Chapter 7
E-Commerce Security & Fraud Prevention
Securing data, transactions and privacy, and protecting people (buyers and sellers), is of utmost importance in conducting EC.
Computer security
Refers to the protection of data, networks, computer programs, computer power and other elements of computerized information systems
key points of vulnerability
Client
Server
Communication Channel
Common security threats
Malicious code (Viruses, Worms, Trojans)
Unwanted programs (Spyware, Browser parasites)
Phishing/identity theft
Hacking and cybervandalism
(you may refer to slides for more)
EC security management concerns for 2011:
Fraud in EC Transactions
Prevention and detection of Malware
(you may refer to slides for more)
Why information security is a problem:
The Internet’s Vulnerable Design
The Shift to Profit-Induced Crimes
Internet underground economy
The Dynamic Nature of EC Systems and the Role of Insiders
Basic security terminology (terms)
Business continuity plan
A plan that keeps the business running after a disaster occurs
Cybercrime
Intentional crimes carried out on the Internet
Cybercriminal
A person who intentionally carries out crimes over the Internet
Exposure
The estimated cost, loss, or damage that can result if a threat exploits a vulnerability
Fraud
Any business activity that uses deceitful practices or devices to deprive another of property or other rights
Malware (malicious software)
A generic term for malicious software
Phishing
A crimeware technique to steal the identity of a target company to get the identities of its customers
Risk
The probability that a vulnerability will be known and used
Social engineering
A type of nontechnical attack that uses some ruse to trick users into revealing information or performing an action that compromises a computer or network
Spam
The electronic equivalent of junk mail
Vulnerability
Weakness in software or other mechanism that threatens the confidentiality, integrity, or availability (CIA)
Zombies
Computers infected with malware that are under the control of a spammer, hacker, or other criminal
Cybersquatting
Involves the registration as domain names of well-known trademarks by non-trademark holders who then try to sell the names back to the trademark owners.
Security Attacks
Non-technical Security Attacks
Major non-technical attack methods
Social Phishing
Social Engineering
Email Spam and Spyware
Data Breach
Identity theft
Search engine spam
Spam site
Splog
Technical Security Attacks
Major technical attack methods
Malware
Unauthorized Access
Denial of Service attacks (DoS)
Distributed Denial of Service attacks (DDoS)
Spam and Spyware
Hijacking
Botnets
Defense: DEFENDERS, STRATEGY, AND METHODS
EC security strategy
EC Security Requirements
- Integrity
- Confidentiality
- Privacy
- Non-repudiation
- Authenticity
- Authorization
- Auditing
deterring measures
prevention measures
detection measures
information assurance (IA)
CIA security triad (CIA triad)
confidentiality, integrity, and availability
confidentiality: assurance of data privacy and accuracy
integrity: assurance that stored data has not been modified without authorization
availability: assurance that access to data, the website, or other EC data service is timely
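The integrity and authenticity requirements above are abstract as stated; the following added example (not part of the original chapter notes) shows the simplest mechanism that enforces them for a stored or transmitted EC order: a keyed message authentication code (HMAC) computed over a canonical serialization of the order. The shared key, the order record and the function names are constructed for illustration. Note the caveat in the code: an HMAC gives integrity and authenticity between two parties that share the key, but not non-repudiation, because either holder of the key could have produced the tag; non-repudiation needs a digital signature under a private key only the sender holds (the PKI node later in this chapter).

```python
import hashlib
import hmac
import json

# Constructed sample secret shared by the EC server and the payment back end.
# In a real deployment it comes from a secret store, never from source code.
SHARED_KEY = b"example-shared-key-not-for-production"


def canonical(order: dict) -> bytes:
    """Serialize the order deterministically so both parties tag identical bytes.

    Without a canonical form, a harmless reordering of JSON keys would look
    like tampering, and an attacker could hunt for two encodings of the same
    logical record that the verifier treats differently.
    """
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def tag_order(order: dict, key: bytes = SHARED_KEY) -> str:
    """Return a hex HMAC-SHA256 tag over the canonical order bytes."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time.

    hmac.compare_digest avoids the timing side channel that a plain '=='
    on hex strings would leak. A True result means: the record is unmodified
    (integrity) and was tagged by a holder of the key (authenticity). It does
    NOT prove which key holder produced it (no non-repudiation).
    """
    return hmac.compare_digest(tag_order(order, key), tag)


# Constructed sample order record.
ORDER = {
    "order_id": "A1001",
    "customer": "buyer@example.com",
    "items": [{"sku": "SKU-42", "qty": 1, "unit_price": 199.00}],
    "total": 199.00,
}


def demo() -> dict:
    """Tag a stored order, then show that a price change is detected."""
    tag = tag_order(ORDER)
    stored_ok = verify_order(ORDER, tag)

    tampered = json.loads(json.dumps(ORDER))  # deep copy
    tampered["total"] = 1.00                  # unauthorized modification
    tampered_ok = verify_order(tampered, tag)

    return {"stored_ok": stored_ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(demo())
```

Running the block prints `{'stored_ok': True, 'tampered_ok': False}`: the original record verifies, the record with the altered total does not, and a tag produced under a different key is rejected as well.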
Defense Strategy
Defense I
Access Control
- uses unique elements such as physical or behavioral characteristics (biometric systems) for authentication and authorization
Encryption
- Process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver
PKI
- A scheme for securing e-payments using public key encryption and various technical components
Defense II Securing eCommerce Networks
Firewall
- A single point between two or more networks where all traffic must pass (choke point)
Proxy servers
- Software servers that handle all communications originating from or being sent to the Internet
Packet-filtering routers
- Firewalls that filter data and requests moving from the public Internet to a private network
Packet filters
- Rules that can accept or reject incoming packets
Application-level proxy
- A firewall that permits requests for Web pages to move from the public Internet to the private network
Bastion gateway
- A special hardware server that utilizes application-level proxy software to limit the types of requests that can be passed to an organization’s internal networks from the public Internet
DMZ
- isolation zone between the two networks that is controlled by rules enforced by a firewall
Personal firewall
- designed to protect an individual user’s desktop system from the public network
Secure channels such as VPN, protocol tunneling, SSL, S-HTTP, IDS
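The packet-filter, DMZ and choke-point nodes above describe the pieces; the following added example (not from the original notes, and not any real firewall's rule syntax) puts them together as a small first-match rule evaluator over constructed packets. The address plan is an assumption: a web server in a DMZ network, a database on the private LAN, and Internet clients elsewhere. It shows the two properties a practitioner checks in any rule set: traffic that matches no rule is rejected (default deny), and rule order matters, since the broad "reject anything to the LAN" rule would also block the web server's database connection if it came first.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp", "udp", ...
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "reject"
    src: str = "any"                 # "any" or a CIDR such as "10.0.0.0/8"
    dst: str = "any"
    proto: str = "any"
    dports: frozenset = frozenset()  # empty means any destination port


def _in_net(addr: str, net: str) -> bool:
    """True if addr lies inside net ('any' matches every address)."""
    if net == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every one of its criteria matches."""
    return (
        _in_net(pkt.src, rule.src)
        and _in_net(pkt.dst, rule.dst)
        and rule.proto in ("any", pkt.proto)
        and (not rule.dports or pkt.dport in rule.dports)
    )


def evaluate(pkt: Packet, rules) -> str:
    """First matching rule decides; anything unmatched is rejected (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "reject"


# Constructed address plan (documentation ranges, not real hosts).
WEB_SERVER = "192.0.2.10"   # lives in the DMZ, reachable from the Internet
DB_SERVER = "10.0.5.20"     # lives on the private LAN, never reachable directly

# Rule order is significant: the narrow accepts come before the broad reject.
RULES = [
    # Internet (or anyone) may reach the DMZ web server on HTTP/HTTPS only.
    Rule("accept", dst=f"{WEB_SERVER}/32", proto="tcp", dports=frozenset({80, 443})),
    # Only the web server may open the database port on the LAN host.
    Rule("accept", src=f"{WEB_SERVER}/32", dst=f"{DB_SERVER}/32",
         proto="tcp", dports=frozenset({3306})),
    # Everything else bound for the private LAN is dropped at the choke point.
    Rule("reject", dst="10.0.0.0/8"),
    # Explicit default deny (evaluate() would reject anyway; stating it is clearer).
    Rule("reject"),
]


def audit(packets, rules=RULES) -> list:
    """Return (packet, decision) pairs for a batch of constructed packets."""
    return [(pkt, evaluate(pkt, rules)) for pkt in packets]


if __name__ == "__main__":
    sample = [
        Packet("203.0.113.5", WEB_SERVER, "tcp", 443),   # shopper -> web: accept
        Packet("203.0.113.5", WEB_SERVER, "tcp", 22),    # shopper -> web ssh: reject
        Packet("203.0.113.5", DB_SERVER, "tcp", 3306),   # shopper -> db: reject
        Packet(WEB_SERVER, DB_SERVER, "tcp", 3306),      # web -> db: accept
    ]
    for pkt, decision in audit(sample):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {decision}")
```

Swapping the second and third rules makes the web server's own database connection fall through to the LAN-wide reject; that is the kind of ordering mistake an `audit()` run over a few representative packets catches before a change reaches a production firewall.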
Defense III Controls, Compliance & Other Defense Mechanism
General control
such as physical controls and administrative controls
Application controls
- use intelligent agents / software agents / softbots / knowbots to protect specific applications
Operating system controls
Anti-virus software
Using the law, such as the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act
Defense IV Protection Against Social Engineering & Fraud
Prevention methods such as:
- in the building: no access to upper floors from the basement; stringent security checks at entrances
- in the office: use access cards, do not allow others to piggyback and enter, and challenge strangers who do not display access cards in the office
- training for employees and secretaries so that they become aware of security issues
Defense VI Implementing Enterprise-Wide Security Programs
Senior management commitment and support drive EC security policies and training, and EC security procedures and enforcement
Defense V: Disaster Preparation, Business Continuity & Risk Management
A continuity plan keeps the business running after a disaster occurs
Recovery planning is part of asset protection, and disaster avoidance covers prevention and precaution
Risk-Management & Cost-Benefit Analysis
Why is it difficult to stop Internet crime?
Lack of Cooperation from Credit Card Issuers and ISPs
Shoppers’ Negligence
Ignoring EC Security Best Practices
Design and Architecture Issues
You can also explain this in terms of technical issues (such as hardware, software, network, etc.) and non-technical issues (such as malicious parties, lack of human awareness, etc.)