Entrepreneurship & Commerce in IT - 11
Sachintha Gunasena MBCS
http://lk.linkedin.com/in/sachinthadtg
Recap so far…
Building an E-Commerce Website
• Planning
• Systems analysis and design
• Building the system: In-house vs. outsourcing
• Website hosting: In-house vs. outsourcing
• System Testing
• Implementation and maintenance
• Website optimization factors
• Choosing server software
• Application servers
• E-commerce merchant server software functionality
• Merchant server software packages
• Choosing the right hardware for your e-commerce site
• Right-sizing your hardware platform
• Other e-commerce site development tools
• Personalization tools
Today…
Security and Encryption
• The e-commerce security environment
• Types of threats
• Technology solutions
• Protecting Internet communications
• Encryption
• Securing channels of communication
• Secure socket layers (SSL)
• Protecting networks - Firewalls
• Protecting servers and clients – OS controls/Anti-virus software
The E-Commerce Security Environment
• For most law-abiding citizens, the Internet holds the promise of a
huge and convenient global marketplace
• For criminals, the Internet has created entirely new – and profitable –
ways to steal from the more than one billion Internet consumers
worldwide
• steal what?
• products, services, cash, information
• It’s also less risky to steal online
• For example, rather than rob a bank in person, the Internet makes it
possible to rob people remotely and almost anonymously
Security Implementation Concerns
• Can there be too much security?
• Yes.
• adds overhead and expense to business operations
• Expanding computer security also has other downsides:
• Makes systems more difficult to use
• Slows down processors
• Increases data storage demands
• May reduce individual’s abilities to remain anonymous
Threats
• Three key points of vulnerability:
• Client
• Server
• Communications channel
An E-Commerce Transaction
Vulnerable Points in an E-Commerce Transaction
Types of Threats
• Viruses
• needs a host
• a virus attaches itself to executable code and is executed when the software program begins to run
or an infected file is opened
• Worms
• does not need a host
• replicates itself through the Internet
• Trojans
• code that is layered behind another program,
• can perform covert, malicious functions
• Logic Bombs
• a version of a Trojan horse that is event or time specific
Types of Threats Cont'd
• Bot networks
• a number of Internet-connected computers communicating with other similar machines in an effort to
complete repetitive tasks and objectives
• zombie computer network / master host computer
• used for spam or DDoS attacks
• DDoS attacks
• many computers are used to launch an attack on a particular E-Commerce server
• a massive amount of invalid data is sent to the server
• achieved by bot networks
• Phishing
• the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an
attempt to scam the user into surrendering private information that will be used for identity theft
Types of Threats Cont'd
• Data Packet Sniffing
• an attacker can also use a sniffer to intercept the data packet flow and analyze the
individual data packets
• IP Spoofing
• change the source address of a data packet to give it the appearance that it originated
from another computer
• used to launch a Denial of Service attack
• Port Scanning
• listening to the network ports of the E-Commerce server
• figure out what kind of services are running on the E-Commerce server
• figure out the vulnerabilities of the system in order to cause the greatest damage possible
Types of Threats Cont'd
• Backdoors / Trapdoors
• developers often leave “backdoors” to monitor the code as it is developed
• Instead of implementing a secure protocol for accessing the code, backdoors
provide a quick way into the code
• Backdoors give the attacker a very easy vulnerability to exploit and can lead to
system-wide damage to the E-Commerce server
• Data theft
• create an additional, unauthorized copy
• Identity theft
• someone pretends to be someone else by assuming that person's identity
• as a method to gain access to resources or obtain credit and other benefits in that
person's name
Types of Threats Cont'd
• Credit card fraud
• obtain goods without paying
• obtain unauthorized funds from an account
• also an adjunct to identity theft
• Spyware
• software that aims to gather information about a person or organization
without their knowledge
• send such information to another entity without the consumer's consent
• asserts control over a computer without the consumer's knowledge
Security Solutions
• Two lines of defence
• Technology Solutions
• Policy Solutions
Technology Solutions
• Redundant firewall protection
• stop cyberattacks before they can penetrate the network perimeter
• Web application protection
• Web Application Firewall
• protects from application-level attacks like SQL injection and cross-site
scripting (XSS) attacks
• extends protection to places that traditional firewalls can't cover
• DoS/DDoS mitigation
• ward off DDoS events by providing a barrier between your server and the IP
flood
Technology Solutions
• SSL VPN
• create a secure connection for remote users who will be
administering the Web applications and hosting environment
• Vulnerability Monitoring
• scan your Web application code around the clock looking for
unexpected changes and malicious code that matches known
"diseases" in the threat database
• Antivirus protection
• reviews files and services stored on the physical server
Technology Solutions
• Two factor authentication
• requires Web site administrators to go through two layers of
security before obtaining access to the hosting environment
• unique because it challenges you with something you know
and something you have
• prevents password leaks
• Encrypted backup, service monitoring and response
• read more
Protecting Internet Communications
• ideas?
Encryption
• transforming plain text or data into cipher text that cannot be read by anyone other than the
sender and the receiver
• to secure stored information and to secure information transmission
• [old way]
• Symmetric Key Encryption
• both the sender and the receiver use the same key to encrypt and decrypt the message
• the key is sent to each other over some communications media or in person
• [updated way 1976]
• Asymmetric Key Encryption / Public Key Cryptography
• a class of cryptographic protocols based on algorithms that require two separate keys, one of
which is secret (or private) and one of which is public
• Although different, the two parts of this key pair are mathematically linked
Public Key Cryptography
Limitations to Encryption
• All forms of encryption have limitations
• It is not effective against insiders
• Protecting private keys may also be difficult
because they are stored on insecure desktop and
laptop computers
• Additional technology solutions exist for securing
channels of communications, networks, and
servers/clients
Securing Channels of Communication
• Secure Sockets Layer (SSL)
• Virtual Private Networks (VPNs)
Secure Socket Layer (SSL)
• Transport Layer Security (TLS) and its predecessor, Secure
Sockets Layer (SSL), both of which are frequently referred to as
'SSL', are cryptographic protocols designed to provide
communications security over a computer network
• use X.509 certificates and hence asymmetric cryptography to
• authenticate the counterpart with whom they are communicating
• and to negotiate a symmetric session key
• session key is then used to encrypt data flowing between the
parties
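The counterpart authentication described above only happens if the client is configured to demand it. The following is an added example, not part of the original slides: it audits a Python ssl client context for the settings that make X.509 authentication effective, with a weak configuration beside a corrected one. The TLS 1.2 floor and all function names are assumptions chosen for this example.

```python
import ssl

# Assumption for this example: the policy floor is TLS 1.2.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def version_too_old(minimum):
    """Return True if a protocol floor admits SSL or early TLS versions."""
    # TLSVersion.MINIMUM_SUPPORTED is a negative sentinel, so it also
    # compares as "too old" here.
    return minimum < MIN_TLS


def audit_client_context(ctx):
    """Return a list of findings for a client-side ssl.SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Without chain verification any certificate is accepted, so the
        # counterpart is never authenticated.
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        # A valid certificate issued for some other host would be accepted.
        findings.append("certificate is not matched against the host name")
    if version_too_old(ctx.minimum_version):
        findings.append("protocol floor allows versions older than TLS 1.2")
    return findings


def weak_context():
    """Weak setting: the channel is encrypted but the server is not authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Corrected setting: verify the chain, match the host name, pin a floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname check, system trust store
    ctx.minimum_version = MIN_TLS
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_client_context(ctx) or "no findings")
```
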
Secure Socket Layer (SSL)
• allows
• data/message confidentiality
• message authentication codes for message integrity
• message authentication
• use in applications such as
• web browsing
• email
• Internet faxing
• instant messaging
• voice-over-IP (VoIP)
Protecting Networks - Firewalls
• a technological barrier designed to prevent unauthorized or
unwanted communications between computer networks or hosts
• a network security system that monitors and controls the incoming
and outgoing network traffic based on predetermined security
rules
• establishes a barrier between a trusted, secure internal network
and another outside network, such as the Internet, that is
assumed to not be secure or trusted
• network firewall
• host-based firewall
Protecting Servers & Clients – OS Controls/Anti-virus Software
• Operating system security enhancements
• Anti-virus software
Policy Solutions
• Management Policies
• Business Procedures
• Public Laws
Policy Solutions
• An e-commerce security plan would include
• a risk assessment
• development of a security policy
• implementation plan
• creation of a security organization
• a security audit
Policy Solutions
• Implementation may involve
• expanded forms of access controls
• IDs
• passwords
• access codes
• biometrics
• fingerprints
• retina scans
• speech recognition
Policy Solutions
• more ideas?
Next Up…
• Web Payment Systems
Thank you.
