UNIT V STUDY GUIDE

E-commerce Security

BBA 3331, Introduction to E-commerce

Course Learning Outcomes for Unit V

Upon completion of this unit, students should be able to:

7. Analyze the impact of e-commerce on businesses.
   7.1 Determine the scope of e-commerce crime and security challenges.

8. Summarize the effect of regulations on e-commerce and Internet business.
   8.1 Identify the importance of policies, procedures, and laws in creating security.

Course/Unit Learning Outcomes and Learning Activities

7.1: Unit Lesson; Chapter 5, pp. 251–300; Unit V PowerPoint Presentation
8.1: Unit Lesson; Chapter 5, pp. 251–300; Unit V PowerPoint Presentation

Reading Assignment

Chapter 5: E-commerce Security and Payment Systems, pp. 251–300

Unit Lesson

Customers' personal data, including names, addresses, bank and credit card information, social security numbers, birthdates, and e-mail addresses, are all part of the information captured, processed, and stored in e-commerce sites' infrastructures. Personally identifiable information (PII) pervades every part of e-commerce companies' networks. E-commerce businesses must be vigilant in their security. There is nothing more important to a web-based enterprise than safeguarding its customers' information. It is said that it is not a matter of if but when an e-commerce site will be compromised.

Internet Security

The Internet is the biggest marketplace there is, allowing users to access not only goods and services but also information worldwide (Laudon & Traver, 2018). Today's society is heavily dependent on the Internet. Unfortunately, the Internet was not designed with security in mind, and many would-be criminals attempt to breach e-commerce sites by exploiting weaknesses in these websites. For these criminals, the worldwide e-commerce ecosystem offers a lucrative way to steal from more than 1.6 billion Internet users (Laudon & Traver, 2018). The pervasiveness of the Internet and related technologies allows criminals to exploit vulnerabilities present at almost every point of an e-commerce transaction chain. Figure 1 outlines the stages of an e-commerce transaction as well as the points of vulnerability along the path of an online purchase. The type of cyberattack varies with the e-commerce environment and the type of transaction; however, most of these attacks have one thing in common: they disrupt e-commerce (Laudon & Traver, 2018). As such, e-commerce sites must apply continuous, layered security to deter threats such as Distributed Denial of Service (DDoS), Trojan horses, and Wi-Fi listening (eavesdropping on wireless traffic) at every potential vulnerability point (see Figure 1).



DDoS

Attackers use a DDoS attack to prevent legitimate users from reaching e-commerce sites. In a DDoS attack, multiple devices, typically compromised computers, attack a target, either an e-commerce website or a network resource, and flood its Internet links so that regular users cannot reach it. The e-commerce site is overwhelmed with thousands of bogus requests and is unable to respond to legitimate ones. Prince (2015), reporting on research by Corero Networks, describes attackers who deliberately use short attacks that do not saturate the target's bandwidth: the flood distracts the company's security personnel while the remaining bandwidth is used to gain access to the organization's data and intellectual property. Because the assailants are usually geographically distributed, identifying and stopping them is difficult; blocking a single source address does little against traffic arriving from thousands of addresses. The consequences of a DDoS attack are many: first is the loss of revenue from sales, second is the reputational damage from the knowledge that an e-commerce site has potentially been compromised, and third is the time and staff effort invested in recovering from the attack. DDoS attacks can take place at different points in an e-commerce transaction: at the e-commerce site, at the merchant's bank or the customer's bank, and at the customer's Internet provider (see Figure 1).

Trojan Horse

As Laudon and Traver (2018) noted, a Trojan horse is a seemingly benign program that may let other malicious code invade the computer and the company network. Trojan horses are disguised as legitimate software, which is why they are commonly paired with social engineering: the victim is persuaded to install or run the program, giving criminals access to systems and, eventually, to information. Typically, a Trojan horse modifies or copies a company's information and opens a back door for the criminals. Back-door access allows them to control the infected system and eventually to reach the rest of the e-commerce organization's network.
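The DDoS passage above describes a site "overwhelmed with thousands of fake requests" and, following Prince (2015), short bursts that leave bandwidth free. The following is an added example, not code from the study guide or its sources: a sliding-window request-rate detector run over a constructed web-server access log. It reports the peak request rate per source address and for the whole site, so a short burst from a handful of compromised hosts stands out against a shopper browsing normally. The log lines, the IP addresses, the ten-second window, and the threshold of 30 requests are all assumptions made for the example.

```python
"""Added example: a sliding-window request-rate detector run over constructed
web-server access-log lines. It flags sources that send far more requests in a
short window than a shopper could, including brief bursts of the kind the
Corero research describes. The log lines, IP addresses and thresholds are all
constructed for this example; they are not from the study guide."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: client ip, identity, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    ip, stamp, _request, _status, _size = match.groups()
    return ip, datetime.strptime(stamp, TIME_FMT)


def peak_rates(lines, window_seconds=10):
    """Per client IP, the largest number of requests seen in any window_seconds span.

    Lines are assumed to be in chronological order, as an access log is."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip malformed lines rather than crash
        ip, when = parsed
        bucket = recent[ip]
        bucket.append(when)
        while (when - bucket[0]).total_seconds() > window_seconds:
            bucket.popleft()
        peaks[ip] = max(peaks[ip], len(bucket))
    return dict(peaks)


def site_peak_rate(lines, window_seconds=10):
    """Largest number of requests, from all sources combined, in any window.

    Per-source thresholds can be evaded by spreading a flood across many
    addresses, so the site-wide rate is tracked as well."""
    window = deque()
    peak = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        window.append(parsed[1])
        while (parsed[1] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        peak = max(peak, len(window))
    return peak


def find_flooders(lines, window_seconds=10, max_requests=30):
    """Sources whose peak rate exceeds max_requests per window."""
    return {ip: n for ip, n in peak_rates(lines, window_seconds).items()
            if n > max_requests}


# --- constructed sample log (not real traffic) -----------------------------
BASE = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def _log_line(ip, when, path, status=200):
    return f'{ip} - - [{when.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" {status} 512'


def build_sample_log():
    events = []
    # One shopper browsing normally: a page every 12 seconds.
    for i in range(5):
        events.append((BASE + timedelta(seconds=12 * i), "203.0.113.10", f"/product/{i}"))
    # Three compromised hosts hammering the checkout page: 40 requests each
    # inside two seconds, then silence (a short, sub-saturating burst).
    for i in range(40):
        for host in range(1, 4):
            events.append((BASE + timedelta(seconds=30, milliseconds=50 * i),
                           f"198.51.100.{host}", "/checkout"))
    events.sort()
    return [_log_line(ip, when, path) for when, ip, path in events]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("per-source peaks:", peak_rates(SAMPLE_LOG))
    print("site peak in 10 s:", site_peak_rate(SAMPLE_LOG))
    print("flooders:", find_flooders(SAMPLE_LOG))
```

On the constructed log the shopper never exceeds one request per ten-second window, while each of the three attacking hosts peaks at 40 and the site as a whole at 121. In practice the per-source view is what a rate limiter acts on and the site-wide view is what tells the operator a flood is under way even when no single address crosses the threshold, which is exactly the case with a widely distributed botnet.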
In Figure 1, for instance, a Trojan horse on an employee's workstation lets a cyber criminal read customer information from that computer without the worker's knowledge.

Wi-Fi Listeners

Criminals use discreet techniques to capture Wi-Fi signals. An attacker within radio range can record wireless frames and read their contents whenever the transmission is not encrypted (an open hotspot) or is protected only by an outdated scheme such as WEP. Older wireless encryption methods have been broken as attack techniques advanced, so an e-commerce site cannot rely on the customer's Wi-Fi for confidentiality; the protection the site itself controls is transport encryption (HTTPS/TLS) between the customer's browser and the site, which leaves a listener with little more than the destination host name and traffic sizes. The goal of Wi-Fi listening is to acquire private information from victims for malicious purposes. In the e-commerce transaction depicted in Figure 1, someone on the same wireless network can capture the data a user sends while making a purchase and, if the session is unprotected, hijack it (a captured session cookie is enough to impersonate the user).

As cyberattacks increase and become more damaging and sophisticated, e-commerce businesses must ensure that the right security practices are in place and are capable of stopping and deterring these attacks. It is surprising how many e-commerce businesses fail to implement comprehensive security practices that protect not only their customers' data but also their businesses. E-commerce businesses must be prepared and able to defend their systems and infrastructures against adversaries. As our society becomes more digital, these threats become the norm rather than the exception. Companies must make a comprehensive security response part of their business strategies.
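The Wi-Fi listening scenario above turns on one question: what does an eavesdropper on the same wireless network actually get from a captured purchase? The following added example (not code from the study guide or from Laudon and Traver) classifies two constructed captures the way a passive listener would. The first is a checkout form submitted over plain HTTP, from which every field is readable and card numbers can be picked out with the Luhn check that payment card numbers satisfy; the second is a TLS application-data record, from which only the record header is readable. The host name shop.example, the form fields, the card number 4111111111111111 (a well-known test number), and the opaque TLS payload are all made up for the example.

```python
"""Added example: what a passive Wi-Fi listener recovers from a captured
checkout request. Two constructed captures are examined: a plaintext HTTP
POST (everything is readable, and card numbers can be picked out with a
Luhn check) and a TLS record (only the record header is readable). The
captures, host name and form fields are made up for this example."""
import re
from urllib.parse import parse_qs

# --- constructed captures (not real traffic) --------------------------------
_FORM_BODY = (b"name=Jane+Doe&card=4111111111111111&exp=12%2F27&cvv=123"
              b"&email=jane%40example.com")
PLAINTEXT_CAPTURE = (
    b"POST /checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n" % len(_FORM_BODY)
    + b"\r\n" + _FORM_BODY
)
# A TLS 1.2-format application_data record (type 0x17) carrying 16 opaque bytes.
TLS_CAPTURE = b"\x17\x03\x03\x00\x10" + bytes.fromhex("9f2c4ab7e1d0335568aa90cc17ef0b44")

TLS_RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                    0x16: "handshake", 0x17: "application_data"}
CARD_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(number):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def _parse_http(raw):
    """Split a raw HTTP request into request line, headers and decoded form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return request_line, headers, fields


def classify_capture(raw):
    """Describe what an eavesdropper learns from one captured payload."""
    # TLS record header: 1 byte content type, 2 bytes version (0x03xx), 2 bytes length.
    if len(raw) >= 5 and raw[0] in TLS_RECORD_TYPES and raw[1] == 0x03:
        length = int.from_bytes(raw[3:5], "big")
        return {"protocol": "tls",
                "record_type": TLS_RECORD_TYPES[raw[0]],
                "encrypted_bytes": length,
                "fields": {}, "card_numbers": []}
    request_line, headers, fields = _parse_http(raw)
    cards = [c for value in fields.values()
             for c in CARD_CANDIDATE.findall(value) if luhn_ok(c)]
    return {"protocol": "http",
            "request": request_line,
            "host": headers.get("host"),
            "fields": fields, "card_numbers": cards}


if __name__ == "__main__":
    for capture in (PLAINTEXT_CAPTURE, TLS_CAPTURE):
        print(classify_capture(capture))
```

For the plaintext capture the listener gets the name, card number, expiry, CVV and e-mail address in full; for the TLS record it learns only that sixteen bytes of application data went somewhere. (The TLS handshake that precedes such records does expose the destination host name in the clear, which this example does not parse; that is the "little more than the destination host name" a listener is left with.) The practical conclusion for a merchant is that HTTPS on every page that touches customer data, not the customer's choice of Wi-Fi, is what removes this vulnerability point.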


Figure 1. Vulnerabilities present in an e-commerce transaction (Laudon & Traver, 2018)

Security Frameworks

There are several approaches to implementing cybersecurity. A strong and sustainable security strategy uses a security life cycle (SLC) model. A well-known model is published by the National Institute of Standards and Technology (NIST, 2014). This publication outlines best practices for a company's information technology (IT) cybersecurity to facilitate the implementation, maintenance, and improvement of an overall cybersecurity program. The International Organization for Standardization (ISO) offers another approach. This global organization publishes a family of standards specifically for information security. The ISO 27000 family helps organizations secure their information, assets, and employees (ISO, n.d.). Specifically, ISO 27001 is one of the most widely used standards, specifying the requirements for a comprehensive information security management system (ISMS).

Core Concepts (ISO, n.d.; NIST, 2014)

A security framework integrates industry security standards and best practices to assist organizations in managing security risks. Security frameworks are also shaped by specific business drivers, which guide security-related activities as part of an organization's risk management processes.

Regardless of which standard is used, an information security program is comprised of an organization-wide set of controls whose objective is to protect information systems. According to ISO (2013), the ISO 27001 standard specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS. The ISO 27001 standard is organized around seven areas, described in more depth below:

1. context of the organization,
2. leadership,
3. planning,
4. support,
5. operation,
6. performance evaluation, and
7. improvement (ISO, 2013).

Context of the Organization

A security framework must be implemented within the context of an organization. Organizations need to determine the internal and external issues that create risk for them, along with their resources and ability to implement controls to manage those risks (ISO, 2013). With this understood, organizations decide the scope and boundaries of the information security program.

Leadership

For an information security program to be successful, top management must demonstrate leadership and commitment. Management must establish the information security policy, ensure that it is implemented, and assign security roles and responsibilities. Leadership is exercised by directing and integrating information security into the company's business processes.

Planning

Organizations need to assess the company's needs in order to address the relevant risks and opportunities. They plan security activities and evaluate the effectiveness of the information security program by performing an information security risk assessment and defining how each risk will be treated (ISO, 2013).

Support

Support is critical for the sustainability of an organization's information security program. The support an ISMS requires encompasses resources, competence, awareness, communication, and documented information (ISO, 2013). How support is provided is contextual; the organization determines the resources and approach needed for establishing, maintaining, and improving its security program.

Operation

Once an information security program has been established, the organization must plan, implement, and control the processes needed to meet its security requirements. It keeps documented information showing that those processes were carried out as planned, controls planned changes, and reviews the consequences of unintended changes. Operational activities also include performing the information security risk assessment at planned intervals and implementing the risk treatment plan (ISO, 2013).

Performance Evaluation

The ISO (2013) framework requires monitoring, measurement, analysis, and evaluation of the implemented information security program. Organizations must be able to quantify the effectiveness of the program. Evaluation includes internal audits and management reviews, from which corrective actions are taken if needed.

Continuous Improvement

Findings from the evaluation of the information security program may indicate that corrective action is needed. Changes to the program may follow, along with a review of the effectiveness of the corrective actions taken. The ISO (2013) standard requires organizations to continually improve the suitability, adequacy, and effectiveness of their information security program.


Conclusion

The constant evolution of the Internet and, by extension, e-commerce will continually present new security challenges that cyber criminals are ready to exploit. E-commerce enterprises need to start with security in mind as a foundational principle of their businesses. The benefits of a comprehensive information security program cannot be overstated. If security is designed into e-commerce systems by default, consumers and enterprises are far less likely to suffer security incidents that could prove detrimental to businesses. Should we fail to act responsibly, cyber threats will certainly overtake our ability to protect our networks and the information contained in them.

References

International Organization for Standardization. (n.d.). ISO/IEC 27000 family - Information security management systems. Retrieved from https://www.iso.org/isoiec-27001-information-security.html

International Organization for Standardization. (2013). ISO/IEC 27001:2013(en) Information technology—Security techniques—Information security management systems—Requirements. Retrieved from https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en

Laudon, K. C., & Traver, C. G. (2018). E-Commerce 2017: Business, technology, society (13th ed.). Boston, MA: Pearson Education.

National Institute of Standards and Technology. (2014). Framework for improving critical infrastructure cybersecurity (Version 1.0). Retrieved from https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

Prince, B. (2015). DDoS attackers distracting security teams with shorter attacks: Corero Networks. Retrieved from http://www.securityweek.com/ddos-attackers-distracting-security-teams-shorter-attacks-corero-networks