Lecture 22: Lesson 9: Security
Spreading Internet Virus Spoofs E-Mail Addresses

A new variant of a computer virus spreading around the Internet on Thursday spoofs the e-mail address of the sender, making it difficult to determine the source of infection, antivirus experts said.
Notes from The Lesson Plan

The learning objectives of lesson 8 include:
- Understand the basic elements of public key cryptography
- Understand how digital enterprises can be managed more securely
Computer security can be classified into three categories: secrecy, integrity and necessity. Secrecy involves protection against unauthorized data disclosure; integrity is concerned with unauthorized data modification; and necessity refers to preventing data delays, denial or removal. All three are potential sources of threats and need to be addressed in a corporate security policy.
The roles of copyright and intellectual property and their importance in any study of electronic commerce

Intellectual property is the ownership of ideas and control over the tangible or virtual representation of those ideas. For example, the design of a product is a form of intellectual property. Copyright protects intellectual property such as books, movies, articles, and recordings. Copyright and other intellectual property laws are important to computer security as they provide the legal basis for protecting and controlling much of the data and information contained on and within a computer system.
Threats and countermeasures to eliminate or reduce threats

Electronic commerce threats involve security throughout the “commerce chain,” including the client computers, the messages traveling on the communication channel, both the Web and commerce servers, and any hardware attached to those servers. The entire chain is only as secure as its weakest link. For example, customer credit card information can be encrypted while being transmitted over the Internet, but if an employee of the company receiving the credit card information accesses it without authorization, that circumvents the precautions taken at the network level.
Specific threats to client machines, Web servers, and commerce servers

Client machines are vulnerable to active content. Active content includes programs that can be embedded within HTML documents or email messages. These applications function as a Trojan horse and subject a client computer to any number of security violations, including release of confidential information and deletion of files on the computer.
The network that connects the client and server can also be a source of threats. Most information traveling on the Internet is in plain text, so anyone with access to a packet could view its contents. While there is a chance that someone could intercept packets in this way, the greatest threat is loss of service. Almost everyone in the networking business has a story to tell about the time the backhoe cut the fiber-optic cable. This is why large electronic commerce operations have redundant network access, so a single failure will not isolate them from their customers.
Servers are the most exposed to security threats because by their nature they are always available. A common and simple form of threat to a server is a denial of service (DoS) attack. In this type of threat, the server is intentionally bombarded with so many false requests that it is unable to respond to real requests. An unauthorized user may also gain administrator access to a server and modify Web pages or copy sensitive data stored on the server.
Methods you can use to enhance security in back office products, such as database servers

Server security can be improved by storing data in a database. A database system has built-in security provisions, such as user logins and passwords. Even with a valid password, only certain information may be available to a given user. In addition, a database may allow encryption of stored data, further protecting it from unauthorized access.
10 Steps to Secure a Network

1. Prepare a network/computer security policy for your organization. (Many such policies are available from security organizations.)
2. Evaluate your own network using a standard testing tool. Then be sure to fix the problems found. Retest after Step 3.
3. Hire a third party organization to do independent testing of your network. Fix the problems that are uncovered.
4. Deploy a network monitoring tool.
5. Deploy encryption for data transmission and storage.
6. Fix static passwords. Install a password management program and cracking program.
7. Obtain dynamic passwords for mobile computing users.
8. Run a "war dialer" on your network to identify security problems.
9. Establish an Incident Response Group for your organization -- before a problem occurs.
10. Require every business partner that connects to your network to provide evidence of security testing on their own networks and of having fixed the problems.

Source: James Settle
SSL Review

SSL uses public key cryptography to send data between client and web server during a secure session. Public key cryptography is based on a pair of asymmetric keys used for encryption and decryption. Each key pair has a public key and a private key. The public key is just that -- made publicly available on a key server. The private key is kept secret by the owner. Data encrypted with the public key can be decrypted only with the private key. Conversely, data encrypted with the private key can be decrypted only with the public key.
The asymmetric nature of public key cryptography makes it a valuable encryption tool for messaging on the web because it means the two parties (sender and receiver) do not need to share a single key. When you encrypt a message with your private key, a recipient using your public key to decrypt it will know that it is in fact from you. When someone uses your public key to encrypt a message to you, they know that only you (as the holder of the private key) will be able to decrypt and read it.
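The two directions described above, worked through in code. This is an added example for the lesson, not code from the original page: a textbook RSA key pair in pure Python (Miller-Rabin prime generation, public exponent 65537, no padding). `encrypt`/`decrypt` show the public-key direction; `sign`/`verify` show the private-key direction, which is what "encrypting with the private key" means in practice, since what gets transformed is a hash of the message. The key size and the sample message are constructed; SSL uses padded RSA and other schemes rather than this bare form, so the block is for understanding the mechanism only.

```python
import hashlib
import random


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    # write n - 1 as d * 2**r with d odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def generate_prime(bits, rng):
    """Random odd number of exactly `bits` bits, retried until probably prime."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits=1024, rng=None):
    """Return (public_key, private_key) as ((n, e), (n, d)).
    n = p*q is shared; e is published, d is the secret that undoes e."""
    if rng is None:
        rng = random.SystemRandom()
    e = 65537
    while True:
        p = generate_prime(bits // 2, rng)
        q = generate_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e must have an inverse modulo phi
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)


def encrypt(public_key, plaintext):
    """Public-key direction: anyone can encrypt, only the private key decrypts.
    Textbook RSA: the message is a single integer below n, no padding."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this key size")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    """Undo encrypt() with the secret exponent d."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")  # leading zero bytes are lost


def sign(private_key, message):
    """Private-key direction: 'encrypt' a hash of the message with d.
    Only the holder of d can produce this value."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)


def verify(public_key, message, signature):
    """'Decrypt' the signature with the public e and compare with the hash."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest


if __name__ == "__main__":
    public, private = generate_keypair(1024)
    order = b"order 1234: charge 59.90 to account alice"  # constructed message
    print(decrypt(private, encrypt(public, order)) == order)
    tag = sign(private, order)
    print(verify(public, order, tag), verify(public, order + b"0", tag))
```

The signature check fails both when the message changes and when a different key pair's public key is used, which is exactly the "it is in fact from you" property the lesson describes; the plaintext-length check is the point where real systems add padding instead of refusing.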