March 29, 2020
BCIS 5379 – Chapter 9 – E-Commerce Security and Fraud Protection

BCIS 5379 – Chapter 9 – E-Commerce Security and Fraud Protection

Welcome to BCIS 5379, Technology of E-Business.
My name is Dr. Schuessler and this chapter is over E-Commerce Security and Fraud Protection.
After reading this chapter should have a better understanding of the importance and scope
of security information systems for e-commerce, you will describe the major concepts and terminology
of e-commerce security learn about the major e-commerce e-commerce security threats on
our abilities and technical attacks a better understanding of Internet fraud, phishing
and spam sure he will describe information assurance security principles. You should
be able identify and assess major technologies and methods for securing e-commerce access
and communications will be able to describe the major technologies for for protection
of e-commerce networks and describe various types of controls and special events Muslims
will be able to describe consumer and seller protection for fraud describe the role of
business continuity and disaster recovery planning and disk and discuss e-commerce security,
enterprise securities, enterprise implementation issues lastly you understand why it is not
possible stop computer crimes. Security is a very broad field very, very broad term field
specific when we start to talk about information systems security or computer security it is
sometimes seemingly just as broad information security. For example I was protecting information
information systems from unauthorized access or disclosure, disruption, modification, perusal
inspection, recording, or destruction so different broad definition, but the thing the Rector
mind around is the focus is on information protecting information from a similar definition
for computer security. First, the collection of data networks programs computer power and
other elements of computerized information information systems gives birth broad definition
both the focus shifts to include data but also to include hardware devices as well so
securities is a broad field struck down comes we start to see certain specializations with
computers feel what is e-commerce security. While this book, Excel security in the two
broad categories simply generic security to any information systems e-commerce related
to the right focusing on more of the e-commerce related side of things attacks on e-commerce
sites, identity theft, fraud, phishing, this chapter covers both but really focuses more
on the latter what is how we go about determining whatsoever. Security concerns are both hard
to do so people like to talk about the organization does shed light on it is that the CS or a
service comes up reports information about that and tries to shut, is the CSI computer
crime and security Prof. was about cooperation between CSI and the FBI this is something
that annually in the to release information about organization agencies and talk the threats
are the problems facing things like that. Unfortunately a lot of organizations do not
report computer crime. As a result you see post by CSI all tend to be relatively low
compared to what the truth probably is part of the information security problem is because
it does Crossen cover some different domain is very hard to make sure that when you are
working on a security problem that everybody involved in solving the issue is focused on
demand which are working on for example personal security personal security domain. We have
to consider things that might affect her personal safety operating online environment such as
posting information sites that might help sex offenders to to find out information about
about us, fraud, identity theft, cyber bullies are all issues that we need to consider when
approaching informational social networking sites things like a national security perspective
on national security to me. I went to think about protecting our national infrastructure
or critical structure things like air travel and waterways, financial centers, so make
sure we have smooth and efficient functioning of those services sourcing the more recent
or current security risk that we face when the baseline mean we can security vendors
is a variety of different different issue, cyber espionage and Siebel wars with all the
more attack on mobile assets. Things like our cell phones are smart phones, tablets,
etc. tax on social networks. The second are Facebook, twitter, and those types of things,
cyber gains tax on new technologies, cloud computing, virtualization sold test on web
applications for cyber war, cyber espionage and cyber crimes across borders. There is
the book goes through all kinds of exam if you get another stop by all means read the
section book to give you a number of different examples of these types of things such as
December 2010, the Iranian nuclear program being attacked by a computer program were
to be created in the US and in Israel which will cripple their nuclear program similar
attacks launched against the United States from North Korea against the United States
and South Korea try to knock out a number of different sites, so this this is happening
more and more often so be aware of as far as some of the types of attacks corporate
espionage tax and political espionage warfare couple different broad classes if you will
keep in mind we as corporations put more more online to become bigger and bigger targets
or open bigger and bigger incentive for people to try breaking steel intellectual property
transfer money like that in the example but the Iranian nuclear program falls in the political
espionage for So gives you a graphical representation of what the major e-commerce security management
concerns were in 2011 topping list fraud at e-commerce transactions our presenting what
is really going on this may be something like eBay, for example, some to sell something
that they do not represent as being quite what is: prevention and detection of malware,
viruses, Trojans, etc. security strategy of sufficient budget, especially with the economy
turning down the way it would have been the last few years that we do not have the money
to do. You would like to do play the rest of the solution the drivers of e-commerce
security problems with a lot of different drivers to to solve problems we face on the
Internet and e-commerce. Specifically, but this was a major ones are predominantly on
the fuel I all wrenched few basic issues perhaps foremost is his room. The design of the Internet
was really originally designed remorse a proof of concept that if just being get it to work
and design, ball from there and continue to build on this this proof of concept approach
such security was never a real concern for very early days of the Internet so this led
to some vulnerabilities specifically related to DNS domain name system, which translates
or converts domain names into the numeric IP address and this is that somebody could
potentially remap that relationship. So in some types of correct domain name so for example
your bank Bank of those specific names that instead of going to the
legitimate IP address actually goes to a spoofed IP address long IP address in foreign country
or another place where you collect your information your login information and are able to log
into your account conduct transactions. This is a need to the IP addresses formal self
and address that uniquely identifies each computer connected to a network or the Internet
first two systems Dennis might be have to work together the motivations behind computer
crimes of shifted as well for the early days of networking a lot of times hackers which
is a term of throat have been misused over the years is really oftentimes simply interested
in discovering how devices work how networks work telephone system worked, they were not
interested in profiting more interested in damaging the equipment or machines. However,
because of the amount of financial information systems putting online that focus that that
motivation for some of these crimes has shifted and become more profit induced work is simply
too tempting. The people feel like it is an easy way to profit so that motivation has
changed this profit motivation has led to an Internet underground economy places where
people need to be able to seek out buyers and sellers for information. For information
about bank account numbers will exchange bank account numbers in my social security numbers,
passwords to various websites such as social networking sites are banking side, things
like that the this underground economy is a place where you feel by Selva information
we get that information from a variety of places that capture those puzzles can become
numbers for example, credit card numbers and almost as a variety of ways. One common way
is to be keystroke logging keep capturing and recording keystrokes. See if you happen
to be accessing a secure website that encryption information across the Internet actually relevant
information is kept keystroke is capturing the actual keys and typing on keyboard since
the data at that moment time to whoever is actually trying to capture that information
as far as the dynamic nature of e-commerce systems role insiders want things to do that
really have to keep in mind is good investment Georgia problems that we see our caused by
insiders around half and because organizations are constantly adding new employees was relatively
high turnover with respect to employees constantly reintroducing security threats and the position
so something to be aware wise and e-commerce security strategy needed Larson because tax
change all the time changing the method of changing their methods all the time to address
network administers Consulate Road’s real protector systems solutions change. For example
Texas shifted their focus from Windows PCF base operating systems to other operating
system such as an so, but it is created quite a dilemma for network administrators to 50.
