International Journal of Computer Engineering and Technology (IJCET)
ISSN 0976 – 6367(Print)
ISSN 0976 – 6375(Online)
Volume 4, Issue 1, January- February (2013), pp. 46-53
© IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2012): 3.9580 (Calculated by GISI)
www.jifactor.com




PROTECTIVE MEASURES IN E-COMMERCE TO DEAL WITH SECURITY THREATS ARISING OUT OF SOCIAL ISSUES – A FRAMEWORK

Biswajit Tripathy1, Jibitesh Mishra2

1 Associate Professor, Dept of Computer Science & Engg, Synergy Institute of Engineering & Technology, Dhenkanal 759 001 (India), email: biswajit69@gmail.com
2 Associate Professor, HOD, Dept of Computer Sc & Engg, College of Engineering & Technology, Ghatikia, Bhubaneswar (India), email: mishrajibitesh@gmail.com


ABSTRACT

        In the early 1990s, when the Internet made computers popular with the masses and
knowledge workers began to outnumber factory workers, the era of the information revolution
began. The dawn of the internet era has significantly changed the way people and
organizations around the world interact with each other. Vendors around the world have
started setting up shops over the web. Entire market places for trade and commerce have
sprung up online. In a country like India, where entrepreneurs are born in every nook and
corner, e-commerce provides a low investment, high return opportunity. Traditional
businesses have taken their wares over the net and profited immensely from it. Now the
whole world is their market place. This article gives an account of the security aspects of
e-commerce, the different threats arising from social issues, their causes, and remedial
measures for such issues.

Keywords: Threats, Privacy, Security, e-commerce

I.    INTRODUCTION

        India, an emerging economy, has witnessed unprecedented levels of economic
expansion, along with countries like China, Russia, Mexico and Brazil. India, being a cost
effective and labour intensive economy, has benefited immensely from the outsourcing of
work from developed countries and from a strong manufacturing and export oriented
industrial framework. In 2009, most of the $161.3 billion of FDI went to the IT and ITeS
sector. Experts expect the Indian economy to be the world's biggest economy by 2040.


        India's software export revenue is expected to grow by 13-14%. The IT and
software industry is a major player in the Indian economy. Based mainly on IT software and
services such as system integration, software testing, custom application development and
maintenance (CADM), network and IT services and solutions, the country's IT-BPO
industry expanded by 12% during fiscal year 2009 and attained aggregate revenue of US$71.6
billion. Of this revenue, US$59.6 billion was generated directly by the software and services
sector alone. Market research firm IDC India has said in a recent study that India's
information technology and IT-enabled services industry will reach more than $132 billion
by 2012, one of the main factors being the expansion of the domestic market in India [2-8].

        The dawn of the internet era has significantly changed the way people and
organizations around the world interact with each other. With 81 million internet users,
compared to 825 million in Asia and 1966.5 million worldwide, India ranks fourth in the
world by number of users. The Internet, which was earlier only a medium for transferring data
or communicating, now supports a much wider range of applications termed e-commerce.
Products and services are now just a click away. Secure online transactions provided by
vendors such as Visa and Mastercard, as well as online bank transfers, have only added to the
confidence of audiences willing to participate in online commerce. The emergence of web 2.0
fueled this trend even further. Vendors around the world have started setting up shops over
the web. Entire market places for trade and commerce have sprung up online [8,9].

        In India, where entrepreneurs are born in every nook and corner, e-commerce provides
a low investment, high return opportunity. Traditional businesses have profited immensely by
utilizing this opportunity. Now the whole world is their market. It started slowly, with
bazee.com leading the way. Gradually trade portals and online travel portals joined the
bandwagon. After eBay acquired bazee.com, the level of access that users had to e-commerce
increased significantly.

        Although by most references India only accounts for approximately 2% of the e-
commerce in the Asia-Pacific region, the amount in figures is staggering. It was estimated at
around $2.1 billion in 2008 and predicted to grow to around $6 billion by 2011. This is
despite the fact that only 6.9% of the Indian population had access to the internet in 2010 [9].

