Protective measures in e commerce to deal with security
International Journal of Computer Engineering and Technology (IJCET)
ISSN 0976-6367 (Print), ISSN 0976-6375 (Online)
Volume 4, Issue 1, January-February (2013), pp. 46-53
© IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2012): 3.9580 (Calculated by GISI), www.jifactor.com
PROTECTIVE MEASURES IN E-COMMERCE TO DEAL WITH SECURITY THREATS ARISING OUT OF SOCIAL ISSUES – A FRAMEWORK
Biswajit Tripathy¹, Jibitesh Mishra²
¹ Associate Professor, Dept of Computer Science & Engg, Synergy Institute of Engineering & Technology, Dhenkanal 759 001 (India), email: biswajit69@gmail.com
² Associate Professor, HOD, Dept of Computer Sc & Engg, College of Engineering & Technology, Ghatikia, Bhubaneswar (India), email: mishrajibitesh@gmail.com
ABSTRACT
The era of the information revolution began in the early 1990s, when the Internet made computers popular with the masses and knowledge workers began to outnumber factory workers. The dawn of the internet era has significantly changed the way people and organizations around the world interact with each other. Vendors around the world have started setting up shops over the web. Entire marketplaces for trade and commerce have sprung up online. In a country like India, where entrepreneurs are born in every nook and corner, e-commerce provides a low-investment, high-return opportunity. Traditional businesses have taken their wares over the net and profited immensely from it. Now the whole world is their marketplace. This article gives an account of the security aspects of e-commerce, the different threats arising from social issues, their causes, and remedial measures for such issues.
Keywords: Threats, Privacy, Security, e-commerce
1. INTRODUCTION
India, an emerging economy, has witnessed unprecedented levels of economic expansion, along with countries like China, Russia, Mexico and Brazil. India, being a cost-effective and labor-intensive economy, has benefited immensely from the outsourcing of work from developed countries and from a strong manufacturing and export-oriented industrial framework. In 2009, most of the $161.3 billion of FDI went to the IT and ITeS sector. Experts expect the Indian economy to be the world’s biggest economy by 2040.
India’s software export revenue is expected to grow by 13-14%. The IT and software industry is a major player in the Indian economy. Based mainly on IT software and facilities such as system integration, software experiments, custom application development and maintenance (CADM), network and IT services and solutions, the country’s IT-BPO industry expanded by 12% during fiscal year 2009 and attained aggregate returns of US$71.6 billion. Of this revenue, US$59.6 billion was directly generated by the software and services sector alone. Market research firm IDC India has said in a recent study that India’s information technology and IT-enabled services industry will grow to more than $132 billion by 2012, one of the main factors being the expanding domestic market in India[2-8].
The dawn of the internet era has significantly changed the way people and organizations around the world interact with each other. With 81 million internet users, compared to 825 million in Asia and 1966.5 million worldwide, India stands fourth in the world by number of users. The Internet, which was earlier only a medium for transferring data or for communication, has now become the platform for a wider range of applications termed e-commerce. Products and services are now just a click away. Secure online transactions provided by vendors such as Visa and Mastercard, as well as online bank transfers, have only added to the confidence of audiences willing to participate in online commerce. The emergence of Web 2.0 fueled this trend even further. Vendors around the world have started setting up shops over the web. Entire marketplaces for trade and commerce have sprung up online[8,9].
In India, where entrepreneurs are born in every nook and corner, e-commerce provides a low-investment, high-return opportunity. Traditional businesses have profited immensely by utilizing this opportunity. Now the whole world is their market. It started slowly, with bazee.com leading the way. Gradually trade portals and online travel portals joined the bandwagon. After eBay acquired bazee.com, the level of access that users had to e-commerce increased significantly.
Although by most references India accounts for only approximately 2% of the e-commerce in the Asia-Pacific region, the amount in figures is staggering. It was estimated at around $2.1 billion in 2008 and predicted to grow to around $6 billion by 2011. In fact, only 6.9% of the Indian population had access to the internet in 2010[9].
II. SECURITY ASPECTS
Privacy and security can be viewed as ethical questions. At the same time, the privacy and security area attracts a large amount of attention from the commercial sector because it has the potential to determine the success or failure of many business ventures, most obviously e-commerce activities. Privacy and security are often described in terms of ethics and therefore taken to be of an ethical nature. At the same time, they are used by commercial organizations to promote their particular, usually financial but often also political, objectives. This is problematic because the commercial use of the terms privacy and security promotes a particular ideology and uses the ethical recognition of the concepts to limit critical discourse.
There are general definitions, such as the classical one by Landwehr, which states that a system is secure “if it adequately protects information that it processes against unauthorized disclosure, unauthorized modification, and unauthorized withholding”. Unfortunately, the text goes on to say that no practical system can achieve these goals
simultaneously and that security is inherently relative. Security is thus important for the ability to interact with others in a self-confident manner. It is also required to develop relationships of trust with others[1].
