
Penn EMTM 553 - Security Threats Lecture

Outline: Three Scenarios; Alice Buys a Book; Inter-Corporate Trading; Daisy's Electronic Market; What are the issues?; Security Overview (Figure 5-1); What is Security?; Goals of Security; Copyright and Intellectual Property; Slide 11; Security Policy and Integrated Security; Specific Elements of a Security Policy; Intellectual Property Threats; Slide 15; Three components to security; What can go wrong?; Client-side security; Server-side security; Document confidentiality; Electronic Commerce Threats; Downloaded software; PowerPoint Presentation; ActiveX Controls; Slide 25; Graphics, Plug-ins, and E-mail Attachments; Communication Channel Threats; Communication Channel Threats (2); Communication Channel Threats (3); Server Threats; Server Threats (2); IP Spoofing; Denial of Service Attacks; Slide 34; Database Threats; Other Threats; Other Threats (2); Slide 38; CERT Coordination Center; Q&A

EMTM 553: E-commerce Systems
Lecture 5: Security Threats
Insup Lee
Department of Computer and Information Science
University of Pennsylvania
[email protected]/~lee
12/15/00, EMTM 553, slide 1

Three Scenarios
• Alice buys a book from Bob's book store.
• Inter-corporate trading for Charlie's Plastic Company.
• Daisy's electronic market.

Alice Buys a Book
• Alice shops for a book on the Internet using the WWW.
• She finds the desired book at Bob's book store and places the order using a web form provided by Bob's.
• Bob confirms that the order really comes from Alice.
• She sends her credit card number, suitably encrypted.
• The book is delivered through UPS.

Inter-Corporate Trading
• Charlie's Plastic Makers is a medium-sized company in Canada with long-established requirements for high-quality plastic, which it buys from Plasticorp.
• Plasticorp aims to reduce the cost of customer transactions by using secure messaging with its regular customers.
• Origin and confidentiality of all correspondence must be ensured.

Daisy's Electronic Market
• Daisy is an entrepreneurial small businessperson who works from her home basement.
• She buys items from suppliers willing to do business wholly electronically, repackages them, and sells them through a WWW storefront.
• Effective marketing of the web page and very low overhead provide Daisy's competitive edge.

What are the issues?
• Accountability -- Security-relevant activities on a system can be traced to individuals who may be held responsible for their actions.
• Availability -- System resources are safeguarded from tampering and are available to authorized users at the time and in the format needed.
• Access Control -- Access to system resources is limited to authorized individuals, entities, or processes.
• Confidentiality -- Information is not accessed by or disclosed to unauthorized individuals, entities, or processes.
• Identification and Authentication -- Verification that the originator of a transaction is who it claims to be.
• Integrity -- Information is not undetectably altered or destroyed by an unauthorized person or process.
• Non-repudiation -- Undeniable proof of participation by the sender and/or receiver in a transaction.
• Privacy -- An individual's right to nondisclosure.

Security Overview (Figure 5-1)
• Countermeasures are procedures, either physical or logical, that recognize, reduce, or eliminate a threat.

What is Security?
• Dictionary definition: protection or defense against attack, interference, espionage, etc.
• Computer security classification:
  – Confidentiality (or Secrecy)
    · Protecting against unauthorized data disclosure and ensuring the authenticity of the data's source
  – Integrity
    · Preventing unauthorized data modification
  – Availability (or Necessity)
    · Preventing data delays or denials (removal)

Goals of Security
[Figure: DATA at the centre, surrounded by the three goals Integrity, Availability and Confidentiality. Source: Gunter]

Copyright and Intellectual Property
• Copyright
  – Protecting expression
    · Literary and musical works
    · Pantomimes and choreographic works
    · Pictorial, graphic, and sculptural works
    · Motion pictures and other audiovisual works
    · Sound recordings
    · Architectural works

Copyright and Intellectual Property (2)
• Intellectual property
  – The ownership of ideas and control over the tangible or virtual representation of those ideas
• U.S. Copyright Act of 1976
  – Protects the previously stated items for a fixed period of time
  – Copyright Clearance Center
    · Clearinghouse for U.S. copyright information

Security Policy and Integrated Security
• A security policy is a written statement describing what assets are to be protected and why, who is responsible, and which behaviors are acceptable or not:
  – Physical security
  – Network security
  – Access authorizations
  – Virus protection
  – Disaster recovery

Specific Elements of a Security Policy
• Authentication
  – Who is trying to access the site?
• Access Control
  – Who is allowed to log on and access the site?
• Secrecy
  – Who is permitted to view selected information?
• Data integrity
  – Who is allowed to change data?
• Audit
  – What and who causes selected events to occur, and when?

Intellectual Property Threats
• The Internet presents a tempting target for intellectual property threats
  – It is very easy to reproduce an exact copy of anything found on the Internet
  – People are unaware of copyright restrictions, and unwittingly infringe on them
    · Fair use allows limited use of copyrighted material when certain conditions are met

Intellectual Property Threats (2)
• Cybersquatting
  – The practice of registering a domain name that is the trademark of another person or company
    · Cybersquatters hope that the owner of the trademark will pay huge dollar amounts to acquire the URL
    · Some cybersquatters misrepresent themselves as the trademark owner for fraudulent purposes

Three components to security
• Three perspectives
  – User's point of view
  – Server's point of view
  – Both parties
• Three parts
  – Client-side security
  – Server-side security
  – Document confidentiality

What can go wrong?
• Risks that affect both client and server
  – Eavesdropping
  – Fraud
• Risks to the end user
  – Active content
  – Privacy infringement
• Risks to the web site
  – Webjacking
  – Server and LAN break-ins
  – Denial-of-service attacks

Client-side security
• Measures to protect the user's privacy and the integrity of his
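The "Alice Buys a Book" scenario exercises three of the goals defined under "What are the issues?": Bob must verify that the order really comes from Alice (authentication), detect any change made on the channel (integrity), and, ideally, hold undeniable proof that she placed it (non-repudiation). The following is an added example, not part of the lecture, using only the Python standard library; it assumes Alice and Bob's store share a secret key agreed out of band (a hypothetical value), and the order fields are constructed sample data. The last check shows why a shared-key MAC satisfies the first two goals but not the third.

```python
import hmac
import hashlib
import json
from typing import Tuple

# Constructed example: a secret Alice and Bob's store agreed on out of band
# (e.g. at account creation). Hypothetical value, never reuse in practice.
SHARED_KEY = b"alice-bobs-bookstore-shared-secret"

def canonical(order: dict) -> bytes:
    """Serialize the order deterministically so both sides MAC identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()

def sign_order(order: dict, key: bytes) -> str:
    """Alice attaches an HMAC-SHA256 tag covering every field of the order."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()

def verify_order(order: dict, tag: str, key: bytes) -> bool:
    """Bob recomputes the tag; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(sign_order(order, key), tag)

def alice_orders() -> Tuple[dict, str]:
    # Constructed order; the card number travels separately, encrypted (not shown).
    order = {"buyer": "alice", "isbn": "0-00-000000-0", "qty": 1,
             "ship_to": "Alice, 1 Main St"}
    return order, sign_order(order, SHARED_KEY)

def eavesdropper_tampers(order: dict) -> dict:
    """Integrity threat from 'What can go wrong?': the delivery address is altered in transit."""
    tampered = dict(order)
    tampered["ship_to"] = "Mallory, 99 Elsewhere Rd"
    return tampered

def demo() -> dict:
    order, tag = alice_orders()
    # Non-repudiation gap: Bob holds the same key, so he can mint a valid tag for
    # an order Alice never placed; a third party cannot tell his tag from hers.
    forged = {"buyer": "alice", "isbn": "0-00-000000-0", "qty": 50}
    forged_tag = sign_order(forged, SHARED_KEY)
    return {
        "genuine_accepted": verify_order(order, tag, SHARED_KEY),
        "tampered_rejected": not verify_order(eavesdropper_tampers(order), tag, SHARED_KEY),
        "wrong_key_rejected": not verify_order(order, tag, b"some-other-key"),
        "bob_can_forge": verify_order(forged, forged_tag, SHARED_KEY),
    }

if __name__ == "__main__":
    print(demo())
```

Achieving non-repudiation requires a key only Alice holds, i.e. a digital signature rather than a shared-key MAC.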

