IS2771/TEL2771: Security in E-Business

Michael B. Spring
IS 2870: Web Technologies and Standards
Department of Information Science and Telecommunications
University of Pittsburgh
Spring, 2006 -- 06-2

 

Introduction

Security in Electronic-Business is a graduate course on the design and implementation of information security in e‑business systems.  E-business systems include both business to business systems and business to consumer systems – more frequently classed as e-commerce.

The course assumes that students are competent programmers with a solid knowledge of operating systems. Because a lot of the examples related to security involve the C language and the Unix operating system, many of the examples given will be with respect to this language and operating system.  Students with limited C programming experience or minimal experience with UNIX workstations may take the course, but should anticipate spending significant additional time working to familiarize themselves with the environment during the first weeks of the course.

Overview

The course will focus on the technology, concepts, issues and principles that are important in the design and implementation of secure e‑commerce systems. The course will examine technology for protecting electronic commerce. It will include discussion of basic security principles, as well as the issues, policy and standards particular to e‑commerce applications.

The course is divided into five parts:

·       an overview of e‑commerce and related security principles and concepts

·       privacy and security concerns as they pertain to users

·       Web system security

·       secure e‑commerce transactions and Public Key Infrastructure

·       policy issues including legal and ethical issues

Course Goals

The goals of the course are:

·       to understand related technologies in order to develop a secure e‑commerce system

·       to understand the basic requirements for secure e-commerce systems

·       to develop an understanding of the client/server architecture and the various components used in distributed systems

·       to review areas of potential compromise in the security of client/server systems

·       to be able to analyze the vulnerabilities of a given system and make recommendations for making the system more secure

·       to describe remedies for various existing security breaches in C/S systems and to show the methodologies required to make future systems less prone to security failures and outside attack

 

Course Materials

The required book for this course is:

·       Garfinkel, Simson, Web Security, Privacy and Commerce, 2nd Edition, O’Reilly, 2002.

This book covers most of the topics I want to cover in this course. Although the book will give you the basic concepts for these topics, you will find that it does not go into much detail on many of them. I'll provide an additional reading list for these topics. Most of the reading materials are available in electronic form via the World Wide Web (WWW). Students are required to read the materials for each topic each week before coming to class.

There are a number of other books that may be helpful. These include:

·       Ford, Warwick and Michael S. Baum, Secure Electronic Commerce, Prentice Hall, 2000.

·       Ghosh, Anup K., E‑Commerce Security: Weak Links, Best Defenses. John Wiley & Sons, 1998.

·       Merkow, Mark S., Jim Breithaupt, Building SET Applications for Secure Transactions. John Wiley & Sons, 1998.

Online resources are very useful in answering questions.  Some starting points include:

·       CERT  http://www.cert.org/

·       Software Engineering Institute http://www.sei.cmu.edu

·       Computer Security Resource Clearinghouse http://csrc.nist.gov

·       Microsoft Security Center http://www.microsoft.com/security/

·       FBI's National Computer Crime Squad  http://www.emergency.com/fbi-nccs.htm

·       National Infrastructure Protection Center  http://www.fbi.gov/nipc/welcome.htm

·       The Computer Security Division of NIST  http://www.itl.nist.gov/div893/

·       Center for Education and Research in Information Assurance and Security  http://www.cerias.purdue.edu/

 

Course Prerequisites

There are several things that you should know before you take this course. The course requires a knowledge of Internet and Internet applications, especially the WWW. The course also requires a basic knowledge of the communication protocols used on the Internet. Basic programming skill in C and C++ or Java is strongly recommended.

Your knowledge of programming (particularly C) and operating systems (particularly Unix) will help you in this course. One way to gauge your readiness to take this course is to answer the following questions.  If you can't answer any of them, you will have a tough time with some of the concepts in this course.

·       What is a shell?  Which one do you use? 

·       What is a library? What is a DLL? How do you create a library?

·       What is a process?  What determines a process’s privileges? 

·       How are file protections set under Unix and Windows?

·       What is a socket? What is a port?

·       What is TCP/IP?

·       What is HTTP, HTML, CGI?

·       What is MIME?

The prerequisites for this course are:

TELCOM 2821: Network Security: Covers fundamental issues and first principles of security and information assurance (confidentiality/ privacy, integrity, authentication, identification, authorization, availability, access control).

