Matakuliah
Tahun
Versi
: M0284/Teknologi & Infrastruktur E-Business
: 2005
: <<versi/revisi>>
Pertemuan 9
Network Security and E-Commerce
1
Learning Objectives
• Estimate the technical security requirements for
a network.
• Evaluate the business impact of security
decisions.
• Conduct a security audit of a small network.
• Control access to the computing resources.
• Establish acceptable security solutions.
2
Internet Security Requirements
• Secrecy
– Deals with the protection of information due to
unauthorized disclosure and the authentication of the
data source.
• Integrity
– Addresses the validity of data and the guarantee that
the data have not been tampered during transfer.
• Availability
– Insurance that the site will be reachable in a timely
manner when the user is a legitimate stakeholder.
“Faulty Security has a impact on Business”
3
Security Threats
• Loss, Damage, or Distortion of Data via
Hackers
• Risks from Viruses
• Unauthorized Access to the System
• Financial Loss to Company or Customers
• Breaches of Personal Privacy
4
Security Policy Development
• Administrative Security
• Network Security
5
Security Policy Development
Administrative Security
• What services are required by the
business and how can they be met
securely?
• How much do employees depend on the
Internet and the use of e-mail?
• Do users rely on remote access to the
internal network?
• Is access to the Web required?
• Are customers supported through the
Web?
6
Security Policy Development
Administrative Security
• Root policies must include
– Security architecture guide.
– Incident-response procedures.
– Acceptable use procedures.
– System administration procedures.
– Other management procedures.
7
Security Policy Development
Network Security
• All systems and servers have their own
weaknesses.
– Establish steps to harden the system
• Limit exposed services/processes
– Follow update/patching warning
• From software publisher
• From security community
– Monitor security listserv
– Apply timely patches or use third party utility
8
Network Security
• Systems documentation
– Software provider security documentation
– Book Publisher title specific to security, OS,
NOS, web server, applications
– Subscription to security services
– Apply advice explained in documentation
• E.g. do not run unnecessary services
– Obtain documentation for update (pros &
cons)
• Security patches
• New security issues
9
Network Security
• User access lists
– Users should have limited access to resources
– Access control list is compilation of access control
entries
– Access control entries contains following
• A SID, that identifies the trustee. A trustee can be a
user account, group account, or a logon account
for a program such as a Windows NT service.
• An access mask specifying access rights
controlled by the ACE.
• Flags that indicates the type of ACE and flags that
determine whether other objects or containers can
inherit the ACE from the primary object to which
the ACL is attached.
10
Network Security
• Assets access control
• Assets list with who, when, how access is
provided
11