Home Uncategorized E-Commerce

Uncategorized

E-Commerce

# REVIEWING THE SECTION OF CHAPTER ASSIGNED

WRITE A SUMMARY DOCUMENT IN WORD FORMAT FOR ABOUT 1.5 – 2 PAGES LONG, ON IMPORTANCE OF USABILITY FACTOR IN E-COMMERCE AND FACTORS INVOLVED IN IT.

USE THE PROVIDED CHAPTER LINK TO SUBMIT YOUR RESULTS.

THE GOAL IS TO MAKE SURE YOU HAVE REVIEWED THE PART OF THE “ASSIGNED CHAPTER.

Electronic Commerce

Security

CHAPTER 10

© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.

1
1

Learning Objectives
In this chapter, you will learn:
What security risks arise in online business and how to manage them
How to create a security policy
How to implement security on Web client computers
How to implement security in the communication channels between computers
How to implement security on Web server computers
What organizations promote computer, network, and Internet security
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
2
2

2
2
2

Introduction
Proper use of password protection is an important element in maintaining security
Most people unwilling to remember numerous complex passwords and change them often
Password management tools are popular solutions for maintaining multiple complex passwords
Requires a single, master password for access
Weak link when hackers access master passwords
Encryption is an important safeguard to help address attacks
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
3

Online Security Issues Overview
Individuals and businesses have had concerns about security since Internet became a business communications tool
Increasing with steady increase in sales and all types of financial transactions
Chapter topics
Key security problems
Solutions to those problems
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
4

5
Origins of Security on Interconnected Computer Systems
Modern computer security techniques developed by US Department of Defense
“Orange Book”: rules for mandatory access control
Business computers initially adopted military’s security methods
Networks and other factors have increased number of users accessing computers
Computers now transmit valuable information
Changes have made the need for comprehensive security risk controls more important than ever
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
5

Computer Security and Risk Management
Asset protection from unauthorized access, use, alteration, and destruction
Physical security includes tangible protection devices
Alarms, guards, fireproof doors, security fences, safes or vaults, and bombproof buildings
Logical security is protection using nonphysical means
Threat is anything posing danger to computer assets
Countermeasures are procedures (physical or logical) that recognizes, reduces, and eliminates threats
Extent and expense depends on importance of asset at risk
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
6

7
Computer Security and Risk Management (cont’d.)
Risk management model: four general actions based on impact (cost) & probability of physical threat
Also applicable for protecting Internet and electronic commerce assets from physical and electronic threats
Eavesdropper (person or device) that listens in on and copies Internet transmissions
Crackers or hackers obtain unauthorized access to computers and networks
White hat (good) and black hat (bad) hackers
Companies must identify risks, determine how to protect assets, and calculate how much to spend
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
7

Click to edit Master text styles
Second level
Third level
Fourth level
Fifth level

Elements of Computer Security
Secrecy refers to protecting against unauthorized data disclosure and ensuring data source authenticity
Integrity is preventing unauthorized data modification
Integrity violation occurs when an e-mail message is intercepted and changed before reaching destination
Man-in-the-middle exploit
Necessity refers to preventing data delays or denials (removal)
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
9

Establishing a Security Policy
Written statement of: assets to protect and why, who is responsible for protection and acceptable and unacceptable behaviors
Addresses physical and network security, access authorizations, virus protection, disaster recovery
Steps to create security policy
Determine which assets to protect from which threats
Determine access needs to various system parts
Identify resources to protect assets
Develop written security policy
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
10

Establishing a Security Policy (cont’d.)
Once policy is written and approved resources are committed to implement the policy
Comprehensive security plan protects system’s privacy, integrity, availability and authenticates users
Selected to satisfy Figure 10-2 requirements
Provides a minimum level of acceptable security
All security measures must work together to prevent unauthorized disclosure, destruction, or modification of assets
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
11

Click to edit Master text styles
Second level
Third level
Fourth level
Fifth level

Establishing a Security Policy (cont’d.)
Security policy points
Authentication: Who is trying to access site?
Access control: Who is allowed to log on to and access site?
Secrecy: Who is permitted to view selected information?
Data integrity: Who is allowed to change data?
Audit: Who or what causes specific events to occur, and when?
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
13

Security for Client Devices
Threats to computers, smartphones, and tablets
Originate in software and downloaded Internet data
Malevolent server site masquerades as legitimate Web site
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
14

