online security and payment system
TRANSCRIPT
What is E-Commerce?
Transacting or facilitating business on the Internet is called e-commerce; it revolves around buying and selling.
Another definition: the use of the Internet and the Web to transact business. In digital terms, this means commercial transactions between organizations and individuals that are carried out over these networks.
The E-commerce Security Environment
Most serious losses involved theft of proprietary information or financial fraud
40% reported attacks from outside the organization
38% experienced denial of service attacks
94% detected virus attacks
What is Cybercrime?
Cybercrime: any illegal act committed using a computer network, especially the Internet. Cybercrime is a subset of computer crime.
Computer crime: stealing, and then using or selling, data such as company data or personal information held in company files.
Dimensions of E-commerce Security
Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party
Nonrepudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions
Authenticity: ability to verify the identity of a person or entity with whom you are dealing on the Internet
Confidentiality: ability to ensure that messages and data are available only to those authorized to view them
Privacy: ability to control the use of information a customer provides about himself or herself to a merchant
Availability: ability to ensure that an e-commerce site continues to function as intended
Most Common Security Threats in the E-commerce Environment
• Malicious code: designed to breach system security and threaten digital information
Viruses, worms, Trojan horses, bots and botnets
• Unwanted programs: browser parasites, adware, spyware
Malicious Code (Malware)
Viruses: a computer program that has the ability to replicate and spread to other files; most also deliver a “payload” of some sort (which may be destructive or benign).
Worms: designed to spread from computer to computer rather than from file to file; a program that actively reproduces itself across a network without needing a host file.
Trojan horse: appears to be benign, but then does something other than what is expected (e.g., a game that steals sign-ons and passwords).
Bot: malware that lets an unauthorized person turn a computer into a “zombie” under remote control; a collection of such machines is a botnet.
Unwanted Programs
Includes adware, browser parasites, spyware, or any other program that is installed on a computer through Internet traffic without the informed consent of the user.
Adware: installed on a computer from downloads or social networking sites; its purpose is to display advertising and annoy you, not to perform criminal activity.
Browser parasite: installed when the user clicks on some link; monitors your browsing activity and sends it to an unauthorized party; may also change your home page or other browser settings.
Spyware: small programs that install themselves surreptitiously on computers to monitor the user's Web surfing activity and serve up advertising; may also capture keystrokes and steal confidential or financial information such as login names and passwords.
Most Common Security Threats (cont.)
• Phishing: a deceptive online attempt to obtain confidential information
Social engineering, e-mail scams, spoofing of legitimate Web sites
The information is used to commit fraudulent acts (e.g., accessing checking accounts) or to steal an identity
• Hacking and cyber vandalism: hackers vs. crackers
Cyber vandalism: intentionally disrupting, defacing, or destroying a Web site
Types of hackers: white hats, black hats, grey hats
Hackers vs. Crackers
Hackers:
A hacker is not a cyber criminal
Knows all about the operating system
Always does constructive work
Crackers:
A person who breaks security on a system: system intrusion, system damage, cyber vandalism
A cracker is a cyber criminal; crackers create nothing and destroy much
Hacking and Cyber Vandalism
Hacker: an individual who intends to gain unauthorized access to computer systems. Types of hackers include white hats, black hats, and grey hats.
White hats: professional security experts who do not perform criminal activity; they test systems with the owner's permission.
Black hats: break into secure networks to destroy data or make the network unusable for those who are authorized to use it.
Grey hats: a combination of a black hat and a white hat. A grey hat hacker may surf the Internet and hack into a computer system for the sole purpose of notifying the administrator that the system has a security defect, for example, and then offer to correct the defect for a fee.
Cracker: used to denote a hacker with criminal intent (the two terms are often used interchangeably).
Cyber vandalism: intentionally disrupting, defacing, or destroying a Web site.
Credit Card Fraud
Fear that credit card information will be stolen deters online purchases. Hackers target credit card files and other customer information files on merchant servers and use the stolen data to establish credit under a false identity.
One solution: new identity verification mechanisms
Spoofing (Pharming)
Spoofing: misrepresenting oneself by using fake e-mail addresses or masquerading as someone else. Pharming: redirecting users to a fraudulent Web site that impersonates the one they asked for, even though they typed the correct address. Both threaten the integrity and authenticity of a site.
DoS and DDoS Attacks
• Denial of service (DoS) attack: hackers flood a Web site with useless traffic to inundate and overwhelm the network
• Distributed denial of service (DDoS) attack: hackers use numerous computers, typically a botnet of compromised machines, to attack the target network from numerous launch points at once
Malware: a generic term for malicious software
• A number of factors have contributed to the overall increase in malicious code. Among these factors, the following are paramount:
Mixing data and executable instructions (e.g., macros and scripts embedded in documents)
Increasingly homogeneous computing environments, so that one exploit works on many machines
Unprecedented connectivity
A larger base of users with little security awareness
Other Security Threats
Sniffing: a type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on the network. Anything sent unencrypted (passwords, card numbers) is exposed to it.
Insider jobs: the single largest financial threat.
Poorly designed server and client software: the increase in the complexity of software programs has contributed to an increase in vulnerabilities that hackers can exploit.
Technology Solutions
Protecting Internet communications (encryption)
Securing channels of communication (SSL/TLS, S-HTTP, VPNs)
Protecting networks (firewalls)
Protecting Internet Communications: Encryption
• Encryption: the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the intended receiver
Purpose: secure stored information and information in transmission
Provides: confidentiality directly; and, when combined with digital signatures and message authentication codes built on the same keys, message integrity, authentication and nonrepudiation
Symmetric Key Encryption
Also known as secret key encryption
Both the sender and receiver use the same digital key to encrypt and decrypt the message
Requires a different secret key for each pair of parties, or each transaction, and that key has to be delivered to the other side securely before it can be used: the key distribution problem
Public Key Encryption
Public key cryptography solves the symmetric key problem of having to exchange a secret key
Uses two mathematically related digital keys: a public key (widely disseminated) and a private key (kept secret by its owner)
Either key can be used to encrypt a message, but whatever one key encrypts, only the other key of the pair can decrypt. For example, the sender uses the recipient's public key to encrypt a message; the recipient uses his or her private key to decrypt it. A digital signature works the other way round: the sender applies the private key, and anyone holding the public key can verify it.
A public key encryption system can be viewed as a series of public and private keys that lock data when it is transmitted and unlock the data when it is received. The sender locates the recipient's public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.
Digital Envelopes
• Addresses the weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and of symmetric key encryption (fast, but the shared key still has to reach the other party securely)
• Uses symmetric key encryption to encrypt the document, but public key encryption to encrypt and send the symmetric key
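Added example (not code from the original slides): the digital envelope described above, together with the symmetric and public key slides before it, in working Go using only the standard library. A hypothetical sender (alice, the merchant) seals a constructed order for a recipient (bob, the customer): AES-256-GCM encrypts the document under a fresh session key, RSA-OAEP encrypts that key under bob's public key, and an RSA-PSS signature made with alice's private key covers the ciphertext. The signature is what turns plain encryption into the integrity, authentication and nonrepudiation guarantees the encryption slide lists. The names, key sizes and sample order are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the network: the document encrypted under a
// one-time symmetric key, that key encrypted under the recipient's public key,
// and the sender's signature over the ciphertext.
type Envelope struct {
	EncryptedKey []byte // RSA-OAEP(recipient public key, session key)
	Nonce        []byte // AES-GCM nonce, never reused with the same key
	Ciphertext   []byte // AES-GCM(session key, document), auth tag appended
	Signature    []byte // RSA-PSS(sender private key, SHA-256(Ciphertext))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal builds a digital envelope: fast symmetric encryption for the bulk data,
// slow public-key encryption only for the 32-byte session key, plus a signature
// so the recipient can authenticate the sender and the sender cannot later deny it.
func Seal(doc []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	key := make([]byte, 32) // fresh AES-256 session key for this message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, doc, nil)
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{EncryptedKey: encKey, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open verifies the signature first (integrity, authenticity, nonrepudiation),
// then recovers the session key with the recipient's private key and decrypts.
// A changed byte anywhere fails the signature check or the AES-GCM tag.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature invalid: envelope forged or altered in transit")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.EncryptedKey, nil)
	if err != nil {
		return nil, errors.New("session key cannot be recovered: not the intended recipient")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, err := rsa.GenerateKey(rand.Reader, 2048) // sender, e.g. the merchant
	if err != nil {
		panic(err)
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048) // recipient, e.g. the customer
	if err != nil {
		panic(err)
	}
	order := []byte("order 1234: 2 x widget, card ending 1111") // constructed sample
	env, err := Seal(order, &bob.PublicKey, alice)
	if err != nil {
		panic(err)
	}
	plain, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("recipient read: %s (err=%v)\n", plain, err)
	env.Ciphertext[0] ^= 1 // one bit flipped in transit
	_, err = Open(env, bob, &alice.PublicKey)
	fmt.Println("after tampering:", err)
}
```

Only bob's private key can recover the session key, so a third party holding the envelope learns nothing, and because the signature is checked before any decryption, a forged or altered envelope is rejected without the recipient ever processing attacker-controlled ciphertext.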
Securing Channels of Communication
• Secure Sockets Layer (SSL): the most common form of securing channels of communication; used to establish a secure negotiated session (a client-server session in which the URL of the requested document, along with its contents, is encrypted). The server proves its identity with a certificate before any data is sent. SSL has been superseded by its successor, Transport Layer Security (TLS); the SSL protocol versions themselves are deprecated, and what browsers negotiate today is TLS, although the name SSL is still widely used.
• S-HTTP: an alternative method; provides a secure message-oriented communications protocol designed for use in conjunction with HTTP. It protects individual messages rather than the whole connection and saw little adoption compared with SSL/TLS.
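Added example (not code from the original slides): the secure negotiated session described above, in Go using only the standard library and TLS, the successor of SSL. A hypothetical server for the host shop.example presents a self-signed certificate; a client that holds that certificate as a trusted root completes the handshake and sends a constructed checkout request, while a sniffer wrapped around the server's socket shows that the request never appears in clear on the wire (the sniffing threat from the earlier slide). A second client that holds no trusted root fails the handshake, so server authenticity is checked before anything is sent. The host name, card number and request are assumptions; the exchange runs over loopback TCP.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert issues a certificate for the hypothetical host shop.example, signed
// with its own key; the client below is handed it as its only trusted root.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"shop.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// tap plays the sniffer: it records every byte the server reads off the wire.
type tap struct {
	net.Conn
	wire *bytes.Buffer
}

func (t *tap) Read(p []byte) (int, error) {
	n, err := t.Conn.Read(p)
	t.wire.Write(p[:n])
	return n, err
}

// Session runs one client/server exchange over loopback TCP and returns the request
// as the server decrypted it, the raw bytes the sniffer saw, and any client error.
// With trustServer false the client has no root for the server's certificate, so
// the handshake fails and the request is never sent.
func Session(request string, trustServer bool) (string, []byte, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	defer ln.Close()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", nil, err
	}
	defer raw.Close()
	srv, err := ln.Accept() // the dialed connection is already queued
	if err != nil {
		return "", nil, err
	}
	defer srv.Close()
	sniffer := &tap{Conn: srv, wire: &bytes.Buffer{}}
	got := make(chan string, 1) // what the server decrypted; "" if the handshake failed
	go func() {
		s := tls.Server(sniffer, &tls.Config{Certificates: []tls.Certificate{cert}})
		buf := make([]byte, 512)
		n, _ := s.Read(buf) // Read performs the handshake first; n is 0 on failure
		got <- string(buf[:n])
	}()
	roots := x509.NewCertPool()
	if trustServer {
		roots.AddCert(leaf)
	}
	c := tls.Client(raw, &tls.Config{ServerName: "shop.example", RootCAs: roots})
	if _, err := c.Write([]byte(request)); err != nil { // Write handshakes first
		return "", nil, err // e.g. "x509: certificate signed by unknown authority"
	}
	return <-got, sniffer.wire.Bytes(), nil
}

func main() {
	req := "GET /checkout?card=4111111111111111 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
	seen, wire, err := Session(req, true)
	fmt.Printf("server decrypted %q (err=%v)\n", seen, err)
	fmt.Println("card number visible on the wire:", bytes.Contains(wire, []byte("4111111111111111")))
	_, _, err = Session(req, false)
	fmt.Println("client without the root:", err)
}
```

The important check is the second call: a client that cannot build a chain to a root it trusts must abort before sending the request, because an attacker who can redirect traffic (the pharming threat above) could otherwise present any certificate and decrypt everything. A browser does the same check against its built-in root store.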
Protecting Networks: Firewalls and Proxy Servers
• Firewall: hardware or software that filters communication packets and prevents some packets from entering the network, based on a security policy
• Proxy servers: software servers that handle all communications originating from or being sent to the Internet (acting as “spokesperson” or “bodyguard” for the organization)
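Added example (not from the original slides): a small stateless packet filter in Go that evaluates a security policy the way the firewall slide describes. Rules are checked in order, the first match decides, and anything that matches no rule is dropped. The policy, the addresses (RFC 5737 documentation ranges) and the sample packets are constructed for illustration, not a real configuration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet carries the header fields a stateless packet filter decides on.
type Packet struct {
	Proto   string // "tcp", "udp", "icmp"
	Src     netip.Addr
	DstPort uint16
}

// Rule is one line of the security policy. Zero-value fields are wildcards:
// empty Proto matches any protocol, an unset Src prefix any source, DstPort 0
// any port.
type Rule struct {
	Allow   bool
	Proto   string
	Src     netip.Prefix
	DstPort uint16
	Why     string // recorded so a log entry can say which rule fired
}

func (r Rule) matches(p Packet) bool {
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if r.Src.IsValid() && !r.Src.Contains(p.Src) {
		return false
	}
	if r.DstPort != 0 && r.DstPort != p.DstPort {
		return false
	}
	return true
}

// Filter walks the policy in order; the first matching rule decides. A packet
// that matches nothing is dropped: that implicit default deny is what turns a
// list of exceptions into a policy, and it must never be replaced by default allow.
func Filter(policy []Rule, p Packet) (allow bool, why string) {
	for _, r := range policy {
		if r.matches(p) {
			return r.Allow, r.Why
		}
	}
	return false, "default deny"
}

// StorefrontPolicy is a constructed policy for an Internet-facing shop: web ports
// open to everyone, SSH only from the admin office, and packets claiming a private
// source address rejected first because they cannot legitimately arrive from the
// Internet.
var StorefrontPolicy = []Rule{
	{Allow: false, Src: netip.MustParsePrefix("10.0.0.0/8"), Why: "spoofed private source"},
	{Allow: true, Proto: "tcp", DstPort: 443, Why: "HTTPS storefront"},
	{Allow: true, Proto: "tcp", DstPort: 80, Why: "HTTP, redirected to HTTPS"},
	{Allow: true, Proto: "tcp", Src: netip.MustParsePrefix("203.0.113.0/24"), DstPort: 22, Why: "SSH from admin office"},
}

func main() {
	samples := []Packet{ // constructed traffic, not captured data
		{"tcp", netip.MustParseAddr("198.51.100.7"), 443},
		{"tcp", netip.MustParseAddr("198.51.100.7"), 22},
		{"tcp", netip.MustParseAddr("203.0.113.9"), 22},
		{"udp", netip.MustParseAddr("198.51.100.7"), 443},
		{"tcp", netip.MustParseAddr("10.1.2.3"), 443},
	}
	for _, p := range samples {
		ok, why := Filter(StorefrontPolicy, p)
		fmt.Printf("%-4s %-14s :%-4d allow=%-5v %s\n", p.Proto, p.Src, p.DstPort, ok, why)
	}
}
```

Rule order matters: the spoofed-source deny sits above the HTTPS allow, so a packet from 10.1.2.3 to port 443 is dropped even though it would match the web rule, and the UDP packet to 443 is dropped by the default because no rule admits it.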
Protecting Servers and Clients
• Operating system controls: authentication and access control mechanisms
• Anti-virus software: the easiest and least expensive way to prevent threats to system integrity; note that it only catches malware it already recognizes by signature or behaviour, so it complements rather than replaces the controls above