This series in about the Entrepreneurial and E-Commerce opportunities and how to harness the power of Information Technology to improve or revolutionize business.
This session discusses about:
the types of threats that could occur to an e-commerce business, and what are the prevention methods and technologies available for such threats.
3. Building an E-Commerce
Website
• Planning
• Systems analysis and design
• Building the system: In-house vs. outsourcing
• Website hosting: In-house vs. outsourcing
• System Testing
• Implementation and maintenance
• Website optimization factors
• Choosing server software
• Application servers
• E-commerce merchant server software functionality
• Merchant server software packages
• Choosing the right hardware for your e-commerce site
• Right-sizing your hardware platform
• Other e-commerce site development tools
• Personalization tools
5. Security and Encryption
• The e-commerce security environment
• Types of threats
• Technology solutions
• Protecting Internet communications
• Encryption
• Securing channels of communication
• Secure socket layers (SSL)
• Protecting networks - Firewalls
• Protecting servers and clients – OS controls/Anti-virus software
6. The E-Commerce Security
Environment
• For most law-abiding citizens, the Internet holds the promise of a
huge and convenient global marketplace
• For criminals, the Internet has created entirely new – and profitable –
ways to steal from the more than one billion Internet consumers
worldwide
• steal what?
• products, services, cash, information
• It’s also less risky to steal online
• For example, rather than rob a bank in person, the Internet makes it
possible to rob people remotely and almost anonymously
9. Security Implementation
Concerns
• Can there be too much security?
• Yes.
• adds overhead and expense to business operations
• Expanding computer security also has other downsides:
• Makes systems more difficult to use
• Slows down processors
• Increases data storage demands
• May reduce individual’s abilities to remain anonymous
10. Threats
• Three key points of vulnerability:
• Client
• Server
• Communications channel
13. Types of Threats
• Viruses
• needs a host
• a virus attaches itself to executable code and is executed when the software program begins to run
or an infected file is opened
• Worms
• does not need a host
• replicates itself through the Internet
• Trojans
• code that is layered behind another program,
• can perform covert, malicious functions
• Logic Bombs
• a version of a Trojan Horse, however, it is event or time specific
14. Types of Threats Cont.d
• Bot networks
• a number of Internet-connected computers communicating with other similar machines in an effort to
complete repetitive tasks and objectives
• zombie computer network / master host computer
• used for spam or DDoS attacks
• DDoS attacks
• many computers are used to launch an attack on a particular E-Commerce server
• a massive amount of invalid data is sent to the server
• achieved by bot networks
• Phishing
• the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an
attempt to scam the user into surrendering private information that will be used for identity theft
15. Types of Threats Cont.d
• Data Packet Sniffing
• an attacker can also use a sniffer to intercept the data packet flow and analyze the
individual data packets
• IP Spoofing
• change the source address of a data packet to give it the appearance that it originated
from another computer
• used to start the launch of a Denial of Service Attack
• Port Scanning
• listening to the network ports of the E-Commerce server
• figure out what kind of services are running on the E-Commerce server
• figure out the vulnerabilities of the system in order to cause the greatest damage possible
16. Types of Threats Cont.d
• Backdoors / Trapdoors
• developers often leave “backdoors” to monitor the code as it is developed
• Instead of a implementing a secure protocol in which to access the code, backdoors
provide a quick way into the code
• Backdoors provide a very easy vulnerability for the attacker to get into, and cause system
wide damage to the E-Commerce server.
• Data theft
• create an additional, unauthorized copy
• Identify theft
• someone pretends to be someone else by assuming that person's identity
• as a method to gain access to resources or obtain credit and other benefits in that
person's name
17. Types of Threats Cont.d
• Credit card fraud
• obtain goods without paying
• obtain unauthorized funds from an account
• also an adjunct to identity theft
• Spyware
• software that aims to gather information about a person or organization
without their knowledge
• send such information to another entity without the consumer's consent
• asserts control over a computer without the consumer's knowledge
19. Technology Solutions
• Redundant firewall protection
• stop cyberattacks before they can penetrate the network perimeter
• Web application protection
• Web Application Firewall
• protects from from application-level attacks like SQL injections and cross-site
scripting (XSS) attacks
• extends protection in places where traditional firewall’s can’t provide
• DoS/DDoS mitigation
• ward off DDoS events by providing a barrier between your server and the IP
flood
20. Technology Solutions
• SSL VPN
• create a secure connection for remote users who will be
administering the Web applications and hosting environment
• Vulnerability Monitoring
• scan your Web application code around the clock looking for
unexpected changes and malicious code that matches known
"diseases" in the threat database
• Antivirus protection
• reviews files and services stored on the physical server
21. Technology Solutions
• Two factor authentication
• requires Web site administrators to go through two layers of
security before obtaining access to the hosting environment
• unique because it challenges you with something you know
and something you have
• prevents password leaks
• Encrypted backup, service monitoring and response
• read more
23. Encryption
• transforming plain text or data into cipher text that cannot be read by anyone other than the
sender and the receiver
• to secure stored information and to secure information transmission
• [old way]
• Symmetric Key Encryption
• both the sender and the receiver use the same key to encrypt and decrypt the message
• sent the key to each other over some communications media or in person
• [updated way 1976]
• Asymmetric Key Encryption / Public Key Cryptography
• a class of cryptographic protocols based on algorithms that require two separate keys, one of
which is secret (or private) and one of which is public
• Although different, the two parts of this key pair are mathematically linked
25. Limitations to Encryption
• All forms of encryption have limitations
• It is not effective against insiders
• Protecting private keys may also be difficult
because they are stored on insecure desktop and
laptop computers
• Additional technology solutions exist for securing
channels of communications, networks, and
servers/clients
27. Secure Socket Layer (SSL)
• Transport Layer Security (TLS) and its predecessor, Secure
Sockets Layer (SSL), both of which are frequently referred to as
'SSL', are cryptographic protocols designed to provide
communications security over a computer network
• use X.509 certificates and hence asymmetric cryptography to
• authenticate the counterpart with whom they are communicating
• and to negotiate a symmetric session key
• session key is then used to encrypt data flowing between the
parties
28. Secure Socket Layer (SSL)
• allows
• data/message confidentiality
• message authentication codes for message integrity
• message authentication
• use in applications such as
• web browsing
• email
• Internet faxing
• instant messaging
• voice-over-IP (VoIP)
29. Protecting Networks -
Firewalls
• a technological barrier designed to prevent unauthorized or
unwanted communications between computer networks or hosts
• a network security system that monitors and controls the incoming
and outgoing network traffic based on predetermined security
rules
• establishes a barrier between a trusted, secure internal network
and another outside network, such as the Internet, that is
assumed to not be secure or trusted
• network firewall
• host-based firewall
30. Protecting Servers & Clients –
OS Controls/Anti-virus Software
• Operating system security enhancements
• Anti-virus software
32. Policy Solutions
• An e-commerce security plan would include
• a risk assessment
• development of a security policy
• implementation plan
• creation of a security organization
• a security audit
33. Policy Solutions
• A Implementation may involve
• expanded forms of access controls
• IDs
• passwords
• access codes
• biometrics
• fingerprints
• retina scans
• speech recognition