Cookies and Web Bugs
Internet connection between Web clients and servers accomplished by multiple independent transmissions
No continuous connection (open session) maintained between any client and server
Cookies are small text files Web servers place on Web client to identify returning visitors
Allow shopping cart and payment processing functions without creating an open session
Session cookies exist until client connection ends
Persistent cookies remain indefinitely
Electronic commerce sites use both
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
15

Cookies and Web Bugs (cont’d.)
Cookies may be categorized by their source
First-party cookies are placed on client computer by the Web server site
Third-party cookies originate on a Web site other than the site being visited
Disable cookies entirely for complete protection
Useful cookies blocked (along with others) so that information is not stored
Full site resources not available if cookies are not allowed
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
16

Cookies and Web Bugs (cont’d.)
Web browser cookie management functions refuse only third-party cookies or review each cookie before allowing
Settings available with most Web browsers
Web bug or Web beacon is a tiny graphic that third-party Web site places on another site’s Web page
Provides method for third-party site to place cookie on visitor’s computer
Also called “clear GIFs” or “1-by-1 GIFs” because graphics created in GIF format with a color value of “transparent” and as small as 1 pixel by 1 pixel
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
17

Click to edit Master text styles
Second level
Third level
Fourth level
Fifth level

Active Content
Active content programs run when client device loads Web page
Example actions: play audio, display moving graphics, place items into shopping cart
Moves processing work from server to client device but can pose a threat to client device
Methods to deliver active content
Cookies, Java applets, JavaScript, VBScript, ActiveX controls, graphics, Web browser plug-ins,
e-mail attachments
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
19

Active Content (cont’d.)
Scripting languages provide executable script
Examples: JavaScript and VBScript
Applets are small application programs that typically runs within Web browser
Most browsers include tools limiting applets’ and scripting language actions by running in a sandbox
ActiveX controls are objects containing programs or properties placed on Web pages to perform tasks
Run only on Windows operating systems
Give full access to client system resources
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
20

Active Content (cont’d.)
Crackers can embed malicious active content
Trojan horse is a program hidden inside another program or Web page that masks its true purpose
May result in secrecy and integrity violations
Zombie secretly takes over another computer to launch attacks on other computers
Botnet (robotic network, zombie farm) is all controlled computers act as an attacking unit
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
21

Graphics and Plug-Ins
Graphics, browser plug-ins, and e-mail attachments can harbor executable content
Embedded code can harm client computer
Browser plug-ins (programs) enhance browser capabilities bit can pose security threats
Plug-ins executing commands buried within media
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
22

Viruses, Worms, and Antivirus Software
Programs automatically execute associated programs to display e-mail attachments
Macro viruses in attached files can cause damage
Virus is software that attaches itself to host program and causes damage when program is activated
Worm is a virus that replicates itself on computers it infects and spreads quickly through the Internet
Macro virus is a small program embedded in file
First major virus was I LOVE YOU in 2000
Spread to 40 million computers in 20 countries and caused estimated $9 billion in damages
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
23

Click to edit Master text styles
Second level
Third level
Fourth level
Fifth level

Viruses, Worms, and Antivirus Software (cont’d.)
2001 Code Red and Nimda: multivector virus-worm
Entered computer system in several different ways and caused billions in damages
2003: New version of Code Red (Bugbear) checked for antivirus software
Antivirus software detects viruses and worms
Deletes or isolates them on client computer
2008: Conficker virus which continues to be a concern because it can reinstall itself after removal
2010 & 2011: New and more Trojan combinations
Some targeted bank accounts
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
25

Click to edit Master text styles
Second level
Third level
Fourth level
Fifth level

Viruses, Worms, and Antivirus Software (cont’d.)
2013: Ransomware (Cryptolocker) encrypted files and demanded payment for keys to unlock
Perpetrators got away with more than $3 million
2015: New version attached itself to games
Companies such as Symantec and McAfee track viruses and sell antivirus software
Data files must be updated regularly so that newest viruses are recognized and eliminated
Some Web e-mail systems such as Yahoo! Mail and Gmail automatically scan attachments before downloading
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
28

Click to edit Master text styles
Second level
Third level
Fourth level
Fifth level

