Chapter 9 ESecurity - PowerPoint PPT Presentation

Slides: 28
Provided by: asatisf166
Transcript and Presenter's Notes

1
Chapter 9: E-Security
2
OBJECTIVES
E-Security: Objectives
  • Security in Cyberspace
  • Conceptualizing Security
  • Designing for Security
  • How Much Risk Can You Afford?
  • Virus: Computer Enemy #1
  • Security Protection and Recovery

3
ABUSE AND FAILURE
E-Security: Security in Cyberspace
  • Fraud
  • Theft
  • Disruption of Service
  • Loss of Customer Confidence

4
WHY INTERNET IS DIFFERENT?
E-Security: Security in Cyberspace
5
SECURITY CONCERNS
E-Security: Conceptualizing Security
  • Confidentiality
  • Authentication
  • Integrity
  • Access Control
  • Non-repudiation
  • Firewalls

6
INFORMATION SECURITY DRIVERS
E-Security: Conceptualizing Security
  • Global trading
  • Availability of reliable security packages
  • Changes in attitudes toward security

7
PRIVACY FACTOR
E-Security: Conceptualizing Security
8
DESIGNING FOR SECURITY
E-Security: Designing for Security
  • Adopt a reasonable security policy
  • Consider web security needs
  • Design the security environment
  • Authorizing and monitoring the system

9
ADOPT A REASONABLE SECURITY POLICY
E-Security: Designing for Security
  • Policy
    • Understanding the threats information must be protected against to ensure
      • Confidentiality
      • Integrity
      • Privacy
    • Should cover the entire e-commerce system
      • Internet security practices
      • Nature and level of risks
      • Procedure of failure recovery

10
DESIGN THE SECURITY ENVIRONMENT
E-Security: Designing for Security
[Exhibit: Logical procedure flow. Diagram labels: Security Consultant; Certified Staff; Verify IT Staff Integrity; Guidelines; Password; Assignment; Test data; Customer Service; Edit payment system; Certified Website; Database; Verified Site; Authorized link]
11
SECURITY PERIMETER
E-Security: Designing for Security
  • Firewalls
  • Authentication
  • Virtual Private Networks (VPN)
  • Intrusion Detection Devices

12
AUTHORIZING AND MONITORING SYSTEM
E-Security: Designing for Security
  • Monitoring
    • Capturing processing details for evidence
    • Verifying e-commerce is operating within security policy
    • Verifying attacks have been unsuccessful

13
HOW MUCH RISK CAN YOU AFFORD?
E-Security: How Much Risk Can You Afford?
  • Determine specific threats inherent to the system
    design
  • Estimate pain threshold
  • Analyze the level of protection required

14
KINDS OF THREATS / CRIMES
E-Security: How Much Risk Can You Afford?
  • Physically-related
  • Order-related
  • Electronically-related

15
CLIENT SECURITY THREATS
E-Security: How Much Risk Can You Afford?
  • Why?
    • Sheer Nuisances
    • Deliberate Corruption of Files
    • Rifling Stored Information
  • How?
    • Physical Attack
    • Virus
    • Computer-to-computer Attack

16
SERVER SECURITY THREATS
E-Security: How Much Risk Can You Afford?
  • Web server with an active port
  • Windows NT server, not upgraded to act as firewall
  • Anonymous FTP service
  • Web server directories that can be accessed and indexed

17
HOW HACKERS ACTIVATE A DENIAL OF SERVICE
E-Security: How Much Risk Can You Afford?
  • Break into less-secured computers connected to a high-bandwidth network
  • Install a stealth program which duplicates itself indefinitely to congest network traffic
  • Specify a target network from a remote location and activate the planted program
  • Victim's network is overwhelmed and users are denied access

18
VIRUS: COMPUTER ENEMY #1
E-Security: Virus: Computer Enemy #1
  • A malicious code replicating itself to cause disruption of the information infrastructure
  • Attacks system integrity, circumvents security capabilities and causes adverse operation
  • Incorporates into computer networks, files and other executable objects

19
TYPES OF VIRUSES
E-Security: Virus: Computer Enemy #1
  • Boot Virus
    • Attacks boot sectors of the hard drive
  • Macro Virus
    • Exploits macro commands in software application

20
VIRUS CHARACTERISTICS
E-Security: Virus: Computer Enemy #1
  • Fast
    • Easily invade and infect computer hard disk
  • Slow
    • Less likely to detect and destroy
  • Stealth
    • Memory resident
    • Able to manipulate its execution to disguise its presence

21
ANTI-VIRUS STRATEGY
E-Security: Virus: Computer Enemy #1
  • Establish a set of simple enforceable rules
  • Educate and train users
  • Inform users of the existing and potential threats to the company's systems
  • Update the latest anti-virus software periodically

22
BASIC INTERNET SECURITY PRACTICES
E-Security: Security Protection and Recovery
  • Password
    • Alpha-numeric
    • Mix with upper and lower cases
    • Change frequently
    • No dictionary names
  • Encryption
    • Coding of messages in traffic between the customer placing an order and the merchant's network processing the order

23
SECURITY RECOVERY
E-Security: Security Protection and Recovery
  • Attack Detection
  • Damage Assessment
  • Correction and Recovery
  • Corrective Feedback

24
FIREWALL SECURITY
E-Security: Firewall Security
  • Firewall
    • Enforces an access control policy between two networks
    • Detects intruders, blocks them from entry, keeps track of what they did and notifies the system administrator

25
WHAT FIREWALL CAN PROTECT
E-Security: Firewall Security
  • Email services known to be problems
  • Unauthorized external logins
  • Undesirable material, e.g. pornography
  • Unauthorized sensitive information

26
WHAT FIREWALL CAN'T PROTECT
E-Security: Firewall Security
  • Attacks without going through the firewall
  • Weak security policy
  • Traitors or disgruntled employees
  • Viruses via floppy disks
  • Data-driven attack

27
SPECIFIC FIREWALL FEATURES
E-Security: Firewall Security
  • Security Policy
  • Deny Capability
  • Filtering Ability
  • Scalability
  • Authentication
  • Recognizing Dangerous Services
  • Effective Audit Logs