Most card issuers will need some form of card management system (CMS) that allows them to keep track of the cards they have issued, expiry dates, etc. The CMS may also contain the details on the card, or may refer to another database (for example, a personnel database) that contains this information. The CMS may also include functions for maintaining the data (for example, name and address data), but for larger systems this is more often regarded as a separate customer management function.
For complex applications such as credit-card issuing, the CMS may link to several other systems, such as an authorisation system, call centre, statement and mailing management.
A CMS for magnetic stripe cards is usually a fairly simple ‘flat’ file structure, providing a link between the card number and the external data. With this kind of structure it is quite easy to give a call centre, for example, limited read-only access and the ability to make notes linked to the card or account, but they cannot affect transactions carried out by the card. The CMS can also act as the interface to a bureau or outside processor, so that the card issuer maintains the database but the bureau handles all the card-related functions.
Additional functions for smart-card management
When an issuer moves to a smart-card platform, it often assumes that it will need a smart-card management system (SCMS).
Data to be accessed via communication networks or transmitted over public networks must be protected against unauthorized access, misuse, and modification. Security protection requires three mechanisms: enablement, access control, and trust management. Enablement implies that a cohesive security policy has been implemented and that an infrastructure to support the verification of conformance with the policy is deployed. Perimeter control determines the points of control, the objects of control and the nature of control to provide access control and perform verification and authorization. Trust management allows the specification of security policies relevant to trust and credentials. It ascertains whether a given set of credentials conforms to the relevant policy, delegates trust to third parties under relevant conditions, and manages dynamically, if needed, the level of trust assigned to individuals and resources in order to provide authorization.
Public key infrastructures (PKIs) represent an important tool to be used in enablement, while biometric-based infrastructures are gaining an important role in providing robust access control. Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic. Biometric-based solutions are able to provide for confidential financial transactions and personal data privacy. The need for biometrics can be found in electronic governments, in the military, and in commercial applications. In addition, trust management systems start to be used in a large set of environments such as electronic payment and healthcare management, where transactions and accesses are highly sensitive.
The Internet is growing to become the major means through which the services can be delivered electronically to businesses and customers. System vendors and service providers are pushing toward the definition of protocols, languages, and tools that support the improvement, use, and operation of electronic services. The main goal of the e-service paradigm is to provide the opportunity for defining value-added composite services by integrating other basic or composite services. However, security issues need to be addressed within such an open environment.
Introduction
The notion of service is getting increasingly valuable to many fields of communications and information technology. Nowadays, the current developments in service provision through communication networks are moving from tightly joined systems towards services of loosely linked and dynamically related components. The major evolution in this category of applications is a new paradigm, called e-service, for which project developers and service providers are pushing for the definition of techniques, methods, and tools as well as infrastructures for supporting the design, development, and operation of e-services. Also, standards bodies are pressing to specify protocols and languages to help the deployment of e-services.
E-services are self-contained and modular applications. They can be accessed via Internet and can provide a set of useful functionalities to businesses and individuals. Particularly, recent approaches to e-business typically view an e-service as an abstraction of a business process, in the sense that it represents an activity executed within an organization on behalf of a customer or another organization.
Public key cryptosystems represent a basic tool for the implementation of useful security services that are able to protect the resources of an organization and provide an efficient security for the services and Web sites that an enterprise may offer on the Internet. This chapter describes the main components, functions, and usage of a public key cryptosystem. It also discusses some major attacks that have been developed to reduce cryptosystem efficiency.
Introduction
A text containing data that can be read and understood without any special measure is called plaintext. The method of transforming a plaintext in a way that hides its content from unauthorized parties is called encryption. Encrypting a plaintext results in unreadable text called ciphertext. Therefore, encryption is used to ensure that information is hidden from anyone for whom it is not intended, including those who can capture a copy of the encrypted data (while it is flowing through the network). The process of reverting the ciphertext to its original form is called decryption. Cryptography can be defined as the science of using mathematics to encrypt and decrypt data. Cryptography securely provides for the storage of sensitive information and its transmission across insecure networks, like the Internet, so that it cannot be read (in its original form) by any unauthorized individual (Menezes et al., 1996).
A cryptographic algorithm, also called cipher, is a mathematical function used in the encryption and decryption processes.
In enterprise systems, a security exposure is a form of possible damage in the organization's information and communication systems. Examples of exposures include unauthorized disclosure of information, modification of business or employees' data, and denial of legal access to the information system. A vulnerability is a weakness in the system that might be exploited by an adversary to cause loss or damage. An intruder is an adversary who exploits vulnerabilities, and commits security attacks on the information/production system.
