【正文】 ECT 250: Survey of emerce technology Security 2 ? Computer security is the protection of assets from unauthorized access, use, alteration, or destruction. ? There are two types of security: – Physical security including such devices as alarms, fireproof doors, security fences, vaults. – Logical security is nonphysical protection. ? A threat is an act or object that poses a danger to puter assets. ? A countermeasure is a procedure, either physical or logical that recognizes, reduces, or eliminates a threat. Terminology 3 The countermeasure will depend both on the cost associated with the threat and the likelihood that the threat will occur. ? High probability, low impact: Contain and control ? High probability, high impact: Prevent ? Low probability, low impact: Ignore ? Low probability, high impact: Insurance or backup Example: CTI puter systems under threat from (1) virus, (2) fire, (3) earthquake, (4) theft Risk analysis 4 ? Physical threats – Natural phenomena: Earthquake, storm, tornado – Arson, electrical shutdown, power surge – Theft, sabotage ? Logical threats – Impostors – Eavesdroppers – Thieves Types of threats 5 ? Secrecy Protecting against unauthorized data disclosure, and ensuring the authenticity of the data source. Example: Use of stolen credit card numbers ? Integrity Preventing unauthorized data modification. Example: Changing of an message ? Necessity Preventing data delays or denials. Example: Delaying a purchase order for stock Security terminology 6 ? Any anization concerned about protecting its emerce assets should have a security policy. ? A security policy is a written statement describing what assets are to be protected, why they are to be protected, who is responsible for that protection, and which behaviors are acceptable and not. ? The policy should address physical security, work security, access authorizations, virus protection, and disaster recovery. Security policy 7 ? Early puter security measures: – Computers were kept in locked central rooms – Access was granted only to select individuals – No one could remotely access the machine ? Modern systems are more plex: – Remote processing – Electronic transmission of information – Widespread use of the Inter History 8 Emerce security is best studied by examining the overall process, beginning with the consumer and ending with the merce server. This analysis produces a three part structure: 1. Client security 2. Communication channel security 3. Server security First, however, we will consider issues surrounding copyright and intellectual property. Emerce threats 9 ? Copyright is the protection of expression and it typically covers items such as books, essays, music, pictures, graphics, sculptures, motion pictures, recordings, architectural works. ? Intellectual property is the ownership of ideas and control over the representation of those ideas. ? The . Copyright Act of 1976 protects items for a fixed period of time. Each work is protected when it is created. A copyright notice is not necessary. Copyright and IP 10 The widespread use of the Inter has resulted in an increase in intellectual property threats. ? It is very easy to reproduce an exact copy of anything found on the Inter. ? Many people are unaware of copyright restrictions protecting intellectual property. ? See Intellectual Property Resources on the Inter. ? A related issue is cybersquatting which is the practice of registering a trademark of another pany as a domain name. Threats 11 ? Enforcing existing copyright laws can be difficult. ? Some methods for protecting digital IP include: – Digital copyright laws – Electronically locking files – Digital watermarks Protecting copyrights and IP 12 ? Steganography is the practice of hiding information within other information. Example: “See everyone? Lucky Larry!” What does it mean? ? Example of conventional watermark: $20 bill ? A digital watermark is a digital code or stream embedded into a file. They do not affect the quality of the file and may be undetectable. ? The presence of a watermark can indicate that the file was stolen. Digital watermarks 13 Emerce security is best studied by examining the overall process, beginning with the consumer and ending with the merce server. This analysis produces a three part structure: 1. Client security 2. Communication channel security 3. Server security Outline 14 Secrecy ? The prevention of unauthorized information disclosure. ? A technical issue involving physical and logical mechanisms. ? Example: Encryption of . Privacy ? The protection of individual rights to nondisclosure. ? The law enforces privacy protection. ? Example: Employers reading employees’ . See: Elessons in the Chicago Tribune Secrecy vs. privacy 15 ? Cookies are files that store identifying information about clients for the purposes of personalization. See The Cookie FAQ for more information. ? Malicious programs can read cookies to gain private information. Many sites do not store sensitive data in cookies. ? Cookies are not inherently bad, but it is wise to learn about them. Software exists that enables you to identify, manage, display, and eliminate cookies. See Cookie Crusher, and Cookie Pal. Cookies 16 ? Since many Web sites gather information about visitors to their sites, you are constantly giving away information such as your IP address. ? There are portals that allow you to surf the Web anonymously by visiting their portal first. ? Their site acts as a firewall, preventing any leaks in information. ? Example: Anonymous browsing 17 ? Malicious code is a program that causes damage to a system.