II.    SECURITY ASPECTS

        Privacy and security can be viewed as ethical questions. At the same time the privacy
and security area attracts a large amount of attention from the commercial sector because it
has the potential to determine the success or failure of many business ventures, most
obviously e-commerce activities. Privacy and security are often described in terms of ethics
and therefore taken to be of an ethical nature. At the same time, they are used by commercial
organizations to promote their particular, usually financial but often also political, objectives.
This is problematic because the commercial use of the terms privacy and security promotes a
particular ideology and uses the ethical recognition of the concepts to limit critical discourses.
        There are general definitions, such as the classical one by Landwehr, which states
that a system is secure “if it adequately protects information that it processes against
unauthorized disclosure, unauthorized modification, and unauthorized withholding”.
Unfortunately, the text goes on to say that no practical system can achieve these goals
simultaneously and that security is inherently relative. Security is thus important for the
ability to interact with others in a self-confident manner. It is also required to develop
relationships of trust with others [1].

        Privacy concerns have garnered much attention in recent years with the rise in identity
fraud and the new capabilities to collect and process information brought about by
technology. From 1998 to 2003 there were a reported 27.3 million cases of identity fraud,
accounting for nearly $48 billion in losses to financial institutions and $5 billion worth of
out-of-pocket expenses to consumers, according to the Federal Trade Commission (FTC)
report of 2003 [2].

        Strengthening the trust framework, including information security and network
security, authentication, privacy and consumer protection, is a prerequisite for the
development of the Information Society and for building confidence among users.

        In a nutshell, the perception of cyber-threats therefore has two main aspects: on one
side, a new kind of vulnerability due to modern society's dependency on inherently insecure
information systems, and on the other side, the expansion of the threat spectrum, especially
in terms of malicious actors and their capabilities [10].

III.    THREAT CAUSES

       It was only in the early 1990s that a confluence of events brought about what can be
described as a “techno-crescendo” of information revolution dreams, when computers
became popular with the masses, and knowledge workers began to outnumber factory
workers[11].

        One major reason for the rise of identity fraud is that increases in Internet transactions
make the authentication of persons more difficult than ever before, because there is no human
contact and less opportunity for identification checks. Hence, methods for identification and
verification in e-commerce environments are becoming increasingly necessary to avoid
potential issues such as identity fraud. Online banking, electronic financial transactions,
online data stores, and Internet commerce, for example, are becoming extremely popular and
the technologies to prevent misuse of these systems continue to expand as their importance
increases and the potential for financial loss grows[2].

        Potentially damaging events that could happen to the information infrastructure can
be commonly categorized as “failures”, “accidents”, and “attacks”. These events are only
considered to be potentially damaging, because not all events actually produce harmful
results – system failure will not occur as long as the error does not reach the service interface
of the system, and might go unobserved[9].

       Failures are potentially damaging events caused by deficiencies in the system or in an
external element on which the system depends. Failures may be due to software design errors,
hardware degradation, human errors, or corrupted data.





       Accidents include the entire range of randomly occurring and potentially damaging
events such as natural disasters. Usually, accidents are externally generated events from
outside the system, whereas failures are internally generated events.

        Statistics on the various causes of cyber threats show that some of the biggest threats
are attacks committed by “insiders” – individuals who are, or previously had been,
authorized to use the information systems they eventually employ to spread harm [10].

       In fact, different types of hackers must be distinguished [14], mainly by their
motivation and skill level:
   • Script kiddies: The more immature, but unfortunately often just as dangerous,
       exploiters of security lapses on the Internet. The driving force of script kiddies has
       been shown to be boredom, curiosity, or teenage bravado.
   • Hacktivists: If hacking is taken to mean "illegally breaking into computers", then
       hacktivism could be defined as "the nonviolent use of illegal or legally ambiguous
       digital tools in pursuit of political ends".
   • Crackers or “Black Hat Hackers”: Someone who (usually illegally) attempts to break
       into or otherwise subvert the security of a program, system, or network, often with
       malicious intent. Hackers themselves like to distinguish between this type of hacker
       and the next.
   • Sneakers or “White Hat Hackers”: Someone who attempts to break into systems or
       networks in order to help the owners of the system by making them aware of
       security flaws in it.

