Thương mại điện tử - E Commerce Security Environment - Chapter 04 - Part 1

CSC 330 E-CommerceTeacher Ahmed Mumtaz Mustehsan GM-IT CIIT Islamabad Virtual Campus, CIIT COMSATS Institute of Information TechnologyT1-Lecture-9T1-Lecture-9E Commerce Security Environment Chapter-04Part-IFor Lecture Material/Slides Thanks to: Copyright © 2010 Pearson Education, IncObjectivesUnderstand the scope of e-commerce crime and security problems.Describe the key dimensions of e-commerce security.Understand the tension between security and other values.Identify the key security threats in the e-commerce environment.T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-3Online Robbery - IntroductionIn comparison to robbing a bank, internet banking can be robbed remotely and more safelyStealing a music / video CD from shop is harder than downloading from illegal websitesIf you take internet as a global market place; Many fake websites exists online to trap users by putting some attractive contents and extra ordinary deals and offers, making the remote users to provide their credit card information etc. One can not break into physical home easily and breach the privacy but if the password of social networking account is hacked then the privacy is compromisedT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-4Cyber Attack - IntroductionDenial of Service Attack (DOS):When one computer sends or flood the high number of data packets to a targeted computer resulting in chocking the resources ( communication path, processor etc.)Distributed Denial of Service Attack (DDOS)when many computers attack on single websites, or online system from many locations in a single time resulting in overwhelming the system and creating congestion and many other impairments and making the system or website unavailable for legitimate usersT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-5Cyber Attack - IntroductionBotnet:Artificially intelligent or robot computers can work together. A group of such computers (even in millions) capable of being managed remotely by single person attack on some online system or website. Example:In 2007 1 million computers were used in an organized attack on govt. of Estonia’s important serversT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-6DDOST1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-7 CYBER Warfare Reference for studyRussia – Estonia Cyber war Twitter DDoSKorean DDoSTaught at US Military academies bh-fed-03-dodge.pdfiwar_wise.pdfT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-8 / Your PC may be part of BotnetBotnets are responsible for over 80% of the spam sent to the computer usersSome computer users download those spam files because of having less knowledgeSome computers become infected because of unavailability of antivirus softwareSome computers are compromised by means of using pirated software10 % of the world’s billion-plus computers on internet are capable of being captured by stealth malware programs which are installed by clicking malicious links and downloading hidden files.T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-9The E-commerce Security EnvironmentOverall size and losses of cybercrime unclearReporting issues2008 CSI survey: 49% respondent firms detected security breach in last yearOf those that shared numbers, average loss $288,000Underground economy marketplaceStolen information stored on underground economy serversCredit cards, bank information, personal identity etc etc are sold at these servers.T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-10Rates of different stolen objects at Underground e marketT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-11Types of Attacks Against Computer Systems (Cybercrime)T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-12Source: Based on data from Computer Security Institute, 2009.What Is Good E-commerce Security?To achieve highest degree of securityUse of New technologiesOrganizational policies and proceduresIndustry standards and government lawsOther factors to be looked in:Time value of Information Cost of security vs. potential lossSecurity often breaks at weakest linkT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-13The E-commerce Security EnvironmentT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-14Ideal E Commerce EnvironmentCapable of making secure commercial transactionAchieving highest degree of securityAdopting new technologiesGiving awareness to users about online safetyDefining and understanding industrial standardsImplementing governments lawsProsecuting the violators of lawsT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-15Dimensions of E-commerce SecurityT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-16Typical Transection facilitated by TechnologiesT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-17The Tension Between Security and Other ValuesSecurity vs. ease of useThe more security measures added, the more difficult a site is to use, and the slower it becomesSecurity vs. desire of individuals to act anonymouslyUse of technology by criminals to plan crimes or threaten nation-stateT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-18Security Threats in the E-commerce EnvironmentThree key points of vulnerability:ClientServerCommunications