CHAPTER 8 E-COMMERCE SECURITY AND FRAUD PROTECTION

THE INFORMATION SECURITY PROBLEM

Information Security

Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction

What is EC Security?

CSI Computer Crime and Security Survey

Annual security survey of U.S. corporations, government agencies, financial and medical institutions, and universities conducted by the Computer Security Institute

Personal Security

National Security

Security Risks for 2011-2012

Cyberwars, Cyberespionage, and Cybercrimes Across Borders

Types of Attack

Corporate espionage that plagues businesses around the world

Political espionage and warfare

The Drivers of EC Security Problems

The Internet's Vulnerable Design

Domain Name System (DNS)

Translates (converts) domain names to their numeric IP addresses

IP Address

An address that uniquely identifies each computer connected to a network or the Internet

The Shift to Profit-Induced Crimes

Internet Underground Economy

E-markets for stolen information made up of thousands of websites that sell credit card numbers, social security numbers, other data such as numbers of bank accounts, social network IDs, passwords, and much more

Keystroke Logging (Keylogging)

A method of capturing and recording user keystrokes

The Dynamic Nature of EC Systems and the Role of Insiders

Why is an E-Commerce Security Strategy needed?

The Computer Security Strategy Dilemma

Basic E-Commerce Security Issues and Landscape

Basic Security Terminology

Business Continuity Plan

A plan that keeps the business running after a disaster occurs; each function in the business should have a valid recovery capability plan

Cybercrime

Intentional crimes carried out on the Internet

Cybercriminal

A person who intentionally carries out crimes over the Internet

Exposure

The estimated cost, loss, or damage that can result if a threat exploits a vulnerability

Fraud

Any business activity that uses deceitful practices or devices to deprive another of property or other rights

Malware (Malicious Software)

A generic term for malicious software

Phishing

A crimeware technique to steal the identity of a target company to get the identities of its customers

Risk

The probability that a vulnerability will be known and used

Social Engineering

A type of nontechnical attack that uses some ruse to trick users into revealing information or performing an action that compromises a computer or network

Spam

The electronic equivalent of junk mail

Vulnerability

Weakness in software or other mechanism that threatens the confidentiality, integrity, or availability of an asset (recall the CIA model); it can be directly used by a hacker to gain access to a system or network

Zombies

Computers infected with malware that are under the control of a spammer, hacker, or other criminal

The Threats, Attacks, and Attackers

Unintentional Threats

Intentional Attacks and Crimes

The Criminals and Methods

Hackers

Someone who gains unauthorized access to a computer system

Cracker

A malicious hacker, such as Maxwell, in the opening case, who may represent a serious problem for a corporation

The Targets of the Attacks in Vulnerable Areas

Vulnerable Areas Are Being Attacked

The Vulnerabilities in Business IT and EC Systems

SECURITY SCENARIOS AND REQUIREMENTS IN E-COMMERCE

The Content of Information Security

EC Security Requirements

Authentication

Process to verify (assure) the real identity of an individual, computer, computer program, or EC website

Authorization

Process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform

Auditing

Availability

Nonrepudiation

Assurance that online customers or trading partners cannot falsely deny (repudiate) their purchase or transaction

THE DEFENSE: DEFENDERS, STRATEGY, AND METHODS

EC security strategy

A strategy that views EC security as the process of preventing and detecting unauthorized use of the organization’s brand, identity, website, e-mail, information, or other asset and attempts to defraud the organization, its customers, and employees.

Deterring Measures

Actions that will make criminals abandon their idea of attacking a specific system (e.g., the possibility of losing a job for insiders)

Prevention Measures

Ways to help stop unauthorized users (also known as “intruders”) from accessing any part of the EC system

Detection Measures

Ways to determine whether intruders attempted to break into the EC system; whether they were successful; and what they may have done

Information Assurance (IA)

The protection of information systems against unauthorized access to or modification of information whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats

Technical Attack Methods: From Viruses to Denial of Service

Malicious code: viruses, worms, and trojan horses

Virus

A piece of software code that inserts itself into a host, including the operating system, in order to propagate; it requires that its host program be run to activate it

Worm

A software program that runs independently, consuming the resources of its host in order to maintain itself, that is capable of propagating a complete working version of itself onto another machine

Trojan horse

A program that appears to have a useful function but that contains a hidden function that presents a security risk

Banking Trojan

A Trojan that comes to life when computer owners visit one of a number of online banking or e-commerce sites

Macro virus (macro worm)

A macro virus or macro worm is executed when the application object that contains the macro is opened or a particular procedure is executed

Denial-of-service (DoS) attack

An attack on a website in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources

Page hijacking

Creating a rogue copy of a popular website that shows contents similar to the original to a Web crawler; once there, an unsuspecting user is redirected to malicious websites

Botnet

A huge number of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet

Malvertising

Nontechnical Methods: From Phishing To Spam

Social Phishing

Sophisticated Phishing Methods

Fraud on the internet

Identity Theft and Identity Fraud

identity theft

Fraud that involves stealing a person's identity and then using that identity, while pretending to be that person, in order to steal money or obtain other benefits

Cyber bank robberies

Spam and spyware attacks

e-mail spam

A subset of spam that involves nearly identical messages sent to numerous recipients by e-mail

spyware

Software that gathers user information over an Internet connection without the user’s knowledge

search engine spam

Pages created deliberately to trick the search engine into offering inappropriate, redundant, or poor-quality search results

spam site

Page that uses techniques that deliberately subvert a search engine’s algorithms to artificially inflate the page’s rankings

splog

Short for spam blog, a site created solely for marketing purposes

data breach

A security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so

The Information Assurance Model and Defense Strategy

CIA security triad (CIA triad)

confidentiality

integrity

availability

Authentication, Authorization, and Nonrepudiation

E-Commerce Security Strategy

The Objective of Security Defense

Security Spending Versus Needs Gap

Assessing Security Needs

vulnerability assessment

penetration test (pen test)

EC security programs

computer security incident management

THE DEFENSE SIDE OF EC SYSTEMS

General, administrative, and application controls

Protection against social engineering and fraud

Defending EC networks

Disaster preparation, business continuity, and risk management

Defending access to computing systems, data flow, and EC transactions

Implementing enterprisewide security programs

The Defense I: Access Control, Encryption, and PKI

access control

Authorization and Authentication

biometric control

biometric systems

ENCRYPTION AND THE ONE-KEY (SYMMETRIC) SYSTEM

plaintext

ciphertext

encryption

encryption algorithm

key (key value)

key space

symmetric (private) key encryption

Data Encryption Standard (DES)

public key infrastructure (PKI)

public key

private key

public (asymmetric) key encryption

digital signature or digital certificate

message digest (MD)

hash function

certificate authorities (CAs)

digital envelope

Secure Sockets Layer (SSL)

firewall

A single point between two or more networks where all traffic must pass

packet

Segment of data sent from one computer to another on a network

The Dual Firewall Architecture: The DMZ

Personal firewall

Network node designed to protect an individual user’s desktop system from the public network by monitoring all the traffic that passes through the computer’s network interface card

Additional Virus, Malware, and Botnet Protection

virtual private network (VPN)

Network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network

Protocol tunneling

Method used to ensure confidentiality and integrity of data transmitted over the Internet by encrypting data packets

intrusion detection system (IDS)

A special category of software that can monitor activity across a network

Dealing with DoS Attacks

Cloud Computing Prevents DoS Attacks

honeypot

Production system (e.g., firewalls, routers, Web servers, database servers) that looks like it does real work, but that acts as a decoy and is watched to study how network intrusions occur

honeynet

A network of honeypots


E-Mail Security