ec07电子商务安全

E-CommerceSecurityChapter7E-CommerceSecurity第七章电子商务安全E-CommerceSecurity一、电子商务的安全概述E-CommerceSecurity3击垮电子商务网站：儿戏而已（BringingDownanECSite:MereChild’sPlay）•2000年2月7日上午Yahoo!遭攻击停机3个小时。•2月8日，Buy.com受到攻击陷于瘫痪，eBay也遭到攻击停机持续了一个下午，Amazon和CNN．Com也遭受攻击。•在35个小时之内，网站排名名列前茅的公司几乎全部罹难。•2月9日，全美因特网运行性能下降26.8%。在2月7、8、9日这三天，受害公司的损失超过了10亿美元。E-CommerceSecurity4•2月8日下午4点20分，新浪被袭，直到第二天下午才恢复正常。•这次大规模攻击使用的是一种叫“分布式拒绝服务”的新方法。•2001年1月，MSN、MSNBC、Expedia、Hotmail、Carpoint、Homeadvisor和Windowsmedia受到攻击被迫中断。而加拿大“黑手党男孩”承认进行了2000年2月的攻击。击垮电子商务网站：儿戏而已（BringingDownanECSite:MereChild’sPlay）E-CommerceSecurity5拒绝服务由于某种有意或无意的外界破坏，导致系统无法完成应有的网络服务项目（例如电子邮件或是联机功能等），即称为“拒绝服务”问题。此类破坏虽未直接威胁到信息安全，然而企业却往往需要耗费大量时间和精力来弥补错误，以恢复正常的服务。而在此期间，许多商机白白错过了，企业的商誉和形象也会大打折扣。UsingZombies(受控端)inaDistributedDenialofServiceAttackSource:Scambrayetal.(2000)E-CommerceSecurity7分布式拒绝服务1.探测扫描大量主机以寻找可入侵的目标；2.入侵有安全漏洞的主机并获取控制权，在每台入侵主机中安装攻击程序；3.构造庞大的、分布式的攻网；4.在同一时刻，由分布的成千上万台主机向同一目标地址发出攻击，目标系统全线崩溃。E-CommerceSecurity8AttackSophisticationvs.IntruderTechnicalKnowledgeSource:SpecialpermissiontoreproducetheCERT©/CCgraphic©2000byCarnegieMelonUniversity,inElectronicCommerce2002inAllenetal.(2000).E-CommerceSecurity9信息安全事件统计年份事件报道数目19886198913219902521991406199277319931334199423401995241219962573199721341998373419999859200021756200152658详见：www.cert.orgwww.cert.org.cn有关报告E-CommerceSecurity10信息保障•InformationAssurance•保护（Protect）•检测（Detect）•反应（React）•恢复（Restore）保护Protect检测Detect反应React恢复RestoreE-CommerceSecurity11E-CommerceSecurity二、电子商务安全的现状E-CommerceSecurity131.WhyNow?•Securitysystemsareonlyasstrongastheirweakestpoints•Securityandeaseofuse(orimplementation)areantitheticaltooneanother•SecuritytakesabackseattomarketpressuresE-CommerceSecurity14WhyNow?(cont.)•SecurityofanECsitedependsonthesecurityoftheInternetasawhole•Securityvulnerabilitiesareincreasingfasterthantheycanbecombated•SecuritycompromisedbycommonapplicationsE-CommerceSecurity152.TypesofThreatsandAttacks•Nontechnicalattack（非技术性攻击）:Anattackthatuseschicanery（欺骗）totrickpeopleintorevealingsensitiveinformationorperformingactionsthatcompromisethesecurityofanetworkE-CommerceSecurity16TypesofThreatsandAttacks(cont.)•Technicalattack（技术性攻击）:AnattackperpetratedusingsoftwareandsystemsknowledgeorexpertiseE-CommerceSecurity17TypesofThreatsandAttacks(cont.)•Malware:Agenerictermformalicioussoftware（恶意软件）–Theseverityofthevirusesincreasedsubstantially,requiringmuchmoretimeandmoneytorecover–85%ofsurveyrespondentssaidthattheirorganizationshadbeenthevictimsofe-mailvirusesin2002E-CommerceSecurity18TypesofThreatsandAttacks(cont.)–Maliciouscode（恶意代码）takesavarietyofforms—bothpureandhybrid•Virus:Apieceofsoftwarecodethatinsertsitselfintoahost,includingtheoperatingsystems,topropagate;itrequiresthatitshostprogramberuntoactivateitE-CommerceSecurity19TypesofThreatsandAttacks(cont.)–Worm:Asoftwareprogramthatrunsindependently,consumingtheresourcesofitshostinordertomaintainitselfandiscapableofpropagatingacompleteworkingversionofitselfontoanothermachineE-CommerceSecurity20TypesofThreatsandAttacks(cont.)–Trojanhorse:AprogramthatappearstohaveausefulfunctionbutthatcontainsahiddenfunctionthatpresentsasecurityriskE-CommerceSecurity213.电子商务安全问题的类型•物理安全问题•网络安全问题•数据的安全性•对交易不同方表现的不同安全问题E-CommerceSecurity22BasicSecurityIssues•MajorsecurityissuesinEC–Authentication（认证）–Authorization（授权）–Auditing（审查）–Confidentialityorprivacy（机密性/隐私）–Integrity（完整性）–Availability（有效性）–Non-repudiation（防抵赖）E-CommerceSecurity23TypesofThreatsandAttacks认证认证、授权、审查隐私完整性隐私完整性防抵赖E-CommerceSecurity24SecurityRequirements•Authentication(认证):Theprocessbywhichoneentityverifiesthatanotherentityiswhotheyclaimtobe一方证明另一方的真实性的过程•Authorization（授权）:Theprocessthatensuresthatapersonhastherighttoaccesscertainresources确认某人有权访问特定资源的权限E-CommerceSecurity25BiometricControls•Biometricsystems:Authenticationsystemsthatidentifyapersonbymeasurementofabiologicalcharacteristicsuchasafingerprint,iris(eye)pattern,facialfeatures,orvoiceE-CommerceSecurity26BiometricControls(cont.)•Physiologicalbiometrics:Measurementsderiveddirectlyfromdifferentpartsofthebody(e.g.,fingerprints,iris,hand,facialcharacteristics)•Behavioralbiometrics:Measurementsderivedfromvariousactionsandindirectlyfromvariousbodyparts(e.g.,voicescansorkeystrokemonitoring)E-CommerceSecurity27BiometricControls(cont.)•Fingerprintscanning:Measurementofthediscontinuitiesofaperson’sfingerprint,convertedtoasetofnumbersthatarestoredasatemplateandusedtoauthenticateidentity•Irisscanning:Measurementoftheuniquespotsintheiris(coloredpartoftheeye),convertedtoasetofnumbersthatarestoredasatemplateandusedtoauthenticateidentityE-CommerceSecurity28BiometricControls(cont.)•Voicescanning:Measurementoftheacousticalpatternsinspeechproduction,convertedtoasetofnumbersthatarestoredasatemplateandusedtoauthenticateidentityE-CommerceSecurity29BiometricControls(cont.)•Keystrokemonitoring:Measurementofthepressure,speed,andrhythmwithwhichawordistyped,convertedtoasetofnumbersthatarestoredasatemplateandusedtoauthenticateidentity;thisbiometricisstillunderdevelopmentE-CommerceSecurity30SecurityRequirements(cont.)•A