Sie sind auf Seite 1von 41

Amity School of Business

Amity School of Business


BBA, Semester IV E-Commerce Ms Kareena Bhatia

Amity School of Business

MODULE-VI
Security Threats with E-Commerce

Amity School of Business

Internet Security
Internet security is about protecting information. The risks inherent in e-commerce can be harnessed only through appropriate security measures and business and legal procedures that ensure the integrity and reliability of Internet transactions. The electronic system that support e-commerce is susceptible to abuse and failure in many ways: Fraud, resulting in direct financial loss. Funds may be transferred from one account to another Theft of confidential, proprietary, technological, or marketing information belonging to the firm or to the customer Disruption of service, resulting in major losses to the business or inconvenience to the customer Loss of customer confidence stemming from illegal interruption into customer files or company business

Amity School of Business

E-Commerce Security issues


The following points outline the security issues related to e-commerce. Confidentially : Knowing who can read data and ensuring that information in the network remain private. Authentication : Making sure that message senders or principals are who they say they are. Access Control : Restricting the use of a resource to authorized principals. Integrity : Making sure that information is not accidentally or maliciously altered or corrupted in transit. Nonrepudiation : Ensuring that principals cannot deny that they sent the message.

Amity School of Business

Designing E-Security
Designing e-security involves five steps: 1. 2. 3. 4. 5. Assessing Web Security needs. Establishing a Good Policy. Fulfilling Web security needs. Structuring the Security Environment. Monitoring the System.

Amity School of Business

Assessing Web Security Needs


A chief security officer is in charge of overseeing the entire security setup of the firm. He or she should be well versed in the technology as well as the nature of the business. The person must also be able to pinpoint which security breaches threaten the companys business and how well the company is in compliance with various laws and regulations.

Amity School of Business

Establishing A Good Policy


Policies should cover the threats that attack confidentially, integrity and privacy. Security Polices should cover the entire e-commerce system including the merchants local area networks, hardware, software, firewalls, protocols, standards, databases, and the staff directly involved in the e-commerce process. The policies should spell out Internet security practices, the nature and level of risks, the level of protection, and the procedure to be followed in case of threats and recover from failure.

Amity School of Business

Fulfilling Web Security Needs


Design consideration for the company is to list top vulnerabilities and take a close look at critical applications to decide risk levels. The amount of security a Web merchant needs depends on the sensitivity of its data and the demand for it. For example, if your site collects credit card numbers for access, you want the highest security possible for the Web server, the network and the Web site. Consult with your Web administrator or an outside security consultant to see what options are available and how to put them to good use.

Amity School of Business

Structuring The Security Environment


The design begins with sketching out the stepping stones- the sequence and parameters in the security network based on the security policy and requirements of the e-commerce system. How much security goes into a system depends on how much risk the company is willing to take, the security policy it willing to adopt, and the present state of security practices in the workplace. A security perimeter generally includes firewalls, authentication, virtual private networks, and intrusion detection devices. Installing such software and devices is part of physical design. The challenge is to police the entire perimeter.

Amity School of Business

Authorize and Monitoring The Security system


Once the perimeter is secure and only authorized users are allowed access to the e-commerce site, the next step is to install a system that generates authorization to different users to handle different jobs. These functions require that the security system be monitored via feedback mechanisms to ensure that the entire system is working properly. Monitoring means capturing processing details for evidence, verifying that e-commerce is operating within the security policy, and verifying that attacks have been unsuccessful.

Amity School of Business

Kinds of Threats and Crimes


1. Those that are physically related : For example, a hacker might attempt to steal or damage inventory. Other example include stolen credit card records, stolen computer hardware or software. An attacker, often by guessing passwords, might succeed in gaining access to another users account. Those that are order related: For example, a customer might attempt to use an invalid or a stolen credit card or claim no merchandise was received on a good credit card. Children might use their parents credit card without permission. Insiders can do a lot to infect an order because they have access to sensitive systems and information.

2.

Amity School of Business

Kinds of Threats and Crimes


3. Those that are electronically related: A hacker might try to sniff e-mail information or attempt to steal credit card numbers and use them illegally at a later date. Sniffer (a person or a program that uses the Internet to record information that transmits through a router from its source to its destination). Another example of an electronically related attack is damaging or destroying a Web site and infecting the entire business-to-consumer interface with malicious software called a virus.

Amity School of Business

The Threats Posed to E-Commerce Servers


E-Commerce is the transaction of goods and services and the payment for those goods and services over the Internet. Therefore, the physical place where all of these transactions occur is at the Server level. The server can be viewed as the central repository for your E-Commerce Place of Business which consists of the actual website which displays your products and services, the customer database, and the payment mechanism.

Amity School of Business

Threats to E-Commerce servers can be classified as either (1) Malicious Code Threats (2) Transmission Threats. Malicious code is introduced into the server in order to gain access to the system resources. Very often, the intent of Malicious Code Attacks is to cause large scale damage to the E-Commerce server. The threats and risks can be classified as either as active or passive. With passive threats, the main goal is to listen to transmissions to the server. With active threats, the intent is to alter the flow of data transmission aimed directly at the ECommerce server.

