
Security Overview & Electronic

Commerce Threats

Electronic Business MS 114


It is not the strongest of the species that survive, nor the most
intelligent, but the one most responsive to change
Charles Darwin
If you're not changing faster than your environment, you are
falling behind
Jack Welch, CEO of GE

Security in Cyberspace
The electronic system that supports e-commerce is
susceptible to abuse and failure in many ways:

Fraud:
Resulting in direct financial loss.
Funds might be transferred from one account to
another, or financial records might simply be
destroyed.

Theft:
Theft of confidential, proprietary, technological, or
marketing information belonging to the firm or to
the customer.
An intruder may disclose such information to a
third party, resulting in damage to a key customer,
a client, or the firm itself.
Disruption:
Disruption of service resulting in major losses to
business or inconvenience to the customer.

Loss:
Loss of customer confidence stemming from
illegal intrusion into customer files or company
business, dishonesty, human mistakes, or network
failure.

Security Issues
Security concerns generally include the
following issues:
Confidentiality:
Controlling who can read data, and ensuring that information
crossing the network remains private.
Typically achieved with encryption.

Identification and Authentication:
Making sure that the sender of a message, or any principal,
is who they claim to be.

Availability:
System resources are protected from tampering and remain
accessible to authorized users at the time and in the format
needed.

Integrity:
Making sure that information is not accidentally or
maliciously altered or corrupted in transit.

Access Control:
Restricting the use of resources to authorized
principals.

Nonrepudiation:
Ensuring that a principal cannot later deny having sent a
message. Typically achieved with digital signatures, since a
shared secret alone cannot prove which of the two parties
produced the message.

Privacy:
An individual's right to nondisclosure of personal information.

Firewalls:
A filter between the corporate network and the Internet that
protects corporate information and files from intruders while
still allowing access to authorized principals.
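As an added illustration of the integrity and authentication properties listed above (example code written for this page, not part of the original slides), the following Python compares an unkeyed hash with an HMAC on a constructed funds-transfer message. The shared key, the message text and the attacker's edit are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample: a funds-transfer instruction as it might travel from
# a client to a merchant or bank server.
MESSAGE = b"transfer 100.00 from ACCT-1 to ACCT-2"


def plain_digest(message: bytes) -> str:
    """Unkeyed SHA-256. Catches accidental corruption, but anyone who can
    change the message can also recompute this value."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256. Only a holder of `key` can produce a valid tag, so the
    receiver learns both that the message is intact and who sent it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so the comparison itself does
    # not leak how many leading characters of the tag were correct.
    return hmac.compare_digest(keyed_tag(key, message), tag)


def tamper(message: bytes) -> bytes:
    """What an attacker on the communications channel does: redirect the payee."""
    return message.replace(b"ACCT-2", b"ACCT-666")


def demo():
    """Returns three booleans: (unkeyed hash fooled, HMAC rejects forgery,
    HMAC accepts the genuine message)."""
    # Shared secret; assumed to have been agreed out of band (e.g. at enrolment).
    key = os.urandom(32)

    # 1. Sender protects the message with a plain hash. The attacker rewrites
    #    both the message and the hash, and the receiver's check still passes.
    forged = tamper(MESSAGE)
    forged_digest = plain_digest(forged)          # attacker needs no secret
    hash_fooled = plain_digest(forged) == forged_digest

    # 2. Sender protects the message with an HMAC. The attacker can still alter
    #    the message but cannot compute a tag for it without the key.
    tag = keyed_tag(key, MESSAGE)
    hmac_rejects = not verify_tag(key, tamper(MESSAGE), tag)
    hmac_accepts = verify_tag(key, MESSAGE, tag)
    return hash_fooled, hmac_rejects, hmac_accepts


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The HMAC gives the receiver integrity and authentication, but not nonrepudiation: the receiver holds the same key and could have produced the tag itself, so it cannot prove to a third party that the sender did. That last property needs a digital signature made with a key only the sender holds.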

Security Threats in the E-commerce Environment

Three key points of vulnerability:


Client
Server
Communications channel

Most common threats:

Malicious code
Hacking and cybervandalism
Credit card fraud/theft
Zombied PC
Phishing
Denial of service attacks
Sniffing
Spoofing

A Typical E-commerce Transaction

Vulnerable Points in an E-commerce Environment

Malicious Code

Virus: a program that attaches itself to other programs without
the owner of the program being aware of it. When the host
program is executed the virus runs, spreads, and causes damage.
Worms:
designed to spread from computer to computer
can spread without any human intervention
propagate over the network and can also affect handheld
devices
Trojan horse: software that appears to perform a desirable
function for the user before it is run or installed, but in
addition to (or instead of) the expected function steals
information or harms the system.

Bad applets (malicious mobile code): malicious Java applets or
ActiveX controls that may be downloaded onto the client and
activated merely by visiting a Web site. Both technologies have
since been retired from mainstream browsers, but the same risk
applies to any code a page can cause the browser to execute.

Examples of Malicious Code

Hacking and Cybervandalism


Hacker: an individual who intends to gain unauthorized
access to computer systems
Cracker: used to denote a hacker with criminal intent
(the two terms are often used interchangeably)
Cybervandalism: intentionally disrupting, defacing or
destroying a Web site
Types of hackers include:
White hats: members of "tiger teams" used by corporate
security departments to test their own security measures
Black hats: act with the intention of causing harm
Grey hats: believe they are pursuing some greater good
by breaking in and revealing system flaws

Credit Card Fraud


Fear that credit card information will be stolen
deters online purchases
Hackers target credit card files and other
customer information files on merchant
servers; use stolen data to establish credit
under false identity
One solution: New identity verification
mechanisms

Kinds of Threats or Crimes


Zombied PCs - A zombie computer (often
shortened as zombie) is a computer connected to the
Internet that has been compromised by a hacker,
computer virus or Trojan horse.
Generally, a compromised machine is only one of many in
a botnet, and will be used to perform malicious tasks of
one sort or another under remote direction. Most owners
of zombie computers are unaware that their system is
being used in this way. Because the owner tends to be
unaware, these computers are metaphorically compared
to zombies.



Phishing - is the criminally fraudulent process of
attempting to acquire sensitive information such as
usernames, passwords and credit card details by
masquerading as a trustworthy entity in an electronic
communication.
Phishing is typically carried out by e-mail or instant
messaging, and it often directs users to enter details at a
fake website whose look and feel are almost identical to
the legitimate one.
Phishing is an example of social engineering techniques
used to fool users, and exploits the poor usability of
current web security technologies.
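The usual tell of a phishing lure is that the link's visible text and its real destination disagree. As an added example (written for this page, not taken from the slides), the following Python extracts the links from a constructed HTML e-mail body and flags three patterns: visible URL text whose host differs from the href, the trusted brand name used as a subdomain of an unrelated registered domain, and punycode hosts used for look-alike names. The bank name `examplebank.com`, the sample message and the two-label "registered domain" rule are assumptions for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the brand the message claims to come from.
TRUSTED_DOMAIN = "examplebank.com"

# Constructed sample: HTML body of a phishing message. The first link shows
# the bank's address as its text but points elsewhere; the second uses a
# punycode (IDN) host; the third is genuine.
SAMPLE_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://examplebank.com.account-verify.example/login">https://www.examplebank.com/login</a>
<a href="http://xn--exmplebank-1kc.com/">Secure portal</a>
<a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname. Deliberately crude: a real checker
    would consult the Public Suffix List (assumption for this demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess_link(href, text, trusted=TRUSTED_DOMAIN):
    """Returns a list of reasons the link looks like a phishing lure."""
    host = urlparse(href).hostname or ""
    reasons = []
    # 1. The visible text is itself a URL, but its host is not where the link goes.
    if text.startswith(("http://", "https://")):
        shown_host = urlparse(text).hostname or ""
        if registered_domain(shown_host) != registered_domain(host):
            reasons.append("display-url mismatch")
    # 2. The trusted brand appears only as a subdomain of some other registered domain.
    if trusted in host and registered_domain(host) != trusted:
        reasons.append("brand as subdomain")
    # 3. Punycode labels: internationalised names used for homoglyph look-alikes.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")
    return reasons


def scan_email(html):
    """Map each href in the message to its list of warning reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_HTML).items():
        print(href, "->", reasons or "ok")
```

The checks are heuristics, not proof: a lure can use a freshly registered domain that trips none of them, which is why the page's point about the poor usability of browser security indicators matters for end users.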


DoS - A denial-of-service attack (DoS attack) or distributed
denial-of-service attack (DDoS attack) is an attempt to make
a computer resource unavailable to its intended users.
Although the means to carry out, motives for, and targets of a DoS
attack may vary, it generally consists of the concerted efforts of a
person or people to prevent an Internet site or service from
functioning efficiently or at all, temporarily or indefinitely.
Perpetrators of DoS attacks typically target sites or services hosted on
high-profile web servers such as banks, credit card payment gateways,
and even root name servers.
The term is generally used with regards to computer networks, but is
not limited to this field, for example, it is also used in reference to CPU
resource management.
One common method of attack involves saturating the target machine
with external communications requests, such that it cannot respond to
legitimate traffic, or responds so slowly as to be rendered effectively
unavailable.
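The flooding method described above is normally met, at the first line, by rate limiting per source. As an added example (written for this page, not from the slides), the following Python implements a sliding-window limiter and replays constructed traffic through it: one normal client and one source sending 60 requests in three seconds. The window size, the per-window limit and the sample addresses are assumptions for the demo.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0          # assumed policy: at most 20 requests ...
MAX_REQUESTS_PER_WINDOW = 20  # ... per source in any 5-second window


def build_sample():
    """Constructed traffic as (timestamp_seconds, source_ip) tuples:
    one legitimate client and one flooding source."""
    events = []
    for i in range(6):                       # 6 requests over 10 s
        events.append((i * 2.0, "203.0.113.10"))
    for i in range(60):                      # 60 requests in about 3 s
        events.append((1.0 + i * 0.05, "198.51.100.7"))
    events.sort()
    return events


class SlidingWindowLimiter:
    """Accepts a request only if fewer than `limit` requests from the same
    source were accepted in the preceding `window` seconds."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self.history = defaultdict(deque)   # source -> timestamps of accepted requests

    def allow(self, ts, source):
        q = self.history[source]
        while q and ts - q[0] >= self.window:   # evict entries older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False                        # drop: this source is over budget
        q.append(ts)
        return True


def replay(events, limiter=None):
    """Run the events through the limiter and return per-source counts."""
    limiter = limiter or SlidingWindowLimiter()
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for ts, src in events:
        key = "accepted" if limiter.allow(ts, src) else "dropped"
        stats[src][key] += 1
    return dict(stats)


if __name__ == "__main__":
    for src, counts in replay(build_sample()).items():
        print(src, counts)
```

Per-source limiting only helps against a single noisy sender. A distributed attack spreads the same load over thousands of zombies, each well under the limit, so the defence has to move upstream to capacity, anycast and scrubbing rather than application-level counters.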



Sniffing:
type of eavesdropping program that monitors
information traveling over a network; enables
hackers to steal proprietary information from
anywhere on a network

Spoofing:
Misrepresenting oneself by using fake e-mail
addresses or masquerading as someone else
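E-mail spoofing of the kind described above leaves traces in the headers the receiving mail server adds. As an added example (written for this page, not from the slides), the following Python inspects two constructed messages, one spoofed and one genuine, and reports a Return-Path or Reply-To domain that disagrees with the From domain and any SPF/DKIM/DMARC verdict other than pass from the Authentication-Results header. The sample headers, the bank domain and the receiving server name are assumptions for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers. The first message claims to be from the bank but
# was handed to the receiving server by an unrelated host; the second is genuine.
SPOOFED = """\
Return-Path: <bounce@mailer.attacker-host.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.attacker-host.example; dkim=none
From: "ExampleBank Support" <support@examplebank.com>
Reply-To: <support@examplebank-helpdesk.example>
To: victim@example.net
Subject: Urgent: verify your account

"""

GENUINE = """\
Return-Path: <noreply@examplebank.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com
From: "ExampleBank" <noreply@examplebank.com>
To: victim@example.net
Subject: Your monthly statement

"""


def address_domain(header_value):
    """Domain part of the address in a header, lower-cased ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Parse spf=/dkim=/dmarc= verdicts from the Authentication-Results header
    written by the receiving mail server."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def spoofing_indicators(raw):
    """Return the list of reasons a message looks spoofed ([] if none)."""
    msg = message_from_string(raw)
    from_domain = address_domain(msg.get("From"))
    indicators = []
    # Envelope sender (Return-Path) should normally match the From domain.
    rp_domain = address_domain(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        indicators.append("Return-Path domain differs from From")
    # A Reply-To that sends replies to a third party is a classic lure.
    reply_domain = address_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        indicators.append("Reply-To domain differs from From")
    # Any SPF/DKIM/DMARC verdict other than pass.
    for mech, verdict in auth_results(msg).items():
        if verdict != "pass":
            indicators.append(f"{mech}={verdict}")
    return indicators


if __name__ == "__main__":
    print("spoofed:", spoofing_indicators(SPOOFED))
    print("genuine:", spoofing_indicators(GENUINE))
```

A Return-Path that differs from the From domain is common for legitimate bulk senders, so it is an indicator to weigh together with the authentication verdicts rather than proof on its own; the robust control is DMARC alignment enforced by the receiving server.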
