CH.5 E-commerce Security Fundamentals

StrongestPascal

22 Questions

What is a major challenge in achieving good e-commerce security?

Balancing security with ease of use

Which of the following is NOT a key point of vulnerability in the e-commerce environment?

Database

What is the primary concern in the underground economy marketplace?

Stolen information storage

What is a major factor to consider when evaluating the cost of security measures?

Cost of potential loss

Which of the following is a type of malicious code?

Backdoor

What is the primary goal of security measures in e-commerce?

To achieve the highest degree of security

What is a major concern in the e-commerce environment?

Criminal use of the Internet

What is a key factor in the tension between security and ease of use?

The number of security measures added

What is the primary goal of hacktivism?

Political or social change

Which type of threat involves the theft of sensitive information to impersonate an individual?

Identity theft

What is the primary purpose of a firewall in network security?

To block unauthorized access

Which encryption method is commonly used to secure online transactions?

SSL

What type of attack involves tricking individuals into revealing sensitive information?

Social engineering

What is the primary goal of a denial-of-service (DoS) attack?

System disruption

Which type of malware is designed to monitor and capture sensitive information?

Spyware

What is the primary purpose of a VPN in network security?

To secure channels of communication

What is the primary function of a firewall in network security?

To filter packets based on a security policy

What is the main purpose of a proxy server in network security?

To handle all communications originating from or being sent to the Internet

What is the easiest and least expensive way to prevent threats to system integrity?

Installing antivirus software

What is a critical component of managing risk in network security?

All of the above

What is a key component of a security plan?

Risk assessment

What is the purpose of a security audit in network security?

To evaluate the effectiveness of a security plan

Study Notes

E-commerce Security Environment

  • The size and losses of cybercrime are unclear due to reporting issues.
  • In 2011, 46% of respondents in a CSI survey detected a breach in the last year.
  • Stolen information is stored on underground economy servers.

What Is Good E-commerce Security?

  • To achieve the highest degree of security, new technologies, organizational policies and procedures, and industry standards and government laws are necessary.
  • Other factors to consider include the time value of money, the cost of security vs. potential loss, and the concept that security often breaks at the weakest link.

The Tension Between Security and Ease of Use

  • The more security measures added, the more difficult a site is to use, and the slower it becomes.
  • The use of technology by criminals to plan crimes or threaten nation-state security is a concern.

Security Threats in the E-commerce Environment

  • Three key points of vulnerability in the e-commerce environment are:
      • Clients
      • Servers
      • Communications pipeline (Internet communications channels)

Most Common Security Threats

  • Malicious code threats include:
      • Viruses
      • Worms
      • Trojan horses
      • Drive-by downloads
      • Backdoors
      • Bots and botnets
  • Potentially unwanted programs (PUPs) include:
      • Browser parasites
      • Adware
      • Spyware
  • Phishing threats include:
      • E-mail scams
      • Social engineering
      • Identity theft
  • Hacking threats include:
      • Hackers vs. crackers
      • Types of hackers: White, black, and grey hats
      • Hacktivism
  • Cybervandalism: Disrupting, defacing, or destroying a Web site
  • Data breach: Losing control over corporate information to outsiders
  • Credit card fraud/theft: Hackers targeting merchant servers to establish credit under false identity
  • Spoofing (Pharming): Spam (junk) Web sites
  • Denial of service (DoS) attack: Hackers flooding a site with useless traffic to overwhelm the network
  • Distributed denial of service (DDoS) attack
  • Sniffing: Eavesdropping programs that monitor information traveling over a network
  • Insider attacks: Poorly designed server and client software
  • Social network security issues: Mobile platform security issues
  • Cloud security issues: Same risks as any Internet device

Technology Solutions

  • Protecting Internet communications:
      • Encryption
  • Securing channels of communication:
      • SSL
      • VPNs
  • Protecting networks:
      • Firewalls
  • Protecting servers and clients:
      • Hardware and software security measures

Protecting Networks

  • Firewall: Hardware or software that uses security policy to filter packets
      • Two main methods: Packet filters and Application gateways
  • Proxy servers (proxies): Software servers that handle all communications originating from or being sent to the Internet

Protecting Servers and Clients

  • Operating system security enhancements:
      • Upgrades
      • Patches
  • Anti-virus software: Easiest and least expensive way to prevent threats to system integrity
      • Requires daily updates

Management Policies, Business Procedures, and Public Laws

  • Companies worldwide spend $60 billion on security hardware, software, and services
  • Managing risk includes:
      • Technology
      • Effective management policies
      • Public laws and active enforcement

A Security Plan: Risk Management Policies

  • Risk assessment
  • Security policy
  • Implementation plan:
      • Security organization
      • Access controls
      • Authentication procedures, including biometrics
      • Authorization policies, authorization management systems
  • Security audit

This quiz covers the basics of e-commerce security, including the size and losses of cybercrime, reporting issues, and the importance of new technologies and organization in achieving good e-commerce security.