Electronic security (e-security) is an important issue to businesses and governments today. E-security addresses the security of a company, locates its vulnerabilities, and supervises the mechanisms implemented to protect the on-line services provided by the company, in order to keep adversaries (hackers, malicious users, and intruders) from getting into the company's networks, computers, and services. E-service is a very closely related concept to e-privacy and it is sometimes hard to differentiate them from each other. E-privacy issues help tracking users or businesses and what they do on-line to access the enterprise's web sites.
Keeping the company's business secure should be a major priority in any company, no matter how small or large the company's business is, and no matter how open or closed the company network is. To this end, a security policy should be set up within the company to include issues such as password usage rules, access control, data security mechanisms and business transaction protection.
This chapter discusses the importance and role of e-security in business environments and networked systems. It presents some relevant concepts in network security and subscribers' protection. It also introduces some basic terminology that is used throughout the book to define service, information, computer security, and network security. This chapter aims at providing self-contained features to this book.
Introduction
Every organization using networked computers and deploying an information system to perform its activity faces the threat of hacking from individuals within the organization and from outside it. Employees (and former employees) with malicious intent can represent a threat to the organization's information system, its production system, and its communication networks. At the same time, reported attacks start to illustrate how pervasive the threats from outside hackers have become. Without proper and efficient protection, any part of any network can be prone to attacks or unauthorized activity. Routers, switches, and hosts can all be violated by professional hackers, a company's competitors, or even internal employees. In fact, according to various studies, more than half of all network attacks are committed internally.
One may consider that the most reliable solution to ensure the protection of organizations' information systems is to refrain from connecting them to communication networks and keep them in secured locations. Such a solution could be an appropriate measure for highly sensitive systems.
Data that can be accessed on a network or that are transmitted on the network, from one edge node to another, must be protected from fraudulent modification and misdirection. Typically, information security systems require three main mechanisms to provide adequate levels of electronic mitigation: enablement, perimeter control, and intrusion detection and response. Enablement implies that a cohesive security plan has to be put in place with an infrastructure to support the execution of such a plan. The public key infrastructure (PKI) being discussed in this chapter falls under the first approach.
Introduction
One of the most decisive problems in business transactions is the identification of the principal (individual, software entity, or network entity) with which the transaction is being performed. As the traditional paperwork in business is moving to electronic transactions and digital documents, so must the reliance on traditional trust objects be converted to electronic trust, where security measures to authenticate electronic business actors, partners, and end-users before their involvement in the exchange of information, goods, and services are provided. Moreover, the obligation to provide confidentiality and confidence in the privacy of exchanged information is essential. Extending this list of security services should include the necessity to establish the non-repudiation of transactions, digitally attest the validity of transactions by trusted third parties, or securely time-stamp transactions.
Biological features have been investigated extensively by many researchers and practitioners in order to identify the users of information, computer, and communications systems. There are an increasing number of biometric-based identification systems that are being developed and deployed for both civilian and forensic applications. Biometric technology is now a multi-billion dollar industry and there is extensive Federal, industrial, business and academic research funding for this vital technology especially after September 2001.
An automated biometric system uses biological, physiological or behavioral characteristics to automatically authenticate the identity of an individual based on a previous enrollment event. In this context, human identity authentication is the focus. However, generally this should not necessarily be the case.
This chapter aims at reviewing state-of-the-art techniques, methodologies, and applications of biometrics to secure access to e-based systems and computer networks. It will also shed some light on its effectiveness and accuracy of identification as well as trends, concerns, and challenges.
Introduction
Biometrics deals with the process of identifying persons based on their biological or behavioral characteristics. This area has recently received a great deal of attention due to its ability to give each person unique and accurate characteristics. Moreover, the cost of implementing such technology to identify people has decreased tremendously. Biometrics techniques have been widely accepted by the public due to their strengths and robustness (Obaidat, 1997; Obaidat, 1999).
Identifying the identity of an individual involves solving two major issues: (a) verification, and (b) recognition.
During the past few decades, there has been significant interest in malicious computer programs. As the number of these programs keeps on increasing, efficient software solutions are needed to protect the enterprise from other living software without excessive requirement of user intervention. This chapter discusses malware definition and classification. It describes the ways that major classes of malware (e.g., viruses, worms, and Trojans) are built and propagated. It finally discusses the protection measures that an enterprise needs to develop to protect against the destruction such malware causes. It also develops a non-exhaustive set of guidelines to be followed.
Introduction to malware
Malicious software, often referred to as malware, is defined as a program or part of a program that executes unauthorized commands, generally with some malicious intention. Types of malware can be classified based on how they execute their malicious actions and propagate themselves. Viruses, worms, Trojan horses, and backdoors are the major examples of malware (Garetto et al., 2003). Other malware related terms include malcode and malware payload. Malcode refers to the programming code that contains the malware logic, while the malware payload represents the malicious action it is designed to realize (Briesemeister et al., 2003; Anagnostakis et al., 2003).