Digital Certificates
Digital certificate is an e-mail attachment or program embedded in Web page that verifies identity
Contains a means to send encrypted communication
Used to execute online transactions, send encrypted email and make electronic funds transfers
Certification authority (CA) issues digital certificates to organizations, individuals with six elements
Owner’s identification and public key, validity dates, serial number, issuer name and digital signature
Key is a long binary number used with encryption algorithm to “Lock” protected message characters

Digital Certificates (cont’d.)
Identification requirements vary between CAs
Driver’s license, notarized form, fingerprints
More stringent rules adopted in 2008 after hackers obtained falsified digital certificates
Secure Sockets Layer-Extended Validation (SSL-EV) requires extensive confirmations
Annual fees range from $100 to more than $1000
Digital certificates expire after period of time
Provides protection by requiring credentials be resubmitted for evaluation
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
31

Steganography
Process of hiding information within another piece of information whcih can be used for malicious purposes
Provides a way for hiding an encrypted file within another file
Casual observer cannot detect anything important in container file
Two-step process where encrypting file protects it from being read and steganography makes it invisible
Al Qaeda used steganography to hide attack orders
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
32

Physical Security for Client Devices and Client Security for Mobile Devices
Client computers require physical security
Fingerprint readers: more protection than passwords
Biometric security devices use an element of a person’s biological makeup to provide identification
Signature recognition, eye or palm scanners, veins
Access passwords help secure mobile devices
Remote wipe clears all personal data and can be added as a app or done through e-mail
Many users install antivirus software
Rogue apps contain malware or collect information and forward to perpetrators
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
33

Communication Channel Security and Secrecy Threats
Internet was designed to provide redundancy, not to be secure
Remains unchanged from original insecure state
Secrecy is the prevention of unauthorized information disclosure
Technical issue requiring sophisticated physical and logical mechanisms such as encryption of emails
Privacy is the protection of individual rights to nondisclosure which is a legal matter
Should supervisors be allowed to randomly read employee emails?
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
34

Secrecy Threats (cont’d.)
Theft of sensitive or personal information is a significant electronic commerce threat
Sniffer programs record information passing through computer or router handling Internet traffic
Backdoor allows users to run a program without going through the normal authentication procedures
May be left by programmers accidently or intentionally
Stolen corporate info (Eavesdropper example)
Several companies offer anonymous Web services that hide personal information from sites visited
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
35

Integrity Threats
Active wiretapping when an unauthorized party alters message information stream
Cybervandalism is electronic defacing of a Web site
Masquerading (spoofing) is pretending to be someone else or a fake Web site representing itself as original
Domain name servers (DNSs) are Internet computers that link domain names to IP addresses
Perpetrators substitute their Web site address in place of real one
Phishing expeditions trick victims into disclosing confidential info (banking and payment systems)
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
36

Necessity Threats
Delay, denial, and denial-of-service (DoS) attacks that disrupt or deny normal computer processing
Intolerably slow-speed computer processing
Renders service unusable or unattractive
Distributed denial-of-service (DDoS) attack uses botnets to launch simultaneous attack on a Web site
DoS attacks can remove information from a transmission or file
Quicken accounting program diverted money to perpetrator’s bank account
Overwhelmed servers and stopped customers access
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
37

Threats to the Physical Security of Internet Communications Channels
Internet’s packet-based network design precludes it from being shut down by attack on single communications link
Individual user’s Internet service can be interrupted
Destruction of user’s Internet link
Larger companies, organizations use more than one link to main Internet backbone
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
38

Threats to Wireless Networks
Wireless Encryption Protocol (WEP) is a set of rules for encrypting transmissions from the wireless devices to the wireless access points (WAPs)
Wardrivers attackers drive around in cars and search for accessible networks
Warchalking is placing a chalk mark on buildings when open networks are found
Companies can avoid attacks by turning on WEP and changing default login and password settings
Best Buy wireless point-of-sale (POS) failed to enable WEP and customer intercepted data
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
39

Encryption Solutions and Encryption Algorithms
Encryption is coding information using mathematically based program and a secret key
Cryptography is the science of studying encryption
Converts text that is visible but has no apparent meaning
Encryption programs transforms normal text (plain text) into cipher text (unintelligible characters string)
Encryption algorithm is the logic behind the program
Includes mathematics to do transformation
Decryption program is an encryption-reversing procedure that decodes or decrypts messages
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
40

