1 / 28

E-Commerce & Information Security

E-Commerce & Information Security Marc Rogers M.A. EDS Systemhouse Inc. Dept. of Psychology University of Manitoba Agenda E-Commerce Security & Vulnerabilities Attack Trends Computer Crime Impact Survey Attacker Profile Case Studies Conclusions E-Commerce & Security

paul
Télécharger la présentation

E-Commerce & Information Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. E-Commerce & Information Security Marc Rogers M.A. EDS Systemhouse Inc. Dept. of Psychology University of Manitoba

  2. Agenda • E-Commerce Security & Vulnerabilities • Attack Trends • Computer Crime Impact Survey • Attacker Profile • Case Studies • Conclusions

  3. E-Commerce & Security • A national poll of 1,000 Americans • 13 percent of those polled indicated they have no fears about electronic commerce. • The most popular concern was "privacy and security," which was cited by 53 percent of the sample. *Source: Market Facts Inc.

  4. E-Commerce & Security • Securing e-commerce must occur on five fronts: • (1) securing the data transaction, • (2) securing the Web clients, • (3) securing the Web server, • (4) securing the network server operating system. • (5) securing the data in storage

  5. E-Commerce & Security • To date only the data transaction protocols have gained recognition and development of secure properties (SET, SSL). • Security is only as strong as the weakest component. • A failure to secure any one of the five components of electronic commerce may result in the entire system being insecure. • If one component is much more secure than others then criminals will attack the weakest component (the path of least resistance).

  6. E-Commerce & Security • Webservers • Flaws, shortcomings, or even features in a Web server can provide a gateway for a malicious intruder to break into corporate systems • Webclients • Java applets, ActiveX controls, JavaScripts, VBScripts, browser plug-ins, and e-mail attachments all pose potential security and privacy hazards for e-commerce end-users.

  7. E-Commerce & Security • Network Server Operating System • If the OS is insecure then data is at risk. • Data Storage • If the data is stored in clear text or on unprotected servers it is at risk (i.e., insider threat, trojan horse etc.).

  8. E-Commerce & Security VALUJET Department of Justice

  9. E-Commerce & Security • Data Transaction Protocols: • Lack of “one” international standard security protocol • S.E.T. closest thing, but…. • Interoperability? • Certificate Management?

  10. Research and Surveys • Security an obvious concern • What is actually happening? • Is the sky really falling? • Information Security too “marketing driven” • Research and “objective” surveys

  11. CERT/CC • CERT/CC Study 1989-95 • Researcher: • J. D. Howard Ph.D. Carnegie Melon University • Empirical study of : “ The Analysis of Security Incidents on the Internet”

  12. CERT/CC Total number of incidents analyzed 4,567 • False Alarms: 268 (5.9 %) • Remaining: 4,299 (94.1%) • Unauthorized Access: 89.4 % • Unauthorized Use: 10.6 %

  13. CERT/CC • Attacks take advantage of vulnerabilities • Implementation • Design • Configuration • 4 Results of an Attack • Corruption of Information • Disclosure of Information • Theft of Service • Denial of Service

  14. CERT/CC • Attacks are becoming more sophisticated Progressed from simple user command, script and password cracking (sniffers, crackers) in 1993-94, to intricate techniques that fooled the basic operations of IP (spoofing etc.) • But Hackers less skilled

  15. CERT/CC • Attackers have become more difficult to locate and identify. • Earlier attacks the “hackers” tended to be a few individuals confined to a specific location or groups of locations. Due to this confinement they were usually easy to identify. • More recent sophisticated attacks, combined with the exponential increase in the size of the Internet which allow “hackers” to operate in many different locations allows hackers to operate in near obscurity.

  16. CERT/CC • Attacks have a 3 phase approach: • 1) Gain access to an account on a target system • 2) Exploit vulnerabilities to gain privileged (root/admin) access on the system • 3) Use the privileged access to attack other systems across the network.

  17. CERT/CC • Unauthorized use incidents increasing 9% per year greater than the growth of Internet hosts. • 1996 13 million hosts • Estimated by Jan 2001 = 200 million hosts

  18. CSI/FBI 1998-99 • Joint survey between CSI and the FBI International Computer Crime Squad. • Surveyed fortune 500 corporations. • Financial, and Medical Institutions, Government Agencies.

  19. CSI/FBI 1998-99 • 62 % reported computer security breaches • 51% of respondents acknowledged suffering financial loss from breaches. • 31% able to quantify their losses • Total loss $123,779,000.00 USD • 57% reported Internet connections as the point of attack in 1998-99 as compared to 37% in 1997-98.

  20. CSI/FBI 1998-99

  21. Case Study • March 1997 • Carlos Felipe Salgado Jr. AKA “SMAK” • 36 yrs old • Daly City, California • Account compromised at University of California at San Francisco (UCSF) • San Diego ISP compromised • Packet Sniffer detected

  22. Case Study • “SMAK” wants to sell CC numbers • FBI use informant to obtain some sample CC numbers (710) for $1.00/ea • CC numbers are legit • “SMAK” claims to have compromised systems in Asia, Latin America, Germany, and Europe • Used trojans

  23. Case Study • Informant sets up deal btwn “SMAK” and the FBI (posing as MAFIA) • Agreement to pay $260,000.00 for remaining CC numbers • Exchange to take place at San Francisco Intl. Airport • “SMAK” edgy - makes encrypted CDROM with the database

  24. Case Study • “SMAK” arrested with CDROM and key was discovered to be passage from a book he had in his possession • He admitted criminal activity • Cooperative

  25. Case Study • 86,326 Account numbers • 32,526 Visa numbers • 1,214 Issuers were impacted (Banks, CU’s, Brokerage, S&L’s)

  26. Case Study

  27. Case Study • FBI concluded: “On-line commerce tempting target for those willing and able to exploit its weaknesses.” • Salgado Sentenced: • 2 1/2 years incarceration • 5 years probation • Fines and restitution orders • No access to computers and related Devices

  28. Conclusions • E-commerce growing in record numbers • Primary concern is security • Only as strong as weakest link (Webclients, Webservers, Data Storage) • Strong motivation to attack systems • Contrary to media and some vendors - sky is not falling…but beware of dark alleys

More Related