Security Requirements and Threats
Definition
In the e-Business world, security refers primarily to the techniques used to store and transmit data, to form policies that govern how data is used, and to protect networks and equipment from potential harm or failure.
Internet Security
The TCP/IP protocol used to transmit data over the Internet was not designed to be secure, which means that data transmitted from computer to computer can be intercepted, read, and even altered. For example, a sniffer program can record information that passes through a computer (or router) on its way to a destination computer, unless that information is scrambled. Security breaches can occur when many e-mails and files are transmitted in their original form.
Security Requirements
The security of an individual's computer, a corporate Intranet, and an online store depends on four requirements:
1. Identification
In the cyberworld, identification methods include the use of passwords, Personal Identification Numbers (PIN), digital signatures, and digital certificates.
2. Access Control
A company's Web site is designed to communicate to the world. However, the company certainly does not want the world to have access to confidential information, such as the names and addresses of employees, the credit card numbers of customers, and internal memos that refer to proprietary business information. A security system is required to identify individuals according to their access rights. For example, the casual Web surfer can only view public pages on the Web site, while the company's Web developer can post updated Web pages to the site. Within most organizations, various levels of access to information are clearly defined, often with the aid of an Access Control List (ACL).
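The ACL idea above, as an added example that is not part of the original text: a deny-by-default check where the casual surfer can only view public pages and the Web developer can also post them. The roles, resources and the `authorized`/`decide` functions are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed sample ACL (hypothetical roles and resources):
# resource -> role -> set of permitted actions.
# Anything not listed is denied, so a new resource starts out private.
ACL = {
    "public_pages":     {"anonymous": {"view"}, "developer": {"view", "post"}},
    "employee_records": {"hr": {"view", "edit"}},
    "customer_cards":   {"billing": {"view"}},
    "internal_memos":   {"manager": {"view", "post"}},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


# The casual Web surfer: not logged in, so only the "anonymous" role applies.
ANONYMOUS = User("anonymous", frozenset({"anonymous"}))


def authorized(user: User, resource: str, action: str, acl=ACL) -> bool:
    """Deny by default; allow only if one of the user's roles grants the action."""
    grants = acl.get(resource, {})
    return any(action in grants.get(role, set()) for role in user.roles)


def decide(user: User, resource: str, action: str, acl=ACL) -> tuple:
    """Return (allowed, audit line). Denials against confidential resources
    are worth logging: a run of them is an early sign of someone probing."""
    allowed = authorized(user, resource, action, acl)
    verdict = "ALLOW" if allowed else "DENY"
    line = (f"{verdict} user={user.name} roles={sorted(user.roles)} "
            f"action={action} resource={resource}")
    return allowed, line


if __name__ == "__main__":
    dev = User("alice", frozenset({"developer"}))
    for who, res, act in [(ANONYMOUS, "public_pages", "view"),
                          (ANONYMOUS, "public_pages", "post"),
                          (dev, "public_pages", "post"),
                          (ANONYMOUS, "customer_cards", "view")]:
        print(decide(who, res, act)[1])
```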
3. Protection
The Internet is a wide-open land populated by the same ratio of responsible and irresponsible individuals found in the real world. While the majority of Web surfers—just like the majority of citizens—are law-abiding individuals, certain measures are required to guard against the activities perpetrated by “bad apples”. A consumer surfing the Web needs to feel that strangers can't learn personal information about them, that thieves can't steal their credit card numbers, and that viruses will not attack the data on their computers. Methods used to protect both individuals and data from damage, loss, or unauthorized use include technical solutions such as the encryption of data, and social solutions such as the enforcement of privacy policies.
4. Validity
When you send an e-mail message to a friend or a colleague, you don't expect its contents to be modified in transit. Similarly, no online business expects its Web site to be tampered with. Security measures should ensure the validity of information by protecting it from unauthorized modification.
Figure 1 summarizes each of these four requirements as they relate to the security of an online store.
Figure 1: Security requirements
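The Validity requirement above (and the altered-price threat under Damage to Data below) in working form, as an added example that is not from the original text: a keyed integrity tag over a product record lets the receiver detect any unauthorized modification. It uses HMAC-SHA256, a symmetric stand-in for the digital signature the text mentions; the key, record and function names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key shared by the store's back end and its page server
# (hypothetical; a real deployment loads it from a secret store).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def tag_record(record: dict, key: bytes = SHARED_KEY) -> str:
    """Hex HMAC-SHA256 over a canonical JSON encoding of the record.

    Sorted keys and no extra whitespace make the tag depend only on the
    record's content, not on the order the fields were inserted.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """True only if the record is unchanged since it was tagged.

    compare_digest runs in constant time, so a forger learns nothing from
    how quickly a wrong tag is rejected.
    """
    return hmac.compare_digest(tag_record(record, key), tag)


# Constructed sample: a product listing as the store published it.
PUBLISHED = {"sku": "WIDGET-42", "price_cents": 1999, "currency": "USD"}
PUBLISHED_TAG = tag_record(PUBLISHED)

# An altered copy: the price changed in transit, every other field intact.
ALTERED = dict(PUBLISHED, price_cents=199)


def demo() -> tuple:
    """(original verifies, altered verifies) -> expected (True, False)."""
    return (verify_record(PUBLISHED, PUBLISHED_TAG),
            verify_record(ALTERED, PUBLISHED_TAG))


if __name__ == "__main__":
    original_ok, altered_ok = demo()
    print("original record verifies:", original_ok)
    print("altered record verifies: ", altered_ok)
```

Without the key, an attacker who changes the price cannot produce a matching tag, so the page server rejects the record instead of displaying the tampered price.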
Security Threats
Security on the Internet relates primarily to data. When unauthorized persons access or sell data, damage can occur resulting in a loss of money, time, personal information, or privacy.
Damage to Data
Companies and individuals depend on the integrity—or truth—of the data that they access from the Internet. For example, a customer will make a purchasing decision based on the price shown on a Web page. If this price has been altered because of a security breach, the online company could risk losing money, the customer, or both. Damage to data can occur from viruses, vandalism, and technical breakdown.
● Viruses: Some viruses can wipe out or seriously damage computer systems. When viruses are transmitted over the Internet—often as attachments to e-mail messages—one infected computer can quickly infect thousands more computers.
● Vandalism: Vandalism on the Internet usually takes the form of modifying or erasing data. For example, a company could access its Web site one morning to find a competitor's address in place of its own. Another form of vandalism occurs when an individual attempts to crash computers and servers by sending huge files or thousands of messages to the same e-mail address at once.
● Technical Breakdown: All computers are at risk from power surges, physical threats such as floods, tornadoes, and hurricanes, and damage caused by faulty software.
Loss of Data
Loss or unauthorized use of data can be attributed to three causes: theft, fraud, and human error.
● Theft: Consumers worry that their credit card number could be stolen on its way across the Internet, particularly if they send it in unscrambled form. From a company's point of view, the theft of confidential information such as product specifications and employee data could have a devastating effect on the company's ability to serve its customers.
● Fraud: Fraud occurs when a customer uses a stolen credit card, or a company takes a customer's money without delivering the promised goods or services.
● Human Error: Data can disappear from a computer system if an operator mistakenly deletes it or fails to make backup copies to replace files that might become corrupted because of software errors.
Unauthorized Use of Data
Two issues related to unauthorized use of data are privacy violations and copyright infringement.
● Privacy Violations: Privacy relates to the unauthorized use of personal information. A company that sells a customer's personal information to marketers without informing the customer may be guilty of privacy violations.
● Copyright Infringement: The Web is a gold mine of information—ranging from printed materials to artwork to sound files to video files. However, all of the people who create these materials are not necessarily compensated. Frequently, copyright violations occur as a result of ignorance. The teen who downloads a sound file of the latest hip-hop hit that someone posted on a Web page may not realize that the band playing the music receives no financial compensation. Copyright issues may become increasingly complex as more and more information is distributed freely on the Internet. If consumers are able to download the latest hit song for free, are they likely to buy the entire CD?
Notes
1. digital signature: An authentication mechanism that is impossible to duplicate or forge.
2. digital certificate: Verifies that the sender of a message is who he or she claims to be, and provides the person who receives the message with the public key required to encrypt a reply.
3. Access Control List (ACL): Specifies which users are allowed to access which data to perform which functions.
4. encryption: The process of scrambling data into a secret code that can only be broken by complicated mathematical algorithms.
Questions for Further Discussion
1. What are the major security concerns when conducting e-Business?
2. What kinds of data are usually issued in e-Business? How can we protect them?
3. Show examples of the potential risks due to human error.
Further Exploration
The success of e-Business depends on consumers. If they feel that shopping online is safe and secure, e-Business will become a part of their daily life.
Can you explore consumer security issues from different facets, such as cookies, e-mails, privacy, surfing history, and so on?