She has workloads. If you have small budgets to to work on optimizer e-commerce systems
for security and efficiency. Since khakis in a state of operating reactively rather
than proactively in terms of addressing the problems and and also another issue is that
from an attacker’s perspective each month much easier to launch an attack and learn
about how to launch an attack in fun tools, automated tools allow them to she is tax very
easily. So the the number of attackers and attack vectors is rising significantly faster
than our ability to protect systems section 9.2 talks about basic e-commerce security
issues in the landscape starts out by talking about some of the basic terminology of security
terminology familiarizing yourself with science jargon is really pretty useful so that we
hear the terms when you use the term for the you know what you are using in the right context
that you when you hear it you understand the context in which is being used muscle terms
are probably somewhat familiar with you but I want you to develop a familiarity with these
terms start with the business continuity plan plan. It keeps the business running after
a disaster occurs each function in the business should have about recovery capability plan.
The idea behind the business continuity plan is that wants an incident occurs that the
organization needs to be able to continue to function. Even if even if at only a minimal
level. That is what the business continuity plan is. It is about determining what the
very air most minimum functions are necessary and finding ways for those to continue to
run even when significant disruptions occur. Cybercrime is the intent are intentional crimes
carried out on the Internet. Several criminals person intentionally carries out crimes over
the so that is the person’s creating or conducting the cybercrime exposure refers to the estimated
cost loss or damage that can result if the threat exploits a vulnerability is really
how vulnerable are you fraud is any business activity that uses deceitful practices or
devices to deprive another property or other rights malware malicious software is a generic
term for malicious software so includes a variety of different types of malicious software
viruses, adware can be at work at spyware certainly is an example. Worms are all examples
of malware fishing is a cybercrime technique to steal the identity of the target company
to get the identities of its customers a long time shall see fishing email. For example,
where you will get an email saying that were from a bank. We need to login and correct
some information and then I will direct you to what seems like the legitimate website,
but in reality oftentimes is it is a set is created by them on fishing techniques as well
but that is a fairly common one in a Bisquick get you to provide personal information or
sensitive information to them and is often done to be able steal one’s identity risk
is the probability that are vulnerable to will be known and used risk is kind of an
interesting concept as it relates to security because the reality is when we when we talk
security when we think about security on oftentimes, people tend to think that we simply eliminate
risk we eliminated threat and therefore there zero risk. The reality is we never truly eliminate
all the risk that we take all the the potential bad things that can happen to us what we really
do as we manage risk we reduce our vulnerabilities down to the point where the risk is it is
to an acceptable level so risk is a relatively concept, but it is more nuanced than what
most people get credit for social engineering is a type of nontechnical attack uses some
ruse to trick users into revealing information or performing an action the compromises a
computer network Pro a great example of this is a guy by the name of Kevin Mitnick who
is probably has a very solid technical skills but were he absolutely excels is in the art
social engineering has written several books on the got himself in trouble with the law
a few times since some time in jail but at this point he actually conducts penetration
tests for organizations legitimately doing the same Sufis always done, I would. I gets
paid to do it is very interesting. He has been some very interesting books on the subject
said recommend recommend looking them up if you get get the opportunity but it is really,
modern-day ConMan if if you stay with them that old term is really been applied to the
computer computer on this. Refer to social engineering. Spam is the electronic equivalent
of junk mail. Some of those voluminous messages that we get the really dosing related to anything
on the reality is that the fact that even if they get half a percentage point of of
people responding to the relative to the millions of emails that actually send the soul. Because she to send those emails alone ability
is a weakness in software or other mechanism that threatens the confidentiality, integrity,
availability of an asset. Refer to CIA model to be directly used by by hacker to gain access
to the system or networks with a weakness. It is a something that we do not are good
at protecting ourselves with times. This is because of unpatched system that most systems
tend to be compromised. The to be compromised do some sort of vulnerability are often oftentimes
simply lacking that patch that would actually correct for that vulnerability was what you
really important. Keep your systems patched. Keep your inner virus software up-to-date
on this to avoid those types of issues. Zombies are computers infected with malware that are
under the control of a spammer hacker or other criminal a lot of times these become tools
to build launched attacks against other computers time so even though you yourself may not actually
be a target on in some cases, your target in the sense that they want to use your system
against somebody else’s system so get support, keep your system patch is one of the terms
are out there annual if this is meant an area of interest you. I am certainly a run across
all of the terms this Pro some of the the basic terms of you to cross so if you think
of e-commerce as a battleground you can think about landscape in terms of attackers and
defenders and security requirements that that are necessary to anything about a taxi think
about the attackers and the methods that they might employees of tax criminals unintentional
attacks. If you want classify them way in terms of natural disasters, malfunctions,
human errors misconfiguration for targets include computers and information systems
and people themselves. So hardware software procedures email and as I said the people
of solo oftentimes people want to cooperate they want to be helpful to those around them
and social engineers are capitalized on that and can oftentimes people contain can obtain
sensitive information from directly from individuals that give that the defenses defenders in the
methods that are used so figure out software, hardware, prevention, detection determines
and so on. Gossiping about regulations, policies, strategies, compliance, privacy in a variety
of other methods that we wish to use to protect herself. Her systems with to do this in the
context of the legal system as well so defenses is it can be complicated. The main were operating
in information systems and e-commerce systems are all honorable to a variety of different
tax sources of tax will be intentional or intentional threats, tax crimes, etc. as first
unintentional threats they can confirm variety of different places that come from human error.
