电子商务：管理视角 CH11.ppt

《电子商务：管理视角 CH11.ppt》由会员分享，可在线阅读，更多相关《电子商务：管理视角 CH11.ppt（51页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、Chapter 11E-Commerce Security 2008 Pearson Prentice Hall,Electronic Commerce 2008,Efraim Turban,et al.Learning Objectives1.Explain EC-related crimes and why they cannot be stopped.2.Describe an EC security strategy and why a life cycle approach is needed.3.Describe the information assurance security

2、 principles.4.Describe EC security issues from the perspective of customers and e-businesses.2Learning Objectives5.Identify the major EC security threats,vulnerabilities,and risk.6.Identify and describe common EC threats and attacks.7.Identify and assess major technologies and methods for securing E

3、C communications.8.Identify and assess major technologies for information assurance and protection of EC networks.3Stopping E-Commerce CrimeslInformation assurance(IA)The protection of information systems against unauthorized access to or modification of information whether in storage,processing or

4、transit,and against the denial of service to authorized users,including those measures necessary to detect,document,and counter such threatslhuman firewallsMethods that filter or limit peoples access to critical business documents4Stopping E-Commerce CrimeslzombiesComputers infected with malware tha

5、t are under the control of a spammer,hacker,or other criminallapplication firewallsSpecialized tools designed to increase the security of Web applicationslcommon(security)vulnerabilities and exposures(CVE)Publicly known computer security risks,which are collected,listed,and shared by a board of secu

6、rity-related organizations(cve.mitre.org)5Stopping E-Commerce CrimeslvulnerabilityWeakness in software or other mechanism that threatens the confidentiality,integrity,or availability of an asset(recall the CIA model).It can be directly used by a hacker to gain access to a system or networklriskThe p

7、robability that a vulnerability will be known and used6Stopping E-Commerce CrimeslexposureThe estimated cost,loss,or damage that can result if a threat exploits a vulnerabilitylstandard of due careCare that a company is reasonably expected to take based on the risks affecting its EC business and onl

8、ine transactions7Stopping E-Commerce CrimeslCSI/FBI Computer Crime and Security SurveyAnnual security survey of U.S.corporations,government agencies,financial and medical institutions,and universities conducted jointly by the FBI and the Computer Security Institute8Stopping E-Commerce CrimeslHighlig

9、hts from CSI/FBI Computer Crime and Security Survey:lTotal financial losses from attacks have declined dramaticallylAttacks on computer systems or(detected)misuse of these systems have been slowly but steadily decreasing in all areaslDefacements of Internet Web sites have increased dramaticallyl“Ins

10、ide jobs”occur about as often as external attackslOrganizations largely defend their systems through firewalls,antivirus software,intrusion detection systems,and server-based access control listslOrganizations largely defend their systems through firewalls,antivirus software,intrusion detection syst

11、ems,and server-based access control listslComputer security investments per employee vary widely9E-Commerce Security Strategy and Life Cycle ApproachlThe Internets Vulnerable Designldomain name system(DNS)Translates(converts)domain names to their numeric IP addresseslIP addressAn address that unique

12、ly identifies each computer connected to a network or the Internet10E-Commerce Security Strategy and Life Cycle ApproachlThe Shift to Profit-Motivated CrimeslTreating EC Security as a ProjectlEC security programSet of controls over security processes to protect organizational assetslFour high-level

13、stages in the life cycle of an EC security program:1.Planning and organizing2.Implementation3.Operations and maintenance4.Monitoring and evaluating11E-Commerce Security Strategy and Life Cycle ApproachlOrganizations that do not follow such a life cycle approach usually:lDo not have policies and proc

14、edures that are linked to or supported by security activitieslSuffer disconnect,confusion,and gaps in responsibilities for protecting assetslLack methods to fully identify,understand,and improve deficiencies in the security programlLack methods to verify compliance to regulations,laws,or policieslHa

15、ve to rely on patches,hotfixes,and service packs because they lack a holistic EC security approach12E-Commerce Security Strategy and Life Cycle ApproachlpatchProgram that makes needed changes to software that is already installed on a computer.Software companies issue patches to fix bugs in their pr

16、ograms,to address security problems,or to add functionalitylhotfixMicrosofts name for a patch.Microsoft bundles hotfixes into service packs for easier installationlservice packThe means by which product updates are distributed.Service packs may contain updates for system reliability,program compatib

