230 likes | 341 Views
Lesson 2 The Business Landscape Threats to E-Commerce. Why E-Commerce ?. Fast Efficient Anonymous Lowers labor cots Lowers capital expenditures (facility, maintenance, upgrades). How large is E-Commerce ?. Big business San Antonio Express: Nov/Dec 01: $13.8B Nov/Dev 00: $12B
E N D
Why E-Commerce? • Fast • Efficient • Anonymous • Lowers labor cots • Lowers capital expenditures (facility, maintenance, upgrades)
How large is E-Commerce? • Big business • San Antonio Express: • Nov/Dec 01: $13.8B • Nov/Dev 00: $12B • 13% of 2001 Holiday budget • NPR: • Nov/Dec 03: $20B • 29% growth over 2002, same period
Types of Business on the Internet • Banking • Investing • B2B • Healthcare • Loans/Mortgage
Commonly Used Terminology • EDI: electronic data interchange…data over proprietary networks • VAN: value added networks (same as EDI) • Internet: allowed small businesses to compete on even terms with big businesses doing EDI/VAN • Intranet: internal network usually supporting back office administrative functions • Extranet: external network connecting different businesses…the extension of LANs over Internet
Threats to E-Commerce • Internal—the achilles heel • Security breach—countermeasures: screen employees, intrusion detection systems, auditing • Carelessness—countermeasures: training and education, access control • External—the main focus of security • No hard data on true threat as most companies are not forthcoming with information (hurts business • Survey of Fortune 500 Companies • 42% reported unauthorized use • 32% reported losing upwards of $100M
Type of External Threats • Vandalism: WWW defacement • Sabotage: usually orchestrated for some ulterior motive • Breach of Privacy or Confidentially • EMAIL • Phone Calls • Credit Card number • Surfing Habits
Type of External Threats(2) • Theft and Fraud, recent events • Moldova ISP modem hijacking via trojan horse software • Russian E-Bay Credit Card Scam • Violations of Data Integrity • Incorrect data can lower E-commerce trust • Ruin investments • Denial of Service (DOS) • Early Virus/Worms • Emergence of Blended Threats
E-Commerce Security—Systems Approach • The Key Components: • Client Security – Operating system, Use of active content (Java, Active X) • Secure Transport—Secure Sockets Layer(SSL), Secure HTTP (SHTTP), PKI • Web Server Security—Common Gateway Interface Scripts • Operating System Security—the foundation for all security “The security of the system is only as strong as the weakest link”
CLIENT SERVER WEB SERVER DBA SERVER E-Commerce Security ExampleTypical WEB SERVER W/Backend Database FIREWALL Database Router
WEB SERVER Router CLIENT SERVER DBA SERVER USE ACL
WEB SERVER Router CLIENT SERVER DBA SERVER Enforce Port Mapping USE ACL
HARDEN OPERATING SYSTEM WEB SERVER Router CLIENT SERVER DBA SERVER Enforce Port Mapping USE ACL
HARDEN OPERATING SYSTEM WEB SERVER Router CLIENT SERVER DBA SERVER Enforce Port Mapping USE ACL RESTRICTED READ/WRITE
HARDEN OPERATING SYSTEM WEB SERVER Router CLIENT SERVER DBA SERVER Enforce Port Mapping USE ACL RESTRICTED READ/WRITE USE STATEFUL INSPECTION
HARDEN OPERATING SYSTEM WEB SERVER Router CLIENT SERVER DBA SERVER Enforce Port Mapping USE ACL RESTRICTED READ/WRITE SSH/VPN USE STATEFUL INSPECTION
HARDEN OPERATING SYSTEM WEB SERVER Router CLIENT SERVER DBA SERVER Enforce Port Mapping USE ACL RESTRICTED READ/WRITE SSH/VPN USE STATEFUL INSPECTION Physical Security Security Policies
Types of Attacks • Criminal Attacks • Intellectual Property Theft • Identity Theft • Brand Theft • Privacy Violations • DDoS and Dos • Surveillance/Traffic Analysis • Publicity Attacks
Criminal Attacks • How can I acquire the maximum financial return by attacking the system?” • Fraud: e-check, credit cards, ATM networks • SCAMs: sale of internet services, sale of merchandise, auctions, pyramid and multi-level marketing schemes, business opportunities • Destructive Attacks • Terrorist • Vengeful employees • Hackers
Intellectual Property Theft • Trade Secrets • Company Databases • Music ($11B/year) • Software (1997, Business Software Alliance: $15B/year)
Other Thefts • Indentity Theft • Credit cards • SSN • Brand Theft • Forged domain name transfer request (SEX.COM) • Page-jacking: web sites steal traffic away from other sites • MCI 1-800-COLLECT and ATT 1-800 C0LLECT
Privacy Violations • Targeted attacks---computer security thwarts these • Data Harvesting—works on correlation, automation supports
Summary • Benefits of E-Commerce • Common Terminology • Threats to E-Commerce • Key Components of E-Commerce Security • Types of Attacks