Implementing Security for Electronic Commerce - PowerPoint PPT Presentation

Slides: 55
Provided by: tinaas1
Transcript and Presenter's Notes

1
Implementing Security for Electronic Commerce
Electronic Commerce
2
Security Management Issues
  • Recognize the business consequences of poor
    security
  • Security through obscurity doesn't work
  • It's the business that counts, not the technology
  • Security is an ongoing, closed-loop process
  • Even for EC sites, internal breaches are more
    prevalent than external breaches
  • Source: Turban et al., Electronic Commerce, 2002.

3
Developing a Security Policy
  • Identify and evaluate assets
  • Identify threats
  • Assess risk
  • Assign responsibilities
  • Establish security policies
  • Implement across the organization
  • Manage the security program
  • http://enterprisesecurity.symantec.com/Content.cfm?ArticleID=1128&PID=10250588&EID=0&print=yes

4
Identify and evaluate assets
  • What assets need to be protected and how to
    protect them while still allowing the business to
    flourish.
  • Expect the Unexpected: Imagine what might happen
    if
      • Essential data were stolen, lost, compromised,
        corrupted, or deleted?
      • Email systems were down for a day or more? How
        much would this loss of productivity cost?
      • Customers were unable to place orders online for
        an extended period of time?

5
Identify threats
  • What are the sources of potential security
    problems?
  • External threats: Originate outside the
    organization, such as viruses, worms, Trojan
    horses, hacking attempts, retaliation by former
    employees, or industrial espionage.
  • Internal threats: Threats coming from inside the
    enterprise can be very costly because the
    perpetrator has greater access and insight as to
    where sensitive and important data reside.

6
Assess risk
  • The likelihood of certain events occurring, and
    which of these events has the potential to cause
    the most damage, need to be calculated.
  • The cost may be more than a monetary one: value
    must be placed on loss of data, privacy, legal
    liability, unwanted media exposure, loss of
    customer or investor confidence, and the costs
    associated with repairing security breaches.

7
Assign responsibilities
  • Choose a development team to help identify
    potential threats in all areas of the enterprise.
  • Ideally, a representative from all departments in
    the company should be involved.
  • Key team members would include the Network
    Administrator, legal counsel, a senior executive,
    as well as Human Resources and Public Relations
    representatives.

8
Establish security policies
  • Create a policy that points to associated
    documents: any guidelines and procedures,
    standards, as well as any employee contracts.
  • These documents should contain specific
    information relative to computing platforms,
    technology platforms, user responsibilities, and
    organizational structure.
  • That way, if changes are made over time, it is
    easier to change the underlying documents rather
    than the policy itself.

9
Implement across the organization
  • Whatever policy is chosen, it must clearly
    outline security responsibilities and acknowledge
    who owns the specific systems and data.
  • It may also require all employees to sign the
    statement, and if so, this should be clearly
    communicated.
  • Three essential parts of enforcement should
    include:
      • Compliance,
      • Security officers, and
      • Funding

10
Manage the security program
  • Determine the internal procedures for
    implementing these requirements and enforcing
    them.

11
Things to Keep in Mind
  • Throughout the process of building a security
    policy, it is important to make sure the policy
    is:
      • Implementable and enforceable
      • Concise and easy to understand
      • Balances protection with productivity

12
Protecting Electronic Commerce Assets
  • You cannot hope to produce secure commerce
    systems unless there is a written security policy
      • What assets are to be protected
      • What is needed to protect those assets
      • Analysis of the likelihood of threats
      • Rules to be enforced to protect those assets

13
Protecting Electronic Commerce Assets
  • Both defense and commercial security guidelines
    state that you must protect assets from:
      • Unauthorized disclosure
      • Modification
      • Destruction
  • Typical security policy concerning confidential
    company information:
      • Do not reveal company confidential information to
        anyone outside the company

14
Minimum Requirements for Secure Electronic
Commerce Figure 6-1
15
Protections
  • Protecting the server
  • Protecting the communication channel
  • Protecting the client

16
Protecting the Commerce Server
17
Protecting the Commerce Server
  • Access control and authentication
      • Controlling who and what has access to the server
      • Requests that the client send a certificate as
        part of authentication
      • Server checks the timestamp on the certificate to
        ensure that it hasn't expired
      • Can use a callback system in which the client
        computer address and name are checked against a
        list

18
Protecting the Commerce Server
  • Usernames and passwords are the most common
    method of providing protection for the server
  • Usernames are stored in clear text, while
    passwords are encrypted
  • The password entered by the user is encrypted and
    compared to the one on file
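
Added example, not part of the original slides: the compare-on-login flow described above, sketched with a salted one-way hash (PBKDF2-HMAC-SHA256) rather than reversible encryption, which the slide does not specify. The function names, record format, iteration count and the sample user are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, not from the slides

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Re-derive the digest from the entered password and compare it
    to the stored one in constant time. Malformed records fail closed."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(candidate, expected)

# Constructed user table: usernames in clear text, passwords only as records.
USERS = {"alice": hash_password("correct horse battery staple")}
_DUMMY_RECORD = hash_password("placeholder")

def login(username, password):
    record = USERS.get(username)
    if record is None:
        # Do the same work for unknown users so response time does not
        # reveal which usernames exist.
        verify_password(password, _DUMMY_RECORD)
        return False
    return verify_password(password, record)
```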

19
Operating System Controls
  • Most operating systems employ username and
    password authentication
  • A common defense is a firewall
      • All traffic from inside to outside and outside to
        inside must pass through it
      • Only authorized traffic is allowed
      • The firewall itself must be immune to penetration

20
Firewalls
  • Should be stripped of any unnecessary software
  • Categories of firewalls include:
      • Packet filters
          • Examine all packets flowing through the firewall
      • Gateway servers
          • Filter traffic based on the requested application
      • Proxy servers
          • Communicate on behalf of the private network
          • Serve as a huge cache for Web pages
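
Added example, not part of the original slides: a minimal packet filter showing "only authorized traffic is allowed" as first-match rules with a default deny. The rule set, the addresses (documentation ranges) and all names are hypothetical.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport")
Rule = namedtuple("Rule", "action src dst proto dport")

# Hypothetical policy: public web traffic to the commerce server,
# administrative SSH only from the internal 10.0.0.0/8 network.
RULES = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", 80),
    Rule("allow", "10.0.0.0/8", "203.0.113.10/32", "tcp", 22),
]

def _in(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def decide(packet, rules=RULES):
    """First matching rule wins; unmatched or malformed packets are denied."""
    try:
        for rule in rules:
            if (_in(packet.src, rule.src) and _in(packet.dst, rule.dst)
                    and rule.proto == packet.proto
                    and rule.dport == packet.dport):
                return rule.action
    except ValueError:  # unparsable address: fail closed
        return "deny"
    return "deny"  # default deny: nothing explicitly authorized matched

# Constructed sample traffic.
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 443),  # customer HTTPS
    Packet("198.51.100.7", "203.0.113.10", "tcp", 22),   # SSH from outside
    Packet("10.1.2.3", "203.0.113.10", "tcp", 22),       # SSH from inside
    Packet("198.51.100.7", "203.0.113.10", "udp", 53),   # no rule for this
    Packet("198.51.100.7", "203.0.113.20", "tcp", 443),  # other host
]

def run_sample():
    return [decide(p) for p in SAMPLE]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_sample()):
        print(verdict, pkt)
```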

21
Check Point Software's Firewall-1 Web Page Figure 6-17
22
Protecting Communication Channel
23
Protecting Electronic Commerce Channels
  • Protecting assets while they are in transit
    between client computers and remote servers
  • Providing channel security includes:
      • Channel secrecy
      • Guaranteeing message integrity
      • Ensuring channel availability
      • Authentication

24
Providing Transaction Privacy
  • Encryption
      • The coding of information by using a
        mathematically based program and secret key to
        produce unintelligible characters
  • Steganography
      • Makes text invisible to the naked eye
  • Cryptography
      • Converts text to strings that appear to have no
        meaning

25
Message Security
  • Privacy Enhanced Mail (PEM)
  • Security Multiparts for MIME (Multipurpose
    Internet Mail Extensions)
  • MIME Object Security Services (MOSS)
  • S/MIME and PKCS (Public-Key Cryptography
    Standards)
  • Pretty Good Privacy (PGP)
  • Message Security Protocol (MSP)
  • X.400 Security

26
S/MIME
  • Based on PKCS developed by RSA
  • PKCS #7
      • Signed data
      • Enveloped data
      • Signed and enveloped data
  • Canonical form
      • Compute the digital signature on a common,
        agreed-upon representation of a message, using an
        agreed-upon character encoding and
        line-terminator conversion.

27
S/MIME digital signature
28
S/MIME Encryption
29
Secure Sockets Layer (SSL) Protocol
  • Secures connections between two computers
  • Provides a security handshake in which the client
    and server computers exchange, among other
    things, the level of security to be used and
    certificates
  • Secures many different types of communications
    between computers

30
Secure Sockets Layer (SSL) Protocol
  • Provides either 40-bit or 128-bit encryption
  • Session keys are used to create the cipher text
    from plain text during the session
  • The longer the key, the more resistant to attack

31
Establishing an SSL Session Figure 6-13
32
SSL Web Server Information Figure 6-14
33
Secure HTTP (S-HTTP) Protocol
  • Extension to HTTP that provides numerous security
    features:
      • Client and server authentication
      • Spontaneous encryption
      • Request/response nonrepudiation
  • Provides symmetric and public-key encryption, and
    message digests (summaries of messages as
    integers)

34
Ensuring Transaction Integrity Figure 6-15
35
Network Protocol Security
  • IP was not inherently secure
  • Added two IP security mechanisms:
      • Authentication header
      • Packet encryption

36
Guaranteeing Transaction Delivery
  • Neither encryption nor digital signatures protect
    packets from theft or slowdown
  • Transmission Control Protocol (TCP) is
    responsible for end-to-end control of packets
  • TCP requests that the client computer resend data
    when packets appear to be missing

37
Protecting Client
38
Protecting Client Computers
  • Active content, delivered over the Internet in
    dynamic Web pages, can be one of the most serious
    threats to client computers
  • Threats can hide in:
      • Web pages
      • Downloaded graphics and plug-ins
      • E-mail attachments

39
Protecting Client Computers
  • Cookies
      • Small pieces of text that are stored on your
        computer and contain sensitive information that
        is not encrypted
      • Anyone can read and interpret cookie data
      • Do not harm client machines directly, but
        potentially could still cause damage
  • Misplaced trust
      • Web sites that aren't really what they seem and
        trick the user into revealing sensitive data

40
Monitoring Active Content
  • Netscape Navigator and Microsoft Internet
    Explorer browsers are equipped to allow the user
    to monitor active content before allowing it to
    download
  • Digital certificates provide assurance to clients
    and servers that the participant is authenticated

41
Digital Certificates
  • Also known as a digital ID
  • An attachment to an e-mail message
  • Embedded in a Web page
  • Serves as proof that the holder is the person or
    company identified by the certificate
  • Encoded so that others cannot read or duplicate it

42
VeriSign
  • Oldest and best-known Certification Authority
    (CA)
  • Offers several classes of certificates
      • Class 1 (lowest level)
          • Bind e-mail address and associated public keys
      • Class 4 (highest level)
          • Apply to servers and their organizations
          • Offers assurance of an individual's identity and
            relationship to a specified organization

43
(No Transcript)
44
Microsoft Internet Explorer
  • Provides client-side protection right inside the
    browser
  • Reacts to ActiveX and Java-based content
  • Authenticode verifies the identity of downloaded
    content
  • The user decides to trust code from individual
    companies

45
(No Transcript)
46
Security Warning and Certificate
Validation Figure 6-5
47
Internet Explorer Zones and Security
Levels Figure 6-6
48
Internet Explorer Security Zone Default
Settings Figure 6-7
49
Netscape Navigator
  • User can decide to allow Navigator to download
    active content
  • User can view the signature attached to Java and
    JavaScript
  • Security is set in the Preferences dialog box
  • Cookie options are also set in the Preferences
    dialog box

50
Setting Netscape Navigator Preferences Figure 6-8
51
A Typical Netscape Navigator Java Security
Alert Figure 6-9
52
Viewing a Content Provider's Certificate Figure 6-10
53
Dealing with Cookies
  • Can be set to expire within 10, 20, or 30 days
  • Retrievable only by the site that created them
  • Collect information so that the user doesn't have
    to continually enter usernames and passwords to
    access Web sites

54
Dealing with Cookies
  • Earlier browsers simply stored cookies without
    comment
  • Today's browsers allow the user to:
      • Store cookies without permission or warning
      • Receive a warning that a cookie is about to be
        stored
      • Unconditionally disallow cookies altogether