17、ility,security,and more13E-Commerce Security Strategy and Life Cycle ApproachlIgnoring EC Security Best PracticeslComputing Technology Industry Association(CompTIA)Nonprofit trade group providing information security research and best practiceslDespite the known role of human behavior in information

18、 security breaches,only 29%of the 574 government,IT,financial,and educational organizations surveyed worldwide had mandatory security training.Only 36%offered end-user security awareness training14Information AssurancelCIA security triad(CIA triad)Three security concepts important to information on

19、the Internet:confidentiality,integrity,and availability15Information AssurancelconfidentialityAssurance of data privacy and accuracy.Keeping private or sensitive information from being disclosed to unauthorized individuals,entities,or processeslintegrityAssurance that stored data has not been modifi

20、ed without authorization;and a message that was sent is the same message that was receivedlavailabilityAssurance that access to data,the Web site,or other EC data service is timely,available,reliable,and restricted to authorized users16Information AssurancelauthenticationProcess to verify(assure)the

21、 real identity of an individual,computer,computer program,or EC Web sitelauthorizationProcess of determining what the authenticated entity is allowed to access and what operations it is allowed to perform17Information AssurancelnonrepudiationAssurance that online customers or trading partners cannot

22、 falsely deny(repudiate)their purchase or transactionldigital signature or digital certificateValidates the sender and time stamp of a transaction so it cannot be later claimed that the transaction was unauthorized or invalid18Information Assurance19Information Assurance20Enterprisewide E-Commerce S

23、ecurity and Privacy Model21Enterprisewide E-Commerce Security and Privacy ModellSenior Management Commitment and SupportlEC Security Policies and TraininglTo avoid violating privacy legislation when collecting confidential data,policies need to specify that customers:lKnow they are being collectedlG

24、ive permission,or“opt in,”for them to be collectedlHave some control over how the information is usedlKnow they will be used in a reasonable and ethical manner22Enterprisewide E-Commerce Security and Privacy Modellacceptable use policy(AUP)Policy that informs users of their responsibilities when usi

25、ng company networks,wireless devices,customer data,and so forth23Enterprisewide E-Commerce Security and Privacy ModellEC Security Procedures and Enforcementlbusiness impact analysis(BIA)An exercise that determines the impact of losing the support of an EC resource to an organization and establishes

26、the escalation of that loss over time,identifies the minimum resources needed to recover,and prioritizes the recovery of processes and supporting systemslSecurity Tools:Hardware and Software24Basic E-Commerce Security Issues and PerspectiveslSome of the major technology defenses to address these sec

27、urity issues that can occur in EC:lAuthenticationlAuthorizationlauditingProcess of recording information about what Web site,data,file,or network was accessed,when,and by whom or whatlConfidentiality(privacy)and integrity(trust)lAvailabilitylNonrepudiation25Threats and Attackslnontechnical attackAn

28、attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a networklsocial engineeringA type of nontechnical attack that uses some ruse to trick users into revealing information or performing an action that compromises a com

29、puter or network26Threats and Attacksltechnical attackAn attack perpetrated using software and systems knowledge or expertiseltime-to-exploitationThe elapsed time between when a vulnerability is discovered and the time it is exploitedlSpywareGuideA public reference site for spyware27Threats and Atta

30、ckslzero-day incidentsAttacks through previously unknown weaknesses in their computer networksldenial of service(DOS)attackAn attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources28Threats

31、and AttackslWeb server and Web page hijackinglbotnetA huge number(e.g.,hundreds of thousands)of hijacked Internet computers that have been set up to forward traffic,including spam and viruses,to other computers on the InternetlmalwareA generic term for malicious softwarelvirusA piece of software cod

32、e that inserts itself into a host,including the operating systems,in order to propagate;it requires that its host program be run to activate it29Threats and AttackslwormA software program that runs independently,consuming the resources of its host in order to maintain itself,that is capable of propa

33、gating a complete working version of itself onto another machinelmacro virus(macro worm)A virus or worm that executes when the application object that contains the macro is opened or a particular procedure is executedlTrojan horseA program that appears to have a useful function but that contains a h

