
E-commerce and Internet use
Cyber Security Concepts
E-Commerce security
• The rapid adoption of the Internet by organizations is because the Internet offers an exceptional type of accessibility.
• E-commerce includes various aspects, including EDI (Electronic Data Exchange), email, web-based trading, and online transactions.
• Since the Internet is open to the public, it also enables malicious actors to learn and discover information, which can lead to significant security problems.
• Social engineering is a common and rather successful approach used by malicious parties to gather information, and at the core of most social engineering attacks is knowledge gathered from the Internet.
• Industrial espionage and the value of transactional information to competitors are significant concerns.
• Non-repudiation is a major issue in online commerce. It involves digital equivalents of traditional proof methods for resolving disputes, such as digital signatures or audit trails, which provide evidence of transactions and interactions that cannot be disputed.
E-commerce Security – key components to non-repudiation
There are three key components that ensure non-repudiation:

01 Non-repudiation of origin: There must be evidence for a receiving party that the sender is genuine, not an impostor. A vendor would, for instance, want to be sure that an order was from a genuine customer.
02 Non-repudiation of submission: There must be evidence (such as a postmark) that a transaction was actually sent at a particular time.
03 Non-repudiation of receipt: It must be possible to prove that the receiving party has actually received what was sent. Lesser issues include verifying the time and place of transmission.
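The three kinds of evidence above, worked through as an added example that is not from the original slides: each party signs with an Ed25519 key (assumed here as a stand-in for the certificate a PKI would issue), a neutral timestamp authority plays the role of the postmark, and Verify shows that altering the order or checking against the wrong key breaks the evidence.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"time"
)

// Party is a constructed stand-in for a PKI participant (in practice a CA-issued certificate binds Pub to an identity).
type Party struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty() Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Party{Pub: pub, priv: priv}
}

// SignOrder: non-repudiation of origin. Only the holder of the customer's
// private key could have produced this signature over the order bytes.
func SignOrder(customer Party, order []byte) []byte {
	return ed25519.Sign(customer.priv, order)
}

// Postmark: non-repudiation of submission. A neutral timestamp authority
// signs the order hash together with the time it was seen (a digital postmark).
func Postmark(tsa Party, order []byte, t time.Time) (string, []byte) {
	h := sha256.Sum256(order)
	stamp := hex.EncodeToString(h[:]) + "|" + t.UTC().Format(time.RFC3339)
	return stamp, ed25519.Sign(tsa.priv, []byte(stamp))
}

// Receipt: non-repudiation of receipt. The vendor signs the hash of exactly
// what it received; the customer keeps this as proof of delivery.
func Receipt(vendor Party, order []byte) []byte {
	h := sha256.Sum256(order)
	return ed25519.Sign(vendor.priv, h[:])
}

// Verify checks evidence against the claimed signer's public key. Any change
// to the message, or a signature from a different key, makes it fail.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}
```

In a real deployment the postmark would come from an RFC 3161 timestamping service and the keys from certificates, but the evidence flow is the same.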
E-commerce Security – ISO 27001 and 27002 requirements
ISO 27002 and ISO 27001 have specific requirements regarding e-commerce, as follows:
• Authentication, to ensure that there is some confidence that customers or traders are who they say they are.
• Authorization, to ensure that trading partners know that prices set, or contracts agreed, have been agreed by someone authorized to do so, and that trading partners know what each other's authorization procedures are.
• Dealing in online contract and tendering processes requires non-repudiation, confidentiality, integrity, and proof of dispatch and receipt of documents.
E-commerce Security – ISO 27002 questions
ISO 27002 has also specified the following questions that must be answered for e-commerce security:
• How confidential are discount arrangements and how reliable are advertised prices?
• How is the confidentiality of transaction details (including payment and delivery details) to be protected?
• What vetting of payment information is necessary?
• What is the most secure method of payment, and how is credit card fraud to be dealt with?
• How are duplicate transactions, or loss of transactions, to be avoided?
• Who carries the risk in any fraudulent transactions, and how is insurance to be dealt with?
E-Commerce Security – ISO 27002 recommendations
In regard to online transactions, ISO 27002 makes a number of recommendations, some of which are outlined below:
• Electronic Signatures: While electronic signatures offer enhanced security, they may not always be practical for consumer transactions due to the widespread absence of digital signature setups. However, they remain highly suitable for commercial transactions.
• Technical Controls for User Credentials: these involve employing technological solutions to verify the identity of users and manage their access privileges securely. Such controls help prevent unauthorized access to sensitive information or resources; MFA is one example.
• Secure Storage of Personal Information: Personal information storage should be inaccessible from the internet. It should be securely stored on a server within the organizational perimeter to prevent unauthorized access.
• Embedded End-to-End Security: End-to-end security should be ingrained within a trusted authority relationship to ensure comprehensive protection throughout the transaction process.
• Consideration of Legal Issues: Legal considerations play a crucial role, particularly in determining the jurisdiction of the transaction. Careful assessment of, and adherence to, legal requirements are essential to mitigate potential legal risks.
• Apply key security technologies such as SSL, IPSec, S/MIME and PKIX.
E-commerce security – SSL security
• SSL keeps an internet connection secure and safeguards sensitive data, preventing criminals from reading or modifying information in transit by encrypting it.
• It is application-independent and can work with protocols like HTTP and FTP.
• SSL enables automatic authentication between client and vendor servers.
• It encrypts all data transmitted during a session with a unique key, so that unauthorized access is prevented.
• Reputable browsers display warnings for insecure sites and show signs of SSL, like changing the URL prefix to "https" and displaying a padlock icon for secure connections.
E-commerce security – Cookies and sessions
• SSL alone is not sufficient; organizations must adapt to evolving web application session tracking attacks.
• Cookies, a common session tracking mechanism, can be manipulated by attackers to take over user sessions.
• Security advisers and technology specialists should assess and fix weaknesses in web application session tracking mechanisms.
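One concrete form of the assessment the slide calls for, as an added example that is not from the original slides: a function that issues a session cookie with the attributes that limit takeover, and an audit function that lists the weaknesses an assessor would flag in an existing cookie. The cookie name and attribute choices are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
	"time"
)

// NewSessionID returns 32 random bytes, base64url-encoded, so a session
// identifier cannot be guessed or predicted from earlier ones.
func NewSessionID() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// SessionCookie sets the attributes that close the common takeover paths:
// Secure (never sent in clear), HttpOnly (unreadable by page scripts),
// SameSite=Strict (not attached to cross-site requests), bounded lifetime.
func SessionCookie(id string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name:     "__Host-session", // __Host- prefix: browsers refuse it unless Secure, Path=/ and no Domain
		Value:    id,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
		MaxAge:   int(ttl.Seconds()),
	}
}

// AuditSessionCookie lists the weaknesses an assessor would flag in an
// existing session cookie; an empty result means every check passed.
func AuditSessionCookie(c *http.Cookie) []string {
	var findings []string
	if !c.Secure {
		findings = append(findings, "missing Secure: cookie can be sent over plain HTTP")
	}
	if !c.HttpOnly {
		findings = append(findings, "missing HttpOnly: cookie readable by injected scripts")
	}
	if c.SameSite != http.SameSiteLaxMode && c.SameSite != http.SameSiteStrictMode {
		findings = append(findings, "SameSite not Lax/Strict: cookie sent on cross-site requests")
	}
	return findings
}
```

Rotating the session identifier after login (issue a fresh NewSessionID and invalidate the old one server-side) is the other half of the fix, since the attributes above protect the cookie in transit and in the browser but not a value the attacker already knows.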
E-commerce security - IPSec
• IPSec encrypts IP packets and authenticates the source the packets come from.
• IPSec establishes a secure connection between two systems.
• IPSec defines secure host-to-host and client-to-host connections, often referred to as VPNs (Virtual Private Networks).
• It creates an encrypted tunnel over a public network, ensuring privacy comparable to that of a private network.
E-commerce security - MIME
• MIME (Multipurpose Internet Mail Extensions) allows attaching files to email messages, including pictures, audio, and applications.
• Secure MIME (S/MIME) enhances MIME by adding security features like digital signatures and encryption.
• S/MIME is integrated into most modern email systems.
• S/MIME provides authentication, message integrity, and non-repudiation through digital signatures.
E-commerce security - PKIX
• PKIX focuses on standardizing public key infrastructure.
• It defines encryption mechanisms and outlines structures for public/private keys, certificates, and digital signatures.
• PKIX also addresses certificate management, host addressing, and certificate authority (CA) operations.
E-commerce security - SET
• SET (Secure Electronic Transaction) is a protocol jointly developed by Visa and MasterCard for secure online bank and credit card transactions.
• SET includes protocols for electronic purchasing, payment authorization, and obtaining digital certificates.
• SET adoption is limited as it requires advance registration with a payment gateway for both customers and merchants.
Internet Use
• The organization needs to have a comprehensive set of tools to regulate Internet access, in addition to the policy on Internet usage.
• An internet acceptable use policy (AUP) should combine statements on use of the internet and use of e-mail.
• It is important that, as for all other components of the ISMS, the organization adopts and develops an AUP that reflects in detail the culture of the organization but that also provides the level of security required by a risk assessment.
Internet Use - Acceptable Use Policy
An AUP must comply with the following legislative guidelines. It must:
• Be documented;
• Be clearly communicated to all employees;
• Set out permissible use of both internet and e-mail; for example: for business purposes only;
• Specify what uses are prohibited; for example: downloading offensive or illegal material;
• State what monitoring (if any) will take place;
• Set out acceptable online behaviors;
• Specify which online areas are prohibited; for example: hot sites;
• Set out privacy rules in relation to other users, and in respect of the employer's right to monitor the employees' activity;
• Set out the likely disciplinary consequences of breaching the AUP.


Internet use – Organization's System
The organization's system also needs to specify that:
• Use of the internet must be consistent with the organization's standards of business conduct and must occur as part of the normal execution of the employee's job responsibilities.
• Organizational user IDs or websites (or e-mail accounts) should only be used for organizationally sanctioned communication.
• Use of internet/intranet/e-mail/instant messaging may be subject to monitoring for reasons of security and/or network management.
• The distribution of any information through the internet (including by email, instant messaging systems and any other computer-based systems) may be scrutinized by the organization.
• The use of organizational computer resources is subject to law and any abuse will be dealt with appropriately.
• Users shall not visit internet sites, or open spam emails, that contain obscene, hateful or other objectionable material, and shall not attempt to bypass organizational surf control technology.
Internet use – Organization's System
• Users shall not solicit e-mails that are unrelated to business activity or that are for personal gain, and shall not send or receive any material that is obscene or defamatory.
• Users may not upload, download or otherwise transmit commercial software or any copyrighted materials belonging to the company or any third parties.
• Users shall not seek to avoid, and shall uphold, all malware prevention policies of the organization, and shall not intentionally interfere with the normal operation of the network.