E Security

Security Issues
The Internet is a public network consisting of
thousands of interconnected private computer
networks.
Private computer network systems are exposed
to threats from anywhere on the public network.
Businesses must protect against the unknown.
Any E-Business needs to be concerned about
network security.
New methods of attacking networks and Web
sites, and new network security holes, are being
constantly discovered or invented.
An E-Business cannot expect to achieve perfect
security for its network and Web site.

Denial of Service Attack
Designed to disable a Web site by flooding it
with useless traffic or activity.
Distributed denial of service attack uses
multiple computers to attack in a coordinated
fashion.
Risk is primarily centered around downtime or
lack of Web site availability.
Defenses exist for these attacks.

Website Defacement
Occurs when a hacker penetrates the system and
replaces text or graphics with other material.
Risk is primarily down time and repair costs.
There have been many well publicized examples,
including high profile industry and government
sites.
Ordinary defenses against unauthorized logins
are a first line defense.
Total security may be difficult to achie
Credit Card Fraud and Data Theft
E-Business is at risk from credit card fraud
from stolen data.
Secure your own data.
Verify the identity of your customers and the
validity of the incoming credit card data.
Identity theft by a miscreant masquerading as
someone else is also a common problem.

Data Spills
A security problem caused, ordinarily by a bug
or other system failure, occasionally hackers
are behind this problem
This is an unintended disclosure of customer
or corporate data through the Web or other
Internet service
May expose firm to legal liability

E business security
An important issue that is often overlooked or
given a lower priority in the face of startup
activity.
A startup firm should consider outsourcing
Web and Internet services in part since the
outsourcing company can address security
concerns as part of the package.

Network and Website Technology
Tools such as passwords, firewalls, intrusion
detection systems, and virus scanning
software should be used to protect an E-
Businesss network and Web site
Firewall
11-10
Securing
E-Commerce Communications
biometric systems
Authentication systems that identify a
person by measurement of a biological
characteristic, such as fingerprints, iris (eye)
patterns, facial features, or voice
public key infrastructure (PKI)
A scheme for securing e-payments using
public key encryption and various technical
components
11-11
Securing
E-Commerce
Communications(Cryptography)
encryption
The process of scrambling (encrypting) a message
in such a way that it is difficult, expensive, or time-
consuming for an unauthorized person to
unscramble (decrypt) it
plaintext
An unencrypted message in human-readable form
ciphertext
A plaintext message after it has been encrypted
into a machine-readable form
11-12
Securing
E-Commerce Communications
encryption algorithm
The mathematical formula used to encrypt the
plaintext into the ciphertext, and vice versa
key (key value)
The secret code used to encrypt and decrypt a
message
key space
The large number of possible key values (keys)
created by the algorithm to use when transforming
the message
11-13
Securing
E-Commerce Communications
symmetric (private) key system
An encryption system that uses the same key to
encrypt and decrypt the message
Data Encryption Standard (DES)
The standard symmetric encryption algorithm
supported by the NIST and used by U.S.
government agencies until October 2000
Rijndael
An advanced encryption standard (AES) used to
secure U.S. government communications since
October 2, 2000
11-14
Securing
E-Commerce Communications
11-15
Securing
E-Commerce Communications
public (asymmetric) key encryption
Method of encryption that uses a pair of matched keysa
public key to encrypt a message and a private key to
decrypt it, or vice versa
public key
Encryption code that is publicly available to anyone
private key
Encryption code that is known only to its owner
RSA
The most common public key encryption algorithm; uses
keys ranging in length from 512 bits to 1,024 bits
11-16
Securing
E-Commerce Communications
Secure Socket Layer (SSL)
Protocol that utilizes standard certificates
for authentication and data encryption to
ensure privacy or confidentiality
Transport Layer Security (TLS)
As of 1996, another name for the SSL
protocol and believed to be more secure
than SSL
11-17
Securing
E-Commerce Networks
proxies
Special software programs that run on the gateway
server and pass repackaged packets from one
network to the other
demilitarized zone (DMZ)
Network area that sits between an organizations
internal network and an external network
(Internet), providing physical isolation between the
two networks that is controlled by rules enforced
by a firewall
11-18
Securing
E-Commerce Networks
11-19
Securing
E-Commerce Networks
personal firewall
A network node designed to protect an individual users desktop
system from the public network by monitoring all the traffic that passes
through the computers network interface card
virtual private network (VPN)
A network that uses the public Internet to carry information but
remains private by using encryption to scramble the communications,
authentication to ensure that information has not been tampered with,
and access control to verify the identity of anyone using the network
protocol tunneling
Method used to ensure confidentiality and integrity of data transmitted
over the Internet, by encrypting data packets, sending them in packets
across the Internet, and decrypting them at the destination address