L1 introduction to e-security Online Security
范錚強
E-Commerce Security

The Security Threats
- Computer Crime and Security Survey 2002 (Source: Computer Security Institute, CSI)
  - 90% of responding organizations detected security breaches
  - 40% detected intrusions from outside (25% in 2000)
  - 85% detected viruses
- How do companies protect themselves in this hostile environment?

Myths of Information Security
- Common myths: that security is only about
  - protection against hackers
  - protection against viruses
  - keeping external threats out
  - …

Brute Force Credit Card Attack Story
- The problem
  - Spitfire Novelties usually generates between 5 and 30 transactions per day
  - On September 12, 2002, in a "brute force" credit card attack, Spitfire's credit card transaction processor processed 140,000 fake credit card charges worth $5.07 each (62,000 were approved)

Brute Force Credit Card Attack (cont.)
- The total value of the approved charges was around $300,000
- Spitfire found out about the transactions only when one of the credit card owners, who had been checking his statement online and noticed the $5.07 charge, called them

Brute Force Credit Card Attack (cont.)
- Brute force credit card attacks require minimal skill
- Attackers run thousands of small charges through merchant accounts, picking card numbers at random
- When the perpetrator finds a valid credit card number, it can be sold on the black market
- Some modern-day black markets are member-only Web sites such as carderplanet.com, shadowcrew.com, and counterfeitlibrary.com

Brute Force Credit Card Attack (cont.)
- Relies on the perpetrator's ability to pose as a merchant requesting authorization for a credit card purchase, which requires
  - a merchant ID,
  - a password, or
  - both

Brute Force Credit Card Attack (cont.)
- With Online Data's credit card processing service, all a perpetrator needed in order to request authorization was a merchant's password
- Online Data is a reseller of VeriSign Inc. credit card gateway services
- VeriSign blamed Online Data for the incident
- Online Data blamed Spitfire for not changing its initial starter password

Brute Force Credit Card Attack Story (cont.)
- In April 2002 hackers got into the Authorize.Net card processing system (the largest payment gateway on the Internet)
- They executed 13,000 credit card transactions, of which 7,000 succeeded
- Entry into the Authorize.Net system required only a log-on name, not a password

Brute Force Solution
- Online Data should assign strong passwords at the start
- Customers should change those passwords frequently
- Authorization services such as VeriSign and Authorize.Net should have built-in safeguards that recognize brute force attacks

Brute Force Credit Card Solution (cont.)
- Signals that something is amiss:
  - A merchant issues an extraordinary number of requests
  - Repeated requests for small amounts emanating from the same merchant
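The two signals above can be turned into a simple detection rule over a gateway's authorization log. The Python below is an added example written for this page, not code from the original slides or from any payment gateway; the log line format, the merchant names, the thresholds and the per-merchant daily baseline are all assumptions, and the sample log is constructed to mirror the Spitfire case (a merchant that normally sees 5 to 30 transactions a day suddenly sending thousands of $5.07 requests, more than half of them declined). It also adds a third signal the slide does not list, an abnormal decline rate, because randomly chosen card numbers are mostly rejected.

```python
"""Detecting a brute-force card-number attack from gateway authorization logs.

Added example for this page (not code from the slides or any real gateway).
Log format, merchant IDs, thresholds and baselines are assumptions.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthRequest:
    ts: datetime
    merchant_id: str
    amount_cents: int
    approved: bool


def parse_line(line: str) -> AuthRequest:
    """Parse one assumed log line: '<ISO timestamp> <merchant> <amount> <APPROVED|DECLINED>'."""
    ts, merchant, amount, result = line.split()
    dollars, cents = amount.split(".")
    return AuthRequest(datetime.fromisoformat(ts), merchant,
                       int(dollars) * 100 + int(cents), result == "APPROVED")


def detect_brute_force(requests, baseline_daily_max, *, volume_factor=10,
                       repeat_threshold=50, small_amount_cents=1000,
                       decline_rate_threshold=0.30):
    """Return {merchant_id: [reasons]} for merchants whose day looks like a brute-force run.

    Signals (the first two from the slide, the third added here):
      1. request volume far above the merchant's normal daily maximum
      2. the same small amount repeated many times
      3. a high decline rate, since randomly chosen card numbers are mostly rejected
    """
    by_merchant: dict[str, list[AuthRequest]] = defaultdict(list)
    for r in requests:
        by_merchant[r.merchant_id].append(r)

    alerts = {}
    for merchant, reqs in by_merchant.items():
        reasons = []
        n = len(reqs)
        normal_max = baseline_daily_max.get(merchant, 0)
        if n > normal_max * volume_factor:
            reasons.append(f"volume: {n} requests, normal daily max {normal_max}")
        amount, count = Counter(r.amount_cents for r in reqs).most_common(1)[0]
        if count >= repeat_threshold and amount < small_amount_cents:
            reasons.append(f"repeated small amount: {count} requests of ${amount / 100:.2f}")
        declined = sum(1 for r in reqs if not r.approved)
        if n >= repeat_threshold and declined / n > decline_rate_threshold:
            reasons.append(f"decline rate: {declined}/{n} declined")
        if reasons:
            alerts[merchant] = reasons
    return alerts


def build_sample_log() -> list[str]:
    """Constructed log for one day: a normal merchant and one being abused."""
    day = datetime(2002, 9, 12)
    lines = []
    prices = ["19.99", "24.50", "50.00", "129.99"]
    for i in range(12):    # genuine shop: a dozen varied, approved sales
        lines.append(f"{(day + timedelta(minutes=37 * i)).isoformat()} "
                     f"merchant-normal {prices[i % 4]} APPROVED")
    for i in range(2000):  # attacker posing as the merchant: $5.07 every 3 seconds
        result = "APPROVED" if i % 9 < 4 else "DECLINED"   # roughly 44% approved
        lines.append(f"{(day + timedelta(seconds=3 * i)).isoformat()} "
                     f"merchant-spitfire 5.07 {result}")
    return lines


BASELINE_DAILY_MAX = {"merchant-normal": 40, "merchant-spitfire": 30}  # assumed history


def run_sample():
    return detect_brute_force((parse_line(line) for line in build_sample_log()),
                              BASELINE_DAILY_MAX)


if __name__ == "__main__":
    for merchant, reasons in run_sample().items():
        print(merchant)
        for reason in reasons:
            print("  -", reason)
```

The rule runs per merchant per day; in a real gateway it would run over a sliding window so that the alert fires while the run is still in progress and the transactions can be held before settlement, which is what saved Spitfire in the story.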

Brute Force Credit Card Attack (cont.)
- The results
  - VeriSign halted the transactions before they were settled, saving Spitfire $316,000 in charges
  - Authorize.Net merchants were charged $0.35 for each transaction
  - The criminals acquired thousands of valid credit card numbers to sell on the black market

Brute Force Credit Card Attack (cont.)
- What we can learn…
  - Any type of EC involves a number of players who use a variety of network and application services that provide access to a variety of data sources
  - A perpetrator needs only a single weakness in order to attack a system

Brute Force: What We Can Learn
- Some attacks require sophisticated techniques and technologies
- Most attacks are not sophisticated; standard security risk management procedures can be used to minimize their probability and impact

Accelerating Need for E-Commerce Security
- Annual survey conducted by the Computer Security Institute and the FBI
  - Organizations continue to experience cyber attacks from inside and outside of the organization
  - Ransomware

Accelerating Need for E-Commerce Security (cont.)
- The types of cyber attacks that organizations experience are varied
- The financial losses from a cyber attack can be substantial
- It takes more than one type of technology to defend against cyber attacks

Accelerating Need for E-Commerce Security (cont.)
- According to the statistics reported to CERT/CC (CERT/CC 2002)
  - The number of reported incidents skyrocketed from approximately 22,000 in 2000 to over 82,000 in 2002
  - In the first quarter of 2003 the number was already over 43,000
- Computer Emergency Response Team (CERT): a group of three teams at Carnegie Mellon University that monitors the incidence of cyber attacks, analyzes vulnerabilities, and provides guidance on protecting against attacks

Security Is Everyone's Business
- Security practices of organizations of various sizes
  - Small organizations (10 to 100 computers)
    - The "haves" are centrally organized and devote a sizeable percentage of their IT budgets to security
    - The "have-nots" are basically clueless when it comes to IT security

Security Is Everyone's Business (cont.)
- Medium organizations (100 to 1,000 computers)
  - Rarely rely on managerial policies in making security decisions, and have little managerial support for their IT policies
  - The staff they do have is poorly educated and poorly trained; overall exposure to cyber attacks and intrusion is substantially greater than in smaller organizations

Security Is Everyone's Business (cont.)
- Large organizations (1,000 to 10,000 computers)
  - Complex infrastructures and substantial exposure on the Internet
  - While aggregate IT security expenditures are fairly large, security expenditure per employee is low
  - IT security staff are part-time and undertrained; a sizeable percentage of large organizations suffer loss or damage due to incidents
  - Base their security decisions on organizational policies

Security Is Everyone's Business (cont.)
- Very large organizations (more than 10,000 computers)
  - Extremely complex environments that are difficult to manage even with a larger staff
  - Rely on managerial policies in making IT security decisions
  - Only a small percentage have a well-coordinated incident response plan

Security Issues
- From the user's perspective:
  - Is the Web server owned and operated by a legitimate company?
  - Does the Web page or form contain malicious or dangerous code or content?
  - Will the Web server pass the information the user provides to some other party without authorization?

Security Issues (cont.)
- From the company's perspective:
  - Will the user attempt to break into the Web server or alter the pages and content at the site?
  - Will the user try to disrupt the server so that it isn't available to others?

Security Issues (cont.)
- From both parties' perspectives:
  - Is the network connection free from eavesdropping by a third party "listening" on the line?
  - Has the information sent back and forth between the server and the user's browser been altered in transit?

Security Requirements
- Authentication
  - The process by which one entity verifies that another entity is who it claims to be
- Authorization
  - The process that ensures that a person has the right to access certain resources
- Auditing
  - The process of collecting information about attempts to access particular resources, use particular privileges, or perform other security actions

Security Requirements (cont.)
- Confidentiality
  - Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes
- Integrity
  - As applied to data, the ability to protect data from being altered or destroyed in an unauthorized or accidental manner

Security Requirements (cont.)
- Non-repudiation
  - The ability to prevent parties from denying that a legitimate transaction took place, usually by means of a (digital) signature

Information Security Vulnerabilities

| Exposure                  | Intentional                                                              | Unintentional or natural causes             |
|---------------------------|--------------------------------------------------------------------------|---------------------------------------------|
| Hardware exposure         | Theft, vandalism, criminal acts                                          | Natural disasters, fire, floods, disk crash |
| Information exposure      | Alteration of data, systematic updates                                   | Incompetence of programmers, missing        |
| Disclosure of information | Unauthorized copying, network interception, fraud                        | Carelessness                                |
| Network intrusions        | Theft of information, alteration of data, use of computers as a crime tool | ──                                        |

Safeguarding Information
- Assess exposure and risk
- Identify and protect against possible threats and vulnerabilities
- Technical and procedural prevention
- Understand the characteristics of security technologies
- SOP: Standard Operating Procedures
- The strength of a chain is the strength of its weakest link

Basic Security Concepts
- Security is never ABSOLUTE
- There is a balance between security and ease of use
- Security is costly
  - What is your exposure and potential loss?
  - How much are you willing to pay?
- Security issues have both technical and social dimensions
  - All perpetrators are human beings
  - Mostly internal employees

Security and Ease of Use
- What will you end up doing, if every time…
  - you have to unlock 10 locks to get home
  - you have to lock 10 doors before you leave
- Risk and security measures should be balanced

A Simple Case
- When you take a vacation, your supervisor asks you to provide your password…
  - Should you comply?
  - Can you refuse?
  - On what basis?

The Onion of Security
(Diagram: layers of security controls, labelled Business Environment, Legal Environment, International Standards, Insurance, Security Plan, Security Policy, Recovery Plan, Company Process Control, Personnel Control, Document Control, User Control, Application, Input and Output Controls, Program Control, Audit Trail, Access Control, Physical Segregation, Operations Control, Hardware, Comms. Control.)

Some Basic Security Measures
- Virus protection
- Encryption
- Special key

Virus Protection
(Diagram: anti-virus software analyzes programs and files, looking for known virus code; infected items are fixed or segregated, clean ones pass.)

Encryption – General Concept
- E.g. my phone number: 0916059841
- Simple multiplication
  - Multiply by 13: 011908777933
  - I send it to you and you divide by 13…
- A simpler scheme
  - 9807797118664201455098988941411426975
- Key point: we have to protect the encryption rule. Is there any secret?
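The slide's closing question ("is there any secret?") is the point cryptographers settled long ago: the algorithm must be assumed known, and all the secrecy has to live in the key (Kerckhoffs's principle). The Python below is an added example for this page, not code from the slides. It implements the slide's multiply-by-13 scheme, shows that anyone who knows the rule reverses it with one division, and that even an attacker who does not know the multiplier recovers it by trying every small integer, because a multiplier is a tiny key. For contrast it applies the same "public algorithm, secret key" logic to an XOR one-time pad, whose key space of 256^10 keys the same enumeration cannot touch. The plaintext format check (10 digits starting with 09) is an assumption used to recognize a correct guess.

```python
"""The slide's 'multiply by a secret number' scheme, broken, next to a scheme
whose secret is a key rather than a rule.  Added example, not from the slides."""
from __future__ import annotations

import secrets

PLAINTEXT = "0916059841"   # the phone number from the slide
RULE = 13                  # the multiplier the slide keeps secret
DIGITS = len(PLAINTEXT)


def multiply_encrypt(digits: str, k: int) -> str:
    """Multiply the number by k, keeping enough width for leading zeros."""
    width = len(str(int("9" * len(digits)) * k))
    return str(int(digits) * k).zfill(width)


def multiply_decrypt(ciphertext: str, k: int, width: int = DIGITS) -> str:
    """Anyone who knows the rule reverses it with one division."""
    value = int(ciphertext)
    if value % k:
        raise ValueError("not a multiple of the key")
    return str(value // k).zfill(width)


def looks_like_phone(candidate: str) -> bool:
    """Assumed plaintext format: a 10-digit mobile number starting with '09'."""
    return len(candidate) == DIGITS and candidate.startswith("09") and candidate.isdigit()


def brute_force_multiplier(ciphertext: str, max_key: int = 9999) -> list[tuple[int, str]]:
    """Attacker knows only the family of rules ('multiply by a small integer').

    Every key up to max_key is tried; a guess is kept when the division is exact
    and the result has the expected plaintext shape.  This is the whole key space.
    """
    value = int(ciphertext)
    hits = []
    for k in range(2, max_key + 1):
        if value % k == 0:
            candidate = str(value // k).zfill(DIGITS)
            if looks_like_phone(candidate):
                hits.append((k, candidate))
    return hits


def xor_encrypt(message: bytes, key: bytes) -> bytes:
    """One-time pad: the algorithm is public, the key is the only secret."""
    if len(key) != len(message):
        raise ValueError("key must be as long as the message and used once")
    return bytes(m ^ k for m, k in zip(message, key))


xor_decrypt = xor_encrypt   # XOR is its own inverse


def key_space_sizes() -> tuple[int, int]:
    """Keys an attacker must try: the multiplier scheme vs a 10-byte pad."""
    return 9999, 256 ** DIGITS


if __name__ == "__main__":
    ct = multiply_encrypt(PLAINTEXT, RULE)
    print("ciphertext:", ct)
    print("known rule:", multiply_decrypt(ct, RULE))
    print("unknown rule, brute forced:", brute_force_multiplier(ct))
    pad = secrets.token_bytes(DIGITS)     # fresh random key, never reused
    c = xor_encrypt(PLAINTEXT.encode(), pad)
    print("pad ciphertext:", c.hex(), "->", xor_decrypt(c, pad).decode())
    print("key space sizes:", key_space_sizes())
```

Only one multiplier in the whole range produces a plausible phone number, so "hiding the rule" buys nothing once the attacker knows what kind of rule to look for. The pad keeps the algorithm public and is still unbreakable by enumeration; its weaknesses (key distribution, never reusing a key) are exactly the problems the key-management slides that follow are about.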

Symmetric Key Encryption
(Diagram: sender S encrypts the message with the shared key; the encrypted message travels to receiver R, who decrypts it with the same key.)

The Concept of Two Keys
- You rent a SAFE (safe-deposit box) at a bank
  - Open an account
  - Verification of identity
  - Get a key – your private key
- Use
  - Verification of identity, logged
  - A bank officer brings a second key, the public key, and together with your private key opens the safe
- Are you safe? Why?

Asymmetric Key Encryption
- RSA scheme
  - Invented by Rivest, Shamir and Adleman (hence R/S/A)
  - Mathematically generate a pair of "keys", KA and KB
  - Generated together; the two are mathematically related, but one cannot feasibly be derived from the other
  - A file encrypted with KA can only be decrypted with KB, not with KA, and vice versa
  - KA is kept private, and KB is published openly

Asymmetric Key Encryption for Confidentiality
(Diagram: sender S encrypts the message with R's public key; receiver R decrypts the encrypted message with R's private key.)

Asymmetric Key Encryption for Non-repudiation
(Diagram: sender S first encrypts the message with S's private key, then with R's public key; receiver R decrypts with R's private key, then with S's public key. The inner layer can only be removed with S's public key, so only S could have produced it.)

PKI/CA
- PKI – Public Key Infrastructure
  - An infrastructure for operating public-key cryptography (commonly RSA) effectively: generating, distributing, certifying and revoking keys
- CA – Certificate Authority
  - Issuance of certificates that bind a holder's identity to a public key
  - A trusted third party
  - Hierarchical structure of trust (root CA, subordinate CAs)

Issuance of Certificate by CA
(Diagram: the CA certificate (X.509) lists the issuer, issue date, holder ("John") and the holder's public key, which is open to the public for identification; the CA signs it with its private key. The holder later signs a contract or electronic document with his private key, producing a digital signature (shown as a bit string, 110111001) that anyone can verify with the certified public key.)
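Slides 39 to 43 describe RSA key pairs, their use for confidentiality and for non-repudiation, and the certificate a CA issues. The Python below, an added example for this page and not code from the slides or from any real PKI, works all of that through with textbook RSA on deliberately tiny primes (the 61/53 pair gives the classic n = 3233 example). Key generation, encryption with the recipient's public key, sign-then-encrypt as on slide 41, and a toy CA that signs a "certificate" binding a holder's name to a public key are all real RSA arithmetic, but the primes, the hash-reduced-modulo-n signature and the `issuer|holder|key` certificate encoding are teaching simplifications; real systems use 2048-bit or larger moduli, padding schemes and X.509 encoding.

```python
"""Textbook RSA with tiny primes: key pair, confidentiality, non-repudiation,
and a toy CA certificate.  Added example, not from the slides.  Never use
parameters this small, or unpadded RSA, for anything real."""
from __future__ import annotations

from hashlib import sha256
from math import gcd
from typing import Tuple

Key = Tuple[int, int]   # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 17) -> tuple[Key, Key]:
    """Return (public, private).  The two keys are tied together through
    phi(n); recovering d from e requires factoring n, which is what makes
    large moduli safe and tiny ones like these merely illustrative."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (e, n), (d, n)


def rsa_apply(m: int, key: Key) -> int:
    """Raw RSA: m^exp mod n.  The same operation encrypts, decrypts, signs and
    verifies; which one it is depends only on whose key is used."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(m, exp, n)


# Slide 40: confidentiality.  S encrypts with R's public key; only R's private key undoes it.
def encrypt_for(m: int, recipient_pub: Key) -> int:
    return rsa_apply(m, recipient_pub)


def decrypt_own(c: int, own_priv: Key) -> int:
    return rsa_apply(c, own_priv)


# Slide 41: non-repudiation.  S first applies its private key (anyone can undo that
# with S's public key, so only S could have produced it), then R's public key.
def sign_then_encrypt(m: int, sender_priv: Key, recipient_pub: Key) -> int:
    if sender_priv[1] > recipient_pub[1]:
        raise ValueError("inner block would not fit the outer modulus")
    return rsa_apply(rsa_apply(m, sender_priv), recipient_pub)


def decrypt_then_verify(c: int, recipient_priv: Key, sender_pub: Key) -> int:
    return rsa_apply(rsa_apply(c, recipient_priv), sender_pub)


# Signing arbitrary data: hash it, fit the hash into the modulus (toy step), sign.
def digest_mod_n(data: bytes, n: int) -> int:
    return int.from_bytes(sha256(data).digest(), "big") % n


def sign(data: bytes, priv: Key) -> int:
    return rsa_apply(digest_mod_n(data, priv[1]), priv)


def verify(data: bytes, signature: int, pub: Key) -> bool:
    return rsa_apply(signature, pub) == digest_mod_n(data, pub[1])


# Slides 42-43: a CA binds a holder's identity to a public key by signing the pair.
def certificate_bytes(cert: dict) -> bytes:
    return f"{cert['issuer']}|{cert['holder']}|{cert['public_key']}".encode()


def issue_certificate(ca_priv: Key, issuer: str, holder: str, holder_pub: Key) -> dict:
    cert = {"issuer": issuer, "holder": holder, "public_key": holder_pub}
    cert["signature"] = sign(certificate_bytes(cert), ca_priv)
    return cert


def verify_certificate(cert: dict, ca_pub: Key) -> bool:
    """A relying party needs only the CA's public key to check the binding."""
    return verify(certificate_bytes(cert), cert["signature"], ca_pub)


if __name__ == "__main__":
    s_pub, s_priv = make_keypair(61, 53)      # sender S:   n = 3233
    r_pub, r_priv = make_keypair(89, 97)      # receiver R: n = 8633
    ca_pub, ca_priv = make_keypair(127, 131)  # toy CA:     n = 16637
    c = encrypt_for(65, r_pub)
    print("confidentiality:", c, "->", decrypt_own(c, r_priv))
    sealed = sign_then_encrypt(65, s_priv, r_pub)
    print("non-repudiation:", sealed, "->", decrypt_then_verify(sealed, r_priv, s_pub))
    cert = issue_certificate(ca_priv, "Toy CA", "John", s_pub)
    print("certificate valid:", verify_certificate(cert, ca_pub))
    doc = b"XXXX Contract"
    print("John's signature verifies with the certified key:",
          verify(doc, sign(doc, s_priv), cert["public_key"]))
```

The certificate step is where the hierarchy on slide 42 comes from: the relying party trusts John's public key not because John says so but because the CA's signature over `holder|public_key` checks out under a CA key it already trusts; a subordinate CA's key would in turn be certified by the root in the same way.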
More Related Content

Similar to L1 introduction to e-security Online Security

cyber terrorism
 cyber terrorism  cyber terrorism
cyber terrorism Accenture
 
Cyber Security
Cyber SecurityCyber Security
Cyber SecurityIllumeo
 
Verizon 2014 data breach investigation report and the target breach
Verizon 2014 data breach investigation report and the target breachVerizon 2014 data breach investigation report and the target breach
Verizon 2014 data breach investigation report and the target breachUlf Mattsson
 
Task Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...
Task   Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...Task   Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...
Task Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...patmisasi
 
Emerging Threats and Trends in Cybersecurity: A Comprehensive Analysis
Emerging Threats and Trends in Cybersecurity: A Comprehensive AnalysisEmerging Threats and Trends in Cybersecurity: A Comprehensive Analysis
Emerging Threats and Trends in Cybersecurity: A Comprehensive AnalysisIRJET Journal
 
What Are Cyber Attacks All About? | Cyberroot Risk Advisory
What Are Cyber Attacks All About? | Cyberroot Risk AdvisoryWhat Are Cyber Attacks All About? | Cyberroot Risk Advisory
What Are Cyber Attacks All About? | Cyberroot Risk AdvisoryCR Group
 
cyber security guidelines.pdf
cyber security guidelines.pdfcyber security guidelines.pdf
cyber security guidelines.pdfVarinSingh1
 
Chap 1 Fundamentals of Cyber Security _ Intr to Cyber types.pptx
Chap 1 Fundamentals of Cyber Security _ Intr to Cyber  types.pptxChap 1 Fundamentals of Cyber Security _ Intr to Cyber  types.pptx
Chap 1 Fundamentals of Cyber Security _ Intr to Cyber types.pptxSharmilaMore5
 
security and ethical challenges
security and ethical challengessecurity and ethical challenges
security and ethical challengesVineet Dubey
 
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...PECB
 

Similar to L1 introduction to e-security Online Security (20)

cyber terrorism
 cyber terrorism  cyber terrorism
cyber terrorism
 
Module 1.pdf
Module 1.pdfModule 1.pdf
Module 1.pdf
 
module 1 Cyber Security Concepts
module 1 Cyber Security Conceptsmodule 1 Cyber Security Concepts
module 1 Cyber Security Concepts
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cyber Security.docx
Cyber Security.docxCyber Security.docx
Cyber Security.docx
 
C018131821
C018131821C018131821
C018131821
 
Cybercrime
CybercrimeCybercrime
Cybercrime
 
Verizon 2014 data breach investigation report and the target breach
Verizon 2014 data breach investigation report and the target breachVerizon 2014 data breach investigation report and the target breach
Verizon 2014 data breach investigation report and the target breach
 
Task Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...
Task   Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...Task   Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...
Task Incident Readiness with Veris, Judy Nowak at TASK Toronto, April 27, 2...
 
Emerging Threats and Trends in Cybersecurity: A Comprehensive Analysis
Emerging Threats and Trends in Cybersecurity: A Comprehensive AnalysisEmerging Threats and Trends in Cybersecurity: A Comprehensive Analysis
Emerging Threats and Trends in Cybersecurity: A Comprehensive Analysis
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
What Are Cyber Attacks All About? | Cyberroot Risk Advisory
What Are Cyber Attacks All About? | Cyberroot Risk AdvisoryWhat Are Cyber Attacks All About? | Cyberroot Risk Advisory
What Are Cyber Attacks All About? | Cyberroot Risk Advisory
 
Retail
Retail Retail
Retail
 
Ch01 Introduction to Security
Ch01 Introduction to SecurityCh01 Introduction to Security
Ch01 Introduction to Security
 
cyber security guidelines.pdf
cyber security guidelines.pdfcyber security guidelines.pdf
cyber security guidelines.pdf
 
Chap 1 Fundamentals of Cyber Security _ Intr to Cyber types.pptx
Chap 1 Fundamentals of Cyber Security _ Intr to Cyber  types.pptxChap 1 Fundamentals of Cyber Security _ Intr to Cyber  types.pptx
Chap 1 Fundamentals of Cyber Security _ Intr to Cyber types.pptx
 
security and ethical challenges
security and ethical challengessecurity and ethical challenges
security and ethical challenges
 
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
 

More from bayhehua

L2 e security AI Artificial Intelligence
L2 e security AI Artificial IntelligenceL2 e security AI Artificial Intelligence
L2 e security AI Artificial Intelligencebayhehua
 
e-business and e-commerce (1).ppt
e-business and e-commerce (1).ppte-business and e-commerce (1).ppt
e-business and e-commerce (1).pptbayhehua
 
lecture1.ppt
lecture1.pptlecture1.ppt
lecture1.pptbayhehua
 
lec8 GDP new ppt.pptx
lec8 GDP new ppt.pptxlec8 GDP new ppt.pptx
lec8 GDP new ppt.pptxbayhehua
 
lec11 Inflation and CPI.pptx
lec11 Inflation and CPI.pptxlec11 Inflation and CPI.pptx
lec11 Inflation and CPI.pptxbayhehua
 
lec10 unemployment.pptx
lec10 unemployment.pptxlec10 unemployment.pptx
lec10 unemployment.pptxbayhehua
 

More from bayhehua (6)

L2 e security AI Artificial Intelligence
L2 e security AI Artificial IntelligenceL2 e security AI Artificial Intelligence
L2 e security AI Artificial Intelligence
 
e-business and e-commerce (1).ppt
e-business and e-commerce (1).ppte-business and e-commerce (1).ppt
e-business and e-commerce (1).ppt
 
lecture1.ppt
lecture1.pptlecture1.ppt
lecture1.ppt
 
lec8 GDP new ppt.pptx
lec8 GDP new ppt.pptxlec8 GDP new ppt.pptx
lec8 GDP new ppt.pptx
 
lec11 Inflation and CPI.pptx
lec11 Inflation and CPI.pptxlec11 Inflation and CPI.pptx
lec11 Inflation and CPI.pptx
 
lec10 unemployment.pptx
lec10 unemployment.pptxlec10 unemployment.pptx
lec10 unemployment.pptx
 

Recently uploaded

Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...anjaliyadav012327
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 

Recently uploaded (20)

Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 

L1 introduction to e-security Online Security

  • 2. 范錚強 The Security Threats  Computer Crime and Security Survey 2012  90% computers exposed to security violations  40% computers detected external intrusions  25 % in 2010  85% computers detected virus  How do companies protect themselves from this hostile environment? 2 Source: Computer Security Institute (CSI)
  • 3. 范錚強 Myths of Information Security  Protection against hackers  Protection against virus  Segregation of external threats  … 3
  • 4. 范錚強 Brute Force Credit Card Attack Story  The Problem  Spitfire Novelties usually generates between 5 and 30 transactions per day  On September 12, 2002 in a “brute force” credit card attack, Spitfire’s credit card transaction processor processed 140,000 fake credit card charges worth $5.07 each (62,000 were approved) 4
  • 5. 范錚強 Brute Force Credit Card Attack (cont.)  The total value of the approved charges was around $300,000  Spitfire found out about the transactions only when they were called by one of the credit card owners who had been checking his statement online and had noticed the $5.07 charge 5
  • 6. 范錚強 Brute Force Credit Card Attack (cont.)  Brute force credit card attacks require minimal skill  Hackers run thousands of small charges through merchant accounts, picking numbers at random  When the perpetrator finds a valid credit card number it can then be sold on the black market  Some modern-day black markets are actually member-only Web sites like carderplanet.com, shadowcrew.com, and counterfeitlibrary.com 6
  • 7. 范錚強 Brute Force Credit Card Attack (cont.)  Relies on a perpetrator’s ability to pose as a merchant requesting authorization for a credit card purchase requiring  A merchant ID  A password  Both 7
  • 8. 范錚強 Brute Force Credit Card Attack (cont.)  Online Data’s credit card processing services, all a perpetrator needed was a merchant’s password in order to request authorization  Online Data is a reseller of VeriSign Inc. credit card gateway services  VeriSign blamed Online Data for the incident  Online Data blamed Spitfire for not changing their initial starter password 8
  • 9. 范錚強 Brute Force Credit Card Attack Story (cont.)  In April 2002 hackers got into the Authorize.Net card processing system (largest gateway payment system on the Internet)  Executed 13,000 credit card transactions, of which 7,000 succeeded  Entry into the Authorize.Net system required only a log- on name, not a password 9
  • 10. 范錚強 Brute Force Solution  Online Data should assign strong passwords at the start  Customers should modify those passwords frequently  Authorization services such as VeriSign and Authorize.Net should have built-in safeguards that recognize brute force attacks 10
  • 11. 范錚強 Brute Force Credit Card Solution (cont.)  Signals that something is amiss:  A merchant issues an extraordinary number of requests  Repeated requests for small amounts emanating from the same merchants 11
  • 12. 范錚強 Brute Force Credit Card Attack (cont.)  The Results  VeriSign halted the transactions before they were settled, saving Spitfire $316,000 in charges  Authorize.Net merchants were charged $0.35 for each transaction  The criminals acquired thousands of valid credit card numbers to sell on the black market 12
  • 13. 范錚強 Brute Force Credit Card Attack (cont.)  What we can learn…  Any type of EC involves a number of players who use a variety of network and application services that provide access to a variety of data sources  A perpetrator needs only a single weakness in order to attack a system 13
  • 14. 范錚強 Brute Force What We Can Learn  Some attacks require sophisticated techniques and technologies  Most attacks are not sophisticated; standard security risk management procedures can be used to minimize their probability and impact 14
  • 15. 范錚強 Accelerating Need for E-Commerce Security  Annual survey conducted by the Computer Security Institute and the FBI  Organizations continue to experience cyber attacks from inside and outside of the organization  Ransomeware 15
  • 16. 范錚強 Accelerating Need for E-Commerce Security (cont.)  The types of cyber attacks that organizations experience were varied  The financial losses from a cyber attack can be substantial  It takes more than one type of technology to defend against cyber attacks 16
  • 17. 范錚強 Accelerating Need for E-Commerce Security (cont.)  According to the statistics reported to CERT/CC over the past year (CERT/CC 2002)  The number of cyber attacks skyrocketed from approximately 22,000 in 2000 to over 82,000 in 2002  First quarter of 2003 the number was already over 43,000  Computer Emergency Response Team (CERT): Group of three teams at Carnegie Mellon University that monitors incidence of cyber attacks, analyze vulnerabilities, and provide guidance on protecting against attacks 17
Security Is Everyone’s Business
 Security practices of organizations of various sizes
 Small organizations (10 to 100 computers)
  The “haves” are centrally organized and devote a sizeable percentage of their IT budgets to security
  The “have-nots” are basically clueless when it comes to IT security

Security Is Everyone’s Business (cont.)
 Medium organizations (100 to 1,000 computers)
  Rarely rely on managerial policies in making security decisions, and have little managerial support for their IT policies
  The staff they do have is poorly educated and poorly trained; overall exposure to cyber attacks and intrusion is substantially greater than in smaller organizations

Security Is Everyone’s Business (cont.)
 Large organizations (1,000 to 10,000 computers)
  Complex infrastructures and substantial exposure on the Internet
  While aggregate IT security expenditures are fairly large, security expenditures per employee are low
  IT security is part-time and undertrained; a sizeable percentage of large organizations suffer loss or damage due to incidents
  Base their security decisions on organizational policies

Security Is Everyone’s Business (cont.)
 Very large organizations (more than 10,000 computers)
  Extremely complex environments that are difficult to manage even with a larger staff
  Rely on managerial policies in making IT security decisions
  Only a small percentage have a well-coordinated incident response plan
Security Issues
 From the user’s perspective:
  Is the Web server owned and operated by a legitimate company?
  Does the Web page or form contain malicious or dangerous code or content?
  Will the Web server pass on information the user provides to some other party without authorization?

Security Issues (cont.)
 From the company’s perspective:
  Will the user attempt to break into the Web server or alter the pages and content at the site?
  Will the user try to disrupt the server so that it is not available to others?

Security Issues (cont.)
 From both parties’ perspectives:
  Is the network connection free from eavesdropping by a third party “listening” on the line?
  Has the information sent back and forth between the server and the user’s browser been altered?
Security Requirements
 Authentication
  The process by which one entity verifies that another entity is who it claims to be
 Authorization
  The process that ensures that a person has the right to access certain resources
 Auditing
  The process of collecting information about attempts to access particular resources, use particular privileges, or perform other security actions

Security Requirements (cont.)
 Confidentiality
  Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes
 Integrity
  As applied to data, the ability to protect data from being altered or destroyed in an unauthorized or accidental manner

Security Requirements (cont.)
 Non-repudiation
  The ability to prevent parties from denying that a legitimate transaction took place, usually by means of a signature
Information Security Vulnerabilities

Exposure                   | Intentional                                                                 | Unintentional or natural causes
---------------------------|-----------------------------------------------------------------------------|--------------------------------------------
Hardware exposure          | Thefts, vandalism, criminal acts                                            | Natural disasters, fire, floods, disk crash
Information exposure       | Alteration of data, systematic updates                                      | Incompetence of programmers, missing
Disclosure of information  | Unauthorized copy, network interception, fraud                              | Carelessness
Network intrusions         | Theft of information, alteration of data, use of computers as a crime tool  |
Safeguarding Information
 Assess exposure and risk
 Identify and protect against any possible threats and vulnerabilities
 Technical and procedural preventions
  Understanding the characteristics of security technologies
  SOP: Standard Operating Procedure
 The strength of a chain is the strength of its weakest link

Basic Security Concepts
 Security is never ABSOLUTE
 The balance between security and ease of use
 Security is costly
  What is your exposure and potential loss?
  How much are you willing to pay?
 There are technical and social dimensions to security issues
  All perpetrators are human beings
  Mostly internal employees

Security and Ease of Use
 What will you end up doing, if every time…
  You have to unlock 10 locks to get home
  You have to lock 10 doors before you leave
 Risk and security measures should be balanced

A Simple Case
 When you take a vacation, your supervisor asks you to provide your password…
  Should you comply?
  Can you refuse?
  On what basis?
The Onion of Security
 [Diagram: layers of controls drawn as an onion. Labels on the slide: Business Environment, Legal Environment, Insurance, Security Plan, Company Process Control, Personnel Control, Document Control, User Control, Recovery Plan, Security Policy, Application Input and Output Controls, Program Control, Audit Trail, Access Control, Physical Segregation, Operations Control, Hardware/Comms. Control, International Standards]

Some Basic Security Measures
 Virus protection
 Encryption
 Special Key

Virus Protection
 [Diagram: anti-virus software analyzes programs and files, looking for known virus code; when a match is found the file is fixed or segregated, otherwise it passes]
Encryption – General Concept
 E.g. my phone number: 0916059841
 Simple multiplication
  Multiply by 13 → 011908777933
  I send it to you and you divide by 13…
 A simpler scheme
  9807797118664201455098988941411426975
  (the phone number is every third digit, starting from the third)
 Key point: we have to protect the encryption rule. Is there any secret?
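The two schemes on this slide, worked through in code as an added example (not code from the slides). PHONE and SLIDE_DIGITS are the values printed on the slide; the two crack_* functions are constructed to play an attacker who knows which family of rules was used but not its parameters, which is the point of the slide's question: once the rule is the only secret, there is very little to protect.

```python
"""The two 'encryption' schemes of the slide above, and why the rule is the only secret.

Added example, not code from the slides. PHONE and SLIDE_DIGITS are the values
printed on the slide; the crack_* functions play an attacker who knows which
family of rules was used (Kerckhoffs's principle) but not the rule's parameters.
"""
import random

PHONE = "0916059841"
SLIDE_DIGITS = "9807797118664201455098988941411426975"


def mul_encrypt(digits, key=13):
    """Scheme 1: multiply by the key; keep two extra digits for the carry."""
    return str(int(digits) * key).zfill(len(digits) + 2)


def mul_decrypt(cipher, key=13, length=10):
    value = int(cipher)
    if value % key:
        raise ValueError("not a multiple of the key: wrong key or altered ciphertext")
    return str(value // key).zfill(length)


def hide(digits, offset, step, seed=0):
    """Scheme 2: put the secret at positions offset, offset+step, ... and fill the
    rest with random digits (seeded here only so the example is reproducible)."""
    rng = random.Random(seed)
    out = []
    for d in digits:
        out.extend(str(rng.randrange(10)) for _ in range(offset if not out else step - 1))
        out.append(d)
    out.extend(str(rng.randrange(10)) for _ in range(step - 1))
    return "".join(out)


def reveal(cover, offset, step, length=10):
    return cover[offset::step][:length]


def crack_mul(cipher, length=10, max_key=1000):
    """Attacker knows 'multiplied by a small key': try every key and keep
    quotients that look like a Taiwanese mobile number (10 digits, starts 09)."""
    value, hits = int(cipher), []
    for key in range(2, max_key + 1):
        if value % key == 0:
            cand = str(value // key).zfill(length)
            if len(cand) == length and cand.startswith("09"):
                hits.append((key, cand))
    return hits


def crack_hide(cover, length=10):
    """Attacker knows 'every n-th digit from some start': enumerate both."""
    hits = []
    for step in range(1, 6):
        for offset in range(step + 3):
            cand = reveal(cover, offset, step, length)
            if len(cand) == length and cand.startswith("09"):
                hits.append((offset, step, cand))
    return hits
```

Both attackers recover the number without the "key" because the search space of the rule is tiny and the plaintext has recognizable structure (a mobile number starts with 09). Real ciphers separate the public algorithm from a large secret key so that enumerating the key is the only attack left.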
Symmetric Key Encryption
 [Diagram: sender S encrypts the message into the encrypted message; receiver R decrypts the encrypted message back into the message; both sides use the same key]
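The diagram above in code, as an added example (not code from the slides): S and R share one key, S encrypts and R decrypts. AES is not in the Python standard library, so the keystream here is a constructed one (HMAC-SHA256 in counter mode over a per-message nonce); an HMAC tag over the ciphertext, checked before decryption, answers the earlier question of whether the information was altered on the line. How S and R come to share the key in the first place is the problem the next slides address.

```python
"""Symmetric encryption: one shared key, used by S to encrypt and by R to decrypt.

Added example, not code from the slides. AES is not in the Python standard
library, so the keystream here is a constructed one: HMAC-SHA256 run in
counter mode over a per-message nonce (a PRF-based stream cipher). An HMAC
tag over the ciphertext (encrypt-then-MAC) lets R detect alteration in transit.
"""
import hashlib
import hmac
import os


def derive_keys(shared_key):
    """Split the one shared secret into an encryption key and a MAC key."""
    return (hmac.new(shared_key, b"enc", hashlib.sha256).digest(),
            hmac.new(shared_key, b"mac", hashlib.sha256).digest())


def keystream(enc_key, nonce, length):
    """PRF(nonce || counter) blocks, concatenated and cut to `length` bytes."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(shared_key, plaintext, nonce=None):
    """S side: nonce || ciphertext || tag. A fresh random nonce per message is essential."""
    nonce = os.urandom(16) if nonce is None else nonce
    enc_key, mac_key = derive_keys(shared_key)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(shared_key, blob):
    """R side: check the tag first ('has the information been altered?'),
    and only then undo the XOR. Returns None if the tag does not match."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = derive_keys(shared_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def flip_bit(blob, byte_index, bit=0):
    """Simulate a third party altering one bit of the message on the line."""
    out = bytearray(blob)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def nonce_reuse_leak(shared_key, p1, p2):
    """Why the nonce must never repeat: with the same nonce the keystreams cancel,
    so ct1 XOR ct2 equals p1 XOR p2 without knowing the key. Returns that XOR."""
    nonce = b"\x00" * 16                        # deliberately reused (bad practice)
    c1 = encrypt(shared_key, p1, nonce)[16:16 + len(p1)]
    c2 = encrypt(shared_key, p2, nonce)[16:16 + len(p2)]
    return bytes(a ^ b for a, b in zip(c1, c2))
```

Two things the diagram does not show but R depends on: the tag must be verified before any decrypted byte is used, and the nonce must be unique per message under a given key, otherwise an eavesdropper learns the XOR of two plaintexts without ever touching the key.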
The Concept of Two Keys
 You open a SAFE (safe deposit box) in a bank
 Open account
  Verification of identity
  Get a key – your private key
 Use
  Verification of identity, log
  The bank officer brings the bank's key (a “public” key); together with your private key it opens the safe
 Are you safe? Why?

Asymmetric Key Encryption
 RSA scheme
  Invented by three mathematicians whose last names start with R, S and A (Rivest, Shamir and Adleman)
 Mathematically generate a pair of “keys”, KA and KB
  Generated together as one pair. The two keys are mathematically related, but for the key sizes in use deriving one from the other is computationally infeasible, so in practice neither can be obtained from the other
 A file encrypted with key KA can only be decrypted with KB and not with KA, and vice versa
 KA is kept private, and KB is made public
Asymmetric Key Encryption for Confidentiality
 [Diagram: sender S encrypts the message with R's public key; receiver R decrypts the encrypted message with R's private key]

Asymmetric Key Encryption for Non-repudiation
 [Diagram: sender S encrypts the message first with S's private key, then with R's public key; receiver R decrypts first with R's private key, then with S's public key. Only S could have produced the inner layer (non-repudiation); only R can remove the outer layer (confidentiality)]
PKI/CA
 PKI – Public Key Infrastructure
  Encryption scheme based on public-key (RSA) encryption
  An infrastructure for effective operations
 CA – Certificate Authority
  Issuance of certificates that bind a public key to an identity
  Trusted third party (Cambridge Analytica example)
  Hierarchical structure of reference (a chain of certificates up to a root CA)

Issuance of Certificate by CA
 [Diagram: a certificate in X.509 format contains the Issuer, Issue Date, Holder, the holder's Public Key (open to the public) and Identification, and carries the CA's Digital Signature. The holder signs a contract or electronic document (shown as the bits 110111001) with the private key; the recipient checks the signature with the public key taken from the certificate]
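The RSA key pair and the two uses of it on the asymmetric-encryption slides (encrypt with the public key for confidentiality, sign with the private key for non-repudiation), together with the certificate issuance and chain of reference of the two PKI/CA slides, as one added worked example (not code from the slides or from any library). Everything in it is constructed for illustration: the primes are searched just below 2**16 so that the factoring step finishes instantly, bytes are encrypted one at a time with no padding, certificates are plain JSON dicts, validity dates are ISO strings, and the names "Root CA", "Issuing CA" and "Alice" are placeholders. Real deployments use 2048-bit moduli, OAEP/PSS padding and X.509 encoding.

```python
"""Textbook RSA and a minimal certificate chain, following the slides above.

Added example, not code from the slides or from any library. Constructed
choices: primes are searched just below 2**16 so that the factoring step runs
instantly (real keys use 2048-bit moduli), bytes are encrypted one at a time
with no padding, certificates are JSON dicts, and dates are ISO strings.
"""
import hashlib
import json


def is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def keygen(k, e=65537):
    """Key pair number k: KA = (n, d) kept private, KB = (n, e) made public."""
    p, q = next_prime(30000 + 1000 * k), next_prime(50000 + 1000 * k)
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # e*d = 1 mod phi: the only relation between the two keys
    return (n, e), (n, d)


def encrypt(pub, data):
    """Confidentiality: anyone encrypts with R's public key; only R's private key undoes it."""
    n, e = pub
    return [pow(b, e, n) for b in data]      # deterministic per byte: real RSA pads (OAEP)


def decrypt(priv, blocks):
    n, d = priv
    return bytes(pow(c, d, n) for c in blocks)


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    """Non-repudiation: 'encrypt' a hash of the message with S's private key."""
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def sign_then_encrypt(s_priv, r_pub, msg):
    """Both layers of the non-repudiation slide: sign with S private, then encrypt with R public."""
    inner = json.dumps({"msg": msg.decode(), "sig": sign(s_priv, msg)}).encode()
    return encrypt(r_pub, inner)


def decrypt_then_verify(r_priv, s_pub, blocks):
    inner = json.loads(decrypt(r_priv, blocks))
    msg = inner["msg"].encode()
    return msg, verify(s_pub, msg, inner["sig"])


def recover_private(pub):
    """The caveat behind 'one cannot be derived from the other': the private key CAN
    be derived from the public one whenever n can be factored. Trial division does it here."""
    n, e = pub
    p = next(k for k in range(2, int(n ** 0.5) + 1) if n % k == 0)
    return (n, pow(e, -1, (p - 1) * (n // p - 1)))


# --- PKI/CA: a certificate authority binds a holder's public key to an identity ---

def _tbs(body):
    return json.dumps(body, sort_keys=True).encode()   # canonical to-be-signed bytes


def issue_cert(issuer, issuer_priv, holder, holder_pub, issued, expires):
    body = {"issuer": issuer, "holder": holder, "public_key": list(holder_pub),
            "issued": issued, "expires": expires}
    return {"body": body, "signature": sign(issuer_priv, _tbs(body))}


def verify_chain(chain, trust_store, today):
    """chain = [holder cert, ..., root cert]: each certificate must be in its validity
    period, name the next certificate's holder as its issuer, and verify under that
    holder's public key; the self-signed root must be in the local trust store."""
    for i, cert in enumerate(chain):
        body = cert["body"]
        signer = chain[i + 1]["body"] if i + 1 < len(chain) else body
        if not (body["issued"] <= today <= body["expires"]):
            return False
        if body["issuer"] != signer["holder"]:
            return False
        if not verify(tuple(signer["public_key"]), _tbs(body), cert["signature"]):
            return False
    root = chain[-1]["body"]
    return (root["holder"], tuple(root["public_key"])) in trust_store
```

To follow the hierarchical structure of reference, build the chain bottom-up: a self-signed root certificate, an issuing CA certificate signed by the root key, and the holder's certificate signed by the issuing CA key; verify_chain then walks it top-down from the holder to the root and accepts only if every link checks out and the root is one the verifier already trusts. recover_private makes the slide's caveat concrete: with a 32-bit modulus the "private" key falls out of the public one in milliseconds, which is why real keys are 2048 bits or more.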