Privacy concerns have garnered much attention in recent years with the rise in identity fraud and the new capabilities to collect and process information brought about by technology. Between 1998 and 2003, there were a reported 27.3 million cases of identity fraud, accounting for nearly $48 billion in losses to financial institutions and $5 billion worth of out-of-pocket expenses to consumers, according to the Federal Trade Commission (FTC) report of 2003[2].
Strengthening the trust framework, including information security and network security, authentication, privacy and consumer protection, is a prerequisite for the development of the Information Society and for building confidence among users.
In a nutshell, the perception of cyber-threats therefore has two main aspects: on one side, a new kind of vulnerability due to modern society’s dependency on inherently insecure information systems, and on the other side, the expansion of the threat spectrum, especially in terms of malicious actors and their capabilities[10].
III. THREAT CAUSES
It was only in the early 1990s that a confluence of events brought about what can be
described as a “techno-crescendo” of information revolution dreams, when computers
became popular with the masses, and knowledge workers began to outnumber factory
workers[11].
One major reason for the rise of identity fraud is that increases in Internet transactions
make the authentication of persons more difficult than ever before, because there is no human
contact and less opportunity for identification checks. Hence, methods for identification and
verification in e-commerce environments are becoming increasingly necessary to avoid
potential issues such as identity fraud. Online banking, electronic financial transactions,
online data stores, and Internet commerce, for example, are becoming extremely popular and
the technologies to prevent misuse of these systems continue to expand as their importance
increases and the potential for financial loss grows[2].
Potentially damaging events that could happen to the information infrastructure can
be commonly categorized as “failures”, “accidents”, and “attacks”. These events are only
considered to be potentially damaging, because not all events actually produce harmful
results – system failure will not occur as long as the error does not reach the service interface
of the system, and might go unobserved[9].
Failures are potentially damaging events caused by deficiencies in the system or in an
external element on which the system depends. Failures may be due to software design errors,
hardware degradation, human errors, or corrupted data.
Accidents include the entire range of randomly occurring and potentially damaging
events such as natural disasters. Usually, accidents are externally generated events from
outside the system, whereas failures are internally generated events.
Statistics show that, among the various causes of cyber threats, some of the biggest threats are attacks committed by “insiders”, individuals who are, or previously had been, authorized to use the information systems they eventually employ to spread harm[10].
In fact, different types of hackers must be distinguished[14], mainly by their motivation and skill level:
• Script kiddies: The more immature but unfortunately often just as dangerous exploiters of security lapses on the Internet. The driving force of script kiddies has been shown to be boredom, curiosity, or teenage bravado.
• Hacktivists: If hacking is taken to mean "illegally breaking into computers", then hacktivism could be defined as "the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends".
• Crackers or “Black Hat Hackers”: Someone who (usually illegally) attempts to break into or otherwise subvert the security of a program, system, or network, often with malicious intent. Hackers themselves like to distinguish between this type of hacker and the next.
• Sneakers or “White Hat Hackers”: Someone who attempts to break into systems or networks in order to help the owners of the system by making them aware of security flaws in it.
Some of the key issues that can create threats to an e-commerce application are given below:
• Gathering information about employees through mailers e.g. survey etc.
• Gathering information about employees by developing relationships
• Forensic analysis of the hard drives, memory sticks etc.
• Pretending to be a senior manager or helpless user
• Pretending to be a technical support engineer
• Disgruntled employees
Basically, there are two threat scenarios: one from hackers and individuals, termed the “unstructured” threat, and the other from foreign nation states, termed the “structured” threat[16].
• The unstructured threat is random and relatively limited, and it consists of adversaries with limited funds and organization and short-term goals. These actors have limited resources, tools, skills, and funding to accomplish a sophisticated attack. However, such attacks might cause considerable damage if the attackers are sufficiently foolish or lucky.
• The structured threat is considerably more methodical and better supported. These adversaries have all-source intelligence support, extensive funding, organized professional support, and long-term goals. Foreign intelligence services, criminal elements, and professional hackers involved in information warfare, criminal activities, or industrial espionage fall into this threat category[17].
The following is an overview of important common issues currently discussed in the context
of legislation procedures in the countries covered in the handbook[18]:
• Data protection and security in electronic communications;
• IT security and information security requirements;
• Fraudulent use of computer and computer systems, damage to or forgery of data, and
similar offences;
• Protection of personal data and privacy;
• Identification and digital signatures;
• Responsibilities in e-Commerce and e-Business;
• International harmonization of cybercrime law;
• Minimum standards of information security for e-governance, service providers, and
operators, including the implementation of different security standards such as
BS7799, the code of practice for information security management ISO/IEC 17799,
the Common Criteria for Information Technology Security Evaluation ISO/IEC
15408, and others;
• Public key infrastructure and its regulation.
