
Topic 6 Online Security

LEARNING OUTCOMES
By the end of this topic, you should be able to:
1. Describe the key dimensions of e-commerce security;
2. Identify the key security threats in the e-commerce environment;
3. Examine how various forms of encryption technology help protect the
security of messages sent over the Internet;
4. Discuss the tools used to establish secure Internet communications
channels; and
5. Assess the tools used to protect networks, servers and clients.

INTRODUCTION
Doing business on the web is riskier than doing business with local customers.
Stolen credit cards, disputed charges, off-shore shipping destinations, the power
of credit card companies to force merchants to pay for fraud, and the lack of
international laws governing global e-commerce problems are just some of the
security problems that e-commerce merchants must take into consideration.

For consumers, the risk in e-commerce is really no greater than in ordinary
commerce. Although there have been some spectacular losses of credit card
information involving a tiny percentage of companies, because of a variety of
laws, consumers are largely isolated from the impact of stolen credit cards and
credit card information.

In this topic, we will examine e-commerce security issues, identify the major
risks, and describe the variety of solutions currently available.
TOPIC 6 ONLINE SECURITY W 161

6.1 SECURITY FOR E-COMMERCE


Have you ever been in a situation where you wanted to buy products from the
Internet but you did not feel secure? Why?

For most law-abiding citizens, the Internet promises a global marketplace,
providing access to people and businesses worldwide. For criminals, the Internet
has created entirely new and lucrative ways to steal from more than one billion
Internet users in the world. From products and services to cash and also
information, it is all there for the taking on the Internet.

It is also less risky to steal online. The potential for anonymity on the Internet
cloaks many criminals in legitimate-looking identities, allowing them to place
fraudulent orders with online merchants, steal information by intercepting e-mail,
or simply shut down e-commerce sites by using software viruses. In the end,
however, the actions of such cyber criminals are costly for businesses and
consumers, who are then subjected to higher prices and additional security
measures.

6.1.1 The Scope of E-commerce Crime


It is difficult to estimate the actual amount of e-commerce crime for a variety of
reasons. In many instances, e-commerce crimes are not reported because
companies fear losing the trust of legitimate customers. And even when crimes
are reported, it may be hard to quantify the losses incurred.

For instance, the 2007 Computer Crime and Security Survey, based on the
responses of 500 security practitioners in U.S. corporations, government
agencies, financial institutions, medical institutions and universities,
reported that 46% of the responding organisations had experienced a computer
security incident within the last 12 months and had incurred a total loss of $67
million. Insider abuse and viruses were the most common attacks against computer
systems.

Not every cyber criminal is after money. In some cases, such criminals aim only to
deface, vandalise and/or disrupt a website, rather than actually steal goods or
services. The cost of such an attack includes not only the time and effort to make
repairs to the site but also the damage done to the site's reputation and image, as
well as the revenue lost as a result of the attack.

While the overall size of cybercrime may be unclear, cybercrime against
e-commerce sites is significant, dynamic and changing all the time. Therefore,
the managers of e-commerce sites must prepare for an ever-changing variety
of criminal assaults and keep current in the latest security solutions.

6.1.2 What is Good E-commerce Security?


What is a secure commercial transaction? Any time you go into a marketplace,
you take risks, including the loss of privacy (information about what you
purchased). The prime risk as a consumer is that you do not get what you paid
for. In fact, you might pay and get nothing! Worse, someone steals your money
while you are at the market! As a merchant in the market, your risk is that you do
not get paid for what you sell. Thieves take merchandise and then either walk off
without paying anything, or pay you with a fraudulent instrument, stolen credit
card, or forged currency.

E-commerce merchants and consumers face many of the same risks as
participants in traditional commerce, albeit in a new digital environment. Theft is
theft, regardless of whether it is digital theft or traditional theft. Burglary,
embezzlement, trespass, malicious destruction, and vandalism, all crimes in a
traditional commercial environment, are also present in e-commerce.

However, reducing risks in e-commerce is a complex process that involves new
technologies, organisational policies and procedures, and new laws and industry
standards that empower law enforcement officials to investigate and prosecute
the offenders.

Figure 6.1 shows an illustration on cyber security, which is meant to prevent
cyber crimes from occurring.

Figure 6.1: Illustration on cyber security

Source: http://www.darkgovernment.com/news/massive-cyber-attacks-uncovered/

To achieve the highest degree of security possible, new technologies are available
and should be used. But these technologies by themselves do not solve the
problem. Organisational policies and procedures are required to ensure the
technologies are not subverted. Finally, industry standards and government laws
are required to enforce payment mechanisms, as well as to investigate and
prosecute violators of laws designed to protect the transfer of property in
commercial transactions.

In conclusion, good e-commerce security requires a set of laws, procedures,
policies and technologies that protect individuals and organisations from
unexpected breaches of security in the e-commerce marketplace.

6.1.3 Dimensions of E-commerce Security


There are six key dimensions of e-commerce security as shown in Figure 6.2.

Figure 6.2: Dimensions of e-commerce security

Table 6.1 gives the definitions for each dimension of e-commerce security. It also
summarises the perspectives of customer and merchant on the different
dimensions of e-commerce security.

Table 6.1: Customer and Merchant Perspectives on the Different Dimensions of
E-commerce Security

Integrity
Definition: Integrity refers to the ability to ensure that information being
displayed on a website, or transmitted or received over the Internet, has not
been altered in any way by an unauthorised party.
Customer's perspective: Has the information that I transmitted or received been
altered?
Merchant's perspective: Has data on the site been altered without authorisation?
Is the data being received from customers valid?

Nonrepudiation
Definition: Nonrepudiation refers to the ability to ensure that e-commerce
participants do not deny or repudiate their online actions.
Customer's perspective: Can a party to an action with me later deny taking the
action?
Merchant's perspective: Can a customer deny ordering products?

Authenticity
Definition: Authenticity refers to the ability to identify the identity of a
person or entity with whom you are dealing on the Internet.
Customer's perspective: Who am I dealing with? How can I be assured that the
person or entity is who they claim to be?
Merchant's perspective: What is the real identity of the customer?

Confidentiality
Definition: Confidentiality refers to the ability to ensure that messages and
data are available only to those who are authorised to view them.
Customer's perspective: Can someone other than the intended recipient read my
messages?
Merchant's perspective: Are messages or confidential data accessible to anyone
other than those authorised to view them?

Privacy
Definition: Privacy refers to the ability to control the use of information a
customer provides about himself or herself to an e-commerce merchant.
Customer's perspective: Can I control the use of information about myself
transmitted to an e-commerce merchant?
Merchant's perspective: What use, if any, can be made of personal data collected
as part of an e-commerce transaction?

Availability
Definition: Availability refers to the ability to ensure that an e-commerce site
continues to function as intended.
Customer's perspective: Can I get access to the site?
Merchant's perspective: Is the site operational?

Source: Adapted from Laudon, K. C., & Traver, C. G. (2009). E-commerce Business,
Technology, Society (5th ed.). Boston: Addison Wesley.

Let us look at the explanations provided for each dimension of e-commerce
security.

(a) Integrity
For example, if an unauthorised person intercepts and changes the contents of
an online communication, such as by redirecting a bank wire transfer into a
different account, the integrity of the message has been compromised because
the communication no longer represents what the original sender intended.

An e-commerce customer may question a message's integrity if the contents
seem suspicious and out of character for the person who supposedly sent it.
And a system administrator must deal with the issue of integrity when
determining who should have the authorisation to change data on the
website; the more people with authority to change data, the greater the
threat of integrity violations from both inside and out.

(b) Nonrepudiation
For instance, the availability of free e-mail accounts makes it easy for a
person to post comments or to send a message and perhaps later deny
doing so. Even when a customer uses a real name and an e-mail address, it
is easy for the customer to order merchandise online and then later deny
doing so. In most cases, because merchants typically do not obtain a
physical copy of a signature, the credit card issuer will side with the customer
because the merchant has no legal, valid proof that the customer
ordered the merchandise.

(c) Authenticity
How does the customer know that the Web site operator is who he/she
claims to be? How can the merchant be assured that the customer is really
who he/she says he/she is? Someone who claims to be someone they are
not is spoofing or misrepresenting themselves.

(d) Confidentiality
Confidentiality is sometimes confused with privacy, as the two are inter-related
(look at the definition provided for privacy).

(e) Privacy
E-commerce merchants have two concerns related to privacy:
(i) They must establish internal policies that govern their own use of
customer information; and
(ii) They must protect the information from illegitimate or unauthorised
use.

For example, if hackers break into an e-commerce site and gain access to
credit card or other information, this not only violates the confidentiality of
the data, but also the privacy of the individuals who supplied the
information.

(f) Availability
Customers may wonder whether the site is accessible, while the operator
worries about whether the website is operational.

E-commerce security is designed to protect these six dimensions. When any
one of them is compromised, it is a security issue.

6.1.4 Security Threats in the E-commerce Environment
The nine most common and most damaging forms of security threats to
e-commerce sites are as shown in Figure 6.3.

Figure 6.3: Security threats in the e-commerce environment



Let us examine each form of security threat in detail in the following points.

(a) Malicious Code

What is malicious code? Let us refer below for its meaning.

Malicious code, also referred to as malware or malicious software,
includes any kind of programme or software that intends to gain access to
a computer without the permission of the computer user.

The following are a variety of threats for malicious code:

- Viruses;
- Worms;
- Trojan Horses; and
- Bots.

Does the malware named Trojan horse have a shape similar to the horse of the
famous Greek myth? The name given to the malware does not correspond
to the physical shape of the malware, but to the function
of the malware (see Figure 6.4).

Figure 6.4: An illustration on malware


Source: http://lima-tujuh.blogspot.com/

(i) Virus
A virus is a computer programme that has the ability to replicate or
make copies of itself and spread to other files. In addition to the
ability to replicate, most computer viruses deliver a payload.

What is a payload? If you do not know the meaning of the term, refer
below to find out its meaning.

The payload may be relatively light, such as the display of a message
or an image, or it may be highly destructive, such as destroying
files, reformatting the computer hard drive, or causing programmes
to run improperly.

The major categories of computer viruses include the following:

- Macro Virus
The most common type of virus is a macro virus (refer below for
its definition).

Macro viruses are application-specific, meaning that the virus affects
only the application for which it was written, such as Microsoft
Word, Excel and PowerPoint.

When a user opens an infected document in an appropriate
application, the macro virus copies itself to the templates in the
application, so that when new documents are created, they are
infected with the macro virus as well. Macro viruses can easily be
spread when sent in an e-mail attachment.
- File-Infecting Viruses
File-infecting viruses usually infect executable files, such as *.com,
*.exe, *.drv, and *.dll files. They may activate every time the
affected file is executed by copying themselves into other
executable files. File-infecting viruses are also easily spread
through e-mails and any file-transfer system.
- Script Viruses
What is a script virus? If you do not know what is meant by the
term, refer below to learn more.

Script viruses are written in script-programming languages such as
VBScript (Visual Basic Script) and JavaScript.

The viruses are activated simply by double-clicking an infected
*.vbs or *.js file. The ILOVEYOU virus (also known as the Love
Bug), which overwrites *.jpg and *.mp3 files, is the most famous
example of a script virus.

(ii) Worm
Macro, file-infecting virus, and script viruses are often combined with
a worm. Instead of just spreading from file to file, a worm is designed
to spread from computer to computer. A worm does not necessarily
need to be activated by a user or a programme in order for it to
replicate itself.

For instance, the Slammer worm infected more than 90% of
vulnerable computers worldwide within 10 minutes of its release on
the Internet.

(iii) Trojan Horse

A Trojan horse appears to be harmless, but it is a form of malware
that needs to be taken into consideration. The Trojan horse is not itself
a virus because it does not replicate, but it is often a way for viruses or
other malicious code such as bots to be introduced into a computer
system.

As explained earlier, a malware's name does not refer directly to the
shape of the malware; instead, it refers to its function. The
Trojan horse malware is named after the Greeks' huge golden horse
which contained hundreds of soldiers (refer to Figure 6.5). The
soldiers revealed themselves and captured the city once the people of
Troy let the massive horse within their gates. In today's world, a
Trojan horse may masquerade as a game, but actually hide a
programme to steal your passwords and e-mail them to another
person.

Figure 6.5: An illustration on the Trojan horse


Source: http://rollingroots.blogspot.com/

(iv) Bots
What is a bot? Do you know the meaning of it? If you do not, refer
below.

A bot is a type of malicious code that can be covertly installed on a
computer when it is attached to the Internet.

Once installed, the bot responds to external commands sent by the
attacker. We have studied the meaning of bot; now let us move on to
the term botnets, which is another important term in relation to bots.

Botnets are collections of captured computers used for malicious
activities such as spamming, stealing information and participating in
a distributed denial of service attack (DDOS attack).

Malicious code such as that described above is a threat at both the
client and the server level, although servers generally engage in much
more thorough anti-virus activities than do consumers. At the server
level, malicious code can bring down an entire website, preventing
millions of people from using the site. Such incidents are infrequent.
Much more frequent malicious code attacks occur at the client level,
but the amount of damage is limited to a single machine.

Malicious code is a threat to a system's integrity and continued
operation, often changing how a system functions or altering
documents created on the system. In some cases, the affected user is
unaware of the attack until it is underway, such as with the macros
that use e-mail address books to send out copies of the virus to
everyone in the user's address book. Not only does this slow down
the computer, but it can create hundreds or thousands of bogus
messages that appear to be coming from the user, thereby spreading
the virus further each time it is opened and activated.

(b) Unwanted Programme

We have learned extensively about malicious code; now, let us shift our
attention to unwanted programmes.

Unwanted programmes are applications that install themselves on a
computer without the user's consent. Once they are installed, they are
usually difficult to remove from the computer.

Examples of these kinds of programmes are the following:

(i) Adware
Adware is used to call up pop-up ads to display when a user visits
certain sites. Examples of adware are ZongoSearch and PurityScan.

(ii) Browser Parasite

A browser parasite monitors and changes the settings of a user's
browser, such as changing the homepage and sending information to
remote sites. An example of a browser parasite is WebSearch.

(iii) Spyware
Spyware is used to obtain information about users, such as their
keystrokes, copies of e-mail and instant messages, and screenshots.
An example is SpySherif, which disguises itself as a spyware removal
programme but is actually malicious spyware.

(c) Identity Theft and Phishing

Let us look below at the definition and examples given for identity theft.

Identity theft is a crime in which a criminal obtains key pieces of personal
information, such as identity card numbers or driver's license numbers, in
order to pose as someone else. The information can be used to obtain credit,
merchandise, and services using the victim's name.

Identity theft can also provide a thief with false credentials for immigration
or other applications. One of the biggest problems with identity theft is that
very often the crimes committed by the identity theft expert are often
attributed to the victim.

Source: http://www.identitytheftcreditfraud.com/

Now, let us shift our attention to the definition provided below for
phishing.

Phishing is a deceptive online attempt by a third party to obtain
information from an individual or organisation for financial gain. Phishing relies
on a straightforward misrepresentation and fraud approach.

The most popular phishing attempt is the spear phishing email scam as
described below.

Spear phishing describes any highly targeted phishing attack. Spear
phishers operate by sending e-mail to certain
individuals, groups or organisations. The message might look genuine and
could include requests for user names or passwords. However, bear in
mind that the e-mail sender information has been faked or "spoofed".

If you respond with a user name or password, or if you click links or open
attachments in a spear phishing e-mail, pop-up window, or website, you
might become a victim of identity theft and you might put your employer
or group at risk.

Source:
http://www.microsoft.com/hk/protect/yourself/phishing/spear.mspx

For instance, someone from a rich country sends you an e-mail asking for
your bank account number. The stated purpose is to stash millions
of dollars for a short period of time, and in return you will receive a certain
amount of money.

(d) Hacking and Cyber Vandalism

The terms hacker and cracker are used interchangeably by the public. Let us
look at the definitions of both terms.

A hacker is an individual who intends to gain unauthorised access to
a computer system.

A cracker is typically used to denote a hacker with criminal intent.

Hackers and crackers gain unauthorised access by finding weaknesses in
the security procedures of websites and computer systems, often taking
advantage of various features of the Internet that make it an easy-to-use,
open system. Hackers and crackers are computer enthusiasts who are
excited by the challenge of breaking into corporate and government
websites.

Sometimes, they are satisfied merely by breaking into the files of an
e-commerce site. Others have more malicious intentions and commit cyber
vandalism, an act of intentionally disrupting, defacing or even destroying
the site.

Let us look at another three terms which are inter-related to the term
hacker.

A malicious insider is a hacker who is an employee of an organisation. They
obtain access to the computer systems or networks of the organisation and
conduct harmful activities that are purposely done to bring a bad impact to
the organisation.

A cyber criminal deals with any criminal act related to the Internet, computers
and networks.

A cyber terrorist conducts unlawful attacks and threats of attack against
computers, networks, and the information stored in them. Cyber terrorists aim
to intimidate or forcefully persuade a government or its people for political
or social purposes.
- Dorothy Denning

Source: http://www.crime-research.org/library/Cyber-terrorism.htm

The hacker phenomenon has diversified over time. Hackers' activities have
also broadened beyond mere system intrusion to include theft of goods and
information, as well as vandalism and system damage. Groups of hackers
called tiger teams (to be explained later) are used by corporate security
departments to test their own security measures. By hiring hackers to break
into the system from the outside, the company can identify weaknesses in
the computer system's armour.

Hackers can be categorised into three categories as shown in Table 6.2.

Table 6.2: Categories of Hackers

White hats: White hat hackers are known as good hackers because of their
role in helping organisations to locate and fix security flaws. White
hats do their work under contract, with agreement from clients that
they will not be prosecuted for their efforts to break in.

Black hats: In contrast, black hats are bad hackers who engage in the
same kinds of activities but without any pay or contract from the
targeted organisation. They have the intention of causing harm to
the organisation. They will break into websites and reveal the
confidential or proprietary information they find. These hackers
believe strongly that information should be free, so sharing
previously secret information is part of their mission.

Grey hats: Grey hat hackers are those who believe they are pursuing some
greater good by breaking in and revealing system flaws. Grey
hats discover weaknesses in a system's security and then publish
the weakness without disrupting the site or attempting to profit
from their finds. Their only reward is the prestige of discovering the
weakness. However, grey hats' actions are suspicious and sometimes harmful,
especially when the hackers reveal security flaws that make it
easier for other criminals to gain access to a system.

(e) Credit Card Fraud

One of the most feared occurrences on the Internet is theft of credit card
data. Users avoid making any online purchases due to the fear of
losing their credit card information through theft. Interestingly,
this fear appears to be largely unfounded. Incidences of stolen credit card
information are much lower than users think.

For instance, a study by ActivMedia research reports that 58% of consumers
reported a fear of online credit card theft, while an actual occurrence was
reported by only 1.6% to 1.8% (CyberSource, 2008). It is unclear at this time
whether the realistic threat of credit card fraud to consumers is greater in
e-commerce than in traditional commerce, as shown below:

(i) Traditional Commerce

In traditional commerce, there is substantial credit card fraud, but the
consumer is largely insured against the losses by federal law. Credit
card fraud amounts to approximately $1 billion to $1.5 billion a year.
The most common causes of credit card fraud are as follows:
- Lost or stolen cards that are used by someone else;
- Employee theft of customers' numbers; and
- Stolen identities, such as criminals applying for credit cards using
false identities.

The costs of credit card fraud are recouped by banks by charging
higher interest rates on unpaid balances, and by merchants who raise
prices to cover the losses.

(ii) E-commerce
Fraud in e-commerce is slightly different from traditional credit
card fraud. In e-commerce, the greatest threat to consumers is that the
merchant's server with which the consumer is transacting will lose the
credit information or permit it to be diverted for a criminal's use.

Credit card files are a major target of website hackers. Moreover,
e-commerce sites are wonderful sources of customers' personal
information such as name, address, and phone number. Armed
with this information, criminals can assume a new identity and
establish new credit for their own purposes.

International orders have been particularly prone to repudiation. If an
international customer places an order and then later disputes it, online
merchants often have no way to verify that the package was actually
delivered and that the credit card holder is the person who placed the
order.

(f) Spoofing and Spam Websites

What is spoofing? Refer below to know more about this term.

Spoofing refers to the act of hackers who attempt to hide their true
identities by misrepresenting themselves through fake e-mail addresses or
masquerading as someone else.

Spoofing also involves the act of redirecting a web link to an address
different from the intended one, with the site masquerading as the intended
destination.

Links that are designed to lead to one site can be reset to send users to a
totally unrelated site, one that benefits the hacker. Although spoofing does
not directly damage files or network servers, it threatens the integrity of a
site.

For example, if hackers redirect customers to a fake website that looks
almost exactly like the true site, they can collect and process the orders,
effectively stealing business from the true site. Or, if the intent is to disrupt
rather than steal, hackers can alter orders, inflating them or changing the
products ordered, and then send them on to the true site for processing and
delivery.

Customers become dissatisfied with the improper order shipment and the
company may have huge inventory fluctuations that impact its operations.
In addition to threatening integrity, spoofing also threatens authenticity by
making it difficult to discern the true sender of a message. Clever hackers
can make it almost impossible to distinguish between a true and fake
identity or web address.

We have learned about spoofing; now let us shift our attention to spam
websites, as defined below.

A spam website (also known as a junk website) appears in search results,
cloaks its identity by using a domain name similar to a legitimate firm's name,
and redirects traffic to known spammer redirection domains.

For example, you enter the name of an established firm as keywords in order to
learn more about the firm. The search engine provides a list of websites matching
the keywords you entered. Once you click on a website whose domain name is
similar to that of the firm you searched for, the website quickly redirects you
to other spammer-related websites.
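The similar-domain trick described above can be screened for before a user clicks. The following Python detector is an added example and not part of the original text; the firm domain examplebank.com, the candidate hostnames, the homoglyph table and the edit-distance threshold of 2 are constructed assumptions.

```python
"""Screen search-result hostnames for lookalikes of a legitimate firm's domain.

Added example, not from the original text. The firm domain, the candidate
hostnames and the thresholds are constructed assumptions for illustration.
"""
from __future__ import annotations

# Constructed data: a hypothetical firm and hostnames from a hypothetical
# search-results page that a user might click on.
LEGITIMATE_DOMAINS = ["examplebank.com"]
SEARCH_RESULTS = [
    "www.examplebank.com",           # the real site
    "examp1ebank.com",               # digit 1 standing in for the letter l
    "examplebank-secure-login.net",  # brand name plus reassuring extra words
    "exampelbank.com",               # transposed letters
    "unrelatedshop.org",             # nothing to do with the firm
]

# Characters commonly swapped for look-alike letters, folded back before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})
MAX_EDIT_DISTANCE = 2  # assumption: up to two typos still counts as imitation


def registrable_label(hostname: str) -> str:
    """Return the label just left of the suffix: 'www.examplebank.com' -> 'examplebank'.

    Simplification for this example: the last label is treated as the whole public
    suffix, so multi-part suffixes such as 'co.uk' would need the Public Suffix List.
    """
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(hostname: str, legitimate: list[str]) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    label = registrable_label(hostname)
    host = hostname.lower().strip(".")
    for legit in legitimate:
        legit_label = registrable_label(legit)
        # Exactly the firm's registrable domain (possibly with a www. prefix).
        if label == legit_label and (host == legit or host.endswith("." + legit)):
            return "legitimate"
        folded = label.translate(HOMOGLYPHS)
        # Same name under another suffix, homoglyph swaps, or a couple of typos.
        if folded == legit_label or edit_distance(folded, legit_label) <= MAX_EDIT_DISTANCE:
            return "lookalike"
        # Brand name embedded in a longer label ("examplebank-secure-login").
        if legit_label in folded.replace("-", ""):
            return "lookalike"
    return "unrelated"


def screen_results(results: list[str], legitimate: list[str]) -> dict[str, list[str]]:
    """Group candidate hostnames by verdict so the lookalikes can be reviewed."""
    grouped: dict[str, list[str]] = {"legitimate": [], "lookalike": [], "unrelated": []}
    for hostname in results:
        grouped[classify(hostname, legitimate)].append(hostname)
    return grouped


if __name__ == "__main__":
    for verdict, hosts in screen_results(SEARCH_RESULTS, LEGITIMATE_DOMAINS).items():
        print(f"{verdict:10s} {hosts}")
```

The same check can be run over outbound web-proxy logs or a blocklist feed; a hit means the hostname deserves review, not that it is automatically malicious.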

(g) Denial of Service (DOS) and Distributed Denial of Service (DDOS) Attacks
Let us look at the definitions of both terms in order to be able to
differentiate them clearly.

In a Denial of Service (DOS) attack, hackers flood a website with useless
traffic to overwhelm the network.

A Distributed Denial of Service (DDOS) attack uses numerous computers to
attack the target network from numerous launch points.

DOS attacks may cause a network to shut down, making it impossible for
users to access the site. For busy e-commerce sites such as e-Bay.com and
Buy.com, these attacks are costly because while the site is shut down, the site's
reputation is damaged profoundly.

Although such attacks do not destroy information or access restricted areas
of the server, they are nuisances that interfere with a company's operations,
as shown in the example.

In February 2000, a series of hacker attacks caused many websites to shut
down for several hours. E-Bay was down for five hours, Amazon for just
below four hours, CNN for more than three hours, and E-Trade for below
three hours. Yahoo, Buy.com, and ZDNet were also affected for three to
four hours.

Now, let us focus on smurf. Smurf, which is a type of DOS attack, brings a
network down by sending out a request to many broadcast addresses, each of
which can communicate with up to 255 host computers, asking them to verify
that the address is working. The hacker spoofs the reply address of the
verification request, listing a particular company's server as the
supposed reply address, so when the 255 hosts on each broadcast address
reply, the victim company's server is quickly overwhelmed with thousands of
PING responses (refer below) that tie it up.

Ping is a basic Internet programme that allows a user to verify that a
particular IP address exists and can accept requests.

DOS and DDOS attacks are threats to a system's operation because they can
shut it down indefinitely. Major websites such as Yahoo! and even
Microsoft have recently experienced such attacks, making the companies
aware of their vulnerability and the need to introduce new measures to
prevent any future attacks.
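Both halves of the smurf pattern described above leave a recognisable trace in ICMP flow records: echo requests aimed at a broadcast address (which an amplifier network should refuse at its edge) and a single host receiving echo replies it never asked for from many sources at once. The following Python detector is an added example and not part of the original text; the addresses, the 50-host amplifier network, the one-second window and the 20-source threshold are constructed, and it assumes /24 networks so that, as on this page, a broadcast address ends in .255.

```python
"""Detect the two sides of a smurf attack in constructed ICMP flow records.

Added example, not from the original text: it flags (1) echo requests aimed at
a directed broadcast address and (2) a host receiving unsolicited echo replies
from many distinct sources inside a short window, the symptom at the spoofed
victim. Records are assumed to come from a vantage point seeing both directions.
"""
from __future__ import annotations

from collections import defaultdict
from typing import NamedTuple


class IcmpRecord(NamedTuple):
    ts: float        # seconds since an arbitrary epoch
    src: str
    dst: str
    icmp_type: int   # 8 = echo request (ping), 0 = echo reply


def parse_line(line: str) -> IcmpRecord:
    """Parse one whitespace-separated record: '<ts> <src> <dst> <icmp_type>'."""
    ts, src, dst, icmp_type = line.split()
    return IcmpRecord(float(ts), src, dst, int(icmp_type))


def build_sample_log() -> list[str]:
    """Constructed records using documentation addresses, not a real capture.

    203.0.113.10 is the victim whose address the attacker spoofed; 198.51.100.0/24
    is the amplifier network whose hosts all answer the broadcast ping.
    """
    lines = [
        "999.50 192.0.2.5 192.0.2.9 8",           # ordinary ping ...
        "999.51 192.0.2.9 192.0.2.5 0",           # ... and its solicited reply
        "1000.00 203.0.113.10 198.51.100.255 8",  # spoofed request to broadcast
        "1001.20 192.0.2.77 192.0.2.5 0",         # lone stray reply, below threshold
    ]
    for i in range(1, 51):  # 50 amplifier hosts each reply to the victim
        lines.append(f"{1000.01 + i * 0.005:.3f} 198.51.100.{i} 203.0.113.10 0")
    return lines


def is_directed_broadcast(ip: str) -> bool:
    """Assumption for this example: /24 networks, so broadcast addresses end in .255."""
    return ip.endswith(".255")


def broadcast_ping_sources(records: list[IcmpRecord]) -> list[str]:
    """Source addresses of echo requests sent to a broadcast address.

    An amplifier network should drop these at its edge. Because the source is
    spoofed, the address listed here is the intended victim, not the attacker.
    """
    return sorted({r.src for r in records
                   if r.icmp_type == 8 and is_directed_broadcast(r.dst)})


def reply_flood_victims(records: list[IcmpRecord], window: float = 1.0,
                        min_sources: int = 20) -> dict[str, int]:
    """Map each destination to the largest number of distinct sources that sent it
    unsolicited echo replies inside one `window`-second bucket, keeping only those
    at or above `min_sources`. A reply is unsolicited when the destination never
    sent an echo request to that source, which is exactly what spoofing produces.
    """
    requested = {(r.src, r.dst) for r in records if r.icmp_type == 8}
    per_bucket: dict[tuple[str, int], set[str]] = defaultdict(set)
    for r in records:
        if r.icmp_type == 0 and (r.dst, r.src) not in requested:
            per_bucket[(r.dst, int(r.ts // window))].add(r.src)
    worst: dict[str, int] = {}
    for (dst, _bucket), sources in per_bucket.items():
        worst[dst] = max(worst.get(dst, 0), len(sources))
    return {dst: n for dst, n in worst.items() if n >= min_sources}


def analyse(lines: list[str]) -> dict:
    """Run both detectors over raw record lines."""
    records = [parse_line(line) for line in lines]
    return {"broadcast_ping_sources": broadcast_ping_sources(records),
            "reply_flood_victims": reply_flood_victims(records)}


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```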

(h) Sniffing
What is a sniffer? Refer below to know more about it.

A sniffer is a type of eavesdropping programme that monitors information
travelling over a network.

When used legitimately, sniffers can help to identify potential network
trouble spots, but when used for criminal purposes, they can be damaging
and very difficult to detect. Sniffers enable hackers to steal proprietary
information from anywhere on a network, including e-mail messages,
company files, and confidential reports.

Email wiretaps (refer below) are a new variation on the sniffing threat.

An email wiretap is a hidden code in an e-mail message that allows
someone to monitor all succeeding messages forwarded with the original
message.

For example, suppose an employee reports a manufacturing flaw that
she has discovered to her supervisor, who then circulates the message
within the organisation. Someone using an e-mail wiretap will be privy to all of
the subsequent e-mails that are shared in response to the e-mail sent by the
supervisor.

When sensitive internal communication occurs, this type of eavesdropping
can be damaging and dangerous. The threat of sniffing is that confidential
or personal information will be made public. For both companies and
individuals, such an occurrence can be potentially harmful.

(i) Insider Jobs

We tend to think of security threats to a business as originating outside the
organisation. In fact, the largest financial threat to business institutions
comes not from robberies, but from insiders themselves.

The same is true for e-commerce sites: Some of the largest disruptions to
service, destruction to sites, and diversion of customer credit data and
personal information have come from insiders who are once trusted
employees. Employees have access to privileged information, and in the
presence of sloppy internal security procedures, they are often able to roam
throughout an organisations system without leaving a trace.

To get more information on e-commerce or Internet security, you can visit
the following websites:

x Center for Internet Security:
http://www.cisecurity.org/
x E-Commerce Security - Attacks and preventive strategies:
http://www.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/0504_mckegney.html

SELF-CHECK 6.1

List all the common and damaging forms of security threats to e-commerce
sites.

ACTIVITY 6.1

You are planning to develop an e-commerce site for your business


organisation. Would you build your own or outsource to other
vendors? State your reasons.

EXERCISE 6.1

1. List six key dimensions of e-commerce security.


2. One of the most common forms of security threat to e-commerce
sites is malicious code. Explain what malicious code is.

6.2 TECHNOLOGY SOLUTIONS


The first line of defence against the wide variety of security threats to an
e-commerce site is a set of tools that can make it difficult for outsiders to invade
or destroy a site.

In the coming sections, we will look into the following aspects:


(a) Encryption;
(b) Securing channels of communication; and
(c) Protecting the network, servers and clients.

6.2.1 Encryption
What is encryption? Read below for the definition of the term.

Encryption is the process of transforming plain text or data into cipher text
that cannot be read by anyone other than the sender and the intended receiver.

The purpose of encryption is:

x To secure stored information; and
x To secure information transmission.

This transformation of plain text to cipher text is accomplished by applying
a cipher (an algorithm) together with a key, as illustrated in Figure 6.6.

Figure 6.6: Encryption


Source: http://securitycerts.org/review/symmetric-key-cryptography.htm

Encryption has been practiced since the earliest forms of writing and commercial
transaction. Ancient Egyptian and Phoenician commercial records were
encrypted using the following ciphers:

(a) Substitution Cipher

In a substitution cipher, every occurrence of a given letter is replaced
systematically by another letter.

For instance, if we used the cipher "letter plus two", meaning replace every
letter in a word with the letter two places further on in the alphabet, then
the word HELLO in plain text would be transformed into the following cipher
text: JGNNQ.

(b) Transposition Cipher


In a transposition cipher, the ordering of the letters in each word is changed
in some systematic way. Leonardo da Vinci recorded his shop notes in
reverse order, making them readable only with a mirror. The word Hello
can be written backwards as OLLEH.

A more complicated cipher would be to break all words into two words
and spell the first word with every other letter beginning with the first
letter, and then spell the second word with all the remaining letters. In this
cipher, HELLO would be written as HLO EL.
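The three ciphers just described, written out in Python as an added example (this code is not part of the original module). The shift value, the letter-splitting rule and the brute_force_substitution helper are the editor's choices for illustration; the helper shows in code why a simple substitution is "easy to break": with only 25 possible shifts, every candidate can be listed and the readable one picked out.

```python
# Added example (not from the original module): the substitution and
# transposition ciphers of section 6.2.1, each with its inverse, plus an
# exhaustive attack on the substitution cipher.

import string

ALPHABET = string.ascii_uppercase


def substitute(text: str, shift: int) -> str:
    """Shift every letter `shift` places forward in the alphabet.

    Non-letters are passed through unchanged. A negative shift decrypts,
    so substitute(substitute(t, k), -k) == t.
    """
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def reverse_transpose(text: str) -> str:
    """Leonardo's mirror writing: the same call encrypts and decrypts."""
    return text[::-1]


def split_transpose(word: str) -> str:
    """Every other letter (starting with the first), then the remainder.

    HELLO -> "HLO EL": even positions form the first word, odd positions
    the second.
    """
    return word[0::2] + " " + word[1::2]


def split_untranspose(cipher: str) -> str:
    """Undo split_transpose by interleaving the two words again."""
    first, second = cipher.split(" ")
    out = []
    for i in range(len(first)):
        out.append(first[i])
        if i < len(second):
            out.append(second[i])
    return "".join(out)


def brute_force_substitution(cipher: str) -> list:
    """Try all 25 non-trivial shifts; return (shift, candidate) pairs.

    The attacker needs no key: a human or a dictionary check picks the
    readable candidate from this short list.
    """
    return [(k, substitute(cipher, -k)) for k in range(1, 26)]
```

Running brute_force_substitution("JGNNQ") lists 25 candidates, of which only the entry for shift 2 reads as English; a key space that small offers no protection at all, which is the point the next section makes about key length.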

Simple ciphers like these are easily broken, as we shall see. Modern
cryptography builds on the same ideas of substitution and transposition but
with keys far too large to guess. The main techniques used in e-commerce are:
x Symmetric Key Encryption;
x Public Key Cryptography;
x Public Key Encryption Using Hash Function and Digital Signature;
x Digital Envelope; and
x Digital Certificate and Public Key Infrastructure (PKI).

(a) Symmetric Key Encryption

So, what is symmetric key encryption?

Symmetric key encryption, also called secret key encryption, is a method in
which the same secret key is used both to encrypt the plain text and to
decrypt the resulting cipher text.

In symmetric key encryption, both the sender and the receiver use the same
key to encrypt and decrypt the message as can be seen in Figure 6.7. You
may wonder how the sender and the receiver come to have the same key. They
have to send it over some communication medium or exchange the key in
person, and it must be kept secret from everyone else.

Figure 6.7: Symmetric key encryption


Source: http://www.devx.com/dbzone/Article/29232/0/page/3

Symmetric key encryption was used extensively throughout World War II
and is still part of Internet encryption. The Germans added a new wrinkle
with the Enigma machine (refer to Figure 6.8), a rotor device adopted by the
German military in the 1920s. The Allies (the anti-German coalition)
captured several Enigma machines, examined their operation, understood the
role of the daily-changing settings, and eventually were able to routinely
decipher the Germans' military and diplomatic messages.

How did the Enigma machine operate? Each day the Enigma machine would
be set up to produce a new secret cipher: a polyalphabetic substitution in
which the substitution changed with every key press, determined by the
settings made on the mechanical rotors and plugboard. As long as all Enigma
machines in a network were set to the same settings, they could communicate
securely, and every day the settings would change, hindering code-breakers
from breaking the codes in a timely fashion.

Figure 6.8: Enigma machine


Source: http://maestro-sec.com/blogs/2008/10/

The possibilities for simple substitution and transposition ciphers are
endless, but they all suffer from common flaws such as:

(i) Easy to Break

In the digital age, computers are so powerful and fast that these
ancient means of encryption can be broken quickly, either by trying every
key or by exploiting the letter frequencies of the underlying language.

(ii) Key Being Lost or Stolen

Symmetric key encryption requires that both parties share the same
key. In order to share the same key, they must send the key over a
presumably insecure medium, where it could be stolen and used to
decipher messages. If the secret key is lost or stolen, the entire
encryption system fails.

(iii) Impractical at Scale

In commercial use, where we are not all part of the same team or
army, you would need a separate secret key for each of the parties with
whom you transacted, that is, one key for the bank, another for the
department store, and another for the government.

In a large population of n users, where any pair may need to communicate
privately, this requires n(n-1)/2 distinct keys. In a population of millions
of Internet users, hundreds of trillions of keys would be needed to
accommodate all e-commerce customers. It is estimated there are about 35
million purchasers in the United States alone. Clearly, this situation would
be unworkable in practice.

Modern encryption systems are digital. The ciphers or keys used to
transform plain text into cipher text are digital strings. Computers store
text and other data as binary strings composed of 0s and 1s.

For instance, the binary representation of the capital A in ASCII
computer code is accomplished with eight binary digits (bits): 01000001.
One way in which digital strings can be transformed into cipher text is by
combining each character with another binary number, say, an eight-bit key
01010101, using the exclusive-or (XOR) operation. XOR is used because
applying the same key a second time restores the original bits. If we
combined every character in our text message with this eight-bit key and
sent the encrypted message to a friend along with the secret eight-bit key,
the friend could decode the message easily.

The strength of modern security protection is measured in terms of the
length of the binary key used to encrypt the data. In the above example, the
eight-bit key is easily recovered because there are only 2^8 or 256
possibilities. If the intruder knows you are using an eight-bit key, then he
or she could decode the message in a fraction of a second on a modern
computer just by using a brute force attack, checking each of the 256
possible keys.

A brute force attack consists of trying every possible key in turn until one
produces intelligible plain text. Its cost doubles with every extra bit of
key length.

For this reason, modern digital encryption systems use keys of 128 or 256
binary digits (older systems used 56). With a 256-bit key there are 2^256
possibilities to check, a number so large that all the computers in the
world working together could not try them all within the lifetime of the
universe.
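The eight-bit example and the key-count argument above, carried through in Python as an added example (not code from the original module). XOR is assumed as the combining operation, since multiplication by a key is not generally reversible; the sample message and the "printable ASCII" heuristic the attacker uses to recognise a correct key are the editor's choices.

```python
# Added example (not from the original module): encrypting with a single
# eight-bit key, recovering that key by brute force, and the arithmetic
# that makes purely symmetric schemes unworkable for a large population.

import string


def xor_with_key(data: bytes, key: int) -> bytes:
    """Combine every byte with the same 8-bit key using XOR.

    XOR is its own inverse: applying the same key again restores the
    original bytes, so this one function both encrypts and decrypts.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in eight bits")
    return bytes(b ^ key for b in data)


def looks_like_text(candidate: bytes) -> bool:
    """Attacker's heuristic: does every byte decode to printable ASCII?"""
    printable = set(string.printable.encode())
    return all(b in printable for b in candidate)


def brute_force_8bit(ciphertext: bytes) -> list:
    """Try all 2**8 = 256 keys and keep those that yield readable text.

    With so few keys the attacker does not need the key at all; the
    ciphertext alone is enough.
    """
    hits = []
    for key in range(256):
        plain = xor_with_key(ciphertext, key)
        if looks_like_text(plain):
            hits.append((key, plain))
    return hits


def pairwise_keys(n_users: int) -> int:
    """Secret keys needed so that every pair of n users shares one.

    Each user needs a key with each of the other n-1 users, and each key
    is shared by two people, so the total is n(n-1)/2, not n-1.
    """
    return n_users * (n_users - 1) // 2


def keyspace(bits: int) -> int:
    """Number of candidate keys an attacker must try for a key of `bits` bits."""
    return 2 ** bits


if __name__ == "__main__":
    key = 0b01010101                      # the eight-bit key from the text
    ct = xor_with_key(b"Buy Cisco @ $25", key)   # constructed sample message
    hits = brute_force_8bit(ct)
    print(f"{len(hits)} of 256 keys give printable output;",
          f"true key {key:#04x} -> {xor_with_key(ct, key)!r}")
    print("keys for 35 million buyers:", pairwise_keys(35_000_000))
    print("trials for a 256-bit key:", keyspace(256))
```

The brute force loop finishes instantly for an 8-bit key; doubling the key length to 16 bits would only multiply the work by 256, which is why key lengths of 128 bits and above are used, and why pairwise_keys(35_000_000) returning over six hundred trillion is the real argument for the public key methods described next.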

For many years the most widely used symmetric key cipher on the Internet
was the Data Encryption Standard (DES), which uses a 56-bit key. It was
developed by IBM, with input from the National Security Agency (NSA), and
adopted as a US federal standard in 1977. Faster computers made a 56-bit
key brute-forceable (it was publicly cracked in 1998), so DES was extended
to Triple DES, which encrypts each block three times with separate keys,
and has since been replaced by the Advanced Encryption Standard (AES) with
128- or 256-bit keys. Like all symmetric key systems, DES and AES require
the sender and the receiver to exchange and share the same key, and require
a different key for each pair of parties that communicate.

(b) Public Key Cryptography

In 1976, an entirely new way of encrypting messages called public key
cryptography was invented by Whitfield Diffie and Martin Hellman.
Public key cryptography solves the problem of exchanging keys. In this
method, two mathematically related digital keys are used as illustrated in
Figure 6.9:

(i) A Public Key

The public key is widely disseminated; anyone may hold a copy of it.

(ii) A Private Key

The private key is kept secret by its owner. A message encrypted with
one key of the pair can only be decrypted with the other, so anyone can
encrypt a message to the owner using the public key, but only the owner,
holding the private key, can read it. The mathematical algorithms used to
produce the keys are one-way functions.

A one-way (irreversible) mathematical function is one which, once the
algorithm is applied, the input cannot feasibly be derived from the
output.

Public key cryptography is therefore based on the idea of irreversible
mathematical functions. The keys are sufficiently long (2048 bits or more
for RSA in current practice) that it would take enormous computing power
to derive the private key from the public key, even using the largest and
fastest computers available.

Figure 6.9: Public key cryptography


Source: http://www.aarontoponce.org/presents/gpg/

(c) Public Key Encryption Using Hash Function and Digital Signature
In public key encryption as shown in Figure 6.10, some elements of security
are missing. Although we can be quite sure the message was not
understood or read by a third party (message confidentiality), there is no
guarantee the sender really is the sender, that is, there is no authentication
of the sender. This means the sender could deny ever sending the message
(repudiation). And there is no assurance the message was not altered
somehow in transit.

For example, the message "Buy Cisco @ $25" could have been accidentally
or intentionally altered to read "Sell Cisco @ $25". This suggests a potential
lack of integrity in the system.

Let us look at the two components used in public key encryption.

(i) Hash Function

A more sophisticated use of public key cryptography can achieve
authentication, nonrepudiation and integrity. To check the integrity of a
message and to ensure it has not been altered in transit, a hash function
(refer below) is used first to create a digest of the message.

A hash function is an algorithm that takes input of any length and produces
a fixed-length number called a hash or message digest. A cryptographic
hash function (such as SHA-256, which produces a 256-bit digest) is
designed so that any change to the message, even a single bit, produces a
completely different digest, and so that it is infeasible to find two
different messages with the same digest. Simply counting the number of 1s
in a message would also be a hash function, but not a useful one, since
many different messages would share the same digest.

The result of applying the hash function is sent by the sender to the
recipient along with the message. Upon receipt, the recipient applies the
hash function to the received message and checks that the same result is
produced. If so, the message has not been altered. To keep the whole
exchange confidential, the sender encrypts both the original message and
the hash result using the recipient's public key, producing a single block
of cipher text.

(ii) Digital Signature

One more step is required. To ensure the authenticity of the
message, and to ensure nonrepudiation, the sender encrypts the
block of cipher text one more time using the sender's private
key. This produces a digital signature, also called an e-signature
or signed cipher text, that can be sent over the Internet. (In practice,
because public key operations are slow, the signature is computed over
the message digest rather than over the entire cipher text.)

Figure 6.10: Public key encryption using hash function and digital signature
Source: http://www.microsoft.com/mspress/books/sampchap/6429.aspx

A digital signature is a close parallel to a handwritten signature. Like a
handwritten signature, the digital signature is unique to a person, since
only one person presumably possesses the private key. When used with a
hash function, the digital signature goes further than a handwritten one:
in addition to being unique to a particular individual, when used to sign a
hashed document, it is also unique to the document and changes for every
document.

The recipient of this signed cipher text first uses the sender's public key to
authenticate the message. Once authenticated, the recipient uses his or her
private key to obtain the hash result and original message. As a final step,
the recipient applies the same hash function to the original text and
compares the result with the result sent by the sender. If the results are the
same, the recipient now knows the message has not been changed during
transmission. The message has integrity.

(d) Digital Envelope

Public key encryption is computationally slow, thousands of times slower
than symmetric encryption. If one used public key encryption to encode
large documents such as this topic or the entire module, significant
declines in transmission speeds and increases in processing time would
occur.

Symmetric key encryption is computationally faster but as we pointed out
above, it has a weakness, namely, the symmetric key must be sent to the
recipient over insecure transmission lines. One solution is to use the digital
envelope technique.

In the digital envelope, the more efficient symmetric encryption and
decryption are used for the large document itself, but public key encryption
is used to encrypt and send the symmetric key, so a fresh symmetric key can
be chosen for every message and never travels in the clear.
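The hash, sign and envelope steps of sections (c) and (d), carried through end to end as an added example (this is the editor's code, not the module's, and it is not how any production library implements RSA). It assumes a deliberately tiny "textbook RSA" built from Mersenne primes so that everything runs with Python's built-in integers and hashlib, a SHA-256 counter-mode keystream standing in for AES, and a constructed order message. The tamper function shows the failure mode the text warns about: an attacker with no key can still change "100" to "900" inside the encrypted message, and only the signature check reveals it.

```python
# Added example (not from the original module): the hash, sign and
# digital-envelope flow of Figure 6.10 and section (d), built on a
# deliberately tiny "textbook RSA". Real systems use randomly generated
# 2048-bit-plus primes, padding (OAEP/PSS) and a real cipher such as AES;
# this toy only makes the data flow visible.

import hashlib
import secrets

E = 65537  # the usual RSA public exponent


def make_keypair(p: int, q: int):
    """Textbook RSA: public key (n, e), private key (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, E), (n, d)


# ASSUMPTION for the example: Mersenne primes 2^89-1, 2^107-1 (Alice) and
# 2^61-1, 2^127-1 (Bob). They are prime, so the maths works, but they are
# far too predictable to use for real keys.
ALICE_PUB, ALICE_PRIV = make_keypair((1 << 89) - 1, (1 << 107) - 1)
BOB_PUB, BOB_PRIV = make_keypair((1 << 61) - 1, (1 << 127) - 1)


def digest_int(message: bytes) -> int:
    """SHA-256 digest as an integer, truncated to 192 bits so it is smaller
    than Alice's ~196-bit toy modulus (real RSA pads the full digest)."""
    return int.from_bytes(hashlib.sha256(message).digest()[:24], "big")


def sign(message: bytes, priv) -> int:
    """Digital signature: the digest transformed with the sender's private key."""
    n, d = priv
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, pub) -> bool:
    """Open the signature with the public key and compare with a fresh digest."""
    n, e = pub
    return pow(signature, e, n) == digest_int(message)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher standing in for AES: XOR with a SHA-256
    counter-mode keystream. The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], keystream))
    return bytes(out)


def seal(message: bytes, sender_priv, recipient_pub) -> dict:
    """Digital envelope: sign the digest, encrypt message||signature under a
    fresh 128-bit session key, and wrap that key with the recipient's public key."""
    signature = sign(message, sender_priv).to_bytes(32, "big")
    session_key = secrets.token_bytes(16)
    n, e = recipient_pub
    return {
        "ciphertext": stream_xor(session_key, message + signature),
        "wrapped_key": pow(int.from_bytes(session_key, "big"), e, n),
    }


def open_envelope(envelope: dict, recipient_priv, sender_pub):
    """Unwrap the session key, decrypt, then check the sender's signature.
    Returns (message, signature_ok); the message is returned even when the
    check fails so the caller can see what was altered."""
    n, d = recipient_priv
    session_key = pow(envelope["wrapped_key"], d, n).to_bytes(16, "big")
    body = stream_xor(session_key, envelope["ciphertext"])
    message, signature = body[:-32], int.from_bytes(body[-32:], "big")
    return message, verify(message, signature, sender_pub)


def tamper(envelope: dict, offset: int, old: bytes, new: bytes) -> dict:
    """What an attacker can do without any key: XOR-ing ciphertext bytes with
    old^new rewrites those plaintext bytes. Encryption alone hides the change;
    only the signature check reveals it."""
    ct = bytearray(envelope["ciphertext"])
    for i, (o, nw) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ nw
    return {"ciphertext": bytes(ct), "wrapped_key": envelope["wrapped_key"]}


if __name__ == "__main__":
    order = b"Buy 100 Cisco @ $25"          # constructed sample message
    env = seal(order, ALICE_PRIV, BOB_PUB)
    print(open_envelope(env, BOB_PRIV, ALICE_PUB))
    print(open_envelope(tamper(env, 4, b"1", b"9"), BOB_PRIV, ALICE_PUB))
```

Two design points are worth noticing. The signature is computed over the digest, not over the whole cipher text as the simplified description above puts it, because that is what makes signing a large document cheap. And confidentiality without integrity is not enough: the stream cipher lets the attacker edit the quantity without knowing the session key, so a recipient who skipped the verify step would act on a forged order.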

(e) Digital Certificate and Public Key Infrastructure (PKI)


There are still some deficiencies in the message security regime described
above. How do we know that people and institutions are who they claim to
be? Anyone can make up a private and public key combination and claim
to be the Defence Department or Santa Claus. Before you place an order
with an online merchant such as Amazon.com, you want to be sure that it
really is Amazon.com that you have on the screen and not a spoofer
masquerading as Amazon.

In the physical world, if someone asks who you are and you show a social
security number, they may well ask to see your identification cards picture
or a second form of certifiable or acceptable identification. If they really
doubt who you are, they may ask references to other authorities and
actually interview those authorities. Similarly in the digital world, we need
a way to know who people and institutions really are.

Two related mechanisms address this problem of digital identity:

(i) Digital Certificate

A digital certificate is a digital document issued by a trusted
certificate authority (CA). Refer below to know more on CA.

A certificate authority is a trusted third-party institution. In the United
States, private corporations such as VeriSign and government agencies
such as the U.S. Postal Service have acted as certificate authorities.

The digital certificate contains the following elements as can be seen
in Figure 6.11:
x The name of the subject or company;
x The subject's public key;
x A digital certificate serial number;
x An expiration date;
x An issuance date;
x The digital signature of the certificate authority (a hash of the
certificate's contents, signed with the CA's private key); and
x Other identifying information, such as the name of the issuing CA.

Figure 6.11: Digital certificate


Source: https://p10.secure.hostingprod.com/@spyblog.org.uk/ssl/wikileak/index.html

(ii) Public Key Infrastructure

What is a Public Key Infrastructure? Refer below to find out its
meaning.

Public key infrastructure (PKI) refers to the certificate authorities and
digital certificate procedures that are accepted by all parties.

To create a digital certificate, the user generates a public/private key
pair and sends a request for certification to the CA along with the
user's public key. The CA verifies the information and then issues a
certificate containing the user's public key and other related
information. Finally, the CA creates a message digest from the
certificate itself (just like a hash digest) and signs it with the CA's
private key. This signed digest, attached to the certificate, makes it a
signed certificate: a document that only that CA could have produced and
that cannot be altered without invalidating the signature.
There are several ways the certificates are used in commerce. Before
initiating a transaction, the customer's browser can request the signed
digital certificate of the merchant and verify the CA's signature on it
using the CA's public key, which the browser already holds in its list of
trusted CAs. If the digest recovered from the signature matches a digest
freshly computed over the certificate, then the certificate is genuine and
the merchant's public key is authenticated. The merchant may in return
request certification of the user, in which case the user would send the
merchant his or her individual certificate. There are many types of
certificates: personal, institutional, web server, software publisher,
and CAs themselves.
You can easily obtain a public and private key pair using Pretty Good
Privacy (PGP) software (www.pgpi.org). PGP was invented in 1991, and
has become one of the most widely used e-mail public key encryption
software tools in the world. Using PGP software installed on your
computer, you can compress and encrypt your messages as well as
digitally sign them and verify the signatures of others.

6.2.2 Limitations to Encryption Solutions

How is your private key to be protected? Most private keys will be stored on
insecure desktop or laptop machines.

Therefore, there are three limitations in using encryption and they are:

(a) No Guarantee of Determining the User of the Computer

There is no guarantee the person using your computer and your private
key is really you. Under many digital signature laws (such as those in Utah
and Washington), you are responsible for whatever your private key does
even if you were not the person using the key. This is very different from
mail order or telephone order credit card rules, where you have a right to
dispute the credit card charge.

(b) No Guarantee that the Computer is Secured

There is no guarantee that the computer of the merchant, on which your
order and card details are decrypted and stored, is itself secure.

(c) No Definite Policy in Revoking or Renewing the Certificates

The expected life of a digital certificate or private key is a function of the
frequency of use and the vulnerability of the systems that use it. Yet
many CAs have no policy, or only an annual policy, for reissuing
certificates, and a revoked certificate only stops working if the relying
party actually checks its revocation status.

6.2.3 Securing Channels of Communication

The concepts of public key encryption are used routinely for securing channels of
communication.

In this section, we will look into the following:

x Secure Sockets Layer (SSL), now standardised as Transport Layer Security (TLS);
x Secure Hypertext Transfer Protocol (S-HTTP); and
x Virtual Private Networks (VPN).

(a) Secure Sockets Layer (SSL)

The most common form of securing channels is through the Secure Sockets
Layer (SSL), which sits between the application and TCP/IP; its modern
successor is Transport Layer Security (TLS), though the name SSL is still
widely used. When a web server tells your browser that you will be
communicating through a secure channel, this means that you will be using
SSL to establish a secure negotiated session (refer below).

A secure negotiated session is a client-server session in which the URL of
the requested document, along with its contents, the contents of forms, and
the cookies exchanged, are all encrypted. You will also notice that the URL
changes from HTTP to HTTPS.

For instance, a credit card number that you entered into a form would be
encrypted. Through a series of handshakes, the browser and the server
establish one another's identity by exchanging digital certificates, decide on
the strongest form of encryption they both support, and then proceed to
communicate using an agreed-upon session key (refer below).

A session key is a unique symmetric encryption key chosen just for this
single secure session. It is discarded when the session ends and is never
reused.

In practice, most private individuals do not have a digital certificate. In this
case, the merchant server will not request a certificate, but the client
browser will request the merchant's certificate once a secure session is called
for by the server.

The SSL protocol provides data encryption, server authentication, optional
client authentication, and message integrity for TCP/IP connections. Older
browsers offered only 40-bit ("export") or 128-bit session keys; modern
TLS uses 128- or 256-bit keys, and the strongest encryption both sides
support is always chosen.

SSL was designed to address the threat of authenticity by allowing users to
verify the identity of a server (or, optionally, of another user). It also
protects the integrity of the messages exchanged. However, once the
merchant receives the encrypted credit card and order information, that
information is typically decrypted and stored on the merchant's servers,
where SSL no longer protects it.

While the SSL protocol provides secure transactions between merchant and
consumer, it only guarantees server-side authentication, as client
authentication is optional. In addition, SSL cannot provide
non-repudiation: a consumer can order goods or download information
products and then claim the transaction never occurred. Other protocols
for protecting financial transactions, such as the Secure Electronic
Transaction protocol (SET), were developed that require all parties to a
transaction to use digital certificates, although SET never achieved wide
adoption.

(b) Secure Hypertext Transfer Protocol (S-HTTP)

A competing method is called Secure Hypertext Transfer Protocol (S-HTTP).
S-HTTP is a secure message-oriented communications protocol designed for use
in conjunction with HTTP. It is designed to co-exist with HTTP and to be easily
integrated with HTTP applications. Basically, S-HTTP attempts to make HTTP
more secure. Whereas SSL is designed to establish a secure connection between
two computers, S-HTTP is designed to secure individual messages.

However, you need to bear in mind that not all browsers and not all
websites support S-HTTP; in fact it was never widely adopted, and current
browsers do not implement it at all. A supporting site is identified by a
URL that starts with shttp://, and the use of such a URL in an anchor tag
indicates that the target server is S-HTTP capable. A message which uses
S-HTTP may be:
(i) Signed;
(ii) Authenticated;
(iii) Encrypted; and
(iv) Any combination of the above.

(c) Virtual Private Networks (VPN)

Virtual Private Networks (VPN) allow remote users to securely access
internal networks via the Internet, for example using the Point-to-Point
Tunneling Protocol (PPTP). Refer below to find out its meaning.

Point-to-Point Tunneling Protocol is a tunnelling mechanism that allows
one local network to connect to another using the Internet as the conduit.

As shown in Figure 6.12, a remote user can connect to a local Internet Service
Provider (ISP), and PPTP makes the connection from the ISP to the
corporate network as if the user had dialled into the corporate network
directly. The process of carrying one protocol inside another (here, the
user's PPP connection inside IP packets) is called tunnelling, because PPTP
creates a private connection by adding a wrapper around each message to
hide its content. As the message travels through the Internet between the
ISP and the corporate network, it is shielded from prying eyes by the
encrypted wrapper.

Figure 6.12: Virtual private networks

A virtual private network is virtual in the sense that it appears to users as
a dedicated secured line, when in fact it is a temporary secure line. The
primary use of VPNs is to establish secure communications among
business partners, larger suppliers or customers. A dedicated connection to
a business partner can be very expensive. Using the Internet and a
tunnelling protocol as the connection method significantly reduces the
cost of secure communications. Note that PPTP's own authentication and
encryption have known weaknesses, so current VPNs are built on protocols
such as IPsec, TLS-based VPNs or WireGuard rather than PPTP.

6.2.4 Protecting Network


Once you have protected communications as well as possible, the next sets of
tools to consider are those that can protect your networks, and the servers and
clients on those networks. The tools used for this purpose are:
(a) Firewalls; and
(b) Proxy servers.

Firewalls and proxy servers are intended to build a wall around your network,
and the attached servers and clients, just like physical world firewalls which
protect you from fires for a limited period of time. Firewalls and proxy servers
share some similar functions, but they are quite different as explained below:

(a) Firewalls
Firewalls are software or hardware systems that act as filters between a
company's private network and the Internet as illustrated in Figure 6.13.

Figure 6.13: Firewalls

Source: http://www.barbardata.com/2009/11/design-of-a-computer-system/

They prevent unauthorised remote machines from attaching to your internal
network. Firewalls monitor and validate all incoming and outgoing
communications. Every message that is to be sent to or received from the
network is processed by the firewall, which determines if the
message meets the security guidelines established by the business. If it
does, it is permitted to pass. If it does not, the message is blocked.

There are two major methods firewalls use to validate traffic:

(i) Packet Filters

Packet filters examine data packets to determine whether they are
destined for a prohibited port, or originate from a prohibited IP address
(as specified by the security administrator). The filter specifically looks at
the source and destination information, as well as the port and packet
type, when determining whether the information may be transmitted.
One downside of the packet filtering method is that it is susceptible to
spoofing: it trusts the source address written in the packet, which an
attacker can forge, because authenticating the sender is not one of its
roles. Most modern firewalls are also stateful, tracking established
connections so that only replies to traffic the inside initiated are let
back in.

(ii) Application Gateways

Application gateways are a type of firewall that filter communications
based on the application being requested, rather than the source or
destination of the message. Such firewalls also process requests at the
application level, farther away from the client computer than packet
filters. By providing a central filtering point, application gateways
provide greater security than packet filters, but can compromise the
performance of the system.
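A first-match packet filter of the kind described under (i), as an added example (the editor's code, not the module's, and not a real firewall's rule language). The addresses, ports, rule set and packet records are constructed for the example. It shows both the normal allow/deny decisions and the spoofing weakness: a packet arriving from the Internet but carrying an internal source address sails through the naive rule set, and the fix is an ingress (anti-spoofing) rule that checks the arrival interface as well as the address.

```python
# Added example (not from the original module): a first-match packet
# filter over constructed packet records, and the anti-spoofing rule that
# closes the gap the text describes.

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" (Internet) or "int"
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    iface: str = "any"
    src: str = "0.0.0.0/0"      # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: int = 0              # 0 = any port

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (0, p.dport))


def decide(rules: list, p: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed policy (ASSUMPTION for the example): the web server
# 203.0.113.10 is public on 443; the database 10.0.0.5 accepts port 5432
# only from the office network 10.0.0.0/24.
NAIVE = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/24", dst="10.0.0.5/32", proto="tcp", dport=5432),
    Rule("deny"),
]

# Ingress filtering: a packet arriving from the Internet can never
# legitimately carry an internal source address, so drop it before
# any source-based allow rule can match it.
HARDENED = [Rule("deny", iface="ext", src="10.0.0.0/8")] + NAIVE

# Constructed traffic; the last packet is the spoofing attack.
PROBES = {
    "customer_https": Packet("ext", "198.51.100.7", "203.0.113.10", "tcp", 443),
    "customer_ssh":   Packet("ext", "198.51.100.7", "203.0.113.10", "tcp", 22),
    "office_db":      Packet("int", "10.0.0.42", "10.0.0.5", "tcp", 5432),
    "spoofed_db":     Packet("ext", "10.0.0.42", "10.0.0.5", "tcp", 5432),
}


def evaluate(rules: list) -> dict:
    """Decision for every probe packet under the given rule set."""
    return {name: decide(rules, p) for name, p in PROBES.items()}


if __name__ == "__main__":
    print("naive:   ", evaluate(NAIVE))
    print("hardened:", evaluate(HARDENED))
```

The naive rule set accepts the spoofed database connection because the packet's claimed source is inside 10.0.0.0/24 and nothing else in the packet distinguishes it from the genuine office traffic; the hardened set denies it on the interface check while still allowing the legitimate office and customer traffic.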

(b) Proxy Servers

What is a proxy server? Let us learn more on it by taking a look at the
explanation provided below.

Proxy servers (proxies) are software servers that handle all
communications originating from or being sent to the Internet, acting as a
spokesperson or bodyguard for the organisation.

Proxies act primarily to limit access of internal clients to external Internet
servers, although some proxy servers act as firewalls as well. Proxy servers
are sometimes called dual-homed systems because they have two network
interfaces. To internal machines, a proxy server is known as the gateway,
while external machines see only the proxy's own address, never the
address of the internal client.

How does a dual-homed proxy server work? Let us look at
Figure 6.14 which shows the processes involved in the system.

Figure 6.14: The dual-homed proxy server

By prohibiting users from communicating directly with the Internet,
companies can restrict access to certain types of sites, such as pornographic,
auction, or stock-trading sites. Proxy servers also improve Web
performance and security in the following ways:
(i) Storing frequently requested web pages locally;
(ii) Reducing page download times; and
(iii) Hiding the internal network's addresses, thus making it more difficult
for hackers to map the network.

6.2.5 Protecting Servers and Clients


Servers and clients can be further protected from certain types of attacks by the
following ways:

(a) Operating System Controls

Computer operating systems typically have a built-in username and
password requirement that provides a level of authentication. Some
operating systems also have an access control function that automates user
access (or, more commonly, denies access by clients) to various areas of the
network.

For instance, operating system security can manage access to selected
network paths so that only authorised personnel can obtain access to
payroll information. Application software, including Microsoft Office and all
server-side database packages, contains extensive security management
features that can be used on networks and intranets to manage access to
data files.

(b) Anti-virus Software


The easiest and least expensive way to prevent threats to system integrity is
to install anti-virus software. Programmes by McAfee and Symantec
provide inexpensive tools to identify and eradicate the most common
types of viruses as they enter a computer, as well as destroy those already
lurking on a hard drive.

It is not enough, however, to simply install the software once. Since new
viruses are being developed daily, routine updates are needed in order to
prevent new threats from being loaded.

(c) Intrusion Detection System

These systems, which are more complex and expensive, work much like
anti-virus software in that they look for recognised hacker tools or
signature actions.

Designed to trigger an alarm when such an action is noted, these systems
must be monitored by staff members or intrusion-detection services in
order to work properly. Sensors set up on a computer network will trigger
hundreds of alarms, with only a very small percentage being a potential
security threat. Regular monitoring, analysis and tuning of the rules help
weed out the insignificant from the potentially harmful. Despite the extra
work involved in eliminating false alarms, intrusion detection systems also
serve as a first line of defence against hacker attacks.
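The two kinds of detection an intrusion detection system performs, run over web-server log lines, as an added example (the editor's code, not the module's, and not the rule format of any particular IDS product). The log lines, the addresses and the signature patterns are constructed for the example; the threshold and window of the brute-force rule are the kind of tunable that the text says must be adjusted to keep false alarms down.

```python
# Added example (not from the original module): signature matching and a
# threshold rule, the two basic IDS techniques, over constructed log lines
# in the common web-server format.

import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log (not real traffic). 203.0.113.9 runs a scanner,
# sends an injection probe and hammers the login form; 198.51.100.7 is a
# legitimate customer who mistypes a password once.
LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET /products?id=1 HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:03 +0000] "GET /products?id=1%27%20OR%201=1-- HTTP/1.1" 200 "sqlmap/1.7"
203.0.113.9 - - [10/Oct/2023:13:55:04 +0000] "POST /login HTTP/1.1" 401 "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 401 "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:06 +0000] "POST /login HTTP/1.1" 401 "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:07 +0000] "POST /login HTTP/1.1" 401 "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:08 +0000] "POST /login HTTP/1.1" 401 "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:58:00 +0000] "POST /login HTTP/1.1" 401 "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:58:30 +0000] "POST /login HTTP/1.1" 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

# Illustrative signatures (name, field to inspect, pattern).
SIGNATURES = [
    ("known scanner user-agent", "ua", re.compile(r"sqlmap|nikto", re.I)),
    ("SQL injection tautology", "path", re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
]


def parse(log_text: str) -> list:
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["path"] = unquote(ev["path"])   # match on the decoded request
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def signature_alerts(events: list) -> list:
    """Signature detection: one alert per (pattern, event) hit."""
    alerts = []
    for ev in events:
        for name, field, pattern in SIGNATURES:
            if pattern.search(ev[field]):
                alerts.append((name, ev["ip"]))
    return alerts


def brute_force_alerts(events: list, threshold: int = 5, window_s: int = 60) -> list:
    """Threshold detection: alert once per source with >= threshold failed
    logins inside any window_s-second window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["path"] == "/login" and ev["status"] == 401:
            failures[ev["ip"]].append(ev["ts"])
    alerts = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= timedelta(seconds=window_s):
                alerts.append(("login brute force", ip))
                break
    return alerts


def run(log_text: str = LOG) -> list:
    """All alerts raised over the log, signature hits first."""
    events = parse(log_text)
    return signature_alerts(events) + brute_force_alerts(events)


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

With the default threshold of five failures in sixty seconds the customer's single mistyped password raises nothing, while the scanning host raises three alerts; lowering the threshold to one would flag the customer too, which is the false-alarm trade-off the text describes.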

SELF-CHECK 6.2

1. How do anti-virus programmes detect and identify a virus?


2. What are the tools used to protect networks, servers and clients?

EXERCISE 6.2

1. What is encryption?
2. Give four different forms of encryption technology currently
in use.
3. Explain these two tools which are used to establish secure
Internet communication channels:
(a) SSL (Secure Sockets Layer)
(b) S-HTTP (Secure Hypertext Transfer Protocol)

You can visit the following websites to get more information on technology
solutions for e-commerce security:

(a) Encryption:
x http://tools.devshed.com/c/a/How-To/What-Is-Encryption-
Technology/
(b) Guide to intrusion detection and prevention systems:
x http://csrc.ncsl.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
(c) Articles on security topics:
x www.windowsecurity.com/

6.3 POLICIES AND PROCEDURES


Most Chief Executive Officers (CEO) and Chief Information Officers (CIO) of
existing e-commerce operations believe that technology is not the key issue in
managing the risk of e-commerce. The technology provides a foundation, but in
the absence of intelligent management policies even the best technology can be
easily defeated. Public laws and active enforcement of cybercrime statutes are
also required to both raise the costs of illegal behaviour on the Internet and guard
against corporate abuse of information. Let us consider briefly the development
of management policy.

6.3.1 A Security Plan: Management Policies


In order to minimise security threats, e-commerce firms must develop a coherent
corporate policy as shown in Figure 6.15. This policy takes into account the
nature of the risks, the information assets that need protection, and the
procedures and technologies required to address the risk, as well as the
implementation and auditing mechanisms.

Figure 6.15: Management e-commerce security plans

(a) Risk Assessment

A security plan begins with risk assessment, which is an assessment of the
risks and points of vulnerability. The first step in addressing the risk is to
inventory the information and knowledge assets of the e-commerce site
and company. What information is at risk? Is it the customer information,
proprietary designs, business activities, secret processes, or other internal
information such as price schedules, executive compensation, or payroll?
For each type of information asset, try to estimate the dollar value to the
firm if this information were compromised and then multiply that amount
by the probability of the loss occurring. Once you have done so, rank the
results. You now have a list of information assets prioritised by their value
to the firm.
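The ranking procedure just described (estimate the dollar impact of a compromise, multiply by its probability, sort the results) can be carried out with a short script. The following is an added example, not code from the textbook; the asset names, dollar values and probabilities are constructed for illustration and are not figures from the text.

```python
"""Rank information assets by expected loss, as in the risk assessment step.

Added example: the inventory below is constructed sample data, not the
textbook's own figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InformationAsset:
    name: str
    loss_if_compromised: float  # estimated dollar impact of one compromise
    annual_probability: float   # estimated probability of compromise per year

    @property
    def expected_annual_loss(self) -> float:
        """Dollar value multiplied by the probability of the loss occurring."""
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"probability out of range for {self.name}")
        return self.loss_if_compromised * self.annual_probability


def rank_assets(assets):
    """Return the assets ordered from highest to lowest expected annual loss."""
    return sorted(assets, key=lambda a: a.expected_annual_loss, reverse=True)


def priority_report(assets):
    """Produce (rank, asset name, expected annual loss) tuples for the prioritised list."""
    return [(rank, asset.name, round(asset.expected_annual_loss, 2))
            for rank, asset in enumerate(rank_assets(assets), start=1)]


# Constructed sample inventory (values are illustrative only).
SAMPLE_ASSETS = [
    InformationAsset("Customer credit card data", 2_000_000.0, 0.05),
    InformationAsset("Proprietary product designs", 5_000_000.0, 0.01),
    InformationAsset("Price schedules", 150_000.0, 0.20),
    InformationAsset("Payroll records", 400_000.0, 0.10),
]


if __name__ == "__main__":
    for rank, name, loss in priority_report(SAMPLE_ASSETS):
        print(f"{rank}. {name}: expected annual loss ${loss:,.2f}")
```

Note that the asset with the largest single-compromise value (the product designs) does not come first: the ranking is driven by value multiplied by likelihood, which is exactly why the text asks for both estimates before sorting.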

(b) Develop Security Policy

Based on your quantified list of risks, you can start to develop a security
policy (refer below).

Security policy is a set of statements prioritising the information risks,
identifying acceptable risk targets, and identifying the mechanisms for
achieving these targets.

You will obviously want to start with the information assets that you
determined to be the highest priority in your risk assessment.
Below are the questions that might guide you in developing the security policy:
(i) Who generates and controls this information in the firm?
(ii) What existing security policies are in place to protect the information?
(iii) What enhancements can you recommend to improve security of these
most valuable assets?
(iv) What level of risk are you willing to accept for each of these assets?
(v) Are you willing, for instance, to lose customer credit data once every
ten years?
(vi) Or will you pursue a hundred-year hurricane strategy by building a
security edifice for credit card data that can withstand the once in a
hundred-year disaster?
You will need to estimate how much it will cost to achieve this level of
acceptable risk. Remember, total and complete security may require
extraordinary financial resources.

(c) Implementation Plan

An implementation plan is the action steps you will take to achieve the
security plan's goals. Specifically, you must determine how you will
translate the levels of acceptable risk into a set of tools, technologies,
policies, and procedures. What new technologies will you deploy to
achieve the goals, and what new employee procedures will be needed?

To implement your plan, you will need a security organisational unit and a
security officer.

Let us look at the definitions provided for both of the terms.



Security officer is someone who is in charge of security on a daily basis. For
a small e-commerce site, the security officer will likely be the person in
charge of the Internet services or the site manager; whereas for larger
firms, there typically is a dedicated team with a supporting budget.

The security organisation educates and trains the users, keeps
management aware of security threats and breakdowns and maintains the
tools chosen to implement the security.

The security organisation typically administers the following:

(i) Access Controls


Access controls determine which outsiders and insiders can gain
legitimate access to your networks. Outsider access controls include
firewalls and proxy servers, while insider access controls typically
consist of login procedures (username, passwords and access codes).

(ii) Authentication Procedures

Authentication procedures include the use of digital signatures,
certificates of authority, and public key infrastructure. Now that
e-signatures have been given the same legal weight as an original
pen-and-ink signature, companies are in the process of
devising ways to test and confirm a signer's identity.

Attaching a digital thumbprint and showing a live video image of the
signer are two methods under consideration. Companies frequently
have signers type their full name and click on a button indicating
their understanding that they have just signed a contract or
document.

Biometric devices, which measure the biological or physical
characteristics of an individual, are used along with digital
signatures. These devices verify individuals' physical attributes such
as a fingerprint, a retina (eye) scan or a voice through a speech recognition system.

A company could require, for example, that an individual undergo a
fingerprint scan before being allowed access to a website, or before
being allowed to pay for merchandise with a credit card. Biometric
devices make it even more difficult for hackers to break into sites or
facilities, significantly reducing the opportunity for spoofing.

(iii) Authorisation Policies

Let us look below at the two terms related to authorisation.

Authorisation policies determine differing levels of access to
information assets for differing levels of users.

Authorisation management systems establish where and when a user
is permitted to access certain parts of a website. Their primary
function is to restrict access to private information within a
company's Internet infrastructure.

Although there are several authorisation management products
currently available, most operate in the same way. The system
encrypts a user session to function like a passkey that follows the user
from page to page, allowing access only to those areas that user is
permitted to enter, based on information set at the management
system, which knows who is permitted to go where at all times.

(d) Security Audit

The last step in developing an e-commerce security plan is performing
a security audit (refer below).

A security audit involves the routine review of access logs, identifying
how outsiders are using the site as well as how insiders are accessing the
site's assets. A monthly report should be produced that establishes the
routine and non-routine accesses to the systems and identifies unusual

Tiger teams are often used by large corporate sites to evaluate the strength
of existing security procedures.

Before we move further, what is a tiger team? Does the team have any
characteristic in common with the real black-striped, orange-reddish coloured
animal?

A tiger team is a group whose sole job activity is attempting to break into a
site and stopping just short of actually making any unauthorised changes
to the site. Many small firms have sprung up in the last five years to
provide these services to large corporate sites.
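The routine access-log review described under (d), with the monthly split into routine and non-routine accesses, can be automated. The following is an added example, not code from the textbook; the log format, the internal address ranges, the business-hours window, the failure threshold and the log lines themselves are all constructed for illustration.

```python
"""Monthly access-log review: separate routine from non-routine accesses.

Added example, not the textbook's code.  The log format (time, source IP,
user or '-', path, HTTP status), the internal networks and the sample
lines are constructed.
"""
from collections import Counter
from datetime import datetime
import ipaddress

# Constructed: address ranges treated as "insiders"; everything else is an outsider.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ADMIN_PREFIX = "/admin/"        # constructed: private areas of the site
BUSINESS_HOURS = range(8, 18)   # constructed: insider access expected 08:00-17:59
FAILURE_THRESHOLD = 3           # constructed: repeated denials from one source

# Constructed sample log for one month.
SAMPLE_LOG = """\
2024-03-04T09:12:01 10.0.5.21 alice /admin/prices 200
2024-03-04T09:15:44 203.0.113.7 - /catalogue 200
2024-03-04T23:40:10 10.0.5.21 alice /admin/payroll 200
2024-03-05T11:02:13 198.51.100.9 - /admin/prices 403
2024-03-05T11:02:15 198.51.100.9 - /admin/prices 403
2024-03-05T11:02:18 198.51.100.9 - /admin/prices 403
2024-03-05T14:30:00 192.168.1.5 bob /account 200
"""


def parse_line(line: str) -> dict:
    """Split one log line into typed fields."""
    timestamp, ip, user, path, status = line.split()
    return {
        "time": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S"),
        "ip": ipaddress.ip_address(ip),
        "user": None if user == "-" else user,
        "path": path,
        "status": int(status),
    }


def is_insider(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def review_access_log(text: str) -> dict:
    """Classify each access and collect the non-routine ones with their reasons."""
    findings = []
    failures = Counter()
    routine = non_routine = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        reasons = []
        insider = is_insider(rec["ip"])
        if not insider and rec["path"].startswith(ADMIN_PREFIX):
            reasons.append("outsider requested an administrative area")
        if insider and rec["time"].hour not in BUSINESS_HOURS:
            reasons.append("insider access outside business hours")
        if rec["status"] in (401, 403):
            failures[rec["ip"]] += 1
            if failures[rec["ip"]] == FAILURE_THRESHOLD:
                reasons.append(f"{FAILURE_THRESHOLD} access failures from one source")
        if reasons:
            non_routine += 1
            findings.append((rec["time"].isoformat(), str(rec["ip"]),
                             rec["path"], reasons))
        else:
            routine += 1
    return {"routine": routine, "non_routine": non_routine, "findings": findings}


if __name__ == "__main__":
    report = review_access_log(SAMPLE_LOG)
    print(f"routine accesses: {report['routine']}, non-routine: {report['non_routine']}")
    for when, ip, path, reasons in report["findings"]:
        print(f"{when} {ip} {path}: {'; '.join(reasons)}")
```

The three rules are deliberately simple; what the monthly report needs is the per-access reason, so that an insider's after-hours visit to the payroll area and an outsider's repeated denials on the admin pages stand out from the routine traffic around them.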

6.3.2 CyberSecurity Malaysia

CyberSecurity Malaysia, which was established in 1997, is a national cyber security
body under the Ministry of Science, Technology and Innovation (MOSTI). It
includes various units and provides services for Internet users and organisations
in the field of cyber security. For example, the Cyber999 Help Centre deals with the
detection, interpretation of and response to computer security incidents. It also
provides safety tips, advisories and specialised services such as digital forensics
and wireless security. It also runs a training centre for professional certification.

ACTIVITY 6.2

Imagine you are the owner of an e-commerce website. What are some
of the signs that your site has been hacked?

EXERCISE 6.3

1. Identify and discuss the five steps in developing an e-commerce
security plan.
2. How do biometric devices help to improve security?

Visit the following websites for more information on organisations that promote
computer security:

(a) CyberSecurity Malaysia:
    • http://www.cybersecurity.my
(b) Computer Emergency Response Team:
    • http://www.cert.org
(c) SANS Institute:
    • http://www.sans.org/
(d) Center for Education and Research in Information Assurance and
Security:
    • http://www.cerias.purdue.edu/

• E-Commerce is vulnerable to a wide range of security threats. Attacks against
e-commerce systems can disclose or manipulate proprietary information.
Threats to commerce can occur anywhere in the commerce chain, beginning
with a client computer and ending with the computers in the website
architecture.
• Communication channels in general, and the Internet in particular, are
especially vulnerable to attacks.
• The key dimensions of e-commerce security are: integrity, non-repudiation,
authenticity, confidentiality, privacy and availability.
• The seven most common and most damaging forms of security threat to
e-commerce sites include: malicious code, hacking and cyber-vandalism,
credit card fraud/theft, spoofing, denial of service attacks and sniffing.
• The different forms of encryption technology that help to protect the security of
messages sent over the Internet are: symmetric key encryption, public key
cryptography, digital envelopes, and digital certificates and public key
infrastructure.
• In addition to encryption, there are several other tools that are used to secure
Internet channels of communication, including: SSL, S-HTTP, and VPN.
• After communication channels are secured, tools to protect networks, servers
and clients should be implemented, including: firewalls, proxies, operating
system controls and anti-virus software.
• The technology itself is not the key issue in managing the risk of e-commerce;
public laws and active enforcement of cybercrime statutes are also required to
both raise the costs of illegal behaviour on the Internet and guard against
corporate abuse of information.

Antivirus software
Cipher
Credit card fraud
Cyber vandalism
Denial of service
Digital certificate
Digital envelope
Digital signature
Distributed denial of service
Encryption
Firewalls
Hacking
Hash function
Identity theft
Insider jobs
Intrusion detection system
Malicious code
Operating system controls
Phishing
Point-to-point tunnelling protocol
Proxy servers
Secure hypertext transfer protocol
Secure sockets layer
Sniffing
Spam websites
Spoofing
Unwanted programme
Virtual private networks