Some of the key issues that can create threats to an e-commerce application are given below:
   • Gathering information about employees through mailers e.g. survey etc.
   • Gathering information about employees by developing relationships
   • Forensic analysis of the hard drives, memory sticks etc.
   • Pretending to be a senior manager or helpless user
   • Pretending to be a technical support engineer
   • Disgruntled employees

Basically, there are two threat scenarios ─ one from hackers and individuals, termed the
“unstructured” threat, and the other from foreign nation states, termed the “structured” threat [16].
   • The unstructured threat is random and relatively limited, and it consists of adversaries
       with limited funds and organization and short-term goals. These actors have limited
       resources, tools, skills, and funding to accomplish a sophisticated attack. However,
       such attacks might cause considerable damage if they are sufficiently foolish or lucky.
   • The structured threat is considerably more methodical and better supported. These
       adversaries have all-source intelligence support, extensive funding, organized
       professional support, and long-term goals. Foreign intelligence services, criminal
       elements, and professional hackers involved in information warfare, criminal
       activities, or industrial espionage fall into this threat category[17].

The following is an overview of important common issues currently discussed in the context
of legislation procedures in the countries covered in the handbook[18]:



      •   Data protection and security in electronic communications;
      •   IT security and information security requirements;
      •   Fraudulent use of computer and computer systems, damage to or forgery of data, and
          similar offences;
      •   Protection of personal data and privacy;
      •   Identification and digital signatures;
      •   Responsibilities in e-Commerce and e-Business;
      •   International harmonization of cybercrime law;
      •   Minimum standards of information security for e-governance, service providers, and
          operators, including the implementation of different security standards such as
          BS7799, the code of practice for information security management ISO/IEC 17799,
          the Common Criteria for Information Technology Security Evaluation ISO/IEC
          15408, and others;
      •   Public key infrastructure and its regulation.

Across all boundaries, there are two main factors that influence and sometimes even hinder
efficient law enforcement ─ one with a national, the other with an international dimension:
    • Lack of know-how or of functioning legal institutions: Even if a country has strict
        laws and prohibits many practices, the enforcement of such laws is often difficult.
        Frequently, the necessary means to effectively prosecute misdemeanours are lacking,
        due to resource problems, inexistent or emerging cyber-crime units, or a lack of
        supportive legislation, such as the storing of rendition data[10].
    • Lack or disparity of legal codes: While most crimes, such as theft, burglary, and the
        like are punishable offences in almost every country of the world, some rather grave
        disparities still remain. For example, in most European countries, it is illegal to
        publish right-wing extremist or anti-Semitic statements on the Internet. However, the
        US does not prosecute such offences if committed within its borders, as they are
        usually protected by the First Amendment to the Constitution, which guarantees
        freedom of speech[19].

IV.       MEASURES TO REMOVE THREATS

In the following, we will look more closely at four possible categories of initiatives launched
by multilateral actors: deterrence, prevention, detection, and reaction.
    • Deterrence – or the focus on the use of multilateral cyber-crime legislation:
        Multilateral initiatives to deter the malicious use of cyberspace include initiatives to a)
        harmonize cyber-crime legislation and to promote tougher criminal penalties (e.g. the
        Council of Europe Convention on Cybercrime) [20], and b) improve e-commerce
        legislation (e.g., the efforts of the United Nations Commission on International Trade
        Law (UNCITRAL) for electronic commerce) [21].
    • Prevention – or the design and use of more secure systems, better security
        management and the promotion of more security mechanisms: Multilateral initiatives
        to prevent the malicious use of cyberspace centre around a) promoting the design and
        use of more secure information systems[22]; b) improving information security
        management in the organizations of all sectors (e.g., the ISO and OECD standards and
        guidelines initiatives) [23]; c) legal and technological initiatives such as the
        promotion of security mechanisms (e.g., electronic signature legislation in Europe).


