
CH.5

StrongestPascal

62 Questions

What is the purpose of a proxy server?

To handle all communications originating from or being sent to the Internet

What is the primary goal of a firewall?

To implement a security policy to filter packets

What is the easiest and least expensive way to prevent threats to system integrity?

Installing anti-virus software

What is a critical component of managing risk?

All of the above

What is a key element of a security plan?

All of the above

What is the estimated amount spent by companies worldwide on security hardware, software, and services?

$60 billion

What is the primary purpose of encryption?

To secure channels of communication

What is social engineering?

Manipulating individuals into divulging confidential information

What is hacktivism?

A type of hacking motivated by political or social activism

What is identity theft?

The unauthorized use of another person's identity

What is the primary purpose of a firewall?

To protect networks from unauthorized access

What is the primary purpose of a VPN?

To create a secure, encrypted connection

What is phishing?

E-mail scams to trick individuals into divulging confidential information

What is sniffing?

An eavesdropping program that monitors information traveling over a network

What is a major weakness of public key encryption?

Computationally slow, decreased transmission speed, and increased processing time

What is the primary function of a digital certificate?

To identify a subject's public key and other details

What is a limitation of PKI?

It is ineffective against insider threats

What is the primary function of SSL and TLS?

To establish a secure, negotiated client-server session

What is a benefit of using digital envelopes?

Use of symmetric key encryption for document encryption

What is a concern related to the protection of private keys?

Individuals may not protect them properly

What is the primary function of a VPN?

To allow remote users to securely access an internal network

What is a limitation of encryption?

It does not protect the storage of private keys

What is a significant challenge in achieving e-commerce security?

Balancing security with ease of use

What is a key point of vulnerability in the e-commerce environment?

All of the above

What is a common type of malicious code that can threaten e-commerce security?

All of the above

What is a factor to consider when evaluating the effectiveness of e-commerce security measures?

All of the above

What is a challenge in reporting e-commerce security breaches?

Reporting issues

What is a type of underground economy marketplace?

Stolen information stored on underground economy servers

What is a concern related to e-commerce security?

Both A and B

What is a key element of achieving good e-commerce security?

All of the above

What type of hacking involves disrupting, defacing, or destroying a website?

Cybervandalism

Which type of security threat involves losing control over corporate information to outsiders?

Data breach

What is the term for hackers who target merchant servers and use data to establish credit under false identities?

Credit card fraudsters

Which type of security threat involves flooding a website with useless traffic to overwhelm the network?

Denial of service (DoS) attack

What is the term for an eavesdropping program that monitors information traveling over a network?

Sniffer

Which type of security threat involves using email scams to trick users into revealing sensitive information?

Phishing

What is the primary purpose of encryption in protecting internet communications?

To prevent unauthorized access

What is the term for security issues that arise from the use of mobile devices to access the internet?

Mobile platform security issues

What is the primary benefit of using symmetric key encryption?

It is widely used and has a high level of security

What is a characteristic of public key encryption?

It uses a pair of mathematically related keys

What is the purpose of a hash function in public key encryption?

To produce a fixed-length number called a message or hash digest

What is a benefit of using digital signatures?

It provides authentication and nonrepudiation

What is an advantage of using Advanced Encryption Standard (AES)?

It is widely used and has a high level of security

What is a limitation of public key encryption?

It is slower than symmetric key encryption

What is a benefit of using encryption?

It provides confidentiality and integrity

What is a characteristic of symmetric key encryption?

It requires a different set of keys for each transaction

What percentage of online payments in 2012 were made using credit cards in the United States?

44%

Which of the following is an example of an online stored value system?

PayPal

What is the primary mechanism used in mobile payment systems to enable sharing of data between devices?

Near field communication (NFC)

What is the primary characteristic of digital cash?

It is based on an algorithm that generates unique tokens

What is the primary purpose of Electronic Billing Presentment and Payment (EBPP) systems?

To enable online payments for monthly bills

What percentage of all bill payments are made using EBPP systems?

50%

What is the dominant EBPP business model?

Biller-direct

What is the primary limitation of online credit card payments?

Security, merchant risk, and cost

What is the primary goal of laws and public policy tools for identifying, tracing, and prosecuting cybercriminals?

To establish a system for reporting and investigating cybercrimes

What is the characteristic of cash as a payment system?

It is instantly convertible into other forms of value

What type of payment system accumulates expenditures and to which consumers make periodic payments?

Accumulating balance payment system

What is the primary concern of government regulators in payment systems?

Security and trust

What is the primary goal of financial intermediaries in payment systems?

Maximizing profit

What is the primary concern of consumers in payment systems?

Convenience and reliability

Which of the following is an example of a stored value payment system?