For example, a user may type in incorrect information into the database really rendering
the value of database is less than what would be if at valid information they may miss configure
a switch or router or something like that which opens up vulnerabilities or environmental
hazards things like natural disasters, earthquakes, hurricanes, flow that can damage systems malfunctions
in and computer systems themselves. Sometimes power surges. For example, will cause issues
with computer equipment the age of equipment defective equipment outdated equipment poorly
maintain all that can open an organization up to to be susceptible to certain threats
that exist as far as the is intentional attacks or crimes. Those can occur in which cases
the data may occur perhaps the property stolen or customer information detailing things like
card information personal information things like that inappropriate use of data relating
inputs of hardware, laptops, and other types of souls all the purview of intentional attacks
crimes this person the techniques criminals use the methods of the use, regardless of
whether or not you are hacker cracker. Sometimes those techniques have to be the same always
the case. In some cases it is for example social is something that both might be likely
to use at same time are probably some techniques that crackers are willing to use that this
will code of ethics if you will. The hackers probably are little bit less likely to to
violate so keep in mind that the while the methods are probably very similar between
these two camps. St. Thomas probably some differences as well just for those who are
here hackers will benefit in tweaked over the years, or twisted over the years and is
not always been a malicious time. It is actually traditionally referred to some 217 interested
in technology and understanding how it worked in hacking and assistant to discover how work
enjoy their intentions were not to do harm not to tear up the system cause damage. For
this to learn how work contrary to that was the cracker was intentionally trying to do
harm to try to damage something steal something do something like that so tacky that that
that in mind how it was referred twisted such that hackers come in a generic term that is
really uses that that latter definition in its strictest sense is not really what means
regarding the targets of your taxable areas to recognize the vulnerabilities create risk
and so need whenever you have these Zorro is recognizing how this risk if the rep risk
is a of your degree of comfort if you will, then you have to employ verse methods to reduce
risk or eliminate or reduce those abilities as far as vulnerabilities within an organization
we can broadly break these up into a couple of categories of technical vs. organizational
weaknesses technical weaknesses include things like unencrypted communications and sufficiently
pass operating systems insufficient you spent a virus and firewall week boundary security
for application security organizational weaknesses include things like the lack of end-user training
security awareness training. This was an interesting one because it is a relatively simple one
of the it is cheap, it is easy to do test have very good results. In short yes once
off our but tend to be used as it should organizational weaknesses include the lack security mobile
devices and appropriate use of business computers and network services sparse case in our department
and e-commerce and content of information security but realize information me e-commerce
security was more than just preventing and responding to cyber attacks in intrusions
and booklets a few different assertion of user president website in order to obtain
possible purchase information whatsoever from three different perspectives. The user’s perspective
companies perspectives perspective and from both parts perspective anything about the
users perspective after using the weather Web server is owned and operated by a legitimate
company. You know that is really you are dealing how does the user know that the webpage informs
not been compromised by spyware and other horses code not that long ago I sent out the
last few of the rivers axes the local drive you the brothers. Their website had been Classified
by Google as containing malware so just because you visit a legitimate side does not mean
that the site is not compromised. How is the using of the dishonest employee will interrupt
misuse the information about getting a critic or to a waiter or waitress at a restaurant
to take that car off and you will see what they see one another, skimming any information,
credit card number, your name security code really do not know that so dishonest employees
are certainly concerned users perspective from the company’s perspective how they know
use user will try to compromise their Web server they know that the usual credit to
disrupt server so that will be available of the from both users perspectives both parties
perspectives is no the network connection is free from eavesdropping by third-party
be listening in on the transaction Avenue. The information sent back and forth from the
server and the user browser has been altered so the Sims. This concerns that her one transaction.
So those various scenarios in mind, we could start to think about the most appropriate
mix if you will of the various security tools that we have at our disposal certificate authentication
which if I were REO; the most important aspect of security we need to know that a person
really is who they say they are. If we do not authorization for example does not really
mean anything so authentication is the process to verify or sure the real identity of an
individual computer computer program for e-commerce website really know they were talking to really
is who they say they are authorizations the process of determining what the authenticated
entity is allowed to access and what operations is allowed to perform. So once we identify
correctly identify the user to dedication now can start to figure out what they are
interested in your authorized print is to open a certain file but not deleted or authorized
to open a file and modify it but not deleted and so auditing is another very important
tool that we have disposal allows us to keep track of what is going did what when where
and to what so gives us, trail if you will of the activities occurring on computer network
availability prefers to keep your system running. I am not repudiation is very important concept
is waste e-commerce decisions that online customers with trading partners cannot falsely
deny the purchaser transaction. The idea that once you commit to make a purchase that you
really committed to make that purchase and that you can prove programmatically that you
are the one actually authorize the purchase folder the purchase. You cannot back and a
later date and say that no that I did not offer to purchase. Ideally security would
be everybody’s business and organization reality is that applications oftentimes fall, the
ice department security vendors to provide those services in terms of the technical side
of things the wound management to provide administrative the ministry of aspects such
as policies and procedures things like that together. Both of these groups work in tandem
to develop some sort of an e-commerce strategy is strategy strategy that is e-commerce security
is the process of preventing and detecting offer issues of the organization’s brand identity
website, email, information or other asset intends to defraud dollarization its customers
and employees so they get together these two camps work together to implement some sort
of an e-commerce strategy in an effort to have a thought follicle approach to addressing
position security needs and the idea behind providing methodical approach is that hopefully
you do not miss things you do not leave any gaps in your security posture your security
plan the next several bolts in this slide next slide really borrow some concepts from
the field of criminology, specifically deterrence theory and a a a through the action cycle
put forth by Prof. out of the University of Georgia Straub and general deterrence theory
consists of four dimensions they talk about three here on the fourth one does not translate
well into e-commerce. Does transfer adjustment as well as his these three but deterring detecting
and preventing our intuitive ones of Nicholas transfer quite well deterring measures actions
that will make criminals abandon the idea of attacking a specific system, the possibility
of losing a job for an insider. So basically you have policies in place you make sure that
everybody’s aware of the ramifications of their actions. So we forget policies in place
when you login to tell users what will happen if the user systems appropriately put up warning
signs we do various things to deter users using our systems appropriately. The next
dimension is prevention measures ways to help stop unauthorized users, also known as intruders
from accessing any part of e-commerce system. These are actual preventive measures so the
real world people locked door to the fence with Barb wire across the top and the security
route computer security realm. We may think of passwords biometrics things like encryption
things like that bull estimates were okay here is his detection measures ways to determine
whether intruders attempted to break into e-commerce systems where was successful in
what they may done so think of our our our audit logs which tell us who log in when they
log in what terminal they will what files accessed when they access. What they did with
those files so this will provide us the ability to turn what happened and create an audit
trail if you will trace back what happened when where and how this leads us to information
assurance that the protection of information systems against unauthorized access to or
modification of information for the storage so they rest processing or in transit motion
and against the mile service offers users, including those measures necessary to detect
document counter such threats the ultimate goal of e-commerce securities to be able provide
information assurance Exhibit 9.3 leads off section 9.3 which talks about technical attack
methods from viruses to the mile service in the exhibit list in order descending order
of importance major technical security attack methods starts offer leads off with an hours
viruses and Trojans and the reality is a lot of research search suggest a good handle on
malware in terms of our antivirus solution, but this is something is changing significantly
because our reliance on portable devices are smart phones, tablets, things like that are
creating a lot more attack vectors for malware writers. This is certainly creating a problem
for organizations. Is unauthorized access my message unauthorized
access, not the kid access so I cases unauthorized access is our internal users are simply accessing
resources they should not have access to are not authorized to view this fall mile service
spam hijacking and botanists I mentioned earlier, some of the differences between the computer
virus spread well. The term computer virus comes to us from the field biology because
it does transfer from host to host or similar ways see in biology. First of our start programmer
writes the program itself virus and embedded in some sort of a host program. The virus
attaches itself and travels anywhere that the host program or place of data travels
with and CD. Network bulletin boards. This did not used to be a big deal before the days
of widespread days of networks enough shed infected disk disk had to travel from machine
to machine is usually very slow process of viruses did not traditionally spread fast
virus itself is either of by some for timeline or some other circumstance, such as the simple
sequence of computer operations you again the key combination reopen attachment and
that whatever the program is intended for to do referred to as its payload may be simply
the types of characters on screen to delete your hard drive or rubbishing many things
in between a few very specific viruses are those of micro virus, Trojan horse, and a
very specific example Trojan horse banking Trojan are all like I said very specific examples
of types of of of viruses macro viruses or worms is a is executed when the application
object that contains the macros open for particular procedure is executed. This is obviously very
common to my surprise, specifically office products cases macros are used to do research
of sound within the applications but you also run the risk when this occurs to introduce
a virus into your system. Attorney horses program. It appears to have a useful function,
but the contains a hidden function. The present presents a security risk and this is to on
a zoster quality Trojan horse. The soldiers inside in the ideas that you have a valid
program that you get to use a free program you download and provide some sort of function.
