Chapter 4 Flashcards
As internet never was designed to be a global marketplace, it lacks ____________________
many basic security features.
Define Integrity
Ability to ensure that information being displayed on a web site or transmitted or received over the internet has not been altered in any way by an unauthorised party
Give a customer and a merchant perspective of integrity
Customer - Has information transmitted or received been altered?
Merchant - Has data on the site been altered without authorization? Is data being received from customers valid?
Define: Non-Reputation
Ability to ensure that e-commerce participants do not deny (i.e. repudiate) their online actions
Give a customer and a merchant perspective of non-reputation
Customer - Can a party to an action with me later deny taking that action?
Merchant - Can a customer deny ordering a product?
Define: Authenticity
Ability to identify the identity of a person or entity with whom one is dealing on the internet
Ex. can I trust who this person or company is saying they are?
Define: Confidentiality
Ability to ensure that message and data are available only to those who are authorised to view them
Define: Privacy
Ability to control the use of information about oneself
Define: Availability
Ability to ensure that an e-commerce site continues to function as intended
What is a major factor that can disrupt the customers “ease of use” and or their e-transaction causing less repetition in customer purchases?
Security! To many verification process can cause customers to become very annoyed and either give up on a purchase or cause less purchases in the future.
An increased level of security on a website can also cause…
A slower, less efficient website.
What are some examples of “malicious code”?
Virus’s, worms, adware, trojan’s etc
What is one of the most common ways computers get infected with malicious code?
Drive by download- malware coming from downloaded files that a user requested
What are some differences between viruses and worms?
Viruses are usually created to damage while worms are created to collect information and spread rapidy from computer to computer
What is the “backdoor” feature of infectious software?
Allowing a person to remotely access infected devices
Potentially Unwanted Programs (PUPS) are…
program that install themselves on a computer, typically without users informed consent – increasingly found on social networks
List 3 different kinds of PUPS
Adware - a PUP that serves pop-up ads to computer, usually installed on a computer to generate these pop ups
Browser Parasite - – program that can monitor and change the settings of a users browser
Spyware - program used to obtain information such as a user’s keystrokes, e-mail, instant messages and so on
Define : Phishing
any deceptive, online attempt by a third party to obtain confidential information for financial gain
What are hackers and crackers?
Hacker – individual who intends to gain unauthorised access to a computer system
Cracker – with the hacking community, a term typically used to denote a hacker with criminal intend
What is encryption?
process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver. The purpose of encryption is (a) to secure stored information and (b) to secure information transmission.
Define: Cipher text
text that has been encrypted and thus cannot be read by anyone other than the sender and the receiver.
The message integrity provides…
assurance that the message has not been altered
Non-repudiation prevents …
the user from denying he or she send the message
Authentication provides …
verification of the identity of the person (or computer) sending the message
Confidentiality gives …
assurance that the message was not read by others
The key(cipher) is
any method for transforming plain text to cipher text
Substitution cipher is…
every occurrence of a given letter is replaced systematically by another letter
Transition cipher is the ordering…
of letters in each word is changed in some systematic way
more complicated if (a) words are broken into two and (b) spell the first word with every other
letter beginning with the first letter, and then spell second word with remaining letters
Symmetric key encryption is when…
both the sender and receiver use same digital key to encrypt and decrypt messages
Symmetric key encryption has two main flaws, what are they?
- Hackers are powerful and can break encryption
- Systematic key encryption requires both parties to share the same key. A hacker can target either the sender or the receiver to gain access to the key
Data Encryption Standards (DES)…
developed by NSA and IBM. Uses a 56-bit encryption key
Advanced Encryption Standards (AES) are…
the most widely used symmetric key encryption algorithm, using 128-, 192-, and 256-bit encryption keys.
Explain how public key encryption works…
Two mathematically related digital keys are used: a public key and a private key. The private key is kept secret by the owner, and the public key is widely disseminated. Both keys can be used to encrypt and decrypt a message. However, once the keys are used to encrypt a message, that same key cannot be used to encrypt the message.
The sender uses the recipient’s key to encrypt the message(s) while the recipient uses his/her private key to decrypt it.