Across all boundaries, there are two main factors that influence and sometimes even hinder efficient law enforcement, one with a national and the other with an international dimension:
• Lack of know-how or of functioning legal institutions: Even if a country has strict laws and prohibits many practices, the enforcement of such laws is often difficult. Frequently, the necessary means to effectively prosecute misdemeanours are lacking, due to resource problems, non-existent or emerging cyber-crime units, or a lack of supportive legislation, such as the storing of rendition data[10].
• Lack or disparity of legal codes: While most crimes, such as theft, burglary, and the like, are punishable offences in almost every country of the world, some rather grave disparities still remain. For example, in most European countries it is illegal to publish right-wing extremist or anti-Semitic statements on the Internet. However, the US does not prosecute such offences if committed within its borders, as they are usually protected by the First Amendment to the Constitution, which guarantees freedom of speech[19].
IV. MEASURES TO REMOVE THREATS
In the following, we will look more closely at four possible categories of initiatives launched
by multilateral actors: deterrence, prevention, detection, and reaction.
• Deterrence – or the focus on the use of multilateral cyber-crime legislation:
Multilateral initiatives to deter the malicious use of cyberspace include initiatives to a)
harmonize cyber-crime legislation and to promote tougher criminal penalties (e.g. the
Council of Europe Convention on Cybercrime) [20], and b) improve e-commerce
legislation (e.g., the efforts of the United Nations Commission on International Trade
Law (UNCITRAL) for electronic commerce) [21].
• Prevention – or the design and use of more secure systems, better security
management and the promotion of more security mechanisms: Multilateral initiatives
to prevent the malicious use of cyberspace centre around a) promoting the design and
use of more secure information systems[22]; b) improving information security
management in the organizations of all sectors (e.g., the ISO and OECD standards and
guidelines initiatives) [23]; c) legal and technological initiatives such as the
promotion of security mechanisms (e.g., electronic signature legislation in Europe).
• Detection – or cooperative policing mechanisms and early warning of attacks:
Multilateral initiatives to detect the malicious use of cyberspace include a) the
creation of enhanced cooperative policing mechanisms (e.g., the G-8 national points
of contact for cyber-crime); and b) early warning through information exchange with
the aim of providing early warning of cyber-attack by exchanging information
between the public and private sectors (e.g., US Information Sharing & Analysis
Centers, the European Early Warning & Information System, and the European
Network and Information Security Agency (ENISA)).
• Reaction – or the design of stronger information infrastructures, crisis management
programs, and policing and justice efforts: Multilateral initiatives to react to the
malicious use of cyberspace include a) efforts to design robust and survivable
information infrastructures; b) the development of crisis management systems; and c)
improvement in the coordination of policing and criminal justice efforts[24].
In order to counter the security threats due to social factors, the following recommendations can be made.
• A well documented Security Policy accessible to employees & training provided to
the employees
• Awareness of threats and impact of social engineering on the company
• Implementation of proper security audit
• Proper Identity Management policy for authentication
• Clear cut operating policies & procedures to limit vulnerabilities.
• Use of advanced physical solutions such as intelligent revolving doors, biometric
systems, etc. to eliminate or reduce unauthorized physical access
Also, along with each policy, the standards and guidelines to be followed should be clearly explained. Some of the broad outlines of this policy should include the following:
• Computer system usage: Monitoring the use of non-company-standard mail or activity.
• Proper information classification and handling: Confidential information should be properly classified and should not be available to everybody.
• Personnel security: Proper screening of new employees and other visitors to ensure that they do not pose a security threat.
• Physical security: A proper authentication process for allowing employees into secure portions of the company premises, e.g. sign-in procedures through electronic and biometric security devices.
• Information access: Password usage and guidelines for generating secure passwords,
access authorization.
• Protection from viruses: Working policies for protection of the systems from viruses
and other threats.
• Security awareness training: This ensures that employees are kept informed of threats
and counter measures.
• Compliance monitoring: This ensures that the security policy is being complied with.
• Documentation destruction: All information should be disposed of by shredding not
by discarding in the trash or recycle bins.
V. CONCLUSION
Insider threats are a major social issue that causes extensive damage to any system. A more generalized framework has been proposed in this article that covers different organizations/agencies. This framework will guide e-commerce companies in establishing a more secure system. However, a localized policy has to be made for each company in order to address the local social issues. Apart from this, proper training guidelines for the general users working in the company/organization need to be framed.
REFERENCES
1. Stahl, B. C.: Privacy and Security as Ideology. IEEE Technology & Society Magazine, Spring 2007, pp. 35-45 (2007).
2. Pirim, T., et al.: An Empirical Investigation of an Individual’s Perceived Need for Privacy and Security. International Journal of Information Security and Privacy, Volume 2, Issue 1, edited by Hamid R. Nemati, IGI Global, pp. 42-53 (2008).