Encryption Algorithms and Hash Coding
In the U.S. the National Security Agency controls dissemination which banned publication of details
Illegal for U.S. companies to export
Encryption algorithm property is that message cannot be deciphered without key used to encrypt it
Hash coding uses a hash algorithm to calculate a number (hash value) from a message
Unique message fingerprint
Can determine if message was altered during transit
Mismatch between original hash value and receiver computed value
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
41

Asymmetric Encryption
Public-key encryption encodes messages using two mathematically related numeric keys
Public key is freely distributed and encrypts messages using encryption algorithm
Private key is secret and belongs to key owner
Decrypts all messages received
Pretty Good Privacy (PGP) is a popular public-key encryption technology
Uses several different encryption algorithms
Free for individuals and sold to businesses
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
42

Symmetric Encryption
Private-key encryption that encodes message with a single numeric key to encode and decode data
Both sender and receiver must know the key
Very fast and efficient but does not work well in large environments because of number of keys required
Data Encryption Standard (DES) was first U.S. government private-key encryption system
Triple Data Encryption Standard (Triple DES, 3DES) was a stronger version of DES
Advanced Encryption Standard (AES) is a more secure standard that is commonly used today
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
43

Comparing Asymmetric and Symmetric Encryption Systems
Advantages of public-key (asymmetric) systems
Small combination of keys required
No problem in key distribution
Implementation of digital signatures possible
Disadvantage is that public key systems are significantly slower than private-key systems
Public-key systems complement rather than replace private-key systems
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
44

Click to edit Master text styles
Second level
Third level
Fourth level
Fifth level

Encryption in Web Browsers: Secure Sockets Layer (SSL) Protocol
Provides security “handshake” in which client and server exchange brief burst of messages
Agreed level of security, all communication encrypted
Eavesdropper receives unintelligible information
Secures many different communication types
Protocol for implementing SSL is to precede URL with protocol name HTTPS
Session key used by algorithm to create cipher text from plain text during single secure session
Secrecy implemented using combination of public-key and private-key encryption
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
46

SSL Protocol (cont’d.)
Browser generates a private key and encrypts it using the server’s public key
Browser sends encrypted key to the server which decrypts message and exposes shared private key
After secure session is established public-key encryption no longer used
Message transmission protected by private-key encryption with session key (private key) discarded when session ends
Any new connection requires the entire process to be restarted beginning with the handshake
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
47

Click to edit Master text styles
Second level
Third level
Fourth level
Fifth level

Encryption in Web Browsers: Secure HTTP (S-HTTP)
Extension to HTTP providing security features
Symmetric encryption for secret communications and public-key encryption to establish client-server authentication
Session negotiation setting transmission conditions occurs between client and server
Establishes secure session with a client-server handshake exchange that includes security details
Secure envelope encapsulates message, provides secrecy, integrity, and client-server authentication
SSL has largely replaced S-HTTP

Hash Functions, Message Digests, and Digital Signatures
To detect message alteration hash algorithm applied to message content to create message digest
Receiving computer can calculate value to determine if numbers match (no alteration) or not (alteration)
Not ideal because hash algorithm is public
Digital signature is an encrypted message digest created using a private key
Provides nonrepudiation and positive identification of the sender
Secrecy when used with an encrypted message
Same legal status as traditional written signature
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
50

Click to edit Master text styles
Second level
Third level
Fourth level
Fifth level

Security for Server Computers and Password Attack Threats
Server is the third link in client-Internet-server electronic commerce path
Web server administrator ensures security policies documented and implemented
One of the most sensitive file on Web server holds Web server username-password pairs
Most encrypt authentication information
Passwords threats include using easy passwords
Dictionary attack programs cycle through electronic dictionary, trying every word as password
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
52

Password Attack Threats (cont’d.)
Solutions to threat include stringent requirements and company dictionary checks
Passphrase is a sequence of words or text easy to remember but a good password or password hint
Password manager software securely stores all of a person’s passwords
User only needs to remember master password to get access to the program
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
53

Database Threats and Other Software-Based Threats
Most database systems rely on usernames and passwords that may be stored in unencrypted tables
Database fails to enforce security
Unauthorized users can masquerade as legitimate users and reveal or download information
Trojan horse programs hide within database system
Reveal information by changing access rights
Java or C++ programs executed by server often use a buffer memory area to hold data
Buffer overrun (buffer overflow) error occurs when program malfunctions and spills data outside buffer
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
55