Sometimes the game or perhaps give information about the weather or shopping something like
that. It appears that legitimate purpose. Oftentimes in the background. There is another
program is attached to this caption your keystrokes or something like that and that is the the
catch to creates the security risk banking purchase a specific specific example of a
Trojan horse a Trojan counsel. I computer owners visit one of a number of online banking
e-commerce site again performs a very similar function captures your keystrokes captures
any kind transactional data things like that mile service attack is an attack on site which
an attacker uses special. I saw this in the form data packets to the target computer with
the aim of overloading its resources. Think of it kind of those as being in line at Citibank
and it seems like you you go to the bank. You get in line and the patroness of the phone
line keeps talking to the teller and just when you think they are about Don my start
talking with horse more ramp another talking on the top they never finished their topic
they keep talking to the teller your be denied service being denied access to the bank to
the teller. This serves in the this is conceptually one of the mile service attack is distributed
that the mile services. The same concept is just rather than having a single attacker
attacking a target multiple attackers attacking target page decking is related to one councils
we talked about earlier weakness one of the weaknesses of the Internet in terms of DNS
and IP addressing them and somebody changing that mapping between those two was to addresses
and this will happen is you can redirect the user from the legitimate IP address to a fake
IP address were two different IP address to a page that looks very similar, if not almost
identical to the page trying to get to secreting a row copy of a popular website that shows
contents similar to the original to wall crawler. Once there, and unsuspecting users redirected
to a malicious website may contain all this content about their their criminals. In many
cases they do not care about stealing the logos of companies on they do not think twice
about any of any of those types of legal issues copyright issues they are trying to capture
your information so that to make to make it as authentic looking as I possibly can to
get you to share information that you might not otherwise sure for jumping into a botnet
first need to know what thought is bought is a capture computer. It is a computer that
a cracker remotely is captured and has control over in some respect way to get control that
bought over the computer that computers have been referred to the bottom is being robotically
controlled the lot botnet is a collection of those computers. The huge number hundreds
of thousands potential of hydrogen computers up and set up for traffic, including spam,
viruses, computer and Internet. By controlling this botnet gives the controller is an awful
lot control wants these distributed denial of service attacks. They can remotely since
spam and for traffic and viruses very quickly around the globe. Salon has become a very
powerful tool personal crackers malware ties is a basically fast false online at designed
to trick you into downloading malicious software on your computer usually what will happen
is a big message on on the screen saying computer infected with a virus has some sort of security
portability was the most popular type of malware return encourage you to download fake security
software to build correct the issue is really infected software designed to capture personal
information some social is another potential threat and perhaps the scary thing about social
engineering is one need not have a a particularly strong skill set that up a little of any virtually
any skill set. Technically, the process basically works by applying a variety of different fishing
methods in order to be able target victims and obtain personal information from this
may be sent with your phone calls for example, getting victims to share information with
you that often times might not seem to important at the time terms of the very important later.
Once I obtain this information either use the information to commit financial crime
or crop fraud themselves or they can sell it in the the underground subtype of the market
under in exchange for cash or some something else to the criminals who themselves in some
sort of financial sophisticated fishing methods are often used on the to obtain personal information
which usually lead to various types of fraud committed. This is the kind of things can
be pretty commonly have environment were buyers and sellers can see each other breeds possible
for fraud occur on the sparse specific samples from the Internet book talks about page 472
couple different examples one airline specifically Google apps is specific examples in general
things like literary scams, poetry, scans, chain letters, email scams, lottery scams
dreams can work-at-home scams. The way to make scams far more than could possibly possibly
list those are all examples of types of scams can run the idea behind this is that you can
use this information together in these phishing attempts user can build an online profile
you build an identity for a person can use that identity to commit fraud, identity theft,
the first stealing identity of a person that information is in use for someone pretending
to be someone else in order to steal money or get some of the short benefit Exhibit 9.6
illustrates how shows one example how fishing might occur in a specific or specific situation
first to visitor hacker tries to attack website nor reviewer redirect users to another server.
Once the the the a legitimate user tries to to reach the legitimate server redirected
to the website is back website and sends data malware back to the user it was for the that
the software is installed without the user knowing that has completed the software tends
to run in the background. Since private information back to the hacker virtually every online
organization subject to various are out there in going think that the banks for example
mental institutions might have more stringent security. There is are susceptible as well
write it up types of online financial fraud exist for the financial fraud things like
syllables and investments phantom business opportunities and get rich quick schemes to
view source spam and spyware attacks were 90% messages of corporate networks in April
2010 were spam or email spam estimated that worldwide total of 62 trillion trillion with
a T spam emails percent in 2008 globally annuals annual spam energy use totals 33 billion be
kilowatt hours ethical to run orders to use 2.4 million homes in the United States with
the same vigor admissions 3.1 million passenger cars using 2 billion gas gallons of gasoline
spent frustrating and confused and annoyed email users for years. Approximate 80% whole
spam is sent by fewer than 200 spam throw up a small number of individuals that are
generally vast majority of systems your comments on the blog personal brand of this on e-commerce
site where products are offered for sale under section, periodically will get comments that
have literally nothing to do with the website. The product or anything of that nature completely
and related be filled in by my individual this surgeon is defined as pages create incredibly
related trick to searching and offering inappropriate redundant for holy search results of those
pages are called spam sites use techniques that deliberately subvert search engines algorithms
artificially inflate pages rank rankings the pages somewhere text involves uses blogs which
is short first spam blog sites to block solely for marketing purposes. Spanish 300 spots
that increase the sites search engine rankings users, even if the intended purpose of the
one or more for a snake in itself is for most clicks. Since it is a subjective confidential
data is copied transform authorized to do types of incidents that attacked criminals
with careless disposal of used computer types of information that can be obtained. Financial
information personal health information. Personally identifiable information, trade secrets, Inc.
