Dimensions of e-business security
- Integrity refers to the ability to ensure that information being displayed on a web site, or transmitted or received over the internet, has not been altered in any way by an unauthorized party
- Non-repudiation refers to the ability to ensure that e-business participants do not deny (i.e., repudiate) their online actions
- Authenticity refers to the ability to identify the identity of a person or entity with whom you are dealing on the internet
- Confidentiality refers to the ability to ensure that messages and data are available only to those who are authorized to view them
- Privacy refers to the ability to control the use of information about oneself
- Availability refers to the ability to ensure that an e-business site continues to function as intended
The tension between security and other values
(a) Ease of use
- The more security measures are added to an e-business site, the more difficult it is to use and the slower the site becomes, hampering ease of use; security is purchased at the price of slowing down processors and adding significantly to data storage demands
- Too much security can harm profitability, while not enough can potentially put a business out of business
(b) Public safety and the criminal use of security
- There is tension between the claims of individuals to act anonymously and the needs of public officials to maintain public safety, which can be threatened by criminals or terrorists
Security threats in the e-business environment
- Three key points of vulnerability: the client; the server; the communications pipeline
Seven security threats to e-business sites
(1) Malicious code
- Includes a variety of threats such as viruses, Trojan horses, and bad applets
- A virus is a computer program that has the ability to replicate or make copies of itself and spread to other files
- A Trojan horse appears to be benign, but then does something other than expected
(2) Hacking and cyber vandalism
- A hacker is an individual who intends to gain unauthorized access to a computer system
- Cracker is the term typically used within the hacking community to denote a hacker with criminal intent
- Cyber vandalism is intentionally disrupting, defacing, or even destroying a site
- White hats are “good” hackers that help organizations locate and fix security flaws
- Black hats are hackers who act with the intention of causing harm
- Grey hats are hackers who believe they are pursuing some greater good by breaking in and revealing system flaws
(3) Credit card fraud
- Different from traditional business
- Hackers target files on the merchant server
(4) Spoofing
- Misrepresenting oneself by using fake email addresses or masquerading as someone else
(5) Denial of service attacks
- Flooding a web site with useless traffic to inundate and overwhelm the network
- A distributed denial of service attack uses numerous computers to attack the target network from numerous launch points
(6) Sniffing
- A type of eavesdropping program that monitors information traveling over a network
(7) Insider jobs
- Employees with access to sensitive information
- Sloppy internal security procedures
- Able to roam throughout an organization’s system without leaving a trace
Encryption
(a) The process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver
(b) The purpose of encryption is to secure stored information and to secure information transmission
(c) Cipher text is text that has been encrypted and thus cannot be read by anyone besides the sender and the receiver
(d) A key or cipher is any method for transforming plain text into cipher text
(e) A substitution cipher is one where every occurrence of a given letter is systematically replaced by another letter
(f) A transposition cipher changes the order of the letters in each word in some systematic way
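The two classical ciphers of (e) and (f) implemented end to end, as an added Python example that is not part of the original notes; the key alphabet, keyword and function names are constructed for this illustration:

```python
import string

ALPHABET = string.ascii_uppercase


def make_substitution_table(key_alphabet: str) -> dict:
    """Map each plaintext letter to the letter at the same position in the key
    alphabet, which must be a permutation of A-Z (constructed sample key in use)."""
    if sorted(key_alphabet) != list(ALPHABET):
        raise ValueError("key alphabet must be a permutation of A-Z")
    return dict(zip(ALPHABET, key_alphabet))


def invert_table(table: dict) -> dict:
    """Decryption table for a substitution cipher: swap keys and values."""
    return {cipher_ch: plain_ch for plain_ch, cipher_ch in table.items()}


def substitute(text: str, table: dict) -> str:
    """Substitution cipher: every occurrence of a letter is replaced by the same
    other letter, so letter frequencies survive; non-letters pass through."""
    return "".join(table.get(ch, ch) for ch in text.upper())


def transpose_encrypt(text: str, keyword: str) -> str:
    """Columnar transposition: write the text in rows under the keyword, then
    read the columns out in alphabetical order of the keyword letters."""
    width = len(keyword)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    order = sorted(range(width), key=lambda c: (keyword[c], c))
    return "".join(row[c] for c in order for row in rows if c < len(row))


def transpose_decrypt(cipher: str, keyword: str) -> str:
    """Invert the transposition: recompute each column's length from the
    message length, cut the cipher text into columns, and read back by rows."""
    width = len(keyword)
    full_rows, extra = divmod(len(cipher), width)
    order = sorted(range(width), key=lambda c: (keyword[c], c))
    columns, pos = {}, 0
    for c in order:
        length = full_rows + (1 if c < extra else 0)
        columns[c] = cipher[pos:pos + length]
        pos += length
    height = full_rows + (1 if extra else 0)
    return "".join(columns[c][r] for r in range(height)
                   for c in range(width) if r < len(columns[c]))
```

Because substitution keeps each letter's frequency and transposition keeps the letters themselves, both ciphers yield to frequency analysis, which is why neither is used on its own today.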
(g) Symmetric key encryption (secret key encryption): the sender and the receiver use the same key to encrypt and decrypt the message
- Data Encryption Standard (DES) is the most widely used symmetric key encryption, developed by the National Security Agency (NSA) and IBM
(h) Public key cryptography uses two mathematically related digital keys: a public key and a private key
- The private key is kept secret by the owner, and the public key is widely disseminated
- Both keys can be used to encrypt and decrypt a message
- However, once one key is used to encrypt a message, the same key cannot be used to decrypt the message
(i) A digital signature is a “signed” cipher text that can be sent over the internet
(j) A hash function uses an algorithm that produces a fixed-length number called a hash or message digest
(k) A digital envelope is a technique that uses symmetric encryption for large documents, but public key encryption to encrypt and send the symmetric key
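The hash function, digital signature and digital envelope of (i) to (k) worked through together, as an added Python example that is not from the original notes: it uses a textbook RSA pair built from tiny constructed primes, SHA-256 as the hash, and a SHA-256 keystream as the symmetric cipher; one key pair stands in for both sender and receiver, and every function name here is an assumption of this example.

```python
import hashlib
import os

# Toy RSA key pair with textbook-sized primes (constructed for illustration;
# real keys are 2048+ bits and use padding such as OAEP / PSS).
TOY_PUBLIC_KEY = (3233, 17)       # (n, e) with n = 61 * 53
TOY_PRIVATE_KEY = (3233, 2753)    # (n, d) with d = e^-1 mod 3120

def rsa_apply(key, value: int) -> int:
    """Textbook RSA: value ** exponent mod n, usable with either key."""
    n, exponent = key
    return pow(value, exponent, n)

def message_digest(data: bytes) -> int:
    """Hash function: fixed-length digest of the data, reduced below n so the
    toy key can sign it (a real scheme pads the full digest instead)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % TOY_PUBLIC_KEY[0]

def sign(private_key, data: bytes) -> int:
    """Digital signature: the sender encrypts the digest with its private key."""
    return rsa_apply(private_key, message_digest(data))

def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone holding the public key recovers the digest and compares it."""
    return rsa_apply(public_key, signature) == message_digest(data)

def keystream_xor(session_key: bytes, data: bytes) -> bytes:
    """Symmetric cipher: XOR data with a SHA-256 keystream (counter-mode style);
    the same call encrypts and decrypts."""
    out = bytearray()
    for index, offset in enumerate(range(0, len(data), 32)):
        block_key = hashlib.sha256(session_key + index.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block_key))
    return bytes(out)

def seal_envelope(receiver_public_key, document: bytes):
    """Digital envelope: symmetric encryption for the bulk document, public key
    encryption only for the short session key that travels with it."""
    n, _ = receiver_public_key
    session_int = int.from_bytes(os.urandom(2), "big") % n  # toy-sized; real keys are 128+ bits
    ciphertext = keystream_xor(session_int.to_bytes(2, "big"), document)
    return rsa_apply(receiver_public_key, session_int), ciphertext

def open_envelope(receiver_private_key, wrapped_key: int, ciphertext: bytes) -> bytes:
    """Receiver unwraps the session key with its private key, then decrypts."""
    session_int = rsa_apply(receiver_private_key, wrapped_key)
    return keystream_xor(session_int.to_bytes(2, "big"), ciphertext)
```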
(l) A digital certificate is a digital document issued by a certification authority that contains the name of the subject or company, the subject’s public key, a digital certificate serial number, an expiration date, the digital signature of the certification authority, and other identifying information
(m) A certification authority (CA) is a trusted third party that issues digital certificates
(n) Public key infrastructure (PKI) refers to the certification authorities and digital certificate procedures that are accepted by all parties
Securing channels of communications
- Secure Sockets Layer (SSL) is the most common form of securing channels
- A secure negotiated session is a client-server session in which the URL of the requested document, along with its contents, the contents of forms, and the cookies exchanged, are encrypted
- A session key is a unique symmetric encryption key chosen for a single secure session
Protecting networks
- Firewalls are software applications that act as a filter between a company’s private network and the internet itself
- A proxy server is a software server that handles all communications originating from or being sent to the internet, acting as a spokesperson or bodyguard for the organization
Protecting servers and clients
- Operating system controls allow for the authentication of the user and access controls to files, directories and network paths
- Anti-virus software is the easiest and least expensive way to prevent threats to system integrity
Developing an e-business security plan
(a) Perform a risk assessment
- Assessment of risks and points of vulnerability
(b) Develop a security policy
- A set of statements prioritizing the information risks, identifying acceptable risk targets, and identifying the mechanisms for achieving these targets
- Mechanisms include: access controls, which determine who can gain legitimate access to a network; authentication procedures, which include the use of digital signatures, certificates of authority, and public key infrastructure; and authorization policies, which determine differing levels of access to information assets for differing levels of users
(c) Develop an implementation plan
- The action steps you will take to achieve the security plan goals
(d) Create a security organization
- Educates and trains users, keeps management aware of security threats and breakdowns, and maintains the tools chosen to implement security
(e) Perform a security audit
- Involves the routine review of access logs, identifying how outsiders are using the site as well as how insiders are accessing the site’s assets