Other Software-Based Threats (cont’d.)
Buffer overflow can be a error or intentional
Insidious version of buffer overflow attack writes instructions into critical memory locations
Web server resumes execution by loading internal registers with address of attacking program’s code
Good programming practices can reduce potential errors from buffer overflow
Some computers include hardware to limit effects
Mail bomb attack occurs when hundreds or thousands of people send a message to particular address
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
56

Threats to Physical Security of Web Servers and Access Control and Authentication
Web servers and computers networked closely to them must be protected from physical harm
Companies outsource hosting Web servers or maintain server content’s backup copies at remote location
Companies often rely on service providers for Web security
Access control and authentication refers to controlling who and what has access to Web server
Authentication is identity verification of entity requesting computer access
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
57

Access Control and Authentication (cont’d)
Server user authentication occurs in several ways
Digital signature-contained certificate, certificate timestamp or callback system
Usernames and passwords provide some protection
Many maintain usernames in plain text and encrypt passwords with one-way encryption algorithm
Site visitor may save username and password as a cookie which might be stored in plain text
Access control list (ACL) restricts file access to selected users
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
58

Firewalls
Software or hardware-software combination that is installed in a network to control packet traffic
Placed at Internet entry point of network as a defense between network and Internet or other network
Firewall principles: All traffic must pass through it, only authorized traffic can pass and it is immune to penetration
Networks inside the firewall are trusted and those outside the firewall are untrusted
Filter permits selected messages though network
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
59

Firewalls (cont’d.)
Can separate corporate networks from one another
Segment corporate network into secure zones
Large organizations must install firewalls at each location that all follow the same security policy
Packet-filter firewalls examine data flowing back and forth between trusted network and the Internet
Gateway servers filter traffic based on requested application and limit access to specific applications
Proxy server firewalls communicate with the Internet on private network’s behalf
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
60

Firewalls (cont’d.)
Perimeter expansion problems occur when computers are used outside traditional physical site
Intrusion detection systems monitor server login attempts
Analyze for patterns indicating cracker attack and block attempts originating from same IP address
Growth of cloud computing is increasing the need for cloud security which has lagged behind the need
Personal firewalls on individual client computers have become an important tool for expanded network perimeters and individuals
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
61

Organizations that Promote Computer Security and CERT
After 1988 Internet Worm organizations formed to share information about computer system threats
Sharing information about attacks and defenses for attacks helps create better computer security
Computer Emergency Response Team (CERT)
Maintains effective, quick communications among security experts to handle or avoid security incidents
Responds to thousands of incidents and provides security risk information and event alerts
Primary authoritative source for viruses, worms, and other types of attack information
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
62
62

Other Organizations
System Administrator, Audit, Network and Security (SANS) Institute is a cooperative education and research organization
SANS Internet Storm Center Web site provides current information on computer attacks worldwide
CERIAS (Center for Education and Research in Information Assurance and Security) is a center for multidisciplinary research and education
Center for Internet Security is a not-for-profit organization that helps electronic commerce companies
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
63

Computer Forensics and Ethical Hacking
Computer forensics experts (ethical hackers) are computer sleuths hired to probe PCs
Locate information usable in legal proceedings
Job of breaking into client computers
Computer forensics field is responsible for collection, preservation, and computer-related evidence analysis
Companies hire ethical hackers to test computer security safeguards
© 2017 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
64

Turn in your highest-quality paper
Get a qualified writer to help you with

“ E-Commerce ”

Get high-quality paper

NEW! AI matching with writer

Hire a Writer

Client Reviews

4.9

Sitejabber

4.6

Trustpilot

4.8

Our Guarantees

100% Confidentiality

Information about customers is confidential and never disclosed to third parties.

Original Writing

We complete all papers from scratch. You can get a plagiarism report.

Timely Delivery

No missed deadlines – 97% of assignments are completed in time.

Money Back

If you're confident that a writer didn't follow your order details, ask for a refund.

New to Your Trusted Assignment Help Service? Sign up & Save

Calculate the price of your order

Type of paper needed:

Pages:

You will get a personal manager and a discount.

Academic level:

We'll send you the first draft for approval by at

Total price:

$0.00

Power up Your Academic Success with the
Team of Professionals. We’ve Got Your Back.

Power up Your Study Success with Experts We’ve Got Your Back.

Order Now Order Now