between the. January 2000 over 227 million individual records containing sensitive personal
security breaches in the United States succumbing to current just in the state of the information
assurance starts to introduce to you framework with which you can use think about security
mechanism is a way of start with what is known as the CIA security triad. The CIA triad three
security concepts important to information on the Internet. Confidentiality, integrity
and availability. Confidentiality is the assurance data privacy and accuracy of information from
being disclosed individuals and entities or processes torture data is seen by those who
need to see if not seen by those who do not need to see it confidential. The I in the
CIA triad stands for integrity. This is the assurance of store data has not been modified
without authorization message that was sent is the same message that we in that last sentence
or the last part of some sums about whatever data we send is that in fact received on the
other end without being modified all if it is modified that messages sent messages have
integrity so that we know that messages a CIA caught triad stands for veiled access
to the website e-commerce data services time restricted to authorized users. Remember the
conversation we had earlier we talked about denial of service attacks response to this
is we want to make sure we do have access to whatever it happens to be that is what
available is all about me, security strategy needs to address the information assurance
model’s components. You will take a look at the Exhibit 9.7 here in just a moment, but
we need to start think about that the security strategy. First is the person look at is the
objective of security, defense tools are to think about prevention deterrence ideally
prevent something and deter people from trying to reach our site first place. If that does
not work we want detection one of you know when our systems been breached limited’s damages
occurred will be able to contain the damage to limit the amount of damage that is can
do to your site want the ability to recover so we will repair the damage need to be able
to correct the damage that works get back to work before the damage occurred and then
we also need awareness and compliance which is really more of a continual process of constantly
reminding users members follow proper policies and procedures are how to avoid some of the
hazards that exist as far as spending vs. the needs gap major concern information security
management because it is hard to match the money, labor time against the various security
threats that exist because the threat landscape is constantly changing new techniques, new
software tools constantly evolving trends the threats are constantly evolving, so it
is hard to align the spending with the dangerous threats in the environment. Therefore, we
need some sort of defense strategy in which we can export the next seven items need to
be able to determine, for example, when the greatest and current data security issues
again system is constantly along we need to answer these questions and revisit them answer
these questions to be down to periodically revisit the these questions and answers to
want is what is the greatest risk of exposure where you spend the money and how much spending
is matched with rich risk exposure. What are the benefits including intangible, which are
tough to measure the get the money spent on security project tools were the losses due
to security incidents in your organization. In general, one of the top security technologies
that reduce security losses. Physical firewalls, antivirus things like that and lastly will
be the guidelines. Security budget lastly assessing security needs political ways of
trying to find out what the current strategies and solution should be, and this is done through
risk assessment process. The first way is through ability assessment. The process of
identifying, quantifying and prioritizing vulnerabilities in the system and e-commerce
work faster artfully our networks database proper protection. Another method is by conducting
Christian text test which will just mom, but the concept of the pen tester nutrition test
that the method of evaluating the security of the computer system or network for simulating
tactile malicious source example cracker on such a way to test the system to make sure
that your resilience to some degree more or less to various vulnerabilities that exist
as far as as he security programs which are defined as all policies, procedures, documents
and standards standards hardware, software, training and personal work together to protect
information the ability to conduct business. Other assets keep in mind that the lifecycle
which the throughout the lifecycle e-commerce security permits must be continuously evaluated
just now lifecycle management information system security involves maintaining this
discrete posture of an information system throughout its life throughout its lifecycle
from the conception of of the system to design to implementation to release to retirement
through through the integration of information source computers security incident management
system that involves the day-to-day operations the monitoring and detection of security events
computer computer network and the execution of responses to those bins. The goal is to
be able to create well understood events and produce predictable responses to damage events
and computer intrusions in order to make sure that you respond appropriately responding
properly met weight control and make sure that your responding in a quick and timely
manner graphically Exhibit 9.8 illustrates the e-commerce security lifecycle management
process. I this is one representation it could actually take on number of forms PC response
at are actually executing incident response plan training requirements, design, implementation,
verification release and you start echo work for you tire the plan to move on to a new
plan in order below pliable this in the context of everything discussed so far we can look
at it that if his general framework is presented here starting off with depending access to
computing systems, data flows and e-commerce transactions how we go about doing that. However
start to to count for think about access control, encryption, content and public-key infrastructure
perspective. Second, I am defending e-commerce networks sort firewall start step in your
protector systems intrusion detection systems and intrusion prevention systems are a good
fit here as well. Sorry general ministry and application controls � are concerned, establishing
guidelines and checklist procedures for protection against social engineering from this is where
we used to describe protection against spam phishing spyware sort to be based on training
trainer various user server organization on how to spot these these types of issues five
disaster preparation, business continuity and risk management is usually managerial
issues that are supported by software pieces and lastly implement enterprisewide security
programs. The sooner we can bring it all together recorded activities of pre-five previous points
in a cohesive manner to make sure that were not missing any section 9.6 access control,
encryption, structured, picks up on in detail on the very first point we just finished with
access control is the mechanism that determines who can legitimately use a network resource.
This is Dr. some form of authentication. Education is a verify user is really is the claim to
be is usually tightly integrated with authorization. Once we have identified that they really are
who they say they are now we know what were resources to grant access to which wants to
not access from generally someone ways and about authenticating users tie around either
something that we know such as a password something that we have a token think of her
18 part is an example user ATM card and a pen combine those two have a token your appendage
and obit without the ATM card in the lastly what we are perhaps the best choice of three
because we cannot lose need to reset it reset our phone that is an example of a biometric
control so controls an automated method for verifying density of a person based on physical
behavior characteristics systems are in occasion systems identify person by measuring a logical
characteristic such as fingerprints, iris patterns, facial features, voice center. They
are not failsafe metrics is not having said that they they hold a lot of promises and
this shift towards him having said by by a long shot passwords or what you know is still
the most common form Jews were said because people know before familiar with its cheap
to implement most systems have passwords built in already and it is easy for me with so is
still tends to be the most widely used form of authentication. There is this push to go
more towards biometrics and an through token-based authentication techniques, encryption comes
in a couple of different general flavors public-key and private key encryption and used to protect
some of our communication specifically for sending sensitive information such as credit
card numbers or things like that across the Internet need some way protecting that as
it goes out in public sphere, which is the we do that using encryption Christians the
process of scrambling encrypting message in such a way that is difficult, expensive and
time-consuming for unauthorized person to unscramble the cryptic scope term terms a
company made with start to talk about encryption plaintext which is the encrypted message in
human readable form. It is the original message they spend on the altar ciphertext is plaintext
message after it has been encrypted into a machine readable form. So now you know really
understand what the meaning is I met by that original text. It has been encrypted encryption,
his mathematical form used to encrypt the plaintext into ciphertext and vice versa essentially
said it is a math form of some sort and it is the key along was a key confusion, but
it is the method with which he used to to Chris so resume should use a ship Cyprus on.
