Securing the Website and Reducing Liability to Prevent Negative Press - Research Paper Example

Introduction Electronic commerce (e-commerce) can be defined as using an electronic network to make simpler and fast all steps of the business procedure, from design and assembling, to trading, selling, and distributing (Furnell and Karweni, 2003, 372). Because the Internet is fast, reasonable, reliable, inexpensive, and universally accessible it is considered to be perhaps the best modern method for business's to communicate with their customers and with their partners. The Internet reaches more the 100 million consumers all over the world. As of 1999, there were three million traders on the Internet and this number is predicted to rise to 14.4 million by 2002, over a 300% increase in three years (Furnell and Karweni, 2003, 374). The risk of ecommerce security is a subject of increasing alarm. In the last years, there is a great increase in the number of people using computers on a daily basis. Internet is not only the source of fun and entertainment but it is use for different kind of businesses. By the passage of time the issue of internet and e-commerce security has been raised. There are many reasons behind this like, absence of global regulation, users’ lack of awareness, easy access and security laps have made the internet an attractive approach for crimes. Areas of exposure and of general security leaks contain chat rooms, e-mail, browsers, and modems. As usage of the Internet as a means to conduct business has increased in recent years, so has Internet fraud and technological crime. Today more than two years later security experts say that system vulnerabilities are popping up at a rate of six or seven per day and over 200 each month. Compared with 1996 only about five new system vulnerabilities showed up each month (Babcock, 2004, 1). Security is the first and last step in building an e-business enterprise. It is also the part of the infrastructure task that gets the least applause for a job well done. No one gets thanked when the hackers are kept out, but people get fired when the hackers get in (Lundquist, 2003, 3). Trust among the participants is very much required if anyone wants to use internet for the purpose of e-commerce. One of the main security flaws of the Internet is an inherent technological flaw caused by decades of software development with little attention to security issues (Stein, 2003, 3). Nowadays it has become very much important to protect business digital along with protecting it physically. A companies' security strategy for e-commerce must be a corporate wide strategy for all Internet and computer use. A security hole at any level could compromise the highest degree of security at another level. Introducing the Internet exposes the server to millions of networks and users, many with less than honourable intentions. Just as Internet use has continued to increase, so too have attacks launched through the Internet. E-Commerce and Security The Internet has opened the door for malicious attacks to be unleashed on any computer connected to it. Viruses, worms, Trojan Horses, spyware, and a host of other destructive software can attack Internet-connected computers on a regular basis and cause widespread harm. Without implementing security precautions, Internet attacks can go unnoticed. There appears to be no end in sight for such attacks. The ramifications of introducing the Internet to an organization that has not made security a priority in the overall business plan are: lost assets, lost time and money, legal action, poor customer service, and negative business presence. •Data theft. In the FBI’s annual Computer Crime and Security Survey, more than 500 U.S. businesses lose on average more than $6.5 million apiece because of data theft (Whitman & Mattord, 2004). •Loss of continuity. A virus that takes a network down can halt production and shipping, force deadline overruns, impede customer service, and damage reputations. •Productivity loss. Activities related to “cleaning up” after a security breach will divert precious resources, such as time and money, away from normal activities. This means that employees or personal computer users cannot be as productive and may not complete important tasks. This can be illustrated by the costs associated with cleaning up after a malicious attack, such as by a virus or worm. In companies that have more than 500 personal computers, it takes an average of 23 work days to recover from each virus disaster. Many companies lose up to 70% of their normal productivity during a virus attack because computers and networks cannot function properly (Whitman & Mattord, 2004). •Competitor espionage. If a competitor hacks into the server of a rival business and gains production and pricing information, the financial and reputational damage can be debilitating. •Legal action. A Confidential Information Disclosure Agreement violation can result in a lawsuit. Solution to Ecommerce Security Risks Firewalls Firewalls avert particular