The Tension. Security vs. ease of use: the more security measures added, the more difficult a site is to use, and the slower it becomes

Similar documents
E-commerce. business. technology. society. Kenneth C. Laudon Carol Guercio Traver. Fifth Edition

CHAPTER 8 SECURING INFORMATION SYSTEMS

Most Common Security Threats (cont.)

e-commerce Study Guide Test 2. Security Chapter 10

Securing Information Systems

Chapter 6 Network and Internet Security and Privacy

CPET 581 E-Commerce & Business Technologies. References

Securing Information Systems

Securing Information Systems

Securing Information Systems

A Review Paper on Network Security Attacks and Defences

ISACA CISA. ISACA CISA ( Certified Information Systems Auditor ) Download Full Version :

Management of IT Infrastructure Security by Establishing Separate Functional Area with Spiral Security Model

Network Security Issues and Cryptography

Overview. SSL Cryptography Overview CHAPTER 1

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

E-Commerce Security Pearson Prentice Hall, Electronic Commerce 2008, Efraim Turban, et al.

ELECTRONIC BANKING & ONLINE AUTHENTICATION

Chapter 19 Security. Chapter 19 Security

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Chapter 4 Network and Internet Security

Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable?

Introduction and Overview. Why CSCI 454/554?

Online Threats. This include human using them!

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security

Ethics and Information Security. 10 주차 - 경영정보론 Spring 2014

3.5 SECURITY. How can you reduce the risk of getting a virus?

BEST PRACTICES FOR PERSONAL Security

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

CTS2134 Introduction to Networking. Module 08: Network Security

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

Verteilte Systeme (Distributed Systems)

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

14. Internet Security (J. Kurose)

E-commerce security: SSL/TLS, SET and others. 4.2

Discovering Computers Living in a Digital World

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

The Security Problem

Management Information Systems (MMBA 6110-SP) Research Paper: Internet Security. Michael S. Pallos April 3, 2002

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Cybersecurity glossary. Please feel free to share this.

Cryptography (Overview)

Security and Privacy

Chapter 10: Security and Ethical Challenges of E-Business

Introduction to Security. Computer Networks Term A15

E-Commerce/Web Security

Cyber Security Practice Questions. Varying Difficulty

CPET 499/ITC 250 Web Systems Chapter 16 Security. Topics

Securing Information Systems

Chapter 12. Information Security Management

CS 425 / ECE 428 Distributed Systems Fall 2017

Elementary Computing CSC 100. M. Cheng, Computer Science

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

Défense In-Depth Security. Samson Oduor - Internet Solutions Kenya Watson Kamanga - Seacom

Chapter 9 Security and Privacy

SMart esolutions Information Security

Security: Focus of Control

Security: Focus of Control. Authentication

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

Introduction to Computing

Introduction to Information Technology Turban, Rainer and Potter John Wiley & Sons, Inc. Copyright Chapter 12 1

(2½ hours) Total Marks: 75

Protecting Information Assets - Week 11 - Cryptography, Public Key Encryption and Digital Signatures. MIS 5206 Protecting Information Assets

Accounting Information Systems

Network Security Fundamentals

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Online Security and Safety Protect Your Computer - and Yourself!

Personal Cybersecurity

Chapter 4. Network Security. Part I

Security Using Digital Signatures & Encryption

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

Security Digital Certificate Manager

Network Security and Cryptography. 2 September Marking Scheme

Unique Phishing Attacks (2008 vs in thousands)

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Copyright 2006 Prentice-Hall. All rights reserved. 1

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Security and Privacy. Xin Liu Computer Science University of California, Davis. Introduction 1-1

Malware, , Database Security

Security and Authentication


FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2

Prof. Shervin Shirmohammadi SITE, University of Ottawa. Security Architecture. Lecture 13: Prof. Shervin Shirmohammadi CEG

Computer Security. Assoc. Prof. Pannipa Phaiboonnimit. Adapted for English Section by Kittipitch Kuptavanich and Prakarn Unachak

Securing Information Systems

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

KALASALINGAM UNIVERSITY

FACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? L QUESTIONS?

PCI Compliance. What is it? Who uses it? Why is it important?

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Quick recap on ing Security Recap on where to find things on Belvidere website & a look at the Belvidere Facebook page

SE420 Software Quality Assurance

Chapter 15: Security. Chapter 15: Security

HP Instant Support Enterprise Edition (ISEE) Security overview

Fighting the. Botnet Ecosystem. Renaud BIDOU. Page 1

IBM. Security Digital Certificate Manager. IBM i 7.1

A policy that the user agrees to follow before being allowed to access a network.

Transcription:

s10 Security 1

The Tension Security vs. ease of use: the more security measures added, the more difficult a site is to use, and the slower it becomes Security vs. desire of individuals to act anonymously 2

IS INTERNET FRAUD REALLY A PROBLEM?

