3. CONTENTS
INFORMATION SECURITY PROBLEM
E-COMMERCE SECURITY & LANDSCAPE
TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE
NON-TECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
THE DEFENSE: ACCESS CONTROL, ENCRYPTION, AND PKI
4. INFORMATION SECURITY PROBLEM
WHAT IS INFORMATION SECURITY?
Information security refers to a variety of activities and methods that protect information systems, data, and procedures from any action designed to destroy, modify, or degrade the systems and their operations.
It is a very broad field because of the many methods of attack as well as the many modes of defense. Attacks on and defenses of computers can affect individuals, organizations, countries, or the entire Web.
WHAT IS EC SECURITY?
E-commerce security refers to the principles that guide safe electronic transactions, allowing the buying and selling of goods and services through the Internet with protocols in place to provide safety for those involved. Successful business online depends on customers' trust that a company has e-commerce security basics in place.
5. INFORMATION SECURITY PROBLEM
WHAT IS CYBERWAR?
Cyberwarfare (or cyberwar) refers to any action by a nation-state or international organization to penetrate another nation's computer networks for the purpose of causing damage or disruption. The attack is usually carried out through viruses, DoS, or botnets.
WHAT IS CYBERESPIONAGE?
Cyberespionage is the act or practice of obtaining secrets and information, without the permission and knowledge of the holder of the information, from individuals, competitors, rivals, groups, governments and enemies for personal, economic, political or military advantage using methods on the Internet.
Cyber attacks can be classified into two major interrelated categories:
I. Corporate Espionage
II. Political Espionage and Warfare
6. INFORMATION SECURITY PROBLEM
CORPORATE ESPIONAGE
Many attacks target energy-related companies because their inside information is valuable.
Example: Nakashima (2011) reported that in November 2011, foreign hackers targeted a water plant control system in Illinois, causing the pump to fail. The attackers also gained unauthorized access to the system database.
POLITICAL ESPIONAGE AND WARFARE
Political espionage and cyberwars are increasing in magnitude. Sometimes these are related to corporate espionage.
Example: In 2014, U.S. hackers in Illinois used DDoS malware to attack the official website of the Crimean referendum. A few days later, major Russian government Web resources and state media websites were also attacked by DDoS malware.
7. THE DRIVERS OF EC SECURITY PROBLEMS
There are many drivers (and inhibitors) that can cause security problems for EC:
The Internet’s vulnerable design
The shift to profit-induced crimes
The wireless revolution
The Internet underground economy
The dynamic nature of EC systems, and the role of insiders
The sophistication of the attacks
8. BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
THE EC SECURITY BATTLEGROUND
The essence of EC security can be viewed as a battleground between attackers and defenders and the defenders' security requirements. This battleground includes the following components:
The attacks, the attackers, and their strategies
The assets that are being attacked (the targets) in vulnerable areas
The security defense, the defenders, and their methods and strategy
9. THE THREATS, ATTACKS, AND ATTACKERS
1. Unintentional threats. Categories:
Human errors
Environmental hazards
Malfunctions in the computer system
2. Intentional threats
Intentional attacks are committed by cybercriminals or hackers:
Theft of data
Inappropriate use of data
Theft of laptops and other devices to steal data
Damaging computer resources
10. BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
3. Cyber criminals
A. Hacker
A hacker is any skilled computer expert who uses their technical knowledge to overcome a problem; the word can also refer to any skilled computer programmer.
In a single phrase: someone who gains unauthorized access to a computer system.
B. Cracker (black hat)
Having gained unauthorized access, crackers destroy vital data and deny legitimate users service.
Hackers build things while crackers break things.
C. White hats
White hat hackers can be Internet security experts who are hired by companies to find vulnerabilities in their computer systems.
11. BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
D. Grey hats
Gray hat hacking does play a role in the security environment. One of the most common examples given of a gray hat hacker is someone who exploits a security vulnerability in order to spread public awareness that the vulnerability exists. In this case, experts might say that the difference between a white hat hacker and a gray hat hacker is that the gray hat hacker exploits the vulnerability publicly, which allows black hat hackers to take advantage of it.
12. BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
THE TARGETS OF THE ATTACKS IN VULNERABLE AREAS
Any part of an information system can be attacked. PCs, tablets, or smartphones can easily be stolen or attacked by viruses and/or malware.
VULNERABLE AREAS
Vulnerability information
Attacking e-mail
Attacking smartphones and wireless systems
The vulnerability of RFID chips
The vulnerabilities of business IT and e-commerce systems
13. BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
EC SECURITY REQUIREMENTS
Authentication
Authentication is a process used to verify (assure) the real identity of an EC entity, which could be an individual, software agent, computer program, or EC website.
Authorization
Authorization is the provision of permission to an authenticated person to access systems and perform certain operations in those specific systems.
Auditing
When a person or program accesses a website or queries a database, various pieces of information are recorded or logged into a file. The process of maintaining or revisiting the sequence of events during the transaction, when, and by whom, is known as auditing.
Availability
Assuring that systems and information are available to the user when needed and that the site continues to function.
14. EC DEFENSE PROGRAMS AND STRATEGY
EC Security Strategy
Information Assurance(IA)
Possible Punishment
Recovery
Different methods
Detection measures
Prevention measures
15. TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE
A technical attack is one that relies entirely on systems and software, with no human factor involved. Hackers use these methods to disrupt victims' lives.
The well-known technical attacks are:
DoS attacks
Worms
Botnets
Viruses
Trojan horses
Macro viruses
16. TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE
Denial of Service (DoS) Attack:
A denial-of-service (DoS) attack is any attack in which the attackers (hackers) attempt to prevent legitimate users from accessing a service. In a DoS attack, the attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses.
Botnets:
A botnet is a group of computers connected in a coordinated fashion for malicious purposes. Each computer in a botnet is called a bot. These bots form a network of compromised computers, which is controlled by a third party and used to transmit malware or spam, or to launch attacks.
Macro virus:
A macro virus (macro worm) is malware code that is attached to a data file rather than to an executable program (e.g., a Word file). According to Microsoft, macro viruses can attack Word files as well as any other application that uses a programming language.
17. NON-TECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
NON-TECHNICAL ATTACKS
These crimes are conducted with the help of both technical methods, such as malicious code that can access confidential information that may be used to steal money from your online bank account, and non-technical methods, such as social engineering.
SOCIAL ENGINEERING AND FRAUD
Social engineering is a set of techniques employed by cybercriminals, designed to lure unsuspecting users into sending them their confidential data, infecting their computers with malware, or opening links to infected sites.
18. NON-TECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
Social Phishing
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.
Pharming
Pharming is a cyber attack intended to redirect a website's traffic to another, fake site. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploiting a vulnerability in DNS server software.
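As an added example (not from the original slides), a defender's check for the hosts-file variant of pharming just described: it parses a hosts file and flags any watched domain that has been pinned to a non-loopback address. The sample hosts text, the watched domain names and the 203.0.113.7 address are constructed for the demo.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Constructed sample hosts file. The two 203.0.113.7 entries are the kind of line a
// pharming attack plants so a trusted name resolves to a server the attacker controls.
const sampleHosts = `127.0.0.1   localhost
# added by installer
203.0.113.7  www.example-bank.test example-bank.test
10.0.0.5     intranet.corp.test
203.0.113.7  shop.example.test
`

// Finding is one hosts entry that overrides a name on the watch list.
type Finding struct{ Line int; Name, Target string }

// ScanHosts parses hosts-file text ("<address> <name> [alias...]", '#' starts a comment)
// and reports every watched domain, or subdomain of one, pinned to a non-loopback address.
func ScanHosts(text string, watch []string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		ip := net.ParseIP(fields[0])
		if ip == nil || ip.IsLoopback() {
			continue // malformed line, or a harmless localhost mapping
		}
		for _, name := range fields[1:] {
			for _, w := range watch {
				if name == w || strings.HasSuffix(name, "."+w) {
					out = append(out, Finding{n, name, fields[0]})
				}
			}
		}
	}
	return out
}

func main() {
	for _, f := range ScanHosts(sampleHosts, []string{"example-bank.test", "example.test"}) {
		fmt.Printf("line %d: %s pinned to %s (possible pharming)\n", f.Line, f.Name, f.Target)
	}
}
```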
19. THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
THE INFORMATION ASSURANCE MODEL
The information assurance model is an extension of the original 1991 McCumber INFOSEC model. It expands the coverage, responsibilities and accountability of security professionals and also establishes an additional view of the states of information.
The security model is based on three dimensions:
Availability
Integrity
Confidentiality
20. E-COMMERCE SECURITY STRATEGY
E-commerce needs to address the IA model and its components.
The phases of security defense:
Prevention and deterrence
Initial response
Detection
Containment
Eradication
Recovery
21. THE DEFENSE: ACCESS CONTROL, ENCRYPTION AND PKI
ACCESS CONTROL
Access control is a security technique that regulates who or what can view or use resources in a computing environment.
It is a fundamental concept in security that minimizes risk to the business or organization.
After a user has been identified, the user must be authenticated.
A resource refers to hardware, software, Web pages, text files, databases, applications, servers, printers, or any other information source or network component.
Typically, access control defines the rights that specific users with access may have with respect to those resources (i.e., read, view, write, print, copy, delete, execute, modify, or move).
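An added example, not part of the original slides, of the sequence this slide describes: the user is authenticated, then authorized against an access-control matrix of rights (read, write, delete, ...), and every decision is logged as the auditing requirement asks. The users, passwords and resource name are constructed, and the demo password hashing is a stand-in for a real password hash.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// AuditRecord holds what auditing asks for: who, which right, on which resource, when, and the outcome.
type AuditRecord struct {
	When                  time.Time
	User, Right, Resource string
	Allowed               bool
}

// Store keeps credentials and an access-control matrix (resource -> user -> rights granted); anything not listed is denied.
type Store struct {
	creds map[string][32]byte
	acl   map[string]map[string]map[string]bool
	Audit []AuditRecord
}

// hashPw is demo-only (salted SHA-256, fixed salt); a real system uses bcrypt/scrypt/argon2 with a per-user salt.
func hashPw(pw string) [32]byte { return sha256.Sum256([]byte("demo-salt:" + pw)) }
// Authenticate verifies the claimed identity; the constant-time compare avoids leaking the hash through timing.
func (s *Store) Authenticate(user, pw string) bool {
	want, ok := s.creds[user]
	got := hashPw(pw)
	return ok && subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

// Access runs the slide's sequence: authenticate, then authorize against the matrix, and log the decision either way.
func (s *Store) Access(user, pw, right, resource string) bool {
	allowed := s.Authenticate(user, pw) && s.acl[resource][user][right]
	s.Audit = append(s.Audit, AuditRecord{time.Now(), user, right, resource, allowed})
	return allowed
}

func NewDemoStore() *Store { // constructed two-user store for the example
	return &Store{
		creds: map[string][32]byte{"alice": hashPw("correct horse"), "bob": hashPw("hunter2")},
		acl: map[string]map[string]map[string]bool{
			"orders.db": {"alice": {"read": true, "write": true}, "bob": {"read": true}},
		},
	}
}

func main() {
	s := NewDemoStore()
	s.Access("bob", "hunter2", "read", "orders.db")   // allowed
	s.Access("bob", "hunter2", "delete", "orders.db") // denied: right never granted
	s.Access("alice", "wrong", "read", "orders.db")   // denied: authentication failed
	fmt.Printf("%+v\n", s.Audit)
}
```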
22. ENCRYPTION AND THE ONE-KEY (SYMMETRIC) SYSTEM
Encryption is a process that encodes a message or file so that it can only be read by certain people; the encoded result is called ciphertext.
Encryption has two basic options: the symmetric system, with one secret key, and the asymmetric system, with two keys.
Two types of cipher:
Substitution cipher
Transposition cipher
23. Encryption can provide four dimensions of e-commerce security:
1. Integrity:
The assurance that data are accurate and that they cannot be altered. The integrity attribute needs to be able to detect and prevent the unauthorized creation, modification, or deletion of data or messages in transit.
2. Non-repudiation (close to authentication):
The assurance that online customers or trading partners will not be able to falsely deny their purchase, transaction, sale, or other obligation.
3. Authentication:
A process used to verify (assure) the real identity of an EC entity, which could be an individual, software agent, computer program, or EC website.
4. Confidentiality:
Gives assurance that the message was not read by others.
24. What is Symmetric Encryption?
Symmetric encryption is a type of encryption where only one key (a secret key) is used to both encrypt and decrypt electronic information.
The entities communicating via symmetric encryption must exchange the key so that it can be used in the decryption process.
In practice, this means that the sender or their network administrator must first generate a key and then transmit it to the recipient before encrypting the file and uploading it.
What is Public Key Encryption?
Public-key encryption is a cryptographic system that uses two keys: a public key known to everyone and a private or secret key known only to the recipient of the message.
Public key cryptography allows someone to send their public key over an open, insecure channel. Having a friend's public key allows you to encrypt messages to them. Your private key is used to decrypt messages encrypted to you.
25. THE DEFENSE: ACCESS CONTROL, ENCRYPTION AND PKI
Digital Envelopes
A digital envelope is a secure electronic data container that is used to protect a message through encryption and data authentication.
A digital envelope allows users to encrypt data with the speed of secret key encryption and the convenience and security of public key encryption.
26. Digital Certificates
Digital certificates are a means by which consumers and businesses can utilize the security applications of Public Key Infrastructure (PKI).
PKI comprises the technology that enables secure e-commerce and Internet-based communication.
27. Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
SSL is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and its integrity is preserved.
SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers.
Transport Layer Security (TLS) is a protocol that provides communication security between client/server applications that communicate with each other over the Internet.
It enables privacy, integrity and protection for the data that is transmitted between different nodes on the Internet.
Editor's Notes
They never damage the data intentionally.
Crackers can be easily identified.
A vulnerability is a weakness in the system that an attacker finds and then exploits. Vulnerabilities create opportunities for attackers to damage information systems.
One of the easiest places to attack is a user's e-mail, since it travels via the unsecured Internet. One example is the case of former candidate for U.S. Vice President Sarah Palin, whose e-mail was hacked in March 2008.
Since mobile devices are more vulnerable than wired systems, attacking smartphones and wireless systems is becoming popular due to the explosive growth of mobile computing.
These chips are embedded everywhere, including in credit cards and U.S. passports. Cards are designed to be read from some distance (contactless), which also creates a vulnerability.
Example: when you carry a credit card in your wallet or pocket, anyone with an RFID reader that gets close enough to you may be able to read the RFID information on your card.
insufficient use of security programs and firewalls) and organizational weaknesses (e.g., lack of user training and security awareness, and an insider who steals data and engages in inappropriate use of business computers).
E-Mail Scams
Hackers hack into your e-mail account, finding who your contacts are and their e-mail addresses. They then send out an e-mail to you from people on the list. Alternatively, hackers get into your friend's e-mail account and find that you are one of their contacts. Then they send you a request for help.
Confidentiality
is the assurance of data secrecy and privacy. Namely, the data is disclosed only to authorized people. Confidentiality is achieved by using several methods, such as encryption and passwords.
Integrity
is the assurance that data are accurate and that they cannot be altered. The integrity attribute needs to be able to detect and prevent the unauthorized creation, modification, or deletion of data or messages in transit.
Availability
is the assurance that access to any relevant data, information websites, or other EC services and their use is available in real time, whenever and wherever needed. The information must be reliable.
1. Prevention and deterrence (preparation).
Good controls may prevent criminal activities as well as human error from occurring. Controls can also deter criminals from attacking computerized systems and deny access to unauthorized human intruders. Also, necessary tools need to be acquired.
2. Initial response.
The first thing to do is to verify whether there is an attack. If so, determine how the intruder gained access to the system and which systems and data are infected or corrupted.
3. Detection.
The earlier an attack is detected, the easier it is to fix the problem, and the smaller the amount of damage done. Detection can be executed by using inexpensive or free intrusion detection software.
4. Containment (contain the damage).
The objective is to minimize or limit losses once a malfunction has occurred. It is also called damage control. Damage control can be done, for example, by using fault-tolerant hardware and software that enable operation in a satisfactory, but not optimal, mode until full recovery is made.
5. Eradication.
Remove the malware from infected hosts.
6. Recovery.
Recovery needs to be planned for to assure a quick return to normal operations at a reasonable cost. One option is to replace parts rather than to repair them. Functionality of data should also be restored.
7. Correction.
Finding the causes of damaged systems and fixing them will prevent future occurrences.
8. Awareness and compliance.
All organization members must be educated about possible hazards and must comply with the security rules and regulations.
Substitution cipher
Every occurrence of a given letter is replaced systematically by another letter.
Transposition cipher
The ordering of the letters in each word is changed in some systematic way.
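An added example, not from the original slides, implementing the two cipher types named on slide 22 and defined in these notes: a monoalphabetic substitution (every letter replaced by the letter at the same position in a 26-letter key alphabet) and a columnar transposition (letters keep their identity but change position, with X padding). The key and the messages are constructed for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
// Substitute applies a monoalphabetic substitution: the letter at position i of the plain
// alphabet becomes the letter at position i of key (a permutation); decrypt=true inverts it.
func Substitute(text, key string, decrypt bool) string {
	from, to := alphabet, key
	if decrypt {
		from, to = key, alphabet
	}
	var sb strings.Builder
	for _, r := range strings.ToUpper(text) {
		if i := strings.IndexRune(from, r); i >= 0 {
			r = rune(to[i]) // letters are mapped; spaces and punctuation pass through
		}
		sb.WriteRune(r)
	}
	return sb.String()
}

// TransposeEncrypt is a columnar transposition: the message (spaces removed) is written
// row by row into cols columns, padded with X to fill the last row, and read column by column.
func TransposeEncrypt(text string, cols int) string {
	s := strings.ToUpper(strings.ReplaceAll(text, " ", ""))
	for len(s)%cols != 0 {
		s += "X"
	}
	rows := len(s) / cols
	out := make([]byte, 0, len(s))
	for c := 0; c < cols; c++ {
		for r := 0; r < rows; r++ {
			out = append(out, s[r*cols+c])
		}
	}
	return string(out)
}

// TransposeDecrypt refills the grid column by column, reads it row by row and strips the X padding
// (so a message that genuinely ends in X loses that X).
func TransposeDecrypt(ciphertext string, cols int) string {
	rows := len(ciphertext) / cols
	out := make([]byte, len(ciphertext))
	for i := range out {
		out[(i%rows)*cols+i/rows] = ciphertext[i]
	}
	return strings.TrimRight(string(out), "X")
}

func main() {
	fmt.Println(Substitute("ATTACK AT DAWN", "QWERTYUIOPASDFGHJKLZXCVBNM", false), TransposeEncrypt("ATTACK AT DAWN", 4))
}
```

Substitution preserves the plaintext's letter frequencies (the four A's become four Q's), which is why these classical ciphers illustrate the idea of encryption but offer no real protection.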