TELCOM-2810/IS-2935: Introduction to Computer Security: This course will give you the basic concepts and an overview of information security.

It is recommended, although not required, that you take the following courses prior to or together with this course.

INFSCI 2770: Document Processing ‑ highly recommended if you want to know about HTTP, HTML and CGI programming

INFSCI 2550: Client‑Server & Workstations ‑ highly recommended if you want TCP/IP programming skills

Course Requirements

Your grade for the course will come from quizzes, participation, and projects.  Your grades will be based on the number of points you earn out of 100 with an A awarded for 90-100, a B for 80-90, a C for 65-80 and an F for 0-65.  As a general rule of thumb, the instructor views a graduate course commitment of 3 hours of homework for every hour of class time.  Thus, over the term your reading and work on projects should absorb about 135 hours.  Thus, a project worth 10 points anticipates you will spend 10 hours on it.  Well prepared students will need less time, and students with weak backgrounds will require more.  The sources of points are as follows:

1.     Brief 5-minute in-class quizzes on the assigned reading for the week.  These quizzes will be multiple choice and fill-in, and are designed to make sure that you are reading the assigned material before class.  There will likely be six such quizzes with a point value of 5/quiz for a total over the term of 30 points.

2.     Your participation in the class discussions and your overall participation in the class will be assessed by the instructor at the end of the term.  Students will be awarded from 0 to 10 points at the instructor’s discretion.

3.      Sixty (60) points will come from three projects.  The first two will be individual projects worth 10 and 20 points.  The third project, the final project, will be worth 30 points and may be an individual or a group project.  Students may select one of the listed final project options or they may propose another project.  The projects are:

a.      Develop a privacy and security policy for an e-learning website.  Your policy must be backed by a policy analysis that includes a review of at least 5 other sites with a similar focus that have privacy and security policies.

b.     Log analysis. In order to make your e‑commerce website secure, the ability to detect unusual activities occurring on your website is crucial. By carefully analyzing the Web server log files and transaction log files, unusual activities can be identified easily. In this project, you will be given a web server log file, a transaction log file, and error log files from an e‑commerce website. Your work is to conduct an analysis of the transactions generated by this e‑commerce website. You may use a spreadsheet package or write your own program to do the analysis. The analysis should present details and a summary of the activities generated on this website, e.g. name and number of files requested, name and number of client hostnames (or IP addresses), number and type of transactions, etc., using tables and graphs. The analysis should use visualization techniques to identify any unusual activities, e.g. a high number of attempts to access unrestricted area, a high number of file requests, a high number of unsuccessful transactions (such as entering an invalid credit card number), etc. (20 points)

c.      The final project will be worth 30 points.  See Appendix A for possible final projects.

Course Outline

The course outline provides a preliminary outline of the scope and sequence for the course. It is anticipated that there will be some slippage in the schedule if topics require more time than allocated. It is also anticipated that some of the topics in the course scheduled for coverage later in the term will be addressed as they come up in class discussion.

Lecture   Topic                                       Assignments

1         Introduction: E‑commerce on the Internet    WSP&C 1
2         Web Technology                              WSP&C 1-2
3         Cryptography Basics                         WSP&C 3-4
4         SSL and TLS                                 WSP&C 5
5         Biometrics and Digital Identification       WSP&C 6-7
6         Privacy and Security                        WSP&C 8-11
7         Coding Issues                               WSP&C 12-13
8         Web Server Security                         WSP&C 14-15
9         Securing Web Applications                   WSP&C 16-18
10        Content Security                            WSP&C 20-22
11        Pornography and Privacy                     WSP&C 23-24
12        Digital Payments                            WSP&C 25
13        Intellectual Property                       WSP&C 26
14        Presentations
15

Appendix A: Possible Final Projects

1.     A security implementation plan for a website

2.     Public‑Key Infrastructure (PKI) development plan proposal. This should be a significant indication of your ability to apply your knowledge and your understanding from this course to the real world. You will be given a scenario in which you are a committee of the PKI working group of your country. Your job is to write a proposal for a plan to employ PKI technology in your country. The proposal should provide the following information:

·       objectives      

·       design of Certificate Authorities (CA) structures

·       the reasons you choose the structure of your choice (advantages vs. disadvantages)

·       policies and functions of the CA in each level of the structure

·       technologies you want to employ, for example, encryption standards, smart card standards, etc., and why these technologies are needed.