
Chapter 5

Web Security and Optimization

Slide 5-1
Introduction
 Web security is a critical component of protecting
websites, web applications and the servers they run on
 Web security is one part of the broader field of cyber
security: protecting information by preventing,
detecting, and responding to attacks

Slide 5-2
What is a Good Security?
 Reducing risk is a complex process that involves new
technologies, organizational policies and procedures,
and new laws and industry standards
 To achieve the highest degree of security possible, the
available technologies should be used, but technology
alone is not enough
 Organizational policies and procedures are required to
ensure the technologies are not subverted
 Industry standards and government laws are required
to govern payment mechanisms, and to investigate and
prosecute violators of laws designed to protect the
transfer of property in commercial transactions

Slide 5-3
What is a Good Security?

Fig: The Security Environment


Slide 5-4
Security Dimensions
 Six key dimensions: integrity, nonrepudiation,
authenticity, confidentiality, privacy, and availability
 Integrity refers to the ability to ensure that
information being displayed on a Web site, or
transmitted or received over the Internet, has not
been altered in any way by an unauthorized party
 Nonrepudiation refers to the ability to ensure that e-
commerce participants do not deny their online
actions

Slide 5-5
Security Dimensions
 Authenticity refers to the ability to verify the
identity of a person or entity with whom you are
dealing on the Internet
 Spoofing is the act of one person pretending to be
someone else; attackers hide their true identity by
using a forged e-mail sender address or masquerading as
someone else; spoofing can also involve redirecting a Web
link to an address different from the intended one, with a
site masquerading as the intended destination
 Confidentiality refers to the ability to ensure that
messages and data are available only to those who
are authorized to view them
Slide 5-6
Security Dimensions
 Privacy refers to the ability to control the use of
information about oneself
 Availability refers to the ability to ensure that a
website continues to function as intended
 Web security is designed to protect these six
dimensions; when any one of them is compromised,
it is a security issue

Slide 5-7
Security Threats
 Three key points of vulnerability: the client, the
server, and the communications pipeline
 Some of the most common and most damaging forms of
security threats are:
 Malicious code
 Unwanted programs
 Phishing and identity theft
 Hacking and cybervandalism
 Credit card fraud/theft
 Spoofing (pharming)
 Spam (junk) Web sites
 Denial of Service (DoS)
 Distributed Denial of Service (DDoS)
 Sniffing
 Insider attacks
 Poorly designed server and client software
Slide 5-8
Security Threats
 Malicious Code:
 Sometimes referred to as “malware”
 Includes a variety of threats such as viruses, worms,
Trojan horses, and bots
 A virus is a computer program that has the ability to
replicate, or make copies of itself, and spread to other
files; in addition, most computer viruses deliver a
“payload”; the payload may be relatively benign, such
as the display of a message or image, or it may be
highly destructive – destroying files, reformatting the
computer’s hard drive, or causing programs to run
improperly
Slide 5-9
Security Threats
 Computer viruses fall into several major categories
such as macro viruses, file-infecting viruses and script viruses
 Macro viruses are application specific, meaning that
the virus affects only the application for which it was
written (for example, a word processor’s macro language)
 File-infecting viruses infect executable files, such as
.com, .exe, .drv, and .dll
 Script viruses are written in scripting languages such
as VBScript or JavaScript; they are activated simply by
double-clicking an infected script file; the best-known
example is the ILOVEYOU virus (also known as the Love
Bug), a VBScript e-mail attachment that spread worldwide
in May 2000

Slide 5-10
Security Threats
 Instead of just spreading from file to file, a worm is
malware designed to spread from computer to computer
over a network; a worm does not need to be activated
by a user or program in order to replicate itself
 A Trojan horse is a software program that appears to
be benign, but then does something other than
expected; a Trojan horse is not itself a virus because
it does not replicate, but it is often the way viruses or
other malicious code such as bots or rootkits (a
program whose aim is to subvert control of the
computer’s operating system while hiding its own
presence) are introduced into a computer system
Slide 5-11
Security Threats
 Bots (short for robots) are a common type of malicious
code that can be covertly installed on your computer
while it is connected to the Internet; once installed, the
bot responds to external commands sent by the attacker
 Botnets are collections of captured (compromised)
computers under one attacker’s control, used for
malicious activities such as sending spam or launching
DDoS attacks

Slide 5-12
Security Threats
 Unwanted Programs:
 Unwanted programs such as adware, browser parasites,
spyware, and other applications install themselves on a
computer, typically without the user’s informed consent;
once installed, these applications are usually exceedingly
difficult to remove from the computer
 Adware is typically used to call for pop-up ads to display
when the user visits certain sites
 Browser parasite is a program that can monitor and
change the settings of a user’s browser
 Spyware is a program used to obtain information such as
user’s keystrokes, copies of e-mail and instant messages,
and even take screenshots
Slide 5-13
Security Threats
 Phishing and Identity Theft:
 Phishing is any deceptive, online attempt by a third
party to obtain confidential information for financial
gain; The most popular phishing attack is the e-mail
scam letter
 Hacking and Cybervandalism:
 A hacker is an individual who intends to gain
unauthorized access to a computer system
 Within the hacking community, the term cracker is
typically used to denote a hacker with criminal intent,
although in the public press, the terms hacker and
cracker are used interchangeably
Slide 5-14
Security Threats
 Cybervandalism is the intentional disruption,
defacement, or even destruction of a Web site or
corporate information system
 Types of hackers:
 White hats – ethical hackers who, with the owner’s
permission, help organizations locate and fix security
flaws
 Black hats – hackers who act with the intention of
causing harm or for personal gain
 Grey hats – hackers somewhere in the middle, who
believe they are pursuing some greater good by
breaking in without authorization and revealing
system flaws
Slide 5-15
Security Threats
 Credit Card Fraud/Theft:
 Fear of stolen credit card information deters online
purchases
 Hackers target merchant servers; use data to
establish credit under false identity
 Online companies at higher risk than offline
 Spoofing (Pharming) and Spam (Junk) Web Sites:
 Spoofing is, generally, the act of one person
pretending to be someone else
 Hackers attempt to hide their true identity by using
fake email address or masquerading as someone else

Slide 5-16
Security Threats
 Spoofing a Web site is also called “pharming”: the
victim’s request is redirected (for example through a
poisoned DNS entry) to an address different from the
intended one, with a site masquerading as the intended
destination
 Spam Web sites promise to offer some product or
service, but in fact are a collection of advertisements
for other sites, some of which contain malicious code
 Denial of Service (DoS) and Distributed Denial of
Service (DDoS) Attacks:
 In a DoS attack, attackers flood a network or Web
server with many thousands of bogus communications
or requests for service, so that it crashes or can no
longer serve legitimate users
Slide 5-17
Security Threats
 A DDoS attack uses numerous computers (typically a
botnet) to inundate and overwhelm the target from
numerous launch points, which makes it far harder to
block by source address
 Sniffing:
 A sniffer is a type of eavesdropping program that
monitors information traveling over a network
 Sniffers enable attackers to steal proprietary
information from anywhere on a network where traffic
is sent unencrypted, including email messages,
company files, and confidential reports

Slide 5-18
Security Threats
 Insider Attacks:
 The largest financial threats to business institutions come
from insiders
 Malicious intruders seeking system access sometimes
trick employees into revealing their passwords by
pretending to be legitimate members of the company in
need of information
 Employees can introduce errors by entering faulty data or
by not following the proper instructions for processing
data and using computer equipment
 Information systems specialists can also create software
errors as they design and develop new software or
maintain existing programs
Slide 5-19
Security Threats
 Poorly Designed Server and Client Software:
 Many security threats prey on poorly designed server
and client software, sometimes in the operating
system and sometimes in the application software,
including browsers
 The increase in complexity and size of software
programs has contributed to an increase in software
flaws or vulnerabilities that hackers can exploit

Slide 5-20
Technology Solutions
 The threats to the Web are very real, potentially
devastating, and likely to be increasing in intensity
 Technology solutions
 Protecting Internet communications (encryption)
 Securing channels of communication (SSL/TLS, S-HTTP,
VPNs)
 Protecting networks (firewalls)
 Protecting servers and clients (OS security, antivirus)

Slide 5-21
Encryption
 Encryption is the process of transforming plain text
or data into cipher text that cannot be read by
anyone other than the intended sender and receiver
 A cipher is the method (algorithm) for transforming plain
text into cipher text; a key is the secret parameter that
selects one particular transformation out of all those the
cipher can perform
 Purpose of encryption:
 To secure stored information
 To secure information transmission
 Can provide four of six key dimensions of e-
commerce security: message integrity,
nonrepudiation, authentication, and confidentiality
Slide 5-22
Encryption
 Traditionally, records were encrypted using substitution
and transposition ciphers
 In a substitution cipher, every occurrence of a given
letter is replaced systematically by another letter; For
instance, if we used the cipher “letter plus two” –
meaning replace every letter in a word with a new letter
two places forward – then the word “HELLO” would be
“JGNNQ”
 In a transposition cipher, the ordering of the letters in
each word is changed in some systematic way; For
example, the word “HELLO” can be written backwards as
“OLLEH”
Slide 5-23
Encryption
 Symmetric Key Encryption (Secret Key Encryption):
 Was used extensively throughout World War II and is
still the workhorse of Internet encryption
 Both the sender and the receiver use the same key to
encrypt and decrypt the message
 Symmetric key systems are simpler and faster, but their
main drawback is that the two parties must somehow
exchange the key in a secure way; a separate key is
needed for each pair of communicating parties
 The strength of symmetric key encryption depends on the
algorithm and the size of the key used; for the same
algorithm, a longer key makes exhaustive search (trying
every possible key) correspondingly harder
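The substitution and transposition ciphers of slide 5-22, and the point just made that a symmetric cipher is only as strong as its key space, carried through in one added example (this is not code from the deck). It generalizes the slide’s “write the word backwards” transposition to a keyword columnar transposition, and adds the attack the slides only hint at: a crib-based exhaustive search over all 26 shift keys. The shift amount and the keyword play the role of the symmetric key; the sample plaintexts are constructed here.

```python
# Added example for the substitution / transposition / key-size slides.
# Not code from the original deck.  The shift amount (substitution) and
# the keyword (transposition) play the role of the symmetric key.
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext: str, key: int) -> str:
    """Substitution cipher: move every letter `key` places forward,
    wrapping Z -> A.  key=2 turns HELLO into JGNNQ as on the slide.
    Non-letters pass through unchanged (a leak in its own right)."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Same key, opposite direction: a symmetric cipher."""
    return shift_encrypt(ciphertext, -key)


def transpose_encrypt(plaintext: str, key: str) -> str:
    """Columnar transposition (generalises the slide's 'write it
    backwards').  Write the text in rows of len(key) columns, then read
    the columns out in alphabetical order of the key letters.  The
    letters themselves are unchanged, only their order moves."""
    text = plaintext.upper().replace(" ", "")
    cols = len(key)
    text += "X" * (-len(text) % cols)          # pad the last row
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    order = sorted(range(cols), key=lambda i: (key[i], i))
    return "".join(row[c] for c in order for row in rows)


def transpose_decrypt(ciphertext: str, key: str) -> str:
    """Inverse: refill the columns in the same key order, read by rows."""
    cols = len(key)
    n_rows = len(ciphertext) // cols
    order = sorted(range(cols), key=lambda i: (key[i], i))
    grid = [[""] * cols for _ in range(n_rows)]
    pos = 0
    for c in order:
        for r in range(n_rows):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def brute_force_shift(ciphertext: str, crib: str) -> list:
    """Exhaustive key search: try all 26 keys and keep those whose
    plaintext contains `crib`, a word the attacker expects to see.  A
    key space of 26 is exhausted instantly; a 128-bit key space (2**128
    candidates) is what makes the same attack infeasible against AES."""
    return [k for k in range(26) if crib.upper() in shift_decrypt(ciphertext, k)]


if __name__ == "__main__":
    ct = shift_encrypt("HELLO", 2)
    print(ct, shift_decrypt(ct, 2))                        # JGNNQ HELLO
    tt = transpose_encrypt("HELLO WORLD", "KEY")
    print(tt, transpose_decrypt(tt, "KEY"))                # EORXHLODLWLX HELLOWORLDXX
    print(brute_force_shift(shift_encrypt("ATTACK AT DAWN", 19), "DAWN"))  # [19]
```

The brute-force function is the whole lesson: against a 26-key cipher the attacker does not need to find the key, only to try them all and look for readable text. The same loop against a 56-bit DES key needs 2**56 trials, and against a 128-bit AES key 2**128, which is why key length matters only once the algorithm itself has no shortcut.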
Slide 5-24
Encryption
 Data Encryption Standard (DES):
 Developed by IBM in the early 1970s, with input from the
National Security Agency (NSA), and adopted as a US
federal standard in 1977
 Uses a 56-bit encryption key, which is far too short
today: a DES key can be recovered by exhaustive search
with modest resources
 To cope with much faster computers, it was extended as
Triple DES (3DES), which applies DES three times with
two or three separate keys; NIST has since deprecated
3DES as well
 Advanced Encryption Standard (AES):
 Most widely used symmetric key encryption algorithm
 Offers key sizes of 128, 192, and 256 bits
 Other symmetric key systems exist with a range of key
sizes, some supporting keys far longer than 256 bits
Slide 5-25
Encryption
 Public Key Encryption:
 Proposed in 1976 by Whitfield Diffie and Martin Hellman;
solves the problem of exchanging keys
 Two mathematically related digital keys are used: a public
key and a private key
 The private key is kept secret by the owner, and the public
key is widely disseminated; either key can be used to
encrypt, and only the other key of the pair can decrypt;
the keys are much longer than symmetric keys (RSA keys of
2048 bits or more are standard today)
 Once a key has been used to encrypt a message, the same
key cannot be used to decrypt it
 The sender uses the recipient’s public key to encrypt a
message; the recipient uses his or her private key to
decrypt it
Slide 5-26
Encryption

Fig: Public Key Cryptography—A Simple Case


Slide 5-27
Encryption
 Public Key Encryption using Digital Signatures and
Hash Digests:
 Can achieve authentication, nonrepudiation, and
integrity
 To ensure the integrity of a message (that it has not
been altered in transit), a hash function is first used to
create a digest of the message
 A hash function is an algorithm that produces a fixed-
length number called a hash or message digest
 Standard hash functions are available: MD5 produces a
128-bit hash and SHA-1 a 160-bit hash, but both are now
broken for collision resistance, and SHA-256 (256-bit)
or stronger should be used

Slide 5-28
Encryption
 A cryptographic hash function produces a different hash
for practically every message: finding two messages with
the same hash is computationally infeasible
 In the simplified model shown in the figure, the sender
encrypts both the hash result and the original message
using the recipient’s public key, producing a single
block of cipher text
 The entire cipher text is then “encrypted” with the
sender’s private key, creating the digital signature, for
authenticity and nonrepudiation; in practice only the
hash is signed with the sender’s private key, and the
message itself is encrypted separately
 The recipient of this signed cipher text first uses the
sender’s public key to verify the signature and so
authenticate the message

Slide 5-29
Encryption
 Once authenticated, the recipient uses his or her
private key to obtain the hash results and original
message
 As a final step, the recipient applies the same hash
function to the original text, and compares the result
with the result sent by the sender
 If the results are the same, the recipient knows the
message has not been changed during transmission:
the message has integrity

Slide 5-30
Encryption

Fig: Public Key Cryptography with Digital Signatures


Slide 5-31
Encryption
 Digital Envelopes:
 Address the weaknesses of public key encryption and
symmetric key encryption
 Public key encryption is computationally slow, so
encrypting whole documents with it decreases
transmission speed and increases processing time
 Symmetric key encryption alone is insecure because the
symmetric key must somehow reach the recipient over
insecure transmission lines
 A digital envelope uses the more efficient symmetric
encryption and decryption for large documents, and
public key encryption only to encrypt and send the
symmetric (session) key
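The hash-digest, digital-signature and digital-envelope steps of slides 5-27 to 5-31, carried through in one added example (this is not code from the deck). It does what real systems do rather than the simplified “encrypt everything with the private key” model: the sender signs the SHA-256 digest with the private key, the message is encrypted with a fresh symmetric session key, and only that session key is wrapped with the recipient’s public key. The RSA here is a deliberately tiny textbook version with fixed small primes chosen for this example so the arithmetic is visible, and the stream cipher is a SHA-256 counter-mode construction, also an illustration; neither is suitable for real use, where 2048-bit+ RSA with PSS/OAEP padding (or elliptic-curve signatures) and AES-GCM are the norm. The message and key values are constructed here.

```python
# Added example for the hash-digest / digital-signature slides (5-27 to
# 5-30) and the digital-envelope slide (5-31).  Not code from the deck.
# Toy RSA with small fixed primes so the arithmetic is visible; real
# systems use 2048-bit+ keys with PSS/OAEP padding and AES-GCM, never
# raw RSA or a home-made stream cipher like the ones below.
import hashlib
import secrets


# ---- toy RSA: the public key encrypts or verifies, the private key
#      decrypts or signs ------------------------------------------------
def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as ((n, e), (n, d)).
    p and q are assumed prime (in practice: random 1024-bit+ primes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_public(key, m: int) -> int:
    n, e = key
    return pow(m, e, n)


def rsa_private(key, c: int) -> int:
    n, d = key
    return pow(c, d, n)


# ---- hash digest and digital signature -------------------------------
def digest_int(msg: bytes, n: int) -> int:
    """SHA-256 digest of the message, as an integer small enough for the
    toy modulus (real schemes pad the digest instead of reducing it)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(sender_priv, msg: bytes) -> int:
    """Sender signs the digest with the private key: anyone holding the
    public key can check it, nobody else could have produced it."""
    return rsa_private(sender_priv, digest_int(msg, sender_priv[0]))


def verify(sender_pub, msg: bytes, sig: int) -> bool:
    """Recipient recomputes the digest and compares it with the signature
    opened by the sender's public key -> integrity + authenticity."""
    return rsa_public(sender_pub, sig) == digest_int(msg, sender_pub[0])


# ---- digital envelope --------------------------------------------------
def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stream cipher: XOR with a SHA-256 counter-mode keystream.
    The same call decrypts (XOR is its own inverse)."""
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(recipient_pub, sender_priv, msg: bytes) -> dict:
    """Digital envelope: fast symmetric cipher for the bulk message, public
    key only for the short one-time session key, plus a signature over
    the plaintext for authenticity and nonrepudiation."""
    n = recipient_pub[0]
    session_key = secrets.randbelow(n - 2) + 2          # fresh per message
    key_bytes = session_key.to_bytes(16, "big")
    return {
        "ciphertext": stream_xor(key_bytes, msg),
        "wrapped_key": rsa_public(recipient_pub, session_key),
        "signature": sign(sender_priv, msg),
    }


def open_envelope(recipient_priv, sender_pub, envelope: dict) -> bytes:
    """Recipient unwraps the session key with the private key, decrypts,
    and rejects the message unless the sender's signature verifies."""
    session_key = rsa_private(recipient_priv, envelope["wrapped_key"])
    msg = stream_xor(session_key.to_bytes(16, "big"), envelope["ciphertext"])
    if not verify(sender_pub, msg, envelope["signature"]):
        raise ValueError("signature check failed: altered in transit or wrong sender")
    return msg


if __name__ == "__main__":
    # constructed demo keys: the primes are public test values, not secrets
    sender_pub, sender_priv = rsa_keygen(1000000007, 998244353)
    recip_pub, recip_priv = rsa_keygen(2147483647, 1000000009)
    msg = b"Transfer 100 USD to account 42"
    env = seal(recip_pub, sender_priv, msg)
    print(open_envelope(recip_priv, sender_pub, env))   # b'Transfer 100 USD to account 42'
    print(verify(sender_pub, b"Transfer 900 USD to account 42", env["signature"]))  # False
```

Two things to notice: the recipient can decrypt without the sender’s key (the envelope only needs the recipient’s private key), but it cannot accept the message without the sender’s public key, because that is what verifies the signature; and a single flipped ciphertext byte changes the decrypted message, so its digest no longer matches the signature and `open_envelope` rejects it.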
Slide 5-32
Encryption

Fig: Creating a Digital Envelope


Slide 5-33
Encryption
 Digital Certificates and Public Key Infrastructure
(PKI):
 Ensure that people and institutions are who they
claim to be, by binding a public key to an identity
 A digital certificate is a digital document issued by a
trusted third-party institution known as a certification
authority (CA) that contains the name of the subject or
company, the subject’s public key, a certificate serial
number, an expiration date, an issuance date, the digital
signature of the certification authority (a signature over
the certificate’s contents made with the CA’s private key,
which anyone can verify with the CA’s public key) and
other identifying information
Slide 5-34
Encryption
 Certification authority (CA) is a trusted third party
that issues digital certificates
 Public key infrastructure (PKI) refers to the CAs and
digital certificate procedures that are accepted by all
parties
 Pretty good privacy (PGP) is a widely used e-mail
public key encryption program; Using PGP software
installed on your computer, you can compress and
encrypt your messages as well as authenticate both
yourself and the recipient

Slide 5-35
Encryption

Fig: Digital Certificates and Certification Authorities


Slide 5-36
Encryption
 Limitations to Encryption Solutions:
 Encryption does not protect the storage of the private
key
 PKI is not effective against insiders – employees –
who have legitimate access to corporate systems
including customer information
 Protection of private keys by individuals may be
haphazard
 There is no guarantee that the verifying computer of
the merchant is secure
 CAs were historically unregulated, self-selecting
organizations; today browser root programs and the
CA/Browser Forum baseline requirements impose audits,
but a compromised or careless CA can still issue a
certificate for a site it should not

Slide 5-37
Securing Channels of Communication
 Secure Socket Layer (SSL) and its successor Transport
Layer Security (TLS):
 Establish a secure negotiated session between
client and server in which the URL of the requested
document, along with its contents, the contents of
forms, and the cookies, are encrypted
 A session key is a unique symmetric encryption
key negotiated for a single secure session; the slow
public key operations are used only during the handshake
 Provide data encryption, server authentication,
optional client authentication, and message
integrity for TCP/IP connections
 All versions of SSL and TLS 1.0/1.1 are deprecated;
TLS 1.2 or 1.3 should be used
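The “server authentication” promised above only holds if the client actually verifies the server’s certificate chain and hostname; the following added example (not code from the deck; it uses only Python’s standard `ssl` module) shows the misconfiguration that silently switches that off next to the hardened client settings, and a small audit function that tells the two apart. The `open_secure_session` helper is the only part that needs a network connection.

```python
# Added example for the SSL/TLS slide.  Not code from the deck; it uses
# only Python's standard `ssl` module.  The "server authentication" the
# slide promises only holds if the client verifies the server's
# certificate and hostname; the weak context below is the common
# misconfiguration that silently switches that off.
import socket
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Encrypts the channel but authenticates nobody: any certificate,
    including one presented by a man-in-the-middle, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verify the chain against the system trust store, require the
    certificate name to match the host, and refuse SSL 3 / TLS 1.0 / 1.1."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked: a valid certificate for any site is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("obsolete protocol versions (SSL 3.0 / TLS 1.0 / TLS 1.1) are allowed")
    return findings


def open_secure_session(host: str, port: int = 443) -> ssl.SSLSocket:
    """Negotiate a session with the hardened settings (needs network).
    The handshake agrees on the per-session symmetric key; the
    certificate check is what ties that key to the real server."""
    ctx = hardened_client_context()
    raw = socket.create_connection((host, port), timeout=5)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print(audit(weak_client_context()))       # at least two findings
    print(audit(hardened_client_context()))   # []
```

A context that passes `audit` still encrypts nothing by itself: the check that matters happens in `wrap_socket`, which fails the handshake when the chain or the name does not verify. Catching that exception and retrying with `CERT_NONE` is the anti-pattern the weak context represents.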

Slide 5-38
Securing Channels of Communication

Fig: Secure Negotiated Sessions Using SSL


Slide 5-39
Securing Channels of Communication
 Secure Hypertext Transfer Protocol (S-HTTP):
 A secure message-oriented communications
protocol designed for use in conjunction with
HTTP
 Cannot be used to secure non-HTTP messages
 Whereas SSL/TLS is designed to establish a secure
connection between two computers, S-HTTP is designed
to send individual messages securely
 S-HTTP saw almost no deployment and is of historical
interest only; HTTPS (HTTP over TLS) is what is used
in practice

Slide 5-40
Securing Channels of Communication
 Virtual Private Network (VPN):
 Allows remote users to securely access internal
networks via the Internet through an encrypted tunnel;
early VPNs used the Point-to-Point Tunneling Protocol
(PPTP)
 PPTP is a tunneling mechanism that allows one
local network to connect to another using the
Internet as the conduit; its MS-CHAPv2 authentication
has been broken, so PPTP should no longer be used and
IPsec, TLS-based VPNs or WireGuard are used instead
 A primary use of VPNs is to establish secure
communications among business partners – large
suppliers or customers

Slide 5-41
Protecting Networks
 Firewalls:
 Firewalls and proxy servers are intended to build a
wall around your network and the attached servers
and clients
 A firewall refers to either hardware or software that
filters communication packets and prevents some
packets from entering the network based on a security
policy
 Firewalls can filter traffic based on packet attributes
such as source IP address, destination port or IP
address, type of service, the domain name of the
source, and many other dimensions
Slide 5-42
Protecting Networks
 There are two major methods firewalls use to validate
traffic: packet filters and application gateways
 Packet filters examine data packets to determine
whether they are destined for a prohibited port or
originate from a prohibited IP address as specified by
the security administrator
 Application gateways filter communications based on
the application being requested, rather than the source
or destination of the message
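A packet filter of the kind described above, as an added example (not code from the deck): the rule base is an ordered list, the first matching rule decides, and a packet that matches nothing is dropped. The addresses are taken from the RFC 5737 documentation ranges and the sample packets and policy are constructed for this example.

```python
# Added example for the packet-filter slides.  Not code from the deck.
# A firewall's rule base is an ordered list: the first matching rule
# decides, and anything that matches nothing is dropped (default deny).
# Addresses are from the RFC 5737 documentation ranges; packets are
# constructed here.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int        # destination port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # CIDR; 0.0.0.0/0 means any source
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: int = 0              # 0 means any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (0, p.dport))


def decide(rules, p: Packet) -> str:
    """First matching rule wins; an empty or exhausted rule list denies."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Policy for a small DMZ: the web server accepts HTTP/HTTPS from anywhere,
# SSH only from the admin subnet, nothing else; one hostile network is
# blocked outright, and that rule must come first to take precedence.
WEB = "203.0.113.10/32"
POLICY = [
    Rule("deny", src="198.51.100.0/24"),                        # hostile net
    Rule("allow", dst=WEB, proto="tcp", dport=80),
    Rule("allow", dst=WEB, proto="tcp", dport=443),
    Rule("allow", src="192.0.2.0/24", dst=WEB, proto="tcp", dport=22),
    Rule("deny"),                                                # default deny
]

SAMPLES = [
    Packet("192.0.2.25", "203.0.113.10", "tcp", 443),    # client HTTPS
    Packet("198.51.100.7", "203.0.113.10", "tcp", 443),  # HTTPS from hostile net
    Packet("192.0.2.25", "203.0.113.10", "tcp", 22),     # SSH from admin subnet
    Packet("203.0.113.99", "203.0.113.10", "tcp", 22),   # SSH from elsewhere
    Packet("192.0.2.25", "203.0.113.10", "udp", 53),     # DNS to the web host
]


def evaluate_samples(rules=POLICY) -> list:
    return [decide(rules, p) for p in SAMPLES]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLES, evaluate_samples()):
        print(f"{verdict:5} {p.src:>14} -> {p.dst}:{p.dport}/{p.proto}")
    # moving the hostile-network rule below the allow rules lets its
    # HTTPS traffic through: rule order is part of the policy
    print(evaluate_samples(POLICY[1:]))
```

The last line is the check a reviewer of a real rule base makes: drop the leading deny and the hostile network’s HTTPS packet is suddenly allowed, because the port-80/443 allow rules match it first. Rule order is part of the policy, and the explicit trailing deny documents the default even though `decide` would deny anyway.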

Slide 5-43
Protecting Networks
 Proxy Servers (Proxies):
 Software server that handles all communications
originating from or being sent to the Internet, acting as
a spokesperson or bodyguard for the organization
 Act primarily to limit access of internal clients to
external Internet servers, although some proxy servers
act as firewalls as well
 By prohibiting users from communicating directly with
the Internet, companies can restrict access to certain
types of sites
 Also improves Web performance by storing frequently
requested Web pages locally
Slide 5-44
Protecting Networks

Fig: Firewalls and Proxy Servers


Slide 5-45
Protecting Servers and Clients
 Operating system security enhancements
 Applying operating system security patches promptly;
most systems can download and install these patches
automatically when connected to the Internet
 Anti-virus software
 Easiest and least expensive way to prevent threats
to system integrity
 Requires frequent (at least daily) signature updates,
and only catches malware it has signatures or
heuristics for

Slide 5-46
NAT (Network Address Translation)
 NAT translates a private IP address of a computer in
a local network to a public IP address and vice versa;
The public address is used by the router that
connects the computers to the Internet
 When other computers on the Internet attempt to
access computers within the local network, they only
see the IP address of the router; This adds an extra
level of security, since the router can be configured
as a firewall, only allowing authorized systems to
access the computers within the network

Slide 5-47
NAT (Network Address Translation)
 Once a system from outside the network has been
allowed to access a computer within the network, the
IP address is then translated from the router's address
to the computer's unique address
 The address is found in a "NAT table" that defines the
internal IP addresses of computers on the network;
The NAT table also defines the global address seen by
computers outside the network; Even though each
computer within the local network has a specific IP
address, external systems can only see one IP address
when connecting to any of the computers within the
network.
Slide 5-48
NAT (Network Address Translation)
 Network address translation makes computers
outside the local area network (LAN) see only one IP
address, while computers within the network can see
each system's unique address
 NAT aids in network security and also limits the
number of public IP addresses needed by companies and
organizations; using port-based NAT, even large companies
with thousands of computers can share a single public IP
address for connecting to the Internet, with the port
number distinguishing the individual connections
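The NAT table described in slides 5-46 to 5-48, modelled as an added example (not code from the deck). It implements port-based NAT (NAPT, what home and office routers do): many private hosts with RFC 1918 addresses share one public address, each outbound flow creates a table entry, and an inbound packet is forwarded only if it matches an entry or an explicit port forward. The addresses, ports and packets are constructed for this example. The caveat it makes visible: the “security” comes from unsolicited inbound packets having no table entry, and every static port forward deliberately punches through that.

```python
# Added example for the NAT slides.  Not code from the deck.  Models a
# port-translating NAT (NAPT, the kind home and office routers do): many
# private hosts (RFC 1918 addresses) share one public address, outbound
# flows create NAT-table entries, and an inbound packet is forwarded only
# if it matches an entry or an explicit port forward.  The addresses and
# packets are constructed here.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (private_ip, private_port, remote_ip, remote_port)


@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000
    table: Dict[Flow, int] = field(default_factory=dict)                   # flow -> public port
    reverse: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)    # static port forwards

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Rewrite an outgoing packet's source to the public address and an
        allocated public port; one entry per flow, reused for later packets."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.table:
            self.table[flow] = self.next_port
            self.reverse[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.table[flow], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate a packet arriving at the public address.  Returns the
        private (ip, port) to deliver to, or None if there is no matching
        flow: unsolicited inbound traffic is dropped.  Static forwards are
        the deliberate exception and expose that host to the whole Internet."""
        if dst_port in self.forwards:
            return self.forwards[dst_port]
        return self.reverse.get((dst_port, src_ip, src_port))

    def add_forward(self, public_port: int, private_ip: str, private_port: int) -> None:
        self.forwards[public_port] = (private_ip, private_port)


if __name__ == "__main__":
    nat = Nat("203.0.113.5")
    print(nat.outbound("192.168.1.10", 51000, "198.51.100.20", 443))  # ('203.0.113.5', 40000, '198.51.100.20', 443)
    print(nat.outbound("192.168.1.11", 51000, "198.51.100.20", 443))  # ('203.0.113.5', 40001, '198.51.100.20', 443)
    print(nat.inbound("198.51.100.20", 443, 40001))                   # ('192.168.1.11', 51000)
    print(nat.inbound("198.51.100.20", 443, 40002))                   # None (unsolicited)
```

Two private hosts using the same source port 51000 to the same server are kept apart by the public ports 40000 and 40001, which is how thousands of hosts share one address. The reverse table is keyed on the remote address and port as well, so a reply from a different peer to port 40000 is dropped; this is a filtering decision, not an encryption or authentication one, and on IPv6, where NAT is unnecessary, a stateful firewall has to provide the same behaviour explicitly.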

Slide 5-49
