Ass-B_Ques2


8/19/2019 Ass-B_Ques2

    Explain different security threats in the context of e-commerce for the above company.

    E-commerce is defined as the buying and selling of products or services over electronic systems such as the Internet and, to a lesser extent, other computer networks. It is generally regarded as the sales and commercial function of e-Business. There has been a massive increase in the level of trade conducted electronically since the widespread penetration of the Internet. A wide variety of commerce is conducted via eCommerce, including electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems.

    This massive increase in the uptake of eCommerce has led to a new generation of associated security threats, but any eCommerce system must meet four integral requirements:

    a) Privacy – information exchanged must be kept from unauthorized parties
    b) Integrity – the exchanged information must not be altered or tampered with
    c) Authentication – both sender and recipient must prove their identities to each other, and
    d) Non-repudiation – proof is required that the exchanged information was indeed received.

    These basic maxims of eCommerce are fundamental to the conduct of secure business online. Further to the fundamental maxims of eCommerce above, eCommerce providers must also protect against a number of different external security threats, most notably Denial of Service (DoS) attacks. These are where an attempt is made to make a computer resource unavailable to its intended users through a variety of mechanisms discussed below. The financial services sector still bears the brunt of e-crime, accounting for 72% of all attacks. But the sector that experienced the greatest increase in the number of attacks was eCommerce.

    Privacy

    Privacy has become a major concern for consumers with the rise of identity theft and impersonation, and any concern for consumers must be treated as a major concern for eCommerce providers. According to Consumer Reports Money Adviser (Perrotta, 2008), the US Attorney General has announced multiple indictments relating to a massive international security breach involving nine major retailers and more than 40 million credit- and debit-card numbers. US attorneys think that this may be the largest hacking and identity-theft case ever prosecuted by the Justice Department. Both EU and US legislation, at both the federal and state levels, mandates that certain organizations inform customers about information uses and disclosures.

    Integrity, Authentication & Non-Repudiation

    In any e-commerce system the factors of data integrity, customer & client authentication and non-repudiation are critical to the success of any online business. Data integrity is the assurance that data transmitted is consistent and correct, that is, it has not been tampered with or altered in any way during transmission. Authentication is a means by which both parties in an online transaction can be confident that they are who they say they are, and non-repudiation is the idea that no party can dispute that an actual event online took place. Proof of data integrity is typically the easiest of these factors to successfully accomplish. A data hash or checksum, such as MD5 or CRC, is usually sufficient to establish that the likelihood of data being undetectably changed is extremely low. Notwithstanding these security measures, it is still possible to compromise data in transit through techniques such as phishing or man-in-the-middle attacks. These flaws have led to the need for the development of strong verification and security measures such as digital signatures and public key infrastructures (PKI).

    Technical Attacks

    Technical attacks are one of the most challenging types of security compromise an e-commerce provider must face. Perpetrators of technical attacks, and in particular Denial-of-Service attacks, typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, large online retailers and popular social networking sites.
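    As an added example (not part of the assignment answer), the following Python script shows why the unkeyed MD5/CRC checksum described above catches accidental corruption but not a man-in-the-middle, who simply recomputes it after altering the message; a keyed HMAC stands in for the digital signatures the text recommends, since it demonstrates the same property with the standard library alone. The order message and the shared key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample order message standing in for an e-commerce transaction.
ORDER = b"order_id=1001&item=laptop&qty=1&ship_to=12 Main St"
# Constructed shared secret between shop and payment gateway (never travels on the wire).
SECRET_KEY = b"example-shared-secret"


def md5_checksum(message: bytes) -> str:
    """Unkeyed checksum of the kind the text calls 'usually sufficient'."""
    return hashlib.md5(message).hexdigest()


def hmac_tag(message: bytes, key: bytes) -> str:
    """Keyed integrity tag (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_md5(message: bytes, checksum: str) -> bool:
    return hmac.compare_digest(md5_checksum(message), checksum)


def verify_hmac(message: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(message, key), tag)


def tamper_in_transit(message: bytes, tag: str):
    """Model a man-in-the-middle rewriting the shipping address.

    The interceptor recomputes the unkeyed MD5 for the altered message, which
    is trivial, but has no key and can only replay the original HMAC tag.
    """
    altered = message.replace(b"12 Main St", b"99 Other Rd")
    return altered, md5_checksum(altered), tag


def run_demo() -> dict:
    checksum = md5_checksum(ORDER)
    tag = hmac_tag(ORDER, SECRET_KEY)
    altered, fake_sum, replayed_tag = tamper_in_transit(ORDER, tag)
    return {
        "original_md5_ok": verify_md5(ORDER, checksum),                       # True
        "tampered_md5_ok": verify_md5(altered, fake_sum),                     # True: tampering undetected
        "original_hmac_ok": verify_hmac(ORDER, tag, SECRET_KEY),              # True
        "tampered_hmac_ok": verify_hmac(altered, replayed_tag, SECRET_KEY),   # False: tampering detected
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```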

    Denial of Service (DoS) attacks consist of overwhelming a server, a network or a website in order to paralyze its normal activity. Defending against DoS attacks is one of the most challenging security problems on the Internet today. A major difficulty in thwarting these attacks is to trace the source of the attack, as they often use incorrect or spoofed IP source addresses to disguise the true origin of the attack.

    The United States Computer Emergency Readiness Team defines symptoms of denial-of-service attacks to include:

    • Unusually slow network performance
    • Unavailability of a particular web site
    • Inability to access any web site
    • Dramatic increase in the number of spam emails received

    DoS attacks can be executed in a number of different ways, including:

    ICMP Flood (Smurf Attack) – where perpetrators will send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination.

    Teardrop Attack – A Teardrop attack involves sending mangled IP fragments with overlapping, over-sized payloads to the target machine. A bug in the TCP/IP fragmentation re-assembly code of various operating systems causes the fragments to be improperly handled, crashing them as a result.
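    An added example (not from the assignment) of the defensive side of the Teardrop description above: a simplified reassembly routine, assumed for illustration rather than taken from any real operating system, that drops a datagram as soon as a fragment overlaps one already placed or would exceed the 16-bit IP total length. The fragment samples are constructed.

```python
MAX_DATAGRAM = 65535  # IPv4 total length is a 16-bit field


class Fragment:
    """Simplified IP fragment: byte offset, payload, more-fragments flag."""
    def __init__(self, offset: int, payload: bytes, more_fragments: bool):
        self.offset = offset
        self.payload = payload
        self.more_fragments = more_fragments


def safe_reassemble(fragments):
    """Reassemble a datagram, rejecting it outright on any overlap, oversize,
    gap or duplicate final fragment. Returns (payload, None) on success or
    (None, reason) when the datagram is dropped."""
    placed = []          # (start, end, payload) for fragments accepted so far
    total_len = None     # end of the fragment with more_fragments == False
    for frag in fragments:
        start, end = frag.offset, frag.offset + len(frag.payload)
        if start < 0 or end > MAX_DATAGRAM:
            return None, "fragment exceeds maximum datagram size"
        if any(start < e and s < end for s, e, _ in placed):
            return None, "overlapping fragment"   # the Teardrop case: drop, never merge
        if not frag.more_fragments:
            if total_len is not None:
                return None, "duplicate final fragment"
            total_len = end
        placed.append((start, end, frag.payload))
    if total_len is None:
        return None, "final fragment never arrived"
    placed.sort()
    cursor = 0
    for s, e, _ in placed:
        if s != cursor:
            return None, "gap in datagram"
        cursor = e
    if cursor != total_len:
        return None, "data beyond final fragment"
    return b"".join(p for _, _, p in placed), None


# Constructed samples: a well-formed datagram, a Teardrop-style one whose second
# fragment starts inside the first (offset 8 < end of first at 24), and an
# oversized one that would run past the 16-bit length limit.
GOOD_FRAGMENTS = [Fragment(0, b"A" * 16, True), Fragment(16, b"B" * 8, False)]
TEARDROP_FRAGMENTS = [Fragment(0, b"A" * 24, True), Fragment(8, b"B" * 8, False)]
OVERSIZED_FRAGMENTS = [Fragment(65528, b"C" * 16, False)]
```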

    Phlashing – Also known as a Permanent denial-of-service (PDoS), this is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. Perpetrators exploit security flaws in the remote management interfaces of the victim's hardware, be it routers, printers, or other networking hardware. These flaws leave the door open for an attacker to remotely 'update' the device firmware to a modified, corrupt or defective firmware image, therefore 'bricking' the device and making it permanently unusable for its original purpose.

    Distributed Denial-of-Service Attacks – Distributed Denial of Service (DDoS) attacks are one of the greatest security fears for IT managers. In a matter of minutes, thousands of vulnerable computers can flood the victim website by choking legitimate traffic (Tariq et al., 2006). A distributed denial of service attack (DDoS) occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers.

    Brute Force Attacks – A brute force attack is a method of defeating a cryptographic scheme by trying a large number of possibilities; for example, a large number of the possible keys in a key space in order to decrypt a message. Brute force attacks, although perceived to be low-tech in nature, are not a thing of the past.

    Non-Technical Attacks

    Phishing Attacks

    Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing scams are generally carried out by emailing the victim with a 'fraudulent' email from what purports to be a legitimate organization requesting sensitive information. When the victim follows the link embedded within the email they are brought to an elaborate and sophisticated duplicate of the legitimate organization's website. Phishing attacks generally target bank customers, online auction sites (such as eBay), online retailers (such as Amazon) and service providers (such as PayPal).

    Social Engineering

    Social engineering is the art of manipulating people into performing actions or divulging confidential information. Social engineering techniques include pretexting (where the fraudster creates an invented scenario to get the victim to divulge information), Interactive voice recording (IVR) or phone phishing (where the fraudster gets the victim to divulge sensitive information over the phone) and baiting with Trojan horses (where the fraudster 'baits' the victim to load malware onto a system). Social engineering has become a serious threat to e-commerce security since it is difficult to detect and to combat, as it involves 'human' factors which cannot be patched akin to hardware or software, albeit staff training and education can somewhat thwart the attack (Hasle et al., 200