Security and Trust in E-Commerce


WELCOME EVERYONE

PRESENTATION TOPIC:

Presented By:
M. Uzair 11
M. Faisal 16
Taha Khan 44
Tauseef Abbas 08
M. Rashid 13
What is security?
◦ Protection of a person, building, organization, or country against threats
◦ In e-commerce, security is simply the set of safety measures taken to keep business secure.
The E-commerce Security Environment: The Scope of the Problem
◦ Overall size of cybercrime unclear; individuals face new risks of fraud that may involve losses
◦ Symantec: Cybercrime on the rise from 2006
◦ 2007 CSI survey: 46% detected security breach; 91% suffered financial loss as a result
◦ Underground economy marketplace that offers sales of stolen information growing
Security Threats in the E-commerce Environment
Four key points of vulnerability:
◦ Intellectual property
◦ Client
◦ Server
◦ Communications channel
Security Threats in the E-commerce Environment
◦ Intellectual property threats: Use existing materials found on the Internet without the owner's permission, e.g., music downloading, domain name (cyber squatting), software pirating
◦ Client computer threats
  – Malicious codes
  – Active contents
Security Threats in the E-commerce Environment
◦ Communication channel threats
  – Sniffer program
  – Backdoor
  – Spoofing
  – Denial-of-service
◦ Server threats
  – Privilege setting
  – Server Side Include (SSI), Common Gateway Interface (CGI)
  – File transfer
  – Spamming
A Typical E-commerce Transaction

SOURCE: Boncella, 2000.

Most Common Security Threats in the E-commerce Environment
◦ Malicious code (viruses, Trojans)
◦ Unwanted programs (spyware, browser parasites)
◦ Phishing/identity theft
◦ Credit card fraud/theft
◦ DoS attacks
◦ Insider attacks
Malicious Code
◦ Viruses: Have ability to replicate and spread to other files; most also deliver a “payload” of some sort (destructive or benign); include macro viruses, file-infecting viruses, and script viruses
◦ Worms: Designed to spread from computer to computer
◦ Trojan horse: Appears to be benign, but then does something other than expected
◦ Bots: Can be covertly installed on computer; responds to external commands sent by the attacker
Unwanted Programs
Installed without the user’s informed consent
◦ Browser parasites: Can monitor and change settings of a user’s browser
◦ Adware: Calls for unwanted pop-up ads
◦ Spyware: Can be used to obtain information, such as a user’s keystrokes, e-mail, IMs, etc.
Phishing and Identity Theft
Any deceptive, online attempt by a third party to obtain confidential information for financial gain
◦ Most popular type: e-mail scam letter
◦ One of fastest growing forms of e-commerce crime
Hacking and Cyber Vandalism
◦ Hacker: Individual who intends to gain unauthorized access to computer systems
◦ Cracker: Hacker with criminal intent (two terms often used interchangeably)
◦ Cyber vandalism: Intentionally disrupting, defacing or destroying a Web site
Credit Card Fraud
◦ Fear that credit card information will be stolen deters online purchases
◦ Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under false identity
◦ One solution: New identity verification mechanisms
Spoofing (Pharming) and Spam (Junk) Web Sites
Spoofing (Pharming)
◦ Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
◦ Threatens integrity of site; authenticity
Spam (Junk) Web sites
◦ Use domain names similar to legitimate one, redirect traffic to spammer-redirection domains
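A small lookalike-domain check, added here as an example (not part of the original slides) of how the "similar domain name" trick can be spotted defensively, e.g. when reviewing referrer logs or registering brand-protection alerts. The legitimate domains and the observed names are constructed for the demonstration, and the helper assumes one-part TLDs such as .com or .net.

```python
"""Lookalike-domain check: flags names that imitate a known legitimate domain.
LEGIT_DOMAINS and every name tested against it are constructed examples."""

LEGIT_DOMAINS = ["examplestore.com", "paymentsgateway.net"]  # constructed list


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'shop' from 'www.shop.com'.
    Assumption: one-part TLD (no handling of co.uk and similar)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain: str, legit=LEGIT_DOMAINS, max_distance: int = 2):
    """Return the legitimate domain this name imitates, or None.

    A name is a lookalike when its registrable label is within
    max_distance edits of a legitimate label (typo-squatting such as
    'examp1estore'), or embeds the legitimate label in a longer label
    ('examplestore-secure'). The legitimate name and its subdomains
    are never flagged.
    """
    label = registrable_label(domain)
    legit_labels = {registrable_label(r): r for r in legit}
    if label in legit_labels:
        return None
    for real_label, real in legit_labels.items():
        if levenshtein(label, real_label) <= max_distance or real_label in label:
            return real
    return None
```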
DoS and DDoS Attacks
Denial of service (DoS) attack
◦ Hackers flood Web site with useless traffic to inundate and overwhelm network
Distributed denial of service (DDoS) attack
◦ Hackers use numerous computers to attack target network from numerous launch points
Other Security Threats
◦ Sniffing: A program that monitors information traveling over a network; it enables hackers to steal proprietary information from anywhere on a network
◦ Insider jobs: Single largest financial threat
◦ Poorly designed server and client software: Increase in complexity of software programs has contributed to an increase in vulnerabilities that hackers can exploit
Tools Available to Achieve Site Security

Figure 4.7 Copyright © 2011 Pearson Education, Ltd. Slide 5-18
Technology Solutions
◦ Protecting Internet communications (encryption)
◦ Protecting networks (firewalls)
◦ Protecting servers and clients
Encryption
◦ Transforms data into cipher text readable only by sender and receiver
◦ Secures stored information and information transmission
◦ Provides 4 of 6 key dimensions of e-commerce security:
  1. Message integrity
  2. Nonrepudiation
  3. Authentication
  4. Confidentiality
Symmetric Key Encryption
◦ Sender and receiver use same digital key to encrypt and decrypt message
◦ Requires different set of keys for each transaction
◦ Strength of encryption: length of binary key used to encrypt data
◦ Advanced Encryption Standard (AES)
  – Most widely used symmetric key encryption
  – Uses 128-, 192-, and 256-bit encryption keys
◦ Other standards use keys with up to 2,048 bits
Public Key Encryption
◦ Uses two mathematically related digital keys
  – Public key (widely disseminated)
  – Private key (kept secret by owner)
◦ Both keys used to encrypt and decrypt message
◦ Once key used to encrypt message, same key cannot be used to decrypt message
◦ Sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it
Public Key Cryptography – A Simple Case

Figure 4.8
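The "simple case" above, worked through in code as an added example that is not part of the original slides: textbook RSA with tiny constructed primes (p=61, q=53, e=17) so the arithmetic can be followed by hand. It shows the slide's claim that the key used to encrypt cannot also decrypt, and that the same key pair, used the other way round, gives a signature (nonrepudiation). The parameters are far too small and there is no padding, so this illustrates the asymmetry only.

```python
"""Toy textbook RSA illustrating public key encryption and signing.
Constructed parameters; demonstrates key asymmetry, not a usable cipher."""
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Build keys from two primes. Returns ((e, n), (d, n)) = (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def apply_key(message: int, key: tuple) -> int:
    """RSA is one operation for both keys: message^k mod n."""
    k, n = key
    if not 0 <= message < n:
        raise ValueError("message must be a non-negative integer below n")
    return pow(message, k, n)


def encrypt(message: int, public_key: tuple) -> int:
    """Sender uses the recipient's public key (confidentiality)."""
    return apply_key(message, public_key)


def decrypt(ciphertext: int, private_key: tuple) -> int:
    """Only the holder of the private key can recover the message."""
    return apply_key(ciphertext, private_key)


def sign(message: int, private_key: tuple) -> int:
    """Signer applies the private key (nonrepudiation)."""
    return apply_key(message, private_key)


def verify(message: int, signature: int, public_key: tuple) -> bool:
    """Anyone can check the signature with the public key (authentication)."""
    return apply_key(signature, public_key) == message


# Constructed toy key pair: n = 3233, phi = 3120, d = 2753.
PUBLIC, PRIVATE = make_keypair(61, 53, e=17)
```

With these values the message 65 encrypts to 2790; applying the public key to 2790 again does not return 65, which is the slide's point about one key not undoing its own operation.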
Securing Channels of Communication
◦ Secure Sockets Layer (SSL): Establishes a secure, negotiated client-server session in which URL of requested document, along with contents, is encrypted
◦ S-HTTP: Provides a secure message-oriented communications protocol designed for use in conjunction with HTTP
◦ Virtual Private Network (VPN): Allows remote users to securely access internal network via the Internet, using Point-to-Point Tunneling Protocol (PPTP)
Secure Negotiated Sessions Using SSL

Figure 4.12
Protecting Networks
Firewall
◦ Hardware or software
◦ Uses security policy to filter packets
◦ Two main methods:
  1. Packet filters
  2. Application gateways
Proxy servers (proxies)
◦ Software servers that handle all communications originating from or being sent to the Internet
Firewalls and Proxy Servers

Figure 4.13
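How a packet filter applies a security policy, as an added example that is not from the slides or any real firewall product: a first-match rule list with an implicit default deny, evaluated over constructed packets for a web storefront. The rules, ranges and ports are constructed for the demonstration.

```python
"""Minimal stateless packet filter: first matching rule wins, default deny.
All rules, addresses and packets are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst_port: int   # destination TCP/UDP port
    proto: str      # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src_net: str          # CIDR the source must fall in; "0.0.0.0/0" = anywhere
    dst_ports: frozenset  # destination ports matched; empty set means any port

    def matches(self, pkt: Packet) -> bool:
        proto_ok = self.proto in ("any", pkt.proto)
        net_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
        port_ok = not self.dst_ports or pkt.dst_port in self.dst_ports
        return proto_ok and net_ok and port_ok


# Constructed policy for a storefront reachable from the Internet.
POLICY = [
    # Traffic claiming an internal source on the outside interface is bogus.
    Rule("deny", "any", "10.0.0.0/8", frozenset()),
    # Public web traffic.
    Rule("allow", "tcp", "0.0.0.0/0", frozenset({80, 443})),
    # Administrative SSH only from the (constructed) office range.
    Rule("allow", "tcp", "203.0.113.0/24", frozenset({22})),
]


def filter_packet(pkt: Packet, policy=POLICY) -> str:
    """Return 'allow' or 'deny' for a packet under the given ordered policy."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # nothing matched: implicit default deny
```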
Protecting Servers and Clients
Operating system security enhancements
◦ Upgrades, patches
Anti-virus software
◦ Easiest and least expensive way to prevent threats to system integrity
◦ Requires daily updates

Developing an E-commerce Security Plan

Figure 4.14
A Security Plan: Management Policies
◦ Risk assessment
◦ Security policy
◦ Implementation plan
  – Security organization
  – Access controls
  – Authentication procedures, inc. biometrics
  – Authorization policies, authorization management systems
◦ Security audit
The Role of Laws and Public Policy
Laws that give authorities tools for identifying, tracing, prosecuting cybercriminals:
◦ National Information Infrastructure Protection Act of 1996
◦ USA Patriot Act
◦ Homeland Security Act
Private and private-public cooperation
◦ CERT Coordination Center
◦ US-CERT
Government policies and controls on encryption software
OECD guidelines