22 April 2006
E-business Security
Dana Vasiloaica, Institute of Technology Sligo

Yesterday's topics
- E-business and its advantages: for customers, for businesses, for business partners and suppliers
- Security goals: protect confidentiality, maintain integrity, assure availability
- Security problems: accidental data loss; malware (viruses, worms, Trojan horses)
- How to deal with malware

Today
- Intruders
- How to deal with intruders
- Overall security measures
- Secure payment
- Conclusions

Intruders
What can go wrong? Security issues

Intruders
- Casual prying (reading other people's e-mail, documents, etc.)
- Snooping by insiders
- Determined attempts to make money
- Commercial or military espionage
- Simply for fun or to prove it can be done

How to deal with intruders
- Identify every user
- Advise users to log off when they leave their desk
- Limit the privileges of users
- Log files to monitor users' activity
- Encryption
- Etc.

Insiders
What could some of the employees do?
- Read other people's emails
- Attempt to read documents and access information that is NOT intended for their eyes
- Commercial espionage
- Install unauthorised software

How to prevent all of the above?
- Each employee should log in to the system using a unique username / password
- Advise all employees not to disclose their password to anyone
- Advise all employees to log off when they leave their desk
- Advise all employees to change their password regularly
- Limit the privileges of employees, allowing them to perform only authorised tasks and obtain only authorised information
- Put in place a system that tracks employees' actions and the network resources accessed
- Encrypt or password-protect all confidential documents / data
- Any other measures?

Outsiders
What could they do?
- As a hobby, prove that "it can be done"
- Commercial and military espionage
- Access bank accounts
- Access and use other people's credit card details
- Shut down systems, etc.
How to prevent outsiders gaining access to resources
- Identify every user of the system
- Put in place a system that tracks users' actions and the network resources accessed
- Encrypt confidential documents / data
- Put firewalls in place to protect the network
- Keep all software and operating systems up to date to prevent hackers exploiting security holes

Overall key security measures
- Have a security policy in place and ENFORCE it
- Have clear guidelines as to how security should be implemented
- Management has to make sure that all IT technicians apply all the security measures
- Management has to make sure that all employees are aware of the security measures and apply them

Technology used to implement security guidelines
- Sophisticated tools used to analyse, interpret, configure and monitor the state of the network security

Identify each user
- Clearly identify all network users

Technologies used to assure identity
- Usernames and passwords. Advise employees to: use alphanumeric passwords; keep them private; change them regularly
- Biometrics. Install access control programs and physical security devices on all systems. Access control programs run extra checks on users before allowing access. Physical security devices include biometric scanning devices fitted to a computer which check a user's face, retina, fingerprint, hand, voice, typing rhythm, signature and so on against a set of stored data for all legitimate users.
- Make sure to delete the accounts of employees no longer working for the company

Monitor the network
- Security monitor
- Test and monitor the state of the network security

Technology used to monitor the network
- Network log files that record who logged in, for how long, from which computer, what resources they have accessed, etc.
- Network vulnerability scanners
- Antivirus software
- Disaster recovery backup technology
- Check security logs and audit trails regularly
- Conduct a thorough risk analysis of the network regularly
- Have a disaster recovery plan

Monitor and restrict access from outside into the network
Monitor remote access into the network by:
- Allowing only a limited number of attempts to log in
- Blocking the account if all attempts to log in are unsuccessful
- Using log files to monitor the resources accessed by remote users
- Putting firewalls in place before allowing Internet access

Maintain data privacy
Data privacy
- Information must be protected from eavesdropping
- Data must be communicated in confidence

Technologies used to assure data privacy
- Password-protect confidential documents
- Encryption
- Use secure protocols: ssh (secure shell); https (http scheme) = http with encryption

Encryption
Computer encryption is based on the science of cryptography.
Encryption systems:
- Symmetric key encryption: a computer uses a key to encrypt a message before sending it over the network. The destination computer uses the same key to decode it. The same key has to be installed on both computers.
- Public key encryption: a computer uses a combination of a private key and a public key to encrypt a message. The private key is known only to the computer, while the public key is given to any computer that wants to communicate securely with it. The destination computer decodes the message using the public key provided by the sending computer and its own private key.

Where is encryption used?
Digital signatures
- A way to ensure that an electronic document (a Word document, Excel spreadsheet, etc.) is authentic
- Standard used: Digital Signature Standard, which is based on public-key encryption
- If anything is changed in the document after the signature is attached to it, the value the digital signature compares with changes, and therefore it will be obvious that changes have been made

Electronic payment
Electronic payment
- E-business and electronic payment go hand in hand
What are the benefits of electronic payment? One could pay:
- On the spot by providing credit card information
- On the spot using an e-check (account number and bank number)
- By direct debit using a credit card or bank account
- Via specialised companies like PayPal

Concerns about electronic payment
- Identity theft
- To prevent fraud, confidential information has to be transmitted and stored encrypted

Secure methods of payment
SSL
- Stands for Secure Sockets Layer
- Uses public-key encryption
- SSL is an Internet security protocol used by browsers and web servers to transmit sensitive information
- SSL is part of an overall security protocol known as Transport Layer Security

How can a customer know his/her payment information is securely transmitted?
- Look for the s after http in the web address before making the payment. In other words, the web address should read: https://
- Look for the padlock symbol in the status bar, at the bottom of the browser window

Conclusions
Security: a high-priority issue
As a manager, what can you do?
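The tamper-detection property of digital signatures described above, as an added example that is not part of the lecture: the SHA-256 digest of a document is signed with a textbook RSA key pair (tiny constructed primes, standing in for the real Digital Signature Standard keys), and verification fails as soon as one figure in the document is altered. The key values, the invoice text and the byte-by-byte signing of the digest are all constructed for illustration.

```python
import hashlib

# Textbook RSA key pair with tiny constructed primes, for illustration only.
# Real keys are thousands of bits long and are generated by a crypto library.
P, Q = 61, 53
N = P * Q                             # public modulus (3233)
E = 17                                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)


def sign(document: bytes, d: int = D, n: int = N) -> list[int]:
    """Hash the document, then sign each digest byte with the private key.

    Signing byte by byte keeps every value below the toy modulus; a real
    scheme signs one padded hash value with a full-size key instead.
    """
    digest = hashlib.sha256(document).digest()
    return [pow(b, d, n) for b in digest]


def verify(document: bytes, signature: list[int], e: int = E, n: int = N) -> bool:
    """Recover the signed digest with the public key and compare it with a
    fresh hash of the document as received; any edit changes that hash."""
    recovered = bytes(pow(s, e, n) for s in signature)
    return recovered == hashlib.sha256(document).digest()


# Constructed sample: an invoice is signed, then a single digit is altered.
ORIGINAL = b"Invoice 1042: pay EUR 1,250.00 to account 12345678"
TAMPERED = b"Invoice 1042: pay EUR 9,250.00 to account 12345678"


def demo() -> tuple[bool, bool]:
    """Signature check on the untouched and on the edited document."""
    sig = sign(ORIGINAL)
    return verify(ORIGINAL, sig), verify(TAMPERED, sig)   # (True, False)


if __name__ == "__main__":
    ok, tampered_ok = demo()
    print("original verifies:", ok)
    print("tampered verifies:", tampered_ok)
```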
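The remote-access rules on the monitoring slide (a limited number of login attempts, blocking the account when they are all unsuccessful, and reading the log files for the resources remote users accessed) applied to a constructed log excerpt; this is an added example, not part of the lecture. The log format, the threshold of three attempts and the account names are assumptions made for the example.

```python
import re
from collections import defaultdict

MAX_ATTEMPTS = 3   # lockout threshold assumed for this example

# Constructed log excerpt in a made-up format: timestamp, event, key=value fields.
LOG = """\
2006-04-22 09:14:02 LOGIN FAIL user=jsmith src=203.0.113.7
2006-04-22 09:14:09 LOGIN FAIL user=jsmith src=203.0.113.7
2006-04-22 09:14:15 LOGIN OK   user=jsmith src=203.0.113.7
2006-04-22 09:15:00 ACCESS     user=jsmith src=203.0.113.7 resource=/finance/q1.xls
2006-04-22 09:20:31 LOGIN FAIL user=mkelly src=198.51.100.9
2006-04-22 09:20:40 LOGIN FAIL user=mkelly src=198.51.100.9
2006-04-22 09:20:47 LOGIN FAIL user=mkelly src=198.51.100.9
2006-04-22 09:30:10 LOGIN OK   user=dvasil src=192.0.2.44
2006-04-22 09:31:02 ACCESS     user=dvasil src=192.0.2.44 resource=/hr/salaries.doc
"""

LINE = re.compile(r"^(\S+ \S+) (LOGIN OK|LOGIN FAIL|ACCESS)\s+(.*)$")


def parse(line):
    """Return (timestamp, event, {field: value}) for one log line, or None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    ts, event, rest = m.groups()
    return ts, event, dict(kv.split("=", 1) for kv in rest.split())


def review(log_text, max_attempts=MAX_ATTEMPTS):
    """Count consecutive failed logins per account, lock the account when the
    limit is reached, and list the resources each user accessed for the audit."""
    failures = defaultdict(int)    # consecutive failures per account
    locked = {}                    # account -> timestamp of the lockout
    resources = defaultdict(list)  # account -> resources accessed
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, event, f = parsed
        user = f["user"]
        if event == "LOGIN FAIL":
            failures[user] += 1
            if failures[user] >= max_attempts and user not in locked:
                locked[user] = ts
        elif event == "LOGIN OK":
            failures[user] = 0     # a successful login ends the run of failures
        else:                      # ACCESS
            resources[user].append(f["resource"])
    return dict(locked), dict(resources)
```

Running `review(LOG)` locks only `mkelly`, whose third consecutive failure arrives at 09:20:47, while `jsmith` is not locked because a successful login reset the count.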
- Have a security policy in place and enforce it
- Assure user authentication
- Look at secure payment methods
- Keep customers happy by providing secure transactions

Recommended reading material
- Otuteye, E., A systematic approach to E-business security. Available online at: http://ausweb.scu.edu.au/aw03/papers/otuteye/paper.html
- Robinson, R., Managing Secure eBusiness. Available online at: http://www.novell.com/news/press/net_security_whitepaper.pdf
- Otuteye, E., Framework for E-Business Information Security Management. Available online at: http://e-commerce.mit.edu/papers/ERF/ERF136.pdf