Gift certificate

What is the primary goal of private and public cooperation in payment systems?

To provide a framework for private and public cooperation

Study Notes

Protecting Networks

  • A firewall is hardware or software that uses a security policy to filter packets; its two main methods are packet filters and application gateways.
  • Proxy servers handle all communications originating from or being sent to the Internet.

Protecting Servers and Clients

  • System security enhancements include upgrades and patches.
  • Anti-virus software is the easiest and least expensive way to prevent threats to system integrity, but it requires daily updates.

Management Policies, Business Procedures, and Public Laws

  • Worldwide, companies spend $60 billion on security hardware, software, and services.
  • Managing risk includes technology, effective management policies, and public laws and active enforcement.

A Security Plan: Risk Management Policies

  • A security plan includes risk assessment, security policy, implementation plan, and security audit.
  • Security organization, access controls, authentication procedures, authorization policies, and authorization management systems are all part of the security plan.

Common Security Threats

  • Potentially unwanted programs (PUPs) include browser parasites, adware, and spyware.
  • Phishing threats include e-mail scams, social engineering, and identity theft.
  • Hacking threats include hackers vs. crackers, types of hackers (white, black, grey hats), and hacktivism.
  • Cybervandalism involves disrupting, defacing, or destroying a website.
  • Data breaches involve losing control over corporate information to outsiders.
  • Credit card fraud/theft, spoofing, spam, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks are all common security threats.
  • Sniffing threats involve eavesdropping programs that monitor information traveling over a network.
  • Insider attacks, poorly designed server and client software, social network security issues, mobile platform security issues, and cloud security issues are all common security threats.

Technology Solutions

  • Protecting internet communications involves encryption.
  • Securing channels of communication involves SSL and VPNs.
  • Protecting networks involves firewalls.
  • Protecting servers and clients involves various security solutions.

Digital Envelopes

  • Digital envelopes use symmetric key encryption to encrypt documents and public key encryption to encrypt and send symmetric keys.
  • Digital envelopes address the weaknesses of public key encryption: it is computationally slow, decreasing transmission speed and increasing processing time.
  • Digital envelopes also address the weakness of symmetric key encryption: keys must be sent over insecure transmission lines.

Digital Certificates and Public Key Infrastructure (PKI)

  • Digital certificates include the name of the subject/company, subject's public key, digital certificate serial number, expiration date, issuance date, and digital signature of the CA.
  • Public Key Infrastructure (PKI) includes digital certificate procedures, CAs, and PGP.

Limits to Encryption Solutions

  • Encryption does not protect storage of private keys.
  • PKI is not effective against insiders or employees, and individuals' protection of their private keys may be haphazard.
  • There is no guarantee that the merchant's verifying computer is secure.
  • CAs are unregulated, self-selecting organizations.

Securing Channels of Communication

  • Secure Sockets Layer (SSL) and Transport Layer Security (TLS) establish a secure, negotiated client-server session in which the URL of the requested document, along with its contents, is encrypted.
  • A Virtual Private Network (VPN) allows remote users to securely access an internal network via the Internet.

E-commerce Security Environment

  • The overall size and losses of cybercrime are unclear due to reporting issues, with 46% of respondents in a 2011 CSI survey detecting a breach in the last year.
  • Stolen information is stored on underground economy servers.

Achieving Good E-commerce Security

  • To achieve the highest degree of security, new technologies, organizational policies and procedures, and industry standards and government laws are necessary.
  • Other factors to consider include the time value of money, the cost of security vs. potential loss, and the fact that security often breaks at the weakest link.

The Tension Between Security and Ease of Use

  • The more security measures added, the more difficult a site is to use, and the slower it becomes.
  • Public safety and criminal uses of the internet, such as the use of technology by criminals to plan crimes or threaten nation-states, are also a concern.

Security Threats in the E-commerce Environment

  • Three key points of vulnerability in the e-commerce environment are:
    • Clients
    • Servers
    • Communications pipeline (internet communications channels)

Common Security Threats

  • Malicious code threats include:
    • Viruses
    • Worms
    • Trojan horses
    • Drive-by downloads
    • Backdoors
    • Bots, botnets
    • Threats at both client and server levels
  • Potentially unwanted programs (PUPs) include:
    • Browser parasites
    • Adware
    • Spyware
  • Phishing threats include:
    • Email scams
    • Social engineering
    • Identity theft
  • Hacking threats include:
    • Hackers vs. crackers
    • Types of hackers: white, black, grey hats
    • Hacktivism
  • Cybervandalism involves disrupting, defacing, or destroying a website.
  • Data breach involves losing control over corporate information to outsiders.
  • Credit card fraud/theft involves hackers targeting merchant servers and using the data to establish credit under a false identity.
  • Spoofing (pharming) involves hackers setting up fake websites to trick users into revealing sensitive information.
  • Spam (junk) websites and denial of service (DoS) attacks are also common threats.
  • Distributed denial of service (DDoS) attacks involve hackers flooding a site with useless traffic to overwhelm the network.
  • Sniffing threats involve eavesdropping programs that monitor information traveling over a network.
  • Insider attacks, poorly designed server and client software, social network security issues, mobile platform security issues, and cloud security issues are also concerns.

