E-Business Security

Alter – Information Systems, 4th ed. © 2002 Prentice Hall

Threat of Accidents and Malfunctions
- Operator error
- Hardware malfunction
- Software bugs
- Data errors
- Accidental disclosure of information
- Damage to physical facilities
- Inadequate system performance
- Liability for system failure

Threat of Computer Crime: Theft
- Theft of software and equipment
- Unauthorized use of access codes and financial passwords
- Theft by entering fraudulent transaction data
- Theft by stealing or modifying data
- Internet hoaxes for illegal gain
- Theft by modifying software

Threat of Computer Crime: Sabotage and Vandalism
- Trap door
  - A set of instructions that permits a user to bypass the computer system’s security measures
- Trojan horse
  - A program that appears to be valid but contains hidden instructions that can cause damage

Threat of Computer Crime: Sabotage and Vandalism (cont.)
- Logic bomb
  - A type of Trojan horse set to activate when a particular condition occurs
- Virus
  - A special type of Trojan horse that can replicate itself and spread
- Denial of service attack
  - Sabotaging a Web site by flooding it with incoming messages

Factors that Increase the Risks
- The nature of complex systems
- Human limitations
- Pressures in the business environment

Methods for Minimizing Risks
- Controlling system development and modifications
  - Software change control systems
- Providing security training
- Physical access controls

Controlling Access to Data, Computers, and Networks
- Guidelines for manual data handling
- Access privileges
- Access control based on what you know
  - Password schemes
- Access control based on what you have
- Access control based on where you are
- Access control based on who you are
- Controlling incoming data flowing through networks and other media
  - Commercially available virus protection products
  - Firewall software that inspects each incoming data packet and decides whether it is acceptable based on its IP address
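An added example (not from the slides) of the address-based packet filter the last bullet describes: an ordered allow/deny list keyed on the packet's source IP address, first match wins, anything unmatched is dropped. The rule set and the sample packets are constructed; a filter that looks only at the IP address cannot tell a forged source from a genuine one and knows nothing about ports or connection state, which is why real firewalls inspect more than this.

```python
import ipaddress

# Constructed rule set (assumption, not from the slides): evaluated top to bottom,
# first match wins, and a packet matching no rule is denied (default deny).
RULES = [
    ("deny",  "203.0.113.0/24"),     # range to block, listed before any allow rule
    ("allow", "198.51.100.0/24"),    # partner network
    ("allow", "192.0.2.10/32"),      # one specific host
]

def decide(src_ip, rules=RULES):
    """Return (action, matched_rule) for a packet's source address; rule is None on default deny."""
    ip = ipaddress.ip_address(src_ip)
    for action, net in rules:
        if ip in ipaddress.ip_network(net):   # CIDR containment test
            return action, net
    return "deny", None

def filter_packets(packets, rules=RULES):
    """Apply decide() to each packet dict; return the accepted packets and a one-line log per packet."""
    accepted, log = [], []
    for pkt in packets:
        action, rule = decide(pkt["src"], rules)
        log.append(f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']} {action} (rule: {rule})")
        if action == "allow":
            accepted.append(pkt)
    return accepted, log

# Constructed sample traffic using the RFC 5737 documentation address ranges
PACKETS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 443},   # partner: allowed
    {"src": "203.0.113.9",  "dst": "10.0.0.5", "dport": 443},   # blocked range
    {"src": "192.0.2.10",   "dst": "10.0.0.5", "dport": 80},    # allowed host
    {"src": "192.0.2.11",   "dst": "10.0.0.5", "dport": 80},    # no rule: default deny
]

if __name__ == "__main__":
    for line in filter_packets(PACKETS)[1]:
        print(line)
```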

Firewall and the Internet (figure slide)

Making the Data Meaningless to Unauthorized Users
- Public key encryption – encryption method based on two related keys, a public key and a private (secret) key
  - Also used to transmit the secret key used by the Data Encryption Standard (DES)
- Digital signatures – use public key encryption to authenticate the sender of a message and the message content

Encryption (figure slide)

Controlling Traditional Transaction Processing
- Data preparation and authorization
- Data validation
- Error correction
- Backup and recovery

Maintaining Security in Web-Based Transactions
- Public key infrastructure (PKI)
  - Certification authority (CA) – a company that issues digital certificates
    - Computer-based records that identify the CA, identify the sender that is being verified, contain the sender’s public key, and are digitally signed by the CA
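The certificate from this slide and the key transport and digital signature from the "Making the Data Meaningless" slide, carried through in working code as an added example (not from Alter's text): a CA signs a certificate binding a merchant's name to its public key, the customer checks it against the CA's public key alone, and then sends a DES session key encrypted under the certified merchant key. The primes, the "ToyCA" and "shop.example" names, and the signature construction (SHA-256 hash, then the RSA private-key operation) are assumptions chosen for illustration.

```python
import hashlib
import json
import os

# Constructed toy parameters (assumption, not from the slides): Mersenne primes keep
# the arithmetic genuine but readable. Real systems use 2048-bit+ primes and padded
# schemes (OAEP, PSS); raw "textbook" RSA as written here is for teaching only.
CA_PRIMES = (2**31 - 1, 2**61 - 1)
MERCHANT_PRIMES = (2**89 - 1, 2**107 - 1)

def keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # private exponent (Python 3.8+)
    return (e, n), (d, n)                # public key, private key

def digest(data, n):                     # hash of the message, reduced mod n
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def encrypt(pub, m):                     # anyone may encrypt with the public key ...
    return pow(m, *pub)

def decrypt(priv, c):                    # ... only the private-key holder can decrypt
    return pow(c, *priv)

def sign(priv, data):                    # signature = hash raised to the private exponent
    return pow(digest(data, priv[1]), *priv)

def verify(pub, data, sig):              # checks sender and content with the public key
    return pow(sig, *pub) == digest(data, pub[1])

def issue_cert(ca_priv, subject, subject_pub):
    # Certificate: identifies the CA and the subject, carries the subject's key, signed by the CA
    body = {"issuer": "ToyCA", "subject": subject, "e": subject_pub[0], "n": subject_pub[1]}
    return {"body": body, "sig": sign(ca_priv, json.dumps(body, sort_keys=True).encode())}

def verify_cert(ca_pub, cert):
    return verify(ca_pub, json.dumps(cert["body"], sort_keys=True).encode(), cert["sig"])

def session_demo():
    ca_pub, ca_priv = keygen(*CA_PRIMES)
    merchant_pub, merchant_priv = keygen(*MERCHANT_PRIMES)
    cert = issue_cert(ca_priv, "shop.example", merchant_pub)
    # The customer trusts only the CA key and takes the merchant key from the certificate
    merchant_key = (cert["body"]["e"], cert["body"]["n"])
    des_key = int.from_bytes(os.urandom(8), "big")     # 64-bit DES key for the session
    delivered = decrypt(merchant_priv, encrypt(merchant_key, des_key)) == des_key
    forged = dict(cert, body=dict(cert["body"], subject="other.example"))   # edited, same sig
    return {"cert_valid": verify_cert(ca_pub, cert), "key_delivered": delivered,
            "forged_cert_accepted": verify_cert(ca_pub, forged)}
```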

Transaction Privacy, Authentication, Integrity, and Nonrepudiation
- Web transactions are encrypted using the Secure Sockets Layer (SSL) protocol
  - Encrypts the transmission using a temporary key generated automatically based on session information
- Transaction authentication – the process of verifying the identity of the participants in a transaction
- Transaction integrity – ensuring that information is not changed after the transaction is completed
- Nonrepudiation – ensuring that neither party can deny that the transaction occurred

Difficulties With Security Methods for Web Transactions
- Secure Electronic Transaction (SET) method:
  - Proposed by a consortium of credit card companies
  - More secure than SSL
  - Costly, and very slow adoption rate

Motivating Efficient and Effective Operation
- Monitoring information system usage
  - Business process performance
  - Information system performance
  - Unusual activity
- Charging users to encourage efficiency
  - Chargeback systems try to motivate efficient usage by assigning the cost of information systems to the user departments

Auditing the Information System
- Auditing ensures that financial operations are neither misrepresented nor threatened due to defective procedures or accounting systems
- Auditing around the computer vs. auditing through the computer

Preparing for Disasters
- Disaster plan – a plan of action to recover from occurrences that shut down or harm major information systems