categories of information from stirring between the external world, identified as the untrusted network like; internet, and the in the interior world, recognized as the trusted network like; private network. A firewall is a separate hardware device or software service running on a router or server that filters the information coming through the Internet connection into the trusted network. Incoming packets of information flagged by the filters will not be allowed through. Firewalls control by exploratory a data packet and performing an assessment with a number of programmed logical regulations. The logic is based on different guiding standard programmed by a firewall supervisor, or formed vigorously and based on extrovert requirements for information. Most of the time firewalls apply packet header information to in order to decide whether a particular packet must be permitted to exceed through or be dropped (Whitman & Mattord, 2004). A firewall is nothing more than a combination of hardware and software that insulates your company's computers from outside intrusion, while still allowing the user to access the Internet freely. A firewall should be installed and is necessary for companies that use network systems, as well as individual or home personal computers that want to have a strong first line of defence. Firewalls work most of the time, but are not fool proof. The most common problem with firewalls is that they can become mis-configured, or their configurations can change from one day to the next. Encryption Encryption is the process of using an algorithm, or cipher, to scramble data into a format that only the intended recipient with the corresponding key can decrypt (unscramble). Encryption is based on the science of cryptography. Cryptosystems are made up of a number of elements or mechanism, generally algorithms and data handling methods, combined in multiple ways to meet an organization’s need for confidentiality and provide specialized authentication and authorization for its business processes (Whitman & Mattord, 2004). Digital signatures are encrypted messages that are independently verified as authentic by a central facility and provide non-repudiation. A digital certificate is an electronic document, similar to a digital signature that is attached to a file to certify that the file is from the organization it claims to be from and has not been modified from its original form (Whitman & Mattord, 2004). When a web page is not encrypted, it means that it is possible for other people, hackers, to view the web page when it is downloaded. It also means that the user cannot check the identity of the web site. Encryption software is available that can automatically encrypt files and directories when the user logs off the computer and decrypt them when the user logs back on. Some security settings can warn a user to let them know when he/she is about to do something that might be unsafe such as enter, leave, view, and/or send encrypted information. Virtual Private Network (VPNs) A VPN is a virtual tunnel through the Internet connecting two points for secure remote access. The concept of using a public network such as the Internet to transfer sensitive data presents obvious security concerns. Without encapsulation, encryption, and authentication, a connection does not qualify as a VPN. The encapsulation of the original data packet wrapped with the header containing the source and destination addresses that correspond to the VPN client and VPN server inside the tunnelling protocol is hidden as it travels through the Internet and is the first line of defence in securing the data (Whitman & Mattord, 2004). Encryption protects the data’s confidentiality. The tunnelling protocols encrypt the data at the sending point and decrypt it at the receiving point. Data encrypted with unauthorized encryption keys cannot enter the VPN tunnel (Burnett, Locher, Anonymous, Amaris, Doyle, & Morimoto, 2001). VPN example: A user in Detroit needs a file transferred from a server in Los Angeles. The two networks are linked through a VPN tunnel enabling the Detroit user to access the needed file as if the Los Angeles server were in the next room. The fact that the file is transmitted from the Los Angeles office through the Internet is transparent to the Detroit user. Intrusion Detection Systems (IDSs) and Penetration Testing Intrusion detection systems are used to detect anomalies with the objective of catching hackers before they do real damage to a network or system. It examines all inbound and outbound network action and recognizes suspicious patterns that could specify an attack (Whitman & Mattord, 2004). A penetration test is a process of assessing the protection of a network by imitating an attack by a spiteful user. The procedure engages an active scrutiny of the system for any possible exposure that could consequence from deprived or inappropriate system configuration and any hardware or software fault or operational fault in procedure or mechanical countermeasures (Whitman & Mattord, 2004). E-mail