pipelineT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-19A Typical E-commerce TransactionT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-20SOURCE: Boncella, 2000.Vulnerable Points in an E-commerce EnvironmentT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-21SOURCE: Boncella, 2000.Most Common Security ThreatsMalicious codeVirusesvirus is a computer program that has the ability to replicate or make copies of itself, and spread to other filesWormsworm is designed to spread from computer to computerTrojan horsesTrojan horse appears to be nonthreatening, but then does something other than expectedBots, botnets Software Robots called bots (As Explained)T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-22Most Common Security Threats in the E-commerce EnvironmentUnwanted programs: Browser parasitesAdwareSpywareT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-23T1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-24SpywareSoftware that sits on your computer Monitors everything that you do and sends out reports to Marketing agenciesUsually ties to a POP-UP serverTop SpywareI-Look UpCoolWebSearchN-CASEGATORDoubleClick If you have ever loaded ICQ on your PC you have SpywareIf you have ever loaded KAZAA on your PC you have SpywareIf you have ever loaded Quicken or TurboTax you have SpywareT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-25Most Common Security ThreatsPhishingDeceptive online attempt to obtain confidential informationSocial engineering, e-mail scams, spoofing legitimate Web sitesUse information to commit fraudulent acts (access checking accounts), steal identityHacking and cyber-vandalismHackers vs. crackershacker is an individual who intends to gain unauthorized access to a computer systemT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-26Most Common Security Threatscracker is the term typically used within the hacking community to demote a hacker with criminal intentCyber-vandalism: intentionally disrupting, defacing, destroying Web siteTypes of hackers: white hats are “good” hackers that help organizations locate and fix security flawsblack hats are hackers who act with the intention of causing harmgrey hats are hackers who believe they are pursuing some greater good by breaking in and revealing system flawsT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-27Most Common Security ThreatsCredit card fraud/theftFear of stolen credit card information deters online purchasesHackers target merchant servers; use data to establish credit under false identityOnline companies at higher risk than offlineSpoofing: misrepresenting self by using fake e-mail address or other form of identification spoofing a Web site also called Pharming: Redirecting a Web link to a new, fake Web siteSpam/junk Web sitesSplogsT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-28Snoop and SniffT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-29Most Common Security ThreatsDenial of service (DoS) attackHackers flood site with useless traffic to overwhelm networkDistributed denial of service (DDoS) attackHackers use multiple computers to attack target networkSniffingEavesdropping program that monitors information traveling over a networkInsider jobsSingle largest financial threatPoorly designed server and client softwareT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-30The Virus: Computer Enemy Number OneMost serious attack on a client computer or a server in an Internet environment is the virusA virus is a malicious code that replicates itself and can be used to disrupt the information infrastructureViruses commonly compromise system integrity, circumvent security capabilities, and cause adverse operation by taking advantage of the information system of the networkT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-31Types of VirusesFile virus is one that attacks executable filesBoot virus attacks the boot sectors of the hard drive and diskettesMacro virus exploits the macro commands in software applications such as Microsoft WordT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-32Levels of Virus DamageT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-33Steps for Antivirus StrategyEstablish a set of simple enforceable rules for others to followEducate and train users on how to check for viruses on a diskInform users of the existing and potential threats to the company’s systems and the sensitivity of information they containPeriodically update the latest antivirus softwareT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-34Getting Rid of VirusesGet a good Virus Projection SoftwareFree (not Recommended)Anti-VirAvastAVGNot FreeNorton AntiVirusMacAfeeFree for UMFK students and staff Update definition files oftenT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-35Spyware SolutionsEnforce strict user Web policies on surfing and downloading activitiesInstall a desktop firewall on every laptop and desktop - not give users administrator privilegesConfigure an e-mail gateway to block all executable e-mail attachmentsEnsure desktop antivirus software signatures are up to date - Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-36End of: T1-Lecture-9E Commerce Security Environment Chapter-04Part-IThank YouT1-Lecture-9 Ahmed Mumtaz Mustehsan Copyright © 2010 Pearson Education, Inc1-37