Security For E-Business

Chapter 2

Security for E-Business


Introduction

 Security is an essential part of any transaction that takes place over the internet. Customers will lose their faith in e-business if its security is compromised.
The following are the essential requirements for safe e-payments/transactions:
 Confidentiality − Information should not be accessible to an unauthorized person. It should not be intercepted during transmission.
 Integrity − Information should not be altered during its transmission over the network.
 Availability − Information should be available wherever and whenever required, within a specified time limit.
 Authenticity − There should be a mechanism to authenticate a user before giving them access to the required information.
 Encryption − Information should be encrypted and decrypted only by an authorized user.
 Audit-ability − Data should be recorded in such a way that it can be audited for integrity requirements.
Measures to ensure Security
 Encryption − It is a very effective and practical way to safeguard the data being transmitted over the network. The sender of the information encrypts the data using a secret code, and only the specified receiver can decrypt the data using the same or a different secret code.
 Digital Signature − A digital signature ensures the authenticity of the information. A digital signature is an e-signature authenticated through encryption and a password.
 Security Certificates − A security certificate is a unique digital ID used to verify the identity of an individual website or user.
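As an added example (Go, not part of the original slides), the program below shows the last two measures working together: a certificate authority issues a security certificate that binds a hostname to a key pair, a client verifies that certificate against the root it trusts, and the site's private key produces a digital signature that the public key in the certificate verifies. The names Example Root CA and shop.example.com and the sample order text are made up for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Issuer struct {
	Key  ed25519.PrivateKey // private key, never leaves the owner
	Cert *x509.Certificate  // certificate carrying the matching public key
}

// makeCert generates a key pair and has parent sign a certificate for it (self-signed when parent is nil).
func makeCert(tmpl *x509.Certificate, parent *Issuer) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	parentCert, signer := tmpl, any(priv)
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{Key: priv, Cert: cert}, nil
}

// newCA creates the self-signed root that clients are configured to trust.
func newCA(name string) (*Issuer, error) {
	return makeCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// issueSiteCert has the CA vouch for a hostname: the certificate is the site's digital ID.
func issueSiteCert(ca *Issuer, host string) (*Issuer, error) {
	return makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
}

// verifySite is the browser's check: the certificate must chain to a trusted root and name the host visited.
func verifySite(trustedRoot, site *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := site.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// signMessage signs with the site's private key; verifyMessage checks it with the public key from the certificate.
func signMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}
func verifyMessage(cert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig) // false if the message or signature was altered
}

func main() {
	ca, _ := newCA("Example Root CA")
	site, _ := issueSiteCert(ca, "shop.example.com")
	fmt.Println(verifySite(ca.Cert, site.Cert, "shop.example.com"), verifyMessage(site.Cert, []byte("order 1234"), signMessage(site.Key, []byte("order 1234"))))
}
```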
Client-Side Security
 Client-side security is concerned with the techniques and practices that protect a user's privacy and the integrity of the user's computing system. The purpose of client-side security is to prevent malicious destruction of a user's computer systems and to prevent unauthorized use of a user's private information, such as the use of a user's credit card number for fraudulent purposes.
Server-Side Security
 Server-side security is concerned with the techniques and practices that protect the web server software. The purpose of server-side security is to prevent modification of a website's contents, prevent use of the server's hardware, software or databases for malicious purposes, and to ensure reasonable access to a website's services.
Client Threats
 Active Content: Active content refers to programs that are embedded transparently in web pages and that cause actions to occur. Active content can display moving graphics, download and play audio, or implement web-based spreadsheet programs. Active content is used in e-commerce to place items one wishes to purchase into a shopping cart, etc.
 Embedding active content in web pages involved in e-commerce introduces several security risks. Malicious programs delivered quietly via web pages could reveal credit card numbers, usernames, and passwords that are frequently stored in special files called cookies.
 Malicious Code: Computer viruses, worms and Trojan horses are examples of malicious code.
 A Trojan horse is a program which performs a useful function, but performs an unexpected action as well.
 A virus is a code segment which replicates by attaching copies of itself to existing executables.
 A worm is a program which replicates itself and causes execution of the new copy. These can create havoc on the client side.
 Server-Side Masquerading: Masquerading lures a victim into believing that the entity with which it is communicating is a different entity. For example, if a user tries to log into a computer across the internet but instead reaches another computer that claims to be the desired one, the user has been spoofed. This may be a passive attack, in which the user does not attempt to authenticate the recipient but merely accesses it, but it is usually an active attack, in which the masquerader issues responses to mislead the user about its identity.
Communication Channel Threats
 Confidentiality Threats: Confidentiality is the prevention of unauthorized information disclosure. Breaching confidentiality on the internet is not difficult.
 For instance, suppose one logs onto a website www.anybiz.com that contains a form with text boxes for name, address, and e-mail address. When one fills out those text boxes and clicks the submit button, the information is sent to the web server for processing: the captured data and the HTTP request carrying it to the server are then sent.
 Now, suppose the user changes his mind, decides not to wait for a response from the anybiz.com server, and jumps to another website instead, www.somecompany.com. The server somecompany.com may choose to collect web demographics and log the URL from which the user just came (www.anybiz.com). By doing this, somecompany.com has breached confidentiality by recording the secret information the user has just entered.
 Integrity Threats: An integrity threat exists when an unauthorized party can alter a message stream of information. Unprotected banking transactions are subject to integrity violations. Cyber vandalism is an example of an integrity violation.
 Cyber vandalism is the electronic defacing of an existing website page. Masquerading or spoofing (pretending to be someone you are not, or representing a website as the original when it really is a fake) is one means of creating havoc on websites.
 Availability Threats: The purpose of availability threats, also known as delay or denial threats, is to disrupt normal computer processing or to deny processing entirely. For example, if the processing speed of a single ATM transaction slows from one or two seconds to 30 seconds, users will abandon the ATM entirely.
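The www.anybiz.com example above leaks because form fields submitted with GET become part of the URL, and that URL is what the browser sends to the next site in the Referer header. As an added example (Go, not part of the original slides), the program below shows what the somecompany.com server could read out of such a Referer, and a hardened handler for the hypothetical anybiz.com form that accepts only POST, so the fields travel in the request body, and sets Referrer-Policy: no-referrer so the browser sends no Referer when the user moves on; the Referer value and field names are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// refererFields returns the form fields a third-party site can read from the Referer
// header when the previous page carried them in its URL (a GET form submission).
func refererFields(referer string) map[string]string {
	u, err := url.Parse(referer)
	if err != nil {
		return nil
	}
	fields := map[string]string{}
	for k, v := range u.Query() {
		fields[k] = v[0]
	}
	return fields
}

// signupHandler is the hardened form handler (hypothetical www.anybiz.com): only POST
// is accepted, so fields stay out of the URL, and the browser is told to send no
// Referer when the user navigates away.
func signupHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Referrer-Policy", "no-referrer")
	if r.Method != http.MethodPost {
		w.Header().Set("Allow", http.MethodPost)
		http.Error(w, "submit the form with POST", http.StatusMethodNotAllowed)
		return
	}
	if err := r.ParseForm(); err != nil {
		http.Error(w, "malformed form", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "thanks, %s\n", r.PostFormValue("name"))
}

// submit drives signupHandler in-process and reports the status code, the
// Referrer-Policy sent back, and whether any field ended up in the request URL.
func submit(method, target, body string) (status int, policy string, fieldsInURL bool) {
	req := httptest.NewRequest(method, target, strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	signupHandler(rec, req)
	return rec.Code, rec.Header().Get("Referrer-Policy"), req.URL.RawQuery != ""
}

func main() {
	// Constructed Referer: the URL a GET form on www.anybiz.com would have produced.
	leaked := refererFields("http://www.anybiz.com/signup?name=Alice&email=alice%40example.com")
	fmt.Println("somecompany.com could log:", leaked)
	status, policy, inURL := submit(http.MethodPost, "http://www.anybiz.com/signup", "name=Alice&email=alice%40example.com")
	fmt.Println("POST submission:", status, policy, "fields in URL:", inURL)
}
```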
Server Threats
 Web-server Threats: Web-server software is designed to deliver web pages by responding to HTTP requests. While web-server software is not inherently high-risk, it has been designed with web service and convenience as the main design goals. The more complex the software is, the higher the probability that it contains coding errors (bugs) and security holes, that is, security weaknesses that provide openings through which evil-doers can enter.
 Commerce Server Threats: The commerce server, along with the web server, responds to requests from web browsers through the HTTP protocol and CGI scripts. Several pieces of software comprise the commerce server software suite, including an FTP server, a mail server, a remote login server, and the operating systems on host machines. Each of these pieces of software can have security holes and bugs.
 Database Threats: E-commerce systems store user data and retrieve product information from databases connected to the web server. Besides product information, databases connected to the web contain valuable and private information that could irreparably damage a company if it were disclosed or altered. Some databases store username/password pairs in a non-secure way.
 Common Gateway Interface Threats: CGI implements the transfer of information from a web server to another program, such as a database program. CGI and the programs to which it transfers data provide active content to web pages. Because CGIs are programs, they present a security threat if misused.
 Password Hacking: The simplest attack against a password-based system is to guess passwords. Guessing of passwords requires that access to the complement, the complementation functions, and the authentication functions be obtained. If none of these have changed by the time the password is guessed, then the attacker can use the password to access the system.
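In the terms used above, the stored password data is the complement, the function that computes it from a password is the complementation function, and the login check is the authentication function. As an added example (Go, not part of the original slides), the program below implements a complementation function that is salted and deliberately slow (one block of PBKDF2 over HMAC-SHA256, so each guess costs the guesser as much work as it costs the server) and an authentication function that compares the result in constant time; the sample password and the iterations$salt$hash record format are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// pbkdf2SHA256 is the complementation function: it turns a password and a per-user
// salt into a 32-byte complement. It is one block of PBKDF2 (RFC 8018) over HMAC-SHA256.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// deriveHex exposes the derived complement as hex so it can be checked against test vectors.
func deriveHex(password, salt string, iterations int) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(password), []byte(salt), iterations))
}

// hashPassword builds the record kept in the password store: iterations$salt$complement.
// The password itself is never stored, and the random salt defeats precomputed tables.
func hashPassword(password string, iterations int) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	c := pbkdf2SHA256([]byte(password), salt, iterations)
	return fmt.Sprintf("%d$%s$%s", iterations, hex.EncodeToString(salt), hex.EncodeToString(c)), nil
}

// verifyPassword is the authentication function: recompute the complement with the
// stored salt and compare in constant time, so response timing leaks nothing.
func verifyPassword(record, password string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 3 {
		return false
	}
	iterations, err := strconv.Atoi(parts[0])
	if err != nil || iterations < 1 {
		return false
	}
	salt, errSalt := hex.DecodeString(parts[1])
	want, errHash := hex.DecodeString(parts[2])
	if errSalt != nil || errHash != nil {
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, iterations)
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	record, err := hashPassword("correct horse battery staple", 100000) // sample password
	if err != nil {
		panic(err)
	}
	fmt.Println("stored record:", record)
	fmt.Println("right password accepted:", verifyPassword(record, "correct horse battery staple"))
	fmt.Println("wrong password accepted:", verifyPassword(record, "password123"))
}
```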
IMPORTANCE OF E-BUSINESS SECURITY
 As the internet can expose one's e-business and customers to various risks, it is essential to ensure that adequate consideration is given to the security of one's computer system and online activities, in order to protect the business' assets, reputation and ability to generate an income, as well as customers' privacy and relationships with customers.
 As the nature of e-business requires sending information between one's business and customers, it is essential that ample protection of information is provided, as the business and its customers may be exposed to risks such as theft, fraud, hackers, etc.
 It is important to ensure that electronic transfers of information and transactions are secure, as the information runs the risk of being intercepted and stolen by hackers, who maliciously and intentionally access data in order to steal information or cause harm and disruption to business operations.
 Another potential risk that one's business may face is what is referred to as a denial of service. This occurs when there is an intentional overload of the network to disrupt operations, which ultimately crashes the server. Customers will not be able to access the website, and thus loss of revenue may result.
Steps to be taken for providing E-Business Security
 Develop a culture of security
 Businesses need to have internet security measures in place and make sure staff are aware of, and follow, internet security practices.
 Install antivirus software and keep it updated
 Anti-virus software scans for and removes known viruses the computer may have contracted. It will help protect the computer against viruses, worms and Trojans.
 Install a firewall to stop unauthorized access to the computer
 Firewalls work like a security guard to protect the computer from intruders.
 Protect from harmful emails
 It is important to be cautious about opening emails from unknown or questionable sources.
 Minimize spam
 While it is not possible to completely stop spam from entering the email box, steps to reduce the amount of such risks have to be taken.
 Back up data
 Creating a back-up copy of data is a sensible way to ensure that all the business information can be recovered from the computer or website quickly and easily.
 Develop a system for secure passwords
 Creating effective passwords can provide an additional means of protecting the information on the computer.
 Keep software up-to-date
 Outdated software may make a system vulnerable. It is essential to keep the software updated.
 Ensure that online banking is secure
 Following the security advice provided by the respective financial institutions helps in keeping financial transactions secure.
 Develop and maintain a security policy
 Monitoring and testing security policies is a continuous process. Security is not about the number of features but a system process. A comprehensive security policy is required to ensure the security of the system.
IMPLEMENTING E-COMMERCE SECURITY
 Security requirement specification and risk analysis
 This is the first phase in the security engineering life cycle. It collects information regarding the assets of the organization that need to be protected, the threat perception on those assets, associated access control policies, existing operational infrastructure, connectivity aspects, the services required to access the assets, and the access control mechanism for each service.
 Security policy specification
 This phase uses the security requirement specification and risk analysis report as input and generates a set of e-commerce security policies.
 Security infrastructure specification
 This phase analyses the “security requirement specification” and the “security policy specification” to generate a list of security tools that are needed to protect the assets. It also provides views on the location and purpose of the security tools.
 Security infrastructure implementation
 The organization, in this phase, procures, deploys and configures the selected security infrastructure at the system level.
 Security testing
 In this phase, several tests are carried out to test the effectiveness of the security infrastructure, the functionality of the access control mechanism, the specified operational context, the existence of known vulnerabilities in the infrastructure, etc.
 Requirement validation
 This phase analyses the extent to which the security requirements of the e-commerce organization are fulfilled by the corresponding security policy and the implemented security infrastructure. Changes in the business goals, operational environment and technology may lead to a fresh set of security requirements, thereby triggering a new cycle of the “security engineering life cycle”.
Encryption
 To encrypt a file or other information stored in a computer means to convert it into a secret code.
There are two types of encryption:
◦ Asymmetric Encryption
 In public key (asymmetric) encryption, two mathematically-related keys are used: one to encrypt the message and the other to decrypt it. These two keys combine to form a key pair. Asymmetric encryption provides both data encryption and validation of the communicating parties' identities, and is considered more secure than symmetric encryption, but is computationally slower.
◦ Symmetric Encryption
 Private key (symmetric) encryption, also referred to as conventional or single-key encryption, is based on a secret key that is shared by both communicating parties. It requires all parties that are communicating to share a common key. The sending party uses the secret key as part of the mathematical operation to encrypt (or encipher) plain text to cipher text. The receiving party uses the same secret key to decrypt (or decipher) the cipher text to plain text.
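As an added example (Go, not part of the original slides), the program below puts the two types side by side: AES-256-GCM, where sender and receiver must hold the same key, and RSA-OAEP, where the receiver's public key encrypts and only the matching private key decrypts. The sample message and the key sizes are this example's assumptions; in practice the slow asymmetric operation is usually used only to transport a symmetric key, which then protects the bulk data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// randomBytes returns n bytes from the OS random source (used for keys and nonces).
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// symmetricEncrypt: sender and receiver share one 32-byte secret key (AES-256-GCM).
// A fresh random nonce is prepended so the receiver can decrypt with the same key.
func symmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricDecrypt reverses symmetricEncrypt with the same key. GCM also verifies an
// authentication tag, so a wrong key or any altered byte is rejected outright.
func symmetricDecrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// newKeyPair generates the two mathematically related keys of asymmetric encryption.
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// asymmetricEncrypt: anyone holding the receiver's public key can encrypt for them.
func asymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// asymmetricDecrypt: only the matching private key recovers the plaintext.
func asymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	msg := []byte("card ending 1111, expires 12/29") // constructed sample message
	key, _ := randomBytes(32)
	ct, _ := symmetricEncrypt(key, msg)
	pt, err := symmetricDecrypt(key, ct)
	fmt.Printf("symmetric:  %q %v\n", pt, err)
	priv, _ := newKeyPair()
	act, _ := asymmetricEncrypt(&priv.PublicKey, msg)
	pt, err = asymmetricDecrypt(priv, act)
	fmt.Printf("asymmetric: %q %v\n", pt, err)
}
```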
PROTECTING CLIENT COMPUTERS
 Cookies: Most websites use cookies as the only identifiers for user sessions.
 Web bugs: Every subsequent time the e-mail message is displayed, it can also send information back to the sender.
 Programs related to active content on web pages
 Viruses: A virus is a self-replicating malware computer program.
 Worms: A worm is a computer program that can copy itself and infect a computer.
 As well as from unauthorized people gaining physical access to client computers.
Cookies:
 Most websites use cookies as the only identifiers for user sessions; the alternatives for identifying web users other than cookies have their own limitations and vulnerabilities.
 For the websites using cookies as session identifiers, attackers can impersonate user requests if they have stolen a full set of a victim's cookies. From the web server's point of view, a request from the attacker will have the same authentication as the victim's and hence is performed on behalf of the victim's session; with that, the victim's session is hijacked.
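As an added example (Go, not part of the original slides), the session store below shows the server-side habits that limit the damage described above: an unguessable random session ID, rotation of the ID at login, a cookie marked HttpOnly, Secure and SameSite=Strict so page scripts, clear-text connections and cross-site requests never carry it, and server-side invalidation at logout so a copied cookie stops working. The cookie name sid and the user name are assumptions of this example; a real login handler would pass the returned cookie to http.SetCookie.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"sync"
)

// SessionStore keeps the real session state on the server; the cookie carries only an
// opaque random identifier that points at an entry here.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]string // session ID -> authenticated user
}

// newSessionID draws 256 random bits, so IDs cannot be guessed or enumerated.
func newSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Login runs after the password check has succeeded. Any ID the client presented
// before is discarded, a fresh one is bound to the user, and the returned cookie
// carries the flags that keep the ID off clear-text and cross-site requests and out
// of reach of scripts running in the page.
func (s *SessionStore) Login(presentedID, user string) (*http.Cookie, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.sessions == nil {
		s.sessions = map[string]string{}
	}
	delete(s.sessions, presentedID)
	id, err := newSessionID()
	if err != nil {
		return nil, err
	}
	s.sessions[id] = user
	return &http.Cookie{
		Name:     "sid", // cookie name assumed for this example
		Value:    id,
		Path:     "/",
		MaxAge:   1800,                    // 30 minutes; expire the server entry too
		HttpOnly: true,                    // not readable by JavaScript in the page
		Secure:   true,                    // sent only over HTTPS
		SameSite: http.SameSiteStrictMode, // not attached to cross-site requests
	}, nil
}

// UserFor resolves a presented session ID to the user it was issued to, or "".
func (s *SessionStore) UserFor(id string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.sessions[id]
}

// Logout deletes the server-side entry, so a copied cookie stops working at once.
func (s *SessionStore) Logout(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, id)
}

// hardened reports whether a cookie carries all three protective flags.
func hardened(c *http.Cookie) bool {
	return c.HttpOnly && c.Secure && c.SameSite == http.SameSiteStrictMode
}

func main() {
	var store SessionStore
	c, err := store.Login("", "alice") // a real handler would then call http.SetCookie(w, c)
	if err != nil {
		panic(err)
	}
	fmt.Println("Set-Cookie:", c.String())
	fmt.Println("resolves to:", store.UserFor(c.Value), "hardened:", hardened(c))
}
```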
Web Bugs:
 Web bugs embedded in e-mails have greater privacy implications than bugs embedded in web pages. Through the use of unique identifiers contained in the URL of the web bug, the sender of an e-mail containing a web bug is able to record the exact time that a message was read, as well as the IP address of the computer used to read the mail or the proxy server that the user went through.
 In this way, the sender can gather detailed information about when and where each particular recipient reads e-mail. Every subsequent time the e-mail message is displayed, it can also send information back to the sender.
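As an added example (Go, not part of the original slides), the scanner below applies the description above to the HTML of an incoming message: it looks for images fetched from a remote server that are invisible (1x1 or display:none) or whose URL carries a long unique identifier, which is what a mail client or gateway would flag or refuse to load. The sample message, host names and identifier values are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// WebBug describes one suspicious <img> found in an e-mail body.
type WebBug struct {
	Src     string
	Reasons []string
}

var (
	imgTagRe = regexp.MustCompile(`(?is)<img\b[^>]*>`)
	attrRe   = regexp.MustCompile(`(?i)\b(src|width|height|style)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)
	// A long run of opaque characters in the path or query: the per-recipient
	// identifier that lets the sender tell who opened the message and when.
	idRe = regexp.MustCompile(`[/?&=][A-Za-z0-9_-]{20,}`)
)

// attrsOf extracts the attributes we care about from a single <img ...> tag.
func attrsOf(tag string) map[string]string {
	a := map[string]string{}
	for _, m := range attrRe.FindAllStringSubmatch(tag, -1) {
		a[strings.ToLower(m[1])] = m[2] + m[3] + m[4]
	}
	return a
}

// tiny is true for a 0 or 1 pixel dimension, with or without a "px" suffix.
func tiny(v string) bool {
	v = strings.TrimSuffix(strings.TrimSpace(strings.ToLower(v)), "px")
	return v == "0" || v == "1"
}

// findWebBugs flags remote images that are invisible (1x1 or display:none) or whose
// URL carries a unique identifier. Remote loading alone is not enough: a logo fetched
// from a CDN also reveals the reader's IP address, but it is not per-recipient tracking.
func findWebBugs(html string) []WebBug {
	var found []WebBug
	for _, tag := range imgTagRe.FindAllString(html, -1) {
		a := attrsOf(tag)
		src := a["src"]
		if !strings.HasPrefix(strings.ToLower(src), "http") {
			continue // inline (cid:) or data: images cannot report back to the sender
		}
		var reasons []string
		if tiny(a["width"]) && tiny(a["height"]) {
			reasons = append(reasons, "1x1 image")
		}
		if strings.Contains(strings.ReplaceAll(strings.ToLower(a["style"]), " ", ""), "display:none") {
			reasons = append(reasons, "hidden by style")
		}
		if idRe.MatchString(src) {
			reasons = append(reasons, "unique identifier in URL")
		}
		if len(reasons) > 0 {
			found = append(found, WebBug{Src: src, Reasons: reasons})
		}
	}
	return found
}

// sampleMail is a constructed message (not a real one) with one legitimate logo,
// two tracking images and one inline attachment reference.
const sampleMail = `<html><body>
<p>Dear customer, your order has shipped.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.net/open?rid=7f3a9c1e2b4d5e6f8a9b0c1d2e3f4a5b" width="1" height="1">
<img src='https://track.example.net/p/9K2mXq7vLp3nRt5wYb8cDf' style="display: none">
<img src="cid:photo123@example.com" width="1" height="1">
</body></html>`

func main() {
	for _, b := range findWebBugs(sampleMail) {
		fmt.Printf("%s -> %s\n", b.Src, strings.Join(b.Reasons, ", "))
	}
}
```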
Worm:
 A computer worm is a self-replicating malware computer program which uses a computer network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention. This is due to security shortcomings on the target computer.
Virus:
 A computer virus is a computer program that can copy itself and infect a computer.
Protection against threats related to active content is implemented through digital certificates as well as special security measures designed specifically for the various forms of active content; for example, a Java sandbox protects against the security threats related to Java applets.
E-COMMERCE COMMUNICATION CHANNELS
 Live Chat
 Several customers love the live chat feature. It has the benefit of getting the problem solved right now, without the irritation of keeping a telephone receiver pressed to the ear while waiting. Even when the waiting period lasts a few minutes for live chat, customers do not complain too much, as they are able to continue performing a parallel task on the same computer.
 E-mail
 Unlike live chat, which is an option, email support is an absolute must-have for any ecommerce player. In addition to providing an email address for support, it is recommended that one should have a ticketing system, which allows for efficiently handling a case in the event of multiple emails about the same issue.
 Phone Support
 Quite like live chat, phone support too is considered to be resource intensive. But the demand for phone support is so high that most ecommerce players end up providing it.
 Product Descriptions
 Product descriptions are the most voluminous communication between the ecommerce merchant and the customer. Though product descriptions are not personalized, they influence the customer to a great extent.
 Advertisements
 Advertisements are one of the most expensive modes of communication.
 Blog
 A blog presents an interesting platform to converse with customers and prospects. In addition to adding to the freshness of the site, a well-cultivated blog helps build credibility and trust.
 User Generated
 It is unanimously accepted that encouraging user engagement by permitting users to add their own content increases the stickiness of the site. This user-generated content could be in the form of buyer reviews, comments, queries, discussion boards, shared images and videos.
 Organic search
 Organic search is trending towards user value instead of technical manipulation. This means that usable content is just as important, if not more important, than technical SEO. Content should be usable, relevant and shareable, as social sharing directly impacts search. When search results are relevant, users are more empowered, spend more time on sites and are better educated about products.
 Comparison shopping engines
 Comparison shopping engines give empowered buyers the ability to look at several products at the same time. These engines are huge traffic generators, so marketers have an opportunity to capture the traffic going to comparison shopping engines and then redirect it to their sites.
 Marketplaces
 Online marketplaces are a great avenue for brand manufacturers and distributors because the marketplace does the selling. With both shopping engines and paid search, marketers pay for redirected traffic, but with online marketplaces, marketers only pay when a customer makes a purchase. Marketplaces will typically receive 7-15% of the order, but marketers are not paying for wasted clicks.
 Display advertisement retargeting
 Display ad retargeting uses cookies to retarget users who have visited one's site before, allowing one to market relevantly.
 Private sale sites (for brands)
 Private sale sites offer items for a limited time at deeply discounted prices, and have become increasingly important for brands.
 Mobile marketing
 With the adoption of smart phones and tablets as content consumption devices, retailers that
Tips to implement and maintain adequate e-security measures
 Use strong passwords: Use long and random passwords for any application that provides access to our personal information, including logging onto our computer. Ideally, the password should be eight or more characters in length, not a dictionary word, contain a mixture of letters and numbers, and contain a mixture of upper and lower case letters. Change passwords regularly and use different passwords for each application.
 Install and update anti-virus and other security software: Viruses and other malicious software, such as worms and Trojan horse viruses, can alter or erase data on our computers and allow spammers and other intruders to use our computer and network. Viruses and worms spread fast, and new variations are constantly being released, so anti-virus software must be updated regularly.
 Anti-virus software: It should be set to automatically scan all incoming and outgoing emails and any devices that are intermittently connected to a computer, such as a memory stick, a music player, digital camera or other USB device. Set the software to automatically check for updates when connected to the internet.
 Use a firewall and make sure it is turned on: A firewall is our computer's first line of defense against intruders. Firewalls can block all traffic between our network and the internet that is not explicitly allowed, preventing unauthorized access to our data. A firewall should be used in conjunction with anti-virus and anti-spyware software.
 Manage e-mails safely: Delete suspect emails immediately. If we do open an email that seems suspect, don't click on any links in the email. Visiting websites by clicking on links in suspect emails may result in malware (malicious software). This is a commonly used and effective means of compromising a computer. All email attachments should be scanned by anti-virus software before being opened. Anti-virus software can be set to do this automatically. Use spam filtering software to manage unwanted emails and report spam.
 Use Safe Internet Browser Settings: When browsing the web, creating documents, reading email and playing games, using a limited-permission account can prevent malicious code from being installed onto our computer.
 Keep up to date with security patches: Most operating systems are supported by automatic updates that fix vulnerabilities found in important software components. We should either use the 'automatic update' option or subscribe to a security-related mailing list and install these patches when necessary.
 Check and Alter Default Settings: After installing software, check the configuration and setting options; we may find the software has extra features we don't need or want. Turning off unnecessary services is a good security precaution.
 Back up our Data and Files: Back up our data regularly and check that backups are working. Creating a copy or backup of data is an effective way to help recover information from a computer if a virus destroys files, or the computer is stolen or destroyed. For example, burn data, photos, videos etc. onto a CD-ROM or a USB stick, or use an external hard drive regularly.
 Use Caution When Sharing or Downloading Files: Don't download files or applications from suspect websites. The file or application could be malware. Sometimes the malware may even be falsely represented as e-security software designed to protect us.
 Protecting wireless internet connection
 Change the default password to a strong password.
 Turn off the SSID broadcast on the wireless router.
 Engage the highest level of encryption available for the wireless network, including turning WPA encryption on.
 Turn off the wireless connection when not in use.
 Internet service providers or software vendors will be able to provide specific advice about protecting wireless networks.
 Keep up-to-date with security information: Users can keep up-to-date with security advice that affects their systems. Stay Smart Online at www.staysmartonline.gov.au provides home users with information on the latest e-security threats through a free alert service.
Security policy and procedure in e-commerce:
 Policy: A policy may be defined as an agreed approach in theoretical form, which has been agreed to/ratified by a governing body, and which defines direction and degrees of freedom for action. In other words, a policy is the stated view of the senior management on a given subject.
 Procedure: A procedure spells out the specific steps of how the policy and the supporting standards and guidelines will actually be implemented. Procedures are a description of tasks that must be completed in a specific order.
 Information Security Policy
 Control: The information security policy shall be approved by the top management and published and communicated to all concerned with the information system (employees and external parties).
 Explanation: The security policy states management commitment and sets out the organization's approach to managing information security. The corporate security policy refers to the individual policies and guidelines that exist to govern the secure and appropriate use of technology and processes within the organization. The area covers policy to address users, systems, data, etc., and the policy is appropriately communicated to employees, users, suppliers, etc.
 Operational Procedure
 Control: To ensure correct and secure operation of the information system, operating procedures shall be identified, documented, maintained and made available to all users who need them.
 Explanation: The relevant procedures shall be identified for the various activities associated with the information system which are required for correct and secure operation. These procedures shall be documented, maintained and available to the concerned users. Examples of such procedures are backup, start-up and close-down procedures for servers and desktops, equipment maintenance, the change management procedure, media handling, etc.
 Segregation of Responsibility
 Control: The procedure with responsibilities shall be defined in such a way that the initiation of an event is separated from its authorization.
 Explanation: The principle of segregation of responsibility should be kept in mind in order to reduce the risk of accidental or deliberate misuse of security policies. While defining the operating procedures, care should be taken that no single person can access, use or modify the information system without authorization.
 Acceptable Usage Policy
 Control: The usage policy for assets and services associated with the information system shall be defined and implemented.
 Explanation: All employees, contractors and third-party users should follow the usage policy as identified for the assets and services associated with the information system. The various assets and services associated with the information system may include electronic mail, the internet and mobile devices, and a usage policy for such assets and services should be identified and implemented.
 Monitoring and Review
 Control: Monitoring and review of the policy, procedures and applicable controls shall be in place to evaluate their effectiveness and identify areas of improvement at a defined frequency and in response to changes to the organizational and business, legal conditions or technical environment.
 Explanation: Monitoring and review of policies, procedures and controls provide input to the management on the effectiveness of the controls implemented and any corrective/preventive action to be taken. The monitoring and review also help to evaluate and identify the areas of improvement required in the information system. The monitoring and review should be carried out at a defined frequency and in response to any changes to the organizational environment, business circumstances, legal, statutory and regulatory conditions or technical environment.
