MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE Security

Transcript of MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE Security (39 slides).

Page 1: MANAGEMENT & LEGAL IMPLICATIONS OF eCOMMERCE Security (title slide)

Page 2: Outline

- What is Security
- What is Electronic Security
- Objectives of Security
- Importance of Security
- Types of Security
- Security Policy
- Security Tips

Page 3: What is Security?

That which secures; protection; a state of safety or safekeeping.

Page 4: Electronic Security

The process of preventing and detecting unauthorized use of a computer-based information system.

Prevention: measures to stop unauthorized users from accessing any part of the computer-based information system.

Page 5: Importance of Security

Privacy. Crime.

Networks and their associated technologies have opened the door to an increasing number of security threats. Important data can be lost, privacy can be violated, and the computer can even be used by an outside attacker to attack other computers on the Internet.

Page 6: Who Might Attack?

Hackers: in security circles, most of these people are known as "script kiddies": attackers of limited skill who run attack tools written by others.

Business rivals: competitors may try to obtain information illicitly through your virtual back doors.

Page 7: Who Might Attack? (cont.)

Foreign intelligence: another area of concern is foreign espionage. France, Israel, and Russia are known to have active industrial espionage efforts underway against the United States.

Insiders: they may be hacking for their own amusement, for example, or they may be working for rivals or foreign intelligence agencies.

Page 8: Security Considerations vs. Internet Business Value

[Figure: stages of Internet use (Internet Access, Corporate Intranet, Internet Presence, eCommerce, Extranets) plotted against two axes, "Security Considerations" and "Internet Business Value".]

Page 9: Objectives of Security

- Confidentiality
- Integrity
- Availability

Page 10: Confidentiality

The process used to protect secret information from unauthorized disclosure. Secret data needs to be protected both when it is stored and when it is being transmitted over the network.

Page 11: Integrity

Refers to protecting the data within the system against unauthorized modification or creation of values. Data integrity checks detect whether data has been modified during transmission. Such modification may be the result of an attack or of a transmission error (corruption). A plain checksum is enough to catch corruption, but only a keyed check (a MAC) or a digital signature catches a deliberate change, because an attacker who can alter the data can also recompute an unkeyed checksum.
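The difference between an unkeyed checksum and a keyed integrity check, as an added Go example that is not from the original slides. The sample order message, the shared key, and the choice of CRC-32 and HMAC-SHA256 as the two checks are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/crc32"
)

// taggedMessage is a message plus the integrity tag sent alongside it.
type taggedMessage struct {
	Body []byte
	Tag  string
}

// Constructed sample traffic: an order as a shop front end might send it to a
// back-end system. Not taken from any real system.
var sampleOrder = []byte("order=1001&item=widget&qty=1&amount=19.99")

// crc32Tag is an unkeyed checksum: it catches accidental corruption, but anyone
// who can change the body can also recompute it.
func crc32Tag(body []byte) string {
	return fmt.Sprintf("%08x", crc32.ChecksumIEEE(body))
}

// hmacTag is a keyed tag (HMAC-SHA256): a valid tag requires the shared secret
// key, so an attacker without the key cannot forge one.
func hmacTag(key, body []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

func sendWithCRC(body []byte) taggedMessage {
	return taggedMessage{Body: body, Tag: crc32Tag(body)}
}

func acceptWithCRC(tm taggedMessage) bool {
	return crc32Tag(tm.Body) == tm.Tag
}

func sendWithHMAC(key, body []byte) taggedMessage {
	return taggedMessage{Body: body, Tag: hmacTag(key, body)}
}

// acceptWithHMAC recomputes the tag and compares in constant time, so the
// comparison itself does not leak how many bytes matched.
func acceptWithHMAC(key []byte, tm taggedMessage) bool {
	got, err := hex.DecodeString(tm.Tag)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(tm.Body)
	return hmac.Equal(got, mac.Sum(nil))
}

// corrupt models a transmission error: one bit flipped in the body.
func corrupt(tm taggedMessage) taggedMessage {
	body := append([]byte(nil), tm.Body...)
	body[len(body)-1] ^= 0x01
	return taggedMessage{Body: body, Tag: tm.Tag}
}

// tamper models an on-path attacker who rewrites the amount. The attacker can
// recompute an unkeyed tag; without the HMAC key the best they can do is leave
// the old tag in place.
func tamper(tm taggedMessage, recomputeUnkeyed bool) taggedMessage {
	body := bytes.Replace(tm.Body, []byte("amount=19.99"), []byte("amount=0.01"), 1)
	tag := tm.Tag
	if recomputeUnkeyed {
		tag = crc32Tag(body)
	}
	return taggedMessage{Body: body, Tag: tag}
}

func main() {
	key := []byte("shared-secret-key-for-demo-only") // assumption: pre-shared by both systems
	crcMsg := sendWithCRC(sampleOrder)
	fmt.Println("CRC  corrupted accepted:", acceptWithCRC(corrupt(crcMsg)))
	fmt.Println("CRC  tampered  accepted:", acceptWithCRC(tamper(crcMsg, true)))
	macMsg := sendWithHMAC(key, sampleOrder)
	fmt.Println("HMAC corrupted accepted:", acceptWithHMAC(key, corrupt(macMsg)))
	fmt.Println("HMAC tampered  accepted:", acceptWithHMAC(key, tamper(macMsg, false)))
}
```

The second printed line is the point: the CRC-protected message with a rewritten amount is accepted because the attacker recomputed the checksum, while every change to the HMAC-protected message is rejected.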

Page 12: Integrity (cont.)

There are legal concerns regarding:

- Anonymity of source
- Ease of reproduction
- Detection of alteration
- Unauthorised disclosure
- Attribution

Page 13: Availability

Loss of availability is caused by equipment malfunction, equipment destruction (natural disaster) or equipment loss (theft).

Example: a computer virus causes the system to be unavailable for an extended period while the virus is removed and corrupted data is reprocessed.

Page 14: Types of Security

- Technical countermeasures
- Non-technical countermeasures: physical, procedural

Page 15: A Balanced Approach to Security

[Figure: threats and resources balanced against four groups of controls: security-conscious people, policies and procedures, network controls, security software.]

Page 16: Technical Countermeasures

- Passwords
- Encryption
- Cryptography
- Digital signatures
- Firewalls
- Key locks
- Smart cards
- Biometrics

Page 17: Passwords

The computer system is password protected.

- Make passwords as meaningless as possible: no real words (forwards or backwards), a mixture of letters and numbers.
- Change passwords regularly.
- Never divulge passwords to anyone.

(Current guidance such as NIST SP 800-63B favours long passphrases and changing a password when there is evidence of compromise rather than on a fixed schedule.)

Page 18: Encryption

Encryption technology ensures that messages cannot be read by anyone other than the authorized recipient, even if they are intercepted.

Encryption is usually deployed to protect data that is transported over a public network such as the Internet and uses advanced mathematical algorithms to 'scramble' messages and their attachments.

Page 19: Where Encryption Is Used

- ATMs
- EFTPOS
- Internet transactions
- Protecting medical records, corporate trade secrets, air traffic control centres, etc.

Page 20: Cryptography

It is the practical art of converting messages or data into a different form, such that no one can read them without having access to the 'key'.

The message may be converted using a 'code' (in which case each character or group of characters is substituted by an alternative one) or a 'cipher' (also spelled 'cypher'; in which case the message as a whole is converted by a rule, rather than by substituting individual characters).

Cryptanalysis is the science of 'breaking' or 'cracking' encryption schemes, i.e. recovering the plaintext or the decryption key without being given the key.
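A worked instance of the 'cipher' and 'cryptanalysis' definitions above, added here and not part of the original slides: a Caesar shift as the cipher and a letter-frequency attack as the break. The plaintext, the shift of 7 and the English letter-frequency table are constructed inputs for the demonstration; the cipher is a toy, chosen because its 26-key space makes the attack easy to follow.

```go
package main

import (
	"fmt"
	"strings"
)

// englishFreq holds approximate English letter frequencies in percent, a..z.
var englishFreq = [26]float64{
	8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
	6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074,
}

// shiftEncrypt is a Caesar cipher: every letter is replaced by the letter
// `key` places further along the alphabet, so the whole message is converted
// by one rule (the slide's "cipher", as opposed to a codebook). The key is
// 0..25; non-letters pass through unchanged.
func shiftEncrypt(plaintext string, key int) string {
	key = ((key % 26) + 26) % 26
	var b strings.Builder
	for _, r := range strings.ToLower(plaintext) {
		if r >= 'a' && r <= 'z' {
			b.WriteRune('a' + (r-'a'+rune(key))%26)
		} else {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// shiftDecrypt undoes shiftEncrypt for the same key.
func shiftDecrypt(ciphertext string, key int) string {
	return shiftEncrypt(ciphertext, 26-(((key%26)+26)%26))
}

// englishScore rates how English-like a text is: the sum of the frequency
// weights of its letters. Correctly decrypted English scores far higher than
// the same letters scrambled by a wrong shift.
func englishScore(text string) float64 {
	score := 0.0
	for _, r := range text {
		if r >= 'a' && r <= 'z' {
			score += englishFreq[r-'a']
		}
	}
	return score
}

// breakShift is the cryptanalysis: try all 26 candidate keys and keep the one
// whose decryption looks most like English. No key material is needed; the
// key space is simply too small.
func breakShift(ciphertext string) int {
	bestKey, bestScore := 0, -1.0
	for k := 0; k < 26; k++ {
		if s := englishScore(shiftDecrypt(ciphertext, k)); s > bestScore {
			bestKey, bestScore = k, s
		}
	}
	return bestKey
}

func main() {
	// Constructed plaintext for the demonstration.
	pt := "the merchant must be sure the order was placed by the customer and was not altered in transit by an attacker on the network"
	ct := shiftEncrypt(pt, 7)
	k := breakShift(ct)
	fmt.Printf("ciphertext: %s\nrecovered key: %d\nplaintext: %s\n", ct, k, shiftDecrypt(ct, k))
}
```

The same scoring idea (compare the observed letter distribution with the language's) is what breaks any simple substitution; a modern cipher is designed so that no such statistical fingerprint survives in the ciphertext.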

Page 21: Symmetric Cryptography

The same key is used for encrypting and decrypting messages. Both parties must therefore already share the key, and it has to be distributed to them secretly.

Page 22: Public Key Cryptography

Multiple people encrypt messages using the recipient's well-known public key. The recipient decrypts them with her private key.

Page 23: Public Key Cryptography (cont.)

- A message encrypted with a public key can only be decrypted with the corresponding private key.
- A message encrypted with the private key can only be decrypted with the public key (this is the property digital signatures rely on).

Page 24: Public Key Cryptography (cont.): Key Distribution

A Certification Authority (CA) acts as a trusted third party which distributes digital certificates.

The digital certificates, which are publicly distributed, contain a user's public key as well as other information such as the user's personal details and the expiry date of the key.

A Registration Authority (RA) verifies a user's identity at the time the user applies for a digital certificate. Often the CA and the RA are the same entity.
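The CA and RA roles above, as an added Go example built on the standard library's X.509 support (not from the original slides). "Example Corp CA", "Rogue CA" and the user "alice" are hypothetical names, and the RA's identity check is assumed to have happened before issue is called. A relying party accepts a certificate that chains to its trusted root, rejects one for the same user signed by a CA it does not trust, and rejects the genuine one once its expiry date has passed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// authority is a CA: a signing key plus the self-signed certificate carrying
// the matching public key, which relying parties install as a trust root.
type authority struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newUserKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func newCA(name string) (*authority, error) {
	key, err := newUserKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &authority{cert: cert, key: key}, nil
}

// issue: once the RA has checked who the applicant is, the CA binds that
// identity (the Subject) and an expiry date to the applicant's public key by
// signing the certificate with the CA key.
func (ca *authority) issue(user string, userPub *ecdsa.PublicKey, validFor time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, userPub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify is the relying party's check: the certificate must chain to a
// trusted root and be inside its validity period at time `now`.
func verify(cert, trustedRoot *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	corpCA, _ := newCA("Example Corp CA") // hypothetical names
	rogueCA, _ := newCA("Rogue CA")
	aliceKey, _ := newUserKey()
	genuine, _ := corpCA.issue("alice", &aliceKey.PublicKey, time.Hour)
	forged, _ := rogueCA.issue("alice", &aliceKey.PublicKey, time.Hour)
	fmt.Println("genuine:", verify(genuine, corpCA.cert, time.Now()))
	fmt.Println("rogue CA:", verify(forged, corpCA.cert, time.Now()))
	fmt.Println("expired:", verify(genuine, corpCA.cert, time.Now().Add(2*time.Hour)))
}
```

The trust decision lives entirely in which root the relying party installs: the rogue CA's certificate is well-formed and correctly signed, it just does not chain to anything the verifier trusts.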

Page 25: Public Key Distribution

[Figure: public key distribution; no text extracted.]

Page 26: Digital Signatures

A block of data attached to a message that is used to verify that the message really comes from the claimed sender. Can also be used to verify the time the document was sent (when a trusted timestamp is included in what is signed). It can only be generated by the sender, the holder of the private key, and is very difficult for anyone else to forge.

Page 27: Digital Signature Process

[Figure: digital signature process; no text extracted.]

Page 28: Digital Envelopes

1. Sender generates a random message key (K). Sender encrypts the message (M) with K, creating the ciphertext message (CM).
2. Sender encrypts K with the recipient's public key (RPubK), generating ciphertext CK.
3. Sender computes a digital signature (S) over the message using her private signing key (SPrivK).
4. Sender sends CK, CM and S to the recipient.
5. Recipient uses his private key (RPrivK) to decrypt CK and obtain K.
6. Recipient uses K to decrypt CM and get M.
7. Recipient uses the sender's public key (SPubK) to validate S.
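Steps 1 to 7 above, together with the symmetric, public key and digital signature slides (pages 21 to 26), as one added Go example that is not from the original slides. The slides name no algorithms, so the following are assumptions: AES-256-GCM for CM, RSA-OAEP for CK, RSA-PSS over a SHA-256 hash of M for S, 2048-bit RSA keys, and a constructed sample message.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what step 4 puts on the wire: CK, CM and S. The AES-GCM nonce
// is not secret and travels with CM.
type Envelope struct {
	CK    []byte // K encrypted with RPubK (RSA-OAEP)
	Nonce []byte // AES-GCM nonce
	CM    []byte // M encrypted with K (AES-256-GCM)
	S     []byte // signature over M made with SPrivK (RSA-PSS, SHA-256)
}

func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal performs steps 1 to 4 on the sender's side.
func seal(m []byte, rPubK *rsa.PublicKey, sPrivK *rsa.PrivateKey) (*Envelope, error) {
	// Step 1: fresh random message key K; CM = Enc_K(M).
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	cm := gcm.Seal(nil, nonce, m, nil)
	// Step 2: CK = Enc_RPubK(K). Only the holder of RPrivK can recover K.
	ck, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rPubK, k, nil)
	if err != nil {
		return nil, err
	}
	// Step 3: S = Sign_SPrivK(M). The SHA-256 hash of M is what gets signed.
	h := sha256.Sum256(m)
	s, err := rsa.SignPSS(rand.Reader, sPrivK, crypto.SHA256, h[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{CK: ck, Nonce: nonce, CM: cm, S: s}, nil
}

// open performs steps 5 to 7 on the recipient's side.
func open(env *Envelope, rPrivK *rsa.PrivateKey, sPubK *rsa.PublicKey) ([]byte, error) {
	// Step 5: K = Dec_RPrivK(CK).
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, rPrivK, env.CK, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot recover message key: %w", err)
	}
	// Step 6: M = Dec_K(CM). GCM's own tag rejects a modified CM or nonce here.
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	m, err := gcm.Open(nil, env.Nonce, env.CM, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext rejected: %w", err)
	}
	// Step 7: validate S with SPubK; fail if the claimed sender did not sign M.
	h := sha256.Sum256(m)
	if err := rsa.VerifyPSS(sPubK, crypto.SHA256, h[:], env.S, nil); err != nil {
		return nil, fmt.Errorf("signature invalid, not from the claimed sender: %w", err)
	}
	return m, nil
}

func main() {
	sender, _ := newKeyPair()
	recipient, _ := newKeyPair()
	env, _ := seal([]byte("transfer 100.00 to account 4242"), &recipient.PublicKey, sender) // constructed message
	m, err := open(env, recipient, &sender.PublicKey)
	fmt.Printf("recovered %q, err=%v\n", m, err)
}
```

Signing M itself follows the slide's ordering, with the check made last in step 7. Many deployed designs sign the ciphertext instead, or put the signature inside the encrypted part, so that a forgery is rejected before any decryption happens and S does not hand an eavesdropper a hash of a guessable M.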

Page 29:

[Slide with no extracted text.]

Page 30: Firewalls

A firewall is a device that is placed between your system and the Internet. It can monitor and filter any incoming and outgoing traffic.

It offers a single point at which security can be monitored and alarms generated.

Encryption can be used as a safeguard. There should be a security policy in place. An important point to keep in mind is that firewalls are not always impenetrable: traffic the policy allows through (for example, to the web server's HTTPS port) can still carry an attack on the application behind it.
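A model of the filtering and alarm behaviour described above, as an added Go example that is not from the original slides; it needs Go 1.18 or later for net/netip. The addresses, the web and database hosts and the three-rule policy are constructed for a hypothetical shop.

```go
package main

import (
	"fmt"
	"net/netip"
)

// packet is the part of a connection attempt a packet filter looks at.
type packet struct {
	Src, Dst netip.Addr
	DstPort  uint16
	Proto    string
}

// rule matches on addresses, destination port and protocol; DstPort 0 and
// Proto "" match anything.
type rule struct {
	Name     string
	Src, Dst netip.Prefix
	DstPort  uint16
	Proto    string
	Allow    bool
}

func (r rule) matches(p packet) bool {
	return r.Src.Contains(p.Src) && r.Dst.Contains(p.Dst) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort) &&
		(r.Proto == "" || r.Proto == p.Proto)
}

// firewall evaluates rules in order, first match wins, and records every denied
// packet as an alarm: the slide's single point where security is monitored and
// alarms generated. Anything no rule allows is dropped (default deny).
type firewall struct {
	rules  []rule
	alarms []string
}

func (fw *firewall) decide(p packet) bool {
	desc := fmt.Sprintf("%s -> %s:%d/%s", p.Src, p.Dst, p.DstPort, p.Proto)
	for _, r := range fw.rules {
		if r.matches(p) {
			if !r.Allow {
				fw.alarms = append(fw.alarms, "DENY ("+r.Name+"): "+desc)
			}
			return r.Allow
		}
	}
	fw.alarms = append(fw.alarms, "DENY (default): "+desc)
	return false
}

func mustPacket(src, dst string, port uint16, proto string) packet {
	return packet{Src: netip.MustParseAddr(src), Dst: netip.MustParseAddr(dst), DstPort: port, Proto: proto}
}

// examplePolicy is a constructed policy: the Internet may reach the web server
// on 443 only, the internal network may reach the Internet, and everything
// else, including the database host, is dropped.
func examplePolicy() *firewall {
	anywhere := netip.MustParsePrefix("0.0.0.0/0")
	internal := netip.MustParsePrefix("10.0.0.0/8")
	web := netip.MustParsePrefix("10.0.1.10/32")
	return &firewall{rules: []rule{
		{Name: "public-https", Src: anywhere, Dst: web, DstPort: 443, Proto: "tcp", Allow: true},
		{Name: "outbound", Src: internal, Dst: anywhere, Allow: true},
		{Name: "drop-all", Src: anywhere, Dst: anywhere, Allow: false},
	}}
}

func main() {
	fw := examplePolicy()
	for _, p := range []packet{
		mustPacket("203.0.113.7", "10.0.1.10", 443, "tcp"),  // customer to shop: allowed
		mustPacket("203.0.113.7", "10.0.1.10", 22, "tcp"),   // ssh from Internet: denied
		mustPacket("203.0.113.7", "10.0.2.20", 3306, "tcp"), // direct database access: denied
		mustPacket("10.0.0.25", "198.51.100.9", 443, "tcp"), // staff browsing out: allowed
	} {
		fmt.Println(fw.decide(p), p.Src, "->", p.Dst, p.DstPort)
	}
	for _, a := range fw.alarms {
		fmt.Println(a)
	}
}
```

Rule order and the closing drop-all rule are what make the policy safe: the default is to deny, and the alarm list is what a monitor would watch. Note also what the filter cannot do: a packet to 10.0.1.10:443 is allowed whatever it carries, which is the sense in which a firewall is not impenetrable.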

Page 31: Physical Countermeasures

Defined as the protection of an organisation's resources against threats of damage, theft and natural disasters.

Involves a layered approach.

Page 32: Layers of Physical Security

[Figure: three layers, Computer Security, Building Security and End User Security, set against the threats Hacker Attacks, Physical Intrusion, Unauthenticated Access and Environmental Disruption.]

Page 33: Building Security

- Guard
- Alarm system
- Surveillance system
- Perimeter security (adequate lighting, security fences)
- Warning signs
- Centralized control (to respond to an attack as quickly as possible)

Page 34: Procedural Countermeasures

- Conditions of use (lay out expectations)
- Key locks
- Supervision
- Usage monitoring
- Safe storage of data
- Backup (make copies of data and software)
- User authorisation
- Intruder detection
- Monitoring and control
- Business Continuity Plans
- Disaster Recovery Plans

Page 35: Disaster Recovery and Business Continuity

Disaster Recovery Plan: an approved set of arrangements and procedures that enable an organisation to respond to a disaster and resume its critical business functions within a defined time frame.

Business Continuity Plan: the process of developing advance arrangements and procedures that enable an organisation to respond to an event in such a manner that critical business functions continue without interruption or essential change.

Page 36: Natural Disasters

Natural disasters cause extensive damage such as loss of power, communication lines and processing; buildings set on fire; buildings collapsing.

To limit the damage, organisations should: secure external communication links; install lightning protection; create firebreaks around buildings; ensure appropriate building construction.

Page 37: IT Security Policy Example

http://www.uts.edu.au/div/publications/policies/select/itsecurity.html

Page 38: How to Secure an Environment

1. Assess the situation
2. Fix high-risk vulnerabilities
3. Secure the perimeter
4. Secure the interior
5. Deploy monitors
6. Test/attack high risks

Page 39: Security Tips

- Use protection software ("anti-virus software") and keep it up to date.
- Don't open email from unknown sources.
- Use hard-to-guess passwords.
- Protect your computer from Internet intruders: use "firewalls".
- Don't share access to your computers with strangers. Learn about file-sharing risks.
- Back up your computer data.