Chapter 5 Security Threats to Electronic Commerce
Learning Objectives <ul><li>In this chapter, you will learn about: </li></ul><ul><li>Important computer and electronic commerce security terms </li></ul><ul><li>The reason that secrecy, integrity, and necessity are three parts of any security program </li></ul><ul><li>The roles of copyright and intellectual property and their importance </li></ul><ul><li>Threats and countermeasures to eliminate or reduce threats </li></ul>
Learning Objectives <ul><li>Specific threats to client machines, Web servers, and commerce servers </li></ul><ul><li>Methods that you can use to enhance security in back office products </li></ul><ul><li>The way in which security protocols help plug security holes </li></ul><ul><li>The roles that encryption and certificates play in assurance and secrecy </li></ul>
Security Overview <ul><li>Computer security is the protection of assets from unauthorized access, use, alteration, or destruction. </li></ul><ul><li>Two types of security: </li></ul><ul><ul><li>Physical security </li></ul></ul><ul><ul><li>Logical security </li></ul></ul>
Types of Security <ul><li>Physical security includes tangible protection devices such as alarms and guards. </li></ul><ul><li>Protection of assets using nonphysical means is called logical security. </li></ul>
Implication of Threat <ul><li>Any act or object that poses a danger to computer assets is known as a threat. </li></ul><ul><li>A countermeasure is a procedure, physical or logical, that recognizes, reduces, or eliminates a threat. </li></ul><ul><li>The risk management model shows four general actions to take against a threat, chosen by how likely the threat is and how costly it would be if it occurred. </li></ul><ul><li>See Figure 5-1. </li></ul>
Computer Security Classification <ul><li>Three computer security categories: </li></ul><ul><ul><li>Secrecy </li></ul></ul><ul><ul><li>Integrity </li></ul></ul><ul><ul><li>Necessity </li></ul></ul><ul><li>Secrecy refers to protecting against unauthorized data disclosure and ensuring the authenticity of the data’s source. </li></ul><ul><li>Integrity refers to preventing unauthorized data modification. </li></ul><ul><li>Necessity refers to preventing data delays or denials. </li></ul>
Copyright and Intellectual Property <ul><li>Copyright is the protection of expression. </li></ul><ul><li>Intellectual property is the ownership of ideas and control over the tangible or virtual representation of those ideas. </li></ul><ul><li>U.S. Copyright Act of 1976 </li></ul><ul><li>Copyright Clearance Center provides copyright information </li></ul>
Security Policy and Integrated Security <ul><li>A security policy is a written statement describing: </li></ul><ul><ul><li>Which assets to protect and why to protect them </li></ul></ul><ul><ul><li>Who is responsible for that protection </li></ul></ul><ul><ul><li>Which behaviors are acceptable and which are not </li></ul></ul><ul><li>The Center for Security Policy (CSP) hosts security debates and policies. </li></ul>
Elements of a Security Policy <ul><li>Authentication </li></ul><ul><li>Access control </li></ul><ul><li>Secrecy </li></ul><ul><li>Data integrity </li></ul><ul><li>Audit </li></ul>
Intellectual Property Threats <ul><li>Copyright infringements on the Web often occur because users do not know what they can and cannot legally copy. </li></ul><ul><li>The Copyright Website tackles the issues of copyright, newsgroup postings, and fair use. </li></ul>
Music Online <ul><li>The music industry best illustrates the copyright and intellectual property issues. </li></ul><ul><li>Napster changed the way music is delivered. </li></ul><ul><li>Ripping a song without proper permission is a copyright violation. </li></ul>
Domain Names <ul><li>Issues of intellectual property rights on Internet Domain Names: </li></ul><ul><ul><li>Cybersquatting </li></ul></ul><ul><ul><li>Name changing </li></ul></ul><ul><ul><li>Name stealing </li></ul></ul>
Cybersquatting <ul><li>Cybersquatting is the practice of registering a domain name that is the trademark of another person or company in the hope that the owner will pay a large sum to acquire the domain. </li></ul><ul><li>On November 29, 1999, the U.S. Anticybersquatting Consumer Protection Act was signed into law. </li></ul>
Name Changing <ul><li>Name changing (also called typosquatting) occurs when someone registers purposely misspelled variations of well-known domain names, such as a transposed, missing, or doubled letter, to catch customers who mistype the address. </li></ul><ul><li>The practice is annoying to affected online businesses and confusing to their customers, and a look-alike site can collect credentials or payment details that customers believe they are giving to the real business. </li></ul>
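A business that wants to notice name changing before its customers do has to know which misspellings to look for. The following is an added example, not code from the textbook: it generates the common single-keystroke variants of a domain's first label (omitted, transposed, doubled, or substituted letter) and intersects them with a list of registered names. The variant rules and the sample registered-name list are assumptions chosen for the demonstration; a real monitor would also cover homoglyphs and alternative top-level domains.

```python
"""Generate look-alike domains an online business should watch for.
Added example; the typo rules are a deliberately small, assumed set."""
from __future__ import annotations

import string


def _label_and_suffix(domain: str) -> tuple[str, str]:
    # "example.com" -> ("example", ".com"); only the first label is mutated
    label, _, rest = domain.partition(".")
    return label, ("." + rest if rest else "")


def omissions(label: str) -> set[str]:
    # one letter dropped: "ebay" -> "bay", "eay", ...
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transpositions(label: str) -> set[str]:
    # two adjacent letters swapped: "ebay" -> "eaby"
    out = set()
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return out


def repetitions(label: str) -> set[str]:
    # one letter doubled: "ebay" -> "ebbay"
    return {label[:i + 1] + label[i] + label[i + 1:] for i in range(len(label))}


def substitutions(label: str) -> set[str]:
    # one letter replaced by any other letter: "ebay" -> "eboy"
    out = set()
    for i, ch in enumerate(label):
        for alt in string.ascii_lowercase:
            if alt != ch:
                out.add(label[:i] + alt + label[i + 1:])
    return out


def typo_variants(domain: str) -> set[str]:
    """All variants of the first label, re-joined with the original suffix."""
    label, suffix = _label_and_suffix(domain.lower())
    variants = omissions(label) | transpositions(label) | repetitions(label) | substitutions(label)
    variants.discard(label)
    return {v + suffix for v in variants if v}


def suspicious_registrations(domain: str, registered: set[str]) -> set[str]:
    """Cross-check registered names (from a zone file or a brand-monitoring
    feed) against the generated variants; the hits are the names to review."""
    return typo_variants(domain) & {r.lower() for r in registered}


if __name__ == "__main__":
    # Constructed sample of "registered" names, not real registration data.
    seen = {"eaby.com", "ebbay.com", "example.org"}
    print(sorted(suspicious_registrations("ebay.com", seen)))
```

The same generator, run against a daily feed of new registrations, turns the slide's "annoying and confusing" into something a security team can act on: each hit is a candidate for a trademark complaint or a block on the corporate mail gateway.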
Name Stealing <ul><li>Name stealing occurs when someone changes the registration of a domain name, for example by taking over the owner's registrar account, so that the name points to another site and is owned by another party. </li></ul><ul><li>Once domain name ownership is changed, the name stealer controls where the name resolves and can impersonate or deface the site. </li></ul>
Electronic Commerce Threats <ul><li>There are three types of electronic commerce threats: </li></ul><ul><ul><li>Client threats </li></ul></ul><ul><ul><li>Communication channel threats </li></ul></ul><ul><ul><li>Server threats </li></ul></ul>
Client Threats <ul><li>Early Web pages were mainly static: the browser only displayed them. </li></ul><ul><li>The widespread use of active content has changed the function of Web pages; the browser now runs code supplied by the site. </li></ul><ul><li>Sources of client threats: </li></ul><ul><ul><li>Active content </li></ul></ul><ul><ul><li>Java, Java Applets, and JavaScript </li></ul></ul><ul><ul><li>ActiveX Controls </li></ul></ul><ul><ul><li>Graphics, Plug-Ins, and E-mail Attachments </li></ul></ul>
Active Content <ul><li>Active content refers to programs that are embedded transparently in Web pages and that cause actions to occur on the client computer. </li></ul><ul><li>The best-known active content forms are Java applets, ActiveX controls, JavaScript, and VBScript. </li></ul><ul><li>Graphics and Web browser plug-ins can also carry active content. </li></ul>
Active Content <ul><li>A Trojan horse is a program hidden inside another program or Web page that masks its true purpose. </li></ul><ul><li>A zombie is a program that secretly takes over another computer for the purpose of launching attacks on other computers. </li></ul><ul><li>Cookies are data, not programs: the browser stores them and sends them back to the site that set them, so a cookie cannot by itself destroy files on the client. The client-side risk from cookies is disclosure, for example a cookie holding a session identifier or personal data that is read by a party other than the site that set it. </li></ul>
Java <ul><li>Java adds functionality to business applications and can handle transactions and a wide variety of actions on the client computer. </li></ul><ul><li>The Java sandbox confines an applet's actions to a set of rules defined by the security model: an untrusted applet cannot, for example, read or write local files or open network connections to hosts other than the one it was loaded from. </li></ul><ul><li>Java is a very powerful development language, and untrusted applets should not be allowed to use all of that power; the sandbox therefore restricts them from performing many activities. </li></ul><ul><li>These rules apply to all untrusted Java applets. </li></ul>
Java Applets <ul><li>Java applets loaded from the local file system are treated as trusted. </li></ul><ul><li>Trusted applets have full access to system resources on the client computer. </li></ul><ul><li>Signed Java applets carry a digital signature made with the developer's code-signing certificate, issued by a certificate authority; the signature proves who published the applet and that it was not altered after signing. It says nothing about whether the code is safe, so a user who grants a signed applet full access is trusting the publisher, not the signature. </li></ul>
JavaScript <ul><li>JavaScript is a scripting language that enables Web page designers to build active content. </li></ul><ul><li>JavaScript can mount privacy and integrity attacks on the client: a script can read data the page holds (form contents, cookies the browser exposes to it) and send it to a third party, or alter what the page displays. Browser JavaScript has no direct access to the local file system, so destroying a hard disk would require a flaw in the browser itself, not ordinary script. </li></ul><ul><li>JavaScript programs do not operate under the restrictions of the Java sandbox security model; they run under the browser's own sandbox, whose central rule (the same-origin policy) keeps a script from reading data that belongs to another Web site. </li></ul>
ActiveX Controls <ul><li>An ActiveX control is an object that contains programs and properties that Web designers place on Web pages to perform particular tasks. </li></ul><ul><li>ActiveX controls run only on computers running Windows and only on browsers that support them (historically Internet Explorer; current browsers do not). </li></ul><ul><li>Because ActiveX controls are native code with full access to your computer, and the browser cannot sandbox them, an untrustworthy control can cause secrecy, integrity, or necessity violations; the user's decision whether to install it is the only control. </li></ul><ul><li>ActiveX is a set of technologies that enable software components to interact with one another in a networked environment, regardless of the language in which the components were created. An ActiveX control is a user interface element created using ActiveX technology. ActiveX controls are small, fast, and powerful, and make it easy to integrate and reuse software components. </li></ul>
Graphics, Plug-Ins, and E-mail Attachments <ul><li>Graphics, browser plug-ins, and e-mail attachments can harbor executable content. </li></ul><ul><li>Code embedded in a graphic, or a malformed image that triggers a bug in the program rendering it, is a potential threat. </li></ul><ul><li>Plug-ins perform their duties by executing commands buried within the media they are manipulating, so a crafted media file can drive the plug-in. </li></ul><ul><li>E-mail attachments provide a convenient way to send nontext information over a text-only system; an attachment is opened by whatever program handles its type, and that program runs with the user's privileges. </li></ul>
Virus <ul><li>A virus is software that attaches itself to another program and can cause damage when the host program is activated. </li></ul><ul><li>A worm is a self-contained program that replicates itself to other machines over the network, without needing a host program or a user action. </li></ul><ul><li>A macro virus is coded as a small program (a macro) embedded in a document file, so it runs when the document is opened. </li></ul><ul><li>The term steganography describes information hidden within another piece of information, such as a message concealed in an image file. </li></ul>
Communication Channel Threats <ul><li>The Internet is not secure by default. </li></ul><ul><li>A message on the Internet passes through routers and networks that neither the sender nor the receiver controls, over a path that neither of them chooses; any intermediate party can read or alter traffic that is not protected. </li></ul><ul><li>Internet channel security threats include: </li></ul><ul><ul><li>secrecy </li></ul></ul><ul><ul><li>integrity </li></ul></ul><ul><ul><li>necessity </li></ul></ul>
Secrecy Threats <ul><li>Secrecy is the prevention of unauthorized information disclosure. </li></ul><ul><li>Privacy is the protection of individual rights to nondisclosure. </li></ul><ul><li>Secrecy is a technical issue requiring physical and logical mechanisms such as encryption and access control. </li></ul><ul><li>Privacy protection is a legal matter. </li></ul><ul><li>The classic secrecy threat is a sniffer program reading unencrypted traffic as it passes through a network the attacker has access to: credit card numbers or passwords sent in the clear are disclosed. </li></ul>
Integrity Threats <ul><li>An integrity threat exists when an unauthorized party can alter a message stream of information, for example changing the amount or the ship-to address in an order while it is in transit. </li></ul><ul><li>Cyber vandalism, the electronic defacing of a Web site, is an example of an integrity violation. </li></ul><ul><li>Masquerading or spoofing, pretending to be someone else or passing off a fake Web site as the real one, is one means of creating havoc on Web sites. </li></ul>
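The integrity threat above is concrete enough to show end to end. The following is an added example, not the textbook's code: the sender attaches a keyed message authentication code (HMAC-SHA256) to an order, an attacker on the path rewrites the amount and delivery address, and the receiver's check rejects the altered message. The order, the shared key, and the "channel" (a plain dictionary) are all constructed for the demonstration; in practice the key is agreed out of band, and TLS provides this check together with secrecy.

```python
"""Detect in-transit tampering with a keyed MAC. Added example; the shared
key and the order are constructed values for the demonstration."""
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Optional

SHARED_KEY = b"constructed-demo-key-agreed-out-of-band"  # assumption: only sender and receiver know it


def _canonical(order: dict) -> bytes:
    # A fixed encoding so sender and receiver hash exactly the same bytes.
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def seal(order: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: attach an HMAC-SHA256 tag over the canonical encoding."""
    body = _canonical(order)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Receiver side: recompute the tag and reject on mismatch.
    compare_digest keeps the comparison time independent of where it differs."""
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return json.loads(envelope["body"])


def tamper_in_transit(envelope: dict) -> dict:
    """What a party on the path can do to an unprotected message: rewrite the
    amount and the ship-to address, leaving everything else intact."""
    order = json.loads(envelope["body"])
    order["amount"] = "1.00"
    order["ship_to"] = "attacker's drop address"
    altered = dict(envelope)
    altered["body"] = _canonical(order).decode()
    return altered


def accept_without_check(envelope: dict) -> dict:
    """A receiver that ignores the tag: this is the integrity threat."""
    return json.loads(envelope["body"])


if __name__ == "__main__":
    original = {"order_id": 42, "amount": "199.00", "ship_to": "1 Main St"}
    env = seal(original)
    print("untampered verifies:", verify(env) == original)
    bad = tamper_in_transit(env)
    print("tampered, no check:", accept_without_check(bad)["amount"])   # 1.00 is accepted
    print("tampered, with check:", verify(bad))                          # None: rejected
```

The MAC only covers integrity and source authenticity for parties that share the key; it does not hide the order contents, which is the secrecy threat on the previous slide and needs encryption.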
Necessity Threats <ul><li>The purpose of a necessity threat is to disrupt normal computer processing or to deny processing entirely. </li></ul><ul><li>A necessity threat is also known as a delay, denial, or denial-of-service (DoS) threat. </li></ul><ul><li>eBay was hit by a denial-of-service attack in early 2000, when attackers flooded the site with more traffic than it could serve. </li></ul>
Server Threats <ul><li>Servers have vulnerabilities that can be exploited to cause destruction or to acquire information illegally. </li></ul><ul><li>Server threats include: </li></ul><ul><ul><li>Web server threats </li></ul></ul><ul><ul><li>Database threats </li></ul></ul><ul><ul><li>Common gateway interface threats </li></ul></ul><ul><ul><li>Other programming threats </li></ul></ul>
Web Server Threats <ul><li>Setting up a Web server to run in high-privilege status (as root or Administrator) leads to a Web server threat: any flaw in the server, or in a program it runs, hands the attacker that privilege. </li></ul><ul><li>A secrecy violation occurs when the contents of a server’s folders are revealed to a Web browser, as when directory listing is enabled and a folder with no index page shows every file it holds. </li></ul><ul><li>The W3C Threat Document provides information about server security. </li></ul><ul><li>See Figure 5-13. </li></ul>
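The directory-listing violation on this slide comes down to one decision in the request handler. The following is an added example, not code from the textbook or from any real Web server: a function that resolves a request path under a document root and, for a directory with no index file, answers 403 instead of listing it. The `list_directories` flag reproduces the weak setting so the two behaviours can be compared; the document root, with a private folder holding a sales report, is constructed in a temporary directory. (In Apache httpd the equivalent switch is `Options -Indexes`.)

```python
"""Serve directory requests without revealing folder contents. Added
example; the document root below is a constructed temporary tree."""
from __future__ import annotations

import os
import tempfile

INDEX_FILES = ("index.html", "index.htm")


def docroot_request(docroot: str, request_path: str, list_directories: bool = False) -> tuple[int, str]:
    """Return (status, body) for a request. The default refuses to list a
    directory; list_directories=True is the weak configuration."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, request_path.lstrip("/")))
    if target != root and not target.startswith(root + os.sep):
        return 404, ""  # resolves outside the document root: never serve it
    if os.path.isfile(target):
        with open(target) as fh:
            return 200, fh.read()
    if os.path.isdir(target):
        for name in INDEX_FILES:
            index = os.path.join(target, name)
            if os.path.isfile(index):
                with open(index) as fh:
                    return 200, fh.read()
        if list_directories:
            # The secrecy violation: every file name in the folder goes to the browser.
            return 200, "\n".join(sorted(os.listdir(target)))
        return 403, ""
    return 404, ""


def build_docroot() -> str:
    """Constructed sample site: a public index page and a folder that was
    never meant to be browsed, with no index page of its own."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "private-reports"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>Store</h1>")
    with open(os.path.join(root, "private-reports", "q1-sales.csv"), "w") as fh:
        fh.write("region,revenue\n")
    return root


if __name__ == "__main__":
    site = build_docroot()
    print(docroot_request(site, "/private-reports/"))                          # (403, '')
    print(docroot_request(site, "/private-reports/", list_directories=True))   # leaks q1-sales.csv
```

Turning listings off hides the folder's index, not the files themselves: a file whose name the attacker can guess is still served, so data that must not be public belongs outside the document root, not merely in an unlisted folder.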
Database Threats <ul><li>Databases connected to the Web hold data that could damage a company if it were disclosed or altered. </li></ul><ul><li>Anyone who obtains user authentication information can masquerade as a legitimate user, so the credentials stored in the database are as sensitive as the data they protect. </li></ul><ul><li>The Database threats resource center describes threats to database systems. </li></ul><ul><li>See Figure 5-14. </li></ul>
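The masquerade threat on this slide is worst when the user table stores passwords as typed, because disclosing the table discloses every account. The following is an added example, not textbook code, showing the weak record beside the hardened one: passwords are stored as salted PBKDF2-HMAC-SHA256 digests, so a stolen table yields only per-user hashes that must be brute-forced one at a time. The user table is an in-memory dictionary constructed for the demonstration, and the iteration count is an assumption chosen to be expensive for an attacker without being slow for a login.

```python
"""Store credentials so a disclosed user table does not hand out working
passwords. Added example; the user table below is constructed in memory."""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: PBKDF2 work factor; raise it as hardware gets faster


def weak_record(password: str) -> dict:
    # The 'before' picture: the password itself is the record.
    # Disclosure of the table == a credential for every user.
    return {"password": password}


def make_record(password: str) -> dict:
    """Hardened record: random per-user salt plus a slow keyed hash.
    Two users with the same password get different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def check_password(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    # constant-time comparison so a wrong guess does not leak how close it was
    return hmac.compare_digest(digest.hex(), record["hash"])


def authenticate(users: dict, username: str, attempt: str) -> bool:
    """Login check against the table; unknown users fail the same way as
    wrong passwords so the response does not reveal which accounts exist."""
    record = users.get(username)
    if record is None:
        return False
    return check_password(record, attempt)


def build_users() -> dict:
    # Constructed sample accounts, not real data.
    return {"alice": make_record("correct horse battery"),
            "bob": make_record("correct horse battery")}


if __name__ == "__main__":
    users = build_users()
    print(authenticate(users, "alice", "correct horse battery"))   # True
    print(authenticate(users, "alice", "wrong"))                   # False
    print(users["alice"]["hash"] != users["bob"]["hash"])          # True: salts differ
```

This limits the damage from disclosure; it does nothing for a session token or password captured in transit, which is the channel secrecy threat and needs encryption on the wire.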
Common Gateway Interface Threats <ul><li>Because CGI programs are programs that the server runs in response to a request, they present a security threat if misused. </li></ul><ul><li>CGI scripts can be set up to run with high privileges, which turns any flaw in a script into a threat to the whole server. </li></ul><ul><li>Because CGI programs or scripts can reside almost anywhere on the Web server, they are hard to track down and manage. </li></ul>
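Both CGI problems on this slide have a direct countermeasure. The following is an added example, not code from the textbook or from any Web server: `drop_privileges` is what a CGI wrapper calls before executing the script so that a flaw in it does not run as root, and `find_stray_cgi` walks the document tree and reports executable or script-suffixed files outside the designated cgi-bin directory, which are the scripts nobody reviews. The directory layout, the account IDs and the list of script extensions are assumptions constructed for the demonstration; the privilege drop is Unix-specific and is a no-op when not started as root.

```python
"""Two CGI controls: drop privileges before running a script, and inventory
scripts living outside cgi-bin. Added example; the tree is constructed."""
from __future__ import annotations

import os
import stat
import tempfile

CGI_EXTENSIONS = {".cgi", ".pl", ".py", ".sh"}  # assumption: what counts as a script on this server


def drop_privileges(uid: int, gid: int) -> None:
    """Call in the CGI wrapper before exec'ing the script. Group first, then
    user: after setuid the process may no longer be permitted to setgid."""
    if os.geteuid() != 0:
        return  # already unprivileged; nothing to drop
    os.setgroups([])      # shed supplementary groups inherited from root
    os.setgid(gid)
    os.setuid(uid)
    if os.geteuid() == 0 or os.getegid() == 0:
        raise RuntimeError("privilege drop failed; refusing to run the CGI program")


def find_stray_cgi(docroot: str, cgi_dir: str) -> list[str]:
    """Executable or script-suffixed files under docroot that are not inside
    cgi_dir. Each is a program the Web server may run on request."""
    cgi_dir = os.path.realpath(cgi_dir)
    stray = []
    for dirpath, _, filenames in os.walk(docroot):
        for name in filenames:
            path = os.path.realpath(os.path.join(dirpath, name))
            if path.startswith(cgi_dir + os.sep):
                continue  # sanctioned location
            mode = os.stat(path).st_mode
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if executable or os.path.splitext(name)[1] in CGI_EXTENSIONS:
                stray.append(path)
    return sorted(stray)


def build_demo_tree() -> tuple[str, str]:
    """Constructed docroot: one sanctioned script in cgi-bin, one stray
    executable in an upload folder, one harmless HTML page."""
    root = tempfile.mkdtemp()
    cgi = os.path.join(root, "cgi-bin")
    os.makedirs(cgi)
    os.makedirs(os.path.join(root, "uploads"))
    for rel, is_script in (("cgi-bin/order.cgi", True), ("uploads/shell.pl", True), ("index.html", False)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho Content-Type: text/plain\n" if is_script else "<html></html>")
        if is_script:
            os.chmod(path, 0o755)
    return root, cgi


if __name__ == "__main__":
    root, cgi = build_demo_tree()
    for hit in find_stray_cgi(root, cgi):
        print("stray CGI program:", hit)
```

Running the inventory from cron and alerting on new hits closes the "hard to track down" gap; pairing it with a server configuration that only executes programs from cgi-bin turns a stray script from an exploitable entry point into an ordinary file download.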
Other Programming Threats <ul><li>Another serious Web server attack can come from programs executed by the server. </li></ul><ul><li>A buffer overflow occurs when a program writes more data into a fixed-size memory buffer than it can hold; the consequences range from a crash to execution of attacker-supplied code, and are moderate to very serious. </li></ul><ul><li>A mail bomb is an attack in which thousands of people (or, more often, one attacker using many machines) send messages to a particular address until the mailbox or the mail server cannot cope. </li></ul><ul><li>See Figure 5-15. </li></ul>
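The mail bomb above and the necessity (denial-of-service) threat on the earlier slide are the same shape: a flood aimed at one target. The following is an added example, not textbook code, of detection logic that reads delivery log lines and flags any recipient that receives more than a threshold of messages within a sliding window. The log lines are constructed in a simplified `<timestamp> to=<recipient>` form, and the threshold and window are assumptions; the same counter applied to request logs keyed by client address gives a first-line flood detector for a Web server.

```python
"""Flag a mail bomb (or any flood) from log lines. Added example; the log
format, the sample lines and the threshold are constructed assumptions."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# assumed line shape: "2024-03-01T10:00:00 to=<sales@example.com>"
LINE = re.compile(r"^(?P<ts>\S+) to=<(?P<rcpt>[^>]+)>")


def flood_targets(lines, threshold: int = 100, window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {recipient: time the flood was first detected} for every
    recipient that received more than `threshold` messages in any `window`."""
    recent = defaultdict(deque)   # recipient -> timestamps inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unrelated log line; skip rather than crash the detector
        ts = datetime.fromisoformat(m["ts"])
        rcpt = m["rcpt"].lower()
        q = recent[rcpt]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()          # slide the window forward
        if len(q) > threshold and rcpt not in flagged:
            flagged[rcpt] = ts   # record first detection only
    return flagged


def constructed_log() -> list:
    """Constructed sample: normal traffic to support@, then 500 messages in
    20 seconds to ceo@, which is the mail bomb."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=i * 30)).isoformat()} to=<support@example.com>"
             for i in range(5)]
    lines += [f"{(base + timedelta(milliseconds=i * 40)).isoformat()} to=<ceo@example.com>"
              for i in range(500)]
    return lines


if __name__ == "__main__":
    for rcpt, when in flood_targets(constructed_log()).items():
        print(f"flood against {rcpt} detected at {when.isoformat()}")
```

Detection is the easy half; the response for a mail bomb is a rate limit or temporary reject on the targeted address at the mail gateway, which keeps the rest of the mailboxes on the server reachable.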
CERT <ul><li>DARPA created the Computer Emergency Response Team (CERT) Coordination Center, located at Carnegie Mellon University. </li></ul><ul><li>CERT posts “CERT alerts” to inform the Internet community about recent security events. </li></ul><ul><li>See Figure 5-16. </li></ul>
