1
E-Commerce and Security
revised 3/21/2000
2
Myths about Business Risks in the Information Age
  Security is only about protecting “things”
  We don’t have any information anyone would want
  Security problems have never happened here
  Firewalls provide enough security
  Technology will solve the security problem
  The “enemy” is outside
  Our people won’t tolerate tight security
  My PC is secure, so I’m secure
  The Internet can’t be used for secure communications
The Economist and Arthur Andersen
3
Electronic Commerce Threats
Client Threats
Active Content
  Java applets, ActiveX controls, JavaScript, and VBScript
  Programs that interpret or execute instructions embedded in downloaded objects
  Malicious active content can be embedded into seemingly innocuous Web pages
Cookies remember user names, passwords, and other commonly referenced information
4
Communication Channel Threats
Secrecy Threats
  Secrecy is the prevention of unauthorized information disclosure
  Privacy is the protection of individual rights to nondisclosure
  Theft of sensitive or personal information is a significant danger
  Your IP address and the browser you use are continually revealed while on the Web
5
Communication Channel Threats
Anonymizer
  A Web site that provides a measure of secrecy as long as it’s used as the portal to the Internet
  http://www.anonymizer.com
Integrity Threats
  Also known as active wiretapping
  Unauthorized party can alter data while it is in transit
    Change the amount of a deposit or withdrawal
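The integrity threat above, and the countermeasure channel security relies on, as an added Go example that is not part of the original slides. It assumes the bank and the customer share a secret key (the key, account numbers and amounts are constructed for the demo): a transfer message is sealed with an HMAC-SHA256 tag, an "active wiretapper" rewrites the amount in transit, and the receiver's verification fails because the tag no longer matches the fields.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Transfer is the kind of banking message an active wiretapper would alter.
type Transfer struct {
	From, To string
	Amount   int64 // in cents
}

// encode gives the canonical byte form that both ends authenticate.
func (t Transfer) encode() string {
	return fmt.Sprintf("from=%s;to=%s;amount=%d", t.From, t.To, t.Amount)
}

// Seal appends an HMAC-SHA256 tag computed under the shared key.
// Only a party holding the key can produce a tag that verifies.
func Seal(key []byte, t Transfer) string {
	body := t.encode()
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return body + ";tag=" + hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the tag over the fields as received and compares it to
// the received tag in constant time. Any change to a field changes the tag.
func Verify(key []byte, wire string) bool {
	i := strings.LastIndex(wire, ";tag=")
	if i < 0 {
		return false
	}
	body, tagHex := wire[:i], wire[i+len(";tag="):]
	tag, err := hex.DecodeString(tagHex)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return hmac.Equal(tag, mac.Sum(nil))
}

// Tamper plays the active wiretapper: it rewrites the amount field of the
// message on the wire without knowing the key.
func Tamper(wire string, newAmount int64) string {
	start := strings.Index(wire, "amount=")
	if start < 0 {
		return wire
	}
	end := strings.Index(wire[start:], ";")
	if end < 0 {
		end = len(wire) - start
	}
	return wire[:start] + fmt.Sprintf("amount=%d", newAmount) + wire[start+end:]
}

func main() {
	key := []byte("constructed-shared-secret") // constructed for the demo
	wire := Seal(key, Transfer{From: "acct-100", To: "acct-200", Amount: 5000})
	fmt.Println("genuine verifies:", Verify(key, wire))                 // true
	fmt.Println("altered verifies:", Verify(key, Tamper(wire, 500000))) // false
}
```

An unkeyed digest appended to the message would not help here: the party able to rewrite the amount can recompute the digest just as easily. The key is what turns a checksum into an integrity check.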
6
Communication Channel Threats
Necessity Threats
  Also known as delay or denial threats
  Disrupt normal computer processing
    Deny processing entirely
    Slow processing to intolerably slow speeds
    Remove a file entirely, or delete information from a transmission or file
    Divert money from one bank account to another
7
Protecting Client Computers
Active content, delivered over the Internet in dynamic Web pages, can be one of the most serious threats to client computers
Threats can hide in
  Web pages
  Downloaded graphics and plug-ins
  E-mail attachments
8
Protecting Client Computers
Cookies
  Small pieces of text stored on your computer; they can contain sensitive information and are stored unencrypted
  Anyone with access to the machine, or able to observe the connection they travel over, can read and interpret cookie data
  Do not harm client machines directly, but could still cause damage if their contents are disclosed or altered
Misplaced trust
  Web sites that aren’t really what they seem and trick the user into revealing sensitive data
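What "anyone can read cookie data" looks like in practice, as an added Go example that is not part of the original slides. Browsers of the period kept cookies on disk in the Netscape cookies.txt format (seven tab-separated fields, plain text). The program parses a constructed cookies.txt (the domains, names and values are made up) and reports the two problems the slide describes: credential-like cookies stored in cleartext, and cookies without the Secure flag, which the browser will also send over unencrypted HTTP.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Cookie is one record of the Netscape cookies.txt format: seven tab-separated
// fields, none of them encrypted.
type Cookie struct {
	Domain     string
	DomainWide bool  // TRUE: every host in Domain may read it
	Path       string
	Secure     bool  // TRUE: sent only over SSL connections
	Expires    int64 // Unix time
	Name       string
	Value      string
}

// ParseCookieJar reads a cookies.txt body. Comment lines start with '#'.
func ParseCookieJar(text string) ([]Cookie, error) {
	var out []Cookie
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, "\t")
		if len(f) != 7 {
			return nil, fmt.Errorf("malformed cookie line: %q", line)
		}
		exp, err := strconv.ParseInt(f[4], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("bad expiry in %q: %v", line, err)
		}
		out = append(out, Cookie{
			Domain: f[0], DomainWide: f[1] == "TRUE", Path: f[2],
			Secure: f[3] == "TRUE", Expires: exp, Name: f[5], Value: f[6],
		})
	}
	return out, sc.Err()
}

// looksLikeCredential flags cookie names that suggest a stored login secret.
func looksLikeCredential(name string) bool {
	n := strings.ToLower(name)
	for _, kw := range []string{"pass", "pwd", "user", "login", "auth"} {
		if strings.Contains(n, kw) {
			return true
		}
	}
	return false
}

// Audit reports credentials lying unencrypted on disk and cookies that will
// travel over unencrypted HTTP, in file order.
func Audit(cookies []Cookie) []string {
	var findings []string
	for _, c := range cookies {
		id := c.Name + "@" + c.Domain
		if looksLikeCredential(c.Name) {
			findings = append(findings, id+": credential stored in cleartext on disk")
		}
		if !c.Secure {
			findings = append(findings, id+": no Secure flag, sent over plain HTTP")
		}
	}
	return findings
}

// sampleJar is a constructed cookies.txt, not a real user's file. Fields are
// joined with tabs here so the layout is visible without literal tab characters.
var sampleJar = "# Netscape HTTP Cookie File\n" + strings.Join([]string{
	strings.Join([]string{".shop.example", "TRUE", "/", "FALSE", "1009843200", "username", "alice"}, "\t"),
	strings.Join([]string{".shop.example", "TRUE", "/", "FALSE", "1009843200", "password", "hunter2"}, "\t"),
	strings.Join([]string{"www.bank.example", "FALSE", "/", "TRUE", "1009843200", "session", "3f9ac17b"}, "\t"),
	strings.Join([]string{".ads.example", "TRUE", "/", "FALSE", "1009843200", "visitor", "91223"}, "\t"),
}, "\n") + "\n"

func main() {
	cookies, err := ParseCookieJar(sampleJar)
	if err != nil {
		panic(err)
	}
	for _, f := range Audit(cookies) {
		fmt.Println(f)
	}
}
```

Against the sample, the shop's username and password cookies are each reported twice (cleartext on disk, and sent over plain HTTP), the ad network's visitor cookie once, and the bank's Secure session cookie not at all.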
9
Monitoring Active Content
Netscape Navigator and Microsoft Internet Explorer browsers let the user control active content before allowing it to download
  Netscape: Edit / Preferences
  Internet Explorer: Tools / Internet Options
Digital certificates provide assurance to clients and servers that the participant is authenticated
  The certificate is authenticated by the digital signature of a certificate authority (CA)
  The CA’s public key verifies the CA’s signature on the certificate; the public key inside the certificate then verifies signatures made by the certificate’s subject
10
Protecting Electronic Commerce Channels
Protecting assets while they are in transit between client computers and remote servers
Providing channel security includes
  Channel secrecy
  Guaranteeing message integrity
  Ensuring channel availability
  Authentication
11
Providing Transaction Privacy
Encryption
  The coding of information by using a mathematically based program and a secret key to produce unintelligible characters
Steganography
  Hides a message inside another, seemingly innocuous object (an image, a document) so that its presence is not apparent to the naked eye
Cryptography
  Converts text to strings that appear to have no meaning
  The science that studies encryption
12
Secure Sockets Layer (SSL) Protocol
Secures many types of connections between two computers on the Internet
Developed by Netscape
  Had backing of AppleSoft, DEC, MasterCard International
Provides a security handshake in which the client and server computers negotiate the level of security to be used and exchange certificates, among other things
13
Secure Sockets Layer (SSL) Protocol
Provides either 40-bit or 128-bit encryption (40-bit being the export-grade strength of the period)
Operates above TCP and below the application protocol, not at the network layer: it secures the byte stream of a connection rather than individual IP packets
Secures connections between two computers; checks certificates
Session keys, agreed during the handshake, are used to create the cipher text from plain text during the session
Can secure communications in addition to HTTP (e.g., FTP)
Uses public-key cryptography in the handshake, to authenticate the server and agree on the session key, and symmetric encryption for the data that follows
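The two ideas from slides 9 and 12-13 together, as an added Go example that is not part of the original slides: a certificate authority signs a merchant certificate, and an SSL/TLS client accepts the merchant only if that signature chains to a CA it trusts. Everything is generated in memory (a constructed "Demo Root CA" and a merchant named shop.example), the handshake runs over loopback TCP using Go's standard crypto/tls, and it is run twice: once by a client that trusts the CA, once by a client that trusts nothing, which rejects the same certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a key pair and a certificate for cn. With parent == nil the
// certificate is self-signed (a root CA); otherwise parentKey signs it, and that
// CA signature is what a client checks before trusting the public key inside.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// handshake runs one SSL/TLS handshake over loopback TCP. The merchant server
// presents cert; the client trusts only the CAs in roots. It returns the
// negotiated protocol version, or the client's error when cert does not chain
// to a trusted CA.
func handshake(cert *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = tls.Server(c, srvCfg).Handshake() // merchant side; its outcome mirrors the client's
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: "shop.example"})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

// Demo builds a root CA and a merchant certificate signed by it, then runs the
// handshake with a client that trusts the CA and with one that does not.
func Demo() (version uint16, untrustedErr error, err error) {
	ca, caKey, err := issue("Demo Root CA", true, nil, nil)
	if err != nil {
		return 0, nil, err
	}
	leaf, leafKey, err := issue("shop.example", false, ca, caKey)
	if err != nil {
		return 0, nil, err
	}
	// Slide 9's check on its own: the CA's public key verifies the CA's signature.
	if err = leaf.CheckSignatureFrom(ca); err != nil {
		return 0, nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	if version, err = handshake(leaf, leafKey, trusted); err != nil {
		return 0, nil, err
	}
	_, untrustedErr = handshake(leaf, leafKey, x509.NewCertPool()) // client trusts no CA at all
	return version, untrustedErr, nil
}

func main() {
	version, untrustedErr, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted CA: handshake OK, protocol version 0x%04x\n", version)
	fmt.Println("unknown CA:", untrustedErr)
}
```

The same certificate is presented both times; only the client's list of trusted CAs differs. That is the whole content of "checks certificates" on this slide: the server's public key is believed only because a signature from an already-trusted CA vouches for it.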
14
Secure HTTP (S-HTTP) Protocol
Extension to HTTP that provides numerous security features
  Client and server authentication
  Spontaneous encryption
  Request/response nonrepudiation
Provides symmetric and public-key encryption, and message digests (fixed-length hashes that summarize a message and reveal any change to it)
Open protocol designed to secure individual Web transactions (each request and response) using additional HTTP-level headers, rather than the whole connection as SSL does
15
Secure Electronic Transaction (SET)
Backed by MasterCard, Visa, IBM, Netscape and Microsoft
Secures credit card transactions
Uses a digital certificate containing
  the consumer’s name
  a few digits of the consumer’s credit card number
  the name of the bank that issued the card
Merchant uses public-key cryptography to verify the consumer’s identity
Provides confidentiality of payment information
Provides merchant authentication
16
Firewalls
Control damage to your data and computer systems
Protect against spoofing
Implement access controls based on the contents of the packets of data transmitted between two parties or devices on a network
Single point of control for security on the network
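The two firewall functions on this slide, packet-content access control and anti-spoofing, as an added Go example that is not part of the original slides. It is a toy rule evaluator, not a real firewall: the internal network (10.0.0.0/8), the web server address (10.0.1.10), the interface names "ext" and "int" and the sample packets are all constructed. Rules are checked in order, the first match decides, and anything unmatched is dropped. The first rule is the anti-spoofing check: a packet arriving on the Internet-facing interface with an internal source address is a forgery and is dropped before any allow rule can match it.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is the part of an IP/TCP/UDP header a packet filter decides on.
type Packet struct {
	Iface   string // interface it arrived on: "ext" (Internet) or "int" (LAN)
	Src     net.IP
	Dst     net.IP
	Proto   string // "tcp" or "udp"
	DstPort int
}

// Rule matches on packet contents; a zero field ("" / nil / 0) matches anything.
type Rule struct {
	Name    string
	Iface   string
	Src     *net.IPNet
	Dst     *net.IPNet
	Proto   string
	DstPort int
	Allow   bool
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

var internal = cidr("10.0.0.0/8") // constructed internal address space

// Rules is a constructed rule set for a merchant site; first match wins and
// anything unmatched is dropped (default deny).
var Rules = []Rule{
	// Anti-spoofing: a packet claiming an internal source cannot legitimately
	// arrive on the Internet-facing interface.
	{Name: "anti-spoof", Iface: "ext", Src: internal, Allow: false},
	{Name: "https-in", Iface: "ext", Dst: cidr("10.0.1.10/32"), Proto: "tcp", DstPort: 443, Allow: true},
	{Name: "http-in", Iface: "ext", Dst: cidr("10.0.1.10/32"), Proto: "tcp", DstPort: 80, Allow: true},
	{Name: "lan-out", Iface: "int", Src: internal, Allow: true},
}

func (r Rule) matches(p Packet) bool {
	return (r.Iface == "" || r.Iface == p.Iface) &&
		(r.Src == nil || r.Src.Contains(p.Src)) &&
		(r.Dst == nil || r.Dst.Contains(p.Dst)) &&
		(r.Proto == "" || r.Proto == p.Proto) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// Filter returns whether the packet passes and the name of the deciding rule.
func Filter(rules []Rule, p Packet) (bool, string) {
	for _, r := range rules {
		if r.matches(p) {
			return r.Allow, r.Name
		}
	}
	return false, "default-deny"
}

func main() {
	// Constructed packets: a spoofed one, a legitimate web request, a telnet
	// probe against the web server, and an outbound connection from the LAN.
	for _, p := range []Packet{
		{Iface: "ext", Src: net.ParseIP("10.0.0.5"), Dst: net.ParseIP("10.0.1.10"), Proto: "tcp", DstPort: 443},
		{Iface: "ext", Src: net.ParseIP("203.0.113.7"), Dst: net.ParseIP("10.0.1.10"), Proto: "tcp", DstPort: 443},
		{Iface: "ext", Src: net.ParseIP("203.0.113.7"), Dst: net.ParseIP("10.0.1.10"), Proto: "tcp", DstPort: 23},
		{Iface: "int", Src: net.ParseIP("10.0.1.10"), Dst: net.ParseIP("203.0.113.7"), Proto: "tcp", DstPort: 51000},
	} {
		ok, rule := Filter(Rules, p)
		fmt.Printf("%s %s -> %s:%d/%s: allow=%v (%s)\n", p.Iface, p.Src, p.Dst, p.DstPort, p.Proto, ok, rule)
	}
}
```

Note that the spoofed packet would have matched the https-in allow rule on destination and port alone; ordering the anti-spoofing rule first is what makes the address-based access control trustworthy.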