CIS Electronic Commerce
NETWORKS
A network is a system of computers, peripherals, terminals, and databases connected by
communications lines. One way of distinguishing between types of networks is the geographic area
covered by their distributed sites.
TYPES
LANs – Local area networks are often confined to a single room in a building, or they may link
several buildings within a close geographic area. However, a LAN can cover distances of several
miles and connect hundreds of users. LANs are typically privately owned and controlled.
WANs – When networks exceed the geographic limitations of a LAN, they are called wide area
networks. WANs typically employ common-carrier facilities between remote nodes because of
distances and the high cost of interconnections. The WAN may be used to link together
geographically dispersed segments of a single organization or connect multiple organizations in
a trading partner arrangement.
Internet/Internet-Works – With the advent of the internet, networks expanded beyond WANs
to a global “network of networks.”
NETWORK TOPOLOGY – the physical arrangement of components (terminals, servers, and
communication links) in a network
Star Topology – a network of computers with a large central computer (the host) at the hub that
has direct connections to a periphery of smaller computers. Communications between the
nodes in the star are managed and controlled from the host site. If one or more nodes in a star
network fail, communication between the remaining nodes is still possible through the central
site. However, if the central site fails, individual nodes can function locally but cannot
communicate with the other nodes.
Hierarchical Topology – a host computer is connected to several levels of subordinate smaller
computers in a master-slave relationship. This structure is applicable to firms with many
organizational levels that must be controlled from a central location.
Ring Topology – this eliminates the central site. All nodes in this configuration are of equal
status; thus, responsibility for managing communications is distributed among the nodes. The
ring topology is a peer-to-peer arrangement in which all nodes are of equal status.
Bus Topology – nodes are all connected to a common cable—the bus. Communications and file
transfers between workstations are controlled centrally by one or more servers.
ARCHITECTURES – this refers to either hardware or software, or a combination of both. The architecture
of a system always defines its broad outlines, and may define precise mechanisms as well.
Peer-to-peer (P2P) – this is a type of network in which each workstation has equivalent
capabilities and responsibilities. This architecture differs from client-server architectures, in
which some computers are dedicated to serving the others.
Client-server – This is often misused to describe any type of network arrangement. This model
distributes the processing between the user’s (client) computer and the central file server. Both
computers are part of the network, but each is assigned functions that it performs best.
PROTOCOLS
Network protocols are the rules and standards governing the design of hardware and software
that permit users of networks manufactured by different vendors to communicate and share data.
Functions of protocols:
• Facilitate the physical connection between the network devices. Through protocols, devices
are able to identify themselves to other devices as legitimate network entities and thus initiate a
communication session.
• Synchronize the transfer of data between physical devices.
• Provide a basis for error checking and measuring network performance.
• Promote compatibility among network devices.
• Promote network designs that are flexible, expandable, and cost-effective.
COMPONENTS
Network Operating System – manages the functions and data across the network. The NOS controls
communications between the physical devices connected to the network. There are three basic
methods for managing and controlling these transmissions:
1. Polling – the most popular technique for establishing communication sessions. Here,
the master node polls the slave nodes to determine if they have data to transmit.
2. Token Passing – this involves transmitting a special signal—the token—around the
network from node to node in a specific sequence. Only the node possessing the token
is allowed to transmit data.
3. Carrier Sensing – this is a random access technique that detects collisions when they
occur. The node wishing to transmit listens to the bus to determine if it is in use. If it
senses no transmission in progress, the node transmits its message to the receiving
node.
Nodes/Terminals – any input-output device connected by a communications line to a computer
is a node. Many users interact with computers via terminals, which come in numerous varieties
and are produced by scores of vendors.
1. Dumb Terminals – they can only send and receive data. All processing capability is
centralized in the host computer.
2. Smart Terminals – they can support user applications under the control of the host
computer. Most smart terminals provide local storage of data and permit data editing
before transmission.
3. Programmable Terminals – a personal computer is used as a programmable terminal.
Transmission Channels
1. Asynchronous transmission – there is no continuous synchronization between the
sending and receiving devices.
2. Synchronous transmission – this method uses a separate timing signal to keep the
receiving end’s device in constant synchronization with the transmitting device.
3. Simplex transmission – allows transmission in one direction only.
4. Half duplex transmission – allows signals to be sent in both directions, but not
simultaneously.
5. Full duplex transmission – signals can be sent and received simultaneously.
Server(s) – LAN nodes often share common resources such as programs, data, and printers,
which are managed through special-purpose computers called servers.
INTERNET
TYPES
Intranet – this is designed to be accessible only by the organization’s members and employees,
or others who have proper authorization. Like the internet, intranets are used to share
information.
Extranet – this internet-work is a password-controlled network for private users rather than the
general public. Extranets are used to provide access to trading partners’ internal databases.
COMPONENTS
Client-server architecture – the foundational structure of the technologies used for the
internet.
Web Browser – the universal user interface to not only the internet and web, but many of the
newer systems and networks based on internet technologies as well
Web Development Technologies – the tools used to build, maintain, and manage Web sites.
Email
File Transfer Protocol (FTP) – used to transfer files across the internet
TCP/IP protocol suite – enables disparate systems and computers to communicate seamlessly
with each other
ELECTRONIC COMMERCE
TYPES
Business-to-Business (B2B) – encompasses all electronic transactions of goods or services
conducted between companies. Producers and traditional commerce wholesalers typically
operate with this type of electronic commerce.
Business-to-Consumer (B2C) – distinguished by the establishment of electronic business
relationships between businesses and final consumers. It corresponds to the retail sector of
e-commerce, where traditional retail trade normally operates.
Consumer-to-Consumer (C2C) – encompasses all electronic transactions of goods or services
conducted between consumers. Generally, these transactions are conducted through a third
party, which provides the online platform where the transactions are actually carried out.
Consumer-to-Business (C2B) – there is a complete reversal of the traditional sense of
exchanging goods. This type of e-commerce is very common in crowdsourcing based projects. A
large number of individuals make their services or products available for purchase for
companies seeking precisely these types of services or products.
Business-to-Administration (B2A) – encompasses all transactions conducted online between
companies and public administration. This is an area that involves a large number and variety
of services, particularly in areas such as fiscal, social security, employment, legal documents and
registers, etc. These types of services have increased considerably in recent years with
investments made in e-government.
Consumer-to-Administration (C2A) – encompasses all electronic transactions conducted
between individuals and public administration.
RISKS
Internal:
• Accidents or System/Infrastructure Failure – most common reason for problems
• Ineffective Accountability – in making sure the procedures are actually working. This creates the
same risk as if no policy or procedure were ever developed.
• Malicious Activities – from the entity’s own employees (e.g., a fired employee might seek revenge
by an act of cyber terrorism or fraud).
• Fraud – by the entity’s own employees.
External:
• Intruders – hackers, crackers, script kiddies
• Viruses
• Cyber Terrorism / Cyber-Crime
CONTROLLING INTERNET / E-COMMERCE
CONTROLS
• Policies and Procedures – Once the risk assessment team identifies a risk, they should develop a
policy to state the organization’s intents regarding the risky event, which will lead to a choice of
procedures to prevent and detect the event.
• SDLC Techniques – practices such as documentation, involvement of end-users, testing of
systems offline before implementing them operationally, etc. have proven to be effective
• Anti-Virus Systems – an AVS alone is not sufficient. The organization must also be part of an alert
or early warning system for emerging viruses.
• Message Sequence Numbers – a sequence number is inserted in each message, and any
attempt to delete a message, change the order of messages received, or duplicate a message by
an intruder in the communications channel will become apparent at the receiving end.
• Logs – all incoming and outgoing messages, as well as attempted (failed) access, should be
recorded in a message transaction log. The log records the ID, time of access, and the terminal
location or telephone number from which the access originated.
• Monitoring Systems – when combined with graphs that are conscientiously read, any malicious
activity could be spotted by radical changes in the trend line of the graph.
• Access Control Systems – used to authorize and authenticate users.
1. Call Back Systems – requires the dial-in user to enter a password and be identified. If the
caller is authorized, the call-back device dials the caller’s number to establish the connection.
2. Challenge-Response Systems – a control message from the sender and a response from
the receiver are sent at periodic, synchronized intervals.
3. Multifaceted Password Systems – combine passwords with other access controls such as
biometrics, dynamic PIN systems, advanced security tools, etc.
4. Biometrics – automated measuring of one or more specific attributes of a person, with
the objective of being able to distinguish that person from all others.
5. Firewalls – consist of both software and hardware that provide a focal point for security
by channelling all network connections through a control gateway. There are two types:
network-level firewalls and application-level firewalls.
6. Intrusion Detection Systems – inspect all inbound and outbound network activity and
identify suspicious patterns that may indicate a network or system attack from
someone attempting to break into or compromise a system.
7. Controlling Denial-of-Service Attacks
8. Encryption – conversion of data into a secret code for storage in databases and
transmission over networks.
AUDIT OBJECTIVES
• Verify the security and integrity of the electronic commerce transactions by determining that
controls (1) can detect and correct message loss due to equipment failure, (2) can prevent and
detect illegal access both internally and from the Internet, and (3) will render useless any data
that are successfully captured by a perpetrator.
• Verify that backup procedures are sufficient to preserve the integrity and physical security of the
databases and other files connected to the network.
• Determine that (1) all EDI transactions are authorized, validated, and in compliance with the
trading partner agreement; (2) no unauthorized organizations accessed database records; (3)
authorized trading partners have access only to approved data; and (4) adequate controls are in
place to ensure a complete audit trail of all EDI transactions.
Backup Control for Network
• Verify that backup is performed routinely and frequently to facilitate the recovery of lost,
destroyed or corrupted data.
• Production databases should be copied at regular intervals.
• Verify that automatic backup procedures are in place and functioning, and copies of files and
databases are stored off-site for further security.
Test of Validation Controls
1. Review agreements with the VAN facility to validate transactions and ensure that information
regarding valid trading partners is complete and correct.
2. Examine the organization’s valid trading-partner file for accuracy and completeness.
Test of Access Controls
1. The auditor should determine that access to the valid vendor or customer file is limited to
authorized employees only. The auditor should verify that access to this file is controlled by
password and authority tables and that the data are encrypted.
2. The degree of access a trading partner should have to the firm’s database records will be
determined by the trading agreement. The auditor should reconcile the terms of the trading
agreement against the trading partner’s access privileges stated in the database authority table.
3. The auditor should simulate access by a sample of trading partners and attempt to violate
access privileges.
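The reconciliation in step 2 above can be scripted: compare the privileges each trading partner is granted in the authority table against what its trading agreement allows, and report both excess and missing privileges. This is an added example, not part of the original notes; the agreement records, authority-table rows, partner IDs and table names are all constructed.

```python
"""Reconcile trading-partner agreements against the database authority table.

Added example, not from the original notes. The agreements and authority-table
rows below are constructed; real formats depend on the EDI/VAN setup.
"""

# Constructed trading agreements: which tables each partner may read/write.
AGREEMENTS = {
    "TP-ALPHA": {"purchase_orders": {"read", "write"}, "invoices": {"read"}},
    "TP-BETA": {"invoices": {"read"}, "purchase_orders": {"read"}},
}

# Constructed database authority table rows: (partner id, table, privilege).
AUTHORITY_TABLE = [
    ("TP-ALPHA", "purchase_orders", "read"),
    ("TP-ALPHA", "purchase_orders", "write"),
    ("TP-ALPHA", "invoices", "read"),
    ("TP-ALPHA", "price_list", "read"),   # not in the agreement: excess privilege
    ("TP-BETA", "invoices", "read"),
    ("TP-BETA", "invoices", "write"),     # agreement allows read only: excess
    ("TP-GAMMA", "invoices", "read"),     # no agreement at all for this partner
]


def reconcile(agreements, authority_rows):
    """Return auditor exceptions: privileges granted but not agreed ("excess")
    and privileges agreed but not granted ("missing"), each sorted for review."""
    granted = {}
    for partner, table, priv in authority_rows:
        granted.setdefault(partner, {}).setdefault(table, set()).add(priv)

    excess, missing = [], []
    # Anything in the authority table that the agreement does not cover.
    for partner, tables in granted.items():
        agreed = agreements.get(partner, {})
        for table, privs in tables.items():
            for priv in sorted(privs - agreed.get(table, set())):
                excess.append((partner, table, priv))
    # Anything the agreement promises that the authority table does not grant.
    for partner, tables in agreements.items():
        have = granted.get(partner, {})
        for table, privs in tables.items():
            for priv in sorted(privs - have.get(table, set())):
                missing.append((partner, table, priv))
    return {"excess": sorted(excess), "missing": sorted(missing)}


if __name__ == "__main__":
    for kind, rows in reconcile(AGREEMENTS, AUTHORITY_TABLE).items():
        print(kind, rows)
```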
Test of Audit Trail Controls
1. The auditor should verify that the EDI system produces a transaction log that tracks transactions
through all stages of processing.
AUDIT PROCEDURES
1. Select a sample of messages from the transaction log and examine them for garbled contents
caused by line noise. The auditor should verify that all corrupted messages were successfully
retransmitted.
2. Review the message transaction log to verify that all messages were received in their proper
sequence.
3. Test the operation of the call-back feature by placing an unauthorized call from outside the
installation.
4. Review security procedures governing the administration of data encryption keys.
5. Verify the encryption process by transmitting a test message and examining the contents at
various points along the channel between the sending and receiving locations.
6. Review the adequacy of the firewall in achieving the proper balance between control and
convenience based on the organization’s business objectives and potential risks. Criteria for
assessing the firewall effectiveness include flexibility, proxy services, filtering, segregation of
systems, audit tools, probe for weaknesses, and review password control procedures.
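The Message Sequence Numbers control and audit procedure 2 above both come down to one check over the message transaction log: every sequence number should appear exactly once and in order. The script below, an added example that is not part of the original notes, parses a constructed log (ID, time, terminal and sequence number per entry, as the Logs control describes) and reports deleted, reordered and duplicated messages.

```python
"""Check a message transaction log for sequence-number anomalies.

Added example, not from the original notes. The log format is constructed:
    <seq>|<user id>|<timestamp>|<terminal>|<direction>
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: seq 4 never arrives, 6 arrives before 5, 3 is repeated.
SAMPLE_LOG = """\
1|TP-ALPHA|2024-03-01T09:00:00|TERM-12|IN
2|TP-ALPHA|2024-03-01T09:00:05|TERM-12|IN
3|TP-ALPHA|2024-03-01T09:00:09|TERM-12|IN
3|TP-ALPHA|2024-03-01T09:00:09|TERM-12|IN
6|TP-ALPHA|2024-03-01T09:00:21|TERM-12|IN
5|TP-ALPHA|2024-03-01T09:00:25|TERM-12|IN
"""


@dataclass(frozen=True)
class LogEntry:
    seq: int
    user_id: str
    time: datetime
    terminal: str
    direction: str


def parse_log(text: str) -> list:
    """Parse the constructed log format, one entry per non-empty line, in arrival order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, user_id, ts, terminal, direction = line.split("|")
        entries.append(LogEntry(int(seq), user_id, datetime.fromisoformat(ts), terminal, direction))
    return entries


def check_sequence(entries: list, expected_first: int = 1) -> dict:
    """Report, in arrival order: duplicates (a number seen twice, i.e. a replayed or
    duplicated message), out_of_order (a number lower than one already received),
    and missing (numbers never received below the highest seen, i.e. deleted/lost)."""
    seen = set()
    duplicates, out_of_order = [], []
    highest = expected_first - 1
    for e in entries:
        if e.seq in seen:
            duplicates.append(e.seq)
            continue
        if e.seq < highest:
            out_of_order.append(e.seq)
        seen.add(e.seq)
        highest = max(highest, e.seq)
    missing = [n for n in range(expected_first, highest + 1) if n not in seen]
    return {"duplicates": duplicates, "out_of_order": out_of_order, "missing": missing}


if __name__ == "__main__":
    for kind, seqs in check_sequence(parse_log(SAMPLE_LOG)).items():
        print(f"{kind}: {seqs}")
```

A clean log yields three empty lists; anything else is an exception for the auditor to trace to a retransmission record or an intrusion.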
SEALS OF ASSURANCE
E-commerce assurance seal services are defined as web assurance services (WASSs) for internet
e-retailers’ sites provided by a third party. The third-party web assurance seal is one strategy by which
vendors can signal trustworthiness to the online shopper, especially for smaller vendors. The online
symbols are usually displayed on the front page of the vendor’s website, and vendors see the investment
as an enhancement of trustworthiness to the consumer.
Three functions are most commonly served by these web assurance seals: transaction security,
consumer privacy, and transaction integrity.
TYPES
Privacy assurance – a promise from the vendor to the consumer to not share consumer’s
personal information with a third party.
Security assurance – has the objective of making online transactions safer through the use of
encryption; it stops the unauthorized access to the private information without the consent of
either the consumer or vendor. This prevents the use of credit data for personal or nefarious
gains by the hacker.
PROS
Ease of recognition of vendor credentials – consumers turn to third party seal programs to
verify credentials of online vendors
Signal of trustworthiness of online vendors – web assurance seals play an important role in
increasing the perceived trustworthiness of vendors for consumers who perceive a high risk in
conducting online purchases
Brand enhancement – web assurance seals are also used as a co-branding strategy to signal to
consumers that the site has achieved a certain high standard
Role of risk reliever – the presence of an assurance seal on a website is an essential form of
guarantee to the customers.
Price premium for seal-protected websites – firms that display security seals charge a higher price
for their product than competitors without a seal. However, the premium disappears when
many vendors are all sealed.
CONS
Weakening effects of seals when combined – the privacy assurance function, when combined
with other security assurance, can have less impact on consumers’ initial trust on a per-seal
basis. This means that customers can become desensitized when there are too many seals
displayed simultaneously on a website.
Potential breach of customer trust – since a seal represents all the e-retailers that use the seal
on their websites, if one e-retailer breaches a seal standard, it may significantly impact the
reputation of that seal for all the vendors who carry it.
Information asymmetry – if consumers are unfamiliar with the role of seals and are not able to
distinguish the seals that require a rigorous verification process from those that are weak, then
seals do not provide useful information to users and users remain distrustful towards the site
Lack of guarantee – obtaining a seal merely means that a business is able to pass certain
predesigned monitoring tests on an ongoing basis; there is no guarantee that a security breach
would not occur in the future
Benitez, Ralph
Felices, Jeanette
Iral, Jean Nicole