3. http://www.economywatch.com/indianeconomy/indian-economy-overview.html, visited 2 January 2013.
4. http://teck.in/indias-software-export-revenue-to-grow-by-13-14-in-fy-2010-2011.html, visited 2 January 2013.
5. http://www.intology.com/business-finance/indian-it-industry-revenue-to-be-more-than-doubled-by-2012/, visited 2 January 2013.
6. http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=53404, visited 2 January 2013.
7. http://economictimes.indiatimes.com/tech/internet/wikileaks-to-publish-files-on-aliens-ufos/articleshow/7042278.cms, visited 2 January 2013.
8. http://www.internetworldstats.com/stats.htm, visited 2 January 2013.
9. http://www.chillibreeze.com/articles_various/ecommerce-India.asp, visited 2 January 2013.
10. Dunn, M.: A Comparative Analysis of Cyber Security Initiatives Worldwide. International Telecommunication Union, WSIS Thematic Meeting on Cybersecurity, Geneva; Center for Security Studies, Swiss Federal Institute of Technology (ETH Zurich) (2005).
11. Kushnick, B.: The Unauthorized Biography of the Baby Bells & Info-Scandal. New Networks Institute, p. 22 (1999).
12. Avizienis et al.: Fundamental Concepts of Dependability. Research Report N01145 (2000); Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) (2003).
13. U.S. Secret Service and Carnegie Mellon University Software Engineering Institute: Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. URL: http://www.secretservice.gov/ntac_its.shtml (2005).
14. Levy, S.: Hackers: Heroes of the Computer Revolution. New York: Anchor Press (1984).
15. Denning, D. E.: Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy. Presented at the Internet and International Systems: Information Technology and American Foreign Policy Decision Making Workshop (1999).
16. National Academy of Sciences (1991).
17. Minihan, K. A.: Prepared Statement before the Senate Governmental Affairs Committee, 24 June 1998 (1998).
18. Finnish Communications Regulatory Authority: Information Security Review Related to the National Information Security Strategy (24 May 2002). URL: http://www.ficora.fi/englanti/document/review.pdf (2002).
19. Gelbstein, E. and Kamal, A.: Information Insecurity. A Survival Guide to the Uncharted Territories of Cyber-threats and Cyber-security. United Nations ICT Task Force and United Nations Institute for Training and Research, New York, November 2002. URL: http://www.un.int/unitar/patit/dev/oldsite/curriculum/Information_Insecurity_Second_Edition_PDF.pdf (2002).
20. Council of Europe Convention on Cybercrime. URL: http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm
21. http://www.uncitral.org/english/workinggroups/wg_ec/index.htm
22. http://www.commoncriteriaportal.org/
23. The International Organization for Standardization (ISO) has developed a code of practice for information security management (ISO/IEC 17799:2000). URL: http://www.iso.org/iso/en/prodsservices/popstds/-informationsecurity.html
24. The Organisation for Economic Co-operation and Development (OECD) promotes a “culture of security” for information systems and networks. URL: http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html
25. Porteous, H.: Some Thoughts on Critical Information Infrastructure Protection. Canadian IO Bulletin, 2, 4, October 1999. URL: http://www.ewa-canada.com/Papers/IOV2N4.htm (1999).
26. L. Chandra Sekaran and Dr. S. Balasubramanian: “Website Based Patent Information Searching Mechanism”, International Journal of Computer Engineering & Technology (IJCET), Volume 1, Issue 2, 2010, pp. 180-191, Published by IAEME.
27. M. B. Thulase and Dr. G. T. Raju: “Website Based Patent Information Searching Mechanism”, International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 2, 2012, pp. 487-498, Published by IAEME.
28. Neeraj Tiwari, Rahul Anshumali and Prabal Pratap Singh: “Wireless Sensor Networks: Limitation, Layerwise Security Threats, Intruder Detection”, International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 3, Issue 2, 2012, pp. 22-31, Published by IAEME.
29. Dr. V. Antony Joe Raja: “The Study of E-Commerce Service Systems In Global Viral Marketing Strategy”, International Journal of Marketing & Human Resource Management (IJMHRM), Volume 3, Issue 1, 2012, pp. 9-18, Published by IAEME.
30. Mahmoud M. Maqableh: “Secure Hash Functions Based On Chaotic Maps For E-Commerce Applications”, International Journal of Information Technology and Management Information System (IJITMIS), Volume 1, Issue 1, 2010, pp. 12-22, Published by IAEME.
31. Gurudatt Kulkarni, Ruchira Chandorkar and Nikita Chavan: “A Security By Biometric Authentication”, International Journal of Computer Science and Engineering Research and Development (IJCSERD), Volume 2, Number 1, 2012, pp. 7-14, Published by PRJpublication.