1 / 51

Chapter 7

Chapter 7. E-Business Network and Web Site Security. Objectives. In this chapter, you will learn to: Describe general e-business and Web site security issues Identify ways to protect the physical security of a network

rbryan
Télécharger la présentation

Chapter 7

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 7 E-Business Network and Web SiteSecurity E-Business Technologies

  2. Objectives In this chapter, you will learn to: • Describe general e-business and Web site security issues • Identify ways to protect the physical security of a network • List internal network security risks and explain how to protect against them • Discuss external network and Web site security risks and explain how to protect against them E-Business Technologies

  3. Objectives In this chapter, you will learn to: • Identify the risks associated with an e-business’s online transactions • Illustrate a virtual private network • Describe wireless security issues • Discuss the importance of security audits E-Business Technologies

  4. General Network and Web Site Security Issues • E-business security: protecting data and physical networks • E-business security risks include: • Physical risks: Damage to network and data • Internal risks: Threats originating within organization • External risks: Threats from outside the organization • Transactional risks: Data loss and interception E-Business Technologies

  5. Valued Gateway Client: Physical Risks • Include accidental or deliberate damage to equipment or data resulting from natural disaster or sabotage • Specific issues include: • Network equipment and physical location • Electrical power backup • Internet connectivity redundancy • Outsourcing physical risks E-Business Technologies

  6. Network Equipment andPhysical Location Equipment and locations security include: • Network facilities location: network equipment and server rooms always locked, locations anonymous • Fire protection: install fire-suppression systems that do not damage servers, routers, electrical equipment - but these systems might be fatal to humans • Network facilities construction: construction and design of facilities more substantial than conventional office space and with particular attention to electrical and communication considerations E-Business Technologies

  7. Electrical Power Backup • E-businesses should consider two levels of backup power: • Batteries that assume power within milliseconds of a failure • Power generators that automatically start when the batteries die • Critical servers should never be out more than five minutes per year to achieve “five nines reliability” (99.999% uptime) E-Business Technologies

  8. Internet Connectivity Redundancy • E-businesses should have more than one connection to the Internet • ISPs and Web hosting companies often have connections to more than one network service provider (NSP) • Complete data-center redundancy allowse-businesses to continue operations from a different location in the event of a major disaster • What is the price of redundancy and when is the price too high? E-Business Technologies

  9. Outsourcing Physical Risks • Using Web hosting services provides physically secure environment for e-business servers • Fee for service arrangement provides power, connectivity, and secure environment • Eliminates internal risks to physical security • What are the benefits for small firms to outsource? E-Business Technologies

  10. Physical Risks to Network andWeb Site Assets • Include accidental or deliberate damage to equipment or data is accidental or deliberate more likely? • Caused by natural disaster or sabotage • Threat to network infrastructure includes: • Damage to network equipment • Damage to power supplies • Damage from fire E-Business Technologies

  11. Network Equipment andPhysical Location • Physical security begins with equipment safety • Threat reduction includes proper management of network facilities location and fire protection • Security countermeasures for network facilities locations include: • Locked network equipment room doors with restricted personnel access • Locations of servers and switching equipment kept anonymous E-Business Technologies

  12. Network Equipment andPhysical Location • Fire protection and countermeasures to prevent fire damage include: • Use fire suppression system approved for electrical fires in server, switch, and power rooms • Use only fire extinguishers approved for electrical fires in server, switch, and power rooms • Pre-select and train employees responsible for fire control E-Business Technologies

  13. Internal Security Risks • Come from inside the company: unhappy employees, poor security awareness, poor planning • Establishing and enforcing security policy is first countermeasure • Additional countermeasures include: • Password protecting the network • Using biometric identification • Using smart card authorization E-Business Technologies

  14. Passwords • Passwords are used to identify a specific computer user and grant user access • Effective when created properly and changed regularly E-Business Technologies

  15. Biometric Identification • Measurement of biological data • Biometric security devices and software measure and record a computer user’s unique human characteristics (such as eye retina or iris) for user identification • Still under development E-Business Technologies

  16. Smart Card • Smart cards contain an embedded memory chip with user identification information • Can be used to authenticate a remote user logging into a network • Disadvantage: Risk of loss or theft E-Business Technologies

  17. Backup and RestorePolicies and Procedures • Describes the plan for securing vital data files and software in case of disaster • Specifies when and how critical files and software are backed up • Backups should be built in to daily, weekly, monthly network maintenance schedule • Test restore procedure, and archive, by performing periodic restores E-Business Technologies

