
Online Security

THE NEED

Based on a survey by Symantec

- Number of adults exposed to cyber crimes in 2010-11 = 431 million
- Number of adults exposed to cyber crimes daily = more than 1 million
- Number of adults exposed to cyber crimes per second = 14
- 69% of people have been victims of cyber crimes
- Increase in mobile vulnerability by 42%


Cost of Cyber Crime Apathy

- Cost of ineffective online security by online adults in 24 countries in 2011 = USD 338 billion
  - 114 billion directly lost by victims
  - 274 billion: the value victims placed on the time they lost to cyber crimes
- This exceeds the global black market in marijuana, cocaine and heroin combined ($288bn) and approaches the value of all global drug trafficking ($411bn)
- The 2011 bill for cybercrime is more than 100 times the global annual expenditure of UNICEF ($3.65bn)

Situation in India

- In 2011, 1791 cyber crime cases were registered with the National Crime Records Bureau (NCRB)
- [Chart: share of the 1791 NCRB cases by state, for Rajasthan, Karnataka, Kerala, Maharashtra and Andhra Pradesh; the values shown are 7%, 8.40%, 13.10%, 19.50% and 17.70%, but the state-to-value pairing is not recoverable from the extracted text]

- In 2011, cases registered under the Indian Penal Code = 422, 18.5% more than those registered in 2010 (356)
- [Chart: percentage of registered cases by state; legible labels are Delhi 11.6, Chhattisgarh 18 and Maharashtra 20.6, plus an unlabelled value of 18.6]

- 53 mega cities have reported 858 cases under the IT Act 2000, 147% higher than that in 2009 (347)
- [Chart: percentage of cases registered under the IT Act 2000 for Delhi, Hyderabad, Jaipur, Pune, Vishakhapatnam and Bangalore; the values 10, 13.4, 15.4 and 23.6 are legible, the rest are fragmentary, and the city-to-value pairing is not recoverable from the extracted text]

Need to remove Apathy

- [Chart: victims of cybercrime, two bars at 15% and 44%; the bar labels are not recoverable from the extracted text]

- India is the 3rd most targeted country for phishing attacks
- People in India need to step forward with their complaints, as the number of cyber crime victims far outweighs the registered cases
- According to the (Amended) IT Act 2008, Cert-In (Indian Computer Emergency Response Team) is designated to serve as the national agency for cyber security
- Cert-In's 2010 Annual Report claims 6.9 million bot-infected systems and 14348 website defacements
- Between January and September 2011, 6850 .in and 4150 .com domains were defaced
- The Norton cybercrime report says 30 million people were cyber crime victims in 2010, with 4 billion in direct financial losses and 3.6 billion in time spent solving the cases

The E-Commerce Security Environment

Sources of information:
- Internet Crime Complaint Center (IC3): a partnership between the National White Collar Crime Center and the Federal Bureau of Investigation
- The Computer Security Institute
- Security product providers

Security Threats in the E-commerce Environment

Three key points of vulnerability:
- Client
- Server
- Communications channel

Most common threats:
- Malicious code
- Hacking and cyber vandalism
- Credit card fraud/theft
- Spoofing
- Denial of service attacks
- Sniffing
- Insider jobs

A Typical E-commerce Transaction [figure slide; the diagram is not recoverable from the extracted text]

Vulnerable Points in an E-commerce Environment [figure slide; the diagram is not recoverable from the extracted text]

Malicious Code

- Viruses: computer program that has the ability to replicate and spread to other files; most also deliver a "payload" of some sort (may be destructive or benign). Include macro viruses, file-infecting viruses and script viruses
- Worms: designed to spread from computer to computer
- Trojan horse: appears to be benign, but then does something other than expected
- Bad applets (malicious mobile code): malicious Java applets or ActiveX controls that may be downloaded onto a client and activated merely by surfing to a Web site

Hacking and Cybervandalism

- Hacker: individual who intends to gain unauthorized access to a computer system
- Cracker: used to denote a hacker with criminal intent (the two terms are often used interchangeably)
- Cyber vandalism: intentionally disrupting, defacing or destroying a Web site
- Types of hackers include:
  - White hats: members of "tiger teams" used by corporate security departments to test their own security measures
  - Black hats: act with the intention of causing harm
  - Grey hats: believe they are pursuing some greater good by breaking in and revealing system flaws

Credit Card Fraud

- Fear that credit card information will be stolen deters online purchases
- Hackers target credit card files and other customer information files on merchant servers, then use the stolen data to establish credit under a false identity
- One solution: new identity verification mechanisms

Insight on Society: E-Signatures – Bane or Boon to E-commerce?

- Electronic Signatures in Global and National Commerce Act (E-Sign Law): went into effect October 2001
- Gives as much legal weight to an electronic signature as to the traditional version
- Thus far not much impact
- Companies such as Silanis and others are still moving ahead with new e-signature options

Spoofing, DoS and dDoS Attacks, Sniffing, Insider Jobs

- Spoofing: misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
- Denial of service (DoS) attack: hackers flood a Web site with useless traffic to inundate and overwhelm the network
- Distributed denial of service (dDoS) attack: hackers use numerous computers to attack the target network from numerous launch points
- Sniffing: type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network
- Insider jobs: single largest financial threat
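On the defending side, the flood traffic behind a DoS or dDoS attack shows up in the web server's access log as many requests from one source in a short time. The following is an added example, not part of the original slides, of a per-source sliding-window counter over Common Log Format lines; the log lines it processes are constructed samples, and the window length and threshold are assumed values that a site would tune to its own normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def find_flooders(lines, window_seconds=10, threshold=30):
    """Count each source's requests inside a sliding window (assumed 10 s / 30 requests).

    Returns {ip: peak_count} for every source whose count reached the threshold."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])          # logs are not guaranteed to be in order
    recent = defaultdict(deque)              # per-IP timestamps inside the window
    peaks = {}
    span = timedelta(seconds=window_seconds)
    for ip, ts in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > span:              # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def _fmt(ts, ip, path, status=200):
    """Render one constructed log line."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" {status} 512'


def constructed_log():
    """Constructed sample: one source sends 40 requests in 10 s, two browse normally,
    plus one malformed line that the parser must skip."""
    base = datetime(2011, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = [_fmt(base + timedelta(seconds=i // 4), "203.0.113.7", "/") for i in range(40)]
    lines += [_fmt(base + timedelta(seconds=3 * i), "198.51.100.2", "/product/42") for i in range(5)]
    lines += [_fmt(base + timedelta(seconds=7 * i), "192.0.2.33", "/cart", 302) for i in range(4)]
    lines.append("this line is malformed and must be skipped")
    return lines


if __name__ == "__main__":
    print(find_flooders(constructed_log()))
```

A distributed attack defeats a per-IP threshold by design, so in practice this count is one signal among several (aggregate request rate, ratio of errors, geographic spread), and the response is rate limiting or upstream filtering rather than blocking single addresses.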

TWO LINES OF DEFENSE:
- Technology solutions
- Policy solutions

Technology Solutions

- Encryption: process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver
- Purpose of encryption:
  - Secure stored information
  - Secure information transmission

Encryption provides four key dimensions of e-commerce security:
- Message integrity
- Nonrepudiation
- Authentication
- Confidentiality

1. Symmetric Key Encryption: both the sender and the receiver use the same key to encrypt and decrypt the message. Used extensively during the world wars.
   Common flaws in early methods of encryption:
   - Ancient means of encryption can be broken quickly in the digital age
   - Symmetric key encryption requires both parties to share the same key
   - In commercial use, a secret key for transactions with every party is required

2. Public Key Encryption: solves the problem of exchanging keys. Two mathematically related digital keys are used:
   - Private key: kept secret by the owner
   - Public key: widely disseminated
   Drawbacks of public key encryption:
   - No authentication of the sender
   - No assurance that the message was not altered in transit
   - Potential lack of integrity in the system

3. PKE using Digital Signatures and Hash Digests
   - Hash function: algorithm that produces a fixed-length number called a hash or message digest
   - Digital signature: "signed" cipher text that can be sent over the internet

4. Digital Envelopes: a technique that uses symmetric encryption for large documents, but public key encryption to encrypt and send the symmetric key
5. Digital Certificates: digital document issued by a certification authority that contains the name of the subject or company, the subject's public key, a digital certificate serial number and other identifying information
6. Public Key Infrastructure: refers to the CAs and digital certificate procedures that are accepted by all parties
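Items 1 to 4 above (shared-key encryption, public-key encryption, hash digests with digital signatures, and the digital envelope) fit together in one message flow, shown below as an added example that is not part of the original slides. It uses only the Python standard library: the public-key layer is textbook RSA on freshly generated 256-bit primes with no padding (an assumption made to keep the code self-contained; production systems use padded RSA or elliptic-curve schemes from a vetted library), and the symmetric layer uses HMAC-SHA256 as a counter-mode keystream with an encrypt-then-MAC tag in place of a block cipher. All function names are this example's own.

```python
import hashlib
import hmac
import os
import random

# Public-key layer: textbook RSA on 256-bit primes (teaching code, unpadded by assumption).

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keypair(bits=256):
    """Return ((e, n), (d, n)); n is about 2*bits long, so a 256-bit value fits under it."""
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

# Symmetric layer: HMAC-SHA256 keystream (counter mode) plus a tag over nonce||ciphertext.

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def sym_encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def sym_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):        # message integrity
        raise ValueError("message integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Hash digest + digital signature: the fixed-length digest is what gets signed.

def sign(private_key, message):
    d, n = private_key
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def verify(public_key, message, signature):
    e, n = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")

# Digital envelope: symmetric key for the document, recipient's public key for that key.

def seal(recipient_pub, sender_priv, document):
    session_key = os.urandom(32)                      # fresh secret key per message
    e, n = recipient_pub
    return {
        "body": sym_encrypt(session_key, document),
        "wrapped_key": pow(int.from_bytes(session_key, "big"), e, n),
        "signature": sign(sender_priv, document),     # authentication + nonrepudiation
    }

def open_envelope(recipient_priv, sender_pub, envelope):
    d, n = recipient_priv
    session_key = pow(envelope["wrapped_key"], d, n).to_bytes(32, "big")
    document = sym_decrypt(session_key, envelope["body"])   # confidentiality + integrity
    if not verify(sender_pub, document, envelope["signature"]):
        raise ValueError("sender authentication failed")
    return document
```

Only the recipient's private key unwraps the session key, and only the sender's public key verifies the signature, which is how the envelope covers all four dimensions listed above. What this example leaves out is item 5: nothing here proves that a given public key really belongs to the claimed sender, which is the gap digital certificates and a PKI fill.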

Methods of securing communication channels

- Secure Sockets Layer (SSL): provides data encryption, server authentication, optional client authentication and message integrity for TCP/IP connections
- Secure Hypertext Transfer Protocol (S-HTTP): a secure message-oriented communications protocol designed for use in conjunction with HTTP
- Virtual private networks (VPNs): allow remote users to securely access internal networks via the internet, using the Point-to-Point Tunneling Protocol

Protecting Networks

- Firewall: refers to either hardware or software that filters communication packets and prevents some packets from entering the network based on a security policy
- Proxy servers: software server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization
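The firewall description above reduces to a rule list evaluated against each packet, with a default action when nothing matches. Below is an added example, not from the original slides, of such a first-match packet filter in Python; the server addresses, networks and rules are constructed for illustration (documentation IP ranges), and `compare_defaults` evaluates the same rules under default-deny and default-allow to show why default-deny is the safe setting.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                     # source IP address
    dst: str                     # destination IP address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for protocols without one


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network, any by default
    dst: str = "0.0.0.0/0"       # destination network, any by default
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(policy: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; `default` applies when no rule matches."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed policy for a small e-commerce perimeter (addresses are documentation ranges).
WEB_SERVER, DB_SERVER = "192.0.2.10", "192.0.2.20"
POLICY = [
    Rule("deny", src="203.0.113.0/24"),                                   # blocked source range
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=443),                # HTTPS from anywhere
    Rule("allow", src="10.0.0.0/8", dst=WEB_SERVER, proto="tcp", dport=22),          # admin SSH, inside only
    Rule("allow", src=WEB_SERVER + "/32", dst=DB_SERVER, proto="tcp", dport=3306),   # web tier to database
]


def compare_defaults(pkt: Packet) -> dict:
    """Same policy, two defaults: default-deny (correct) beside default-allow (weak)."""
    return {"default_deny": evaluate(POLICY, pkt),
            "default_allow": evaluate(POLICY, pkt, default="allow")}


if __name__ == "__main__":
    # A database port reached directly from the internet matches no rule; only the
    # default decides, which is why that default must be deny.
    print(compare_defaults(Packet("198.51.100.5", DB_SERVER, "tcp", 3306)))
```

Rule order matters as much as the rules: the blocklist entry sits first so that a blocked source cannot reach port 443 through the later allow, and every service the policy does not name is unreachable without anyone having to write a rule for it.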

Protecting Servers and Clients

- Operating system security enhancements: automatic computer security upgrades provided by Microsoft Windows and Apple's OS
- Anti-virus software: inexpensive tools to identify and eradicate the most common types of malicious code, e.g. McAfee, Symantec etc.

Online Gateway

- A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online retailers, bricks-and-clicks, or traditional brick-and-mortar businesses
- It is the equivalent of a physical point of sale terminal located in most retail outlets
- Payment gateways protect credit card details by encrypting sensitive information, such as credit card numbers, to ensure that information is passed securely between the customer and the merchant and also between the merchant and the payment processor

How a Payment Gateway Works [figure slide; the diagram is not recoverable from the extracted text]

Dimensions of E-Commerce Security

- Integrity
- Nonrepudiation
- Authenticity
- Confidentiality
- Privacy
- Availability

Thank you

Siddhart Lahoti, Yash Ambegaokar, Abhinav Rege, Anuj Dayama, Ankit Gupta