eBusiness
Lecture 10 – Security Threats and Countermeasures for Enterprise

Lecture 10 - Security Threats and Countermeasures for Enterprises

Security Threats and Countermeasures for Enterprise Lecture 10 - 10.2

Introduction to Lecture 10
Topics covered:
• Communication channel security
• Encryption and Secure Sockets Layer (SSL)
• Web server threats
• Database threats
• Access control and authentication
• Firewalls

V1.0 © NCC Education Limited

Security Threats and Countermeasures for Enterprise Lecture 10 - 10.3

Problems of Using the Internet as a Communications Channel
• Secrecy threats
• Integrity threats
• Denial-of-service (DoS) threats
• Wireless network threats


V1.0 Visuals Handout Lecture 10 – Page 1



Security Threats and Countermeasures for Enterprise Lecture 10 - 10.4

Secrecy Threats
• Secrecy is the prevention of unauthorised
information disclosure
• Privacy is the protection of individual rights
to non-disclosure
• Sniffer programs pose a threat to email
• Backdoors in software provide opportunities
for hackers


Security Threats and Countermeasures for Enterprise Lecture 10 - 10.5

Integrity Threats
• Active wiretapping – altering a message
stream of information
• Cybervandalism – defacing of an existing
website’s page
• Spoofing – pretending to be somebody you
are not
• Phishing – attempts to capture confidential
customer information via spoof emails


Security Threats and Countermeasures for Enterprise Lecture 10 - 10.6

Denial-of-Service (DoS) Threats
• Attackers flood a targeted eCommerce site
with data packets
• Servers are overwhelmed
• eCommerce site only able to offer a
reduced level of service or may become
inoperable
• Can result in financial loss to the
organisation or even force it out of business



Security Threats and Countermeasures for Enterprise Lecture 10 - 10.7

Wireless Threats
• Security provided by Wireless
Encryption Protocol (WEP)
• Many mobile devices have default
login and password set
• Companies often fail to change these
settings
• Wireless devices can be attacked by
wardrivers using warchalking


Security Threats and Countermeasures for Enterprise Lecture 10 - 10.8

Encryption
“Program that transforms normal text
(plain text) into cipher text (a string of
unintelligible characters)”
• Hash coding
• Asymmetric coding (public-key)
• Symmetric coding (private-key)


Security Threats and Countermeasures for Enterprise Lecture 10 - 10.9

Comparison of Encryption Methods
[Figure: a. hash coding, b. private-key, c. public-key. Source: Schneider, G. (2007) Electronic Commerce 7th Ed, p.468]



Security Threats and Countermeasures for Enterprise Lecture 10 - 10.10

Secure Sockets Layer (SSL) Protocol
“Protocol that secures connections between two
computers through the use of encryption”
• Provides a security handshake between the client
and server computers
• All communication between SSL-enabled clients
and servers is encoded
• Can be used for HTTP, FTP sessions, private
downloading and uploading and Telnet


Security Threats and Countermeasures for Enterprise Lecture 10 - 10.11

Establishing an SSL Session
[Figure: Establishing an SSL session. Source: Schneider, G. (2007) Electronic Commerce 7th Ed, p.470]


Security Threats and Countermeasures for Enterprise Lecture 10 - 10.12

Secure HTTP (S-HTTP)
“Protocol that sends individual messages
securely using encryption”
• Extension to HTTP
• Developed by CommerceNet
• Uses a secure envelope to encapsulate the
message



Security Threats and Countermeasures for Enterprise Lecture 10 - 10.13

Hash Functions and Digital Signatures
• Intended to eliminate threat of an eCommerce
message being altered
• Hash algorithm is applied to the message
• Produces message digest that cannot be inverted
to produce original information
• Sender encrypts message digest using private key
• Encrypted message digest is called a digital
signature
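Worked example, added here and not taken from the handout or from Schneider: the hash-then-sign flow above in Python, which also illustrates the hash coding and public-key categories from the Encryption slide. The RSA key is a constructed textbook one built from two known Mersenne primes, unpadded and far too small for real use; it is an assumption so the block runs offline with only the standard library.

```python
import hashlib

# Constructed textbook RSA key from two known primes (2^31-1 and 2^61-1).
# Real systems use 2048-bit keys and a padding scheme; this is for illustration only.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q                             # public modulus
E = 65537                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (kept secret by the sender)


def message_digest(message: bytes) -> int:
    """Hash algorithm applied to the message: a SHA-256 digest as an integer.
    The digest cannot be inverted to recover the original message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender 'encrypts' the digest with the private key: the digital signature.
    The digest is reduced mod n only because the toy key is smaller than 256 bits."""
    return pow(message_digest(message) % n, d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver decrypts the signature with the public key and compares the
    recovered digest with a fresh hash of the message actually received.
    Any alteration of the message (or the signature) makes this return False."""
    return pow(signature, e, n) == message_digest(message) % n


if __name__ == "__main__":
    order = b"Pay 100 GBP to account 12345"       # constructed sample message
    sig = sign(order)
    print("genuine message verifies:", verify(order, sig))
    print("altered message verifies:", verify(b"Pay 900 GBP to account 12345", sig))
```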


Security Threats and Countermeasures for Enterprise Lecture 10 - 10.14

Sending and Receiving a Digitally Signed Message
[Figure: Sending and receiving a digitally signed message. Source: Schneider, G. (2007) Electronic Commerce 7th Ed, p.473]


Security Threats and Countermeasures for Enterprise Lecture 10 - 10.15

eCommerce Server Security
• Web server threats
• Database threats
• Physical security threats
• Access control and authentication
• Firewalls



Security Threats and Countermeasures for Enterprise Lecture 10 - 10.16

Web Server Threats
• Can compromise security if server allows
automatic directory listings
• Major threat if the file holding usernames
and passwords of customers is
compromised
• Choice of user passwords can be
problematic if they are guessed too easily
• Dictionary attack programs pose threat


Security Threats and Countermeasures for Enterprise Lecture 10 - 10.17

Database Threats
• eCommerce systems store valuable user data and
product information in databases
• Once a user is authenticated, sections of the
database become available
• Poor security can mean that hackers gain
authentication
• Trojan horse programs can change or remove
access rights and allow hackers to gain entry


Security Threats and Countermeasures for Enterprise Lecture 10 - 10.18

Physical Security Threats
• Web servers need high levels of protection
against threats
• Threats can come from natural disasters or
terrorist attacks
• Disaster recovery plans should be in place
• Back-up copies of server contents held at
remote location



Security Threats and Countermeasures for Enterprise Lecture 10 - 10.19

Access Control and Authentication
• Controls who has access to web servers
• Certificate containing digital signature can be used,
with timestamp and call-back checks
• Usernames and passwords are often used, kept in
a separate database with high security
• Access control list (ACL) restricts file access to
selected users


Security Threats and Countermeasures for Enterprise Lecture 10 - 10.20

Firewalls
• Software or hardware/software combination
• Controls packet traffic moving through a network
• Provides a defence between the internal network
and the Internet
• Categories are packet filter, gateway server and
proxy server
• Intrusion detection systems can help to identify and
block possible attacks
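Worked example, added here and not part of the handout: a minimal packet-filter firewall of the kind the slide describes, placed between the internal network and the Internet. The rule set, the internal address range 10.0.0.0/8 and the sample packets are constructed assumptions; only the Python standard library is used.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str                     # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network     # source addresses the rule applies to
    dst_port: Optional[int]        # destination port; None matches any port


ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed: the internal network

# Constructed rule set for packets arriving from the Internet; first match wins.
RULES = [
    # Anti-spoofing: a packet from outside must never claim an internal source.
    Rule("deny", "any", INTERNAL, None),
    # Public web service: only HTTP and HTTPS are reachable from the Internet.
    Rule("allow", "tcp", ANY, 80),
    Rule("allow", "tcp", ANY, 443),
]


def filter_packet(proto: str, src_ip: str, dst_port: int, rules=RULES) -> str:
    """Return 'allow' or 'deny' for one inbound packet.

    Rules are checked in order; a packet no rule matches is denied,
    so everything not explicitly permitted is blocked (default deny)."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.proto != "any" and rule.proto != proto:
            continue
        if src not in rule.src:
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample packets: a web request, a database probe, a spoofed source.
    for pkt in [("tcp", "203.0.113.5", 443), ("tcp", "203.0.113.5", 3306),
                ("tcp", "10.1.2.3", 443)]:
        print(pkt, "->", filter_packet(*pkt))
```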


Security Threats and Countermeasures for Enterprise Lecture 10 - 10.21

Summary
• Wide range of threats posed by using the
Internet as a communications channel
• Secrecy and privacy are key concerns
• Encryption techniques play an important
role in ensuring effective eCommerce
security
• Variety of security risks to web servers
• Disaster recovery plans should be in place

