4. Amity School of Business
• The electronic system that supports e-commerce is
susceptible to abuse and failure in many ways:
• Fraud
The act that results in direct financial loss.
Funds might be transferred from one account to another, or
financial records might simply be destroyed.
• Theft
Theft of confidential, proprietary, technological, or marketing
information belonging to the firm or to the customer.
An intruder may disclose such information to a third party, resulting
in damage to the key customer, a client, or the firm itself.
Security in Cyberspace
5.
• Disruption of service
It may result in major losses for the business or inconvenience to the
customer.
• Illegal intrusion into customer data
Such acts lead to loss of customer confidence, whether the cause is an
illegal intrusion into customer files or company business, dishonesty,
human error, or network failure.
7.
Why Is Business on the Internet Different?
• E-commerce and bricks-and-mortar models of doing business are
quite different in nature.
• The physical payment systems differ (electronic money versus
real money).
• Practical and legal differences exist between a traditional
store (paper-based commerce) and computer-based commerce.
• The electronic medium is available 24x7x365, compared with the
limited operating hours of a physical business.
• Electronic business works on the concept of anyone, anywhere,
anytime, which is quite different from the business culture of
physical premises.
Online Business Nature
8.
Why Is Business on the Internet Different?
Paper-Based Commerce                         Electronic Commerce
• Signed paper document.                     • Digital signature.
• Physical interaction.                      • Electronic, via website.
• Physical payment system.                   • Electronic payment system.
• Merchant and customer are face to face.    • No face-to-face contact.
• Easy detection of modifications.           • Detection is difficult.
• Easy negotiability of documents.           • Negotiable documents require special security.
10.
Security Concerns
• The first issue in security is identifying the principals. They are
the people, processes, machines, and keys that transact
(send, receive, access, update, delete) information via
databases, computers, and networks.
• Security concerns generally involve the following issues:
• Confidentiality
Knowing who can read data and ensuring that information in the
network remains private. This is achieved through encryption.
Conceptualizing Security
11.
Security Concerns
• Authentication
Making sure that message senders or principals are who they say
they are.
• Integrity
Making sure that information is not accidentally or maliciously
altered or corrupted in transit.
• Access Control
Restricting the use of a resource to authorized principals.
• Non-repudiation
Ensuring that principals cannot deny that they sent the message.
• Firewalls
A filter between corporate networks and the Internet to secure
corporate information and files from intruders, but that allows
access to authorized principals.
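The properties listed above are easiest to see on a concrete message. The following Python script is an added example, not part of the slides, and uses only the standard library: it protects a constructed order message with an HMAC and shows which of the listed properties that gives (integrity and authentication) and which it does not (confidentiality and non-repudiation). The key-generation step stands in for a key exchange the example does not show.

```python
import hmac
import hashlib
import secrets


def make_key() -> bytes:
    """Generate a random 256-bit shared key. Assumed to have been agreed
    out of band (for example by the TLS handshake); key exchange is not
    shown here."""
    return secrets.token_bytes(32)


def protect(key: bytes, message: bytes) -> bytes:
    """Return an HMAC-SHA256 tag that binds `message` to the holders of `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time, so that response
    timing does not leak how many tag bytes matched."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Exercise integrity and authentication on a constructed order message
    and return the three verification outcomes."""
    key = make_key()
    # Constructed sample: an order sent from a customer's browser to the merchant.
    order = b"order=1234&amount=49.99&ship_to=customer-a"
    tag = protect(key, order)

    results = {}
    results["genuine"] = verify(key, order, tag)
    # Integrity: changing a single field invalidates the tag.
    results["tampered"] = verify(key, order.replace(b"49.99", b"0.99"), tag)
    # Authentication: a tag computed under some other key is rejected, so an
    # accepted tag can only have come from a holder of `key`.
    forged_tag = protect(make_key(), order)
    results["wrong_key"] = verify(key, order, forged_tag)

    # What the HMAC does NOT give: the order itself travels in the clear, so
    # confidentiality still needs encryption (in practice the TLS session).
    # And because customer and merchant share the same key, either of them
    # could have produced the tag, so there is no non-repudiation; that needs
    # a digital signature made with a private key only the sender holds.
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is `hmac.compare_digest` in `verify`: an ordinary `==` on the two tags stops at the first differing byte, and that timing difference is measurable over a network.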
12.
The Privacy Factor
• In the absence of regulatory protection, experts urge privacy-
sensitive users to take basic steps to protect their privacy
while online:
• Send e-mail through remailers.
• Improve security through the Web browser's settings.
• Use a secondary free e-mail service to protect your main
business e-mail account.
• Stay away from filling out any form or questionnaire online.
• Use a privacy application/software/utility to give your files
or PC contents some privacy.
• Install a firewall program to protect your computer from
hackers.
13.
The Woes of a Password
• One can see that there is no silver-bullet solution to user
authentication. There are ideas, however, to improve security
systems:
• Limit the number of times a password can be repeated in
accessing a sensitive system.
• Train employees, customers, and the general public in
more advanced methods like biometrics, PKE, and smart
cards and be prepared to use such technology when it
becomes available.
• Ensure that systems designers and systems analysts are
well versed in security issues and security procedures as
part of every future application.
• Review and evaluate the strength of the current password
schemes used by customers and employees alike.
14.
The Ph-ear of Phishing
• Phishing is a relatively recent phenomenon, having appeared
within the past few years. It is becoming an effective tool for
online criminals.
• Phishing has several characteristics:
• Trojan horses are installed on vulnerable machines to
gather data.
• They “harvest” user names and passwords and pass them to
attackers.
• Users’ PCs are compromised without their knowledge.
• Software vulnerabilities are used to force PCs to download code.
15.
Identity Theft
• Victims of ID theft have been known to find no quick fix to
clearing their names. Nearly one third said they have been
unable to repair their wrecked credit or restore their identities
to good standing a year after their personal information was
stolen.
• Here are some basic guidelines for users to protect
themselves from identity theft:
• Protect your identification number, SSN, or licence number by
supplying it only when absolutely necessary.
• Check your credit reports at least once a year. Check
your statements for unexplained charges or unusual
withdrawals from your bank accounts.
16.
Identity Theft
• Be careful whom you talk to on the telephone –
telemarketers, ISP employees, or even members of
government agencies could all be disguised criminals.
• Use shredders to get rid of your statements or receipts.
When using ATMs, never leave your receipts behind.
• Use strong passwords. Don’t use information about yourself
that could be guessed easily, such as your telephone
number, vehicle registration, own name, a close relative’s
name, house number, and the like.
• Remove your mail from your mailbox promptly. Use offline
applications like Outlook.
• In case of any theft of your personal information, file a
report with the local police and keep a copy for dealing
with creditors later.
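Two of the password points above, the retry limit on a sensitive system from “The Woes of a Password” and the advice here not to build passwords from guessable personal details, can be turned into a small checker. The Python below is an added example written for these slides, not code from the deck: it evaluates a candidate password against a length and character-class rule and against tokens taken from a constructed user profile, stores the password as a salted PBKDF2 hash, and locks the account after a fixed number of failed logins. The limit of five attempts, the 12-character minimum and the profile fields are assumptions; the slides give no figures.

```python
import hashlib
import hmac
import re
import secrets

MAX_ATTEMPTS = 5          # assumed policy value; the slide names no number
MIN_LENGTH = 12           # assumed policy value
PBKDF2_ROUNDS = 100_000   # assumed; tune to the hardware


def personal_tokens(profile: dict) -> list:
    """Fragments of a user's profile (name parts, phone, plate, house number)
    that an attacker could guess from public facts; pieces under 3 chars
    are ignored to avoid matching noise such as 'dl' or '42'."""
    tokens = []
    for value in profile.values():
        for part in re.split(r"[\s\-/]+", str(value).lower()):
            if len(part) >= 3:
                tokens.append(part)
    return tokens


def check_strength(password: str, profile: dict) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password)]
    if sum(1 for c in classes if c) < 3:
        problems.append("fewer than three character classes")
    lowered = password.lower()
    for tok in personal_tokens(profile):
        if tok in lowered:
            problems.append(f"contains personal information '{tok}'")
    return problems


class Account:
    """A stored credential plus the failed-attempt counter behind the lockout."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(password, self.salt)
        self.failed = 0
        self.locked = False

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Slow, salted hash: a stolen database cannot be reversed cheaply.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def login(self, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Once locked, even the correct
        password is refused until an administrator resets the account."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(self._hash(password, self.salt), self.digest):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed sample profile; every value is made up.
    profile = {"name": "Ravi Kumar", "phone": "9876543210",
               "vehicle": "DL-8C-1234", "house_no": "42"}
    print(check_strength("Kumar2024!!!x", profile))
    print(check_strength("correct-Horse-battery-7", profile))
    acct = Account("correct-Horse-battery-7")
    print([acct.login("guess") for _ in range(MAX_ATTEMPTS)])
```

The lockout counter is reset only by a successful login, and a locked account refuses the correct password too; whether that reset should instead expire after a delay is a policy decision the slides leave open.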
18.
Designing Security
• Hacking, net-espionage, cracking, viruses, global worms,
employees with malicious intent, cyber terrorism, internal theft
– these are just some of the security challenges today’s
organizations face.
• Hackers and malicious code writers are automating their
Internet tooling, which keeps them one step ahead of the law
and of security officers. Technology without strategy can
actually leave the organization more vulnerable.
• For information security design, the key question is: How do
you know that the design will be secure? The answer lies in an
effective design that is part of the business-to-consumer
installation from the beginning. Adding security mechanisms as
an afterthought can be costly and ineffective. The design
process begins with a chief security officer and involves five
major steps:
Designing Security
19.
Designing Security
• Assessing the security needs of the firm
The chief security officer should be able to pinpoint the security
breaches that threaten the company’s business and how well
the company complies with the various laws and regulations.
It is prudent to look for security vulnerabilities before it is too late.
The cheapest and most effective time to fix problems is while the
system is in development.
A system assessment life cycle begins with development of a new
system using security best practices. Then the system should be
tested to detect unforeseen security flaws before it is released for
implementation. Finally, a running system should be monitored
and maintained at all times.
20.
Designing Security
• Adopt a security policy that makes sense.
Security policies should cover the entire e-commerce system
including the merchant’s LAN, H/W, S/W, firewalls, protocols,
standards, databases, and the staff directly involved in the e-
commerce process.
The policies should spell out Internet security practices, the nature
and level of risks, the level of protection, and the procedure to
follow to react to threats and recover from failure.
Above all, policies must have the blessing of top management if
they are to have a chance of succeeding.
21.
Designing Security
• Considering Web security needs.
Here the company lists its top vulnerabilities and takes a close look at
critical applications to decide risk levels.
The amount of security a Web merchant needs depends on the
sensitivity of its data and the demand for it. If the site collects
credit card numbers for access, the company would require the
highest security possible for the Web server, the network, and the
Website.
The company should also consult a security consultant to see what
options are available and how to put them to good use.
22.
Designing Security
• Design the security environment.
The design begins with sketching out the stepping stones – the
sequence and parameters in the security network based on the
security policy and requirements of the e-commerce system.
Physical security design looks at PCs, the LAN, the OS, firewalls,
security protocols, other network infrastructure, physical location
and layout, bandwidth, the security protocols of the ISP, and the
communication medium that connects the merchant to the ISP.
How much security goes into a system depends on how much risk
the company is willing to take, the security policy it is willing to
adopt, and the present state of security practices in the
workplace.
23.
Designing Security
This phase generally deals with designing the security perimeter,
which typically includes firewalls, authentication, VPNs, and
intrusion detection devices. Installing such software and devices
is part of the physical design. The challenge is to police the entire
perimeter.
• Authorize and monitor the security system.
Only authorized users are allowed access to the e-commerce
site and other IT systems. This involves installing a system that
generates authorization to different users to handle different jobs.
Most companies adopt a policy that denies access to all except
those who are explicitly allowed. This policy, along with good
security design, should keep a site reasonably secure.
24.
Designing Security
Monitoring means capturing processing details for evidence,
verifying that e-commerce is operating within the security policy,
and verifying that attacks have been unsuccessful.
• Raise awareness of possible intrusions.
With today’s firms relying more and more on the Internet, they
face an ever-growing spectrum of threats, which calls for
increased protection against cyber-risks.
It is observed that the risks arise not so much from breaches of a
company’s security policy as from improper use of Internet
technologies. Users should be made aware of the potential risk
factors and how to avoid them through simple but cautious use of
Internet technologies.
25.
How Much Risk Can One Afford?
• The top officials of the company generally ask two questions
regarding their company’s security and how it relates to e-
commerce:
• How secure are we?
• How much will it cost to secure our e-system?
• A few other questions arise as well:
• How secure do we need to be?
• What are we doing to monitor and improve security?
• What monitors do we have that tell us whether we have
been hit and how hard?
Security Risk Analysis
26.
How Much Risk Can One Afford?
• The level of security can be determined by the specific
threats inherent in the system’s design. The way of addressing
the risk factor is to estimate the pain threshold a company
and the attacker are willing to tolerate.
• In this case, the network administrator needs to know what is
being protected, its value to the company, and its value to
outsiders. The statements “when you have nothing, you have
nothing to lose” and “there is not much that they can steal”
do not apply in network and Internet security. The goal of
security strategies, methods, and procedures is to raise the
threshold of pain an attacker must endure to access and
cause damage to a system.
27.
Thefts and Underground Economy
• Organized electronic crime and worm-writing activity has been
surging in the open, with nothing to slow it down. It is powering
an underground economy specializing in ID theft and spam.
Signs of the underground economy include:
• Credit card databases bought and sold.
• Hacked servers bought and sold.
• Distributed Denial-of-Service attack networks bought and
sold.
• Machines infected with viruses, then turned into proxies or
attack networks.
Thefts & Economy
28.
Kinds of Theft or Crime
• Before promoting security, one must know what one is
trying to prevent. Web merchants must consider three kinds of
threats or crimes.
• Those that are physically related:
A hacker might attempt to steal or damage inventory. Other
examples include credit card records, stolen computer hardware
or software, and sheer vandalism. An attacker, often by guessing
passwords, might succeed in gaining access to another user’s
account. The attacker might even be capable of drumming up
unauthorized features such as discount coupons or specials in an
effort to get merchandise free of charge.
29.
Kinds of Theft or Crime
• Those that are order related:
A customer might attempt to use an invalid or a stolen credit card,
or claim that no merchandise was received on a valid credit card.
Children might use their parents’ credit card without permission.
Insiders can do a lot to affect an order because they have
access to sensitive systems and information. All it takes is a
disgruntled or greedy employee to disrupt or divert an order to
his or her advantage.
• Those that are electronically related:
A hacker might try to sniff e-mail information or attempt to steal
credit card numbers and use them illegally at a later stage.