IMM Laudon Traver E-commerce4E Chapter05 Security
Transcript of IMM Laudon Traver E-commerce4E Chapter05 Security
7/25/2019 IMM Laudon Traver E-commerce4E Chapter05 Security
E-commerce
Fourth Edition
Kenneth C. Laudon
Copyright 2007 Pearson Education, Inc. Slide 5-1
Chapter 5: Online Security System
Cyberwar in Estonia
What is a DDoS attack? Why did it prove to be so effective against Estonia?
What are botnets? Why are they used in DDoS attacks?
What percentage of spam is sent by botnets?
Can anything be done to stop DDoS attacks?
Computer-generated Simulation of a DDoS Attack
The E-commerce Security Environment: The
Losses significant but stable; individuals face uninsured losses
IC3: Processed 200,000+ Internet crime complaints
suffered financial loss as a result
of stolen information growing
Categories of Internet Crime Complaints
Average Reported Losses for Various
Type of Attacks against Computer
The E-commerce Security Environment
Figure 5.4, Page 263
Dimensions of E-commerce Security
Integrity: ability to ensure that information displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party
Nonrepudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions
Authenticity: ability to identify the identity of a person or entity with whom you are dealing on the Internet
Confidentiality: ability to ensure that messages and data are available only to those authorized to view them
Privacy: ability to control use of information a customer provides about himself or herself to merchant
Availability: ability to ensure that an e-commerce site
Customer and Merchant Perspectives on the Different Dimensions of E-commerce Security
Table 5.1, Page 264
The Tension Between Security and Other Values
The more security measures are added, the more difficult a site is to use, and the slower it becomes
Too much security can harm profitability, while not enough security can put you out of business
Tension between the desire of individuals to act anonymously (to hide their identity) and the need to maintain public safety that can be threatened by criminals or terrorists.
The Internet is both anonymous and pervasive, an ideal communication tool for criminal and terrorist
Security Threats in the E-commerce
Three key points of vulnerability:
Client
Server
Communications channel
A Typical E-commerce Transaction
SOURCE: Boncella, 2000.
Vulnerable Points in an E-commerce
Figure 5.6, Page 267
SOURCE: Boncella, 2000.
Most Common Security Threats in the
Malicious code (viruses, worms, Trojans)
Unwanted programs (spyware, browser parasites)
Hacking and cybervandalism
Credit card fraud/theft
Spoofing (pharming)/spam (junk) Web sites
DoS and DDoS attacks
Sniffing
Insider attacks
Malicious Code
Try to impair computers, steal email addresses, logon credentials, personal data, and financial info.
Viruses: replicate and spread to other files; most also deliver a payload of some sort (destructive or benign); script viruses
Worms: Designed to spread from computer to computer without needing a user or program, as a virus does
Trojan horse: Appears to be benign but then does something other than expected
Bots: Can be covertly installed on computer; used to create a network of compromised computers for sending spam, generating a DDoS attack, and
See Table 5.3 for notable examples of malicious code
Unwanted Programs
Installed without the user's informed consent
Browser parasites: Can monitor and change settings of a user's browser
Adware: Calls for unwanted pop-up ads
Spyware: Can be used to obtain information such as a user's keystrokes, e-mail, IMs, etc.
Phishing and Identity Theft
Any deceptive, online attempt by a third party for gain
Most popular type: e-mail scam letter, e.g., Nigerian's rich former oil minister seeking a bank, account verification emails from eBay or CitiBank asking to give up personal account info, bank account no., and credit card no.
One of fastest growing forms of e-commerce crime
197,000 unique new phishing emails sent within the first 6 months of 2007, 18% increase compared to 2nd half of 2006.
An Example of a Nigerian Letter E-Mail
An Example of a Phishing Attack
Hacking and Cybervandalism
Hacker: Individual who intends to gain
Cracker: Hacker with criminal intent (two terms
Cybervandalism: Intentionally disrupting,
Types of hackers include:
the firm's computer system
Black hats: hackers with intention of causing harm
Grey hats: hackers breaking in and revealing system flaws without disrupting site or attempting to profit from their finds.
Credit Card Fraud
Fear that credit card information will be stolen
Overall rate of credit card fraud is lower than
transactions (CyberSource Corporation, 2007).
$50 for a stolen credit card.
Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under false identity
One solution: New identity verification
Spoofing (Pharming) and Spam (Junk) Web Sites
Spoofing (Pharming)
Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
Threatens integrity of site; authenticity
Spoofing a Web site is called pharming, which involves redirecting a Web link to another IP address different from
Pharming is carried out by hacking local DNS servers.
true site, or altering orders and sending them to the true site for processing and delivery.
true sender of a message.
Spam (Junk) Web sites
Use domain names similar to legitimate one, redirect traffic to spammer-redirection domains
DoS and DDoS Attacks
Denial of service (DoS) attack
Hackers flood site with useless traffic to inundate and overwhelm network
Distributed denial of service (DDoS) attack
Hackers use numerous computers to attack target
compromised workstations.
No. of DoS attacks per day grew from (figure not legible in source) during the last 6 months of 2004 to 927 during the first 6 months of 2005 (2005).
Microsoft and Yahoo have experienced such attacks
Denial of Service: Ping Flooding
Attacker sends a flood of pings to the intended victim
The ping packets will saturate the victim's bandwidth
(Figure: attacking system(s) send pings across the Internet to the victim system. SOURCE: PETER SHIPLEY)
Denial of Service: SMURF ATTACK
Uses a ping packet with two extra twists: attacker chooses an unwitting victim; spoofs the source address
ICMP = Internet Control Message Protocol
(Figure, SOURCE: CISCO. Labels: PERPETRATOR; 1 SYN; VICTIM; 10,000 SYN/ACKs -- VICTIM IS DEAD; INNOCENT REFLECTOR SITES; Sent to IP broadcast address; ICMP echo reply. BANDWIDTH MULTIPLICATION: A T1 (1.54 Mbps) can easily yield 100 Mbps of attack.)
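The ping-flood and smurf descriptions above can be turned into a detector that a network operator would run over ICMP records. This is an added example, not material from the slides: it works on a constructed sample (the addresses, the 100 requests/s threshold and the finding names are assumptions) and flags echo requests aimed at the LAN's directed-broadcast address, hosts receiving echo replies they never requested (the reflected smurf traffic), and per-second echo-request floods.

```python
from collections import Counter
import ipaddress

# Constructed sample traffic as (second, src, dst, icmp_type); type 8 = echo
# request, 0 = echo reply. 192.0.2.0/24 is the protected LAN; 198.51.100.7 is the
# victim whose address the smurf perpetrator spoofs when pinging the LAN broadcast.
LAN = ipaddress.ip_network("192.0.2.0/24")
VICTIM = "198.51.100.7"
SAMPLE = (
    [(0, VICTIM, "192.0.2.255", 8)]                                    # spoofed trigger
    + [(0, f"192.0.2.{i}", VICTIM, 0) for i in range(1, 41)]           # 40 reflectors reply
    + [(t, "192.0.2.5", "192.0.2.80", 8) for t in range(3) for _ in range(150)]  # ping flood
    + [(1, "192.0.2.80", "192.0.2.5", 0) for _ in range(150)]          # some replies to it
    + [(2, "192.0.2.10", "192.0.2.20", 8), (2, "192.0.2.20", "192.0.2.10", 0)]  # normal ping
)

def analyse(packets, flood_per_sec=100):
    """Return (kind, address, detail) findings for the three DoS signatures."""
    to_bcast, requests, replies, per_sec = Counter(), Counter(), Counter(), Counter()
    for sec, src, dst, typ in packets:
        if typ == 8:
            if ipaddress.ip_address(dst) == LAN.broadcast_address:
                to_bcast[src] += 1
            requests[(src, dst)] += 1
            per_sec[(sec, src, dst)] += 1
        elif typ == 0:
            replies[(dst, src)] += 1      # keyed (original requester, responder)
    findings = []
    for src, n in to_bcast.items():       # smurf trigger; src is the spoofed victim
        findings.append(("smurf-trigger", src, f"{n} echo request(s) to directed broadcast"))
    unsolicited = Counter()
    for (host, responder), n in replies.items():
        extra = n - requests[(host, responder)]
        if extra > 0:
            unsolicited[host] += extra    # replies the host never asked for
    for host, n in unsolicited.items():
        findings.append(("reflected-replies", host, f"{n} echo replies with no matching request"))
    for (sec, src, dst), n in per_sec.items():
        if n > flood_per_sec:
            findings.append(("ping-flood", src, f"{n} echo requests/s to {dst} at t={sec}"))
    return findings
```

The smurf-trigger finding names the victim, not the perpetrator, because the source address is forged; that is why the mitigation is dropping directed-broadcast pings and filtering spoofed sources at the border rather than blocking the apparent sender.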
DDoS Attack Illustrated
1. Hacker scans Internet for unsecured computers that can be compromised
2. Hacker installs zombie program, turning unsecured computers into zombies
3. Hacker selects a Master Server to command the zombies
4. Using a program, hacker sends commands to Master Server to launch zombie attack against a targeted system
5. Master Server sends signal to zombies to launch attack on targeted system
6. Targeted system is overwhelmed by bogus requests and is down for legitimate users (User: Request Denied)
Other Security Threats
Sniffing: monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network
Insider jobs: Single largest financial threat
64% of business firms experienced an inside attack (Computer Security Institute, 2007).
Increase in complexity of software programs (e.g., MS's Win32 API) has contributed to increase in vulnerabilities that hackers can exploit
Technology Solutions
Protecting Internet communications (encryption)
Securing channels of communication (SSL, S-HTTP, VPNs)
Protecting servers and clients
Tools Available to Achieve Site Security
Figure 5.9, Page 279
Protecting Internet Communications: Encryption
Encryption: transforming plain text or data into cipher text that cannot be read by anyone other than sender and receiver
Purpose: Secure stored information and information in transit
Provides: Message integrity, Nonrepudiation, Authentication, Confidentiality
Symmetric Key Encryption
Also known as secret key encryption
Both the sender and receiver use the same digital key to encrypt and decrypt message
Requires a different set of keys for each transaction
Advanced Encryption Standard (AES): Most widely used; offers 128-, 192-, and 256-bit encryption
Other standards use keys with up to 2,048 bits
2004 D. A. Menascé. All Rights Reserved.
Public Key Encryption
Solves symmetric key encryption problem of having to exchange secret key
Uses two mathematically related digital keys: public key and private key (kept secret by owner)
Both keys used to encrypt and decrypt message
Once key used to encrypt message, same key cannot be used to decrypt message
Sender uses recipient's public key to encrypt message; recipient uses his/her private key to decrypt it
Public Key Cryptography: A Simple Case
Figure 5.10, Page 283
Public Key Encryption using Digital Signatures
Public key encryption provides confidentiality but not authentication, integrity, and nonrepudiation
Application of hash function (mathematical algorithm) by sender prior to encryption produces hash (message) digest that recipient can use to verify integrity of the message
Hash function produces a fixed-length number.
Examples of hash function include MD4 and
Double encryption with sender's private key (digital signature) helps ensure authenticity and nonrepudiation
(Figure: a large Message passes through a hash Function and yields a small Digest, e.g., 128 bits, shown as the bit string 1011010.)
Public Key Cryptography with Digital Signatures
Figure 5.11, Page 284
Digital Envelopes
Addresses weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and symmetric key encryption (faster, but less secure)
Uses symmetric key encryption to encrypt document but public key encryption to encrypt and send symmetric key
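The two slides above, the digital signature over a hash digest and the digital envelope that wraps a symmetric key, as one runnable flow. This is an added example, not code from the book: it uses a toy RSA on fixed Mersenne primes and a SHA-256 keystream standing in for AES, so the key sizes, the reduction of the digest into the modulus, and the `seal`/`open_envelope` names are illustrative assumptions rather than a real protocol.

```python
import hashlib
import secrets

# Toy RSA built from known Mersenne primes so the example runs offline with the
# standard library only. Illustrative: real systems use 2048-bit keys, OAEP/PSS
# padding and AES; here a SHA-256 keystream XOR stands in for the symmetric cipher.
M31, M61, M89 = (1 << 31) - 1, (1 << 61) - 1, (1 << 89) - 1
E = 65537

def make_keypair(p, q):
    """Return (public_key, private_key) as (exponent, modulus) pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def rsa(value, key):
    exponent, n = key
    return pow(value, exponent, n)

def keystream_xor(key, data):
    """Toy symmetric cipher (stand-in for AES): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def digest_mod(document, n):
    # Hash digest of the message, reduced into the signer's modulus (toy step).
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def seal(document, sender_priv, recipient_pub):
    """Digital signature (hash, then sender's private key) plus digital envelope
    (symmetric key for the document, recipient's public key for that key)."""
    signature = rsa(digest_mod(document, sender_priv[1]), sender_priv)
    session_key = secrets.token_bytes(8)          # 64-bit key, below every modulus used
    ciphertext = keystream_xor(session_key, document)
    wrapped_key = rsa(int.from_bytes(session_key, "big"), recipient_pub)
    return {"ciphertext": ciphertext, "wrapped_key": wrapped_key, "signature": signature}

def open_envelope(envelope, recipient_priv, sender_pub):
    """Recover the session key with the recipient's private key, decrypt, then
    verify the signature with the sender's public key; raise if it fails."""
    session_key = rsa(envelope["wrapped_key"], recipient_priv).to_bytes(8, "big")
    document = keystream_xor(session_key, envelope["ciphertext"])
    if rsa(envelope["signature"], sender_pub) != digest_mod(document, sender_pub[1]):
        raise ValueError("signature check failed: message altered or not from sender")
    return document
```

Only the symmetric key travels under the slow public-key operation; the document itself is encrypted with the fast symmetric cipher, which is the whole point of the envelope.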
Public Key Cryptography: Creating a Digital Envelope
Figure 5.12, Page 286
Digital Certificates and Public Key Infrastructure
Still missing a way to verify identity of Web sites.
Digital certificate: issued by a trusted third party called certificate authority (CA)
Digital certificate includes:
Name of subject/company
Subject's public key
Expiration date
Issuance date
Digital signature of certification authority (trusted third party institution) that issues certificate
Public Key Infrastructure (PKI): refers to the CAs and digital certificate procedures that are
Digital Certificates and Certification Authorities
Figure 5.13, Page 287
Limits to Encryption Solutions
PKI applies mainly to protecting messages in transit
Protection of private keys by individuals may be haphazard
No guarantee that verifying computer of merchant is secure
Securing Channels of Communication
Secure Sockets Layer (SSL): Most common form of securing channels of communication; used to establish a secure negotiated session (client-server session in which URL of requested document, along with contents, is encrypted)
S-HTTP: Alternative method; provides a secure message-oriented protocol for use in conjunction with HTTP
Whereas SSL establishes a secure connection between two computers, S-HTTP is designed to send individual messages securely
Virtual Private Networks (VPNs): Allow remote users to securely access internal networks via the Internet, using Point-to-Point Tunneling Protocol (PPTP)
Secure Negotiated Sessions Using SSL (Figure)
Protecting Networks: Firewalls and Proxy Servers
Firewall: filters communications packets; prevents some packets from entering the network based on a security policy
Firewall methods include:
Packet filters: look inside data packets to decide whether they are destined for a prohibited port or originate from a prohibited IP address
Application gateways: filter communications based on the application being requested, rather than the source or destination of the message; provide greater security than packet filters, but can compromise system performance
Proxy servers: handle all communications originating from or being sent to the Internet
Initially for limiting access of internal clients to external Internet servers
Can be used to restrict access to certain types of sites, such as porno, auction, or stock-trading sites, or to cache frequently-accessed Web pages to reduce download times
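A packet filter of the kind the slide describes, as an added example that is not from the book: an ordered, default-deny policy over constructed rules and addresses that matches only on source address, protocol and destination port. Because it never looks at the request inside the payload, it also shows why an application gateway is the tool for application-level decisions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # CIDR the source address must fall inside
    proto: str = "any"              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None     # destination port; None matches any port

# Constructed policy for a storefront's border firewall. Rules are checked in
# order, first match wins, and anything unmatched is dropped (default deny).
POLICY = [
    Rule("deny", src="203.0.113.0/24"),                          # prohibited source range
    Rule("allow", proto="tcp", dport=443),                       # HTTPS to the shop
    Rule("allow", proto="tcp", dport=80),                        # HTTP (redirects to HTTPS)
    Rule("deny", proto="tcp", dport=23),                         # prohibited port: telnet
    Rule("allow", src="192.0.2.0/24", proto="tcp", dport=22),    # admin SSH from LAN only
]

def matches(rule, src, proto, dport):
    """Header-only check: a packet filter sees addresses, protocol and ports,
    never the application request carried in the payload."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and rule.proto in ("any", proto)
            and (rule.dport is None or rule.dport == dport))

def filter_packet(src, proto, dport, policy=POLICY):
    """Return (action, index of matching rule), or ("deny", None) when nothing matches."""
    for index, rule in enumerate(policy):
        if matches(rule, src, proto, dport):
            return rule.action, index
    return "deny", None
```

Rule order matters: the prohibited source range is listed first so that a packet from it is dropped even when it targets port 443, which a later rule would otherwise allow.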
Firewalls and Proxy Servers
Figure 5.15, Page 293
Protecting Servers and Clients
Operating system controls: Authentication and access control mechanisms
Least-expensive way to prevent threats to system
A Security Plan: Management Policies
Perform risk assessment: assessment of risks and
Develop security policy: set of statements prioritizing risks and identifying mechanisms for achieving targets
Develop implementation plan: action steps needed to achieve security plan goals
Create security organization: in charge of security; educates and trains users, keeps management aware of security issues; administers access controls, authentication procedures and authorization policies
Perform security audit: review of security practices and
Developing an E-commerce Security Plan
Figure 5.16, Page 295
The Role of Laws and Public Policy
New laws have granted local and national authorities new tools and mechanisms for identifying, tracing and prosecuting cybercriminals
National Infrastructure Protection Center: unit within National Cyber Security Division of Department of Homeland Security whose mission is to protect U.S. technology and telecommunications infrastructure
Homeland Security Act
Government policies and controls on encryption software