other way around).
• It almost goes without saying, but the key is a fundamental part of the protection of
the privacy of information, a message or a piece of data. The encryption and
decryption process can only be initiated by using the key.
• Due to the fact that algorithms are publicly available and can be accessed by
anyone, once a hacker gets a hold of the encryption key, the encrypted data can
easily be decrypted to plaintext.
Use of encryption:-
• Encryption is used to protect data in transit sent from all sorts of devices across all
sorts of networks, not just the internet; every time someone uses an ATM or buys
something online with a smartphone, makes a mobile phone call or presses a key
fob to unlock a car, encryption is used to protect the information being ...
Advantages
 Encrypted data can't be easily read
 Strong encryption may require years of work to decrypt without
the key
Disadvantages
 Encrypted files draw attention to their value
 If you lose the key you lose the data
 For large files strong encryption may take significant time to
decrypt
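How the key drives the transformation, and why ciphertext also needs integrity protection, as an added example that is not from the original slides. It is a teaching construction assembled from HMAC-SHA256 only (a keyed pseudorandom function run in counter mode, with a separate authentication tag), so it runs with the Python standard library; it is not a standard cipher, and real systems should use an authenticated mode such as AES-GCM. The master key and the card-number string are constructed sample values.

```python
# Added example (not from the original slides): encrypt-then-MAC built from
# HMAC-SHA256 alone. Teaching construction, not a standard cipher; the key and
# sample message used with it are constructed values.
import hashlib
import hmac
import os


def _prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudorandom function: HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _derive_keys(master: bytes):
    """One master key, two independent sub-keys (never reuse one key for two purposes)."""
    return _prf(master, b"encryption"), _prf(master, b"authentication")


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i of the keystream is PRF(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += _prf(enc_key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Return nonce || ciphertext || tag. The nonce must never repeat under the
    same key, or two keystreams cancel out and leak the XOR of the plaintexts."""
    enc_key, mac_key = _derive_keys(master)
    nonce = os.urandom(16) if nonce is None else nonce
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = _prf(mac_key, nonce + ciphertext)        # encrypt-then-MAC
    return nonce + ciphertext + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Check the tag first; a wrong key or a modified ciphertext is rejected
    instead of silently yielding altered plaintext."""
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    enc_key, mac_key = _derive_keys(master)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ciphertext)):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def decrypt_unauthenticated(master: bytes, blob: bytes) -> bytes:
    """The same cipher WITHOUT the tag check: flipping a ciphertext bit flips
    the matching plaintext bit and nobody notices. Shown only for contrast."""
    enc_key, _ = _derive_keys(master)
    nonce, ciphertext = blob[:16], blob[16:-32]
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def flip_bit(blob: bytes, index: int) -> bytes:
    """Simulate an attacker altering one byte in transit."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    key = os.urandom(32)                    # constructed master key
    msg = b"card 4111 1111 1111 1111 exp 12/27"
    blob = encrypt(key, msg)
    print(decrypt(key, blob) == msg)
    print(decrypt_unauthenticated(key, flip_bit(blob, 20)))   # altered, undetected
```

With `nonce=None` a random nonce is drawn for each message; a fixed nonce is only acceptable for reproducible tests. Losing the master key makes the blob unrecoverable, which is the "lose the key, lose the data" disadvantage listed above.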
CRYPTOGRAPHY
Definition:-
• It is the ancient art and science of writing in secret messages
• Cryptography comes from the Greek words "kryptos", meaning hidden, and "graphein",
meaning writing
• It is the art of achieving security by encoding messages to make them non-
readable.
Technologies
 Encryption :-
It is the process of transforming information so that it is unintelligible to anyone but the
intended recipient.
 Decryption:-
It is the process of transforming encrypted information so that it is
intelligible again
 Plaintext:-
The message to be transmitted or stored
 Cipher text:-
the disguised message or encrypted message
 Algorithm:-
the mathematical formula used for encryption and decryption
 Cipher:-
algorithm used for encryption and decryption
 Key:-
value used by algorithm to encrypt and decrypt
Types of cryptography:-
Secret-key cryptography (symmetric key cryptography):-
a single key is used for both encryption and decryption.
Public key cryptography (asymmetric key cryptography):-
uses one key for encryption and another for decryption.
Hash function:-
uses a mathematical transformation to irreversibly condense information into a fixed-size
digest; there is no key and no way to recover the input, so it is not encryption in the strict sense.
What are the three types of encryption
 Secret key (symmetric) encryption
- relatively simple; first used by Julius Caesar
- both users share the same secret key; example:- DES (now obsolete; AES is the current standard)
 Public key encryption
- two keys involved; used on the internet
- example:- PGP – PRETTY GOOD PRIVACY
 One-way function (hash)
- digital signatures and certificates
- Unix login (stored password hashes)
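The one-way function behind Unix login, as an added example that is not from the original slides: passwords are stored as a salt plus a PBKDF2-HMAC-SHA256 digest and verified by recomputing the digest, never by decrypting it. The shadow-file dictionary, the user names and the iteration count are assumptions made for this demo.

```python
# Added example (not from the original slides): password storage and checking
# with a one-way function. The shadow table, user names and ITERATIONS are
# assumptions for the demo; the technique (salted PBKDF2) is standard.
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption: work factor chosen for this demo


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a shadow-style record: scheme$iterations$salt$digest (base64).
    A fresh random salt means two users with the same password get different records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the one-way function and compare in constant time.
    Nothing is decrypted: the stored digest cannot be turned back into the password."""
    try:
        scheme, iters, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except ValueError:            # malformed record (binascii.Error is a ValueError)
        return False
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed dummy record so that unknown user names cost the same time as real ones
_DUMMY = hash_password("not-a-real-password", salt=b"\x00" * 16)


def login(username: str, password: str, shadow: dict) -> bool:
    """shadow is an assumed {username: record} table standing in for /etc/shadow."""
    record = shadow.get(username, _DUMMY)
    ok = verify_password(password, record)
    return ok and username in shadow


if __name__ == "__main__":
    shadow = {"alice": hash_password("correct horse battery")}   # constructed entry
    print(shadow["alice"])
    print(login("alice", "correct horse battery", shadow), login("alice", "guess", shadow))
```

Because the function is one-way, a stolen shadow table only lets an attacker try guesses; the salt stops precomputed tables and the iteration count makes each guess expensive.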
Characteristics of cryptography:-
 The type of operations used for transforming plaintext to cipher text
 The number of keys used
 The way in which the plaintext is processed.
Applications of cryptography:-
 Key recovery:-
It is a technology that allows a key to be revealed under certain circumstances
without the owner of the key revealing it.
 Remote access:-
Passwords give a basic level of security for remote access; stronger schemes use keys or certificates.
 Cell phones:-
Prevent people from stealing cell phone numbers or access codes, or eavesdropping on calls.
 Access control:-
Regulate access to satellite and cable TV.
Purpose of cryptography
 Authentication
 Privacy confidentiality
 Integrity
 Non-repudiation.
Advantages (of secret-key cryptography)
 It is faster than public key cryptography
 Data in transit cannot be read by anyone who does not hold the key
 Possession of the shared key authenticates the other party
Disadvantages
 The issue of key transportation: the key must be delivered secretly to the other party
 It cannot provide a digital signature that cannot be repudiated, since both parties hold the same key
Public key and private key
What are public and private keys?
Asymmetric cryptography, also known as public key
cryptography, uses public and private keys to encrypt and decrypt data. One
key in the pair can be shared with everyone; it is called the public key. The
other key in the pair is kept secret; it is called the private key.
How do private and public keys work?
The distinguishing technique used in public key cryptography
is the use of asymmetric key algorithms, where the key used by one party to
perform encryption is not the same as the key used by the other party for
decryption. Each user has a pair of cryptographic keys: a public encryption
key and a private decryption key.
Roles of private and public key
Private (secret) key                                Public key
1. Faster to encrypt/decrypt                        1. Relatively slow to encrypt/decrypt
2. Symmetrical: there is only one key; the          2. Asymmetrical: two different keys
   other party holds a copy of it
3. Truly private; should be available only to       3. The public key can be made public;
   the communicating parties                           only the private key is truly secret
4. The two parties must have met before, or         4. The two parties need not have met;
   otherwise shared the key in advance                 they may be strangers half way
                                                       around the globe
Differences between public and private key
Public key
• For symmetric encryption, the same key is used to
encrypt the message and to decrypt it. This key must be
random, or cryptographically generated in a way that
makes it look random.
For public-key encryption, instead, the recipient
generates two keys together, a public encryption key and
a private decryption key. The message is encrypted with
the public key, and can only be decrypted with the
private key.
In practice, public-key encryption is almost always used
to exchange a secret key between the parties. That way
they only have to go through the complexity and
computation of the public-key system once, at least until
they discard the secret key (e.g., until you close your
browser).
Public-key encryption is slower and more complicated
than symmetric encryption, but it is also much more
flexible. Consider connecting to your bank: you could
theoretically use symmetric cryptography if you shared a
key with your bank, for example by showing up at a
branch in person and exchanging secret random
numbers. Indeed, that is basically what a SecurID token
is: a shared secret between you and your bank. But it is
much easier to exchange those secret random numbers over
the internet, encrypted with the bank's public key.
Private key
• The private key and the public key form a unique pair,
which is normally inseparable. Both are
prerequisites to encrypt and decrypt information
while it travels between web browser and web server.
• There are two types of mechanism in encryption
algorithms: symmetric encryption and
asymmetric encryption.
• If you are using symmetric encryption technology,
then you require only one secret key for both the encrypt and
decrypt functionality. If you are using asymmetric
encryption technology, then you need a unique pair
of private key and public key to encrypt and decrypt
the information.
• The private key is stored inside the server to decrypt
the information which comes from the browser in
encrypted form. The information
which is coming from the browser requires the server's public key
to encrypt the data.
• Both keys have different functionality,
which depends on the encryption technology.
Digital signature
What is a digital signature?
A digital signature is an electronic signature that can be used to authenticate the identity of
the sender of a message.
 It is a mathematical scheme for demonstrating the authenticity of a digital message or
document.
 Each signatory has their own paired public and private key.
 It consists of three algorithms:-
1. A key generation algorithm:-
 Randomly produces a key pair (public and private)
2. A signing algorithm:-
 Given the message and the private key, produces a signature
3. A signature verification algorithm:-
 Given the message, the public key and the signature, either accepts or rejects the signature.
ADVANTAGES OF DIGITAL SIGNATURE
• Impostor prevention
• Message integrity
• Legal requirement
DISADVANTAGES OF DIGITAL SIGNATURE
• Cost: a digital signature certificate has to be bought from a certifying authority, and the
subscription has to be kept up for the business to keep using it.
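The public/private key roles described above and the three signature algorithms (key generation, signing, verification), as one added example that is not from the original slides. It is textbook RSA on Python integers with fixed Mersenne primes so that the run is reproducible; it has no padding and uses special-form primes, so it illustrates the roles of the keys only and must not be used for real signing or encryption.

```python
# Added example (not from the original slides): textbook RSA showing what the
# public and private keys each can do, and a hash-then-sign digital signature.
# Teaching construction only: no padding, fixed special-form primes.
import hashlib

# Constructed key material: the Mersenne primes 2^521-1 and 2^607-1 (assumption:
# chosen so the example is reproducible; real keys use random primes)
P = (1 << 521) - 1
Q = (1 << 607) - 1
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Key generation: public key (n, e), private key (n, d) with e*d = 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(public_key, message: bytes) -> int:
    """Anyone holding the public key can encrypt to its owner."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n)


def rsa_decrypt(private_key, ciphertext: int) -> bytes:
    """Only the private exponent d undoes the public exponent e."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _hash_as_int(message: bytes) -> int:
    """Sign a fixed-size digest of the message, not the message itself."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """Signing algorithm: apply the private exponent to the message hash."""
    n, d = private_key
    return pow(_hash_as_int(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Verification algorithm: the public exponent must recover the same hash.
    A changed message, a changed signature, or a different key pair all fail."""
    n, e = public_key
    return pow(signature, e, n) == _hash_as_int(message)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    order = b"pay 100 to bob"
    sig = sign(priv, order)
    print("genuine:", verify(pub, order, sig))
    print("altered:", verify(pub, b"pay 1000 to bob", sig))
    print(rsa_decrypt(priv, rsa_encrypt(pub, b"order #42 total 1299.00")))
```

Note that encryption uses the receiver's public key while signing uses the sender's private key; that asymmetry is what gives a signature its non-repudiation property, which a shared secret key cannot provide.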
Requirements while you apply for a digital signature certificate
1. Submission of the DSC application form, duly filled in by the applicant
Any individual applying for a Digital Signature Certificate is required to fill in an application form
for online submission and verification of personal details by the certifying authority
2. Producing Photo ID proof
3. Producing Address proof
Steps to apply for a digital signature certificate
• STEP 1: Log on and select your type of entity. ...
• STEP 2: Fill the necessary details. ...
• STEP 3: Proof of identity and address. ...
• STEP 4: Payment for DSC. ...
• STEP 5: Post the documents required.
DIGITAL CERTIFICATES
WHAT IS A DIGITAL CERTIFICATE:-
A digital certificate is an electronic "passport" that allows a person or organization to
exchange data securely over the internet using the public key infrastructure (PKI). A digital
certificate is also known as a public key certificate or identity certificate.
DEFINITION:-
A digital certificate binds a public key to the identity of its owner, signed by a certification authority, so
that the recipients of a signed or encrypted message can check that the key belongs to the claimed sender
rather than to an impostor.
TYPES OF DIGITAL CERTIFICATES:-
There are three types:
1. Secure Sockets Layer (SSL) certificates
2. Software signing (code signing) certificates
3. Client certificates (Digital IDs)
• Secure Sockets Layer
Secure Sockets Layer [SSL] server certificates are installed on a server. This can be a
server that hosts a website like www.digi-sign.com, a mail server, a directory or LDAP server, or any other type
of server that needs to be authenticated, or that wants to send and receive encrypted data. (Today these
certificates are used with TLS, the successor of SSL; the old protocol name survives in the certificate name.)
• Code Signing Certificate
Code Signing Certificates are used to sign software or programmed code that is
downloaded over the Internet. It is the digital equivalent of the shrink-wrap or hologram seal used in the real
world to authenticate software and assure the user it is genuine and actually comes from the software publisher
that it claims.
• Client Certificate
Client Certificates or Digital IDs are used to identify one person to another, a person to a device
or gateway, or one device to another device. Client Certificates are issued in their thousands and millions each
year and are the principal reason for purchasing a CA.
Two people communicating by email will use a client certificate to authenticate or digitally
sign their respective communications. This signature will assure each person that the email is genuine and
comes from the other person.
A person that is given access to a secure online service like a database, an extranet or
intranet will be authenticated to the gateway or entry point using a Client Certificate. This type of strong
authentication replaces the less secure usernames and passwords currently in use on many websites.
If two routers or a Virtual Private Network [VPN] connection need to authenticate each
other, a Client Certificate can be used and exchanged to prove the connection is trusted. This type of client
authentication occurs deep within the application and is not usually visible to the end user. This type of device-
to-device authentication often uses a particular IPsec Client Certificate.
Also, bespoke applications and hardware seeking to utilize IP technology securely can use Digital Certificates
to authenticate the application and/or for device-to-device authentication.
Advantages of digital certificate:-
Online Banking Advantages
• Many businesses rely on digital certificates for banking procedures. For example, a human services
organization that distributes customer incentive checks uses a digital certificate to validate each instrument.
Each time a check is created, a designated user employs an identifiable computer to upload and manage
each check prior to distribution. This alerts the bank of the amount and number of each check. In addition,
the digital certificate protects against fraudulent activity by assuring the party receiving the information that you
are not an impostor. Online banking would not be possible without the use of digital certificates. According
to Bank of America, transactions cannot take place until the digital certificate has been verified.
Legal Advantages
• Digital certificates and signatures provide protection in legally binding situations. When sending email to a
bank, for example, a digital signature will verify that the information came from you. When agreeing to
legally binding requirements, digital certificates prevent you from becoming a victim of an impostor. In
addition, digital certificates and signatures prevent the sender from later denying having sent the information
(non-repudiation).
Disadvantages of digital certificate:-
Financial Disadvantages
• Businesses must purchase digital certificates from certification authorities. A certificate authority acts as a
third-party issuer that ensures the acceptance of the certificate. Certification authorities typically require a
subscription to their service, which requires monthly payments to continue the relationship. In addition,
multiple certificates for different sites or purposes can become a costly endeavor.
Technological Disadvantages
• When considering digital certificates, you need to factor in many areas of existing technology. According to
The Institute of Internal Auditors, “auditors should recommend that senior and IT managers consider the
tool’s ease of use, integration with the existing software platform, the company’s product architecture, the
security of the tool (e.g., the strength of the algorithm used), vendor support, cost, and future flexibility
before deciding which tool to implement.” In addition, creating a platform that accepts all digital
certificates is a difficult undertaking, and human carelessness may compromise the safety of login
credentials.
SECURITY PROTOCOL OVER PUBLIC NETWORK
INTRODUCTION:-
Network security protocols are a type of network protocol that ensures
the security and integrity of data in transit over a network connection. Network
security protocols define the processes and methodology to secure network data from
any illegitimate attempt to review or extract the contents of the data.
DEFINITION:-
A VPN is a private data network that makes use of
the public telecommunication infrastructure, such as the Internet, by
adding security procedures over the unsecure communication channels.
The security procedures that involve encryption are achieved through the use of a
tunneling protocol.
Types
• Application Security: It is important to have application security since no app is created
perfectly. Any application may contain vulnerabilities, or holes, that are
used by attackers to enter your network. Application security thus encompasses the software,
hardware, and processes you select for closing those holes.
• Behavioral Analytics: In order to detect abnormal network behaviour, you will have to know
what normal behavior looks like. Behavioral analytics tools are capable of automatically
discerning activities that deviate from the norm. Your security team will thus be able to
efficiently detect indicators of compromise that pose a potential problem and rapidly
remediate threats.
• Data Loss Prevention (DLP): Organizations should guarantee that their staff does not send
sensitive information outside the network. They should thus use DLP technologies, network
security measures, that prevent people from uploading, forwarding, or even printing vital
information in an unsafe manner.
• Email Security: Email gateways are considered to be the number one threat vector for a
security breach. Attackers use social engineering tactics and personal information in order to
build refined phishing campaigns to deceive recipients and then send them to sites serving up
malware. An email security application is capable of blocking incoming attacks and
controlling outbound messages in order to prevent the loss of sensitive data.
• Firewalls: Firewalls place a barrier between your trusted internal network and untrusted
outside networks, like the Internet. A set of defined rules is employed to block or allow
traffic. A firewall can be software, hardware, or both. A host firewall manages
traffic on your PC and monitors inbound and outbound connections while you are
online.
• Mobile Device Security: Mobile devices and apps are increasingly being targeted by
cybercriminals. 90% of IT organizations could very soon support corporate applications on
personal mobile devices. There is therefore a need to control which devices can access your
network, and to configure their connections in order to keep network traffic private.
• Network Segmentation: Software-defined segmentation places network traffic into varied
classifications and makes enforcing security policies a lot easier. The classifications are ideally
based on endpoint identity, not just IP addresses. Rights can be accessed based on location, role,
and more so that the right people get the correct level of access and suspicious devices are thus
contained and remediated.
• Security Information and Event Management (SIEM): SIEM products bring together all the
information needed by your security staff in order to identify and respond to threats. These
products are available in different forms, including virtual and physical appliances and server
software.
• Virtual Private Network (VPN): A VPN is another type of network security capable of
encrypting the connection from an endpoint to a network, mostly over the Internet. A remote-
access VPN typically uses IPsec or SSL/TLS in order to authenticate and encrypt the
communication between network and device.
• Web Security: A perfect web security solution will help in controlling your staff’s web use,
denying access to malicious websites, and blocking
• Wireless Security: The mobile office movement is presently gaining momentum along with
wireless networks and access points. However, wireless networks are not as secure as wired ones
and this makes way for hackers to enter. It is thus essential for the wireless security to be strong.
It should be noted that without stringent security measures installing a wireless LAN could be
like placing Ethernet ports everywhere. Products specifically designed for protecting a wireless
network will have to be used in order to prevent an exploit from taking place.
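The kind of correlation a SIEM or a behavioral analytics tool performs, as an added example that is not from the original slides: a brute-force login detector run over constructed sshd-style log lines. The log format, the threshold and the time window are assumptions made for this demo.

```python
# Added example (not from the original slides): SIEM-style detection over log
# lines. The line format, SAMPLE_LOG, threshold and window are constructed
# assumptions for the demo.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format, loosely modelled on sshd output (constructed for this demo)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag a source that fails `threshold` logins inside `window`, and any
    success from a source that still has recent failures (the sign that a
    password-guessing run actually worked)."""
    recent_failures = defaultdict(deque)    # src -> timestamps of failures in window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                          # unrelated or malformed line
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        src, user, outcome = m["src"], m["user"], m["outcome"]
        q = recent_failures[src]
        while q and ts - q[0] > window:       # drop failures that aged out
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) == threshold:           # alert once, when the threshold is crossed
                alerts.append({"type": "bruteforce", "src": src, "user": user, "time": ts})
        elif q:                               # Accepted while failures are still in the window
            alerts.append({"type": "success_after_failures", "src": src, "user": user, "time": ts})
    return alerts


# Constructed sample log: one guessing run from 203.0.113.9 that ends in a
# successful login, plus ordinary traffic from another address and a noise line.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z sshd: Failed password for root from 203.0.113.9",
    "2024-05-01T10:00:05Z sshd: Failed password for root from 203.0.113.9",
    "2024-05-01T10:00:09Z sshd: Failed password for admin from 203.0.113.9",
    "2024-05-01T10:00:12Z sshd: Failed password for root from 203.0.113.9",
    "2024-05-01T10:00:15Z sshd: Failed password for root from 203.0.113.9",
    "2024-05-01T10:00:20Z sshd: Failed password for root from 203.0.113.9",
    "2024-05-01T10:00:25Z sshd: Accepted password for root from 203.0.113.9",
    "2024-05-01T10:00:30Z sshd: Failed password for alice from 198.51.100.7",
    "2024-05-01T10:00:31Z sshd: some unrelated message",
    "2024-05-01T10:05:00Z sshd: Accepted password for alice from 198.51.100.7",
]

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a["time"].isoformat(), a["type"], a["src"], a["user"])
```

The second alert type is the one worth paging on: many failures followed by a success from the same source is a much stronger indicator of compromise than the failures alone, which a busy internet-facing host sees constantly.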
Advantages of Network Security
• Protect data
As discussed, network security keeps a check on unauthorized access. A network contains a lot
of confidential data, like personal client data. Anybody who breaks into the network may compromise this
sensitive data. So, network security should be in place to protect it.
• Prevents cyber attacks
Most attacks on the network come from the internet. There are hackers who are experts in
this, and then there are virus attacks. If you are careless, they can play with a lot of the information available in the
network. Network security can prevent these attacks from harming the computers.
• Levels of access
The security software gives different levels of access to different users. The authentication of
the user is followed by the authorization technique where it is checked whether the user is authorized to access
certain resource. You may have seen certain shared documents password protected for security. The software
clearly knows which resources are accessible by whom.
• Centrally controlled
Unlike desktop security software, network security software is controlled by a
central user called the network administrator. While the former depends on every individual machine
being kept up to date, the latter enforces policy for the whole network and can stop intruders
before they damage anything.
• Centralized updates
It is very important that the anti-virus software is timely updated. An old version may not
offer you enough security against attackers. But it is not guaranteed that every user of the network follows it
religiously. A network security system which is centralized offers this advantage of timely updates without
even the knowledge of the individuals.
• Disadvantages of Network Security
Network security is a real boon to users to ensure the security of their data.
While it has many advantages, it has a few disadvantages. Let us discuss some of them.
• Costly set up
The set up of a network security system can be a bit expensive. Purchasing the
software, installing it etc can become costly especially for smaller networks. Here we are not
talking about a single computer, but a network of computers storing massive data. So, the security
being of prime importance will definitely cost more. It cannot be ignored at any cost!
• Time consuming
The software installed on some networks is difficult to work with. It needs
authentication using two passwords to ensure double security which has to be entered every time
you edit a document. It also requires the passwords to be unique with numbers, special characters
and alphabets. The user may have to type a number of sample passwords before one is finalized
which takes a lot of time.
• Requires skilled staff
To manage large networks is not an easy task. It requires highly skilled
technicians who can handle any security issue that arises. A network administrator needs to be
employed to ensure smooth working of the network. He must be trained adequately to meet the
requirement.
• Careless admin
When the best software is installed and everything required is done, it is natural
for the admin to be careless at times. It is his job to check the logs regularly to keep a check on the
malicious users. But sometimes, he just trusts the system and that is when the attack happens. So,
it is very important that the admin remains vigilant always.
HTTP
Protocol and HTTP:-
A protocol is a standard procedure for defining and regulating communication, for example TCP, UDP,
HTTP etc.
Hypertext Transfer Protocol, better known to millions of Web surfers as
HTTP, was invented in 1990 by Tim Berners-Lee at the CERN Laboratories in Geneva, Switzerland.
Today, it is the foundation of the World Wide Web, together with the Hypertext Markup Language (HTML).
Three versions of HTTP were developed first: 0.9, 1.0 and 1.1; 1.0 and 1.1 are both in common usage today,
and HTTP/2 (2015) and HTTP/3 (2022) have since been standardized.
HYPERTEXT TRANSFER PROTOCOL:-
• The HTTP provides a standard for web browsers & servers to communicate.
• HTTP is the foundation of data communication for the WWW.
• HTTP is an application layer network protocol built on top of TCP.
• HTTP clients & servers communicate via HTTP request & response message.
• Hypertext is structured text that uses logical links(hyper links) between nodes containing text.
• HTTP is the protocol to exchange or transfer hypertext.
• HTTP is called a “stateless protocol” because each command is executed independently, without
any knowledge of the commands that came before it.
• E.g.- when you enter a URL in your browser, this actually sends an HTTP command to the web
server directing it to fetch & transmit the requested web page.
• There are 2 major versions of HTTP:-
HTTP/1.0
HTTP/1.1
HTTP CHARACTERISTICS:-
• Request response mechanism
-transaction is initiated by a client sending a request to server.
-server generates a response.
• Resource identification
-each HTTP request includes a URI(Uniform Resource Identifier).
• Statelessness
- the server does not maintain any information about the transaction.
• Metadata support
-metadata about the information can be exchanged in the message headers
HOW HTTP WORKS:-
 HTTP is implemented in two programs, a client program and a server program, executing on
different end systems, which talk to each other by exchanging HTTP messages.
 The HTTP client first initiates a TCP connection with the server. Once the connection is
established, the browser and the server processes access TCP through their socket interfaces.
HTTP REQUEST METHODS
• The first line of an HTTP request message is called the request line; the subsequent
lines are called the header lines. The request line has three fields: the method field,
the URL field, and the HTTP version field. The method field can take on several
different values, including GET, POST, HEAD, PUT and DELETE. The great
majority of HTTP request messages use the GET method. The GET method is used
when the browser requests an object, with the requested object identified in the
URL field.
• GET: Retrieve the document identified in the URL.
• HEAD: Retrieve meta information about the document identified in the URL.
• DELETE: Delete the document at the specified URL.
• OPTIONS: Request information about available options.
• PUT: Store the document under the specified URL.
• POST: Give information to the server.
• TRACE: Loop back the request message.
• CONNECT: For use by proxies.
ADVANTAGES:-
• Platform independent - Allows straight cross platform porting.
• No Runtime support required to run properly.
• Usable over firewalls! Global applications possible.
• Not Connection Oriented – No network overhead to create and maintain session state and
information.
• Ease of programming. HTTP is coded in plain text and therefore is easier to follow and
implement than protocols that make use of codes that require lookups.
• Flexibility.
LIMITATIONS:-
• Privacy
Anyone can see content
• Integrity
someone might alter content. HTTP is insecure since no encryption is used; hence it is
subject to man-in-the-middle attacks and eavesdropping on sensitive information.
• Authentication
Not clear who you are talking with. Authentication is sent in the clear – anyone who
intercepts the request can determine the username and password being used.
• Information sent via HTTP is not encrypted and can pose a threat to your privacy.
• Packet headers are larger than other protocols as they are needed for security and quality
assurance of the information being transferred.
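To make the request-line and header structure above, and the cleartext-authentication limitation, concrete, here is an added Go example that is not part of the original slides. It parses a constructed HTTP/1.1 request, rejects unknown methods, and shows that an `Authorization: Basic` header read from a captured plain-HTTP request yields the username to whoever holds the capture; the host name and credentials are made up.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// knownMethods are the request methods listed on the slide; anything else is
// treated as a malformed request.
var knownMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "DELETE": true,
	"OPTIONS": true, "TRACE": true, "CONNECT": true,
}

// Request is the parsed form of an HTTP/1.x request message.
type Request struct {
	Method, Target, Version string
	Headers                 map[string]string // header names lower-cased
}

// ParseRequest splits a raw request into the request line (exactly three
// fields: method, URL, version) and the header lines that follow it.
func ParseRequest(raw string) (*Request, error) {
	head, _, _ := strings.Cut(raw, "\r\n\r\n") // headers end at the blank line
	lines := strings.Split(head, "\r\n")
	fields := strings.Fields(lines[0])
	if len(fields) != 3 {
		return nil, errors.New("request line must have method, URL and version")
	}
	req := &Request{Method: fields[0], Target: fields[1], Version: fields[2], Headers: map[string]string{}}
	if !knownMethods[req.Method] {
		return nil, fmt.Errorf("unknown method %q", req.Method)
	}
	if !strings.HasPrefix(req.Version, "HTTP/") {
		return nil, fmt.Errorf("bad version field %q", req.Version)
	}
	for _, line := range lines[1:] {
		name, value, ok := strings.Cut(line, ":")
		if !ok {
			return nil, fmt.Errorf("malformed header line %q", line)
		}
		req.Headers[strings.ToLower(strings.TrimSpace(name))] = strings.TrimSpace(value)
	}
	return req, nil
}

// ExposedBasicCredentials returns the username carried in an
// "Authorization: Basic" header. Base64 is an encoding, not encryption, so
// a plain-HTTP request exposes it to any eavesdropper exactly like this;
// that is the Authentication limitation described on the slide.
func ExposedBasicCredentials(req *Request) (user string, found bool) {
	v := req.Headers["authorization"]
	if !strings.HasPrefix(v, "Basic ") {
		return "", false
	}
	decoded, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(v, "Basic "))
	if err != nil {
		return "", false
	}
	user, _, _ = strings.Cut(string(decoded), ":")
	return user, true
}

// sampleRequest is a constructed capture, not real traffic.
const sampleRequest = "GET /account HTTP/1.1\r\n" +
	"Host: shop.example\r\n" +
	"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n" +
	"\r\n"

func main() {
	req, err := ParseRequest(sampleRequest)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("%s %s %s (%d header lines)\n", req.Method, req.Target, req.Version, len(req.Headers))
	if user, ok := ExposedBasicCredentials(req); ok {
		fmt.Printf("credential for user %q is readable by anyone on the path; use HTTPS\n", user)
	}
}
```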
SECURE SOCKETS LAYER
INTRODUCTION:-
SSL (Secure Sockets Layer) is a standard security protocol for establishing encrypted links between a
web server and a browser in an online communication. The usage of SSL technology ensures that all
data transmitted between the web server and browser remains encrypted.
DEFINITION:-
An SSL certificate is necessary to create an SSL connection. You would need to give all details about
the identity of your website and your company as and when you choose to activate SSL on your web
server. Following this, two cryptographic keys are created - a Private Key and a Public Key.
What is SSL used for?
• The SSL protocol is used by millions of online businesses to protect their customers, ensuring their
online transactions remain confidential. A web page should use encryption when it expects users
to submit confidential data, including personal information, passwords, or credit card details. All
web browsers have the ability to interact with secured sites so long as the site's certificate is
issued by a trusted CA.
• Who issues SSL Certificates?
A certificate authority or certification authority (CA) issues SSL certificates.
On receiving an application, the CA verifies two factors: It confirms the legal
identity of the enterprise/company seeking the certificate and whether the
applicant controls the domain mentioned in the certificate. The issued SSL
certificates are chained to a 'trusted root' certificate owned by the CA. Most
popular internet browsers such as Firefox, Chrome, Internet Explorer,
Microsoft Edge, and others have these root certificates embedded in their
'certificate store'. Only if a website certificate chains to a root in its certificate
store will the browser allow a trusted and secure https connection. If a website
certificate does not chain to a root then the browser will display a warning that
the connection is not trusted.
Certificate Type
• Single Domain Certificates
• A single domain certificate allows a customer to secure one Fully Qualified Domain Name on a
single certificate. For example, a certificate purchased for www.domain.com will allow
customers to secure any and all pages on www.domain.com/. Single domain certificates are
available in DV, OV and EV variants at a variety of price points and warranty levels. The
straightforward nature of the single domain certificate makes it ideal for small to medium sized
businesses managing a limited number of websites. However, businesses that operate or
anticipate operating multiple websites may benefit from the added flexibility, convenience and
savings offered by wildcard or multi-domain certificates.
• Examples: Instant SSL, Instant SSL Pro, Instant SSL Premium
• Wildcard SSL Certificate
• A wildcard certificate allows businesses to secure a single domain and unlimited sub-domains
of that domain. For example, a wildcard certificate for '*.domain.com' could also be used to
secure 'payments.domain.com', 'login.domain.com', 'anything-else.domain.com' etc. A wildcard
certificate will automatically secure any sub-domains that a business adds in the future. They
also help simplify management processes by reducing the number of certificates that need to be
tracked. For growing online businesses, wildcard certificates provide a flexible, cost-effective
alternative to multiple single certificate purchases.
• Example: Comodo Premium SSL Wildcard
Multi Domain SSL Certificate
As the name suggests, a Multi-Domain certificate allows website owners to secure multiple, distinct
domains on one certificate. For example, a single MDC can be used to secure domain-1.com,
domain-2.com, domain-3.co.uk, domain-4.net and so on. Indeed, an MDC will allow you to secure
up to 100 different domains (or wildcard domains) on a single certificate. Customers can easily add
or remove domains at any time. This simplifies SSL management because administrators need only
keep track of a single certificate with a unified expiry date for all domains instead of keeping tabs on
multiple certificates. In addition, MDCs usually represent a cost saving over the price of individual
certificates.
Example: Comodo Multi-Domain Certificate, Comodo EV Multi-Domain Certificate
Unified Communications Certificate (UCC):
Unified Communications Certificates are specifically designed to secure Microsoft® Exchange and
Office Communications environments. UC certificates use the Subject Alternative Name (SAN) field
to allow customers to include up to 100 domains on a single certificate - eliminating the need for
different IP addresses per website that would be required otherwise. UC Certificates also support the
Microsoft Exchange Autodiscover service, a powerful feature which greatly eases client
administration. As with MDCs, a single UCC can greatly reduce SSL management duties while
allowing customers to realize cost savings over individual purchases.
Examples: Comodo Unified Communications Certificates
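The chaining-to-a-trusted-root check described under "Who issues SSL Certificates?" and the wildcard and multi-domain (SAN) rules above, as an added Go example that is not from the original slides or from any CA: it mints a throwaway root CA and a leaf certificate carrying `*.domain.com`, `domain-1.com` and `domain-2.com`, then verifies the leaf for several host names against a certificate store that holds the root and against one that does not. The CA name and the domains are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert signs template with the parent's key and returns the parsed
// certificate plus the new key pair. With parent == nil the certificate is
// self-signed, which is how a CA's own trusted root comes into being.
func newCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Chain holds a constructed CA root and one leaf certificate it issued.
type Chain struct {
	Root, Leaf *x509.Certificate
}

// BuildChain creates a self-signed root ("Example CA Root", made up) and
// issues a multi-domain leaf whose SAN list holds a wildcard entry plus two
// unrelated domains, as a single MDC would.
func BuildChain() (*Chain, error) {
	now := time.Now()
	root := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootCert, rootKey, err := newCert(root, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "domain-1.com"},
		DNSNames:     []string{"*.domain.com", "domain-1.com", "domain-2.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafCert, _, err := newCert(leaf, rootCert, rootKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: rootCert, Leaf: leafCert}, nil
}

// Trusted reports (as a nil error) whether the leaf chains to a root in the
// given store and is valid for host; this is the check a browser performs
// before it shows a trusted https connection. An empty store models a
// browser whose certificate store lacks the issuing CA's root.
func Trusted(leaf *x509.Certificate, store *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err
}

func main() {
	ch, err := BuildChain()
	if err != nil {
		panic(err)
	}
	store := x509.NewCertPool()
	store.AddCert(ch.Root)
	for _, host := range []string{"payments.domain.com", "domain.com", "a.b.domain.com", "domain-2.com"} {
		fmt.Printf("%-22s with trusted root: %v\n", host, Trusted(ch.Leaf, store, host))
	}
	fmt.Println("unknown root:", Trusted(ch.Leaf, x509.NewCertPool(), "payments.domain.com"))
}
```

The wildcard covers exactly one label, so `payments.domain.com` verifies while `domain.com` and `a.b.domain.com` do not, and without the root in the store every host fails with an unknown-authority error.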
The Benefits of SSL Certificates
SSL is a simple yet secure channel for transmitting data. It is valuable to both customers and businesses
considering the level of security it brings to their cloud-based transactions.
• Kick out the Hackers
You have to be extremely cautious about phishing sites. These are an almost perfect replica of an original,
authentic site and have many techniques to lure you into providing your sensitive information.
But SSL identifies what we humans cannot, and ensures that these fake sites never see the light
of day.
It is difficult, if not impossible, for fake sites to acquire SSL certificates, and when customers are warned of the
absence of an SSL certificate, they will avoid falling prey to these fake sites.
An SSL certificate will also help protect your website from eavesdropping, man-in-the-middle and
sniffing attacks.
• Boost Ranking & Increase Brand Value
• A few months ago, Google updated its algorithm and added HTTPS as a ranking signal. If your website is
secured with an SSL certificate and its URL starts with the secure HTTPS protocol, then you will get a
ranking advantage in search engines.
• Using SSL dramatically improves the perception that users have of your brand. When your site is signed
by a trusted third-party certificate, your customers are assured that they are indeed on a valid and trusted
site. They will be less worried about security issues and will engage with you more effectively.
• Secure Payments to Experience Safe Shopping
• No one will dare to send their credit card information over a simple HTTP website. It is also mandatory for
a business site to have an SSL certificate to meet the PCI security standards set forth by the payment card
industry.
• Without the use of SSL, business sites cannot even dream of having a single successful credit card
transaction. By implementing SSL, visitors will find your website more trustworthy and experience secure
shopping over the HTTPS site.
• Build Trust with Extended Authentication
• Customers are becoming more and more security aware. As a lot of sensitive information,
such as bank passwords and personal details, are exchanged in a cloud platform, a secure
authentication mechanism must be provided to ensure data protection.
• SSL achieves this feat by issuing a server certificate along with the SSL certificate. This
server certificate increases the trust factor of the service provided and helps the customer
verify whether you are really who you claim to be.
• CAs follow a different validation process to authenticate your business's reliability. The
process depends on which certificate you choose – domain validation, organization validation
or extended validation. A Domain Validation certificate verifies only domain authentication,
an Organization Validation certificate validates your business's reliability, and an Extended
Validation (EV) SSL certificate confirms your business's existence and trustworthiness by
examining legal documents. It ensures that the site is highly authenticated and secured to carry out
online transactions by displaying the security trust mark, the “Green Bar”.
• Strongest Encryption to Secure Information
• All the information transferred over an SSL connection is encrypted and there is no way an
interceptor could decipher your information.
• Encryption algorithms like RSA, DSA, and ECC are currently used by most certificate
authorities. When credit card data and other private information travel between the
web server and the user's browser, the site is secured with robust encryption (for example,
SHA256-bit encryption) that leaves no place for hackers to sniff the transmitted information. So
you can rest assured that the information will always only reach the intended parties.
The Pros - Assuring Reasons Why Your Website must have SSL
• The obvious benefit of SSL encryption is that your website data will be safe from third-party hacking or
interception. The connections to and from the web browser and the server will remain intact.
• There are also a number of other benefits that make it compelling to invest in SSL certificates.
Improves trust
• A study by Bizrate found that a majority of US customers are reluctant to conduct online transactions due to credit
card and privacy concerns.
• With HTTPS such hesitation from customers to shop and pay online can be removed. Studies have proved that
displaying trust seals in online shops helps improve conversion rates significantly.
• Customers find it easier to divulge their payment instructions and private details like name, location, address,
etc. when the website is encrypted and immune to security threats.
Ensures Data Integrity
• Ebay, Home Depot, Target and a host of other retailers have been victims of hacking in the past. They lost
valuable customer information and even payment records because their websites lacked HTTPS protection. SSL
certificates can facilitate data integrity for online retailers. It ensures that the data stored in online servers are
always intact and protected from external threats.
Boosts SEO ranking
• Like we said at the beginning of the article, Google is all set to introduce HTTPS as a search engine ranking
signal. The search engine believes that this is necessary to cultivate a web culture where the data security of
users is protected by all means. In the coming months, Google will flag websites without HTTPS as ‘not safe’.
• In other words, if your website is HTTPS enabled, then you will be given preference over websites which are
not secure.
Establishes identity
• Extended Validation (EV) SSL certificates establish the legal ownership of a website. They give visitors the
assurance that the website they are visiting is indeed owned by the said organization.
The Cons - Reasons why you may not want SSL certificate
They cost money
• Let’s face the hard truth. Nothing good ever comes free of cost. SSL encryption
which can guard your website from data security threats obviously costs a bit of
money. However, considering the benefits like SEO ranking, security, and customer
trust it delivers, this cost should not be a cause for concern.
Technical complications
• Although the SSL configuration is fairly simple for a techie it can sometimes be
complex for others. Especially in the case of multi-domain SSL certificates, there is
a high chance of error which will potentially scare away visitors. Applying the
HTTPS tag across all web pages is not easy and requires expertise.
Mobile configuration is not easy
• SSL certificates were primarily intended for website security; mobile devices may
not have been considered. This has meant that in recent years, as the widespread
usage of mobile devices has developed, so too have many complications. Website
owners have to use third-party applications or build in-house applications to keep
websites functioning the same way on mobile devices.
FIREWALL AS A SECURITY CONTROL
INTRODUCTION
A firewall is a system designed to prevent unauthorized access to or from a
private network. You can implement a firewall in either hardware or software form, or a
combination of both. Firewalls prevent unauthorized internet users from accessing private
networks connected to the internet, especially intranets
A firewall is software used to maintain the security of a private
network. Firewalls block unauthorized access to or from private networks and are often
employed ..
HOW FIREWALLS WORK:-
A firewall is simply a program or hardware device that filters the information coming
through the Internet connection into your private network or computer system. If an incoming
packet of information is flagged by the filters, it is not allowed through.
TYPES
Packet filtering firewalls
• This, the original type of firewall, operates inline at junction points where devices such as routers and
switches do their work.
• However, this firewall doesn't route packets, but instead compares each packet received to a set of established
criteria -- such as the allowed IP addresses, packet type, port number, etc. Packets that are flagged as
troublesome are, generally speaking, unceremoniously dropped -- that is, they are not forwarded and, thus,
cease to exist.
Circuit-level gateways
• Using another relatively quick way to identify malicious content, these devices monitor the TCP
handshakes across the network as they are established between the local and remote hosts to determine
whether the session being initiated is legitimate -- whether the remote system is considered trusted. They don't
inspect the packets themselves, however.
Stateful inspection firewalls
• State-aware devices, on the other hand, not only examine each packet, but also keep track of whether or not
that packet is part of an established TCP session. This offers more security than either packet filtering or
circuit monitoring alone, but exacts a greater toll on network performance.
• A further variant of stateful inspection is the multilayer inspection firewall, which considers the flow of
transactions in process across multiple layers of the ISO Open Systems Interconnection seven-layer model.
Application-level gateways
• This kind of device, technically a proxy, and sometimes referred to as a proxy firewall, combines some of the
attributes of packet filtering firewalls with those of circuit-level gateways. They filter packets not only
according to the service for which they are intended -- as specified by the destination port -- but also by
certain other characteristics, such as the HTTP request string.
• While gateways that filter at the application layer provide considerable data security, they can dramatically
affect network performance.
Next-gen firewalls
• This looser category is the most recent -- and least-well delineated -- of the types of firewalls.
A typical next-gen product combines packet inspection with stateful inspection, but also
includes some variety of deep packet inspection.
Firewall rule actions
Firewall rules can take the following actions:
• Allow: Explicitly allows traffic that matches the rule to pass, and then implicitly denies
everything else.
• Bypass: Allows traffic to bypass both firewall and intrusion prevention analysis. Use this
setting for media-intensive protocols or for traffic originating from trusted sources. A bypass
rule can be based on IP, port, traffic direction, and protocol.
• Deny: Explicitly blocks traffic that matches the rule.
• Force Allow: Forcibly allows traffic that would otherwise be denied by other rules. Traffic
permitted by a Force Allow rule will still be subject to analysis by the intrusion prevention
module.
• Log only: Traffic will only be logged. No other action will be taken.
More about Allow rules
Allow rules have two functions:
• Permit traffic that is explicitly allowed.
• Implicitly deny all other traffic.
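An added Go example, not from the slides or from any firewall vendor, that implements the five rule actions just listed as a small rule engine and runs it over constructed packets. The precedence order between actions and the sample policy (a management host `10.0.0.5`, a media source `10.0.0.9`, an internet client `203.0.113.7`) are this example's assumptions.

```go
package main

import "fmt"

// Action is one of the five rule actions listed above.
type Action int

const (
	Allow Action = iota
	Bypass
	Deny
	ForceAllow
	LogOnly
)

// Packet carries the header fields the rules match on.
type Packet struct {
	SrcIP, Proto, Direction string // Direction is "in" or "out"
	DstPort                 int
}

// Rule matches on IP, port, direction and protocol; "" or 0 means "any".
type Rule struct {
	Name                    string
	Action                  Action
	SrcIP, Proto, Direction string
	DstPort                 int
}

func (r *Rule) matches(p Packet) bool {
	return (r.SrcIP == "" || r.SrcIP == p.SrcIP) &&
		(r.Proto == "" || r.Proto == p.Proto) &&
		(r.Direction == "" || r.Direction == p.Direction) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// Verdict is the outcome for one packet; Inspected records whether the
// intrusion prevention module still analyses a permitted packet.
type Verdict struct {
	Permitted, Inspected bool
	Reason               string
}

// Evaluate applies the rule set to one packet. The precedence (Bypass, Force
// Allow, Deny, Allow, then the implicit deny that exists as soon as any Allow
// rule is defined) is this example's reading of the descriptions above.
func Evaluate(rules []Rule, p Packet) (Verdict, []string) {
	var logLines []string
	first := map[Action]*Rule{} // first matching rule per action
	hasAllow := false
	for i := range rules {
		r := &rules[i]
		hasAllow = hasAllow || r.Action == Allow
		if !r.matches(p) {
			continue
		}
		if r.Action == LogOnly { // recorded, but never decides the verdict
			logLines = append(logLines, fmt.Sprintf("%s: %s:%d/%s", r.Name, p.SrcIP, p.DstPort, p.Proto))
			continue
		}
		if first[r.Action] == nil {
			first[r.Action] = r
		}
	}
	switch {
	case first[Bypass] != nil:
		return Verdict{true, false, "bypass: " + first[Bypass].Name}, logLines
	case first[ForceAllow] != nil:
		return Verdict{true, true, "force allow: " + first[ForceAllow].Name}, logLines
	case first[Deny] != nil:
		return Verdict{false, false, "deny: " + first[Deny].Name}, logLines
	case first[Allow] != nil:
		return Verdict{true, true, "allow: " + first[Allow].Name}, logLines
	case hasAllow:
		return Verdict{false, false, "implicit deny: Allow rules are defined"}, logLines
	}
	return Verdict{true, true, "no Allow rules defined, so no implicit deny"}, logLines
}

// SampleRules is a constructed policy for a web server: public HTTPS, SSH
// only from one management host although SSH is otherwise denied, a bypass
// for a trusted media source, and telnet probes logged.
var SampleRules = []Rule{
	{Name: "https-in", Action: Allow, Proto: "tcp", DstPort: 443, Direction: "in"},
	{Name: "mgmt-ssh", Action: ForceAllow, SrcIP: "10.0.0.5", Proto: "tcp", DstPort: 22},
	{Name: "no-ssh", Action: Deny, Proto: "tcp", DstPort: 22},
	{Name: "media-bypass", Action: Bypass, SrcIP: "10.0.0.9", Proto: "udp", DstPort: 5060},
	{Name: "telnet-probe", Action: LogOnly, Proto: "tcp", DstPort: 23},
}

func main() {
	for _, p := range []Packet{
		{"10.0.0.5", "tcp", "in", 22}, {"203.0.113.7", "tcp", "in", 22}, {"203.0.113.7", "tcp", "in", 443},
		{"203.0.113.7", "tcp", "in", 8080}, {"10.0.0.9", "udp", "in", 5060}, {"203.0.113.7", "tcp", "in", 23},
	} {
		v, logs := Evaluate(SampleRules, p)
		fmt.Printf("%-12s :%-5d permitted=%-5v inspected=%-5v %s %v\n", p.SrcIP, p.DstPort, v.Permitted, v.Inspected, v.Reason, logs)
	}
}
```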
Advantages :-
• Makes Security Transparent to End-Users.
• Easy to install.
• Packet filters make use of current network routers. Therefore implementing a
packet filter security system is typically less complicated than other network
security solutions.
• High speed
Disadvantages :-
• Packet filtering routers are not very secure.
• Difficulty of setting up packet filtering rules on the router.
• There isn’t any sort of user based Authentication.
• Packet filter cannot authenticate information coming from a specific user.
PUBLIC KEY INFRASTRUCTURE FOR SECURITY
INTRODUCTION :-
A Public key infrastructure (PKI) is a set of roles, policies, and procedures
needed to create, manage, distribute, use, store & revoke digital certificates and manage public-
key encryption. ... An RA is responsible for accepting requests for digital certificates and
authenticating the entity making the request.
• How Does PKI Work?
PKI (or Public Key Infrastructure) is the framework of encryption and cybersecurity that protects
communications between the server (your website) and the client (the users). It works by using two
different cryptographic keys, a public key and a private key. The public key is available to any user
that connects with the website. The private key is a unique key generated when a connection is made,
and kept secret. When communicating, the client uses the public key to encrypt and decrypt, and the
server uses the private key. This protects the user’s information from theft or tampering.
PKI security is used in many different ways. The following are a few ways that PKI security can be
used.
• Securing Emails
• Securing web communications (such as retail transactions)
• Digitally signing software
• Digitally signing applications
• Encrypting files
• Decrypting files
• Smart card authentication
Components of Public Key Infrastructure (PKI)
• It starts with trust. ...
• Certification Authorities. ...
• Private and public keys. ...
• Certificate enrollment. ...
• Digital certificates. ...
• Usage scenarios. ...
• Maintaining security in a PKI environment
Benefits :-
• Secure access control. With a unique verifiable identity you can determine what level of
access to grant to that device. In addition, you can now deny access to anyone who does not
have a proper certificate – no cert, no way. In addition, if you find out a certificate has been
somehow compromised, because it is unique and identifiable, you can revoke its access
privileges and that certificate will no longer be granted access.
• Mutual Authentication. In the days before IoT and autonomous networked devices, the
device didn’t need to be authenticated, just the servers. You wanted to make sure that the
website you were logging into was actually a bank and not some bogus phishing site. The
bank authenticated your identity through your login and password. With IoT, the device needs
to be authenticated and the device also needs to authenticate the server it is talking to. With
digital certificates and secure elements, this is now practical.
• Secure Over-the-Air (OTA) Update. The problem with many devices today is that they will accept
software updates from anyone. Remember, you want a device to only accept software that is verified
and comes from a trusted server. The certificates allow the device to prove it should receive an update
and which one, and the cryptography in the secure element allows the device to verify the server as
well as the signed code.
Advantages :
• PKI is a standards-based technology.
• It allows the choice of trust provider.
• It is highly scalable. Users maintain their own certificates, and certificate authentication involves
exchange of data between client and server only. This means that no third party authentication
server needs to be online. There is thus no limit to the number of users who can be supported using
PKI.
• PKI allows delegated trust. That is, a user who has obtained a certificate from a recognized and
trusted certificate authority can authenticate himself to a server the very first time he connects to
that server, without having previously been registered with the system.
• Although PKI is not notably a single sign-on service, it can be implemented in such a way as to
enable single sign-on.
Problems with PKI :-
1. PKI has too many moving parts
• Complexity is the enemy of good computer security. The more moving parts you have, the
easier it is to find weaknesses, and the harder it is to implement. And few computer security
defenses have more moving parts than a properly set-up PKI.
• You need to begin with an offline root CA (certificate authority). It must be truly offline, or it's
subject to compromise. Then you need two or more CAs that do the work of issuing certificates.
Your CAs need to be protected by an HSM (hardware security module), which is a piece of
hardware that guards the most important private cryptography keys of the PKI. Normally, you
need a few of these, and the total cost can easily reach $100,000.
• You also need two or more websites to store the CA's own certificate and CRLs (certificate
revocation lists). You usually need two of these internally, on the network, and perhaps two
more externally. These days, most PKI designers recommend two or more OCSP (online
certificate status protocol) servers, which are supposed to create less CRL traffic between
clients and CA servers.
2. Even when PKI works perfectly, it doesn't work
• Worse, even when you set up PKI perfectly and without error, and it works the way it’s intended
to work ... it doesn't work! Well, it works, but that's only because people and applications tend
to ignore PKI errors.
• Everyone knows that the little padlock on the browser bar means that a website connection is
supposedly secure thanks to PKI.
• But the complexity of PKI means that many websites and applications end up with PKI errors,
which cause the little padlock to disappear or to remain unlocked. Many times the browser will
warn you that a website's digital certificate is not valid and recommend not going to the
website.
3. PKI doesn't solve the biggest security problems
• Despite points No. 1 and 2, I love PKI. It's very good at what it does if people,
devices, and applications don't ignore its warnings. But the biggest problem with
PKI isn't PKI itself. It's that almost all of the problems that PKI solves aren't the
ones being exploited by today's attackers.
• Most exploits occur due to unpatched software, followed by socially engineered
Trojan horse programs. Together, these two vectors probably account for 99 percent
of all successful attacks in most environments, and PKI doesn't fix either problem.
4. Eventually, PKI will stop working forever
• Here’s the real kicker. One day, all secrets protected by PKI will be revealed.
Yep, that's not a misprint.
• One day, the incredibly hard math, involving large prime numbers, won't be so
difficult to solve anymore. Public key cryptography only works because of the math
involved. But computers are only going to get better over time at solving
cryptographic puzzles.
• For example, one of the biggest promises of quantum computing, whenever it
finally gets perfected, is that it will be able to immediately break open
PKI-protected secrets. Sometime in the near- to mid-term future, useful quantum
computers will become a reality. When they do, most public-key crypto will fall.
THANK YOU

More Related Content

What's hot

Regulatory Framework of E-Commerce
Regulatory Framework of E-CommerceRegulatory Framework of E-Commerce
Regulatory Framework of E-CommerceMamta Bhola
 
Online business transactions
Online business transactionsOnline business transactions
Online business transactionsJaipal Dhobale
 
1 introduction to e commerce
1 introduction to e commerce1 introduction to e commerce
1 introduction to e commercesajid ullah
 
Risks involved in E-payment
Risks involved in E-payment Risks involved in E-payment
Risks involved in E-payment 14_18
 
overview of electronic payment system
overview of electronic payment system overview of electronic payment system
overview of electronic payment system Kavitha Ravi
 
Network security for E-Commerce
Network security for E-CommerceNetwork security for E-Commerce
Network security for E-CommerceHem Pokhrel
 
E Business & E Commerce +
E Business & E Commerce +E Business & E Commerce +
E Business & E Commerce +UMaine
 
E commerce business models
E commerce business modelsE commerce business models
E commerce business modelsVikram g b
 
Advantages and Disadvantages of Ecommerce
Advantages and Disadvantages of EcommerceAdvantages and Disadvantages of Ecommerce
Advantages and Disadvantages of EcommerceAbsolute eCommerce
 
E-commerce- Security & Encryption
E-commerce- Security & EncryptionE-commerce- Security & Encryption
E-commerce- Security & EncryptionBiroja
 
electronic payment system
electronic payment system electronic payment system
electronic payment system RonakJain191
 

What's hot (20)

Regulatory Framework of E-Commerce
Regulatory Framework of E-CommerceRegulatory Framework of E-Commerce
Regulatory Framework of E-Commerce
 
E - Commerce
E - CommerceE - Commerce
E - Commerce
 
Online business transactions
Online business transactionsOnline business transactions
Online business transactions
 
1 introduction to e commerce
1 introduction to e commerce1 introduction to e commerce
1 introduction to e commerce
 
E payment
E paymentE payment
E payment
 
Risks involved in E-payment
Risks involved in E-payment Risks involved in E-payment
Risks involved in E-payment
 
overview of electronic payment system
overview of electronic payment system overview of electronic payment system
overview of electronic payment system
 
Edi ppt
Edi pptEdi ppt
Edi ppt
 
Network security for E-Commerce
Network security for E-CommerceNetwork security for E-Commerce
Network security for E-Commerce
 
Digital signatures and e-Commerce
Digital signatures and e-CommerceDigital signatures and e-Commerce
Digital signatures and e-Commerce
 
Electronic Payment System
Electronic Payment SystemElectronic Payment System
Electronic Payment System
 
E Business & E Commerce +
E Business & E Commerce +E Business & E Commerce +
E Business & E Commerce +
 
E payment methodss
E payment methodssE payment methodss
E payment methodss
 
e-cheque
e-chequee-cheque
e-cheque
 
E commerce business models
E commerce business modelsE commerce business models
E commerce business models
 
Advantages and Disadvantages of Ecommerce
Advantages and Disadvantages of EcommerceAdvantages and Disadvantages of Ecommerce
Advantages and Disadvantages of Ecommerce
 
E-commerce- Security & Encryption
E-commerce- Security & EncryptionE-commerce- Security & Encryption
E-commerce- Security & Encryption
 
EDI
 EDI EDI
EDI
 
E business
E businessE business
E business
 
electronic payment system
electronic payment system electronic payment system
electronic payment system
 

Similar to Security Threats in E-Commerce

Security for e commerce
Security for e commerceSecurity for e commerce
Security for e commerceMohsin Ahmad
 
E commerce security 4
E commerce security 4E commerce security 4
E commerce security 4Anne ndolo
 
Cyber Crime And Security
Cyber Crime And Security Cyber Crime And Security
Cyber Crime And Security ritik shukla
 
“In 2024 Guide to Cyber Security: Protect Your Data Today”
“In 2024  Guide to Cyber Security: Protect Your Data Today”“In 2024  Guide to Cyber Security: Protect Your Data Today”
“In 2024 Guide to Cyber Security: Protect Your Data Today”tunzida045
 
“In 2024 Guide to Cyber Security: Protect Your Data Today”
“In 2024  Guide to Cyber Security: Protect Your Data Today”“In 2024  Guide to Cyber Security: Protect Your Data Today”
“In 2024 Guide to Cyber Security: Protect Your Data Today”tunzida045
 
Ethical hacking and social engineering
Ethical hacking and social engineeringEthical hacking and social engineering
Ethical hacking and social engineeringSweta Kumari Barnwal
 
Challenges 14 security (1).pdf
Challenges 14  security (1).pdfChallenges 14  security (1).pdf
Challenges 14 security (1).pdfdhayadhayananth1
 
Information Systems.pptx
Information Systems.pptxInformation Systems.pptx
Information Systems.pptxKnownId
 
protection & security of e-commerce ...
protection & security of e-commerce ...protection & security of e-commerce ...
More from Dattatreya Reddy Peram (19)

SWOT Analysis - Individual
SWOT Analysis - IndividualSWOT Analysis - Individual
SWOT Analysis - Individual
 
Industry associations and bodies
Industry associations and bodiesIndustry associations and bodies
Industry associations and bodies
 
Licence Permit Raj 1947-1990
Licence Permit Raj 1947-1990Licence Permit Raj 1947-1990
Licence Permit Raj 1947-1990
 
Companies Act, 2013
Companies Act, 2013 Companies Act, 2013
Companies Act, 2013
 
Negotiation and its strategies
Negotiation and its strategiesNegotiation and its strategies
Negotiation and its strategies
 
Voluntary organisations (VO)
Voluntary organisations (VO)Voluntary organisations (VO)
Voluntary organisations (VO)
 
Non Governmental Organisations (NGOs)
Non Governmental Organisations (NGOs)Non Governmental Organisations (NGOs)
Non Governmental Organisations (NGOs)
 
Civil Society Organisation (CSO)
Civil Society Organisation (CSO)Civil Society Organisation (CSO)
Civil Society Organisation (CSO)
 
Non Profitable Organisations (NGO'S)
Non Profitable Organisations (NGO'S)Non Profitable Organisations (NGO'S)
Non Profitable Organisations (NGO'S)
 
Corporate social responsibility
Corporate social responsibilityCorporate social responsibility
Corporate social responsibility
 
Team work
Team workTeam work
Team work
 
Process of communication
Process of communicationProcess of communication
Process of communication
 
Communication network of the organisation
Communication network of the organisationCommunication network of the organisation
Communication network of the organisation
 
De marketing
De marketingDe marketing
De marketing
 
Types of communication
Types of communicationTypes of communication
Types of communication
 
E-Business Applications
E-Business ApplicationsE-Business Applications
E-Business Applications
 
E - Business Introduction
E - Business IntroductionE - Business Introduction
E - Business Introduction
 
Controlling
ControllingControlling
Controlling
 
Planning
PlanningPlanning
Planning
 

Recently uploaded

THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1GloryAnnCastre1
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4JOYLYNSAMANIEGO
 
How to Manage Engineering to Order in Odoo 17
How to Manage Engineering to Order in Odoo 17How to Manage Engineering to Order in Odoo 17
How to Manage Engineering to Order in Odoo 17Celine George
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQuiz Club NITW
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxkarenfajardo43
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationdeepaannamalai16
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptxmary850239
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxMichelleTuguinay1
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmStan Meyer
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...MerlizValdezGeronimo
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxSayali Powar
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Developmentchesterberbo7
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Narcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfNarcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfPrerana Jadhav
 

Recently uploaded (20)

THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1
 
Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4Daily Lesson Plan in Mathematics Quarter 4
Daily Lesson Plan in Mathematics Quarter 4
 
How to Manage Engineering to Order in Odoo 17
How to Manage Engineering to Order in Odoo 17How to Manage Engineering to Order in Odoo 17
How to Manage Engineering to Order in Odoo 17
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentation
 
4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx4.11.24 Mass Incarceration and the New Jim Crow.pptx
4.11.24 Mass Incarceration and the New Jim Crow.pptx
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and Film
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"
 
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Development
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Narcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfNarcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdf
 

Security Threats in E-Commerce

  • 5. ESPIONAGE/TRESPASS:
   Broad category of activities that breach confidentiality: unauthorized accessing of information; shoulder surfing, which can occur at any place a person is accessing confidential information; competitive intelligence vs. espionage.
   Controls are implemented to mark the boundaries of an organization's virtual territory, giving notice to trespassers that they are encroaching on the organization's cyberspace.
   Hackers use skill, guile, or fraud to steal the property of someone else.
  • 6. NETWORK SECURITY GOALS:-
  • Confidentiality:- only the sender and the intended receiver should understand the message contents: the sender encrypts the message, the receiver decrypts it (privacy).
  • Integrity:- sender and receiver want to make sure that messages are not altered without detection.
  • Availability:- the service must be available to users (listed here in place of non-repudiation among the security services).
  • Authentication:- sender and receiver want to confirm the identity of each other.
  • Access control:- access to the service is controlled, so that it is accessible to the users who are entitled to it.
  • 7. Some key factors for success in E-commerce
   Providing value to customers
   Providing service and performance
   Look
   Advertising
   Personal attention
   Providing a sense of community
   Providing reliability and security
   Providing a 360-degree view of the customer relationship
  • 8. Security threats in the E-commerce environment
   Three key points of vulnerability:
  - client
  - server
  - communications channel
   Most common threats:-
  - malicious code
  - hacking and cyber vandalism
  - credit card fraud/theft
  - spoofing
  - denial of service attacks
  - sniffing
  - insider jobs
  • 9. E-COMMERCE THREATS
  What is an e-commerce threat? It means using the internet for unfair ends, with the intention of stealing, fraud or a security breach. There are various types of e-commerce threats: some are accidental, some are purposeful and some of them are due to human error. The most common threats are phishing attacks, money theft, data misuse, hacking, credit card fraud and unprotected services.
  1. Inaccurate management:- One of the main reasons for e-commerce threats is poor management. When security is not up to the mark it poses a very dangerous threat to the network and systems. Security threats also occur when no proper budget is allocated for the purchase of anti-virus software licences.
  2. Price manipulation:- Modern e-commerce systems often face price manipulation problems. These systems are fully automated right from the first visit to the final payment gateway, and stealing is the most common intention of price manipulation. It allows an intruder to slide or install a lower price into the URL and get away with all the data.
  • 10. 3. Snowshoe spam:- Spam is now something very common; almost every one of us deals with spam mails in our mail box. The spam message problem had actually been solved, but now it is turning out to be a not so general issue. The reason for this is the very nature of a spam message.
  4. Malicious threats:- These code threats typically involve viruses, worms and Trojan horses.
  - Viruses are normally external threats and can corrupt the files on the website if they find their way into the internal network. They can be very dangerous, as they can destroy computer systems completely and damage the normal working of the computer. A virus always needs a host, as viruses cannot spread by themselves.
  - Worms are very different from viruses and more serious. A worm places itself directly through the internet and can infect millions of computers in a matter of just a few hours.
  - A Trojan horse is programming code which can perform destructive functions. Trojans normally attack your computer when you download something, so always check the source of the downloaded file.
  5. Hacktivism:- The full form of hacktivism is hacking activism. At first it may seem that you should hardly be aware of this cyber threat; after all, it is a problem not directly related to you, so why should you be bothered at all? However, that is not the case. Firstly, hacktivists do not target only those associated with politics; the purpose can also be socially motivated. Hacktivism typically uses social media platforms to bring social issues to light. It can also include flooding an email address with so much traffic that it temporarily shuts down.
  • 11. 6. Wi-Fi eavesdropping:- It is also one of the easiest ways in e-commerce to steal personal data. It is like virtual listening to information which is shared over a Wi-Fi network that is not encrypted. It can happen on public as well as on personal computers.
  7. Other threats:- Some other threats include data packet sniffing, IP spoofing and port scanning. Data packet sniffers are also normally just called sniffers; an intruder can use a sniffer to attack data packets. With IP spoofing it is very difficult to track the attacker: the purpose here is to change the source address and give the packet such a look that it appears to have originated from another computer.
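Of the threats listed on slides 9 to 11, price manipulation is the one a shop's own code can defend against most directly: the server must never trust a price or total that arrives from the browser (in the URL or a hidden form field) and must recompute it from its own catalog. The Go program below is an added example written for this page, not code from the slides; the Catalog, LineItem, ServerTotal and CheckClaimedTotal names are this example's own, and the catalog and cart values are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Catalog is the server-side, authoritative price list (prices in cents).
// A real shop would load it from its product database; main() uses a
// constructed sample.
type Catalog map[string]int64

// LineItem is what the client is allowed to send: a SKU and a quantity.
// There is deliberately no price field; a client-supplied price (in a URL
// parameter or hidden form field) is exactly what price manipulation alters.
type LineItem struct {
	SKU string
	Qty int
}

var (
	ErrUnknownSKU    = errors.New("unknown SKU")
	ErrBadQuantity   = errors.New("quantity must be between 1 and 100")
	ErrTotalMismatch = errors.New("client total does not match server total")
)

// ServerTotal recomputes the order total from the catalog alone.
func ServerTotal(c Catalog, items []LineItem) (int64, error) {
	var total int64
	for _, it := range items {
		price, ok := c[it.SKU]
		if !ok {
			return 0, fmt.Errorf("%w: %q", ErrUnknownSKU, it.SKU)
		}
		if it.Qty < 1 || it.Qty > 100 {
			return 0, ErrBadQuantity
		}
		total += price * int64(it.Qty)
	}
	return total, nil
}

// CheckClaimedTotal compares the total the client claims (for example a
// value carried in the checkout URL) against the server's own figure.
// A mismatch is rejected so it can be logged for the fraud team; the
// client's value is never used to charge the customer.
func CheckClaimedTotal(c Catalog, items []LineItem, claimed int64) (int64, error) {
	total, err := ServerTotal(c, items)
	if err != nil {
		return 0, err
	}
	if claimed != total {
		return total, fmt.Errorf("%w: claimed %d, computed %d", ErrTotalMismatch, claimed, total)
	}
	return total, nil
}

func main() {
	// Constructed catalog and cart, not real products.
	catalog := Catalog{"SKU-100": 4999, "SKU-200": 1500}
	cart := []LineItem{{"SKU-100", 1}, {"SKU-200", 2}}

	// Honest checkout: the client total equals the server total (79.99).
	if total, err := CheckClaimedTotal(catalog, cart, 7999); err == nil {
		fmt.Printf("accepted, charge %d cents\n", total)
	}
	// Manipulated checkout: the URL was edited to claim a total of 1.00.
	if _, err := CheckClaimedTotal(catalog, cart, 100); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The same rule applies to any other client-controlled field that feeds a financial decision (discount codes, shipping fees, currency): look it up or recompute it on the server, and treat a mismatch as a signal worth alerting on rather than a rounding error.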
  • 12. ENCRYPTION
  What is encryption? The process of converting information or data into a code, especially to prevent unauthorized access. In computing, encryption is the method by which plaintext or any other type of data is converted from a readable form to an encoded version that can only be decoded by another entity if they have access to a decryption key.
  Definition:- Encryption is the process of using an algorithm to transform information to make it unreadable for unauthorized users. This cryptographic method protects sensitive data such as credit card numbers by encoding and transforming information into unreadable cipher text.
  • 13. How does encryption work:-
  • The encryption/decryption key is comparable with a normal password, the one you use for your email, for example. The key is an essential part of the process of encoding and decoding data.
  • Typically, a key is a random binary value or an actual passphrase. The key “tells” the algorithm what patterns it must follow in order to convert plaintext into ciphertext (and the other way around).
  • It almost goes without saying, but the key is a fundamental part of protecting the privacy of information, a message or a piece of data. The encryption and decryption process can only be initiated by using the key.
  • Because the algorithms are publicly available and can be accessed by anyone, once a hacker gets hold of the encryption key, the encrypted data can easily be decrypted to plaintext.
  Use of encryption:-
  • Encryption is used to protect data in transit sent from all sorts of devices across all sorts of networks, not just the internet; every time someone uses an ATM or buys something online with a smartphone, makes a mobile phone call or presses a key fob to unlock a car, encryption is used to protect the information being ...
  • 14. Advantages
   Encrypted data can’t be easily read
   Strong encryption may require years of work to decrypt without the key
  Disadvantages
   Encrypted files draw attention to their value
   If you lose the key you lose the data
   For large files strong encryption may take significant time to decrypt
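Slides 12 to 14 describe encryption in words; slide 6 asks for confidentiality and for integrity (no alteration without detection). The Go program below is an added example written for this page, not code from the slides, and shows both properties at once with AES-256-GCM from Go's standard library, a modern authenticated cipher chosen here in place of the DES the later slides name. The function names Encrypt, Decrypt, NewKey and TamperDetected are this example's own, and the message is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a random 256-bit key. In practice the key comes from a
// key-management system or a key exchange, never from a value in the code.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM under key.
// Output layout: nonce || ciphertext || tag. A fresh random nonce is
// drawn per call; reusing a nonce with the same key breaks GCM.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails if the key is wrong or if any byte
// of nonce, ciphertext or tag was altered: the GCM authentication tag is
// what gives the integrity guarantee, on top of confidentiality.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// TamperDetected flips one bit of the sealed data and reports whether
// Decrypt rejects the result, which it must.
func TamperDetected(key, data []byte) bool {
	if len(data) == 0 {
		return false
	}
	altered := append([]byte(nil), data...)
	altered[len(altered)-1] ^= 0x01
	_, err := Decrypt(key, altered)
	return err != nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample: a card field as it might sit in a checkout message.
	msg := []byte("card=TEST-CARD-0000;exp=12/27")
	ct, _ := Encrypt(key, msg)
	pt, _ := Decrypt(key, ct)
	fmt.Println("round trip ok:", string(pt) == string(msg))
	fmt.Println("tamper detected:", TamperDetected(key, ct))
	wrong, _ := NewKey()
	_, err := Decrypt(wrong, ct)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The point slide 13 makes about the key is visible in the last lines: the algorithm is public and the ciphertext carries everything except the key, so whoever holds the key reads the data, and whoever does not gets an error rather than a near-miss.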
  • 15. CRYPTOGRAPHY
  Definition:-
  • It is an ancient art and science of writing in secret messages.
  • Cryptography comes from the Greek words CRYPTO, meaning hiding, and GRAPHY, meaning writing.
  • It is the art of achieving security by encoding messages to make them non-readable.
  Technologies
   Encryption:- It is the process of transforming information so that it is unintelligible to anyone but the intended recipient.
   Decryption:- It is the process of transforming encrypted information so that it is intelligible again.
   Plaintext:- The message to be transmitted or stored.
  • 16.  Cipher text:- the disguised or encrypted message
   Algorithm:- the mathematical formula used for encryption and decryption
   Cipher:- the algorithm used for encryption and decryption
   Key:- the value used by the algorithm to encrypt and decrypt
  Types of cryptography:-
  Secret-key cryptography (symmetric key cryptography):- a single key is used for both encryption and decryption.
  Public key cryptography (asymmetric key cryptography):- uses one key for encryption and another for decryption.
  Hash function:- uses a mathematical transformation to irreversibly “encrypt” information.
  • 17. What are the three types of encryption
   Secret key (symmetric) encryption
  - relatively simple, first used by Julius Caesar
  - both users have a password
  - example:- DES
   Public key encryption
  - two keys involved, used on the internet
  - example:- PGP – PRETTY GOOD PRIVACY
   One way function
  - digital signature of certificate
  - Unix login
  • 18. Characteristics of cryptography:-
   The type of operations used for transforming plaintext to cipher text
   The number of keys used
   The way in which the plaintext is processed
  Applications of cryptography:-
   Key recovery:- a technology that allows a key to be revealed under certain circumstances without the owner of the key revealing it.
   Remote access:- passwords give a level of security for secure access.
   Cell phones:- prevent people from stealing cell phone numbers or access codes, or from eavesdropping.
   Access control:- regulate access to satellite and cable TV.
  • 19. Purpose of cryptography
   Authentication
   Privacy/confidentiality
   Integrity
   Non-repudiation
  Advantages
   It is faster
   During transmission the chance of the data being decrypted is nil
   Uses password authentication to prove the receiver’s identity
  Disadvantages
   Issue of key transportation
   It cannot provide a digital signature that cannot be repudiated
  • 20. Public key and private key
  What are public and private keys? Asymmetric cryptography, also known as public key cryptography, uses public and private keys to encrypt and decrypt data. One key in the pair can be shared with everyone; it is called the public key. The other key in the pair is kept secret; it is called the private key.
  How do private and public keys work? The distinguishing technique used in public key cryptography is the use of asymmetric key algorithms, where the key used by one party to perform encryption is not the same as the key used by the other party for decryption. Each user has a pair of cryptographic keys, a public encryption key and a private decryption key.
  • 21. Roles of private and public key
  Private key
  1. A private key is faster compared to a public key.
  2. The private key is symmetrical: actually there is only one key, the other is a copy of it.
  3. The private key is truly private and should be available only to the communicating parties.
  4. The two parties must have met before, at least to share the key.
  Public key
  1. Relatively slow to encrypt/decrypt.
  2. Asymmetrical.
  3. The public key can be made public; the private key is truly secret.
  4. The two parties need not have met; the two may be strangers, half way around the globe.
  • 22. Differences between public and private key
  Public key
  • For symmetric encryption, the same key is used to encrypt the message and to decrypt it. This key must be random, or cryptographically generated in a way that makes it look random. For public-key encryption, instead the recipient generates two keys together, a public encryption key and a private decryption key. The message is encrypted with the public key, and can only be decrypted with the private key. In practice, public-key encryption is almost always used to exchange a secret key between the parties. That way they only have to go through the complexity and computation of the public-key system once, at least until they forget the secret key (e.g., until you close your browser). Public-key encryption is slower and more complicated than symmetric encryption, but it’s also much more flexible. Consider connecting to your bank: you could theoretically use symmetric cryptography if you shared a key with your bank, for example by showing up to a branch in person and exchanging secret random numbers. Indeed, that’s basically what a SecurID token is: a shared secret between you and your bank. But it’s much easier to exchange those secret random numbers over the internet, encrypted with the bank’s public key.
  Private key
  • Private key and public key form a unique pair, which is normally indivisible. Both are prerequisites to encrypt and decrypt the information while transmitting between web browser and web server.
  • There are two types of mechanism in encryption algorithms, Symmetric Encryption and Asymmetric Encryption.
  • If you are using symmetric encryption technology, then you require only a private key for the encrypt and decrypt functionality. If you are using asymmetric encryption technology, then you need a unique pair of private key and public key to encrypt and decrypt the information.
  • The private key is stored inside the server to decrypt the information which comes from the browser in encrypted form. However, the information coming from the browser requires the public key to encrypt the data.
  • Both of the keys have different functionality, which depends on the encryption technology.
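Slides 15 to 17 name three types of cryptography (secret key, public key, one-way hash) and slides 20 to 22 explain that public-key encryption is mostly used to carry a secret key to the other side. The Go program below, an added example written for this page and not code from the slides, carries out exactly that exchange with RSA-OAEP and SHA-256 from Go's standard library (RSA-OAEP is this example's substitute for the PGP the slides mention). GenerateKeyPair, NewSessionKey, WrapSessionKey, UnwrapSessionKey, Fingerprint and KeysMatch are this example's own names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// label is the OAEP label; both sides must use the same value.
const label = "session-key"

// GenerateKeyPair makes the recipient's pair: the public half is
// published, the private half never leaves the recipient.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewSessionKey draws the random symmetric key that will protect the bulk
// of the traffic once both sides hold it: the "secret random numbers" the
// slide says are exchanged with the bank.
func NewSessionKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// WrapSessionKey encrypts the session key with the recipient's PUBLIC key
// (RSA-OAEP). Anyone can do this; only the private key holder can undo it.
func WrapSessionKey(pub *rsa.PublicKey, sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, []byte(label))
}

// UnwrapSessionKey recovers the session key with the PRIVATE key.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(label))
}

// Fingerprint is the slide's third type, the one-way hash function: the
// same input always gives the same digest, and the digest cannot be
// turned back into the input.
func Fingerprint(data []byte) [32]byte {
	return sha256.Sum256(data)
}

// KeysMatch compares two keys in constant time, so the comparison itself
// leaks nothing about where they differ.
func KeysMatch(a, b []byte) bool {
	return subtle.ConstantTimeCompare(a, b) == 1
}

func main() {
	bank, _ := GenerateKeyPair()   // the bank publishes &bank.PublicKey
	session, _ := NewSessionKey()  // the browser picks a session key
	wrapped, _ := WrapSessionKey(&bank.PublicKey, session)
	fmt.Printf("wrapped key: %d bytes, session key: %d bytes\n", len(wrapped), len(session))

	got, err := UnwrapSessionKey(bank, wrapped)
	fmt.Println("bank recovered the session key:", err == nil && KeysMatch(got, session))

	// Someone who captured the wrapped key but holds a different private key gets nothing.
	eavesdropper, _ := GenerateKeyPair()
	_, err = UnwrapSessionKey(eavesdropper, wrapped)
	fmt.Println("other private key fails:", err != nil)

	fmt.Printf("sha256(\"password\") = %x\n", Fingerprint([]byte("password")))
}
```

Once both sides hold the 32-byte session key, the rest of the conversation uses the fast symmetric cipher, which is the split the slide describes: the slow public-key operation happens once per session, the symmetric one per message.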
  • 23. Digital signature
  What is a digital signature? A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message.
   It is a mathematical scheme for demonstrating the authenticity of a digital message or document.
   Each signatory has their own paired public and private key.
   It consists of three algorithms:-
  1. A digital signature generation algorithm:-
   It consists of a (mathematical) digital signature scheme.
   It randomly produces a key pair (public and private).
  2. A signing algorithm:-
   Produces a signature.
  3. A digital signature verification algorithm:-
   It consists of a verification algorithm with a method for recovering data from the message.
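The three algorithms on slide 23 (key generation, signing, verification) map one-to-one onto the functions in the following Go program, an added example written for this page rather than code from the slides. It uses Ed25519 from Go's standard library; Signer, NewSigner, Verify, Envelope and Open are this example's own names, and the order messages are constructed samples. The Open function adds the check a practitioner cares about most: the signature is verified against a public key the receiver already trusts, never against a key that arrives with the message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signer holds one signatory's pair: the public half is shared with
// everyone who must verify, the private half never leaves the signer.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner is the key-generation algorithm: it randomly produces a pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign is the signing algorithm: it produces a signature over the message
// with the private key.
func (s *Signer) Sign(message []byte) []byte {
	return ed25519.Sign(s.private, message)
}

// Verify is the verification algorithm: it accepts only a signature made
// over exactly this message by the private key matching pub. The length
// check keeps a malformed key from panicking the verifier.
func Verify(pub ed25519.PublicKey, message, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, message, sig)
}

// Envelope is a message and its signature as they travel together.
type Envelope struct {
	Message   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("signature does not verify under the trusted key")

// Open releases the message only if it verifies under a public key the
// receiver already trusts (obtained out of band or from a certificate).
// A key shipped inside the envelope would prove nothing, since a forger
// could ship their own.
func Open(env Envelope, trusted ed25519.PublicKey) ([]byte, error) {
	if !Verify(trusted, env.Message, env.Signature) {
		return nil, ErrBadSignature
	}
	return env.Message, nil
}

func main() {
	merchant, _ := NewSigner()
	order := []byte("order 1001: ship 2 x SKU-200 to customer 77") // constructed
	env := Envelope{Message: order, Signature: merchant.Sign(order)}
	msg, err := Open(env, merchant.Public)
	fmt.Printf("genuine: %q err=%v\n", msg, err)

	// The message was altered in transit; the old signature no longer fits.
	forged := Envelope{Message: []byte("order 1001: ship 200 x SKU-200 to customer 77"), Signature: env.Signature}
	_, err = Open(forged, merchant.Public)
	fmt.Println("altered message:", err)

	// Someone else signed a valid-looking order with their own key.
	impostor, _ := NewSigner()
	_, err = Open(Envelope{Message: order, Signature: impostor.Sign(order)}, merchant.Public)
	fmt.Println("signed by impostor:", err)
}
```

Both failure cases return the same ErrBadSignature, which is the right shape for a receiver: it does not need to know whether the message or the key was wrong, only that the envelope must not be acted on.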
  • 24. ADVANTAGES OF DIGITAL SIGNATURE
  • Impostor prevention
  • Message integrity
  • Legal requirement
  DISADVANTAGES OF DIGITAL SIGNATURE
  • Digital signature involves the primary avenue for any business is month.
  Requirements while you apply for a digital signature certificate
  1. Submission of the DSC application form, duly filled in by the applicant. Any individual applying for a Digital Signature Certificate is required to fill in an application form for online submission and verification of personal details by the certifying authority.
  2. Producing photo ID proof
  3. Producing address proof
  Steps to apply for a digital signature certificate
  • STEP 1: Log on and select your type of entity. ...
  • STEP 2: Fill in the necessary details. ...
  • STEP 3: Proof of identity and address. ...
  • STEP 4: Payment for DSC. ...
  • STEP 5: Post the documents required.
  • 25. DIGITAL CERTIFICATES
  WHAT IS A DIGITAL CERTIFICATE:- A digital certificate is an electronic “password” that allows a person or organization to exchange data securely over the internet using the public key infrastructure (PKI). A digital certificate is also known as a public key certificate or identity certificate.
  DEFINITION:- A digital certificate authenticates the web credentials of the sender and lets the recipient of an encrypted message know that the data is from a trusted source, or from a sender who claims to be one.
  TYPES OF DIGITAL CERTIFICATES:- There are three types:
  1. Secure Socket Layer certificates (SSL)
  2. Software signing (CODE SIGNING CERTIFICATES)
  3. Client certificates (DIGITAL ID)
  • 26.
  • Secure Socket Layer: Secure Socket Layer [SSL] server certificates are installed on a server. This can be a server that hosts a website like www.digi-sign.com, a mail server, a directory or LDAP server, or any other type of server that needs to be authenticated, or that wants to send and receive encrypted data. To automate the entire life cycle of your SSL environment, see the Automated & Authenticated Certificate Delivery™ System.
  • Code Signing Certificate: Code signing certificates are used to sign software or programmed code that is downloaded over the Internet. It is the digital equivalent of the shrink-wrap or hologram seal used in the real world to authenticate software and assure the user it is genuine and actually comes from the software publisher that it claims.
  • Client Certificate: Client certificates or Digital IDs are used to identify one person to another, a person to a device or gateway, or one device to another device. Client certificates are issued in their thousands and millions each year and would be the principal reason for purchasing a CA. Two people communicating by email will use a client certificate to authenticate or digitally sign their respective communications; this signature will assure each person that the email is genuine and comes from the other person. A person that is given access to a secure online service like a database, an extranet or intranet will be authenticated to the gateway or entry point using a client certificate. This type of strong two-factor authentication replaces the less secure usernames and passwords currently in use on many websites. If two routers or a Virtual Private Network [VPN] connection need to authenticate each other, a client certificate can be used and exchanged to prove the connection is trusted. This type of client authentication occurs deep within the application and is not usually visible to the end user. This type of device-to-device authentication often uses a particular IPSec client certificate. Also, bespoke applications and hardware seeking to utilize IP technology securely can use digital certificates to authenticate the application and/or for device-to-device authentication.
• 27. Advantages of digital certificates:-
• Online banking advantages: Many businesses rely on digital certificates for banking procedures. For example, a human services organization that distributes customer incentive checks uses a digital certificate to validate each instrument. Each time a check is created, a designated user employs an identifiable computer to upload and manage each check prior to distribution. This alerts the bank to the amount and number of each check. In addition, the digital certificate protects against fraud by assuring the party receiving the information that you are not an impostor. Online banking as we know it would not be possible without digital certificates: the bank's server certificate is what lets the customer's browser confirm it is talking to the bank and not to a look-alike site. According to Bank of America, transactions cannot take place until the digital certificate has been verified.
• Legal advantages: Digital certificates and signatures provide protection in legally binding situations. When sending email to a bank, for example, a digital signature verifies that the message came from you and was not altered in transit. When agreeing to legally binding requirements, digital certificates protect you from an impostor acting in your name. In addition, a digital signature gives non-repudiation of origin: the signer cannot later credibly deny having signed the document. (Proof that the recipient received it needs a separate signed acknowledgement; a signature on its own does not provide it.)
Disadvantages of digital certificates:-
• Financial disadvantages: Businesses must obtain digital certificates from certification authorities. A certificate authority acts as a third-party issuer whose signature is what makes the certificate accepted by browsers and other relying parties. Commercial CAs sell certificates for a fixed validity period, so the cost recurs at every renewal, and multiple certificates for different sites or purposes can become a costly endeavour. (Domain-validated server certificates are also issued free of charge by Let's Encrypt, so cost is mainly a factor for OV/EV certificates and for code signing.)
• Technological disadvantages: When considering digital certificates, you need to factor in many areas of existing technology. According to The Institute of Internal Auditors, "auditors should recommend that senior and IT managers consider the tool's ease of use, integration with the existing software platform, the company's product architecture, the security of the tool (e.g., the strength of the algorithm used), vendor support, cost, and future flexibility before deciding which tool to implement." In addition, building a platform that accepts all digital certificates is a difficult undertaking, and human carelessness may compromise the safety of the private key or of login credentials.
• 28. SECURITY PROTOCOL OVER PUBLIC NETWORK
INTRODUCTION:- Network security protocols are a type of network protocol that ensures the confidentiality and integrity of data in transit over a network connection. They define the processes and methodology used to secure network data from any illegitimate attempt to read or extract its contents.
DEFINITION:- A VPN is a private data network that makes use of the public telecommunication infrastructure, such as the Internet, by adding security procedures over the insecure communication channels. The private traffic is wrapped inside a tunnelling protocol (IPsec, or a TLS-based protocol such as OpenVPN) that encrypts and authenticates each packet before it crosses the public network and unwraps it at the far end.
• 29. Types
• Application Security: Application security matters because no application is written perfectly. Any application may contain vulnerabilities, or holes, that attackers use to enter your network. Application security encompasses the software, hardware and processes you select for closing those holes.
• Behavioral Analytics: To detect abnormal network behaviour, you first have to know what normal behaviour looks like. Behavioral analytics tools automatically flag activity that deviates from the norm, so the security team can detect indicators of compromise and remediate threats quickly.
• Data Loss Prevention (DLP): Organizations need to ensure that staff do not send sensitive information outside the network. DLP technologies are network security measures that prevent people from uploading, forwarding or even printing sensitive information in an unsafe manner.
• Email Security: Email is the number one threat vector for a security breach. Attackers use social engineering tactics and personal information to build convincing phishing campaigns that deceive recipients and send them to sites serving malware. An email security gateway blocks incoming attacks and controls outbound messages to prevent the loss of sensitive data.
• Firewalls: Firewalls place a barrier between your trusted internal network and untrusted outside networks such as the Internet. A set of defined rules is used to block or allow traffic. A firewall can be software, hardware, or both.
• 30. • Mobile Device Security: Mobile devices and apps are increasingly targeted by cybercriminals. 90% of IT organizations could very soon support corporate applications on personal mobile devices, so you need to control which devices can access your network and to configure their connections to keep network traffic private.
• Network Segmentation: Software-defined segmentation places network traffic into distinct classifications and makes enforcing security policies much easier. The classifications are ideally based on endpoint identity, not just IP addresses. Access rights can be assigned based on location, role and more, so that the right people get the correct level of access and suspicious devices are contained and remediated.
• Security Information and Event Management (SIEM): SIEM products bring together the information your security staff need to identify and respond to threats. They are available in different forms, including virtual and physical appliances and server software.
• Virtual Private Network (VPN): A VPN encrypts the connection from an endpoint to a network, usually over the Internet. A remote-access VPN typically uses IPsec or TLS (historically SSL) to authenticate the device to the network and encrypt the traffic between them.
• Web Security: A web security solution helps control your staff's web use, denying access to malicious websites, and blocking
• Wireless Security: The mobile office movement is gaining momentum along with wireless networks and access points. Wireless networks are not as secure as wired ones, which gives attackers a way in, so wireless security has to be strong. Without stringent security measures, installing a wireless LAN is like placing Ethernet ports everywhere, including outside the building. Products specifically designed to protect a wireless network have to be used to prevent an exploit from taking place.
• 31. Advantages of Network Security
• Protects data: As discussed, network security keeps a check on unauthorized access. A network holds a lot of confidential data, such as personal client data, and anybody who breaks into the network can read or tamper with it. Network security has to be in place to protect that data.
• Prevents cyber attacks: Most attacks on a network arrive from the Internet, whether from skilled attackers or from malware. Left unchecked, they can do what they like with the information held on the network. Network security controls stop these attacks before they damage the computers.
• Levels of access: Security software gives different levels of access to different users. Authentication of the user is followed by authorization, where the software checks whether that user is permitted to access a particular resource. You may have seen shared documents protected by a password for this reason. The system knows exactly which resources are accessible to whom.
• Centrally controlled: Unlike desktop security software that each user configures (and can switch off), network security is managed centrally by the network administrator. Policy is applied consistently, and an attacker cannot disable protection simply by compromising one user's machine.
• Centralized updates: Anti-virus software must be updated on time; an old version may not protect you against current attacks. It is not guaranteed that every user of the network does this religiously. A centralized network security system pushes timely updates without depending on the individual users.
• 32. Disadvantages of Network Security
Network security is a real boon to users, ensuring the security of their data. While it has many advantages, it also has some disadvantages. Let us discuss some of them.
• Costly set-up: Setting up a network security system can be expensive. Purchasing the software, installing it and so on becomes costly, especially for smaller networks. We are not talking about a single computer but a network of computers storing large amounts of data, so security, being of prime importance, will definitely cost more. It cannot be ignored at any cost!
• Time consuming: Some security software is cumbersome to work with. It may require two-factor authentication every time you edit a document and insist on unique passwords containing numbers, special characters and letters. Users may have to try a number of candidate passwords before one is accepted, which takes time.
• Requires skilled staff: Managing a large network is not an easy task. It requires highly skilled technicians who can handle any security issue that arises. A network administrator must be employed to ensure the smooth working of the network and must be adequately trained for the job.
• Careless admin: Even when the best software is installed and everything required has been done, it is natural for an administrator to be careless at times. It is the administrator's job to check the logs regularly for malicious activity. But sometimes the administrator simply trusts the system, and that is when the attack happens. It is therefore very important that the administrator remains vigilant at all times.
• 33. HTTP Protocol:- A protocol is a standard procedure for defining and regulating communication, for example TCP, UDP or HTTP. Hypertext Transfer Protocol, better known to millions of Web surfers as HTTP, was invented in 1990 by Tim Berners-Lee at the CERN laboratories in Geneva, Switzerland. Today it is the foundation of the World Wide Web and carries the Hypertext Markup Language (HTML). Three versions of HTTP were developed in the protocol's first decade: 0.9, 1.0 and 1.1. Both 1.0 and 1.1 are in common use today; HTTP/2 (2015) and HTTP/3 have since been standardised and keep the same request/response semantics.
HYPERTEXT TRANSFER PROTOCOL:-
• HTTP provides a standard for web browsers and servers to communicate.
• HTTP is the foundation of data communication for the WWW.
• HTTP is an application-layer protocol; HTTP/1.x is carried over TCP.
• HTTP clients and servers communicate via HTTP request and response messages.
• Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text.
• HTTP is the protocol used to exchange or transfer hypertext.
• HTTP is called a "stateless protocol" because each request is handled independently, without any knowledge of the requests that came before it.
• E.g. when you enter a URL in your browser, the browser sends an HTTP request to the web server directing it to fetch and transmit the requested web page.
• There are two major versions in the 1.x family: HTTP/1.0 and HTTP/1.1.
• 34. HTTP CHARACTERISTICS:-
• Request/response mechanism: a transaction is initiated by a client sending a request to the server; the server generates a response.
• Resource identification: each HTTP request includes a URI (Uniform Resource Identifier).
• Statelessness: the server does not maintain any information about the transaction once the response has been sent.
• Metadata support: metadata about the content being transferred is exchanged in the message headers.
HOW HTTP WORKS:-
• HTTP is implemented in two programs, a client program and a server program, executing on different end systems, which talk to each other by exchanging HTTP messages.
• The HTTP client first initiates a TCP connection with the server. Once the connection is established, the browser and server processes access TCP through their socket interfaces.
• 36. HTTP REQUEST METHODS
• The first line of an HTTP request message is called the request line; the subsequent lines are called the header lines. The request line has three fields: the method field, the URL field and the HTTP version field. The method field can take several different values, including GET, POST, HEAD, PUT and DELETE. The great majority of HTTP request messages use the GET method, which is used when the browser requests an object identified in the URL field.
• GET: retrieve the document identified by the URL.
• HEAD: retrieve only the meta-information (headers) about the document identified by the URL.
• DELETE: delete the resource at the specified URL.
• OPTIONS: request information about the options available for the resource.
• PUT: store the document under the specified URL.
• POST: submit data to the server for processing.
• TRACE: loopback of the request message, so the client can see what the server received; it should be disabled on production servers because it can expose headers such as cookies.
• CONNECT: ask a proxy to open a tunnel to the target host.
• A server should accept only the methods it actually needs; PUT, DELETE and TRACE should be explicitly disabled on a public web server that does not use them.
• 38. ADVANTAGES:-
• Platform independent: allows straightforward cross-platform porting.
• No runtime support required to run properly.
• Usable through firewalls, so global applications are possible.
• Stateless: the server keeps no session state between requests, although HTTP/1.x still rides on a TCP connection.
• Ease of programming: HTTP is coded in plain text and is therefore easier to follow and implement than protocols that use codes requiring lookups.
• Flexibility.
LIMITATIONS:-
• Privacy: anyone on the path can see the content.
• Integrity: someone on the path might alter the content. HTTP is insecure because no encryption is used, so it is subject to man-in-the-middle attacks and eavesdropping on sensitive information.
• Authentication: it is not clear who you are talking to. Credentials are sent in the clear; anyone who intercepts the request can determine the username and password being used (HTTP Basic authentication merely base64-encodes them).
• Information sent via HTTP is not encrypted and can pose a threat to your privacy.
• HTTP headers are verbose plain text, so each message carries more overhead than a binary protocol.
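As an added illustration of the request line, the header lines (slide 36) and the "authentication is sent in the clear" limitation above (this is example code written for this page, not part of the original slides), the following Go program parses a constructed HTTP/1.1 request the way a server does, applies a method allow-list, and recovers the Basic-authentication credentials with nothing but base64 decoding. The hostname, path, credentials and the choice of allowed methods are all assumptions made for the example.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// RequestSummary holds what anyone on the network path can read from a
// plaintext HTTP request: there is no encryption to strip away first.
type RequestSummary struct {
	Method   string
	Path     string
	Proto    string
	Host     string
	Headers  map[string]string
	Username string // filled in when an Authorization: Basic header is present
	Password string
	HasCreds bool
}

// allowedMethods is the allow-list a hardened server enforces; TRACE and CONNECT
// are deliberately absent (an assumption of this example, not a universal rule).
var allowedMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "DELETE": true, "OPTIONS": true,
}

// ParseRequest parses the request line and header lines exactly as a server would,
// rejects methods outside the allow-list, and shows that Basic credentials are only
// base64-encoded, so an eavesdropper recovers them with no key at all.
func ParseRequest(raw string) (*RequestSummary, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, fmt.Errorf("malformed request: %w", err)
	}
	if !allowedMethods[req.Method] {
		return nil, fmt.Errorf("method %s is not allowed", req.Method)
	}
	s := &RequestSummary{
		Method:  req.Method,
		Path:    req.URL.RequestURI(),
		Proto:   req.Proto,
		Host:    req.Host,
		Headers: map[string]string{},
	}
	for name, values := range req.Header {
		s.Headers[name] = strings.Join(values, ", ")
	}
	// BasicAuth only base64-decodes "user:password": no secret is involved.
	if user, pass, ok := req.BasicAuth(); ok {
		s.Username, s.Password, s.HasCreds = user, pass, true
	}
	return s, nil
}

// CapturedLogin is a constructed request, as it would appear in a packet capture
// of a plain-HTTP login using Basic authentication (the credentials are made up).
var CapturedLogin = "GET /account?id=42 HTTP/1.1\r\n" +
	"Host: shop.example\r\n" +
	"Authorization: Basic " + base64.StdEncoding.EncodeToString([]byte("alice:s3cr3t")) + "\r\n" +
	"User-Agent: demo-browser\r\n" +
	"\r\n"

// CapturedTrace is a constructed TRACE request of the kind a hardened server refuses.
var CapturedTrace = "TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n"

func main() {
	s, err := ParseRequest(CapturedLogin)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s %s %s (Host: %s)\n", s.Method, s.Path, s.Proto, s.Host)
	if s.HasCreds {
		fmt.Printf("credentials visible on the wire: %s / %s\n", s.Username, s.Password)
	}
	if _, err := ParseRequest(CapturedTrace); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The point of the example is the `BasicAuth` call: the server needs no key to read the password, and neither does anyone else who captures the request. Over HTTPS the same header is still sent, but inside the TLS record layer where only the two endpoints can read it.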
• 39. SECURE SOCKETS LAYER
INTRODUCTION:- SSL (Secure Sockets Layer) is the security protocol for establishing encrypted links between a web server and a browser in online communication. Its successor is TLS (Transport Layer Security), which is what browsers actually negotiate today; the name "SSL" survives in everyday usage and in "SSL certificate". The use of SSL/TLS ensures that all data transmitted between the web server and the browser remains encrypted and cannot be altered in transit without detection.
DEFINITION:- An SSL certificate is necessary to create an SSL connection. When you activate SSL on your web server you provide details of the identity of your website and your company. A key pair is generated: a Private Key, which stays on the server and is never shared, and a Public Key, which is placed in the certificate together with your identity and signed by the CA.
What is SSL used for?
• The SSL protocol is used by millions of online businesses to protect their customers, ensuring their online transactions remain confidential. A web page should use encryption whenever it expects users to submit confidential data, including personal information, passwords or credit card details. All web browsers can interact with secured sites so long as the site's certificate is issued by a trusted CA.
• 40. Who issues SSL certificates?
A certificate authority or certification authority (CA) issues SSL certificates. On receiving an application, the CA verifies that the applicant controls the domain named in the certificate; for organization-validated (OV) and extended-validation (EV) certificates it additionally confirms the legal identity of the enterprise seeking the certificate. The issued SSL certificate is chained to a "trusted root" certificate owned by the CA, usually through one or more intermediate CA certificates. Popular browsers such as Firefox, Chrome, Internet Explorer and Microsoft Edge have these root certificates embedded in their certificate store. Only if a website certificate chains to a root in that store, is valid for the current date, and names the host being visited will the browser allow a trusted HTTPS connection. If the certificate does not chain to a trusted root, the browser displays a warning that the connection is not trusted.
• 41. Certificate Types
• Single Domain Certificates: A single domain certificate allows a customer to secure one Fully Qualified Domain Name on a single certificate. For example, a certificate purchased for www.domain.com will secure any and all pages on www.domain.com/ (but not domain.com without the www, unless the CA adds that as an extra name). Single domain certificates are available in DV, OV and EV variants at a variety of price points and warranty levels. The straightforward nature of the single domain certificate makes it ideal for small to medium-sized businesses managing a limited number of websites. Businesses that operate, or anticipate operating, multiple websites may benefit from the added flexibility, convenience and savings offered by wildcard or multi-domain certificates.
• Examples: Instant SSL, Instant SSL Pro, Instant SSL Premium
• Wildcard SSL Certificate: A wildcard certificate allows a business to secure a single domain and an unlimited number of sub-domains of that domain. For example, a wildcard certificate for '*.domain.com' can be used to secure 'payments.domain.com', 'login.domain.com', 'anything-else.domain.com' and so on, and automatically covers any sub-domains the business adds in the future. Two caveats: the wildcard matches exactly one label, so it covers neither 'a.b.domain.com' nor the bare 'domain.com' (CAs usually add the bare domain as a second name), and because one private key protects every sub-domain, compromise of any one server exposes them all. Wildcard certificates simplify management by reducing the number of certificates that need to be tracked, and for growing online businesses they are a flexible, cost-effective alternative to multiple single-certificate purchases.
• Example: Comodo Premium SSL Wildcard
• 42. Multi-Domain SSL Certificate
As the name suggests, a multi-domain certificate (MDC) allows website owners to secure multiple, distinct domains on one certificate. For example, a single MDC can be used to secure domain-1.com, domain-2.com, domain-3.co.uk, domain-4.net and so on; an MDC will allow you to secure up to 100 different domains (or wildcard domains) on a single certificate, and customers can add or remove domains at any time (each change means reissuing the certificate). This simplifies SSL management because administrators need only keep track of a single certificate with a unified expiry date for all domains instead of keeping tabs on multiple certificates. MDCs usually represent a cost saving over the price of individual certificates. Note that every name on the certificate is visible to anyone who connects to any of them, which may disclose related brands or internal hostnames.
Examples: Comodo Multi-Domain Certificate, Comodo EV Multi-Domain Certificate
Unified Communications Certificate (UCC): Unified Communications Certificates are specifically designed to secure Microsoft® Exchange and Office Communications environments. UC certificates use the Subject Alternative Name (SAN) field to include up to 100 domains on a single certificate, eliminating the need for a separate IP address per hostname that was otherwise required before Server Name Indication (SNI) was widely supported. UC certificates also support the Microsoft Exchange Autodiscover service, which greatly eases client administration. As with MDCs, a single UCC can greatly reduce SSL management duties while allowing customers to realise cost savings over individual purchases.
Examples: Comodo Unified Communications Certificates
• 43. The Benefits of SSL Certificates
SSL is a simple yet secure channel for transmitting data. It is valuable to both customers and businesses considering the level of security it brings to their online transactions.
• Keep out the attackers: You have to be extremely cautious about phishing sites. These are near-perfect replicas of an original, authentic site and use many techniques to lure you into providing your sensitive information. What SSL gives you is proof that the site you reached really is the domain in the address bar: a phishing site cannot obtain a certificate for your domain name, so a user who checks the name in the certificate will not be fooled. (A phishing site can still obtain a domain-validated certificate for its own look-alike domain, so a padlock alone does not mean "genuine".) An SSL certificate also protects your website from eavesdropping, man-in-the-middle and sniffing attacks.
• Boost ranking and increase brand value: In 2014 Google added HTTPS as a ranking signal. If your website is secured with an SSL certificate and its URL starts with https, you get a ranking advantage in search results.
• Using SSL improves the perception that users have of your brand. When your site presents a certificate signed by a trusted third party, customers can confirm they are on a valid and trusted site. They will be less worried about security issues and engage with you more readily.
• Secure payments for safe shopping: No one should send credit card information over a plain HTTP website. The PCI DSS standard set by the payment card industry requires strong cryptography (in practice TLS) for cardholder data in transit, so a business site needs an SSL certificate to be compliant.
• Without SSL, business sites cannot expect a single successful credit card transaction. By implementing SSL, visitors will find your website more trustworthy and experience secure shopping over HTTPS.
• 44. Build trust with extended validation
• Customers are becoming more and more security aware. As a lot of sensitive information, such as bank passwords and personal details, is exchanged with cloud platforms, a secure authentication mechanism must be provided to ensure data protection.
• SSL achieves this through the server certificate itself: it carries the identity the CA verified, and it helps the customer confirm whether you are really who you claim to be.
• CAs follow different validation processes to check your business's bona fides, depending on which certificate you choose: domain validation, organization validation or extended validation. A domain validation (DV) certificate verifies only control of the domain; an organization validation (OV) certificate also validates the organisation behind it; an extended validation (EV) certificate confirms the business's legal existence and trustworthiness by examining legal documents. Browsers used to display EV certificates with a green bar showing the company name; current versions of Chrome and Firefox no longer show this indicator, so the extra assurance is now mainly visible to users who inspect the certificate.
• Strong encryption to secure information
• All information transferred over an SSL connection is encrypted, so an interceptor without the keys cannot decipher it.
• Certificates issued by CAs today carry RSA or ECC (ECDSA) public keys, with DSA no longer in use, and are signed using SHA-256. The connection itself is protected by a symmetric cipher such as AES negotiated during the handshake (SHA-256 is a hash function, not an encryption algorithm). When credit card data and other private information travels between the web server and the user's browser, this encryption leaves no opening for an attacker to sniff the data in transit, so the information reaches only the intended parties.
• 45. The Pros: reasons why your website must have SSL
• The obvious benefit of SSL encryption is that your website traffic is safe from third-party interception or tampering. The connection between the web browser and the server remains intact end to end.
• There are also a number of other benefits that make it compelling to invest in SSL certificates.
Improves trust
• A study by Bizrate found that a majority of US customers are reluctant to conduct online transactions because of credit card and privacy concerns.
• With HTTPS, such hesitation to shop and pay online can be reduced. Studies have shown that displaying trust seals in online shops significantly improves conversion rates.
• Customers find it easier to share payment details and private information such as name, location and address when the connection is encrypted.
Ensures data integrity
• SSL guarantees that data cannot be altered undetected while it travels between browser and server. It protects data in transit only: it does nothing for data stored on the server. The large retailer breaches of recent years (eBay, Home Depot and Target among them) were not caused by a lack of HTTPS; they involved compromise of internal systems, which HTTPS does not address. Online retailers need SSL for the integrity of the connection and separate controls for the integrity of stored data.
Boosts SEO ranking
• As noted above, Google uses HTTPS as a search engine ranking signal. The search engine believes this is necessary to cultivate a web culture where the data security of users is protected. Since 2018 Chrome has labelled pages served over plain HTTP as "Not secure".
• In other words, if your website is HTTPS-enabled, you will be given preference over websites that are not secure.
Establishes identity
• Extended Validation (EV) SSL certificates establish the legal ownership of a website. They give visitors the assurance that the website they are visiting is indeed owned by the said organization.
• 46. The Cons: reasons why you may not want an SSL certificate
They cost money
• Let us face the hard truth: SSL encryption that guards your website against data security threats costs money, at least for OV and EV certificates (domain-validated certificates are available free of charge from Let's Encrypt). Considering the SEO ranking, security and customer trust it delivers, the cost should not be a cause for concern.
Technical complications
• Although SSL configuration is fairly simple for a technical person, it can be complex for others. Especially with multi-domain certificates there is a real chance of error, and a certificate warning will scare away visitors. Serving every page over HTTPS, with no mixed content and working redirects from http to https, is not trivial and requires expertise.
Mobile configuration is not easy
• SSL certificates were primarily intended for website security, and mobile devices may not have been considered. As mobile use has grown, so have the complications: older mobile devices may lack newer root certificates or TLS versions, so the certificate chain has to be tested on the devices your customers actually use. Website owners may have to use third-party applications or build in-house applications to keep websites working on mobile devices.
• 47. FIREWALL AS A SECURITY CONTROL
INTRODUCTION:- A firewall is a system designed to prevent unauthorized access to or from a private network. It can be implemented in hardware, in software, or as a combination of both. Firewalls prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets.
How firewalls work:- A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet is flagged by the filters, it is not allowed through. Equally, a firewall can filter outbound traffic, which is what stops malware on an internal machine from calling home.
• 48. TYPES
Packet filtering firewalls
• This, the original type of firewall, operates inline at junction points where devices such as routers and switches do their work.
• This firewall doesn't route packets itself; instead it compares each packet received against a set of established criteria, such as the allowed IP addresses, protocol, port number and so on. Packets that are flagged as troublesome are, generally speaking, unceremoniously dropped: they are not forwarded and thus cease to exist.
Circuit-level gateways
• Using another relatively quick way to identify malicious content, these devices monitor the TCP handshakes across the network as they are established between local and remote hosts, to determine whether the session being initiated is legitimate, that is, whether the remote system is considered trusted. They don't inspect the packet contents themselves.
Stateful inspection firewalls
• State-aware devices not only examine each packet but also keep track of whether or not that packet is part of an established TCP session. This offers more security than either packet filtering or circuit monitoring alone, but at a greater cost in network performance.
• A further variant of stateful inspection is the multilayer inspection firewall, which considers the flow of transactions in process across multiple layers of the ISO Open Systems Interconnection seven-layer model.
Application-level gateways
• This kind of device, technically a proxy and sometimes referred to as a proxy firewall, combines some of the attributes of packet filtering firewalls with those of circuit-level gateways. They filter packets not only according to the service for which they are intended, as specified by the destination port, but also by other characteristics such as the HTTP request string.
• While gateways that filter at the application layer provide considerable data security, they can dramatically affect network performance.
• 49. Next-gen firewalls
• This looser category is the most recent, and least well delineated, of the types of firewall. A typical next-gen product combines packet inspection with stateful inspection, but also includes some variety of deep packet inspection, together with features such as application identification and integrated intrusion prevention.
Firewall rule actions
Firewall rules can take the following actions (the semantics below are those of a host firewall with an integrated intrusion prevention module):
• Allow: explicitly allows traffic that matches the rule to pass; once any Allow rule exists, everything not explicitly allowed is implicitly denied.
• Bypass: allows traffic to bypass both the firewall and intrusion prevention analysis. Use this setting for media-intensive protocols or for traffic from trusted sources. A Bypass rule can be based on IP address, port, traffic direction and protocol. Because nothing downstream sees bypassed traffic, keep such rules as narrow as possible.
• Deny: explicitly blocks traffic that matches the rule.
• Force Allow: forcibly allows traffic that would otherwise be denied by other rules. Traffic permitted by a Force Allow rule is still subject to analysis by the intrusion prevention module.
• Log only: the traffic is only logged; no other action is taken.
More about Allow rules
Allow rules have two functions:
• Permit traffic that is explicitly allowed.
• Implicitly deny all other traffic.
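The rule actions above are easiest to understand by running them. The following Go program is an added example written for this page, not code from any firewall product: it implements a stateless packet filter of the kind described in slide 48 with exactly the five actions listed, ranks matching rules by action precedence (Bypass, then Force Allow, then Deny, then Allow), applies the implicit deny as soon as an Allow rule exists, and reports whether the packet would still reach intrusion prevention. The sample policy, the addresses and the permissive default used when no Allow rule is configured are assumptions made for the example; traffic direction is left out for brevity.

```go
package main

import (
	"fmt"
	"net"
)

// Action is a firewall rule action. The constant order is also the precedence used by
// Decide: bypass beats force-allow, which beats deny, which beats allow.
type Action int

const (
	Bypass     Action = iota // skips both the firewall and intrusion prevention
	ForceAllow               // overrides a Deny; the packet is still inspected
	Deny
	Allow   // once any Allow rule exists, everything else is implicitly denied
	LogOnly // records the match and never changes the verdict
)

func (a Action) String() string {
	return [...]string{"bypass", "force-allow", "deny", "allow", "log-only"}[a]
}

// Packet holds the header fields a packet filter looks at.
type Packet struct {
	Proto    string // "tcp", "udp", "icmp"
	Src, Dst net.IP
	DstPort  int
}

// Rule matches on protocol, source/destination network and destination port;
// a zero value (""/nil/0) means "any".
type Rule struct {
	Name     string
	Action   Action
	Proto    string
	Src, Dst *net.IPNet
	DstPort  int
}

func (r Rule) Matches(p Packet) bool {
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if (r.Src != nil && !r.Src.Contains(p.Src)) || (r.Dst != nil && !r.Dst.Contains(p.Dst)) {
		return false
	}
	return r.DstPort == 0 || r.DstPort == p.DstPort
}

// Verdict is the outcome for one packet.
type Verdict struct {
	Action  Action
	Inspect bool     // true when the packet still goes to the intrusion prevention module
	Reason  string   // the deciding rule, or "implicit deny"
	Logged  []string // log-only rules that matched
}

// Decide evaluates every rule and ranks the matches by action precedence, so the
// position of a rule in the list does not matter.
func Decide(rules []Rule, p Packet) Verdict {
	v := Verdict{}
	haveAllow := false
	var matched []Rule
	for _, r := range rules {
		haveAllow = haveAllow || r.Action == Allow
		if !r.Matches(p) {
			continue
		}
		if r.Action == LogOnly {
			v.Logged = append(v.Logged, r.Name)
		} else {
			matched = append(matched, r)
		}
	}
	for _, want := range []Action{Bypass, ForceAllow, Deny, Allow} {
		for _, r := range matched {
			if r.Action == want {
				v.Action, v.Reason = want, r.Name
				v.Inspect = want == ForceAllow || want == Allow
				return v
			}
		}
	}
	if haveAllow { // an Allow rule exists, so unmatched traffic is dropped
		v.Action, v.Reason = Deny, "implicit deny"
		return v
	}
	// No Allow rule at all: assumed permissive default, the packet passes to inspection.
	v.Action, v.Reason, v.Inspect = Allow, "no allow rules configured", true
	return v
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// SampleRules is a constructed policy for a web shop on 10.0.0.0/24.
func SampleRules() []Rule {
	return []Rule{
		{Name: "allow-https", Action: Allow, Proto: "tcp", Dst: cidr("10.0.0.0/24"), DstPort: 443},
		{Name: "block-bad-range", Action: Deny, Proto: "tcp", Src: cidr("203.0.113.0/24")},
		{Name: "partner-exception", Action: ForceAllow, Proto: "tcp", Src: cidr("203.0.113.7/32"), DstPort: 443},
		{Name: "voip-media", Action: Bypass, Proto: "udp", Dst: cidr("10.0.0.0/24"), DstPort: 5060},
		{Name: "log-ssh", Action: LogOnly, Proto: "tcp", DstPort: 22},
	}
}

func main() {
	for _, p := range []Packet{
		{"tcp", net.ParseIP("198.51.100.5"), net.ParseIP("10.0.0.10"), 443},
		{"tcp", net.ParseIP("198.51.100.5"), net.ParseIP("10.0.0.10"), 22},
		{"tcp", net.ParseIP("203.0.113.9"), net.ParseIP("10.0.0.10"), 443},
		{"tcp", net.ParseIP("203.0.113.7"), net.ParseIP("10.0.0.10"), 443},
		{"udp", net.ParseIP("198.51.100.5"), net.ParseIP("10.0.0.10"), 5060},
	} {
		v := Decide(SampleRules(), p)
		fmt.Printf("%s %s -> %s:%-5d %-11v inspect=%-5v %s logged=%v\n",
			p.Proto, p.Src, p.Dst, p.DstPort, v.Action, v.Inspect, v.Reason, v.Logged)
	}
}
```

Two details are worth noticing in the output: the SSH packet is dropped by the implicit deny even though no rule names it, and the partner address inside the blocked range is let through by Force Allow but still marked for inspection, whereas the VoIP traffic under the Bypass rule is not inspected at all.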
• 50. Advantages of packet-filtering firewalls:-
• Security is transparent to end users.
• Easy to install.
• Packet filters make use of existing network routers, so implementing a packet-filter security system is typically less complicated than other network security solutions.
• High speed.
Disadvantages:-
• Packet-filtering routers are not very secure on their own: they see only packet headers, not content, and a stateless filter cannot tell a reply from an unsolicited packet.
• Setting up packet-filtering rules on the router is difficult and error-prone.
• There is no user-based authentication.
• A packet filter cannot authenticate information as coming from a specific user; it only sees addresses and ports, which can be spoofed.
• 51. PUBLIC KEY INFRASTRUCTURE FOR SECURITY
INTRODUCTION:- A public key infrastructure (PKI) is a set of roles, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates and to manage public-key encryption. A certificate authority (CA) signs certificates; a registration authority (RA) is responsible for accepting requests for digital certificates and authenticating the entity making the request.
• How does PKI work?
PKI is the framework of cryptography and trust that protects communications between the server (your website) and the client (the user). It works with a pair of cryptographic keys, a public key and a private key, generated once when the server's certificate is requested. The public key is published in the certificate and is available to every user who connects to the website; the private key stays on the server and is never shared. Data encrypted with the public key can be decrypted only with the private key, and a signature made with the private key can be checked by anyone holding the public key. In TLS these public-key operations are used to prove the server's identity and to agree a fresh session key for each connection; the actual traffic is then encrypted with that symmetric session key, which is discarded when the connection ends. This protects the user's information from theft or tampering.
PKI security is used in many different ways, including:
• Securing email
• Securing web communications (such as retail transactions)
• Digitally signing software
• Digitally signing applications
• Encrypting files
• Decrypting files
• Smart card authentication
• 52. Components of Public Key Infrastructure (PKI) • It starts with trust. • Certification Authorities. • Private and public keys. • Certificate enrollment. • Digital certificates. • Usage scenarios. • Maintaining security in a PKI environment Benefits :- • Secure access control. With a unique verifiable identity you can determine what level of access to grant to that device. In addition, you can deny access to anything that does not present a proper certificate: no cert, no way. And if you find out a certificate has somehow been compromised, because it is unique and identifiable you can revoke it, and that certificate will no longer be granted access (provided the relying parties actually check revocation status, via a CRL or OCSP). • Mutual Authentication. In the days before IoT and autonomous networked devices, the device did not need to be authenticated, just the server. You wanted to make sure that the website you were logging into was actually your bank and not some bogus phishing site; the bank authenticated your identity through your login and password. With IoT, the device needs to be authenticated and the device also needs to authenticate the server it is talking to. With digital certificates and secure elements, this is now practical.
• 53. Secure Over-the-Air (OTA) Update. The problem with many devices today is that they will accept software updates from anyone. Remember, you want a device to accept only software that is verified and comes from a trusted server. The certificates allow the device to prove that it should receive an update, and which one, and the cryptography in the secure element allows the device to verify the server as well as the signed code. Advantages : • PKI is a standards-based technology. • It allows the choice of trust provider. • It is highly scalable. Users maintain their own certificates, and certificate authentication involves an exchange of data between client and server only, so no third-party authentication server needs to be online at authentication time (revocation checking is the exception: it fetches a CRL or queries an OCSP responder). There is thus no practical limit to the number of users who can be supported using PKI. • PKI allows delegated trust. That is, a user who has obtained a certificate from a recognized and trusted certificate authority can authenticate to a server the very first time they connect to it, without having previously been registered with that system. • Although PKI is not in itself a single sign-on service, it can be implemented in such a way as to enable single sign-on.
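As an added example, not code from the original deck or from any vendor, here is a Go model of the update check described above. The manifest format, the device model name and the pinned server key are assumptions; in the PKI these slides describe, the server's public key would be taken from a chain-validated certificate rather than pinned at manufacture. The example also enforces a version check the slide does not mention, because an attacker who can replay a genuinely signed old image can reintroduce a patched vulnerability.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update. The server signs SHA-256 of its JSON encoding,
// which encoding/json produces deterministically for a struct (assumed format).
type Manifest struct {
	Device  string `json:"device"`
	Version uint32 `json:"version"`
	Image   []byte `json:"image"` // the firmware itself (tiny here)
}

// Update is what travels over the air: the manifest and an ASN.1 ECDSA signature.
type Update struct {
	Manifest  Manifest
	Signature []byte
}

func digest(m Manifest) ([]byte, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(b)
	return h[:], nil
}

// Sign is the update server's side: only the holder of the private key can
// produce a signature the devices will accept.
func Sign(serverKey *ecdsa.PrivateKey, m Manifest) (Update, error) {
	d, err := digest(m)
	if err != nil {
		return Update{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, serverKey, d)
	return Update{Manifest: m, Signature: sig}, err
}

// Device is the receiving side. ServerKey is the trusted update-server public key,
// pinned at manufacture in this example (assumption).
type Device struct {
	Model     string
	Installed uint32
	ServerKey *ecdsa.PublicKey
}

var (
	ErrBadSignature = errors.New("signature does not verify against the trusted server key")
	ErrWrongDevice  = errors.New("update is for a different device model")
	ErrRollback     = errors.New("update is not newer than the installed version")
)

// Accept installs an update only if it is authentic, addressed to this model and
// newer than what is installed. The signature is checked first, so no field of the
// manifest is trusted before it has been authenticated.
func (d *Device) Accept(u Update) error {
	dg, err := digest(u.Manifest)
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(d.ServerKey, dg, u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Device != d.Model {
		return ErrWrongDevice
	}
	if u.Manifest.Version <= d.Installed { // anti-rollback: a signed but old, vulnerable build must not be reinstalled
		return ErrRollback
	}
	d.Installed = u.Manifest.Version
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	serverKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	attackerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	dev := &Device{Model: "cam-100", Installed: 3, ServerKey: &serverKey.PublicKey}
	good := must(Sign(serverKey, Manifest{Device: "cam-100", Version: 4, Image: []byte("fw-4 (constructed)")}))
	evil := must(Sign(attackerKey, Manifest{Device: "cam-100", Version: 5, Image: []byte("backdoor")}))
	old := must(Sign(serverKey, Manifest{Device: "cam-100", Version: 2, Image: []byte("fw-2 (constructed)")}))
	fmt.Println("genuine v4:", dev.Accept(good))
	fmt.Println("attacker v5:", dev.Accept(evil))
	fmt.Println("replayed v2:", dev.Accept(old))
}
```

The attacker's image fails on the signature, the replayed image fails on the version check even though its signature is genuine, and a signed image whose bytes are altered in transit fails on the signature because the digest no longer matches.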
• 54. Problems with PKI :- 1. PKI has too many moving parts • Complexity is the enemy of good computer security. The more moving parts you have, the easier it is to find weaknesses and the harder it is to implement correctly. And few computer security defenses have more moving parts than a properly set-up PKI. • You need to begin with an offline root CA (certificate authority). It must be truly offline, or it is subject to compromise. Then you need two or more issuing CAs that do the day-to-day work of issuing certificates. Your CAs need to be protected by an HSM (hardware security module), a piece of hardware that guards the most important private keys of the PKI. Normally you need a few of these, and the total cost can easily reach $100,000. • You also need two or more web servers to publish the CA's own certificate and its CRLs (certificate revocation lists). You usually need two of these internally, on the network, and perhaps two more externally. These days most PKI designers also recommend two or more OCSP (online certificate status protocol) responders, which let a client ask about the status of a single certificate instead of downloading the whole CRL, and so reduce CRL traffic between clients and CA servers. 2. Even when PKI works perfectly, it doesn't work • Worse, even when you set up PKI perfectly and without error, and it works the way it is intended to work ... it doesn't work! Well, it works, but only because people and applications tend to ignore PKI errors. • Everyone knows that the little padlock on the browser bar means that a website connection is supposedly secure thanks to PKI. • But the complexity of PKI means that many websites and applications end up with PKI errors, which cause the little padlock to disappear or to remain unlocked. Many times the browser will warn you that a website's digital certificate is not valid and recommend not going to the website, and users click through anyway; applications do the equivalent when they are configured to skip certificate validation.
• 55. 3. PKI doesn't solve the biggest security problems • Despite points No. 1 and 2, I love PKI. It's very good at what it does if people, devices, and applications don't ignore its warnings. But the biggest problem with PKI isn't PKI itself. It's that almost all of the problems that PKI solves aren't the ones being exploited by today's attackers. • Most exploits occur due to unpatched software, followed by socially engineered Trojan horse programs. Together, these two vectors probably account for 99 percent of all successful attacks in most environments, and PKI doesn't fix either problem. 4. Eventually, PKI will stop working forever • Here's the real kicker. One day, all secrets protected by today's PKI will be revealed. Yep, that's not a misprint. • One day, the incredibly hard math, involving large prime numbers and discrete logarithms, won't be so difficult to solve anymore. Public key cryptography only works because that math is hard for the computers we have. But computers are only going to get better over time at solving cryptographic puzzles. • For example, one of the biggest promises of quantum computing, whenever it finally gets perfected, is that a large enough quantum computer running Shor's algorithm can factor the large integers and solve the discrete logarithms that RSA and elliptic-curve keys depend on, breaking open PKI-protected secrets. Sometime in the near- to mid-term future, useful quantum computers may become a reality. When they do, most of today's public-key crypto will fall, which is why post-quantum algorithms such as NIST's ML-KEM and ML-DSA are being standardized to replace it.
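As an added example, not taken from the original deck or from any CA product, the following Go program (standard library only) builds the two-tier design from problem 1: a root CA that signs one issuing CA, server and device certificates issued by the issuing CA, chain validation the way a browser or device does it for the padlock and for mutual authentication (slides 51 and 52), rejection of a self-signed look-alike of the shop's certificate, and a CRL published by the issuing CA and checked by a relying party. All names, serial numbers and lifetimes are assumptions, and every key is held in memory, which a real root CA must never do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// entity pairs a certificate with its private key. Every key is in memory here;
// in production the root key stays offline and the issuing CA key lives in an HSM.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue generates a key pair for name and a certificate signed by parent, or
// self-signed when parent is nil (a root CA, or an attacker's look-alike cert).
func issue(name string, serial int64, isCA bool, parent *entity) (*entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // a leaf usable both as a TLS server and as a client (device) identity
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, key.Public(), signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &entity{cert: cert, key: key}, err // callers check err before using the entity
}

// verify checks the chain leaf -> issuing CA -> root. Only the root is trusted a priori;
// the hostname and key-usage checks are what a browser does before showing the padlock.
func verify(leaf, issuer, root *x509.Certificate, name string, usage x509.ExtKeyUsage) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(issuer)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		DNSName: name, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// revoke has the issuing CA publish a CRL that lists the given serial number.
func revoke(issuer *entity, serial *big.Int) ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: time.Now()}},
	}, issuer.cert, issuer.key)
}

// isRevoked checks cert against a CRL, first confirming the issuing CA signed the CRL.
func isRevoked(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer) // a forged CRL could hide a revocation
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	root := must(issue("Example Root CA", 1, true, nil))
	ca := must(issue("Example Issuing CA", 2, true, root))
	shop := must(issue("shop.example", 100, false, ca))
	rogue := must(issue("shop.example", 999, false, nil)) // self-signed look-alike
	fmt.Println("genuine shop:", verify(shop.cert, ca.cert, root.cert, "shop.example", x509.ExtKeyUsageServerAuth))
	fmt.Println("rogue shop:  ", verify(rogue.cert, ca.cert, root.cert, "shop.example", x509.ExtKeyUsageServerAuth))
	crl := must(revoke(ca, shop.cert.SerialNumber))
	fmt.Println(isRevoked(crl, ca.cert, shop.cert))
}
```

The genuine chain verifies with a nil error, the rogue certificate fails with an unknown-authority error even though its name matches, and the revoked serial is found in the CRL only after the CRL's own signature has been checked against the issuing CA. Using the device certificate with ExtKeyUsageClientAuth is the server's half of mutual authentication.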