You may shift the three letters over four letters over five. The algorithm is a shift
to the right X number of keys X number of letters. The key is the number so for its
OSHA cipher and and were shifting through space is the right key is three all we need
to knows is two things encryption algorithm. The ship and the key three bows to tell us
how to decrypt and how to encrypt and decrypt the message key spaces. The large number possible
key values created by algorithm to use when transferring the message. The larger the key
space the Morse say for the encryption technique is going to be the harder it is to guess if
you have two possibilities for the key space obviously very easy more space that you have
more possibilities of key values that you have more difficult it is to break the encryption
Exhibit 9.10 shows shows us a very simple encryption approaches refer to symmetric private
key encryption couplings about symmetrical private key encryption you see symmetric.
It starts with the letter S thinks same reason that is important is what you are using to
encrypt and decrypt the message is exactly the same the same key something else to keep
in mind about it because it is the same key. You have to keep it private. Both parties
have to keep profit if the key is discovered by anybody else. The messages run the risk
of no longer being private. This creates a problem you have to be able sure that key
with her trying to send a message to all of the recalls bond that is not a difficult process.
If, however, there very far away. We can figure out some way to get a copy of the key Safeway
copy. So again, provided through the referred to as an out of band transmission networks
remain mail it to me why over and personally handed to some, but if it is an email message
that were trying to encrypt by no means do you email it to the to the user intercepts
email they got the email and the key. One advantage to symmetric key encryption very
efficient approach to the art bandages, but there is also dispenses as well know the disadvantages.
The disadvantage is key management process to people that want to share message. It is
very simple straightforward just two keys, one key and a copy of Becky, but if there
is three people. The number of keys goes up especially if you want have individually private
message with you have a private key between you and this second recipient and you in the
third recipient. So now you have managed to keys and the process of getting those copies
to enter number three if you got four users probably key management a big problem quickly
using symmetric encryption. There are a number different. The types of public key encryption
standards. If you willful key encryption. One popular ones is DES data encryption standard
standard symmetric encryption are supported by the NIST in use various government agencies
until October 2000 the reality is that encryption algorithms be have a finite lifetime as faster
powerful and in this
is the reality of of the encryption business. Having said that there, encryption standards
are always evolving as a recent standard triple DES for example much more robust and is still
used in one case alternative to private key use of private keys were symmetric key encryption
is the use of the public interest section which is a scheme for securing the payments
using public-key encryption and various technical components parts of make a public-key encryption
included public-key asymmetric encryption just a public-key private paired key set so
poker asymmetric encryption is a method of encryption uses a pair of matched keys key
to encrypt message predicated decrypt it vice versa publication encryption code this public
publicly available any may encrypt a message using your public-key and public keys available
and say the body of your email signature in some sort of directory the people you want
everybody to know what your public-key is a private key is encryption code that is only
to its owner. You do not share with anybody. It is not posted any sort of directory or
any other place public-key infrastructure public-key encryption really is something
that basically allows us to send messages back and forth and safe manner, and much more
process than private key encryption key management process is simplified essentially for once
an encrypted message to an individual we look at their public key and the directory or in
previous messages were seated in her signature or where we happen to be able find we encrypt
a message with the public key and send it to that individual because of the unique relationship
between public and private key. The only key that will decrypt that messages the private
key which has anybody else that has access public-key is unable to decrypt that message
is unique relationship between these two keys gives us the capability doing something else.
This is the capability reading what is known as a digital certificate or vigils signature.
This allows us to validate the sender and timestamp the transaction so it cannot be
later claimed that the transaction was authorized or that is invalid so referring to her apartment
number. This is the ability salesperson really did make this purchase. The digital signatures
created by essentially generating hash function using a hash function which is not competition
is applied to a message using the private key to encrypt a message this hash function
takes the original message runs this hash to generate calculation is because our message
digest a summary of the message converted into a string of digits after the hash and
apply were able to compare this hash at a later date in were allowed Celeste compare
the two files to file matchup. We know that the message is authentic if the message digest
does not match up. It is not that something is altered that message. The process might
look something like this message Creek a person create some sort of a message sender sends
a message encrypt a message digest and ends up generating a digital signature so the message
with the digital signature has a hash from the against its creditors envelope and sent
but is off lope since the recipient precipitant opens up that message they compare that digital
signature see the receipt recipient decrypts using recipients private key and they are
able to look at the message recipient applies a hash function that matches the original
message digest the to match the legitimate message. If they do not � it is not something
that the digital envelope of this mention is a combination of the encrypted original
message and the digital signature using recipients public-key cases recipient the sender and
receiver do not know each other and if you are conducting some thought some sort of a
financial transaction, especially the large one, one where you may trusted neither party
trust each other. You may end up using what is known as a certificate authority which
is a third-party that issues digital certificates digital certificate is basically a a certificate
that someone has identified this individual certifying that this person this organization
really is who they claim to be on its way to add a little additional security to individuals
and these people to conduct these types of transactions related to all this to the transactions
crossing is the concept of SSL secure socket layer as a self just a method of encrypting
messages across Internet that combines both public-key and private key encryption in order
to deal with take advantage of the he the intervention about the advantages of each
approach. In other words we use public-key infrastructure to be away exchange private
keys which operate more efficiently conduct the rest of the transactions using the private
key is it something that adds complexity to transactions (across Internet. Fortunately,
a lot of that infrastructure is going on loans process is going on are facilitated by web
browsers and Web servers so that happens in the background, this case most of the time
users I have have any familiarity with any of these types of things that just will not
be aware that they are actually occurring. Make sure that they know their transactions
are our secure part two defense securing e-commerce networks is by far the most part are also
single-point between two or more networks were all traffic must pass through the checkpoint
is a device that authenticates controls and laws all traffic reality is writing different
types of firewalls in return for old self originates with literally a firewall that
exists in multi-multi-housing units that allows the fire to occur in one area and protect
areas to help prevent from spreading to quickly use for occupant. Check it out so firewalls
were designed to detect one network from another network. The bad guys keep the fire out about
the technique when it comes to firewalls. This is a packet which is certain looks at
the segments of data sent from one computer to another network and analyzes information
that they make sense. While on to the network as far as the DMZ its demilitarized zone is
reminiscent of the DMZ that existing North and South Korea. It is a simple viral case
in which a firewall between the Internet and the internal users usually sitting on the
Internet. The DMZ architecture. The DMZ stands demilitarized zone there to firewalls between
Internet internal users area between the two firewalls is referred to as the DMZ a dedicated
it it, and it is dedicated as the one for business partners. The architecture shown
in Exhibit 9.12. As stated earlier firewalls come along different
flavors if you will terms of the host-based those installed on individual computer and
network based firewalls which are designed to protect an entire network personal firewalls,
network node designed to protect an individual user’s desktop system from the public network
monitoring all the traffic that passes through computers network interface card. This is
what typically see built into Windows analog cases or third-party firewalls personal firewalls,
maybe install with your virus suite or something nature is on alarms of is an example of a
personal firewall. Additionally there is there is a variety of other defense mechanisms that
you can use as antivirus, malware detection and protection. Another defense mechanism
that you can use as a virtual private network of VPN. This is a network that uses the public
Internet to carry information but remains private. By using encryption scramble with
medications authentication to ensure that information is not been tampered with and
access control to verify the identity of anyone using network so the idea is that were going
to used for this protocol to to be able to use on the public Internet, which is relatively
expensive and create a virtual environment that is virtually private. It appears private
because everything all the data is encrypted so notes in a very public forum marketing
data might liken it to being in a room with nothing but English speakers and being able
and you be you, along with the person trying to indicate being was speaking another language
and because of that you are conversation is virtually private. Even though everybody else
can hear it. They do not understand what is actually occurring sadunn for process refer
to this protocol tunneling method used to ensure confidentiality and integrity of data
transmitted over the Internet. My encrypting data packets, sending them in packets across
Internet and decrypting them at the destination intrusion detection systems radius is her
special category of software that can monitor activity across the network or the host computer.
