Need For E-Security: by Prof T.R. Vaidyanathan

This document discusses the need for e-security and outlines some of the vulnerabilities and threats to information security. It notes that information resources are now distributed beyond organizational boundaries due to internet and wireless technologies. Defenses must satisfy ever-stricter regulations, and industry groups have imposed standards like PCI DSS to protect customers and revenues. Common security issues include vulnerable services, ease of spying/spoofing due to unencrypted traffic, lack of security policies, and complex configuration issues. Factors like server/communication security, protected data storage, and authenticated transactions are important for e-commerce security. Common attack methods involve data tampering, programming attacks like viruses/worms, and social engineering tricks.

Uploaded by Prabhat Kumar. License: Attribution Non-Commercial (BY-NC).
Need for e-Security

By Prof T.R. Vaidyanathan


Need for e-security
Information resources are distributed throughout the organization and beyond, because Internet and wireless technologies extend and connect organizational boundaries.
The time-to-exploitation of today's most sophisticated spyware and mobile viruses has shrunk from months to days. Time-to-exploitation is the elapsed time between when a vulnerability is discovered and when it is exploited. IT staff therefore have ever-shorter timeframes in which to find and fix flaws before being compromised by an attack.
Data must be protected against existing and future attack schemes, and defenses must satisfy ever-stricter government and international regulations.
Industry groups have imposed their own standards to protect their customers and their members' brand images and revenues. One example is the Payment Card Industry Data Security Standard (PCI DSS), created by Visa, MasterCard, American Express, and Discover.
PCI DSS compliance is required of all members, merchants, and service providers that store, process, or transmit cardholder data.
Requirement 6.6 of PCI DSS mandates that merchants protect public-facing Web applications against known attacks by one of the following two methods:
- Have all custom application code reviewed for vulnerabilities by an application security specialist, using manual review or automated assessment tools.
- Install an application-layer firewall (a Web application firewall) in front of the public-facing Web applications, so that the traffic to each application is inspected for intrusion attempts and malware before it reaches the application.
Later versions of the standard tightened this: PCI DSS v4.0 requires an automated technical solution such as a Web application firewall rather than offering it as an alternative to code review.
The purpose of PCI DSS is to improve customers' trust in e-commerce, especially in online payments, and to raise the Web security of online merchants.
Security in E-commerce
The Internet is a public network consisting of thousands of private computer networks connected together, which means that a private network is exposed to potential threats from anywhere on the public network. Protection against these threats requires businesses to have stringent security measures in place. Good security measures, including logging and audit trails, are also what make it possible to trace the source of a cyber-crime after it has occurred.
Security in E-commerce
The goals of security are:
- Integrity of the data sent and received
- Confidentiality of the data, so that it is not accessible to others
- Availability: the data ought to be available to the people for whom it is meant
Security in E-commerce
Many Internet users perceive a large risk to their privacy and security when they buy products and services or submit personal information online.
Although the perceived risk may be greater than the actual risk, it is still a cause for concern. An e-business must therefore address customers' perceived risks just as much as the actual risks.
The important issue for an e-business is to have adequate security to protect its assets, revenue stream, customer privacy, and its own reputation.
Security in E-commerce
To provide the required level of protection, an organization needs a security policy to prevent unauthorized users from accessing resources on the private network and to protect against the unauthorized export of private information.
Even if an organization is not connected to the Internet, it may still want to establish an internal security policy to manage user access to certain portions of the network and to protect sensitive or secret information.
IS vulnerabilities and threats:
One of the biggest mistakes managers make is underestimating vulnerabilities and threats. Most workers use their PCs and laptops for both work and leisure, and in an era of multitasking they often do both at the same time.
Computer threats can be classified as unintentional or intentional.
Unintentional threats fall into three major categories: human errors, environmental hazards, and computer system failures.
Human errors play a role in many computer problems. Errors can occur in the design of the hardware or information system. They can also occur in programming, testing, data collection, data entry, authorization, and instructions. Not changing the default passwords on a firewall creates a security hole. Human errors contribute to the majority of internal control problems.
Environmental hazards include earthquakes, severe storms (e.g. hurricanes, blizzards, or sandstorms), floods, power failures or strong power fluctuations, fires (the most common hazard), defective air conditioning, explosions, radioactive fallout, and water-cooling-system failures. In addition to the primary damage, computer resources can be damaged by side effects such as smoke and water. Such hazards may disrupt normal computer operations and result in long waiting periods and exorbitant costs while computer programs and data files are recreated.
Computer system failures can occur as the result of poor manufacturing, defective materials, and outdated or poorly maintained networks. Unintentional malfunctions can also happen for other reasons, ranging from lack of experience to inadequate testing.
The intentional threats include: theft of data; inappropriate use of data (e.g. manipulating inputs); theft of mainframe computer time; theft of equipment and/or programs; deliberate manipulation in handling, entering, processing, transferring, or programming data; labor strikes, riots, or sabotage; malicious damage to computer resources; destruction from viruses and similar attacks; and miscellaneous computer abuses and Internet fraud. The scope of intentional threats can extend to an entire country or economy.
Intentional crimes carried out on the Internet are called cybercrime. Hacker is the term often used to describe someone who gains unauthorized access to a computer system. Black-hat hackers, also referred to as crackers, are criminals. A cracker is a malicious hacker who may represent a serious problem for a corporation.
Social engineering: Hackers and crackers may involve unsuspecting insiders in their crimes. In a strategy called social engineering, criminals or corporate spies trick insiders into giving them information or access that they should not have. Social engineering is a collection of tactics used to manipulate people into performing actions or divulging confidential information. In most cases the criminal never comes face-to-face with the victim, but communicates by phone or e-mail.
Not all hackers are malicious. White-hat hackers perform ethical hacking, such as carrying out penetration tests on their clients' systems or searching the Internet for weak points so they can be fixed. Criminal hackers use crime servers to store stolen data for use in committing further crimes.
In this traditional usage, a hacker is someone who gains unauthorized access to a computer system, whereas a cracker is a malicious hacker who breaks security on a system and represents a serious problem for a corporation. The hacker's purpose is to sneak through security systems, usually to gain knowledge about them and possibly to use that knowledge for playful pranks; the cracker's sole aim is to break into secure systems for gain or damage.
Security in E-commerce
Different security deficiencies
Vulnerable TCP/IP services: A number of TCP/IP services are not secure and can be compromised by knowledgeable intruders; services used in the local area networking environment to simplify network management are especially vulnerable.
Ease of spying and spoofing: Much Internet traffic was unencrypted when these slides were written, and legacy protocols such as FTP, Telnet, and POP3 still carry credentials in the clear: e-mail, passwords, and file transfers can be monitored and captured using readily available software. Intruders can then replay the captured passwords to break into systems.
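The "ease of spying" point is easiest to appreciate by looking at what a passive observer actually sees. The following is an added example written for this page, not code from the original slides: it runs a credential sniffer over a handful of constructed TCP payloads (FTP and POP3 USER/PASS commands, an HTTP Basic Authorization header, and one TLS record) and reports every username and password that is readable without any key. The addresses, payloads and ports are made up for the example. The same logic run over a real capture of your own network is a quick way to find the cleartext protocols that still need to be retired.

```python
import base64
import re

# Constructed client->server TCP payloads, as seen by anyone on the same
# unencrypted network segment. Sample strings invented for this example.
SAMPLE_PAYLOADS = [
    ("10.0.0.5:51234", "10.0.0.9:21", b"USER alice\r\nPASS s3cret!\r\n"),
    ("10.0.0.5:51240", "10.0.0.9:110", b"USER bob@example.test\r\nPASS letmein\r\n"),
    ("10.0.0.5:51250", "10.0.0.9:80",
     b"GET /admin HTTP/1.1\r\nHost: shop.example.test\r\n"
     b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
    # TLS ClientHello: encrypted session follows, nothing readable here
    ("10.0.0.5:51260", "10.0.0.9:443", b"\x16\x03\x01\x00\xa5\x01\x00\x00"),
]

_USER_RE = re.compile(rb"^USER\s+(\S+)", re.M)
_PASS_RE = re.compile(rb"^PASS\s+(\S+)", re.M)
_BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)

def find_cleartext_credentials(payloads):
    """Return (src, dst, protocol, username, password) for each credential
    that is visible in cleartext. Purely passive: nothing is ever sent."""
    findings = []
    for src, dst, data in payloads:
        port = int(dst.rsplit(":", 1)[1])
        user, pwd = _USER_RE.search(data), _PASS_RE.search(data)
        if user and pwd:
            proto = {21: "ftp", 110: "pop3"}.get(port, "unknown")
            findings.append((src, dst, proto, user.group(1).decode(), pwd.group(1).decode()))
        m = _BASIC_RE.search(data)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                continue
            username, _, password = decoded.partition(":")
            findings.append((src, dst, "http-basic", username, password))
    return findings

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_PAYLOADS):
        print("%s -> %s [%s] user=%s password=%s" % f)
```

Note that HTTP Basic authentication is only encoded, not encrypted: Base64 is trivially reversible, which is why the header only ever belongs on a TLS connection.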
Security in E-commerce
Lack of policy: Many sites are configured, unintentionally, for wide-open Internet access without regard for the potential for abuse from the Internet; many sites permit more TCP/IP services than they require for their operations, and do not attempt to limit access to information about their computers that could prove valuable to intruders.
Complexity of configuration: Host security access controls are often complex to configure and monitor; controls that are accidentally misconfigured often result in unauthorized access.
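The practical check behind both of these deficiencies is to compare what a host actually exposes with what policy says it should expose. The example below is added for this page and is not part of the original slides: it parses constructed output in the format of the Linux `ss -Hlntu` command (listening TCP and UDP sockets, numeric, no header) and lists every service reachable from the network that is not on an allow-list. The sample socket lines and the allow-list are invented for the example; in use you would feed it the real `ss` output and your own policy.

```python
# Constructed output in the format of `ss -Hlntu` on Linux; sample lines
# made up for this example. Columns: Netid State Recv-Q Send-Q Local Peer.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:3306      0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:21        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""

# Policy (assumed for the example): what this host may expose to the network.
ALLOWED_EXPOSED = {("tcp", 22), ("tcp", 443)}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

def parse_ss(text):
    """Return (proto, local_address, port) for each socket line."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")   # handles "[::]:22" as well
        sockets.append((proto, addr, int(port)))
    return sockets

def audit_listeners(text, allowed=ALLOWED_EXPOSED):
    """Listeners that are reachable from the network (not bound to loopback)
    and not covered by the allow-list, sorted for stable reporting."""
    findings = []
    for proto, addr, port in parse_ss(text):
        if addr in LOOPBACK:
            continue   # loopback-only binding: not reachable from outside
        if (proto, port) not in allowed:
            findings.append((proto, addr, port))
    return sorted(findings)

if __name__ == "__main__":
    for proto, addr, port in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected {proto} service on {addr}:{port}")
```

The MySQL socket bound to 127.0.0.1 passes because it is unreachable from the Internet; the same service bound to 0.0.0.0, the FTP server, and SNMP are the "more services than required" that the slide warns about.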
Security in E-commerce
Factors contributing to the problems on the Internet
How secure is the server software: Controls should be in place to prevent any unauthorized remote logon to the system. It should be extremely difficult to make changes to the server software. The servers themselves should be physically located in a secure environment.
How secure are communications: Customer credit card information and other sensitive data being transmitted across the Internet must be protected.
Security in E-commerce
How is the data protected once it is delivered to the e-business: Is it stored in unencrypted text files at the website? Is it moved to offline storage?
How are credit card transactions authenticated and authorized: Credit card transactions must be authenticated and authorized so as to make them more secure for users.
Methods of attack on computing facilities
Data tampering: A common means of attack that is overshadowed by other types of attack. It refers to an attack in which someone enters false, fabricated, or fraudulent data into a computer, or changes or deletes existing data. Data tampering is extremely serious because it may not be detected. This is the method often used by insiders and fraudsters.
Programming attacks: These are popular with computer criminals who use programming techniques to modify other computer programs. For these types of crimes, programming skill and knowledge of the targeted systems are needed. Examples are viruses, worms, and Trojan horses, which are types of malicious code, called malware. Malware can also be used to launch denial-of-service attacks.
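Because data tampering "may not be detected", the defence is to make records tamper-evident. The example below is added for this page (it is not from the original slides) and shows the standard hash-chain technique: each stored entry carries the hash of its predecessor, so that changing, deleting or reordering any earlier record breaks the chain at a known position. The payroll records are constructed for the example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64

def _entry_hash(prev_hash, record):
    # canonical JSON so that the same record always hashes the same way
    payload = prev_hash + "|" + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def build_ledger(records):
    """Return entries {record, prev, hash}; each hash covers the previous hash."""
    ledger, prev = [], GENESIS
    for record in records:
        h = _entry_hash(prev, record)
        ledger.append({"record": record, "prev": prev, "hash": h})
        prev = h
    return ledger

def verify_ledger(ledger):
    """Index of the first entry whose chain is broken, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or _entry_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

# Constructed sample: three payroll records, then an insider edits one and,
# in a second copy, silently deletes one.
SAMPLE_RECORDS = [
    {"id": 1, "employee": "alice", "amount": 4200},
    {"id": 2, "employee": "bob", "amount": 3900},
    {"id": 3, "employee": "carol", "amount": 4100},
]

def tamper_demo():
    ledger = build_ledger(SAMPLE_RECORDS)
    intact = verify_ledger(ledger)
    edited = copy.deepcopy(ledger)
    edited[1]["record"]["amount"] = 39000      # change an existing value
    deleted = copy.deepcopy(ledger)
    del deleted[1]                             # remove a record entirely
    return intact, verify_ledger(edited), verify_ledger(deleted)

if __name__ == "__main__":
    print(tamper_demo())
```

The chain only helps if the current head hash is kept somewhere the insider cannot write to (exported to a separate log host, or signed with a key they do not hold); an attacker who can rewrite every entry can simply recompute the whole chain.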
Security in E-commerce
Denial-of-service attacks: A denial-of-service or DoS attack is an attack on a network that is designed to disable it by flooding it with useless traffic or activity. A distributed denial-of-service, or DDoS, attack uses multiple computers to launch a DoS attack. While a DoS attack does no technical damage to the data, it can do substantial financial damage to an e-business.
The attacker first breaks into hundreds of randomly chosen insecure computers on the Internet to install an attack program.
Security in E-commerce
Then the attacker coordinates them all to attack the target simultaneously. When the target is attacked from many places at once, traditional defenses such as blocking a single source address do not work and the system is overwhelmed. In a distributed attack it is difficult to figure out where the attack is coming from, and on a public Internet site it is not practical to shut down all connections except those known to be trustworthy. These denial-of-service attacks do not affect the data on the websites: they cannot steal credit card numbers or other proprietary information, and no financial gain comes directly from the attack itself (although attackers have used the threat of one for extortion). What they achieve is a big loss of income or of reputation for the targeted corporation.
Security in E-commerce
Viruses: Viruses are the most common security risk faced by e-businesses today. A virus is a small program that inserts itself into other program files, which then become "infected", just as a virus in nature embeds itself in normal human cells. The virus is spread when an infected program is executed, and it then infects further programs. Examples of virus effects include inability to boot, deletion of files or entire hard drives, inability to create or save files, and thousands of other possibilities. Viruses are generally introduced into computer systems via e-mail or by unauthorized network access.
Security in E-commerce
Trojan horse: This takes its name from the Greek legend of the siege of Troy, and is a type of malware that emulates a benign application. It appears to do something useful or entertaining but actually does something else as well, such as destroying data or creating a "back door" entry point that gives an intruder access to the system. Unlike a virus, a Trojan horse does not replicate itself; it arrives as an e-mail attachment or a downloaded program that the victim is persuaded to run.
Worm: A worm is self-replicating malware that, unlike a virus, does not need to attach itself to other program files. It is a stand-alone program that copies itself across the network, typically by exploiting a vulnerability in a network service or by mailing itself to addresses found on the infected machine. Worms are often not noticed until their uncontrolled replication consumes system and network resources and slows down or stops the system.
Security in E-commerce
Macro virus: A macro is a short program written in an application such as Microsoft Word or Excel to carry out a series of keystrokes or commands. A macro virus is a virus that infects Word or Excel macros. Macro viruses can be introduced into a computer system as part of a Word or Excel document received as an e-mail attachment or as a file on disk. Opening the attachment or file and allowing its macros to run triggers the macro virus; for this reason current versions of Office block macros in documents that arrive from the Internet unless the user explicitly enables them.
Several antivirus software vendors maintain up-to-date information on viruses, worms, Trojan horses, and hoaxes, such as the Virus Information Library at McAfee.com and the Anti-Viral Pro Virus Encyclopedia.
Botnets: A botnet is a collection of bots (computers infected by software robots). Those infected computers, called zombies, can be controlled and organized into a network of zombies on the command of a remote botmaster (also called a bot herder). Botnets expose infected computers, as well as other computers on the network, to the following threats.
A zombie (also known as a bot) is a computer that a remote attacker has accessed and set up to forward transmissions (including spam and viruses) to other computers on the Internet. The purpose is usually either financial gain or malice. Attackers typically exploit many computers to create a botnet, also known as a zombie army.
Spyware: Zombies can be commanded to monitor and steal personal or financial data.
Adware: Zombies can be ordered to download and display advertisements. Some zombies even force an infected system's browser to visit a specific Web site.
Spam: Most junk e-mail is sent by zombies. Owners of infected computers are usually blissfully unaware that their machines are being used to commit a crime.
Phishing: Zombies can seek out weak servers that are suitable for hosting a phishing Web site, which looks like a legitimate Web site, to trick users into entering confidential data.
Malware Defenses:
Anti-Malware Technology: Anti-malware tools are designed to detect malicious code and prevent users from downloading it. They can also scan systems for the presence of worms, Trojan horses, and other types of threats. Anti-malware alone may not detect a previously unknown exploit, because signature-based detection only recognizes what has already been analysed.
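Why signature scanning misses previously unseen code is clearer with a miniature scanner. The following is an added example for this page, not code from the slides or from any vendor: it holds two kinds of signature, an exact file hash and a byte pattern, and runs them over three constructed samples. The "EVIL-DROPPER" marker and the samples are invented and match no real malware.

```python
import hashlib
import re

# Constructed stand-ins for files on disk. The marker string is invented for
# this example; the 203.0.113.0/24 address is a documentation range.
KNOWN_SAMPLE = b"MZ\x90\x00...payload: EVIL-DROPPER v1 connect 203.0.113.7:4444 ..."
VARIANT_SAMPLE = b"MZ\x90\x00...payload: EVIL-DROPPER v2 connect 203.0.113.7:4444 ..."
CLEAN_SAMPLE = b"MZ\x90\x00...normal program, nothing to see here..."

# Signature 1: exact SHA-256 of a sample the vendor has already analysed.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "EvilDropper.A"}

# Signature 2: a byte pattern that survives small edits to the sample.
PATTERN_SIGNATURES = [
    (re.compile(rb"EVIL-DROPPER v\d+ connect \d+\.\d+\.\d+\.\d+:\d+"), "EvilDropper.gen"),
]

def scan(data):
    """Names of all signatures that match `data`; an empty list means 'clean'."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.append(name)
    return hits

def scan_all(samples):
    return {label: scan(data) for label, data in samples.items()}

if __name__ == "__main__":
    for label, hits in scan_all({"known": KNOWN_SAMPLE, "variant": VARIANT_SAMPLE,
                                 "clean": CLEAN_SAMPLE}).items():
        print(label, hits or "clean")
```

The hash signature catches only the exact sample that was analysed; a one-byte change (v1 to v2) defeats it, while the pattern still fires. A genuinely new family matches neither, which is the gap that behavioural detection and the other layers on this slide are meant to cover.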
Intrusion Detection Systems (IDS): An IDS scans for unusual or suspicious traffic. It can identify the start of a DoS attack by the traffic pattern, alerting the network administrator to take defensive action, such as switching to another IP address and diverting critical servers from the path of the attack.
Intrusion Prevention Systems (IPS): An IPS is designed to take immediate action, such as blocking specific IP addresses, whenever a traffic-flow anomaly is detected. ASIC (application-specific integrated circuit)-based IPSs have the processing power and analysis capabilities to detect and block DoS attacks at line rate, functioning somewhat like an automated circuit breaker.
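The "traffic pattern" an IDS keys on, and the reason the IPS response of blocking one address fails against a distributed attack, can both be shown with a small rate detector. The example below is added for this page and is not from the slides; it serves both the DoS/DDoS description earlier and the IDS/IPS paragraphs here. It generates constructed access-log lines (a quiet baseline, a five-second flood from 40 sources that each stay under a per-source limit, then a single-source burst), buckets them per second, and labels each second as a single-source DoS, a distributed attack, or normal. Thresholds and addresses are assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

def _make_log():
    """Constructed Common Log Format lines, invented for this example."""
    lines = []
    fmt = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    for sec in range(10):                     # baseline: two clients, one request/second each
        for client in (1, 2):
            lines.append(fmt.format(ip=f"198.51.100.{client}", sec=sec, path="/"))
    for sec in range(10, 15):                 # DDoS: 40 bots x 4 requests/second
        for bot in range(40):
            for _ in range(4):
                lines.append(fmt.format(ip=f"203.0.113.{bot + 1}", sec=sec, path="/search?q=x"))
    for _ in range(30):                       # single-source DoS in second 15
        lines.append(fmt.format(ip="192.0.2.77", sec=15, path="/"))
    return lines

SAMPLE_LOG = _make_log()

def parse_line(line):
    ip = line.split(" ", 1)[0]
    stamp = line[line.index("[") + 1:line.index("]")]
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

def detect_flood(lines, per_source_limit=10, total_limit=50):
    """Bucket requests per second. 'dos' when one source alone exceeds
    per_source_limit; 'ddos' when the aggregate exceeds total_limit although
    no single source does. Returns {second: (verdict, total, busiest_count)}."""
    per_second = defaultdict(Counter)
    for line in lines:
        ip, ts = parse_line(line)
        per_second[int(ts.timestamp())][ip] += 1
    alerts = {}
    for sec in sorted(per_second):
        counts = per_second[sec]
        total = sum(counts.values())
        busiest = counts.most_common(1)[0][1]
        if busiest > per_source_limit:
            alerts[sec] = ("dos", total, busiest)       # blocking that one IP works
        elif total > total_limit:
            alerts[sec] = ("ddos", total, busiest)      # no single IP to block
    return alerts

def alert_summary(lines):
    """Number of flagged seconds per verdict; baseline seconds produce none."""
    return Counter(verdict for verdict, _, _ in detect_flood(lines).values())

if __name__ == "__main__":
    for sec, (verdict, total, busiest) in detect_flood(SAMPLE_LOG).items():
        print(sec, verdict, "total", total, "busiest source", busiest)
```

In the "dos" second the IPS reflex of blocking the busiest address is the right response. In the "ddos" seconds every source is under the per-source limit, so only the aggregate signal fires; the response there has to be upstream rate limiting, filtering, or added capacity, as the earlier slide describes.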
IT Security Management
The objective of IT security management practices is to defend all of the components of an information system, specifically data, software applications, hardware, and networks.
Successful implementation of any IT project depends on the commitment and involvement of executive management, also referred to as the "tone at the top". The same is true of IT security.
Senior Management Commitment and Support: An IT security model begins with senior management commitment and support. Senior managers' influence is needed to implement and maintain security, ethical standards, privacy practices, and internal control.
Security Policies and Training: The next step is to develop a security policy and provide training to ensure that everyone is aware of and understands it. The greater the understanding of how security affects production levels, customer and supplier relationships, revenue streams, and management's liability, the more security will be incorporated into business projects and proposals.
Most critical is an acceptable use policy (AUP) that informs users of their responsibilities in order to 1) prevent misuse of information and computer resources and 2) reduce exposure to fines, sanctions, and legal liability.
Defense Strategy: The defense strategy and controls that should be used depend on what needs to be protected and on a cost-benefit analysis. That is, companies should neither underinvest nor overinvest. The following are the major objectives of defense strategies:
Prevention and deterrence: Properly designed controls may prevent errors from occurring, deter criminals from attacking the system and, better yet, deny access to unauthorized people.
Detection: The earlier an attack is detected, the easier it is to combat and the less damage is done. Detection can in many cases be performed by using special diagnostic software, at minimal cost.
Containment (contain the damage): This objective is to minimize or limit losses once a malfunction has occurred. It is also called damage control. It can be accomplished, for example, by including a fault-tolerant system that permits operation in a degraded mode until full recovery is made.
Recovery: A recovery plan explains how to fix a damaged information system as quickly as possible. Replacing rather than repairing components is one route to fast recovery.
Correction: Correcting the causes of damaged systems can prevent the problem from occurring again.
Awareness and compliance: All organization members must be educated about the hazards and must comply with the security rules and regulations.
The major categories of general controls are:
Physical control: This refers to the protection of computer facilities and resources. Appropriate physical security may include several controls, such as:
I. Design of the data centre (e.g. the site should be non-combustible and waterproof)
II. Shielding against electromagnetic fields
III. Good fire prevention, detection, and extinguishing systems, including sprinkler systems, water pumps, and adequate drainage facilities
IV. Emergency power shutoff and backup batteries, which must be maintained in operational condition
V. Properly designed, maintained, and operated air-conditioning systems
VI. Motion detector alarms that detect physical intrusion
The major categories of general controls are (contd):
Access Control: This is the management of who is and is not authorized to use a company's hardware and software. It involves authorization (having the right to access) and authentication, also called user identification (proving that the user is who he or she claims to be). Authentication relies on one or more of:
- Something only the user knows, such as a password
- Something only the user has, for example a smart card or a token
- Something only the user is, such as a signature, voice, fingerprint, or retinal (eye) scan, implemented via biometric controls, which can be physical or behavioral
Requiring two factors from different categories (multi-factor authentication) means that a stolen password alone is not enough to gain access.
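The first two factors can be combined in a few dozen lines. The example below is added for this page and is not from the slides: the "something the user knows" is a password stored only as a salted PBKDF2 hash, and the "something the user has" is a time-based one-time code (RFC 6238 TOTP, the scheme common authenticator apps implement). The user record, the enrolment secret and the timestamps are constructed for the example; the TOTP secret is the RFC 6238 reference secret so that the code can be checked against the published test vector.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 600_000     # slow on purpose: each offline guess costs this much

def register_password(password, rounds=PBKDF2_ROUNDS):
    """Return (salt, hash) to store; the password itself is never stored."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def check_password(password, salt, stored, rounds=PBKDF2_ROUNDS):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(digest, stored)       # constant-time comparison

def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code for the 30-second window containing at_time."""
    counter = int(at_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))

def check_totp(secret, code, at_time, step=30, skew=1):
    # accept one window either side to tolerate clock drift, nothing more
    return any(hmac.compare_digest(totp(secret, at_time + d * step), code)
               for d in range(-skew, skew + 1))

def authenticate(user_db, username, password, code, at_time=None):
    """Both factors must pass: the knowledge factor (password hash) and the
    possession factor (a current code from the enrolled TOTP secret)."""
    at_time = time.time() if at_time is None else at_time
    rec = user_db.get(username)
    if rec is None:
        return False
    if not check_password(password, rec["salt"], rec["hash"]):
        return False
    return check_totp(rec["totp_secret"], code, at_time)

def demo():
    """Constructed enrolment: one user, RFC 6238 reference secret, fixed clock."""
    secret = b"12345678901234567890"
    salt, digest = register_password("correct horse battery staple")
    db = {"alice": {"salt": salt, "hash": digest, "totp_secret": secret}}
    now = 59
    good = authenticate(db, "alice", "correct horse battery staple", totp(secret, now), now)
    bad_pw = authenticate(db, "alice", "wrong password", totp(secret, now), now)
    replay = authenticate(db, "alice", "correct horse battery staple", totp(secret, now), now + 3600)
    return good, bad_pw, replay

if __name__ == "__main__":
    print(demo())
```

The replay case is the point of the second factor: a code captured an hour earlier is rejected even though the password is correct. The TOTP secret must itself be stored encrypted, since anyone who reads it can generate valid codes.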
The major categories of general controls are (contd):
Biometric Control: This is an automated method of verifying the identity of a person, based on physical or behavioral characteristics. The most common biometrics are 1) fingerprint, 2) retinal scan, 3) voice scan, and 4) signature.
Administrative Control: This deals with issuing guidelines and monitoring compliance with the guidelines.
Application Controls: Sophisticated attacks are aimed at the application level, and many applications are not designed to withstand such attacks. For better survivability, conventional information processing methodologies are being supplemented with agent technology; an agent is able to adapt itself to changes occurring in an unpredictable environment.
Network security:
Factors that influence the level of risk at Internet sites
Sites that are connected to the Internet face significant risk in some form from intruders. The following factors influence the level of risk:
- Number of systems connected to the site
- Services utilized by the site
- Interconnectivity of the site to the Internet
- Site's profile, or how well-known the site is
- Site's readiness to handle computer security incidents
The more systems that are connected, the more difficult it is to control their security. Similarly, a site that is connected to the Internet at several points is likely to be more vulnerable to attack than a site with a single, well-monitored gateway.
Security in E-commerce
Website Defacement
Website vandalism or defacement can be the result of a hacker breaking into a network, accessing the website files, and modifying the HTML to change the web pages that visitors see. Not only do website defacements embarrass an e-business, but some defacements can have serious financial repercussions.
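Defacement is a modification of files you already know the correct contents of, so the detection is file integrity monitoring: record a hash of every file in the web root when the site is published, and compare later. The example below is added for this page (not code from the slides): it builds such a baseline, then simulates an intruder rewriting index.html and dropping an extra script, and reports what changed. The site files and the intruder's changes are constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile

def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(web_root):
    """Map each file (path relative to web_root) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(web_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, web_root)] = _sha256_file(full)
    return baseline

def check_integrity(web_root, baseline):
    """Diff the live tree against the baseline: modified, added and removed paths."""
    current = build_baseline(web_root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def _write(path, text):
    with open(path, "w") as f:
        f.write(text)

def defacement_demo():
    """Constructed scenario: publish a tiny site, take the baseline, then an
    intruder rewrites the home page and drops a script in the web root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "htdocs")
        os.makedirs(os.path.join(root, "img"))
        _write(os.path.join(root, "index.html"), "<html><body>Welcome to Example Shop</body></html>")
        _write(os.path.join(root, "img", "logo.svg"), "<svg/>")
        baseline = build_baseline(root)      # keep this copy off the web server
        _write(os.path.join(root, "index.html"), "<html><body>DEFACED (constructed example)</body></html>")
        _write(os.path.join(root, "shell.php"), "<?php /* placeholder, not a real web shell */ ?>")
        return check_integrity(root, baseline)

if __name__ == "__main__":
    print(defacement_demo())
```

The baseline has to live somewhere the intruder who can edit the HTML cannot also edit, otherwise they simply re-baseline after defacing; and a scheduled comparison is what turns this from a forensic tool into an alert.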
E-mail security:
E-mail users who require confidentiality and sender authentication use encryption: encrypting the message keeps its contents private, and a digital signature lets the recipient verify who sent it and that it was not altered in transit. Two programs designed for this purpose are Pretty Good Privacy (PGP) and Privacy Enhanced Mail (PEM). PEM has since been superseded in practice by S/MIME, while OpenPGP remains in use.
Security in E-commerce
Website SECURITY
Network performance is to be monitored continuously to detect unauthorized access by a hacker. Setting up logging and establishing network reference points, called benchmarks, can alert an e-business to security problems. A skilled system administrator and other well-trained technicians who use these benchmarks to monitor and manage the network and servers are critical.
The following tools should be used to protect a business network and website:
- Passwords
- Firewalls
- Intrusion detection systems
- Virus scanning software
Security in E-commerce
Password: A password is a code used to gain access to a computer or network. Often a computer user chooses a bad password, such as a short common word, a name, or a birthday, so that the password is easy to remember. The hacker penetrates the network security by using software that "guesses" the password by trying millions of common words, and simple variations of them, until one is accepted. Requiring a minimum length of six characters in a mix of letters and numbers raised the number of potential passwords into the billions and made guessing harder at the time these slides were written; today a six-character password protected by a fast hash can be guessed offline in seconds, and current guidance (for example NIST SP 800-63B) calls for longer passwords screened against lists of known-compromised passwords, rather than forced regular changes. The user should still use a different password on each system, so that a password captured from one system does not open the others.
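Guessing software does not try words only: it tries the obvious variations (capitalised first letter, digits or a year appended, letters swapped for look-alike symbols). A policy check is therefore only useful if it undoes those same tricks before consulting its word list. The example below is added for this page and is not from the slides; the word list is a constructed handful of entries standing in for a real list of leaked passwords, and the length and strength thresholds are assumptions.

```python
import math
import re

# Constructed mini word list; a real check uses a large list of leaked passwords.
COMMON_WORDS = {"password", "summer", "welcome", "admin", "letmein", "qwerty", "football", "monkey"}

# Look-alike substitutions that guessing tools apply as a matter of course.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(password):
    """Reverse the usual mangling: case, trailing digits/symbols, leetspeak,
    leading symbols. 'P@ssw0rd1234' and 'Summer2023!!' both come back as words."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)     # strip appended digits, years, punctuation
    base = base.translate(LEET)
    base = re.sub(r"^[^a-z]+", "", base)     # strip anything non-letter still leading
    return base

def keyspace_bits(password):
    """Upper bound on guessing work from length and the character classes used."""
    pool = 0
    if re.search(r"[a-z]", password): pool += 26
    if re.search(r"[A-Z]", password): pool += 26
    if re.search(r"[0-9]", password): pool += 10
    if re.search(r"[^A-Za-z0-9]", password): pool += 33
    return len(password) * math.log2(pool) if pool else 0.0

def evaluate(password, min_len=12, min_bits=60):
    """Return (accepted, reason). Length first, then the dictionary check,
    then a crude strength floor so that 'aaaaaaaaaaaa' does not pass on length alone."""
    if len(password) < min_len:
        return False, "too short"
    if normalize(password) in COMMON_WORDS:
        return False, "dictionary word with predictable mangling"
    if keyspace_bits(password) < min_bits:
        return False, "too few character classes for its length"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("Summer2023!!", "P@ssw0rd1234", "abc123", "kq8!Lm2#wVz9"):
        print(candidate, evaluate(candidate))
```

The keyspace figure is an upper bound, not entropy: a password a guessing tool will reach in its first million candidates is weak whatever its length, which is why the dictionary check runs before the arithmetic.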
Firewall: A firewall is software or hardware used to isolate and protect a private system or network from the public network. Firewalls can control the type of information that is allowed to pass from the public network to the private network, as well as which services inside the firewall are accessible from the outside. Firewalls can also log activity, to provide an audit trail in case the network is penetrated.
Security in E-commerce
Intrusion detection systems: An IDS is the ability to analyze real-time data to detect, log, and stop unauthorized network access as it happens. A business can install intrusion detection systems that monitor the network for intrusions in real time and respond to them in a variety of user-defined ways. Against DoS attacks the IDS itself can only raise the alarm; the website is defended by adding more servers to increase the traffic it can handle, by using filters and routers to manage traffic, and by having a backup plan to reroute legitimate traffic during an attack. Cisco's Secure Intrusion Detection System and Network ICE's ICEpac Security Suite are examples from the period when these slides were written.
Security in E-commerce
Virus scanning software that includes e-mail scanning should be installed on all network computers, and the antivirus software should be kept updated. Only the communication ports needed to allow data to enter and exit the network should be open; the system administrator should close all unused ports. Up-to-date security patches for operating systems should be installed as soon as they are available, to prevent hackers from exploiting known system weaknesses.
Security in E-commerce
HOW TO ENSURE TRANSACTION SECURITY AND DATA PROTECTION
Transaction security, especially for credit card transactions, and the protection of customer data are as important as website and network security. The tools are:
- Using a pre-agreed key to encrypt and decrypt the data during transmission.
- Using the Secure Sockets Layer (SSL) protocol, today its successor TLS, to protect data transmitted over the Internet. SSL/TLS encrypts data between the browser on the customer's computer and the software on the web server, allowing data such as credit card information to be transmitted securely. SSL/TLS uses digital certificates so that a web browser can authenticate the server it is connected to, making sure that credit card data is going to the appropriate server.
- Moving sensitive customer information such as credit card numbers offline, or encrypting the information if it is to be stored online.
- Removing all files and data from storage devices, including disk drives and tapes, before disposing of the devices.
- Shredding all hard-copy documents containing sensitive information before discarding them.
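The earlier question "how is the data protected once it is delivered to the e-business" and the recommendation here to keep card numbers offline or encrypted come down to one rule: do not keep the full card number unless you must. The example below is added for this page and is not from the slides. It shows what a merchant can store instead: a Luhn-validated, masked form for display, plus a keyed token (HMAC-SHA256 under a secret key) that lets a returning card be recognised without the number ever being written down. The card number is the well-known Visa test number and the key is generated for the example; in production the key comes from a key management service and is never stored beside the records.

```python
import hashlib
import hmac
import secrets

def luhn_ok(pan):
    """Standard mod-10 check every card number passes; catches typos, not fraud."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 12 and total % 10 == 0

def mask_pan(pan):
    """First six and last four digits, the masking PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pan_token(pan, key):
    """Keyed hash of the PAN. Unlike a plain SHA-256, which an attacker could
    brute-force over the ~10^15 possible card numbers, this cannot be reversed
    or recomputed without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def store_card(pan, key):
    """The record the e-business keeps; the full number is never written."""
    if not luhn_ok(pan):
        raise ValueError("invalid card number")
    return {"masked": mask_pan(pan), "token": pan_token(pan, key), "last4": pan[-4:]}

def matches(record, pan, key):
    """Is this the same card as the one the record was made from?"""
    return hmac.compare_digest(record["token"], pan_token(pan, key))

# Constructed input: the standard Visa test number, not a real card.
TEST_PAN = "4111111111111111"

if __name__ == "__main__":
    key = secrets.token_bytes(32)        # in practice: from an HSM or KMS
    rec = store_card(TEST_PAN, key)
    print(rec["masked"], matches(rec, TEST_PAN, key))
```

If the business genuinely needs the full number later (recurring billing), the number should be held by the payment processor in exchange for a reference token, or encrypted with authenticated encryption under a key kept outside the database; a token like the one above supports recognition only, which is all most shops need.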
