Security for Electronic Commerce: Introduction
Vijay Atluri
[email protected]
http://cimic.rutgers.edu/~atluri

Electronic Commerce (EC)

• An area of study concerned with developing methodologies and systems that support
  – creation of information sources,
  – effective and efficient interactions among sellers, consumers, intermediaries and producers, and
  – movement of information across the global networks

EC Objectives

• In general: increasing the speed and efficiency of business transactions and processes, and improving customer relationships and services

EC Objectives (Specifically)

e.g.,
• Streamlining procurement processes; decreasing costs
• Decreasing the length of production cycles
• Increasing the number of trading partners
• Achieving closer customer and vendor relationships
• Enhancing competitiveness and economic growth
• Enabling enterprises to conduct business effectively with distant partners
• Empowering small businesses

EC Today

• EC, although it has gained attention only recently, has been around for more than 20 years
  – EDI, EFT, ATM, credit cards, telephone banking
  – EDI has not gained popularity because of its high initial investment and high maintenance cost
• Development of IT (telecommunications, user-friendly software, smaller and affordable computing) has triggered major advances in many areas
  – EC, digital libraries, telemedicine, telecommuting, distance learning, collaborative computing, just to name a few

EC Environment

• Vast amount of MM data
• Distributed, autonomous, and heterogeneous information sources
• Wide range of users' specialties and abilities
• Support for decision making
• The Internet as an infrastructure

Media for EC

• VAN
• Proprietary networks
• Internet
  – Emerging global market place

Internet Growth

• The hype surrounding the Internet and Internet growth over-emphasizes the number of Internet users
• To put it in perspective: less than 2% of the world population uses the Internet

Recent Statistics
Last Updated - Tuesday September 5, 2000 05:07:21 AM

Total domains registered worldwide: 27,617,033
Number of .com domains: 17,050,817

Breakdown of registered InterNIC domains:
  .com     17,050,817
  .net      2,806,721
  .org      1,614,740
  .edu          5,673
  .gov            730
  Total    21,478,681

Recent Statistics

ISO and other country level domains:
  .de (Germany)          1,732,994
  .uk (United Kingdom)   2,078,474
  .au (Australia)          150,505
  .dk (Denmark)            204,475
  .ar (Argentina)          324,548
  .nl (Netherlands)        416,842
  .ch (Switzerland)        112,912
  .jp (Japan)              190,709
  .br (Brazil)             312,115
  .it (Italy)              312,186
  .kr (Korea)              325,203
  .ca (Canada)              93,330
  .at (Austria)            123,287
  .se (Sweden)              49,653
  .nu (Niue)                61,314
  .za (South Africa)        75,655
  .nz (New Zealand)         73,002

Rank  Nation          Internet Users (000)
 1.   United States        110,825
 2.   Japan                 18,156
 3.   UK                    13,975
 4.   Canada                13,277
 5.   Germany               12,285
 6.   Australia              6,837
 7.   Brazil                 6,790
 8.   China                  6,308
 9.   France                 5,696
10.   South Korea            5,688
11.   Taiwan                 4,790
12.   Italy                  4,745
13.   Sweden                 3,950
14.   Netherlands            2,933
15.   Spain                  2,905

Internet Usage Ranked by Native Language

Language                    % of World Online Population
English                             57.4%
Non-English                         42.6%
  Japanese                           8.8%
  German                             6.2%
  Chinese                            4.4%
  Spanish                            4.3%
  French                             4.2%
  Scandinavian                       2.5%
  Italian                            3.3%
  Korean                             1.9%
  Portuguese                         1.5%
  All Others                         5.5%
Total European Languages            26.4%
Total Asian Languages               16.2%
Source: Global Reach

Categories of EC

• B2B
  – built on established trust relationships; makes use of the partners' shared computer/telecomm infrastructures
  – able to achieve efficiency through a large volume of transactions
• B2C
  – built on mutual distrust; has a small volume of transactions
  – requires a ubiquitous, low-cost infrastructure
  – provides an opportunity for personalization and customization
• B2G
  – more restrictive due to government regulations
  – in the US, the Federal Acquisition Streamlining Act (FASA) has mandated that all government agencies conduct bidding via EDI by late 1999

Estimated Product Mix in Year 2000

Computer Products   32%
Travel              24%
Entertainment       19%
Gifts & Flowers     10%
Food & Drink         5%
Apparel              5%
Others               5%
Source: Glasser, "Selling Online: Electronic Storefront That Works"

Some statistics

Years: 1998, 1999, 2002, 2003
Business-to-Consumer / Business-to-Business
$18.2 Billion
$43 Billion
$108 Billion
$847.2 Billion
$1.3 Trillion
$1.8 to $3.2 Trillion (Global)

More statistics (billions)

Year    B2B     B2C     B2G     Total(e)   Total
1997      5.6    1.8    0.6       8        11,429
1998     16      4.77   1.71     22.48     11,657
1999    114      7.6    2.4     124        12,006
2002    268     35.3    8.4     311.7      14,006

More statistics

Online vs. Offline Sales Growth

Interdisciplinary Nature of EC

• Technical: network, database, security, ..
• Business: marketing, finance, ..
• Legal and Policy: ethics, privacy, ..
• Our Focus: security technologies, policies, standards

Conceptual Model of EC

EC Requirements and Services

• Acquiring and storing information
• Search and discovery services
• Electronic payments
• Security services
• Connectivity
• Legal and policy requirements

Why do we need to worry about security?

• Security and trust are important in conducting business
  – they evolved over centuries in the traditional paper world
  – for example, we always trust the bank when we deposit money
• In the electronic world, we need to face many new challenges
  – we transact in a new medium (the Internet) that is open
  – the medium is targeted towards flexibility, interoperability and connectivity rather than security
  – do we ever use a secure phone for placing an order over the phone?
• A new type of currency?
• Remote, and sometimes unknown, business parties

Why do we need to worry about security?

• Easy to commit crime due to
  – lack of forensic evidence
  – anonymity
  – sensitive data repositories are vulnerable targets
  – rare regular auditing of computer usage
  – non-existent regulatory policies and laws
• Cookies and privacy concerns
• Executable contents (Java applets, ActiveX controls)
• Push technology
• CGI scripts

Why do we need to worry about security?

• Many weak links
  – vulnerabilities in client software, server software, back-end databases
  – web clients (recall the IE version 3.0 vulnerability) and servers
  – the whole system is only as secure as its weakest link
Figure labels: SERVER, Database, CLIENT, Database

Security Objectives

• Confidentiality: concerned with unauthorized disclosure of information
• Integrity: concerned with unauthorized modification of information
• Availability: concerned with improper denial of access to information

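The three objectives are independent, and a single mechanism rarely serves more than one of them. The following is an added example (not from the lecture slides) that addresses only the integrity objective for an electronic order: the sender attaches an HMAC-SHA256 tag to the order, and the receiver detects unauthorized modification because the tag no longer matches. The order text and the shared key are constructed for the example; note that the order stays fully readable, so confidentiality is not provided by this mechanism at all.

```python
import hmac
import hashlib

# Constructed shared secret for the example only (an assumption, not a real key):
# in a deployment the store and its payment back-end would provision this through
# a key-management system, never as a literal in source.
SHARED_KEY = b"example-shared-key-not-for-production"
SEPARATOR = b"|"


def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Append an HMAC-SHA256 tag so that later unauthorized modification is detectable.

    The message itself stays readable: this serves the integrity objective only.
    Confidentiality (no unauthorized disclosure) and availability are separate
    objectives and need separate mechanisms.
    """
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode("ascii")
    return message + SEPARATOR + tag


def verify(protected: bytes, key: bytes = SHARED_KEY) -> tuple:
    """Return (ok, message); ok is False when the tag does not match the message."""
    message, sep, tag = protected.rpartition(SEPARATOR)
    if not sep:
        return False, b""  # malformed input: no tag present
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode("ascii")
    # compare_digest runs in constant time, so a forger learns nothing from how
    # long the comparison took.
    return hmac.compare_digest(tag, expected), message


def demo() -> dict:
    """Exercise the three cases a receiver must distinguish."""
    order = b"order=1001;item=laptop;amount=1299.00;ship_to=customer"  # constructed
    sent = protect(order)
    ok_untouched, _ = verify(sent)
    # Unauthorized modification in transit: the amount changes, the tag does not.
    tampered = sent.replace(b"amount=1299.00", b"amount=12.99")
    ok_tampered, _ = verify(tampered)
    # A party without the shared secret cannot produce a valid tag either.
    ok_wrong_key, _ = verify(sent, key=b"some-other-key")
    return {"untouched": ok_untouched, "tampered": ok_tampered, "wrong_key": ok_wrong_key}


if __name__ == "__main__":
    print(demo())  # {'untouched': True, 'tampered': False, 'wrong_key': False}
```

Run it directly to see the three verdicts; the design point is that a bare hash would not do here, because anyone who can modify the message could recompute a hash, whereas an HMAC tag can only be recomputed by a holder of the shared key.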
Security Techniques

• Prevention
  – access control
• Detection and recovery
  – auditing/intrusion detection
  – incident handling
• Tolerance
  – practicality

Tradeoffs

• confidentiality, integrity, availability
  versus
• cost, functionality, ease of use

• Security is a process, NOT a turn-key product
• Absolute security does not exist
• Security in most systems can be improved

Achieving Security

• Policy: what?
  – specifies the requirements to be implemented
  – includes software, hardware, physical, personnel, procedural
  – specifies goals but does not specify how to achieve them
• Mechanism: how?
  – specifies how the policy can be implemented
• Assurance: how well?
  – ensures how well the mechanism meets the policy requirements
  – low assurance mechanisms are easy to implement whereas high assurance mechanisms are very difficult to implement

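The policy / mechanism / assurance split above, together with the prevention and detection techniques from the "Security Techniques" slide, can be made concrete in a few dozen lines. This is an added example, not the lecture's material: the policy is written as data (what is allowed), the mechanism is a reference-monitor function that enforces it (prevention via access control) and records every decision (detection via an audit trail), and assurance is a set of executable checks derived from the policy that the mechanism must pass. The roles, operations, users and order records are all constructed.

```python
from dataclasses import dataclass, field

# --- POLICY: "what?" -- states the requirements, not how to enforce them --------
# Each rule: (role, operation, resource type, own_only). Constructed for the example.
POLICY_RULES = [
    ("customer", "read",   "order",     True),   # customers read only their own orders
    ("customer", "create", "order",     True),
    ("clerk",    "read",   "order",     False),  # clerks read any order
    ("clerk",    "update", "order",     False),
    ("auditor",  "read",   "audit_log", False),
]


@dataclass
class Order:
    order_id: str
    owner: str  # customer account that placed the order


@dataclass
class AuditLog:
    """Detection side: every access decision is recorded for later auditing."""
    entries: list = field(default_factory=list)

    def record(self, user, role, op, resource, decision):
        self.entries.append((user, role, op, resource, decision))


# --- MECHANISM: "how?" -- the reference monitor that enforces the policy ---------
def check_access(user, role, op, resource, log, rules=POLICY_RULES):
    """Return True iff some policy rule permits (role, op, resource); log the decision."""
    resource_type = "order" if isinstance(resource, Order) else resource
    allowed = False
    for r_role, r_op, r_type, own_only in rules:
        if (r_role, r_op, r_type) != (role, op, resource_type):
            continue
        if own_only and isinstance(resource, Order) and resource.owner != user:
            continue  # rule applies only to the requester's own records
        allowed = True
        break
    # Default deny: no matching rule means no access, and the denial is still logged.
    log.record(user, role, op, getattr(resource, "order_id", resource), allowed)
    return allowed


# --- ASSURANCE: "how well?" -- evidence that the mechanism meets the policy -------
def assurance_checks(log):
    """Checks derived directly from the policy; each returns (name, passed)."""
    alice_order = Order("o-1", owner="alice")
    bob_order = Order("o-2", owner="bob")
    return [
        ("customer reads own order",
         check_access("alice", "customer", "read", alice_order, log) is True),
        ("customer cannot read another's order",
         check_access("alice", "customer", "read", bob_order, log) is False),
        ("clerk reads any order",
         check_access("carol", "clerk", "read", bob_order, log) is True),
        ("customer cannot update an order",
         check_access("alice", "customer", "update", alice_order, log) is False),
        ("unknown role is denied",
         check_access("mallory", "guest", "read", alice_order, log) is False),
        ("auditor reads the audit log",
         check_access("dave", "auditor", "read", "audit_log", log) is True),
    ]


def run():
    """Run the assurance checks and return them with the audit trail they produced."""
    log = AuditLog()
    results = assurance_checks(log)
    denied = [e for e in log.entries if not e[-1]]
    return results, log, denied


if __name__ == "__main__":
    results, log, denied = run()
    for name, passed in results:
        print(("PASS " if passed else "FAIL ") + name)
    print(len(denied), "denied requests recorded in the audit log")
```

Two design choices carry the slide's message: the policy never mentions how enforcement happens (it could be enforced by this function, by a database view, or by a firewall), and the assurance checks are written against the policy rather than against the code, so they keep their meaning if the mechanism is replaced by a higher-assurance one.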
Security Technologies

• Cryptography
• Authentication
• Access control
• Auditing
• Intrusion Detection
• Incident response and recovery

Risk Assessment

• Threats: possible attacks
• Vulnerabilities: weaknesses
• Assets: information and resources
• Risk: combination of threats, vulnerabilities and assets

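The slide defines risk as a combination of threats, vulnerabilities and assets without fixing a formula. The following added example (not from the lecture) uses one common semi-quantitative model as an illustration: a risk entry exists only where a threat can exploit a weakness actually present on an asset, and its score is asset value multiplied by the severity of the worst usable weakness and the threat's estimated likelihood. The asset, threat and vulnerability records, and all the numeric ratings, are constructed; the point the code makes is that a threat with no matching vulnerability (or no asset to act on) contributes no risk, and that the remaining entries can be ranked to decide where to spend on controls first.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Asset:
    name: str
    value: int                 # 1 (low) .. 5 (critical), constructed rating
    vulnerabilities: frozenset  # names of weaknesses present on this asset


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float          # 0.0 .. 1.0, constructed estimate of occurrence
    exploits: frozenset        # weakness names this threat is able to use


@dataclass(frozen=True)
class Vulnerability:
    name: str
    severity: int              # 1 (minor) .. 5 (full compromise), constructed rating


def risk_register(assets, threats, vulns):
    """Rank (asset, threat) pairs by score; pairs with no usable weakness are omitted."""
    severity = {v.name: v.severity for v in vulns}
    rows = []
    for asset, threat in product(assets, threats):
        usable = asset.vulnerabilities & threat.exploits
        if not usable:
            continue  # threat without a matching weakness on this asset: no risk entry
        worst = max(usable, key=lambda n: severity[n])
        score = asset.value * severity[worst] * threat.likelihood
        rows.append((round(score, 2), asset.name, threat.name, worst))
    rows.sort(reverse=True)
    return rows


def sample_register():
    """A small constructed register for an online store (illustrative data only)."""
    vulns = [
        Vulnerability("unpatched-server-software", 5),
        Vulnerability("weak-admin-password", 4),
        Vulnerability("cleartext-session", 3),
    ]
    assets = [
        Asset("customer-database", 5,
              frozenset({"unpatched-server-software", "weak-admin-password"})),
        Asset("public-catalog", 2, frozenset({"unpatched-server-software"})),
        Asset("office-printer", 1, frozenset({"weak-admin-password"})),
    ]
    threats = [
        Threat("remote-exploit", 0.6, frozenset({"unpatched-server-software"})),
        Threat("password-guessing", 0.4, frozenset({"weak-admin-password"})),
        # No asset in this register has a cleartext session, so this threat
        # produces no risk entry even though it is a real threat in general.
        Threat("network-sniffing", 0.3, frozenset({"cleartext-session"})),
    ]
    return risk_register(assets, threats, vulns)


if __name__ == "__main__":
    for score, asset, threat, weakness in sample_register():
        print(f"{score:6.2f}  {asset:18} {threat:18} via {weakness}")
```

Running it lists four entries, with the customer database exposed to remote exploitation at the top; the ratings are the analyst's inputs, so the ranking is only as good as those estimates, which is why the slide's "Risk" bullet is a combination rather than a measurement.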
Risks

• Electronic systems are susceptible to abuse, misuse and failure
• Direct financial loss resulting from fraud
• Theft of valuable confidential information
• Loss of business opportunity due to disruption of service
• Unauthorized use of resources
• Loss of customer confidence
• Costs resulting from uncertainties
• False and malicious web sites posing as selling agents
• Theft of customer data from selling agents
• Privacy and the use of cookies
• Customer impersonation

Many attacks

• Alteration and deletion of information from web pages, including those of the CIA
• 1995 attack on Citibank's cash management system: $10 m fraud
• Netscape: cryptographic keys broken in less than a minute
• Sniffer attacks have become commonplace
• Hacking into hundreds of US military and research facilities

Many Software Vulnerabilities (reported in March 2000)

• Microsoft Internet Explorer 5.0 allows an attacker to set up a web page giving him the ability to execute any program on the visitor's machine
• By modifying the URL, an attacker can completely bypass the authentication of the Axis StarPoint CD-ROM servers
• If an attacker sends the Netscape Enterprise Server 3.6 a certain type of long message, a buffer overflow crashes a particular process. The attacker can then execute arbitrary code remotely on the server
• Dosemu, the DOS emulator shipped with Corel Linux 1.0, allows users to execute commands with root privileges

Some interesting statistics

• Credit card fraud: $5 billion annually worldwide
• Online information theft: $10 million annually in the US
  – credit card numbers, pirated software, corporate secrets
• Information security compromises:
  – 50% of organizations suffered information-security-related financial loss in the last 2 years
  – 10% of users reported an attempted or successful break-in via the Internet in the last year
  – 50% claimed that they would not know if someone broke into their system through the Internet
• Hacking: 20% of organizations having external access have been hacked

More ..

Growth in Security Software Market

Outline of the Course

• Security Technologies
• Networking and Telecommunications technologies
• Security Policies and regulations
• Security standards
• Internet Security
• Secure Payment Systems
• JAVA security
• Security and auctions
• Intellectual property protection, watermarking
• Certificates, certification practices, PKI
• Database security