E-commerce security threats and solutions

5/4/2013
Electronic Business MS 114
Security Issues, E-Commerce Threats

Part-1
It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change Charles Darwin
If youre not changing faster than your environment, you are falling behind Jack Welsh, CEO of GE
Security in Cyberspace
The electronic system that supports e-commerce is susceptible to abuse and failure in many ways:
Security in Cyberspace
Theft: Theft of confidential, proprietary, technological, or marketing information belonging to the firm or to the customer. An intruder may disclose such information to a third party, resulting in damage to a key customer, a client, or the firm itself. Disruption: Disruption of service resulting in major losses to business or inconvenience to the customer.
Electronic Business MS114 UNIT-II
Fraud:
Resulting in direct financial loss. Funds might be transferred from one account to another, or financial records might simply be destroyed.
Electronic Business MS114
UNIT-II
Security in Cyberspace Loss:

Loss of customer confidence stemming from illegal intrusion into customer files or company business, dishonesty, human mistakes, or network failure.
Security Issues Security concerns generally include the following issues: Confidentiality:
Knowing who can read data. Ensuring that information in the network remains private. This is done via encryption.
Identification and Authentication:

Electronic Business MS114 Electronic Business MS114
Making sure that message sender or principal are authentic.

UNIT-II
UNIT-II
5/4/2013
Security Issues Availability

System resources are safeguarded from tampering and are available for authorized users at the time and in the format needed Nonrepudiation:
Security Issues
Ensuring that principal cannot deny that they sent the message.
Privacy
Individual rights to nondisclosure
Integrity:
Making sure that information is not accidental or maliciously altered or corrupted in transit.
Firewalls:
A filter between corporate network and the Internet to secure corporate information and files from intruders but allowing access to authorized principals.
Access Control:
Restricting the use of resources to authorized principals.
UNIT-II
Security Threats in the E-commerce Environment
A Typical E-commerce Transaction
Three key points of vulnerability:

Client Server Communications channel
Most common threats:
Malicious code Hacking and cybervandalism Credit card fraud/theft Zombied PC Phishing Denial of service attacks Sniffing Spoofing
UNIT-II
UNIT-II
Vulnerable Points in an E-commerce Environment
Virus It is a software program which attach it self to other programs without the owner of program being aware of it. when the main program is executed the virus is spread causing damage. Worms designed to spread from computer to computer It can spread without any human intervention. It can propagate through network and can affect hand held devices. Trojan horse It is software that appears to perform a desirable function for the user prior to run or install. Perhaps in addition to the expected function, steals information or harms the system. Electronic Business MS114
UNIT-II
Malicious Code
UNIT-II
5/4/2013
Malicious Code
Bad applets (malicious mobile code) malicious Java applets or ActiveX controls that may be downloaded onto client and activated merely by surfing to a Web site
Examples of Malicious Code
UNIT-II
UNIT-II
Hacking and Cybervandalism

Hacker: Individual who intends to gain unauthorized access to a computer systems Cracker: Used to denote hacker with criminal intent (two terms often used interchangeably) Cybervandalism: Intentionally disrupting, defacing or destroying a Web site Types of hackers include:
White hats Members of tiger teams used by corporate security departments to test their own security measures Black hats Act with the intention of causing harm Grey hats Believe they are pursuing some greater good by breaking in and revealing system flaws
UNIT-II
Credit Card Fraud Fear that credit card information will be stolen deters online purchases Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under false identity One solution: New identity verification mechanisms
UNIT-II
Zombied PCs - A zombie computer (often
Kinds of Threats or Crimes
shortened as zombie) is a computer connected to the Internet that has been compromised by a hacker, computer virus or Trojan horse.
Generally, a compromised machine is only one of many in a botnet, and will be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.
Phishing - is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies.
UNIT-II
5/4/2013
DoS - A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.

