DU SOL B.Com 3rd Year E-Commerce Notes Chapter 7 Security in E-Commerce
What are the Security risks of E-commerce?
When you allow any computer to connect to any computer over the Internet, the chances of risk become high. This is what is happening. There are lots of security risks over the net. Security officers have been battling worms, viruses, denial of service attacks and hackers for years now. When you add the threat of cyber-terrorism, employees using Instant Messengers and downloading full-length feature movies onto their work PCs, the list of risks is multiplying far faster than security budgets or staffs can keep pace.
The Security Risks :
- Unauthorized access: Someone accesses or misuses a computer system to intercept transmissions and steal sensitive information
- Data alteration: The content of an e-commerce transaction – user names, credit card numbers and dollar amounts – is altered en route.
- Monitoring: A hacker eavesdrops on confidential information.
- Spoofing: A virtual vandal creates a fake site masquerading as yours to steal data from unsuspecting customers or just disrupt your business.
- Service denial: An attacker shuts down your site or denies access to visitors.
- Repudiation: A party to an online purchase denies that the transaction occurred or was authorized.
These dangers pose the threat of fraud, service disruption, lost sales, theft of confidential information and, most damaging of all, loss of customer trust.
What are the types of threats and sources of threats?
The different types of factors behind the threats are as follows –
- Email Attachments – Users opening an attachment could unleash a worm or virus onto the corporate network, and a new evolution of viruses means that they can propagate themselves even without a user double-clicking on them;
- VPN Tunnel Vulnerabilities – A hacker who worms his way into the VPN has free and easy access to the network;
- Blended Attacks – Worms and viruses are becoming more complicated and now a single one may be able to execute itself or even attack more than one platform;
- Diversionary Tactics – Hackers may strike a set of servers in a target company and then when security administrators are busy securing that, they slip in and attack another part of the network;
- Downloads from Web Sites – Workers frequently misuse their Internet access in the workplace, downloading games, movies and music and even porn. It opens the network up to attack and sucks up valuable bandwidth;
- Supply Chain and Partners Added to the Network – An administrator may grant access to the network for a partner company and then forget to close that access point when the job is over. The same applies to employees who are leaving the company;
- Renaming Documents – An employee could save business-critical information in a different file, give it a random, unrelated name and email the information to her home computer, a friend or even a corporate competitor. Monitoring software that checks emails leaving the company might fail to pick up on the outgoing message if the subject name has been changed;
- Peer-to-Peer Applications – In a peer-to-peer environment there is an implied trust between servers. That means if a user has access to one server, he automatically has access to another if the servers share trust. Here hackers or employees can gain access to one server and move freely throughout the network;
- Music and Video Browsers – These are browsers that will automatically connect the user with related web sites – all without the user’s permission. A music browser, for instance, may note that the user likes jazz so will connect the user to other jazz sites and executable applications, putting the network at risk and potentially using up huge amounts of bandwidth.
What is Risk management approach?
Companies are increasingly required to provide assurance that their systems are secure and conform to commercial security standards. Senior business managers are ultimately responsible for the security of their corporate systems and for the implications in the event of a security failure.
The security risks to IT systems can be accurately assessed and controls consistently applied, only as a result of carrying out a risk analysis and management exercise.
Meeting The Regulatory Need: The process of Risk Analysis is now regarded as mandatory in many quarters, for example by the government for all its new IT projects. Also, private industry, particularly public listed companies and those seeking a public listing, need to comply with the Turnbull Report on Corporate Governance requirements, which prescribe undertaking an analysis of business risks. “A company’s objectives, its internal organization and the environment in which it operates are continually evolving and as a result, the risks it faces are continually changing.
A sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which it is exposed.” In parallel, the British Standard for Information Security Management BS7799 and the equivalent International Standard (ISO/IEC 17799) specify that a Risk Assessment must be carried out to determine the detailed control requirements.
Similarly, the seventh principle of the Data Protection Act (1998), which came into force during 2000, requires that appropriate security controls must be implemented. Failure to comply with the Data Protection Act can result in significant fines. All commercial organizations delivering IT services to the public or to trading partners, particularly over the Internet where the risks are highest, will require that the risks to those systems be addressed in a systematic manner, which will mean undertaking a risk analysis of the new development.
Undertaking Risk Analysis: Risk Analysis has historically been pursued in some of the larger commercial organizations and government departments by Information Security professionals who use their expertise to systematically identify the risks applying to a specified IT environment and who thereby ensure that appropriate technical and non-technical controls, including business continuity options, commensurate with the risks are implemented and managed. Like many other business activities that do not generate direct revenue streams, risk analysis has been seen as being complex, requiring specialist expertise and therefore something to be outsourced or basically delayed. This is likely to be the case for most small to medium sized businesses.
The risk analysis process encompasses significant expertise requirements—
- Measure what impact on an organization a breach of security would have
- Evaluate different categories of information such as commercial and financial, personal and personal safety, legal and regulatory
- Identify the variety of threats that may affect the IT environment
- Determine how vulnerable the systems are to the identified threats
- Select, from the large number of controls that are available, the ones that counter the risks
- Ensure that the costs incurred need to be commensurate with the
The use of an automated software tool that encapsulates the above expertise can provide an effective and economic approach to performing risk analysis.
Practical Needs for Risk Analysis: The primary benefit of undertaking a risk assessment is to provide the ability to answer fundamental questions about the nature of controls and to assist in justifying why they need to be implemented. For example –
- A new business commerce application will require user authentication logon controls
- The IT systems are required to be moved to a new data center, or even be outsourced.
- A security breach has occurred within the company and management now requires remedial action to be undertaken.
Unless controls are prioritized according to actual risk, implementing controls in a knee-jerk or haphazard fashion, without regard for what security is needed in the rest of the environment, will do little to reduce the overall risk and will be a wasteful use of resources focused on one area of risk and control.
Based upon these practical needs, some of the attributes of a risk analysis process should include the ability to –
- Assess the security risks to a company in business terms.
- Justify recommended controls in relation to the value of the information that requires protection and the risks to that information.
- Prioritize the implementation of controls by the level of risk.
- Be able to be applied progressively, i.e. from rapid assessment of the main concerns through to a more detailed comprehensive risk assessment but allowing any previous work to be re-used.
- Allow the implications of major IT or environment changes to be quickly assessed.
- Provide senior management with an accurate view, albeit in high-level terms, of the risk to the information processed.
- Assist with the project planning process of undertaking risk analysis and implementing the recommended controls.
Companies seeking compliance with the British Standard for Information Security BS7799 will need to show they have undertaken a risk assessment. The output of the risk assessment will also need to serve to support the BS7799 requirements. While Business Continuity is often considered a separate area of concern to IT Security, the process of analyzing business continuity requirements encompasses some of the disciplines involved when performing a risk analysis.
For example, the risks of business disruption and the specific need for business continuity will depend upon the business impact of escalating unavailability time scales and the threats and vulnerabilities that could result in the unavailability or destruction occurring in the first place. Since valuation of information, threats and vulnerabilities will be evaluated as part of the risk analysis process, it is efficient to collect the business continuity requirements at the same time. The risk analysis process will also be an invaluable aid in identifying all the information and physical assets that may need to be recovered as part of the continuity plan.
Manual Risk vs Software tool Approach: Using a manual risk analysis approach would require significant resources to meet the above needs and so may not be practical. However, a manual based approach to conducting a risk assessment may be more appropriate for the smallest of companies with a basic IT setup, perhaps located in a single location, and where the work is not likely to involve a high degree of data integrity, availability or confidentiality.
In a larger corporate environment subject to the external regulatory requirements described earlier and where new IT services are frequently being developed, perhaps over multiple sites and to many users, an interactive software tool should be capable of meeting all of the practical risk analysis needs described above. In particular, a tool will facilitate better management of the risk process and allow re-assessment of the risks in different IT environment scenarios with minimal re-working. One risk analysis and management software tool meeting the above needs, CRAMM, has extensive BS7799 support linked in, and is the preferred tool for many government bodies and commercial organizations.
The product includes a toolkit that facilitates controlled deployment within an enterprise to allow risk analysis to be carried out locally whilst maintaining consistency with a centrally defined approach.
Fortunately, the most important thing you can do to secure your e-commerce site is also the simplest: just install an electronic file called a digital certificate on your web server. Digital certificates are a kind of online passport issued by a trusted third party, a certificate authority, which verifies the identity of the certificate’s holder. Digital certificates authenticate that their holders – people, web sites and even network resources – are truly who and what they claim to be and protect data exchanged online from intrusion. They are tamper-proof and cannot be forged.
Write a short note on E-commerce security and Rational security policy for e-commerce.
The basic requirements for E-Commerce security include information confidentiality, authentication, authorization, data integrity, non-repudiation and availability. Given the dynamic environment of E-Commerce, effectively meeting these requirements is not straightforward. The challenge is to come up with the most technically and economically feasible plan for protecting E-Commerce activities, knowing that today’s most secure technology will be vulnerable tomorrow. As is the case for most systems problems, the best approach is a structured one, including analyzing risk and delegating resources to protect the most valued assets of the organization.
Typically, policies are put into place to manage risk. Another framework for developing e-commerce policies uses a matrix of organizational relationships and technology. The problem with current approaches is that they do not address the problem of keeping up with the increasing rate of change in E-Commerce technology and applications, nor do they consider how to keep such policies consistent and aligned with organizational objectives. To develop a tool that would aid in the formulation and management of E-Commerce information security policies, other tools in similarly rapidly changing business arenas were examined.
Defining Security Policy: Security policies are generally high-level, technology neutral and concern risks. Security policies set directions and procedures and define penalties and countermeasures if the policy is transgressed. Security policies must not be confused with implementation-specific information, which would be part of the security standards, procedures and guidelines.
Security policies are created by empowered representatives from groups responsible for –
- Human resources
- Legal and regulatory matters
- Information systems
- Public relations
- Lines of business
Some of the most important security policies include –
- User identification and password policy
- Remote access policy
- Extranet policy
- Internet security policy
- Access to data policy
- Administration policy
- Incident response policy
- Awareness procedure policy
- User behavior policy
- Security monitoring and audit policy
Security policies must be balanced and provide tradeoffs between level of security, user convenience and cost.
Without an equitable balance between these elements, it is not realistic to expect that the security policies will be followed. This may mean they should be modified. Today, high cost and user inconvenience far outweigh the benefits so smart cards are used instead; however, as costs decrease and usability improves, biometric authentication may become a policy reality.
International Issue: One significant area of concern for E-Commerce is the international nature of the Internet. Jurisdictional issues, intellectual property rights, laws regarding particular technologies (for example, encryption), local custom and local decency standards and various political and terrorist agendas, to name a few, all are cause for concern.
Industry Issue: There are a number of industry-specific challenges when it comes to security. For example, an entirely online company like Nile.com may face different threats and risks than those faced by financial services or manufacturing companies. Instead of focusing on these differences, we examine application-specific issues. For example, on-line transaction security for credit card processing is critical for several different industry areas.
Policy Framework For Interpreting Risk in E-Commerce Security:
Initial Policy Assessment: An organization that does not have an existing security policy always begins at this point. This may be a new organization like a start-up, a company with no security policy in place or one that is replacing existing policy.
Existing organizational strategy and policy should be referenced to gain context and to ensure that policy is created in compliance with existing business strategies and policies.
Risk Assessment Step: Risk Assessment identifies the business assets an organization wants to protect and identifies potential threats to those assets by asking these questions –
- What am I trying to protect?
- What do I need to protect against?
- How much am I willing to spend to have adequate protection?
- What is the cost versus the benefit for the business?
Risk Assessment Methodology: Risk Assessment consists of four sub-steps: Conduct Security Assessment, Assess Business Risk, Develop Security Recommendations and Summarize Risk Assessment Results. Executed in sequence, these sub-steps result in a decision of whether to accept the proposed changes to security policy based on risk.
Through the risk assessment process it can be helpful to document results in a spreadsheet-based matrix.
Conduct Security Assessment: This sub-step identifies elements in the current or proposed environment that may be subject to threats that could compromise information assets. Specific tasks include:
Asset Identification quantifies information system assets critical to the business including all forms of data and the people and technology that support information processes. Assets are then grouped to identify correspondence between the information assets and the technologies that support these assets.
Threat Assessment identifies threats to the confidentiality, integrity and availability of the identified assets. In general terms, a threat is a bad thing that can happen. Threats can also be caused by direct or indirect actions which can originate from accidental or deliberate sources or events.
Vulnerability Assessment evaluates the target environment to identify weaknesses within the organization’s assets that could be exploited and result in a compromise of assets. In general terms, a vulnerability is the weakness that allows a threat to happen.
A variety of methods can be used to analyze the environment including review of documentation, interviews with stakeholders, site surveys or walkthroughs, automated system and/or network assessments, and surveys of targeted groups. We suggest using a combination of these approaches to achieve maximum results.
Assess Business Risk: This sub-step is an assessment of risk as it applies to business assets. Although we recommend a quantitative assessment, many organizations utilize qualitative measurements. In either case, each asset must be given a measure, which can be either intrinsic or related to the cost of restoration if the asset were to be lost or compromised.
The value of intangible assets such as reputation and trust that do not have any intrinsic or business value must be evaluated. One way to perform this evaluation is to list all assets evaluated so far, ranked in terms of value. Based on this list, the assets with intangible and subjective value will be inserted, according to best judgment, between two assets already evaluated.
The business impact of loss or damage to business assets should be evaluated and could include –
- Loss of reputation and client confidence
- Legal penalties against the company
- Cost of security failure recovery
- Cost of the unavailability of the system
This sub-step involves two tasks: Impact Analysis and Risk Valuation.
Analyze Impact identifies the effect on the business if the asset is harmed using two factors: potential damage and likelihood of occurrence. Damage is rated High, Medium, or Low Potential. For example, if loss of life is a possibility – as it would be in an earthquake – the potential damage should be classified as High. Likelihood of occurrence is also rated High, Medium or Low.
Risk Valuation determines a risk factor for each asset being analyzed. Risk, the potential damage or loss of an asset, is a combination of the value the owner places on the asset, the business impact the loss of the asset would have and the likelihood that the weakness will be exploited to damage the asset.
This risk factor can be assigned by a skilled security professional or calculated using the following formula.
Risk = Potential Damage x Likelihood of Occurrence
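The valuation and prioritization steps above can be worked through in code. The following Python sketch is an added example, not part of the original notes: it applies Risk = Potential Damage x Likelihood of Occurrence to a small register and orders the findings by risk. The numeric scale (High = 3, Medium = 2, Low = 1), the tie-break rule and the register entries are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

# Assumption: the notes only give High/Medium/Low ratings; this numeric
# scale is added here so the formula can be evaluated.
SCALE = {"Low": 1, "Medium": 2, "High": 3}


class Finding(NamedTuple):
    asset: str        # what is being protected
    threat: str       # what it is protected against
    damage: str       # potential damage: High, Medium or Low
    likelihood: str   # likelihood of occurrence: High, Medium or Low


def _score(rating: str) -> int:
    """Convert a rating to its numeric value, rejecting unknown ratings."""
    key = rating.strip().capitalize()
    if key not in SCALE:
        raise ValueError(f"rating must be High, Medium or Low, got {rating!r}")
    return SCALE[key]


def risk_factor(damage: str, likelihood: str) -> int:
    """Risk = Potential Damage x Likelihood of Occurrence."""
    return _score(damage) * _score(likelihood)


def prioritize(findings):
    """Order findings by risk, highest first.

    Ties are broken by potential damage, then by asset name, so the
    ordering is repeatable between assessments (an added convention).
    """
    return sorted(
        findings,
        key=lambda f: (-risk_factor(f.damage, f.likelihood),
                       -_score(f.damage), f.asset),
    )


def risk_matrix(findings):
    """Group assets into (damage, likelihood) cells, as in a spreadsheet matrix."""
    cells = defaultdict(list)
    for f in findings:
        risk_factor(f.damage, f.likelihood)  # validates both ratings
        cell = (f.damage.strip().capitalize(), f.likelihood.strip().capitalize())
        cells[cell].append(f.asset)
    return dict(cells)


# Constructed sample register; threat names follow the risk list in these notes.
REGISTER = [
    Finding("Marketing brochure files", "Monitoring", "Low", "Low"),
    Finding("Partner VPN account", "Unauthorized access", "High", "Low"),
    Finding("Storefront web server", "Service denial", "Medium", "High"),
    Finding("Customer card data", "Data alteration", "High", "Medium"),
    Finding("Staff workstations", "Email attachment worm", "Medium", "Medium"),
]

if __name__ == "__main__":
    for f in prioritize(REGISTER):
        print(f"{risk_factor(f.damage, f.likelihood):>2}  {f.asset:<26} {f.threat}")
```

Two findings can share a risk factor (here both score 6), which is why a tie-break rule is needed before the list can drive the order in which controls are implemented.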
Develop Security Recommendations: The tasks involved with completing this sub-step are –
- Identify Security Options
- Determine Payroll and Non-payroll Cost
- Determine Priority of Options
- Verify Results
Develop Cost/Benefit Matrix: Identify Security Options determines recommendations to mitigate each identified risk. This task produces the best conclusions when skilled security professionals work together to challenge each other’s recommendations.
Summarize Assessment Final Results: Here results of both the Policy and Risk Assessments are documented so management can decide whether to accept the proposed change. If accepted, the life cycle for this particular proposed change continues in the Plan phase.
If rejected, but other policy changes are determined to be needed, the Plan phase follows as well. Otherwise, the life cycle resumes in the Operate phase.
The Implications:
Human Performance Implications: Policy updates or alterations will inevitably change something about the way someone is working, and such changes, no matter how small, require attention. The impact of the change must be assessed to make sure it can be successfully implemented. An understanding of the current environment is therefore vital.
While some of the security team assesses the risk involved with the proposed change, others should examine the existing organization structure, performance, and culture to determine the unique requirements of the proposed change. These questions should be asked to assess an organization’s ability to successfully support a new security policy –
- Who is impacted?
- Does the organization structure reflect the importance of security?
- Is the culture conscious of the importance of security?
- Who are the key sponsors and advocates?
- How does the culture suggest components of a new policy and/or highlight key implementation issues?
- What aspects of the culture suggest potential security risks that the new policy and implementation plan should address?
- What do you expect to happen when policy is implemented – what is the end result?
If these are not addressed, the inability or unwillingness of the organization to change represents another potential threat to security.
E-commerce Implications: The process of moving business-to-consumer functions to an e-Commerce model typically involves replacing the human intermediary with software. Historically, the human intermediary served several roles including information asset protection. Today the question the organization must ask is whether software can be skeptical enough to protect valuable information assets.
But the transition to online auctions means not only business-to-consumer risks but consumer-to-consumer risks as well. Therefore the company must ask whether software can be skeptical enough to protect the information asset of personal identification.
Policy Development Methodology: Policy Development contains two sub-steps: Create/update Security Strategy and Create/Update Security Policy.
Policy Development Create/Update Security Strategy: Security strategy is an overview of future business direction along with the security controls needed to support these business functions. A security strategy should be held consisting of the following tasks –
- Identify future business initiatives
- Identify risks to each initiative
- Identify security options
- Prioritize security initiatives
- Document security strategy
Executive input is also vital to guarantee that security strategy is aligned with the rest of the organization’s business strategies. It will also ensure that security is considered when new business capabilities and acquisitions are planned, new alliances made and new markets entered. All strategies must work together.
Create/Update Security Policy: Specific tasks of this sub-step include –
- Identify Areas for Security Policy
- Draft Security Policy
- Review Security Policy
- Publish Security Policy
Draft Security Policy creates the initial version of the security policy or security policy update. The security team should provide guidance to this person on the context and the content of the policy.
The policy draft should include, at a minimum, the following sections or attributes –
- Title – Provided by the security organization following a standard format.
- Version – number of the document so it can be version controlled.
- Scope and Audience – The intended audience and the environments to which it applies.
- Overview – A brief explanation of relevant security issues including specific threats and vulnerabilities to consider.
- Roles and Responsibilities – Define who is responsible for what actions.
- Content – Identify and explain all relevant information.
- Reporting – Information for reporting all security violations and security incidents.
- Related Document
- Author and History – A record of the original author, authors of revisions and a synopsis of each revision change.
Review Security Policy ensures quality, usability and acceptance of the policy. A small review team with user, management and executive representation should review it. Their comments should be directed back to the author who will then make any updates deemed necessary. Then the final draft is forwarded to the security organization.
Finally, the Publish Security Policy task authorizes and communicates the policy. First, the security organization forwards the final draft to the executive responsible for approving the policy. Once approved, the policy is then communicated to the entire organization.
Write a short note on Corporate Digital Library.
Today the term digital library is widely used as the generic term for diverse information structures that provide organisations and workers access to the vast amount of internal information encoded in multimedia formats. It creates a unified repository of consistent business data for information processing. Companies can perform more substantive, accurate, and consistent analysis using the digital library as a foundation for decision support systems. The digital library is focused on the storage and retrieval of reusable data within corporate environments.
This gives significant returns in the form of cost saving, productivity gains and quality improvements. Digital library technologies are used in manufacturing industries including aerospace, defense, biotech, automotive, consumer electronics and healthcare. A digital library is also visualized as a coordinated cluster of object oriented user-level or application-level services, some of which may be owned or controlled by one or more agencies. Corporate digital libraries differ from public digital libraries in the nature of their collections.
During the lifecycle of a given product or program, corporations maintain their key technology assets in electronic form. These assets can be reports, structured memos, drawings, manuals, specifications etc. stored in formats such as page description languages, markup languages, word processor files, spreadsheets and CAD/CAM files. Corporate collections also include highly unusual objects such as telemetry recordings, 3-D models, simulations and x-ray inspection images.
These electronic forms are stored in digital libraries using data conversion utilities. Corporate digital library also refers to a variety of on-line services and tools available from internal support groups such as thermal analysis, simulation and modeling etc. They are capable of giving interfaces for on-line databases.
Write a short note on I.T. Act 2000.
An Act to provide legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “Electronic Commerce”, which involve the use of alternatives to paper based methods of communication and storage of information, to facilitate electronic filings of documents with the Government agencies and further to amend the Indian Penal Code, Indian Evidence Act, 1872, the Bankers’ Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto.
Whereas the General Assembly of the United Nations by resolution A/RES/51/162, dated the 30th January, 1997 has adopted the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law; and whereas the said resolution recommends inter alia that all States give favorable consideration to the said Model Law when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information; and whereas it is considered necessary to give effect to the said resolution and to promote efficient delivery of Government services by means of reliable electronic records.