IA 2 - UNIT 2 Flashcards
It involves using the internet, intranet, extranet, or other networks to support business processes.
E-Business
- Primarily refers to online buying, selling, marketing, and servicing products and services.
- Includes payment and delivery of products/services online.
E-Commerce
Primary targets of phishing attacks
- Retail services
- Financial institutions
- ISPs
Identified privacy and security as significant
concerns.
2001 Study
(Udo)
Buyer concerns about website security remain
critical.
2014 Findings
(Hartono et al.)
Importance of information security in e-commerce financial transactions.
2016 Emphasis
(Jotwani &
Dutta)
Types of Security
Threats
- Denial of Service (DoS)
- Spying Attacks
- Unauthorized Access
Overloading servers to make services unavailable.
Denial of Service
(DoS)
Interception of sensitive information during transactions (e.g., man-in-the-middle attacks).
Spying Attacks
Gaining access to user accounts or sensitive data without permission.
Unauthorized Access
Types of DoS Attacks
- DDoS
- Virus Infection
- Computer Worms
- Involves multiple compromised systems (botnets).
- Often undetected by the owners of infected systems.
DDoS
- Deliberately corrupts or deletes data.
- Spread via email attachments or downloads.
Virus Infection
Self-replicating malware that does not necessarily damage data
but consumes bandwidth as it spreads.
Computer
Worms
Types of Spying Attacks
- Sniffing
- Man in the Middle Attack
- Key Logging
Applications or devices that read, monitor, and
capture network data exchanges.
Sniffing
An attack where the attacker intercepts and
relays messages between two parties.
Man in the Middle Attack
A spying attack that records each keystroke
a user types on a computer.
Keylogging
Consequences of Spying Attacks
Gaining access to sensitive information can lead to:
- Identity theft
- Financial fraud
- Corporate espionage
is an organized framework of concepts, beliefs, principles, policies, procedures, techniques, and measures that protect system assets against threats.
security
Methods Supporting the AIC Objectives
- Authentication
- Encryption
- Access Control
- Firewalls
- Intrusion Detection and Prevention Systems (IDPS)
- Message Digest/Checksum
- Honeypot
- Digital Signature & Certificate
- Technologies that measure and analyze unique physiological or behavioral characteristics to verify or identify individuals.
- These technologies are convenient, as they eliminate the need for cards or passwords, and they are unique to each person, making them a reliable form of authentication.
Biometrics for
Authentication
Fingerprints were collected for bank verification
and mobile SIM registration.
Nigeria
Bradesco Bank’s palm vein biometric ATM
system
Brazil
Biometric identification database to reduce
benefit fraud.
India
- The user provides biometric data via a sensor.
- A template is created and stored.
Registration
Modes of Biometrics
- Physical Biometrics
- Behavioral Biometrics
- User provides biometric data again.
- New template is generated and compared to the stored one.
- Access granted or denied based on matching.
Authentication
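Worked example (added here, not part of the original flashcards): the registration-then-authentication flow described in the two cards above, simulated in Python. Templates are modelled as 256-bit codes (the shape of an iris code), so two captures of the same trait differ in a few bits from sensor noise and matching is a distance test against a tolerance, never an equality test. The 30% mismatch tolerance, the noise model and the user names are assumptions for the illustration; the sample captures are constructed inline.

```python
"""Enrollment (registration) and verification (authentication) for a
template-based biometric. Illustrative simulation, not code from any real
biometric product. Sample captures are constructed inline."""

import hashlib
import random

TEMPLATE_BITS = 256
# Fraction of differing bits above which two captures are treated as
# different people. Assumed value for the illustration; real systems tune
# it against measured false-accept / false-reject rates.
MATCH_THRESHOLD = 0.30


def capture(identity: str, noise_bits: int, seed: int) -> list[int]:
    """Simulate one sensor reading: the person's 'true' 256-bit template
    (derived deterministically from the identity here) with noise_bits
    positions flipped to model capture noise."""
    digest = hashlib.sha256(identity.encode()).digest()          # 32 bytes
    bits = [(byte >> shift) & 1 for byte in digest for shift in range(8)]
    rng = random.Random(seed)
    for pos in rng.sample(range(TEMPLATE_BITS), noise_bits):
        bits[pos] ^= 1
    return bits


def hamming_fraction(a: list[int], b: list[int]) -> float:
    """Fraction of positions at which two templates differ."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x != y for x, y in zip(a, b)) / len(a)


class BiometricStore:
    """Registration stores one template per user; authentication captures
    again and compares the new template against the stored one."""

    def __init__(self) -> None:
        self._templates: dict[str, list[int]] = {}

    def enroll(self, user: str, template: list[int]) -> None:
        self._templates[user] = template

    def verify(self, user: str, sample: list[int]) -> bool:
        stored = self._templates.get(user)
        if stored is None:
            return False  # unknown user: deny, do not leak whether enrolled
        return hamming_fraction(stored, sample) <= MATCH_THRESHOLD


def demo() -> dict:
    store = BiometricStore()
    # Registration: Alice's first capture becomes the stored template.
    store.enroll("alice", capture("alice", noise_bits=4, seed=1))
    # Authentication: a second, differently-noisy capture of the same trait.
    genuine = store.verify("alice", capture("alice", noise_bits=6, seed=2))
    # Impostor: an unrelated template differs in roughly half of all bits.
    impostor = store.verify("alice", capture("mallory", noise_bits=6, seed=3))
    return {"genuine_accepted": genuine, "impostor_accepted": impostor}


if __name__ == "__main__":
    print(demo())
```

The tolerance is the whole security argument: too tight and legitimate users are rejected on every noisy capture, too loose and an impostor's template falls inside the match window.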
Physical
Biometrics
- Fingerprints
- Face Recognition
- Hand Geometry
- Iris Recognition
- Palm Vein Identification
Behavioral
Biometrics
- Keystroke dynamics
- Generates profiles for network nodes based on sampled data.
- Identifies nodes with out-of-line profiles as potential attackers.
Bayes Probability Algorithm
Sampling and anomaly detection to monitor network nodes.
Kalutarage’s
Approach
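Worked example (added here; an illustrative Bayesian scoring, not Kalutarage's published algorithm): each sampled node has a profile of the destination ports it normally talks to, and Bayes' theorem turns the count of out-of-profile samples into a posterior probability that the node is an attacker, so a node with an out-of-line profile is flagged while an occasional stray connection is not. The benign and attacker rates, the prior, the threshold, the profiles and the sampled observations are all constructed for the example.

```python
"""Bayesian anomaly scoring of sampled network nodes. Illustrative example,
not Kalutarage's algorithm. Each node is sampled n times; k samples fall
outside its profile. Two hypotheses are compared with Bayes' theorem:
benign (out-of-profile rate P_BENIGN) or attacker (rate P_ATTACK)."""

from math import comb

P_BENIGN = 0.02       # assumed out-of-profile rate for a normal node
P_ATTACK = 0.30       # assumed out-of-profile rate for an attacking node
PRIOR_ATTACK = 0.01   # assumed prior: 1 in 100 nodes is hostile
FLAG_THRESHOLD = 0.5  # flag when P(attacker | samples) reaches this

# Constructed baseline profiles: ports each node is expected to contact.
PROFILES = {
    "10.0.0.5": {80, 443},
    "10.0.0.7": {22, 443},
    "10.0.0.9": {443},
}

# Constructed sampled observations: (source node, destination port).
# 10.0.0.5 has one stray connection; 10.0.0.9 is scanning internal services.
SAMPLES = [
    ("10.0.0.5", 443), ("10.0.0.5", 80), ("10.0.0.5", 443), ("10.0.0.5", 8080),
    ("10.0.0.5", 443), ("10.0.0.5", 80), ("10.0.0.5", 443), ("10.0.0.5", 443),
    ("10.0.0.7", 22), ("10.0.0.7", 443), ("10.0.0.7", 22), ("10.0.0.7", 22),
    ("10.0.0.7", 443), ("10.0.0.7", 22), ("10.0.0.7", 443), ("10.0.0.7", 22),
    ("10.0.0.9", 445), ("10.0.0.9", 3389), ("10.0.0.9", 443), ("10.0.0.9", 139),
    ("10.0.0.9", 22), ("10.0.0.9", 443), ("10.0.0.9", 5985), ("10.0.0.9", 1433),
]


def binomial_likelihood(k: int, n: int, p: float) -> float:
    """P(k out-of-profile samples in n) if the per-sample rate is p."""
    return comb(n, k) * p ** k * (1 - p) ** (n - k)


def posterior_attacker(k: int, n: int, prior: float = PRIOR_ATTACK) -> float:
    """Bayes' theorem: P(attacker | k, n) from the two competing likelihoods."""
    attack = binomial_likelihood(k, n, P_ATTACK) * prior
    benign = binomial_likelihood(k, n, P_BENIGN) * (1 - prior)
    return attack / (attack + benign)


def score_nodes(samples, profiles) -> dict:
    """Count samples per node (n) and out-of-profile samples (k), then score."""
    counts: dict[str, tuple[int, int]] = {}
    for node, port in samples:
        n, k = counts.get(node, (0, 0))
        k += port not in profiles.get(node, set())  # unknown node: everything is out of profile
        counts[node] = (n + 1, k)
    return {node: posterior_attacker(k, n) for node, (n, k) in counts.items()}


def flag_attackers(samples, profiles, threshold: float = FLAG_THRESHOLD) -> list:
    scores = score_nodes(samples, profiles)
    return sorted(node for node, p in scores.items() if p >= threshold)


if __name__ == "__main__":
    for node, p in score_nodes(SAMPLES, PROFILES).items():
        print(f"{node}: P(attacker) = {p:.4f}")
    print("flagged:", flag_attackers(SAMPLES, PROFILES))
```

With these numbers the single stray connection from 10.0.0.5 leaves its posterior near 1%, while six out-of-profile samples from 10.0.0.9 push it above 0.999; the ratio of the two assumed rates, not the raw count, is what drives the decision.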
- Combines boosting techniques with neural networks to improve the accuracy and generality of intrusion detection.
- Tran et al. [68]
Adaptive Boosting &
Semiparametric Neural Networks
- Feng et al. [69]
- A hybrid method that mines network data to detect anomalies and potential attacks.
Support Vector Machine &
Ant Colony Networks
Benefits of Machine Learning in Intrusion
Detection
- Adaptive algorithms that learn and evolve with new attacks.
- Real-time detection and response to anomalies.
- Reduces manual analysis, increasing detection accuracy.
is a decentralized, transparent, and secure method for managing transactions and data without intermediaries.
Blockchain
Peer-to-Peer Security Using
Blockchains
- Immutability
- Protection from Fraud
- Cryptographic Hashing
Once a block is
accepted and added
to the chain, it cannot
be altered.
Immutability
The blockchain structure and validation process prevent tampering and fraudulent transactions.
Protection from
Fraud
SHA-256 provides a
secure hash function,
ensuring data integrity.
Cryptographic
Hashing
Challenges
in
Blockchain
Security
- Anonymity Concerns
- Scalability Issues
- Bitcoin transactions are pseudonymous (tied to addresses rather than verified identities), which may not be acceptable for regulated sectors like banking.
- Solution: Modified blockchain models with knowable user identities.
Anonymity
Concerns
Current implementations
may face challenges
scaling to accommodate
larger numbers of
transactions.
Scalability
Issues
Peers in the network who validate new transactions and append them as blocks by solving cryptographic puzzles (proof of work).
Data Miners
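Worked example (added here, not code from Bitcoin or any real blockchain): a toy hash chain in Python covering the Immutability, Cryptographic Hashing and Data Miners cards. Each block's SHA-256 digest covers its index, data, the previous block's hash and a nonce; mining searches nonces until the digest meets a difficulty target; validation recomputes every digest, so editing an accepted block is detected at that block, and re-mining the edited block only moves the break to the next one, whose prev_hash still commits to the old digest. The same recompute-and-compare step is what the Message Digest/Checksum entry in the AIC methods list does for a single message. The 12-bit difficulty and the transaction records are assumptions constructed for the example.

```python
"""Minimal blockchain-style hash chain with proof-of-work. Illustrative
example, not code from any real blockchain. Transaction records and the
difficulty are constructed for the demonstration."""

import hashlib
import json

DIFFICULTY_BITS = 12  # assumed toy target: digest must start with 12 zero bits
GENESIS_PREV = "0" * 64


def block_hash(index: int, data, prev_hash: str, nonce: int) -> str:
    """SHA-256 over a canonical JSON encoding of the block header fields."""
    payload = json.dumps([index, data, prev_hash, nonce],
                         separators=(",", ":"), sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def meets_difficulty(digest_hex: str) -> bool:
    """True when the top DIFFICULTY_BITS of the 256-bit digest are zero."""
    return int(digest_hex, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine(index: int, data, prev_hash: str) -> dict:
    """The miner's puzzle: try nonces until the header hash meets the target."""
    nonce = 0
    while True:
        digest = block_hash(index, data, prev_hash, nonce)
        if meets_difficulty(digest):
            return {"index": index, "data": data, "prev_hash": prev_hash,
                    "nonce": nonce, "hash": digest}
        nonce += 1


def build_chain(records: list) -> list:
    """Mine one block per record, each committing to the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for i, record in enumerate(records):
        block = mine(i, record, prev)
        chain.append(block)
        prev = block["hash"]
    return chain


def validate_chain(chain: list):
    """Return the index of the first invalid block, or None if intact.
    Every digest is recomputed from the stored fields; stored hashes are
    never trusted on their own."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        recomputed = block_hash(block["index"], block["data"],
                                block["prev_hash"], block["nonce"])
        if (block["index"] != i or block["prev_hash"] != prev
                or block["hash"] != recomputed or not meets_difficulty(recomputed)):
            return i
        prev = block["hash"]
    return None


def demo() -> dict:
    records = [  # constructed sample transactions
        {"from": "alice", "to": "bob", "amount": 5},
        {"from": "bob", "to": "carol", "amount": 2},
        {"from": "carol", "to": "alice", "amount": 1},
    ]
    chain = build_chain(records)
    intact = validate_chain(chain)
    chain[1]["data"]["amount"] = 200          # attacker edits an accepted block
    tampered_at = validate_chain(chain)        # digest mismatch at block 1
    chain[1] = mine(1, chain[1]["data"], chain[0]["hash"])  # attacker re-mines it
    remined_tampered_at = validate_chain(chain)  # block 2 still commits to the old hash
    return {"intact": intact, "tampered_at": tampered_at,
            "remined_tampered_at": remined_tampered_at}


if __name__ == "__main__":
    print(demo())
```

Rewriting history therefore means re-mining every block after the edit, and in a peer-to-peer network doing so faster than the honest miners extend the chain; the toy difficulty here keeps mining to a few thousand hashes per block so the example runs in well under a second.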
Maps business processes, application systems, and network topologies against possible attacks and defenses.
Enterprise
Security
Model
As enterprises move to the cloud, network complexity increases,
making security more challenging.
Cloud
Complexity
Service-Oriented Security Framework
- Authentication certificates
- Code filters
- HTTPS
- IDS/IPS
- Encryption
- Access control
- Separate server for business data
JP Morgan Chase employs a multi-layered security model to protect its banking and financial data. This model includes comprehensive business process mapping to identify potential vulnerabilities in financial transactions, customer data, and infrastructure.
Enterprise Security
Architecture
Three
Phases of user education and engagement in information security
- awareness
- training
- education
Basic understanding of security concepts.
Awareness
Incorporate awareness, training, and education at different user levels, including regular employee security briefings, specialized IT training, and advanced education for
cybersecurity staff.
Security Awareness
Programs at NASA
In-depth knowledge for professionals working in
security fields.
Education
Developing specific skills to handle security
challenges.
Training
offers training materials and simulation tools to help organizations educate employees and end-users about phishing attacks. Their e-learning modules simulate real phishing scenarios to raise awareness and improve responses.
APWG’s Anti-Phishing
Training
Methods of Delivering Security Awareness Training
- E-learning
- Content Coverage
- Compliance
Mandatory online courses.
E-learning
Phishing awareness, password security,
handling sensitive data
Content
Coverage
Specific organizational requirements for data security
Compliance
Example of
E-learning
Training
- Password Management Best Practices
- Sensitive Data Handling Procedures
- Phishing and Social Engineering
- Compliance and Regulatory Awareness (e.g., GDPR, HIPAA).