Electronic Commerce Security
1


Group members:
1.
2.
3.
4.
5.
6.

Nguyễn Đình Thịnh
Phạm Văn Việt
Phạm Văn Quốc
Nguyễn Tấn Tín
Hồng Văn Sang
Trần Tiến Vũ
-

- 1713325
- 1713955
- 1714023
- 1713511
- 1712928
1714023
2


Learning Objectives
In this chapter, you will learn:

• What security risks arise in online business and how to manage
them
• How to create a security policy
• How to implement security on Web client computers
• How to implement security in the communication channels
between computers
• How to implement security on Web server computers
• What organizations promote computer, network, and Internet
security
3


Contents
1.
2.
3.
4.
5.

Computer security ………………………………....... 5
Physical devices and network security…………24
SSL protocol ………………………………………………. 53
Database and server security ……………………..59
Countermeasures for security …………………….72
4


Computer security
5



Introduction
•

Proper use of password protection is an important element in maintaining
security
– Most people unwilling to remember numerous complex passwords
and change them often

•

Password management tools are popular solutions for maintaining multiple
complex passwords
– Requires a single, master password for access
– Weak link when hackers access master passwords
• Encryption is an important safeguard to help address attacks
6


Online Security Issues Overview
• Individuals and businesses have had concerns
about security since Internet became a business
communications tool

– Increasing with steady increase in sales and all types
of financial transactions

• Chapter topics

– Key security problems

– Solutions to those problems
7


Computers and Security: A Brief History
•

Modern computer security techniques developed by US Department of
Defense
• “Orange Book”: rules for mandatory access control

•

Business computers initially adopted military’s security methods
– Networks and other factors have increased number of users
accessing computers
– Computers now transmit valuable information

•

Changes have made the need for comprehensive security risk
controls more important than ever
8


Computer Security and Risk
Management
•

Computer security is the protection of assets from unauthorized access, use,

alteration, or destruction.
– Physical security includes tangible protection devices
• Alarms, guards, fireproof doors, security fences, safes or vaults,
and bombproof buildings
• Protection of assets using nonphysical means is called logical
security
• Any act or object that poses a danger to computer assets is known
as a threat
– Countermeasures are procedures (physical or logical) that recognizes,
reduces, and eliminates threats
• Extent and expense depends on importance of asset at risk
9


Computer Security and Risk Management (cont’d.)
• Risk management model: four general actions based on
impact (cost) & probability of physical threat

– Also applicable for protecting Internet and electronic
commerce assets from physical and electronic threats
– Eavesdropper (person or device) that listens in on and copies
Internet transmissions
– Crackers or hackers obtain unauthorized access to
computers and networks
• White hat (good) and black hat (bad) hackers

• Companies must identify risks, determine how to protect
assets, and calculate how much to spend
10



Risk management model

FIGURE 10-1: Risk management model

11


Risk management model
(con’t)

• The same sort of risk management model applies to
protecting Internet and electronic commerce assets from both
physical and electronic threats
• A cracker is a technologically skilled person who uses their
skills to obtain unauthorized entry into computers or network

12


Establishing a Security Policy
1.
2.
3.
4.
5.

Availability?
Integrity?
Authenticity?

Confidentiality?
Utility?

13


Establishing a Security Policy
Availability
•
Availability refers to the ability to access data of a
resource when it is needed, as such the information
has value only if the authorized people can access at
right time.
•
Denying access to data nowadays has become a
common attack.
•
Ex: Let’s say a hacker has compromised a webserver
of a bank and put it down. You as an authenticated
user want to do an e-banking transfer but it is
impossible to access it, the undone transfer is a
money lost for the bank.
14


Establishing a Security Policy
Integrity
• Integrity is the trustworthiness of data in the
systems or resources by the point of view of
preventing unauthorized and improper changes.

• Generally, Integrity is composed of two subelements – data-integrity, which it has to do with
the content of the data and authentication which
has to do with the origin of the data as such
information has values only if it is correct.

15


Ex: Let’s say you are doing an online payment of 5 USD, but your
information is tampered without your knowledge in a way by
sending to the seller 500 USD, this would cost you too much.
In this case cryptography plays a very major role in ensuring data
integrity. Commonly used methods to protect data integrity
includes hashing the data you receive and comparing it with the
hash of the original message. However, this means that the hash of
the original data must be provided in a secure way.

16


Establishing a Security Policy
Confidentiality
•

Confidentiality is the concealment of information or
resources. Also, there is a need to keep information secret
from other third parties that want to have access to it, so just
the right people can access it.

•


Ex: Let’s say there are two people communicating via an
encrypted email they know the decryption keys of each other
and they read the email by entering these keys into the email
program. If someone else can read these decryption keys
when they are entered into the program, then the
confidentiality of that email is compromised.

17


Establishing a Security Policy
Authenticity
●

This element of computer security is the process that confirms a user’s
identity. One method of authenticity assurance in computer security is
using login information such as user names and passwords, while other
authentication methods include harder to fake details like biometrics
details, including fingerprints and retina scans.

●

The right authentication method can help keep your information safe and
keep unauthorized parties or systems from accessing it. In addition to
the right method of authentication, providing users with excellent
systems, security, and privacy training is crucial in ensuring that users
don’t engage with any spam or unsecured emails with links and
downloads that could jeopardize sensitive company information.


●

Ex: Many times, illicit emails can appear legitimate and training is
necessary to prevent employees from accidentally enabling
unauthorized access.

18


Establishing a Security Policy
Utility
●

More businesses and security experts have started to add
“utility” as an element of computer security necessary to
prioritize in their operations. When used to describe a security
element, it refers to the usefulness and availability of
information.

●

If there’s a monumental data disaster, having backups of
critical data helps businesses maintain the utility of their
information.

●

Ex: Systrace is a computer security utility which limits an
application's access to the system by enforcing access
policies for system calls. This can mitigate the effects of

buffer overflows and other security vulnerabilities.
19


Establishing a Security Policy
●

Written statement of: assets to protect and why, who is
responsible for protection and acceptable and unacceptable
behaviors
●

●

Addresses physical and network security, access
authorizations, virus protection, disaster recovery

Steps to create security policy
●

Determine which assets to protect from which threats

●

Determine access needs to various system parts

●

Identify resources to protect assets


●

Develop written security policy

20