Sniffing:
type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network
Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used with regards to computer networks, but is not limited to this field, for example, it is also used in reference to CPU resource management. One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.
Spoofing:
Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
UNIT-II
UNIT-II
5/4/2013
Internet Security A successful e-commerce environment is built on trust in the integrity of the communication network that links the buyer and the merchants. With open exchange of information on internet, more security is needed to minimize the vulnerability.
Internet Security
Part-2
Internet Security
Measures for security over Internet are: Web Application:
SSL Secure Socket Layer S-HTTP Secure Hypertext Transfer Protocol
SSL- Secure Socket Layer It is a key protocol for secure Web transactions. Secures data packets at the network layer. Originally it was developed by Netscape. Now it is widely used as a standard for encrypting data on the Internet. It is used by all Netscapes browser products and Microsoft Internet Explorer 3.0 or higher versions.
Security for e-commerce transaction

SET Secure Electronic Transaction
Security for e-mail

PGP Pretty Good Privacy S/MIME Multipurpose Internet Mail Extension MSP- Message Security Protocol
SSL- Secure Socket Layer One requirement for using SSL is that both merchants web server and customers web browser must use the same security system. Advantage of this protocol is that as it is used by all URLs beginning with http, no problem arise in interfacing online.
SSL- Secure Socket Layer It provides three basic services:

Server authentication Client authentication Encrypted SSL connection
5/4/2013
SSL- Secure Socket Layer

SSL server authentication uses public key cryptography to validate the servers digital signature. Similarly public key cryptography is used to validate clients machine. It allows client and server to select an encryption algorithm for secure connection. The key to this algorithm is transmitted using public key cryptography. Communication is performed using secret key.

S-HTTP Secure Hypertext Transfer Protocol

It is a protocol used to secure web transactions HTTP is a request response communication mechanism between a web browser and a web server. Do not confuse between the two- HTTPS and S-HTTP Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encrypted communication and secure identification of a network web server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems. HTTPS and S-HTTP were both defined in the mid-1990s to address this need. Netscape and Microsoft supported HTTPS rather than S-HTTP, leading to HTTPS becoming the de facto standard mechanism for securing web communications.
S-HTTP Secure Hypertext Transfer Protocol
S-HTTP Secure Hypertext Transfer Protocol It is compatible with HTTP and can integrate with HTTP applications. It allows client machine and server machine to communicate easily through encrypted data exchange over Internet It supports only symmetric key cryptography and does not require digital certificates or public key. As it operates on application layer, it provides user authentication and is capable of securing only parts of documents.
It provides:
Confidentiality Authenticity Integrity Ensures nonrepudiation
It is more robust that SSL But is not widely popular because of Netscape market penetration.
SET Secure Electronic Transaction It is a specification designed by VISA, MasterCard and Europay. It is used for handling fund transfer from credit card issuer to merchants bank account. It is a well known payment model based on signature.
SET Secure Electronic Transaction It provides:

Confidentiality Authentication Integrity Of payment card transmission
It uses a variety of encryption techniques, digital signatures and certificates.
5/4/2013
SET Secure Electronic Transaction SET requires customer to register their accounts once with the card issuing authority/ bank to provide appropriate digital signature. Two things are needed by the customer:
Digital certificate Digital wallet
Digital Wallet It is an online shopping device that seals personal information in a free plug-in that can be invoked when making a Purchase. This eliminates having to retype credit card information in future transaction. Customer can select payment method and shipping address to accomplish with the purchase.
Steps
You made a purchase. Software has done the certificates exchange. You receive
e-merchants public key, payment processors key and a unique transaction identifier issued by the merchant.
When finished with the steps you get a message containing:

OI, including merchants transaction identifier. A digest of OI PI, including merchants transaction identifier, encrypted with a random symmetric key. A digest of PI A dual signature digest (OI Digest + PI Digest) encrypted with your private key. Your account number plus the random symmetric key encrypted with the payment processors public key.
Then create Order Information (OI) and payment Instruction (PI) including the e-merchants assigned transaction identifier. Now execute hashing function to make digest of the OI and PI. you get a dual signature by encrypting with private key (ensures that OI and PI are related together).
Security for e-mail Three main protocol governs the secure communication through e-mail
PGP Pretty Good Privacy S/MIME Multipurpose Internet Mail Extension MSP- Message Security Protocol
PGP Pretty Good Privacy