  18. Backup and RestorePolicies and Procedures • Backup media should also be stored offsite or at least a second copy of the backup media) • Some e-businesses assign backup responsibilities to employees outside of IT department • Offsite storage also available via Internet connection from data management companies E-Business Technologies

  19. Disaster Recovery Planning • Disaster Recovery Plan part of e-business’ Business Continuity Plan • DRP for network operations should include procedures for handling electrical outages, data loss, and security breaches • Plan can include the use or redundant servers and equipment to handle system failover • DRP should be tested periodically E-Business Technologies

  20. External Security Risks • Originate outside the company’s network • Must bypass network defenses • Connecting to the Internet exposes private LANs to risk of attack • Stringent security necessary to protect against external risk E-Business Technologies

  21. Hackers • Outside intruders that deliberately gain unauthorized access to individual computers or computer networks • White hat hackers find and make known weaknesses in computer systems without regard for personal gain • Black hat hackers (crackers) gain access to steal valuable information, disrupt service, or cause damage E-Business Technologies

  22. Hacker Attack Tactics • Objective: interrupt operations or use hacked computer as base of attack on other computers • The most common method is to send confusing data to a server or other computer • Crashing a program can allow a hacker to take control of computers • Buffer overflows tie up operating memory, degrading performance, causing crashes E-Business Technologies

  23. Distributed Denial of Service Attacks • Denial of Service (DoS) attacks designed to disable network using flood of useless traffic • Distributed DoS uses multiple computers to attack networks • DDoS attacks include: • Unending string of Pings • Sending hundred of huge e-mail messages E-Business Technologies

  24. E-Business Technologies

  25. Web Site Defacement • Hacker deliberately changes the content of Web pages • Caused by breaking into network, accessing Web site files and modifying files • Better known victims include FBI, Goodyear, NY Times, and NASA E-Business Technologies

  26. Hacker Countermeasures • Firewalls designed to resist buffer overflows and other common types of hacker attacks • Firewall types include: • Packet-filtering firewalls • Circuit-level firewalls - verified by TCP, the weakness is that once it is verified subsequent packets are not verified • Application-level firewalls (e-mail, FTP, or some other application) E-Business Technologies

  27. E-Business Technologies

  28. hacking back is illegal Hacker Countermeasures • Network Address Translation uses external IP addresses to hide internal IP addresses • Proxy server uses external IP address to send HTTP request over Internet and forwards responses from HTTP servers to requesting client using internal IP address E-Business Technologies

  29. How Filters Work • A filter is a process or device that screens incoming information • Allows only information that meets specified criteria through • Disabling service ports denies access to HTTP, e-mail from Internet • Restricting access to internal IP addresses hides computers E-Business Technologies

  30. Viruses Standard computer viruses: • Are small, usually destructive, programs that are inserted into other files that then become “infected” • Infect executable programs or operating system files, spreading when infected program executes • Can also spread via e-mail headers or attachments • Can prevent a computer system from booting, erase files or entire hard drives, prevent the saving or printing of files, and send repetitive e-mail messages E-Business Technologies

  31. Worms • Viruses that reside in a computer’s memory replicating itself • Uncontrolled replications consume a computer’s resources, slowing or crashing the system E-Business Technologies

  32. Macro Viruses • A macro virus is a virus that infects macros • Distributed in files such as Word documents or Excel workbooks e-mailed or transferred via floppy disk E-Business Technologies

  33. Trojan Horses • Pretends to be something useful or fun, does something malicious instead • Used to steal passwords, record a user’s keystrokes, locate IP addresses, and plant other destructive programs E-Business Technologies

  34. Wireless Viruses • “Liberty Crack” Palm Trojan, identified in August 2000 • Could delete all applications on a Palm device • “Phage” discovered in September 2000 • Infected Palm operating system applications and documents • Proliferated when users beamed or shared an infected document E-Business Technologies

  35. Virus Hoaxes • Some so-called viruses trumpeted in the media or announced via warning e-mails are just hoaxes • False warnings about viruses proliferate as quickly as real viruses • Creates an atmosphere in which a real virus warning might not be taken seriously • Several antivirus software vendors maintain up-to-date information on viruses, worms, Trojan horses, and hoaxes. This information is available online. E-Business Technologies