Amity School of Business

Malicious Code Threats


Viruses and Worms A virus needs a host of some sort in order to cause damage to the system. The exact definition is . . . a virus attaches itself to executable code and is executed when the software program begins to run or an infected file is opened. So for example, a virus needs a file in which to attach itself to. Once that file is opened, the virus can then cause the damage. This damage can range from the deletion of some files to the total reformatting of the hard drive. The key to thing to remember about viruses is that they cannot by themselves spread-they require a host file. However, worms are very much different. A worm does not need a host to replicate. Rather, the worm replicates itself through the Internet, and can literally infect millions of computers on a global basis in just a matter of hours. However, worms can shut down parts of the Internet or E-Commerce servers, because they can use up valuable resources of the Internet, as well as the memory and processing power of servers and other computers.

Amity School of Business

Malicious Code Threats


Trojan Horses A Trojan Horse is a piece of programming code that is layered behind another program, and can perform covert, malicious functions. For example, your E-Commerce server can display a cool-looking screen saver, but behind that could be a piece of hidden code, causing damage to your system. One way to get a Trojan Horse attack is by downloading software from the Internet. Logic Bombs A Logic Bomb is a version of a Trojan Horse, however, it is event or time specific. For example, a logic bomb will release malicious or rogue code in an E-Commerce server after some specific time has elapsed or a particular event in application or processing has occurred.

Amity School of Business

Transmission Threats
Denial of Service Attacks With a Denial of Service Attack, the main intention is to deny your customers the services provided on your E-Commerce server. There is no actual intent to cause damage to files or to the system, but the goal is to literally shut the server down. This happens when a massive amount of invalid data is sent to the server. Because the server can handle and process so much information at any given time, it is unable to keep with the information and data overflow. As a result, the server becomes confused, and subsequently shuts down.

Amity School of Business

Transmission Threats
Ping of Death When we surf the Web, or send E-Mail, the communications between our computer and the server takes place via the data packet. It is the data packet that contains the information and the request for information that is sent from our computer to other computers over the Internet. The communication protocol which is used to govern the flow of data packets is called Transmission Control Protocol/Internet Protocol, or TCP/IP for short. The TCP/IP protocol allows for data packets to be as large as 65,535 bytes. With a Ping of Death Attack, a massive data packet is sent i.e., > 65,535 bytes. As a result, the memory buffers of the E-Commerce Server are totally overloaded, thus causing it to crash.

Amity School of Business

Customer Related Threats


Phishing Attacks Phishing can be defined as the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to con the user into surrendering private information that will be used for identity theft. For example, fraudulent e-mail could be sent to your customers claiming that their online account is about to expire, or that there is a security upgrade that will take place affecting their online account. After they are tricked into believing the content of the Phishing e-mail, the customer then clicks on the link, and submits all of their confidential information. All Phishing e-mail contains a link, or a web address, in which the customer clicks on thinking that they are using secure and legitimate site.

Amity School of Business

Transmission Threats
Data Packet Sniffing This refers to the use of Data Packet Sniffers, also known simply as sniffers. While it is an invaluable tool to the Network Administrator for troubleshooting and diagnosis, an attacker can also use a sniffer to intercept the data packet flow and analyze the individual data packets. Usernames, passwords, and other confidential customer data can then be hijacked from the E-Commerce server. This is a very serious problem, especially in wireless networks, as the data packets literally leave the confines of the network cabling and travel in the air. Ultimately, Data Packet Sniffing can lead to hijacking sessions. This is when the attacker eventually takes control over the network connection, kicks off legitimate users (such as your customers) from the E-Commerce server, and ultimately gains control of it.

Amity School of Business

Security Protection and Recovery


Basic Internet Security Practices Passwords Firewalls Biometrics

Amity School of Business

FIREWALLS
A firewall is a combination of hardware and software that sits between the internet and internal network of an organization to protect the network from outside attack (Fig. 1). It can examine the data entering or leaving from the network and can filter the data according to certain rules, thus, protects the network from an attack. It uses a set of rules to determine whether outgoing or incoming data packets are allowed to pass through the firewall. For example, we can, as a rule, specify IP addresses of sending devices such that packets from these IP addresses are not allowed to enter the network. The Firewall would stop them from entering.

Amity School of Business

Cryptography
Cryptography is the technique of converting a message into unintelligible or non-understandable form such that even if some unauthorized or unwanted person intercepts the message he/she would still not be able to make any sense out of it. Cryptography is thousands of years old. Techniques used for cryptography Substitution In substitution we replace each letter in the message with another to make the message non-understandable. For example, each letter a in the message can be replaced with letter d and letter b with letter e and so on. Transposition It is based on scrambling the characters in a message. A transposition system may first write a message into a table row by row then the message can be read and rewritten column by column to make it scrambled (see Fig 1)

Amity School of Business

Amity School of Business

Cryptography
Without cryptography, it is doubtful that banks, businesses and individuals would feel safe doing business online. Cryptography is a collection of mathematical techniques used to ensure confidentiality of information. The process of scrambling a message with the help of a key is called Encryption. The process of unscrambling a message using an appropriate key is called Decryption There are two types of cryptography - Symmetric and Asymmetric cryptography.

