Information Security
ICT2243 - E-Commerce Implementation,
Management & Security
by
TG/2017/233 - W. W. M. S. Karunasena
Lecturer in charge: Mrs. Iromi R. Paranavithana
Submission Date: 20th April 2020
Bachelor of Information and Communication Technology
Department of Information and Communication Technology
Faculty of Technology
University of Ruhuna.
Contents
Introduction to InfoSec (p. 3)
Technical security attack methods that ecommerce applications can be vulnerable to (p. 4)
Vulnerability Assessments (p. 5)
Penetration Testing (p. 6)
  Penetration testing stages (p. 7)
  Penetration testing methods (p. 8)
ISO/IEC 27001:2013 (p. 9)
Introduction to InfoSec
Information Security is not only about protecting information from unauthorized access. It is
the practice of preventing unauthorized access, use, disclosure, disruption, modification,
inspection, recording or destruction of information. Information can be physical or electronic,
and it can be anything from your personal details, such as your profile on social media, to the
data on your mobile phone or your biometrics. Information Security therefore spans many
research areas, such as Cryptography, Mobile Computing, Cyber Forensics and Online Social
Media.
During the First World War, a multi-tier classification system was developed with the
sensitivity of information in mind. With the beginning of the Second World War, the
classification system was formally aligned. Alan Turing was the one who successfully decrypted
the Enigma machine, which the Germans used to encrypt wartime data.
Information Security programs are built around three objectives, commonly known as the CIA
triad: Confidentiality, Integrity and Availability.
1. Confidentiality means that information is not disclosed to unauthorized individuals,
entities or processes. For example, suppose I have a password for my Gmail account, but
someone watched me while I was logging into it. In that case my password has been
compromised and Confidentiality has been breached.
2. Integrity means maintaining the accuracy and completeness of data, so that data cannot
be edited in an unauthorized way. For example, if an employee leaves an organization,
the data for that employee in every department (such as accounts) should be updated to
the status JOB LEFT so that the data stays complete and accurate; in addition, only
authorized persons should be allowed to edit employee data.
3. Availability means that information must be available when it is needed. For example,
if one needs to access the records of a particular employee to check whether that
employee has exceeded their number of leave days, keeping that information available
requires collaboration between different organizational teams, such as network
operations, development operations, incident response and policy/change management.
Technical security attack methods that ecommerce applications can be vulnerable to
o Financial Fraud
Financial fraud has afflicted online businesses since their inception. Hackers make
unauthorized transactions and wipe out the trail, costing businesses significant losses.
Some fraudsters also file requests for fake refunds or returns. Refund fraud is a common
financial fraud in which businesses are made to refund illegally acquired products or
damaged goods.
o Spam
While email is known as a strong medium for driving sales, it also remains one of the
most used mediums for spamming. Comments on your blog and contact forms are also an
open invitation for online spammers, who leave infected links there in order to harm
you. They often send such links via social media inboxes and wait for you to click on
the messages. Moreover, spamming not only affects your website’s security, it also
degrades your website’s speed.
o Phishing
Phishing is one of the most common security threats in ecommerce: hackers masquerade
as a legitimate business and send emails to your clients to trick them into revealing
their sensitive information, typically by presenting them with a fake copy of your
legitimate website or anything else that leads the customer to believe the request is
coming from the business.
o Bots
You may know bots from their good side, such as those that crawl the web and help your
website rank in Search Engine Result Pages. However, there are bots built specifically
to scrape websites for their pricing and inventory information. Hackers use such
information to change the pricing of your online store, or to hold the best-selling
inventory in shopping carts, resulting in a decline in sales and revenue.
o DDoS Attacks
Distributed Denial of Service (DDoS) attacks and Denial of Service (DoS) attacks aim to
disrupt your website and hurt overall sales. These attacks flood your servers with so
many requests that the servers succumb to them and your website goes down.
o Brute Force Attacks
These attacks target your online store’s admin panel in an attempt to discover your
password by brute force. The attacker uses a program that establishes a connection to
your website and tries every possible combination until it cracks the password. You can
protect yourself against such attacks by using a strong, complex password, and remember
to change it regularly.
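Because a brute-force attempt is, by definition, a burst of failed logins from one source, it is also easy to detect in the admin panel's access log. The following detector is an added example, not part of the original assignment; it parses a constructed log in a made-up format (timestamp, client IP, outcome, username) and flags sources with at least five failures inside any five-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an admin-panel access log (format and values are
# invented for this example; adapt LINE_RE to your own log layout).
SAMPLE_LOG = """\
2020-04-20T10:00:01 203.0.113.7 LOGIN_FAIL admin
2020-04-20T10:00:02 203.0.113.7 LOGIN_FAIL admin
2020-04-20T10:00:03 203.0.113.7 LOGIN_FAIL admin
2020-04-20T10:00:04 203.0.113.7 LOGIN_FAIL admin
2020-04-20T10:00:05 203.0.113.7 LOGIN_FAIL admin
2020-04-20T10:00:06 203.0.113.7 LOGIN_FAIL admin
2020-04-20T10:01:30 198.51.100.4 LOGIN_FAIL shopowner
2020-04-20T10:01:45 198.51.100.4 LOGIN_OK shopowner
2020-04-20T11:30:00 203.0.113.7 LOGIN_FAIL admin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_FAIL|LOGIN_OK) (\S+)$")


def parse_log(text):
    """Turn raw log text into (timestamp, ip, outcome, user) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected shape
        ts, ip, outcome, user = m.groups()
        events.append((datetime.fromisoformat(ts), ip, outcome, user))
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: max_failures_in_window} for sources that hit the threshold.

    A sliding window over each source's sorted failure timestamps, so a
    single typo at 10:00 and another at 11:30 (as for the second IP) is not
    flagged, while a rapid burst is.
    """
    failures = defaultdict(list)
    for ts, ip, outcome, _user in events:
        if outcome == "LOGIN_FAIL":
            failures[ip].append(ts)

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window's left edge until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, count in find_brute_force(parse_log(SAMPLE_LOG)).items():
        print(f"possible brute force from {ip}: {count} failures in 5 minutes")
```

The same counter, applied at login time rather than over the log, is the basis of a lockout or throttling rule for the admin panel.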
o SQL Injections
SQL injections are cyber-attacks intended to access your database through your query
submission forms. The attacker injects malicious SQL into the query your application
builds from the form input, collects the data, and may delete it later on.
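The defect behind SQL injection is string-building: the form value becomes part of the query text. The example below is added here and is not from the original assignment; it uses an in-memory SQLite table with constructed customer rows and puts the vulnerable lookup next to its parameterized replacement so the difference in behaviour on the same input is visible.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a shop's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("alice@example.com", "Alice", "4242"),
         ("bob@example.com", "Bob", "1111")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Defective pattern: the form value is pasted into the SQL text, so a
    quote character in the input changes the structure of the query."""
    sql = f"SELECT email FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    """Hardened form: the value is bound as a parameter and is only ever
    compared as data; it cannot become part of the query grammar."""
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


if __name__ == "__main__":
    conn = build_db()
    normal = "alice@example.com"
    # Constructed malformed input of the kind an injection probe submits.
    hostile = "x' OR '1'='1"
    print(lookup_vulnerable(conn, normal))       # one matching row
    print(lookup_vulnerable(conn, hostile))      # every row leaks
    print(lookup_parameterized(conn, hostile))   # no match: treated as a literal
```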
o XSS
Hackers target your website’s visitors by injecting malicious code into your online
store. You can safeguard against it by implementing a Content Security Policy.
o Trojan Horses
Admins and customers may have Trojan Horses downloaded onto their systems. This is one
of the worst network security threats, since attackers use these programs to steal
sensitive information from those computers with ease.
Vulnerability Assessments
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or
ranking) the vulnerabilities in a system. Examples of systems for which vulnerability
assessments are performed include, but are not limited to, information technology systems,
energy supply systems, water supply systems, transportation systems, and communication
systems. Such assessments may be conducted on behalf of a range of organizations, from small
businesses up to large regional infrastructures. From the perspective of disaster management,
vulnerability assessment means assessing the threats that potential hazards pose to the
population and to infrastructure; it may be conducted in the political, social, economic, or
environmental fields.
Vulnerability assessment has many things in common with risk assessment. Assessments are
typically performed according to the following steps:
1. Cataloging the assets and capabilities (resources) in a system.
2. Assigning a quantifiable value (or at least a rank order) and importance to those resources.
3. Identifying the vulnerabilities or potential threats to each resource.
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.
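The four steps above produce a ranked remediation list. As an added worked example (not from the original assignment), the script below runs them over a constructed inventory for a small web shop: asset values on a 1 to 5 scale and severities on a 0 to 10 scale are invented, and the value-weighted score is one simple ranking choice, not the only one.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: int                               # step 2: importance, 1 (low) to 5 (critical)
    vulns: list = field(default_factory=list)  # step 3: (title, severity 0-10)


def risk_score(asset, severity):
    """Value-weighted severity: a moderate flaw on the payment API outranks
    a severe one on a disposable staging box, which is what step 4 asks for."""
    return asset.value * severity


def prioritize(assets):
    """Return (score, asset name, vulnerability) triples, most urgent first.

    Ties are broken by name so the ordering is stable and reproducible.
    """
    items = [(risk_score(a, sev), a.name, title)
             for a in assets for title, sev in a.vulns]
    return sorted(items, key=lambda t: (-t[0], t[1], t[2]))


# Step 1: constructed catalogue of a small shop's assets (values invented).
SHOP = [
    Asset("payment-api", 5, [("outdated TLS library", 6.5),
                             ("verbose error pages", 3.0)]),
    Asset("admin-panel", 4, [("no login rate limiting", 7.0)]),
    Asset("staging-server", 1, [("default credentials", 9.8)]),
]

if __name__ == "__main__":
    for score, name, title in prioritize(SHOP):
        print(f"{score:5.1f}  {name:15s} {title}")
```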
Penetration Testing
A penetration test, also known as a pen test, is a simulated cyber-attack against your computer
system to check for exploitable vulnerabilities. In the context of web application security,
penetration testing is commonly used to augment a web application firewall (WAF).
Pen testing can involve attempting to breach any number of application systems (e.g.,
application programming interfaces (APIs), frontend/backend servers) to uncover
vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.
Insights provided by the penetration test can be used to fine-tune your WAF security policies
and patch the detected vulnerabilities.
Penetration testing stages
1. Planning and reconnaissance
The first stage involves:
o Defining the scope and goals of the test, including the systems to be addressed and the
testing methods to be used.
o Gathering intelligence (e.g., network and domain names, mail servers) to better
understand how a target works and where its potential vulnerabilities lie.
2. Scanning
The next step is to understand how the target application will respond to various
intrusion attempts. This is typically done using:
o Static analysis: inspecting an application’s code to estimate how it behaves while
running. These tools can scan the entirety of the code in a single pass.
o Dynamic analysis: inspecting an application’s code in a running state. This is a more
practical way of scanning, as it provides a real-time view into an application’s
behaviour.
3. Gaining Access
This stage uses web application attacks, such as cross-site scripting, SQL injection
and backdoors, to uncover a target’s vulnerabilities. Testers then try and exploit these
vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic,
etc., to understand the damage they can cause.
4. Maintaining access
The goal of this stage is to see whether the vulnerability can be used to achieve a
persistent presence in the exploited system, long enough for a bad actor to gain in-depth
access. The idea is to imitate advanced persistent threats, which often remain in a
system for months in order to steal an organization’s most sensitive data.
5. Analysis
The results of the penetration test are then compiled into a report detailing:
o The specific vulnerabilities that were exploited
o The sensitive data that was accessed
o The amount of time the pen tester was able to remain in the system undetected
This information is analyzed by security personnel to help configure an enterprise’s WAF
settings and other application security solutions, patch the vulnerabilities, and protect
against future attacks.
Penetration testing methods
External testing
External penetration tests target the assets of a company that are visible on the internet, e.g.,
the web application itself, the company website, and its email and domain name servers (DNS).
The goal is to gain access and extract valuable data.
Internal testing
In an internal test, a tester with access to an application behind its firewall simulates an attack
by a malicious insider. This is not necessarily simulating a rogue employee. A common starting
scenario can be an employee whose credentials were stolen due to a phishing attack.
Blind testing
In a blind test, a tester is only given the name of the enterprise that is being targeted. This gives
security personnel a real-time look into how an actual application assault would take place.
Double-blind testing
In a double-blind test, security personnel have no prior knowledge of the simulated attack. As
in the real world, they will not have any time to shore up their defenses before an attempted
breach.
Targeted testing
In this scenario, the tester and the security personnel work together and keep each other
apprised of their movements. This is a valuable training exercise that provides a security team
with real-time feedback from a hacker’s point of view.
ISO/IEC 27001:2013
ISO 27001 is the globally recognized international standard for managing risks to the security
of the information you hold. Certification to ISO 27001 allows you to prove to your clients
and other stakeholders that you are managing the security of your information. ISO 27001:2013
(the current version of ISO 27001) provides a set of standardized requirements for an
Information Security Management System (ISMS). The standard adopts a process-based
approach to establishing, implementing, operating, monitoring, maintaining, and improving
your ISMS.