6. Security Threats with E-Commerce

Published in: Education, Technology, Business
1 Comment
  • Jitendra, your presentation starts with security in cyberspace, which is fantastic, because that is exactly what I was researching for. This is also informative: https://blog.appknox.com/top-5-cyber-threats-that-e-commerce-companies-should-watch-out-for-2/

  1. Amity School of Business
     Jitendra Tomar (Orator)
     09650512300
     jitendratomar@hotmail.com, jitendratomar@rediffmail.com
  2. Part 6: Security Threats with E-Commerce
  3. Security in Cyberspace
  4. Security in Cyberspace
     • The electronic system that supports e-commerce is susceptible to abuse and failure in many ways:
       • Fraud: an act that results in direct financial loss. Funds might be transferred from one account to another, or financial records might simply be destroyed.
       • Theft: theft of confidential, proprietary, technological, or marketing information belonging to the firm or to the customer. An intruder may disclose such information to a third party, resulting in damage to a key customer, a client, or the firm itself.
  5. Security in Cyberspace (continued)
       • Disruption of service: may result in major losses for the business or inconvenience to the customer.
       • Illegal intrusion into customer data: leads to loss of customer confidence, whether the cause is an illegal intrusion into customer files or company business, dishonesty, human mistakes, or network failures.
  6. Nature of Cyber Business
  7. Why is Business on the Internet Different?
     • The nature of the E-Commerce and the Bricks & Mortar models of doing business is quite different:
       • The payment systems differ (electronic money versus real money).
       • Practical and legal differences exist between the traditional store (paper-based commerce) and computer-based commerce.
       • The electronic medium is available 24x7x365, compared with the limited processing hours of a physical business house.
       • Electronic business works on the concept of anyone, anywhere, anytime, which is quite different from the business culture of physical houses.
  8. Why is Business on the Internet Different?

     Paper-Based Commerce                           | Electronic Commerce
     -----------------------------------------------|----------------------------------
     Signed paper document                          | Digital signature
     Physical interaction                           | Electronic, via website
     Physical payment system                        | Electronic payment system
     Merchant and customer are face to face         | No face-to-face contact
     Detection of modifications is difficult        | Easy detection of modifications
     Negotiable documents require special security  | Easy negotiability of documents
  9. Conceptualizing Security
  10. Security Concerns
     • The first issue in security is identifying the principals: the people, processes, machines, and keys that transact (send, receive, access, update, delete) information via databases, computers, and networks.
     • Security concerns generally involve the following issues:
       • Confidentiality: knowing who can read data and ensuring that information on the network remains private. This is achieved with encryption.
  11. Security Concerns (continued)
       • Authentication: making sure that message senders or principals are who they say they are.
       • Integrity: making sure that information is not accidentally or maliciously altered or corrupted in transit.
       • Access control: restricting the use of a resource to authorized principals.
       • Non-repudiation: ensuring that principals cannot deny that they sent a message. Note that a shared-secret check (such as a message authentication code) cannot provide this, because the receiver holds the same secret and could have produced the evidence itself; non-repudiation needs a digital signature under a key only the sender holds.
       • Firewalls: a filter between corporate networks and the Internet that keeps intruders away from corporate information and files while allowing access to authorized principals. (Strictly, a firewall is a control that enforces access control rather than a security property in its own right.)
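The properties on slides 10 and 11, and the "digital signature" and "easy detection of modifications" rows of the slide 8 table, worked through as an added example in Go. This is not code from the presentation: AES-256-GCM provides confidentiality (and tamper detection) for an order record, HMAC-SHA256 gives integrity and authentication between two parties that share a key, and an Ed25519 signature gives non-repudiation, which the HMAC cannot, because the merchant could forge a tag with the shared key. The order record, the key and the key pair are constructed inside the block; the function names Seal, Open, Tag, VerifyTag, Sign and VerifySig are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal gives confidentiality: only holders of the key can read the order.
// GCM also authenticates the ciphertext, so tampering is caught by Open.
// The random nonce is prepended to the output; it must never repeat for a key.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails if the key is wrong or any byte was altered.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Tag gives integrity and authentication between two parties sharing a key:
// a valid HMAC-SHA256 tag proves the message came from a key holder unaltered.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyTag compares in constant time so timing does not leak the tag.
func VerifyTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// Sign gives non-repudiation: only the customer's private key can produce the
// signature, yet anyone with the public key can verify it, so the customer
// cannot later deny placing the order.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func VerifySig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	order := []byte(`{"order":1234,"item":"laptop","total":"1199.00"}`) // constructed sample
	forged := []byte(`{"order":1234,"item":"laptop","total":"1.00"}`)   // attacker's version
	key := make([]byte, 32)
	rand.Read(key) // shared 256-bit key; in practice agreed via a key exchange

	sealed, _ := Seal(key, order)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the ciphertext in transit
	_, err := Open(key, sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	tag := Tag(key, order)
	fmt.Println("altered order fails HMAC check:", !VerifyTag(key, forged, tag))
	fmt.Println("merchant can forge an HMAC on the altered order:", VerifyTag(key, forged, Tag(key, forged)))

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := Sign(priv, order)
	fmt.Println("customer's signature verifies:", VerifySig(pub, order, sig))
	fmt.Println("signature does not cover the altered order:", VerifySig(pub, forged, sig))
}
```

The last two HMAC lines are the point of the distinction on slide 11: the merchant can always produce a valid tag on any message it likes, so a tag is evidence only to the two parties themselves, whereas the signature binds the order to the customer's private key.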
  12. The Privacy Factor
     • In the absence of regulatory protection, experts urge privacy-sensitive surfers to take basic steps to protect their privacy while online:
       • Send e-mail through remailers.
       • Tighten the privacy and security settings of your Web browser.
       • Use a secondary free e-mail account so that your main business e-mail address is not exposed.
       • Avoid filling out forms or questionnaires online.
       • Use a privacy application/software/utility to protect the files and contents of your PC.
       • Install a firewall program to protect your computer from hackers.
  13. The Woes of a Password
     • There is no silver-bullet solution to user authentication. There are, however, ideas for improving security systems:
       • Limit the number of times a password can be retried against a sensitive system.
       • Train employees, customers, and the general public in more advanced methods like biometrics, public-key encryption (PKE), and smart cards, and be prepared to use such technology when it becomes available.
       • Ensure that systems designers and systems analysts are well versed in security issues and security procedures as part of every future application.
       • Review and evaluate the strength of the current password schemes used by customers and employees alike.
  14. The Ph-ear of Phishing
     • Phishing is a relatively recent phenomenon, having appeared within the past few years, and is becoming an effective tool for online criminals. Strictly, phishing is the deceptive message or look-alike website that tricks a user into handing over credentials; the characteristics below describe the malware that such lures often deliver.
     • Phishing has several characteristics:
       • Trojan horses are installed on vulnerable machines to gather data.
       • They "harvest" user names and passwords and pass them to attackers.
       • Users' PCs are compromised without their knowledge.
       • Software vulnerabilities are exploited to make PCs download code without any action by the user.
  15. Identity Theft
     • Victims of ID theft have found no quick fix for clearing their names. Nearly one third said they had been unable to repair their wrecked credit or restore their identities to good standing a year after their personal information was stolen.
     • Some basic guidelines for users to protect themselves from identity theft:
       • Protect your identification number, SSN and licence number by supplying them only when absolutely necessary.
       • Check your credit reports at least once a year. Check your statements for unexplained charges or unusual withdrawals from your bank accounts.
  16. Identity Theft (continued)
       • Be careful whom you talk to on the telephone: telemarketers, ISP employees, or even members of government agencies could all be disguised criminals.
       • Use a shredder to get rid of your statements and receipts. When using ATMs, never leave your receipts behind.
       • Use strong passwords. Do not use information about yourself that could be guessed easily, such as your telephone number, vehicle registration, own name, a close relative's name, house number, and the like.
       • Remove your mail from your mailbox promptly. Use offline mail applications like Outlook.
       • If your personal information is stolen, file a report with the local police and keep a copy for dealing with creditors later.
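The "strong passwords" point on slide 16, together with the "review and evaluate the strength of the current password schemes" point on slide 13, as an added example in Go (not code from the presentation). It checks a candidate password for length and character variety and then against the personal details the slide lists, normalizing away case, spaces and punctuation so that "DL 8C AB 1234" is still caught inside "Dl8cAb1234!xyz", and catching a name written backwards. The Profile type, the CheckPassword function and the sample profile and passwords are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Profile holds the personal details slide 16 says a password must not be
// built from. Values used below are constructed examples, not real data.
type Profile struct {
	Name, Relative, Phone, VehicleReg, HouseNo string
}

// normalize lower-cases and keeps only letters and digits, so that
// "DL-8C AB 1234" and "dl8cab1234" compare equal.
func normalize(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if unicode.IsLetter(r) || unicode.IsDigit(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// digitRuns splits out maximal runs of digits: "flat7street2023" -> ["7", "2023"].
func digitRuns(s string) []string {
	return strings.FieldsFunc(s, func(r rune) bool { return !unicode.IsDigit(r) })
}

// CheckPassword returns the policy violations found; an empty result means the
// password is acceptable under this illustrative policy.
func CheckPassword(pw string, p Profile) []string {
	var problems []string
	if len([]rune(pw)) < 12 {
		problems = append(problems, "shorter than 12 characters")
	}
	classes := map[string]bool{}
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			classes["lower"] = true
		case unicode.IsUpper(r):
			classes["upper"] = true
		case unicode.IsDigit(r):
			classes["digit"] = true
		default:
			classes["symbol"] = true
		}
	}
	if len(classes) < 3 {
		problems = append(problems, "uses fewer than 3 character classes")
	}
	npw := normalize(pw)
	runs := digitRuns(npw)
	details := []struct{ label, value string }{
		{"own name", p.Name}, {"relative's name", p.Relative}, {"phone number", p.Phone},
		{"vehicle registration", p.VehicleReg}, {"house number", p.HouseNo},
	}
	for _, d := range details {
		v := normalize(d.value)
		hit := false
		if len(v) >= 3 {
			// long enough for a meaningful substring match, forwards or reversed
			hit = strings.Contains(npw, v) || strings.Contains(npw, reverse(v))
		} else if v != "" {
			// a short value such as house number "7" only counts as a whole digit run,
			// otherwise every "7" anywhere in the password would be flagged
			for _, r := range runs {
				hit = hit || r == v
			}
		}
		if hit {
			problems = append(problems, "contains "+d.label)
		}
	}
	return problems
}

func main() {
	me := Profile{Name: "Sharma", Relative: "Rahul", Phone: "9812345678", VehicleReg: "DL 8C AB 1234", HouseNo: "7"}
	for _, pw := range []string{"Sharma@9812345678", "Luhar#2023wow", "Flat-7-Street!", "correct-Horse-battery-42"} {
		fmt.Printf("%-28q -> %v\n", pw, CheckPassword(pw, me))
	}
}
```

A real deployment would add a check against a list of breached passwords and rate-limit attempts as slide 13 suggests; the point of the block is that "do not use personal information" is only enforceable if the check normalizes the way an attacker guesses, not the way the user typed.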
  17. Designing Security
  18. Designing Security
     • Hacking, net-espionage, cracking, viruses, global worms, employees with malicious intent, cyber terrorism, internal theft: these are just some of the security challenges today's organizations face.
     • Hackers and malicious code writers are automating their attack tools so that they stay one step ahead of the law and of security officers. Technology without strategy can actually leave the organization more vulnerable.
     • For information security design, the key question is: how do you know that the design will be secure? The answer lies in an effective design that is part of the business-to-consumer installation from the beginning. Adding security mechanisms as an afterthought can be costly and ineffective. The design process begins with a chief security officer and involves five major steps:
  19. Designing Security: Assess the security needs of the firm
     • The chief security officer should be able to pinpoint the security breaches that threaten the company's business and how well the company complies with the various laws and regulations. It is prudent to look for security vulnerabilities before it is too late. The cheapest and most effective time to fix problems is during development. A system assessment life cycle begins with developing the new system using security best practices; the system is then tested to detect unforeseen security flaws before it is released for implementation; finally, the running system is monitored and maintained at all times.
  20. Designing Security: Adopt a security policy that makes sense
     • Security policies should cover the entire e-commerce system, including the merchant's LAN, hardware, software, firewalls, protocols, standards, databases, and the staff directly involved in the e-commerce process. The policies should spell out Internet security practices, the nature and level of risks, the level of protection, and the procedure to follow to react to threats and recover from failure. Above all, policies must have the blessing of top management if they are to have a chance of succeeding.
  21. Designing Security: Consider Web security needs
     • Here the company lists its top vulnerabilities and takes a close look at critical applications to decide risk levels. The amount of security a Web merchant needs depends on the sensitivity of its data and the demand for it. If the site collects credit card numbers, the company requires the highest security possible for the Web server, the network, and the website. The company may also consult a security consultant to see what options are available and how to put them to good use.
  22. Designing Security: Design the security environment
     • The design begins with sketching out the stepping stones: the sequence and parameters of the security network, based on the security policy and the requirements of the e-commerce system. Physical security design looks at PCs, the LAN, operating systems, firewalls, security protocols, other network infrastructure, physical location and layout, bandwidth, the security protocols of the ISP, and the communication medium that connects the merchant to the ISP. How much security goes into a system depends on how much risk the company is willing to take, the security policy it is willing to adopt, and the present state of security practices in the workplace.
  23. Designing Security (continued)
     • This phase generally deals with designing the security perimeter, which usually includes firewalls, authentication, VPNs, and intrusion detection devices. Installing such software and devices is part of the physical design. The challenge is to police the entire perimeter.
     • Authorize and monitor the security system. Only authorized users are allowed access to the e-commerce site and other IT systems. This involves installing a system that grants different users authorization to handle different jobs. Most companies adopt a policy that denies access to all except those who are explicitly allowed (default deny). This policy, along with good security design, should keep a site reasonably secure.
  24. Designing Security (continued)
     • Monitoring means capturing processing details for evidence, verifying that the e-commerce system is operating within the security policy, and verifying that attacks have been unsuccessful.
     • Raise awareness of possible intrusions. With today's firms relying more and more on the Internet, they face an ever-growing spectrum of threats, which demands more protection against cyber-risks. Risks arise not so much from breaches of a company's security policy as from improper use of Internet technologies. Users should be made aware of the potential risk factors and of how to avoid them through simple but cautious use of Internet technologies.
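The "authorize and monitor" step on slides 23 and 24, as an added example in Go (not code from the presentation). The Authorizer keeps only an explicit allow list and refuses anything not on it, records every decision with its reason as audit evidence, and flags subjects that collect repeated denials, which is one concrete way to "verify that attacks have been unsuccessful". The same request is also evaluated under a default-allow policy to show what the slide's recommendation prevents. The types, method names, threshold and the clerk/orders sample are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Decision is one audit record: who asked for what, the answer, and why.
// Keeping these is the "capturing processing details for evidence" part of
// monitoring; Reason lets a reviewer see at a glance why access was refused.
type Decision struct {
	Subject, Action, Resource, Reason string
	Allowed                           bool
}

// Authorizer holds an explicit allow list. With DefaultAllow false (the policy
// slide 23 recommends) every request not on the list is refused.
type Authorizer struct {
	DefaultAllow bool
	grants       map[string]bool // keyed by subject|action|resource
	Log          []Decision      // audit trail, appended on every Check
}

func NewAuthorizer(defaultAllow bool) *Authorizer {
	return &Authorizer{DefaultAllow: defaultAllow, grants: map[string]bool{}}
}

func grantKey(subject, action, resource string) string {
	return subject + "|" + action + "|" + resource
}

func (a *Authorizer) Grant(subject, action, resource string) {
	a.grants[grantKey(subject, action, resource)] = true
}

// Check decides one request and appends the decision to the audit log.
func (a *Authorizer) Check(subject, action, resource string) bool {
	allowed, reason := a.grants[grantKey(subject, action, resource)], "explicit grant"
	if !allowed {
		allowed = a.DefaultAllow
		if allowed {
			reason = "no grant, but policy defaults to allow"
		} else {
			reason = "no grant, policy defaults to deny"
		}
	}
	a.Log = append(a.Log, Decision{subject, action, resource, reason, allowed})
	return allowed
}

// Probing returns subjects refused at least threshold times, sorted by name:
// a burst of denials is the signal that someone is testing what they can reach.
func (a *Authorizer) Probing(threshold int) []string {
	counts := map[string]int{}
	for _, d := range a.Log {
		if !d.Allowed {
			counts[d.Subject]++
		}
	}
	var out []string
	for s, n := range counts {
		if n >= threshold {
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample: a clerk may read and ship orders and nothing else.
	// "apply_coupon" was never granted; it is the kind of unauthorized feature
	// slide 28 warns about, and only the default-deny policy stops it.
	for _, defaultAllow := range []bool{false, true} {
		az := NewAuthorizer(defaultAllow)
		az.Grant("clerk", "read", "orders")
		az.Grant("clerk", "ship", "orders")
		fmt.Printf("defaultAllow=%-5v clerk apply_coupon on orders -> %v\n", defaultAllow, az.Check("clerk", "apply_coupon", "orders"))
	}

	az := NewAuthorizer(false)
	az.Grant("clerk", "read", "orders")
	for _, act := range []string{"read", "delete", "apply_coupon", "export"} {
		az.Check("clerk", act, "orders")
	}
	fmt.Println("subjects probing for access:", az.Probing(3))
	for _, d := range az.Log {
		fmt.Printf("%-6s %-13s %-7s allowed=%-5v %s\n", d.Subject, d.Action, d.Resource, d.Allowed, d.Reason)
	}
}
```

The denial log is what makes the slide's third monitoring goal checkable: an attack that was refused still leaves a record, and a short run of denials from one subject is worth an alert before that subject finds the one action nobody thought to restrict.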
  25. Security Risk Analysis: How Much Risk Can One Afford?
     • The top officials of a company generally ask two questions about their company's security as it relates to e-commerce:
       • How secure are we?
       • How much will it cost to secure our e-system?
     • A few other questions arise as well:
       • How secure do we need to be?
       • What are we doing to monitor and improve security?
       • What monitors do we have that tell us whether we have been hit, and how hard?
  26. Security Risk Analysis: How Much Risk Can One Afford? (continued)
     • The level of security required is determined by the specific threats inherent in the system's design. One way of addressing risk is to estimate the pain threshold that the company and the attacker are each willing to tolerate.
     • The network administrator needs to know what is being protected, its value to the company, and its value to outsiders. The statements "when you have nothing, you have nothing to lose" and "there is not much that they can steal" do not apply in network and Internet security. The goal of security strategies, methods, and procedures is to raise the threshold of pain an attacker must endure to gain access to a system and cause damage.
  27. Thefts and the Underground Economy
     • Organized electronic crime and worm-writing activity has been surging in the open, with nothing to slow it down. It is powering an underground economy specializing in ID theft and spam. Signs of the underground economy include:
       • Credit card databases bought and sold.
       • Hacked servers bought and sold.
       • Distributed denial-of-service attack networks bought and sold.
       • Machines infected with viruses and then turned into proxies or attack networks.
  28. Kinds of Theft or Crime
     • Before promoting security, one must know what one is trying to prevent. Web merchants must consider three kinds of threats or crimes:
       • Those that are physically related: a hacker might attempt to steal or damage inventory. Other examples include stolen credit card records, stolen computer hardware or software, and sheer vandalism. An attacker, often by guessing passwords, might succeed in gaining access to another user's account, and might even be able to conjure up unauthorized features such as discount coupons or specials in an effort to get merchandise free of charge.
  29. Kinds of Theft or Crime (continued)
       • Those that are order related: a customer might attempt to use an invalid or stolen credit card, or claim that no merchandise was received on a good credit card. Children might use their parents' credit cards without permission. Insiders can do a lot to corrupt an order because they have access to sensitive systems and information; all it takes is a disgruntled or greedy employee to disrupt or divert an order to his or her advantage.
       • Those that are electronically related: a hacker might try to sniff e-mail, or attempt to steal credit card numbers and use them illegally at a later stage.