Security Solutions One of the most important technology solutions for preventing an infection through an e-mail attachment is to install antivirus software. Antivirus software can halt nearly all e-mail worm and virus attacks dead in their tracks. Regular updates of the antivirus signature files are also critical (Ciampa, 2005). Another technology solution involves the addition of filters that can be installed and configured on e-mail servers. These filters block risky e-mail attachments from being received. Filters typically look at the file extension of the name of an attachment. The file extension follows the period in a file name and is used to identify the contents of the file. Filters are typically set up to reject files that have infectious extensions (e.g., .exe Executable file, .bat Batch file). Over 36 different file extensions have been identified as attachments that can carry e-mail viruses and worms (Ciampa, 2005). A technology solution for spam involves the enabling of a filter that can be configured in the local computer’s e-mail software. Any spam that is received can be added to a list that then filters out any future mail messages from that sender. Microsoft Outlook contains a set of integral filters that recognize junk e-mail, such as commercial bulk e-mail and e-mail supposed of having adult material. It also enables users to highlight a message or move it to a folder for later review and disposal (Ciampa, 2005). E-mail risks can be reduced by consistently following these procedures: •Approach e-mail messages from unknown senders with caution. •Do not use preview mode in e-mail software because it will automatically run any dangerous code hidden within the message. •Never answer an e-mail request for personal information; pick up the phone and call the company that requested it, using the number found in the telephone book and not in the e-mail message (Ciampa, 2005). Web Security through Browser Settings Modern Internet browsers are highly customizable and allow the user to tailor the settings based on personal preferences. Beyond basic settings such as the colour and the size of the characters that are displayed, browser settings also allow the user to customize security and privacy (Ciampa, 2005). Telecommunication Network (Telnet) Telnet, also known as remote login, is a terminal emulation program and protocol that enables one computer to connect to another computer across a local area network or the Internet. The computer initiating the connection is the local computer, and the computer accepting the connection is the remote computer. Once connected, the local computer emulates the remote computer; commands entered on the local computer are executed on the remote computer. Connecting via the Internet, the remote computer can be physically located anywhere in the world. Although some computers may require an account and password, many computers allow users to access resources stored on them without an account and password (Ciampa, 2005). File Transfer Protocol (FTP) FTP (File Transfer Protocol) gives the potential of transferring files among clients and a server. The distant command potential is useful for working with remote systems or to move files between systems. However, using FTP across the Internet has inherent security risks. A hacker can escalate a refutation of service attack on an FTP server to put out of action user profiles by continually challenge to log on with an false password until the maximum login count is attained and the user profile is immobilize. Demilitarized Zone (DMZ) A DMZ is a sub-network that serves as an isolated network segment buffer between the LAN and the Internet, preventing external users from directly accessing internal servers containing company data. Any service provided to external users should be placed in the DMZ. The DMZ interrupts traffic and agents requests for the remaining of the LAN, adding up an extra layer of safety for computers following the firewall (Ewens & Hoppe, 2007). Keep Systems Updated New security threats and viruses are discovered every day, so e-commerce security must keep pace. Potential e-commerce threats can be minimized by keeping systems as up-to-date as possible. To ensure critical software is up-to-date: Compile a list of all the critical software: operating systems, e-mail applications, firewall software, spam filters, antivirus and spyware definitions Check vendor's website to verify the latest software version on a regular basis Check vendor's website for new security patches and updates on a regular basis Turn on automatic updating to explore the software vendor's website for new updates and install them automatically (Internet Security Guide, 2007). E-Commerce Security through Appropriate Procedures Not all Internet attacks can be defended by technology tools or browser settings. Establishing proper policies and procedures is an equally important line of defence. Security procedures such as those listed below should be followed: Do not accept any unsigned Java applets unless they