   •   Detection – or cooperative policing mechanisms and early warning of attacks:
       Multilateral initiatives to detect the malicious use of cyberspace include a) the
       creation of enhanced cooperative policing mechanisms (e.g., the G-8 national points
       of contact for cyber-crime); and b) early warning through information exchange with
       the aim of providing early warning of cyber-attack by exchanging information
       between the public and private sectors (e.g., US Information Sharing & Analysis
       Centers, the European Early Warning & Information System, and the European
       Network and Information Security Agency (ENISA)).
   •   Reaction – or the design of stronger information infrastructures, crisis management
       programs, and policing and justice efforts: Multilateral initiatives to react to the
       malicious use of cyberspace include a) efforts to design robust and survivable
       information infrastructures; b) the development of crisis management systems; and c)
       improvement in the coordination of policing and criminal justice efforts[24].

In order to counter the security threats due to social factors, the following recommendations
can be made:
    • A well documented security policy accessible to employees, and training provided to
        the employees
    • Awareness of threats and of the impact of social engineering on the company
    • Implementation of proper security audits
    • A proper identity management policy for authentication
    • Clear cut operating policies and procedures to limit vulnerabilities
    • Use of advanced physical solutions such as intelligent revolving doors, biometric
        systems, etc. to eliminate or reduce unauthorized physical access

Along with each policy, the standards and guidelines to be followed should also be clearly
explained. The broad outlines of this policy should include the following:
    • Computer system usage: Monitoring the use of non-company standard mail or
        activity.
    • Proper information classification and handling: Confidential information should be
        properly classified and should not be available to everybody.
    • Personnel security: Proper screening of new employees and other visitors to ensure
        that they do not pose a security threat.
    • Physical security: A proper authentication process for allowing employees into secure
        areas of the company, e.g. sign-in procedures through electronic and biometric
        security devices.
    • Information access: Password usage and guidelines for generating secure passwords,
        and access authorization.
    • Protection from viruses: Working policies for protection of the systems from viruses
        and other threats.
    • Security awareness training: This ensures that employees are kept informed of threats
        and countermeasures.
    • Compliance monitoring: This ensures that the security policy is being complied with.
    • Document destruction: All information should be disposed of by shredding, not by
        discarding in the trash or recycle bins.




V.         CONCLUSION

       Insider threats are a major social issue that causes extensive damage to any system. A
more generalized framework has been proposed in this article that covers different
organizations/agencies. This framework will guide e-commerce companies in establishing a
more secure system. However, a localized policy has to be made for each company in order
to address the local social issues. Apart from these, proper training guidelines for the general
users working in the company/organization need to be framed.

