Chapter 13 Understanding E-Security - PowerPoint PPT Presentation

Slides: 29
Provided by: Asatisfied5
1
Chapter 13 Understanding E-Security
2
OBJECTIVES
  • Security in Cyberspace
  • Conceptualizing Security
  • Designing for Security
  • How Much Risk Can You Afford?
  • Virus Computer Enemy 1
  • Security Protection and Recovery

3
ABUSE FAILURE
  • Fraud
  • Theft
  • Disruption of Service
  • Loss of Customer Confidence

4
WHY IS THE INTERNET DIFFERENT?
Paper-Based Commerce                    Electronic Commerce
Signed paper documents                  Digital signature
Person-to-person                        Electronic via Web site
Physical payment system                 Electronic payment system
Merchant-customer face-to-face          Face-to-face absence
Easy detectability of modification      Difficult detectability
Easy negotiability                      Difficult negotiability
5
SECURITY CONCERNS
  • Confidentiality
  • Authentication
  • Integrity
  • Access Control
  • Nonrepudiation
  • Firewalls

6
INFORMATION SECURITY DRIVERS
  • Global trading
  • Availability of reliable security packages
  • Changes in attitudes toward security

7
PRIVACY FACTOR
8
DESIGNING FOR SECURITY
  • Adopt a reasonable security policy
  • Consider Web security needs
  • Design the security environment
  • Authorizing and monitoring the system

9
ADOPT A REASONABLE SECURITY POLICY
  • Policy
      • Understanding the threats information must be
        protected against to ensure
          • Confidentiality
          • Integrity
          • Privacy
  • Should cover the entire e-commerce system
      • Internet security practices
      • Nature and level of risks
      • Procedure of failure recovery

10
DESIGN THE SECURITY ENVIRONMENT
[Exhibit: Logical procedure flow. Boxes: Security Consultant; Certified Staff
(verify IT staff integrity, guidelines, password assignment, test data);
Customer Service (edit payment system); Certified Website; Database
(verified site, authorized link).]
11
SECURITY PERIMETER
  • Firewalls
  • Authentication
  • Virtual Private Networks (VPN)
  • Intrusion Detection Devices

12
AUTHORIZING AND MONITORING THE SYSTEM
  • Monitoring
  • Capturing processing details for evidence
  • Verifying e-commerce is operating within security
    policy
  • Verifying attacks have been unsuccessful

13
HOW MUCH RISK CAN YOU AFFORD?
  • Determine specific threats inherent to the system
    design
  • Estimate pain threshold
  • Analyze the level of protection required

14
KINDS OF THREATS/CRIMES
  • Physically-related
  • Order-related
  • Electronically-related

15
CLIENT SECURITY THREATS
  • Why?
      • Sheer Nuisances
      • Deliberate Corruption of Files
      • Rifling Stored Information
  • How?
      • Physical Attack
      • Virus
      • Computer-to-computer Attack

16
SERVER SECURITY THREATS
  • Web server with an active port
  • Windows NT server, not upgraded to act as
    firewall
  • Anonymous FTP service
  • Web server directories that can be accessed and
    indexed

17
HOW HACKERS ACTIVATE A DENIAL OF SERVICE
  • Break into less-secured computers connected to a
    high-bandwidth network
  • Install a stealth program that duplicates itself
    indefinitely to congest network traffic
  • Specify a target network from a remote location
    and activate the planted program
  • The victim's network is overwhelmed and users are
    denied access

18
VIRUS COMPUTER ENEMY 1
  • Malicious code that replicates itself to cause
    disruption of the information infrastructure
  • Attacks system integrity, circumvents security
    capabilities and causes adverse operation
  • Incorporates itself into computer networks, files and
    other executable objects

19
TYPES OF VIRUSES
  • Boot Virus
      • Attacks boot sectors of the hard drive
  • Macro Virus
      • Exploits macro commands in a software application

20
VIRUS CHARACTERISTICS
  • Fast
      • Easily invades and infects the computer's hard disk
  • Slow
      • Less likely to be detected and destroyed
  • Stealth
      • Memory resident
      • Able to manipulate its execution to disguise its
        presence

21
ANTIVIRUS STRATEGY
  • Establish a set of simple, enforceable rules
  • Educate and train users
  • Inform users of the existing and potential
    threats to the company's systems
  • Update to the latest antivirus software periodically

22
BASIC INTERNET SECURITY PRACTICES
  • Password
      • Alphanumeric
      • Mix of upper and lower case
      • Change frequently
      • No dictionary names
  • Encryption
      • Coding of messages in traffic between the
        customer placing an order and the merchant's
        network processing the order
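A checker for the four password rules listed on this slide, as an added example that is not part of the original presentation; the word list and the 90-day rotation period are constructed assumptions:

```python
import string
from datetime import date, timedelta

# Constructed stand-in for a real dictionary word list (assumption for this example).
DICTIONARY = {"password", "welcome", "summer", "dragon", "admin"}
# "Change frequently" needs a concrete period; 90 days is an assumed value.
MAX_PASSWORD_AGE = timedelta(days=90)


def password_findings(password, last_changed, today):
    """Return the slide's rules that the password breaks (empty list = compliant)."""
    findings = []
    has_letter = any(c in string.ascii_letters for c in password)
    has_digit = any(c in string.digits for c in password)
    if not (has_letter and has_digit):
        findings.append("not alphanumeric: needs both letters and digits")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        findings.append("no mix of upper and lower case")
    # Strip digits and punctuation first, so "Dragon123" is still caught as a dictionary word.
    core = "".join(c for c in password if c.isalpha()).lower()
    if core in DICTIONARY:
        findings.append("dictionary word")
    if today - last_changed > MAX_PASSWORD_AGE:
        findings.append("not changed within the rotation period")
    return findings


if __name__ == "__main__":
    for pw in ("Dragon123", "summer", "xq7Lm2pZ"):
        print(pw, password_findings(pw, date(2024, 1, 1), date(2024, 2, 1)))
```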

23
SECURITY RECOVERY
  • Attack Detection
  • Damage Assessment
  • Correction and Recovery
  • Corrective Feedback

24
FIREWALL SECURITY
  • Firewall
      • Enforces an access control policy between two
        networks
      • Detects intruders, blocks them from entry, keeps
        track of what they did and notifies the system
        administrator

25
WHAT FIREWALL CAN PROTECT
  • E-mail services known to be problems
  • Unauthorized external logins
  • Undesirable material, e.g. pornography
  • Unauthorized sensitive information

26
WHAT A FIREWALL CAN'T PROTECT AGAINST
  • Attacks that do not go through the firewall
  • Weak security policy
  • Traitors or disgruntled employees
  • Viruses via floppy disks
  • Data-driven attack

27
SPECIFIC FIREWALL FEATURES
  • Security Policy
  • Deny Capability
  • Filtering Ability
  • Scalability
  • Authentication
  • Recognizing Dangerous Services
  • Effective Audit Logs
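The firewall behaviour that slides 24 and 27 describe (an access control policy between two networks, deny capability, filtering, recognizing dangerous services, audit logs and administrator notification), as an added example that is not part of the original presentation; the networks, the dangerous-service list and the rule set are constructed assumptions:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Services the policy refuses outright, whatever the rule list says (constructed list).
DANGEROUS_SERVICES = {23: "telnet", 69: "tftp", 512: "rexec"}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    port: Optional[int]    # destination port, None matches any port
    proto: str             # "tcp" or "udp"


class Firewall:
    """Ordered first-match rule list between two networks, default deny, with an audit log."""

    def __init__(self, rules):
        self.rules = rules
        self.audit_log = []    # every decision, kept as evidence
        self.alerts = []       # denied attempts reported to the administrator

    def check(self, src_ip, dst_ip, port, proto):
        decision, reason = "deny", "default deny"   # deny capability: nothing passes unless allowed
        if port in DANGEROUS_SERVICES:
            reason = f"dangerous service: {DANGEROUS_SERVICES[port]}"
        else:
            for rule in self.rules:
                if (ip_address(src_ip) in ip_network(rule.src)
                        and ip_address(dst_ip) in ip_network(rule.dst)
                        and rule.proto == proto and rule.port in (None, port)):
                    decision, reason = rule.action, f"matched rule {rule}"
                    break
        entry = (src_ip, dst_ip, port, proto, decision, reason)
        self.audit_log.append(entry)
        if decision == "deny":
            self.alerts.append(entry)   # notify the system administrator
        return decision


def example_firewall():
    """Policy for a web server net 192.0.2.0/24 and an admin net 198.51.100.0/24 (constructed)."""
    return Firewall([
        Rule("allow", "0.0.0.0/0", "192.0.2.0/24", 443, "tcp"),       # public HTTPS
        Rule("allow", "198.51.100.0/24", "192.0.2.0/24", 22, "tcp"),  # SSH only from the admin net
        Rule("deny", "0.0.0.0/0", "192.0.2.0/24", 22, "tcp"),         # unauthorized external logins
    ])
```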

28
Chapter 13 Understanding E-Security