Page 1: esecurity

Need for e-Security

By Prof T.R. Vaidyanathan

Page 2: esecurity

Need for e-security

Information resources are distributed throughout the organization and beyond because internet and wireless technologies extend and connect organizational boundaries. The time-to-exploitation of today’s most sophisticated spyware and mobile viruses has shrunk from months to days. Time-to-exploitation is the elapsed time between when a vulnerability is discovered and when it is exploited. IT staff have ever-shorter timeframes to find and fix flaws before being compromised by an attack. Data must be protected against existing and future attack schemes, and defenses must satisfy ever-stricter government and international regulations.

Page 3: esecurity

Industry groups imposed their own standards to protect their customers and their members’ brand images and revenues. One example is the Payment Card Industry Data Security Standard (PCI DSS) created by Visa, MasterCard, American Express, and Discover. PCI DSS is required for all members, merchants, or service providers that store, process, or transmit cardholder data. Section 6.6 of PCI DSS mandates that retailers ensure that Web-facing applications are protected against known attacks by applying either of the following two methods:

Have all custom application code reviewed for vulnerabilities by an application security firm.

Install an application-layer firewall in front of Web-facing applications. Each application will have its own firewall to protect against intrusion and malware.

The purpose of PCI DSS is to improve customers’ trust in e-commerce, especially when it comes to online payments, and to increase the Web security of online merchants.

Page 4: esecurity

Security in E-commerce

The internet is a public network consisting of thousands of private computer networks connected together, which means that a private computer network system is exposed to potential threats from anywhere on the public network. Protection against these threats requires businesses to have stringent security measures in place. Good security measures are also needed to trace the source of a cyber-crime.

Page 5: esecurity

Security in E-commerce

The goals of security are:

Integrity of the data sent and received

Confidentiality of the data so that it is not accessible to others

Availability of the data to the people for whom it is meant

Page 6: esecurity

Security in E-commerce

Many internet users perceive that there is a large risk to their privacy and security when they buy products and services or submit personal information online.

Although the perception of risk may be greater than the actual risks, it is still a cause for concern. Therefore, an e-business must address customers’ perceived risks just as much as any actual risks.

The important issue for an e-business is to have adequate security to protect its assets, revenue stream, customer privacy, and its own reputation.

Page 7: esecurity

Security in E-commerce

To provide the required level of protection, an organization needs a security policy to prevent unauthorized users from accessing resources on the private network and to protect against the unauthorized export of private information.

Even if an organization is not connected to the Internet, it may still want to establish an internal security policy to manage user access to certain portions of the network and to protect sensitive or secret information.

Page 8: esecurity

IS vulnerabilities and threats:

One of the biggest mistakes managers make is underestimating vulnerabilities and threats. Most workers use their PCs and laptops for both work and leisure, and in the era of multitasking, they often do both at the same time. Computer threats can be classified as unintentional or intentional. Unintentional threats fall into three major categories: human errors, environmental hazards, and computer system failures.

Page 9: esecurity

Human errors play a role in many computer problems. Errors can occur in the design of the hardware or information system. They can also occur in programming, testing, data collection, data entry, authorization, and instructions. Not changing the default password on a firewall creates a security hole. Human errors contribute to the majority of internal control problems.

Environmental hazards include earthquakes, severe storms (e.g. hurricanes, blizzards, or sandstorms), floods, power failures or strong fluctuations, fires (the most common hazard), defective air conditioning, explosions, radioactive fallout, and water-cooling-system failures. In addition to the primary damage, computer resources can be damaged by side effects, such as smoke and water. Such hazards may disrupt normal computer operations and result in long waiting periods and exorbitant costs while computer programs and data files are recreated.

Computer system failures can occur as the result of poor manufacturing, defective materials, and outdated or poorly maintained networks. Unintentional malfunctions can also happen for other reasons, ranging from lack of experience to inadequate testing.

Page 10: esecurity

The intentional threats include: theft of data; inappropriate use of data (e.g. manipulating inputs); theft of mainframe computer time; theft of equipment and/or programs; deliberate manipulation in handling, entering, processing, transferring, or programming data; labor strikes, riots, or sabotage; malicious damage to computer resources; destruction from viruses and similar attacks; and miscellaneous computer abuses and internet fraud. The scope of intentional threats can extend to an entire country or economy.

Intentional crimes carried out on the Internet are called cybercrime. Hacker is the term often used to describe someone who gains unauthorized access to a computer system. Black-hat hackers, also referred to as crackers, are criminals. A cracker is a malicious hacker who may represent a serious problem for a corporation.

Page 11: esecurity

Social engineering: Hackers and crackers may involve unsuspecting insiders in their crimes. In a strategy called social engineering, criminals or corporate spies trick insiders into giving them information or access that they should not have. Social engineering is a collection of tactics used to manipulate people into performing actions or divulging confidential information. In most cases, the criminal never comes face-to-face with the victim, but communicates via the phone or e-mail.

Not all hackers are malicious. White-hat hackers perform ethical hacking, such as performing penetration tests on their clients’ systems or searching the Internet to find weak points so they can be fixed. Criminal hackers use crime servers to store stolen data for use in committing crimes.

Hacker is the term often used to describe someone who gains unauthorized access to a computer system, whereas a cracker is a malicious hacker who may represent a serious problem for a corporation. The cracker is the one who breaks security on a system.

The sole purpose of hacking is to sneak through security systems, whereas the cracker’s sole aim is to break into secure systems. Hackers are more interested in gaining knowledge about computer systems and possibly using this knowledge for playful pranks.

Page 12: esecurity

Security in E-commerce

Different security deficiencies

Vulnerable TCP/IP services: A number of the TCP/IP services are not secure and can be compromised by knowledgeable intruders; services used in the local area networking environment for improving network management are especially vulnerable.

Ease of spying and spoofing: The majority of Internet traffic is unencrypted: e-mail, passwords, and file transfers can be monitored and captured using readily available software. Intruders can then reuse the captured passwords to break into systems.

Page 13: esecurity

Security in E-commerce

Lack of policy: Many sites are unintentionally configured for wide-open internet access, without regard for the potential for abuse from the internet: many sites permit more TCP/IP services than they require for their operations, and do not attempt to limit access to information about their computers that could prove valuable to intruders.

Complexity of configuration: Host security access controls are often complex to configure and monitor; controls that are accidentally misconfigured often result in unauthorized access.

Page 14: esecurity

Security in E-commerce

Factors contributing to security problems on the internet

How secure is the server software: Security should be in place to prevent any unauthorized remote logon to the system. It should be extremely difficult to make changes to the server software. The servers themselves should be physically located in a secure environment.

How secure are communications: Customer credit card information and other sensitive data that is being transmitted across the internet must be protected.

Page 15: esecurity

Security in E-commerce

How is the data protected once it is delivered to the e-business: Is it stored in unencrypted text files at the website? Is it moved to offline storage?

How are credit card transactions authenticated and authorized: Credit card transactions must be authenticated and authorized, so as to make it more secure for the users.

Page 16: esecurity

Method of attack on computing facilities

Data tampering: It is a common means of attack that is overshadowed by other types of attacks. It refers to an attack in which someone enters false, fabricated, or fraudulent data into a computer or changes or deletes existing data. Data tampering is extremely serious because it may not be detected. This is the method often used by insiders and fraudsters.

Programming attacks: They are popular with computer criminals who use programming techniques to modify other computer programs. For these types of crimes, programming skill and knowledge of the targeted systems are needed. Examples are viruses, worms, and Trojan horses, which are types of malicious code, called malware. Malware can be used to launch denial-of-service attacks.

Page 18: esecurity

Security in E-commerce

Denial-of-service attacks: A denial-of-service, or DoS, attack is an attack on a network that is designed to disable the network by flooding it with useless traffic or activity. A distributed denial-of-service, or DDoS, attack uses multiple computers to launch a DoS attack. While a DoS attack does not do any technical damage, it can do substantial financial damage to an e-business. The attackers first break into hundreds of random insecure computers on the internet to install an attack program.

Page 19: esecurity

Security in E-commerce

Then the attacker coordinates them all to attack the target simultaneously. When the target is attacked from many places at once, the traditional defenses just do not work and the system crashes. In a distributed attack, it is difficult to figure out where the attack is coming from. On a public internet site it is also difficult to shut down all connections except the ones known to be trustworthy. These denial-of-service attacks do not affect the data on the websites. They cannot steal credit card numbers or other proprietary information. There is no financial gain from these attacks, but they cause a big loss of income or loss of reputation for a big corporation.

Page 20: esecurity

Security in E-commerce

Viruses: Viruses are the most common security risk faced by e-businesses today. A virus is a small program that inserts itself into other program files, which then become “infected”, just as a virus in nature embeds itself in normal human cells. The virus is spread when an infected program is executed, and this further infects other programs. Examples of virus effects include inability to boot, deletion of files or entire hard drives, inability to create or save files, and thousands of other possibilities. Viruses are generally introduced into computer systems via e-mail or by unauthorized network access.

Page 21: esecurity

Security in E-commerce

Trojan horse: This takes its name from a story in Homer’s Iliad, and is a special type of virus that emulates a benign application. It appears to do something useful or entertaining but actually does something else as well, such as destroying data or creating a “back door” entry point to give an intruder access to the system. A Trojan horse may arrive as an e-mail attachment or as a downloaded program.

Worm: This is a special type of virus that does not directly alter program files. Instead, a worm replaces a document or an application with its own code and then uses that code to position itself. Worms are often not noticed until their uncontrolled replication consumes system resources and slows down or stops the system.

Page 22: esecurity

Security in E-commerce

Macro virus: A macro is a short program written in an application such as Microsoft Word or Excel to accomplish a series of keystrokes. A macro virus is a virus that infects Microsoft Word or Excel macros. Macro viruses can be introduced into a computer system as part of a Word or an Excel document received as an e-mail attachment or as a file on disk. Opening the e-mail attachment or file triggers the macro virus.

Several antivirus software vendors maintain up-to-date information on viruses, worms, Trojan horses and hoaxes, such as the Virus Information Library at McAfee.com and the Anti Viral Pro Virus Encyclopedia.

Page 23: esecurity

Botnets: A botnet is a collection of bots (computers infected by software robots). Those infected computers, called zombies, can be controlled and organized into a network of zombies on the command of a remote botmaster (also called a bot herder). Botnets expose infected computers, as well as other network computers, to the following threats.

A zombie (also known as a bot) is a computer that a remote attacker has accessed and set up to forward transmissions (including spam and viruses) to other computers on the Internet. The purpose is usually either financial gain or malice. Attackers typically exploit multiple computers to create a botnet, also known as a zombie army.

Spyware: Zombies can be commanded to monitor and steal personal or financial data.

Adware: Zombies can be ordered to download and display advertisements. Some zombies even force an infected system’s browser to visit a specific Web site.

Spam: Most junk e-mail is sent by zombies. Owners of infected computers are usually blissfully unaware that their machines are being used to commit a crime.

Phishing: Zombies can seek out weak servers that are suitable for hosting a phishing Web site, which looks like a legitimate Web site, to trick users into inputting confidential data.

Page 24: esecurity

Malware Defenses: Anti-Malware Technology

Anti-malware tools are designed to detect malicious code and prevent users from downloading it. They can also scan systems for the presence of worms, Trojan horses, and other types of threats. Anti-malware alone may not be able to detect a previously unknown exploit.

Intrusion Detection Systems (IDS): An IDS scans for unusual or suspicious traffic. It can identify the start of a DoS attack by the traffic pattern, alerting the network administrator to take defensive action, such as switching to another IP address and diverting critical servers from the path of the attack.

Intrusion Prevention Systems (IPS): An IPS is designed to take immediate action, such as blocking specific IP addresses, whenever a traffic-flow anomaly is detected. ASIC (application-specific integrated circuit)-based IPSs have the power and analysis capabilities to detect and block DoS attacks, functioning somewhat like an automated circuit breaker.
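As an added illustration (not code from the original slides), the following script replays constructed web-server log lines and applies the kind of traffic-pattern check an IDS performs for the DoS and DDoS cases described above: it flags one host flooding the site and, separately, a surge spread across many hosts that exceeds a benchmark rate, which is what makes a distributed attack hard to spot per source. The window size, per-source limit and surge factor are assumed thresholds.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)   # measurement bucket (assumed)
PER_SOURCE_LIMIT = 20           # max requests per source per window (assumed policy)
SURGE_FACTOR = 2                # window total above factor x benchmark is a surge (assumed)


def build_sample_log():
    """Constructed log lines, one request each: '<client-ip> <ISO-8601 time> <request>'.
    Seconds 0-9: five shoppers, one request per second each (normal traffic).
    Second 12: one host sends 40 requests at once (single-source DoS).
    Second 22: thirty hosts send three requests each (distributed surge)."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for sec in range(10):
        stamp = (t0 + timedelta(seconds=sec)).isoformat()
        lines += [f"198.51.100.{i} {stamp} GET /catalog" for i in range(1, 6)]
    stamp = (t0 + timedelta(seconds=12)).isoformat()
    lines += [f"192.0.2.66 {stamp} GET /" for _ in range(40)]
    stamp = (t0 + timedelta(seconds=22)).isoformat()
    for i in range(1, 31):
        lines += [f"203.0.113.{i} {stamp} GET /checkout"] * 3
    return lines


def parse_line(line):
    """Split a log line into (client ip, timestamp); the request text is not needed."""
    ip, stamp, _request = line.split(" ", 2)
    return ip, datetime.fromisoformat(stamp)


def detect(lines, benchmark=None):
    """Return alerts as (window_start, kind, detail) tuples.

    benchmark is the expected number of requests per window; when None, the
    first window is used as the benchmark (the 'established reference point'
    the slides describe), so only later windows can raise alerts."""
    windows = defaultdict(Counter)          # window start -> Counter(ip -> hits)
    origin = None
    for line in lines:
        ip, ts = parse_line(line)
        origin = origin or ts
        start = origin + ((ts - origin) // WINDOW) * WINDOW
        windows[start][ip] += 1

    alerts = []
    for start in sorted(windows):
        hits = windows[start]
        total = sum(hits.values())
        if benchmark is None:
            benchmark = total               # learn the baseline from the first window
            continue
        # Single-source flood: one client far above the per-source limit.
        for ip, n in hits.items():
            if n > PER_SOURCE_LIMIT:
                alerts.append((start, "single-source flood", f"{ip} sent {n} requests"))
        # Distributed surge: every source looks modest, but the total is abnormal.
        if total > SURGE_FACTOR * benchmark:
            alerts.append((start, "aggregate surge",
                           f"{total} requests from {len(hits)} sources (benchmark {benchmark})"))
    return alerts


if __name__ == "__main__":
    for when, kind, detail in detect(build_sample_log()):
        print(when.time(), kind, detail)
```

Note that the flood window trips only the per-source rule and the distributed window trips only the aggregate rule, which is why an IDS needs both views of the traffic.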

Page 25: esecurity

IT Security Management

The objective of IT security management practices is to defend all of the components of an information system, specifically data, software applications, hardware, and networks.

Successful implementation of any IT project depends on the commitment and involvement of executive management, also referred to as the “tone at the top”. The same is true of IT security.

Senior Management Commitment and Support: An IT security model begins with senior management commitment and support. Senior managers’ influence is needed to implement and maintain security, ethical standards, privacy practices, and internal control.

Page 26: esecurity

Security Policies and Training: The next step is to develop a security policy and provide training to ensure that everyone is aware of and understands it. The greater the understanding of how security affects production levels, customer and supplier relationships, revenue streams, and management’s liability, the more security will be incorporated into business projects and proposals.

Most critical is an acceptable use policy (AUP) that informs users of their responsibilities in order to 1) prevent misuse of information and computer resources and 2) reduce exposure to fines, sanctions, and legal liability.

Page 27: esecurity

Defense Strategy: The defense strategy and controls that should be used depend on what needs to be protected and the cost-benefit analysis. That is, companies should neither underinvest nor overinvest. The following are the major objectives of defense strategies:

Prevention and deterrence: Properly designed controls may prevent errors from occurring, deter criminals from attacking the system and, better yet, deny access to unauthorized people.

Detection: The earlier an attack is detected, the easier it is to combat, and the less damage is done. Detection can be performed in many cases by using special diagnostic software, at a minimal cost.

Page 28: esecurity

Containment (contain the damage): This objective is to minimize or limit losses once a malfunction has occurred. It is also called damage control. This can be accomplished, for example, by including a fault-tolerant system that permits operation in a degraded mode until full recovery is made.

Recovery: A recovery plan explains how to fix a damaged information system as quickly as possible. Replacing rather than repairing components is one route to fast recovery.

Correction: Correcting the causes of damaged systems can prevent the problem from occurring again.

Awareness and compliance: All organization members must be educated about the hazards and must comply with the security rules and regulations.

Page 29: esecurity

The major categories of general controls are:

Physical control: It refers to the protection of computer facilities and resources. Appropriate physical security may include several controls such as

I. Design of the data centre (e.g. the site should be non-combustible and waterproof)

II. Shielding against electromagnetic fields

III. Good fire prevention, detection, and extinguishing systems, including sprinkler systems, water pumps, and adequate drainage facilities

IV. Emergency power shutoff and backup batteries, which must be maintained in operational condition

V. Properly designed, maintained, and operated air-conditioning system

VI. Motion detector alarms that detect physical intrusion

Page 30: esecurity

The major categories of general controls are (contd):

Access Control: It is the management of who is and is not authorized to use a company’s hardware and software. It involves authorization (having the right to access) and authentication, which is also called user identification (proving that the user is who he claims to be). Authentication includes

Something only the user knows, such as a password

Something only the user has, for example, a smart card or a token

Something only the user is, such as a signature, voice, fingerprint, or retinal (eye) scan, implemented via biometric controls, which can be physical or behavioral.

Page 31: esecurity

The major categories of general controls are (contd):

Biometric Control: It is an automated method of verifying the identity of a person, based on physical or behavioral characteristics. The most common biometrics are 1) fingerprint, 2) retinal scan, 3) voice scan, and 4) signature.

Administrative Control: It deals with issuing guidelines and monitoring compliance with the guidelines.

Application Controls: Sophisticated attacks are aimed at the application level, and many applications are not designed to withstand such attacks. For better survivability, information processing methodologies are being replaced with agent technology. An agent is able to adapt itself based on changes occurring in an unpredictable environment.

Page 32: esecurity

Network security:

The factors that influence the level of risk at Internet sites

Sites that are connected to the internet face a significant risk of intrusion in some form. The following factors influence the level of risk:

Number of systems connected to the site

Services utilized by the site

Interconnectivity of the site to the internet

Site’s profile, or how well-known the site is

Site’s readiness to handle computer security incidents

The more systems that are connected, the more difficult it is to control their security. Similarly, if a site is connected to the internet at several points, it is likely to be more vulnerable to attacks than a site with a single gateway.

Page 33: esecurity

Security in E-commerce

Website Defacement

Website vandalism or defacement can be the result of a hacker breaking into a network, accessing the website files, and modifying the HTML to change the web page. Not only do website defacements embarrass an e-business, but some website defacements can have serious financial repercussions.

E-mail security:

E-mail users who desire confidentiality and sender authentication use encryption. Encryption is simply intended to keep personal thoughts personal. Two good programs to encrypt e-mails are Pretty Good Privacy (PGP) and Privacy Enhanced Mail (PEM).

Page 34: esecurity

Security in E-commerce

Website Security

Network performance is to be monitored continuously to prevent unauthorized access by a hacker. Setting up logging, and monitoring established network reference points, called benchmarks, can alert an e-business to security problems. A skilled system administrator and other well-trained technicians, who use these benchmarks to monitor and manage the network and servers, are critical.

The following tools should be used to protect a business network and website:

Passwords

Firewalls

Intrusion detection systems

Virus scanning software

Page 35: esecurity

Security in E-commerce

Password: A password is a code used to gain access to a computer network. Often, a computer user chooses a bad password, such as a short, common word, a name, or a birthday, so that the user can remember the password easily. The hacker penetrates the network security by using software that “guesses” a password by trying millions of common words until one of the words is accepted. Passwords that require a minimum length of six characters in a mix of letters and numbers increase the number of potential passwords into the billions and make it more difficult for a hacker to guess them. Apart from this, the computer user should change passwords regularly. It is always good to have different passwords on each system, if the user has access to multiple systems.
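The following Python, added here and not part of the original slides, checks a password against the rule just stated (at least six characters mixing letters and numbers, and not a common word, name or birthday) and computes how the six-character alphanumeric guess space reaches the billions; the small word lists are constructed stand-ins for a guessing tool's dictionary.

```python
import string

# Constructed stand-ins for the "millions of common words" a guessing tool tries.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "secret", "monkey"}
COMMON_NAMES = {"john", "mary", "ravi", "priya"}


def looks_like_date(pw):
    """All digits in DDMMYY or DDMMYYYY form, the typical 'birthday' password."""
    return pw.isdigit() and len(pw) in (6, 8)


def check_policy(pw, min_len=6):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    if not (has_letter and has_digit):
        problems.append("does not mix letters and numbers")
    if pw.lower() in COMMON_WORDS | COMMON_NAMES:
        problems.append("is a common word or name")
    if looks_like_date(pw):
        problems.append("looks like a date")
    return problems


def guess_space(length, case_sensitive=False):
    """Number of candidate strings of exactly `length` letters-or-digits.
    Case-insensitive systems collapse the alphabet to 26 letters + 10 digits;
    case-sensitive ones have 52 letters + 10 digits."""
    alphabet = len(string.ascii_letters + string.digits) if case_sensitive else 36
    return alphabet ** length


if __name__ == "__main__":
    for candidate in ("monkey", "120584", "ab1", "r4v1nd"):
        print(candidate, check_policy(candidate) or "passes")
    print("6-character alphanumeric guess space:", guess_space(6))
```

A word list of a few million entries is tiny next to the 2.2 billion six-character alphanumeric strings, which is the arithmetic behind the slide's claim.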

Firewall: It is software or hardware used to isolate and protect a private system or network from the public network. Firewalls can control the type of information that is allowed to pass from the public network to the private network, as well as what services inside the firewall are accessible from the outside. Firewalls can also log activity, to provide an audit trail in case the network is penetrated.

Page 36: esecurity

Security in E-commerce

Intrusion detection systems: An intrusion detection system is the ability to analyze real-time data to detect, log and stop unauthorized network access as it happens. Businesses can install intrusion detection systems that monitor the network for real-time intrusions and respond to intrusions in a variety of user-defined ways. An intrusion detection system can defend a website against DoS attacks by adding more servers to increase the traffic the website can handle, by using filters and routers to manage traffic, and by having a backup plan to reroute legitimate traffic during an attack. Cisco’s Secure Intrusion System and Network ICE’s ICEpac Security Suite are the best examples.

Page 37: esecurity

Security in E-commerce

Virus scanning software that includes e-mail scanning should be installed on all network computers. Antivirus software should be kept updated. Communication ports allow data to enter and exit the network; the system administrator should close all unused communication ports. Up-to-date security patches for operating systems should be installed as soon as the patches are available, to prevent hackers from exploiting built-in system weaknesses.

Page 38: esecurity

Security in E-commerce

HOW TO ENSURE TRANSACTION SECURITY AND DATA PROTECTION

Transaction security, especially for credit card transactions, and the protection of customer data are as important as website and network security. The tools are:

Using a predefined key to encrypt and decrypt the data during transmission.

Using the Secure Socket Layer (SSL) protocol to protect data transmitted over the internet. SSL provides encryption of data between the browser on the customer’s computer and the software on the web server, allowing data such as credit card information to be transmitted securely. SSL uses digital certificates so that a web browser can authenticate the server it is connected to, making sure that credit card data is going to the appropriate server.

Page 39: esecurity

Security in E-commerce

Moving sensitive customer information such as credit card numbers offline, or encrypting the information if it is to be stored online.

Removing all files and data from storage devices, including disk drives and tapes, before getting rid of the devices, and

Shredding all hard-copy documents containing sensitive information before trashing them.