E-Commerce Security
IS406 E-Business
Contents
• Social Networking Makes Social Engineering Easy
• Security problems in social networking
• Spam in Social Networks and in the Web 2.0 Environment
• EC Security Requirements
• The Information Assurance Model
• E-Commerce Security Strategy
• The Phases of Security Defense
• Assessing Vulnerabilities and Security Needs
• The Defense Side of EC Systems
• The Defense I: Access Control, Encryption and PKI
• The Defense II: Securing E-commerce Networks
Social Networking Makes Social Engineering Easy
• Social networking sites are a vulnerable and fertile area for hackers and con artists to gain a user’s trust.
• How are hackers attacking social networks?
Hackers are exploiting the trusted environment of social networks that contain personal information (especially Facebook) to launch different social engineering attacks. Unfortunately, many social network sites have poor track records for security controls. There is a growing trend to use social networking sites as platforms for stealing users’ personal data.
Some examples of security problems in social networking
• Users may unknowingly insert malicious code into their profile page, or even their list of friends.
• Most anti-spam solutions cannot differentiate between real and criminal requests to connect to a network.
This enables criminals to obtain personal information about the members in a network.
• Facebook and other popular social networking sites offer free, useful, attractive applications. These
applications may have been built by developers who used weak security.
• Scammers may create a fake profile and use it in a phishing scam.
Spam in Social Networks and in the Web 2.0 Environment
1. Automated blog spam: bloggers are spammed by automatically generated commercials (some real and some fake) for items. Blog writers can use tools to ensure that a human, and not an automated system, posts comments on their blogs.
2. Search engine spam: technology that enables the creation of pages called spam sites, which trick search engines into offering biased search results so that the ranking of certain pages is inflated.
3. Splogs (short for spam blog sites): blogs created by spammers solely for advertising. The spammer creates many splogs and links them to the sites of those who pay him (or her) to increase those pages’ ranking.
EC Security Requirements
• The following set of security requirements is used to assure success and to minimize EC transaction risks:
1. Authentication: the process used to verify (assure) the real identity of an EC entity, which could be an individual, software agent, computer program, or EC website. For electronic messages, authentication verifies that the sender/receiver of the message is who the person or organization claims to be (the ability to detect the identity of a person/entity with whom you are doing business).
2. Authorization: the provision of permission to an authenticated person to access systems and perform certain operations in those specific systems.
3. Auditing: when a person or program accesses a website or queries a database, various pieces of information are recorded or logged into a file. The process of maintaining or revisiting the sequence of events during the transaction (what happened, when, and by whom) is known as auditing.
4. Availability: assuring that systems and information are available to the user when needed and that the site continues to function. Appropriate hardware, software, and procedures ensure availability.
5. Nonrepudiation: closely associated with authentication, nonrepudiation is the assurance that online customers or trading partners will not be able to falsely deny (repudiate) their purchase, transaction, sale, or other obligation. Nonrepudiation involves several assurances, including providing proof of delivery from the sender and proof of the sender’s and recipient’s identities and the identity of the delivery company.
The Information Assurance Model
• The Information Assurance (IA) model, known as the CIA security triad, is a point of reference used to identify problem areas and evaluate the information security of an organization. The model comprises three necessary attributes: confidentiality, integrity, and availability.
• The success and security of EC can be measured by these attributes:
1. Confidentiality is the assurance of data secrecy and privacy, namely that the data is disclosed only to authorized people. Confidentiality is achieved by using several methods, such as encryption and passwords.
2. Integrity is the assurance that data are accurate and that they cannot be altered by unauthorized parties. The integrity attribute needs to be able to detect and prevent the unauthorized creation, modification, or deletion of data or messages in transit.
3. Availability is the assurance that any relevant data, information, websites, or other EC services can be accessed and used in real time, whenever and wherever needed. The information must be reliable.
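The auditing requirement (recording who did what and when) and the integrity attribute (detecting unauthorized modification) can be served by one log design. The Go program below is an added example written for these notes, not code from the slides: every audit event is stored as a record that carries a SHA-256 hash of the previous record, so editing, reordering or removing an earlier record breaks the chain and the verifier reports where. The event fields, the constructed sample events and the JSON-lines file format are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// auditEvent answers the auditing questions: what happened, when, by whom, to what.
type auditEvent struct {
	Timestamp string `json:"ts"` // RFC 3339; constructed values in the demo
	Actor     string `json:"actor"`
	Action    string `json:"action"`
	Resource  string `json:"resource"`
	Outcome   string `json:"outcome"`
}

// auditRecord is what gets written to the log file: the event, the hash of
// the previous record, and this record's own hash computed over both.
type auditRecord struct {
	Event    auditEvent `json:"event"`
	PrevHash string     `json:"prev"`
	Hash     string     `json:"hash"`
}

// genesisHash is the "previous hash" of the very first record.
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// recordHash binds an event to everything logged before it.
func recordHash(prev string, e auditEvent) string {
	body, _ := json.Marshal(e) // struct fields marshal in a fixed order
	sum := sha256.Sum256([]byte(prev + "\n" + string(body)))
	return hex.EncodeToString(sum[:])
}

// appendEvent adds one record, chained to the hash of the last one.
func appendEvent(trail []auditRecord, e auditEvent) []auditRecord {
	prev := genesisHash
	if n := len(trail); n > 0 {
		prev = trail[n-1].Hash
	}
	return append(trail, auditRecord{Event: e, PrevHash: prev, Hash: recordHash(prev, e)})
}

// verifyChain recomputes every link and returns the index of the first record
// that does not fit (edited, reordered, or with a gap before it), or -1 if intact.
func verifyChain(trail []auditRecord) int {
	prev := genesisHash
	for i, r := range trail {
		if r.PrevHash != prev || recordHash(prev, r.Event) != r.Hash {
			return i
		}
		prev = r.Hash
	}
	return -1
}

// sampleLog builds a small constructed trail of EC transactions.
func sampleLog() []auditRecord {
	var trail []auditRecord
	trail = appendEvent(trail, auditEvent{"2024-05-01T09:00:00Z", "alice", "login", "shop.example", "success"})
	trail = appendEvent(trail, auditEvent{"2024-05-01T09:01:10Z", "alice", "place_order", "order/1001", "success"})
	trail = appendEvent(trail, auditEvent{"2024-05-01T09:02:30Z", "bob", "read", "order/1001", "denied"})
	return trail
}

func main() {
	trail := sampleLog()
	for _, r := range trail {
		line, _ := json.Marshal(r)
		fmt.Println(string(line)) // one JSON line per record is the on-disk format
	}
	fmt.Println("intact chain, first bad index:", verifyChain(trail))
	trail[2].Event.Outcome = "success" // someone rewrites a denied access as a success
	fmt.Println("after tampering, first bad index:", verifyChain(trail))
}
```

Caveat: a hash chain only proves that the file is self-consistent. Someone with write access can recompute every hash after the point of tampering, and truncating the newest records leaves a valid shorter chain, so the latest hash must be anchored somewhere the log writer cannot change (a write-once store, a signed periodic checkpoint, or a separate log host).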
E-Commerce Security Strategy
The Phases of Security Defense
1. Prevention and deterrence (preparation).
2. Initial response.
3. Detection.
4. Containment (contain the damage).
5. Eradication.
6. Recovery.
7. Correction.
8. Awareness and compliance.
Assessing Vulnerabilities and Security Needs
• A key task in security strategy is to find the weaknesses and strengths of the existing security strategies and solutions. This is part of a risk assessment and can be accomplished in different ways.
1. Conduct a vulnerability assessment of your EC systems. A vulnerability assessment is a process of identifying and evaluating the areas of a computerized system that are vulnerable to attack.
2. Conduct penetration (pen) tests (possibly implemented by hiring ex-hackers) to find the vulnerabilities and security weaknesses of a system. These tests are designed to simulate outside (external) attacks. This is also called “black-box” testing.
The Defense Side of EC Systems
The defense is organized into seven categories:
1. Defending access to computing systems, data flow, and EC transactions. (The Defense I)
2. Defending EC networks. (The Defense II)
3. General, administrative, and application controls.
4. Protection against social engineering and fraud.
5. Disaster preparation, business continuity, and risk management.
6. Implementing enterprise-wide security programs.
7. Conducting a vulnerability assessment and a penetration test.
The Defense I: Access Control, Encryption and PKI
Access Control
• Access control determines who (person, program, or machine) can legitimately use the organization’s computing resources (which resources, when, and how).
• Access control involves authorization (having the right to access) and authentication, which is also called user identification (user ID), i.e., proving that the user is who he or she claims to be. Each user has a distinctive identification that differentiates him or her from other users.
• Two-factor authentication: this type of authentication system is a security process that requires two different types of identification (more than just your password). For example, one factor is physical (something a person has), such as a token card, and the other is something that a person knows (usually a password or an answer to a security question, or a combination of variations of both).
• Biometric authentication is a technology that measures and analyzes the identity of people based on measurable biological or behavioral characteristics or physiological signals.
• Examples of biometric features include fingerprints, facial recognition, and DNA. Behavioral traits include voice ID, typing rhythm (keystroke dynamics), and signature verification.
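The two-factor check described above, as an added example that is not from the slides: a Go program that verifies a time-based one-time code (RFC 6238 TOTP, the mechanism behind most authenticator apps and many token cards) together with a password, so that a login needs both something the user knows and something the user has. The user record, the demo password and the use of plain SHA-256 for the stored password are assumptions made for the example (a real system uses a slow salted password hash); the TOTP secret is the RFC 6238 test value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotpCode computes an RFC 4226 HOTP value (HMAC-SHA1 plus dynamic truncation)
// for one counter value, as a zero-padded string of the requested length.
func hotpCode(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
	off := sum[len(sum)-1] & 0x0f
	bin := (uint32(sum[off])&0x7f)<<24 |
		uint32(sum[off+1])<<16 |
		uint32(sum[off+2])<<8 |
		uint32(sum[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// totpCode turns a Unix timestamp into the RFC 6238 time-step counter (30 s)
// and returns the 6-digit code a token card or authenticator app would show.
func totpCode(secret []byte, unixTime int64) string {
	return hotpCode(secret, uint64(unixTime/30), 6)
}

// verifyTOTP accepts the code for the current step and one step on either
// side (clock drift). It compares in constant time and does not stop at the
// first match, so response time does not reveal which window matched.
func verifyTOTP(secret []byte, submitted string, unixTime int64) bool {
	ok := false
	for _, skew := range []int64{-30, 0, 30} {
		want := totpCode(secret, unixTime+skew)
		if subtle.ConstantTimeCompare([]byte(want), []byte(submitted)) == 1 {
			ok = true
		}
	}
	return ok
}

// userRecord is a constructed credential store for the example. A real system
// keeps a salted, slow password hash (bcrypt, scrypt, Argon2); plain SHA-256
// is used here only to keep the example inside the standard library.
type userRecord struct {
	passwordHash [32]byte
	totpSecret   []byte // the "something you have": the secret inside the user's token
}

func newUser(password string, totpSecret []byte) userRecord {
	return userRecord{passwordHash: sha256.Sum256([]byte(password)), totpSecret: totpSecret}
}

// twoFactorLogin succeeds only when both factors are right: the password
// (something the user knows) and a fresh TOTP code (something the user has).
// Both checks always run, so a failed password does not shorten the response.
func twoFactorLogin(u userRecord, password, code string, unixTime int64) bool {
	got := sha256.Sum256([]byte(password))
	knows := subtle.ConstantTimeCompare(got[:], u.passwordHash[:]) == 1
	has := verifyTOTP(u.totpSecret, code, unixTime)
	return knows && has
}

func main() {
	// RFC 6238 test secret (ASCII "12345678901234567890"); constructed demo user.
	secret := []byte("12345678901234567890")
	u := newUser("correct horse battery staple", secret)
	now := time.Now().Unix()
	code := totpCode(secret, now) // what the user's authenticator shows right now
	fmt.Println("password + valid code:", twoFactorLogin(u, "correct horse battery staple", code, now))
	fmt.Println("password + wrong code:", twoFactorLogin(u, "correct horse battery staple", "000000", now))
	fmt.Println("wrong password + valid code:", twoFactorLogin(u, "guess", code, now))
}
```

The one-step tolerance on either side is the usual trade-off between clock drift on the token and replay exposure; a production verifier would additionally remember the last accepted counter per user so the same code cannot be submitted twice.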
Cont.
Encryption
• Encryption is the process of encoding data into a form (called a ciphertext) that will be difficult, expensive, or time-consuming for an unauthorized person to understand.
• All encryption methods have five basic components: plaintext, ciphertext, an encryption algorithm, the key, and the key space.
• Plaintext is a human-readable text or message. Ciphertext is an encrypted plaintext. The encryption algorithm is the set of procedures or mathematical algorithms used to encrypt or decrypt a message. The key (key value) is the secret piece used with the algorithm to encrypt (or decrypt) the message. The key space is the total universe of possible key values that can be created by a specific encryption algorithm.
• Encryption has two basic options: the symmetric system, with one secret key, and the asymmetric system, with two keys.
Cont.
Public Key Infrastructure
• A public key infrastructure (PKI) is a comprehensive framework for securing data flow and information exchange that overcomes some of the shortcomings of the one-key system.
• Digital signatures are the electronic equivalent of personal signatures on paper. They are difficult to forge, since they authenticate the identity of the sender by means of the public key.
• Independent agencies called certificate authorities (CAs) issue digital certificates (also called SSL certificates), which are electronic files that uniquely identify individuals and websites and enable encrypted communication.
• There are different types of certificates. The major types are site certificates, personal certificates, and software publisher certificates.
• PKI systems are further secured with SSL, a protocol for e-commerce. PKI with SSL makes e-commerce very secure but cumbersome for users.
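To make the symmetric/asymmetric distinction from the previous slide and the digital-signature mechanism above concrete, the following Go program is an added example written for these notes, not code from the slides. It uses AES-256-GCM as the one-key system, RSA-OAEP to move that key under a public key (the way the two systems are normally combined), and RSA-PSS over SHA-256 as the digital signature. The merchant/customer roles, the order text and the key sizes are assumptions for the illustration, and the certificate step (a CA vouching for whose public key this is) is not modelled.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// --- Symmetric system: one secret key, shared by sender and receiver. ---

// encryptAESGCM seals plaintext with AES-256-GCM. The random nonce is prepended
// to the output and GCM appends an authentication tag, so any change to the
// ciphertext is detected on decryption instead of silently yielding garbage.
func encryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAESGCM reverses encryptAESGCM; it fails if the key or the data is wrong.
func decryptAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// --- Asymmetric system: a public key anyone may hold, a private key only the owner holds. ---

func generateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// wrapKey lets a customer send a fresh AES key to the merchant using only the
// merchant's public key (RSA-OAEP); only the matching private key unwraps it.
func wrapKey(pub *rsa.PublicKey, aesKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
}

func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// signMessage produces a digital signature (RSA-PSS over SHA-256) with the
// private key; verifySignature checks it with the public key. A valid
// signature ties the message to the key holder, which is what gives
// authentication and nonrepudiation.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

func verifySignature(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	merchant, _ := generateKeyPair(2048)
	customer, _ := generateKeyPair(2048)
	order := []byte("order 1001: 2 x widget, ship to 1 Example St") // constructed

	aesKey := make([]byte, 32) // symmetric session key for the bulk data
	io.ReadFull(rand.Reader, aesKey)
	sealed, _ := encryptAESGCM(aesKey, order)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit in transit
	_, err := decryptAESGCM(aesKey, sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	wrapped, _ := wrapKey(&merchant.PublicKey, aesKey) // key travels under the public key
	recovered, _ := unwrapKey(merchant, wrapped)
	fmt.Println("merchant recovered the session key:", string(recovered) == string(aesKey))

	sig, _ := signMessage(customer, order) // customer signs, merchant verifies
	fmt.Println("signature valid:", verifySignature(&customer.PublicKey, order, sig))
	fmt.Println("signature after edit:", verifySignature(&customer.PublicKey, append(order, '!'), sig))
}
```

The program shows the two failure modes the text cares about: a flipped bit in the GCM ciphertext makes decryption fail outright rather than return corrupted data, and a signature that verified over the original order fails once a single character changes. A CA-issued certificate would add the missing link, binding the public key passed to verifySignature to a named customer or site.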
The Defense II: Securing E-commerce Networks
Firewalls
• Firewalls are barriers between an internal trusted network (or a PC) and the untrustworthy Internet. A firewall is designed to prevent unauthorized access to and from private networks, such as intranets.
• A popular defense system is the DMZ, or dual-firewall architecture. In the DMZ architecture (DMZ stands for demilitarized zone), there are two firewalls between the Internet and the internal users: one between the Internet and the DMZ (the border firewall) and another between the DMZ and the internal network.
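A small model of the dual-firewall (DMZ) policy, added here as an example and not taken from the slides. It is written in Go as a stateless, first-match, default-deny rule evaluator; the zone names, host names, ports and the two rule sets are constructed for the illustration.

```go
package main

import "fmt"

// zone names the three network segments of the dual-firewall design.
type zone string

const (
	internet zone = "internet" // untrusted
	dmz      zone = "dmz"      // public-facing servers
	internal zone = "internal" // users and databases
)

// packet is the minimum a stateless filter needs to make a decision.
type packet struct {
	SrcZone, DstZone zone
	SrcHost, DstHost string
	DstPort          int
}

// rule matches on zones, optionally a source host ("" = any) and a
// destination port (0 = any). The first matching rule wins.
type rule struct {
	SrcZone, DstZone zone
	SrcHost          string
	DstPort          int
	Allow            bool
}

type firewall struct {
	name  string
	rules []rule
}

// decide applies the rule list; anything unmatched is denied (default deny).
func (fw firewall) decide(p packet) bool {
	for _, r := range fw.rules {
		if r.SrcZone == p.SrcZone && r.DstZone == p.DstZone &&
			(r.SrcHost == "" || r.SrcHost == p.SrcHost) &&
			(r.DstPort == 0 || r.DstPort == p.DstPort) {
			return r.Allow
		}
	}
	return false
}

// Constructed policy: the border firewall exposes only HTTPS on the DMZ,
// and the inner firewall lets only the DMZ web server reach the database.
var border = firewall{name: "border", rules: []rule{
	{SrcZone: internet, DstZone: dmz, DstPort: 443, Allow: true},
}}

var inner = firewall{name: "inner", rules: []rule{
	{SrcZone: dmz, DstZone: internal, SrcHost: "web1", DstPort: 5432, Allow: true},
}}

// allowed sends the packet through every firewall on the path between its
// zones: the border firewall for anything touching the Internet, the inner
// firewall for anything touching the internal network, both for
// Internet-to-internal traffic. A packet passes only if every firewall agrees.
func allowed(p packet) bool {
	if p.SrcZone == p.DstZone {
		return true // same segment, no firewall on the path
	}
	if (p.SrcZone == internet || p.DstZone == internet) && !border.decide(p) {
		return false
	}
	if (p.SrcZone == internal || p.DstZone == internal) && !inner.decide(p) {
		return false
	}
	return true
}

func main() {
	cases := []packet{
		{internet, dmz, "203.0.113.9", "web1", 443},
		{internet, dmz, "203.0.113.9", "web1", 22},
		{internet, internal, "203.0.113.9", "db1", 5432},
		{dmz, internal, "web1", "db1", 5432},
		{dmz, internal, "mail1", "db1", 5432},
	}
	for _, p := range cases {
		fmt.Printf("%-8s -> %-8s %s:%d  allow=%v\n", p.SrcZone, p.DstZone, p.DstHost, p.DstPort, allowed(p))
	}
}
```

The point to notice is that Internet-to-internal traffic is denied by the border firewall before the inner one is even consulted, and that the inner firewall narrows DMZ access to one host and one port, so a compromised DMZ mail server still cannot reach the database. Production firewalls are stateful (they admit replies to allowed connections automatically); this stateless model would need explicit return rules for that.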
Cont.
Virtual Private Networks (VPNs)
• A virtual private network (VPN) refers to the use of the Internet to transfer information, but in a more
secure manner. A VPN behaves like a private network by using encryption and other security features to
keep the information secure.
Intrusion Detection Systems (IDS)
• An intrusion detection system (IDS) is a device composed of software and/or hardware designed to monitor
the activities of computer networks and computer systems in order to detect and define unauthorized and
malicious attempts to access, manipulate, and/or disable these networks and systems.
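Signature-based detection of the kind an IDS performs, as an added example rather than code from the slides: a Go program that parses constructed sshd-style log lines, keeps the failed-login events, and raises an alert for any source address with five or more failures inside a one-minute sliding window. The log format, the IP addresses (taken from the documentation ranges) and the thresholds are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// sampleLines are constructed sshd-style log lines, not from a real host.
// 203.0.113.7 hammers two accounts within 20 seconds; 198.51.100.22 fails
// twice, 37 minutes apart, and logs in successfully in between.
var sampleLines = []string{
	"2024-05-01T10:00:01Z sshd: Failed password for admin from 203.0.113.7",
	"2024-05-01T10:00:05Z sshd: Failed password for admin from 203.0.113.7",
	"2024-05-01T10:00:09Z sshd: Failed password for root from 203.0.113.7",
	"2024-05-01T10:00:14Z sshd: Failed password for root from 203.0.113.7",
	"2024-05-01T10:00:20Z sshd: Failed password for admin from 203.0.113.7",
	"2024-05-01T10:03:00Z sshd: Failed password for alice from 198.51.100.22",
	"2024-05-01T10:05:00Z sshd: Accepted password for alice from 198.51.100.22",
	"2024-05-01T10:40:00Z sshd: Failed password for bob from 198.51.100.22",
}

// failedRe is the detection signature: one failed password attempt per line.
var failedRe = regexp.MustCompile(`^(\S+) sshd: Failed password for (\S+) from (\S+)$`)

type failure struct {
	at   time.Time
	user string
	src  string
}

// parseFailures keeps only the lines that match the failed-login signature.
func parseFailures(lines []string) []failure {
	var out []failure
	for _, ln := range lines {
		m := failedRe.FindStringSubmatch(ln)
		if m == nil {
			continue
		}
		at, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue // malformed timestamp: skip rather than crash the sensor
		}
		out = append(out, failure{at: at, user: m[2], src: m[3]})
	}
	return out
}

// detectBruteForce flags every source with at least threshold failures inside
// any sliding window of the given length (a simple frequency signature).
func detectBruteForce(fails []failure, threshold int, window time.Duration) []string {
	if threshold < 1 {
		threshold = 1
	}
	bySrc := map[string][]time.Time{}
	for _, f := range fails {
		bySrc[f.src] = append(bySrc[f.src], f.at)
	}
	var flagged []string
	for src, ts := range bySrc {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := 0; i+threshold-1 < len(ts); i++ {
			if ts[i+threshold-1].Sub(ts[i]) <= window {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged) // deterministic output regardless of map iteration order
	return flagged
}

func main() {
	fails := parseFailures(sampleLines)
	fmt.Printf("parsed %d failed logins\n", len(fails))
	for _, src := range detectBruteForce(fails, 5, time.Minute) {
		fmt.Println("ALERT possible brute force from", src)
	}
}
```

The sliding window is what separates an attack from ordinary user error: 198.51.100.22 also fails twice, but 37 minutes apart, so it is not flagged, while a plain count without a window would treat it like the attacker. Tuning the threshold and window against the site's real failure rate is what keeps the false-positive rate acceptable.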
E-Mail Security
• Antivirus and antispam.
• E-mail encryption.
• Outbound filtering.