FBI 2007 INTERNET FRAUD 'According to the 2008 Internet Crime Complaint Center (IC3) Up 33% over 07 275,284 complaints loss from 72,940 cases of fraud referred to federal, state and local law enforcement was $246.6 million median dollar loss of $931 per complaint -- up from $239.1 million in total reported losses in 2007. The highest median dollar losses came from check fraud ($3,000), confidence fraud ($2,000), and Nigerian (West African 419) "advance fee" scams ($1,650). 4

5

world relies on physical security - Ecommerce world - reliance on electronic means to protect data, communications & transactions. THREE TYPES OF SECURITY DIMENSIONS 1. Infrastructure security (hard/software 2. Transactions security (web/moving) 3. Data/information security (message itself) 6

Do you see a Role for Laws and Public Policy New laws have granted local and national authorities new tools and mechanisms for identifying, tracing and prosecuting cybercriminals National Infrastructure Protection Center unit within National Cyber Security Division of Department of Homeland Security whose mission is to identify and combat threats against U.S. technology and telecommunications infrastructure USA Patriot Act Homeland Security Act Government policies and controls on encryption software 7

Name Some of the Most Common Security Threats in the E-commerce Environment Malicious code (viruses, worms, Trojans) Unwanted programs (spyware, browser parasites) Phishing/identity theft Hacking and cybervandalism Credit card fraud/theft Spoofing (pharming)/spam (junk) Web sites Sniffing Insider attacks Poorly designed server and client software DoS and ddos attacks

Malicious Code Viruses: Have ability to replicate and spread to other files; most also deliver a payload of some sort (destructive or benign); include macro viruses, file-infecting viruses, and script viruses Worms: Designed to spread from computer to computer Trojan horse: Appears to be benign, but then does something other than expected Bots: Can be covertly installed on computer; responds to external commands sent by the attacker

Unwanted Programs Installed without the user s informed consent Browser parasites: Can monitor and change settings of a user s browser Adware: Calls for unwanted pop-up ads Spyware: Can be used to obtain information, such as a user s keystrokes, e-mail, IMs, etc. Copyright 2007 Pearson Education, Inc.

Phishing and Identity Theft Any deceptive, online attempt by a third party to obtain confidential information for financial gain Most popular type: e-mail scam letter One of fastest growing forms of e-commerce crime Many of you have gotten the we are upgrading our server or the I am the wife of Amad who.. Copyright 2007 Pearson Education, Inc.

Hacking and Cybervandalism Hacker: Individual who intends to gain unauthorized access to computer systems Cracker: Hacker with criminal intent (two terms often used interchangeably) Cybervandalism: Intentionally disrupting, defacing or destroying a Web site Types of hackers include: White hats Black hats Grey hats

Spoofing (Pharming) Spoofing (Pharming) & Spam (Junk) Web Sites Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else Threatens integrity of site; authenticity Spam (Junk) Web sites YATCHWORLD.COM Use domain names similar to legitimate one, redirect traffic to spammer-redirection domains

Other Security Threats tjmax Sniffing: Type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network Insider jobs: Single largest financial threat Poorly designed server and client software: Increase in complexity of software programs has contributed to increase is vulnerabilities that hackers can exploit

DoS and DDoS Attacks Denial of service (DoS) attack Hackers flood Web site with useless traffic to inundate and overwhelm network Distributed denial of service (DDoS) attack Hackers use numerous computers to attack target network from numerous launch points

IS THE THREAT TO NATION S SECURITY Why did it prove to be so effective against Estonia? What are botnets? Why are they used in DDoS attacks? ATTACK ON ESTONIA MAY 9,10 2007 Denial of service (DoS) attack Hackers flood Web site with useless traffic to inundate and overwhelm network Distributed denial of service (DDoS) attack Hackers use numerous computers to attack target network from numerous launch points

DESIGN A SYSTEM TO SEND A SECURE MESSGE WHAT ARE YOUR INFRASTRUCTURE NEEDS? WHAT DOES THE SOFTWARE DO? WHAT TYPES OF SECURITY ARE THERE IN YOUR SYSTEM? HOW ARE COMPUTERS LINKED? HOW DO YOU KNOW WHO YOU ARE TALKING TO? 17

SECURTY NEEDS: Authentication: A way to verify user s identity before payments are made Integrity: Ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission 18

SECURTY NEEDS: Encryption: making messages indecipherable except by those who have an authorized decryption key Non-repudiation: Merchants protection - customer s unjustifiable denial of placed orders customers protection -against merchants unjustifiable denial of payments 19

