Chapter 10: E-Commerce Security and Fraud Issues and Protections
Learning Objectives
1. Understand the importance and scope of security of information systems for EC.
2. Describe the major concepts and terminology of EC security.
3. Understand the major EC security threats, vulnerabilities, and technical attacks.
4. Understand Internet fraud, phishing, and spam.
5. Describe the information assurance security principles.
6. Identify and assess major technologies and methods for securing EC access and communications.
Learning Objectives
7. Describe the major technologies for protection of EC networks.
8. Describe various types of controls and special defense mechanisms.
9. Describe consumer and seller protection from fraud.
10. Discuss enterprisewide implementation issues for EC security.
11. Understand why it is so difficult to stop computer crimes.
The Information Security Problem
• *Information security
• What Is EC Security?
  o The Status of Computer Security in the United States
  o Personal Security
  o National Security
  o Security Risks for 2014 and 2015
Major EC Security Management Concerns for 2011
The Information Security Problem
• Cyberwars and Cyberespionage Across Borders
  o Cyberwarfare
  o Attacking Information Systems
  o Types of Attacks
    1. Corporate espionage
    2. Political espionage and warfare
The Information Security Problem
• The Drivers of EC Security Problems
  o The Internet’s Vulnerable Design
  o The Shift to Profit-Induced Crimes
  o The Increased Volume of Wireless Activities and the Number of Mobile Devices
  o The Globalization of the Attackers
  o The *Darknet
  o *Internet Underground Economy
    • The Internet Silk Road
    • *Keystroke logging (keylogging)
  o The Explosion of Social Networking
  o The Dynamic Nature of EC Systems and the Acts of Insiders
  o The Sophistication of the Attacks
  o The Cost of Cyber Crime
Basic E-Commerce Security Issues and Landscape
• Basic Security Terminology
  o *Business continuity plan
  o *Cybercrime
  o *Cybercriminal
  o *Exposure
  o *Fraud
  o *Malware (malicious software)
  o *Phishing
  o *Risk
  o *Social engineering
  o *Spam
  o *Vulnerability
  o *Zombie
Basic E-Commerce Security Issues and Landscape
• The EC Security Battleground
  o The attacks, the attackers, and their strategies
  o The assets that are being attacked (the targets) in vulnerable areas
  o The security defense, the defenders, and their methods and strategy
The EC Security Battleground
Basic E-Commerce Security Issues and Landscape
• The Threats, Attacks, and Attackers
  o Unintentional Threats
    • Human Error
    • Environmental Hazards
    • Malfunctions in the Computer System
  o Intentional Attacks and Crimes
  o The Criminals and Methods
    • *Hacker
    • *Cracker
Basic E-Commerce Security Issues and Landscape
• The Targets of the Attacks in Vulnerable Areas
  o Vulnerable Areas Are Being Attacked
    • Vulnerability Information
    • Attacking E-Mail
    • Attacking Smartphones and Wireless Systems
    • The Vulnerability of RFID Chips
  o The Vulnerabilities in Business IT and EC Systems
  o Pirated Videos, Music, and Other Copyrighted Material
Basic E-Commerce Security Issues and Landscape
• EC Security Requirements
  o *Authentication
  o *Authorization
  o Auditing
  o Availability
  o *Nonrepudiation
Basic E-Commerce Security Issues and Landscape
• The Defense: Defenders, Strategy, and Methods
  o EC Defense Programs and Strategy
    • *EC security strategy
    • *Deterrent methods
    • *Prevention measures
    • *Detection measures
    • *Information assurance (IA)
  o Possible Punishment
  o Defense Methods and Technologies
    • Recovery
Technical Malware Attack Methods: From Viruses to Denial of Service
• Technical and Nontechnical Attacks: An Overview
  o The Major Technical Attack Methods
  o Malware (Malicious Code): Viruses, Worms, and Trojan Horses
  o *Viruses
  o *Worms
The Major Technical Security Attack Methods
Technical Malware Attack Methods: From Viruses to Denial of Service
  o *Macro virus (macro worm)
  o *Trojan horse
  o Some Recent Security Bugs: Heartbleed and CryptoLocker
  o *Denial-of-service (DoS) attack
  o Web Server and Web Page Hijacking
    • *Page hijacking
  o *Botnets
  o Malvertising
How a Computer Virus Can Spread
Nontechnical Methods: From Phishing to Spam and Fraud
• Social Engineering and Fraud
• Social Phishing
  o *Phishing
  o *Pharming
• Fraud and Scams on the Internet
  o Examples of Typical Online Fraud Attacks
  o E-Mail Scams
  o Top 10 Attacks and Remedies
  o *Identity Theft and Identity Fraud
    • Cyber Bank Robberies
Social Engineering: From Phishing to Financial Fraud and Crime
How Phishing Is Accomplished
Nontechnical Methods: From Phishing to Spam and Fraud
• Spam Attacks
  o *E-mail spam
  o Typical Examples of Spamming
  o *Spyware
• Social Networking Makes Social Engineering Easy
  o How Hackers Are Attacking Social Networks
