efreax.com

The Internet and Security


    Basic communication is open & uncontrolled
    Internet growth = more attacks on computers and networks

    70% of organisations have experienced some form of attack (2000)
    42% of organisations in 1996

But reporting has declined – why?

    Negative publicity – 52%
    Fears that competitors would use it against them – 39%
    Didn’t realise they could report it – 15%
    Commercial financial loss is estimated at 6% of sales revenue

Variety of types of attacks – financial fraud, sabotage, data theft, unauthorised access, denial of service

Why now?

    Growth in commercial transactions on the internet
    Security & usability are inversely related
    Security considerations are low down commercial priorities
    Security depends upon the Internet as a whole
    Dominance of Microsoft makes world susceptible – Melissa virus
    Hacker community growing & easier to hack – script kiddies & macro viruses

Your Business and Security:

Business requirements are:

    Security, privacy, confidentiality & integrity of transactions
    Security fears are a major obstacle to e-business growth
    Identity may be easily faked & a signature is often required

Security Issues that may arise:

Customers’ concerns – is the web site legitimate?

    Does it contain malicious code?
    Will private personal information be distributed to others?

Company’s perspective – is the customer legitimate?

    Will he/she try to alter web pages or content?
    Will he/she try to implement a DoS attack?

Both are concerned about eavesdropping & information integrity.

Security Concerns:

    Confidentiality – controlling access to information
    Integrity – data & programs to be free from unauthorised change or loss
    Availability & Legitimate Use – continual access to authorised users
    Non-Repudiation – ability to ensure that neither party can deny transaction or have anonymity
    Requires a legal framework within which to punish offenders
    Security = compromise – cost vs. perceived security
    Difficult as security is always a cost and there is no way of measuring return on investment

Risk Management:

    Authentication – of the web site or the buyer / participant. Requires some credentials, e.g.
        Knowledge – password
        Physical – card, fob, etc.
        Biometric – fingerprint, retina scan, face recognition
    Authorisation – access rights to certain areas
    Auditing – log files & journal files
    Information Security Policy – iterative development:
        List all resources requiring protection – routers, firewalls, etc.
        Define physical access restrictions to servers, PCs, etc.
        Define electronic access to the above
        Catalogue threats for each resource and perform risk analysis

Security Threats:

    Discover key elements of the network /system
    Scan for vulnerabilities – network sniffers, etc
    Hack system to gain access to administrator levels
    Disable /remove traces from log/journal files
    Steal files, source code or alter data.
    Install back doors or Trojan horses to permit undetectable re-entry
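The "Auditing – log files & journal files" control in Risk Management and the "Disable / remove traces from log/journal files" step above meet in the log itself: a plain text journal can be edited by anyone who has reached administrator level. The example below is added here and is not part of the original notes; it shows one way to make a journal tamper-evident. Each record carries an HMAC over the previous record's tag and its own content, keyed with a secret (AUDIT_KEY, a constructed placeholder) that is assumed to live on a separate log collector the web host cannot read. The events are constructed sample data. Deleting or rewriting a record breaks the chain at that point; silently cutting records off the end does not, so the verifier also has to know how many records it expects, and that caveat is built into verify_log.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed key for the example. In a deployment it lives on a separate log
# collector, so an intruder with administrator rights on the web host cannot
# recompute tags after editing the log.
AUDIT_KEY = b"example-audit-key-do-not-reuse"

# Constructed sample events: a login, a page edit, an escalation and a file read.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2000-05-01T10:00:00Z", "user": "alice", "event": "login_ok"},
    {"ts": "2000-05-01T10:02:13Z", "user": "alice", "event": "edit_page", "page": "/index.html"},
    {"ts": "2000-05-01T10:05:40Z", "user": "root", "event": "su_from", "from": "alice"},
    {"ts": "2000-05-01T10:05:41Z", "user": "root", "event": "file_read", "path": "/etc/shadow"},
]

def _tag(key: bytes, prev_tag: bytes, event: Dict) -> str:
    """HMAC-SHA256 over the previous tag plus this event's canonical JSON.
    Binding each tag to its predecessor turns the journal into a chain."""
    payload = prev_tag + json.dumps(event, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def write_log(key: bytes, events: List[Dict]) -> List[Dict]:
    """Append events in order; each record stores the event and its chained tag."""
    records, prev = [], b"genesis"
    for ev in events:
        tag = _tag(key, prev, ev)
        records.append({"event": ev, "tag": tag})
        prev = tag.encode()
    return records

def verify_log(key: bytes, records: List[Dict], expected_len: Optional[int] = None) -> Tuple[bool, int]:
    """Recompute the chain. Returns (ok, index of the first bad record, or -1).
    Removing or rewriting a record breaks every tag from that point on. Cutting
    records off the end does not, so the verifier must also know how many records
    to expect (for example from a counter kept on the collector)."""
    prev = b"genesis"
    for i, rec in enumerate(records):
        if not hmac.compare_digest(rec["tag"], _tag(key, prev, rec["event"])):
            return False, i
        prev = rec["tag"].encode()
    if expected_len is not None and len(records) != expected_len:
        return False, len(records)
    return True, -1

def audit_demo() -> Dict[str, Tuple[bool, int]]:
    """Intact log versus three ways of 'removing traces'."""
    intact = write_log(AUDIT_KEY, SAMPLE_EVENTS)
    deleted = intact[:2] + intact[3:]                        # the su_from record is dropped
    altered = copy.deepcopy(intact)
    altered[3]["event"]["path"] = "/var/www/index.html"      # the sensitive path is rewritten
    truncated = intact[:3]                                   # the last record is cut off
    n = len(SAMPLE_EVENTS)
    return {
        "intact": verify_log(AUDIT_KEY, intact, n),          # (True, -1)
        "deleted": verify_log(AUDIT_KEY, deleted, n),        # (False, 2)
        "altered": verify_log(AUDIT_KEY, altered, n),        # (False, 3)
        "truncated": verify_log(AUDIT_KEY, truncated, n),    # (False, 3)
    }

if __name__ == "__main__":
    for name, result in audit_demo().items():
        print(f"{name:10} ok={result[0]} first_bad={result[1]}")
```

The chain only detects edits; it does not prevent them. What it buys the defender is that an intruder who edits the journal on the host has to produce tags without the key, so the next verification run from the collector pinpoints where the record was touched.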

Security Defences:

    Growth Industry
    Anti-virus software
    Access Control Software /Hardware
    Physical Security
    Firewalls
    Encryption
    Intrusion Detection

Encryption & Firewalls:

Encryption

    Symmetric systems – same key to encrypt & decrypt – DES
    Asymmetric systems – also known as public key encryption; a different key decrypts – RSA (Rivest, Shamir & Adleman)
    Digital signatures – utilise the public key of organisations
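To make the three bullet points concrete, here is an added example (not from the original notes) using only Python's standard library: a toy hash-based stream cipher standing in for DES, where the same key both encrypts and decrypts; textbook RSA on two constructed primes (DEMO_P and DEMO_Q are assumptions, far below real key sizes), where the public key encrypts and only the private key decrypts; and an RSA signature over a SHA-256 digest that verifies with the public key and fails once the signed order is altered. Neither the toy cipher nor unpadded RSA is suitable for real use; they are here to show which key does what.

```python
import hashlib

# ---- Symmetric: one shared key both encrypts and decrypts -------------------
# Toy stream cipher for illustration only: keystream = SHA-256(key || nonce || counter).
# Not DES and not a vetted cipher; a real system would use AES-GCM or similar.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def symmetric_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; applying it twice with the same key restores the data."""
    ks = _keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

# ---- Asymmetric (textbook RSA): public key encrypts, private key decrypts ----
def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((e, n), (d, n)) from two primes; d is the modular inverse of e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # Python 3.8+ computes the modular inverse directly
    return (e, n), (d, n)

def rsa_encrypt(pub, m: int) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)

def rsa_decrypt(priv, c: int) -> int:
    d, n = priv
    return pow(c, d, n)

# ---- Digital signature: sign with the private key, verify with the public key ----
def _digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def rsa_sign(priv, message: bytes) -> int:
    d, n = priv
    return pow(_digest_int(message, n), d, n)

def rsa_verify(pub, message: bytes, signature: int) -> bool:
    e, n = pub
    return pow(signature, e, n) == _digest_int(message, n)

# Constructed demo primes (toy size; real RSA uses primes of 1024 bits or more).
DEMO_P, DEMO_Q = 1000000007, 998244353

def crypto_demo() -> dict:
    """Round-trip all three primitives on a constructed order; returns the checks."""
    pub, priv = make_keypair(DEMO_P, DEMO_Q)
    # 1. Symmetric: merchant and bank share one key delivered out of band.
    shared_key = b"constructed-shared-secret"
    nonce = bytes(12)            # fixed so the demo is deterministic; never reuse a nonce in practice
    order = b"ORDER 42: 3 x widget, total 29.97"
    ciphertext = symmetric_crypt(shared_key, nonce, order)
    symmetric_ok = ciphertext != order and symmetric_crypt(shared_key, nonce, ciphertext) == order
    # 2. Asymmetric: a small session secret encrypted to the public key; only the private key recovers it.
    session_secret = int.from_bytes(b"\x01\x23\x45\x67\x89\xab\xcd", "big")   # 56 bits, below n
    asymmetric_ok = rsa_decrypt(priv, rsa_encrypt(pub, session_secret)) == session_secret
    # 3. Signature: the buyer signs the order; the merchant verifies with the buyer's public key,
    #    and changing the total makes verification fail.
    sig = rsa_sign(priv, order)
    tampered = b"ORDER 42: 3 x widget, total 0.01"
    signature_ok = rsa_verify(pub, order, sig) and not rsa_verify(pub, tampered, sig)
    return {"symmetric": symmetric_ok, "asymmetric": asymmetric_ok, "signature": signature_ok}

if __name__ == "__main__":
    print(crypto_demo())
```

The point of the split is key distribution: the symmetric key has to reach both parties secretly, whereas the RSA public key can be published, which is what lets a signature be checked by anyone holding it.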

Firewalls

    Packet filtering routers – accept or reject packets of data
    Application level proxies – repackage packets between 2 network cards; hide IP addresses of communicating internal servers
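A packet filtering router applies an ordered rule list to each packet's addresses, protocol and port and accepts or rejects it on that alone. The following is an added example, not from the original notes: a minimal stateless packet filter in Python with a constructed ruleset for the outside interface, consisting of an anti-spoofing rule first, explicit accepts for the web server's HTTP and HTTPS ports, and a default reject. The addresses, the 10.0.0.0/8 internal range and the web server at 10.0.0.5 are assumptions. The filter also returns the index of the rule that fired, which is what a log entry needs in order to explain a decision.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "reject"
    src: str = "0.0.0.0/0"       # source network in CIDR notation (default: any)
    dst: str = "0.0.0.0/0"       # destination network in CIDR notation (default: any)
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    note: str = ""               # human-readable reason, for the log line

    def matches(self, pkt: Packet) -> bool:
        """True when every field the rule constrains agrees with the packet."""
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

# Constructed addressing: an assumed private network and one public web server on it.
INTERNAL_NET = "10.0.0.0/8"
WEB_SERVER = "10.0.0.5/32"

# Ordered ruleset for the router's outside interface; the first matching rule wins.
RULESET: List[Rule] = [
    Rule("reject", src=INTERNAL_NET, note="anti-spoofing: internal source address arriving from outside"),
    Rule("accept", dst=WEB_SERVER, proto="tcp", dport=80, note="public HTTP to the web server"),
    Rule("accept", dst=WEB_SERVER, proto="tcp", dport=443, note="public HTTPS to the web server"),
]

def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); no match means the default reject."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "reject", None

def decision_log(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """One log line per packet, naming the rule that decided it (what an auditor wants to see)."""
    lines = []
    for pkt in packets:
        action, idx = filter_packet(rules, pkt)
        reason = rules[idx].note if idx is not None else "default deny"
        lines.append(f"{action.upper():6} {pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst} ({reason})")
    return lines

# Constructed sample traffic arriving on the outside interface.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.9", "10.0.0.5", "tcp", 80),    # ordinary web visitor
    Packet("203.0.113.9", "10.0.0.5", "tcp", 22),    # SSH from the Internet: not on the list
    Packet("10.1.2.3", "10.0.0.5", "tcp", 80),       # claims an internal source: spoofed
    Packet("203.0.113.9", "10.0.0.7", "tcp", 80),    # HTTP to a host that is not published
]

if __name__ == "__main__":
    print("\n".join(decision_log(RULESET, SAMPLE_TRAFFIC)))
```

Because the filter looks at each packet in isolation, it cannot tell a reply to a connection opened from inside from an unsolicited packet, nor see what the HTTP request carries once port 80 is open; that gap is what the application level proxy in the second bullet addresses by terminating the connection and repackaging the traffic itself.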

E-Payment Systems:

    Credit cards dominate the Internet
    PAIN problems persist:
        Privacy – keep transaction details private
        Authentication – prove you are who you say you are
        Integrity – no alteration to transaction details without detection
        Non-Repudiation – a binding agreement
    An e-payment system is going to require an issuer – bank or ISP
    Regulatory authority – an (independent) agency

E-Payment Criteria:

    Independence – of specialised facilities
    Interoperability & portability – also mesh with existing systems
    Security
    Anonymity
    Divisibility – deal with small cash sums
    Ease of Use – i.e. similar to a credit card
    Facilitate a transaction fee
    B2B – incentives such as lower costs & immediate payments
    Basis for all e-payment schemes is Public Key Infrastructure (RSA)

E-Payment and Digital Certificates:

    Organisations such as Verisign and TRUSTe provide digital certificates authenticating organisations
    SSL – Secure Sockets Layer: the web browser/server takes care of everything
    SET – Secure Electronic Transaction: encrypted protocol for handling & verifying card validity, authorisation & purchase processing