It was created by Philip Zimmermann in 1991. He used it to encrypt his own messages. He released the toolkit over internet allowing anyone to create private key and encrypt their messages. The US govt. disapproved it. He founded PGP Inc. in 1996. A year later it was sold to Network Associates.
5/4/2013
S/MIME Multipurpose Internet Mail Extension
S/MIME Multipurpose Internet Mail Extension
It was developed by RSA in 1996. It was built on public key cryptography standards It provides security for different data types and for e-mail attachments. It has two key attributes: Digital signature Digital envelope
Signature is created using hashing algorithm which creates digest Digest is encrypted using public key cryptography. The digital signature ensures that nothing has been done to the message during transmission. The digital wallet ensures that message remains private.
UNIT-II
MSP Message Security Protocol It is mainly used by US government. It provides security for e-mails attachments across multiple platforms. It operates at application level. The message is send in encrypted format with the required decryption key to validate the message at the recipients end.
UNIT-II
5/4/2013
Basic Terminologies Encryption, Cryptography, Digital Signatures, Digital Certificates

Part-3
Cryptography deals with creating documents that can be shared secretly over public communication channels Cryptographic documents are decrypted with the key associated with encryption, with the knowledge of the encryptor The word cryptography comes from the Greek words: Krypto (secret) and graphein (write) Cryptanalysis deals with finding the encryption key without the knowledge of the encryptor Cryptology deals with cryptography and cryptanalysis Cryptosystems are computer systems used to encrypt data for secure transmission and storage
UNIT-II
Encryption
In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). Julius Cesar used alphabetical code to communicate with his commanders.
Security options at Mozilla Firefox
UNIT-II
UNIT-II
Security options at Microsoft IE
Secure Option using https

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encrypted communication and secure identification of a network web server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems.
UNIT-II
UNIT-II
5/4/2013
Trusted connection
Untrusted connection
UNIT-II
UNIT-II
Basic Terminologies Keys are rules used in algorithms to convert a document into a secret document Keys are of two types:
Symmetric Asymmetric
Secret-Key or Symmetric Cryptography
A key is symmetric if the same key is used both for encryption and decryption A key is asymmetric if different keys are used for encryption and decryption
Alice and Bob agree on an encryption method and a shared key. Alice uses the key and the encryption method to encrypt (or encipher) a message and sends it to Bob. Bob uses the same key and the related decryption method to decrypt (or decipher) the message.
UNIT-II
UNIT-II
Secret-Key or Symmetric Cryptography
Advantages There are some very fast classical encryption (and decryption) algorithms Since the speed of a method varies with the length of the key, faster algorithms allow one to use longer key values. Larger key values make it harder to guess the key value -- and break the code -- by brute force.
Symmetric algorithms can be divided into:

Stream Cipher: A symmetric algorithm that encrypts a bit of plain text at a time. Block Cipher: A symmetric algorithm that encrypts a number of bit as single unit of plain text at a time.
UNIT-II
UNIT-II
5/4/2013
Disadvantages Requires secure transmission of key value Requires a separate key for each group of people that wishes to exchange encrypted messages (readable by any group member)
For example, to have a separate key for each pair of people, 100 people would need 4950 different keys. [n*(n-1)/2]
Public-Key or Asymmetric Cryptography Alice generates a key value (usually a number or pair of related numbers) which she makes public. Alice uses her public key (and some additional information) to determine a second key (her private key). Alice keeps her private key (and the additional information she used to construct it) secret.
UNIT-II
UNIT-II
Public-Key or Asymmetric Cryptography
Bob (or Carol, or anyone else) can use Alices public key to encrypt a message for Alice. Alice can use her private key to decrypt this message. No-one without access to Alices private key (or the information used to construct it) can easily decrypt the message.
UNIT-II
UNIT-II
An Example: Internet Commerce Bob wants to use his credit card to buy some brownies from Alice over the Internet. Alice sends her public key to Bob. Bob uses this key to encrypt his credit-card number and sends the encrypted number to Alice. Alice uses her private key to decrypt this message (and get Bobs credit-card number).
Two uses of Asymmetric approach To provide message confidentiality: To prove the authenticity of the message originator.
UNIT-II
UNIT-II
5/4/2013
Hybrid Encryption Systems

