Chapter 5 - E-Commerce Security - College of Business & Public

advertisement
E-COMMERCE
SECURITY
Chapter 5
Learning Objectives
• Understand the scope of e-commerce crime and security
•
•
•
•
•
•
problems
Describe the key dimensions of e-commerce security
Understand the tension between security and other values
Identify the key security threats in the e-commerce
environment
Describe how technology helps protect the security of
messages sent over the Internet
Identify the tools used to establish secure Internet
communications channels and protect networks, servers, and
clients
Appreciate the importance of policies, procedures, and laws in
creating security
The E-Commerce Security Environment
• For most law-abiding citizens, the Internet holds the
promise of a huge and convenient global marketplace
• For criminals, the Internet has created entirely new – and
lucrative – ways to steal from the more than one billion
Internet consumers worldwide
• It’s also less risky to steal online
• For example, rather than rob a bank in person, the
Internet makes it possible to rob people remotely and
almost anonymously
The Scope of the Problem
• Cybercrime is becoming a more significant problem for
•
•
•
•
•
both organizations and consumers
A variety of worldwide cyberattacks make daily headlines
It is difficult to accurately estimate the actual amount of
cybercrime, but one source of information is the Ponemon
Institute of 56 representative US companies
The 2012 survey found that the average annual
cybercrime cost for these organizations was $8.9 million
The average cost per attack was $600,000
The number of attacks also increased by 40% compared
with the previous year
The Scope of the Problem (cont.)
• Reports issued by security product providers, such as
•
•
•
•
•
Symantec, are another source of data
Advances in technology have reduced the entry costs and
skills required to enter the cybercrime business
Web attack kits may be purchased and they are
responsible for more than 60% of all malicious activity
Targeted attacks are increasing
Social networks are helping criminals identify individual
targets
Mobile platforms and applications are increasingly
vulnerable
Types of
Attacks
Against
Computer
Systems
The Underground Economy Marketplace:
The Value of Stolen Information
• Criminals who steal information on the Internet do not
•
•
•
•
always use this information themselves, but instead
derive value by selling the information to others
Table 5.2 lists some recently observed prices for stolen
information, which typically vary depending on the
quantity being purchased
For example, stolen credit card information may be sold
for $2-$90 in the black market
As more credit card information is stolen, the value of this
information has been declining
In some cases, criminals are not necessarily after money
but intend to deface, vandalize, and/or disrupt a Web site,
rather than actually steal goods or services
What is Good E-Commerce Security?
• What is a secure commercial transaction?
• Anytime you go into a marketplace you take risks,
including the loss of privacy
• E-commerce merchants and consumers face many of the
same risks as participants in traditional commerce, albeit
in a new digital environment
• Reducing risks in e-commerce is a complex process that
involves new technologies, organizational policies and
procedures, and new laws and industry standards that
empower law enforcement officials to investigate and
prosecute offenders
• Figure 5.1 illustrates the multi-layered nature of ecommerce security
The Tension Between Security and
Other Values
• Can there be too much security? The answer is yes.
• Computer security adds overhead and expense to
business operations
• Expanding computer security also has other downsides:
• Makes systems more difficult to use
• Slows down the site
• Increases need for more processing
• Increases data storage demands
Security Threats in the
E-Commerce Environment
• From a technology perspective, there are three key points
of vulnerability when dealing with e-commerce:
• the client
• the server, and
• the communications pipeline
• Figure 5.3 illustrates some of the things that can go wrong
at each major vulnerability point in the transaction
Technology Solutions
• It might seem like there is not much that can be done
about the onslaught of security breaches on the Internet
• But in fact a great deal of progress has been made by
private security firms, corporate and home users, network
administrators, technology firms, and government
agencies
• There are two lines of defense:
• Technology solutions
• Policy solutions
• Tools available to achieve site security are summarized in
Figure 5.5
Encryption
• Encryption is the process of transforming plain text or
data into cipher text that cannot be read by anyone other
than the sender and the receiver
• The purpose of encryption is to secure stored information
and to secure information transmission
• One early encryption method was symmetric key
encryption where both the sender and the receiver use
the same key to encrypt and decrypt the message
• This method has some flaws:
• Computers are so powerful that they can break the keys quickly
• In order to share the key it may have to be sent over an insecure
medium where it could be stolen
• In commercial use, you would need a secret key for each of the
parties with which you transact business
Public Key Encryption
• In 1976, a new way of encrypting messages called public
key encryption was invented
• Public key encryption solves the problem of exchanging
keys
• In this method, two mathematically related digital keys are
used: a public key and a private key
• Figure 5.6 illustrates a simple use of public key
cryptography and takes you through the important steps
in using public and private keys
Public Key Cryptography
Limitations to Encryption Solutions
• All forms of encryption have limitations
• It is not effective against insiders
• Protecting private keys may also be difficult because they
are stored on insecure desktop and laptop computers
• Additional technology solutions exist for securing
channels of communications, networks, and
servers/clients
Securing Communication Channels,
Networks, Servers and Clients
• Communication channel security technologies:
• Secure Sockets Layer (SSL)
• Transport Layer Security (TLS)
• Virtual Private Networks (VPNs)
• Wi-Fi Protected Access (WPA2)
• Network protection technologies:
• Firewalls
• Proxy servers
• Intrusion detection systems
• Server/client protection technologies
• Operating system security enhancements
• Anti-virus software
Management Policies, Business
Procedures, and Public Laws
• In 2013, companies worldwide are expected to spend
over $65 billion on security hardware, software, and
services
• However, most CEOs and CIOs of existing e-commerce
operations believe that technology is not the sole answer
to managing the risk of e-commerce
• An e-commerce security plan would include a risk
assessment, development of a security policy,
implementation plan, creation of a security organization,
and a security audit
• Implementation may involve expanded forms of access
controls – IDs, passwords, access codes, biometrics
(fingerprints, retina scans, speech recognition), etc.
The Roles of Laws and Public Policy
• The public policy environment today is very different fro
the early days of e-commerce
• The net result is that the Internet is no longer an
ungoverned, unsupervised, self-controlled technology
juggernaut
• Table 5.5 lists the most significant federal e-commerce
security legislation
• Several organizations are devoted to tracking down
criminal organizations and individuals engaged in attacks
against Internet and e-commerce sites
• CERT Coordination Center at Carnegie Mellon University
• US Computer Emergency Readiness Team (US-CERT) at US
Department of Homeland Security
Government Policies and Controls on
Encryption Software
• An interesting example of the difficulties involved in
•
•
•
•
enhancing security is the case of encryption software
distribution
Governments have sought to regulate the uses of
encryption and to restrict availability and export of
encryption systems as a means of preventing crime and
terrorism
On one hand, restricting global distribution of advanced
encryption systems may reduce the likelihood that they
may be cracked
But it also reduces global Internet security if different
countries have different levels of protection
US policy permits exports except to pariah nations
Download