Technology Solutions

  • Protecting internet communications involves:
    • Encryption
  • Securing channels of communication involves:
    • SSL, VPNs
  • Protecting networks involves:
    • Firewalls
  • Protecting servers and clients involves:
    • Various security measures

E-commerce Payment Systems

  • Credit cards are a popular payment method, with 44% of online payments in 2012 (U.S.).
  • Debit cards are another popular payment method, with 28% of online payments in 2012 (U.S.).
  • Limitations of online credit card payment include:
    • Security, merchant risk
    • Cost
    • Social equity
  • Alternative online payment systems include:
    • Online stored value systems (e.g., PayPal)
    • Other alternatives (e.g., Amazon Payments, Google Checkout, Bill Me Later, WUPay, Dwolla, Stripe)

Mobile Payment Systems

  • The use of mobile phones as payment devices is established in Europe, Japan, and South Korea, and is expanding in the United States.
  • Near field communication (NFC) is a short-range wireless technology for sharing data between devices.
  • Mobile payment systems include:
    • Google Wallet
    • PayPal
    • Square

Digital Cash and Virtual Currencies

  • Digital cash is based on an algorithm that generates unique tokens that can be used in the "real" world (e.g., Bitcoin).
  • Virtual currencies circulate within internal virtual worlds (e.g., Linden Dollars in Second Life, Facebook Credits).

Electronic Billing Presentment and Payment (EBPP)

  • Online payment systems for monthly bills involve:
    • Biller-direct (dominant model)
    • Consolidator
  • Both models are supported by EBPP infrastructure providers.

Encryption

  • Encryption transforms data into cipher text readable only by the sender and receiver, securing stored information and information transmission.
  • Encryption provides four of the six key dimensions of e-commerce security:
    • Message integrity
    • Nonrepudiation
    • Authentication
    • Confidentiality

Symmetric Key Encryption

  • Symmetric key encryption uses the same digital key to encrypt and decrypt a message.
  • Requires a different set of keys for each transaction.
  • The strength of encryption depends on the length of the binary key used to encrypt data.

Public Key Encryption

  • Public key encryption uses two mathematically related digital keys:
    • Public key (widely disseminated)
    • Private key (kept secret by owner)
  • Both keys are used to encrypt and decrypt a message.

Public Key Encryption using Digital Signatures and Hash

  • Hash function: produces a fixed-length number called a message digest or hash digest.
  • The hash digest of a message is sent to the recipient along with the message so the recipient can verify its integrity.
  • The hash digest and message are encrypted with the recipient's public key, and the entire cipher text is then encrypted with the recipient's private key, creating a digital signature for authenticity and nonrepudiation.

The Role of Laws and Public Policy

  • Laws that give authorities the power to identify, trace, and prosecute cybercriminals include:
    • National Information Infrastructure Protection Act of 1996
    • USA Patriot Act
    • Homeland Security Act
  • Private and private-public cooperation involves:
    • CERT Coordination Center
    • US-CERT
  • Government policies and controls on encryption software include:
    • OECD, G7/G8, Council of Europe, Wassenaar Arrangement

Types of Payment Systems

  • Cash is the most common form of payment, instantly convertible into other forms of value, with no float.
  • Checking transfer involves transferring funds from a checking account to a merchant's account.
  • Credit card payment involves credit card associations, issuing banks, and processing centers.
  • Stored value payment involves depositing funds into an account, from which funds are paid out or withdrawn as needed.
  • Accumulating balance payment involves accounts that accumulate expenditures and to which consumers make periodic payments.

Payment System Stakeholders

  • Consumers want:
    • Low-risk
    • Low-cost
    • Refutable
    • Convenience
    • Reliability
  • Merchants want:
    • Low-risk
    • Low-cost
    • Irrefutable
    • Secure
    • Reliable
  • Financial intermediaries want:
    • Secure
    • Low-risk
    • Maximizing profit
  • Government regulators want:
    • Security
    • Trust
    • Protecting participants and enforcing reporting

This quiz covers the protection of networks and systems, including firewalls, proxy servers, and securing operating systems.
