Oz – Foundations of Electronic Commerce © 2002 Prentice Hall Security and Privacy Issues.
-
Upload
annabelle-cross -
Category
Documents
-
view
219 -
download
0
Transcript of Oz – Foundations of Electronic Commerce © 2002 Prentice Hall Security and Privacy Issues.
Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Security and Privacy Issues
2 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Learning Objectives List the major threats to networked
information systems Suggest a security measure for
each threat to networked information systems
Explain encryption and how it supports electronic signatures and digital certificates
3 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Learning Objectives Contrast the legitimate data-gathering
needs of businesses and government with individual privacy concerns
Discuss how the increased use of the Internet increases threats to privacy
Explain the relationship between consumer profiling and privacy issues
4 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
No security? No privacy? No commerce! Online security
From a corporate perspective - the ability to protect information sources from unauthorized access, modification, or destruction
From a consumer perspective - the perceived guarantee that no unauthorized party will have access to the transaction information
5 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Privacy concerns: Most people resent losing control of
the collection and use of their personal information
Controversial issue
Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
The threats
7 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Hacking HackerHacker - a person who accesses an
information system resource without permission Almost always the first step towards
criminal activity
8 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Web site page defacement The malicious alteration of text,
graphics, or audio content of pages May range from a cyber equivalent
of graffiti to valid pages being replaced with offensive comments
9 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Viruses Computer virus - a malicious
program that spreads through the exchange of files on disks or through networks Viruses that spread on their own through
networks are also called worms Viruses that have to be downloaded are
called Trojan horses
10 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Denial of service (DoS) Occurs when, due to hectic malicious
activity, an organization cannot serve its clients Flooding the servers with logins
Distributed denial of serviceDistributed denial of service (DDoS) - the attackers “hijack” hundreds of systems (zombieszombies) that simultaneously attack a site Impossible to stop
11 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Spoofing Usually means deception with the
purpose of gaining access, or making users thing that they are logged on a given site, when in reality they are logged on to another site Done by taking advantage of
vulnerabilities of the DNS system A serious spoofing attack may result
in massive fraud
Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
The remedies
13 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Authentication and confidentiality Authentication - the ability of the
system to verify that the users are who they “say” they are
Access codes ““what you know”:what you know”: userID and password ““what you are”:what you are”: biometrics
Unique physical features used for authentication
14 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Confidentiality = no one except the user and the system (or counterpart in an exchange) is able to know the content of an exchange EncryptionEncryption methods
Can also be used for authentication
15 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Transparency Trade-off between security and
convenience TRANSPARENCYTRANSPARENCY is achieved when
security measures are in place but are not noticeable to the users
16 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Firewalls Firewall - hardware and software
whose purpose is to block access to certain resources Controls communication between a
trusted network and the “untrusted” Internet
17 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
DeMilitarized Zone (DMZ) approach - the link between 2 servers, one of which is a proxy server A proxy proxy serverserver “represents” another
server for all information requests Operated by an ISP Double firewall architecture: both the
internal network server and the proxy server employ firewalls
18 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Antispoofing measures The telecommunication companies
that operate parts of the Internet must adopt spoof-proof software Encryption based
Ex.: DNS Security (DNSSEC)DNS Security (DNSSEC) allows Web sites to verify their domain names and corresponding IP addresses using digital signatures and public key encryption
19 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Backup Ideally, backup files should be
updated in real time The backup fully reflects the original
Backup files should be stored off-site Specialized companies
Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Encryption and its applications
21 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Encryption Encryption - the conversion of data
into a secret code Decryption - the conversion of the
secret code back into readable data Mathematical algorithms based on
key(s)key(s) The algorithm is not secret, only the
key is
22 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
The key is a binary number, 40 to 128 bits long The larger the key, the more difficult
it is to decipher the secret code The key is used both in encrypting
and in decrypting the data
23 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Symmetric keys: Both sender and recipient use the
same, agreed upon, key Difficult when the same person has to
communicate with many people A different key is required for each
recipient
24 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Asymmetric keys: The sender uses one key to encrypt the
message, while the receiver uses a different related key to decrypt it
Most common: public key method Each person has both a private and a
public key The private key is secret, while the public
key is freely distributed
25 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Electronic signatures Several forms:
User signs with a stylus on a special pad
Use a biometric of the signer
26 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Digital signatures An encrypted digest of the text that is
sent with a message AuthenticatesAuthenticates the sender of the
message Guarantees that the message was not message was not
alteredaltered Involves two phases:
The encryption software uses a hashing hashing algorithmalgorithm to create a message digest
The message digestmessage digest is encrypted using a private key
27 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Digital certificates Files that serve as the equivalent
of ID cards Must be used by both buyers and
sellers to authenticate a digital signature
Issued by certificate authorities Also issue private and public keys
28 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
A digital certificate contains: Its holder’s name A serial number Expiration date The holder’s public key The digital signature of the certificate
authority
29 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Secure Sockets Layer, SHTTP, and PGP
Secure Sockets Layer (SSL): Uses public key encryption The most popular security standard on
the Internet Secure HyperText Transport
Protocol (SHTTP): An alternative to SSL that only works
with HTTP
30 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Pretty Good Privacy (PGP): Used for secure private
communications Works in conjunction with the e-mail
program Must register the public key with a
PGP server
31 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Business continuity plans Almost all businesses are
dependent on the continuous availability of information systems Especially important for online
businesses Downtime - the time during which
systems are not functional
32 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Companies must have a clear business continuity plan Also known as business recovery
plan Encompass:
Hardware Software People Tasks
Must be periodically reexamined
Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Privacy
The ability of individuals to control information about
themselves
34 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Generally, the law does notnot give people ownership of information about themselves Legal limits on the collection and
dissemination of information exist Right to privacy is impliedimplied in the US
Constitution
35 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Threats to individual privacy: Government
So far, the Internet has been used very little to collect information about citizens
Business Always interested in information about
their customers Especially true about retailers
36 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Business needs Consumer information used primarily
to provide better customer service, and more effective targeted marketing
Individuals’ fears Consumer profiling Customer data as a saleable asset
To self-regulate or not to self-regulate?
37 Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Monitoring at the work place E-mail privacy
E-mail policies Web-browsing privacy
Policies about surfing the net for nonbusiness purposes
Oz – Foundations of Electronic Commerce© 2002 Prentice Hall
Security and Privacy Issues