Watch for suspicious activity into government action based on what he sees basically what
happens is it in most cases, it has definitions must locate an antivirus application might
and it looks for patterns of intrusions to occur when it monitors those are observes
those patterns occurring usually do one of two things he can either notify someone who
can take action, such as a network. Mr. or you can actually automate actions itself,
such as setting the report blocking a particular IP address or something of that nature. This
is correlated to dealing with denial of service attacks intrusion to one keys to dealing with
ulcers taxes being the detect such an attack very early on in the stages of the attack
is were intrusion detection systems come in helping to to determine that more quickly
than you might otherwise be able to to notice. Additionally, some a promise of computing
is that it has been shown that cloud computing is relatively resistant to denial of service
attacks so it is a denial of service attacks though they are still occurring are not quite
as effective as they once were, decide not to intrusion detection system are the original
concept of a hunting pot hunting that is a network of honeypots iPod is a production
system present only the system that it acts as a firewall racks as a router or a Web server,
database server, an email server or combination of one or two more these that looks like it
does real work but in reality it is a decoy in it simply used as a study mechanism is
a tool to monitor the techniques that hackers use crackers used to try to infiltrate system
issues with this useful for studying their patterns in front of us discover what it is
that you have a do it. I have a gray area because you run into the risk of entrapping
individuals into doing illegal behavior. So the legality of of the approaches somewhat
murky but back to the more general concept of security in the in these areas that regardless
of your firewalls and your your intrusion detection systems and the information that
you learn from use of honeypots are hunting at install sent to address email security
email is traditionally not actively secure mechanism for sending and receiving messages.
There are some things he can do to increase your security such as encrypting your messages
and and running antivirus packages that test your email as your sending messages and receiving
messages to reduce the amount of malware they might send or receive the third step both
the category of defending our e-commerce systems includes the use of general controls, application
controls and things like that application controller see general controls or controls
or styles to protect the system regardless of specific applications. For example, protecting
hardware, controlling access the data center independent of any sort of specific application
so things like the appropriate design of the data center shielding cables against electromagnetic
and fire prevention, detection, extinguishing systems, I am may include power shop backup
batteries properly designed and maintained in operated air-conditioning system to help
cool the data center under things like motion detection alarms in the detect physical intrusion.
These are all examples of general controls really are specific to the software and the
hardware. This being used application controls are intended to protect specific applications
so this would be controls are built into a specific application safer Web server. For
example, to help protect the the software that is in the diverse files are located within
Web server. Same thing for email server, file server, etc. Exhibit 1.13, gives you a graphical
representation of some of different defense controls that you can utilize again on the
general area of general defense controls the physical act physical access data security
indication administrator other than you can use a variety different tools to help defend
systems this way. For example, when we talk about access. You can use biometrics use various
web controls for authentication and encryption things like that on the application side.
Maybe your your monitoring input your monitoring processing or output very things that you
can monitor to be able to help defend the applications that you are using traditionally
compliance or noncompliance or breach information was gathered manually and obviously this is
very time-consuming and often resulted in incomplete information. The use of intelligent
agents horribly provide a lot of promise online does it allow you to gather a lot of that
in information automatically. But it also allows you to be more complete and two. In
some cases respond automatically situations that could occur until the agents are software
applications have some degree of activity, autonomy, adaptability as is needed in unpredictable
pack situations. An agent is able to adapt itself based on changes occurring in the in
its environment. So for example intrusion detection system intrusion prevention system
may have sensors placed throughout the network to be able to observe the date of its coming
across the network as it notices changes. It is not able to react as it is necessary
in order to be able protect the network. Those are examples of intelligent agents that the
firewalls monitoring the information that is back not sensors and adjusting fly, protecting
yourself against spam is more art than science. However, there are certainly a person attempts
to to make it a more scientific my assessing where emails originating from automatically
examining the contents of subject header subject information or the content of an email and
directing it either into spam or junk email folder were sending it to the email box. Those
those of processes of been attempted and are utilized but they are not failsafe. They are
not perfect. The still required manual investigation periodically into your junk mail folder destroyed
by the occasional false positive in the United States, specifically in approaches to take
the to deal with the spam issue for which is referred to as the can spam act: the assault
of non-solicited in marketing act is a law that makes it a crime to send commercial email
messages with false or misleading message headers or miss misleading subject lines wall
great in theory a little part of the issue comes from the fact that email messages originate
from around the globe. It is very difficult for something like this. Having said that
the majority of spam actually originates from the United States so something to keep in
mind talking about this, but again, because other countries do not necessarily have the
same laws are difficult to enforce something like foresees as far as protecting yourself
against pop-up ads so will depends on where the ads originating from several solutions
that exist one which includes software that will block off about prevent them from appearing
in some cases ISPs offer tools. Puppets from occurring. Certain browsers offer that feature
as well. Keep in mind some cases it is not the bathroom originating from a browser rather
there originate for applications in order on the computer all those tools that stockpot
browsers to be less effective or ineffective completely against those types of pop-ups
this for yourself against social engineering attacks and specifically gives fishing and
Albertine realize that there in many cases, some of these attacks. There is no one specific
way of protecting yourself against the users a variety of different ways you can take depending
on the needs of your specific organization. For example, Microsoft involved Albertine
reference a variety of different approaches so far along to be on using automatic updating
the operating system up-to-date. Installing a virus and spy software such Microsoft security
essentials get updated. If you have our software does not include and test our software use
should install separate anti-spyware software such as well a Windows defender Spybot search
and destroy like that first protecting yourself spyware and specifically against the a lot
of various types of of our modest mouse is not a specific spiral of our general using
policies entrances is extremely important things like training, etc. we use policies
reminding employees what they can and cannot do what they should should sharing information
in terms of of downloading applications and files from from in front trusted sites and
opening attachments a lot of the basics of the the are some of the central tenets of
