Chap-10-e-commerce-security

Chap. 10 E-commerce
Security
Security for Server computers
Web server threats
Web servers can compromise secrecy if it allows automatic directory listings or by requiring users
to enter a user name and password.
Database threats
Ecom systems store user data and retrieve product info from databased connected to the web server.
Databases connected to the web contain valuable info that could damage a company if disclosed.
Firewalls
A firewall is a software or a hardware combination that is installed in a network to control the packet traffic that
moves through it. Companies will place a firewall at the internet entry point of their networks as it provides a
defense between a network and the internet.
All traffic from the inside to outside and from outside to inside the network must pass through it.
Only authorized traffic, as defined by the local security policy, is allowed to pass through it.
The firewall itself is immune to penetration.
Encryption Solutions
Encryption Algorithms
Logic that implements an encryption program. An encryption program being a program that transforms plain
text into cipher text. Once a message is sent over the network it gets encrypted and upon arrival at destin-
ation it is decoded by a decryption program. Someone can know the details of the algorithm and still not be
able to decipher the encrypted message without knowing the key that the algorithm used to encrypt the message.
Hash Coding
The process used to calcualte a number from a message. It is essentially a virtual fingerprint for the message. They are
designed so that the probability of two different messages resulting in the same hash value is extemely small. It is a way to
tell if a message has been altered in transit.
Asymmetric Encryption
Encodes messages by using two math related numeric keys.
Symmetric Encryption
Encodes a message with one of several available algorithms that use a single numeric key. Due to the fact
the same key is used, both the sender and receiver must know the key, however, the key must be guarded.
If the key is made public, all message previously sent are vulnerable.
Secure Sockets Layer
Protocol
Defined as a security handshake where the client and server sopmuter exchange a brief burst of messages. Each
computer identifies the other then SSL encrypts and decrypts info flowing between the two computers. SSL can
secure many different types of communication between computers in addition to HTTP. SSL allows the length of the
private session key generated by every encrypted transaction to be set at a variety of bit lengths
Key Definitions con'd
Key
long binary number used with encryption algorithm to "lock" the characters of the message
being protected so that they are undecipherable without the key.
Steganography
describes the process of hiding info. within another piece or medium of info.
Biometric security device
device that uses an element of a person's biological makeup to perform the identification.
Privacy
protection of individual rights to nondisclosure.
Sniffer programs
program that provides the mean to record info that passes through a computer or router that
handles internet traffic.
Cybervaldalism
electronic defecting of an existing web site's page.
Masquerading
pretending to be someone you are not, or representing a web site as an original when truely it
is fake.
Encryption
coding of info by using a math based program and a secret key to produce a string of characters
that is unintelligible.
Session Key
key used by an encryption algorithm to create cipher text from plain text during a single secure session.
Digital Signature
an encryption message digest.
Trusted
networks inside of a fire wall as opposed to untrusted which are networks outside the firewall.
Packet-filter firewall
examines all data flowing back and forth between the trusted network and the internet.
Proxy server firewall
firewalls that communicate with the internet on the private network's behalf.
Personal firewall
software-only firewalls on an individual client computer.
Communication Channel Security
The internet was not designed to be secure, it was truely
designed to provide redundancy one or more communication
lines were cut. Today, the internet remains relatively uncha-
nged from its original state. Therefore, any message being
transfered over the internet is subject to threats.
Secrecy Threats
Secrecy is the prevention of unauthorized info. disclosure. This is a technical
issue that requires complex physocal and logical mechanisms. Companies may
protect message against secrecy violations by using encryption. Moreover,
secrecy countermeasures protect outgoing messages.
Theft of sensitive
or personal info.
Protection of info. including credit cards, names, addresses. These threats can
occur any time someone submits info over the internet. Obviously this is a
serious problem.
Integrity Threats
An integrity threat happens when an unauthorized party alters a message stream
of info. They can cuase a change in the actions a person or copmany takes because
a mission-critical transmission has been altered. Examples of integrity threats include:
Cybervandalism and Masquerading
Necessity Threats
The act of disrupting normal computer processing, or denying process entry. A computer
that slows down to ultra slow speed may be experiencing a necessity threat. These sorts
of attacks will remove info altogether, or get rid of info from a transmission or file.
Wireless Network
Threats
Networks can use access points (WAPs) to provide network communications to computers. If
they are not protected, anyone within range can log in and get access to network resources.
The attackers that attack these networks are Wardrivers that practice the process of warchalking.
companies avoid becoming a target by turning on a security feature called WEP.
Security for Client Computers
Cookies
Cookies allow Web servers to maintain continuing open sessions with Web clients. An open session is necessary
to do a number of things that are important in online business activity. Cookies were invented to solve the stateless
connection problem by saving info about a Web user from one set of server-client message exchanges to another.
Cookies can be categorized by: Time Duration and by Source.
Web Bugs
a tiny graphic that a 3rd party web site places on another site's Web page. When a site visitor loads the web page,
the web bug is delivered by the 3rd party site, which can then place a cookie on the visitor's computer.