All known public key encryption algorithms are much slower than the fastest secret-key algorithms. In a hybrid system, Alice uses Bobs public key to send him a secret shared session key. Alice and Bob use the session key to exchange information.
Internet Commerce
Bob wants to order brownies from Alice and keep the entire transaction private. Bob sends Alice his public key. Alice generates a session key, encrypts it using Bobs public key, and sends it to Bob. Bob uses the session key (and an agreed-upon symmetric encryption algorithm) to encrypt his order, and sends it to Alice.
UNIT-II
UNIT-II
Time and cost for breaking key

Estimated 40 Bits key Cost to break key $100,000 2 sec $1 Million 0.2 sec $100 Million 2 millisecond 64 Bits key 1 year 37 days 9 hours 1 hours 80 Bits key 128 Bits key 70,000 years 1019 years
Common Cryptosystems RSA:

Most commonly used public key algorithm. Named after its inventor, Ron Rivest, Adi Shamir, and Len Adleman of MIT. Used for encryption and electron signature. It uses 512 bits key, 768 bits key and 1024 bits key. It is embedded in major products like Windows, Netscape navigator and Lotus Notes.
7,000 years 1018 years 70 years 7 years 1016 years 1015 years
$1 Billion 0.2 millisecond

Electronic Business MS114 UNIT-II UNIT-II
Common Cryptosystems Data Encryption Standards (DES):

It is a popular secret key encryption. Was developed by IBM in 1974. It was adopted as US federal standard in 1977 and Financial Industry standard in 1981. For conversion of 64 bits plaintext into 64 bits ciphertext a key with 56 bits is used. It is a strong algorithm which is difficult to break.
Common Cryptosystems 3DES or Triple DES:

It uses three 56 bit key. First encrypt the data Second decrypt the data Third again encrypt the data. It is considered to be the strong version of DES It is much secure and safer than plain DES.
UNIT-II
UNIT-II
5/4/2013
Common Cryptosystems RC4:

It was designed by Ron Rivest RSA Data Security Inc. It is a stream cipher symmetric key algorithm. It is used in secure socket layer protocol as bulk encryption cipher. Key lengths range from 40 to 128 bits.
Common Cryptosystems International Data Encryption Algorithm (IDEA):

Was created in Switzerland in by Philip Zimmermann in 1991. It is a block cipher symmetric key algorithm. It offers strong encryption using a 128 bit key to encrypt 64 bit block. Thus it is highly resistant to brute force. It was used as bulk encryption cipher in old versions of Pretty Good Privacy (PGP) SYSTEMS.
UNIT-II
UNIT-II
Cryptanalysis
Cryptanalysis (from the Greek krypts, "hidden", and analein, "to loosen" or "to untie") is the study of methods for obtaining the meaning of encrypted information, without access to the secret information that is normally required to do so. Typically, this involves knowing how the system works and finding a secret key. In non-technical language, this is the practice of codebreaking or cracking the code, although these phrases also have a specialized technical meaning.
Essentially, the practical importance of an attack is dependent on the answers to the following four questions:
What knowledge and capabilities does the attacker need? How much additional secret information is deduced? How much computation is required? (What is the computational complexity?) Does the attack break the full cryptosystem, or only a weakened version?
UNIT-II
UNIT-II
Major Attacks on Cryptosystems

Algebraic attack
A method of cryptanalytic attack used against block ciphers that exhibit a significant amount of mathematical structure.

Brute Force Attack:
Brute Force Attack is a form of attack in which each possibility is tried until success is obtained. Typically, a ciphertext is deciphered under different keys until plaintext is recognized.
Algorithmic attack (Formulaic attack)
Algorithmic attacks are in some ways much more difficult to perform because they generally require an extremely high degree of knowledge in mathematics. Rather than going after the entire key space, the code breaker will try and find flaws in the algorithm that causes it to be reduced to a problem of decreased complexity.
Chosen ciphertext attack
An attack where the cryptanalyst may choose the ciphertext to be decrypted. The attacker can obtain the plaintexts corresponding to an arbitrary set of ciphertexts of his own choosing.
Chosen plaintext attack
A form of cryptanalysis where the cryptanalyst may choose the plaintext to be encrypted. The attacker can obtain the ciphertexts corresponding to an arbitrary set of plaintexts of his own choosing
UNIT-II
UNIT-II
5/4/2013

