LECTURER IN CHARGE : M. FATHIMA RASHIDA
MIT 31053
GROUP MEMBERS
• SEU/IS/15/MIT/083
• SEU/IS/15/MIT/096
• SEU/IS/15/MIT/071
• SEU/IS/15/MIT/108
• SEU/IS/15/MIT/009
• SEU/IS/15/MIT/035
• SEU/IS/15/MIT/047
• SEU/IS/15/MIT/059
• SEU/IS/15/MIT/036
CONTENTS
 INFORMATION SECURITY PROBLEM
 E-COMMERCE SECURITY & LANDSCAPE
 TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE
 NON-TECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
 THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
 THE DEFENSE: ACCESS CONTROL, ENCRYPTION, AND PKI
INFORMATION SECURITY PROBLEM
WHAT IS INFORMATION SECURITY?
 Information security refers to a variety of activities and methods that protect information systems, data, and procedures from any action designed to destroy, modify, or degrade the systems and their operations.
 It is a very broad field because there are many methods of attack as well as many modes of defense. Attacks on, and defenses for, computers can affect individuals, organizations, countries, or the entire Web.
WHAT IS EC SECURITY?
 E-commerce security refers to the principles that guide safe electronic transactions: buying and selling goods and services over the Internet with protocols in place to protect those involved. A successful online business depends on customers trusting that the company has the basics of e-commerce security in place.
WHAT IS CYBERWAR?
 Cyberwarfare (cyberwar) refers to any action by a nation-state or international organization to penetrate another nation's computer networks for the purpose of causing damage or disruption. The attack is usually carried out through viruses, DoS, or botnets.
WHAT IS CYBERESPIONAGE?
 Cyberespionage is the act or practice of obtaining secrets and information, without the permission and knowledge of the holder of the information, from individuals, competitors, rivals, groups, governments, and enemies for personal, economic, political, or military advantage using methods on the Internet.
 Cyber attacks can be classified into two major, interrelated categories:
I. Corporate Espionage
II. Political Espionage and Warfare
CORPORATE ESPIONAGE
 Many attacks target energy-related companies because their inside information is valuable.
Example: Nakashima (2011) reported that in November 2011, foreign hackers targeted a water plant control system in Illinois, causing the pump to fail. The attackers also gained unauthorized access to the system database.
POLITICAL ESPIONAGE AND WARFARE
 Political espionage and cyberwars are increasing in magnitude. Sometimes they are related to corporate espionage.
Example: In 2014, U.S. hackers in Illinois used DDoS malware to attack the official website of the Crimean referendum. A few days later, major Russian government Web resources and state media websites were also attacked by DDoS malware.
THE DRIVERS OF EC SECURITY PROBLEMS
There are many drivers (and inhibitors) that can cause security problems for EC:
 The Internet’s vulnerable design
 The shift to profit-induced crimes
 The wireless revolution
 The Internet underground economy
 The dynamic nature of EC systems, and the role of insiders
 The sophistication of the attacks
BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
THE EC SECURITY BATTLEGROUND
The essence of EC security can be viewed as a battleground between attackers and defenders, shaped by the defenders' security requirements. This battleground includes the following components:
 The attacks, the attackers, and their strategies
 The assets that are being attacked (the targets) in vulnerable areas
 The security defense, the defenders, and their methods and strategy
THE THREATS, ATTACKS, AND ATTACKERS
1. Unintentional Threats Categories:
 Human errors
 Environmental Hazards
 Malfunctions in the Computer System
2. Intentional threats
 Intentional attacks are committed by cyber criminals or hackers, for example:
 Theft of data
 Inappropriate use of data
 Theft of laptops and other devices to steal data
 Damaging computer resources
3. Cyber criminals
A. Hacker
 A hacker is any skilled computer expert who uses technical knowledge to overcome a problem; the term can also refer to any skilled computer programmer.
 In a single phrase: someone who gains unauthorized access to a computer system.
B. Cracker (black hat)
 Having gained unauthorized access, crackers destroy vital data and deny services to legitimate users.
 Hackers build things, while crackers break things.
C. White hats
 White hat hackers can be Internet security experts who are hired by companies to find vulnerabilities in their computer systems.
D. Gray hats
 Gray hat hacking does play a role in the security environment. One of the most common examples given of a gray hat hacker is someone who exploits a security vulnerability in order to spread public awareness that the vulnerability exists. In this case, experts might say that the difference between a white hat hacker and a gray hat hacker is that the gray hat hacker exploits the vulnerability publicly, which allows black hat hackers to take advantage of it.
THE TARGETS OF THE ATTACKS IN VULNERABLE AREAS
 Any part of an information system can be attacked. PCs, tablets, or smartphones can easily be stolen or attacked by viruses and/or other malware.
 VULNERABLE AREAS
 Vulnerability information
 Attacks on e-mail
 Attacks on smartphones and wireless systems
 The vulnerability of RFID chips
 The vulnerabilities of business IT and e-commerce systems
EC SECURITY REQUIREMENTS
 Authentication
Authentication is a process used to verify (assure) the real identity of an EC entity, which could be an
individual, software agent, computer program, or EC website.
 Authorization
Authorization is the provision of permission to an authenticated person to access systems and perform certain
operations in those specific systems.
 Auditing
When a person or program accesses a website or queries a database, various pieces of information are recorded or logged to a file. The process of maintaining or revisiting the sequence of events during the transaction (what happened, when, and by whom) is known as auditing.
 Availability
Assuring that systems and information are available to the user when needed and that the site continues to
function.
EC DEFENSE PROGRAMS AND STRATEGY
 EC Security Strategy
 Information Assurance(IA)
 Possible Punishment
 Recovery
 Different methods
 Detection measures
 Prevention measures
TECHNICAL MALWARE ATTACK METHODS FROM VIRUSES TO DENIAL OF SERVICE
 A technical attack relies entirely on systems and software; no human factor is involved.
 Hackers use these methods to disrupt people's lives.
 The famous technical attacks are:
 DoS Attack
 Worms
 Botnets
 Virus Threat
 Trojan Horses
 Macro virus
 Denial of Service (DoS) Attack:
A denial-of-service (DoS) attack is any type of attack in which the attackers (hackers) attempt to prevent legitimate users from accessing the service. In a DoS attack, the attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses.
 Botnets:
A botnet is a group of computers connected in a coordinated fashion for malicious purposes. Each computer in a botnet is
called a bot. These bots form a network of compromised computers, which is controlled by a third party and used to transmit
malware or spam, or to launch attacks.
 Macro virus
A macro virus (macro worm) is malware code that is attached to a data file (e.g., a Word file) rather than to an executable program. According to Microsoft, macro viruses can attack Word files as well as any other application that uses a programming language.
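The DoS definition above describes the attacker's side; the defender's first signal is usually a per-source request-rate check over the web server's access log. The following is an added example, not code from the slides: it parses constructed access-log lines (the IP addresses are from documentation ranges) and reports any source whose request count inside a sliding window exceeds a threshold.

```python
"""Rate-based flood detection over web-server access-log lines.

Added example (not from the slides); the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined"-style line; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one source (203.0.113.9) fires 30 requests in three seconds,
# two ordinary visitors make a handful of requests, and one line is corrupt.
SAMPLE_LOG = [
    f'203.0.113.9 - - [10/Oct/2023:13:55:{36 + i // 10:02d} +0000] "GET /login HTTP/1.1" 200 512'
    for i in range(30)
] + [
    '198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /cart HTTP/1.1" 200 1024',
    '192.0.2.77 - - [10/Oct/2023:13:55:41 +0000] "POST /checkout HTTP/1.1" 302 0',
    'this line is not a valid access-log record',
]


def parse_line(line):
    """Return {ip, ts, request, status} for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def find_flooders(lines, window_seconds=10, threshold=20):
    """Map each source IP to its peak request count inside any sliding window of
    `window_seconds`, keeping only sources whose peak exceeds `threshold`."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec["ts"])

    flooders = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window's left edge until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flooders[ip] = peak
    return flooders


if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE_LOG).items():
        print(f"possible flood from {ip}: {peak} requests within 10 s")
```

This catches a single noisy source. A botnet-driven flood (next item) or one built on forged return addresses, as the slide describes, spreads the load over many apparent sources, so the same sliding-window count has to be applied to aggregate counters (per path, per network block, or total) rather than per IP.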
NON-TECHNICAL METHODS FROM PHISHING TO SPAM AND FRAUD
NON TECHNICAL ATTACKS
These crimes are conducted with the help of both technical methods, such as malicious code that can access confidential information which may then be used to steal money from your online bank account, and non-technical methods, such as social engineering.
SOCIAL ENGINEERING AND FRAUD
Social engineering is a set of techniques employed by cybercriminals to lure unsuspecting users into sending them confidential data, infecting their computers with malware, or opening links to infected sites.
 Social Phishing
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card
numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message,
or text message.
 Pharming
Pharming is a cyber attack intended to redirect a website’s traffic to another, fake site. Pharming can be conducted either by
changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS Server software.
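Of the two pharming routes named above, the hosts-file edit is the one a defender can check directly on the endpoint, because the resolver consults that file before it ever asks DNS. The code below is an added example, not from the slides: it parses a constructed hosts file and flags any monitored domain mapped to a non-loopback address; the monitored-domain list is an assumption.

```python
"""Local pharming check: flag hosts-file entries that override monitored domains.

Added example (not from the slides); the hosts text and monitored list are constructed."""
import ipaddress
import sys

# Constructed: domains an organisation would watch (its bank, its own shop front).
MONITORED = {"bank.example", "www.bank.example", "shop.example"}

# Constructed sample hosts file. The 203.0.113.50 line is the pharming override.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
::1          localhost ip6-localhost
0.0.0.0      ads.tracker.example          # ad blocklist entry, harmless
203.0.113.50 www.bank.example bank.example # monitored names sent to a foreign host
192.0.2.10   intranet.corp.example
not-an-ip    shop.example                 # malformed, ignored by the resolver
127.0.0.1    shop.example                 # loopback: blocks the site, does not redirect it
"""

HOSTS_PATHS = {"win32": r"C:\Windows\System32\drivers\etc\hosts"}  # others: /etc/hosts


def parse_hosts(text):
    """Return [(ip_address, hostname), ...]; handles comments, blank lines,
    IPv6 addresses and lines that list several names for one address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a usable mapping
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text, monitored=MONITORED):
    """Return [(hostname, ip_string), ...] for monitored names mapped to a
    non-loopback address, i.e. traffic redirected to another machine."""
    return [
        (name, str(ip))
        for ip, name in parse_hosts(text)
        if name in monitored and not ip.is_loopback
    ]


def check_local_hosts_file(path=None):
    """Read this machine's hosts file and return its suspicious entries."""
    path = path or HOSTS_PATHS.get(sys.platform, "/etc/hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts file redirects {name} to {ip}")
```

Loopback mappings are deliberately not flagged: ad-blocking lists map unwanted names to 127.0.0.1 or 0.0.0.0 all the time, and such an entry blocks the site rather than redirecting the user. The DNS-server route mentioned on the slide leaves no trace in this file, so it needs a different check (comparing answers from the local resolver against an independent resolver).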
THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
THE INFORMATION ASSURANCE MODEL
 The information assurance model is an extension of the original 1991 McCumber INFOSEC model.
 It expands the coverage, responsibilities, and accountability of security professionals, and also establishes an additional view of the states of information.
 The security model is based on three dimensions:
 Availability
 Integrity
 Confidentiality
E-COMMERCE SECURITY STRATEGY
E-commerce security needs to address the IA model and its components.
 The phases of security defense:
 Prevention and deterrence
 Initial response
 Detection
 Containment
 Eradication
 Recovery
THE DEFENSE: ACCESS CONTROL, ENCRYPTION, AND PKI
ACCESS CONTROL
 Access control is a security technique that regulates who or what can view or use resources in a computing environment.
 It is a fundamental concept in security that minimizes risk to the business or organization.
 After a user has been identified, the user must be authenticated.
 A resource refers to hardware, software, Web pages, text files, databases, applications, servers, printers, or any other information source or network component.
 Typically, access control defines the rights that specific users with access may have with respect to those resources (i.e., read, view, write, print, copy, delete, execute, modify, or move).
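The EC security requirements listed earlier (authentication, authorization, auditing) and the access-control rights named here are one flow in practice: prove who the user is, look the rights up with deny as the default, and log the decision. The following is an added example, not the slides' or any product's code; the users, passwords, resource names and rights are constructed.

```python
"""Authentication, authorization and auditing as one access-control flow.

Added example (not from the slides); users, resources and rights are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

RIGHTS = {"read", "view", "write", "print", "copy", "delete", "execute", "modify", "move"}
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# Checked against when the username is unknown, so a failed login costs the same time
# whether or not the account exists (no user enumeration through response timing).
DUMMY_RECORD = hash_password(os.urandom(8).hex())


class AccessControl:
    def __init__(self):
        self.users = {}       # username -> password record
        self.acl = {}         # (username, resource) -> set of granted rights
        self.audit_log = []   # one entry per authentication or authorization decision

    def add_user(self, name, password):
        self.users[name] = hash_password(password)

    def grant(self, name, resource, *rights):
        unknown = set(rights) - RIGHTS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self.acl.setdefault((name, resource), set()).update(rights)

    def authenticate(self, name, password):
        """After identification (the username), prove the identity."""
        record = self.users.get(name, DUMMY_RECORD)
        ok = verify_password(password, record) and name in self.users
        self._audit("login", name, None, ok)
        return ok

    def authorize(self, name, resource, right):
        """Deny by default: no ACL entry for (user, resource) means no rights at all."""
        ok = right in self.acl.get((name, resource), set())
        self._audit(right, name, resource, ok)
        return ok

    def access(self, name, password, resource, right):
        return self.authenticate(name, password) and self.authorize(name, resource, right)

    def _audit(self, action, who, resource, allowed):
        # The audit trail: what was attempted, on which resource, when, by whom, and the outcome.
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": who, "what": action, "resource": resource, "allowed": allowed,
        })


def build_demo():
    """Constructed tenant: alice may read and write orders, bob may only read them."""
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple")
    ac.add_user("bob", "hunter2")
    ac.grant("alice", "orders.db", "read", "write")
    ac.grant("bob", "orders.db", "read")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print(ac.access("bob", "hunter2", "orders.db", "write"))  # denied: bob has read only
    for entry in ac.audit_log:
        print(entry)
```

Two design points carry over to real systems: the ACL lookup falls through to an empty set, so a missing entry can never be read as "allowed", and every decision is logged whether it succeeded or not, because the denied attempts are the ones an auditor wants to see.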
ENCRYPTION AND THE ONE-KEY (SYMMETRIC) SYSTEM
 Encryption is a process that encodes a message or file so that it can only be read by certain people; the encoded output is called ciphertext.
 Encryption has two basic options: the symmetric system, with one secret key, and the asymmetric system, with two keys.
Two classical cipher types:
Substitution cipher
Transposition cipher
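The two cipher types just named differ in what they change: a substitution replaces each letter, a transposition keeps the letters and moves them. The code below is an added example, not from the slides, implementing a monoalphabetic substitution and a columnar transposition with their inverses; the keys and the message are constructed, and the letter-profile helper shows the fingerprint each cipher leaves for an analyst.

```python
"""Substitution versus transposition, the two classical cipher types named above.

Added example (not from the slides); keys and plaintext are constructed and
neither cipher is fit for real use."""
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def check_substitution_key(key):
    if sorted(key) != list(ALPHABET):
        raise ValueError("substitution key must be a permutation of A-Z")


def substitution_encrypt(plaintext, key):
    """Map A->key[0], B->key[1], ...; non-letters pass through unchanged."""
    check_substitution_key(key)
    return plaintext.upper().translate(str.maketrans(ALPHABET, key))


def substitution_decrypt(ciphertext, key):
    check_substitution_key(key)
    return ciphertext.translate(str.maketrans(key, ALPHABET))


def _column_order(key):
    # Columns are read in alphabetical order of the key letters; ties by position.
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def transposition_encrypt(plaintext, key):
    """Columnar transposition: write the text in rows of len(key), pad the last
    row with X, then read the columns out in key order."""
    text = plaintext.upper().replace(" ", "")
    cols = len(key)
    text += "X" * ((-len(text)) % cols)
    return "".join(text[c::cols] for c in _column_order(key))


def transposition_decrypt(ciphertext, key):
    cols = len(key)
    rows = len(ciphertext) // cols
    columns = [""] * cols
    for slot, c in enumerate(_column_order(key)):
        columns[c] = ciphertext[slot * rows:(slot + 1) * rows]
    return "".join(columns[c][r] for r in range(rows) for c in range(cols))


def letter_profile(text):
    """Letter counts sorted high to low, ignoring which letter is which. A substitution
    preserves this profile exactly; a transposition preserves the letters themselves."""
    return sorted(Counter(ch for ch in text.upper() if ch in ALPHABET).values(), reverse=True)


SUB_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"   # constructed permutation of A-Z
TRANS_KEY = "ZEBRA"                      # constructed keyword
MESSAGE = "ATTACK AT DAWN"

if __name__ == "__main__":
    s = substitution_encrypt(MESSAGE, SUB_KEY)
    t = transposition_encrypt(MESSAGE, TRANS_KEY)
    print("substitution :", s, letter_profile(s))
    print("transposition:", t, sorted(t.rstrip("X")))
```

The profile is the point of the example: the substitution ciphertext has exactly the plaintext's letter-frequency shape, and the transposition ciphertext is an anagram of the plaintext, which is why each can be broken on its own and why modern ciphers combine both operations many times over.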
Encryption can provide four dimensions of e-commerce security:
1. Integrity:
The assurance that data are accurate and that they cannot be altered. The integrity attribute needs to be able to
detect and prevent the unauthorized creation, modification, or deletion of data or messages in transit.
2. Nonrepudiation (closely related to authentication):
The assurance that online customers or trading partners will not be able to falsely deny their purchase, transaction, sale, or other obligation.
3. Authentication:
A process used to verify (assure) the real identity of an EC entity, which could be an individual, software agent,
computer program, or EC website.
4. Confidentiality:
Give assurance that the message was not read by others.
What is Symmetric Encryption?
 Symmetric encryption is a type of encryption where only one key (a secret key) is used to both encrypt and decrypt electronic information.
 The entities communicating via symmetric encryption must exchange the key so that it can be used in the decryption process.
 In practice, this means that the sender or their network administrator must first generate a key and then transmit it to the recipient before encrypting the file and uploading it.
What is Public Key Encryption?
 Public-key encryption is a cryptographic system that uses two keys: a public key known to everyone and a private or secret key known only to the recipient of the message.
 Public key cryptography allows someone to send their public key over an open, insecure channel. Having a friend's public key allows you to encrypt messages to them. Your private key is used to decrypt messages encrypted to you.
Digital Envelopes
 A digital envelope is a secure electronic data container that is used to protect a message through encryption and data authentication.
 A digital envelope allows users to encrypt data with the speed of secret key encryption and the convenience and security of public key encryption.
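The symmetric and public-key passages above and the digital envelope come together in one construction: a fresh symmetric session key encrypts the bulk data, the recipient's public key wraps only that session key, and a MAC supplies the data authentication the slide mentions. The following is an added example, not code from the slides or from any library. It uses the Python standard library only, so two stand-ins are used and labelled as such: a textbook RSA keypair generated on the fly instead of a real RSA-OAEP or ECDH key wrap, and an HMAC-SHA256 counter-mode keystream instead of AES; the message is constructed.

```python
"""Digital envelope: seal with a symmetric session key, wrap the key with the
recipient's public key, authenticate the result with a MAC.

Added example (not from the slides). Textbook RSA (no padding) and an HMAC-based
keystream are stand-ins for RSA-OAEP/ECDH and AES, which the stdlib does not provide."""
import hashlib
import hmac
import math
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits=512):
    """Textbook RSA: enough to wrap one random 256-bit key in this demo, not a
    substitute for RSA-OAEP. Returns ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def keystream_xor(key, nonce, data):
    """Stream cipher from a PRF: keystream block i = HMAC(key, nonce || i); XOR is its own inverse."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)


def _derive(session_key):
    # Separate encryption and authentication keys, both derived from the one session key.
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())


def seal(message, public_key):
    e, n = public_key
    session_key = secrets.token_bytes(32)                      # the fast, symmetric part
    nonce = secrets.token_bytes(12)
    enc_key, mac_key = _derive(session_key)
    ciphertext = keystream_xor(enc_key, nonce, message)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)    # the public-key part
    return {"wrapped_key": wrapped, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_envelope(envelope, private_key):
    d, n = private_key
    session_key = pow(envelope["wrapped_key"], d, n).to_bytes(32, "big")
    enc_key, mac_key = _derive(session_key)
    expected = hmac.new(mac_key, envelope["nonce"] + envelope["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):    # check before decrypting
        raise ValueError("envelope failed authentication")
    return keystream_xor(enc_key, envelope["nonce"], envelope["ciphertext"])


def opens_cleanly(envelope, private_key):
    """True if the envelope authenticates and decrypts; False if it was tampered with
    or was sealed for a different recipient (wrong key yields junk or an oversize int)."""
    try:
        open_envelope(envelope, private_key)
        return True
    except (ValueError, OverflowError):
        return False
```

The order of operations in `open_envelope` is the detail worth keeping: the tag is verified before any decryption happens, so a modified ciphertext or a wrong recipient key is rejected without ever handing unauthenticated plaintext to the caller.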
Digital Certificates
 Digital certificates are a means by which consumers and businesses can use the security applications of a Public Key Infrastructure (PKI).
 PKI comprises the technology that enables secure e-commerce and Internet-based communication.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
 SSL is the standard security technology for establishing an encrypted link between a web server and a browser.
 This link ensures that all data passed between the web server and browsers remain private and unaltered.
 SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers.
 Transport Layer Security (TLS) is a protocol that provides communication security between client/server applications that communicate with each other over the Internet.
 It provides privacy, integrity, and protection for the data transmitted between different nodes on the Internet.
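Whether the link is in fact private and integrity-protected depends on three client settings: the server's digital certificate (previous section) is verified, it is matched against the host name, and old protocol versions are refused. The following is an added example, not from the slides: a hardened client context next to the weakened one often copied to silence certificate errors, an audit function that reports which of the three settings is missing, and a connection helper; the host name in the demo is an assumption.

```python
"""Client-side TLS configuration and a check of its three security-relevant settings.

Added example (not from the slides); the demo host name is an assumption."""
import socket
import ssl


def hardened_client_context():
    """System CA store, CERT_REQUIRED and host-name checking come from
    create_default_context(); the version floor is set explicitly."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context():
    """The weakened configuration: the link is still encrypted, but any server
    (including an interceptor presenting its own certificate) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


def describe_connection(host, port=443, ctx=None):
    """Handshake with `host` and report the negotiated version, cipher and peer subject."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "subject": cert.get("subject")}


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "ok")
    print("legacy  :", audit_context(legacy_client_context()))
    print(describe_connection("www.example.com"))  # assumed reachable host
```

`audit_context` is the piece to reuse: run it against the contexts an application actually builds (or against the one a library hands back) to catch a `CERT_NONE` that was meant to be temporary.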
E-COMMERCE SECURITY, FRAUD ISSUES AND PROTECTIONS

Mais conteúdo relacionado

Mais procurados (20)

cyber crime and privacy issues by varun call for assistence 8003498888
 cyber crime and privacy issues  by varun call for assistence 8003498888 cyber crime and privacy issues  by varun call for assistence 8003498888
cyber crime and privacy issues by varun call for assistence 8003498888
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and Security
 
E-Commerce security
E-Commerce security E-Commerce security
E-Commerce security
 
Cybercrime: A Seminar Report
Cybercrime: A Seminar ReportCybercrime: A Seminar Report
Cybercrime: A Seminar Report
 
e commerce security and fraud protection
e commerce security and fraud protectione commerce security and fraud protection
e commerce security and fraud protection
 
Cyber Security Presentation
Cyber Security PresentationCyber Security Presentation
Cyber Security Presentation
 
Cyber Crime
Cyber  CrimeCyber  Crime
Cyber Crime
 
cyber security.pdf
cyber security.pdfcyber security.pdf
cyber security.pdf
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cyber security
Cyber securityCyber security
Cyber security
 
presentation on cyber crime and security
presentation on cyber crime and securitypresentation on cyber crime and security
presentation on cyber crime and security
 
cyber crime & cyber law
cyber crime & cyber lawcyber crime & cyber law
cyber crime & cyber law
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Basics of Network Security
Basics of Network SecurityBasics of Network Security
Basics of Network Security
 
What is Phishing and How can you Avoid it?
What is Phishing and How can you Avoid it?What is Phishing and How can you Avoid it?
What is Phishing and How can you Avoid it?
 
Cyber security & Data Protection
Cyber security & Data ProtectionCyber security & Data Protection
Cyber security & Data Protection
 
Security issue in e commerce
Security issue in e commerceSecurity issue in e commerce
Security issue in e commerce
 

Semelhante a E-COMMERCE SECURITY, FRAUD ISSUES AND PROTECTIONS

Semelhante a E-COMMERCE SECURITY, FRAUD ISSUES AND PROTECTIONS (20)

Cyber Security.docx
Cyber Security.docxCyber Security.docx
Cyber Security.docx
 
Different Types Of Cyber Security Threats
Different Types Of Cyber Security ThreatsDifferent Types Of Cyber Security Threats
Different Types Of Cyber Security Threats
 
Mis security system threads
Mis security system threadsMis security system threads
Mis security system threads
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Cyber crime & security
Cyber crime & security Cyber crime & security
Cyber crime & security
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanan
 
CyberSecurity.pdf
CyberSecurity.pdfCyberSecurity.pdf
CyberSecurity.pdf
 
THESIS-2(2)
THESIS-2(2)THESIS-2(2)
THESIS-2(2)
 
C018131821
C018131821C018131821
C018131821
 
Implications of Misuse and Cyber Security.pdf
Implications of Misuse and Cyber Security.pdfImplications of Misuse and Cyber Security.pdf
Implications of Misuse and Cyber Security.pdf
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docxThe uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
The uniqueness of the text61.5SHOW ALL MATCHESPage addre.docx
 
cyber security
cyber security cyber security
cyber security
 
Computer-Security.pptx
Computer-Security.pptxComputer-Security.pptx
Computer-Security.pptx
 
Module 1.pdf
Module 1.pdfModule 1.pdf
Module 1.pdf
 
module 1 Cyber Security Concepts
module 1 Cyber Security Conceptsmodule 1 Cyber Security Concepts
module 1 Cyber Security Concepts
 
Cyber crime & law
Cyber crime & lawCyber crime & law
Cyber crime & law
 
Hacking.pptx
Hacking.pptxHacking.pptx
Hacking.pptx
 

Último

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 

Último (20)

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

E-COMMERCE SECURITY, FRAUD ISSUES AND PROTECTIONS

  • 1. LECTURER IN CHARGE : M. FATHIMA RASHIDA MIT 31053
  • 2. GROUP MEMBERS • SEU/IS/15/MIT/083 • SEU/IS/15/MIT/096 • SEU/IS/15/MIT/071 • SEU/IS/15/MIT/108 • SEU/IS/15/MIT/009 • SEU/IS/15/MIT/035 • SEU/IS/15/MIT/047 • SEU/IS/15/MIT/059 • SEU/IS/15/MIT/036
  • 3. CONTENT S  INFORMATION SECURITY PROBLEM  E-COMMERCE SECURITY & LANDSCAPE  TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE  NON TECHNICAL METHODS: FROM PHISHING TO SPAMAND FRAUD  THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY  THE DEFENSE: ACCESS CONTROL, ENCRYPTION, AND PKI
  • 4. INFORMATION SECURITY PROBLEM WHAT IS INFORMATION SECURITY?  Information security refers to a variety of activities and methods that protect information systems,data, and procedures from any action designed to destroy, modify, or degrade the systems and their operations.  It is a very broad field due to the many methods of attack as well as the many modes of defense. The attacks on and defenses for computers can affect individuals, organizations, countries, or the entire Web. WHAT IS EC SECURITY?  e-Commerce security refers to the principles which guide safe electronic transactions, allowing the buying and selling of goods and services through the Internet, but with protocols in place to provide safety for those involved. Successful business online depends on the customers’ trust that a company has eCommerce security basics in place.
  • 5. INFORMATION SECURITY PROBLEM WHAT IS CYBERWAR?  Cyberwarefare or ( Cyberwar ) refers to any action by a nation-state or international organization to penetrate another nation’s computer networks for the purpose of causing damage or disruption. The attack usually is done through viruses, DoS, or botnets. WHAT IS CYBERESPIONAGE?  Cyberespionage is the act of practice of obtaining secrets and information without the permission and knowledge of the holder of the information from individuals, competitors, rivals, groups, government and enemies for personal, economic, political or military advantage using methods on the internet.  Cyber attacks can be classified into two major interrelated categories: I. Corporate Espionage II. Political Espionage and Warfare
  • 6. INFORMATION SECURITY PROBLEM CORPORATE ESPIONAGE  Many attacks target energy-related companies because their inside information is valuable. example:- Nakashima ( 2011 ) reported that in November 2011, foreign hackers targeted a water plant control system in Illinois, causing the pump to fail. The attackers also gained unauthorized access to the system database. POLITICAL ESPIONAGE AND WARFARE  Political espionage and cyberwars are increasing in magnitude. Sometimes, these are related to corporate espionage. Example:-In 2014, U.S. hackers in Illinois used DDoS malware to attack the official website of the Crimean referendum. A few days later, major Russian government Web resources and state media websites were also attacked by DDoS malware.
  • 7. THE DRIVERS OF EC SECURITY PROBLEMS There are many drivers (and inhibitors) that can cause security problems to EC  The Internet’s vulnerable design  The shift to profit-induced crimes  The wireless revolution  The Internet underground economy  The dynamic nature of EC systems, and the role of insiders  The sophistication of the attacks INFORMATION SECURITY PROBLEM
• 8. BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
THE EC SECURITY BATTLEGROUND
The essence of EC security can be viewed as a battleground between attackers and defenders and the defenders’ security requirements. This battleground includes the following components:
 The attacks, the attackers, and their strategies
 The assets that are being attacked (the targets) in vulnerable areas
 The security defense, the defenders, and their methods and strategy
• 9. BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
THE THREATS, ATTACKS, AND ATTACKERS
1. Unintentional threats. Categories:
 Human errors
 Environmental hazards
 Malfunctions in the computer system
2. Intentional threats. Intentional attacks are committed by cyber criminals or hackers:
 Theft of data
 Inappropriate use of data
 Theft of laptops and other devices to steal data
 Damaging computer resources
• 10. BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
3. Cyber criminals
A. Hacker
 A hacker is any skilled computer expert who uses their technical knowledge to overcome a problem; the term can also refer to any skilled computer programmer.
 In a single phrase: someone who gains unauthorized access to a computer system.
B. Cracker (black hat)
 Having gained unauthorized access, crackers destroy vital data and deny legitimate users service.
 Hackers build things, while crackers break things.
C. White hats
 White hat hackers can be Internet security experts who are hired by companies to find vulnerabilities in their computer systems.
• 11. BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
D. Grey hats
 Grey hat hacking does play a role in the security environment. One of the most common examples given of a grey hat hacker is someone who exploits a security vulnerability in order to spread public awareness that the vulnerability exists. In this case, experts might say that the difference between a white hat hacker and a grey hat hacker is that the grey hat hacker exploits the vulnerability publicly, which allows black hat hackers to take advantage of it.
• 12. BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
THE TARGETS OF THE ATTACKS IN VULNERABLE AREAS
 Any part of an information system can be attacked. PCs, tablets, or smartphones can easily be stolen or attacked by viruses and/or malware.
 VULNERABLE AREAS
 Vulnerability information
 Attacking e-mail
 Attacking smartphones and wireless systems
 The vulnerability of RFID chips
 The vulnerabilities of business IT and e-commerce systems
• 13. BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
EC SECURITY REQUIREMENTS
 Authentication: a process used to verify (assure) the real identity of an EC entity, which could be an individual, software agent, computer program, or EC website.
 Authorization: the provision of permission to an authenticated person to access systems and perform certain operations in those specific systems.
 Auditing: when a person or program accesses a website or queries a database, various pieces of information are recorded or logged into a file. The process of maintaining or revisiting the sequence of events during the transaction, when, and by whom, is known as auditing.
 Availability: assuring that systems and information are available to the user when needed and that the site continues to function.
• 14. BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
EC DEFENSE PROGRAMS AND STRATEGY
 EC security strategy
 Information assurance (IA)
 Possible punishment
 Recovery
 Different methods
 Detection measures
 Prevention measures
• 15. TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE
 A technical attack is one in which the use of systems and software is required and there is no human factor.
 Hackers use this methodology to hamper one’s life.
 The well-known technical attacks are:
 DoS attack
 Worms
 Botnets
 Virus threat
 Trojan horses
 Macro virus
• 16. TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE
 Denial of Service (DoS) attack: a denial-of-service (DoS) attack is any type of attack where the attackers (hackers) attempt to prevent legitimate users from accessing the service. In a DoS attack, the attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses.
 Botnets: a botnet is a group of computers connected in a coordinated fashion for malicious purposes. Each computer in a botnet is called a bot. These bots form a network of compromised computers, which is controlled by a third party and used to transmit malware or spam, or to launch attacks.
 Macro virus: a macro virus (macro worm) is malware code that is attached to a data file rather than to an executable program (e.g., a Word file). According to Microsoft, macro viruses can attack Word files as well as any other application that uses a programming language.
• 17. NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
NONTECHNICAL ATTACKS
These crimes are conducted with the help of both technical methods, such as malicious code that can access confidential information that may be used to steal money from your online bank account, and nontechnical methods, such as social engineering.
SOCIAL ENGINEERING AND FRAUD
Social engineering is a set of techniques employed by cybercriminals designed to lure unsuspecting users into sending them their confidential data, infecting their computers with malware, or opening links to infected sites.
• 18. NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
 Social phishing: phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.
 Pharming: pharming is a cyber attack intended to redirect a website’s traffic to another, fake site. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software.
• 19. THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
THE INFORMATION ASSURANCE MODEL
 The information assurance model is an extension of the original 1991 McCumber INFOSEC model.
 It expands the coverage, responsibilities and accountability of security professionals and also establishes an additional view of the states of information.
 The security model is based on three dimensions:
 Availability
 Integrity
 Confidentiality
• 20. THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
E-COMMERCE SECURITY STRATEGY
E-commerce needs to address the IA model and its components.
 The phases of security defense:
 Prevention and deterrence
 Initial response
 Detection
 Containment
 Eradication
 Recovery
• 21. THE DEFENSE: ACCESS CONTROL, ENCRYPTION, AND PKI
ACCESS CONTROL
 Access control is a security technique that regulates who or what can view or use resources in a computing environment.
 It is a fundamental concept in security that minimizes risk to the business or organization.
 After a user has been identified, the user must be authenticated.
 A resource refers to hardware, software, Web pages, text files, databases, applications, servers, printers, or any other information source or network component.
 Typically, access control defines the rights that specific users with access may have with respect to those resources (i.e., read, view, write, print, copy, delete, execute, modify, or move).
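The identify, authenticate, authorize and audit sequence described on slides 13 and 21, as an added example that is not part of the deck: the users, passwords, resources and access control list are constructed here, and salted PBKDF2 password hashing is an assumption about how a real user store would be kept.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# The rights named on slide 21; any right not in this set is rejected outright.
RIGHTS = {"read", "view", "write", "print", "copy", "delete", "execute", "modify", "move"}

def _hash_password(password, salt):
    # Salted PBKDF2 so the user store never holds a clear-text or unsalted password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _new_user(password):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)

# Constructed user store and resource names (not from the deck).
USERS = {"alice": _new_user("correct horse battery staple"),
         "bob": _new_user("bob-password-123")}

# Constructed access control list: (user, resource) -> rights granted. Default deny.
ACL = {("alice", "orders.db"): {"read", "view", "write", "modify"},
       ("bob", "orders.db"): {"read", "view"},
       ("bob", "invoice-printer"): {"print"}}

AUDIT_LOG = []   # stands in for the log file of slide 13: who did what, to which resource, when

def _audit(user, resource, right, outcome):
    AUDIT_LOG.append({"when": datetime.now(timezone.utc).isoformat(), "who": user,
                      "resource": resource, "right": right, "outcome": outcome})

def authenticate(user, password):
    """Identification (the user name) followed by authentication (proof via password)."""
    record = USERS.get(user)
    if record is None:
        _audit(user, "-", "login", "denied: unknown user")
        return False
    salt, stored = record
    ok = hmac.compare_digest(_hash_password(password, salt), stored)  # constant-time compare
    _audit(user, "-", "login", "ok" if ok else "denied: bad password")
    return ok

def authorize(user, resource, right):
    """Authorization: does this already-authenticated user hold the right on the resource?"""
    if right not in RIGHTS:
        raise ValueError("unknown right: " + right)
    granted = right in ACL.get((user, resource), set())   # missing ACL entry means deny
    _audit(user, resource, right, "allowed" if granted else "denied")
    return granted

def access(user, password, resource, right):
    """The full sequence from the slides: authenticate, then authorize, auditing each step."""
    return authenticate(user, password) and authorize(user, resource, right)
```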
• 22. THE DEFENSE: ACCESS CONTROL, ENCRYPTION, AND PKI
ENCRYPTION AND THE ONE-KEY (SYMMETRIC) SYSTEM
 Encryption is a process that encodes a message or file so that it can only be read by certain people; the encoded result is called ciphertext.
 Encryption has two basic options: the symmetric system, with one secret key, and the asymmetric system, with two keys.
 Two types of cipher:
 Substitution cipher
 Transposition cipher
• 23. THE DEFENSE: ACCESS CONTROL, ENCRYPTION, AND PKI
Encryption can provide four dimensions of e-commerce security:
1. Integrity: the assurance that data are accurate and that they cannot be altered. The integrity attribute needs to be able to detect and prevent the unauthorized creation, modification, or deletion of data or messages in transit.
2. Non-repudiation (close to authentication): the assurance that online customers or trading partners will not be able to falsely deny their purchase, transaction, sale, or other obligation.
3. Authentication: a process used to verify (assure) the real identity of an EC entity, which could be an individual, software agent, computer program, or EC website.
4. Confidentiality: the assurance that the message was not read by others.
• 24. THE DEFENSE: ACCESS CONTROL, ENCRYPTION, AND PKI
What is Symmetric Encryption?
 Symmetric encryption is a type of encryption where only one key (a secret key) is used to both encrypt and decrypt electronic information.
 The entities communicating via symmetric encryption must exchange the key so that it can be used in the decryption process.
 In practice, this means that the sender or their network administrator must first generate a key and then transmit it to the recipient before encrypting the file and uploading it.
What is Public Key Encryption?
 Public-key encryption is a cryptographic system that uses two keys: a public key known to everyone and a private or secret key known only to the recipient of the message.
 Public key cryptography allows someone to send their public key over an open, insecure channel. Having a friend's public key allows you to encrypt messages to them. Your private key is used to decrypt messages encrypted to you.
• 25. THE DEFENSE: ACCESS CONTROL, ENCRYPTION, AND PKI
Digital Envelopes
 A digital envelope is a secure electronic data container that is used to protect a message through encryption and data authentication.
 A digital envelope allows users to encrypt data with the speed of secret key encryption and the convenience and security of public key encryption.
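The digital envelope of slide 25 worked through in code, as an added example that is not the deck's material. It assumes a toy RSA key pair built from two publicly known Mersenne primes (genuine RSA arithmetic, but not secure because the primes are public, and without padding) and a constructed SHA-256 counter-mode stream cipher standing in for a real symmetric cipher such as AES; an HMAC supplies the "data authentication" the slide mentions.

```python
import hashlib
import hmac
import os

# Toy RSA key pair for the recipient. Built from the Mersenne primes 2^89-1 and 2^107-1 so
# that a 128-bit session key fits in the modulus. Since the primes are public the pair is
# insecure: illustration only. Real systems generate fresh primes and use padding (OAEP).
P, Q = (1 << 89) - 1, (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # modular inverse, Python 3.8+
RECIPIENT_PUBLIC_KEY = (N, E)
RECIPIENT_PRIVATE_KEY = (N, D)

def rsa_encrypt_int(m, public_key):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message too large for the modulus")
    return pow(m, e, n)

def rsa_decrypt_int(c, private_key):
    n, d = private_key
    return pow(c, d, n)

def stream_xor(key, data):
    """Constructed symmetric cipher standing in for AES: XOR the data with a SHA-256
    counter keystream derived from the session key. The same call encrypts and decrypts."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], keystream))
    return bytes(out)

def seal(message, public_key):
    """Build the envelope: a fresh 128-bit session key encrypts the bulk message (fast,
    symmetric); the recipient's public key encrypts only the short session key (convenient,
    asymmetric); an HMAC over the ciphertext provides the data authentication."""
    session_key = os.urandom(16)
    ciphertext = stream_xor(session_key, message)
    tag = hmac.new(session_key, ciphertext, hashlib.sha256).digest()
    wrapped_key = rsa_encrypt_int(int.from_bytes(session_key, "big"), public_key)
    return wrapped_key, ciphertext, tag

def open_envelope(envelope, private_key):
    """Recipient side: recover the session key with the private key, verify the tag before
    trusting the ciphertext, then decrypt the message."""
    wrapped_key, ciphertext, tag = envelope
    session_key = rsa_decrypt_int(wrapped_key, private_key).to_bytes(16, "big")
    expected = hmac.new(session_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("envelope failed authentication: tampered or wrong key")
    return stream_xor(session_key, ciphertext)
```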
• 26. THE DEFENSE: ACCESS CONTROL, ENCRYPTION, AND PKI
Digital Certificates
 Digital certificates are a means by which consumers and businesses can utilize the security applications of Public Key Infrastructure (PKI).
 PKI comprises the technology that enables secure e-commerce and Internet-based communication.
• 27. THE DEFENSE: ACCESS CONTROL, ENCRYPTION, AND PKI
Secure Socket Layer (SSL) and Transport Layer Security
 SSL is the standard security technology for establishing an encrypted link between a web server and a browser.
 This link ensures that all data passed between the web server and browsers remain private and integral.
 SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.
 Transport Layer Security (TLS) is a protocol that provides communication security between client/server applications that communicate with each other over the Internet.
 It enables privacy, integrity and protection for the data that is transmitted between different nodes on the Internet.

Editor's Notes

  1. They never damage the data intentionally.
  2. A cracker can be easily identified.
  3. A vulnerability is where an attacker finds a weakness in the system and then exploits that weakness. Vulnerability creates opportunities for attackers to damage information systems. One of the easiest places to attack is a user’s e-mail, since it travels via the unsecured Internet. One example is how easily the e-mail of Sarah Palin, former candidate for U.S. Vice President, was hacked in March 2008. Since mobile devices are more vulnerable than wired systems, attacking smartphones and wireless systems is becoming popular due to the explosive growth of mobile computing. RFID chips are embedded everywhere, including in credit cards and U.S. passports. Cards are designed to be read from some distance (contactless), which also creates a vulnerability. Example: when you carry a credit card in your wallet or pocket, anyone with an RFID reader that gets close enough to you may be able to read the RFID information on your card. insufficient use of security programs and firewalls) and organizational weaknesses (e.g., lack of user training and security awareness, and an insider who steals data and engages in inappropriate use of business computers).
  4. E-mail scams: hackers hack into your e-mail account, finding who your contacts are and their e-mail addresses. They then send out an e-mail to you from people on the list. Alternatively, hackers get into your friend’s e-mail account and find that you are one of their contacts. Then they send you the request for help.
  5. Confidentiality is the assurance of data secrecy and privacy. Namely, the data is disclosed only to authorized people. Confidentiality is achieved by using several methods, such as encryption and passwords. Integrity is the assurance that data are accurate and that they cannot be altered. The integrity attribute needs to be able to detect and prevent the unauthorized creation, modification, or deletion of data or messages in transit. Availability is the assurance that access to any relevant data, information websites, or other EC services and their use is available in real time, whenever and wherever needed. The information must be reliable.
  6. The phases of security defense:
     1. Prevention and deterrence (preparation). Good controls may prevent criminal activities as well as human error from occurring. Controls can also deter criminals from attacking computerized systems and deny access to unauthorized human intruders. Also, necessary tools need to be acquired.
     2. Initial response. The first thing to do is to verify whether there is an attack. If so, determine how the intruder gained access to the system and which systems and data are infected or corrupted.
     3. Detection. The earlier an attack is detected, the easier it is to fix the problem, and the smaller the amount of damage done. Detection can be executed by using inexpensive or free intrusion detection software.
     4. Containment (contain the damage). The objective is to minimize or limit losses once a malfunction has occurred. It is also called damage control. Damage control can be done, for example, by using fault-tolerant hardware and software that enable operation in a satisfactory, but not optimal, mode until full recovery is made.
     5. Eradication. Remove the malware from infected hosts.
     6. Recovery. Recovery needs to be planned for to assure a quick return to normal operations at a reasonable cost. One option is to replace parts rather than to repair them. Functionality of data should also be restored.
     7. Correction. Finding the causes of damaged systems and fixing them will prevent future occurrences.
     8. Awareness and compliance. All organization members must be educated about possible hazards and must comply with the security rules and regulations.
  7. Substitution cipher: every occurrence of a given letter is replaced systematically by another letter. Transposition cipher: the ordering of the letters in each word is changed in some systematic way.
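Both classical cipher types named on slide 22 and in note 7, implemented as an added example that is not the deck's material: a keyed substitution alphabet (letters change identity, positions stay) and a columnar transposition (letters keep identity, positions change). The key words and the sample message in the comments are constructed here.

```python
import string

ALPHABET = string.ascii_uppercase

def make_substitution_table(key):
    """Keyed alphabet: the key's letters first (duplicates dropped), then the rest of the
    alphabet. Every plaintext letter is replaced by the letter at the same position."""
    seen = []
    for ch in key.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return dict(zip(ALPHABET, seen))

def substitute(text, table):
    # Letters change identity but keep their positions; non-letters pass through unchanged.
    return "".join(table.get(ch, ch) for ch in text.upper())

def unsubstitute(text, table):
    inverse = {v: k for k, v in table.items()}
    return "".join(inverse.get(ch, ch) for ch in text)

def transpose(text, key, pad="X"):
    """Columnar transposition: write the text in rows of len(key) and read the columns out
    in the alphabetical order of the key letters. Letters keep their identity but move, so
    the letter frequencies of the plaintext are preserved in the ciphertext."""
    width = len(key)
    text = text + pad * (-len(text) % width)          # fill the last row
    order = sorted(range(width), key=lambda i: (key[i], i))
    return "".join(text[i::width] for i in order)

def untranspose(text, key):
    """Inverse of transpose for a ciphertext whose length is a multiple of len(key)."""
    width = len(key)
    rows = len(text) // width
    order = sorted(range(width), key=lambda i: (key[i], i))
    columns = [""] * width
    for position, i in enumerate(order):
        columns[i] = text[position * rows:(position + 1) * rows]
    return "".join(columns[i][r] for r in range(rows) for i in range(width))

# Constructed sample: substituting with key "SECURE" turns "ATTACK AT DAWN" into
# "SQQSCH SQ USWK"; transposing "ATTACKATDAWN" under key "ZEBRA" gives "CAXTTXTANADXAKW".
```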