CHAPTER 8 E-COMMERCE SECURITY AND FRAUD PROTECTION
THE INFORMATION SECURITY PROBLEM
Information Security
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction
What is EC Security?
CSI Computer Crime and Security Survey
Annual security survey of U.S. corporations, government agencies, financial and medical institutions, and universities conducted by the Computer Security Institute
Personal Security
National Security
Security Risks for 2011-2012
Cyberwars, Cyberespionage, and Cybercrimes Across Borders
Types of Attack
Corporate espionage that plagues businesses around the world
Political espionage and warfare
The Drivers of EC Security Problems
The Internet's Vulnerable Design
Domain Name System (DNS)
Translates (converts) domain names to their numeric IP addresses
IP Address
An address that uniquely identifies each computer connected to a network or the Internet
The Shift to Profit-Induced Crimes
Internet Underground Economy
E-markets for stolen information made up of thousands of websites that sell credit card numbers, social security numbers, other data such as numbers of bank accounts, social network IDs, passwords, and much more
Keystroke Logging (Keylogging)
A method of capturing and recording user keystrokes
The Dynamic Nature of EC Systems and the Role of Insiders
Why is an E-Commerce Security Strategy needed?
The Computer Security Strategy Dilemma
Basic E-Commerce Security Issues and Landscape
Basic Security Terminology
Business Continuity Plan
A plan that keeps the business running after a disaster occurs; each function in the business should have a valid recovery capability plan
Cybercrime
Intentional crimes carried out on the Internet
Cybercriminal
A person who intentionally carries out crimes over the Internet
Exposure
The estimated cost, loss, or damage that can result if a threat exploits a vulnerability
Fraud
Any business activity that uses deceitful practices or devices to deprive another of property or other rights
Malware (Malicious Software)
A generic term for malicious software
Phishing
A crimeware technique to steal the identity of a target company to get the identities of its customers
Risk
The probability that a vulnerability will be known and used
Social Engineering
A type of nontechnical attack that uses some ruse to trick users into revealing information or performing an action that compromises a computer or network
Spam
The electronic equivalent of junk mail.
Vulnerability
Weakness in software or other mechanism that threatens the confidentiality, integrity, or availability of an asset (recall the CIA model); it can be directly used by a hacker to gain access to a system or network
Zombies
Computers infected with malware that are under the control of a spammer, hacker, or other criminal
The Threats, Attacks, and Attackers
Unintentional Threats
Intentional Attacks and Crimes
The Criminals and Methods
Hackers
Someone who gains unauthorized access to a computer system
Cracker
A malicious hacker, such as Maxwell, in the opening case, who may represent a serious problem for a corporation
The Targets of the Attacks in Vulnerable Areas
Vulnerable Areas Are Being Attacked
The Vulnerabilities in Business IT and EC Systems
SECURITY SCENARIOS AND REQUIREMENTS IN E-COMMERCE
The Content of Information Security
EC Security Requirements
Authentication
Process to verify (assure) the real identity of an individual, computer, computer program, or EC website
Authorization
Process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform
Auditing
Availability
Nonrepudiation
Assurance that online customers or trading partners cannot falsely deny (repudiate) their purchase or transaction
THE DEFENSE: DEFENDERS, STRATEGY, AND METHODS
EC security strategy
A strategy that views EC security as the process of preventing and detecting unauthorized use of the organization’s brand, identity, website, e-mail, information, or other asset and attempts to defraud the organization, its customers, and employees.
Deterring Measures
Actions that will make criminals abandon their idea of attacking a specific system (e.g., the possibility of losing a job for insiders)
Prevention Measures
Ways to help stop unauthorized users (also known as “intruders”) from accessing any part of the EC system
Detection Measures
Ways to determine whether intruders attempted to break into the EC system; whether they were successful; and what they may have done
Information Assurance (IA)
The protection of information systems against unauthorized access to or modification of information whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats
Technical Attack Methods: From Viruses to Denial of Service
Malicious code: viruses, worms, and Trojan horses
Virus
A piece of software code that inserts itself into a host, including the operating system, in order to propagate; it requires that its host program be run to activate it
Worm
A software program that runs independently, consuming the resources of its host in order to maintain itself, that is capable of propagating a complete working version of itself onto another machine
Trojan horse
A program that appears to have a useful function but that contains a hidden function that presents a security risk
Banking Trojan
A Trojan that comes to life when computer owners visit one of a number of online banking or e-commerce sites
Macro virus (macro worm)
A macro virus or macro worm is executed when the application object that contains the macro is opened or a particular procedure is executed
Denial-of-service (DoS) attack
An attack on a website in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources
Page hijacking
Creating a rogue copy of a popular website that shows contents similar to the original to a Web crawler; once there, an unsuspecting user is redirected to malicious websites
Botnet
A huge number of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet
Malvertising
Nontechnical Methods: From Phishing To Spam
Social Phishing
Sophisticated Phishing Methods
Fraud on the internet
Identity Theft and Identity Fraud
identity theft
Fraud that involves stealing a person's identity and then using that identity, while pretending to be that person, in order to steal money or obtain other benefits
Cyber bank robberies
Spam and spyware attacks
e-mail spam
A subset of spam that involves nearly identical messages sent to numerous recipients by e-mail
spyware
Software that gathers user information over an Internet connection without the user’s knowledge
search engine spam
Pages created deliberately to trick the search engine into offering inappropriate, redundant, or poor-quality search results
spam site
Page that uses techniques that deliberately subvert a search engine’s algorithms to artificially inflate the page’s rankings
splog
Short for spam blog, a site created solely for marketing purposes
data breach
A security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so
The Information Assurance Model and Defense Strategy
CIA security triad (CIA triad)
confidentiality
integrity
availability
Authentication, Authorization, and Nonrepudiation
E-Commerce Security Strategy
The Objective of Security Defense
Security Spending Versus Needs Gap
Assessing Security Needs
vulnerability assessment
penetration test (pen test)
EC security programs
computer security incident management
THE DEFENSE SIDE OF EC SYSTEMS
General, administrative, and application controls
Protection against social engineering and fraud
Defending EC networks
Disaster preparation, business continuity, and risk management
Defending access to computing systems, data flow, and EC transactions
Implementing enterprisewide security programs
The Defense I: Access Control, Encryption, and PKI
access control
Authorization and Authentication
biometric control
biometric systems
ENCRYPTION AND THE ONE-KEY (SYMMETRIC) SYSTEM
plaintext
ciphertext
encryption
encryption algorithm
key (key value)
key space
symmetric (private) key encryption
Data Encryption Standard (DES)
public key infrastructure (PKI)
public key
private key
public (asymmetric) key encryption
digital signature or digital certificate
message digest (MD)
hash function
certificate authorities (CAs)
digital envelope
Secure Socket Layer (SSL)
firewall
A single point between two or more networks where all traffic must pass
packet
Segment of data sent from one computer to another on a network
The Dual Firewall Architecture: The DMZ
Personal firewall
Network node designed to protect an individual user’s desktop system from the public network by monitoring all the traffic that passes through the computer’s network interface card
Additional Virus, Malware, and Botnet Protection
virtual private network (VPN)
Network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network
Protocol tunneling
Method used to ensure confidentiality and integrity of data transmitted over the Internet by encrypting data packets
intrusion detection system (IDS)
A special category of software that can monitor activity across a network
Dealing with DoS Attacks
Cloud Computing Prevents DoS Attacks
honeynet
A network of honeypots
honeypot
Production system (e.g., firewalls, routers, Web servers, database servers) that looks like it does real work, but that acts as a decoy and is watched to study how network intrusions occur
E-Mail Security