Prentice Hall, 2002 1 Chapter 13 E-Commerce Security.
Posted: 20-Dec-2015
Learning Objectives
Document the rapid rise in computer and network security attacks
Understand the factors contributing to the rise in EC security breaches
Explain the basic types of network security attacks
Learning Objectives (cont.)
Discuss the major steps in developing a security risk management system
Describe the major types of attacks against EC systems
Discuss some of the major technologies for securing EC
Bringing Down an EC Site: Mere Child’s Play
Distributed Denial of Service (DDoS) attacks can inundate a site with so many requests that legitimate traffic is virtually halted
The attacker uses software to send a flood of data packets to the target computer(s) with the aim of overloading its resources
Figure 13-1 Using Zombies in a Distributed Denial of Service Attack
Source: Scambray et al. (2000)
Bringing Down an EC Site: Mere Child’s Play (cont.)
Distributed Denial of Service (DDoS) attacks
Zombie—machine on which the DDoS software is loaded, unknown to the owner
  Home computers with cable modems or DSL service that are left on all the time
  Business Web servers located outside the firewall
Availability of free tools and scripts makes it easy to mount a DDoS attack
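As an added illustration (not from the textbook), the Python detection logic below runs over constructed Web-server log lines and shows why the zombie pattern is hard to filter: a single-source flood can be rate-limited by address, whereas a distributed flood spreads the same load across many addresses, each individually below any per-source limit. The log format, addresses and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed log format (an assumption): "<epoch_second> <source_ip> <request>"
def parse_line(line):
    ts, src, _request = line.split(" ", 2)
    return int(ts), src

def classify_windows(lines, total_threshold=100, per_source_threshold=50):
    """Bucket requests into one-second windows and classify each window.

    A window above total_threshold is a flood. If one address alone exceeds
    per_source_threshold it is a single-source DoS, which per-address
    rate-limiting can stop. Otherwise the load is spread over many addresses,
    the zombie pattern of a DDoS, where per-address limits never trigger.
    """
    per_window = defaultdict(Counter)
    for line in lines:
        ts, src = parse_line(line)
        per_window[ts][src] += 1
    verdicts = {}
    for ts, counts in sorted(per_window.items()):
        total = sum(counts.values())
        top_src, top_n = counts.most_common(1)[0]
        if total <= total_threshold:
            verdicts[ts] = "normal"
        elif top_n > per_source_threshold:
            verdicts[ts] = f"dos:single-source:{top_src}"
        else:
            verdicts[ts] = f"ddos:distributed:{len(counts)}-sources"
    return verdicts

def make_log(ts, sources, per_source):
    """Build constructed log lines: every source sends per_source requests in second ts."""
    return [f"{ts} {src} GET /checkout" for src in sources for _ in range(per_source)]

# Constructed traffic: one quiet second, one single-source flood, one zombie flood.
NORMAL = make_log(1000, [f"10.0.0.{i}" for i in range(1, 21)], 2)            # 40 requests
SINGLE = make_log(1001, ["203.0.113.7"], 300)                                 # 300 from one host
DISTRIBUTED = make_log(1002, [f"198.51.100.{i}" for i in range(1, 201)], 3)   # 600 from 200 hosts
SAMPLE_LOG = NORMAL + SINGLE + DISTRIBUTED

if __name__ == "__main__":
    for ts, verdict in classify_windows(SAMPLE_LOG).items():
        print(ts, verdict)
```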
Figure 13-2 Attack Sophistication vs. Intruder Technical Knowledge
Source: Reproduced with special permission: the CERT/CC graphic © 2000 Carnegie Mellon University, in Electronic Commerce 2002, from Allen et al. (2000).
The Need for Security
Data from Computer Security Institute and FBI indicate:
  Cyber attacks are on the increase
  Internet connections are increasingly a point of attack
  The variety of attacks is on the rise
  The reporting of serious crimes to law enforcement has declined
Table 13-2 Incidents and Vulnerabilities Reported to CERT
Figures from Computer Emergency Response Team (CERT)
Why Now?
Security systems are only as strong as their weakest points
Security and ease of use (or implementation) are antithetical to one another
Security takes a back seat to market pressures
Why Now? (cont.)
Security of an EC site depends on the security of the Internet as a whole
Security vulnerabilities are increasing faster than they can be combated
Security compromised by common applications
Basic Security Issues
User’s perspective
  Is the Web server owned and operated by a legitimate company?
  Do the Web page and form contain malicious code?
  Will the Web server distribute the user’s information to another party?
Company’s perspective
  Will the user attempt to break into the Web server or alter the site?
  Will the user try to disrupt the server so it isn’t available to others?
Basic Security Issues (cont.)
Issues at a simple marketing site: user and company perspective
  Is the network connection free from eavesdropping?
  Has information sent back and forth between server and browser been altered?
Basic Security Issues (cont.)
Major security issues in EC
  Authentication
  Authorization
  Auditing
  Confidentiality or privacy
  Integrity
  Availability
  Non-repudiation
Security Risk Management
Required to determine security needs
4 phases of risk management
  Assessment
  Planning
  Implementation
  Monitoring
Definitions involved in risk management
  Assets—anything of value worth securing
  Threat—eventuality representing danger to an asset
  Vulnerability—weakness in a safeguard
Security Risk Management (cont.)
Assessment phase—evaluation of assets, threats, vulnerabilities
  Determine organizational objectives
  Inventory assets
  Delineate threats
  Identify vulnerabilities
  Quantify the value of each risk
Security Risk Management (cont.)
Planning phase of risk management—arrive at a set of security policies
  Define specific policies
  Establish processes for audit and review
  Establish an incident response team and contingency plan
Security Risk Management (cont.)
Implementation phase of risk management—choose particular technologies to deal with high priority threats
Monitoring phase of risk management—ongoing processes used to determine which measures are successful, unsuccessful and need modification
Types of Threats and Attacks
Nontechnical vs. technical attacks
Steps in a hacker’s attack
  Discover key elements of network
  Scan for vulnerabilities
  Hack in and gain administrator privileges
  Disable auditing & traces from log files
  Steal files, modify data, steal source code, etc.
  Install back doors, etc. to permit undetectable reentry
  Return at will to do more damage
Types of Threats and Attacks (cont.)
The players
  Hackers
  Crackers
  Script kiddies
Systems and software bugs and misconfigurations
Prentice Hall, 2002 22
Types of Threats and Attacks (cont.)
IP fragmentation (teardrop, bonk, boink, nestea, and others)
DNS spoofing
Ping of death
Smurf attack
SYN flood
Buffer overflows
Denial-of-service (DoS) attacks
Prentice Hall, 2002 23
Types of Threats and Attacks (cont.)
Input validation attacks
Intercepted transmissions
Malicious code
  Viruses
  Worms
  Macro viruses and macro worms
  Trojan horses
  Malicious mobile code
Security Technologies
Firewalls and access control
Firewall—network node that isolates private network from public network
  Packet-filtering routers
  Application-level proxies
  Screened host firewall
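As an added example (not from the textbook), the Python model below evaluates a first-match packet filter of the kind a packet-filtering router applies at the perimeter of a screened host firewall: only the bastion Web host is reachable from the public network, and only on ports 80 and 443, while the private network behind it stays unreachable. The addresses and the rule set are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str                       # source network in CIDR form
    dst: str                       # destination network in CIDR form
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

# Constructed addresses: the screening router's external interface sees
# inbound traffic from anywhere, bound for the bastion host or the private net.
ANY, PRIVATE, BASTION = "0.0.0.0/0", "10.0.0.0/8", "192.0.2.10/32"

# Ordered inbound rules; the first match wins, and nothing matching is denied.
INBOUND_RULES = [
    Rule("deny", PRIVATE, ANY),               # a private source address arriving from outside is spoofed
    Rule("allow", ANY, BASTION, "tcp", 80),   # public Web access to the screened host only
    Rule("allow", ANY, BASTION, "tcp", 443),  # public TLS access to the screened host only
]

def filter_packet(p: Packet, rules=INBOUND_RULES) -> str:
    """Return the action of the first matching rule, or "deny" by default."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"   # default deny keeps the private network unreachable from outside

if __name__ == "__main__":
    for p in (Packet("203.0.113.5", "192.0.2.10", "tcp", 443),
              Packet("203.0.113.5", "192.0.2.10", "tcp", 22),
              Packet("203.0.113.5", "10.1.2.3", "tcp", 80),
              Packet("10.1.2.3", "192.0.2.10", "tcp", 80)):
        print(p, "->", filter_packet(p))
```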
Security Technologies (cont.)
Virtual private networks (VPNs)—use the public Internet to carry information while keeping it private
Encryption—scramble communications
Authentication—ensure information remains untampered with and comes from legitimate source
Access control—verify identity of anyone using network
Security Technologies (cont.)
Protocol tunneling—ensure confidentiality and integrity of data transmitted
  Point-to-Point Tunneling Protocol (PPTP)
  Layer 2 Tunneling Protocol (L2TP)
Intrusion Detection Systems (IDS)
Managerial Issues
Recognize the business consequences of poor security
Security through obscurity doesn’t work
It’s the business that counts, not the technology
Security is an on-going, closed-loop process
Even for EC sites, internal breaches are more prevalent than external breaches