Unit 5 Article Review: E-Commerce


BBA 3331, Introduction to E-commerce 1

Course Learning Outcomes for Unit V

Upon completion of this unit, students should be able to:

5. Develop strategies for running an e-commerce company.
   5.1 Describe a key security threat in the e-commerce environment.
   5.2 Examine the effectiveness of using the security life cycle model for preventing security threats.
   5.3 Determine if an e-commerce site has sacrificed any form of customer service by implementing security measures.

Reading Assignment

Chapter 5: E-commerce Security and Payment Systems

Unit Lesson

There is nothing more important to an e-commerce site than having a vigilant and untiring security posture. It is never a matter of if your site is going to become compromised; it is only a matter of when. Though we cannot stop or prevent a cyber-attack from occurring, we can take steps to help mitigate the risks. When approaching the importance of a strong and updated security strategy, the security life cycle (SLC) conceptual model is used (Harris, 2006). This model consists of four steps:

• identify,
• assess,
• protect and maintain, and
• monitor and evaluate.

Identify

We start by mapping out our network and e-commerce site. We identify and map all network devices, servers, and web applications. We locate and identify everything related to the network. We need to understand our resources to be able to protect them.

Assess

In this phase, we identify all of the key assets of the e-commerce infrastructure. Next, we perform a thorough security assessment. We look for hardware and software vulnerabilities and website vulnerabilities, and we thoroughly document all hardware settings and software configurations.

Protect and Maintain

Once the network has been assessed, it is time to protect and maintain the system. This is done through mitigation, that is, by reducing the risk as much as possible. We identified the known vulnerabilities and rated them by the severity of their impact on e-commerce operation, and this leads to taking the appropriate steps to mitigate or reduce the impact.

UNIT V STUDY GUIDE

E-commerce Security


Monitor and Evaluate

Information technology is dynamic and constantly changing. When this happens, the security settings must be monitored to ensure they stay in place. One of the major goals of monitoring security is to ensure compliance and verification. Things change on the network: servers, firewalls, and other hardware are rotated in and out as needed, and software is updated and patched at regular intervals. These changes bring with them new risks and vulnerabilities that must be found and mitigated. The removal of any security device from the physical network takes down a security layer. The missing hardware may not be identified for some time, and it could provide the attack vector cyber criminals need to gain access. That is why the cycle repeats itself: to find the missing hardware and to identify the risks that come with it.

Types of E-commerce Cyber Attacks

By its most simplistic definition, e-commerce is the buying and selling of products and services over the Internet. What differentiates an e-commerce site from just a website is the ability to conduct business transactions. To that end, not all websites are created equal, nor do they present the same target value to cyber criminals. A website that reviews books does not represent the same target value as one conducting business, containing sensitive information, or reflecting a political view. E-commerce sites are subjected to a higher level of security threats, such as distributed denial of service, website defacement, data theft, and fraud.

Distributed denial of service: The main purpose of any distributed denial of service (DDoS) attack is to prevent legitimate customers from visiting the site. DDoS attacks harm e-commerce sites in at least one of two ways. First, the e-commerce site loses sales revenue from the clients it cannot serve, and it loses advertising revenue. Second, investors and customers can become frustrated and seek better alternatives. Recently, DDoS attacks have been used to distract their victims while a hacker tries to gain access to credit card information and client account data. In a report published in the fourth quarter of 2014, Corero stated that a number of the DDoS attacks reported were designed to distract a security team by allowing just enough available bandwidth for attackers to circumvent the victims’ networks before gaining access to sensitive customer data or intellectual property (as cited in Prince, 2015).

Website defacement: Website defacement attacks are designed to change the physical appearance of the website (Trend Micro, n.d.). The defacement can be the result of a hacker gaining access to HTML documents and replacing the legitimate code with something a bit more malicious. This can be done to embarrass the company and to cause financial hardship, such as manipulating stock prices by posting a bogus press release.

Data theft: Data theft as it relates to e-commerce is the loss of sensitive customer data such as credit card information and other personal data. From 2013-2014, the following e-commerce sites were greatly impacted by the theft of customer data (Vantiv, 2014):

• Target: Over 100 million people were affected by stolen information such as credit and debit cards as well as other customer details.
• Neiman Marcus: Credit and debit cards were stolen, affecting 350,000 people.
• eBay: The attackers acquired encrypted passwords, customer names, e-mail addresses, mailing addresses, phone numbers, and dates of birth belonging to 145 million people.
• Home Depot: Over 55 million people were affected by stolen credit and debit card numbers.

A data breach can be identified by the signature of the attack:

• breach the company’s IT systems—intrusion detection phase,
• extract valuable information—indicator of compromise phase, and
• monetize information—fraud phase.

The cost of cleanup after a major data breach is significant. For example, Target paid over $254 million to recover from an attack (Argyle Data, n.d.). Plus, Target was forced to withstand reductions in revenue for three consecutive quarters. If that was not enough, Target also had to replace its executive management team, including the CEO and CISO.

Fraud: According to the Aite Group, 50% of malware found in the wild is designed for committing some type of identity theft. The Aite Group also estimates that there are 111,111 new variants of malware being released every day (ThreatMetrix, n.d.). Credit card fraud is the most common type of fraud facing e-commerce businesses. In 2012, credit-card fraud that occurred within e-commerce organizations was $3.5 billion, with roughly 0.8 percent of all e-commerce transactions proving to be fraudulent (Bishop, n.d.).

Prevention Strategy

As if being a victim of an e-commerce attack is not bad enough, not being in compliance with certain laws and regulations is another major concern when developing an e-commerce business strategy. From the outset of your e-commerce design, security needs to be included in the business strategy for the site. With website and e-commerce security, there is no single configuration or hardening procedure that will cover every potential vulnerability. Every feature and every service offered on an e-commerce site comes with its own set of inherited risks. That being said, there are steps that can be taken to help reduce the likelihood of a cybersecurity attack. The following steps are recommended to reduce such a risk (Bishop, n.d.):

Select the right e-commerce platform: Not all e-commerce platforms are created equal, and price is not an indicator of quality. Be sure to investigate beyond the monthly fees and transaction rates. Risk management is a feature that should be a major consideration when choosing the right platform.

Achieve and maintain PCI compliance: The Payment Card Industry Data Security Standard (PCI DSS) is in place to ensure that any merchant that handles and stores credit card information does so in a secure environment. The government can levy hefty fines on banks that are not in compliance. Unfortunately, the costs of those penalties are eventually passed on to the e-commerce clients. Merchants are subject to different levels of compliance, depending on the number of transactions completed within a year. It is important for entrepreneurs and business managers to know that complying with the standards does cost an organization a bit of money. However, it is more important to know that not being in compliance and experiencing a data breach costs an organization even more money.

Use credit card security codes: All credit cards come with either a three- or four-digit code on the back. This number is not printed on receipts or invoices. While the transaction is being processed, the card issuer verifies that the code supplied by the customer is the correct one.

Do not store sensitive customer or transaction data: Further PCI standards require strict compliance for the storage of any credit card information such as card numbers, common vulnerabilities and exposures (CVE) numbers, or expiration dates. For repeat customers who use the same credit card time and again, the credit card information must be encrypted to the PCI standard and stored properly. The best policy is to not store any credit card information onsite.

Use tracking numbers for all orders: Tracking numbers help prove that an order was delivered when the customer claims it was not. By using tracking numbers and requiring a signature on delivery, an organization can help prevent chargeback fraud.

Require strong passwords from customers: It might seem like an odd and silly policy, but requiring strong passwords is a great security measure. Doing so helps prevent hackers from using the front end of the site to breach customer information.

Educate staff on security and fraud protocols: Ensure that your employees practice strict security measures at all times while also adhering to the site’s security policies.
Create and maintain a file of past fraudulent transactions and attempts: We can all learn from history, even from the mistakes we have made. The same is true for e-commerce sites. Learn from your past mistakes by keeping records of past attacks or fraudulent events. By sorting through the existing records, look for patterns and trends that might occur. Ask questions such as: where and when are we most vulnerable? The following list contains a few examples of the types of trends that might exist:

• geographical location,
• billing addresses that do not match the shipping address, and
• large orders.

Train your employees to look out for certain patterns, and come up with a system that places certain transactions on hold.

Conclusion

This lesson just scratched the surface of securing an e-commerce website. The business strategy must include steps to secure the infrastructure while also allowing the site to be scalable and customer friendly. E-commerce security is not like a switch—something you activate and then walk away from. Securing an e-commerce organization involves following the key steps: (a) identify, (b) assess, (c) protect and maintain, and (d) monitor and evaluate. Threats change. As soon as one risk is mitigated, another is discovered and must be addressed. E-commerce security never sleeps. It is vigilant 24/7.
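The fraud-screening idea above (keep a file of past fraudulent transactions, mine it for the listed trends, and hold matching orders) can be turned into a small rule check. This is an added example, not code from the study guide or any of its sources; the order fields, the one-thousand-dollar threshold, the two-case rule for a high-risk country, and every record are constructed assumptions.

```python
"""Added example (not from the study guide): screen orders against the trend
patterns the lesson lists (geographic location, billing/shipping mismatch,
large orders) and hold matching transactions for staff review. Field names,
thresholds and all sample records are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass

@dataclass
class Order:
    order_id: str
    amount: float
    ship_country: str
    billing_country: str
    billing_zip: str
    shipping_zip: str

def learn_high_risk_countries(past_fraud_records, min_cases=2):
    """Sort the past-fraud file for a geographic trend: a country seen in at
    least min_cases confirmed-fraud orders is treated as high risk."""
    counts = Counter(r["ship_country"] for r in past_fraud_records)
    return frozenset(c for c, n in counts.items() if n >= min_cases)

def screen_order(order, high_risk_countries, large_order_threshold=1000.0):
    """Return the trend flags that apply to one order; empty means no hold."""
    flags = []
    if order.ship_country in high_risk_countries:
        flags.append("geographical location")
    if (order.billing_country != order.ship_country
            or order.billing_zip != order.shipping_zip):
        flags.append("billing address does not match shipping address")
    if order.amount >= large_order_threshold:
        flags.append("large order")
    return flags

def place_holds(orders, high_risk_countries):
    """Map each flagged order id to its flags; unflagged orders are released."""
    held = {}
    for order in orders:
        flags = screen_order(order, high_risk_countries)
        if flags:
            held[order.order_id] = flags
    return held

# Constructed records, not real data: the past-fraud file and today's orders.
PAST_FRAUD = [{"order_id": "F1", "ship_country": "XX"},
              {"order_id": "F2", "ship_country": "XX"},
              {"order_id": "F3", "ship_country": "US"}]
SAMPLE_ORDERS = [Order("A100", 45.00, "US", "US", "30301", "30301"),     # clean
                 Order("A101", 2500.00, "US", "US", "30301", "30301"),   # large
                 Order("A102", 120.00, "CA", "US", "30301", "M5V1J1"),   # mismatch
                 Order("A103", 80.00, "XX", "XX", "00000", "00000")]     # location
```

Running `place_holds(SAMPLE_ORDERS, learn_high_risk_countries(PAST_FRAUD))` holds three of the four orders, each with the trend that triggered it, so staff see why a transaction was stopped rather than only that it was.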

References

Argyle Data. (n.d.). Real-time fraud analytics in modern e-commerce and e-retail. Retrieved from https://www.argyledata.com/real-time-analytics-in-e-commerce/

Bishop, E. (n.d.). Stop ecommerce fraud in its tracks: Arm your business with these 10 practices. Retrieved from https://blog.kissmetrics.com/stop-ecommerce-fraud/

CNP. (2014, November 14). Ecommerce in the wake of data theft: A three-pronged approach to rebuilding customer trust [White paper]. Retrieved from https://www.litle.com/downloads/resources/Three_Pronged_Approach_White_Paper_040414.pdf

Harris, S. (2006). Steps in the information security program life cycle. Retrieved from http://searchsecurity.techtarget.com/tip/Steps-in-the-information-security-program-life-cycle

Prince, B. (2015, March 23). DDoS attackers distracting security teams with shorter attacks: Corero Networks. Retrieved from http://www.securityweek.com/ddos-attackers-distracting-security-teams-shorter-attacks-corero-networks

ThreatMetrix. (n.d.). E-commerce. Retrieved from http://www.threatmetrix.com/industries/e-commerce/

Trend Micro. (n.d.). Website defacement. Retrieved from http://www.trendmicro.com/vinfo/us/security/definition/website-defacement

Learning Activities (Non-Graded)

The following video provides some additional details about e-commerce security:

Selvam, N. (2013). E-commerce security [Video file]. Retrieved from https://youtu.be/wXgwbRP9FEs

The following video explains the importance of e-commerce security:

AllenMichaels64. (2012, August 26). The importance of ecommerce security [Video file]. Retrieved from https://youtu.be/BdlndDGe_V8

Non-graded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information.