Ciphertext-only Attack:
The cryptanalyst has access only to a collection of ciphertexts or codetexts. Works primarily from ciphertext making guesses about the plaintext
Digital Signatures: Signing a Document

Alice applies a (publicly known) hash function to a document that she wishes to sign. This function produces a digest of the document (usually a number). Alice then uses her private key to encrypt the digest. She can then send, or even broadcast, the document with the encrypted digest.
Known Plaintext Attack:
In this technique the attacker knows the plaintext for part (s) of the ciphertext. They uses this information to decrypt the rest of the ciphertext.
Dictionary attack
A brute force attack that tries passwords and or keys from a precompiled list of values. This is often done as a precomputation attack.
UNIT-II
UNIT-II
Digital Signature Verification

Bob uses Alices public key to decrypt the digest that Alice encrypted with her private key. Bob applies the hash function to the document to obtain the digest directly. Bob compares these two values for the digest. If they match, it proves that Alice signed the document and that no one else has altered it.
Secure Transmission of Digitally Signed Documents

Alice uses her private key to digitally sign a document. She then uses Bobs public key to encrypt this digitally signed document. Bob uses his private key to decrypt the document. The result is Alices digitally signed document. Bob uses Alices public key to verify Alices digital signature.
UNIT-II
UNIT-II
Alice Plain text

B public Key
Digital Signature
Hash fn digest
A private Key
Digital Certificate
Digital signature
ciphertext
Internet
B private Key
An electronic document issued by a certifying authority to establish a merchants identity. Certificate authority:
A trusted entity that issues and revokes public key certificates and manages key pairs Authorities like verisgn, cybertrust, US Postal Services.
Hash fn
plaintext
ciphertext
A public Key
digest Bob
digest
If these two are same message is authentic

UNIT-II
UNIT-II
5/4/2013
Components of Digital Certificate Class1:

Digital Certificate Class

Quickest and simplest to issue. Contains minimum checks on users background. Only name, address and e-mail id are check. Can be compared with a library card.
Holders Name Name of certifying authority Public key for cryptographic use The duration of the certificate The class of certificate Certificate ID number.
Class2:
Checks for information like real name, SSN and DOB. They require proof of physical address, locale and e-mail id. Can be compared with a credit card.
UNIT-II
UNIT-II
Digital Certificate Class

Class3:
Strongest type. Can be compared with driving license To get them you need to prove who you are and you are responsible. Used for sensitive transactions like loan acquisition online. They are most thorough. In addition to class3 they check the users position at work.
Class4:
UNIT-II
5/4/2013
Firewalls
Firewalls
Part-4
It is a software and hardware tool that define, control and limit the access to networks and computers linked to the networks of an organization. Sits between two networks
Used to protect one from the other Places a bottleneck between the networks
All communications must pass through the bottleneck this gives us a single point of control
UNIT-II
Firewalls It must ensure:

Data Integrity Authentication Confidentiality
Out going Data Global Internet
Firewall
Incoming Data
Firewall
Internal Network (s)
Technically it is a router or a computer installed between the internal network of an organization and the rest of the internet.
UNIT-II
UNIT-II
Classification of Firewall
Classification of Firewall
Packet Filter Firewall:
It is used to filter packets based on the information in Network layer and transport layer header.
Source IP address Destination IP address Source port address Destination port address Type of protocol
Proxy firewall
It is used to filter packets on the basis of information available in the message. One solution is to install a proxy computer also called application gateway.
UNIT-II
UNIT-II
5/4/2013
Proxy Firewall
Error
Application Gateway
Personal Firewall It is an application which controls network traffic to and from a computer, permitting or denying communication based on a security policy. It protects only the computer on which it is installed
All HTTP Data

Global Internet Firewall
Accepted Data Packet
HTTP Server
UNIT-II
UNIT-II
Personal Firewall Some feature:

Alert about outgoing connection attempts. Monitors application by listening incoming connections. Hide the computer from port scans. Allows users to control which programs can and cannot access local networks.
Firewalls Home and Personal routers:

Provide
Configurable packet filtering NAT
Linksys D-Link
UNIT-II
UNIT-II
Firewalls Enterprise Firewalls:

Check point firewall-1 Cisco PIX MS Internet security and acceleration server GAI Gauntlet
Firewalls Firewalls protect against following situation.

