Security environment

SECURITY ENVIRONMENT BY : JAYPAL SINGH CHOUDHARY ANUPMA TRIPATHI SGSITS MBA

Transcript of Security environment

Page 1: Security environment

SECURITY ENVIRONMENT

BY : JAYPAL SINGH CHOUDHARY

ANUPMA TRIPATHI SGSITS MBA

Page 2: Security environment

INTRODUCTION:

E-commerce security is the protection of e-commerce assets from unauthorized access or use.

The importance of securing e-commerce:

– Secrecy: protection against unauthorized data disclosure and authentication of data source.

– Integrity: prevention against unauthorized data modification.

– Necessity: prevention against data delays or removal.

– Non-repudiation: prevention against any one party reneging on an agreement after the fact.

– Protect the corporation's image and reputation.

Page 3: Security environment

Unauthorized access

Loss of message confidentiality or integrity

User Identification

Access Control

Players:

◦ User community

◦ Network Administration

◦ Introducers

Page 4: Security environment

“$$” The Internet: open

virus

Hackers and crackers

Page 5: Security environment

Data being stolen

Electronic mail can be intercepted and read

Customers’ credit card numbers may be read

Login/password and other access information stolen

Operating system shutdown

Filesystem corruption

User login information can be captured

Page 6: Security environment

E-mail is the most widely used application on the Internet.

Who wants to read your mail?

◦ Business competitors

◦ Reporters

◦ Criminals

◦ Friends and Family

Two approaches are used:

◦ PGP: Pretty Good Privacy

◦ PEM: Privacy-Enhanced Mail

Page 7: Security environment

Authentication problems

Impersonation attacks

Privacy problems

Hacking and similar attacks

Integrity problems

Repudiation problems

Page 8: Security environment

How to communicate securely:

SSL – “the web security protocols”

IPSEC – “the IP layer security protocol”

SMIME – “the email security protocol”

SET – “credit card transaction security protocol”

Page 9: Security environment

Secured HTTP (S-HTTP)

Security on application layer

Protection mechanism:

Digital Signature

Message authentication

Message encryption

Support private & public key cryptography

Enhanced HTTP data exchange

Page 10: Security environment

Non-repudiation

Authenticity

Confidentiality

Privacy

Availability

Page 11: Security environment

- Increased Data Access

- Much more valuable Data

- Scalability with Large User Communities

- Manageability

- Assurance

Page 12: Security environment
Page 13: Security environment
Page 14: Security environment

Applications that run on computers

Rely on servers for

◦ Files

◦ Devices

◦ Processing power

Example: E-mail client

An application that enables you to send and receive e-mail

Clients

Clients are Applications

Page 15: Security environment

Servers

Computers or processes that manage network resources

◦ Disk drives (file servers)

◦ Printers (print servers)

◦ Network traffic (network servers)

Example: Database Server

A computer system that processes database queries

Servers Manage Resources

Page 16: Security environment

Communication Networks

Networks Connect Clients and Servers

Page 17: Security environment

ELEMENTS OF A COMPREHENSIVE SECURITY PROGRAM

Have Good Passwords

Use Good Antiviral Products

Use Good Cryptography

Have Good Firewalls

Have a Backup System

Audit and Monitor Systems and Networks

Have Training and Awareness Programs

Test Your Security Frequently

Principles

Page 18: Security environment

Certification authority

Page 19: Security environment

Malicious code

◦ Viruses

◦ Worms

◦ Trojan horses

◦ Bots, botnets

Unwanted programs

◦ Browser parasites

◦ Adware

◦ Spyware

Copyright © 2010 Pearson Education, Inc.


Page 20: Security environment

Phishing

◦ Deceptive online attempt to obtain confidential information

◦ Social engineering, e-mail scams, spoofing legitimate Web sites

◦ Use information to commit fraudulent acts (access checking accounts), steal identity

Hacking and cybervandalism

◦ Hackers vs. crackers

◦ Cybervandalism: intentionally disrupting, defacing, destroying Web site

◦ Types of hackers: white hats, black hats, grey hats


Page 21: Security environment

Credit card fraud/theft

◦ Fear of stolen credit card information deters online purchases

◦ Hackers target merchant servers; use data to establish credit under false identity

◦ Online companies at higher risk than offline

Spoofing: misrepresenting self by using fake e-mail address

Pharming: spoofing a Web site

◦ Redirecting a Web link to a new, fake Web site

Page 22: Security environment

۩ Electronic data security is important at a time when people are considering banking and other financial transactions by PCs.

۩ One major threat to data security is unauthorized network monitoring, also called packet sniffing.

Page 23: Security environment

Messaging Security is a program that provides protection for a company's messaging infrastructure.

It protects all the personal messages of the company that are related to the company’s vision and mission.

Page 24: Security environment
Page 25: Security environment

It is used to protect the systems from unauthorized access, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Page 26: Security environment
Page 27: Security environment

Encryption is the mutation of information in any form (text, video, and graphics) into a representation unreadable by anyone without a decryption key.

Page 28: Security environment
Page 29: Security environment

No one can figure out the private key from the corresponding public key. Hence, the key management problem is mostly confined to the management of private keys.

The need for sender and receiver to share secret information over public channels is completely eliminated.

Page 30: Security environment