Please enable JavaScript.
Coggle requires JavaScript to display documents.
Chapter 10: Online Security - Coggle Diagram
Chapter 10: Online Security
Online Security Issues Overview
Today’s higher stakes
Electronic mail, shopping, all types of financial transactions
Common worry of Web shoppers
More likely to be stolen from computer where stored
Stolen credit card as it transmits over the Internet
Early Internet days
Most popular use: electronic mail
Chapter topic: security in the context of electronic commerce
Origins of Security on Interconnected Computer Systems
Data security measures taken by Roman Empire
Coded information to prevent enemies from reading secret war and defense plans
Modern electronic security techniques
Defense Department wartime use
[“Orange Book”: rules for mandatory access control]
Business computers
Initially adopted military’s security methods
Today’s computing
Requires comprehensive computer security plans
Computer Security and Risk Management
Computer security
Asset protection from unauthorized access, use, alteration, and destruction
Physical security
Includes tangible protection devices
[Alarms, guards, fireproof doors, security fences, safes or vaults, and bombproof buildings]
Logical security
Asset protection using nonphysical means
Threat
Any act or object posing danger to computer assets
Countermeasure
Procedure (physical or logical)
[Recognizes, reduces, and eliminates threat]
Extent and expense of countermeasures
[Vary depending on asset importance]
Electronic threat examples:
Impostors, eavesdroppers, thieves
Risk management model
Four general organizational actions
[Impact (cost) and probability of physical threat]
Also applicable for protecting Internet and electronic commerce assets from physical and electronic threats
Eavesdropper (person or device)
Listen in on and copy Internet transmissions
FIGURE 10-1 Risk management model
Crackers or hackers (people)
Write programs; manipulate technologies
[Obtain unauthorized access to computers and networks]
White hat hacker and black hat hacker
Distinction between good hackers and bad hackers
Good security scheme implementation
-Identify risks
-Determine how to protect threatened assets
-Calculate costs to protect assets
Elements of Computer Security
Integrity
Preventing unauthorized data modification
Man-in-the-middle exploit
[E-mail message intercepted; contents changed before forwarded to original destination]
Necessity
Preventing data delays or denials (removal)
Delaying message or completely destroying it
Secrecy
-Protecting against unauthorized data disclosure
-Ensuring data source authenticity
Establishing a Security Policy
Security policy
-Assets to protect and why, protection responsibility, acceptable and unacceptable behaviors
-Physical security, network security, access authorizations, virus protection, disaster recovery
Military policy: stresses separation of multiple levels of security
Corporate information classifications
-Public
-Company confidential
Steps to create security policy
-Determine assets to protect from threats
-Determine access to various system parts
-Identify resources to protect assets
-Develop written security policy
-Commit resources
Comprehensive security plan goals
Protect privacy, integrity, availability; authentication
Selected to satisfy Figure 10-2 requirements
FIGURE 10-2 Requirements for secure electronic commerce
Security policies information sources
-WindowSecurity.com site
-Information Security Policy World site
Absolute security: difficult to achieve
Create barriers deterring intentional violators
Reduce impact of natural disasters and terrorist acts
Integrated security
Having all security measures work together
[Prevents unauthorized disclosure, destruction, modification of assets]
Security policy points
-Authentication: Who is trying to access site?
-Access control: Who is allowed to log on to and access site?
-Secrecy: Who is permitted to view selected information?
-Data integrity: Who is allowed to change data?
-Audit: Who or what causes specific events to occur, and when?
