E-COMMERCE SECURITY
The importance of e-commerce security is beyond doubt, and more and more online shops and
companies are aware of it. Moreover, investment in cybersecurity will continue its dynamic
growth, keeping pace with digital threats, which will not cease.
E-commerce security strategies include the use of HTTPS protocols and SSL certificates, the
monitoring of transactions and periodic backups, among others. In the following lines, we will
delve into these and other measures of proven effectiveness.
E-commerce security is the protection of e-commerce assets from unauthorized access, use,
alteration, or destruction.
6 dimensions of e-commerce security / Security Issues in E-Commerce Transactions
1. Authentication:- Authentication ensures that the origin of an electronic message is
correctly identified. This means having the capability to determine who sent the message
and from where or which machine. Without proper authentication, it will be impossible to
know who actually placed an order and whether the order placed is genuine or not.
2. Non-Repudiation:- Non-Repudiation is closely related to authentication and this ensures
that the sender cannot deny sending a particular message and the receiver cannot deny
receiving a message.
3. Access Control:- If access control is properly implemented, many other security problems,
such as lack of privacy, will either be eliminated or mitigated. Access control ensures that only
those who legitimately require access to resources are given access, and that those without
valid authorization cannot gain access.
4. Confidentiality or Privacy:- Privacy ensures that only authorized parties can access
information in any system. The information should not be distributed to parties that
should not receive it. Issues related to privacy can be considered as a subset of issues
related to access control.
5. Integrity:- Integrity ensures that only authorized parties can make changes to the
documents transmitted over the network.
E-Commerce Threats
Cyber-security represents one of the most important e-Commerce features. Without the existence
and implementation of proper protocols, online store owners put themselves and also their
customers at risk of payment fraud. Even stores that cater to a small target market can find
themselves at a heightened risk if they leave gaps in their online security. Actually, smaller
stores face the biggest threat from cyber-criminals because of insufficient Internet safety. It has
been observed that one in five small online businesses falls victim to fraud every year, and more
than 60 of these stores are forced to close within six months.
More than financial consequences, data breaches harm an e-Commerce website's reputation.
Loyal customers will avoid continuing to shop at an online store that put their information at
risk in the past. Therefore, using the right tools has become compulsory to minimize the risk of
fraud.
Threats may come from anyone with the capability, technology, opportunity, and intent to do
harm. Potential threats can be foreign or domestic, internal or external, state-sponsored or a
single rogue element. Terrorists, insiders, disgruntled employees, and hackers are included in this
profile. Some of the security concerns are loss of privacy/confidentiality, data misuse/abuse,
cracking, eavesdropping, spoofing, rootkits, viruses, Trojans, worms, hostile ActiveX and Java,
system unavailability, denial of service, natural disasters and power interruptions.
E-commerce activity takes place when a sender (the customer) and a receiver (the merchant) use a
communication channel to do business. In this environment the sender has his own device or
computer, uses the Internet and logs in to the business portal of the merchant; the orders placed get
transmitted from one machine to another, often through a complex set of technology
features. The threat to security is that the devices, the communication channel and the technology
that is used can all be compromised, causing damage or loss to both parties. The threats can
be categorized into four areas depending on where or who gets affected.
1. Intellectual property threats: use of existing materials found on the Internet without the
owner's permission, e.g., music downloading, domain name abuse (cyber squatting), software
piracy.
2. Client computer threats: the customer machine may be compromised by Trojan horses,
active content or viruses.
3. Communication channel threats: these can occur through sniffer programs, backdoors, spoofing
or denial of service.
4. Server threats: these may be caused by privilege settings, Server Side Includes (SSI), the Common
Gateway Interface (CGI), file transfer or spamming.
5. Eavesdropping - This is the process of listening in on or overhearing parts of a conversation. It
also includes attackers listening in on your network traffic. It's generally a passive attack; for
example, a co-worker may overhear your dinner plans because your speaker phone is set too
loud. The opportunity to overhear a conversation is coupled with the carelessness of the parties
in the conversation.
6. Snooping - This is when someone looks through your files in the hope of finding something
interesting, whether it is electronic or on paper. In the case of physical snooping, people might
inspect your dumpster, recycling bins, or even your file cabinets; they can look under your
keyboard for Post-it notes, or look for scraps of paper tacked to your bulletin board. Computer
snooping, on the other hand, involves someone searching through your electronic files trying to
find something interesting.
7. Interception - This can be either an active or a passive process. In a networked environment,
passive interception might involve someone who routinely monitors network traffic. Active
interception might include putting a computer system between sender and receiver to capture
information as it is sent. From the perspective of interception, this process is covert. The last
thing a person on an intercept mission wants is to be discovered. Intercept missions can occur for
years without the knowledge of the intercepted parties.
8. Modification Attacks - These involve the deletion, insertion, or alteration of information in an
unauthorized manner that is intended to appear genuine to the user. These attacks can be very
hard to detect. The motivation for this type of attack may be to plant information, change grades
in a class, alter credit card records, or something similar. Website defacements are a common
form of modification attack.
9. Repudiation Attacks - These make data or information appear to be invalid or misleading
(which can be even worse). For example, someone might access your email server and send
inflammatory information to others under the guise of one of your top managers. This
information might prove embarrassing to your company and possibly do irreparable harm. This
type of attack is fairly easy to accomplish because most email systems don't check outbound
email for validity. Repudiation attacks, like modification attacks, usually begin as access attacks.
10. Denial-of-service Attacks - These prevent access to resources by the users authorized to
use those resources. An attacker may try to bring down an e-commerce website to prevent or
deny usage by legitimate customers. DoS attacks are common on the Internet, where they have
hit large companies such as Amazon, Microsoft, and AT&T. These attacks are often widely
publicized in the media. Several types of attack can occur in this category. They can
deny access to information, applications, systems, or communications. A DoS attack on a system
crashes the operating system (a simple reboot may restore the server to normal operation). A
common DoS attack is to open as many TCP sessions as possible; this type of attack is called a
TCP SYN flood DoS attack. Two of the most common are the ping of death and the buffer
overflow attack. The ping of death operates by sending Internet Control Message Protocol
(ICMP) packets that are larger than the system can handle. Buffer overflow attacks attempt to put
more data into a buffer than it can hold. Code Red, Slapper and Slammer are attacks that took
advantage of buffer overflows; sPing is an example of the ping of death.
11. Distributed Denial-of-service Attacks - This is similar to a DoS attack. This type of attack
amplifies the concept of a DoS attack by using multiple computer systems to conduct the attack
against a single organization. These attacks exploit the inherent weaknesses of dedicated
networks such as DSL and cable. These permanently attached systems have little, if any,
protection. The attacker can load an attack program onto dozens or even hundreds of computer
systems that use DSL or cable modems. The attack program lies dormant on these computers
until they get an attack signal from the master computer. This signal triggers the systems, which
launch an attack simultaneously on the target network or system.
12. Back door Attacks - This can have two different meanings. The original term back door referred
to troubleshooting and developer hooks into systems. During the development of a complicated
operating system or application, programmers add back doors or maintenance hooks. These back
doors allow them to examine operations inside the code while the program is running. The
second type of back door refers to gaining access to a network and inserting a program or utility
that creates an entrance for an attacker. The program may allow a certain user to log in without a
password or gain administrative privileges. A number of tools exist to create a back door attack,
such as Back Orifice (which has been updated to work with Windows Server 2003 as well as
earlier versions), SubSeven, NetBus, and NetDevil. There are many more. Fortunately, most
anti-virus software will recognize these attacks.
13. Spoofing Attacks - This is an attempt by someone or something to masquerade as someone
else. This type of attack is usually considered an access attack. The most popular spoofing
attacks today are IP spoofing and DNS spoofing. The goal of IP spoofing is to make the data
look like it came from a trusted host when it really didn't. With DNS spoofing, the DNS server
is given information about a name server that it thinks is legitimate when it isn't. This can send
users to a website other than the one they wanted to go to.
14. Man-in-the-Middle Attacks - These can be fairly sophisticated. This type of attack is also an
access attack, but it can be used as the starting point of a modification attack. It involves
placing a piece of software between a server and the user that neither the server administrators
nor the user are aware of. This software intercepts data and then sends the information to the
server as if nothing is wrong. The server responds back to the software, thinking it's
communicating with the legitimate client. The attacking software continues relaying information
to the server, and so forth.
15. Replay Attacks - These are becoming quite common; they occur when information is captured
over a network. Replay attacks are used for access or modification attacks. In a distributed
environment, logon and password information is sent over the network between the client and
the authentication system. The attacker can capture this information and replay it later. This can
also occur with security certificates from systems such as Kerberos: the attacker resubmits the
certificate, hoping to be validated by the authentication system and to circumvent any time
sensitivity.
16. Password Guessing Attacks - These occur when an account is attacked repeatedly. This is
accomplished by sending possible passwords to an account in a systematic manner. These attacks
are initially carried out to gain passwords for an access or modification attack. There are two
types of password guessing attack:
- Brute-force attack: attempts to guess a password until a successful guess occurs. This occurs
over a long period. To make passwords more difficult to guess, they should be longer than two or
three characters (six should be the bare minimum) and complex, and there should be password lockout
policies.
- Dictionary attack: this uses a dictionary of common words to attempt to find the user's
password. Dictionary attacks can be automated, and several tools exist in the public domain to
execute them.
Well, there you have it. Basically, the only way to prevent these types of attack is
to get a good firewall, anti-virus software, and a good Intrusion Detection System (IDS). Tell
your firewall to drop ICMP packets; that will prevent ICMP flooding.
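The lockout policy recommended above, written out as an added example (this code is not from the original notes): a login guard that counts consecutive failures per account, locks the account for a fixed period once the threshold is reached, and writes audit lines that an IDS or SOC analyst can alert on. The threshold (5 failures), the lockout length (15 minutes), the account name and the password are constructed values for the demonstration; passwords are stored as salted PBKDF2 hashes so a dictionary attack against a stolen database is also slowed down.

```python
# Added example (not from the original notes): password lockout policy with audit trail.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_FAILURES = 5        # consecutive failures before the account locks (assumed policy)
LOCKOUT_SECONDS = 900   # lock for 15 minutes (assumed policy)
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = os.urandom(16)   # so an unknown user costs the same time as a known one


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted, slow hash: a stolen database cannot be run through a plain dictionary quickly."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []   # one line per security-relevant event

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Returns "ok", "denied" or "locked"; `now` is injectable for tests."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            # Unknown user: do the same work and give the same answer as a wrong
            # password, so the response does not reveal which usernames exist.
            hash_password(password, DUMMY_SALT)
            self.audit.append(f"{username}: failed login (unknown user)")
            return "denied"
        if now < acct.locked_until:
            self.audit.append(f"{username}: attempt while locked")
            return "locked"
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):   # constant-time comparison
            acct.failures = 0
            return "ok"
        acct.failures += 1
        self.audit.append(f"{username}: failed login #{acct.failures}")
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            self.audit.append(f"{username}: locked for {LOCKOUT_SECONDS}s after {acct.failures} failures")
            acct.failures = 0   # counter restarts once the lock expires
            return "locked"
        return "denied"


def demo() -> List[str]:
    """Simulates a guessing run against a constructed account and returns the audit trail."""
    guard = LoginGuard()
    guard.register("alice", "correct horse battery staple")   # constructed credentials
    t = 1_700_000_000.0
    for i, guess in enumerate(["password", "123456", "alice", "letmein", "qwerty"]):
        guard.login("alice", guess, now=t + i)
    guard.login("alice", "correct horse battery staple", now=t + 10)   # correct, but still locked
    return guard.audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The audit lines are what the IDS mentioned above would consume: a burst of "failed login" lines for one account, followed by a lock event, is the signature of a brute-force or dictionary run and is worth an alert even when the lock itself stops it.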
The following countermeasures are taken to overcome the above security threats.
1. Secure Electronic Transaction (SET): Secure Electronic Transaction (SET) is an open
protocol which has the potential to emerge as a dominant force in the security of electronic
transactions.
Jointly developed by Visa and MasterCard, in conjunction with leading computer vendors such
as IBM, Microsoft, Netscape, RSA, and GTE, SET is an open standard protocol for protecting the
privacy and ensuring the authenticity of electronic transactions.
Functions of SET
- Provide confidentiality of payment and ordering information.
- Ensure the integrity of all transmitted data.
- Provide authentication that a card holder is a legitimate user of a credit card account.
- Provide authentication that a merchant can accept credit card transactions through its
relationship with a financial institution.
- Ensure the use of best security practices and system design techniques to protect all legitimate
parties in an electronic commerce transaction.
- Create a protocol that neither depends on transport security mechanisms nor prevents their use.
- Facilitate and encourage interoperability among software & network providers.
Participants in the SET system
Scope of SET
1. Motivated by the large amount of unsecured credit-card based transactions on the Internet.
2. Network payments are treated in a similar way to Mail Order/Telephone Order (MOTO)
transactions.
3. SET applies only to the 'front end' of payment; there is no need to change the 'back end'.
4. SET only addresses payment; other protocols for shopping, payment method selection etc.
will be developed by others.
Secure Socket Layer (SSL)
- SSL is a protocol developed by Netscape for transmitting private documents via the Internet.
- SSL uses a cryptographic system with two keys to encrypt data: a public key known to
everyone and a private or secret key known only to the recipient of the message.
- SSL provides end-to-end secure data transmission between the web server and the web
client.
- It is sandwiched between the TCP/IP and the application layer.
- Unlike TCP/IP, which offers only reliable packet transfer, SSL ensures secure packet transfer.
How SSL works
SSL performs two functions: it authenticates the website and ensures secure data
transmission between the web server and the client. It achieves this by using symmetric
encryption or asymmetric encryption.
In symmetric encryption, a single key, called the private key, is used both for encrypting and
decrypting the data. For symmetric encryption to work, the sender & receiver must share the private key.
This is possible only when the sender & receiver know each other.
In asymmetric encryption, two separate keys are used to encrypt & decrypt data. The public key
is shared with the other party and the private key is known only to the person who decrypts the
data. So, the private key remains a secret while the public key is known to both
parties.
Cryptography
Cryptography is the process through which the messages are altered so that their meaning is
hidden from adversaries who might intercept them.
Plain text is a message readable by anyone. Cipher text is plain text that has been modified to
protect its secrecy.
Encryption converts plain text to cipher text; Decryption converts cipher text to plain text.
“Cryptography addresses the principles, means and methods used to disguise information in
order to ensure its authenticity”.
Cryptography is used to achieve:-
· Confidentiality: only authorized persons can access information.
· Integrity: information that was sent is what was received.
· Authentication: guarantee of the originator of an electronic transmission.
· Non-repudiation: the originator of information cannot deny its content or transmission.
Types of Cryptography:-
- Private Key Cryptography
- Public Key Cryptography
Private Key Cryptography
In private-key cryptography, the sender and receiver agree beforehand on a secret private key.
The plain text is combined in some way with the key to create the cipher text. The method of
combination is such that, it is hoped, an adversary could not determine the meaning of the
message without decrypting it, for which he needs the key.
Private-key methods are efficient and difficult to break. However, one major drawback is that the
key must be exchanged between the sender and recipient beforehand, raising the issue of how to
protect the secrecy of the key.
Public Key Cryptography
In public-key cryptography, two separate keys are used to encrypt & decrypt data. The public
key is shared with the other person and the private key is known only to the person who decrypts
the data. So, the private key will remain a secret while the public key will be known to both the
parties.
Public-key cryptography depends upon the notion of one-way functions: a one way function is a
function that is easy to apply, but extremely difficult to invert.
Digital Signature
A digital signature is an electronic signature that can be used to authenticate the identity of the
sender of a message or the signer of a document, and possibly to ensure that the original content
of the message or document that has been sent is unchanged.
“Digital signature is a computer data compilation of any symbol or series of symbols, executed,
adopted or authorized by an individual to be the legally binding equivalent of the individual’s
handwritten signature”
A digital signature authenticates electronic documents in a similar manner a handwritten
signature authenticates printed documents.
A digital signature is issued by a Certification Authority (CA) and is signed with the CA’s
private key.
The recipient of a digitally signed message can verify that the message originated from the
person whose signature is attached to the document and that the message has not been altered
either intentionally or accidentally since it was signed. Also the signer of a document cannot later
disown it by claiming that the signature was forged.
When a message with a digital signature is transmitted & received, the following parties are
involved:-
- The signer who signs the document.
- The verifier who receives the signed document & verifies the signature.
- The arbitrator who arbitrates any disputes between the signer & the verifier if there is a
disagreement on the validity of the digital signature.
A digital signature typically contains the owner's public key, the owner's name, the expiration date
of the public key, the name of the issuer (the CA that issued the Digital ID), the serial number of the
digital signature and the digital signature of the issuer.
Digital signatures are based on a combination of public key encryption and a one-way hash
function that converts a message of any length into a fixed-length message digest, known as the
hash value. The hash value is unique for the hashed data: any change in the data, even
deleting or altering a single character, results in a different value. The content of the hashed data
cannot be deduced from the hash, which is why it is called 'one way'. The encrypted hash, along
with other information such as the hashing algorithm, is known as the digital signature.
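The hash-then-sign construction described in the paragraph above, and the public-key one-way function from the Public Key Cryptography section, as an added example (this code is not from the original notes). It hashes the message with SHA-256, "encrypts" the digest with the private exponent, packages it with the hash algorithm name as the signature, and lets a verifier recover the digest with the public key and compare it with a fresh hash of what was received. The key material is constructed from two well-known Mersenne primes so that the modulus is large enough to hold a full SHA-256 digest; it is textbook RSA without padding and is for illustration only, since real signing uses randomly generated 2048-bit or larger keys with RSA-PSS, or Ed25519.

```python
# Added example (not from the original notes): hash-then-sign with SHA-256 and textbook RSA.
import hashlib
from typing import Dict, Tuple

P = 2**127 - 1      # prime (constructed key material, not a real key)
Q = 2**521 - 1      # prime; P*Q > 2**256, so a full SHA-256 digest fits under the modulus
E = 65537           # public exponent


def generate_keypair(p: int = P, q: int = Q, e: int = E) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Returns (public_key, private_key). d is the inverse of e modulo phi(n): easy to
    compute knowing p and q, infeasible from n alone, which is the one-way function."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse; needs Python 3.8+
    return (n, e), (n, d)


def message_digest(message: bytes) -> int:
    """Fixed-length one-way hash of a message of any length."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key: Tuple[int, int]) -> Dict[str, object]:
    """The signer hashes the message and 'encrypts' the digest with the private key.
    The signature carries the hash algorithm name alongside the encrypted hash."""
    n, d = private_key
    return {"hash": "sha256", "value": pow(message_digest(message), d, n)}


def verify(message: bytes, signature: Dict[str, object], public_key: Tuple[int, int]) -> bool:
    """The verifier recovers the digest with the public key and recomputes the hash of
    the message it received; any alteration, even one character, makes the two differ."""
    n, e = public_key
    if signature.get("hash") != "sha256":
        return False
    recovered = pow(int(signature["value"]), e, n)
    return recovered == message_digest(message)


def demo() -> Dict[str, bool]:
    """Signs a constructed order, then checks the original, a tampered copy and a forged value."""
    public_key, private_key = generate_keypair()
    order = b"order 1234: 2 x widget, ship to 10 Main St, total 59.90"   # constructed message
    sig = sign(order, private_key)
    tampered = order.replace(b"59.90", b"59.99")            # modification attack on the amount
    forged = {"hash": "sha256", "value": int(sig["value"]) + 1}   # signature made without the key
    return {
        "original_verifies": verify(order, sig, public_key),
        "tampered_verifies": verify(tampered, sig, public_key),
        "forged_verifies": verify(order, forged, public_key),
    }


if __name__ == "__main__":
    print(demo())
```

Only the original message verifies: the tampered order fails because its hash no longer matches the recovered digest, and the forged value fails because without the private exponent there is no way to produce a number that decrypts to the right digest. This is also what gives non-repudiation: a valid signature could only have come from the holder of the private key.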
Virtual Private Network
- A Virtual private network (VPN) extends a private network across a public network, such as
the Internet.
- It enables a computer to send and receive data across shared or public networks as if it were
directly connected to the private network.
- This is done by establishing a virtual point-to-point connection through the use of dedicated
connections, encryption or a combination of the two.
- A VPN allows employees to securely access their company's intranet while travelling outside the
office.
- Similarly, VPNs securely and cost-effectively connect geographically disparate offices of an
organization, creating one cohesive virtual network.
- VPN technology is also used by ordinary Internet users to connect to proxy servers for the
purpose of protecting one's identity.
VPN Security
- To prevent disclosure of private information, VPNs typically allow only authenticated remote
access and make use of encryption techniques. A VPN provides security by the use of tunneling
products and through security procedures such as encryption.
- VPN security provides:
· Confidentiality
· Authentication
· Integrity
VPNs ensure privacy by providing a private tunnel through the Internet for remote access to the
network. For full VPN security, your VPN must be enhanced with a reliable user authentication
mechanism protecting the end points of the VPN.
Username and password authentication is not enough: this method is weak and highly susceptible
to hacking, cracking, key loggers and other attacks. It only takes one compromised password for
your organization to lose control over who gains network access. Strong user authentication with a
VPN provides truly secure remote access for today's mobile workforce.
Extranet
· An extranet is an extended intranet that connects multiple intranets through secure
tunneling over the Internet.
· Extranets act as a link to selected individuals outside the company by allowing them access to
the information stored inside the intranet.
· Internet protocols are typically utilized by extranets so as to provide browser navigation
even though the network is situated on a private server. A username and password system can be
configured for sections of the content so as to prevent users from accessing information they have
no authorization for.
Firewall
A firewall is a software- or hardware-based network security system that controls the incoming and
outgoing network traffic by analyzing the data packets and determining whether they should be
allowed through or not, based on a rule set.
A firewall establishes a barrier between a trusted, secure internal network & another
network that is not assumed to be secure and trusted.
Many personal computer operating systems include software-based firewalls to protect against
threats from the public Internet. Many routers that pass data between networks contain firewall
components and, conversely, many firewalls can perform basic routing functions.
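How a rule set decides whether a packet is allowed through, as an added example (this code is not from the original notes): a first-match packet filter with a default-deny policy. The rule set models a small shop and is entirely constructed: 203.0.113.10 stands in for the public web server, 10.0.0.0/8 for the internal admin LAN, and the interfaces "wan" and "lan" for the untrusted and trusted sides. It includes the "drop ICMP" rule recommended in the password-guessing section and an anti-spoofing rule that rejects packets arriving from the Internet with an internal source address, the IP spoofing case described under Spoofing Attacks.

```python
# Added example (not from the original notes): first-match packet filter with default deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                    # interface the packet arrived on: "wan" or "lan"
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    comment: str                  # reason recorded in the log when the rule fires
    proto: str = "any"
    iface: Optional[str] = None   # None matches any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Ordered rule set: the first matching rule decides; anything unmatched is denied.
RULESET: List[Rule] = [
    Rule("deny", "drop ICMP from the Internet (ping floods)", proto="icmp", iface="wan"),
    Rule("deny", "anti-spoofing: internal source address arriving from the Internet",
         iface="wan", src="10.0.0.0/8"),
    Rule("allow", "HTTPS to the shop", proto="tcp", dst="203.0.113.10/32", dport=443),
    Rule("allow", "HTTP (redirects to HTTPS)", proto="tcp", dst="203.0.113.10/32", dport=80),
    Rule("allow", "SSH only from the admin LAN", proto="tcp", iface="lan",
         src="10.0.0.0/8", dst="203.0.113.10/32", dport=22),
]
DEFAULT_ACTION = "deny"


def filter_packet(pkt: Packet, ruleset: List[Rule] = RULESET) -> Tuple[str, str]:
    """Returns (action, reason) for one packet."""
    for rule in ruleset:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return DEFAULT_ACTION, "default deny"


def run_sample() -> List[Tuple[str, str]]:
    """Runs a constructed packet sample through the filter; doubles as a rule-set regression test."""
    sample = [
        Packet("wan", "198.51.100.7", "203.0.113.10", "tcp", 443),    # customer browsing
        Packet("wan", "198.51.100.7", "203.0.113.10", "icmp"),        # ping from outside
        Packet("wan", "10.1.2.3", "203.0.113.10", "tcp", 22),         # spoofed internal source
        Packet("lan", "10.1.2.3", "203.0.113.10", "tcp", 22),         # admin over SSH
        Packet("wan", "198.51.100.7", "203.0.113.10", "tcp", 3306),   # database port probe
    ]
    return [filter_packet(p) for p in sample]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

Rule order matters: the anti-spoofing deny sits above the SSH allow, so a packet from the Internet claiming a 10.x source is dropped before any allow rule can see it. Keeping the sample packets next to the rule set lets you re-run them after every rule change and catch a regression such as accidentally exposing the database port.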
Difference between Computer Virus and Computer Worm

Web & Social Media Analytics Previous Year Question Paper.pdf
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric  nursing HISTORY  COLLECTION  .docxpsychiatric  nursing HISTORY  COLLECTION  .docx
psychiatric nursing HISTORY COLLECTION .docx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 

E commerce security 4

• 1. E-COMMERCE SECURITY

The importance of e-commerce security is beyond doubt, and more and more online shops and companies are aware of it. Moreover, investment in cybersecurity will continue its dynamic growth, almost in step with digital threats, which will not cease.

E-commerce security strategies include the use of HTTPS protocols and SSL certificates, the monitoring of transactions and periodic backups, among others. In the following lines, we will delve into these and other measures of proven effectiveness.

E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration, or destruction.

6 dimensions of e-commerce security / Security Issues in E-Commerce Transactions

1. Authentication: Authentication ensures that the origin of an electronic message is correctly identified. This means having the capability to determine who sent the message and from where or from which machine. Without proper authentication, it is impossible to know who actually placed an order and whether the order placed is genuine.

2. Non-Repudiation: Non-repudiation is closely related to authentication. It ensures that the sender cannot deny sending a particular message and the receiver cannot deny receiving it.

3. Access Control: If access control is properly implemented, many other security problems, such as lack of privacy, will either be eliminated or mitigated. Access control ensures that only those who legitimately require access to resources are given access, and that those without valid access cannot obtain it.

4. Confidentiality or Privacy: Privacy ensures that only authorized parties can access information in any system. The information should not be distributed to parties that should not receive it. Issues related to privacy can be considered a subset of issues related to access control.

5. Integrity: Integrity ensures that only authorized parties can make changes to the documents transmitted over the network.

E-Commerce Threats

Cyber-security represents one of the most important e-Commerce features. Without the existence and implementation of proper protocols, online store owners put themselves and their customers at risk of payment fraud. Even stores that cater to a small target market can find themselves at heightened risk if they leave gaps in their online security. In fact, smaller stores face the biggest threat from cyber-criminals because of insufficient Internet safety. It has been observed that one in five small online businesses falls victim to fraud every year, and more than 60 of these stores are forced to close within six months.
• 2.

Beyond the financial consequences, data breaches harm an e-Commerce website's reputation. Loyal customers will avoid continuing to shop at an online store that put their information at risk in the past. Therefore, using the right tools has become compulsory in order to minimize the risk of fraud.

Threats may come from anyone with the capability, technology, opportunity, and intent to do harm. Potential threats can be foreign or domestic, internal or external, state-sponsored or a single rogue element. Terrorists, insiders, disgruntled employees, and hackers are all included in this profile.

Some of the security concerns are: loss of privacy/confidentiality, data misuse/abuse, cracking, eavesdropping, spoofing, rootkits, viruses, Trojans, worms, hostile ActiveX and Java, system unavailability, denial of service, natural disasters and power interruptions.

E-commerce activity takes place when a sender (the customer) and a receiver (the merchant) use a communication channel to do business. In this environment the sender has his own device or computer, uses the internet and logs in to the business portal of the merchant; the orders placed get transmitted from one machine to another, often through a complex set of technology features. The threat to security is that the devices, the communication channel and the technology that is used can all be compromised, causing damage or loss to both parties.

The threats can be categorized into four areas depending on where or who gets affected:

1. Intellectual property threats: use of existing materials found on the Internet without the owner's permission, e.g., music downloading, domain names (cyber squatting), software pirating.
2. Client computer threats: the customer machine may be compromised by Trojan horses, active content or viruses.
3. Communication channel threats: these can occur due to sniffer programs, backdoors, spoofing and denial-of-service.
4. Server threats: these may be caused by privilege settings, Server Side Include (SSI), Common Gateway Interface (CGI), file transfer and spamming.

5. Eavesdropping: This is the process of listening in on or overhearing parts of a conversation. It also includes attackers listening in on your network traffic. It is generally a passive attack; for example, a co-worker may overhear your dinner plans because your speaker phone is set too loud. The opportunity to overhear a conversation is coupled with the carelessness of the parties in the conversation.

6. Snooping: This is when someone looks through your files in the hope of finding something interesting, whether electronic or on paper. In the case of physical snooping, people might inspect your dumpster, recycling bins, or even your file cabinets; they can look under your keyboard for Post-it notes, or look for scraps of paper tacked to your bulletin board. Computer snooping, on the other hand, involves someone searching through your electronic files trying to find something interesting.

7. Interception: This can be either an active or a passive process. In a networked environment,
• 3.

a passive interception might involve someone who routinely monitors network traffic. Active interception might include putting a computer system between sender and receiver to capture information as it is sent. From the perspective of the interceptor, this process is covert: the last thing a person on an intercept mission wants is to be discovered. Intercept missions can go on for years without the knowledge of the intercepted parties.

8. Modification Attacks: These involve the deletion, insertion, or alteration of information in an unauthorized manner that is intended to appear genuine to the user. These attacks can be very hard to detect. The motivation for this type of attack may be to plant information, change grades in a class, alter credit card records, or something similar. Website defacements are a common form of modification attack.

9. Repudiation Attacks: These make data or information appear to be invalid or misleading (which can be even worse). For example, someone might access your email server and send inflammatory information to others under the guise of one of your top managers. This information might prove embarrassing to your company and possibly do irreparable harm. This type of attack is fairly easy to accomplish because most email systems don't check outbound email for validity. Repudiation attacks, like modification attacks, usually begin as access attacks.

10. Denial-of-service Attacks: These prevent access to resources by the users authorized to use those resources. An attacker may try to bring down an e-commerce website to prevent or deny usage by legitimate customers. DoS attacks are common on the internet, where they have hit large companies such as Amazon, Microsoft, and AT&T. These attacks are often widely publicized in the media. Several types of attack fall into this category; they can deny access to information, applications, systems, or communications.

A DoS attack on a system crashes the operating system (a simple reboot may restore the server to normal operation). A common DoS attack is to open as many TCP sessions as possible; this type of attack is called a TCP SYN flood DoS attack. Two of the most common are the ping of death and the buffer overflow attack. The ping of death operates by sending Internet Control Message Protocol (ICMP) packets that are larger than the system can handle. Buffer overflow attacks attempt to put more data into a buffer than it can handle. Code Red, Slapper and Slammer are attacks that took advantage of buffer overflows; sPing is an example of a ping of death.

11. Distributed Denial-of-service Attacks: These are similar to a DoS attack. This type of attack amplifies the concept of a DoS attack by using multiple computer systems to conduct the attack against a single organization. These attacks exploit the inherent weaknesses of dedicated networks such as DSL and cable. These permanently attached systems have little, if any, protection. The attacker can load an attack program onto dozens or even hundreds of computer systems that use DSL or cable modems. The attack program lies dormant on these computers
• 4.

until they get the attack signal from the master computer. This signal triggers these systems, which launch an attack simultaneously on the target network or system.

12. Back door Attacks: This term can have two different meanings. The original term "back door" referred to troubleshooting and developer hooks into systems. During the development of a complicated operating system or application, programmers add back doors or maintenance hooks. These back doors allow them to examine operations inside the code while the program is running. The second type of back door refers to gaining access to a network and inserting a program or utility that creates an entrance for an attacker. The program may allow a certain user to log in without a password or gain administrative privileges. A number of tools exist to create a back door attack, such as Back Orifice (which has been updated to work with Windows Server 2003 as well as earlier versions), SubSeven, NetBus, and NetDevil. There are many more. Fortunately, most anti-virus software will recognize these attacks.

13. Spoofing Attacks: This is an attempt by someone or something to masquerade as someone else. This type of attack is usually considered an access attack. The most popular spoofing attacks today are IP spoofing and DNS spoofing. The goal of IP spoofing is to make the data look like it came from a trusted host when it really didn't. With DNS spoofing, the DNS server is given information about a name server that it thinks is legitimate when it isn't. This can send users to a website other than the one they wanted to go to.

14. Man-in-the-Middle Attacks: These can be fairly sophisticated. This type of attack is also an access attack, but it can be used as the starting point of a modification attack. It involves placing a piece of software between a server and the user that neither the server administrators nor the user are aware of. This software intercepts data and then sends the information on to the server as if nothing were wrong. The server responds back to the software, thinking it is communicating with the legitimate client. The attacking software continues relaying information to the server, and so forth.

15. Replay Attacks: These are becoming quite common. They occur when information is captured over a network. Replay attacks are used for access or modification attacks. In a distributed environment, logon and password information is sent over the network between the client and the authentication system. The attacker can capture this information and replay it later. This can also occur with security certificates from systems such as Kerberos: the attacker resubmits the certificate, hoping to be validated by the authentication system and to circumvent any time sensitivity.
• 5.

16. Password Guessing Attacks: These occur when an account is attacked repeatedly. This is accomplished by sending possible passwords to an account in a systematic manner. These attacks are initially carried out to gain passwords for an access or modification attack. There are two types of password guessing attack:

- Brute-force attack: attempts to guess a password until a successful guess occurs. This takes place over a long period. To make passwords more difficult to guess, they should be longer than two or three characters (six should be the bare minimum) and complex, and password lockout policies should be in place.

17. Dictionary attack: This uses a dictionary of common words to attempt to find the user's password. Dictionary attacks can be automated, and several tools exist in the public domain to execute them.

Well, there you have it. Basically, the only way to prevent these types of attacks is to get a good firewall, anti-virus software, and a good Intrusion Detection System (IDS). Tell your firewall to drop ICMP packets; that will prevent ICMP flooding.

The following countermeasures are taken to overcome the above security threats.

1. Secure Electronic Transaction (SET): Secure Electronic Transaction (SET) is an open protocol which has the potential to emerge as a dominant force in the security of electronic transactions. It was jointly developed by Visa and MasterCard, in conjunction with leading computer vendors such as IBM, Microsoft, Netscape, RSA, and GTE. SET is an open standard protocol for protecting the privacy and ensuring the authenticity of electronic transactions.
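The replay attacks of slide 4 and the password guessing attacks of slide 5 share one defensive pattern: a login service that rejects stale or repeated requests and locks an account after a run of failures. The following is an added example (not code from the slides) with a constructed user store; the user "alice", the nonce names and the lockout thresholds are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5        # consecutive failures before the account is locked
LOCKOUT_SECONDS = 900   # 15-minute lockout window (assumed policy value)
REPLAY_WINDOW = 120     # requests whose timestamp is older than this are refused


def hash_password(password, salt):
    # Salted, iterated hash so a captured credential store cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Authenticates login requests while defending against replayed
    credentials (nonce + timestamp) and repeated guessing (lockout)."""

    def __init__(self, users):
        # users maps username -> plaintext password; constructed demo data only.
        self._creds = {}
        for name, pw in users.items():
            salt = secrets.token_bytes(16)
            self._creds[name] = (salt, hash_password(pw, salt))
        self._failures = {}
        self._locked_until = {}
        self._seen_nonces = set()

    def attempt(self, user, password, nonce, timestamp, now=None):
        now = time.time() if now is None else now
        # 1. Replay protection: every request carries a fresh random nonce and a
        #    timestamp; an old timestamp or a nonce already seen is rejected,
        #    so a captured logon message cannot simply be resubmitted later.
        if now - timestamp > REPLAY_WINDOW or nonce in self._seen_nonces:
            return "replay-rejected"
        self._seen_nonces.add(nonce)
        # 2. Lockout: refuse even a correct password while the account is locked,
        #    which bounds how many guesses an attacker gets per unit of time.
        if self._locked_until.get(user, 0) > now:
            return "locked"
        creds = self._creds.get(user)
        # Hash even for unknown users so response timing does not reveal
        # which usernames exist.
        salt, stored = creds if creds else (b"\x00" * 16, b"")
        candidate = hash_password(password, salt)
        if creds and hmac.compare_digest(candidate, stored):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0
            return "locked"
        return "bad-password"


def demo():
    # Constructed scenario: one valid login, one replay of the same message,
    # five systematic guesses, then the real password against a locked account.
    guard = LoginGuard({"alice": "correct horse battery staple"})
    t0 = 1_700_000_000.0
    results = [guard.attempt("alice", "correct horse battery staple", "n1", t0, now=t0)]
    results.append(guard.attempt("alice", "correct horse battery staple", "n1", t0, now=t0 + 1))
    for i in range(MAX_FAILURES):
        results.append(guard.attempt("alice", "guess%d" % i, "g%d" % i, t0, now=t0 + 2 + i))
    results.append(guard.attempt("alice", "correct horse battery staple", "n2", t0 + 10, now=t0 + 10))
    return results


if __name__ == "__main__":
    print(demo())
```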
• 6.

Functions of SET

- Provide confidentiality of payment and ordering information.
- Ensure the integrity of all transmitted data.
- Provide authentication that a card holder is a legitimate user of a credit card account.
- Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution.
- Ensure the use of best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction.
- Create a protocol that neither depends on transport security mechanisms nor prevents their use.
- Facilitate and encourage interoperability among software and network providers.

Participants in the SET system
• 7.

Scope of SET

1. Motivated by the large amount of unsecured credit-card based transactions on the Internet.
2. Network payments are treated in a similar way to Mail Order/Telephone Order (MOTO) transactions.
3. SET applies only to the 'front end' of payment; there is no need to change the 'back end'.
4. SET only addresses payment; other protocols for shopping, payment method selection etc. will be developed by others.

Secure Socket Layer (SSL)

- SSL is a protocol developed by Netscape for transmitting private documents via the Internet.
- SSL uses a cryptographic system with two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message.
- SSL provides end-to-end secure data transmission between the web server and the web client.
- It is sandwiched between the TCP/IP layer and the application layer.
- Unlike TCP/IP, which offers only reliable packet transfer, SSL ensures secure packet transfer.

How does SSL work?

SSL performs two functions: it authenticates the website and ensures secure data transmission between the web server and the client. It achieves this by using either symmetric encryption or asymmetric encryption.
• 8.

In symmetric encryption, a single key, called the private key, is used both for encrypting and decrypting the data. For symmetric encryption to work, the sender and receiver must share the private key. This is possible only when the sender and receiver know each other.

In asymmetric encryption, two separate keys are used to encrypt and decrypt data. The public key is shared with the other person and the private key is known only to the person who decrypts the data. So the private key remains a secret while the public key is known to both parties.

Cryptography

Cryptography is the process through which messages are altered so that their meaning is hidden from adversaries who might intercept them.
• 9.

Plain text is a message readable by anyone. Cipher text is plain text that has been modified to protect its secrecy. Encryption converts plain text to cipher text; decryption converts cipher text to plain text.

"Cryptography addresses the principles, means and methods used to disguise information in order to ensure its authenticity."

Cryptography is used to achieve:

- Confidentiality: only authorized persons can access information.
- Integrity: the information that was sent is what was received.
- Authentication: a guarantee of the originator of an electronic transmission.
- Non-repudiation: the originator of information cannot deny its content or transmission.

Types of Cryptography:

- Private Key Cryptography
- Public Key Cryptography

Private Key Cryptography

In private-key cryptography, the sender and receiver agree beforehand on a secret private key. The plain text is combined in some way with the key to create the cipher text. The method of combination is such that, it is hoped, an adversary could not determine the meaning of the message without decrypting it, for which he needs the key.
• 10.

Private-key methods are efficient and difficult to break. However, one major drawback is that the key must be exchanged between the sender and recipient beforehand, which raises the issue of how to protect the secrecy of the key.

Public Key Cryptography

In public-key cryptography, two separate keys are used to encrypt and decrypt data. The public key is shared with the other person and the private key is known only to the person who decrypts the data. So the private key remains a secret while the public key is known to both parties. Public-key cryptography depends upon the notion of one-way functions: a one-way function is a function that is easy to apply but extremely difficult to invert.
• 11.

Digital Signature

A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged.

"A digital signature is a computer data compilation of any symbol or series of symbols, executed, adopted or authorized by an individual to be legally binding, equivalent to the individual's handwritten signature."
• 12.

A digital signature authenticates electronic documents in a similar manner to the way a handwritten signature authenticates printed documents. A digital signature is issued by a Certification Authority (CA) and is signed with the CA's private key. The recipient of a digitally signed message can verify that the message originated from the person whose signature is attached to the document and that the message has not been altered, either intentionally or accidentally, since it was signed. Also, the signer of a document cannot later disown it by claiming that the signature was forged.

When a message with a digital signature is transmitted and received, the following parties are involved:

- The signer, who signs the document.
- The verifier, who receives the signed document and verifies the signature.
- The arbitrator, who arbitrates any disputes between the signer and the verifier if there is a disagreement on the validity of the digital signature.

A digital signature typically contains the owner's public key, the owner's name, the expiration date of the public key, the name of the issuer (the CA that issued the Digital ID), the serial number of the digital signature and the digital signature of the issuer.

Digital signatures are based on a combination of public key encryption and a one-way hash function that converts a message of any length into a fixed-length message digest, known as the hash value. The hash value is unique for the hashed data: any change in the data, even deleting or altering a single character, results in a different value. The content of the hashed data cannot be deduced from the hash, which is why it is called 'one way'. The encrypted hash, along with other information such as the hashing algorithm, is known as the digital signature.

Virtual Private Network

- A Virtual Private Network (VPN) extends a private network across a public network, such as the internet.
- It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network.
- This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.
- A VPN allows employees to securely access their company's intranet while travelling outside the office.
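Slides 10 to 12 describe public-key cryptography, one-way hash functions and how a signature is the digest "encrypted" with the signer's private key. The following is an added example, not from the slides: textbook RSA over a SHA-256 digest, with constructed parameters (two known Mersenne primes, no padding), so it illustrates the sign/verify mechanics and tamper detection but is not a production signature scheme.

```python
import hashlib

# Constructed key material for illustration only: the Mersenne primes
# 2**127 - 1 and 2**61 - 1 give a ~188-bit modulus, far too small for real
# use, and textbook RSA without padding is not a secure signature scheme.
P = 2**127 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

PUBLIC_KEY = (N, E)     # shared with everyone
PRIVATE_KEY = (N, D)    # known only to the signer


def message_digest(message):
    """One-way hash: a fixed-length SHA-256 digest of a message of any length,
    reduced modulo N so that it fits the RSA modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message, private_key):
    """Signer: hash the message, then apply the private key to the digest.
    The result is the signature that travels with the message."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message, signature, public_key):
    """Verifier: recover the digest with the public key and compare it with a
    freshly computed digest of the message actually received. Any change to
    the message, or to the signature, makes the two differ."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == message_digest(message)


def demo():
    # Constructed order message; 'tampered' changes one character of the total.
    order = b"order=1234;item=widget;qty=2;total=49.90"
    sig = sign(order, PRIVATE_KEY)
    tampered = b"order=1234;item=widget;qty=2;total=4.90"
    return {
        "genuine": verify(order, sig, PUBLIC_KEY),
        "altered_message": verify(tampered, sig, PUBLIC_KEY),
        "forged_signature": verify(order, sig ^ 1, PUBLIC_KEY),
    }


if __name__ == "__main__":
    print(demo())
```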
• 13.

- Similarly, VPNs securely and cost-effectively connect geographically disparate offices of an organization, creating one cohesive virtual network.
- VPN technology is also used by ordinary Internet users to connect to proxy servers for the purpose of protecting their identity.

VPN Security

- To prevent disclosure of private information, VPNs typically allow only authenticated remote access and make use of encryption techniques. A VPN provides security through the use of tunneling products and through security procedures such as encryption.
- VPN security provides:
  - Confidentiality
  - Authentication
  - Integrity

VPNs ensure privacy by providing a private tunnel through the internet for remote access to the network. For full VPN security, your VPN must be enhanced with a reliable user authentication mechanism that protects the end points of the VPN. Username and password authentication is not enough; this method is weak and highly susceptible to hacking, cracking, key loggers and other attacks. It only takes one compromised password for your organization to lose control over who gains network access. Strong user authentication with a VPN provides truly secure remote access for today's mobile workforce.

Extranet

- An extranet is an extended intranet that connects multiple intranets through secured tunneling over the internet.
- Extranets act as a link to select individuals outside the company by allowing them access to the information stored inside the intranet.
- Internet protocols are typically utilized by extranets so as to provide browser navigation even though the network is situated on a private server. A username and password system can be configured for sectors of the content so as to prevent users from accessing information they have no authorization for.
• 14.

Firewall

A firewall is a software- or hardware-based network security system that controls incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a rule set. A firewall establishes a barrier between a trusted, secure internal network and another network that is not assumed to be secure and trusted. Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.

Difference between Computer Virus and Computer Worm
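The firewall description above (packets checked against a rule set, first match decides, everything else denied) and slide 5's advice to drop ICMP can be shown as a small packet filter. This is an added example, not code from the slides; the rule set, the addresses (RFC 5737 documentation ranges) and the sample packets are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the public Internet) or "out"
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0   # destination port; 0 for ICMP


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "drop"
    direction: str = "any"
    proto: str = "any"
    dst_net: str = "any"     # CIDR the destination must fall into, or "any"
    dport: int = 0           # 0 means any port

    def matches(self, pkt):
        if self.direction not in ("any", pkt.direction):
            return False
        if self.proto not in ("any", pkt.proto):
            return False
        if self.dport not in (0, pkt.dport):
            return False
        if self.dst_net != "any":
            if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
                return False
        return True


def decide(rules, pkt, default="drop"):
    """First-match evaluation: the first rule that matches decides; a packet
    no rule covers falls through to the default, which is deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set for a small shop network 10.0.0.0/24 with its web
# server at 10.0.0.10: inbound ICMP is dropped (the slides' ICMP flooding
# advice), only HTTPS may reach the web server from outside, internal hosts
# may browse and resolve names, and everything else hits the default drop.
RULES = [
    Rule("drop", direction="in", proto="icmp"),
    Rule("allow", direction="in", proto="tcp", dst_net="10.0.0.10/32", dport=443),
    Rule("allow", direction="out", proto="tcp", dport=443),
    Rule("allow", direction="out", proto="udp", dport=53),
]


def demo():
    # Constructed sample packets; note the database port probe from the
    # Internet is dropped not by an explicit rule but by the default.
    samples = {
        "customer_https": Packet("in", "tcp", "203.0.113.5", "10.0.0.10", 443),
        "icmp_echo_from_internet": Packet("in", "icmp", "203.0.113.5", "10.0.0.10"),
        "ssh_probe": Packet("in", "tcp", "203.0.113.9", "10.0.0.10", 22),
        "db_from_internet": Packet("in", "tcp", "203.0.113.9", "10.0.0.20", 3306),
        "staff_browsing": Packet("out", "tcp", "10.0.0.50", "198.51.100.7", 443),
        "dns_lookup": Packet("out", "udp", "10.0.0.50", "198.51.100.53", 53),
    }
    return {name: decide(RULES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:25s} {verdict}")
```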