Chap. 10 E-commerce Security


1. Key Definitions

1.1. Computer Security

1.1.1. the protection of assets from unauthorized access, use, alteration, or destruction.

1.2. Threat

1.2.1. act or object that poses a danger to computer assets.

1.3. Eavesdropper

1.3.1. person or device that can listen in on and copy internet transmissions.

1.4. Cracker/Hacker

1.4.1. people who write programs or manipulate technology to obtain unauthorized access to computers and networks.

1.5. White hat hacker

1.5.1. hackers that use their skills for positive purposes.

1.6. Black hat hacker

1.6.1. hackers that use their skills for ill purposes.

1.7. Man-in-the-middle exploit

1.7.1. exploit in which an intermediary intercepts a transmission and alters its contents; for example, the contents of an email message are changed in a way that negates the message's original meaning.

1.8. Stateless Connection

1.8.1. connection between a client and a server over the Internet whereby each transmission of information is independent; no continuous connection is maintained.

1.9. Cookie

1.9.1. small text files that Web servers place on Web client computers to identify returning visitors.

1.10. Session cookies

1.10.1. cookie that exists only until you shut down your browser.

1.11. Persistent cookies

1.11.1. cookie that exists indefinitely.

1.12. 1st party cookies

1.12.1. cookies placed on the client computer by the Web server of the site being visited.

1.13. 3rd party cookies

1.13.1. cookies that originate on a Web site other than the site being visited.

1.14. Trojan Horse

1.14.1. program hidden inside another program or Web page that masks its true purpose.

1.15. Zombie

1.15.1. a Trojan horse that secretly takes over another computer for the purpose of launching attacks on other computers.

1.16. Java Sandbox

1.16.1. browser security feature that limits the actions that can be performed by a Java applet that has been downloaded from the Web.

1.17. Certification authority

1.17.1. company that issues digital certificates to organizations or individuals.

2. Types of Security

2.1. Physical Security

2.1.1. includes tangible protection devices, such as alarms, guards, fireproof doors, security fences, safes or vaults, and bombproof buildings.

2.2. Logical Security

2.2.1. Protection of assets using nonphysical means.

3. Communication Channel Security

3.1. The Internet was not designed to be secure; it was designed to provide redundancy in case one or more communication lines were cut. Today, the Internet remains relatively unchanged from its original state, so any message transferred over it is subject to threats.

3.1.1. Secrecy Threats

3.1.1.1. Secrecy is the prevention of unauthorized information disclosure. It is a technical issue that requires complex physical and logical mechanisms. Companies may protect messages against secrecy violations by using encryption. Moreover, secrecy countermeasures protect outgoing messages.

3.1.2. Theft of sensitive or personal info.

3.1.2.1. Protection of information such as credit card numbers, names, and addresses is at stake: these threats can occur any time someone submits information over the Internet. Obviously this is a serious problem.

3.1.3. Integrity Threats

3.1.3.1. An integrity threat occurs when an unauthorized party alters a message stream of information. Such alterations can cause a change in the actions a person or company takes because a mission-critical transmission has been altered. Examples of integrity threats include cybervandalism and masquerading.

3.1.4. Necessity Threats

3.1.4.1. The act of disrupting normal computer processing or denying processing entirely. A computer that slows to an extremely slow speed may be experiencing a necessity threat. These attacks can remove information altogether or remove it from a transmission or file.

3.1.5. Wireless Network Threats

3.1.5.1. Networks can use wireless access points (WAPs) to provide network communications to computers. If the access points are not protected, anyone within range can log in and get access to network resources. Attackers who drive around looking for such networks are called wardrivers, and marking the location of an open network for others is known as warchalking. Companies avoid becoming a target by turning on a security feature called WEP (which has since been broken and superseded by WPA2 and WPA3, so it should no longer be relied on).

4. Key Definitions con'd

4.1. Key

4.1.1. long binary number used with an encryption algorithm to "lock" the characters of the message being protected so that they are undecipherable without the key.

4.2. Steganography

4.2.1. describes the process of hiding info. within another piece or medium of info.

4.3. Biometric security device

4.3.1. device that uses an element of a person's biological makeup to perform the identification.

4.4. Privacy

4.4.1. protection of individual rights to nondisclosure.

4.5. Sniffer programs

4.5.1. program that provides the means to record information that passes through a computer or router that handles Internet traffic.

4.6. Cybervandalism

4.6.1. electronic defacing of an existing Web site's page.

4.7. Masquerading

4.7.1. pretending to be someone you are not, or representing a fake Web site as the original.

4.8. Encryption

4.8.1. coding of information by using a mathematically based program and a secret key to produce a string of characters that is unintelligible.

4.9. Session Key

4.9.1. key used by an encryption algorithm to create cipher text from plain text during a single secure session.

4.10. Digital Signature

4.10.1. an encrypted message digest.

4.11. Trusted

4.11.1. networks inside a firewall; untrusted networks are those outside the firewall.

4.12. Packet-filter firewall

4.12.1. examines all data flowing back and forth between the trusted network and the internet.

4.13. Proxy server firewall

4.13.1. firewall that communicates with the Internet on the private network's behalf.

4.14. Personal firewall

4.14.1. software-only firewalls on an individual client computer.

5. Encryption Solutions

5.1. Encryption Algorithms

5.1.1. The logic that implements an encryption program, an encryption program being one that transforms plain text into cipher text. A message is encrypted before it is sent over the network, and on arrival at its destination it is decoded by a decryption program. Someone can know the details of the algorithm and still be unable to decipher the encrypted message without knowing the key the algorithm used to encrypt it.

5.2. Hash Coding

5.2.1. The process used to calculate a number from a message; the result is essentially a virtual fingerprint for the message. Hash algorithms are designed so that the probability of two different messages producing the same hash value is extremely small, which makes hashing a way to tell whether a message has been altered in transit.

5.3. Asymmetric Encryption

5.3.1. Encodes messages by using two mathematically related numeric keys.

5.4. Symmetric Encryption

5.4.1. Encodes a message with one of several available algorithms that use a single numeric key. Because the same key is used for both operations, the sender and receiver must both know the key, and the key must be guarded: if it is made public, all messages previously sent with it are vulnerable.

5.5. Secure Sockets Layer Protocol

5.5.1. Defined as a security handshake in which the client and server computers exchange a brief burst of messages. Each computer identifies the other, then SSL encrypts and decrypts the information flowing between the two. SSL can secure many types of communication between computers in addition to HTTP, and it allows the length of the private session key generated for each encrypted transaction to be set to a variety of bit lengths.

6. Security for Server computers

6.1. Web server threats

6.1.1. A Web server can compromise secrecy if it allows automatic directory listings or if it requires users to enter a user name and password.

6.2. Database threats

6.2.1. E-commerce systems store user data and retrieve product information from databases connected to the Web server. Databases connected to the Web contain valuable information that could damage a company if disclosed.

6.3. Firewalls

6.3.1. A firewall is software, or a hardware and software combination, installed in a network to control the packet traffic that moves through it. Companies place a firewall at the Internet entry point of their networks, as it provides a defense between the network and the Internet.

6.3.2. Characteristics of a firewall:
- All traffic from inside to outside and from outside to inside the network must pass through it.
- Only authorized traffic, as defined by the local security policy, is allowed to pass through it.
- The firewall itself is immune to penetration.

7. Online Security Issues

7.1. Managing Risk

7.1.1. The risk management model applies to protecting e-commerce assets from all kinds of threats. A threat is judged on the potential seriousness of its occurring. Organizations must identify risks, determine how to protect assets, and calculate how much to spend to protect those assets.

7.2. Computer Security Classifications

7.2.1. Secrecy

7.2.1.1. protecting against unauthorized data disclosure and ensuring the authenticity of the data source.

7.2.2. Integrity

7.2.2.1. preventing unauthorized data modification.

7.2.3. Necessity

7.2.3.1. preventing data delays or denials (removal).

7.3. Security Policy and Integrated Security

7.3.1. Any organization concerned about protecting e-commerce assets should have a security policy, and the policy must be continually updated. The first step a company must take in creating a policy is to determine which assets to protect from which threats. The comprehensive security plan should protect a system's privacy, integrity, and availability, and authenticate users.

7.3.2. Elements of a security policy:
- Authentication: Who is trying to access the e-commerce site?
- Access control: Who is allowed to log on to and access the e-commerce site?
- Secrecy: Who is permitted to view selected information?
- Data integrity: Who is allowed to change data?
- Audit: Who or what causes specific events to occur, and when?

8. Security for Client Computers

8.1. Cookies

8.1.1. Cookies allow Web servers to maintain continuing open sessions with Web clients. An open session is necessary for a number of things that are important in online business activity. Cookies were invented to solve the stateless connection problem by saving information about a Web user from one set of server-client message exchanges to another. Cookies can be categorized by time duration and by source.
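The two categorizations in 8.1.1 (and the definitions in 1.10 to 1.13) applied to a response, as an added example that is not part of the chapter: each constructed Set-Cookie header is classified by duration (session, persistent or already expired) and by source (first or third party), and the Secure and HttpOnly flags a reviewer would expect are checked. The hostnames, cookie values and the two-label domain rule are assumptions made for the illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def registrable_domain(host: str) -> str:
    """Simplification: the last two labels stand in for the real eTLD+1
    (production code should consult the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_set_cookie(header: str) -> tuple:
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def classify_cookie(header, responding_host, visited_host, now=None) -> dict:
    """Categorize one cookie by time duration and by source, and list the
    hardening flags (Secure, HttpOnly) it is missing."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    # Time duration: Max-Age wins over Expires; neither means a session cookie.
    if "max-age" in attrs:
        duration = "persistent" if int(attrs["max-age"]) > 0 else "expired"
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        duration = "persistent" if expires > now else "expired"
    else:
        duration = "session"
    # Source: set by the site being visited (first party) or by another site
    # whose content, such as a web bug, was embedded in the page (third party).
    same_site = registrable_domain(responding_host) == registrable_domain(visited_host)
    source = "first-party" if same_site else "third-party"
    missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    return {"name": name, "duration": duration, "source": source,
            "missing_flags": missing}

# Constructed sample: a page on shop.example.com that embeds a third-party tracker.
SAMPLES = [
    ("sid=9f3a1c; Path=/; Secure; HttpOnly", "shop.example.com"),
    ("uid=42; Max-Age=31536000; Path=/", "tracker.ads.example.net"),
]

def classify_samples(visited_host="shop.example.com"):
    return [classify_cookie(h, host, visited_host) for h, host in SAMPLES]
```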

8.2. Web Bugs

8.2.1. a tiny graphic that a 3rd party web site places on another site's Web page. When a site visitor loads the web page, the web bug is delivered by the 3rd party site, which can then place a cookie on the visitor's computer.

8.3. Active Content

8.3.1. refers to programs that are embedded transparently in web pages and that cause action to occur. In ecom active content is used to place items into a shopping cart and compute a total invoice amount, including tax, handling, and shipping. It extends the functionality of HTML and moves some data processing chores from the busy server machine to the user's client computer.

8.4. Java Applets

8.4.1. Java is a programming language developed by Sun that is used widely in web pages to provide active content. Java adds functionality to business applications and can handle transactions and a wide variety of actions on the client computer. That relieves an otherwise busy server-side program from handling lots of transactions at the same time.

8.5. Java Script

8.5.1. scripting language developed by Netscape to enable Web page designers to build active content. JavaScript can be used for attacks by executing code that destroys a client's hard disk. It can also record the URLs of Web pages a user visits and capture information. A JavaScript program cannot start on its own, but all it takes to start one is clicking a button.

8.6. ActiveX control

8.6.1. an object that contains programs and properties that Web designers place on Web pages to perform particular tasks. ActiveX controls run only on computers with Windows operating systems. The security danger is that once they are downloaded, they execute like any other program on the client computer and have full access to the system's resources.

8.7. Graphics and Plug-ins

8.7.1. Some graphics file formats are designed to contain instructions on how to render the graphic, which means any page containing such a graphic could be a threat. Plug-ins are programs that enhance the capabilities of browsers; they are useful for tasks such as playing video clips and displaying movies. However, users download these plug-ins and install them themselves so their browsers can display content that is not included in the original HTML.

8.8. Viruses, Worms, and Antivirus software

8.8.1. A virus is a form of software that attaches itself to another program and can cause damage to a host system. A worm is a kind of virus that reproduces itself on the computers it infects. Both of these annoyances move rapidly through the Internet. Antivirus software can detect viruses and worms and can delete them or isolate them on the host computer so they cannot run (ex: Norton, Symantec, McAfee).

8.9. Digital Certificates

8.9.1. an attachment to an email message, or a program embedded in a Web page, that verifies that the sender is who they claim to be. These certificates contain a means to send an encrypted message that is encoded so others cannot read it. The encrypted message identifies the software publisher. Certificates are used for many types of online transactions, including email and e-commerce, and such a certificate is an assurance that the software was created by a specific company.

8.9.2. Contains six main elements:
- Certificate owner's identifying information, such as name, organization, and address
- Certificate owner's public key
- Dates between which the certificate is valid
- Serial number of the certificate
- Name of the certificate issuer
- Digital signature of the certificate issuer