A malware can damage the host on which it is running by corrupting files and programs or over-consuming resources. Typically, this is done while the malware is avoiding the complete devastation of the host because a system failure would prevent the ability of the malware to propagate further.
This chapter deals with virtual private networks (VPNs), which have become more and more important for all kinds of businesses with a wide spectrum of applications and configurations. This chapter presents the basics and techniques of virtual private networks. We also review VPN services that include Intranet, Extranet and Remote Access VPNs. Security concerns that arise when transmitting data over shared networks using VPN technology are also addressed in detail. The fundamental VPN models, namely the peer and the overlay model are treated as well. The protocols employed in VPNs such as PPTP and L2TP as well as security aspects are also discussed. It is expected that VPNs will be in a position to support a set of QoS levels. We treat this subject in a dedicated section. We conclude this chapter by summarizing the main advantages and challenges of VPNs.
Introduction
A Virtual Private Network (VPN) is a private network connecting different sites or corporate offices by using public telecommunication infrastructure (Internet) using encryption and tunneling protocol procedures for secured and reliable connectivity. One other definition states that a VPN is a private data network that makes use of the public telecommunications, maintaining privacy through the use of tunneling protocol and security procedures. Others have defined a virtual private network as a network that allows two or more private networks to be connected over a publicly accessed network (Papadimitriou et al., 2004; Metz, 2003; Ferguson and Huston, 1998; Hunt and Rodgers, 2004; Arora et al., 2001).
Intrusion detection systems analyze an e-based computer and network system and user operations in search of activity considered undesirable from a security point of view. Because of the complicated structures of attacks, data sources for intrusion detection may include audit information, network traffic, application logs or data collected from file system alteration monitors. Generated alerts are correlated in order to reduce the number of false alarms, detect efficiently multi-action attacks, and propose responses to intrusions.
Introduction
Intrusion detection is the process designed to monitor, analyze, and correlate the information events that occur in a network or a computer system, in order to detect malicious computer and network activities, find signs of intrusions and trigger (or propose) immediate responses to protect the system under monitoring. An intrusion is defined as an attempt to compromise the confidentiality, integrity, availability of a system or to go around the security mechanisms of the system. An intrusion is performed by an adversary accessing the system remotely, an authorized user trying to gain additional privileges that they are not allowed to have, or an authorized user misusing the privilege he is granted. Intrusion detection allows enterprises to defend their information systems against threats.
Although the current intrusion detection technologies cannot provide complete protection against attacks, they enhance the protection capabilities of enterprises and complement the myriad of security solutions. Intrusion detection products, however, are different from other security products.
Governments worldwide have dedicated efforts to delivering their services in ways that meet the needs of the businesses and citizens they serve, in order to enable them to interact securely in places and at times that are convenient to them. It is commonly agreed that bringing trust and confidence is essential to increase the uptake of e-government services. This chapter provides key support to service providers wishing to provide e-government services in a trusted manner. It lays the foundations for enabling secure services that will really transform the way citizens and businesses interact with government.
Introduction
E-government aims to provide a non-stop government information service. The goal is to create a friendly, easy-to-use tool for the public and businesses to locate information and use services made available on the net by government agencies. It aims to provide a large spectrum of public information, authorize greater and better access to this information, and give more convenience to government services. E-government projects were started in the mid-1990s in various countries. Each country has assigned its own project with varying focuses, applications, and security mechanisms. Nowadays, some of these projects are in their operational phase, while others are still in the design or prototyping phases. However, as computer power is growing cheaper and computer networks are becoming larger and more efficient, many threats against e-government have been observed lately. Threats unfortunately tend to reduce the efficiency of e-government and limit its promises.
The Internet is growing to be the major means through which the services can be delivered electronically to businesses and customers. Today, the current developments in service provision through communication networks are moving from tightly joined systems towards services of loosely linked and dynamically bound components. The evolution in this category of applications is represented by a new paradigm, the so-called e-service, for which project developers and service providers are encouraging the definition of techniques, design of methods, and construction of tools as well as infrastructures for supporting the design, development, and operation of e-services and e-government systems. The development of e-services can increase the business opportunity for making available value-added e-services by: composing existing e-services (which may be supplied by different providers), customizing and updating e-services, or creating them from formal specifications.
Service composition appears to be an important issue that can provide a competitive advantage for organizations since they can reduce the needed effort and increase the efficiency of e-services to build. Recently, many e-services have been made publicly accessible and therefore are offered in an unsecured manner. However, some among these e-services will need to use encrypted communications and authentication services. To provide security mechanisms for the operation of e-services at a low level granularity, it is important to define: (a) how the e-services authenticate customers in a reasonable fashion; (b) how e-services' standards address the problem of securing the assets in offering e-services; and (c) how cryptographic elements are managed and distributed.
