E-Commerce Security
Chapter 7: E-Commerce Security

Part 1. Overview of E-Commerce Security

Slide 3: Bringing Down an EC Site: Mere Child's Play
• On the morning of 7 February 2000, Yahoo! was attacked and was down for 3 hours.
• On 8 February, Buy.com was attacked and paralyzed; eBay was also attacked and stayed down for an entire afternoon; Amazon and CNN.com were attacked as well.
• Within 35 hours, nearly all of the top-ranked web companies had been hit.
• On 9 February, Internet performance across the United States dropped by 26.8%. Over the three days of 7, 8 and 9 February, the victim companies' losses exceeded US$1 billion.

Slide 4: Bringing Down an EC Site: Mere Child's Play (cont.)
• At 4:20 pm on 8 February, Sina was attacked and did not recover until the following afternoon.
• This large-scale attack used a new method called "distributed denial of service".
• In January 2001, MSN, MSNBC, Expedia, Hotmail, Carpoint, Homeadvisor and Windows Media were attacked and forced offline. The Canadian "Mafiaboy" admitted carrying out the February 2000 attacks.

Slide 5: Denial of Service
When some deliberate or accidental external disruption leaves a system unable to deliver the network services it should provide (for example e-mail or online functions), this is called a "denial of service" problem. Such disruption does not directly threaten information security, yet an enterprise usually has to spend a great deal of time and effort correcting the fault in order to restore normal service. During that time many business opportunities are lost, and the enterprise's reputation and image suffer badly.

Slide 6: Using Zombies in a Distributed Denial of Service Attack
[Figure] Source: Scambray et al. (2000)

Slide 7: Distributed Denial of Service
1. Probe and scan a large number of hosts, looking for targets that can be compromised;
2. Break into hosts that have security vulnerabilities and take control of them, installing an attack program on each compromised host;
3. Build a large, distributed attack network;
4. At the same moment, thousands of distributed hosts send an attack at the same target address, and the target system collapses completely.

Slide 8: Attack Sophistication vs. Intruder Technical Knowledge
[Figure] Source: Special permission to reproduce the CERT®/CC graphic © 2000 by Carnegie Mellon University, in Electronic Commerce 2002, in Allen et al. (2000).

Slide 9: Security Incident Statistics (incidents reported to CERT/CC per year)
Year   Incidents reported
1988   6
1989   132
1990   252
1991   406
1992   773
1993   1334
1994   2340
1995   2412
1996   2573
1997   2134
1998   3734
1999   9859
2000   21756
2001   52658
For details see the reports at www.cert.org and www.cert.org.cn.

Slide 10: Information Assurance
• Protect
• Detect
• React
• Restore
[Figure: the four activities drawn as a cycle: Protect, Detect, React, Restore]

Slide 11: (no content)

Slide 12: Part 2. The Current State of E-Commerce Security

Slide 13: 1. Why Now?
• Security systems are only as strong as their weakest points
• Security and ease of use (or implementation) are antithetical to one another
• Security takes a back seat to market pressures

Slide 14: Why Now? (cont.)
• Security of an EC site depends on the security of the Internet as a whole
• Security vulnerabilities are increasing faster than they can be combated
• Security compromised by common applications

Slide 15: 2. Types of Threats and Attacks
• Nontechnical attack: An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network

Slide 16: Types of Threats and Attacks (cont.)
• Technical attack: An attack perpetrated using software and systems knowledge or expertise

Slide 17: Types of Threats and Attacks (cont.)
• Malware: A generic term for malicious software
– The severity of the viruses increased substantially, requiring much more time and money to recover
– 85% of survey respondents said that their organizations had been the victims of e-mail viruses in 2002

Slide 18: Types of Threats and Attacks (cont.)
– Malicious code takes a variety of forms, both pure and hybrid
• Virus: A piece of software code that inserts itself into a host, including the operating system, to propagate; it requires that its host program be run to activate it

Slide 19: Types of Threats and Attacks (cont.)
– Worm: A software program that runs independently, consuming the resources of its host in order to maintain itself, and is capable of propagating a complete working version of itself onto another machine

Slide 20: Types of Threats and Attacks (cont.)
– Trojan horse: A program that appears to have a useful function but that contains a hidden function that presents a security risk

Slide 21: 3. Types of E-Commerce Security Problems
• Physical security problems
• Network security problems
• Data security
• The different security problems faced by the different parties to a transaction

Slide 22: Basic Security Issues
• Major security issues in EC
– Authentication
– Authorization
– Auditing
– Confidentiality or privacy
– Integrity
– Availability
– Non-repudiation

Slide 23: Types of Threats and Attacks
[Figure: the security issues placed on a transaction diagram: authentication; authentication, authorization, auditing; privacy; integrity; non-repudiation]

Slide 24: Security Requirements
• Authentication: The process by which one entity verifies that another entity is who they claim to be
• Authorization: The process that ensures that a person has the right to access certain resources

Slide 25: Biometric Controls
• Biometric systems: Authentication systems that identify a person by measurement of a biological characteristic such as a fingerprint, iris (eye) pattern, facial features, or voice

Slide 26: Biometric Controls (cont.)
• Physiological biometrics: Measurements derived directly from different parts of the body (e.g., fingerprints, iris, hand, facial characteristics)
• Behavioral biometrics: Measurements derived from various actions and indirectly from various body parts (e.g., voice scans or keystroke monitoring)

Slide 27: Biometric Controls (cont.)
• Fingerprint scanning: Measurement of the discontinuities of a person's fingerprint, converted to a set of numbers that are stored as a template and used to authenticate identity
• Iris scanning: Measurement of the unique spots in the iris (colored part of the eye), converted to a set of numbers that are stored as a template and used to authenticate identity

Slide 28: Biometric Controls (cont.)
• Voice scanning: Measurement of the acoustical patterns in speech production, converted to a set of numbers that are stored as a template and used to authenticate identity

Slide 29: Biometric Controls (cont.)
• Keystroke monitoring: Measurement of the pressure, speed, and rhythm with which a word is typed, converted to a set of numbers that are stored as a template and used to authenticate identity; this biometric is still under development

Slide 30: Security Requirements (cont.)
• A
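The distributed denial of service described on slides 5 to 7 has a signature that a site operator can look for in its own access logs: a sudden burst of requests at one target coming from many distinct source addresses at once, which is what separates it from a single busy (or misbehaving) client. The following added example is not part of the lecture; it is an illustration written for this page. It constructs a few sample log lines of an assumed format (`<ISO-8601 timestamp> <source_ip> <target_host>`), buckets them into fixed windows, and flags any (target, window) pair whose request count and distinct-source count both exceed assumed thresholds. All addresses, hostnames and thresholds are constructed.

```python
"""Added example (not from the lecture): flagging a distributed flood in
access-log lines by counting requests and distinct sources per target
inside a fixed time window."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)  # fixed reference so bucketing ignores local time zone


def build_sample_log():
    """Construct sample log lines (constructed data, not real traffic).
    Line format assumed here: '<ISO-8601 timestamp> <source_ip> <target_host>'."""
    base = datetime(2000, 2, 7, 10, 0, 0)
    lines = []
    # Ordinary traffic: five shoppers, one request each, spread over half a minute.
    for i in range(5):
        ts = base + timedelta(seconds=i * 7)
        lines.append(f"{ts.isoformat()} 198.51.100.{i + 1} shop.example")
    # Distributed flood: 30 different source addresses, two requests each,
    # all inside a ten-second burst at the same target.
    for i in range(60):
        ts = base + timedelta(seconds=20 + i % 10)
        lines.append(f"{ts.isoformat()} 10.0.{i % 30}.7 shop.example")
    # One very busy client: 60 requests from a single address to another host.
    # High volume, but a single source, so it is not a distributed flood.
    for i in range(60):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 192.0.2.5 search.example")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, source_ip, target_host)."""
    ts, src, target = line.split()
    return datetime.fromisoformat(ts), src, target


def detect_floods(lines, window_seconds=60, min_requests=50, min_sources=20):
    """Return {(target, window_start_seconds): (request_count, distinct_sources)}
    for every target/window whose request count AND distinct-source count both
    reach the thresholds. Windows are fixed-size buckets counted from EPOCH.
    The thresholds are assumed values; a real deployment tunes them to its
    own baseline traffic."""
    buckets = defaultdict(lambda: [0, set()])  # (target, window) -> [count, sources]
    for line in lines:
        ts, src, target = parse_line(line)
        seconds = int((ts - EPOCH).total_seconds())
        window_start = seconds - seconds % window_seconds
        entry = buckets[(target, window_start)]
        entry[0] += 1
        entry[1].add(src)
    return {
        key: (count, len(sources))
        for key, (count, sources) in buckets.items()
        if count >= min_requests and len(sources) >= min_sources
    }


def flagged_targets(lines, **thresholds):
    """Convenience wrapper returning just the set of target hosts flagged."""
    return {target for target, _ in detect_floods(lines, **thresholds)}


if __name__ == "__main__":
    log = build_sample_log()
    for (target, window), (count, sources) in detect_floods(log).items():
        print(f"{target}: {count} requests from {sources} sources in window {window}")
```

Run as written, the sample flags only `shop.example` (65 requests from 35 distinct sources in the window), while `search.example` stays unflagged despite 60 requests, because they all come from one address. That is the point of tracking distinct sources alongside volume: a volume-only rule would raise the same alarm for a single aggressive client as for a distributed attack, and would be the wrong signal to act on.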
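Slides 22 and 24 list authentication, authorization and auditing as separate requirements, and the distinction is easy to blur in practice: a successful login proves who a user is, not what they may do. The following added example is not from the lecture; it is written for this page to show the three as separate steps. It uses a constructed user store (names, passwords, roles and the ownership policy are all assumptions), hashes passwords with PBKDF2 from the standard library, compares hashes in constant time, and records every decision in an audit list.

```python
"""Added example (not from the lecture): authentication, authorization and
auditing kept as three separate steps over a constructed user store."""
import hashlib
import hmac
import os

AUDIT_LOG = []  # each entry is a tuple describing one decision (auditing)


def hash_password(password, salt):
    """Derive a password hash with PBKDF2-HMAC-SHA256 and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store():
    """Constructed store: username -> (salt, password_hash, role). Assumed data."""
    store = {}
    for name, password, role in [
        ("alice", "alice-pass", "customer"),
        ("bob", "bob-pass", "customer"),
        ("carol", "carol-pass", "admin"),
    ]:
        salt = os.urandom(16)
        store[name] = (salt, hash_password(password, salt), role)
    return store


def authenticate(store, username, password):
    """Authentication: verify that the claimant is who they say they are.
    Returns a user record on success, None otherwise."""
    record = store.get(username)
    if record is None:
        AUDIT_LOG.append(("auth-fail", username, "unknown user"))
        return None
    salt, stored_hash, role = record
    # Constant-time comparison so timing does not leak how much of the hash matched.
    if hmac.compare_digest(stored_hash, hash_password(password, salt)):
        AUDIT_LOG.append(("auth-ok", username))
        return {"name": username, "role": role}
    AUDIT_LOG.append(("auth-fail", username, "bad password"))
    return None


def authorize(user, resource, action):
    """Authorization: decide whether an already-authenticated user may perform
    `action` on `resource`. Assumed policy: resources look like 'orders:<owner>';
    customers may read and write only their own orders; admins may read any
    orders but may not write them."""
    if user is None:
        AUDIT_LOG.append(("authz-deny", None, resource, action, "not authenticated"))
        return False
    owner = resource.split(":", 1)[1] if resource.startswith("orders:") else None
    if user["role"] == "admin":
        allowed = action == "read"
    else:
        allowed = owner == user["name"] and action in ("read", "write")
    AUDIT_LOG.append(("authz", user["name"], resource, action, allowed))
    return allowed


if __name__ == "__main__":
    users = make_user_store()
    alice = authenticate(users, "alice", "alice-pass")
    print("alice reads own orders:", authorize(alice, "orders:alice", "read"))
    print("alice reads bob's orders:", authorize(alice, "orders:bob", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that `authorize` never re-checks the password: it trusts the record that `authenticate` produced, and it refuses outright when given no record. Keeping the two steps apart is what lets the audit trail say both *who* acted and *whether the policy permitted it*, which is the material non-repudiation and auditing on slide 22 depend on.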