Web servers can compromise secrecy if it allows automatic directory listings or by requiring users

to enter a user name and password.

Ecom systems store user data and retrieve product info from databased connected to the web server.

Databases connected to the web contain valuable info that could damage a company if disclosed.

A firewall is a software or a hardware combination that is installed in a network to control the packet traffic that

moves through it. Companies will place a firewall at the internet entry point of their networks as it provides a

defense between a network and the internet.

All traffic from the inside to outside and from outside to inside the network must pass through it.

Only authorized traffic, as defined by the local security policy, is allowed to pass through it.

The firewall itself is immune to penetration.

Logic that implements an encryption program. An encryption program being a program that transforms plain

text into cipher text. Once a message is sent over the network it gets encrypted and upon arrival at destin-

ation it is decoded by a decryption program. Someone can know the details of the algorithm and still not be

able to decipher the encrypted message without knowing the key that the algorithm used to encrypt the message.

The process used to calcualte a number from a message. It is essentially a virtual fingerprint for the message. They are

designed so that the probability of two different messages resulting in the same hash value is extemely small. It is a way to

tell if a message has been altered in transit.

Encodes messages by using two math related numeric keys.

Encodes a message with one of several available algorithms that use a single numeric key. Due to the fact

the same key is used, both the sender and receiver must know the key, however, the key must be guarded.

If the key is made public, all message previously sent are vulnerable.

Defined as a security handshake where the client and server sopmuter exchange a brief burst of messages. Each

computer identifies the other then SSL encrypts and decrypts info flowing between the two computers. SSL can

secure many different types of communication between computers in addition to HTTP. SSL allows the length of the

private session key generated by every encrypted transaction to be set at a variety of bit lengths

long binary number used with encryption algorithm to "lock" the characters of the message

being protected so that they are undecipherable without the key.

describes the process of hiding info. within another piece or medium of info.

device that uses an element of a person's biological makeup to perform the identification.

protection of individual rights to nondisclosure.

program that provides the mean to record info that passes through a computer or router that

handles internet traffic.

electronic defecting of an existing web site's page.

pretending to be someone you are not, or representing a web site as an original when truely it

is fake.

coding of info by using a math based program and a secret key to produce a string of characters

that is unintelligible.

key used by an encryption algorithm to create cipher text from plain text during a single secure session.

an encryption message digest.

networks inside of a fire wall as opposed to untrusted which are networks outside the firewall.

examines all data flowing back and forth between the trusted network and the internet.

firewalls that communicate with the internet on the private network's behalf.

software-only firewalls on an individual client computer.

Secrecy Threats

Theft of sensitive

or personal info.

Integrity Threats

Necessity Threats

Wireless Network

Threats

Cookies allow Web servers to maintain continuing open sessions with Web clients. An open session is necessary

to do a number of things that are important in online business activity. Cookies were invented to solve the stateless

connection problem by saving info about a Web user from one set of server-client message exchanges to another.

Cookies can be categorized by: Time Duration and by Source.

a tiny graphic that a 3rd party web site places on another site's Web page. When a site visitor loads the web page,

the web bug is delivered by the 3rd party site, which can then place a cookie on the visitor's computer.

refers to programs that are embedded transparently in web pages and that cause action to occur. In ecom

active content is used to place items into a shopping cart and compute a total invoice amount, including tax,

handling, and shipping. It extends the functionality of HTML and moves some data processing chores from the

busy server machine to the user's client computer.

Java is a programming language developed by Sun that is used widely in web pages to provide active content.

Java adds functionality to business applications and can handle transactions and a wide variety of actions on the

client computer. That relieves an otherwise busy server-side program from handling lots of transactions at the same time.

scripting language developed by Netscape to enable web page designers to build active content. JavaScript can be used

for attacks by executing cose that destroys a client's hard disk. It can also record the URLs of web pages a user visits and

capture info. Furthermore, a JavaScript program cannot start on its own, but all that it takes is clicking a button.

is an object that contains programs and properties that web designers place on web pages to perform particular

tasks. Only runs on computers with windows operating systems. The security danger with Active X controls is the

once they are downloaded, they executelike anyother program on a client computer, they have full access to system's

resources.

Some graphic files formats have been designed to specifically contain instructions on how to render a graphic. Meaning any

page containing such a graphic could be a threat. Plug-ins are programs that enhance capabilities of browsers. They are

beneficial in performing tasks such as playing video clips and displaying movies. However, users download these plug-ins and

install them so their browsers can display content that is not included in the original HTML.

A virus is a form of software that attaches itself to another program that can cause damage to a host system. A

worm is a kind of virus that reproduces itself on computers that it infects. Both of these annoyances moves rapidly

through the internet. Antivirus software can detect viruses and worms and can delete them or isolate them on the

host computer so they cannot run (ex: Norton, Symantec, McAfee).

is an attachment to an email or program embedded in a web page that varifies that the sender is who they claim to be. These

certificates contain a means to send an encrypted message which is encoded so others cannot read it. The encrypted message

identifies the software publisher. They are used for many types of online transactions including email and ecom. This certificate

is an assurance that the software was created by a specific company.

Contains 6 main elements:

Certificate owner's i.d.ing info, such as name, org., address

Certificate owner's public key

Date between which the certificate is valid

Serial number of certificate

Name of the certificate issuer

Digital signature of the certificate user

includes tangible protection devices, such as alarms, guards, fireproof doors,

security fences, safes or vaults, and bombproof buildings.

Protection of assets using nonphysical means.

Rick management model applies to protecting ecom assets from all kinds of threats.

A threat is judged based on on the potential seriousness of its happening. Orgs must

identify risks, determine how to protect assets, and calculate how much to spend to

protect those assets.

Secrecy

Integrity

Necessity

Any org. concerned about protecting ecom assets should have a security policy. This policy

must be continually upgraded. First step the company must take in creating a policy is to deter-

mine which assets to protect from which threats. The comprehensive plan for security should

protect a system's privacy, integrity, and availability, and authenticate users.

Elements of a security policy:

Authentication: who is trying to access the ecom site?

Access Control: Who is allowed to log on to and access the ecom site?

Secrecy: Who is permitted to view selected info?

Data integrity: Who is allowed to change data?

Audit: Who or what causes specific events to occur, and when?

the protection of assets from unauthorized access, use, alteration, or destruction.

act or object that poses a danger to computer assets.

person or device that can listen in on and copy internet transmissions.

people who write programs or manipulate tech. to obtain unauthorized access to computers and

networks.

hackers that use their skills for positive purposes.

hackers that use their skills for ill purposes.

contents of an email that are often changed in a way that negates the message's original content.

connection between a client and server over internet where by each transmission of info is independent;

no continuous connection is maintained.

small text files that Web servers place on Web client computers to identify returning visitors.

cookie that exists only until you shut down your browser.

cookie that exists indefinitely.

cookies placed on the client computer by the Web server site.

cookies that originates on a web site other than the site being visited.

program hidden inside another program of web page that masks its true purpose.

is a trojan horse that secretly takes over another computer for the purpose of launching attacks on other computers.

browser security feature that limits the actions that can be preformed by a Java applet that has been downloaded from web.

company that issues digital certificates to an org. or individuals.