Electronic Commerce Security - Information Technology Services

Electronic Commerce Security
Week of July 15-July 21

Internet Security:
o Computer security is the protection of assets from unauthorized access, use,
  alteration, or destruction. Before the Internet and the networked computer,
  businesses only needed physical security. Today, they need both physical and
  logical security.
    - Physical security includes tangible protection devices, such as alarms,
      guards, fireproof doors, security fences, safes or vaults, and bombproof
      buildings (p. 441).
    - Logical security is the protection of assets using nonphysical means
      (p. 441).
o A countermeasure is the general name for a procedure, either physical or
  logical, that recognizes, reduces, or eliminates a security threat. The higher
  the probability or the more severe the impact of a threat, the more you should
  be willing to spend on countermeasures against that threat. Focus on Figure
  10-1, Risk Management Model (p. 441).
o A cracker is a technologically skilled person who uses that skill to obtain
  unauthorized entry into a computer or network (p. 442).
o The terms cracker and hacker basically mean the same thing. A white hat hacker
  is someone who breaks into a computer or network so that they may alert the
  company to a security problem and allow the company to fix it. A black hat
  hacker is someone who puts their skills to ill purpose (p. 442).

Security Policy:
o A security policy is a written statement describing which assets to protect
  and why they are being protected, who is responsible for that protection, and
  which behaviors are acceptable and which are not (p. 442).
    - The policy includes physical security, network security, access
      authorization, virus protection, and disaster recovery.
    - The security policy should change as the company and the threats change.
o Steps to establishing a security policy (p. 443):
    - Determine which assets need protection.
    - Determine who should have access to which assets.
    - Take inventory of the resources available to protect the assets.
    - Finally, the organization commits these resources and writes up a plan.

Security for Clients:
o Client computers need protection different from the security companies need
  (p. 444).
o Cookies:
    - The Internet works on stateless connections, in which all transmissions
      are independent of all other transmissions. In other words, the current
      transmission has no knowledge of the previous transmissions. Cookies are
      small text files stored on the client computer so that data from one
      session can be passed to future sessions (p. 445).
    - For example, you want to buy something online and enter your Zip code.
      Two days later, you go back to the site and the site remembers your Zip
      code. This means your Zip code was likely saved in a cookie.
    - Too often, cookies are used to pass private information about you to
      advertisers. As a result, they should be blocked.
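The Zip code round trip above, worked through in code. This is an added example, not part of the course notes or the textbook: it uses Python's standard http.cookies module, and the cookie name "zip", the value 90210 and the request headers are constructed for the demonstration. It also shows the Secure, HttpOnly and SameSite attributes a server should set so the stored data is not sent over plain http:// or read by page scripts.

```python
"""Cookie round trip across stateless HTTP requests (added example, not from
the course notes). Uses the standard http.cookies module; the cookie name,
the zip code value and the request headers are constructed for the demo."""
from http.cookies import SimpleCookie
from typing import Optional


def build_set_cookie_header(name: str, value: str, max_age_days: int = 30) -> str:
    """Value of the Set-Cookie header the server sends with its first response.

    Secure keeps the cookie off plain http://, HttpOnly hides it from page
    scripts, and SameSite=Lax stops most cross-site requests from carrying it.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["max-age"] = max_age_days * 24 * 3600
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "Lax"
    # output() normally renders "Set-Cookie: ..."; header="" leaves just the value.
    return cookie.output(header="").strip()


def read_cookie(cookie_header: str, name: str) -> Optional[str]:
    """Parse the Cookie header a browser sends back on a later visit."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(name)
    return morsel.value if morsel is not None else None


def zip_code_for_request(cookie_header: Optional[str]) -> Optional[str]:
    """The server's view of one request: with no cookie it has no memory of
    the visitor, because nothing else links this request to earlier ones."""
    if not cookie_header:
        return None
    return read_cookie(cookie_header, "zip")


if __name__ == "__main__":
    # Visit 1: the visitor enters a zip code; the server answers with Set-Cookie.
    print("Set-Cookie:", build_set_cookie_header("zip", "90210"))
    # Visit 2, days later: the browser sends the cookie back automatically.
    print("zip on return visit:", zip_code_for_request("zip=90210; theme=dark"))
    # A fresh browser (or blocked cookies): the site cannot recall anything.
    print("zip with no cookie:", zip_code_for_request(None))
```

Blocking cookies, as the notes suggest, is exactly the third case: every request then looks like a first visit, which is why the site no longer remembers the Zip code.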
o A Web bug is a tiny graphic (often invisible) that a third-party Web site
  places on another site’s Web page. When a site visitor loads the Web page,
  the Web bug is delivered by the third-party site, which can then place a
  cookie on the visitor’s computer (p. 447).
o Active Content:
    - Active content refers to programs that are embedded transparently in Web
      pages and that cause action to occur (p. 448).
    - These actions are often written to damage the computer (p. 448).
        - A Trojan horse is a small program written into a program or Web page
          to mask its true purpose (p. 448).
        - A zombie is a Trojan horse that secretly takes over another computer
          for the purpose of launching attacks on other computers (p. 448).
    - These programs are written in scripting languages such as JavaScript or
      through ActiveX controls (p. 450).
o Plug-ins are programs that enhance the capabilities of browsers (e.g., playing
  audio or video, animating graphics) to handle Web content that a browser
  cannot otherwise handle (p. 450).
o A virus is software that attaches itself to another program and can cause
  damage when the host program is activated (p. 451).
o A worm is a type of virus that replicates itself on the computer it infects
  (p. 451).
Protecting the Client Computer:
o Antivirus software detects viruses and worms and either deletes them or
  isolates them on the client computer so they cannot run (p. 452).
o A digital certificate is a signed message or code attached to an e-mail
  message or a program embedded in a Web page that verifies that the sender or
  Web site is who or what it claims to be (p. 456).
    - A digital certificate is issued by a certification authority such as
      VeriSign (p. 456).
o Biometric security devices use an element of a person’s biological makeup to
  perform the identification. Examples include eye scanners and fingerprint
  readers (p. 459).

Miscellaneous threats:
o Sniffer programs are software programs that record sensitive or personal
  information (credit card information, address, phone, etc.) passing through
  a computer (p. 460).
o Backdoors are holes left either intentionally or unintentionally within a
  software program; people who are aware of the hole can use it to steal
  sensitive or personal information (p. 460).
o Cybervandalism is the electronic defacing of an existing Web site’s page,
  usually by replacing the regular content with content placed there by the
  hacker (p. 462).
o Spoofing is pretending to be someone you are not, or representing a Web site
  as an original when it is a fake (p. 462).
o Phishing is the sending of mass e-mails that include a link that appears to
  be real (such as paypa1.com instead of paypal.com). When a user clicks on
  the link, they are taken to a page where they are encouraged to provide
  personal information (p. 462).
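The paypa1.com trick from the phishing bullet, turned into a defender-side check that a mail filter or help desk could run over the links in a message. This is an added example, not from the course notes: the KNOWN_BRANDS list, the CONFUSABLES table and the sample URLs are constructed, and a real deployment would load the organization's own list of legitimate domains.

```python
"""Look-alike link domain check for phishing triage (added example, not from
the course notes). KNOWN_BRANDS and the sample URLs are constructed; a real
deployment would load the organisation's own list of legitimate domains."""
import re
from typing import Dict
from urllib.parse import urlparse

# Constructed list of domains the organisation considers legitimate.
KNOWN_BRANDS = {"paypal.com", "example-bank.com"}

# Characters that attackers swap for visually similar ones (paypa1 -> paypal).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def skeleton(name: str) -> str:
    """Collapse look-alike spellings so that they compare equal."""
    return name.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (naive; ignores multi-part suffixes like co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain behind a link."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in KNOWN_BRANDS:
        return "trusted"
    for brand in KNOWN_BRANDS:
        brand_label = brand.split(".")[0]
        # Either the whole domain is a misspelling of the brand (paypa1.com)
        # or the brand name is buried in a subdomain (paypal.com.verify.net).
        if skeleton(domain) == skeleton(brand) or brand_label in skeleton(host):
            return "lookalike"
    return "unknown"


def triage_message(body: str) -> Dict[str, str]:
    """Map every link found in an e-mail body to its classification."""
    return {url: classify_link(url) for url in URL_RE.findall(body)}


if __name__ == "__main__":
    # Constructed message text for the demonstration.
    sample = ("Your account is on hold. Verify now: http://paypa1.com/login "
              "or read the help page at https://www.paypal.com/help")
    for link, verdict in triage_message(sample).items():
        print(f"{verdict:9} {link}")
```

The skeleton comparison is deliberately loose: it is meant to raise a flag for a human to look at, so a false "lookalike" on an unusual but legitimate domain is acceptable, while missing a spoofed one is not.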
o In wireless networks, wardriving involves hackers driving around with
  wireless laptops searching for wireless networks that are not very secure
  (p. 463).
    - Read an article (http://news.bbc.co.uk/1/hi/sci/tech/1860241.stm) about
      a British security company that found that the majority of wireless
      networks could be accessed with a laptop and a Pringles can.
o Dictionary attack programs cycle through every word in an electronic
  dictionary trying to guess a user’s password. This is one reason that people
  should avoid using common words as their passwords (p. 475).
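A password-acceptance check that rejects what a dictionary attack would guess first, as an added example that is not part of the course notes. The DICTIONARY set, the LEET substitution table and the sample passwords are constructed for the demonstration; a real check would load a full word list and a list of passwords exposed in known breaches. It goes slightly beyond the notes by also undoing the digit-for-letter substitutions and trailing digits that attackers routinely try, since "dr4g0n!" is no harder to guess than "dragon".

```python
"""Password check against the guesses a dictionary attack makes first (added
example, not from the course notes). DICTIONARY, the substitution table and
the sample passwords are constructed; a real check would load a full word
list plus known breached passwords."""
from typing import Iterator, List

# Constructed word list; a real one has hundreds of thousands of entries.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# Substitutions attackers undo (and users wrongly trust to make a word strong).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
TRAILING = "0123456789!@#$%^&*."


def attacker_candidates(password: str) -> Iterator[str]:
    """The base words an attacker's rule set would derive from this password."""
    base = password.lower()
    yield base
    yield base.translate(LEET)
    stripped = base.rstrip(TRAILING)     # "summer2024!" -> "summer"
    yield stripped
    yield stripped.translate(LEET)       # "dr4g0n"      -> "dragon"


def is_dictionary_password(password: str) -> bool:
    """True when any derived form is a plain dictionary word."""
    return any(word in DICTIONARY for word in attacker_candidates(password))


def check_password(password: str, min_length: int = 12) -> List[str]:
    """Return the reasons a password would be rejected; empty means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_dictionary_password(password):
        problems.append("derived from a dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ["Passw0rd123", "Dr4g0n!", "Summer2024!", "blue-tractor-hymn-42"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate:22} {', '.join(verdict)}")
```

Run on a sign-up or password-change form, this turns the notes' advice ("avoid common words") into something the site enforces rather than merely recommends.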

Protecting Against Sophisticated Threats:
o Encryption is the coding of information by using a mathematically based
  program and a secret key to produce a string of characters that is
  unintelligible. In order to read the message, both the sender and the
  receiver must have the key (p. 464).
o Secure Sockets Layer (SSL) is an encryption technology used on the World Wide
  Web to allow the client and the Web server to exchange data privately
  (p. 468).
    - By the way, you should only submit your credit card information to a
      site protected by SSL. You will know they have SSL if the Web address
      begins with https:// (not http://).
o Web servers should be protected with an access control list (ACL). An ACL is
  a list of files and other resources and the usernames of people who can
  access those files and resources. In other words, it is a list of who can
  access what (p. 479).
o A firewall is software (or a combination of hardware and software) that is
  installed on a network to control the data moving through it (p. 479).
    - A good firewall prevents access to a network by unauthorized users and
      allows access to legitimate users (p. 480).
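A first-match packet filter with a default-deny policy, illustrating both bullets above: the ACL idea of a list of who may access what, and the firewall that lets legitimate traffic through while blocking everything else. This is an added example, not from the course notes. The Packet and Rule types, the RULES list and the sample packets are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges, not real hosts.

```python
"""First-match packet filter with a default-deny policy, the behaviour the
notes describe for both an ACL (a list of who may access what) and a firewall
(added example, not from the course notes). Addresses, rules and sample
packets are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation
ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # any source
    dst: str = "0.0.0.0/0"           # any destination
    dst_port: Optional[int] = None   # None matches every port
    proto: Optional[str] = None      # None matches every protocol

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and (self.proto is None or self.proto == p.proto))


# Constructed ruleset for the Internet-facing side of a small shop network.
RULES: List[Rule] = [
    # Private source addresses never legitimately arrive from the Internet.
    Rule("deny", src="10.0.0.0/8"),
    Rule("deny", src="192.168.0.0/16"),
    # The public web server may be reached on HTTPS and HTTP only.
    Rule("allow", dst="203.0.113.10/32", dst_port=443, proto="tcp"),
    Rule("allow", dst="203.0.113.10/32", dst_port=80, proto="tcp"),
    # Everything else falls through to the default deny in filter_packet().
]


def matched_rule(p: Packet, rules: List[Rule] = RULES) -> Optional[Rule]:
    """First rule whose conditions the packet satisfies, or None."""
    for rule in rules:
        if rule.matches(p):
            return rule
    return None


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> str:
    """Action for the packet; unmatched traffic is denied, never allowed."""
    rule = matched_rule(p, rules)
    return rule.action if rule is not None else "deny"


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "203.0.113.10", 443, "tcp"),  # shopper -> HTTPS
        Packet("198.51.100.7", "203.0.113.10", 22, "tcp"),   # shopper -> SSH
        Packet("10.1.2.3", "203.0.113.10", 443, "tcp"),      # private src from outside
        Packet("198.51.100.7", "203.0.113.11", 443, "tcp"),  # host not published
    ]
    for s in samples:
        print(f"{s.src} -> {s.dst}:{s.dst_port}/{s.proto}: {filter_packet(s)}")
```

Two design points carry over to any real firewall or ACL: rule order matters because the first match wins (the anti-spoofing deny sits above the allow rules on purpose), and anything the list does not mention is denied, so forgetting a rule fails closed rather than open.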