Security of E-Commerce - PowerPoint PPT Presentation

About This Presentation
Title: Security of E-Commerce
Description: 94% of organisations expect to implement security improvements to their computer systems. 42% claim cyber security as their top risk. Poll data provided by Symantec.
Number of Views: 207
Avg rating: 3.0/5.0
Slides: 51
Provided by: francikNa
Learn more at: http://francik.name

Transcript and Presenter's Notes


1
Security of E-Commerce
  • Jarek Francik
  • Kingston University
  • November 2011 (updated version)

2
Outline
  • Introduction: Can you feel safe in the e-world?
  • e-risk: Where are we really exposed?
  • Remedies: Some technical solutions (firewalls, SSL)
  • Electronic Payment: How secure can it be?
  • Conclusion: Can we feel safe in the e-world (revisited)?

3
  • In 2010
    • 94% of organisations expect to implement security improvements to their computer systems
    • 42% claim cyber security as their top risk
    • poll data provided by Symantec

4
  • "Computer security is difficult (maybe even impossible), but imagine for a moment that we've achieved it. Unfortunately, this still isn't enough. For this miraculous computer system to do anything useful, it is going to have to interact with users in some way, at some time, for some reason. And this interaction is the biggest security risk of them all. People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems."
  • (Schneier, 2000)

6
INTRODUCTION: Can you feel safe in the e-world?
7
Can you feel safe in the e-world?
8
Can you feel safe in the e-world?
Diagram: where the customer's data can be attacked on its way to the store
  • Sniffer on Internet backbone
  • Breaking into the store database
  • Eavesdropping at the ISP
  • Line tapping
9
Can you feel safe in the e-world?
  • Alice's risks
    • The merchant may cheat: she will be billed for the order but will never get a CD
      • In fact, a merchant cannot charge Alice's card until they have gone through an extensive application and verification procedure with the credit card company
    • Alice's credit card number may be stolen: she will be billed for orders she never made
      • In fact, Alice is not liable, or her liability is strongly limited, in the case of fraudulent card transactions
    • Information provided by Alice may be used against her (spam!)
    • The merchant may take over Alice's web browser and use it to get information about her tastes and desires (spyware)

10
Can you feel safe in the e-world?
  • Merchant's risks
    • Alice may in fact be the merchant's competitor (or a robot) scraping the store's inventory and price list
    • Alice may in fact be Jason, a hacker who has stolen Alice's credit card number and uses it to buy CDs fraudulently
    • Jason may break into the merchant's computer and steal all the credit card information; this opens the merchant to liability
    • Jason may change the orders so as to obtain hundreds of CDs (for the price of one)
    • Jason may insert refund (reverse-charge) orders and get money paid to his card
    • Jason may sabotage the on-line shop by changing or destroying other customers' orders
    • Jason may sabotage the on-line shop by lowering prices on the store site

11
  • "A company may have purchased the best security
    technologies that money can buy, trained their
    people so well that they lock up all their
    secrets before going home at night, and hired
    building guards from the best security firm in
    the business. The company is still totally
    vulnerable... the human factor is truly
    security's weakest link" 
  • Mitnick and Simon (2002).

12
Can you feel safe in the e-world?
Kevin Mitnick, The Art of Deception
13
Can you feel safe in the e-world?
  • You can use encrypted transmission (SSL) to stop eavesdropping
  • You can buy firewalls to protect your databases
  • But how do you defend against a social engineering attack?

14
E-RISK: Where are we really exposed?
source: http://tnaron.wordpress.com
15
Where are we really exposed?
  • Physical security
    • reliability of equipment and network connection
    • direct access
    • accidental loss (e.g. memory sticks, laptops)
    • robbery (physical theft)
  • Human factor
    • passwords
    • lack of awareness of what information is sensitive
    • accidental leakage of information (e-mails sent to the wrong recipient)
    • disloyalty (dishonest or dissatisfied personnel)

16
Where are we really exposed?
  • Malware
    • viruses, worms, Trojan horses and spyware
  • Hacker attacks
    • denial-of-service (DoS) attacks
    • access to sensitive data
    • altering the website
    • access to customer or partner information
    • corruption of business data

17
Where are we really exposed?
  • Methods of hacker attacks
    • Exploits: using system bugs or glitches, e.g.
      • buffer overflows
      • input validation errors (SQL and code injection, directory traversal)
      • cross-site scripting
      • HTTP header injection
    • Eavesdropping (including Wi-Fi eavesdropping)
    • Indirect attacks
    • Backdoors
    • Denial-of-service (DoS) attacks
    • Social attacks (social engineering)
    • Direct access attacks (physical)
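
An added worked example (not from the slides) of the "input validation errors" item above, in Python with SQLite: the store's query for a customer's orders written twice, once by string concatenation and once with a bound parameter, and the string Jason would submit to the vulnerable version to read every customer's card number. The schema, the rows and the payload are constructed for this example.

```python
import sqlite3

# Constructed sample store: two customers (with test card numbers) and their orders.
CUSTOMERS = [
    (1, "alice@example.com", "4111111111111111"),
    (2, "bob@example.com", "5555555555554444"),
]
ORDERS = [
    (10, 1, "CD: Kind of Blue", 1),
    (11, 2, "CD: Abbey Road", 2),
]

ORDERS_BY_EMAIL = (
    "SELECT o.item, o.qty FROM orders o "
    "JOIN customers c ON o.customer_id = c.id "
    "WHERE c.email = "
)


def make_store_db():
    """In-memory SQLite database standing in for the shop's back end."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card TEXT)")
    con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, "
                "item TEXT, qty INTEGER)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    con.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ORDERS)
    return con


def orders_vulnerable(con, email):
    """Builds the query by concatenation: whatever is in `email` becomes SQL."""
    sql = ORDERS_BY_EMAIL + "'" + email + "'"
    return con.execute(sql).fetchall()


def orders_safe(con, email):
    """Same query with a bound parameter: `email` can only ever be a string value."""
    return con.execute(ORDERS_BY_EMAIL + "?", (email,)).fetchall()


# What Jason types into the "your e-mail" field: it closes the string literal,
# bolts a UNION onto the query that reads the card table, and re-balances the
# trailing quote so the statement stays syntactically valid.
PAYLOAD = "' UNION SELECT email, card FROM customers WHERE '' = '"


def demo():
    """Returns (Alice's own orders, what the payload leaks, what the safe query returns)."""
    con = make_store_db()
    honest = orders_safe(con, "alice@example.com")   # [("CD: Kind of Blue", 1)]
    leaked = orders_vulnerable(con, PAYLOAD)         # every customer's e-mail and card number
    blocked = orders_safe(con, PAYLOAD)              # [] : no customer has that e-mail address
    return honest, leaked, blocked
```

The fix is not "escaping" but never letting user input become part of the SQL text: with the `?` placeholder the driver sends the value separately from the statement, so the same payload simply matches no customer and returns an empty list. The same principle, data kept out of the code channel, closes the neighbouring items on the list too: argument arrays instead of shell strings for code injection, a canonicalised path checked against a fixed base directory for traversal, output encoding for cross-site scripting.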

18
Where are we really exposed?
  • Impact of hacker attacks
    • direct financial loss (fraud or litigation)
    • consequential loss (the result of unwelcome publicity)
    • loss of market share (if customer confidence is affected)
    • legal liability and criminal charges

19
Where are we really exposed?
  • CIA security goals
    • Confidentiality (secrecy, privacy)
      • access control and user authorisation
    • Integrity
      • data integrity (authorisation and control of data modification)
      • origin integrity: proving your identity; non-repudiation (you cannot deny you sent it...)
    • Availability
      • accessibility of assets at the appropriate time

20
Where are we really exposed?
  • Methodology
    • review existing controls
    • identify areas where more work is needed
    • monitor technological progress
    • anticipate potential new threats
    • read the headlines!

21
Customer reassurance
22
Customer reassurance
  • Provide information about the company (address, telephone, "about us", "contact us")
  • Provide order, delivery and returns guarantees
  • Present symbols of trust: quality labels, guarantees, secured payment
  • Show recommendations and awards
  • Privacy protection

23
Customer reassurance
  • Legal acts (UK)
    • Data Protection Act
    • Computer Misuse Act
  • Standards
    • ISO/IEC 27001

24
REMEDIES: Some technical solutions (and not only technical)
25
Some technical solutions (and not only technical)
  • Malware
    • proper maintenance (antivirus software, good practice)
  • Human factor
    • 1. make them aware
    • 2. make them aware
    • 3. make them aware
  • Physical failures
    • proper maintenance, procedures
  • Hacker attacks

26
Some technical solutions (and not only technical)
  • The Web Security Problem
    • Securing the server and the data that are on it
      • restricted access
      • minimised number of services available
      • proper maintenance, frequent upgrades
      • using a firewall
    • Securing the information in transit
      • encryption: SSL (Secure Sockets Layer)

28
Firewall
  • A firewall is
    • a controlled point of access for all traffic that enters the internal network
    • a controlled point of access for all traffic that leaves the internal network

29
Firewall
Diagram: Internet -- Firewall -- Internal Network
30
Where to place a firewall?
Diagram: a Web Server with the FIREWALL drawn in two candidate positions
31
Where to place a firewall?
Diagram (perimeter network): Internet -- External Firewall -- Perimeter Network -- Internal Firewall
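
An added example (not from the slides) of the perimeter-network layout on slides 28 to 31, modelled in Python as two first-match packet filters with default deny: the external firewall sits between the Internet and the perimeter network, the internal firewall between the perimeter network and the internal network, and a packet gets through only if every firewall on its path allows it. All addresses, service ports and rule sets are assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the perimeter-network layout on the slide.
DMZ = ip_network("192.0.2.0/24")         # perimeter network (documentation range)
INTERNAL = ip_network("10.0.0.0/8")      # internal network
WEB_SERVER = "192.0.2.10"                # sits in the perimeter network
DB_SERVER = "10.0.5.20"                  # sits in the internal network
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # single address or CIDR
    dst: str
    dports: frozenset      # empty set means any port

    def matches(self, p):
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (not self.dports or p.dport in self.dports))


# External firewall: the controlled point between the Internet and the perimeter.
EXTERNAL_FW = [
    Rule("allow", ANY, WEB_SERVER, frozenset({80, 443})),      # customers reach the shop
    Rule("allow", WEB_SERVER, ANY, frozenset({443})),          # shop calls its payment gateway
    Rule("allow", str(INTERNAL), ANY, frozenset({80, 443})),   # staff browsing outwards
]
# Internal firewall: the controlled point between the perimeter and the inside.
INTERNAL_FW = [
    Rule("allow", WEB_SERVER, DB_SERVER, frozenset({5432})),   # only the web server, only the DB port
    Rule("allow", str(INTERNAL), ANY, frozenset({80, 443})),   # staff browsing outwards
]


def evaluate(rules, p):
    """First matching rule decides; a packet that matches nothing is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action == "allow"
    return False


def zone(addr):
    a = ip_address(addr)
    return "dmz" if a in DMZ else "internal" if a in INTERNAL else "internet"


# Which firewalls a packet has to pass on its way between two zones.
PATH = {
    ("internet", "dmz"): [EXTERNAL_FW],
    ("dmz", "internet"): [EXTERNAL_FW],
    ("dmz", "internal"): [INTERNAL_FW],
    ("internal", "dmz"): [INTERNAL_FW],
    ("internet", "internal"): [EXTERNAL_FW, INTERNAL_FW],
    ("internal", "internet"): [INTERNAL_FW, EXTERNAL_FW],
}


def permitted(p):
    """A packet gets through only if every firewall on its path allows it."""
    return all(evaluate(fw, p) for fw in PATH.get((zone(p.src), zone(p.dst)), []))
```

The rule sets encode the point of the two-firewall layout: a compromised web server can reach the database on exactly one port and nothing else inside, and a host on the Internet can never reach the internal network directly, whatever the internal firewall says, because the external one never passes the packet. Real firewalls add connection tracking for reply traffic and logging of what they deny; this model deliberately leaves both out.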
32
SSL Cryptography
33
SSL Cryptography
  • Symmetrical cryptography
  • INTELLIGENCE PROBLEM (WWII): Alice wants to send an encrypted message to Bob. They need to share the same key. Alice has created a key, but how does she let Bob know it?

34
SSL Cryptography
KEY MAY BE INTERCEPTED!!!
35
SSL Cryptography
  • Asymmetrical Cryptography

36
SSL Cryptography
  • Asymmetrical cryptography makes it possible to use separate keys for encryption and decryption.
  • To exchange messages: use the public key to encrypt, use the private key to decrypt

37
SSL Cryptography
  1. Bob creates a pair of different keys: an encryption key and a DECRYPTION KEY
  2. Bob sends one of the keys (the encryption key) to Alice
  3. Everyone can get Bob's public key and use it to encrypt a message
  4. But only Bob has the decryption key!
38
SSL Cryptography
  • Electronic Signature

39
SSL Cryptography
  • Asymmetrical cryptography makes it possible to use separate keys for encryption and decryption.
  • To exchange messages: use the public key to encrypt, use the private key to decrypt
  • To use an electronic signature: use the private key to encrypt, use the public key to decrypt

40
SSL: Server Certification
Diagram: CERTIFICATION AUTHORITY (CA), WEB SERVER, WE (the browser)
3. We cannot verify the VISIT CARD (the server's certificate) unless it is signed by a CA: in the model above, checking the CA's signature means "decrypting" it with the CA's public key, which the browser already holds.
41
SSL: How It Works
1. The server sends us its VISIT CARD (certificate)
2. We verify the VISIT CARD (its signature, against the CA public key we already hold)
3. We extract the server's PUBLIC KEY from the VISIT CARD
4. We generate a SESSION KEY
5. We encrypt the SESSION KEY with the server's PUBLIC KEY
6. We send the encrypted SESSION KEY to the server
7. The server decrypts the SESSION KEY with its PRIVATE KEY
8. Now two-way encrypted communication is possible
Note: this is RSA key transport, as used in SSL and in TLS up to 1.2. TLS 1.3 negotiates the session key only with (elliptic-curve) Diffie-Hellman, so a later theft of the server's private key does not expose recorded sessions.
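
An added worked example (not from the slides) of slides 36 to 41 in Python: textbook RSA standing in for "asymmetrical cryptography", the electronic signature done exactly as slide 39 describes it (the hash "encrypted" with the private key and "decrypted" with the public key), a CA-signed "visit card", and the handshake steps 2 to 8. The fixed Mersenne primes, the 11-byte session key and the SHA-256-based stream cipher are assumptions made so the example runs stand-alone; real deployments use random primes of 1024 or more bits each, OAEP/PSS padding and AES.

```python
import hashlib
import secrets

# Assumed key material: fixed Mersenne primes, so the example runs instantly.
# Real keys use random primes of 1024+ bits each and OAEP/PSS padding.
SERVER_PRIMES = (2**31 - 1, 2**61 - 1)     # n is about 92 bits
CA_PRIMES = (2**61 - 1, 2**89 - 1)         # n is about 150 bits
E = 65537


def rsa_keypair(p, q, e=E):
    """Textbook RSA: public key (n, e), private key (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                     # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    """Slide 36: use the public key to encrypt."""
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """Slide 36: use the private key to decrypt."""
    n, d = priv
    return pow(c, d, n)


def _digest(msg, n):
    """SHA-256 of the message, reduced to fit the modulus (a simplification)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(priv, msg):
    """Slide 39: 'encrypt' the hash with the private key."""
    n, d = priv
    return pow(_digest(msg, n), d, n)


def rsa_verify(pub, msg, sig):
    """Slide 39: 'decrypt' the signature with the public key and compare."""
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def xor_stream(key, data):
    """Toy symmetric cipher for step 8: SHA-256 keystream in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def issue_visit_card(ca_priv, server_name, server_pub):
    """The CA signs the server's name and public key: a minimal 'visit card'."""
    body = f"{server_name}|{server_pub[0]}|{server_pub[1]}".encode()
    return {"body": body, "sig": rsa_sign(ca_priv, body)}


def handshake(card, ca_pub, server_priv, expected_name):
    """Steps 2 to 7 of slide 41; returns the session key as each side ends up with it."""
    # 2. verify the visit card against the CA public key the browser already holds
    if not rsa_verify(ca_pub, card["body"], card["sig"]):
        raise ValueError("visit card is not signed by a trusted CA")
    name, n, e = card["body"].decode().split("|")
    if name != expected_name:
        raise ValueError("visit card was issued to a different server")
    # 3. extract the server's public key
    server_pub = (int(n), int(e))
    # 4. generate a session key (11 bytes = 88 bits, so it fits under the toy modulus)
    session_key = secrets.token_bytes(11)
    # 5. and 6. encrypt it with the server's public key; only c travels on the wire
    c = rsa_encrypt(server_pub, int.from_bytes(session_key, "big"))
    # 7. the server decrypts it with its private key
    server_key = rsa_decrypt(server_priv, c).to_bytes(11, "big")
    return session_key, server_key


def demo():
    """Whole flow; returns (keys agree, server can read the order, wire is not plaintext)."""
    server_pub, server_priv = rsa_keypair(*SERVER_PRIMES)
    ca_pub, ca_priv = rsa_keypair(*CA_PRIMES)
    card = issue_visit_card(ca_priv, "shop.example", server_pub)
    k_client, k_server = handshake(card, ca_pub, server_priv, "shop.example")
    order = b"1 x CD, card 4111111111111111"    # constructed sample message
    wire = xor_stream(k_client, order)           # 8. two-way encrypted communication
    return k_client == k_server, xor_stream(k_server, wire) == order, wire != order
```

Two things the code makes visible that the slides only imply. First, the visit card protects the binding between a name and a key, so a card whose name or key has been altered fails step 2 even though every byte of it is "signed". Second, the ciphertext `c` alone determines the session key: anyone who records it and later obtains the server's private key can decrypt every past session, which is why the key-transport step was replaced by Diffie-Hellman (see the appendix) in TLS 1.3.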
42
Electronic Payment Revisited
Diagram: CARD PAYMENT SYSTEM with four parties: CUSTOMER, SHOP, SHOP'S BANK, CUSTOMER'S BANK
43
and now
44
and now: Can you feel safe in the e-world?
45
Can you feel safe in the e-world?
  • Web security is not "all or nothing"; it is a matter of degree
  • The more security you have, the lower your risk
  • Reduce risk as much as is practical (affordable)
  • Take additional measures for quick recovery in case of a security incident
  • Computer security is not just a product you can purchase; it must be an integrated part of the organisation and its operation

46
Books (images from Amazon)
48
Appendix: Diffie-Hellman algorithm
  • Bob and Alice want to agree on a secret key
  • however
  • they have only a public channel to communicate over
  • PROBLEM: How can they keep the agreed number secret if all the communication between them may be intercepted?

49
Appendix: Diffie-Hellman algorithm
  1. Choose n and g: n = 11 (such that (n-1)/2 is a prime number) and g = 9, so that n > g > 1

k = 9^68 mod 11 = 3
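
An added worked example (not on the slides) carrying the appendix's parameters through in Python. The slide gives only n = 11, g = 9 and the final value k = 9^68 mod 11 = 3; the private exponents a = 4 and b = 17 are assumed here because 4 · 17 = 68. The block also plays Eve, who sees only n, g and the two public values and, with n this small, recovers k by trying every exponent, and it counts how many distinct keys the parameters can produce at all.

```python
N, G = 11, 9          # the slide's parameters: n = 11 (a safe prime), g = 9


def public_value(g, secret, n):
    """What each party publishes: g^secret mod n."""
    return pow(g, secret, n)


def shared_key(other_public, secret, n):
    """What each party computes privately: other^secret = g^(a*b) mod n."""
    return pow(other_public, secret, n)


def dh_exchange(n=N, g=G, a=4, b=17):
    """Both sides of the exchange; a and b are the assumed private exponents."""
    A = public_value(g, a, n)       # Alice sends A = 9^4 mod 11 over the public channel
    B = public_value(g, b, n)       # Bob sends B = 9^17 mod 11
    k_alice = shared_key(B, a, n)   # Alice computes B^a
    k_bob = shared_key(A, b, n)     # Bob computes A^b; both equal 9^68 mod 11
    return A, B, k_alice, k_bob


def eve_brute_force(n, g, A, B):
    """Eve sees only n, g, A and B. For tiny n she solves the discrete log by trial."""
    for guess in range(1, n):
        if pow(g, guess, n) == A:           # found Alice's exponent
            return pow(B, guess, n)         # so she can compute the key exactly as Alice does
    return None


def element_order(g, n):
    """Number of distinct values g^x mod n can take: an upper bound on the possible keys."""
    x, value = 1, g % n
    while value != 1:
        value = value * g % n
        x += 1
    return x
```

`dh_exchange()` returns (5, 4, 3, 3): the public values 5 and 4 cross the channel, and both sides arrive at k = 3 without the secret exponents ever being sent. `element_order(9, 11)` is 5, so g = 9 generates the subgroup of size (n-1)/2 rather than all of Z_11*; that is the usual choice with a safe prime (which is what the slide's condition on (n-1)/2 guarantees), and it means only five keys are possible here. The toy's weakness is the size of n, not g: with a 2048-bit n, Eve's loop over every exponent is infeasible, and that is the whole security argument.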