Module 5 Ecom

Uploaded by

neenasukesh01

Module 5

• Phishing attacks. Phishing is social engineering: attackers obtain private information
about a target and use it in an attempt to trick someone into providing important
information such as bank account details or social security numbers.

• Malware and ransomware attacks. Malware and ransomware go back to the dial-up modem
days of the internet. Malware can significantly damage systems, and ransomware can
completely lock you out unless you pay a ransom, with no guarantee you'll ever be able to
get access again.

• SQL injection. If there are vulnerabilities in the database where you store sensitive
information, a malicious query can be injected to give the attacker view or even edit
rights.

• Cross-site scripting (XSS). XSS inserts malicious code into a website, typically through
JavaScript. This may or may not impact the site itself, but it can impact customers or
visitors to the site.

• E-skimming. In e-skimming, hackers steal sensitive payment information, such as credit
card numbers, from online shoppers. This is typically done by injecting malicious code
into ecommerce websites or point-of-sale (POS) systems to capture card details as
customers make purchases.

• Distributed Denial of Service (DDoS) attacks. A DDoS attack overloads a website with
traffic from multiple sources, making it unavailable to users. A large number of
compromised devices are used to flood the website with traffic.

• Brute force tactics. In a brute force attack, the attacker attempts to guess a user's
login password by systematically trying every possible combination until the correct
one is found. This method is time-consuming and requires a lot of computing power, but
it can succeed if the password is weak or simple.
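
An added example, not part of the original module: detection logic a shop's login service could run over its own authentication log to spot the brute-force pattern just described (many failures from one source in a short window, and the worse case where a success follows them). The log lines, addresses and the function name detect_brute_force are constructed for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of web-shop login events: timestamp, source IP, account, result.
# The addresses come from documentation ranges and are not real hosts.
SAMPLE_LOG = """\
2024-03-01T10:00:01 198.51.100.4 bob FAIL
2024-03-01T10:00:05 203.0.113.7 alice FAIL
2024-03-01T10:00:09 203.0.113.7 alice FAIL
2024-03-01T10:00:13 203.0.113.7 alice FAIL
2024-03-01T10:00:17 203.0.113.7 alice FAIL
2024-03-01T10:00:21 203.0.113.7 alice FAIL
2024-03-01T10:00:25 203.0.113.7 alice OK
2024-03-01T10:03:40 198.51.100.4 bob OK
"""

def parse_line(line):
    """Split one log line into (datetime, source, account, result)."""
    ts, source, account, result = line.split()
    return datetime.fromisoformat(ts), source, account, result

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag sources whose failed logins within `window` reach `threshold`.

    Returns {source: {"account": ..., "failures": N, "succeeded_after": bool}}.
    A success that follows a flagged burst is the high-priority case: a guess worked,
    so the account needs a forced reset, not just a rate limit.
    """
    recent = defaultdict(deque)  # source -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, source, account, result = parse_line(line)
        if result == "FAIL":
            q = recent[source]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(
                    source, {"account": account, "failures": 0, "succeeded_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif source in alerts:
            alerts[source]["succeeded_after"] = True
    return alerts
```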

Protection and Recovery

• Secure payment gateways: Implementing secure & trusted payment gateways is fundamental
for protecting financial transactions. Encryption protocols, such as SSL/TLS, ensure
that customer payment details are transmitted securely over the internet, preventing
interception by malicious actors.

• Data encryption & tokenization: Encrypting sensitive data, including customer
information & payment details, adds an extra layer of protection. Tokenization replaces
sensitive data with unique tokens, reducing the risk associated with storing &
transmitting confidential information.

• Multi-factor authentication [MFA]: MFA enhances the security of user accounts by
requiring multiple forms of verification. This additional layer of authentication,
beyond passwords, helps prevent unauthorised access, especially to customer accounts
containing personal & financial information.

• Regular security audits & vulnerability assessments: Conducting regular security audits
& vulnerability assessments helps identify & address potential weaknesses in the
e-commerce infrastructure. This proactive approach allows businesses to stay ahead of
emerging threats & fortify their security measures.

• Employee training & awareness: Human error is one of the most significant factors in
cybersecurity incidents. Comprehensive training programs ensure that employees are aware
of cybersecurity best practices, recognize phishing attempts & understand their role in
maintaining a secure online environment.

• Incident response plan: Developing a robust incident response plan is crucial for
minimising the impact of a cyber incident. This plan outlines the steps to be taken in
the event of a security breach, ensuring a swift & coordinated response to mitigate
damage & protect customer data.
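
As an added illustration of the tokenization point above (not code from the original module), a minimal in-process token vault: the card number is Luhn-checked, swapped for a random token that keeps only the last four digits, and only the vault can map the token back. The names TokenVault and luhn_valid are assumptions, and 4111 1111 1111 1111 is a constructed test number, not a real card.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check used by card networks; catches typos before a PAN is ever stored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Replaces a PAN with a random token; only the vault holds the mapping.

    The token carries the last four digits for receipts but is otherwise unrelated
    to the PAN, so a leaked order database reveals no card numbers. In a real
    deployment the vault is a separate, access-controlled service, not in-process.
    """
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}  # same PAN -> same token, so repeat customers match

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the charge step that talks to the payment processor should call this."""
        return self._pan_by_token[token]
```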
Secure e-commerce transactions:

Ensuring cybersecurity in e-commerce goes beyond individual measures; it requires a
comprehensive approach to protect both businesses & their customers from evolving threats.
Here are additional aspects to consider:

• Fraud prevention mechanisms: Implementing advanced fraud prevention mechanisms, such as
machine learning algorithms & behavioural analytics, adds an extra layer of security. These
technologies can identify patterns indicative of fraudulent activities, providing real-time
alerts & minimising financial risks.

• Dynamic security policies: Adopting dynamic security policies that adapt to changing cyber
threats is essential. These policies should encompass real-time monitoring, anomaly
detection & automatic adjustments to respond to emerging risks, ensuring a proactive defence
against evolving attack vectors.

• Secure mobile transactions: With the rise of mobile commerce, securing transactions
conducted through mobile devices is paramount. Implementing strong authentication methods,
secure mobile apps & encryption for mobile transactions safeguards the growing number of
consumers who prefer to shop through their smartphones & tablets.

• Supply chain security: Recognizing the interconnected nature of e-commerce, securing the
entire supply chain is critical. Collaborating with suppliers, ensuring secure data exchange
& conducting regular security assessments throughout the supply chain help prevent
vulnerabilities that could be exploited by cybercriminals.

• Customer data privacy: Prioritising customer data privacy involves transparent data
handling practices & compliance with privacy regulations. Providing clear privacy policies,
obtaining explicit consent for data processing & giving customers control over their data
contribute to a positive & secure online shopping experience.

• Continuous monitoring & threat intelligence: Continuous monitoring of network traffic &
the adoption of threat intelligence tools enable e-commerce businesses to stay informed
about emerging cyber threats. This proactive approach allows for timely responses to
potential security incidents, reducing the impact of cyberattacks.

• Blockchain technology: Exploring the potential of blockchain technology in e-commerce can
enhance security by providing a decentralised & tamper-resistant ledger. Blockchain can be
applied to secure transactions, supply chain management & identity verification, offering a
robust foundation for trust in online transactions.


Encryption

Encryption is a form of data security in which information is converted to ciphertext. Only
authorized people who have the key can decipher the code and access the original plaintext
information.

In even simpler terms, encryption is a way to render data unreadable to an unauthorized
party. This serves to thwart cybercriminals, who may have used quite sophisticated means to
gain access to a corporate network—only to find that the data is unreadable and therefore
useless.

Encryption not only ensures the confidentiality of data or messages but also provides
authentication and integrity, proving that the underlying data or messages have not been
altered in any way from their original state.

Types of Encryption
There are many different types of encryption, each with its own benefit and use case.

Symmetric Encryption

In this simple encryption method, a single secret key is used both to encrypt and to decrypt
information. It is the oldest and best-known encryption technique; its main drawback is that
both parties must already have the key used to encrypt the data before they can decrypt it.
Symmetric encryption algorithms include AES-128, AES-192, and AES-256. Because it is less
complex and executes faster, symmetric encryption is the preferred method for transmitting
data in bulk.

Asymmetric Encryption

Also known as public key cryptography, asymmetric encryption is a relatively new method
that uses two different but mathematically related keys to encrypt and decrypt data. One key
is kept secret and one is public. The public key is used to encrypt data, and the private key
is used to decrypt (and vice versa). The public key does not need to be kept secret: it is
publicly available and can be shared over the internet.

Asymmetric encryption presents a much stronger option for ensuring the security of
information transmitted over the internet. Websites are secured using Secure Sockets Layer
(SSL) or Transport Layer Security (TLS) certificates. A query to a web server returns a copy
of the server's digital certificate, and the public key can be extracted from that
certificate, while the private key stays private.

Data Encryption Standard (DES)

DES is a deprecated symmetric key method of data encryption. DES uses the same key to
encrypt and decrypt a message, so both the sender and the receiver must have access to the
same secret key. DES has been superseded by the more secure AES algorithm. It was adopted
by the U.S. government as an official standard in 1977 for the encryption of government
computer data. It can be said that DES was the impetus for the modern cryptography and
encryption industry.

Triple Data Encryption Standard (3DES)

The Triple Data Encryption Standard involved running the DES algorithm three times, with
three separate keys. 3DES was largely seen as a stopgap measure, as the single DES
algorithm was increasingly becoming seen as too weak to stand up to brute force attacks and
the stronger AES was still under evaluation.

RSA

Rivest-Shamir-Adleman (RSA) is an algorithm and the basis of a cryptosystem—a suite of
cryptographic algorithms used for specific security services or purposes. It enables public
key encryption and is often used by browsers to connect to websites and by virtual private
networks (VPNs). RSA is asymmetric: two different keys are used, one public and one private.
If decryption is carried out with the public key, encryption is performed with the private
key, or vice versa.

Advanced Encryption Standard (AES)

Developed in 1997 by the National Institute of Standards and Technology (NIST) as an
alternative to the Data Encryption Standard, the Advanced Encryption Standard is a cipher
chosen by the U.S. government to protect sensitive information. AES has three different key
lengths to encrypt and decrypt a block of messages: 128-bit, 192-bit, and 256-bit. AES is
widely used for protecting data at rest in such applications as databases and hard drives.

Encryption in the Cloud

Cloud encryption is a service offered by cloud storage providers in which data is first
encrypted using algorithms before being pushed to a storage cloud. Customers of a cloud
storage provider must be aware of and comfortable with the depth of the provider's policies
and procedures for encryption and encryption key management.

Because encryption consumes more bandwidth, many cloud providers only offer basic
encryption on a few database fields, such as passwords and account numbers. This is often
not enough for some organizations, so they rely on a Bring Your Own Encryption (BYOE)
model in which they use their own encryption software and manage their own encryption
keys to ensure a level of cloud computing security they are comfortable with.

As an opposite approach, Encryption as a Service (EaaS) has emerged as a simple,
pay-as-you-go service customers can purchase from a cloud provider, managing encryption
themselves in a multi-tenant environment.

End-to-End Encryption

End-to-end encryption (E2EE) ensures that only the two users communicating with one
another can read the messages. Even an intermediary, such as the telecom or internet service
provider, cannot decrypt the messages. E2EE is generally seen as the most secure way to
communicate privately and securely online. Examples of E2EE in use include the WhatsApp
messaging service, which famously asserts that users' messages are secured with "locks."

The Benefits of Encryption

Encryption has become an enormous asset to organizations, allowing them to confidently
offer a more secure experience for employees, customers, and other stakeholders.

Privacy and Security

Encryption can prevent data breaches. Even if an attacker maliciously gains access to a
network, if a device is encrypted, the device will still be secure, rendering attempts by the
attacker to consume the data useless. Encryption ensures no one can read communications or
data except the intended recipient or data owner. This prevents attackers from intercepting
and accessing sensitive data.

Regulations

Encrypting data allows organizations to protect data and maintain privacy in accordance with
industry regulations and government policy. Many industries, especially those in financial
services and healthcare, have explicit rules on data protection. For example, the Gramm-
Leach-Bliley Act requires financial institutions to let customers know how their data is being
shared and also how their data is remaining protected. Encryption helps financial institutions
comply with this act.

Secure Internet Browsing

Encryption also keeps users safe while browsing the internet. Earlier in the internet's history,
attackers found ways to steal unencrypted information sent between users and web services
over the Hypertext Transfer Protocol (HTTP). The standard to encrypt web content by
running HTTP over the Secure Socket Layer protocol emerged, soon to be replaced with the
Transport Layer Security protocol, enabling enterprises, publishers, and e-commerce
providers to offer a secure experience for users.

With encryption, users feel safer entering personal information into webpages and carrying
out financial or e-commerce transactions.

Digital Signature

A digital signature is a mathematical technique used to validate the authenticity and
integrity of a digital document, message or software. It is the digital equivalent of a
handwritten signature or stamped seal, but it offers far more inherent security. A digital
signature is intended to solve the problem of tampering and impersonation in digital
communications.

How digital signatures work

Digital signatures are based on public key cryptography, also known as asymmetric
cryptography. Using a public key algorithm -- such as Rivest-Shamir-Adleman, or RSA --
two keys are generated, creating a mathematically linked pair of keys: one private and one
public.

Digital signatures work through public key cryptography's two mutually authenticating
cryptographic keys. The person who creates the digital signature uses a private key to
encrypt signature-related data. The only way to decrypt that data is with the signer's
public key.

If the recipient can't open the document with the signer's public key, that indicates there's
a problem with the document or the signature. This is how digital signatures are
authenticated.

Digital certificates, also called public key certificates, are used to verify that the public
key belongs to the issuer. Digital certificates contain the public key, information about its
owner, expiration dates and the digital signature of the certificate's issuer. Digital
certificates are issued by trusted third-party certificate authorities (CAs), such as DocuSign
or GlobalSign. The party sending the document and the person signing it must agree to use a
given CA.

Digital signature technology requires that all parties trust that the person who creates the
signature has kept the private key secret. If someone else has access to the private signing
key, that party could create fraudulent digital signatures in the name of the private key
holder.

Benefits of digital signatures

Digital signatures offer the following benefits:

• Security. Security capabilities are embedded in digital signatures to ensure a legal
document isn't altered and signatures are legitimate. Security features include asymmetric
cryptography, personal identification numbers (PINs), checksums and cyclic redundancy
checks (CRCs), as well as CA and trust service provider (TSP) validation.

• Timestamping. This provides the date and time of a digital signature and is useful when
timing is critical, such as for stock trades, lottery ticket issuance and legal proceedings.

• Globally accepted and legally compliant. The public key infrastructure (PKI) standard
ensures vendor-generated keys are made and stored securely. With digital signatures
becoming an international standard, more countries are accepting them as legally binding.

• Time savings. Digital signatures simplify the time-consuming processes of physical
document signing, storage and exchange, enabling businesses to quickly access and sign
documents.

• Cost savings. Organizations can go paperless and save money previously spent on the
physical resources, time, personnel and office space used to manage and transport
documents.

• Positive environmental effects. Reducing paper use also cuts down on the physical waste
generated by paper and the negative environmental impact of transporting paper documents.

• Traceability. Digital signatures create an audit trail that makes internal record-keeping
easier for businesses. With everything recorded and stored digitally, there are fewer
opportunities for a manual signee or record-keeper to make a mistake or misplace something.

Classes and types of digital signatures

There are three different classes of digital signature certificates (DSCs):

• Class 1. This type of DSC can't be used for legal business documents, as they're
validated based only on an email ID and username. Class 1 signatures provide a basic level
of security and are used in environments with a low risk of data compromise.

• Class 2. These DSCs are often used for electronic filing (e-filing) of tax documents,
including income tax returns and goods and services tax returns. Class 2 digital signatures
authenticate a signer's identity against a pre-verified database. They are used in
environments where the risks and consequences of data compromise are moderate.

• Class 3. The highest level of digital signatures, Class 3 signatures require people or
organizations to present themselves in front of a CA to prove their identity before signing.
Class 3 digital signatures are used for e-auctions, e-tendering, e-ticketing and court
filings, as well as in other environments where threats to data or the consequences of a
security failure are high.

Digital signature attacks

Possible attacks on digital signatures include the following:

• Chosen-message attack. The attacker either obtains the victim's public key or tricks the
victim into digitally signing a document they don't intend to sign.

• Known-message attack. The attacker obtains messages the victim sent and a key that
enables the attacker to forge the victim's signature on documents.

• Key-only attack. The attacker only has access to the victim's public key and can re-create
the victim's signature to digitally sign documents or messages that the victim doesn't
intend to sign.

Digital signature security

Security is the main benefit of using digital signatures. Security features and methods used
in digital signatures include the following:

• PINs, passwords and codes. These are used to authenticate and verify a signer's identity
and approve their signature. Email, username and password are the most common methods used.

• Asymmetric cryptography. This employs a public key algorithm that includes private and
public key encryption and authentication.

• Checksum. This long string of letters and numbers is used to determine the authenticity of
transmitted data. A checksum is the result of running a cryptographic hash function on a
piece of data. The value of the original checksum file is compared against the checksum
value of the calculated file to detect errors or changes. A checksum acts like a data
fingerprint.

• CRC. A type of checksum, this error-detecting code and verification feature is used in
digital networks and storage devices to detect changes to raw data.

• CA validation. CAs issue digital signatures and act as trusted third parties by accepting,
authenticating, issuing and maintaining digital certificates. The use of CAs helps avoid the
creation of fake digital certificates.

• TSP validation. This person or legal entity validates a digital signature on a company's
behalf and offers signature validation reports.