This chapter considers the techniques developed to provide assurance that the identity of a user is as declared and that a transmitted message has not been changed after its signature. This prevents impersonation and maintains message integrity. Weak authentication and strong authentication schemes are addressed and the most common authentication services are also elaborated on in this chapter.
Introduction
As stated in the previous chapters, entity authentication can be defined as the process through which the identity of an entity (such as an individual, a computer, an application, or a network) is demonstrated. Authentication involves two parties, a prover (called also claimant) and a verifier (called also recipient). The prover presents its identity and a proof of that identity. The verifier ensures that the prover is, in fact, who he/she claims to be by checking the proof. Authentication is distinct from identification, which aims at determining whether an individual is known to the system. It is also different from authorization, which can be defined as the process of granting the user access to specific system resources based on his/her profile and the local/global policy controlling the resource access. In the following sections, however, we will use the terms identification and authorization to designate the same concept.
Message authentication, on the other hand, provides the assurance that a message has not been modified during its transmission.
The use of communication technologies has become a crucial factor that is able to considerably improve and affect the productivity of an organization. The need to secure information systems and networked infrastructures is now commonplace in most enterprises. This is essentially due to the importance of the information transmitted across communication networks and stored in networked servers. As a consequence, strong links are being built between security and the enterprise business activity and various tools have been made available for enterprises. These tools include, but are not limited to, filters and firewalls, intrusion detection systems, anti-malicious software systems, virtual private networks and risk management systems.
Intrusion detection systems analyze system and user operations in computer and network platforms in search for an activity that can be considered undesirable from a security point of view. Because of the complicated structures of attacks, data sources for intrusion detection include audit information, network traffic, application logs, and data collected from monitors controlling system behavior. Generated alerts are correlated in order to reduce the number of false alarms, detect efficiently multi-action attacks, and propose responses to the detected intrusions. On the other hand, risk management, which is the discipline that deals with the determination of vulnerabilities and threats, is an important aspect in securing enterprises. It integrates a list of architectures, techniques, and models to evaluate properly whether a current state of an enterprise is encountering threats.
The use of communication technologies to conduct business has become a crucial factor that can significantly increase productivity. The need to secure information systems and networked infrastructures is now a common preoccupation in most enterprises. As a result, strong links are being established between security issues, communication technologies, an enterprise's security policy, and an enterprise's business activity. Risk management has become an important procedure for any enterprise that relies on the Internet and e-means in its daily work. Risk management determines the threats and vulnerabilities of any e-based system. It also integrates architectures, techniques, and models. This chapter attempts to deal with all of the above concepts and techniques.
Introduction
The development of information and communication technologies, especially the Internet, has prompted enterprises to redesign their communication infrastructure in order to take benefit of this visibility factor and re-engineer their business processes by implementing projects online, managing virtual enterprises, and externalizing their activities. Renovation and ICT use have contributed significantly to the success of many companies. Nevertheless, the current growth of digital attacks has caused decision makers in enterprises to doubt the confidence in information technology. In fact, security incidents that occurred recently (as discussed in the previous chapters) have emphasized three important facts: (a) computer network attacks can induce huge damage on business activity, (b) many of the attacked enterprises had active security infrastructures at the moment the security incident occurred, and (c) security infrastructure costs vary highly from one enterprise to the other based on the security policy adopted and the nature of the activity performed by the enterprise.
Security of e-based systems and computer networks has become an important issue recently due to the increased dependence of organizations and people on such systems. The risk of accessing an e-commerce, or e-government system or Web site ranges from invasion of privacy and loss of money to exposing national security information and catastrophe. E-security solutions aim to provide five important services: authentication of users and actors, integrity, confidentiality of communication, availability of business services and non-repudiation of transactions. Most e-security solutions that are provided by the literature use two main cryptographic techniques: public key cryptosystems and digital signatures. Efficient solutions also should be compliant with the national legal framework.
Multibillion-dollar investments are being made in computer networks and e-systems; therefore, securing them is vital to their proper operation as well as to the future of the organizations and companies and national security. Due to the difficulties in securing the different platforms of e-systems, and the increasing demand for better security and cost-effective systems, the area of e-system and network security is an extremely rich field for research, development and investment. Security of e-systems provides in-depth coverage of the wide range of e-system security aspects including techniques, applications, trends, challenges, etc.
This book is the first book that is dedicated entirely to security of e-systems and networks. It consists of four main parts with a total of 14 chapters.
Chapter 1 describes the importance of system security and presents some relevant concepts in network security and subscribers' protection.