1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.
Answer:
SET:
Secure Electronic Transaction (SET) is a standard intended to enable secure transactions on the Internet. It provides the fundamental framework within which the various components of securing digital transactions function. SET has been certified by most of the major groups in the electronic commerce arena, including Microsoft, Netscape, VISA and MasterCard. Through the use of digital signatures, SET will enable merchants to confirm that buyers are who they claim to be. It will also protect buyers by providing a mechanism for their credit card number to be transferred directly to the credit card issuer for verification and billing, without the merchant being able to see the number.
RSA 128-bit encryption:
RSA is most commonly used in electronic commerce protocols, and is assumed to be secure given sufficiently long keys and up-to-date implementations. RSA 128-bit encryption has standard characteristics that ensure that data stays secure. RSA encryption is the organizational standard for use in securing applications, and RSA 128-bit is broadly considered unbreakable. It is commonly used in communication between the browser and the server to ensure that the transmission is secured.
References:
Secure Electronic Transaction (2010), Retrieved on May 20, 2010 from http://e-comm.webopedia.com/TERM/S/Secure_Electronic_Transaction.html
Management Online. (Mar 8, 2005) BusinessObjects XI increases security by providing RSA 128-bit encryption as standard platform security level. Retrieved on May 20, 2010 from http://www.information-management.com/news/1022600-1.html
2. What can you find out about network and host-based intrusion detection systems?
Network Intrusion Detection Systems (NIDS)
A NIDS monitors packets on the network wire and attempts to discover whether a hacker/cracker is attempting to break into a system (or cause a denial of service attack). A typical example is a system that watches for a large number of TCP connection requests (SYN) to many different ports on a target machine, thus discovering whether someone is attempting a TCP port scan. A NIDS may run either on the target machine, which watches its own traffic (usually integrated with the stack and the services themselves), or on an independent machine promiscuously watching all network traffic (hub, router, probe). Note that a “network” IDS monitors many machines, whereas the others monitor only a single machine (the one they are installed on) (Graham, R., 2000).
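The port-scan pattern described above (one source sending bare SYNs to many different ports on one target within a short time) can be detected with a small sliding-window counter. The following is an added illustration, not code from the original page or from Graham's FAQ; the log line format, the 10-second window and the 15-port threshold are assumptions, and the log lines are constructed sample data rather than captured traffic.

```python
"""Added example: minimal NIDS-style detector for a TCP port scan.

A (src, dst) pair is flagged when its bare SYN packets touch at least
`min_ports` distinct destination ports inside any `window_seconds` interval.
Only plain "SYN" is counted: SYN-ACK replies from the target are ignored.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: <ISO timestamp> <src ip> -> <dst ip>:<dst port> <tcp flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) (?P<flags>\S+)$"
)

# Constructed sample log (not real traffic): 192.0.2.10 hits 20 ports in 4 seconds,
# 192.0.2.77 is an ordinary client talking to ports 80 and 443.
SAMPLE_LOG = "\n".join(
    [f"2010-05-20T10:00:{i // 5:02d} 192.0.2.10 -> 198.51.100.5:{21 + i} SYN"
     for i in range(20)]
    + [
        "2010-05-20T10:00:01 192.0.2.77 -> 198.51.100.5:80 SYN",
        "2010-05-20T10:00:01 198.51.100.5 -> 192.0.2.77:51234 SYN-ACK",
        "2010-05-20T10:00:05 192.0.2.77 -> 198.51.100.5:443 SYN",
        "2010-05-20T10:00:09 192.0.2.77 -> 198.51.100.5:80 SYN",
        "this line is malformed and must be skipped, not crash the detector",
    ]
)


def parse_log(text):
    """Yield (timestamp, src, dst, port, flags) for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed input is dropped rather than raising
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                       int(m["port"]), m["flags"]))
    return events


def detect_port_scans(text, window_seconds=10, min_ports=15):
    """Return {(src, dst): max distinct ports seen in one window} for scanners."""
    per_pair = defaultdict(list)
    for ts, src, dst, port, flags in parse_log(text):
        if flags != "SYN":  # only new connection attempts count
            continue
        per_pair[(src, dst)].append((ts, port))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pair, events in per_pair.items():
        events.sort()
        recent = deque()              # events inside the current window
        port_counts = defaultdict(int)  # distinct-port bookkeeping for the window
        for ts, port in events:
            recent.append((ts, port))
            port_counts[port] += 1
            # expire events older than the window
            while recent and ts - recent[0][0] > window:
                _, old_port = recent.popleft()
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
            if len(port_counts) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(port_counts))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports")
```

Thresholds are the tuning knob: a single client legitimately opens a handful of ports, so the window and port count are chosen to separate that from a sweep, and a detector that keys only on SYNs will miss slow scans that spread below the threshold, which is why the window length matters as much as the count.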
Host-based intrusion detection system:
Unlike a NIDS, a host-based IDS monitors all or part of the dynamic behaviour and the state of a computer system (Wikipedia). Much as a NIDS dynamically inspects network packets, a HIDS might detect which program accesses which resources and discover that, for example, a word processor has suddenly and inexplicably started modifying the system password database. Similarly, a HIDS might look at the state of a system and its stored information, whether in RAM, in the file system, in log files or elsewhere, and check that the contents of these appear as expected. One can think of a HIDS as an agent that monitors whether anything or anyone, internal or external, has circumvented the system’s security policy.
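The "check that the contents appear as expected" part of a HIDS is, at its simplest, a file-integrity baseline: hash every monitored file once, then re-hash later and report what was added, removed or changed. The block below is an added illustration rather than code from the page or from any HIDS product; the monitored directory is a temporary one built inside `demo()` with constructed files, and the file names are assumptions.

```python
"""Added example: file-integrity baseline in the spirit of a host-based IDS.

build_baseline() maps every regular file under a root to its SHA-256 digest;
compare_baselines() reports added / removed / modified paths between two runs.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256 so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative path: digest} for each regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow symlinks out of the monitored tree
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baselines(old, new):
    """Diff two baselines; any non-empty list is something for an analyst to look at."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo():
    """Build a constructed tree, take a baseline, change it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        files = {
            "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",   # constructed content
            "etc/hosts": "127.0.0.1 localhost\n",
            "readme.txt": "hello\n",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(content)
        before = build_baseline(root)

        # Simulated changes: the password database is modified (the text's
        # word-processor example), one file vanishes, one new file appears.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("# unexpected edit\n")
        os.remove(os.path.join(root, "readme.txt"))
        with open(os.path.join(root, "etc", "newfile.conf"), "w") as f:
            f.write("key=value\n")
        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline itself must live somewhere the monitored host cannot silently rewrite (read-only media or a separate host), otherwise whoever changed the files can re-baseline them too; that storage question, not the hashing, is where real HIDS deployments differ.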
References:
Graham, R. (2000). FAQ: Network Intrusion Detection System. Retrieved on May 20, 2010, from http://www.linuxsecurity.com/resource_files/intrusion_detection/network-intrusion-detection.html
Wikipedia, Host-based Intrusion Detection System. Retrieved on May 20, 2010, from http://en.wikipedia.org/wiki/Host_based_intrusion_detection_system
3. What is 'phishing'?
Answer:
Phishing (pronounced "fishing") is a type of online identity theft. It uses e-mail and fraudulent Web sites that are designed to steal your personal data or information such as credit card numbers, passwords, account data, or other information.
Con artists might send millions of fraudulent e-mail messages with links to fraudulent Web sites that appear to come from Web sites you trust, like your bank or credit card company, and request that you provide personal information. Criminals can use this information for many different types of fraud, such as stealing money from your account, opening new accounts in your name, or obtaining official documents using your identity.
References:
Microsoft (2010), Phishing - general, Retrieved on May 20, 2010, from http://www.microsoft.com/protect/yourself/phishing/faq.mspx
4. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?
Answer:
Secure Electronic Transaction (SET) is a standard intended to enable secure transactions on the Internet. It provides the fundamental framework within which the various components of securing digital transactions function.
It is notable that SET is the more secure protocol, but with more security it is more complex and also costs more. Users must obtain a digital wallet or certificate from the bank and remember the password at all times. SSL, however, is much easier to put into practice and is accepted by online customers.
Even though SET has the strong backing of two major league credit card companies, VISA and MasterCard, SSL is built into all major browsers and web servers, so simply installing a digital certificate turns on their SSL capabilities. This makes SSL easier for a business to use at the outset. These are the sorts of market advantages that perhaps develop when a protocol like SSL has been invented by, and has the support of, major computer organizations like Microsoft and Netscape rather than conventional credit-extending companies such as VISA and MasterCard.
In conclusion, SSL is very easy to use and widely accepted, and an upcoming protocol may offer more protection. Secure electronic transactions will be an important part of electronic commerce in the future, but the challenge is the cost and complexity of SET.
References:
Johnny Papa (April, 2010), Secure Sockets Layer: Protect Your E-Commerce Web Site with SSL and Digital Certificates, Retrieved on May 20, 2010, from http://msdn.microsoft.com/en-us/magazine/cc301946.aspx
Ganesh Ramakrishnan (2000), Secure Electronic Transaction (SET) Protocol, Retrieved on May 20, 2010, from http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=21545&TEMPLATE=/ContentManagement/ContentDisplay.cfm
5. What are cookies and how are they used to improve security? Can the use of cookies be a security risk?
Answer:
A cookie is in fact a file stored on the user’s hard drive which allows the user to be distinguished on that web page from others. Cookies are mostly used by electronic commerce websites, where they store the user’s preferences so that the next time the user does not have to select them again.
The major problem with cookies is the information they contain. When a user connects to a website that can be personalized, the user will be prompted with several questions in order to build a profile; this information is then stored in a cookie. Depending on the website, the manner in which this data is stored could end up being damaging to the user.
In fact, an online sales site could collect information on users' preferences by means of a questionnaire, so that they can suggest items that would be of interest to users.
A cookie is a way to create a link between the user's session (browsing certain pages of a website for a certain amount of time) and the data relating to the user.
Ideally, a cookie should contain a random string (a session identifier), which is unique and difficult to guess, and valid only for a given period of time. Only the server should be able to associate the user's preferences with the session identifier. Thus, when the session cookie expires, it becomes useless and should not contain any information relating to the user.
The cookie should never contain direct user information, and its lifespan should be as close as possible to the duration of the user's session.
On the other hand, the data stored in the cookie is sent to the server, to the database where the user entered his data. Thus, the cookie should never contain user information that the user has not provided, nor information on the contents of the computer; in other words, the cookie should not collect information from the user's computer.
So, always refuse to give personal information to a website that does not seem legitimate, as it has no right to collect your personal information.
A cookie is not a dangerous file in itself if it is well designed and if the user does not provide personal data.
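The design the answer recommends (a random, unguessable session identifier in the cookie, the user's preferences held only on the server, and expiry tied to the session) looks like the following in code. This is an added example, not from the page or the cited kioskea article; the store, the cookie name `sid`, and the 30-minute default lifetime are assumptions, and the insecure variant is included only to show the anti-pattern the text warns against.

```python
"""Added example: server-side session store behind an opaque session cookie.

The cookie carries nothing but a 256-bit random identifier; preferences live
in the server's table and vanish when the session expires, so a stolen or
inspected cookie reveals no user data and is worthless after expiry.
"""
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # session id -> (expires_at, preferences)

    def create(self, preferences, now=None):
        """Store preferences server-side and return the random id for the cookie."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 32 random bytes: unique and not guessable
        self._sessions[sid] = (now + self.ttl, dict(preferences))
        return sid

    def lookup(self, sid, now=None):
        """Return the preferences for a live session, or None if unknown/expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        expires_at, preferences = entry
        if now >= expires_at:
            del self._sessions[sid]  # an expired cookie must become useless
            return None
        return preferences


def set_cookie_header(sid, max_age):
    """Secure cookie: only the id, scoped to HTTPS, hidden from page scripts."""
    return (f"Set-Cookie: sid={sid}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def insecure_cookie_header(profile):
    """Anti-pattern from the text: personal data written straight into the cookie,
    readable by anyone who sees it and trivially edited by the client."""
    body = "&".join(f"{k}={v}" for k, v in profile.items())
    return f"Set-Cookie: profile={body}; Path=/"


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.create({"lang": "en", "currency": "HKD"})
    print(set_cookie_header(sid, 60))
    print(insecure_cookie_header({"name": "alice", "email": "alice@example.com"}))
```

Note that `lookup` takes the session id verbatim from the client and treats it purely as a key; the server never parses user data out of the cookie, which is exactly the property the answer asks for.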
References:
(n.d) (October 16, 2008 02:43:18 PM), Security – Cookies, Retrieved on May 20, 2010, from http://en.kioskea.net/contents/securite/cookies.php3
6. What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?
Answer:
A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
There are several types of firewall techniques, according to Webopedia (2009):
Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert, and usually, a firewall is considered a first line of defense in protecting private information.
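The packet-filter technique from the list above is concrete enough to show as code: each packet is checked against an ordered list of user-defined rules, the first match decides, and anything unmatched is dropped. The block is an added illustration, not from the page or from any vendor's product; the addresses, interface names and rule set are constructed, and the first rule shows the usual mitigation for the IP-spoofing weakness the text mentions (a packet arriving on the external interface can never legitimately carry an internal source address).

```python
"""Added example: a stateless packet filter with first-match, default-deny rules."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "ext" or "int" (assumed names)
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IP
    dst: str        # destination IP
    dport: int = 0  # destination port, 0 when not applicable


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    iface: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"  # CIDR
    dst: str = "0.0.0.0/0"  # CIDR
    dport: int = 0         # 0 matches any port

    def matches(self, pkt):
        return (
            self.iface in ("any", pkt.iface)
            and self.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.dport in (0, pkt.dport)
        )


# Constructed rule set for an intranet 10.0.0.0/8 with one public web server.
RULES = [
    # Anti-spoofing: the outside world may not claim an internal source address.
    Rule("drop", iface="ext", src="10.0.0.0/8"),
    # Public web server reachable on 80 and 443 only.
    Rule("accept", iface="ext", proto="tcp", dst="10.0.0.80/32", dport=80),
    Rule("accept", iface="ext", proto="tcp", dst="10.0.0.80/32", dport=443),
    # Internal hosts may initiate traffic outward.
    Rule("accept", iface="int", src="10.0.0.0/8"),
]


def filter_packet(pkt, rules=RULES):
    """First matching rule wins; a packet matching no rule is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


if __name__ == "__main__":
    samples = [
        Packet("ext", "tcp", "203.0.113.9", "10.0.0.80", 80),   # legitimate web hit
        Packet("ext", "tcp", "203.0.113.9", "10.0.0.80", 22),   # not permitted
        Packet("ext", "tcp", "10.0.0.5", "10.0.0.80", 80),      # spoofed internal source
        Packet("int", "udp", "10.0.1.7", "198.51.100.53", 53),  # outbound DNS
    ]
    for p in samples:
        print(p, "->", filter_packet(p))
```

Because this filter keeps no connection state, it cannot tell the reply half of a conversation from a fresh inbound attempt; that is the gap the circuit-level gateway in the list fills, and why real deployments combine the techniques as the answer notes.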
The following firewall vendors were found on the Internet:
i) CISCO
- provides both hardware and software in multiple integrated solutions. CISCO’s firewall products are based on modular, scalable platforms, and each firewall is designed to secure a different network environment.
ii) IBM
- Unlike CISCO, IBM does not focus on hardware; its firewall offering is part of a broad range of security products and services, from software to hardware to consulting. It provides solutions for customers using other suppliers’ firewall hardware.
iii) NEC
- being a worldwide network equipment vendor, NEC provides firewall solutions in both hardware and software. It specializes in security software bundled with firewalls and in collaboration with other brands’ firewall products.
References:
Firewall (2010), Retrieved on May 20, 2010, from http://www.webopedia.com/TERM/F/firewall.html
7. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?
Answer:
In the e-commerce business, securing trust in a company is essential to its success. Trust is as important to a potential customer’s purchasing decision as the products the company offers him. And an essential element of building that trust, with both customers and partners, is the assurance that the e-commerce operation meets the demanding security standards required of organizations handling sensitive financial information.
i) Authentication
Customers must be able to assure themselves that they are in fact doing business and sending private information with a real identity – not a “spoof” site masquerading as a legitimate bank or e-store.
ii) Confidentiality
Sensitive Internet communications and transactions, such as the transmission of credit card information, must be kept private.
iii) Data integrity
Communications must be protected from undetectable alteration by third parties in transmission on the Internet.
iv) Nonrepudiation
It should not be possible for a sender to reasonably claim that he or she did not send a secured communication or did not make an online purchase.
Digital certificates, email confirmation, and online enquiries can help customers verify that security measures are in place in an e-commerce environment.
References:
Building an E-Commerce Trust Infrastructure (n.d), Retrieved on May 20, 2010, from
8. Get the latest PGP information from http://en.wikipedia.org/wiki/Pretty_Good_Privacy.
The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?
Answer:
The latest PGP information is PGP Corporation and Protegrity Partner to Provide Continuous End-to-End Security of Sensitive Data. The unique PGP Corporation and Protegrity approach leverages the three pillars of total protection for sensitive data: (1) end-to-end encryption for any kind of sensitive data in any location; (2) automated key management; and (3) centralized administration and reporting to address compliance. The integration of PGP Corporation’s market-leading suite of trusted data protection solutions to protect sensitive data wherever it goes with Protegrity’s product offerings for those customers that require database encryption, tokenization, format-controlled encryption, and masking delivers the only true end-to-end data protection solution of its kind in today’s market.
Besides digital certificates and passports, identity theft could be avoided by enrolling in identity insurance or an identity guard service, or by registration / enquiry at an Identity Theft Knowledge Centre.
References:
PGP Corporation and Protegrity Partner to Provide Continuous End-to-End Security of Sensitive Data (19th May, 2010), Retrieved on May 20, 2010, from http://www.pgp.com/insight/newsroom/press_releases/pgp_protegrity.html