1 / 43

ECT 582 Secure Electronic Commerce

This resource explores the importance of security in electronic commerce and provides strategies for managing risks and improving safety. Topics covered include risk management, disclosure of proprietary information, fraud prevention, and the differences between physical and computer-based documents. The resource also discusses various types of attacks and the properties of a secure e-commerce system.

eloiser
Download Presentation

ECT 582 Secure Electronic Commerce

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ECT 582Secure Electronic Commerce Professor Robin Burke

  2. Introductions • About me • http://josquin.cs.depaul.edu/~rburke/ • About you • Student information sheet

  3. Resources • Course on-line • discussion forum • grades • Course home page

  4. Security • freedom from danger, risk, etc.: safety • freedom from care, apprehension or doubt; well-founded confidence • something that secures or makes safe; protection; defense • precautions taken to guard against theft, sabotage, the stealing of military secrets, etc • Webster’s Encyclopedic Unabridged Dictionary of the English Language

  5. E-Commerce • the process of electronically buying and selling goods, services and information, and the maintenance of all the relationships, both personal and organizational, required for an electronic marketplace to function.

  6. What are we securing?

  7. Post-9/11 realities • Aspects of business operations may impact public safety • E-commerce opens a hole for interacting with an organization

  8. What can we do to improve security?

  9. Key concepts • Risk • Trust

  10. Risk • What are the possible losses we are guarding against?

  11. Trust • Must choose where trust is to be placed

  12. Risk management • Risk analysis • Risk mitigation • Risk transfer

  13. What are the primary risks? • Disclosure of proprietary information • Denial of service • Virus attacks • Insider net abuse • Financial fraud • Sabotage - CSI/FBI 2003 Computer Crime and Security Survey

  14. Disclosure of Proprietary Info • Customer data exposure • Data theft • Sensitive information

  15. Fraud • Payment account abuse • Transfer funds without authorization • Destroy or hide financial records • Customer impersonation

  16. Secondary risks • Damage to relations with customer or business partners • Legal, public relations, or business resumption cost • Public relations damage • Uptake failure due to lack of confidence

  17. How is e-commerce different? • Need for physical proximity • Differences in document

  18. Physical documents • Semi-permanence of ink embedded in paper fibers • Particular printing process • letterhead • watermark • Biometrics of signature • Time stamp • Obviousness of modifications, interlineations, and deletions

  19. Computer documents • Computer-based records can be modified freely and without detection • Supplemental control mechanisms must be applied to achieve a level of trustworthiness comparable to that on paper • Less permanent, too

  20. Legal differences • In some cases, possession matters • negotiable document of title • cash money

  21. Info source Info destination Attack • Any action that compromises the security of information systems • Normal flow

  22. Interruption • Attack on availability Info source Info destination

  23. Interception Attack on confidentiality Info source Info destination

  24. Modification Attack on integrity Info source Info destination

  25. Fabrication Attack on authenticity Info source Info destination

  26. Passive vs active • Passive • Monitor communication • Disclose contents • but also traffic analysis • Active • Interfere with communication

  27. Active attacks: masquerade • Masquerade: one entity pretends to be a different entity • Example: Session Hijacking • Taking over an existing active session. • It can bypass the authentication process and gain access to a machine

  28. Active attacks: replay • Passive capture of data • Later retransmission to produce an unauthorized effect • Example: Password sniffing • Program capture user id / password info • Case in Tokyo – sniffer installed at Internet cafe. 16 million Yen stolen.

  29. Active attacks: modification • Some portion of a legitimate message is altered, or that message are delayed or reordered, to produce an unauthorized effect • Example: Spam • Return-To header on spam email is always forged to prevent tracking the sender

  30. Active attacks: DoS • Denial of service • prevents or inhibits the normal use or management of communication facilities • Example: SYN flooding • send open request for TCP connection but don’t respond to handshake • do this over and over again

  31. Security properties • What do we want out of a secure e-commerce system? • Confidentiality • Authentication • Integrity • Non-repudiation • Access control • Availability

  32. Confidentiality • Protects against interception • Ensures that a message is only readable by intended recipient • Technology • Encryption

  33. Authentication • Protects against fabrication • Ensures that the origin of a message or electronic document is correctly identified, with assurance that the identity is not false • Technology • User Id/Password • Digital certificates

  34. Integrity • Protects against modification • Ensures that only authorized parties are able to modify an electronic document or • Allow modification to be detected • Technology • Digital signatures

  35. Non-repudiation • Protects against an e-commerce participant acting in bad faith • Require that neither the sender nor the receiver of a message be able to deny the transmission • Technology • (Complicated)

  36. Access control • Protects against unauthorized access • Allows the establishment of fine-grained control over access to files and applications for different users and groups • Technology • (Various, usually tied to authentication)

  37. Availability • Protects against interruption • Requires that computer system asset be available to authorized parties when needed • Technology • (Many)

  38. The big picture • Security is a multi-faceted feature of information systems • An organization needs • A security strategy tailored for its particular needs • A security architecture that addresses that strategy • Security technology to realize the architecture

  39. Security strategy • Threats • what is valuable? • who might want it? • Vulnerabilities • where is the organization exposed? • Defenses • what can be done to manage the risks? • Legal • what liabilities and legal requirements exist?

  40. Security architecture • People • how are they hired, trained, monitored, audited? • Systems • what systems exist? • how are systems connected to each and to the larger Internet? • Procedures • how are systems used? • who gets access to what under what circumstances?

  41. Security technology • Main focus of this course • Specific technologies for achieving security-related goals • But • meaningless in the absence of a strategy and an architecture

  42. Assignment #1 • Create a web page for your assignments • I will link these to the course page • Subscribe to CERT Advisory mailing list • Post on the "Test" forum • Due before class starts • No late assignments!

  43. Next week • Cryptography • Reading • Ford & Baum, Ch. 4 • Risks Digest • Should be prepared for discussion

More Related