Break the public key encryption process down into 5 steps
- The sender crates a digital message
- The sender obtains the recipient’s public key from a public directory and applies it to the message
- Application of recipient’s key produces an encrypted cipher text message
- The encrypted message is sent over the internet
- The recipient uses his/her private key to decrypt the message
Hash function is…
an algorithm that produces a fixed-length number called a hash or message digest. Hash digest of a message are sent to recipients along with another message that verifies the integrity.
The entire cipher text is then encrypted with recipient’s private key – creating a digital signature – for authenticity and non-repudiation
List the 7 steps of public key encryption that has DIGITAL SIGNATURES
- The sender crates an original message
- The sender applies a hash function, producing a 128-bit hash result
- The sender encrypts the message and hash result using recipient’s public key
- The sender encrypts the result, again using his or her private key
- The result of the double encryption is sent over the internet
- The receiver uses the sender’s public key to authenticate the message
- The receiver uses his or her private key to decrypt the hash function and the original message. The receiver checks to ensure the original message and the hash function results conform to one another
Define digital envelopes
a technique that uses symmetric encryption for large documents, but public key encryption to encrypt and send the symmetric key
Digital certificates and public key infrastructure relies on….
certification authorities who give out, verify and then guarantee digital certificates
What is a digital certificate
A digital document that contains the name of the subject or company, the subject
s public key, a digital certificate serial number, an expiration date, an issuance date, the digital signature of the certification authority, and other identifying formation.)
Certification authority (CA) is a…
trusted third party that issues digital certificates.
Public key infrastructures are
Certification authorities and digital certificate producers that are accepted by all parties
How do you create a digital certificate?
The user generates a public/private key pair and sends a request for a certification to a CA along with the users public key.
The CA verifies the information.
The CA issues a certificate containing the user’s public key and other related information.
Finally, the CA creates a message digest from the certificate itself and signs it with the C’s private key.
Pretty good privacy is …
a widely used e-mail public key encryption software program
What are some limitations to encryption solutions
- not effective against insider employees who have legitimate access to corporate systems including customer information
- most e-com sites do not store customer information in encrypted form
- no garentee that the person using the computer with the right keys is the right person (computer theft, sneaky wives ya know)
The most common form of securing channels is through the…
Secure Sockets Layer and Transport Layer Security
Secure Negotiated session is …
a client-server session in which the URL of the requested document along with the contents, contents of forms and the cookies are exchanged and encrypted
Give an example of a secure negotiated session
When you enter your credit card in a form the data is encrypted
A session key is
a unique symmetric encryption key chosen for a single secure session
Once a session key is used it ..
is is plunged into the darkness of mordor and is gone FOREVER
Single use key
A virtual private network
allows remote users to securely access internal networks via the internet using the Point to Point Tunneling protocol PPTP
What are 2 ways of protecting Networks and explain both
Firewalls - hardware or software that filters communication packets and prevents packets from entering the network based on security policy
Proxy Server - software server that handles all communications from or being sent to the internet.
What are the 5 steps to developing an E-Commerce security plan?
- Perform a risk assessment
- Develop a security policy
- Develop an implemenation plan
- Create a security organization
- Perform a security audit
Security Policy is
A set of statements prioritizing the information risks, identifying acceptable risk targets and identifying the mechanisms for achieving these targets
After establishing the base of the security policy, the next step is to create an…
Implementation plan - the actions/steps you will take to achieve the security plan goals
After implementing the plan you will need to organize the …
security organization - the education and training of users to keep management aware of security threats and breakdowns
…….. must be established to determine who can gain legitimate access to a network
Access Controls
Authentication Procedures
Include the use of digital signatures, certificates of authority and public key infrastructure
Biometrics
The study of measurable biological or physical characteristics
Security Tokens
Small devices that continuously generate six digit passwords to prevent theft
Authorization Policies….
determine differing levels of access to information assets for differing levels of users
Authorization Management system
Establishes where and when a user is permitted to access certain parts of a website
Security audit…
the routine review of access logs (identifying how outsiders are using the site as well as how insiders are accessing the sites assets)
The CERT coordination center monitors and…
tracks online criminal activity reported to it by private corporations and government agencies that seek out its help
A stored value payment system is
account created by depositing funds into an account and from which funds are paid out or withdrawn as needed
Merchant account
a bank account that allows companies to process credit card payments and receive funds from those transactions