?????? Secure Electronic Commerce - PowerPoint PPT Presentation

Secure Electronic Commerce (E-Finance Security Control Mechanisms) 992SEC14 TGMXM0A Fri. 6,7,8 (13:10-16:00) L526

Slides: 84
Provided by: Myd9

Transcript and Presenter's Notes

1
?????? Secure Electronic Commerce
?????????? (E-Finance Security Control
Mechanisms)
992SEC14 TGMXM0A Fri. 6,7,8 (13:10-16:00) L526
  • Min-Yuh Day
  • ???
  • Assistant Professor
  • ??????
  • Dept. of Information Management, Tamkang
    University
  • ???? ??????
  • http://mail.im.tku.edu.tw/myday/
  • 2011-06-03

2
Syllabus
  • ?? ?/? ??(Subject/Topics)
  • 1 100/02/18 ??????????
    (Course Orientation for Secure Electronic
    Commerce)
  • 2 100/02/25 ?????? (Introduction to
    E-Commerce)
  • 3 100/03/04 ???? (E-Marketplaces)
  • 4 100/03/11 ???????????????
    (Retailing in Electronic Commerce
    Products and Services)
  • 5 100/03/18 ???????????????
    (Online Consumer Behavior, Market
    Research, and
    Advertisement)
  • 6 100/03/25 ???? B2B?B2C?C2C (B2B, B2C, C2C
    E-Commerce)
  • 7 100/04/01 Web 2.0, Social Network, Social
    Media
  • 8 100/04/08 ???????
  • 9 100/04/15 ????????? (Mobile Computing and
    Commerce)
  • 10 100/04/22 ?????

3
Syllabus (cont.)
  • ?? ?/? ??(Subject/Topics)
  • 11 100/04/29 ?????? (E-Commerce Security)
  • 12 100/05/06 ???? (Digital Certificate)
    Module 4
  • 13 100/05/13 ??????? (Network and Website
    Security) Module 5
  • 14 100/05/20 ??????????IC????????
    (Transaction Security, System
    Security, IC Card Security,
    Electronic Commerce Payment Systems)
    Module 6, 7, 8, 9
  • 15 100/05/27 ?????? (Mobile Commerce
    Security) Module 12
  • 16 100/06/03 ??????????
    (E-Finance Security Control Mechanisms)
    Module 13
  • 17 100/06/10 ?????? (Operation Security
    Management)
  • 18 100/06/17 ?????

4
Module 13????????
???????? ????????
???????????????? ????????????????
5
????
  1. ???????????????
  2. ??10???????,?????????????????????????
  3. ??????????,??????????????
  4. ????????,????????,?????????

6
Module 13????????
  • Module 13-1??????
  • Module 13-2????????
  • Module 13-3????????
  • Module 13-4?????????
  • ????

7
Module 13-1??????
8
?????????
9
?????????
  • ????????(59)
  • ??????(52)
  • ????/????(50)
  • ??????????????(26)
  • ????(IM)????(25)
  • ????(25)
  • ???????(25)

10
??????
  1. Port Scanning
  2. SNMP Scanning
  3. Enumeration / Banner Grabbing
  4. Wireless Enumeration
  5. Vulnerability Scanning
  6. Host Evaluation
  7. Network Device Analysis
  8. Password Compliance Testing
  9. Application Specific Scanning
  10. Network Sniffing

11
??????
  • Port Scanning
    • Identify enabled network services on systems
    • Look for unauthorized services or backdoors
  • SNMP Scanning
    • Enumerate systems on the network
    • Identify community strings
  • Enumeration / Banner Grabbing
    • Verification of operating system
  • Wireless Enumeration Tools
    • Identify access points and potential exposures
  • Vulnerability Scanning
    • Identify well-known vulnerabilities on systems

12
??????
  • Host Evaluation
    • Analyze configuration, discretionary access control and policies
  • Network Device Analysis
    • Analyze security architecture for well-known vulnerabilities and insecure configurations
  • Password Compliance Testing
    • Evaluate adherence to password policy and determine whether password filters are being effectively implemented
  • Application Specific Scanning
    • Evaluate security configuration of critical applications
  • Network Sniffing
    • Identifies sensitive information traversing the network (log-in, passwords, server configurations via telnet, etc.)

13
1. Port Scanning
Use nmap tool
14
1. Port Scanning
Use SuperScan tool
15
1. Port Scanning
Use FScan tool
16
2. SNMP Scanning
Use SNScan tool
17
2. SNMP Scanning
Use SolarWinds SNMPweep tool
18
2. SNMP Scanning
Use SolarWinds IP Network Browser tool
19
3. Enumeration
Use nslookup ?DNS Server ??????
20
3. Enumeration
Use finger tool on UNIX
21
3. Enumeration
Use rpcinfo tool on UNIX
22
3. Banner Grabbing
Use SuperScan tool
23
3. Banner Grabbing
??GET
Use telnet (80) tool
24
3. Banner Grabbing
FTP ?? 21 PORT ?
Use telnet (21) tool
25
4. Wireless Enumeration
Use Network Stumbler tool
26
5. Vulnerability Scanning
Use Nessus tool
27
5. Vulnerability Scanning
Use NeWT Security Scanner tool
28
5. Vulnerability Scanning
Use Saint tool
29
5. Vulnerability Scanning
Use IBM Internet Security Scanner tool
30
6. Host Evaluation
Use CIS Windows Benchmark tool
31
6. Host Evaluation
Use MS-Baseline Security Analyzer tool
32
6. Host Evaluation
Use DameWare NT Utility tool
33
7. Network Device Analysis
Use Insightix tool
34
8. Password Compliance Testing
Use L0phtcrack tool
35
9. Application Specific Scanning
Use Wikto tool
36
9. Application Specific Scanning
Use WebInspect tool
37
9. Application Specific Scanning
Use NGS Squirrel tool
38
10. Network Sniffing
Use Ethereal tool
39
??????
  • ????????????
  • Internet (B2C)
  • Extranet (B2B)
  • Cross Domain Intranet (HK, VN, JP, US, etc.)
  • ??????????????
  • Web Zone
  • Application / Database / Testing Zone
  • Transaction / Mainframe Zone
  • ??IDS / IPS???????????????
  • ????????????????, ??????
  • ????????????????
  • ??BIOS, HDD, USB??????????, ??????

40
??????
  • ????????
  • http://www.owasp.org
  • Top 10 in 2007
  • A1 Cross Site Scripting (XSS)
  • A2 Injection Flaws
  • A3 Malicious File Execution
  • A4 Insecure Direct Object Reference
  • A5 Cross Site Request Forgery (CSRF)
  • A6 Information Leakage and Improper Error
    Handling
  • A7 Broken Authentication and Session Management
  • A8 Insecure Cryptographic Storage
  • A9 Insecure Communications
  • A10 Failure to Restrict URL Access

41
??????
  • ????????
  • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • The OWASP Top 10 Web Application Security Risks
    for 2010
  • A1 Injection
  • A2 Cross-Site Scripting (XSS)
  • A3 Broken Authentication and Session Management
  • A4 Insecure Direct Object References
  • A5 Cross-Site Request Forgery (CSRF)
  • A6 Security Misconfiguration
  • A7 Insecure Cryptographic Storage
  • A8 Failure to Restrict URL Access
  • A9 Insufficient Transport Layer Protection
  • A10 Unvalidated Redirects and Forwards

42
??????
  • ????????
  • A1 Injection Flaws
  • http://www.owasp.org
  • Source Code Secure Review
  • ??Web Application Firewall (WAF)
  • ??????????????????

43
Module 13-2????????
44
??????
  • ???????? http://www.ba.org.tw/
  • ??
  • ??????????
  • ????????????????
  • ??
  • ?????????????,?????????????????,?????????????????
    ,????????????????????????????????,????????????????
    ??,?????????????????????????????,????????????,????
    ????????????????????????????????????,???????????,?
    ??????????????,??????,??????????????????,?????????
    ?????
  • ??
  • ????
  • ???/???/??????????

45
??????
  • ??????????????????
  • ?????????????
  • ???
  • ?????
  • ???????
  • ?????????????????

46
????
  • ??
  • ????(Electronic Banking)????????????(??????)?,???
    ??????????,????????????,?????????????????????
  • ??????
  • ???????????????????????????????????
  • ????????(Dial-Up, Lease-Line, VPN)
  • ????(Value Added Network,VAN)
  • ????(Internet)
  • ????

47
??????
  • ???????
  • ???????????????
  • (??/????????/????????????????/???????????/??)
  • ????????
  • ?????????????????
  • (???????????????????????????????????????????????
    ??????????????????????????????????????????????????
    ?????????????????????????????????????)

48
??????
  • ???
  • ??????,??????????????????????
  • ???
  • ??????,??????????????????????
  • ????????
  • ?????????????????
  • ???????
  • ???? < 5?????? < 10?????? < 20?
  • ??????(OTP), ???????,?????????

49
??????
????(????)????????????????????
?????? ???????? (Lease-Line, VPN) ???????? (Lease-Line, VPN) ???? (VAN) ???? (VAN) ???? (Internet) ???? (Internet)
???? ??????? ???????? ??????? ???????? ??????? ????????
????? ??? ??? ??? ??? ?? ???
????? ?? ??? ?? ??? ?? ???
?????? ?-?? ?-??? ??? ?-?? ?-??? ??? ?-?? ?-??? ???
??????? ?? ??? ?? ??? ?? ???
?????? ?-?? ?-??? ??? ?-?? ?-??? ??? ?-?? ?-??? ???
?? - ???, ? - ???
50
????????
  • ????(ID and Password)
  • ?????(FISC Card)
  • ???????(One Time Password)
  • ????(Digital Signature)

51
????????
  • ???????
  • ??(?????????)
  • ???????(????????), ???????
  • ??????????????????????
  • ????????????????
  • ??(????????, ??)
  • ???????
  • ????,??????????
  • ???????,?????
  • ??
  • ??????????????????????
  • ????????????????????
  • ???????,????
  • ?????????????

52
????????
  • ????(???)
  • ????????
  • ?????????????????
  • ???????
  • ???? < 5?????? < 10?????? < 20?
  • ??????(OTP), ???????,?????????
  • ???
  • ????
  • ATM??
  • OTP???????
  • ?????????

53
?????????
  • ???????
  • ???????56??DES?1024??RSA????
  • ?????????????????
  • ????????????(TimeOut)
  • ???????????(Session)
  • ????????????
  • ???????????
  • ?????????????????
  • ????????, ???????????????
  • ??????????
  • ???????????????????
  • ????????????????
  • ????????????????????????
  • ????????????????????

54
?????????
  • ????(???)
  • ????????
  • ?????????????????
  • ???????
  • ???? < 5?????? < 10?????? < 20?
  • ???
  • ?????????
  • ????????????????
  • ?????????????????
  • ??????????????????

55
????????
  • ???????(???)
  • ???????56??DES?1024??RSA????
  • ?????????????????
  • ????????????(TimeOut)
  • ???????????(Session)
  • ????????????
  • ???????????
  • ?????????????????
  • ????????, ??????????????
  • ??????????
  • ???????????????????
  • ?????????????????????????????????????????
  • ???????????????????????

56
????????
  • ????(???)
  • ??????????
  • ?????????????????
  • ???????
  • ?????????/?????????
  • ???
  • ?????????(e.g. IC Card, USB Token)
  • ???????????????USB??
  • ?????????????????
  • ??????????
  • ???????????????
  • ?????????????????????CPS???

57
Module 13-3????????
58
??????
????
????
????
????
59
??????
?SSL??
????
?????
???? ?????
????
????
????
????
????
60
????????
  1. ???????
  2. ????????(?)???
  3. ???????
  4. ???????
  5. ??????
  6. ?????????
  7. ????????
  8. ????????
  9. ????????(??)
  10. ????????

61
1.????????(?)???
[Login-flow diagram: steps 1, 2, 3; labels: Req MAC/D-S, C/R, Req, AccessList, F/W??IP, AP??Fun/Time]
62
2.???????
New Window
63
3.???????
????
????
64
4.??????
IE Embedded in WebBrowser Controller
65
5.?????????
[Diagram residue: lookalike site https://ch1nabank.com.tw, ??Hosts, genuine site https://chinabank.com.tw]
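Slide 65 pairs a lookalike bank domain (ch1nabank.com.tw, digit 1 for the letter i) with the Hosts file. As an added example that is not part of the original deck, the Python check below audits a hosts file the way an endpoint or bank-support tool might: any entry that pins the bank's own domain, or a digit-for-letter lookalike of it, is reported. The protected-domain list, the sample entries and the address 203.0.113.45 are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file modelled on the slide's scenario: the bank's
# real domain is pinned to an attacker-controlled address, and a lookalike
# domain (digit 1 in place of the letter i) is present too.  All values are made up.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# entries a victim would not have added knowingly
203.0.113.45    chinabank.com.tw www.chinabank.com.tw
203.0.113.45    ch1nabank.com.tw
"""

# Hypothetical list of domains the bank owns.  A healthy hosts file never
# mentions them: clients must reach the bank through DNS, not a static pin.
PROTECTED_DOMAINS = {"chinabank.com.tw"}

# Digits that are commonly substituted for visually similar letters.
HOMOGLYPHS = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s"})

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def matches_protected(hostname, protected):
    """True if hostname equals a protected domain or is a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in protected)

def audit_hosts(text, protected=PROTECTED_DOMAINS):
    """Return (finding, ip, hostname) tuples for entries that warrant review."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed-entry", ip, name))
            continue
        if matches_protected(name, protected):
            findings.append(("pinned-protected-domain", ip, name))
        elif matches_protected(name.translate(HOMOGLYPHS), protected):
            findings.append(("lookalike-domain", ip, name))
    return findings
```

Run `audit_hosts(open("/etc/hosts").read())` (or the Windows `drivers\etc\hosts` path) to check a real machine; the loopback lines produce no findings, the pinned and lookalike entries do.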
66
6.????????
67
7.????????
???????
??????
???????
?????
68
8.????????(??)
?????? ??????
???? ??????
?????? ??????
?????????
?????
69
9.????????
70
Module 13-4????????
71
????????????
  • ??????
  • ?????????????,??????????,????????????????????,????
    ??????
  • ???????,???????????,???????????????,???????????,??
    ??????
  • ??????????,??????,?????,???????????????,??????????
    ?????????????,???????????????

72
????????????
  • ???????
  • ??????????(???????????????),?????????????????????
    ???,??,????????????
  • ???????????????,??????????????????,??????????
  • ?????????(???????????????)????????????,??????????
    ?????,?????????????

73
????????????
  • ???????
  • ???????????????????????,????????????????????????,
    ??????????????
  • ???????????,?????????????????,???????????????????,
    ????????????????
  • ????????????????????,???????????????????,????????
    ???????,???????????????,??????????????
  • ???????,?????????????,???????????????,????????????
    ??

74
????????????
  • ???????????????(Web ATM)??????
  • ??????ATM???????????????,?????????????????????????
    ?
  • ???????????????,??????????????,???????????????

75
????????????
  • ?????????????(PDA)??????????
  • ?????????????(PDA)???????,???????????,????????????
    ?,???????????,?????,?????????????(????????????????
    ?)?,????,????????????????PDA,???????????
  • ????????????,????????????????,??????,?????????????
    ??????(SSID),?????????????????????????,???????????
  • ????????????,????????????????????(???)???????,????
    ????????,??????,????????????

76
??Summary
  • ?????????Types of Attacks
  • ????????(59)
  • Insider abuse of Net access
  • ??????(52)
  • Virus
  • ????/????(50)
  • Laptop / Mobile device theft
  • ??????????????(26)
  • Phishing where your organization was
    fraudulently represented as sender
  • ????(IM)????(25)
  • Instant messaging misuse

77
??Summary
  • ??????
  • ??Scanning
  • Port / SNMP / Vulnerability / Application
  • ??Enumeration
  • Wireless Enumeration
  • ??Grabbing
  • Banner Grabbing
  • ??Analysis
  • Network Device Analysis
  • ??Evaluation
  • Host Evaluation
  • ??Testing
  • Password Compliance / ??Penetration
  • ??Sniffing
  • Network Sniffing

78
??Summary
  • ????????

?????? ???????? (Lease-Line, VPN) ???????? (Lease-Line, VPN) ???? (VAN) ???? (VAN) ???? (Internet) ???? (Internet)
???? ??????? ???????? ??????? ???????? ??????? ????????
????? ??? ??? ??? ??? ?? ???
????? ?? ??? ?? ??? ?? ???
?????? ?-?? ?-??? ??? ?-?? ?-??? ??? ?-?? ?-??? ???
??????? ?? ??? ?? ??? ?? ???
?????? ?-?? ?-??? ??? ?-?? ?-??? ??? ?-?? ?-??? ???
79
??Summary
  • ????????
  • ???? ID Password
  • ?????, ???????????????
  • ??????(????, ???, ?????)
  • ?????????
  • ????? IC Card
  • ???
  • ?????????
  • ????????, ??ATM????
  • ???? Digital Signature
  • ?CRL
  • ????
  • ?????RA
  • ???, ????????????
  • ?????One Time Password
  • ?????, ??????? ??Man In The Middle?

80
??Summary
  • ????????
  • ?????
  • ?????
  • ?????
  • ??????
  • ?????
  • ?????
  • ????
  • ??????
  • ??????

81
??Summary
  • ???
  • ????????, ???????PC??
  • ????????, ?????????
  • ???????????, ???????????????
  • ?????????

82
????Reference
  • ????,??????????????????(2008/10)
  • ??????, ????????????(2008/9)
  • IATRP, The 10 Baseline Activities of INFOSEC Evaluation Methodology (2008/10)

83
References
  • ???????? ????????
  • Turban et al., Introduction to Electronic
    Commerce, Third Edition, 2010, Pearson