Date posted: 19-Dec-2015

Chapter 12

E-Commerce Security

© Prentice Hall 2004

Learning Objectives

1. Document the rapid rise in computer and network security attacks.

2. Describe the common security practices of businesses of all sizes.

3. Understand the basic elements of EC security.

4. Explain the basic types of network security attacks.

Learning Objectives (cont.)

5. Describe common mistakes that organizations make in managing security.

6. Discuss some of the major technologies for securing EC communications.

7. Detail some of the major technologies for securing EC network components.

Brute Force Credit Card Attack Story

The Problem

Spitfire Novelties usually generates between 5 and 30 transactions per day

On September 12, 2002 in a “brute force” credit card attack, Spitfire’s credit card transaction processor processed 140,000 fake credit card charges worth $5.07 each (62,000 were approved)

Brute Force Credit Card Attack (cont.)

The total value of the approved charges was around $300,000

Spitfire found out about the transactions only when they were called by one of the credit card owners who had been checking his statement online and had noticed the $5.07 charge

Brute Force Credit Card Attack (cont.)

Brute force credit card attacks require minimal skill

Hackers run thousands of small charges through merchant accounts, picking numbers at random

When the perpetrator finds a valid credit card number it can then be sold on the black market

Some modern-day black markets are actually member-only Web sites like carderplanet.com, shadowcrew.com, and counterfeitlibrary.com

Brute Force Credit Card Attack (cont.)

Relies on a perpetrator’s ability to pose as a merchant requesting authorization for a credit card purchase requiring

A merchant ID

A password

Both

Brute Force Credit Card Attack (cont.)

With Online Data’s credit card processing services, all a perpetrator needed was a merchant’s password in order to request authorization

Online Data is a reseller of VeriSign Inc. credit card gateway services

VeriSign blamed Online Data for the incident

Online Data blamed Spitfire for not changing their initial starter password

Brute Force Credit Card Attack Story (cont.)

In April 2002 hackers got into the Authorize.Net card processing system (largest gateway payment system on the Internet)

Executed 13,000 credit card transactions, of which 7,000 succeeded

Entry into the Authorize.Net system required only a log-on name, not a password

Brute Force Solution

Online Data should assign strong passwords at the start

Customers should modify those passwords frequently

Authorization services such as VeriSign and Authorize.Net should have built-in safeguards that recognize brute force attacks

Brute Force Credit Card Solution (cont.)

Signals that something is amiss:

A merchant issues an extraordinary number of requests

Repeated requests for small amounts emanating from the same merchants
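The two signals above can be checked mechanically over a gateway's authorization requests. The sketch below is an added example, not part of the original slides: the merchant IDs, thresholds, window size and sample requests are constructed assumptions, and only the $5.07 amount, the date and the 30-per-day upper baseline are taken from the case.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed tuning values; a real gateway would derive them per merchant.
WINDOW = timedelta(hours=1)      # sliding window examined per merchant
VOLUME_FACTOR = 3                # alert when one window exceeds 3x a normal day's maximum
SMALL_AMOUNT = Decimal("10.00")  # what counts as a "small" charge
REPEAT_LIMIT = 50                # identical small amounts tolerated per window


@dataclass(frozen=True)
class AuthRequest:
    ts: datetime
    merchant_id: str
    amount: Decimal


@dataclass(frozen=True)
class Alert:
    merchant_id: str
    signal: str            # "volume" or "repeated_small_amount"
    triggered_at: datetime
    count: int


def detect(requests, daily_max):
    """Return the first alert per (merchant, signal), in the order they fire.

    daily_max maps merchant_id -> highest normal number of requests per day.
    Merchants without a baseline are only checked for repeated small amounts.
    """
    windows = defaultdict(deque)         # merchant -> requests inside WINDOW
    small_counts = defaultdict(Counter)  # merchant -> small amount -> count inside WINDOW
    fired, alerts = set(), []
    for req in sorted(requests, key=lambda r: r.ts):
        win, counts = windows[req.merchant_id], small_counts[req.merchant_id]
        win.append(req)
        if req.amount <= SMALL_AMOUNT:
            counts[req.amount] += 1
        # Expire requests that have fallen out of the sliding window.
        while req.ts - win[0].ts > WINDOW:
            old = win.popleft()
            if old.amount <= SMALL_AMOUNT:
                counts[old.amount] -= 1
        checks = []
        baseline = daily_max.get(req.merchant_id)
        # Signal 1: an extraordinary number of requests from one merchant.
        if baseline is not None and len(win) > VOLUME_FACTOR * baseline:
            checks.append(("volume", len(win)))
        # Signal 2: repeated requests for the same small amount.
        if counts[req.amount] > REPEAT_LIMIT:
            checks.append(("repeated_small_amount", counts[req.amount]))
        for signal, count in checks:
            if (req.merchant_id, signal) not in fired:
                fired.add((req.merchant_id, signal))
                alerts.append(Alert(req.merchant_id, signal, req.ts, count))
    return alerts


def constructed_sample():
    """Constructed traffic: a quiet novelty shop hit by a burst, and a busy kiosk."""
    day = datetime(2002, 9, 12)
    reqs = []
    # Normal morning traffic: 12 orders of varied, larger amounts.
    for i in range(12):
        reqs.append(AuthRequest(day + timedelta(minutes=30 * i), "M-NOVELTY",
                                Decimal("19.99") + i))
    # Burst: 400 identical $5.07 requests, one per second, from 14:00.
    for i in range(400):
        reqs.append(AuthRequest(day + timedelta(hours=14, seconds=i), "M-NOVELTY",
                                Decimal("5.07")))
    # Kiosk: many small charges, but varied amounts and within its own baseline.
    for i in range(200):
        reqs.append(AuthRequest(day + timedelta(hours=7, minutes=3 * i), "M-KIOSK",
                                Decimal("2.50") + (i % 9) * Decimal("0.25")))
    return reqs, {"M-NOVELTY": 30, "M-KIOSK": 300}


if __name__ == "__main__":
    sample, baselines = constructed_sample()
    for alert in detect(sample, baselines):
        print(alert)
```

Both alerts fire within the first two minutes of the burst, which is the point of checking at authorization time rather than waiting for a cardholder to notice a charge on a statement.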

Brute Force Credit Card Attack (cont.)

The Results

VeriSign halted the transactions before they were settled, saving Spitfire $316,000 in charges

Authorize.Net merchants were charged $0.35 for each transaction

The criminals acquired thousands of valid credit card numbers to sell on the black market

Brute Force Credit Card Attack (cont.)

What we can learn…

Any type of EC involves a number of players who use a variety of network and application services that provide access to a variety of data sources

A perpetrator needs only a single weakness in order to attack a system

Brute Force What We Can Learn

Some attacks require sophisticated techniques and technologies

Most attacks are not sophisticated; standard security risk management procedures can be used to minimize their probability and impact

Accelerating Need for E-Commerce Security

Annual survey conducted by the Computer Security Institute and the FBI

1. Organizations continue to experience cyber attacks from inside and outside of the organization

Accelerating Need for E-Commerce Security (cont.)

2. The types of cyber attacks that organizations experience were varied

3. The financial losses from a cyber attack can be substantial

4. It takes more than one type of technology to defend against cyber attacks

Accelerating Need for E-Commerce Security (cont.)

National Infrastructure Protection Center (NIPC): A joint partnership, under the auspices of the FBI, among governmental and private industry; designed to prevent and protect the nation’s infrastructure

Accelerating Need for E-Commerce Security (cont.)

Computer Emergency Response Team (CERT): Group of three teams at Carnegie Mellon University that monitor the incidence of cyber attacks, analyze vulnerabilities, and provide guidance on protecting against attacks

Accelerating Need for E-Commerce Security (cont.)

According to the statistics reported to CERT/CC over the past year (CERT/CC 2002)

The number of cyber attacks skyrocketed from approximately 22,000 in 2000 to over 82,000 in 2002

First quarter of 2003 the number was already over 43,000

Security Is Everyone’s Business

Security practices of organizations of various sizes

Small organizations (10 to 100 computers)

The “haves” are centrally organized, devote a sizeable percentage of their IT budgets to security

The “have-nots” are basically clueless when it comes to IT security

Security Is Everyone’s Business (cont.)

Medium organizations (100 to 1,000 computers)

Rarely rely on managerial policies in making security decisions, and they have little managerial support for their IT policies

The staff they do have is poorly educated and poorly trained—overall exposure to cyber attacks and intrusion is substantially greater than in smaller organizations

Security Is Everyone’s Business (cont.)

Large organizations (1,000 to 10,000 computers)

Complex infrastructures and substantial exposure on the Internet

While aggregate IT security expenditures are fairly large, their security expenditures per employee are low

Security Is Everyone’s Business (cont.)

Larger organizations

IT security is part-time and undertrained—sizeable percentage of the large organizations suffer loss or damage due to incidents

Base their security decisions on organizational policies

Security Is Everyone’s Business (cont.)

Very large organizations (more than 10,000 computers)

Extremely complex environments that are difficult to manage even with a larger staff

Rely on managerial policies in making IT security decisions

Only a small percentage have a well-coordinated incident response plan

Security Issues

From the user’s perspective:

Is the Web server owned and operated by a legitimate company?

Does the Web page and form contain some malicious or dangerous code or content?

Will the Web server distribute unauthorized information the user provides to some other party?

Security Issues (cont.)

From the company’s perspective:

Will the user not attempt to break into the Web server or alter the pages and content at the site?

Will the user try to disrupt the server so that it isn’t available to others?

Security Issues (cont.)

From both parties’ perspectives:

Is the network connection free from eavesdropping by a third party “listening” on the line?

Has the information sent back and forth between the server and the user’s browser been altered?

Security Requirements

Authentication: The process by which one entity verifies that another entity is who they claim to be

Authorization: The process that ensures that a person has the right to access certain resources

Security Requirements (cont.)

Auditing: The process of collecting information about attempts to access particular resources, use particular privileges, or perform other security actions

Security Requirements (cont.)

Confidentiality: Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes

Security Requirements (cont.)

Integrity: As applied to data, the ability to protect data from being altered or destroyed in an unauthorized or accidental manner

Security Issues (cont.)

Nonrepudiation: The ability to limit parties from refuting that a legitimate transaction took place, usually by means of a signature

Types of Threats and Attacks

Nontechnical attack: An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network

Types of Threats and Attacks (cont.)

Social engineering: A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access

Types of Threats and Attacks (cont.)

Multiprong approach used to combat social engineering:

1. Education and training

2. Policies and procedures

3. Penetration testing

Types of Threats and Attacks (cont.)

Technical attack: An attack perpetrated using software and systems knowledge or expertise

Types of Threats and Attacks (cont.)

Common (security) vulnerabilities and exposures (CVEs): Publicly known computer security risks, which are collected, listed, and shared by a board of security-related organizations (cve.mitre.org)

Types of Threats and Attacks (cont.)

Denial-of-service (DoS) attack: An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources

Types of Threats and Attacks (cont.)

Distributed denial-of-service (DDoS) attack: A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses these multiple computers to send a flood of data packets to the target computer

Types of Threats and Attacks (cont.)

Malware: A generic term for malicious software

The severity of the viruses increased substantially, requiring much more time and money to recover

85% of survey respondents said that their organizations had been the victims of e-mail viruses in 2002

Types of Threats and Attacks (cont.)

Malicious code takes a variety of forms—both pure and hybrid

Virus: A piece of software code that inserts itself into a host, including the operating systems, to propagate; it requires that its host program be run to activate it

Types of Threats and Attacks (cont.)

Worm: A software program that runs independently, consuming the resources of its host in order to maintain itself and is capable of propagating a complete working version of itself onto another machine

Types of Threats and Attacks (cont.)

Macro virus or macro worm: A virus or worm that is executed when the application object that contains the macro is opened or a particular procedure is executed

Types of Threats and Attacks (cont.)

Trojan horse: A program that appears to have a useful function but that contains a hidden function that presents a security risk

Managing EC Security

Common mistakes in managing their security risks (McConnell 2002):

Undervalued information

Narrowly defined security boundaries

Reactive security management

Dated security management processes

Lack of communication about security responsibilities

Managing EC Security (cont.)

Security risk management: A systematic process for determining the likelihood of various security attacks and for identifying the actions needed to prevent or mitigate those attacks

Managing EC Security (cont.)

Phases of security risk management

Assessment

Planning

Implementation

Monitoring

Managing EC Security (cont.)

Phase 1: Assessment

Evaluate security risks by determining assets, vulnerabilities of their system, and potential threats to these vulnerabilities

Honeynet: A way to evaluate vulnerabilities of an organization by studying the types of attacks to which a site is subjected, using a network of systems called honeypots

Honeypots: Production systems (e.g., firewalls, routers, Web servers, database servers) designed to do real work but to be watched and studied as network intrusions occur

Managing EC Security (cont.)

Phase 2: Planning

Goal of this phase is to arrive at a set of policies defining which threats are tolerable and which are not

Policies also specify the general measures to be taken against those threats that are intolerable or high priority

Managing EC Security (cont.)

Phase 3: Implementation

Particular technologies are chosen to counter high-priority threats

First step is to select generic types of technology for each of the high priority threats

Managing EC Security (cont.)

Phase 4: Monitoring to determine

Which measures are successful

Which measures are unsuccessful and need modification

Whether there are any new types of threats

Whether there have been advances or changes in technology

Whether there are any new business assets that need to be secured

Managing EC Security (cont.)

Methods of securing EC

Authentication system

Access control mechanism

Passive tokens

Active tokens

Authentication

Authentication system: System that identifies the legitimate parties to a transaction, determines the actions they are allowed to perform, and limits their actions to only those that are necessary to initiate and complete the transaction

Authentication (cont.)

Access control mechanism: Mechanism that limits the actions that can be performed by an authenticated person or group

Authentication (cont.)

Passive tokens: Storage devices (e.g., magnetic strips) used in a two-factor authentication system that contain a secret code

Authentication (cont.)

Active tokens: Small, stand-alone electronic devices in a two-factor authentication system that generate one-time passwords

Biometric Controls

Biometric systems: Authentication systems that identify a person by measurement of a biological characteristic such as a fingerprint, iris (eye) pattern, facial features, or voice

Biometric Controls (cont.)

Physiological biometrics: Measurements derived directly from different parts of the body (e.g., fingerprints, iris, hand, facial characteristics)

Behavioral biometrics: Measurements derived from various actions and indirectly from various body parts (e.g., voice scans or keystroke monitoring)

Biometric Controls (cont.)

Fingerprint scanning: Measurement of the discontinuities of a person’s fingerprint, converted to a set of numbers that are stored as a template and used to authenticate identity

Iris scanning: Measurement of the unique spots in the iris (colored part of the eye), converted to a set of numbers that are stored as a template and used to authenticate identity

Biometric Controls (cont.)

Voice scanning: Measurement of the acoustical patterns in speech production, converted to a set of numbers that are stored as a template and used to authenticate identity

Biometric Controls (cont.)

Keystroke monitoring: Measurement of the pressure, speed, and rhythm with which a word is typed, converted to a set of numbers that are stored as a template and used to authenticate identity; this biometric is still under development

Encryption Methods

Public key infrastructure (PKI): A scheme for securing e-payments using public key encryption and various technical components

Encryption Methods (cont.)

Private and public key encryption

Encryption: The process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it

Encryption Methods (cont.)

Plaintext: An unencrypted message in human-readable form

Ciphertext: A plaintext message after it has been encrypted into a machine-readable form

Encryption algorithm: The mathematical formula used to encrypt the plaintext into the ciphertext, and vice versa

Encryption Methods (cont.)

Symmetric (private) key system

Key: The secret code used to encrypt and decrypt a message

Symmetric (private) key system: An encryption system that uses the same key to encrypt and decrypt the message

Encryption Methods (cont.)

Data Encryption Standard (DES): The standard symmetric encryption algorithm supported by the NIST and used by U.S. government agencies until October 2, 2000

Rijndael: The new Advanced Encryption Standard used to secure U.S. government communications since October 2, 2000

Elements of PKI

Digital signature: An identifying code that can be used to authenticate the identity of the sender of a document

Portable
Cannot be easily repudiated or imitated, and can be time-stamped

Elements of PKI (cont.)

Digital signatures include:

Hash: A mathematical computation that is applied to a message, using a private key, to encrypt the message

Message digest: A summary of a message, converted into a string of digits, after the hash has been applied

Digital envelope: The combination of the encrypted original message and the digital signature, using the recipient’s public key

Elements of PKI (cont.)

Digital certificate: Verification that the holder of a public or private key is who they claim to be

Certificate authorities (CAs): Third parties that issue digital certificates

Security Protocols

Secure Socket Layer (SSL): Protocol that utilizes standard certificates for authentication and data encryption to ensure privacy or confidentiality

Transport Layer Security (TLS): As of 1996, another name for the SSL protocol

Security Protocols (cont.)

Secure Electronic Transaction (SET): A protocol designed to provide secure online credit card transactions for both consumers and merchants; developed jointly by Netscape, Visa, MasterCard, and others

Securing EC Networks

Technologies for organizational networks

Firewall: A network node consisting of both hardware and software that isolates a private network from a public network

Packet-filtering routers: Firewalls that filter data and requests moving from the public Internet to a private network based on the network addresses of the computer sending or receiving the request

Securing EC Networks (cont.)

Packet filters: Rules that can accept or reject incoming packets based on source and destination addresses and other identifying information

Application-level proxy: A firewall that permits requests for Web pages to move from the public Internet to the private network

Securing EC Networks (cont.)

Bastion gateway: A special hardware server that utilizes application-level proxy software to limit the types of requests that can be passed to an organization’s internal networks from the public Internet

Proxies: Special software programs that run on the gateway server and pass repackaged packets from one network to the other

Securing EC Networks (cont.)

Personal firewalls:

Personal firewall: A network node designed to protect an individual user’s desktop system from the public network by monitoring all the traffic that passes through the computer’s network interface card

Securing EC Networks (cont.)

VPNs

Virtual private network (VPN): A network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network

Securing EC Networks (cont.)

Protocol tunneling: Method used to ensure confidentiality and integrity of data transmitted over the Internet, by encrypting data packets, sending them in packets across the Internet, and decrypting them at the destination address

Securing EC Networks (cont.)

Intrusion detection systems (IDSs): A special category of software that can monitor activity across a network or on a host computer, watch for suspicious activity, and take automated action based on what it sees

Securing EC Networks (cont.)

Network-based IDS uses rules to analyze suspicious activity at the perimeter of a network or at key locations in the network

Consists of a monitor—a software package that scans the software agents that reside on various host computers and feed information back to the monitor

Managerial Issues

1. Have we budgeted enough for security?

2. What are the business consequences of poor security?

3. Which e-commerce sites are vulnerable to attack?

Managerial Issues (cont.)

4. What is the key to establishing strong e-commerce security?

5. What steps should businesses follow in establishing a security plan?

6. Should organizations be concerned with internal security threats?

Summary

1. Increase in computer attacks.
2. Security is everyone’s business.
3. Basic security issues.
4. Basic types of network security attacks.
5. Managing EC security.
6. Securing EC communications.
7. Technologies for securing networks