are from a trusted source. Disable or restrict macros from opening or running automatically. Disable ActiveX and JavaScript. If this is too restrictive, disable ActiveX and only enable JavaScript by security zone. Install anti-spyware and antivirus software and keep it updated. Regularly install critical operating system patches. Block all cookies. Never respond to an e-mail that asks to click on a link to verify personal or business information. When using the Internet for financial or other important transactions, check the spelling of the Web site to verify the site. Turn on all Web browser security settings. If this proves too restrictive, only turn on essential settings. Keep cache clear of temporary files and cookies. Use the security zones feature (Ciampa, 2005). Unauthorized modems also pose a huge threat to the security of a business. If a modem is attached to a networked computer, business security measures can be rendered insufficient. When an employee is connected to his/her computer through the modem the firewall is bypassed opening up the entire company computer network to the Internet. This practice is too common to be ignored. (Garfinkle, 2004, 4). Security for Transaction Among the more advanced methods of security, the most common approach used to secure online transactions, is the Secure Sockets Layer (SSL) protocol. Developed by Netscape, SSL allows encryption of messages, message integrity, and authentication services to be provided. SSL was intended to present security in different scenarios not only to that of e-commerce. SSL version 3 has been used as the basis for a new protocol, Transport Layer Security (TLS), which shares the property of application independence with SSL, but is developed as a no-nonsense approach (Dierks and Allen, 1999). Secure Electronic Transfer (SET) is used as an alternative of SSL or TSL especially in credit card companies. One of the most remarkable strengths of SET is its ability to be applied to any payment service. Some of the numerous securities needs particular to e-commerce which SET addresses are: confidentiality and secrecy of payment data and order information; authentication of credit card holder via digital signatures and certificates; authentication of merchants to accept credit card payment via digital signatures and certificates; special purpose certificates; and non-repudiation for dispute resolution. All of these technologies while clearly necessary do not completely resolve the issue of security and trust. Statistics released by VISA show just how prominent fraud is. In 1999 only 2% of their credit card transactions were conducted via the Internet, however this accounted for about 50% of disputes and discovered frauds (Furnell and Karweni, 2003, 277). In response to the understandable lack of trust in credit card security over the Internet, Electronic Money (E-money), developed by Digicash, mimics cash transactions on the Internet. The customers can download digital coins from a bank's server. The coins encrypted with a serial number known only by the customer can be sent electronically to a merchant. A main drawback of Digicash E-money system is that customers lose Federal protection of their money once it is transferred into E-money. In another system developed by First Virtual Holdings Inc., a customer sets up an account with First Virtual and communicates over the phone to supply the credit card information and to select a secure password. When transactions are made the merchant contacts First Virtual to request authorization, and First Virtual then e-mails the customer to verify the transaction. A main advantage of this system is that customer credit card numbers are not sent over the Internet. Disadvantages include reliance on relatively unsecured e-mail for some degree of sensitive personal data and liability under existing laws of fraud. These are just a few of the more popular programs designed to help make e-business safer for all parties involved. The FTC has in recent years, has also taken a more active role in making the Internet safe. In order to maximize their resources the FTC has been using the Internet as a law enforcement tool. The FTC created the Consumer Sentinel, now the largest database of consumer fraud complaints in North America. The FTC also established www.consumer.gov, an Internet site that provides access to consumer information from over 60 federal agencies. Use of the Internet to develop and spread information about fraud and technology-related matters is an integral part of the FTC's idea of education as the most effective form of consumer protection. The FTC has also been active in establishing policies in international consumer protection principles. E-mail Vulnerability E-mail has become a double-edged sword; an essential business and personal tool for communications and distribution of material, and the primary vehicle through which viruses, worms, and other malicious programs can infect a computer. E-mail has become so troublesome that some businesses have disabled their e-mail