2. • Complex issues of security, privacy, authentication and anonymity
have been thrust into the forefront as confidential information
increasingly traverses modern networks.
• Confidence, reliability and protection of information against security
threats is a crucial prerequisite for the functioning of electronic
commerce.
3. Security Threat
• Security threat is defined as a circumstance, condition or event with the
potential to cause economic hardship to data or network resources in
the form of destruction, disclosure, modification of data, denial of
service and/or fraud, waste and abuse
• The discussion of security concerns in electronic commerce can be
divided into two broad types:
• Client Server Security
• Data and Transaction Security
4. Security Concerns in electronic
commerce
• Client-server security
• Uses authorization methods to make sure that only valid users and programs
have access to information resources such as databases
• Access control mechanisms must be employed, such as password protection,
encrypted smart cards, biometrics and firewalls
• Data and transaction security
• Ensures privacy and confidentiality in electronic messages.
• The goal is to defeat any attempt to assume another identity while involved
with electronic mail or other forms of data communication.
5. Client-Server Network Security
• Among the biggest tasks system administrators face is balancing the opposing goals of
user maneuverability and easy access against site security and confidentiality of local
information.
• Network security on the internet is a major concern for commercial organizations.
• Use of the internet for business purposes has raised many new security concerns
nowadays.
7. Client-Server Network Security
• By connecting to the internet, a local network organization may be exposing itself
to the entire population on the Internet.
• An internet connection opens itself to access from other networks comprising the
public internet.
• They need to audit all access to the network. A system that records all log-on
attempts, particularly the unsuccessful ones, can alert managers to the need for
stronger measures.
• Hackers can use password guessing, password trapping, security holes in programs,
or common network access procedures to impersonate users and thus pose a
threat to the server.
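A minimal sketch of the log-on audit described above, as an added example that is not part of the original slides: it counts failed log-ons per source address inside a sliding window and flags sources that reach a threshold. The log format, addresses, user names, threshold and window are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, result, user, source address.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL alice 203.0.113.7
2024-05-01T09:00:05 FAIL bob 203.0.113.7
2024-05-01T09:00:09 FAIL carol 203.0.113.7
2024-05-01T09:00:12 OK dave 198.51.100.4
2024-05-01T09:00:15 FAIL alice 203.0.113.7
2024-05-01T09:03:00 FAIL erin 198.51.100.9
2024-05-01T09:30:00 FAIL erin 198.51.100.9
not a log line
"""

def parse(line):
    """Return (time, result, user, source), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[1] not in ("OK", "FAIL"):
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return when, parts[1], parts[2], parts[3]

def audit(log_text, threshold=4, window=timedelta(minutes=1)):
    """Flag sources with at least `threshold` failed log-ons inside `window`."""
    recent = defaultdict(deque)   # source -> times of failures still in window
    users = defaultdict(set)      # source -> every user it failed to log on as
    alerts = {}                   # source -> sorted user list once flagged
    skipped = 0                   # malformed lines are counted, not trusted
    for line in log_text.splitlines():
        record = parse(line)
        if record is None:
            skipped += 1
            continue
        when, result, user, source = record
        if result != "FAIL":
            continue
        failures = recent[source]
        failures.append(when)
        users[source].add(user)
        while when - failures[0] > window:   # drop failures older than window
            failures.popleft()
        if len(failures) >= threshold:
            alerts[source] = sorted(users[source])
    return alerts, skipped

if __name__ == "__main__":
    flagged, bad_lines = audit(SAMPLE_LOG)
    for src, targeted in flagged.items():
        print(f"ALERT {src}: repeated failed log-ons for {targeted}")
    print(f"{bad_lines} malformed line(s) skipped")
```
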
8. Client-Server Network Security problems
• Physical security holes result when individuals gain unauthorized physical access
to a computer. E.g.: on the network, a hacker can gain access to a network system
by guessing passwords of various users.
• Software security holes result when badly written programs or “privileged” software
are “compromised” into doing things they shouldn’t. E.g.: rlogin hole in the IBM
RS-6000 workstations, which enabled a hacker to create a “root” shell or super
user access mode.
• Inconsistent usage holes result when a system administrator assembles a
combination of hardware and software such that the system is seriously flawed
from a security point of view.
9. Protection Methods
• At the file level, operating systems typically offer mechanisms such as access
control lists that specify the resources various users and groups are entitled to
access.
• Protection, also called authorization or access control, grants privileges to the
system or resource by checking user-specific information such as passwords.
• If consumers connect a computer to the Internet, they can easily log into it from
anywhere that the network reaches, but without proper access control, anyone
else can too.
10. Protection methods
• Trust Based Security
• Means to trust everyone and do nothing extra for protection.
• This approach assumes that no one ever makes an expensive breach
such as getting root access and deleting all files.
• This approach worked in the past, when the system administrator had to
worry about a limited threat. Today, this is no longer the case.
11. Protection methods
• Security through Obscurity
• The notion that any network can be secure as long as nobody outside its management group is
allowed to find out anything about its operational details and users are provided information on
a need-to-know basis.
• Hiding account passwords in binary files or scripts with the presumption that “nobody will ever
find them”.
• This method was quite successful with stand-alone systems. But its usefulness is minimal in the
UNIX world, where users are free to move around the file system, have a great understanding of
programming techniques, and have immense computing power at their fingertips.
• Many users have advanced knowledge of how their operating system works and through
experience can guess at the bits of knowledge considered confidential. This bypasses the whole
basis of STO and makes this method of security useless.
12. Protection methods
• Password Schemes
• First level barrier to accidental intrusion.
• Password schemes do little about deliberate attack, especially when common words or
proper names are selected as passwords.
• The simplest method used by most hackers is dictionary comparison, comparing a list of
encrypted user passwords against a dictionary of encrypted common words.
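The defensive side of the dictionary-comparison problem, as an added example that is not part of the original slides: reject dictionary-based passwords when they are set, and store each password with a per-user salt and a slow key derivation so that one precomputed dictionary of hashes no longer applies to every account. The word list, function names and policy values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a dictionary of common words and proper names.
COMMON_WORDS = {"password", "welcome", "dragon", "letmein", "michael"}

def is_dictionary_word(candidate):
    """True if the candidate is a listed word, ignoring case and any
    trailing digits or punctuation (so 'Welcome1!' is still 'welcome')."""
    lowered = candidate.lower()
    core = lowered.rstrip("0123456789!@#$%.")
    return lowered in COMMON_WORDS or core in COMMON_WORDS

def unsalted_hash(password):
    """Weak scheme, shown for contrast: equal passwords always give equal
    hashes, which is what makes dictionary comparison cheap."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_password(password, iterations=200_000):
    """Hardened scheme: policy check, random per-user salt, PBKDF2."""
    if len(password) < 10 or is_dictionary_word(password):
        raise ValueError("password rejected by policy")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def check_password(password, record):
    """Recompute the derivation with the stored salt; compare in constant time."""
    salt, iterations, expected = record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    same = "correct horse battery"
    print("unsalted hashes equal:", unsalted_hash(same) == unsalted_hash(same))
    first, second = store_password(same), store_password(same)
    print("salted records equal: ", first[2] == second[2])
    print("log-on check passes:  ", check_password(same, first))
```
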
13. Protection methods
• Biometric Systems
• The most secure level of authorization, which
involves some unique aspect of a person’s body. E.g.:
fingerprints, palm prints, retinal patterns, voice
recognition, etc.
• One biometric unit can serve for many workers
than for network or workstation access.
14. Emerging Client-Server Security Threats
• Most common Threats
Malicious code
Phishing
Hacking and cybervandalism
Credit card fraud/theft
Spoofing (pharming)
Denial of service attacks
Sniffing
Insider jobs
Poorly designed server and client software
16. Malicious Code
• Viruses: computer program that has ability to replicate and spread to
other files; most also deliver a “payload” of some sort (may be
destructive or benign); include macro viruses, file-infecting viruses, and
script viruses
• Worms: designed to spread from computer to computer
• Trojan horse: appears to be benign, but then does something other
than expected
• Bots: can be covertly installed on computer; responds to external
commands sent by the attacker
17. Phishing
• Any deceptive, online attempt by a third party to obtain confidential
information for financial gain
• Most popular type: e-mail scam letter
• One of fastest growing forms of e-commerce crime
18. Hacking and Cybervandalism
• Hacker: Individual who intends to gain unauthorized access to
computer systems
• Cracker: Used to denote hacker with criminal intent (two terms
often used interchangeably)
• Cybervandalism: Intentionally disrupting, defacing or destroying a
Web site
• Types of hackers include:
White hats
Black hats
Grey hats
19. Credit Card Fraud
• Fear that credit card information will be stolen deters online
purchases
• Hackers target credit card files and other customer information files
on merchant servers; use stolen data to establish credit under false
identity
• One solution: New identity verification mechanisms
20. Spoofing (Pharming)
• Misrepresenting oneself by using fake e-mail addresses or
masquerading as someone else
• Threatens integrity of site; authenticity
21. DoS and dDoS Attacks
• Denial of service (DoS) attack: Hackers flood Web site with useless
traffic to inundate and overwhelm network
• Distributed denial of service (dDoS) attack: hackers use numerous
computers to attack target network from numerous launch points
22. Other Security Threats
• Sniffing: Type of eavesdropping program that monitors information
traveling over a network; enables hackers to steal proprietary
information from anywhere on a network
• Insider jobs: Single largest financial threat
• Poorly designed server and client software: Increase in complexity of
software programs has contributed to an increase in vulnerabilities
that hackers can exploit
24. What is a Firewall?
• A firewall is a barrier placed between the private
network and the outside world.
• All incoming and outgoing traffic must pass
through it.
• Can be used to separate address domains.
• Controls TCP protocols
• http, smtp, ftp, telnet etc
• Only one of many different security tools to
control and regulate network traffic
25. What do Firewalls Protect?
• Data
• Proprietary corporate information
• Financial information
• Sensitive employee or customer data
• Resources
• Computing resources
• Time resources
• Reputation
• Loss of confidence in an organization
• Intruder uses an organization’s network to attack other sites
26. Who do Firewalls Guard Against?
• Internal Users
• Hackers
• Corporate Espionage
• Terrorists
• Common Thieves
29. What are the types of Firewalls?
• A firewall can be either hardware-based or host-
based.
• A hardware-based firewall usually means specialized
network boxes, such as routers or switches,
containing customized hardware and software. This
kind of firewall is often expensive, complicated and
difficult to configure.
• A host-based firewall is easier to use for individuals
or small organizations. A host-based firewall can be
understood as a piece of software running on an
individual’s PC, notebook or host. It is designed to
allow or restrict data transferred on a network based
on a set of rules.
Windows: Windows Defender Firewall
Unix: iptables
30. • Generally, firewalls operate by screening packets and/or the
applications that pass through them, provide controllable
filtering of network traffic, allow restricted access to certain
applications, and block access to everything else.
• The actual mechanism that accomplishes filtering varies widely,
but in principle, the firewall can be thought of as a pair of
mechanisms: one to block incoming traffic and the other to
permit outgoing traffic.
• Some firewalls place a greater emphasis on blocking traffic, and
others emphasize permitting traffic.
31. • Firewalls range from simple traffic logging systems that record all
network traffic flowing through the firewall in a file or database for
auditing purposes to more complex methods such as IP packet
screening routers, hardened firewall hosts, and proxy application
gateways.
• The simplest firewall is a packet-filtering gateway or screening
router. Configured with filters to restrict packet traffic to designated
addresses, screening routers also limit the types of services that can
pass through them.
• More complex and secure are application gateways.
32. IP Packet Screening Routers
• This is a static traffic routing service placed between the
network service provider's router and the internal network.
• The traffic routing service may be implemented at an IP
level via screening rules in a router or at an application
level via proxy gateways and services.
34. • The firewall router filters incoming packets to permit or
deny IP packets based on several screening rules.
• These screening rules, implemented in the router, are
applied automatically.
• Rules include target interface to which the packet is
routed, known source IP address, and incoming packet
protocol (TCP, UDP, ICMP)
• ICMP stands for Internet Control Message Protocol, a
network management tool of the TCP/IP protocol suite.
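How such screening rules are evaluated, as an added example that is not part of the original slides: each rule names a target interface, a known source network and a protocol, the first matching rule decides, and anything unmatched is blocked. The rule set, interface names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    interface: str   # target interface the packet is routed to, "*" = any
    source: str      # known source network in CIDR notation
    protocol: str    # "tcp", "udp", "icmp", or "*" = any

# Constructed rule set, evaluated top to bottom; the first match wins.
RULES = [
    Rule("deny",   "*",    "10.0.0.0/8",      "*"),    # internal range seen from outside
    Rule("permit", "dmz0", "0.0.0.0/0",       "tcp"),  # public services in the DMZ
    Rule("permit", "lan0", "198.51.100.0/24", "udp"),  # one known partner network
    Rule("deny",   "*",    "0.0.0.0/0",       "icmp"),
]

def screen(rules, interface, source_ip, protocol):
    """Return (action, index of the deciding rule or None for the default)."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return "deny", None          # unparsable source address
    proto = protocol.lower()
    for index, rule in enumerate(rules):
        if rule.interface not in ("*", interface):
            continue
        if rule.protocol not in ("*", proto):
            continue
        if addr in ipaddress.ip_network(rule.source):
            return rule.action, index
    return "deny", None              # nothing matched: block everything else

if __name__ == "__main__":
    # Constructed packets: (target interface, source address, protocol).
    packets = [
        ("dmz0", "203.0.113.9", "tcp"),
        ("dmz0", "10.1.2.3", "tcp"),
        ("lan0", "198.51.100.20", "udp"),
        ("lan0", "203.0.113.9", "udp"),
        ("dmz0", "203.0.113.9", "ICMP"),
    ]
    for packet in packets:
        print(packet, "->", screen(RULES, *packet))
```

Rule order matters here: moving the first rule below the second would let a packet with a spoofed internal source address reach the DMZ over TCP.
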
35. Disadvantages
Although properly configured routers can plug many
security holes, they do have several disadvantages.
• First, screening rules are difficult to specify, given the
vastly diverse needs of users.
• Second, screening routers are fairly inflexible and do
not easily extend to deal with functionality different
from that preprogrammed by the vendor.
• Lastly, if the screening router is circumvented by a
hacker, the rest of the network is open to attack.
36. Proxy Application Gateways
• A proxy application gateway is a special
server that typically runs on a firewall
machine.
• Their primary use is access to
applications such as the World Wide Web
from within a secure perimeter as shown
in figure below.
• Instead of talking directly to external
WWW servers, each request from the
client would be routed to a proxy on the
firewall that is defined by the user.
37. • The proxy knows how to get through the firewall.
• An application-level proxy makes a firewall safely permeable for
users in an organization, without creating a potential security
hole through which hackers can get into corporate networks.
• The proxy waits for a request from inside the firewall, forwards
the request to the remote server outside the firewall, reads the
response, and then returns it to the client.
• In the usual case, all clients within a given subnet use the same
proxy.
• This makes it possible for the proxy to execute efficient caching
of documents that are requested by a number of clients.
• The proxy must be in a position to filter dangerous URLs and
malformed commands.
39. Hardened Firewall Host:
• A hardened firewall host is a stripped-down machine that has been
configured for increased security.
• This type of firewall requires inside or outside users to connect to
the trusted applications on the firewall machine before connecting
further.
• Generally, these firewalls are configured to protect against
unauthenticated interactive log-ins from the external world.
• This, more than anything, helps prevent unauthorized users from
logging into machines on the network.
• The hardened firewall host method can provide a greater level of
audit and security, in return for increased configuration cost and
decreased level of service (because a proxy needs to be developed
for each desired service).
41. • Historically, computer security was provided by the use of account
passwords and limited physical access to a facility to bona fide users.
• Password schemes are not sufficient to prevent attacks from
sophisticated hackers.
• A growing threat on public and sometimes even on private networks is
the theft of information that passes over them.
• Unsuspecting and amateur users logging into remote hosts are the most
vulnerable.
42. Data security
• Data security is of top importance at a time when people are considering
banking and financial transactions.
• Packet sniffing (unauthorized network monitoring) is a major threat to
data security.
• Sniffer attacks begin when a computer is compromised and the cracker
installs a packet sniffing program, which finds the log-in ID, password and
username of the person logging into another machine from the network
traffic, typically Telnet or FTP.
• If the compromised system is on a backbone network, intruders can
monitor any transit traffic traversing in the network.
43. Message security
• Messaging security is a program that provides protection for a company’s
messaging infrastructure.
• It protects all the personal messages of the company which are related to
the company’s vision and mission.
44. Types of Message Security
• Confidentiality
• The environment must protect all message traffic. After successful delivery to
their destination gateways, messages must be removed from the public
environment.
• Integrity
• Business transactions require that their contents remain unmodified during
transport.
• Authentication
• It is a mechanism whereby the receiver of a transaction or message can be
confident of the identity of the sender and/or the integrity of the message.
46. Encryption as the basis for
Data and Message Security
• Encryption is the mutation of information in any form (text, video,
and graphics) into a representation unreadable by anyone without a
decryption key.
47. Goals of Encryption
• Security Goals:
• Privacy (secrecy, confidentiality): only the intended recipient can see the
communication
• Authenticity (integrity): the communication is generated by the alleged
sender
48. Encryption Methods
• Secret Key Cryptography
• use of a shared key
• Public Key Cryptography
• Pair of Public key and private key
49. Cryptography: The science of secret writing
Plaintext = the message
Encryption = encoding (hiding the contents from outsiders) the
message
Ciphertext = the encrypted message
Decryption = the process of retrieving the plaintext from the
ciphertext
“Encryption” and “Decryption” make use of a “key and a
coding method”.
50. Symmetric Key Encryption
• Also known as secret key encryption
• Both the sender and receiver use the same digital key to encrypt and
decrypt message
• Requires a different set of keys for each transaction
• Data Encryption Standard (DES): Most widely used symmetric key
encryption today; uses 56-bit encryption key; other types use 128-bit
keys up through 2048 bits
52. Public Key Encryption
• Public key cryptography solves symmetric key encryption problem of
having to exchange secret key
• Uses two mathematically related digital keys – public key (widely
disseminated) and private key (kept secret by owner)
• Both keys are used to encrypt and decrypt message
• Once a key is used to encrypt a message, the same key cannot be used to
decrypt the message
• For example, sender uses recipient’s public key to encrypt message;
recipient uses his/her private key to decrypt it
54. Advantages
• No one can figure out the private key from the corresponding
public key. Hence, the key management problem is confined
to the management of private keys. This ensures
confidentiality.
• The need for sender and receiver to share secret information
over public channels is completely eliminated.
55. RSA and Public-key Cryptography
• RSA is the most commonly used public key algorithm, although it is
vulnerable to attack.
• Named after its inventors, Ron Rivest, Adi Shamir and Len Adleman, of
MIT, RSA was first published in 1978.
• It is used for encryption as well as for electronic signatures (discussed
later). RSA lets you choose the size of your public key.
• The 512-bit keys are considered insecure or weak.
• The 768-bit keys are secure from everything but 1024-bit keys are secure
from virtually anything.
56. Digital Signatures
• is a type of asymmetric cryptography used to simulate the security
properties of a signature in digital, rather than written, form.
• is an electronic signature that can be used to authenticate the
identity of the sender of a message or the signer of a document, and
possibly to ensure that the original content of the message or
document that has been sent is unchanged.
• Digital signature schemes normally give two algorithms, one for
signing which involves the user's secret or private key, and one for
verifying signatures which involves the user's public key. The output
of the signature process is called the "digital signature."
• Digital signatures are easily transportable, cannot be imitated by
someone else, and can be automatically time-stamped.
• The ability to ensure that the original signed message arrived means
that the sender cannot easily repudiate it later.
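The two key directions described in the Public Key Encryption and Digital Signatures slides, as an added example that is not part of the original slides: the sender encrypts with the recipient's public key, and a signer signs with the private key so that anyone can verify with the public key. This is textbook RSA with no padding and a deliberately tiny key built from two known Mersenne primes, so it shows the mechanics only; all names and messages are constructed.

```python
import hashlib

# Toy key pair, roughly 150 bits, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1          # two known Mersenne primes
N = P * Q                            # modulus shared by both keys
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)                  # widely disseminated
PRIVATE_KEY = (N, D)                 # kept secret by the owner

def digest_as_int(message, n):
    """SHA-256 of the message reduced into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """Signing uses the signer's private key."""
    n, d = private_key
    return pow(digest_as_int(message, n), d, n)

def verify(message, signature, public_key):
    """Verification needs only the signer's public key."""
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(message, n)

def encrypt(plaintext, public_key):
    """The sender encrypts with the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(ciphertext, private_key, length):
    """The recipient decrypts with the private key."""
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")

if __name__ == "__main__":
    order = b"order #4471 paid"                  # constructed 16-byte message
    secret = encrypt(order, PUBLIC_KEY)
    print("decrypted:", decrypt(secret, PRIVATE_KEY, len(order)))

    contract = b"A agrees to pay B 100 units"    # constructed document
    signature = sign(contract, PRIVATE_KEY)
    print("genuine :", verify(contract, signature, PUBLIC_KEY))
    print("tampered:", verify(b"A agrees to pay B 900 units", signature, PUBLIC_KEY))
```
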
57. [Figure: a user signs the document with A’s private key; the document is transmitted via the Internet; User B receives the document with the signature attached and verifies the signature by A’s public key at the directory.]
58. E-mail Security flaws
• E-mail is the most widely used application in the Internet.
• Email is sent in plain text.
• Email uses an outdated protocol, SMTP.
• Includes a header full of revealing metadata.
• Can easily be intercepted.
59. Encrypted Documents and Electronic Mail
• E-mail is typically encrypted for the reason that all network
correspondence is open for eavesdropping.
• Examination of encrypted information is non-trivial; each file must be
decrypted before it can be examined.
• The E-mail encryption schemes are
• Privacy Enhanced Mail (PEM)
• Pretty Good Privacy (PGP)
60. Privacy Enhanced Mail(PEM)
• It is designed to work with current Internet e-mail formats.
• It includes Encryption, authentication, and key management and
allows use of both public-key and secret-key cryptosystems.
61. Pretty Good Privacy (PGP)
• Provides a confidentiality and authentication service that can be used
for electronic mail and file storage applications.
• Developed by Phil Zimmermann
• Selected the best available cryptographic algorithms as building blocks.
• Integrated these algorithms into a general-purpose application that is
independent of operating system and processor and that is based on a small
set of easy-to-use commands.
• Made the package and its documentation, including the source code, freely
available via the internet, bulletin boards, and commercial networks.
• Entered into an agreement with a company to provide a fully compatible, low
cost commercial version of PGP.