  36. Virus Countermeasures • Countermeasures to block infections include: • Antivirus software • Employee education • Installing software updates and patches • User awareness • Use of application software tools • It's not just the job of IT, but of all users E-Business Technologies

  37. Transactional Security • Transactional security includes: • Authentication • Integrity • Nonrepudiation • Confidentiality • Protective measures include: sending and receiving encrypted messages or data, using digital certificates to authenticate the parties involved in the transaction, and storing retained customer information properly E-Business Technologies

  38. Encryption • Cryptography is the art of protecting information by encrypting it • Encryption is the translation of data into a secret code called ciphertext • Ciphertext that is transmitted to its destination and then decrypted (or returned to its unencrypted format) is called plaintext • Both parties in a transaction need access to encryption key • Network encryption uses two keys: a public key to encrypt information and a private key to decrypt it E-Business Technologies

  39. Public Key Infrastructure • An e-business obtains public and private keys from a certificate authority (CA) • Public keys are posted to a public directory • Private keys are given only to the e-business requesting the keys • A digital certificate is the electronic security credential that certifies an entity’s identity E-Business Technologies

  40. E-Business Technologies

  41. How Public Key Encryption Works • Public-key encryption is asymmetric • Uses very large prime numbers to create public keys • Public and private keys are used for the initial session greeting; session keys encrypt and decrypt data • Session keys are shorter keys created and used only during the current session and discarded afterward • In the U.S., session keys usually consist of 16 digits equaling 128 bits, also called 128-bit keys E-Business Technologies

  42. Security Protocols • Secure Sockets Layer (SSL) uses public key encryption and digital certificates; and is included in Web browsers/Web servers • Transport Layer Security (TLS) used to assure no third-party access to Internet communications Uses two protocols: • TLS Record Protocol • TLS Handshake Protocol • Secure Electronic Transactions (SET) protocol used for presenting credit card transaction on the Internet E-Business Technologies

  43. Virtual Private Networks • Virtual Private Networks (VPNs) are private networks that use the Internet to transmit data VPNs use: • Firewalls • Public key encryption • Digital certificates E-Business Technologies

  44. E-Business Technologies

  45. Tunneling • Tunneling encapsulates one protocol within another protocol requires telecomm equipment that supports VPN • VPNs using the Internet encapsulate encrypted data, sending and receiving IP addresses, and a special tunneling protocol within a regular IP packet • Tunneling protocols include: Point-to-Point, GRE, L2TP, and IPSec • Method of data encryption and encapsulation depends on the protocol used E-Business Technologies

  46. Wireless Security • Eavesdropping on early wireless transmissions was fairly simple: • FDMA technologies stayed on one frequency for call duration, required “listening device” that operated on same frequency • TDMA technologies switch can be intercepted using device that listens for one-third of a second and then decompresses signal into full second of speech • CDMA (other current standards) poses more of a challenge, but … not invincible E-Business Technologies

  47. WAP and WTLS • Wireless Transport Layer Security (WTLS) uses encryption and digital certificates • Upon accessing WAP server, WAP client requests secure connection • WAP server responds by sending digital certificate, with public key • WAP client generates encrypted session key to WAP server, which decrypts the key • WAP client/server can send/receive encrypted data for balance of session E-Business Technologies

  48. WLANs and Security • WLANs are most vulnerable at wireless access points • Hackers need only an 802.11b-enabled laptop, an inexpensive antennae, and WLAN access point detection software, such as NetStumbler • Using “meaningful” access point names and “default” settings on wireless access points simplifies hacker’s job • Using Wireless Equivalent Privacy (WEP) security protocol (IEEE 802.11b Wi-Fi) provides encryption and authentication of wireless transmissions E-Business Technologies

  49. IrDA and Bluetooth Security • Short distances and line-of-sight requirements for IrDA devices make “sniffers” impractical • Using laptops with default IrDA port settings in public places (such as airports) automatically allows networking with other IrDA devices without authentication or passwords • Bluetooth uses 128-bit link key, private encryption keys, user PIN and device addresses for transmission security • Bluetooth vulnerability: device address sent with each transmission and user PINs can be compromised easily by theft or loss of device E-Business Technologies

  50. Security Audits • Security audit is a comprehensive review and assessment of an e-business’s security vulnerabilities • A complete security audit should include: reviewing security policies, employee security training, and the physical security of thee-business’s offices and network facilities • Audits can include examining the technical security of a network via penetration testing or actual attempted hacking attacks by security audit personnel E-Business Technologies

More Related