system to prevent it from accepting messages from outside the company. Although most organizations would have difficulty going to that extreme, it does illustrate how some organizations view the dangers of e-mail. Most of e-mails vulnerabilities can be categorized into three major areas: attachments, spam, and spoofing. E-mail is not restricted to only sending text-based messages. It can also be used to send and receive documents, spreadsheets, photographs, and almost anything in electronic format. These additions to e-mail are known as attachments. Almost all e-mail packages allow users to attach files to an e-mail message. However, attachments also open the door for viruses and worms to infect a system. Once the user opens the e-mail attachment, the worm or virus infects the computer (some attachments do not even have to be opened before the infection begins). The malicious worm or virus can then forward itself to everyone listed in the user’s e-mail address book. When the recipients get the infected message they assume it was sent from a trusted source and they unwittingly open the attachment to start the process all over again. An unsolicited e-mail message, known as spam, is often considered to be just a nuisance. However, because malicious worms and viruses can be attached to spam e-mail messages, spam is a security risk. Spam now accounts for 45%, or 15 billion, of the total e-mail messages sent each day and is growing at a rate of 5% each month (Ciampa, 2005). A growing practice among hackers is e-mail spoofing. A message that falsely identifies the sender as someone else is sent to unsuspecting recipients. Because the sender’s address looks similar to an authentic name (e.g., auditor@internalrevenueserivce.com) the receiver is fooled into thinking the address is valid. Because they believe the sender is authentic, the recipient will typically do whatever they ask including purchasing items at inflated prices or sending personal information such as a social security number. E-mail spoofing is becoming a serious problem for both consumers and legitimate businesses whose source addresses are placed in the e-mail that has been sent by the hacker (Ciampa, 2005). Conclusion In the discussion of e-commerce, most internet security experts warn that it's not a matter of if your site is attacked; it's a matter of when; how much damage is done; and whether an appropriate response was taken. Mainly thieves look for credit card numbers, purchasing requests, client lists, and employee phone listings. This ever-present security breach possibility requires management to understand that hosting a Web site is the simple part of a solution. Securing the website to reduce liability and prevent negative press is vital to success and does not come without significant cost. From the consumers' perspective, while there is no one solution, there are steps to take. Whether it is by paying a lot of money on security devices for your personal computer, or being cautious and aware of the companies and web sites with which you do business, paying by credit card is still considered by many to be the safest way to pay. It is the best approach of doing business on internet as compare to travel for the sake of it. Whereas there is enormous prospective for adversity at the same period if there are proper safety measures and protection there is a good time, money, and exertion to be accumulated. References Babcock, Charles, 2004. Deluge of Security Threats Overwhelms I-Managers. Interactive I-Week 13 Burnett, M., Locher, Anonymous, L.J., Amaris, C., Doyle, C., Morimoto, R. 2001. Maximum Windows 2000 Security. Sams Publishing. Available At: http://books.google.com/books?hl=en&id=nWz1oG3p4PYC&dq=burnett+%22maximum+windows%22&printsec=frontcover&source=web&ots=4kNe1xeU6Z&sig=-sKlHELugT2T09mkJyYPrQCSWh0#PPT1,M1 [Accessed 14 February 2009] Ciampa, M. 2005. Security Awareness: Applying Practical Security in Your World. Internet Security. Available At: https://ecampus.phoenix.edu/content/eBookLibrary/content/eReader.h [Accessed 18 January 2008] Dierks, T., and Allen, C., 1999. The TLS Protocol Version 1.0, New Jersey: Auerbach. Ewens, L., Hoppe, H. 2007. DMZ. Available at: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213891,00.html [Accessed 22 September 2008] Furnell, S.M., and Karweni, T., 1999. Security Implications of Electronic Commerce: A Survey of Consumers and Businesses. Internet Research 372-382. Garfinkle, Simson, 2004. Web Security & Commerce. Tokyo: O'Reilly & Associates, Inc. Internet Security Guide. 2007. Keep Your Software Up-To-Date. Available At: http://www.internetsecurityguide.com/internetsecurity/8software.shtml [Accessed 24 December 2008] Lundquist, 2003. Security: That Most Thankless of Tasks. eWeek 11. Stein, Lincoln D., 2003. Web Security: A Step by Step Reference Guide. Amsterdam: Addison-Wesley. Whitman, E., Mattord, H. 2004. Principles of Information Security. Available At: https://ecampus.phoenix.edu/content/eBookLibrary/content/eReader.h [Accessed 20 December 2008] Read More