6 E-Commerce Security
- 1. 1
Naveed Siddiqui
PhD. M.B.E. PgDip Information Technology
Founder & CEO – Naveed Media Academy
www.facebook.com/NaveedAhmedSiddiqui33
www.linkedin.com/in/dr-naveed-siddiqui-191a4b2b
www.youtube.com/user/nvd30
www.youtube.com/user/NaveedAhmedSiddiqui3
nasiddiqui333@gmail.com
0092 337 0492400
Electronic Commerce
- 3. 3
Learning Objectives
1. Document the rapid rise in computer
and network security attacks.
2. Describe the common security
practices of businesses of all sizes.
3. Understand the basic elements of EC
security.
4. Explain the basic types of network
security attacks.
- 4. 4
Learning Objectives (cont.)
5. Describe common mistakes that
organizations make in managing
security.
6. Discuss some of the major
technologies for securing EC
communications.
7. Detail some of the major
technologies for securing EC
network components.
- 5. 5
Brute Force Credit Card
Attack Story
The Problem
Spitfire Novelties usually generates
between 5 and 30 transactions per day
On September 12, 2002 in a “brute force”
credit card attack, Spitfire’s credit card
transaction processor processed 140,000
fake credit card charges worth $5.07 each
(62,000 were approved)
- 6. 6
Brute Force
Credit Card Attack (cont.)
The total value of the approved
charges was around $300,000
Spitfire found out about the
transactions only when they were
called by one of the credit card
owners who had been checking his
statement online and had noticed
the $5.07 charge
- 7. 7
Brute Force
Credit Card Attack (cont.)
Brute force credit card attacks require minimal
skill
Hackers run thousands of small charges
through merchant accounts, picking numbers at
random
When the perpetrator finds a valid credit card
number it can then be sold on the black market
Some modern-day black markets are actually
member-only Web sites like carderplanet.com,
shadowcrew.com, and counterfeitlibrary.com
- 8. 8
Brute Force
Credit Card Attack (cont.)
Relies on a perpetrator’s ability to
pose as a merchant requesting
authorization for a credit card
purchase requiring
A merchant ID
A password
Both
- 9. 9
Brute Force
Credit Card Attack (cont.)
Online Data’s credit card processing
services, all a perpetrator needed
was a merchant’s password in order
to request authorization
Online Data is a reseller of VeriSign
Inc. credit card gateway services
VeriSign blamed Online Data for the
incident
Online Data blamed Spitfire for not
changing their initial starter password
- 10. 10
Brute Force
Credit Card Attack Story (cont.)
In April 2002 hackers got into the
Authorize.Net card processing system
(largest gateway payment system on
the Internet)
Executed 13,000 credit card transactions,
of which 7,000 succeeded
Entry into the Authorize.Net system
required only a log-on name, not a
password
- 11. 11
Brute Force Solution
Online Data should assign strong
passwords at the start
Customers should modify those
passwords frequently
Authorization services such as
VeriSign and Authorize.Net should
have built-in safeguards that
recognize brute force attacks
- 12. 12
Brute Force Credit Card
Solution (cont.)
Signals that something is amiss:
A merchant issues an extraordinary
number of requests
Repeated requests for small amounts
emanating from the same merchants
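As an added example (not part of the slides), the two signals above turned into detection logic that runs over a constructed authorization log and then picks out the approvals to hold before settlement. The merchant ids, the thresholds and the log records are assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    ts: str           # ISO timestamp, e.g. "2002-09-12T23:01:05"
    merchant_id: str  # merchant account requesting the authorization
    card: str         # card number, masked to its last digits here
    amount: float     # requested charge in USD
    result: str       # "approved" or "declined"


def build_sample_log():
    """Constructed data (hypothetical merchants M-0001 and M-0002): a normal
    day of varied amounts for both, then 200 requests for $5.07 against
    different card numbers from M-0001 late in the evening."""
    log = []
    for i in range(12):
        log.append(AuthRequest(f"2002-09-12T{9 + i // 2:02d}:{(i * 7) % 60:02d}:00",
                               "M-0001", f"****{1000 + i}", 15.0 + 3.5 * i, "approved"))
        log.append(AuthRequest(f"2002-09-12T{9 + i // 2:02d}:{(i * 11) % 60:02d}:00",
                               "M-0002", f"****{2000 + i}", 40.0 + i, "approved"))
    for i in range(200):
        log.append(AuthRequest(f"2002-09-12T23:{i // 60:02d}:{i % 60:02d}", "M-0001",
                               f"****{5000 + i}", 5.07, "approved" if i % 9 == 0 else "declined"))
    return log


def flag_merchants(log, baseline_max=30, volume_factor=3,
                   small_amount=10.0, repeat_threshold=50):
    """Return {merchant_id: [reasons]} for merchants matching either signal.
    baseline_max: largest daily volume considered normal (slide: 5 to 30 per day);
    volume_factor: flag a day whose volume exceeds baseline_max * volume_factor;
    small_amount / repeat_threshold: flag when one amount below small_amount
    is requested at least repeat_threshold times by the same merchant in a day.
    """
    per_day = defaultdict(list)
    for r in log:
        per_day[(r.merchant_id, r.ts[:10])].append(r)
    flags = defaultdict(list)
    for (merchant, day), reqs in per_day.items():
        if len(reqs) > baseline_max * volume_factor:
            flags[merchant].append(f"{day}: {len(reqs)} requests, baseline max {baseline_max}")
        small = Counter(round(r.amount, 2) for r in reqs if r.amount < small_amount)
        for amount, n in small.items():
            if n >= repeat_threshold:
                flags[merchant].append(f"{day}: {n} requests for ${amount:.2f}")
    return dict(flags)


def approvals_to_hold(log, flags):
    """Approved charges from flagged merchants: holding these before settlement
    is what limited the loss in the incident the slides describe."""
    return [r for r in log if r.merchant_id in flags and r.result == "approved"]


if __name__ == "__main__":
    sample = build_sample_log()
    hits = flag_merchants(sample)
    print(hits)
    print(len(approvals_to_hold(sample, hits)), "approvals held for review")
```

The thresholds are per-merchant baselines, so a gateway would tune them from each merchant's own history rather than a single global value.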
- 13. 13
Brute Force
Credit Card Attack (cont.)
The Results
VeriSign halted the transactions
before they were settled, saving
Spitfire $316,000 in charges
Authorize.Net merchants were
charged $0.35 for each transaction
The criminals acquired thousands of
valid credit card numbers to sell on
the black market
- 14. 14
Brute Force
Credit Card Attack (cont.)
What we can learn…
Any type of EC involves a number of
players who use a variety of network
and application services that provide
access to a variety of data sources
A perpetrator needs only a single
weakness in order to attack a
system
- 15. 15
Brute Force
What We Can Learn
Some attacks require sophisticated
techniques and technologies
Most attacks are not sophisticated;
standard security risk management
procedures can be used to minimize
their probability and impact
- 16. 16
Accelerating Need for
E-Commerce Security
Annual survey conducted by the
Computer Security Institute and the
FBI
1. Organizations continue to
experience cyber attacks from
inside and outside of the
organization
- 17. 17
Accelerating Need for
E-Commerce Security (cont.)
2. The types of cyber attacks that
organizations experience were
varied
3. The financial losses from a cyber
attack can be substantial
4. It takes more than one type of
technology to defend against cyber
attacks
- 18. 18
Accelerating Need for
E-Commerce Security (cont.)
National Infrastructure Protection
Center (NIPC): A joint partnership,
under the auspices of the FBI, among
governmental and private industry;
designed to prevent and protect the
nation’s infrastructure
- 19. 19
Accelerating Need for
E-Commerce Security (cont.)
Computer Emergency Response Team
(CERT): Group of three teams at
Carnegie Mellon University that
monitors the incidence of cyber attacks,
analyzes vulnerabilities, and provides
guidance on protecting against attacks
- 20. 20
Accelerating Need for
E-Commerce Security (cont.)
According to the statistics reported to
CERT/CC over the past year (CERT/CC
2002)
The number of cyber attacks
skyrocketed from approximately
22,000 in 2000 to over 82,000 in
2002
First quarter of 2003 the number
was already over 43,000
- 21. 21
Security Is
Everyone’s Business
Security practices of organizations of
various sizes
Small organizations (10 to 100
computers)
The “haves” are centrally organized,
devote a sizeable percentage of their IT
budgets to security
The “have-nots” are basically clueless
when it comes to IT security
- 22. 22
Security Is
Everyone’s Business (cont.)
Medium organizations (100 to 1,000
computers)
Rarely rely on managerial policies in
making security decisions, and they
have little managerial support for their
IT policies
The staff they do have is poorly
educated and poorly trained—overall
exposure to cyber attacks and intrusion
is substantially greater than in smaller
organizations
- 23. 23
Security Is
Everyone’s Business (cont.)
Large organizations (1,000 to
10,000 computers)
Complex infrastructures and substantial
exposure on the Internet
While aggregate IT security
expenditures are fairly large, their
security expenditures per employee are
low
- 24. 24
Security Is
Everyone’s Business (cont.)
Larger organizations
IT security is part-time and
undertrained—sizeable percentage of
the large organizations suffer loss or
damage due to incidents
Base their security decisions on
organizational policies
- 25. 25
Security Is
Everyone’s Business (cont.)
Very large organizations (more than
10,000 computers)
Extremely complex environments that
are difficult to manage even with a
larger staff
Rely on managerial policies in making IT
security decisions
Only a small percentage have a
well-coordinated incident response plan
- 26. 26
Security Issues
From the user’s perspective:
Is the Web server owned and
operated by a legitimate company?
Does the Web page and form contain
some malicious or dangerous code
or content?
Will the Web server distribute
unauthorized information the user
provides to some other party?
- 27. 27
Security Issues (cont.)
From the company’s perspective:
Will the user attempt to break into
the Web server or alter the pages
and content at the site?
Will the user try to disrupt the
server so that it isn’t available to
others?
- 28. 28
Security Issues (cont.)
From both parties’ perspectives:
Is the network connection free from
eavesdropping by a third party
“listening” on the line?
Has the information sent back and
forth between the server and the
user’s browser been altered?
- 29. 29
Security Requirements
Authentication: The process by which
one entity verifies that another entity
is who they claim to be
Authorization: The process that
ensures that a person has the right to
access certain resources
- 34. 34
Types of Threats and Attacks
Nontechnical attack: An attack that
uses chicanery to trick people into
revealing sensitive information or
performing actions that compromise
the security of a network
- 36. 36
Types of
Threats and Attacks (cont.)
Social engineering: A type of
nontechnical attack that uses social
pressures to trick computer users into
compromising computer networks to
which those individuals have access
- 37. 37
Types of
Threats and Attacks (cont.)
Multiprong approach used to combat
social engineering:
1. Education and training
2. Policies and procedures
3. Penetration testing
- 38. 38
Types of
Threats and Attacks (cont.)
Technical attack: An attack
perpetrated using software and
systems knowledge or expertise
- 39. 39
Types of
Threats and Attacks (cont.)
Common (security) vulnerabilities and
exposures (CVEs): Publicly known
computer security risks, which are
collected, listed, and shared by a
board of security-related organizations
(cve.mitre.org)
- 40. 40
Types of
Threats and Attacks (cont.)
Denial-of-service (DoS) attack: An
attack on a Web site in which an
attacker uses specialized software to
send a flood of data packets to the
target computer with the aim of
overloading its resources
- 41. 41
Types of
Threats and Attacks (cont.)
Distributed denial-of-service (DDoS)
attack: A denial-of-service attack in
which the attacker gains illegal
administrative access to as many
computers on the Internet as possible
and uses these multiple computers to
send a flood of data packets to the
target computer
- 43. 43
Types of
Threats and Attacks (cont.)
Malware: A generic term for malicious
software
The severity of the viruses increased
substantially, requiring much more
time and money to recover
85% of survey respondents said
that their organizations had been
the victims of e-mail viruses in 2002
- 44. 44
Types of
Threats and Attacks (cont.)
Malicious code takes a variety of
forms—both pure and hybrid
Virus: A piece of software code that
inserts itself into a host, including the
operating systems, to propagate; it
requires that its host program be run to
activate it
- 45. 45
Types of
Threats and Attacks (cont.)
Worm: A software program that runs
independently, consuming the
resources of its host in order to
maintain itself and is capable of
propagating a complete working
version of itself onto another
machine
- 46. 46
Types of
Threats and Attacks (cont.)
Macro virus or macro worm: A virus
or worm that is executed when the
application object that contains the
macro is opened or a particular
procedure is executed
- 47. 47
Types of
Threats and Attacks (cont.)
Trojan horse: A program that
appears to have a useful function
but that contains a hidden function
that presents a security risk
- 48. 48
Managing EC Security
Common mistakes in managing their
security risks (McConnell 2002):
Undervalued information
Narrowly defined security boundaries
Reactive security management
Dated security management
processes
Lack of communication about security
responsibilities
- 49. 49
Managing EC Security (cont.)
Security risk management: A
systematic process for determining the
likelihood of various security attacks
and for identifying the actions needed
to prevent or mitigate those attacks
- 50. 50
Managing EC Security (cont.)
Phases of security risk management
Assessment
Planning
Implementation
Monitoring
- 51. 51
Managing EC Security (cont.)
Phase 1: Assessment
Evaluate security risks by
determining assets, vulnerabilities
of their system, and potential
threats to these vulnerabilities
- 52. 52
Honeynet: A way to evaluate
vulnerabilities of an organization by
studying the types of attacks to which a
site is subjected, using a network of
systems called honeypots
Honeypots: Production systems (e.g.,
firewalls, routers, Web servers, database
servers) designed to do real work but to be
watched and studied as network intrusions
occur
- 53. 53
Managing EC Security (cont.)
Phase 2: Planning
Goal of this phase is to arrive at a
set of policies defining which threats
are tolerable and which are not
Policies also specify the general
measures to be taken against those
threats that are intolerable or high
priority
- 54. 54
Managing EC Security (cont.)
Phase 3: Implementation
Particular technologies are chosen
to counter high-priority threats
First step is to select generic types
of technology for each of the high
priority threats
- 55. 55
Managing EC Security (cont.)
Phase 4: Monitoring to determine
Which measures are successful
Which measures are unsuccessful and
need modification
Whether there are any new types of
threats
Whether there have been advances or
changes in technology
Whether there are any new business
assets that need to be secured
- 56. 56
Managing EC Security (cont.)
Methods of securing EC
Authentication system
Access control mechanism
Passive tokens
Active tokens
- 57. 57
Authentication
Authentication system: System that
identifies the legitimate parties to a
transaction, determines the actions
they are allowed to perform, and limits
their actions to only those that are
necessary to initiate and complete the
transaction
- 61. 61
Biometric Controls
Biometric systems: Authentication
systems that identify a person by
measurement of a biological
characteristic such as a fingerprint, iris
(eye) pattern, facial features, or voice
- 62. 62
Biometric Controls (cont.)
Physiological biometrics:
Measurements derived directly from
different parts of the body (e.g.,
fingerprints, iris, hand, facial
characteristics)
Behavioral biometrics: Measurements
derived from various actions and
indirectly from various body parts
(e.g., voice scans or keystroke
monitoring)
- 63. 63
Biometric Controls (cont.)
Fingerprint scanning: Measurement of
the discontinuities of a person’s
fingerprint, converted to a set of
numbers that are stored as a template
and used to authenticate identity
Iris scanning: Measurement of the
unique spots in the iris (colored part of
the eye), converted to a set of
numbers that are stored as a template
and used to authenticate identity
- 64. 64
Biometric Controls (cont.)
Voice scanning: Measurement of the
acoustical patterns in speech
production, converted to a set of
numbers that are stored as a template
and used to authenticate identity
- 65. 65
Biometric Controls (cont.)
Keystroke monitoring: Measurement of
the pressure, speed, and rhythm with
which a word is typed, converted to a
set of numbers that are stored as a
template and used to authenticate
identity; this biometric is still under
development
- 67. 67
Encryption Methods (cont.)
Private and public key encryption
Encryption: The process of
scrambling (encrypting) a message
in such a way that it is difficult,
expensive, or time-consuming for an
unauthorized person to unscramble
(decrypt) it
- 68. 68
Encryption Methods (cont.)
Plaintext: An unencrypted message
in human-readable form
Ciphertext: A plaintext message
after it has been encrypted into a
machine-readable form
Encryption algorithm: The
mathematical formula used to
encrypt the plaintext into the
ciphertext, and vice versa
- 69. 69
Encryption Methods (cont.)
Symmetric (private) key system
Key: The secret code used to encrypt
and decrypt a message
Symmetric (private) key system: An
encryption system that uses the
same key to encrypt and decrypt the
message
- 70. 70
Encryption Methods (cont.)
Data Encryption Standard (DES):
The standard symmetric encryption
algorithm supported by NIST and
used by U.S. government agencies
until October 2, 2000
Rijndael: The new Advanced
Encryption Standard used to secure
U.S. government communications
since October 2, 2000
- 72. 72
Elements of PKI
Digital signature: An identifying code
that can be used to authenticate the
identity of the sender of a document
Portable
Cannot be easily repudiated or
imitated, and can be time-stamped
- 74. 74
Elements of PKI (cont.)
Digital signatures include:
Hash: A mathematical computation that is
applied to a message, using a private key,
to encrypt the message
Message digest: A summary of a message,
converted into a string of digits, after the
hash has been applied
Digital envelope: The combination of the
encrypted original message and the digital
signature, using the recipient’s public key
- 75. 75
Elements of PKI (cont.)
Digital certificate: Verification that the
holder of a public or private key is who
they claim to be
Certificate authorities (CAs): Third
parties that issue digital certificates
- 76. 76
Security Protocols
Secure Socket Layer (SSL): Protocol
that utilizes standard certificates for
authentication and data encryption to
ensure privacy or confidentiality
Transport Layer Security (TLS): As of
1996, another name for the SSL
protocol
- 77. 77
Security Protocols (cont.)
Secure Electronic Transaction (SET): A
protocol designed to provide secure
online credit card transactions for both
consumers and merchants; developed
jointly by Netscape, Visa, MasterCard,
and others
- 78. 78
Securing EC Networks
Technologies for organizational
networks
Firewall: A network node consisting of
both hardware and software that isolates
a private network from a public network
Packet-filtering routers: Firewalls that
filter data and requests moving from the
public Internet to a private network based
on the network addresses of the computer
sending or receiving the request
- 79. 79
Securing EC Networks (cont.)
Packet filters: Rules that can accept
or reject incoming packets based on
source and destination addresses
and the other identifying
information
Application-level proxy: A firewall
that permits requests for Web pages
to move from the public Internet to
the private network
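As an added example (not from the slides), a small first-match packet filter of the kind described on the last two slides: each rule accepts or rejects a packet by source and destination address, protocol and destination port, and a packet that no rule matches is rejected. The rule set, the addresses and the packet records are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str              # source IP address
    dst: str              # destination IP address
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "reject"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any source
    dst: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any destination
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules, p: Packet) -> str:
    """First-match evaluation: the first rule whose fields all match decides;
    a packet that matches no rule is rejected (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "reject"


# Constructed rule set for traffic arriving from the public Internet at a
# private network 192.0.2.0/24 whose only public service is a Web server at
# 192.0.2.10 (addresses are from a documentation range, not a real site).
INBOUND_RULES = [
    # A packet arriving from the public side that claims an internal source
    # address is spoofed, so reject it before any accept rule can match.
    Rule("reject", src="192.0.2.0/24"),
    Rule("accept", dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("accept", dst="192.0.2.10/32", proto="tcp", dport=80),
]

if __name__ == "__main__":
    for pkt in [Packet("198.51.100.7", "192.0.2.10", "tcp", 443),
                Packet("198.51.100.7", "192.0.2.10", "tcp", 22),
                Packet("192.0.2.50", "192.0.2.10", "tcp", 443)]:
        print(pkt, "->", filter_packet(INBOUND_RULES, pkt))
```

Rule order matters: moving the anti-spoofing reject below the accept rules would let a spoofed packet aimed at port 443 through.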
- 80. 80
Securing EC Networks (cont.)
Bastion gateway: A special hardware
server that utilizes application-level
proxy software to limit the types of
requests that can be passed to an
organization’s internal networks
from the public Internet
Proxies: Special software programs
that run on the gateway server and
pass repackaged packets from one
network to the other
- 82. 82
Securing EC Networks (cont.)
Personal firewalls:
Personal firewall: A network node
designed to protect an individual
user’s desktop system from the
public network by monitoring all the
traffic that passes through the
computer’s network interface card
- 83. 83
Securing EC Networks (cont.)
VPNs
Virtual private network (VPN): A
network that uses the public
Internet to carry information but
remains private by using encryption
to scramble the communications,
authentication to ensure that
information has not been tampered
with, and access control to verify the
identity of anyone using the network
- 84. 84
Securing EC Networks (cont.)
Protocol tunneling: Method used to
ensure confidentiality and integrity
of data transmitted over the
Internet, by encrypting data
packets, sending them in packets
across the Internet, and decrypting
them at the destination address
- 85. 85
Securing EC Networks (cont.)
Intrusion detection systems (IDSs): A
special category of software that can
monitor activity across a network or on
a host computer, watch for suspicious
activity, and take automated action
based on what it sees
- 86. 86
Securing EC Networks (cont.)
Network-based IDS uses rules to
analyze suspicious activity at the
perimeter of a network or at key
locations in the network
Consists of a monitor (a software
package that scans traffic) and
software agents that reside on various
host computers and feed information
back to the monitor
- 87. 87
Managerial Issues
1. Have we budgeted enough for
security?
2. What are the business consequences
of poor security?
3. Which e-commerce sites are
vulnerable to attack?
- 88. 88
Managerial Issues (cont.)
4. What is the key to establishing
strong e-commerce security?
5. What steps should businesses follow
in establishing a security plan?
6. Should organizations be concerned
with internal security threats?
- 89. 89
Summary
1. Increase in computer attacks.
2. Security is everyone’s business.
3. Basic security issues.
4. Basic types of network security
attacks.
5. Managing EC security.
6. Securing EC communications.
7. Technologies for securing networks