Course : M0284/E-Business Technology & Infrastructure Year : 2005


Session 9

Network Security and E-Commerce


Learning Objectives

• Estimate the technical security requirements for a network.

• Evaluate the business impact of security decisions.

• Conduct a security audit of a small network.

• Control access to the computing resources.

• Establish acceptable security solutions.


Internet Security Requirements

• Secrecy

– Deals with protecting information from unauthorized disclosure and with authenticating the data source.

• Integrity

– Addresses the validity of data and the guarantee that the data have not been tampered with during transfer.

• Availability

– Assurance that the site will be reachable in a timely manner when the user is a legitimate stakeholder.

“Faulty security has an impact on business”


Security Threats

• Loss, Damage, or Distortion of Data via Hackers

• Risks from Viruses

• Unauthorized Access to the System

• Financial Loss to Company or Customers

• Breaches of Personal Privacy


Security Policy Development

• Administrative Security

• Network Security


Security Policy Development

Administrative Security

• What services are required by the business and how can they be met securely?

• How much do employees depend on the Internet and the use of e-mail?

• Do users rely on remote access to the internal network?

• Is access to the Web required?

• Are customers supported through the Web?


Security Policy Development

Administrative Security

• Root policies must include

– Security architecture guide.

– Incident-response procedures.

– Acceptable use procedures.

– System administration procedures.

– Other management procedures.


Security Policy Development

Network Security

• All systems and servers have their own weaknesses.

– Establish steps to harden the system

• Limit exposed services/processes

– Follow update/patching warnings

• From software publisher

• From security community

– Monitor security listservs

– Apply patches promptly or use a third-party patching utility


Network Security

• Systems documentation

– Software provider security documentation

– Published book titles specific to security, OS, NOS, web server, applications

– Subscription to security services

– Apply advice explained in documentation

• E.g. do not run unnecessary services

– Obtain documentation for updates (pros & cons)

• Security patches

• New security issues


Network Security

• User access lists

– Users should have limited access to resources

– An access control list is a compilation of access control entries

– Each access control entry contains the following

• A SID that identifies the trustee. A trustee can be a user account, group account, or a logon account for a program such as a Windows NT service.

• An access mask specifying access rights controlled by the ACE.

• Flags that indicate the type of ACE and flags that determine whether other objects or containers can inherit the ACE from the primary object to which the ACL is attached.
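To show how these entries combine, here is an added Python model (not code from the lecture) of ordered ACE evaluation and inheritance as Windows applies them: ACEs are walked in order, a deny entry whose mask overlaps the still-requested rights fails the check, allow entries remove the rights they grant, and only entries flagged as inheritable are copied to child objects. The SIDs and the mask bit values are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed access-mask bits; real Windows masks are wider but combine the same way.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
ALLOW, DENY = "allow", "deny"

@dataclass(frozen=True)
class ACE:
    sid: str         # trustee SID: a user, group, or service logon account
    mask: int        # access rights controlled by this entry
    ace_type: str    # ALLOW or DENY
    inherit: bool    # may child objects/containers inherit this entry?

def inherited_acl(parent_acl):
    """ACL a newly created child receives: only inheritable entries propagate."""
    return [ace for ace in parent_acl if ace.inherit]

def access_check(acl, token_sids, requested):
    """Model of the Windows check: walk ACEs in order until every requested bit
    is granted (True) or a matching DENY covers a still-wanted bit (False)."""
    remaining = requested
    for ace in acl:
        if ace.sid not in token_sids:          # entry is for another trustee
            continue
        if ace.ace_type == DENY and ace.mask & remaining:
            return False                       # explicit denial wins
        if ace.ace_type == ALLOW:
            remaining &= ~ace.mask             # grant what this entry covers
        if remaining == 0:
            return True
    return remaining == 0                      # unmatched rights => no access

# Constructed SIDs (placeholders, not real accounts).
SID_ADMINS = "S-1-5-21-1000-2000-3000-512"
SID_USERS = "S-1-5-21-1000-2000-3000-513"
SID_CONTRACTOR = "S-1-5-21-1000-2000-3000-1105"

# Deny entries are listed first, matching Windows canonical ACL order.
FOLDER_ACL = [
    ACE(SID_CONTRACTOR, WRITE, DENY, inherit=True),
    ACE(SID_ADMINS, READ | WRITE | EXECUTE, ALLOW, inherit=True),
    ACE(SID_USERS, READ, ALLOW, inherit=False),   # not passed to children
]

if __name__ == "__main__":
    contractor = {SID_CONTRACTOR, SID_USERS}
    print("contractor read:", access_check(FOLDER_ACL, contractor, READ))
    print("contractor write:", access_check(FOLDER_ACL, contractor, WRITE))
    child = inherited_acl(FOLDER_ACL)
    print("plain user read on child:", access_check(child, {SID_USERS}, READ))
```

The last call shows the audit point of the slide: an entry that is not inheritable silently drops off child objects, so the effective rights on a file can differ from those set on its folder.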


Network Security

• Asset access control

• An asset list recording who is given access, when, and how