Active Content
refers to programs that are embedded transparently in web pages and that cause action to occur. In ecom
active content is used to place items into a shopping cart and compute a total invoice amount, including tax,
handling, and shipping. It extends the functionality of HTML and moves some data processing chores from the
busy server machine to the user's client computer.
Java Applets
Java is a programming language developed by Sun that is used widely in web pages to provide active content.
Java adds functionality to business applications and can handle transactions and a wide variety of actions on the
client computer. That relieves an otherwise busy server-side program from handling lots of transactions at the same time.
Java Script
scripting language developed by Netscape to enable web page designers to build active content. JavaScript can be used
for attacks by executing cose that destroys a client's hard disk. It can also record the URLs of web pages a user visits and
capture info. Furthermore, a JavaScript program cannot start on its own, but all that it takes is clicking a button.
Active X control
is an object that contains programs and properties that web designers place on web pages to perform particular
tasks. Only runs on computers with windows operating systems. The security danger with Active X controls is the
once they are downloaded, they executelike anyother program on a client computer, they have full access to system's
resources.
Graphics and Plug-ins
Some graphic files formats have been designed to specifically contain instructions on how to render a graphic. Meaning any
page containing such a graphic could be a threat. Plug-ins are programs that enhance capabilities of browsers. They are
beneficial in performing tasks such as playing video clips and displaying movies. However, users download these plug-ins and
install them so their browsers can display content that is not included in the original HTML.
Viruses, Worms, and Anti-
virus software
A virus is a form of software that attaches itself to another program that can cause damage to a host system. A
worm is a kind of virus that reproduces itself on computers that it infects. Both of these annoyances moves rapidly
through the internet. Antivirus software can detect viruses and worms and can delete them or isolate them on the
host computer so they cannot run (ex: Norton, Symantec, McAfee).
Digital Certificates
is an attachment to an email or program embedded in a web page that varifies that the sender is who they claim to be. These
certificates contain a means to send an encrypted message which is encoded so others cannot read it. The encrypted message
identifies the software publisher. They are used for many types of online transactions including email and ecom. This certificate
is an assurance that the software was created by a specific company.
Contains 6 main elements:
Certificate owner's i.d.ing info, such as name, org., address
Certificate owner's public key
Date between which the certificate is valid
Serial number of certificate
Name of the certificate issuer
Digital signature of the certificate user
Types of Security
Physical Security
includes tangible protection devices, such as alarms, guards, fireproof doors,
security fences, safes or vaults, and bombproof buildings.
Logical Security
Protection of assets using nonphysical means.
Online Security Issues
Managing Risk
Rick management model applies to protecting ecom assets from all kinds of threats.
A threat is judged based on on the potential seriousness of its happening. Orgs must
identify risks, determine how to protect assets, and calculate how much to spend to
protect those assets.
Computer Security Class-
ifications
Secrecy
protecting against unauthorized data disclosure and ensuring the authenticity
of the data source.
Integrity
preventing unauthorized data modification.
Necessity
preventing data delays or denials (removal).
Security Policy and Integrated
Security
Any org. concerned about protecting ecom assets should have a security policy. This policy
must be continually upgraded. First step the company must take in creating a policy is to deter-
mine which assets to protect from which threats. The comprehensive plan for security should
protect a system's privacy, integrity, and availability, and authenticate users.
Elements of a security policy:
Authentication: who is trying to access the ecom site?
Access Control: Who is allowed to log on to and access the ecom site?
Secrecy: Who is permitted to view selected info?
Data integrity: Who is allowed to change data?
Audit: Who or what causes specific events to occur, and when?
Key Definitions
Computer Security
the protection of assets from unauthorized access, use, alteration, or destruction.
Threat
act or object that poses a danger to computer assets.
Eavesdropper
person or device that can listen in on and copy internet transmissions.
Cracker/Hacker
people who write programs or manipulate tech. to obtain unauthorized access to computers and
networks.
White hat hacker
hackers that use their skills for positive purposes.
Black hat hacker
hackers that use their skills for ill purposes.
Man-in-the-middle exploit
contents of an email that are often changed in a way that negates the message's original content.
Stateless Connection
connection between a client and server over internet where by each transmission of info is independent;
no continuous connection is maintained.
Cookie
small text files that Web servers place on Web client computers to identify returning visitors.
Session cookies
cookie that exists only until you shut down your browser.
Persistent cookies
cookie that exists indefinitely.
1st party cookies
cookies placed on the client computer by the Web server site.
3rd party cookies
cookies that originates on a web site other than the site being visited.
Trojan Horse
program hidden inside another program of web page that masks its true purpose.
Zombie
is a trojan horse that secretly takes over another computer for the purpose of launching attacks on other computers.
Java Sandbox
browser security feature that limits the actions that can be preformed by a Java applet that has been downloaded from web.
Certification authority
company that issues digital certificates to an org. or individuals.
8