Basic communication is open & uncontrolled
Internet growth = more attacks on computers and networks
70% of organisations have experienced some form of attack (2000)
42% of organisations in 1996
But reporting has declined – why?
- Negative publicity – 52%
- Fears that competitors would use it against them – 39%
- Didn't realise they could report it – 15%
Commercial financial loss is estimated at 6% of sales revenue
Variety of types of attack – financial fraud, sabotage, data theft, unauthorised access, denial of service
Why now?
- Growth in commercial transactions on the internet
- Security & usability are inversely related
- Security considerations are low down commercial priorities
- Security depends upon the Internet as a whole
- Dominance of Microsoft makes the world susceptible – e.g. the Melissa virus
- Hacker community growing & hacking becoming easier – script kiddies & macro viruses
Your Business and Security:
But business requirements are:
- Security, privacy, confidentiality & integrity of transactions
- Security fears are a major obstacle to e-business growth
- Identity may be easily faked & a signature is often required
Security Issues that may arise:
- Customers' concerns – is the web site legitimate?
  - Does it contain malicious code?
  - Will private personal information be distributed to others?
- Company's perspective – is the customer legitimate?
  - Will he/she try to alter web pages or content?
  - Will he/she try to mount a DoS attack?
- Both are concerned about eavesdropping & information integrity
Security Concerns:
- Confidentiality – controlling access to information
- Integrity – data & programs to be free from unauthorised change or loss
- Availability & legitimate use – continual access for authorised users
- Non-repudiation – ability to ensure that neither party can deny the transaction or remain anonymous
  - Requires a legal framework within which to punish offenders
- Security = compromise – cost vs. perceived security
  - Difficult, as security is always a cost and there is no way of measuring return on investment
Risk Management:
- Authentication – of the web site or the buyer / participant
  - Requires some credentials, e.g.
    - Knowledge – password
    - Physical – card, fob, etc.
    - Biometric – fingerprint, retina scan, face recognition
- Authorisation – access rights to certain areas
- Auditing – log files & journal files
- Information security policy – iterative development
  - List all resources requiring protection – routers, firewalls, etc.
  - Define physical access restrictions to servers, PCs, etc.
  - Define electronic access to the above
  - Catalogue the threats to each resource and perform a risk analysis
Security Threats:
- Discover key elements of the network / system
- Scan for vulnerabilities – network sniffers, etc.
- Hack the system to gain access at administrator level
- Disable / remove traces from log / journal files
- Steal files or source code, or alter data
- Install back doors or Trojan horses to permit undetectable re-entry
Security Defences:
- Growth industry
- Anti-virus software
- Access control software / hardware
- Physical security
- Firewalls
- Encryption
- Intrusion detection
Encryption & Firewalls:
Encryption
- Symmetric systems – same key to encrypt & decrypt – e.g. DES
- Asymmetric systems – also known as public key encryption
  - Different key to decrypt – e.g. RSA (Rivest, Shamir & Adleman)
- Digital signatures – verified with the public key of the signing organisation
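An added illustration, not from the lecture notes, of the asymmetric (RSA) and digital signature points above, in pure Python with constructed small primes: a message encrypted with the public key is recovered only with the private key, and a signature over an order verifies with the public key while an altered order fails, which is what gives the Integrity and Non-repudiation properties. It assumes Python 3.8+ for pow(e, -1, phi); the key size and the order record are toy values for understanding, not a usable implementation.

```python
# Added illustration (not from the lecture notes): textbook RSA with tiny,
# constructed primes to show why an asymmetric system uses a different key
# to decrypt, and how a digital signature gives integrity and non-repudiation.
# Real systems use 2048-bit keys, padding (OAEP/PSS) and a vetted library.
import hashlib

def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) as (n, e), (n, d) for the given primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def encrypt(public, m: int) -> int:
    n, e = public
    return pow(m, e, n)          # anyone holding the public key can encrypt

def decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)          # only the private key holder can decrypt

def digest(msg: bytes, n: int) -> int:
    # hash the message, then reduce it below the modulus (toy scheme only)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(private, msg: bytes) -> int:
    n, d = private
    return pow(digest(msg, n), d, n)   # signer's private key: non-repudiation

def verify(public, msg: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == digest(msg, n)   # anyone can check with public key

if __name__ == "__main__":
    pub, priv = make_keypair(1000003, 1000033)   # constructed small primes
    order = b"buyer=alice;item=book;amount=19.99"  # constructed transaction
    c = encrypt(pub, 4242)
    print("decrypted:", decrypt(priv, c))         # 4242
    s = sign(priv, order)
    print("genuine order verifies:", verify(pub, order, s))   # True
    tampered = order.replace(b"19.99", b"1.99")
    print("altered order verifies:", verify(pub, tampered, s))  # False
```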
Firewalls
- Packet filtering routers
  - Accept or reject packets of data
- Application level proxies
  - Repackage packets between 2 network cards
  - Hide IP addresses of communicating internal servers
E-Payment Systems:
- Credit cards dominate the Internet
- PAIN problems persist:
  - Privacy – keep transaction details private
  - Authentication – prove you are who you say you are
  - Integrity – no alteration to transaction details without detection
  - Non-repudiation – a binding agreement
- An e-payment system is going to require an issuer – a bank or ISP – and a regulatory authority – an (independent) agency
E-Payment Criteria:
- Independence – of specialised facilities
- Interoperability & portability – also mesh with existing systems
- Security
- Anonymity
- Divisibility – deal with small cash sums
- Ease of use – i.e. similar to a credit card
- Facilitate a transaction fee
- B2B – incentives such as lower costs & immediate payments
- Basis for all e-payment schemes is public key infrastructure (RSA)
E-Payment and Digital Certificates:
- Organisations such as VeriSign and TRUSTe provide digital certificates authenticating organisations
- SSL – Secure Sockets Layer
  - Web browser / server takes care of everything
- SET – Secure Electronic Transaction
  - Encrypted protocol for handling & verifying card validity, authorisation & purchase processing