
ITCS 937

ITCS 937. Security management tools and practices in E-Business. Prepared by: Shahriar Hassan 2167323. Introduction. A recent CSI/FBI study found that 85% experienced security breaches in the past 12 months and 64% suffered financial losses that averaged more than $US 2 million.


Presentation Transcript


  1. ITCS 937
  Security management tools and practices in E-Business
  Prepared by: Shahriar Hassan 2167323

  2. Introduction
  • A recent CSI/FBI study found:
    - 85% experienced security breaches in the past 12 months.
    - 64% suffered financial losses that averaged more than $US 2 million.
  Source: http://www.entrust.com/corporate/enhanced.htm accessed 06/08/01

  3. Introduction contd.
  • A three-level approach for managing security in e-commerce:
    - Level 1: Basic practices.
    - Level 2: Building a shield.
    - Level 3: Transmission protection.

  4. Introduction contd.
  • Level 1 (Basic practices)
    - Password management.
    - Access control.
    - Physical security.
  • Level 2 (Building a shield)
    - Policy and procedures.
    - Training and awareness.
    - Intrusion protection.

  5. Introduction contd.
  • Level 3 (Transmission protection)
    - Digital signature.
    - Digital certificate.
    - Encryption.
    - SET.
    - SSL.
    - Biometrics.

  6. Level 1: Basic practices
  • Password management
    - Standard methods: frequent forced change of password, access rights, etc.
    - Standard IT controls: minimum length of passwords, timeout and use of alphanumerical characters.
  • Access control
    - Access to the server should be restricted.
    - Combination password (for authentication).

  7. Level 1 contd.
  • Physical security
    - Equipment should be in secured premises.
    - Limited access to these premises.
    - Adequate protection from fire, flood, power failure, etc.
  • Audit/paper trail
    - Critical documents should be in hard copy.
    - Electronic audit trail.
    - Prompt identification of errors/irregularities.

  8. Level 2: Building a Shield
  • Policies and procedures
    - Need to consider:
      • Security policy.
      • Security organization.
      • Personnel security.
      • Physical and environmental security.
      • Communications and operations management.
      • System development and maintenance.
      • Business continuity management.
      • Compliance.

  9. Level 2 contd.
  • Training and awareness
    - Relevant personnel should be aware of the risks.
    - Prepare to deal with intrusions.
  • Intrusion protection
    - Intrusion management should include:
      • Use of alerting and monitoring software.
      • Benchmarking.
      • Regular independent audits.

  10. Level 2 contd. Intrusion protection contd.
  • Content security:
    - About what is "in" and "out" of the network.
    - A policy is required to cover integrity issues, such as:
      • Loss of information.
      • Confidentiality breaches.
      • Exposure to legal liability.
      • Damage to reputation through misuse of e-mail, etc.

  11. Level 2 contd. Intrusion protection contd.
  • Firewall:
    - Controls access between:
      • a private network and the Internet,
      • different parts of a given network.

  12. Intrusion protection contd. Firewall contd.

  13. Intrusion protection contd. Firewall contd.
  • Limitations:
    - insider intrusion.
    - not useful where there is a direct connection (e.g. a dial-up connection).
    - outsiders masquerading as an authorized user.
  • A component of enterprise security, not the whole solution.

  14. Intrusion protection contd.
  • Personnel security:
    - Single most expensive type of computer crime (FBI/CSI study).
    - Issues should include:
      • Security screening of new employees and contractors.
      • Strong password allocation and controls for access to the network and applications.
      • Use of authentication techniques.

  15. Level 3: Transmission Protection
  • Encryption:
    - Enables data to be coded.
    - Each party in a transaction holds a pair of matched keys:
      • Public key: widely distributed.
      • Private key: kept secret.
    - A message encrypted with a public key can only be read by the recipient using the matching private key.

  16. Level 3 contd. Encryption contd. Encryption and keys

  17. Encryption contd.
  • Limitations:
    - Only protects data while in transit.
    - The encryption stream can be disrupted, corrupting traffic and causing expensive data integrity repairs.

  18. Level 3 contd.
  • Digital signature:
    - A data item that accompanies a digitally encoded message.
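The matched key pair, public-key encryption and digital signature described on slides 15 and 18, as an added Go example that is not part of the original presentation. It assumes RSA with OAEP for encryption and PSS for signatures (the slides name no algorithm), and the message and the names alice and bob are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair makes the matched pair from slide 15: the public half is handed
// out freely, the private half never leaves its owner.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts msg under the recipient's public key (RSA-OAEP, SHA-256);
// only the holder of the matching private key can read the result.
func Seal(recipientPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
}

// Open decrypts with the recipient's private key; the wrong key returns an error.
func Open(recipientPriv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, ct, nil)
}

// Sign produces the data item that accompanies a message (slide 18):
// the message hash signed with the sender's private key (RSA-PSS).
func Sign(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, h[:], nil)
}

// Verify checks a signature with the sender's public key; any change to
// the message, the signature, or the key makes it fail.
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	alice, _ := NewKeyPair() // sender
	bob, _ := NewKeyPair()   // recipient
	msg := []byte("order 42: pay $100") // constructed sample message
	ct, _ := Seal(&bob.PublicKey, msg)
	sig, _ := Sign(alice, msg)
	pt, _ := Open(bob, ct)
	fmt.Println(string(pt), Verify(&alice.PublicKey, pt, sig))
}
```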

  19. Level 3 contd.
  • Digital certificates:
    - The person sending a message owns a digital certificate.
    - Ensures that the recipient knows that the sender is who they say they are.

  20. Digital certificate contd.

  21. Level 3 contd.
  • Secure Socket Layer (SSL)
    - Developed by Netscape in the mid-1990s.
    - Secures communications between client and server by allowing:
      • mutual authentication,
      • use of digital signatures for integrity, and
      • encryption for privacy.

  22. SSL contd.

  23. SSL contd.
  • Advantages:
    - Does not require a trusted third party.
    - Can establish a secure connection even when one end does not have a secure "key".
  • Disadvantages:
    - Users have to pay.
    - Not an open standard.

  24. Level 3 contd.
  • Secure Electronic Transaction (SET)
    - Developed by VISA and MasterCard.
    - Utilizes:
      • digital certificates,
      • e-wallets,
      • certificate authorities, and
      • acquirers
      to provide security and privacy for the cardholder's information.

  25. SET contd. Purchase sequence using SET

  26. SET contd.
  • Advantages:
    - Trusted purchasing environment.
    - Ability to handle multi-party transactions.
    - New extensions: debit card functionality, transactions stored on smart cards, processing of transactions that use the SSL protocol for transport.
  • Disadvantages:
    - Quite complex to start with.
    - Cost prohibitive for most merchants.
    - Few merchants and cardholders.

  27. Level 3
  • Biometrics:
    - Verifying a person by a physical characteristic or personal trait.
    - Access is provided to the person, not to a piece of plastic.
    - Retinal scan, iris recognition, finger imaging, hand geometry, voice recognition, facial imaging, etc.
    - Advantages and disadvantages.

  28. Conclusion
  • Users do not understand security technology.
  • The media perpetuates the uncertainty regarding security threats.
  • Organizations continue to minimize the issue of Internet security.
  • Negligent???
  • Civil suits for negligence???
  • The Internet simply isn't secure enough???

  29. Questions? Thanks.