  o Spam in Social Networks and in the Web 2.0 Environment
  o *Search engine spam
  o *Splog
• *Data Breach (Leak)
The Information Assurance Model and Defense Strategy
• Confidentiality, Integrity, and Availability
  1. *Confidentiality
  2. *Integrity
  3. *Availability
• Authentication, Authorization, and Nonrepudiation
The Information Assurance Model and Defense Strategy
• E-Commerce Security Strategy
  o The Phases of Security Defense
    1. Prevention and deterrence (preparation)
    2. Initial response
    3. Detection
    4. Containment (contain the damage)
    5. Eradication
    6. Recovery
    7. Correction
    8. Awareness and compliance
  o Security Spending Versus Needs Gap
E-Commerce Security Strategy Framework
The Information Assurance Model and Defense Strategy
• The Defense Side of EC Systems
  1. Defending access to computing systems, data flow, and EC transactions
  2. Defending EC networks
  3. General, administrative, and application controls
  4. Protection against social engineering and fraud
  5. Disaster preparation, business continuity, and risk management
  6. Implementing enterprisewide security programs
  7. Conduct a vulnerability assessment and a penetration test
  o Assessing Vulnerabilities and Security Needs
    • *Vulnerability assessment
    • *Penetration test (pen test)
The Defense I: Access Control, Encryption, and PKI
• *Access Control
  o Authorization and Authentication
  o Biometric Systems
    • *Biometric authentication
    • *Biometric systems
• Encryption and the One-Key (Symmetric) System
  o *Encryption
  o *Plaintext
  o *Ciphertext
  o *Encryption algorithm
  o *Key (key value)
  o *Key space
  o *Symmetric (Private) Key Encryption
Symmetric (Private) Key Encryption
The Defense I: Access Control, Encryption, and PKI
• *Public key infrastructure (PKI)
  o *Public (asymmetric) key encryption
    • *Public key
    • *Private key
  o The PKI Process: Digital Signatures and Certificate Authorities
    • *Digital signatures
    • *Hash function
    • *Message digest
    • *Digital envelope
    • *Certificate authorities (CAs)
  o Secure Sockets Layer (SSL)
• Other Topics and Methods of Defense
Digital Signature
The Defense II: Securing E-Commerce Networks
• *Firewalls
  o *Packets
  o The Dual Firewall Architecture: The DMZ
  o *Personal Firewalls
• *Virtual private network (VPN)
  o *Protocol tunneling
• *Intrusion Detection Systems (IDS)
  o Cloud Computing Prevents DoS Attacks
• Honeynets and Honeypots
  o *Honeynet
  o *Honeypots
  o E-Mail Security
The Two Firewalls: DMZ Architecture
The Defense III: General Controls, Spam, Pop-Ups, Fraud, and Social Engineering Controls
• *General controls
• *Application controls
• General, Administrative, and Other Controls
  o Physical Controls
  o Administrative Controls
• Protecting Against Spam
  o *CAN-SPAM Act
Major Defense Controls
The Defense III: General Controls, Spam, Pop-Ups, Fraud, and Social Engineering Controls
• Protecting Your Computer from Pop-Up Ads
  o Tools for Stopping or at Least Minimizing Pop-Ups
• Protecting Against Other Social Engineering Attacks
  o Protecting Against Phishing
  o Protecting Against Malvertising
• Protecting Against Spyware
• Protecting Against Cyberwars
The Defense III: General Controls, Spam, Pop-Ups, Fraud, and Social Engineering Controls
• Fraud Protection
• Business Continuity, Disaster Recovery, and Risk Management
  o Risk-Management and Cost-Benefit Analysis
Business Continuity Services and IT Recovery Process
Implementing Enterprisewide E-Commerce Security
• The Drivers of EC Security Management
• Senior Management Commitment and Support
• EC Security Policies and Training
  o Cyber Threat Intelligence (CTI)
• EC Risk Analysis and Ethical Issues
  o *Business impact analysis (BIA)
  o Ethical Issues
Enterprisewide EC Security and Privacy Model
Implementing Enterprisewide E-Commerce Security
• Why Is It Difficult to Stop Internet Crime?
  o Making Shopping Inconvenient
  o Lack of Cooperation by Business Partners
  o Shoppers’ Negligence
  o Ignoring EC Security Best Practices
  o Design and Architecture Issues
  o Lack of Due Care in Business Practices
    • *Standard of due care
• Protecting Mobile Devices, Networks, and Applications
  o Mobile Security Issues
  o The Defense
Managerial Issues
1. What steps should businesses follow in establishing a security plan?
2. Should organizations be concerned with internal security threats?
3. What is the key to establishing strong e-commerce security?
Summary
1. The importance and scope of EC information security.
2. Basic EC security issues.
3. Threats, vulnerabilities, and technical attacks.
4. Internet fraud, phishing, and spam.
5. Information assurance.
6. Securing EC access control and communications.
Summary
7. Technologies for protecting networks.
8. The different controls and special defense mechanisms.
9. Protecting against fraud.
10. Enterprisewide EC security.
11. Why is it so difficult to stop computer crimes?