E-mail services that are known to be problem Unauthorized interactive log-ins Undesirable materials Unauthorized sensitive information leaving the organization.
UNIT-II
UNIT-II
5/4/2013
Firewalls Firewalls cannot prevent:

Physical attacks on the system and server Weak security policy Data- Driven attacks
UNIT-II
5/4/2013
Achieving Privacy
Private Networks
A small organization can use an isolated LAN. People inside the organization can send data to one another that totally remain inside the organization, secure from outsiders. Intra-organization data is exchanged through private internet. Inter-organization data is exchanged through global internet.
IDS, VPN, Public Key Infrastructure

Part-5
Hybrid Networks
Virtual Private Networks
It is private but virtual network Private as provides privacy Business Virtual Electronic MS114as it does not use private network.
UNIT-II
Traditional Connectivity
What is VPN?
Virtual Private Network is a type of private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate. Became popular as more employees worked in remote locations. Terminologies to understand how VPNs work.
[From Gartner Consulting]

UNIT-II UNIT-II
Private Networks vs. Virtual Private Networks

Employees can access the network (Intranet) from remote locations. Secured networks. The Internet is used as the backbone for VPNs Saves cost tremendously from reduction of equipment and maintenance costs. Scalability
Remote Access Virtual Private Network
(From Gartner Consulting)

UNIT-II UNIT-II
5/4/2013
Brief Overview of How it Works

Two connections one is made to the Internet and the second is made to the VPN. Datagram's contains data, destination and source information. Firewalls VPNs allow authorized users to pass through the firewalls. Protocols protocols create the VPN tunnels.
Four Critical Functions

Authentication validates that the data was sent from the sender. Access control limiting unauthorized users from accessing the network. Confidentiality preventing the data to be read or copied as the data is being transported. Data Integrity ensuring that the data has not been altered
UNIT-II
UNIT-II
Encryption
Encryption -- is a method of scrambling data before transmitting it onto the Internet. Public Key Encryption Technique Digital signature for authentication
Tunneling
A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.
Original Datagram Encrypted Inner Datagram Datagram Header Outer Datagram Data Area
Data Encapsulation [From Comer]
Two types of end points: Remote Access Electronic Business MS114 Site-to-Site
UNIT-II
UNIT-II
Four Protocols used in VPN

PPTP -- Point-to-Point Tunneling Protocol L2TP -- Layer 2 Tunneling Protocol IPsec -- Internet Protocol Security SOCKS is not used as much as the ones above
Electronic Business MS114 Electronic Business MS114 UNIT-II UNIT-II
VPN Encapsulation of Packets
5/4/2013
Types of Implementations
A successful e-commerce environment is built on trust in the integrity of the communication network that links the buyer and the merchants. What does implementation mean in VPNs? 3 types
Intranet Within an organization Extranet Outside an organization Remote Access Employee to Business
Virtual Private Networks (VPN)

Basic Architecture
UNIT-II
UNIT-II
Device Types
What it means 3 types
Hardware Firewall Software
Device Types: Hardware

Usually a VPN type of router
Pros Highest network throughput Plug and Play Dual-purpose Cons Cost Lack of flexibility
UNIT-II
UNIT-II
Device Types: Firewall

More security?
Pros Harden Operating System Tri-purpose Cost-effective Cons Still relatively costly Pros Flexible
Device Types: Software

Ideal for 2 end points not in same org. Great when different firewalls implemented
Cons Lack of efficiency More labor training required Lower productivity; higher labor costs
Low relative cost
UNIT-II
UNIT-II
5/4/2013
Advantages: Cost Savings

Eliminating the need for expensive long-distance leased lines Reducing the long-distance telephone charges for remote access. Transferring the support burden to the service providers Operational costs
Advantages VS. Disadvantages
Cisco VPN Savings Calculator

