Computer security
Logical security - protection of assets from unauthorized access, use, alteration, or destruction. Physical security includes tangible protection devices, such as alarms, guards, fireproof doors, etc.
Managing Risk
Countermeasure - a procedure, either physical or logical, that recognizes, reduces, or eliminates a threat.
Four ways to manage a risk (see Figure 10-1, p. 441):
- Contain and control
- Prevent
- Ignore
- Insurance or backup plan
Threats include eavesdroppers - an eavesdropper is a person or device that can listen in on and copy Internet transmissions. Hackers create these devices.
Computer security is divided into three categories:
Secrecy - protecting against unauthorized data disclosure and ensuring the authenticity of the data source
Integrity - preventing unauthorized data modification
Necessity - preventing data delays or denials (removal)
Man-in-the-middle exploit - an e-mail message is intercepted and its contents are changed before it is forwarded.
A security policy is a written statement describing which assets to protect and why they are being protected, who is responsible for that protection, and which behaviours are acceptable and which are not.
First step - determine which assets to protect from which threats, e.g. credit card numbers should be protected from eavesdroppers.
Next - the organization determines what resources are available to protect the assets identified.
Finally - the organization commits resources to building or buying software, hardware, and physical barriers that implement the security policy.
A security policy covers several security areas:
Authentication - who is trying to access the e-commerce site
Access control - who is allowed to log on to and access the site
Secrecy - who is permitted to view selected information
Data integrity - who is allowed to change data
Audit - who or what causes specific events to occur
Security for Client Computers
Cookies
HTTP is stateless - each transmission of information is independent and there is no continuous connection, so cookies are used to carry state for things such as shopping carts and payment processing.
Session cookies - exist only until the web client ends its connection (e.g. shopping cart)
Persistent cookies - remain on the client computer indefinitely (e.g. recognizing login information)
First-party cookies - placed on the client computer by the web server of the site being visited
Third-party cookies - originate on a web site other than the site being visited
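As an added example (not from the original notes or the textbook they summarize), the following JavaScript classifies a Set-Cookie header the way the notes distinguish cookies: a cookie with neither Expires nor Max-Age is a session cookie, one with either is persistent, and one set by a host outside the site being visited is third-party. The helper names, the crude two-label "site" rule, and the sample headers are all constructed for this example.

```javascript
// Added example: classify Set-Cookie headers as session/persistent and
// first-/third-party. Helper names and sample headers are constructed here.

// Split "name=value; Attr1=x; Attr2" into a name, a value and lowercase attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eqName = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eqName).trim(),
    value: parts[0].slice(eqName + 1),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    cookie.attributes[key] = eq === -1 ? true : attr.slice(eq + 1).trim();
  }
  return cookie;
}

// Approximate the "site" of a host by its last two labels (assumption: real
// browsers consult the Public Suffix List; this is good enough for a demo).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// settingHost: the server that sent the header; pageHost: the site being visited.
function classifyCookie(header, settingHost, pageHost) {
  const cookie = parseSetCookie(header);
  const a = cookie.attributes;
  // Max-Age wins over Expires (RFC 6265); a Max-Age <= 0 deletes the cookie.
  const maxAge = 'max-age' in a ? Number(a['max-age']) : null;
  const persistent = maxAge !== null ? maxAge > 0 : 'expires' in a;
  return {
    name: cookie.name,
    persistent,                       // false -> session cookie
    thirdParty: siteOf(settingHost) !== siteOf(pageHost),
    secure: 'secure' in a,            // only sent over HTTPS
    httpOnly: 'httponly' in a,        // not readable by page scripts
  };
}

// Constructed sample headers, each paired with the host that set it and the page host.
const SAMPLES = [
  // Shopping-cart session cookie from the shop itself.
  ['cart=abc123; Path=/; Secure; HttpOnly', 'shop.example.com', 'shop.example.com'],
  // "Remember me" persistent cookie from the shop (one year).
  ['remember=u42; Max-Age=31536000; Path=/; Secure; HttpOnly', 'shop.example.com', 'shop.example.com'],
  // Tracking cookie set by a web bug hosted on another site.
  ['track=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/', 'img.tracker-example.net', 'shop.example.com'],
];

function classifyAll(samples) {
  return samples.map(([header, setter, page]) => classifyCookie(header, setter, page));
}

console.log(classifyAll(SAMPLES));
```

The third sample is the web-bug case from the notes: the tracking cookie is both persistent and third-party, which is exactly the combination that lets a site other than the one being visited recognize the client across visits.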
A web bug is a tiny graphic that a third-party web site places on another web page.
Active content - programs that are embedded transparently in web pages and that cause actions to occur, such as displaying moving graphics, downloading files, and playing audio.
- Malicious active content includes Trojan horses and zombies.
Java applets are active content developed by Sun Microsystems.
- The Java sandbox protects the client computer, because Java programs are downloaded and run on the client's computer, where security violations could occur.
JavaScript is a scripting language developed by Netscape to enable web page designers to build active content. It can be used to attack by executing code that destroys the client's hard disk, discloses stored e-mails, or sends sensitive information. It cannot attack unless the page containing it is opened.
ActiveX controls contain programs and properties that web designers place on web pages to perform particular tasks.
A digital certificate is an attachment to an e-mail message or a program embedded in a web page that verifies the sender or web site; it "signs" the message or code.
Steganography is the process of hiding information within another piece of information.
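To make the steganography definition concrete, here is an added Node.js example (not from the original notes) of the simplest form, least-significant-bit hiding: each bit of the secret replaces the low bit of one byte of a "cover" buffer standing in for raw pixel or audio samples. Each sample changes by at most 1, which a viewer would never notice but which a hash of the file does detect. The function names, the cover data and the secret are constructed for this example.

```javascript
// Added example: least-significant-bit (LSB) steganography on a byte buffer.
// The buffer stands in for raw pixel or audio samples. Function names, the
// cover bytes and the secret message are constructed for this demo.

// Hide `message` in a copy of `cover`: a 2-byte length header, then the message
// bytes, one bit per cover byte, most significant bit first.
function hideMessage(cover, message) {
  const body = Buffer.from(message, 'utf8');
  if (body.length > 0xffff) throw new Error('message too long for 2-byte header');
  const header = Buffer.from([body.length >>> 8, body.length & 0xff]);
  const payload = Buffer.concat([header, body]);
  const bitsNeeded = payload.length * 8;
  if (bitsNeeded > cover.length) throw new Error('cover too small for message');
  const stego = Buffer.from(cover); // work on a copy, leave the cover untouched
  for (let i = 0; i < bitsNeeded; i++) {
    const bit = (payload[i >> 3] >> (7 - (i & 7))) & 1;
    stego[i] = (stego[i] & 0xfe) | bit; // clear the low bit, then set it to our bit
  }
  return stego;
}

// Recover the message by reading the low bit of each byte back into bytes.
function revealMessage(stego) {
  const readByte = (index) => {
    let b = 0;
    for (let k = 0; k < 8; k++) b = (b << 1) | (stego[index * 8 + k] & 1);
    return b;
  };
  const length = (readByte(0) << 8) | readByte(1);
  const out = Buffer.alloc(length);
  for (let i = 0; i < length; i++) out[i] = readByte(2 + i);
  return out.toString('utf8');
}

// Largest per-byte change between cover and stego: always 0 or 1 for LSB hiding,
// which is why the carrier looks and sounds unchanged.
function maxByteDelta(a, b) {
  let max = 0;
  for (let i = 0; i < a.length; i++) max = Math.max(max, Math.abs(a[i] - b[i]));
  return max;
}

// Constructed cover: 256 deterministic "samples".
const COVER = Buffer.from(Array.from({ length: 256 }, (_, i) => (i * 37 + 11) & 0xff));
const SECRET = 'meet at 9';

const stegoBuffer = hideMessage(COVER, SECRET);
console.log('recovered:', revealMessage(stegoBuffer));
console.log('max byte change:', maxByteDelta(COVER, stegoBuffer));
```

The maxByteDelta result is the point for a defender: the carrier differs from the original by at most one unit per sample, so visual inspection fails while any integrity check that compares a hash of the file against a known-good value succeeds.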
Communication Channel Security
Sniffer programs record information that passes through a computer.
Backdoors are holes in software, either accidentally left open or intentional.
Integrity threats include active wiretapping, in which an unauthorized party alters a stream of message information; cybervandalism, which is defacing existing web pages; and phishing expeditions, which capture confidential customer information.
Hash coding, asymmetric encryption, symmetric encryption - see p. 468
Wednesday, March 26, 2008