:
Security for Client Computers
Client computers
[Must be protected from threats]
Chapter topics organized to follow the transaction-processing flow
[Beginning with consumer,
Ending with Web server at electronic commerce site]
Threats
[Originate in software and downloaded data,
Malevolent server site masquerades as legitimate Web site]
Cookies and Web Bugs
Internet connection between Web clients and servers
Stateless connection
[Each information transmission is independent,
No continuous connection (open session) maintained between any client and server]
Cookies
-Small text files Web servers place on Web client
-Identify returning visitors
-Allow continuing open session
Cookie sources
-First-party cookies
Web server site places them on client computer
-Third-party cookies
Different Web site places them on client computer
Time duration cookie categories
-Session cookies: exist until client connection ends
-Persistent cookies: remain indefinitely
-Electronic commerce sites use both
Disable cookies entirely
-Complete cookie protection
-Problem
[Useful cookies blocked (along with others)
Full site resources not available]
Web browser cookie management functions
-Refuse only third-party cookies
-Review each cookie before accepted
-Provided by most Web browsers
FIGURE 10-3 Mozilla Firefox dialog box for managing stored cookies
Web bug
-Tiny graphic that third-party Web site places on another site’s Web page
-Purpose
[Provide a way for a third-party site to place cookie on visitor’s computer]
Internet advertising community:
Internet advertising community:
-Calls Web bugs “clear GIFs” or “1-by-1 GIFs”
[Graphics created in GIF format,
Color value of “transparent,” small as 1 pixel by 1 pixel]
Active Content
Active content
Cause action to occur
E-commerce example
Place items into shopping cart; compute tax and costs
Programs embedded transparently in Web pages
Cookies, Java applets, JavaScript, VBScript, ActiveX controls, graphics, Web browser plug-ins, e-mail attachments
Applet: small application program
-Typically runs within Web browser
[Some browsers include tools limiting applets’ actions]
Crackers: embed malicious active content
Disadvantages
Can damage client computer
Advantages
Moves data processing chores to client computer
Extends HTML functionality
Scripting languages: provide executable script
Examples: JavaScript and VBScript
FIGURE 10-4 Advanced JavaScript settings in Mozilla Firefox
Trojan horse
Program hidden inside another program or Web page
[Masking true purpose]
May result in secrecy and integrity violations
Zombie (Trojan horse)
Botnet (robotic network, zombie farm)
-All controlled computers act as an attacking unit
Java Applets
Java programming language
Developed by Sun Microsystems
Widespread use in Web pages: active content
Java: platform-independent programming language
-Provides Web page active content
-Server sends applets with client-requested pages
-Most cases: operation visible to visitor
-Possibility: functions not noticed by visitor
Advantages
Adds functionality to business application’s functionality; relieves server-side programs
Disadvantage
Possible security violations (Trojan horse, zombie)
Java sandbox
Rules apply to all untrusted Java applets
[Not established as secure]
Java applets running within sandbox constraint
[Does not allow full client system access,
Prevents secrecy (disclosure) and integrity (deletion or modification) violations]
Confines Java applet actions to set of rules defined by security model
JavaScript
Can be used for attacks
[Cannot commence execution on its own,
User must start ill-intentioned JavaScript program]
Based loosely on Sun’s Java programming language
Enables Web page designers to build active content
Scripting language developed by Netscape
ActiveX Controls
Objects containing programs and properties Web designers place on Web pages
Component construction
Many different programming languages
[Common: C++ and Visual Basic]
Executed on client computer like any other program
Run on Windows operating systems computers
Comprehensive ActiveX controls list
[ActiveX page at Download.com]
Security danger
-Execute like other client computer programs
-Have access to full system resources
[Cause secrecy, integrity, and necessity violations]
-Actions cannot be halted once started
Web browsers
[Provide notice of Active-X download or install]
FIGURE 10-5 ActiveX control download warning dialog box in Internet Explorer
Graphics and Plug-Ins
Graphics, browser plug-ins, and e-mail attachments can harbor executable content
Graphic: embedded code can harm client computer
Browser plug-ins (programs)
-Enhance browser capabilities
-Popular plug-ins: Adobe Flash Player, Apple’s QuickTime Player, Microsoft Silverlight, RealNetworks’ RealPlayer
-Can pose security threats
[1999 RealPlayer plug-in,
Plug-ins executing commands buried within media]
Viruses, Worms, and Antivirus Software
Programs display e-mail attachments by automatically executing associated programs
[Macro viruses within attached files can cause damage]
Virus: software
[Attaches itself to another program,
Causes damage when host program activated]
Worm: virus
Spreads quickly through the Internet
Replicates itself on computers it infects
Macro virus
Small program (macro) embedded in file
ILOVEYOU virus (“love bug”)
-Spread with amazing speed
-Infected computers and clogged e-mail systems
-Replicated itself explosively through Outlook e-mail
-Caused other harm
