Information Systems Security: Information Security for Web-based Applications
![Page 1: Information Systems Security Information Security for Web- based Applications](https://reader035.vdocuments.net/reader035/viewer/2022062314/56649e1c5503460f94b0a63c/html5/thumbnails/1.jpg)
Information Systems Security
Information Security for Web-based Applications
The full picture
Securing web sites
- Reduce the attack surface of the web server
- Prevent unauthorized access to web sites and applications
- Isolate web sites and applications
- Configure user authentication
- Encrypt confidential data exchanged with clients
- Maintain web site and application security
Securing web sites
Reduce the attack surface of the web server
- Enable only essential OS components and services
- Enable only the web server components and services that are needed
- Enable only the MIME types the site actually serves
- Configure OS security settings
Securing web sites
Prevent unauthorized access to web sites and applications
- Store content on a dedicated disk volume
- Set web site permissions
- Set IP address and domain name restrictions
- Set NTFS file system permissions
Securing web sites
Isolate web sites and applications
- Prevents multiple web sites and applications from adversely affecting one another
- Requires creating application pools, assigning web sites and applications to them, and giving each pool its own service account with only the permissions it needs
- A complicated procedure, but the one that limits a compromise of one site to that site
Securing web sites
Configure user authentication
Select an appropriate authentication method:
- Digest
- Advanced digest
- Integrated Windows
- Client certificates
- MS .NET Passport
Securing web sites
Encrypt confidential data exchanged with clients
- Use Secure Sockets Layer (SSL); its successor TLS is what is deployed today
- Install a server certificate and serve the site over https instead of http
- Use IPSec or a VPN for remote administration
Securing web sites
Maintain web site and application security
- Obtain up-to-date security updates
- Enable server security logs
- Enable web server application logs
- Review security policies, processes and procedures
Reading
Microsoft: Improving Web Application Security: Threats and Countermeasures
Chapter 1 “Web Application Security Fundamentals”
Chapter 4 “Design Guidelines for Secure Web Applications” is good but a bit too advanced for most students
Problem in e-Commerce
The transaction is done online: the customer and the company cannot see each other. How can they trust each other? Who are you? Can I trust you? What if I do not receive my goods? What if I do not receive the payment?
Certificate Authority
This is where the CA comes in. It gives a digital identity to every party concerned: it verifies that the company is okay to do business with, and that the customer is too.
This is usually done not by the government but by commercial organizations.
PKI is the technology used to provide the digital identification.
What is PKI
The set of hardware, software, people and procedures needed to create, store, distribute and revoke keys and certificates based on public key cryptography.
PKI infrastructure and software development
PKI uses public key cryptography for authentication and access control of users, for the integrity and non-repudiation of documents signed by a user, and for confidentiality of data.
PKI infrastructure and software development
- Certificate Authority
- Registration Authority
- Certificate, containing: name, issuing CA, expiration date, public key
- Certificate Revocation List
X.509 Certificate structure
PKI
PKI employs a pair of keys for each user: a private key known only to the user, and a public key published by an authority in the form of a digital certificate (certificate for short).
PKI
When signing a document or an e-mail, a user signs with his own private key, so that others can use the signer's public key to verify the authenticity of the document or e-mail. Since only the user holds the private key, non-repudiation is established, as long as that private key has not been compromised.
PKI
The use of PKI saves the trouble of maintaining and distributing a shared secret encryption/decryption key between the sender and the receiver.
Authentication using certificates
Secure online payment
- Credit card payment
- Secure Sockets Layer
- Secure Electronic Transaction (SET)
- PayPal
- E-purse
Credit Card
Invented in the 1950s; it only became profitable about 20 years later, when the number of customers reached a critical mass.
Credit Card Payment
This is the usual payment method used in e-commerce.
Four parties are involved:
- Cardholder (payer)
- Merchant (payee)
- Issuing Bank
- Acquiring Bank
Measures to stop fraud
- Hot card lists
- Merchant floor limits: authorization required when a certain amount is exceeded
- Expiry date used as a password
- Card delivered to the cardholder's address
- Card verification value (a MAC computed by the issuer, so it cannot be derived from the card number alone)
- Intrusion detection (anomaly detection)
SSL: Secure Sockets Layer
Developed by Netscape to secure HTTP sessions
Provides:
- Data encryption
- Server authentication
- Message integrity
- Optional client authentication
NOT a payment system in itself
SSL: Secure Sockets Layer
- The server is authenticated by its digital certificate
- Public key technology is used to exchange a symmetric session key between server and client, used only for that session
- After the buyer sends card details through the secure channel, the merchant processes the transaction in the usual manner; SSL protects the data only in transit, and the merchant still ends up holding the card number
SSL (simplified handshake)
- Client → Server: name C, transaction serial no. C#, nonce Nc
- Server → Client: name S, transaction serial no. S#, nonce Ns, public key KS
- Client → Server: pre-master secret Ko encrypted under the server's public key, {Ko}KS
- Both sides compute k1 = h(Ko, Nc, Ns)
- Client → Server: finished message with a MAC over all messages to date, {finished, MAC(k1, everything_to_date)}Kcs
- Server → Client: {finished, MAC(k1, everything_to_date)}Ksc, followed by application data {data}Ksc
The finished MACs let each side detect that an earlier handshake message was altered in transit; the certificate check on KS is what stops an attacker from simply substituting his own public key.
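The exchange above, run end to end as an added example (this is not code from the slides). Textbook RSA over two fixed Mersenne primes stands in for the certified server key KS, SHA-256 for h, HMAC-SHA256 for MAC, and a SHA-256 counter keystream for the symmetric encryption under Kcs and Ksc; the message encoding, the "client write"/"server write" key labels and the `tamper` hook are assumptions made for the demonstration. The function returns whether each side accepted the other's finished message, so the effect of a message modified in transit can be checked directly.

```python
"""Toy walk-through of the simplified SSL handshake sketched on the slides.

Added example, not code from the slides.  Textbook RSA over two Mersenne
primes stands in for the server's certified key KS, SHA-256 for h, HMAC-SHA256
for MAC, and a SHA-256 counter keystream for the symmetric encryption under
Kcs / Ksc.  The message encoding and the key-derivation labels are assumptions.
Never use any of this to protect real traffic.
"""
import hashlib
import hmac
import secrets

# Server key pair KS = (N, E) with private exponent D (toy size, fixed primes).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def encode(msg) -> bytes:
    """Length-prefixed serialisation of one message's fields (assumed format)."""
    out = b""
    for field in msg:
        b = field if isinstance(field, bytes) else str(field).encode()
        out += len(b).to_bytes(4, "big") + b
    return out


def derive_keys(ko: int, nc: bytes, ns: bytes) -> dict:
    """k1 = h(Ko, Nc, Ns); Kcs and Ksc are split off k1 with labels (assumed)."""
    k1 = hashlib.sha256(encode((ko, nc, ns))).digest()
    return {"k1": k1,
            "Kcs": hashlib.sha256(k1 + b"client write").digest(),
            "Ksc": hashlib.sha256(k1 + b"server write").digest()}


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def crypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || block counter); same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)


def run_handshake(tamper=None, data=b"order: 1 widget"):
    """Run the exchange; `tamper(msg)` rewrites the Server->Client message in transit.

    Returns (server_accepts, client_accepts, data_as_seen_by_client)."""
    tc, ts = b"", b""                          # "everything to date", each side's view
    nc, ns = secrets.token_bytes(16), secrets.token_bytes(16)

    # Client -> Server: name C, transaction serial no. C#, nonce Nc
    m1 = ("C", 1, nc)
    tc += encode(m1)
    ts += encode(m1)

    # Server -> Client: name S, serial no. S#, nonce Ns, public key KS
    m2 = ("S", 1, ns, N, E)
    ts += encode(m2)
    m2c = tamper(m2) if tamper else m2         # what actually reaches the client
    tc += encode(m2c)
    ns_c, n_c, e_c = m2c[2], m2c[3], m2c[4]

    # Client -> Server: pre-master secret Ko encrypted under KS, i.e. {Ko}KS
    ko = secrets.randbelow(n_c - 2) + 2
    m3 = (pow(ko, e_c, n_c),)
    tc += encode(m3)
    ts += encode(m3)
    ko_s = pow(m3[0], D, N)                    # server recovers Ko with its private key
    kc, ks = derive_keys(ko, nc, ns_c), derive_keys(ko_s, nc, ns)

    # Client -> Server: {finished, MAC(k1, everything_to_date)}Kcs
    fin_c = crypt(kc["Kcs"], b"finished" + mac(kc["k1"], tc))
    expected = b"finished" + mac(ks["k1"], ts)
    if not hmac.compare_digest(crypt(ks["Kcs"], fin_c), expected):
        return False, False, None              # server aborts: keys or transcripts differ
    tc += fin_c
    ts += fin_c

    # Server -> Client: {finished, MAC(k1, everything_to_date), data}Ksc as one record,
    # so the toy keystream is never reused under the same key
    record = crypt(ks["Ksc"], b"finished" + mac(ks["k1"], ts) + data)
    plain = crypt(kc["Ksc"], record)
    client_accepts = hmac.compare_digest(plain[:40], b"finished" + mac(kc["k1"], tc))
    return True, client_accepts, plain[40:] if client_accepts else None


if __name__ == "__main__":
    print("honest run:", run_handshake())
    # Attacker flips the server's serial number S# in transit: keys still agree,
    # but the two transcripts differ, so the finished MACs do not match.
    print("tampered S#:", run_handshake(tamper=lambda m: (m[0], 2, m[2], m[3], m[4])))
```

A tampered nonce, serial number or public key all make the handshake fail, because either the derived keys or the transcripts no longer agree. What the MAC alone cannot catch is an attacker who replaces KS with his own key and relays both directions; in this toy the client accepts whatever public key it is sent, which is exactly the gap the server certificate closes on the previous slide.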
Secure Electronic Transaction
A joint effort of Visa and MasterCard in 1997 to develop a more secure Internet payment system, in which the merchant does not keep the credit card number.
SET makes use of public key technology; each participant is assigned a public/private key pair.
Secure Electronic Transaction
- Legal entity formed by MasterCard, Visa, American Express and JCB in 12/97
- A protocol designed for electronic payment with credit cards
- Key idea: the merchant does not need to know the payment details, and the bank does not need to know the order details
SET (simplified exchange)
- Client → Server: C, Nc, CC (client's certificate)
- Server → Client: S, S#, CS (merchant's certificate), CB (bank's certificate)
- Client → Server: {Order}KS, {Payment}KB, SigKC{h(Order), h(Payment)}
- Server → Bank: {Summary}KB, {Payment}KB
- Bank → Server: SigKB{Auth_response} (the bank signs the authorization response with its own key)
The dual signature SigKC{h(Order), h(Payment)} binds the order and the payment instruction together: the merchant can verify it from the order plus h(Payment) alone, and the bank from the payment plus h(Order) alone, so neither party needs the other's data.
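The dual signature from the exchange above, worked through as an added example (not code from the slides); it also shows the sign-with-private-key, verify-with-public-key step described on the PKI slides. The cardholder's key KC is textbook RSA over two fixed Mersenne primes (a toy, not a real key), h is SHA-256 truncated to 224 bits so that it fits the modulus, and the envelopes {Order}KS and {Payment}KB are modelled by handing each party only its own part rather than by a second encryption layer. The order, card details and message layout are constructed for the demonstration.

```python
"""Toy SET dual signature: the cardholder binds Order and Payment together
while the merchant sees only the order and the bank only the payment.

Added example, not code from the slides.  The cardholder's signing key KC is
textbook RSA over two Mersenne primes (a toy, not a real key) and h is SHA-256
truncated to 224 bits so it fits the modulus.  The envelopes {Order}KS and
{Payment}KB are modelled simply by giving each party only its own part; the
message layout and the sample data are constructed.  Never use for real payments.
"""
import hashlib
import json

# Cardholder signing key KC = (N, E), private exponent D.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def h(obj) -> bytes:
    """Digest of a message; canonical JSON so every party hashes identical bytes."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).digest()[:28]


def link(h_order: bytes, h_payment: bytes) -> bytes:
    """The value actually signed: h(h(Order) || h(Payment))."""
    return hashlib.sha256(h_order + h_payment).digest()[:28]


def sign(digest: bytes) -> int:
    """Sign with the private key (textbook RSA: digest^D mod N)."""
    return pow(int.from_bytes(digest, "big"), D, N)


def verify(sig: int, digest: bytes) -> bool:
    """Anyone holding the public key checks sig^E mod N == digest."""
    return pow(sig, E, N) == int.from_bytes(digest, "big")


def cardholder_message(order, payment):
    """Client -> Server: {Order}KS, {Payment}KB, SigKC{h(Order), h(Payment)}."""
    return {"for_merchant": order,                 # readable only by the merchant
            "for_bank": payment,                   # readable only by the bank
            "sig": sign(link(h(order), h(payment)))}


def merchant_checks(order, h_payment: bytes, sig: int) -> bool:
    """Merchant verifies with the order it can read and only h(Payment)."""
    return verify(sig, link(h(order), h_payment))


def bank_checks(h_order: bytes, payment, sig: int) -> bool:
    """Bank verifies with the payment it can read and only h(Order) from the summary."""
    return verify(sig, link(h_order, h(payment)))


def run_set(merchant_total=None):
    """Run the exchange.  If `merchant_total` is given, the merchant alters the
    order total before checking it and forwarding the summary to the bank.
    Returns (merchant_ok, bank_ok)."""
    order = {"merchant": "S", "items": ["widget"], "total": 42.0}            # constructed
    payment = {"pan": "4111111111111111", "expiry": "12/30", "amount": 42.0}  # constructed
    msg = cardholder_message(order, payment)
    h_payment = h(payment)                     # sent to the merchant alongside the order

    order_seen = dict(msg["for_merchant"])
    if merchant_total is not None:
        order_seen["total"] = merchant_total   # dishonest or buggy merchant
    merchant_ok = merchant_checks(order_seen, h_payment, msg["sig"])

    # Server -> Bank: {Summary}KB, {Payment}KB; the summary carries h(Order) for the link
    summary = {"h_order": h(order_seen).hex(), "amount": order_seen["total"]}
    bank_ok = bank_checks(bytes.fromhex(summary["h_order"]), msg["for_bank"], msg["sig"])
    return merchant_ok, bank_ok


if __name__ == "__main__":
    print("honest merchant:", run_set())
    print("merchant changes total:", run_set(merchant_total=99.0))
```

The bank never sees the items and the merchant never sees the card number, yet both can confirm the cardholder signed this order together with this payment. A merchant that changes the order can neither make its altered copy verify nor present a matching digest to the bank, and the amount the bank authorizes is the one inside {Payment}KB, which the merchant cannot rewrite.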
SET
Demise of SET:
- Nothing in it for the credit card holders
- Huge cost of building the PKI
- Benefits less than expected
EDI
- Electronic Data Interchange
- Used for B2B transactions
- Built on Value-Added Networks
- International and national message standards
- Expensive
EDI transactions
EDI, or Electronic Data Interchange, provides trading partners with an efficient business tool for the automatic transmission of commercial data from one computer system directly to another.
Through the use of EDI message standards such as ANSI X12, UN/EDIFACT or EANCOM, data may be communicated quickly, efficiently and accurately irrespective of the users' internal hardware and software equipment.
EDI in Hong Kong
- TRAXON for air cargo
- CargoNet for shipping
- EZ*TRADE for retail, manufacturing and trading
- Tradelink for the HK Government, chiefly for the Customs Department
EDI Infrastructure
- VAN (Value-Added Networks) / VPN (Virtual Private Networks)
- i-EDI (web-based EDI systems)
EDI example: SWIFT
RGP = Regional General Processor
PayPal
- A virtual bank on the Internet
- Caters for small merchants that cannot open a merchant account with a bank
- Provides other services such as a shopping cart
- Problem of jurisdiction
E-purse
Pre-paid debit cards that can work offline
- Not many business successes: Mondex
- Most successful cases: Octopus, pre-paid phone cards
The Internet Payment Processing System
- Acquiring bank
- Credit card association
- Customer's issuing bank
- Internet merchant accounts
- Payment gateway
- Processor
Parties to an Internet transaction
- Customer
- Merchant
- Issuing Bank
- Merchant's Acquiring Bank
- Payment Gateway
- Processor
The transaction process (diagram; message labels only): credit card no. → transaction info → request for payment → authorization → OK
Transaction initiation
- The customer decides to make a purchase on the merchant's web site, proceeds to check out and enters credit card information
- The merchant's web site receives the customer information and sends the transaction information to the Payment Gateway
- The Payment Gateway routes the information to the Processor
Payment authorization
- The Processor sends the information to the Merchant's Acquiring Bank
- The Acquiring Bank sends the transaction information to the cardholder's Issuing Bank
- The Issuing Bank sends the transaction result (authorization or decline) to the Acquiring Bank
- The Acquiring Bank sends the transaction result to the Processor
- The Processor routes the result to the Payment Gateway
- The Payment Gateway passes the result to the Merchant
- The Merchant accepts and ships the goods, or rejects the transaction
The payment process (diagram; labels only): request for payment → credit merchant A/C, debit consumer A/C
Payment settlement
- The Merchant requests the Payment Gateway to settle a payment
- The Payment Gateway sends all transactions to be settled to the Processor
- The Processor sends the settlement payment details to the customer's Issuing Bank and to the Merchant's Acquiring Bank
- The Issuing Bank includes the Merchant's charge on the customer's credit card statement, while the Acquiring Bank credits the Merchant's account
Payment Processing
PCI DSS
Payment Card Industry Data Security Standard
Developed by the PCI Security Standards Council, whose founding members are American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
PCI DSS
A security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures, intended to help organizations proactively protect customer account data.
Requirements
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security
Reading
Refer to the VeriSign Online Payment Processing Guide