Transcript Outline
Security for Electronic Commerce:
Introduction
Vijay Atluri
http://cimic.rutgers.edu/~atluri
1
Electronic Commerce (EC)
Is an area of study that is concerned with developing methodologies and systems that support
  Creation of information sources,
  Effective & efficient interactions among sellers, consumers, intermediaries & producers, and
  Movement of information across the global networks
2
EC Objectives
In general: increasing the speed and efficiency of business transactions and processes, and improving customer relationships and services
3
EC Objectives (Specifically)
e.g.,
  Streamlining procurement processes; decrease costs
  Decrease length of production cycles
  Increase number of trading partners
  Achieve closer customer and vendor relationship
  Enhanced competitiveness and economic growth
  Enable enterprises to effectively conduct business with distant partners
  Empower small businesses
4
EC Today
EC, although it has gained attention only recently, has been around for more than 20 years:
  EDI, EFT, ATM, credit cards, telephone banking
EDI has not gained popularity because of high initial investment and high maintenance cost
Development of IT (telecommunications, user-friendly software, smaller and affordable computing) has triggered major advances in many areas:
  EC, digital libraries, telemedicine, telecommuting, distance learning, collaborative computing, just to name a few
5
EC Environment
Vast amount of MM data
Distributed, autonomous, and heterogeneous information sources
Wide range of users' specialties and abilities
Support for decision making
The Internet as an infrastructure
6
Media for EC
VAN: proprietary networks
Internet: emerging global market place
7
Internet Growth
The hype surrounding the Internet and Internet growth overemphasizes the number of Internet users
To put it in perspective: less than 2% of the world population uses the Internet
8
Recent Statistics
Last Updated - Tuesday September 5, 2000 05:07:21 AM
Total domains registered worldwide: 27,617,033
Number of .com domains: 17,050,817
Breakdown of registered InterNIC domains:
  .com   17,050,817
  .net    2,806,721
  .org    1,614,740
  .edu        5,673
  .gov          730
  Total  21,478,681
9
Recent Statistics
ISO and other country level domains:
  .de (Germany)          1,732,994
  .uk (United Kingdom)   2,078,474
  .au (Australia)          150,505
  .dk (Denmark)            204,475
  .ar (Argentina)          324,548
  .nl (Netherlands)        416,842
  .ch (Switzerland)        112,912
  .jp (Japan)              190,709
  .br (Brazil)             312,115
  .it (Italy)              312,186
  .kr (Korea)              325,203
  .ca (Canada)              93,330
  .at (Austria)            123,287
  .se (Sweden)              49,653
  .nu (Niue)                61,314
  .za (South Africa)        75,655
  .nz (New Zealand)         73,002
10
Rank  Nation          Internet Users (000)
 1.   United States   110,825
 2.   Japan            18,156
 3.   UK               13,975
 4.   Canada           13,277
 5.   Germany          12,285
 6.   Australia         6,837
 7.   Brazil            6,790
 8.   China             6,308
 9.   France            5,696
10.   South Korea       5,688
11.   Taiwan            4,790
12.   Italy             4,745
13.   Sweden            3,950
14.   Netherlands       2,933
15.   Spain             2,905
11
Internet Usage Ranked by Native Language
Language        % of World Online Population
English         57.4%
Non-English     42.6%
  Japanese       8.8%
  German         6.2%
  Chinese        4.4%
  Spanish        4.3%
  French         4.2%
  Scandinavian   2.5%
  Italian        3.3%
  Korean         1.9%
  Portuguese     1.5%
  All Others     5.5%
Total European Languages   26.4%
Total Asian Languages      16.2%
Source: Global Reach
12
Categories of EC
B2B
  Built on established trust relationships; makes use of their shared computer/telecomm infrastructures
  Able to achieve efficiency through large volume of transactions
B2C
  Is built on mutual distrust; has a small volume of transactions
  Requires a ubiquitous, low-cost infrastructure
  Provides an opportunity for personalization and customization
B2G
  More restrictive due to government regulations
  In the US, the Federal Acquisition Streamlining Act (FASA) has mandated that all government agencies conduct bidding via EDI by late 1999
13
Estimated Product Mix in Year 2000
Computer Products   32%
Travel              24%
Entertainment       19%
Gifts & Flowers     10%
Food & Drink         5%
Apparel              5%
Others               5%
Source: Glasser, “Selling Online: Electronic Storefront That Works”
14
Some statistics
Business-to-Consumer and Business-to-Business figures for 1998, 1999, 2002 and 2003: $18.2 Billion, $43 Billion, $108 Billion, $847.2 Billion, $1.3 Trillion, $1.8 to $3.2 Trillion (Global)
15
More statistics
(billions)   B2B     B2C     B2G    Total(e)   Total
1997         5.6     1.8     0.6    8          11,429
1998         16      4.77    1.71   22.48      11,657
1999         114     7.6     2.4    124        12,006
2002         268     35.3    8.4    311.7      14,006
16
More statistics
17
Online vs. Offline Sales Growth
18
Online vs. Offline Sales Growth
19
Interdisciplinary Nature of EC
Technical: Network, Database, Security, ..