Advantages: Scalability
Flexibility of growth Efficiency with broadband technology
Disadvantages
VPNs require an in-depth understanding of public network security issues and proper deployment of precautions Availability and performance depends on factors largely outside of their control Immature standards VPNs need to accommodate protocols other than IP and existing internal network technology
UNIT-II
Applications: Site-to-Site VPNs Large-scale encryption between multiple fixed sites such as remote offices and central offices Network traffic is sent over the branch office Internet connection This saves the company hardware and management expenses
Site-to-Site VPNs
UNIT-II
UNIT-II
5/4/2013
Applications: Remote Access

Encrypted connections between mobile or remote users and their corporate networks Remote user can make a local call to an ISP, as opposed to a long distance call to the corporate remote access server. Ideal for a telecommuter or mobile sales people. VPN allows mobile workers & telecommuters to take advantage of broadband connectivity. i.e. DSL, Cable
Industries That May Use a VPN

Healthcare: enables the transferring of confidential patient information within the medical facilities & health care provider Manufacturing: allow suppliers to view inventory & allow clients to purchase online safely Retail: able to securely transfer sales data or customer info between stores & the headquarters Banking/Financial: enables account information to be transferred safely within departments & branches General Business: communication between remote employees can Electronic Business MS114 be securely exchanged
UNIT-II
UNIT-II
Statistics From GartnerConsulting*

Remote access for employees working out of homes Remote access for employees while traveling Site-to-site connectivity between offices Access to network for business partners/customers
Some Businesses using a VPN

CVS Pharmaceutical Corporation upgraded their frame relay network to an IP VPN ITW Foilmark secured remote location orders, running reports, & internet/intranet communications w/ a 168-bit encryption by switching to OpenReach VPN Bacardi & Co. Implemented a 21-country, 44location VPN
90% 79% Percentages 63% 50% 20% 40% 60% 80% 100%
0%
% of Respondents
*Source: www.cisco.com
UNIT-II
Where Do We See VPNs Going in the Future?
VPNs are continually being enhanced. Example: Equant NV As the VPN market becomes larger, more applications will be created along with more VPN providers and new VPN types. Networks are expected to converge to create an integrated VPN Improved protocols are expected, which will also improve VPNs.

E-commerce security threats and solutions

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

E-commerce security threats and solutions

Uploaded by

Copyright:

Available Formats

5/4/2013

Electronic Business MS 114

Security Issues, E-Commerce Threats

Electronic Business MS114

Security in Cyberspace Loss:

Identification and Authentication:

Making sure that message sender or principal are authentic.

Security Issues Availability

Security Threats in the E-commerce Environment

A Typical E-commerce Transaction

Three key points of vulnerability:

Most common threats:

Electronic Business MS114

Electronic Business MS114

Vulnerable Points in an E-commerce Environment

Electronic Business MS114

Examples of Malicious Code

Electronic Business MS114

Electronic Business MS114

Hacking and Cybervandalism

Electronic Business MS114

Zombied PCs - A zombie computer (often

Kinds of Threats or Crimes

Kinds of Threats or Crimes

Electronic Business MS114

Kinds of Threats or Crimes

Kinds of Threats or Crimes

Electronic Business MS114

Security for e-commerce transaction

Security for e-mail

SSL- Secure Socket Layer It provides three basic services:

SSL- Secure Socket Layer

S-HTTP Secure Hypertext Transfer Protocol

S-HTTP Secure Hypertext Transfer Protocol

SET Secure Electronic Transaction It provides:

It uses a variety of encryption techniques, digital signatures and certificates.

When finished with the steps you get a message containing:

PGP Pretty Good Privacy

S/MIME Multipurpose Internet Mail Extension

S/MIME Multipurpose Internet Mail Extension

Electronic Business MS114

Electronic Business MS114

Basic Terminologies Encryption, Cryptography, Digital Signatures, Digital Certificates

Security options at Mozilla Firefox

Electronic Business MS114

Electronic Business MS114

Security options at Microsoft IE

Secure Option using https

Electronic Business MS114

Electronic Business MS114

Electronic Business MS114

Electronic Business MS114

Secret-Key or Symmetric Cryptography

Secret-Key or Symmetric Cryptography

Symmetric algorithms can be divided into:

Electronic Business MS114

Electronic Business MS114

Electronic Business MS114

Public-Key or Asymmetric Cryptography

Electronic Business MS114

Electronic Business MS114

Hybrid Encryption Systems