Transcript Outline

Security for Electronic Commerce:
Introduction
Vijay Atluri
[email protected]
http://cimic.rutgers.edu/~atluri
1
Electronic Commerce (EC)

• Is an area of study that is concerned with developing methodologies and systems that support
  – Creation of information sources,
  – Effective & efficient interactions among sellers, consumers, intermediaries & producers, and
  – Movement of information across the global networks
2
EC Objectives

• In general
  – Increasing the speed and efficiency of business transactions and processes, and improving customer relationships and services
3
EC Objectives (Specifically)

• e.g.,
  – Streamlining procurement processes; decrease costs
  – Decrease length of production cycles
  – Increase number of trading partners
  – Achieve closer customer and vendor relationships
  – Enhanced competitiveness and economic growth
  – Enable enterprises to effectively conduct business with distant partners
  – Empower small businesses
4
EC Today

• EC, although it has gained attention only recently, has been around for more than 20 years
  – EDI, EFT, ATM, credit cards, telephone banking
  – EDI has not gained popularity because of high initial investment and high maintenance cost
• Development of IT (telecommunications, user-friendly software, smaller and affordable computing) has triggered major advances in many areas
  – EC, Digital Libraries, Telemedicine, Telecommuting, distance learning, collaborative computing, just to name a few
5
EC Environment

• Vast amount of multimedia (MM) data
• Distributed, autonomous, and heterogeneous information sources
• Wide range of users' specialties and abilities
• Support for decision making
• The Internet as an infrastructure
6
Media for EC

• VAN (value-added network)
• Proprietary networks
• Internet
  – Emerging global market place
7
Internet Growth

• The hype surrounding the Internet and Internet growth over-emphasizes the number of Internet users
• To put this in perspective
  – World population who use the Internet: < 2%
8
Recent Statistics
Last Updated - Tuesday September 5, 2000 05:07:21 AM

Total domains registered worldwide: 27,617,033
Number of .com domains: 17,050,817

Breakdown of registered InterNIC Domains
  .com    17,050,817
  .net     2,806,721
  .org     1,614,740
  .edu         5,673
  .gov           730
  Total   21,478,681
9
Recent Statistics
ISO and other country level domains
  .de (Germany)          1,732,994
  .uk (United Kingdom)   2,078,474
  .au (Australia)          150,505
  .dk (Denmark)            204,475
  .ar (Argentina)          324,548
  .nl (Netherlands)        416,842
  .ch (Switzerland)        112,912
  .jp (Japan)              190,709
  .br (Brazil)             312,115
  .it (Italy)              312,186
  .kr (Korea)              325,203
  .ca (Canada)              93,330
  .at (Austria)            123,287
  .se (Sweden)              49,653
  .nu (Niue)                61,314
  .za (South Africa)        75,655
  .nz (New Zealand)         73,002
10
  Rank  Nation          Internet Users (000)
   1.   United States       110,825
   2.   Japan                18,156
   3.   UK                   13,975
   4.   Canada               13,277
   5.   Germany              12,285
   6.   Australia             6,837
   7.   Brazil                6,790
   8.   China                 6,308
   9.   France                5,696
  10.   South Korea           5,688
  11.   Taiwan                4,790
  12.   Italy                 4,745
  13.   Sweden                3,950
  14.   Netherlands           2,933
  15.   Spain                 2,905
11
Internet Usage Ranked by Native Language
  Language                   % of World Online Population
  English                    57.4%
  Non-English                42.6%
    Japanese                  8.8%
    German                    6.2%
    Chinese                   4.4%
    Spanish                   4.3%
    French                    4.2%
    Scandinavian              2.5%
    Italian                   3.3%
    Korean                    1.9%
    Portuguese                1.5%
    All Others                5.5%
  Total European Languages   26.4%
  Total Asian Languages      16.2%
Source: Global Reach
12
Categories of EC

• B2B
  – built on established trust relationships; makes use of the partners' shared computer/telecomm infrastructures
  – able to achieve efficiency through large volume of transactions
• B2C
  – is built on mutual distrust; has a small volume of transactions
  – requires a ubiquitous, low-cost infrastructure
  – provides an opportunity for personalization and customization
• B2G
  – more restrictive due to government regulations
  – in the US, the Federal Acquisition Streamlining Act (FASA) has mandated that all government agencies conduct bidding via EDI by late 1999
13
Estimated Product Mix in Year 2000
  Computer Products   32%
  Travel              24%
  Entertainment       19%
  Gifts & Flowers     10%
  Food & Drink         5%
  Apparel              5%
  Others               5%
Source: Glasser, "Selling Online: Electronic Storefront That Works"
14
Some statistics
Business-to-Consumer and Business-to-Business, for 1998, 1999, 2002 and 2003 (figures as given on the slide):
$18.2 Billion
$43 Billion
$108 Billion
$847.2 Billion
$1.3 Trillion
$1.8 to $3.2 Trillion (Global)
15
More statistics (billions)
  Year    B2B     B2C     B2G    Total(e)   Total
  1997    5.6     1.8     0.6       8       11,429
  1998   16       4.77    1.71     22.48    11,657
  1999  114       7.6     2.4     124       12,006
  2002  268      35.3     8.4     311.7     14,006
16
More statistics
17
Online vs. Offline Sales Growth
18
Online vs. Offline Sales Growth
19
Interdisciplinary Nature of EC

• Technical
  – Network, Database, Security, ..
• Business
  – Marketing, Finance, ..
• Legal and Policy
  – Ethics, privacy, ..
• Our Focus
  – Security technologies, policies, standards
20
Conceptual Model of EC
21
EC Requirements and Services

• Acquiring and storing information
• Search and discovery services
• Electronic payments
• Security services
• Connectivity
• Legal and policy requirements
22
Why do we need to worry about security?

• Security and trust are important in conducting business
  – evolved over centuries in the traditional paper world
  – for example, we always trust the bank if we deposit money
• In the electronic world, we need to face many new challenges
  – we transact in a new medium (the Internet) that is open
  – it is targeted towards flexibility, interoperability and connectivity rather than security
  – do we ever use a secure phone for placing an order over the phone?
• A new type of currency?
• Remote, and sometimes unknown, business parties
23
Why do we need to worry about security?

• Easy to commit crime due to
  – lack of forensic evidence
  – anonymity
  – sensitive data repositories are vulnerable targets
  – rare regular auditing of computer usage
  – non-existent regulatory policies and laws
• Cookies and privacy concerns
• Executable content (Java applets, ActiveX controls)
• Push technology
• CGI scripts
24
Why do we need to worry about security?

• Many weak links
  – vulnerabilities in client software, server software, back-end databases
  – web clients (recall the IE version 3.0 vulnerability) and servers
  – the whole system is only as secure as its weakest link
Diagram: CLIENT (with its Database) communicating with SERVER (with its Database)
25
Security Objectives

• Confidentiality: concerned with unauthorized disclosure of information
• Integrity: concerned with unauthorized modification of information
• Availability: concerned with improper denial of access to information
26
Security Techniques

• Prevention
  – access control
• Detection and recovery
  – auditing / intrusion detection
  – incident handling
• Tolerance
  – practicality
27
Tradeoffs

• confidentiality, integrity, availability
  versus
• cost, functionality, ease of use

• Security is a process, NOT a turn-key product
• Absolute security does not exist
• Security in most systems can be improved
28
Achieving Security

• Policy
  – what?
  – specifies the requirements to be implemented
  – includes software, hardware, physical, personnel, procedural
  – specifies goals but does not specify how to achieve them
• Mechanism
  – how?
  – specifies how the policy can be implemented
• Assurance
  – how well?
  – ensures how well the mechanism meets the policy requirements
  – low assurance mechanisms are easy to implement whereas high assurance mechanisms are very difficult to implement
29
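The policy / mechanism / assurance split above is easiest to see when the three are kept apart in code. The following is an added example written for this outline, not code from the lecture: the policy is a declarative statement of what is permitted (data only, saying nothing about enforcement), the mechanism is a default-deny reference monitor that decides each request against that data, and the assurance step is a set of cases the monitor must decide correctly, including ones it must deny. The roles, users, objects and the "own order" rule are constructed assumptions for illustration.

```python
"""Policy (what), mechanism (how) and assurance (how well), kept separate.

Added illustration, not from the lecture. Roles, objects and users are
constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional

# --- Policy: WHAT must hold. Pure data; it says nothing about enforcement. ---
# (role, object, action) triples that are permitted; everything else is denied.
POLICY = {
    ("customer", "catalog", "read"),
    ("customer", "own_order", "read"),
    ("customer", "own_order", "create"),
    ("clerk", "catalog", "read"),
    ("clerk", "catalog", "update"),
    ("clerk", "any_order", "read"),
    ("auditor", "audit_log", "read"),
}

# Assumed user directory (constructed sample data).
USERS = {
    "alice": {"role": "customer", "id": 101},
    "bob": {"role": "clerk", "id": 7},
    "eve": {"role": "auditor", "id": 9},
}


@dataclass(frozen=True)
class Request:
    user: str
    obj: str                        # "catalog", "order" or "audit_log"
    action: str
    owner_id: Optional[int] = None  # owner of the order when obj == "order"


# --- Mechanism: HOW a request is mapped onto the policy and decided. ---
def is_permitted(req: Request) -> bool:
    """Default-deny reference monitor: unknown user or unmatched triple -> False."""
    user = USERS.get(req.user)
    if user is None:
        return False
    role = user["role"]
    # Translate the concrete object into the policy's vocabulary. An order is
    # always "any_order"; it is also "own_order" when the requester owns it.
    if req.obj == "order":
        candidates = ["any_order"]
        if req.owner_id is not None and req.owner_id == user["id"]:
            candidates.append("own_order")
    else:
        candidates = [req.obj]
    return any((role, obj, req.action) in POLICY for obj in candidates)


# --- Assurance: HOW WELL the mechanism meets the policy. ---
def assurance_checks() -> List[str]:
    """Run the mechanism against cases the policy fixes; return the names that failed."""
    cases = [
        ("customer reads catalog", Request("alice", "catalog", "read"), True),
        ("customer reads own order", Request("alice", "order", "read", owner_id=101), True),
        ("customer reads another's order", Request("alice", "order", "read", owner_id=7), False),
        ("customer updates catalog", Request("alice", "catalog", "update"), False),
        ("clerk reads any order", Request("bob", "order", "read", owner_id=101), True),
        ("clerk reads audit log", Request("bob", "audit_log", "read"), False),
        ("unknown user reads catalog", Request("mallory", "catalog", "read"), False),
        ("auditor creates order", Request("eve", "order", "create", owner_id=9), False),
    ]
    return [name for name, req, expected in cases if is_permitted(req) != expected]


if __name__ == "__main__":
    failed = assurance_checks()
    print("all assurance checks passed" if not failed else "FAILED: %s" % failed)
```

Changing the policy means editing the POLICY set, not the monitor; changing the mechanism (say, to consult a database instead of a dict) leaves the policy and the assurance cases untouched, which is exactly why the three are worth separating.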
Security Technologies

• Cryptography
• Authentication
• Access control
• Auditing
• Intrusion Detection
• Incident response and recovery
30
Risk Assessment

• Threats
  – possible attacks
• Vulnerabilities
  – weaknesses
• Assets
  – information and resources
• Risk
  – combination of threats, vulnerabilities and assets
31
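"Risk is a combination of threats, vulnerabilities and assets" becomes concrete once each factor is scored and combined per asset. The block below is an added example for this outline, not from the lecture; the scoring rule (asset value x threat likelihood x vulnerability exploitability, summed over every applicable triple) and the small inventory for an online shop are constructed assumptions. It also re-scores after one weakness is mitigated, which is the "security is a process" point from the Tradeoffs slide.

```python
"""Risk as a combination of threats, vulnerabilities and assets.

Added illustration, not from the lecture. Scoring rule and inventory are
assumptions: each (asset, threat, vulnerability) triple contributes
    asset value x threat likelihood x vulnerability exploitability
and an asset's risk is the sum over the triples that apply to it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    value: int             # 1 (low) .. 5 (critical), constructed scale


@dataclass
class Threat:
    name: str
    likelihood: float      # 0.0 .. 1.0, chance of an attempt per period


@dataclass
class Vulnerability:
    name: str
    exploitability: float  # 0.0 .. 1.0, chance an attempt succeeds
    asset: str             # which asset carries the weakness
    threats: List[str] = field(default_factory=list)  # threats able to use it


# Constructed sample inventory for a small online shop.
ASSETS = {a.name: a for a in [
    Asset("customer database", 5),
    Asset("web storefront", 4),
    Asset("marketing pages", 1),
]}
THREATS = {t.name: t for t in [
    Threat("external attacker", 0.9),
    Threat("insider", 0.2),
    Threat("defacement", 0.5),
]}
VULNS = [
    Vulnerability("SQL injection in order form", 0.6, "customer database", ["external attacker"]),
    Vulnerability("shared admin password", 0.8, "customer database", ["insider", "external attacker"]),
    Vulnerability("unpatched web server", 0.5, "web storefront", ["external attacker", "defacement"]),
    Vulnerability("world-writable html dir", 0.9, "marketing pages", ["defacement"]),
]


def risk_by_asset(vulns: List[Vulnerability]) -> Dict[str, float]:
    """Sum of value x likelihood x exploitability over every applicable triple."""
    scores = {name: 0.0 for name in ASSETS}
    for v in vulns:
        for t_name in v.threats:
            scores[v.asset] += (ASSETS[v.asset].value
                                * THREATS[t_name].likelihood
                                * v.exploitability)
    return {name: round(s, 2) for name, s in scores.items()}


def ranked(vulns: List[Vulnerability]) -> List[Tuple[str, float]]:
    """Assets ordered from highest to lowest risk: where to spend first."""
    return sorted(risk_by_asset(vulns).items(), key=lambda kv: kv[1], reverse=True)


def mitigate(vulns: List[Vulnerability], name: str, new_exploitability: float) -> List[Vulnerability]:
    """Re-score after a control lowers one weakness (security as a process)."""
    return [Vulnerability(v.name,
                          new_exploitability if v.name == name else v.exploitability,
                          v.asset, list(v.threats))
            for v in vulns]


if __name__ == "__main__":
    for asset, score in ranked(VULNS):
        print("%-20s %5.2f" % (asset, score))
    after = mitigate(VULNS, "shared admin password", 0.1)   # e.g. per-user accounts
    print("customer database after mitigation: %.2f" % risk_by_asset(after)["customer database"])
```

Note that the same vulnerability contributes once per threat that can use it, so a weakness reachable by both insiders and outsiders weighs more than one reachable by a single threat, and a cheap control on the most shared weakness moves the ranking more than a costly control on an isolated one.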
Risks

• Electronic systems are susceptible to abuse, misuse and failure
• direct financial loss resulting from fraud
• theft of valuable confidential information
• loss of business opportunity due to disruption of service
• unauthorized use of resources
• loss of customer confidence
• costs resulting from uncertainties
• false and malicious web sites posing as selling agents
• theft of customer data from selling agents
• privacy and the use of cookies
• customer impersonation
32
Many attacks

• Alteration and deletion of information from web pages, including that of the CIA
• 1995 attack on Citibank's cash management system: $10 million fraud
• Netscape: cryptographic keys broken in less than a minute
• Sniffer attacks have become commonplace
• Hacking into hundreds of US military and research facilities
33
Many Software vulnerabilities
(reported in March 2000)

• Microsoft Internet Explorer 5.0 allows an attacker to set up a web page giving him the ability to execute any program on the visitor's machine
• By modifying the URL, an attacker can completely bypass the authentication of the Axis StarPoint CD-ROM servers
• If an attacker sends the Netscape Enterprise Server 3.6 a certain type of long message, a buffer overflow crashes a particular process. The attacker can then execute arbitrary code remotely on the server
• Dosemu, the DOS emulator shipped with Corel Linux 1.0, allows users to execute commands with root privileges
34
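The second item, authentication bypassed by modifying the URL, is a recurring class of web bug: the access check and the resource lookup look at two different forms of the same path. The block below is an added example written for this outline; it is a generic toy handler, not the Axis product's code and not a description of that specific flaw. The resources, the session token and the protected prefix are constructed assumptions. The vulnerable handler compares the raw request path against "/admin/" but serves files by the decoded, normalised path, so spellings such as "/./admin/config" or "/%61dmin/config" slip past the guard; the fixed handler canonicalises once and uses that form for both decisions.

```python
"""Authentication bypass by URL manipulation, illustrated generically.

Added example, not from the lecture and not the Axis flaw it mentions.
Resources, session tokens and the protected prefix are constructed.
"""
import posixpath
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import unquote

RESOURCES = {
    "/index.html": "welcome",
    "/admin/config": "db_password=hunter2",   # constructed secret
}
VALID_SESSIONS = {"s3ss10n-admin"}           # constructed session token
PROTECTED_PREFIX = "/admin/"


def canonical(path: str) -> str:
    """Decode percent-encoding, then collapse '.', '..' and repeated slashes.

    The leading slashes are stripped and one is put back so that "//admin/x"
    normalises to "/admin/x" (posixpath.normpath keeps a leading "//" as is).
    """
    decoded = unquote(path)
    return posixpath.normpath("/" + decoded.lstrip("/"))


def handle_vulnerable(path: str, session: Optional[str]) -> Tuple[int, str]:
    """Guard inspects the RAW path; the lookup uses the canonical path."""
    if path.startswith(PROTECTED_PREFIX) and session not in VALID_SESSIONS:
        return 401, "auth required"
    body = RESOURCES.get(canonical(path))
    return (200, body) if body is not None else (404, "not found")


def handle_fixed(path: str, session: Optional[str]) -> Tuple[int, str]:
    """Canonicalise ONCE; guard and lookup both use that single form."""
    cpath = canonical(path)
    if cpath.startswith(PROTECTED_PREFIX) and session not in VALID_SESSIONS:
        return 401, "auth required"
    body = RESOURCES.get(cpath)
    return (200, body) if body is not None else (404, "not found")


# Spellings of /admin/config that a raw prefix check does not recognise.
BYPASS_ATTEMPTS = [
    "/./admin/config",        # dot segment
    "//admin/config",         # doubled slash
    "/%61dmin/config",        # percent-encoded 'a'
    "/x/../admin/config",     # traversal through a non-existent directory
]


def bypass_results(handler: Callable[[str, Optional[str]], Tuple[int, str]]) -> Dict[str, int]:
    """Status code each unauthenticated bypass attempt gets from the handler."""
    return {p: handler(p, None)[0] for p in BYPASS_ATTEMPTS}


if __name__ == "__main__":
    print("vulnerable:", bypass_results(handle_vulnerable))   # all 200
    print("fixed:     ", bypass_results(handle_fixed))        # all 401
```

The general rule: decide authorisation on the same canonical object the server will actually act on, never on an earlier, un-decoded view of the request.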
Some interesting statistics

• Credit card fraud: $5 billion annually worldwide
• Online information theft: $10 million annually in the US
  – credit card numbers, pirated software, corporate secrets
• Information security compromises:
  – 50% of organizations suffered an information-security-related financial loss in the last 2 years
  – 10% of users reported an attempted or successful break-in via the Internet in the last year
  – 50% claimed that they would not know if someone broke into their system through the Internet
• Hacking: 20% of organizations having external access have been hacked
35
More ..
36
37
Growth in Security Software Market
38
Outline of the Course

• Security Technologies
• Networking and Telecommunications technologies
• Security Policies and regulations
• Security standards
• Internet Security
• Secure Payment Systems
• JAVA security
• Security and auctions
• Intellectual property protection, watermarking
• Certificates, certification practices, PKI
• Database security
39