Business: Marketing, Finance, ..
Legal and Policy: Ethics, privacy, ..
Our Focus: Security technologies, policies, standards
20
Conceptual Model of EC
21
EC Requirements and Services
Acquiring and storing information
Search and discovery services
Electronic payments
Security services
Connectivity
Legal and policy requirements
22
Why do we need to worry about security?
Security and trust are important in conducting business
  They evolved over centuries in the traditional paper world
  For example, we always trust the bank if we deposit money
In the electronic world, we need to face many new challenges
  We transact in a new medium (the Internet) that is open and targeted towards flexibility, interoperability and connectivity rather than security
  Do we ever use a secure phone for placing an order over the phone?
  A new type of currency?
  Remote, and sometimes unknown, business parties
23
Why do we need to worry about security?
Easy to commit crime due to
  lack of forensic evidence
  anonymity
Sensitive data repositories are vulnerable targets
Rare regular auditing of computer usage
Non-existing regulatory policies and laws
Cookies and privacy concerns
Executable contents (Java applets, ActiveX controls)
Push technology
CGI scripts
24
Why do we need to worry about security?
Many weak links
  Vulnerabilities in client software, server software, back-end databases
  Web clients (recall the IE version 3.0 vulnerability) and servers
  The whole system is only as secure as its weakest link
[Figure: SERVER with Database, CLIENT with Database]
25
Security Objectives
Confidentiality: concerned with unauthorized disclosure of information
Integrity: concerned with unauthorized modification of information
Availability: concerned with improper denial of access to information
26
Security Techniques
Prevention: access control
Detection and recovery: auditing/intrusion detection, incident handling
Tolerance: practicality
27
Tradeoffs
Confidentiality, integrity, availability versus cost, functionality, ease of use
A process, NOT a turn-key product
  absolute security does not exist
  security in most systems can be improved
28
Achieving Security
Policy
  – what?
  – specifies the requirements to be implemented
  – includes software, hardware, physical, personnel, procedural
  – specifies goals but does not specify how to achieve them
Mechanism
  – how?
  – specifies how the policy can be implemented
Assurance
  – how well?
  – ensures how well the mechanism meets the policy requirements
  – low assurance mechanisms are easy to implement whereas high assurance mechanisms are very difficult to implement
29
Security Technologies
Cryptography
Authentication
Access control
Auditing
Intrusion Detection
Incident response and recovery
30
Risk Assessment
Threats: possible attacks
Vulnerabilities: weaknesses
Assets: information and resources
Risk: combination of threats, vulnerabilities and assets
31
Risks
Electronic systems are susceptible to abuse, misuse and failure
  direct financial loss resulting from fraud
  theft of valuable confidential information
  loss of business opportunity due to disruption of service
  unauthorized use of resources
  loss of customer confidence
  costs resulting from uncertainties
  false and malicious web sites posing as selling agents
  theft of customer data from selling agents
  privacy and the use of cookies
  customer impersonation
32
Many attacks
Alteration and deletion of info from web pages, including that of the CIA
1995 attack on Citibank’s cash management system: $10 m fraud
Netscape: cryptographic keys broken in less than a minute
Sniffer attacks have become commonplace
Hacking into hundreds of US military and research facilities
33
Many Software vulnerabilities (reported in March 2000)
Microsoft Internet Explorer 5.0 allows an attacker to set up a web page giving him the ability to execute any program on the visitor’s machine
By modifying a URL, an attacker can completely bypass the authentication of the Axis StarPoint CD-ROM servers
If an attacker sends the Netscape Enterprise server 3.6 a certain type of long message, a buffer overflow crashes a particular process. The attacker can then execute arbitrary code remotely on the server
Dosemu, the DOS emulator shipped with Corel Linux 1.0, allows users to execute commands with root privileges
34
Some interesting statistics
Credit card fraud: $5 billion annually worldwide
Online information theft: $10 million annually in US
  credit card numbers, pirated software, corporate secrets
Information security compromises:
  50% of organizations suffered info security related financial loss in the last 2 years
  10% of users reported an attempted or successful break-in via the internet in the last year
  50% claimed that they would not know if someone broke into their system through the internet
Hacking: 20% of organizations having external access have been hacked
35
More ..
36
37
Growth in Security Software Market
38
Outline of the Course
Security Technologies
Networking and Telecommunications technologies
Security Policies and regulations
Security standards
Internet Security
Secure Payment Systems
JAVA security
Security and auctions
Intellectual property protection, watermarking
Certificates, certification practices, PKI
Database security
39