992SEC14 Secure Electronic Commerce: E-Finance Security Control
8/3/2019 992SEC14 Secure Electronic Commerce E-Finance Securit Control
1/83
Secure Electronic Commerce
1
Min-Yuh Day
Assistant Professor
Dept. of Information Management, Tamkang University
http://mail.im.tku.edu.tw/~myday/
2011-06-03
E-Finance Security Control Mechanisms
992SEC14 TGMXM0A
Fri. 6,7,8 (13:10-16:00) L526
2
Syllabus
Subject/Topics
1 100/02/18 (Course Orientation for Secure Electronic Commerce)
2 100/02/25 (Introduction to E-Commerce)
3 100/03/04 (E-Marketplaces)
4 100/03/11 (Retailing in Electronic Commerce: Products and Services)
5 100/03/18 (Online Consumer Behavior, Market Research, and Advertisement)
6 100/03/25 (B2B, B2C, C2C E-Commerce)
7 100/04/01 Web 2.0, Social Network, Social Media
8 100/04/08
9 100/04/15 (Mobile Computing and Commerce)
10 100/04/22
3
Syllabus (cont.)
Subject/Topics
11 100/04/29 (E-Commerce Security)
12 100/05/06 (Digital Certificate) [Module 4]
13 100/05/13 (Network and Website Security) [Module 5]
14 100/05/20 (Transaction Security, System Security, IC Card Security, Electronic Commerce Payment Systems) [Module 6, 7, 8, 9]
15 100/05/27 (Mobile Commerce Security) [Module 12]
16 100/06/03 (E-Finance Security Control Mechanisms) [Module 13]
17 100/06/10 (Operation Security Management)
18 100/06/17
13 - 4
Module 13
13 - 5
13 - 6
Module 13
Module 13-1
Module 13-2
Module 13-3
Module 13-4
13 - 7
Module 13-1
13 - 8
13 - 9
13 - 10
1. Port Scanning
2. SNMP Scanning
3. Enumeration & Banner Grabbing
4. Wireless Enumeration
5. Vulnerability Scanning
6. Host Evaluation
7. Network Device Analysis
8. Password Compliance Testing
9. Application Specific Scanning
10. Network Sniffing
13 - 11
1. Port Scanning
Identify enabled network services on systems
Look for unauthorized services or backdoors
2. SNMP Scanning
Enumerate systems on the network
Identify community strings
3. Enumeration & Banner Grabbing
Verification of operating system
4. Wireless Enumeration
Tools identify access points and potential exposures
5. Vulnerability Scanning
Identify well-known vulnerabilities on systems
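The point of step 1 is not the scan itself but what is done with its output: the services found listening on each host are compared against what that host is authorized to run, and anything extra (an unexpected daemon, a service on an unknown host) is raised as a finding. The following is an added example, not code from the slides or from any of the tools they name; the host inventory, the approved-service baseline and the scan result are constructed sample data, and the function names are hypothetical.

```python
"""Step 1 (Port Scanning) follow-up: compare the services a scan found
listening on each host against the baseline for that host's role and
report anything not approved.  Added example, not from the slides."""
from dataclasses import dataclass

# Constructed: what an approved build of each host role may listen on.
# Both the port and the identified service name must match the baseline,
# so an unexpected service squatting on an approved port is still flagged.
APPROVED_SERVICES = {
    "web": {(22, "ssh"), (80, "http"), (443, "https")},
    "db": {(22, "ssh"), (3306, "mysql")},
}

# Constructed: hypothetical host inventory, host -> role.
INVENTORY = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.20": "db",
}

# Constructed: a scan result as a parser would hand it over, host -> open ports.
SCAN_RESULT = {
    "10.0.1.10": [(22, "ssh"), (80, "http"), (443, "https")],
    "10.0.1.11": [(22, "ssh"), (80, "http"), (443, "https"), (4444, "unknown")],
    "10.0.2.20": [(22, "ssh"), (3306, "mysql"), (23, "telnet")],
    "10.0.3.99": [(22, "ssh")],
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    reason: str


def find_unauthorized(scan, inventory, approved):
    """Return one Finding per listening service that is not in the baseline
    for the host's role, and one per service on a host missing from inventory."""
    findings = []
    for host, listening in sorted(scan.items()):
        role = inventory.get(host)
        if role is None:
            # A host nobody owns is itself a finding; every open port is reported.
            for port, service in listening:
                findings.append(Finding(host, port, service, "host not in inventory"))
            continue
        allowed = approved[role]
        for port, service in listening:
            if (port, service) not in allowed:
                findings.append(Finding(host, port, service, f"not approved for role '{role}'"))
    return findings


if __name__ == "__main__":
    for f in find_unauthorized(SCAN_RESULT, INVENTORY, APPROVED_SERVICES):
        print(f"{f.host}:{f.port}/{f.service} -> {f.reason}")
```

Run on the constructed data, the check reports the unknown listener on 4444 on the second web host, telnet on the database host, and the whole of the host that is not in inventory. The baseline is the control; the scanner only produces the evidence to test it against.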
13 - 12
6. Host Evaluation
Analyze configuration, discretionary access control and policies
7. Network Device Analysis
Analyze security architecture for well-known vulnerabilities and insecure configurations
8. Password Compliance Testing
Evaluate adherence to password policy and determine whether password filters are being effectively implemented
9. Application Specific Scanning
Evaluate security configuration of critical applications
10. Network Sniffing
Identifies sensitive information traversing the network (log-in, passwords, server configurations via telnet, etc.)
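Step 8 asks two questions: does a password meet the written policy, and does the password filter actually reject the ones that do not? The checker below is an added example, not from the slides or from any tool they name; it encodes a constructed sample policy (minimum length, character classes, no user name inside the password, not on a common-password list) and reports every rule a candidate password breaks, which is exactly the set of cases an auditor feeds through the real change-password path to confirm the filter enforces them. Policy values, the blocklist and the account samples are constructed.

```python
"""Step 8 (Password Compliance Testing): evaluate candidate passwords against
a policy and report every violated rule.  Added example, not from the slides."""
import string

# Constructed: a short blocklist standing in for a real common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Constructed sample policy values.
POLICY = {"min_length": 12, "min_classes": 3}


def char_classes(pw):
    """Count how many of lower / upper / digit / punctuation appear in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def check_password(pw, username, policy=POLICY):
    """Return the list of policy rules pw violates (empty list = compliant)."""
    violations = []
    if len(pw) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    if char_classes(pw) < policy["min_classes"]:
        violations.append(f"fewer than {policy['min_classes']} character classes")
    if username and username.lower() in pw.lower():
        violations.append("contains the user name")
    if pw.lower() in COMMON_PASSWORDS:
        violations.append("in common-password list")
    return violations


def audit(candidates, policy=POLICY):
    """Evaluate (username, password) pairs; return {username: violations} for
    the non-compliant ones only, so an empty dict means full compliance."""
    report = {}
    for username, pw in candidates:
        v = check_password(pw, username, policy)
        if v:
            report[username] = v
    return report


if __name__ == "__main__":
    # Constructed sample accounts.
    sample = [("alice", "alice123"), ("bob", "password"), ("carol", "Tr0ub4dor&3Rx")]
    for user, problems in audit(sample).items():
        print(user, "->", "; ".join(problems))
```

A compliant password produces an empty list; the non-compliant samples each trip several rules at once, which is what you want from a checker used to validate a filter, since a filter that rejects a password for one reason but not another is still a gap.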
13 - 13
1. Port Scanning
Use nmap tool
13 - 14
1. Port Scanning
Use SuperScan tool
13 - 15
1. Port Scanning
Use FScan tool
13 - 16
2. SNMP Scanning
Use SNScan tool
13 - 17
2. SNMP Scanning
Use SolarWinds SNMPweep tool
13 - 18
2. SNMP Scanning
Use SolarWinds IP Network Browser tool
13 - 19
3. Enumeration
Use nslookup tool (DNS Server)
13 - 20
3. Enumeration
Use finger tool on UNIX
13 - 21
3. Enumeration
Use rpcinfo tool on UNIX
13 - 22
3. Banner Grabbing
Use SuperScan tool
13 - 23
3. Banner Grabbing
Use telnet (port 80) tool
GET
13 - 24
3. Banner Grabbing
Use telnet (port 21) tool
FTP port 21 ?
13 - 25
4. Wireless Enumeration
Use Network Stumbler tool
13 - 26
5. Vulnerability Scanning
Use Nessus tool
13 - 27
5. Vulnerability Scanning
Use NeWT Security Scanner tool
13 - 28
5. Vulnerability Scanning
Use Saint tool
13 - 29
5. Vulnerability Scanning
Use IBM Internet Security Scanner tool
13 - 30
6. Host Evaluation
Use CIS Windows Benchmark tool
13 - 31
6. Host Evaluation
Use MS-Baseline Security Analyzer tool
13 - 32
6. Host Evaluation
Use DameWare NT Utility tool
13 - 33
7. Network Device Analysis
Use Insightix tool
13 - 34
8. Password Compliance Testing
Use L0phtcrack tool
13 - 35
9. Application Specific Scanning
Use Wikto tool
13 - 36
9. Application Specific Scanning
Use WebInspect tool
13 - 37
9. Application Specific Scanning
Use NGS Squirrel tool
13 - 38
10. Network Sniffing
Use Ethereal tool
13 - 39
Internet (B2C)
Extranet (B2B)
Cross Domain Intranet (HK, VN, JP, US, etc.)
Web Zone
Application / Database / Testing Zone
Transaction / Mainframe Zone
IDS / IPS
BIOS, HDD, USB
13 - 40
http://www.owasp.org
Top 10 in 2007
A1 Cross Site Scripting (XSS)
A2 Injection Flaws
A3 Malicious File Execution
A4 Insecure Direct Object Reference
A5 Cross Site Request Forgery (CSRF)
A6 Information Leakage and Improper Error Handling
A7 Broken Authentication and Session Management
A8 Insecure Cryptographic Storage
A9 Insecure Communications
A10 Failure to Restrict URL Access
13 - 41
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The OWASP Top 10 Web Application Security Risks for 2010
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
13 - 42
A1: Injection Flaws
http://www.owasp.org
Source Code Secure Review
Web Application Firewall (WAF)
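The slide pairs A1 with two controls: secure source code review, which finds the defect in the code, and a WAF, which filters requests in front of code that still has it. What the reviewer is looking for is shown in the added example below, which is not code from the slides or from OWASP: an account lookup that concatenates user input into SQL, beside the parameterized version that a review would require instead, plus an input-format check as a second layer. The in-memory SQLite table and the account rows are constructed sample data; function names are hypothetical.

```python
"""A1 Injection: the defect a source code review looks for, beside the fix.
Added example, not from the slides; the data below is constructed."""
import re
import sqlite3

# Constructed: an allowlist pattern for what a login name may look like.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Constructed sample table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The defect: the caller's string becomes part of the SQL text, so a
    value containing a quote changes the query rather than being matched."""
    sql = ("SELECT username, balance FROM accounts WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: the value travels as a bound parameter, never as SQL text,
    so whatever it contains is compared literally against the column."""
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_validated(conn, username):
    """Defense in depth: reject input that does not look like a login name
    before it reaches the database at all, then use the parameterized query."""
    if not USERNAME_RE.match(username):
        raise ValueError("username has an unexpected format")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"          # value a code review test case would use
    print("vulnerable:", lookup_vulnerable(db, crafted))   # every row leaks
    print("safe:      ", lookup_safe(db, crafted))         # no such user
    try:
        lookup_validated(db, crafted)
    except ValueError as e:
        print("validated: rejected,", e)
```

The same input returns every account from the first function and nothing from the second; that difference, not the presence of a quote character, is what the review is verifying. A WAF can block the crafted value at the edge, but only the parameterized query removes the defect, which is why the slide lists both.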
13 - 43
Module 13-2
13 - 44
http://www.ba.org.tw/
13 - 45
13 - 46
Electronic Banking
Dial-Up, Lease-Line, VPN
Value Added Network (VAN)
Internet
13 - 47
13 - 48
< 5 < 10 < 20
(OTP)
13 - 49
Lease-Line, VPN
VAN
Internet
13 - 50
ID and Password
FISC Card
One Time Password
Digital Signature
13 - 51
13 - 52