22 April 2006
E-business Security
Dana Vasiloaica
Institute of Technology Sligo
Yesterday's topics
E-business and its advantages
- For customers
- For businesses
- For business partners and suppliers
Security goals
- Protect confidentiality
- Maintain integrity
- Assure availability
Security problems
- Accidental data loss
- Malware
  - Viruses
  - Worms
  - Trojan horses
- How to deal with malware
Today
- Intruders
- How to deal with intruders
- Overall security measures
- Secure payment
- Conclusions
Intruders
What can go wrong?
Security issues
- Casual prying (reading other people's e-mail, documents, etc.)
- Snooping by insiders
- Determined attempts to make money
- Commercial or military espionage
- Simply for fun, or to prove it can be done
How to deal with intruders
- Identify every user
- Advise users to log off when they leave their desk
- Limit the privileges of users
- Keep log files to monitor users' activity
- Encryption
- Etc.
Insiders
What could some of the employees do?
- Read other people's e-mails
- Attempt to read documents and access information that is NOT intended for their eyes
- Commercial espionage
- Install unauthorised software
How to prevent all of the above?
- Each employee should log in to the system using a unique username / password
- Advise all employees not to disclose their password to anyone
- Advise all employees to log off when they leave their desk
- Advise all employees to change their password regularly
- Limit the privileges of employees, allowing them to perform only authorised tasks and obtain only authorised information
- Put in place a system that tracks employees' actions and the network resources they access
- Encrypt or password-protect all confidential documents / data
Any other measures?
Outsiders
What could they do?
- As a hobby, prove that "it can be done"
- Commercial and military espionage
- Access bank accounts
- Access and use other people's credit card details
- Shut down systems, etc.
How to prevent outsiders gaining access to resources
- Identify every user of the system
- Put in place a system that tracks users' actions and the network resources they access
- Encrypt confidential documents / data
- Put firewalls in place to protect the network
- Keep all software and operating systems up to date, so that attackers cannot exploit known security holes
Overall key security measures
- Have a security policy in place and ENFORCE it
- Have clear guidelines as to how security should be implemented
- Management has to make sure that all IT technicians apply all the security measures
- Management has to make sure that all employees are aware of the security measures and apply them
Technology used to implement security guidelines
- Sophisticated tools used to analyse, interpret, configure and monitor the state of the network security
Identify each user
Clearly identify all network users
Technologies used to assure identity
- Username and passwords
  Advise employees to:
  - use passwords that mix letters, digits and other characters rather than a single word
  - keep them private
  - change them regularly
- Biometrics
  Install access control programs and physical security devices on all systems. Access control programs run extra checks on users before allowing access. Physical security devices include biometric scanning devices fitted to a computer which check a user's face, retina, fingerprint, hand, voice, typing rhythm, signature and so on against a set of stored data for all legitimate users.
- Make sure to delete the accounts of employees no longer working for the company, as soon as they leave
Monitor the network
Security monitor
- Test and monitor the state of the network security
Technology used to monitor the network
- Network log files that record who logged in, for how long, from which computer, what resources they have accessed, etc.
- Network vulnerability scanners
- Antivirus software
- Disaster recovery backup technology
- Check security logs and audit trails regularly
- Conduct a thorough risk analysis of the network regularly
- Have a disaster recovery plan
Monitor and restrict access from outside into the network
Monitor remote access into the network by
- Allowing only a limited number of attempts to log in
- Locking the account if all attempts to log in are unsuccessful
- Using log files to monitor the resources accessed by remote users
Put firewalls in place before allowing Internet access
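The three remote-access rules above (a limited number of attempts, lock the account when they are all unsuccessful, and use log files to see what remote users did) as a worked example in Go. This is an added example, not code from the lecture or from any product it mentions: the log line format, the user names, the addresses and the threshold of three failures within ten minutes are all constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// LoginEvent is one parsed line of the remote-access log.
type LoginEvent struct {
	When    time.Time
	User    string
	Source  string
	Success bool
}

// SampleLog is constructed for this example, not taken from a real system.
// Line format: <RFC3339 time> LOGIN <OK|FAIL> user=<name> src=<address>
var SampleLog = []string{
	"2006-04-22T09:00:00Z LOGIN FAIL user=alice src=203.0.113.7",
	"2006-04-22T09:00:02Z LOGIN FAIL user=carol src=198.51.100.9",
	"2006-04-22T09:00:05Z LOGIN FAIL user=carol src=198.51.100.9",
	"2006-04-22T09:00:10Z LOGIN FAIL user=alice src=203.0.113.7",
	"2006-04-22T09:00:20Z LOGIN FAIL user=alice src=203.0.113.7",
	"2006-04-22T09:00:30Z LOGIN OK user=alice src=10.0.0.15",
	"2006-04-22T09:30:00Z LOGIN FAIL user=carol src=198.51.100.9",
	"2006-04-22T09:30:05Z LOGIN OK user=carol src=198.51.100.9",
}

// ParseEvent parses one log line in the format above.
func ParseEvent(line string) (LoginEvent, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[1] != "LOGIN" || (f[2] != "OK" && f[2] != "FAIL") {
		return LoginEvent{}, fmt.Errorf("malformed log line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, f[0])
	return LoginEvent{When: when, Success: f[2] == "OK",
		User: strings.TrimPrefix(f[3], "user="), Source: strings.TrimPrefix(f[4], "src=")}, err
}

// Tracker locks an account once MaxFailures failures fall inside a sliding Window.
type Tracker struct {
	MaxFailures int
	Window      time.Duration
	failures    map[string][]time.Time
	locked      map[string]bool
}

func NewTracker(maxFailures int, window time.Duration) *Tracker {
	return &Tracker{MaxFailures: maxFailures, Window: window,
		failures: map[string][]time.Time{}, locked: map[string]bool{}}
}

// Record applies one event and reports whether the attempt is allowed.
// A locked account is refused even when the password was correct.
func (t *Tracker) Record(ev LoginEvent) bool {
	if t.locked[ev.User] {
		return false
	}
	if ev.Success {
		delete(t.failures, ev.User) // a good login resets the counter
		return true
	}
	cutoff := ev.When.Add(-t.Window)
	recent := []time.Time{ev.When} // keep only failures still inside the window
	for _, ts := range t.failures[ev.User] {
		if ts.After(cutoff) {
			recent = append(recent, ts)
		}
	}
	t.failures[ev.User] = recent
	if len(recent) >= t.MaxFailures {
		t.locked[ev.User] = true
	}
	return false
}

// Locked reports whether the account is currently locked.
func (t *Tracker) Locked(user string) bool { return t.locked[user] }

// Replay feeds the log through the tracker and returns one decision per line.
func Replay(lines []string, t *Tracker) ([]bool, error) {
	var decisions []bool
	for _, line := range lines {
		ev, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		decisions = append(decisions, t.Record(ev))
	}
	return decisions, nil
}

func main() {
	t := NewTracker(3, 10*time.Minute)
	decisions, err := Replay(SampleLog, t)
	if err != nil {
		panic(err)
	}
	for i, line := range SampleLog {
		fmt.Println(line, " allowed:", decisions[i])
	}
}
```

Replaying the sample log, alice is locked after her third failure and her later correct login at 09:00:30 is refused, while carol's two early failures have dropped out of the ten-minute window by 09:30 and she logs in normally. One caveat a practitioner would add: a permanent lock lets an outsider lock a legitimate user out simply by typing wrong passwords for that account, so real systems usually lock for a limited time, throttle by source address as well, and alert an administrator rather than silently blocking.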
Maintain data privacy
Data privacy
- Information must be protected from eavesdropping
- Data must be communicated in confidence
Technologies used to assure data privacy
- Password-protect confidential documents
- Encryption
- Use secure protocols
  - ssh (secure shell)
  - https = http carried over an encrypted SSL/TLS connection
Encryption
Computer encryption is based on the science of cryptography
Encryption systems
- Symmetric key encryption
  A computer uses a key to encrypt a message before sending it over the network.
  The destination computer uses the same key to decode it.
  The same key has to be installed on both computers, and anyone who obtains that key can read the traffic, so distributing it safely is the hard part.
- Public key encryption
  Each computer has a pair of keys: a private key, known only to that computer, and a public key, which is given to any computer that wants to communicate securely with it.
  The sending computer encrypts the message with the destination computer's public key.
  The destination computer decodes the message using its own private key; the public key cannot undo the encryption, so only the holder of the private key can read the message.
  In practice the two are combined: public key encryption is used to deliver a symmetric key, and the symmetric key protects the bulk of the data.
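The two encryption systems, and their combination, as an added Go example (not code from the lecture): AES-GCM for symmetric encryption with a key both sides hold, RSA-OAEP for public key encryption with the recipient's key pair, and the hybrid form in which the public key only transports a fresh symmetric key. The function names, the 2048-bit key size and the sample order text are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewKeyPair generates the recipient's RSA key pair (2048 bits is an assumption).
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt seals plaintext with a 256-bit key using AES-GCM.
// Both computers must hold the same key. The random nonce is prepended.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt. GCM's authentication tag makes
// it fail if the key is wrong or the ciphertext was altered in transit.
func SymmetricDecrypt(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// PublicKeyEncrypt: the sender uses the RECIPIENT's public key. The sender
// needs no secret of its own, and the public key cannot undo the operation.
func PublicKeyEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// PrivateKeyDecrypt: only the holder of the matching private key can read it.
func PrivateKeyDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// HybridEncrypt combines the two the way SSL/TLS does: RSA transports a fresh
// AES key, and AES-GCM carries the message itself.
func HybridEncrypt(pub *rsa.PublicKey, msg []byte) (wrappedKey, ct []byte, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	if wrappedKey, err = PublicKeyEncrypt(pub, key); err != nil {
		return nil, nil, err
	}
	ct, err = SymmetricEncrypt(key, msg)
	return wrappedKey, ct, err
}

// HybridDecrypt unwraps the AES key with the private key, then opens the message.
func HybridDecrypt(priv *rsa.PrivateKey, wrappedKey, ct []byte) ([]byte, error) {
	key, err := PrivateKeyDecrypt(priv, wrappedKey)
	if err != nil {
		return nil, err
	}
	return SymmetricDecrypt(key, ct)
}

func main() {
	shop, _ := NewKeyPair() // the shop's key pair; error handling elided in the demo
	order := []byte("order 1234: card ending 4242, total EUR 49.99") // constructed
	wk, ct, _ := HybridEncrypt(&shop.PublicKey, order)
	plain, err := HybridDecrypt(shop, wk, ct)
	fmt.Printf("recovered: %s (err=%v)\n", plain, err)
	ct[len(ct)-1] ^= 1 // simulate one bit altered in transit
	_, err = HybridDecrypt(shop, wk, ct)
	fmt.Println("after tampering:", err)
}
```

The customer only ever needs the shop's public key, which the shop can publish freely; the private key never leaves the shop. A different private key cannot unwrap the session key, and AES-GCM rejects a ciphertext that was modified in transit, which is the integrity goal from the first lecture rather than just confidentiality.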
Where is encryption used?
Digital signatures
- A way to ensure that an electronic document (a Word document, Excel spreadsheet, etc.) is authentic and has not been altered
- Standard used: the Digital Signature Standard (DSS), which is based on public-key cryptography
- The signer computes a fixed-length hash value of the document and signs that value with his or her private key; anyone holding the signer's public key can check the signature against a hash they recompute from the document they received
- If anything is changed in the document after the signature is attached to it, the recomputed hash no longer matches the value the signature was made over, and therefore it will be obvious that changes have been made
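The hash-then-sign scheme just described, as an added Go example rather than code from the lecture. It uses Ed25519 from the Go standard library instead of the DSA algorithm specified in DSS, but the structure is the same: the signer hashes the document and signs the hash with the private key, and the verifier recomputes the hash from the copy they received and checks it with the public key. The contract text is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Digest computes the fixed-length hash value that stands in for the document.
func Digest(doc []byte) []byte {
	h := sha256.Sum256(doc)
	return h[:]
}

// NewSigningKeys returns a public/private Ed25519 key pair for the signer.
func NewSigningKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignDocument signs the document's digest with the signer's private key.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, Digest(doc))
}

// VerifyDocument recomputes the digest of the document as received and checks
// it against the signature using the signer's public key. Any change to the
// document after signing changes the digest and the check fails.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false // malformed input is treated as a failed check, not a panic
	}
	return ed25519.Verify(pub, Digest(doc), sig)
}

func main() {
	pub, priv, err := NewSigningKeys()
	if err != nil {
		panic(err)
	}
	// Constructed contract text; the supplier signs it, the buyer verifies it.
	contract := []byte("Supplier agrees to deliver 500 units at EUR 12.00 each.")
	sig := SignDocument(priv, contract)
	fmt.Println("original verifies:", VerifyDocument(pub, contract, sig))
	altered := []byte("Supplier agrees to deliver 500 units at EUR 2.00 each.")
	fmt.Println("altered verifies: ", VerifyDocument(pub, altered, sig))
}
```

Note what the signature does and does not prove: it shows the document is byte-for-byte what the holder of the private key signed. It says nothing about who that holder is; tying a public key to a real person or company is the job of certificates, which is also what the browser padlock in the SSL section relies on.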
Electronic payment
E-business and electronic payment go hand in hand
What are the benefits of electronic payment?
One could pay:
- On the spot by providing credit card information
- On the spot using an e-check (account number and bank number)
- By direct debit using a credit card or bank account
- Via specialised companies like PayPal
Concerns about electronic payment
- Identity theft
- To prevent fraud, confidential information has to be transmitted and stored encrypted (and card details should not be stored at all unless the business genuinely needs them)
Secure methods of payment
SSL
- Stands for Secure Sockets Layer
- Uses public-key encryption to set up the connection, and symmetric encryption to protect the data sent over it
- SSL is an Internet security protocol used by browsers and web servers to transmit sensitive information
- SSL has been succeeded by Transport Layer Security (TLS), a revised version of the same protocol; the name "SSL" is still commonly used for both
How can a customer know his/her payment information is securely transmitted?
- Look for the s after http in the web address before making the payment. In other words, the web address should begin with:
  https://
- Look for the padlock symbol in the browser window (in the status bar at the bottom of the window in browsers of this period; newer browsers show it next to the address)
- The padlock means the browser has verified the server's certificate and encrypted the connection; it does not by itself mean the business behind the site is trustworthy
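What the https:// prefix and the padlock actually check, as an added Go example (not code from the lecture). It starts an HTTPS server with a self-signed test certificate on the loopback interface, standing in for a shop's checkout page, and fetches it three ways: with a client that trusts the certificate (the padlock case), with a client that has only the normal trust store (the browser warning case), and over plain http (refused before anything is sent). The handler, the function names and the response text are assumptions made for the illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// checkoutHandler stands in for the shop's payment page (constructed).
func checkoutHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "payment form")
}

// FetchPaymentPage refuses plain http outright, then lets the client verify
// the server certificate before any data is sent.
func FetchPaymentPage(client *http.Client, url string) (string, error) {
	if !strings.HasPrefix(url, "https://") {
		return "", fmt.Errorf("refusing to send payment data over %q", url)
	}
	resp, err := client.Get(url)
	if err != nil {
		return "", err // includes x509 errors: certificate not trusted
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// DemoResult collects the outcome of the three fetches in Demo.
type DemoResult struct {
	TrustedBody  string // what a browser that trusts the certificate sees
	TrustedErr   error
	UntrustedErr error // what a browser that does not trust it reports
	PlainHTTPErr error // the http:// attempt
}

// Demo starts the HTTPS server and performs the three fetches.
func Demo() DemoResult {
	srv := httptest.NewTLSServer(http.HandlerFunc(checkoutHandler))
	defer srv.Close()
	var r DemoResult
	// srv.Client() has the test certificate in its trust store: the padlock case.
	r.TrustedBody, r.TrustedErr = FetchPaymentPage(srv.Client(), srv.URL)
	// A client with only the normal trust store, and TLS 1.2 or better required.
	strict := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}}}
	_, r.UntrustedErr = FetchPaymentPage(strict, srv.URL)
	_, r.PlainHTTPErr = FetchPaymentPage(strict, "http://"+strings.TrimPrefix(srv.URL, "https://"))
	return r
}

func main() {
	r := Demo()
	fmt.Printf("trusted client:   %q (err=%v)\n", r.TrustedBody, r.TrustedErr)
	fmt.Println("untrusted client:", r.UntrustedErr)
	fmt.Println("plain http:      ", r.PlainHTTPErr)
}
```

The second fetch fails with a certificate error even though the connection would have been encrypted: encryption alone is not enough, because the customer also needs to know the key belongs to the shop they meant to pay. That is the check a browser performs before it shows the padlock, and the reason a warning about an untrusted certificate should never be clicked through on a payment page.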
Conclusions
Security: a high-priority issue
As a manager, what can you do?
- Have a security policy in place and enforce it
- Make sure users are authenticated
- Look at secure payment methods
- Keep customers happy by providing secure transactions
Recommended reading material
- Otuteye, E., A systematic approach to E-business security. Available online at: http://ausweb.scu.edu.au/aw03/papers/otuteye/paper.html
- Robinson, R., Managing Secure eBusiness. Available online at: http://www.novell.com/news/press/net_security_whitepaper.pdf
- Otuteye, E., Framework for E-Business Information Security Management. Available online at: http://e-commerce.mit.edu/papers/ERF/ERF136.pdf