security is a long way to protecting organizations also one of the cheapest ways of protecting
your systems so periodically reminding way periodically reminding your employees what
those policies and procedures are additionally identifying specifically identifying typically
sensitive positions within the organization to target those individuals for additional
training. So for example if you have certain employees within an organization that were
there are going to be around particularly sensitive information you target those particular
employees for additional training to make sure that they do not fall prey to various
social engineering techniques things like that business continuity and disaster recovery
planning starts with disaster avoidance approach oriented toward prevention. That is to minimize
the chance of avoidable disaster such as fire for the human cost threats that is that you
want to avoid it. To begin with. That is the case, and never have to worry about figuring
out how to continue to do business through the disaster or after the disaster getting
back up to speed. You can prevent it from ever occurring in the first place. Those other
issues from point. The purpose of business, is to keep the business of running after disaster
occurs each function of the business should have about recovery capability recovery planning
is part of the asset protection. Every organization should assign responsibility to managers identify
and protect assets within the spheres of of functional control planning should focus first
on recovery from a total loss of all capabilities capability usually involves some kind of what-if
analysis shows a recovery of the recovery plans current all critical Abkhazians must
be identified in the recovery procedures addressed in the plan. The plan should be written so
that if it so that will be effective in case of disaster, not just in order to satisfy
the authors lastly plan should be kept in a safe place Is to get all key managers were
should be available on the Internet or on the Internet plan should be audited periodically.
In other words, it is dynamic. It is not static in these to be something is periodically reviewed
and revised as necessary as the organization changes in his threats change related to business,
nobody is concept of risk management and within the but also the idea of a cost-benefit analysis
of our how much risk willing to accept the risk management process includes identification
of assets and estimating the value conducting a threat assessment conducting vulnerability
assessment calculating impact of each threat will have on on each asset identifying, selecting
and implementing appropriate controls as part of risk management analysis to calculate the
expected losses calculation based on the probability of an attack occurring in first place. The
probability of that attack actually being successful and minimal loss. We would incur
if the attack were successful. Once we been able create backpack calculation and were
able to actually talk cost for prevention system implementing any security program is
going to raise some ethical issues. For example we start to incur utilize various monitoring
tools are network may raise the ire of some employees in some cases, some external groups.
This is we might be violating freedom of speech or other civil rights issues swiftly, so that
when thinking about the various measure controls for wind place balances against the needs
and wants of our employees. Section 9.10 including enterprisewide e-commerce security starts
off by talking up the drivers of e-commerce security management. This includes proliferating
World War I laws and regulations. Complexity of global organizations due to outsourcing
and ever-increasing emphasis on the value of intangible information assets new and fast.
Apologies and often brutal competition in the global marketplace. One of the most important
things in terms of implementing security within an organization is having strong commitment
for management. The idea, the top sets the tone for the rest of the organization so genuine
and well communicated executive commitment about e-commerce security privacy measures
is needed to convince you that insecure practices risky or unethical methods and mistakes due
to ignorance will not be tolerated. The idea is to ultimately build as a unified front
such that is consistent tone throughout the organization regarding security a unified
participatory process that includes everybody in the organization unified front to solve
the security problem. So I have always emphasis on e-commerce security. Why is it difficult.
Internet crime well. One reason is that by it. If we become too restrictive with respect
to security to make shopping and convenient certainly an issue is a lack of corporate
credit card issuers nice piece a foreign ones. The really me and Sen. Roy participate their
sock shopper negligence individual just do not pay attention to the information of their
putting out there and there is ignoring e-commerce security best practices. The first to study
put out over a survey put out by CompTIA computing technology industry Association without a
lot of organizations is simply failed to follow the best practices such as business continuity
plans disaster. Whatever he plans the reason it is difficult to establish e-commerce security
is some of the design and architecture issues that exist for example in designing an e-commerce
solution was’s emphasis is placed on getting the solution up and running and adding on
security after the fact and as a result we look what is referred to as a Band-Aid affect
were much better off to be thinking about security from the very beginning and having
security built into the application and if that does not tend to be the norm so that
design that initial design architecture perspective tends to to play a role as well. Lastly, the
lack of due care and business practices. In some cases we have poor hiring practices or
design poor procedures. We outsource certain critical components to your organization.
In some cases we both business partnerships that may not be the best partnerships as a
result being the compromising customer data, intellectual property and things like that
in this chapter we talk about e-commerce security. Security issues and some managerial issues
that are faced with that are worse the best e-commerce security strategies for your particular
company. This can be different for your company be different for your industry is the budget
for e-commerce security. Adequate answer to be no but how close are you to having an adequate
budget was steps should businesses follow in establishing security plan, usually following
a methodical approach tends to do much better because you are able to have reproducible results. Once you
have reproducible results. You can then start to identify where you are failing and in the
back and improve the most areas should organizations be concerned with internal security threats
absolutely. I think the book talks about roughly half of threats originating from internal
workers. This is something is been historically true and wall threats really are kind of all
around internal threats Posey a unique threat that you have to be accounted for and lastly,
what is the key to establishing strong eco-e-commerce security really having strong leadership and
having that leadership est. on security procedures and policies and adhering to themselves so
that the the support can grow from the top down throughout the organization’s after reading
this chapter, you should have the good idea of some of the keys to establishing strong
e-commerce security implementation is that the basic idea of e-commerce security issues
and terminology show pretty good idea about the threats, vulnerabilities and technical
tax know what Internet fraud, phishing and spam are just understand what information
assurances you should know’s what securing e-commerce access control medications means
you should know as technologies for protecting networks are you should know the different
controls and special defense mechanisms. You should BeOS have some idea of how to protect
yourself fraud. You should know the role of business continuity and disaster recovery
planning, you should understand and appreciate enterprisewide e-commerce security you should
know why it is impossible to stop computer crimes. This concludes chapter 9, security
and fraud protection. Thank you.

Leave a Reply

Your email address will not be published. Required fields are marked *