34、idden function that presents a security risk30Threats and AttackslTrojan-Phisher-ReberyA new variant of a Trojan program that stole tens of thousands of stolen identities from 125 countries that the victims believed were collected by a legitimate companylbanking TrojanA Trojan that comes to life whe

35、n computer owners visit one of a number of online banking or e-commerce siteslrootkitA special Trojan horse program that modifies existing operating system software so that an intruder can hide the presence of the Trojan program31Securing E-Commerce Communicationslaccess controlMechanism that determ

36、ines who can legitimately use a network resourcelpassive tokenStorage device(e.g.,magnetic strip)that contains a secret code used in a two-factor authentication systemlactive tokenSmall,stand-alone electronic device that generates one-time passwords used in a two-factor authentication system32Securi

37、ng E-Commerce Communicationslbiometric systemsAuthentication systems that identify a person by measurement of a biological characteristic,such as fingerprints,iris(eye)patterns,facial features,or voicelpublic key infrastructure(PKI)A scheme for securing e-payments using public key encryption and var

38、ious technical components33Securing E-Commerce CommunicationslencryptionThe process of scrambling(encrypting)a message in such a way that it is difficult,expensive,or time-consuming for an unauthorized person to unscramble(decrypt)itlplaintextAn unencrypted message in human-readable formlciphertextA

39、 plaintext message after it has been encrypted into a machine-readable form34Securing E-Commerce Communicationslencryption algorithmThe mathematical formula used to encrypt the plaintext into the ciphertext,and vice versalkey(key value)The secret code used to encrypt and decrypt a messagelkey spaceT

40、he large number of possible key values(keys)created by the algorithm to use when transforming the message35Securing E-Commerce Communicationslsymmetric(private)key systemAn encryption system that uses the same key to encrypt and decrypt the messagelData Encryption Standard(DES)The standard symmetric

41、 encryption algorithm supported by the NIST and used by U.S.government agencies until October 2000lRijndaelAn advanced encryption standard(AES)used to secure U.S.government communications since October 2,200036Securing E-Commerce Communications37Securing E-Commerce Communicationslpublic(asymmetric)k

42、ey encryptionMethod of encryption that uses a pair of matched keysa public key to encrypt a message and a private key to decrypt it,or vice versalpublic keyEncryption code that is publicly available to anyonelprivate keyEncryption code that is known only to its ownerlRSAThe most common public key en

43、cryption algorithm;uses keys ranging in length from 512 bits to 1,024 bits38Securing E-Commerce CommunicationslhashA mathematical computation that is applied to a message,using a private key,to encrypt the messagelmessage digest(MD)A summary of a message,converted into a string of digits after the h

44、ash has been appliedldigital envelopeThe combination of the encrypted original message and the digital signature,using the recipients public keylcertificate authorities(CAs)Third parties that issue digital certificates39Securing E-Commerce CommunicationslSecure Socket Layer(SSL)Protocol that utilize

45、s standard certificates for authentication and data encryption to ensure privacy or confidentialitylTransport Layer Security(TLS)As of 1996,another name for the SSL protocol40Securing E-Commerce NetworkslThe selection and operation of technologies that ensure network security should be based on:lDef

46、ense in depthlNeed-to-access basislpolicy of least privilege(POLP)Policy of blocking access to network resources unless access is required to conduct businesslRole-specific securitylMonitoringlPatch managementlIncident response team(IRT)41Securing E-Commerce NetworkslFIREWALLSlfirewallA single point

47、 between two or more networks where all traffic must pass(choke point);the device authenticates,controls,and logs all trafficlpacketSegment of data sent from one computer to another on a network42Securing E-Commerce NetworkslFirewalls can be designed to protect against:lRemote loginlApplication back

48、doorslSMTP session hijackinglMacroslViruseslSpam43Securing E-Commerce Networkslpacket-filtering routersFirewalls that filter data and requests moving from the public Internet to a private network based on the network addresses of the computer sending or receiving the requestlpacket filtersRules that

49、 can accept or reject incoming packets based on source and destination addresses and the other identifying information44Securing E-Commerce Networkslapplication-level proxyA firewall that permits requests for Web pages to move from the public Internet to the private networklbastion gatewayA special

50、hardware server that utilizes application-level proxy software to limit the types of requests that can be passed to an organizations internal networks from the public Internet45Securing E-Commerce Networks46Securing E-Commerce NetworkslproxiesSpecial software programs that run on the gateway server