Kenneth C. Laudon
Carol Guercio Traver
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-3
Class Discussion
Stuxnet worm: Stuxnet (first shot in a cyberwar between the United States and Iran, June 2010). Designed to disable the software and computers that controlled the centrifuges in Iran’s uranium enrichment process.
Duqu worm, Sep 2011 (believed to have been created by Stuxnet’s developers). Duqu was designed to collect passwords and take desktop screenshots to monitor users’ actions; Duqu was intended to further gauge the status of Iran’s nuclear program.
In Aug. 2012 Gauss was used to “follow the money” in banking transactions.
Industrial cyberespionage is closely related to cyberwarfare.
Google has been battling Chinese cyberespionage for some time.
The E-commerce Security Environment
Overall size and losses of cybercrime are unclear
Reporting issues
What Is Good E-commerce Security?
To achieve the highest degree of security:
New technologies
Organizational policies and procedures
Industry standards and government laws
Other factors
Time value of money
Cost of security vs. potential loss
Security often breaks at weakest link
The E-commerce Security Environment
Table 5.3, Page 254
Describe the key dimensions of e-commerce security.
There are six key dimensions to e-commerce security:
1. Integrity—ensures that information displayed on a Web site or sent or received via the Internet has not been altered in any way by an unauthorized party.
2. Nonrepudiation—ensures that e-commerce participants do not deny (repudiate) their online actions.
3. Authenticity—verifies an individual’s or business’s identity.
4. Confidentiality—determines whether information shared online, such as through e-mail communication or an order process, can be viewed by anyone other than the intended recipient.
5. Privacy—deals with the use of information shared during an online transaction. Consumers want to limit the extent to which their personal information can be divulged to other organizations, while merchants want to protect such information from falling into the wrong hands.
6. Availability—determines whether a Web site is accessible and operational at any given moment.
The Tension Between Security and Other Values
Ease of use
The more security measures added, the more difficult a site is to use, and the slower it becomes
Public safety and criminal uses of the Internet
Use of technology by criminals to plan crimes or threaten nation-states
- Encrypted files sent via e-mail were used by Ramzi Yousef (Sep-11)
- The case of Umar Farouk Abdulmutallab – AA Detroit 2009
- ISIS 2015
Security Threats in the E-com Environment
Three key points of vulnerability in the e-com environment:
1. Client
2. Server
3. Communications pipeline (Internet communications channels)
A Typical E-commerce Transaction
Vulnerable Points in an E-commerce Transaction
Most Common Security Threats in the
The Malware (cont.)
5. Trojan horses: appear to be benign, but then do something other than expected. Often a way for viruses or other malicious code to be introduced into a computer system
6. Backdoors: feature of viruses, worms and Trojans that allows an attacker to remotely access a compromised
7. Bots (short for robots): covertly installed on your computer when it is attached to the Internet
Botnets: collections of captured bot PCs
Around 90% of the world’s spam, and 80% of the world’s malware, is delivered by botnets. Once installed, the bot responds to external commands sent by the attacker; your computer becomes a “zombie” and is able to be controlled by an external third party
Malware is a threat at both the client and server levels
At the server level, it can bring down an entire Web site, preventing millions of people from using the site (infrequent)
At the client level, malicious code attacks occur, and the damage can quickly spread to millions of other computers connected to the Internet (frequent)
Most Common Security Threats (cont.)
II. Potentially unwanted programs (PUPs)
Program that installs itself on a computer, typically without the user’s informed
Browser parasite: a program that can monitor and change the settings of a user’s browser
Adware: used to call up pop-up ads
Spyware: a program used to obtain information such as a user’s keystrokes, e-mail, instant messages, and even take screenshots
Most Common Security Threats (cont.)
III. Phishing: any deceptive, online attempt by a third party to obtain confidential information for financial gain.
Social engineering relies on human curiosity, greed, and gullibility in order to trick people into taking an action that will result in the downloading of malware
E-mail scams: “Nigerian letter” scam
Spear-phishing: “account verification”
Identity fraud/theft: “steal your identity”
Most Common Security Threats (cont.)
Hacking
Hacker: an individual who intends to gain unauthorized access to a computer system
Cracker: term typically used to denote a hacker with criminal intent
Types of hackers: white, black, grey hats
Hacktivists typically attack governments, organizations, and even individuals for political purposes
Most Common Security Threats (cont.)
Cybervandalism: intentions to disrupt, deface, or destroy sites, or to steal personal or corporate information they can use for financial gain
Data breach: losing control over corporate information to outsiders
Insight on Business: Class Discussion
We Are Legion
What organization and technical failures
led to the data breach on the
PlayStation Network?
Are there any positive social benefits of
hacktivism?
Have you or anyone you know
experienced data breaches or
cybervandalism?
Most Common Security Threats (cont.)
Credit card fraud/theft
Spoofing: attempting to hide a true identity by using someone else’s e-mail or IP address.
Pharming: automatically redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination.
Spam (junk) Web sites (link farms): promise to offer products or services, but in fact are just collections of advertisements
Most Common Security Threats (cont.)
Identity fraud/theft
Unauthorized use of another person’s personal data, such as social security, driver’s license, and/or credit card numbers, as well as user names and passwords, for illegal financial benefit
Denial of service (DoS) attack: uses hundreds or even thousands of computers to attack the target network from numerous launch points
Distributed denial of service (DDoS) attack: hackers flood site with useless traffic to overwhelm network
Most Common Security Threats (cont.)
Sniffing
Eavesdropping program that monitors info traveling over a network
Insider attacks
Poorly designed server and client software
Social network security issues
Mobile platform security issues
Vishing attacks target gullible cell phone users with verbal messages to call a certain number and, for example, donate money to starving children
Smishing attacks exploit SMS (malicious URL)
Madware: innocent-looking apps that contain adware that launches pop-up ads and text messages on your mobile device
Insight on Technology: Class Discussion
Technology Solutions
Protecting Internet communications
Encryption
Protecting networks
Firewalls
Tools Available to Achieve Site Security
Encryption
Encryption: transforms data into cipher text readable only by sender and receiver
Secures stored information and information transmission
Provides 4 of 6 key dimensions of e-commerce security:
Message integrity
Nonrepudiation
Authentication
Confidentiality
Symmetric Key Encryption
Sender and receiver use the same digital key to encrypt and decrypt the message
Requires different set of keys for each transaction
Strength of encryption
Length of binary key used to encrypt data
Data Encryption Standard (DES) 56-bit encryption key
Advanced Encryption Standard (AES)
Most widely used symmetric key encryption
Uses 128-, 192-, and 256-bit encryption keys
Other standards use keys with up to 2,048 bits
Public Key Encryption
Uses two mathematically related digital keys
Public key (widely disseminated)
Private key (kept secret by owner)
Public Key Cryptography: A Simple Case
Public Key Encryption using Digital Signatures and Hash Digests
Hash function: mathematical algorithm that produces a fixed-length number called a message or hash digest
Hash digest of message sent to recipient along with message to verify integrity
Hash digest and message encrypted with recipient’s public key
Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation
Public Key Cryptography with Digital Signatures
Digital Envelopes
Address weaknesses of:
Public key encryption: computationally slow, decreased transmission speed, increased processing time
Symmetric key encryption: insecure transmission lines
Uses symmetric key encryption to encrypt document
Uses public key encryption to encrypt and send symmetric key
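The digital envelope described above, combined with the hash digest and digital signature from the previous slide, as an added Go example (not from the textbook or its slides; it uses only Go's standard library). The message digest is signed with the sender's private key, as standard practice requires, since the sender never holds the recipient's private key; the document itself is encrypted with a fresh AES-256-GCM key, and only that short key is encrypted with the recipient's public key (RSA-OAEP). The order text, the Envelope type and the function names are constructed for this example. Opening the envelope fails on an altered ciphertext or on a signature from the wrong sender, which is how the integrity and authenticity dimensions show up in working code:

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is everything that travels over the insecure channel.
type Envelope struct {
	WrappedKey []byte // one-time AES key, encrypted with the recipient's RSA public key
	Nonce      []byte // AES-GCM nonce for this message
	Ciphertext []byte // AES-GCM output (message plus its authentication tag)
	Signature  []byte // sender's RSA signature over SHA-256(message)
}

// GenerateKeyPair makes a 2048-bit RSA key pair (public key is in PrivateKey.PublicKey).
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealEnvelope hashes and signs the message with the sender's private key, encrypts the
// message under a fresh symmetric key, and wraps that key so only the recipient can read it.
func SealEnvelope(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, message []byte) (*Envelope, error) {
	// Hash digest signed with the sender's private key: authenticity and nonrepudiation.
	digest := sha256.Sum256(message)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	// Fresh 256-bit symmetric key for this one document (fast for bulk data).
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, message, nil)
	// Wrap the symmetric key with the recipient's public key (the "envelope").
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext, Signature: sig}, nil
}

// OpenEnvelope reverses the process and fails closed on any tampering or wrong key.
func OpenEnvelope(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap symmetric key (wrong recipient key or altered envelope)")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	message, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext authentication failed: message was altered in transit")
	}
	// Recompute the digest and check the sender's signature: integrity and authenticity.
	digest := sha256.Sum256(message)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], env.Signature); err != nil {
		return nil, errors.New("signature does not verify: not from the claimed sender")
	}
	return message, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	sender, _ := GenerateKeyPair()
	recipient, _ := GenerateKeyPair()
	order := []byte("order 1001: 2 x widget, ship to 1 Main St") // constructed sample message
	env, err := SealEnvelope(sender, &recipient.PublicKey, order)
	if err != nil {
		panic(err)
	}
	got, err := OpenEnvelope(recipient, &sender.PublicKey, env)
	fmt.Printf("recovered: %q (err=%v)\n", got, err)
	env.Ciphertext[0] ^= 0x01 // simulate a one-bit change in transit
	_, err = OpenEnvelope(recipient, &sender.PublicKey, env)
	fmt.Println("after tampering:", err)
}
```

Run it with `go run`; the last step flips one bit of the ciphertext and shows the authenticated decryption rejecting the message before the signature is even checked. Nothing here protects the private keys themselves once they are stored, which is the limit the slide on limits to encryption solutions points out.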
Creating a Digital Envelope
Digital Certificates
Digital certificate includes:
Name of subject/company
Subject’s public key
Digital certificate serial number
Expiration date, issuance date
Digital signature of certification authority
CA: a trusted third party that issues digital certificates
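An added Go example (not from the textbook or its slides; standard library only) that shows the certificate fields listed above and what a CA does with them. It builds a self-signed CA, has the CA sign a certificate for a constructed merchant host name (shop.example.com, with a constructed serial number and validity period), and then performs the checks a browser performs: chaining to a trusted CA, matching the host name, and checking the issuance and expiration dates. The same certificate is rejected when presented for another host, after its expiration date, or when the verifier trusts only a different CA:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssueCA creates a self-signed certification-authority certificate (the trusted third party).
func IssueCA(name string, now time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template: self-signed
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueSiteCertificate has the CA sign a certificate binding a site's name to a fresh public key:
// subject name, subject's public key, serial number, issuance/expiration dates, CA signature.
func IssueSiteCertificate(ca *x509.Certificate, caKey *rsa.PrivateKey, site string, serial int64, notBefore time.Time, validity time.Duration) (*x509.Certificate, error) {
	siteKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: site, Organization: []string{"Example Merchant Inc"}}, // constructed
		DNSNames:     []string{site},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &siteKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifySiteCertificate does what a browser does: chain to a trusted CA, match the host, check dates.
func VerifySiteCertificate(cert, trustedCA *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

func main() {
	now := time.Now()
	ca, caKey, err := IssueCA("Example Trusted CA", now) // constructed CA name
	if err != nil {
		panic(err)
	}
	cert, err := IssueSiteCertificate(ca, caKey, "shop.example.com", 1234, now.Add(-time.Hour), 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("subject:", cert.Subject.CommonName, "serial:", cert.SerialNumber, "issuer:", cert.Issuer.CommonName)
	fmt.Println("valid:", cert.NotBefore.Format(time.RFC3339), "to", cert.NotAfter.Format(time.RFC3339))
	fmt.Println("right host, trusted CA:", VerifySiteCertificate(cert, ca, "shop.example.com", now))
	fmt.Println("wrong host:", VerifySiteCertificate(cert, ca, "other.example.com", now))
	fmt.Println("after expiry:", VerifySiteCertificate(cert, ca, "shop.example.com", now.Add(200*24*time.Hour)))
	rogue, _, _ := IssueCA("Rogue CA", now)
	fmt.Println("untrusted issuer:", VerifySiteCertificate(cert, rogue, "shop.example.com", now))
}
```

The verifier only ever trusts what is in its root pool, so a certificate that is internally valid but signed by an unknown CA is worthless to it; that is the PKI point on the next slide, that the CAs and procedures must be accepted by all parties.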
Public Key Infrastructure (PKI)
Public key infrastructure (PKI) refers to the CAs and digital certificate procedures that are accepted by all parties.
Pretty Good Privacy (PGP)
A widely used e-mail public key encryption software program, invented in 1991 by Phil Zimmermann; it has become one of the most widely used e-mail public key encryption software tools in the world. Using PGP software installed on your computer, you can compress and encrypt your messages as well as authenticate both yourself and the recipient.
Digital Certificates and Certification Authorities
Limits to Encryption Solutions
Doesn’t protect storage of private key
PKI not effective against insiders, employees
Protection of private keys by individuals may be haphazard
No guarantee that verifying computer of merchant is secure
CAs are unregulated, self-selecting organizations
Securing Channels of Communication
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Establishes secure, negotiated client–server session
Virtual Private Network (VPN)
Allows remote users to securely access internal network via the Internet using the Point-to-Point Tunneling Protocol (PPTP)
Protecting Networks
Firewall
Hardware or software
Uses security policy to filter packets
Two main methods:
Packet filters
Application gateways
Proxy servers (proxies)
Software servers that handle all communications from or sent to the Internet
Intrusion detection systems (IDS)
Intrusion prevention systems (IPS)
Firewalls and Proxy Servers
Protecting Servers and Clients
Operating system security enhancements
Upgrades, patches
Anti-virus software
Easiest and least expensive way to prevent threats to system integrity
Requires daily updates
Management Policies, Business Procedures, and Public Laws
Worldwide, companies spend more than $65 billion on security hardware, software, services
Managing risk includes:
Technology
Effective management policies
Public laws and active enforcement
A Security Plan: Management Policies
Risk assessment
Security policy
Implementation plan
Security organization
Access controls
Authentication procedures, including biometrics
Authorization policies, authorization management systems
Security audit
Developing an E-commerce Security Plan
The Role of Laws and Public Policy
Laws that give authorities tools for identifying, tracing, prosecuting cybercriminals:
National Information Infrastructure Protection Act of 1996
USA Patriot Act
Homeland Security Act
Private and private-public cooperation
CERT Coordination Center
US-CERT
Government policies and controls on encryption software
OECD, G7/G8, Council of Europe, Wassenaar Arrangement
Types of Payment Systems
Cash
Most common form of payment
Instantly convertible into other forms of value
No float
Checking transfer
Second most common payment form in United States
Credit card
Credit card associations (set standards for issuing banks)
Issuing banks (bank that actually issues credit cards and processes transactions)
Processing centers (clearinghouse): institution that handles verification of accounts and balances
Types of Payment Systems (cont.)
Stored value
Funds deposited into account, from which funds are paid out or withdrawn as needed
Debit cards, gift certificates
Peer-to-peer payment systems (PayPal)
Accumulating balance
Accounts that accumulate expenditures and to which consumers make periodic payments
Utility, phone, American Express accounts
Payment System Stakeholders
Consumers
Low-risk, low-cost, refutable, convenience, reliability
Merchants
Low-risk, low-cost, irrefutable, secure, reliable
Financial intermediaries
Secure, low-risk, maximizing profit
Government regulators
Security, trust, protecting participants and enforcing reporting
E-commerce Payment Systems
Credit cards
42% of online payments in 2013 (United States)
Debit cards
29% of online payments in 2013 (United States)
How an Online Credit Transaction Works
Alternative Online Payment Systems
Online stored value systems:
Based on value stored in a consumer’s bank, checking, or credit card account
Example: PayPal
Other alternatives:
Amazon Payments
Google Checkout
Bill Me Later
WUPay, Dwolla, Stripe
Mobile Payment Systems
Use of mobile phones as payment devices established in Europe, Japan, South Korea
Near field communication (NFC)
Short-range (2”) wireless for sharing data between devices
Expanding in United States
Google Wallet
Mobile app designed to work with NFC chips
PayPal
Square
Digital Cash and Virtual Currencies
Digital cash
Based on algorithm that generates unique tokens that can be used in “real” world
Example: Bitcoin
Virtual currencies
Circulate within internal virtual world
Example: Linden Dollars in Second Life, Facebook Credits
From Wikipedia:
Bitcoin is a cryptocurrency and worldwide payment system.[8]:3 It is the first decentralized digital currency, as the system works without a central bank or single administrator.[8]:1[9] The network is peer-to-peer and transactions take place between users directly through the use of cryptography, without an intermediary.[8]:4
These transactions are verified by network nodes and recorded in a public distributed ledger called a blockchain. Bitcoin was invented by an unknown person or group of people under the name Satoshi Nakamoto[10] and released as open-source software in 2009.[11]
Bitcoins are created as a reward for a process known as mining. They can be exchanged for other currencies,[12] products, and services. As of February 2015, over 100,000 merchants and vendors accepted bitcoin as payment.
The word bitcoin is a compound of the words bit and coin.
The blockchain is a public ledger that records bitcoin transactions.
Bitcoin is a digital asset[94] designed by its inventor, Satoshi Nakamoto, to work as a currency. The price of bitcoins has gone through various cycles: in 2011, the value of one bitcoin rapidly rose from about US$0.30 to US$32 before returning to US$2; in 2013 it was around US$224; today (20/12/17) 1 Bitcoin = 16,312.88.
Insight on Society: Class Discussion
Bitcoin
What are some of the benefits of using a digital currency?
What are the risks involved to the user?
What are the political and economic repercussions of a digital currency?
Have you or anyone you know ever used Bitcoin?
Electronic Billing Presentment and Payment (EBPP)
Online payment systems for monthly bills
50% of all bill payments
Two competing EBPP business models:
Biller-direct (dominant model)
Consolidator