International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367 (Print), ISSN 0976-6375 (Online), Volume 4, Issue 6, November-December (2013), pp. 175-180, © IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2013): 6.1302 (Calculated by GISI), www.jifactor.com

E-BUSINESS TRANSACTION SECURITY: CHANGING TRENDS IN DATABASE SECURITY - CRITICAL REVIEW

Anuradha Sharma, Dept. of Computer Science, Amity University, Lucknow campus
Dr. Puneet Mishra, Asst. Prof., Dept. of Computer Science, Lucknow University, Lucknow

ABSTRACT

Electronic business has grown by leaps and bounds with the popularity of the internet. This popularity has also grown because of the services provided by ISP companies. As e-business grows, so does the problem of data breaches. For a breach, a hacker needs an internet connection and a careless worker/administrator, so that the hacker can gain access to gigabytes of information using his own laptop. These hacking incidents result in theft of personal information held in the database. This paper is a review showing that the greatest losses to a person or an organization result from breaches of, mainly, confidentiality, integrity and availability.

Keywords: Confidentiality, Integrity, Availability.

I. INTRODUCTION

E-business or electronic business is not limited to the buying and selling of goods over the internet. E-business includes using the internet to provide better customer service, streamline business processes, increase sales and reduce the cost of the business for the customer as well as the organization. IBM first used the term e-business in October 1977. A transaction simply means an instance of buying and selling something.
A transaction consists of a unit of work performed in a database management system against a database, and is in general independent of other transactions. The transaction has to complete in its entirety in order to make the database changes permanent. The transaction should be atomic, consistent, isolated and durable. Transactions in e-business have three major constituents, viz. the client computer, the communication medium, and the web and commerce servers. Security can be penetrated at any of the three parts. There are also three parties involved in transactions over the internet, viz. the client, the merchant and the transmission way (internet) [8].
E-business has not grown to its full potential despite its wide use and opportunities, one of its most important obstacles being the lack of adequate security measures as well as the difficulty of specifying adequate security requirements. An abundance of research about security in e-business can be found in the literature [10]. As a starting reference, we suggest the final report of the SEMPER (Secure Electronic Market Place for Europe) project. Database security breaches are not new to the internet world. Many breaches happen daily around the world, and the count keeps increasing. Some are very small and some are huge. Huge security breaches result in great loss of data, and small ones cause some loss, but not to a great extent. E-commerce activities are hampered by security breaches. Millions of dollars are spent by organizations on security appliances to make online transactions more secure. Even so, a new virus (a clever computer program) or a clever hacker can easily compromise these deterrents and cause losses of millions of dollars annually [1]. Security breaches can be categorized as unauthorized data observation, incorrect data modification, and data unavailability [2]. Disclosure of information to users not entitled to it is unauthorized data observation; it results in heavy losses, in both financial and human terms, for commercial as well as social organizations. Incorrect data modification, whether intentional or unintentional, results in an incorrect database state, and use of this incorrect database results in heavy losses for the organization. Data unavailability means that information crucial for the proper functioning of the organization is not available when needed [2].

The Ponemon Institute's research report The Human Factor in Data Protection focuses on how employees and other insiders can put the sensitive and confidential information of organizations at risk [3].

II. SECURITY GOALS

The term security can have different meanings in different aspects of life. In terms of computers, security can be summarized as confidentiality, integrity and availability.

1. Confidentiality: Confidentiality means preventing the unauthorized disclosure of information. Confidentiality is sometimes called secrecy or privacy. It means that only a person who has been granted access to something is able to access it. This access can be read, write or even print permission [4].

2. Integrity: Integrity refers to the trustworthiness of data or resources, and to preventing improper or unauthorized changes. As [4] notes, Welke and Mayfield recognize three particular aspects of integrity: authorized actions, separation and protection of resources, and error detection and correction [5][6]. Integrity can be enforced for e-business in the same manner as confidentiality, i.e. by controlling who or what can access which resources in which manner [4].

3. Availability: Availability is the ability to use the information or resource desired. Availability applies to both data and services. Expectations of availability are very high, and the security community is just beginning to understand what availability is and how to ensure it.

4. Accountability: If the accountability of a system is guaranteed, the participants in a communication activity can be sure that their communication partner is the one he or she claims to be. Thus, the communication partners can be held accountable for their actions [10][12].

Confidentiality and integrity can be preserved by a single access control point, but it is not clear whether it can enforce availability [4]. Studies by Gartner Research point out that, due to online fraud, 33% of online shoppers are buying fewer items.
Similarly, according to studies by TRUSTe, 40% of consumers avoid buying from small online retailers due to identity theft concerns. The Gartner report adds that, during the period May 2004 to May 2005, about 73 million consumers received phishing attacks through e-mails, of which 2.4 million users reported losing money. Companies up in arms after being targeted include PayPal, eBay, Citizens Bank, Bank of America, MSN, Amazon.com, VISA, Citibank, Lloyds TSB, Yahoo, US Bank, Microsoft and AOL. According to Forrester Research, 0.6 million Internet banking customers turned away from online financial transactions due to fear of keystroke-logging Trojans and phishing mails. This clearly reveals that the growth of e-commerce is greatly deterred by malicious activities like hacking, viruses/worms and phishing attacks [1].

III. LOSSES CAUSED DUE TO VARIOUS TYPES OF BREACHES

Some hackers might be involved in planting worms and viruses to interrupt business operations; others are interested in getting more profit in less time. Some ways in which hackers can profit from breaching an organization's security and obtaining confidential content are identity theft, selling sensitive technical or financial information to competitors, abusing customers' confidential data, and misusing the organization's name or product brands [7]. The following major breaches occurred in the years 2009 and 2010. As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary [9].
The following breaches, listed in Table 1 and Table 2, have been reported to the Secretary:

Table 1: Breaches of Health Information in the year 2009 (Country: U.S.A for every row)

State                        Approx. # affected   Date of breach   Type of Breach
Missouri                     1000                 9/22/09          Theft
California                   610                  9/22/09          Phishing Scam
Torrance, California         952                  9/27/09          Theft, Unauthorized Access
Torrance, California         857                  9/27/09          Theft, Unauthorized Access
Torrance, California         5,257                9/27/09          Theft, Unauthorized Access
Torrance, California         5,166                9/27/09          Theft, Unauthorized Access
Torrance, California         6,145                9/27/09          Theft, Unauthorized Access
California                   5,900                9/27/09          Theft
Texas                        1,430                9/30/09          Loss, Improper Disposal
Tennessee                    998,442              10/02/09         Theft
District of Columbia         15,000               10/07/09         Unauthorized Access
District of Columbia         3,800                10/09/09         Loss
Tennessee                    6,400                10/11/09         Theft
Texas                        1,000                10/16/09         Theft
Kentucky                     676                  10/20/09         Misdirected E-mail
Pennsylvania                 943                  10/20/09         Theft
Michigan                     10,000               10/22/09         Theft
District of Columbia         3,400                10/26/09         Unauthorized Access
Indiana                      480,000              11/03/09         Hacking/IT Incident
Nebraska                     800                  11/11/09         Theft
New York                     83,000               11/12/09         Incorrect Mailing
Texas                        3,800                11/19/09         Loss
New York                     344,579              11/24/09         Other
California                   7,300                11/30/09         Theft
California                   15,500               12/01/09         Theft
Wyoming                      9,023                12/02/09         Unauthorized Access
Wilmington, North Carolina   2,000                12/08/09         Hacking/IT Incident
Rhode Island                 528                  12/11/09         Unauthorized Access
Michigan                     10,000               12/15/09         Theft
Arizona                      1,101                12/15/09         Theft
Tennessee                    3,900                12/23/09         Other
Utah                         5,700                12/27/09         Theft
Graph 1: Comparison of different data breaches during 2009 (bar chart; categories: theft, loss, incorrect mail/hacking, others; y-axis: number of individuals affected, 0 to 1,200,000)

Table 2: Breaches of Health Information in the year 2010 (Country: U.S.A for every row)

State                        Approx. # affected   Date of breach   Type of Breach
Missouri                     9,309                1/10/10          Theft
Illinois                     1,300                1/13/10          Theft
California                   532                  1/11/10          Other
Illinois                     1,300                1/13/10          Theft
Texas                        689                  1/18/10          Theft
Colorado                     649                  1/19/10          Improper Disposal
Florida                      568                  1/19/10          Loss
Minnesota                    16.291               1/26/10          Other
Florida                      12,580               1/27/10          Theft
Florida                      3,800                1/29/10          Other
North Carolina               5,220                2/03/10          Loss
Connecticut                  957                  2/04/10          Unauthorized Access, Hacking/IT Incident
Tennessee                    1,874                2/05/10          Loss
Texas                        763                  2/09/10          Unauthorized Access
Washington                   5,080                2/12/10          Theft
Connecticut                  54,165               2/18/10          Theft
Illinois                     180,111              2/27/10          Theft
Florida                      2,600                3/09/10          Unauthorized Access
Wisconsin                    600                  3/19/10          Other
Tennessee                    10,515               3/20/10          Theft
New York                     130,495              3/24/10          Loss
Ohio                         60,998               3/27/10          Theft
California                   40,000               4/02/10          Theft
California                   584                  4/04/10          Theft
Illinois                     1,000                4/12/10          Theft
Tennessee                    1,745                4/19/10          Loss
Ohio                         1,001                4/22/10          Other
New York                     1,020                4/30/10          Unauthorized Access
Maryland                     937                  5/03/10          Other
Kansas                       1,105                5/12/10          Theft
Texas                        600                  5/29/10          Theft
Nevada                       7,526                6/11/10          Theft
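As an added example (not code from the paper), the per-category totals plotted in Graph 1 can be recomputed from the rows of Table 1. The grouping of the "Type of Breach" values into the graph's four bars is an assumption, since the paper does not spell it out; the same functions can be run over the rows of Table 2.

```python
"""Recompute the per-category totals behind Graph 1 from the rows of Table 1."""
from collections import defaultdict

# Rows of Table 1 (2009) as (approx. number affected, type of breach),
# in the order they appear in the paper; state and date are not needed here.
TABLE_1_2009 = [
    (1000, "Theft"), (610, "Phishing Scam"),
    (952, "Theft, Unauthorized Access"), (857, "Theft, Unauthorized Access"),
    (5257, "Theft, Unauthorized Access"), (5166, "Theft, Unauthorized Access"),
    (6145, "Theft, Unauthorized Access"), (5900, "Theft"),
    (1430, "Loss, Improper Disposal"), (998442, "Theft"),
    (15000, "Unauthorized Access"), (3800, "Loss"), (6400, "Theft"), (1000, "Theft"),
    (676, "Misdirected E-mail"), (943, "Theft"), (10000, "Theft"),
    (3400, "Unauthorized Access"), (480000, "Hacking/IT Incident"), (800, "Theft"),
    (83000, "Incorrect Mailing"), (3800, "Loss"), (344579, "Other"), (7300, "Theft"),
    (15500, "Theft"), (9023, "Unauthorized Access"), (2000, "Hacking/IT Incident"),
    (528, "Unauthorized Access"), (10000, "Theft"), (1101, "Theft"),
    (3900, "Other"), (5700, "Theft"),
]

# The four bars of Graph 1, in the order the graph lists them.
GRAPH_CATEGORIES = ("theft", "loss", "incorrect mail/hacking", "others")


def graph_category(breach_type):
    """Map a 'Type of Breach' value to one of the four Graph 1 bars.

    Assumed mapping (the paper does not state it): anything involving theft
    counts as theft, anything involving loss as loss, misdirected/incorrect
    mail and hacking/IT incidents form one bar, everything else is 'others'.
    """
    t = breach_type.lower()
    if "theft" in t:
        return "theft"
    if "loss" in t:
        return "loss"
    if "mail" in t or "hacking" in t:
        return "incorrect mail/hacking"
    return "others"


def totals_by_category(rows):
    """Sum the individuals affected per Graph 1 category, keeping bar order."""
    totals = defaultdict(int)
    for affected, breach_type in rows:
        totals[graph_category(breach_type)] += affected
    return {category: totals[category] for category in GRAPH_CATEGORIES}


def largest_category(rows):
    """Return the category with the highest total, i.e. the tallest bar."""
    totals = totals_by_category(rows)
    return max(totals, key=totals.get)


if __name__ == "__main__":
    for category, total in totals_by_category(TABLE_1_2009).items():
        print(f"{category:>24}: {total:>9,}")
```

Theft dominates the 2009 totals, which is consistent with the scale of Graph 1, whose y-axis runs to 1,200,000.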
Graph 2: Comparison of different data breaches during 2010 (bar chart; y-axis: number of individuals affected, 0 to 450,000)

The analysis of the above Table 1 and Table 2 has been done with the help of Graph 1 and Graph 2 respectively. Based on the above analysis of the health sector in the USA during the years 2009 and 2010, it can be concluded that the greatest losses have been caused by breaches which can be broadly categorized under confidentiality, integrity and availability. Thus, the major objectives of security for electronic business transactions should be taken to be confidentiality, integrity and availability [12]. There is a great need for security analysts to focus on these three areas of security breaches, viz. confidentiality, integrity and availability.

IV. CONCLUSION AND FUTURE SCOPE

With the growing usage of the internet, there is always a threat to our valuable data. A lot of people are affected whenever such data breaches occur. From the study done in this paper, with the data analyzed for the years 2009 and 2010, it can be concluded that most of the breaches that occurred in the above data can be broadly categorized as falling into the categories of confidentiality, integrity and availability. Thus, a lot of work needs to be done to secure against these types of breaches. The above analysis has been done on the health sector data of the USA. Similar attacks occur in the case of electronic business. Thus, based on the conclusion of the above analysis, we can say that in the case of electronic business too, security breaches can be broadly categorized as confidentiality, integrity and availability. There can be many more types of breaches, such as accountability, but for our further study we will focus on the above-mentioned three categories.

With the help of this study, we can develop a framework for the various categories of electronic business and the types of breaches that can attack the data. The framework can be used to define the possible threats for the various categories of e-business. Based on the possible threats, a security measure can be further developed that can help the parties involved in electronic business. These parties can be the clients and the merchants, who are directly involved in electronic business. With the help of the security measure, the database of the electronic business can be secured.
V. REFERENCES

[1] A. Mukhopadhyay et al., "Insuring Big Losses to Security Breaches Through Insurance: A Business Model", Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07), 0-7695-2755-8/07, © 2007 IEEE.
[2] Elisa Bertino, Ravi Sandhu (Fellow, IEEE), "Database Security - Concepts, Approaches and Challenges", IEEE Transactions on Dependable and Secure Computing, Vol. 2, No. 1, January-March 2005.
[3] Ponemon Institute Research Report, "The Human Factor in Data Protection", January 2012.
[4] Charles P. Pfleeger, Shari Lawrence Pfleeger, Deven N. Shah, "Security in Computing", pp. 7-11, Pearson Prentice Hall, 2009, ISBN 978-81-317-2725-6.
[5] Mayfield, T., et al., "Integrity in Automated Information Systems", C Technical Report 79-91, Sep. 1991.
[6] Welke, S., et al., "A Taxonomy of Integrity Models, Implementations, and Mechanisms", Proc. National Computer Security Conf., 1990, pp. 541-551.
[7] White paper, "Data Leakage Worldwide: The High Cost of Insider Threats", Cisco Systems, Inc., 2008.
[8] Anuradha Sharma, Puneet Mishra, "Security requirements for e-business applications", Proceedings of TIMES-2013, Alwar, 2013.
[9] U.S. Department of Health and Human Services, "Breaches affecting 500 or more individuals", available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.
[10] Konstantin Knorr, Susanne Röhrig, "Security requirements of e-business processes", IFIP Conference Proceedings Volume 202, pp. 73-86, Kluwer, 2001.
[11] Lacoste, G.; Pfitzmann, B.; Steiner, M.; Waidner, M. (eds.), "SEMPER - Secure Electronic Marketplace for Europe", LNCS 1854, Springer, 2000.
[12] Knorr, Konstantin; Röhrig, Susanne, "Security of Electronic Business Applications - Structure and Quantification", in: Proceedings of the 1st International Conference on Electronic Commerce and Web Technologies (EC-Web 2000), Greenwich, UK, Sep. 2000, pp. 25-37.
[13] Randy C. Marchany, Joseph G. Tront, "E-Commerce Security Issues", Proceedings of the 35th Hawaii International Conference on System Sciences, 2002.
[14] Singh, M. P., "Introduction to web semantics", The Practical Handbook of Internet Computing, pp. 29-1 to 29-13, Chapman & Hall/CRC, 2005.
[15] Zwass, Vladimir, "E-Commerce: Structures and Issues", International Journal of Electronic Commerce, 1(1):3-23, 1996.
[16] Matt Bishop, "Introduction to Computer Security", Pearson, 2011, pp. 4-10.
[17] A. Sengupta, C. Mazumdar, M. S. Barik, "E-commerce Security - A Lifecycle Approach", Sadhana, vol. 30, Parts 2&3, April/June 2005, pp. 119-140.
[18] Atul Kahate, "Cryptography and Network Security", TMH, New Delhi, 2006, pp. 4-10.
[19] Singh, M. P., "Introduction to web semantics", The Practical Handbook of Internet Computing, pp. 29-1 to 29-13, Chapman & Hall/CRC, 2005.
[20] O. Sami Saydjari, "Multilevel Security: Reprise", IEEE Security and Privacy, vol. 3, no. 5, 2004.
[21] Vijay Arputharaj J and Dr. R. Manicka Chezian, "Data Mining with Human Genetics to Enhance Gene Based Algorithm and DNA Database Security", International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 3, 2013, pp. 176-181, ISSN Print: 0976-6367, ISSN Online: 0976-6375.
[22] V. Srikanth and Dr. R. Dhanapal, "Ecommerce Online Security and Trust Marks", International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 2, 2012, pp. 238-255, ISSN Print: 0976-6367, ISSN Online: 0976-6375.
[23] Abhishek Pandey, R. M. Tugnayat and A. K. Tiwari, "Data Security Framework for Cloud Computing Networks", International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 1, 2013, pp. 178-181, ISSN Print: 0976-6367, ISSN Online: 0976-6375.
[24] M. Karthikeyan, M. Suriya Kumar and Dr. S. Karthikeyan, "A Literature Review on the Data Mining and Information Security", International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 1, 2012, pp. 141-146, ISSN Print: 0976-6367, ISSN Online: 0976-6375.