Amity School of Business

Amity School of Business

Symmetric Cryptography In symmetric cryptography same keys are used for encryption and decryption. Asymmetric or Public Key Cryptography In this type a pair of public and private keys is used for encryption and decryption

Amity School of Business

Amity School of Business

PrivateKey Cryptography (Symmetric Encryption)


In private-key cryptography, the sender and recipient agree beforehand on a secret private key. The plaintext is somehow combined with the key to create the cipher text. The method of combination is such that, it is hoped, an adversary could not determine the meaning of the message without decrypting the message, for which he needs the keys. The following diagram illustrates the Encryption Process . The following diagram illustrates the Decryption Process

Amity School of Business

Amity School of Business

Private-key methods are efficient and difficult to break. However, one major drawback that the key must be exchanged between the sender and recipient beforehand, raising the issue of how to protect the secrecy of the key.

Amity School of Business

Public-Key Cryptography (Asymmetric Encryption) A encryption system that uses two keys -- a public key known to everyone and a private or secret key known only to the recipient of the message. An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them

Amity School of Business

E-Commerce : Encryption contd

(Alices private key)

(Alices public key)

Bob

Doug

Alices public key is known to all

Amity School of Business

"Hey,Alice, how about lunch at Taco Bell. I hear they have free refills!" Bob (S)

Encrypt with Alices public key

HNFmsEm6Un BejhhyCGKOK JUxhiygSBCEiC 0QYIh/Hn3xgiK BcyLK1UcYiY lxx2lCFHDC/A

Alice (R)

HNFmsEm6Un BejhhyCGKOK JUxhiygSBCEiC 0QYIh/Hn3xgiK BcyLK1UcYiY lxx2lCFHDC/A

"Hey,Alice, how about lunch at Taco Bell. I hear they have free refills!" Decrypt with Alices private key

Amity School of Business

Digital/Electronic Signature
An electronic signature means any letters, numbers, symbols, images, characters or any combination thereof in electronic form applied to an electronic document which can ensure authenticity, integrity and non-repudiation. It uses public key cryptography Authenticity means that the message is from a particular source/individual. Integrity means that the message has not been altered during transmission. Non-repudiation means that the execution of the digital signatures cannot be denied by the one who is sending the message.

Amity School of Business

Amity School of Business

Digital Certificates
These are the certificates in electronic form which establish whether or not a public key belongs to the purported owner. A digital certificate at least comprises a public key, certification information (name, ID etc.) and electronic signatures of a certification authority.

Amity School of Business

Certification authority (CA)


A certification authority is defined to be a trusted public/private body that attests the association of a particular individual with his/her corresponding public key. A CA signs digital certificates with its private key. There are many CAs working in the field but the pioneering or the most reputed CA is Verisign which is based in America. Certification authorities work in a hierarchical fashion. There is the CA at the top called root CA (the most reputed CA). It can issue certificates to CAs working below it and those CAs can further issue certificates to CAs working under them. In this fashion a hierarchy of CAs is developed with each CA confirming the public key of the CA below it through a digital certificate.

Amity School of Business

Role of a Certification Authority


The role of a Certification Authority is analogous or similar to a passport office. The issuance of passport by the passport office attaches credibility that this particular person is entitled to travel. However, the passport is not issued by the office until detailed enquiry/verification about the Identity of the person is made. Once a person holds the passport, that confirms that this particular person whose, name, address etc. is appearing on the passport is entitled to travel. Similarly, if a digital certificate is issued by a reputed CA that would confirm to other people that this particular public key certified by the CA belongs to this individual only.

Amity School of Business

Reason why we use the concept of CAs.


We use it for the verification of identify of a person. This is probably the best solution envisaged for such verification, though it may have certain loopholes in it. You can realize that the best thing is that Mr. A personally hands over his public key. On the other hand if I try to trace his public key against his particulars (name, address, and identification no.) on a key server There is a possibility that I end up discovering that there are three, four, five different public keys against the particulars of same Mr. A. Assume that all of them have been certified by different CAs. Now, I am confused that which of these is genuine so that I can use it. Indeed, only one of them is genuine and the rest are fraudulent keys registered by fraudulent people using particulars of Mr. A. In this situation I would use and rely upon that public key of Mr. A that has been certified by the most reputed CA among all the CAs. I would treat others as fraudulent.

Amity School of Business

The objective of getting fraudulent keys is to intercept/receive the messages intended to be sent to a particular receiver. So, if someone intends to receive the messages delivered for Mr. A, he may register the key against his particulars and get a certificate in this behalf. Note: That CAs are supposed to issue the certificate after proper enquiry, otherwise they may also be held liable under different laws.

Das könnte Ihnen auch gefallen