Chapter 10: E-Commerce Fraud and Security
Copyright 2010 Pearson Education, Inc. Publishing as Prentice Hall

Learning Objectives
- Understand the importance and scope of security of information systems for EC.
- Describe the major concepts and terminology of EC security.
- Learn about the major EC security threats, vulnerabilities, and risks.
- Understand phishing and its relationship to financial crimes.
- Describe the information assurance security principles.
- Identify and assess major technologies and methods for securing EC communications.
- Describe the major technologies for protection of EC networks.
- Describe various types of controls and special defense mechanisms.
- Describe the role of business continuity and disaster recovery planning.
- Discuss EC security enterprisewide implementation issues.
- Understand why it is not possible to stop computer crimes.

The Information Security Problem
WHAT IS EC SECURITY?
- Computer security refers to the protection of data, networks, computer programs, computer power, and other elements of computerized information systems.
- CSI Computer Crime and Security Survey: Annual security survey of U.S. corporations, government agencies, financial and medical institutions, and universities, conducted jointly by the FBI and the Computer Security Institute.

THE DRIVERS OF EC SECURITY PROBLEMS
The Internet's Vulnerable Design
- domain name system (DNS): Translates (converts) domain names to their numeric IP addresses.
- IP address: An address that uniquely identifies each computer connected to a network or the Internet.

The Shift to Profit-Induced Crimes
- Internet underground economy: E-markets for stolen information, made up of thousands of Web sites that sell credit card numbers, social security numbers, other data such as bank account numbers, social network IDs, passwords, and much more.
- keystroke logging (keylogging): A method of capturing and recording user keystrokes.

Basic E-Commerce Security Issues and Landscape
BASIC SECURITY TERMINOLOGY
- business continuity plan: A plan that keeps the business running after a disaster occurs. Each function in the business should have a valid recovery capability plan.
- cybercrime: Intentional crimes carried out on the Internet.
- exposure: The estimated cost, loss, or damage that can result if a threat exploits a vulnerability.
- fraud: Any business activity that uses deceitful practices or devices to deprive another of property or other rights.
- malware (malicious software): A generic term for malicious software.
- phishing: A crimeware technique to steal the identity of a target company in order to get the identities of its customers.
- risk: The probability that a vulnerability will be known and used.
- social engineering: A type of nontechnical attack that uses some ruse to trick users into revealing information or performing an action that compromises a computer or network.
- spam: The electronic equivalent of junk mail.
- vulnerability: A weakness in software or another mechanism that threatens the confidentiality, integrity, or availability of an asset (recall the CIA model). It can be directly used by a hacker to gain access to a system or network.
- zombies: Computers infected with malware that are under the control of a spammer, hacker, or other criminal.

SECURITY SCENARIOS AND REQUIREMENTS IN E-COMMERCE
EC Security Requirements
- authentication: Process to verify (assure) the real identity of an individual, computer, computer program, or EC Web site.
- authorization: Process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform.
- nonrepudiation: Assurance that online customers or trading partners cannot falsely deny (repudiate) their purchase or transaction.

THE DEFENSE: DEFENDERS AND THEIR STRATEGY
- EC security strategy: A strategy that views EC security as the process of preventing and detecting unauthorized use of the organization's brand, identity, Web site, e-mail, information, or other assets, and attempts to defraud the organization, its customers, and employees.
- deterring measures: Actions that will make criminals abandon their idea of attacking a specific system (e.g., the possibility of losing a job, for insiders).
- prevention measures: Ways to help stop unauthorized users (also known as "intruders") from accessing any part of the EC system.
- detection measures: Ways to determine whether intruders attempted to break into the EC system, whether they were successful, and what they may have done.
- information assurance (IA): The protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.

Technical Attack Methods
- virus: A piece of software code that inserts itself into a host, including the operating system, in order to propagate; it requires that its host program be run to activate it.
- worm: A software program that runs independently, consuming the resources of its host in order to maintain itself, and that is capable of propagating a complete working version of itself onto another machine.
- macro virus (macro worm): A macro virus or macro worm is executed when the application object that contains the macro is opened or a particular procedure is executed.
- Trojan horse: A program that appears to have a useful function but contains a hidden function that presents a security risk.
- banking Trojan: A Trojan that comes to life when computer owners visit one of a number of online banking or e-commerce sites.
- denial of service (DoS) attack: An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources.
- botnet: A huge number (e.g., hundreds of thousands) of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet.

Phishing, Financial Fraud, and Spam
PHISHING
- universal man-in-the-middle phishing kit: A tool used by phishers to set up a URL that can interact in real time with the content of a legitimate Web site, such as a bank or EC site, to intercept data entered by customers at log-in or checkout Web pages.

FRAUD ON THE INTERNET
- click fraud: A type of fraud that occurs in pay-per-click advertising when a person, automated system, or computer program simulates individual clicks on banner or other online advertising.
- identity theft: Fraud that involves stealing the identity of a person and then using that identity, while pretending to be that person, in order to steal money or get other benefits.
- e-mail spam: A subset of spam that involves nearly identical messages sent to numerous recipients by e-mail.
- search engine spam: Pages created deliberately to trick the search engine into offering inappropriate, redundant, or poor-quality search results.
- spam site: A page that uses techniques that deliberately subvert a search engine's algorithms to artificially inflate the page's rankings.
- splog: Short for spam blog. A site created solely for marketing purposes.
- spyware: Software that gathers user information over an Internet connection without the user's knowledge.

The Information Assurance Model and Defense Strategy
- CIA security triad (CIA triad): Three security concepts important to information on the Internet: confidentiality, integrity, and availability.
- confidentiality: Assurance of data privacy and accuracy. Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes.
- integrity: Assurance that stored data has not been modified without authorization; a message that was sent is the same message that was received.
- availability: Assurance that access to data, the Web site, or other EC data service is timely, available, reliable, and restricted to unauthorized users.

THE DEFENSE STRATEGY
- Prevention and deterrence
- Detection
- Containment
- Recovery
- Correction
- Awareness and compliance
- EC security programs: All the policies, procedures, documents, standards, hardware, software, training, and personnel that work together to protect information, the ability to conduct business, and other assets.

The Defense I: Access Control, Encryption, and PKI
- access control: Mechanism that determines who can legitimately use a network resource.
- passive token: Storage device (e.g., magnetic strip) that contains a secret code used in a two-factor authentication system.
- active token: Small, stand-alone electronic device that generates one-time passwords used in a two-factor authentication system.
- biometric control: An automated method for verifying the identity of a person based on physical or behavioral characteristics.
- biometric systems: Authentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice.

ENCRYPTION AND THE ONE-KEY (SYMMETRIC) SYSTEM
- encryption: The process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it.
- symmetric (private) key encryption: An encryption system that uses the same key to encrypt and decrypt the message.
- public key infrastructure (PKI): A scheme for securing e-payments using public key encryption and various technical components.
- public (asymmetric) key encryption: Method of encryption that uses a pair of matched keys: a public key to encrypt a message and a private key to decrypt it, or vice versa.
- public key: Encryption code that is publicly available to anyone.
- private key: Encryption code that is known only to its owner.
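The following Python program is an added illustration of the public/private key pair just defined; it is not code from the textbook or the slides, and it goes beyond this one slide to cover the related terms the chapter uses (hash, message digest, digital signature, digital envelope). Everything in it is an assumption made for the example: the RSA arithmetic is a small unpadded textbook version built from two Mersenne primes so that it runs on the Python standard library alone, SHA-224 plays the role of the hash, an XOR keystream stands in for the symmetric cipher, and the "digital envelope" is built in hybrid form (signed message encrypted under a one-time symmetric key, that key encrypted with the recipient's public key). It shows the mechanics only; a real deployment uses a vetted cryptographic library with padding and proper key sizes.

```python
"""Worked example: hash / message digest, public and private keys,
digital signature, and digital envelope (added example, not the book's code).

All key material is constructed for the demo.  Toy, unpadded RSA; do not reuse.
"""
import hashlib
import os
from typing import Optional, Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA from two primes: returns (public key, private key)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


# Assumed demo keys: Mersenne primes so the sender's modulus (~2^234) is larger
# than any 224-bit digest and the recipient's (~2^150) is larger than a 128-bit key.
SENDER_PUBLIC, SENDER_PRIVATE = make_keypair(2**127 - 1, 2**107 - 1)
RECIPIENT_PUBLIC, RECIPIENT_PRIVATE = make_keypair(2**89 - 1, 2**61 - 1)


def message_digest(message: bytes) -> bytes:
    """The hash step: a fixed-size summary (message digest) of the message."""
    return hashlib.sha224(message).digest()


def sign(message: bytes, private_key: Key) -> int:
    """Digital signature: the digest transformed with the signer's private key."""
    n, d = private_key
    return pow(int.from_bytes(message_digest(message), "big"), d, n)


def verify(message: bytes, signature: int, public_key: Key) -> bool:
    """Anyone holding the public key can check a signature against a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(message_digest(message), "big")


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream.
    The same key both encrypts and decrypts (symmetric-key encryption)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block_key = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block_key))
    return bytes(out)


def seal_envelope(message: bytes, sender_private: Key, recipient_public: Key) -> dict:
    """Digital envelope (hybrid form): sign, encrypt signature+message under a
    one-time session key, and encrypt that key with the recipient's public key."""
    n, e = recipient_public
    session_key = os.urandom(16)
    payload = sign(message, sender_private).to_bytes(32, "big") + message
    return {
        "ciphertext": _keystream_xor(session_key, payload),
        "wrapped_key": pow(int.from_bytes(session_key, "big"), e, n),
    }


def open_envelope(envelope: dict, recipient_private: Key, sender_public: Key) -> Optional[bytes]:
    """Recover the session key with the recipient's private key, decrypt, and
    verify the sender's signature.  Returns None if anything was tampered with."""
    n, d = recipient_private
    session_key = pow(envelope["wrapped_key"], d, n).to_bytes(16, "big")
    payload = _keystream_xor(session_key, envelope["ciphertext"])
    signature, message = int.from_bytes(payload[:32], "big"), payload[32:]
    return message if verify(message, signature, sender_public) else None


if __name__ == "__main__":
    order = b"order 1234: pay 100 USD"           # constructed sample message
    env = seal_envelope(order, SENDER_PRIVATE, RECIPIENT_PUBLIC)
    print("digest:", message_digest(order).hex())
    print("opened:", open_envelope(env, RECIPIENT_PRIVATE, SENDER_PUBLIC))
```

Note what the example makes visible that the definitions alone do not: the signature is computed over the digest, not the message, so any one-byte change to the message makes verification fail; and the recipient needs only its own private key plus the sender's public key, which is what makes nonrepudiation possible.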
- digital signature or digital certificate: Validates the sender and time stamp of a transaction so it cannot later be claimed that the transaction was unauthorized or invalid.
- hash: A mathematical computation that is applied to a message, using a private key, to encrypt the message.
- message digest (MD): A summary of a message, converted into a string of digits after the hash has been applied.
- digital envelope: The combination of the encrypted original message and the digital signature, using the recipient's public key.
- certificate authorities (CAs): Third parties that issue digital certificates.
- Secure Socket Layer (SSL): Protocol that utilizes standard certificates for authentication and data encryption to ensure privacy or confidentiality.
- Transport Layer Security (TLS): As of 1996, another name for the SSL protocol.

The Defense II: Securing E-Commerce Networks
- firewall: A single point between two or more networks through which all traffic must pass (choke point); the device authenticates, controls, and logs all traffic.
- demilitarized zone (DMZ): Network area that sits between an organization's internal network and an external network (the Internet), providing physical isolation between the two networks that is controlled by rules enforced by a firewall.
- virtual private network (VPN): A network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network.
- intrusion detection system (IDS): A special category of software that can monitor activity across a network or on a host computer, watch for suspicious activity, and take automated action based on what it sees.
- honeynet: A network of honeypots.
- honeypot: A production system (e.g., firewalls, routers, Web servers, database servers) that looks like it does real work but acts as a decoy and is watched to study how network intrusions occur.
- penetration test (pen test): A method of evaluating the security of a computer system or a network by simulating an attack from a malicious source (e.g., a cracker).

The Defense III: General Controls and Other Defense Mechanisms
- general controls: Controls established to protect the system regardless of the specific application. For example, protecting hardware and controlling access to the data center are independent of the specific application.
- application controls: Controls that are intended to protect specific applications.
- intelligent agents: Software applications that have some degree of reactivity, autonomy, and adaptability, as is needed in unpredictable attack situations. An agent is able to adapt itself based on changes occurring in its environment.
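To make the intrusion detection system definition in the Defense II section concrete, here is an added example (not from the textbook or the slides) of the three things that definition lists, done in miniature for one kind of suspicious activity: it monitors a Web server's access log, watches for a request flood of the kind the chapter's denial-of-service definition describes, and produces a block list as its automated action. The log format is the common Apache/Nginx "combined" style; the log lines, the source addresses (taken from the documentation address ranges), the window size and the threshold are all constructed for the example, and the block list is only returned, not pushed to a firewall.

```python
"""Host-based intrusion detection in miniature (added example, not the book's
code): parse an access log, count requests per source in fixed time windows,
flag floods, and hand the offending sources to an automated response step.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import List, Optional, Tuple

# Apache/Nginx "combined" log prefix: ip ident user [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample log: 203.0.113.9 fires 12 requests within three seconds
# while 198.51.100.4 behaves like an ordinary shopper.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2010:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.9 - - [10/Oct/2010:13:55:{36 + i // 4} +0000] "GET /checkout HTTP/1.1" 200 512 "-" "curl/7.19"'
    for i in range(12)
] + [
    '198.51.100.4 - - [10/Oct/2010:13:55:39 +0000] "POST /cart HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not in log format and must not crash the monitor',
]

Event = Tuple[str, datetime, str, int]


def parse_line(line: str) -> Optional[Event]:
    """Return (ip, timestamp, request, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["req"], int(m["status"])


def detect_floods(lines, window_seconds: int = 5, threshold: int = 10) -> List[Tuple[str, int, int]]:
    """Count requests per source address in fixed windows and report every
    (ip, window_start_epoch, count) at or above the threshold."""
    counts = defaultdict(int)
    skipped = 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            skipped += 1        # a production IDS would alert on unparseable input too
            continue
        ip, ts, _, _ = event
        epoch = int(ts.timestamp())
        counts[(ip, epoch - epoch % window_seconds)] += 1
    return sorted((ip, start, n) for (ip, start), n in counts.items() if n >= threshold)


def build_block_list(alerts) -> List[str]:
    """The 'automated action' step: distinct source addresses to hand to the
    firewall.  Returned rather than applied, so the example stays self-contained."""
    return sorted({ip for ip, _, _ in alerts})


if __name__ == "__main__":
    found = detect_floods(SAMPLE_LOG)
    for ip, start, n in found:
        print(f"flood: {ip} sent {n} requests in window starting {start}")
    print("block list:", build_block_list(found))
```

The window/threshold pair is the tuning knob: too low and ordinary shoppers get blocked (an availability failure of the defender's own making), too high and a slow flood goes unnoticed. A real IDS would also key on request path and response status, not just source address.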
- internal control environment: The work atmosphere that a company sets for its employees.

PROTECTING AGAINST SPAM
- Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act: Law that makes it a crime to send commercial e-mail messages with false or misleading message headers or misleading subject lines.

Protection Against Splogs
- Captcha tool: Completely Automated Public Turing test to tell Computers and Humans Apart, which uses a verification test on comment pages to stop scripts from posting automatically.

PROTECTING AGAINST POP-UP ADS
Protection Against Phishing
PROTECTING AGAINST SPYWARE

Business Continuity, Security Auditing, and Risk Management
BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING
- The purpose of a business continuity plan is to keep the business running after a disaster occurs.
- Recovery planning is part of asset protection.
- disaster avoidance: An approach oriented toward prevention. The idea is to minimize the chance of avoidable disasters (such as fire or other human-caused threats).

AUDITING INFORMATION