Entrepreneurship & Commerce in IT - 11 - Security & Encryption


Transcript of Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Page 1: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Entrepreneurship &

Commerce in IT

11

Sachintha Gunasena MBCS

http://lk.linkedin.com/in/sachinthadtg

Page 2: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Recap so far…


Page 3: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Building an E-Commerce Website

• Planning

• Systems analysis and design

• Building the system: In-house vs. outsourcing

• Website hosting: In-house vs. outsourcing

• System Testing

• Implementation and maintenance

• Website optimization factors

• Choosing server software

• Application servers

• E-commerce merchant server software functionality

• Merchant server software packages

• Choosing the right hardware for your e-commerce site

• Right-sizing your hardware platform

• Other e-commerce site development tools

• Personalization tools

Page 4: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Today…

Page 5: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Security and Encryption

• The e-commerce security environment

• Types of threats

• Technology solutions

• Protecting Internet communications

• Encryption

• Securing channels of communication

• Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

• Protecting networks - Firewalls

• Protecting servers and clients – OS controls/Anti-virus software

Page 6: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

The E-Commerce Security Environment

• For most law-abiding citizens, the Internet holds the promise of a huge and convenient global marketplace

• For criminals, the Internet has created entirely new – and profitable – ways to steal from the more than one billion Internet consumers worldwide

• steal what?

• products, services, cash, information

• It’s also less risky to steal online

• For example, rather than rob a bank in person, the Internet makes it possible to rob people remotely and almost anonymously

Page 7: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

The E-Commerce Security

Environment

Page 8: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

The E-Commerce Security

Environment

Page 9: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Security Implementation Concerns

• Can there be too much security?

• Yes.

• adds overhead and expense to business operations

• Expanding computer security also has other downsides:

• Makes systems more difficult to use

• Adds processing overhead (encryption, inspection and logging all cost CPU time)

• Increases data storage demands

• May reduce individuals’ ability to remain anonymous

Page 10: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Threats

• Three key points of vulnerability:

• Client

• Server

• Communications channel

Page 11: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

An E-Commerce Transaction

Page 12: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Vulnerable Points in an E-

Commerce Transaction

Page 13: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Types of Threats

• Viruses

• needs a host

• a virus attaches itself to executable code and is executed when the infected program runs or an infected file is opened

• Worms

• does not need a host

• replicates itself across the network by exploiting vulnerable hosts, with no user action required

• Trojans

• malicious code hidden behind a program that appears legitimate

• can perform covert, malicious functions

• Logic Bombs

• a variant of a Trojan Horse: the malicious payload stays dormant until a specific event or date/time triggers it

Page 14: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Types of Threats Cont.d

• Bot networks (botnets)

• a number of compromised Internet-connected computers communicating with other similar machines in order to carry out repetitive tasks and objectives

• zombie computers controlled by a master (command-and-control) host

• used for spam or DDoS attacks

• DDoS attacks

• many computers are used to launch an attack on a particular E-Commerce server

• a massive amount of invalid traffic is sent to the server until it can no longer serve legitimate users

• achieved by bot networks

• Phishing

• the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft

Page 15: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Types of Threats Cont.d

• Data Packet Sniffing

• an attacker can also use a sniffer to intercept the data packet flow and analyze the individual data packets; unencrypted traffic exposes credentials and card data in the clear

• IP Spoofing

• change the source address of a data packet to give it the appearance that it originated from another computer

• used to hide the true origin of a Denial of Service Attack

• Port Scanning

• probing the network ports of the E-Commerce server

• figure out what kind of services are running on the E-Commerce server

• figure out the vulnerabilities of the system in order to cause the greatest damage possible
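Added worked example (not from the original slides): port scanning looks very different from normal client traffic in a firewall log, because one source touches many distinct ports on one host in a short window, and most of those attempts are dropped. The detector below runs over a constructed sample log (the addresses, timestamps and format are assumptions, not real data) and flags any source that hits at least `min_ports` distinct ports on the same destination within `window` seconds.

```python
"""Flag port-scan behaviour in firewall connection logs.

Constructed sample log (not from any real system): one line per connection
attempt in the form "epoch src_ip dst_ip dst_port action".
"""
from collections import defaultdict

SAMPLE_LOG = """\
1700000000 198.51.100.7 203.0.113.10 443 ACCEPT
1700000001 198.51.100.7 203.0.113.10 443 ACCEPT
1700000002 192.0.2.55 203.0.113.10 21 DROP
1700000002 192.0.2.55 203.0.113.10 22 ACCEPT
1700000003 192.0.2.55 203.0.113.10 23 DROP
1700000003 192.0.2.55 203.0.113.10 25 DROP
1700000004 192.0.2.55 203.0.113.10 80 ACCEPT
1700000004 192.0.2.55 203.0.113.10 110 DROP
1700000005 192.0.2.55 203.0.113.10 143 DROP
1700000005 192.0.2.55 203.0.113.10 443 ACCEPT
1700000006 192.0.2.55 203.0.113.10 3306 DROP
1700000007 192.0.2.55 203.0.113.10 8080 DROP
1700000090 198.51.100.8 203.0.113.10 80 ACCEPT
"""


def parse_line(line):
    """Split one log line into (epoch, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return int(ts), src, dst, int(dport), action


def detect_scans(log_text, window=60, min_ports=8):
    """Return {src_ip: (dst_ip, sorted_ports)} for every source that probed
    at least `min_ports` distinct ports on one destination within `window`
    seconds.  Both ACCEPT and DROP lines count: a scanner does not care
    whether the port is open, it is enumerating."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_pair = defaultdict(list)          # (src, dst) -> [(ts, dport), ...] in time order
    for ts, src, dst, dport, _action in events:
        by_pair[(src, dst)].append((ts, dport))

    findings = {}
    for (src, dst), hits in by_pair.items():
        # Sliding window anchored at each hit; stop at the first window that qualifies.
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                findings[src] = (dst, sorted(ports))
                break
    return findings


if __name__ == "__main__":
    for src, (dst, ports) in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```

Thresholds are the tuning knob: too low and a busy legitimate client (or a monitoring system) trips it, too high and a slow scan spread over hours slips under the window. Note the link to the IP spoofing slide: a TCP scanner needs the replies, so its source address is usually genuine, whereas a flood source can be spoofed and should not be trusted for attribution.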

Page 16: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Types of Threats Cont.d

• Backdoors / Trapdoors

• developers sometimes leave “backdoors” to monitor or debug the code as it is developed

• instead of implementing a secure, authenticated way to access the system, a backdoor provides a quick way in that bypasses the normal controls

• a backdoor that ships to production is a very easy vulnerability for an attacker to use to get in and cause system-wide damage to the E-Commerce server

• Data theft

• create an additional, unauthorized copy of data

• Identity theft

• someone pretends to be someone else by assuming that person's identity

• as a method to gain access to resources or obtain credit and other benefits in that person's name

Page 17: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Types of Threats Cont.d

• Credit card fraud

• obtain goods without paying

• obtain unauthorized funds from an account

• also an adjunct to identity theft

• Spyware

• software that aims to gather information about a person or organization without their knowledge

• sends such information to another entity without the consumer's consent

• asserts control over a computer without the consumer's knowledge

Page 18: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Security Solutions

• Two lines of defence

• Technology Solutions

• Policy Solutions

Page 19: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Technology Solutions

• Redundant firewall protection

• stop attacks at the network perimeter before they reach the servers; redundancy means a single firewall failing does not leave the site exposed or offline

• Web application protection

• Web Application Firewall (WAF)

• protects from application-level attacks like SQL injection and cross-site scripting (XSS)

• extends protection to places a traditional (port/address-level) firewall can't see: the content of HTTP requests

• DoS/DDoS mitigation

• ward off DDoS events by providing a barrier between your server and the traffic flood
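Added worked example (not from the original slides): a WAF is a compensating control in front of the application; the root fix for SQL injection is in the code. The snippet below, written for this page against an in-memory SQLite table with a constructed user row, puts the vulnerable login query beside the parameterized one so the difference is visible on the same inputs. The column name `password_hash` is a placeholder for this demo; a real login compares a password hash in application code, not by string equality in SQL.

```python
"""SQL injection: string-built query versus parameterized query (SQLite)."""
import sqlite3


def make_db():
    """Constructed demo table with a single user (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-correct-password')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password_hash):
    """Vulnerable on purpose: user input is pasted into the SQL text, so quotes
    and comment markers in the input become SQL syntax."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password_hash = '%s'"
             % (username, password_hash))
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn, username, password_hash):
    """Hardened: placeholders.  The driver sends the values separately from the
    statement, so a quote inside a value can never close the string literal."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


# Two classic payloads: comment out the password check, or append a tautology.
COMMENT_PAYLOAD = "alice' --"
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"


def demo():
    """Return what each implementation decides for the same inputs."""
    conn = make_db()
    return {
        "vuln_comment":   vulnerable_login(conn, COMMENT_PAYLOAD, "wrong"),
        "vuln_tautology": vulnerable_login(conn, "nobody", TAUTOLOGY_PAYLOAD),
        "safe_comment":   safe_login(conn, COMMENT_PAYLOAD, "wrong"),
        "safe_tautology": safe_login(conn, "nobody", TAUTOLOGY_PAYLOAD),
        "safe_genuine":   safe_login(conn, "alice", "hash-of-correct-password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {'logged in' if result else 'rejected'}")
```

Note the precedence trap in the tautology payload: placed in the username field it would be parsed as `username = '' OR ('1'='1' AND password_hash = 'x')`, which is false; placed in the last clause it succeeds. Attackers know this, which is why a WAF's pattern list is never a substitute for parameterization.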

Page 20: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Technology Solutions

• SSL VPN

• creates a secure, authenticated connection for remote users who will be administering the Web applications and hosting environment, so administrative interfaces are not exposed directly to the Internet

• Vulnerability Monitoring

• scans your Web application code around the clock looking for unexpected changes and for malicious code that matches known signatures in the threat database

• Antivirus protection

• reviews files and services stored on the physical server

Page 21: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Technology Solutions

• Two factor authentication

• requires Web site administrators to go through two layers of security before obtaining access to the hosting environment

• challenges you with something you know (a password) and something you have (a hardware token or an authenticator app)

• does not stop a password from leaking, but a leaked password on its own is no longer enough to log in

• Encrypted backup, service monitoring and incident response
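Added worked example (not from the original slides): the "something you have" factor most administrators carry today is a time-based one-time password (TOTP, RFC 6238) in an authenticator app. The code below is a stand-alone implementation of HOTP/TOTP written for this page using only the Python standard library; the shared secret is the RFC 6238 test-vector secret, not a real one, and the verifier's skew handling and constant-time comparison are the parts a practitioner usually gets wrong.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890"), for demo only.
DEMO_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; re-pad and decode it."""
    encoded = encoded.strip().upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)              # keep leading zeros


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the Unix time."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` neighbouring steps so a slightly
    drifted phone clock still works.  compare_digest avoids leaking how many
    leading digits matched through timing."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - skew, counter + skew + 1))


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET, now))
    print("verifies:", verify_totp(DEMO_SECRET, totp(DEMO_SECRET, now), now))
```

Two deployment notes: the secret must be stored on the server as carefully as a password hash would be (it is a symmetric key, and whoever reads it can mint codes), and a code should be accepted only once per time step, otherwise an attacker who shoulder-surfs a code can replay it within the window.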

Page 22: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Protecting Internet

Communications

• ideas?

Page 23: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Encryption

• transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the intended receiver

• used to secure stored information and to secure information transmission

• [old way]

• Symmetric Key Encryption

• both the sender and the receiver use the same key to encrypt and decrypt the message

• the key has to be shared in advance over some other communications medium or in person: the key-distribution problem

• [updated way, 1976]

• Asymmetric Key Encryption / Public Key Cryptography

• a class of cryptographic protocols based on algorithms that require two separate keys, one of which is secret (or private) and one of which is public

• although different, the two parts of this key pair are mathematically linked: what one key encrypts only the other can decrypt, and the private key cannot feasibly be derived from the public one

Page 24: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Public Key Cryptography

Page 25: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Limitations to Encryption

• All forms of encryption have limitations

• It is not effective against insiders

• Protecting private keys may also be difficult because they are stored on insecure desktop and laptop computers

• Additional technology solutions exist for securing channels of communications, networks, and servers/clients

Page 26: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Securing Channels of Communication

• Secure Sockets Layer (SSL)

• Virtual Private Networks (VPNs)

Page 27: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Secure Sockets Layer (SSL)

• Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network

• SSL 2.0 and 3.0 themselves are obsolete and insecure; in practice "SSL" on a site today means TLS 1.2 or 1.3

• use X.509 certificates and hence asymmetric cryptography to

• authenticate the counterpart with whom they are communicating

• and to negotiate a symmetric session key

• session key is then used to encrypt data flowing between the parties

Page 28: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Secure Sockets Layer (SSL)

• allows

• data/message confidentiality

• message authentication codes for message integrity

• message authentication

• use in applications such as

• web browsing

• email

• Internet faxing

• instant messaging

• voice-over-IP (VoIP)
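Added worked example (not from the original slides) covering both the Encryption slide and the two SSL slides above: public-key cryptography is used to get a symmetric session key to the other side, and a message authentication code (MAC) under that key then protects integrity. The exchange below is written for this page with only the Python standard library: a textbook RSA key pair generated from Miller-Rabin primes (demo-sized, 512-bit modulus), the client wrapping a fresh 128-bit session key under the server's public key, the server unwrapping it, and HMAC-SHA256 over an application record. Everything here (key sizes, the record text, the function names) is an assumption for illustration; it is not how any real TLS library is structured, and the certificate step that binds the public key to the server's identity is deliberately left out.

```python
"""Public-key transport of a session key, then a MAC under that key.

Textbook RSA (no padding) is used only to make the key linkage visible;
real protocols pad (PKCS#1 v1.5 / OAEP) or, in TLS 1.3, use ephemeral (EC)DH.
"""
import hashlib
import hmac
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases; trial-divide by small primes first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2            # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                            # composite witness found
    return True


def random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, until one passes Miller-Rabin."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)).  d is e's inverse mod phi(n): that is the
    'mathematical link' between the public and private halves."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)                             # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def client_hello(server_pub):
    """Client side: choose a fresh session key and wrap it under the server's public key."""
    session_key = secrets.token_bytes(16)
    wrapped = rsa_encrypt(server_pub, int.from_bytes(session_key, "big"))
    return session_key, wrapped


def server_unwrap(server_priv, wrapped: int) -> bytes:
    """Server side: only the private key recovers the session key."""
    return rsa_decrypt(server_priv, wrapped).to_bytes(16, "big")


def mac(key: bytes, record: bytes) -> bytes:
    return hmac.new(key, record, hashlib.sha256).digest()


def check_mac(key: bytes, record: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, record), tag)


def run_exchange():
    """Full round trip; returns (keys_match, genuine_record_ok, tampered_record_ok)."""
    pub, priv = generate_keypair(512)
    k_client, wrapped = client_hello(pub)
    k_server = server_unwrap(priv, wrapped)
    record = b"GET /cart HTTP/1.1"                  # constructed application record
    tag = mac(k_client, record)
    return (k_client == k_server,
            check_mac(k_server, record, tag),
            check_mac(k_server, record + b"\r\nX-Admin: 1", tag))


if __name__ == "__main__":
    print(run_exchange())                           # expected (True, True, False)
```

Two points the slides' limitations list maps onto directly: the session key is only as secret as the server's private key (if that key is stolen later, recorded traffic wrapped under it can be opened, which is why TLS 1.3 dropped RSA key transport in favour of ephemeral Diffie-Hellman), and the MAC only proves integrity to someone who already holds the session key, so it does nothing against an insider who has it.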

Page 29: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Protecting Networks - Firewalls

• a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts

• a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules

• establishes a barrier between a trusted, secure internal network and another outside network, such as the Internet, that is assumed to not be secure or trusted

• network firewall

• host-based firewall
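Added worked example (not from the original slides): the "predetermined security rules" of a firewall are an ordered table evaluated first-match-wins with an implicit default deny at the end. The evaluator below, written for this page, applies a constructed rule set for an e-commerce web server (the addresses, ports and rule names are assumptions) and shows why order and the default matter. The same function models a host-based firewall if you feed it only the host's own traffic.

```python
"""First-match packet filter with default deny over a constructed rule table."""
import ipaddress

# Constructed rules (not from any real device).  Tuple layout:
# (direction, protocol, source CIDR, destination CIDR, destination port, action)
RULES = [
    ("in",  "tcp", "0.0.0.0/0",        "203.0.113.10/32", 443,  "allow"),  # public HTTPS
    ("in",  "tcp", "0.0.0.0/0",        "203.0.113.10/32", 80,   "allow"),  # public HTTP (redirects)
    ("in",  "tcp", "198.51.100.0/24",  "203.0.113.10/32", 22,   "allow"),  # SSH only from the admin VPN range
    ("in",  "tcp", "0.0.0.0/0",        "203.0.113.10/32", 3306, "deny"),   # DB port never reachable from outside
    ("out", "tcp", "203.0.113.10/32",  "10.0.0.5/32",     3306, "allow"),  # web tier -> database host only
    ("out", "udp", "203.0.113.10/32",  "10.0.0.2/32",     53,   "allow"),  # DNS resolver
]


def evaluate(rules, direction, proto, src, dst, dport):
    """Return the action of the first rule matching the packet, else 'deny'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_dir, r_proto, r_src, r_dst, r_port, action in rules:
        if (r_dir == direction and r_proto == proto and r_port == dport
                and src_ip in ipaddress.ip_network(r_src)
                and dst_ip in ipaddress.ip_network(r_dst)):
            return action
    return "deny"   # implicit default: anything not explicitly allowed is dropped


def explain(rules, *packet):
    """Human-readable verdict for one packet tuple (direction, proto, src, dst, dport)."""
    return f"{packet[0]:3s} {packet[1]} {packet[2]} -> {packet[3]}:{packet[4]} => {evaluate(rules, *packet)}"


if __name__ == "__main__":
    for pkt in [("in", "tcp", "8.8.8.8", "203.0.113.10", 443),
                ("in", "tcp", "8.8.8.8", "203.0.113.10", 22),
                ("in", "tcp", "198.51.100.9", "203.0.113.10", 22),
                ("out", "tcp", "203.0.113.10", "10.0.0.9", 3306)]:
        print(explain(RULES, *pkt))
```

Egress rules are the part most e-commerce deployments skip: a compromised web server that can open arbitrary outbound connections can exfiltrate the customer database or join a botnet, so allow only the destinations the application actually needs and let the default deny catch the rest.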

Page 30: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Protecting Servers & Clients – OS Controls/Anti-virus Software

• Operating system security enhancements

• Anti-virus software

Page 31: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Policy Solutions

• Management Policies

• Business Procedures

• Public Laws

Page 32: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Policy Solutions

• An e-commerce security plan would include

• a risk assessment

• development of a security policy

• implementation plan

• creation of a security organization

• a security audit

Page 33: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Policy Solutions

• An implementation may involve

• expanded forms of access controls

• IDs

• passwords

• access codes

• biometrics

• fingerprints

• retina scans

• voice recognition

Page 34: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Policy Solutions

• more ideas?

Page 35: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

References

• http://www.technologyexecutivesclub.com/Articles/security/artThreatstoEcommerceServers.php

• http://www.slideshare.net/Timothy212/ebusiness-environment-and-analysis

• http://www.slideshare.net/omvikram/securityecommerce?qid=ae6a3149-f235-4e7d-81f0-9e45da47bcd5&v=qf1&b=&from_search=4

• http://www.applicure.com/solutions/ecommerce-security

• http://www.ecommercetimes.com/story/69577.html

• http://www.ehow.com/how_5303365_protect-privacy-internet.html

• http://www.slate.com/blogs/future_tense/2013/06/07/how_to_secure_and_encrypt_your_email_and_other_communications_from_prism.html

• http://www.ecommerce-digest.com/staying-safe.html

• http://econ.ucsb.edu/~doug/245a/Papers/ECommerce%20Privacy.pdf

• http://www.zurich.ibm.com/pdf/news/Konsbruck.pdf

• http://www.slideshare.net/m8817/security-in-ecommerce

• http://paws.kettering.edu/~aborcher/articles/CC001.PDF

• https://en.wikipedia.org/wiki/Transport_Layer_Security

• https://en.wikipedia.org/wiki/Public-key_cryptography

Page 36: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Next Up…

• Web Payment Systems


Page 37: Entrepreneurship & Commerce in IT - 11 - Security & Encryption

Thank you.

Sachintha Gunasena MBCS

http://lk.linkedin.com/in/sachinthadtg