International e-business
Lecture 8:
Aspects of Design
e-Business Security:
Risks and Threats
Legal & Ethical Issues
1
Learning Objectives
2
Reading and Site Visiting
• Chaffey: Chapter 11
• Schneider: Chapters 7 & 8
• Chen: Chapter 9
• Jelassi & Enders: Appendix 3
• Turban: Chapter 9, Chapter 13
• Oz: Chapter 10
• Farhoomand: Module 3 [Chapter 6 and case 6.1]
• http://www.cisecurity.org/
• http://antivirus-software.6StarReview.com/
• http://www.cert.org/
3
Security Issues - Scope
4
Security: Scope of Problem
5
Management Issues
6
Analysis for e-business
7
Client-Server Architecture
9
Vulnerable Areas in e-Biz
10
How Do We Assess the Risks
11
Computer Security Classifications
• Secrecy
  • Protecting against unauthorized data disclosure and ensuring the authenticity of a data source
• Integrity
  • Refers to preventing unauthorized data modification
  • Problem: man-in-the-middle exploit (messages are intercepted and modified before being passed on to the destination)
• Necessity
  • Refers to preventing data delays or denials
12
How is Security Compromised?
13
Key Security Issues
14
Requirements for Secure e-commerce
15
UK Information Security Breaches
Source: DTI (2013) Department of Trade and Industry Information Security Breaches Survey.
http://www.pwc.co.uk/assets/pdf/cyber-security-2013-exec-summary.pdf
16
Other Security Breaches (UK)
Source: DTI (2013) Department of Trade and Industry Information Security Breaches Survey.
See: http://www.pwc.co.uk/pdf/premium/isbs_survey_2013_executive_summary.pdf
17
Security Perspectives
• Privacy
  • Can I control information about myself transmitted to an e-commerce merchant?
  • What use (if any) can be made of personal data collected as part of an e-commerce transaction? Is personal data used inappropriately?
• Availability
  • Can I get access to the site?
  • Is the site operational?
18
Conflict Between Security and
Other Issues
21
Hacking and Cybervandalism
22
Typical B2C Transaction
23
Security Threats in e-business
27
Attempts to Control Spam
28
Use of Firewalls and Proxy Server
29
Encryption
30
Encryption: Debate
31
Encryption: Principles
33
Encryption: Public and Private Keys
[Figure: two diagrams. Synchronous (Private Key) Encryption: Message Text → Encryption → Encrypted Text → Decryption → Text. Public/Private Key Encryption: the same Encryption → Decryption flow, with the labels Public Key, Private Key, of Sender, of Recipient.]
35
Public Key Encryption
36
Simple Public Key Encryption
37
Using Signatures and Hash Key
38
Public Key with Digital Signatures
39
Digital Envelopes
40
Public Key Encryption + Envelope
41
Digital Certificates and PKI
42
Digital Certificates and CAs
43
Digital Certificate (Cengage)
45
VeriSign (CA)
46
Amazon’s Security Certificate
47
Security & Electronic Business
48
Securing Communication Channels
49
SSL
50
SSL (2)
Security: Use of VPN
• A VPN is an Extranet
• An Extranet connects companies with suppliers or other companies, and can take any of the following forms:
  • A public network
  • A secure (private) network
  • A Virtual Private Network (VPN)
• A VPN uses public networks and protocols to send sensitive data to partners, customers, suppliers and employees using a system called “tunnelling” or “encapsulation”
• Tunnels are private passageways through the public Internet that provide secure transmission from one extranet to another
• A VPN provides security shells, with the most sensitive data under tightest control.
• Easy to create (single mouse-click on a Mac)
52
How does VPN work?
• Company employees in remote locations can send information to the company without outsiders “seeing” the data.
• Data is sent over the public Internet, with additional:
  • Data encryption (to scramble the communications)
  • Authentication (to ensure that the data has not been altered in transit, and comes from a legitimate source)
  • Access control (to regulate who can access the network: password protection and other security measures)
• Benefits of VPN: MUCH cheaper than alternative methods of secure communication.
• Alternatives:
  • Private leased line (expensive, and not easily scalable)
  • Dial-up to a Remote Access Server (RAS) using a bank of modems to obtain direct access to the company LAN.
53
Technical Issues
• Maintaining Confidentiality and Integrity of Data
• How? Protocol tunnelling:
  • Data packets are first encrypted,
  • then encapsulated into IP packets for transmission across the Internet,
  • and then decrypted (using a special host computer or router)
• Protocol tunnelling also supports multiprotocol networking (e.g. LANs typically employ protocols such as Novell’s IPX, which need to be encrypted for IP packet transmission, then encapsulated and read at the other end). To users the data appears as if they are directly connected to the LAN
• Protocols used:
  1. Point-to-point (PTP) [implemented by Microsoft, and used in Windows NT, Windows 2000, Win XP];
  2. Layer 2 Tunnelling Protocol (L2TP) - becoming the standard
54
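An added example (not from the lecture or the textbooks it cites) that models the three tunnelling steps above, and the integrity point from the Computer Security Classifications slide, in Python: the inner packet is encrypted, given an integrity tag, and encapsulated in an outer header; the receiver strips the header, verifies the tag and decrypts, so a packet altered in transit by a man-in-the-middle is rejected instead of silently accepted. The keys, addresses and packet contents are constructed, and the HMAC-based stream cipher is a stand-in for a real VPN cipher suite such as IPSec.

```python
import hashlib
import hmac
import os
import struct

# Toy model of VPN protocol tunnelling (illustration only, not a real VPN cipher): the
# inner packet is encrypted, tagged, then encapsulated in an outer IP-style header.
OUTER_HDR = struct.Struct("!4s4sH")  # outer source addr, outer destination addr, payload length
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher keystream
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return blocks[:length]

def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))

def encapsulate(enc_key, mac_key, inner_packet, outer_src, outer_dst, nonce=None):
    """Encrypt the inner packet, add an integrity tag, then wrap it in the outer header."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ciphertext = _xor(inner_packet, _keystream(enc_key, nonce, len(inner_packet)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    payload = nonce + ciphertext + tag
    return OUTER_HDR.pack(outer_src, outer_dst, len(payload)) + payload

def decapsulate(enc_key, mac_key, outer_packet):
    """Strip the outer header, verify the tag (rejecting altered packets), then decrypt."""
    _src, _dst, length = OUTER_HDR.unpack_from(outer_packet)
    payload = outer_packet[OUTER_HDR.size:OUTER_HDR.size + length]
    nonce, ciphertext, tag = payload[:NONCE_LEN], payload[NONCE_LEN:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet altered in transit or wrong key")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))

def demo():
    """Tunnel a constructed LAN packet, then show a one-byte in-transit change being rejected."""
    enc_key, mac_key = b"k" * 32, b"m" * 32           # constructed demo keys
    inner = b"LAN frame: payroll update"                # constructed inner packet
    tunnelled = encapsulate(enc_key, mac_key, inner, b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x01")
    recovered = decapsulate(enc_key, mac_key, tunnelled)
    i = OUTER_HDR.size + NONCE_LEN                      # offset of the first ciphertext byte
    altered = tunnelled[:i] + bytes([tunnelled[i] ^ 0x01]) + tunnelled[i + 1:]
    try:
        decapsulate(enc_key, mac_key, altered)
        detected = False
    except ValueError:
        detected = True
    return recovered, detected
```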
Creating a VPN
• L2TP: Multivendor interoperability is important
• Often combined with IPSec [IP Security standard, developed by IETF]
• Three crucial technology components:
  • Firewall products (hardware and software) [Activity: Find out what a Firewall is] (Visit Check Point Software Technologies)
  • Routers (can operate as firewalls as well as routers) can ALSO operate as VPN servers
  • Software applications that operate as complete VPN service providers (visit www.vpnc.org/features-chart.html for a comparative list of features and benefits of a range of commercial VPN Products)
• Many telecoms companies and ISPs offer VPN services for dial-up and PTP communications. Often these include private network service backbones with added security services, Internet connectivity and dial-up (e.g. AT&T; PSINet; Cable & Wireless (at the moment!); etc.)
55
e-Business and Fraud
56
Common online scams
57
Protection for Sellers
58
Government Initiatives
59
Electronic Payments
60
PayPal
61
Online Payment Systems
62
Limitations of CC Online
63
Digital Divide (US)
64
Digital Cash
65
Other Security Measures: Biometrics
• Photo of face
• Fingerprints
• Hand geometry
• Blood vessel pattern in the retina of a person’s eye (fairly commonplace)
• Voice (can be difficult: illness or stress affects voice)
• Signature (and Digital Signatures)
• Keystroke dynamics
66
E-Signatures
67
Digital Signatures
68
Issues for Discussion
• SSL:
  • communication protocol, included in most browser software
  • Common Method of Encrypting Credit Card Numbers
  • Does NOT verify ownership of credit card!!!
  • Used by Visa, MasterCard, American Express, etc.
  • Is SSL adequate in protecting purchaser from fraud?
• Mondex Cards (and other Smart Cards) – higher security, but not a successful product/service
• Digital Wallet Systems (e.g. Gator) – not widely used
• Electronic Cheques (complete with digital signatures)
• VeriSign; TRUSTe; thawte and other Trusted Third Parties
69
Managerial Issues
70
Management and Security
71
Security Tools
[Figure: Security Tools. Labels: Network Security Protocols; Access Controls; Security Management; Virtual Private Networks; Authentication; Proxy; Tunnelling; Agent Systems; Intrusion Detection]
72
Internet Security Environment
73
e-commerce Security Plan
74
Some Legal Issues in E-Biz
• All businesses:
  • Must comply with the same laws and regulations
  • Face the same set of penalties
• Web businesses face additional complicating factors
  • Web extends reach beyond traditional boundaries
  • Subject to more laws more quickly than brick-and-mortar business
• More interactive and complex customer relationships
  • Due to increased communications speed and efficiency
• Online communications
  • Facilitate strategic alliances and supply web relationships
• Web creates network of customers
  • Significant levels of interaction (with each other)
• Implications of violating law or breaching ethical standards
  • Web businesses face rapid, intense reactions from customers and stakeholders
Borders and Jurisdiction
• Difficult
  • No geographic boundaries
  • Power, effects, legitimacy, and notice
  • Do not translate well to e-commerce
• Governments need to enact and enforce Internet business conduct laws:
  • Must establish jurisdiction over conduct
• Contract
  • Promise between two or more legal entities
  • Provides for exchange of value between them
Jurisdiction on Internet (2)
• Breach of contract
  • Occurs if either party does not comply with contract terms
  • Other party can sue (failure to comply)
• Tort
  • Intentional (negligent) action taken by a legal entity
  • Causing harm to another legal entity
  • Other than breach of contract
• Sufficient jurisdiction requires:
  • Subject-matter jurisdiction and personal jurisdiction (Court’s Authority & Subject’s Residence Issues)
Online Contractual Issues
• http://www.palamida.com/solutions/open-source-security.html
• http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym (checks your own computer’s security)
• http://www.onlinesecurity.com/
• http://www.auditmypc.com/ (conducts a complete assessment of your machine’s security)
• http://security.yahoo.com/
• http://www.onlinesecurity-guide.com/
• http://www.onlinesecurity-guide.com/articles/pc-security-for-beginners.htm
88