Securing Channels of Communication Secure Sockets Layer (SSL): Most common form used to establish a secure negotiated session (client-server session in which URL of requested document, along with contents, is encrypted) Part on customers PC so no special software needed Secure Electronic Transaction (SET): More complicated comprehensive security protocol - provides privacy, authenticity, integrity, repudiation must install Digital Wallet S-HTTP: Alternative method; provides a secure message-oriented communications protocol designed for use in conjunction with HTTP Virtual Private Networks (VPNs): Allow remote users to securely access internal networks via the Internet, using Point-to-Point Tunneling Protocols 20

SECURE SOCKET LAYER - SSL AUTOMATICALLY ENCRYPTS TCP/IP WEB, EMAIL ETC - SERVER SECURITY HIGHEST LEVEL URL IS HTTPS COMMUNICATIONS ARE ENCRYPTED Variety of encryption algorithms and authentication methods. While SSL can encrypt credit cards from consumer to merchant more needed for security * 21

Cyber criminals (full length) Bank hacking Hacker caught 22

ENCRYPTON WHAT ARE THE 2 TYPES 1. PRIVATE/SECRET KEY Some believe penetrable. Maybe secure enoug 2. PUBLIC KEY Most popular algorithm is RSA (Rivest, Shamir and Adelman) Various key sizes (e.g. 1,024 bits) Most secure - Never known to be broken (to date) 23

24

Symmetric Key Encryption Private / Secret Key Both the sender and receiver use the same digital key to encrypt and decrypt message Requires a different set of keys for each transaction Advanced Encryption Standard (AES): Most widely used symmetric key encryption today; offers 128-, 192-, and 256-bit encryption keys; other standards use keys with up to 2,048 bits 25

Private Key 26

Private/Secret Key Cryptography (symmetric) 64 bit key Data Encryption Standard DES Most widely accepted algorithm SET uses DES Original Message Sender Key sender = Key receiver Public key sent Scrambled Message Internet Scrambled Message Key receiver Message received Decryption Receiver public key Encryption 27

Public Key Encryption Solves symmetric key encryption problem of having to exchange secret key Uses two mathematically related digital keys public key (widely disseminated) and private key (kept secret by owner) Both keys used to encrypt and decrypt message Once key used to encrypt message, same key cannot be used to decrypt message For example, sender uses recipient s public key to encrypt message; recipient uses his/her private key to decrypt it 28

1. Public Key Cryptography two stages of decryption Public Key receiver- delivered in advance Private Key receiver Message Code has info about private key to open Original Message Sender Scrambled Message Internet Public key Public Key Message decrypted with R s private key Original Message Receiver Decryption Public key used to transmit secret key of DES algorithm because faster/efficient in handling encryption/decryption 1 st private key 2 nd public key 29

Public Key Encryption using Digital Signatures and Hash Digests Application of hash function (mathematical algorithm) by sender prior to encryption produces hash digest that recipient can use to verify integrity of data Double encryption with sender s private key (digital signature) helps ensure authenticity and nonrepudiation 30

Digital Envelopes Addresses weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and symmetric key encryption (faster, but more secure) Uses symmetric key encryption to encrypt document but public key encryption to encrypt and send symmetric key 31

1. DIGITAL SIGNATURE two stages of decryption 1. Public Key sender- delivered in advance to receiver 2. ENCRYPTED S private KEY - public key to open Message Original Message Sender Scrambled Message Internet Private Key DIGITAL SIGNATURE ATTACHED > Digital Envelope. Encrypting secret/private key with public key Public Key sender private key Scrambled Message decrypted with R s public key Decryption 1 st private key 2 nd public key Original Message Receiver 32

Digital Envelopes Addresses weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and symmetric key encryption (faster, but more secure) Uses symmetric key encryption to encrypt document but public key encryption to encrypt and send symmetric key 33

Certificate Security Schemes Identifying the holder of a public key (Key-Exchange) Issued by a trusted certificate authority (CA) Name : Dr. Kip key-exchange Key : Signature Key : Serial # : 29483756 Other Data : 10236283025273 Class of certificate Dates valid Issuing authority digital signature Expires : 6/18/03 Signed : KB s Signature 34

CHECK IT OUT VERISIGN Only CA open to public 3 levels of certificates COMMERCIAL CAs Cylink GTE BBN NETSCAPE * In the case of credit cards authorities CCAs GCA Geopolitical Certificate Authority (verisign) certify Card CAs W3 FOR FAQs ON INTERNET SECURITY http://www.w3.org/security/faq/www-security-faq.html 35

Digital Certificates & Certifying Authorities Digital Certificates 3 RD Party-Verify holder of a public & private key is who they claim to be Certifying Authorities (CAs) Maintain responsibility for checking user s identity Verifying validity of digital certificates Issue digital certificates Verify the information creates a certificate that contains the applicant s public key along with identifying information Uses their private key to encrypt certificate and sends the signed certificate to applicant 36

37

38

39

40

How an Online Credit Transaction Works Figure 5.18, Page 308 Copyright 2007 Pearson Education, Inc. Slide 5-41

BREAK!!! 42

Public key 43

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback