Electronic Commerce Security Presented by: Chris Brawley Chris Avery.

Post on 18-Dec-2015



Electronic Commerce Security

Presented by: Chris Brawley and Chris Avery

Online Security Issues

Email: people worry about interception of private messages.

Web shopping: concerns about revealing credit card numbers are still prevalent.

Doubts remain about companies' willingness to keep private information secure.

Online Security Issues

Computer security: the protection of assets from unauthorized access, use, alteration, or destruction.

- Physical security: tangible protection such as locks, guards, alarms, and fireproof doors.

- Logical security: protection of assets by nonphysical means (software controls, access rights, encryption).

- Threat: any act or object that poses a danger to computer assets.

Online Security Issues

Managing risk

- Countermeasure: a procedure, physical or logical, that recognizes, reduces, or eliminates a threat.

- Eavesdropper: a person or device that listens in on and copies communications.

- Hackers (and crackers): people who gain unauthorized access to computers, whether to explore, to steal, or to damage.

Online Security Issues

Computer security classifications

1. Secrecy: protecting against unauthorized data disclosure and assuring the authenticity of data sources.

2. Integrity: preventing unauthorized data modification.

3. Necessity: preventing data delays or denials (availability).

Online Security Issues

Security Policy and Integrated Security

Security policy: A written statement describing which assets to protect and why they are being protected, who is responsible for protection, and which behaviors are acceptable and which are not.

Online Security Issues

Creating a security policy

Step 1: Determine which assets to protect.

Step 2: Determine who should have access.

Step 3: Determine what resources are available to protect the assets.

Step 4: Commit resources to building software, hardware, and physical barriers that implement the security policy.

Security for Client Computers

Cookies: small text files that Web servers place on Web client computers to identify returning visitors.

They help to maintain open sessions.

Shopping cart and payment processing both need open sessions to work properly, which is why a stolen session cookie is as good as a stolen login.

Security for Client Computers

Two ways of classifying cookies:

1. By time duration

- Session cookies: discarded when the browser closes.

- Persistent cookies: carry an expiry date and survive across browser sessions.

2. By source

- First-party cookies: set by the site the user is visiting.

- Third-party cookies: set by another site whose content (ads, trackers) is embedded in the page.

Security for Client Computers

Active content: programs that run on the client computer, extending the functionality of HTML. E.g. shopping carts that compute amounts, taxes, shipping, etc.

Best-known forms: Java applets, JavaScript, VBScript, and ActiveX controls. (Cookies are often listed alongside these, but they are data, not executable code.)

Related threats:

- Trojan horse: a program hidden inside another program or Web page that masks its true purpose.

- Zombie: a program that secretly takes over a computer so that it can be used to launch attacks on other computers.

Java applets

Java is a programming language developed by Sun Microsystems that was widely used in Web pages to provide active content.

Java adds functionality to business applications and can handle transactions and a wide variety of actions on the client computer. Applets run inside a sandbox that restricts access to the client's files and network unless the applet is signed and the user grants it more rights; browsers have since dropped applet support entirely.

Security for Client Computers

JavaScript: a scripting language developed by Netscape to let Web page designers build active content.

Can be used for attacks, for example to record the URLs of Web pages a user visits or to send data from the page elsewhere.

JavaScript programs do not execute on their own; they run when the browser loads the page that contains them.

Security for Client Computers


ActiveX controls: objects containing programs and properties that Web designers place on Web pages to perform particular tasks.

- Run only on computers with Windows (Internet Explorer).

- Security risk: an ActiveX control runs with the full rights of the user, and its actions cannot be halted once it has started executing.

Example of ActiveX warning: [screenshot not included in the transcript]

Viruses, Worms, and Antivirus Software

Virus: software that attaches itself to another program and can cause damage when the host program is activated.

Worm: self-replicating malware that spreads to other computers over a network on its own, without needing a host program.

Email attachments are common carriers.

Security for Client Computers

Antivirus software: detects viruses and worms and either deletes them or isolates (quarantines) them on the client computer so they cannot run.

Only effective if the software and its signature database are kept current.

Vendors: Symantec, McAfee.

Security for Client Computers

Digital certificates: an attachment to an e-mail message or a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be.

- Signed code: the certificate is used to sign downloadable software, so the browser can check who published it and that it has not been modified since.

Security for Client Computers

Digital certificates

- Do not attest to the quality of the software.

- Are simply an assurance that the software was created (signed) by a specific company.

- Are not easily forged; the assurance holds only as long as the signer's private key stays secret and the issuer checked the signer's identity before issuing.

Security for Client Computers

Digital certificates include six elements:

• Certificate owner's ID

• Certificate owner's public key

• Dates between which the certificate is valid

• Serial number of the certificate

• Name of the certificate issuer

• Digital signature of the certificate issuer

Security for Client Computers

Steganography: the process of hiding information within another piece of information (for example, a message inside an image file). Hiding is not the same as encrypting: anyone who knows the scheme can extract the message.

Physical security for clients:

- Fingerprint readers

- Biometric security devices


Communication Channel Security

Secrecy Threats

Secrecy is the prevention of unauthorized information disclosure.

Privacy is the protection of an individual's right to nondisclosure.

The Privacy Council created an extensive Web site about privacy.

Anonymizer: a service that hides the user's identity (IP address) from the sites visited by relaying requests through its own servers.

Integrity Threats

Also called active wiretapping: an unauthorized party alters a message stream in transit.

- Cybervandalism: electronic defacing of a Web site.

- Masquerading or spoofing: pretending to be someone else, or presenting a fake Web site as the real one.

Necessity Threats

• Denial of Service (DoS) attack: floods a server or link with traffic so that legitimate requests are delayed or dropped.

Threats to the Physical Security of Internet Communications Channels

The Internet was designed from inception to withstand attacks on its physical links. However, an individual user's Internet service can be interrupted by destruction of that user's link.

Few individuals have multiple connections to an ISP. Larger companies often have two or more links to the main backbone of the Internet.

Threats to Wireless Networks

If not protected properly, anyone within range can access any of the resources on the wireless network.

- Default SSID, username, and password left unchanged

- WEP: broken; its keys can be recovered in minutes, so it should not be used

- WPA: the replacement; prefer WPA2 or newer with a strong passphrase

Encryption Solutions

Encryption algorithms:

- Hash coding (one-way)

- Asymmetric encryption (public key)

- Symmetric encryption (aka private key encryption)

Secure Sockets Layer (SSL) Protocol

Provides a security "handshake" in which the browser and server agree on a session key. Encrypts Web traffic carrying sensitive information such as usernames/passwords, credit card information, and other personal data.

Session key: a symmetric key, used only for that connection, that encrypts the traffic once the public-key handshake is done.

All SSL versions are now deprecated; its successor, TLS, follows the same handshake-then-session-key design.


Secure HTTP (S-HTTP)

• Extension to HTTP that provides security features such as: client and server authentication, spontaneous encryption, and request/response nonrepudiation

• Developed by CommerceNet

• Uses symmetric encryption and public key encryption

• Differs from SSL in how it establishes a secure session: S-HTTP protects individual messages, whereas SSL protects the whole connection. S-HTTP never saw wide adoption.

Ensuring Transaction Integrity with Hash Functions

- Integrity violation: a message is altered between sender and receiver.

- One-way functions: easy to compute, infeasible to reverse.

- Message digest: the fixed-length output of hashing a message; any change to the message changes the digest.

Ensuring Transaction Integrity with Digital Signatures

Provides positive identification of the sender and assures the merchant that the message was not altered: the sender encrypts the message digest with their private key, and the merchant checks it with the sender's public key.

Not the same as electronically signing a document (typing or drawing a signature), which carries no cryptographic assurance.

Guaranteeing Transaction Delivery

Transmission Control Protocol (TCP) is responsible for end-to-end control of packets.

TCP detects missing packets and retransmits them, so no special protocols or software are required. This guards against accidental loss only: an attacker on the path can still drop or alter traffic, which is why integrity has to come from the layers above (SSL/TLS, digital signatures).

Security For Server Computers

Web Server Threats

- Automatic directory listings

- Requiring a username and password: users reuse the same credentials across multiple sites

- The username and password file itself: a prime target if it is readable or stored in plaintext

- Weak passwords

- Dictionary attack programs

Database Threats

- Storage of usernames/passwords in unencrypted (plaintext) format. Passwords should be stored as salted, deliberately slow hashes, never in plaintext or reversible encryption.

- Trojan horse programs

Other Programming Threats

- Buffer overrun or buffer overflow: a program writes more data into a buffer than it can hold, overwriting adjacent memory and, in the worst case, letting an attacker run code on the server.

- Mail bomb: flooding a mailbox or mail server with an enormous number of messages.

Threats to the Physical Security of Web Servers

- Use a secure offsite provider

- Maintain backup servers and backups of the Web server

- Examples: Level 3, PSINet, and Verio

Security Services

Access Control and Authentication

Controls who has access to the Web server.

Uses certificates, username and password, and access control lists (ACLs).

Firewalls

Provides a defense between a network and the Internet, or between a network and any other network that could pose a threat.

- All traffic from outside to inside and from inside to outside the network must pass through it.

- Only authorized traffic, as defined by the local security policy, is allowed to pass through it.

- The firewall itself must be immune to penetration: a compromised firewall protects nothing, so it must be hardened and kept patched.

Types of Firewalls

- Packet filter

- Gateway server

- Proxy server

Firewall Issues

- Perimeter expansion: remote workers, partner connections, and hosted services push the network edge beyond the firewall.

- Intrusion detection systems: needed to spot attacks that the firewall's rules let through.

Organizations That Promote Computer Security

- CERT

- Microsoft Security Research

- SANS Institute

- BugTraq

- CSO Online

US Government Agencies

- US Department of Justice's Cybercrime section

- US Department of Homeland Security's National Infrastructure Protection Center

Computer Forensics and Ethical Hacking

Some corporations hire ethical hackers to do penetration tests: authorized attacks that find weaknesses before a real attacker does.

Computer forensics is used to collect, preserve, and analyze computer-related evidence, including data that can be used in legal proceedings.