REFERENCES

     1.    Stahl B C: Privacy and Security as Ideology, IEEE Technology & Society Magazine,
           Spring 2007, IEEE, pp. 35-45 (2007).
     2.    Taner Pirim, et al.: An Empirical Investigation of an Individual's Perceived Need for
           Privacy and Security, International Journal of Information Security and Privacy,
           Volume 2, Issue 1, edited by Hamid R. Nemati, © 2008, IGI Global, pp. 42-53 (2008).
     3.    http://www.economywatch.com/indianeconomy/indian-economy-overview.html
           visited on 2 Jan 2013.
     4.    http://teck.in/indias-software-export-revenue-to-grow-by-13-14-in-fy-2010-2011.html
           visited on 2 Jan 2013.
     5.    http://www.intology.com/business-finance/indian-it-industry-revenue-to-be-more-than-doubled-by-2012/
           visited on 2 Jan 2013.
     6.    http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=53404 visited on
           2 Jan 2013.
     7.    http://economictimes.indiatimes.com/tech/internet/wikileaks-to-publish-files-on-aliens-ufos/articleshow/7042278.cms
           visited on 2 Jan 2013.
     8.    http://www.internetworldstats.com/stats.htm visited on 2 Jan 2013.
     9.    http://www.chillibreeze.com/articles_various/ecommerce-India.asp visited on
           2 Jan 2013.
     10.   Myriam Dunn: A Comparative Analysis of Cyber Security Initiatives Worldwide,
           International Telecommunication Union, WSIS Thematic Meeting on Cyber Security,
           Geneva; Center for Security Studies, Swiss Federal Institute of Technology (ETH
           Zurich) for the WSIS Thematic Meeting on Cyber Security (2005).
     11.   Kushnick, Bruce: The Unauthorized Biography of the Baby Bells & Info-Scandal
           (New Networks Institute), p. 22 (1999).
     12.   Avizienis et al.: Fundamental Concepts of Dependability, Research Report
           N01145 (2000); Office of the Critical Infrastructure Protection and Emergency
           Preparedness (OCIPEP) (2003).
     13.   U.S. Secret Service and Carnegie Mellon University Software Engineering Institute:
           Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors.
           URL: http://www.secretservice.gov/ntac_its.shtml (2005).
     14.   Levy, Steven: Hackers: Heroes of the Computer Revolution (New York: Anchor
           Press) (1984).
     15.   Denning, Dorothy E.: Activism, Hacktivism, and Cyberterrorism: The Internet as a
           Tool for Influencing Foreign Policy, presented at Internet and International Systems:
           Information Technology and American Foreign Policy Decision Making Workshop
           (1999).


   16.   National Academy of Sciences (1991).
   17.   Minihan, Kenneth A.: Prepared statement before the Senate Governmental Affairs
         Committee, 24 June 1998 (1998).
   18.   Finnish Communications Regulatory Authority: Information Security Review Related
         to the National Information Security Strategy (24 May 2002). URL:
         http://www.ficora.fi/englanti/document/review.pdf (2002).
   19.   Gelbstein, Eduardo and Ahmad Kamal: Information Insecurity. A Survival Guide to
         the Uncharted Territories of Cyber Threats and Cyber Security. United Nations ICT
         Task Force and United Nations Institute for Training and Research (New York,
         November 2002). URL:
         http://www.un.int/unitar/patit/dev/oldsite/curriculum/Information_Insecurity_Second_Edition_PDF.pdf
         (2002).
   20.   Council of Europe Convention on Cybercrime.
         URL: http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm.
   21.   http://www.uncitral.org/english/workinggroups/wg_ec/index.htm.
   22.   http://www.commoncriteriaportal.org/.
   23.   The International Organization for Standardization (ISO) has developed a code of
         practice for information security management (ISO/IEC 17799:2000). URL:
         http://www.iso.org/iso/en/prodsservices/popstds/-informationsecurity.html.
   24.   The Organisation for Economic Co-operation and Development (OECD) promotes a
         “culture of security” for information systems and networks. URL:
         http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html.
   25.   Porteous, Holly: Some Thoughts on Critical Information Infrastructure Protection, in:
         Canadian IO Bulletin, 2, 4, October.
         URL: http://www.ewa-canada.com/Papers/IOV2N4.htm (1999).
   26.   L. Chandra Sekaran and Dr. S. Balasubramanian, “Website Based Patent Information
         Searching Mechanism”, International Journal of Computer Engineering & Technology
         (IJCET), Volume 1, Issue 2, 2010, pp. 180-191, Published by IAEME.
   27.   M. B. Thulase and Dr. G. T. Raju, “Website Based Patent Information Searching
         Mechanism”, International Journal of Computer Engineering & Technology (IJCET),
         Volume 3, Issue 2, 2012, pp. 487-498, Published by IAEME.
   28.   Neeraj Tiwari, Rahul Anshumali and Prabal Pratap Singh, “Wireless Sensor
         Networks: Limitation, Layerwise Security Threats, Intruder Detection”, International
         Journal of Electronics and Communication Engineering & Technology (IJECET),
         Volume 3, Issue 2, 2012, pp. 22-31, Published by IAEME.
   29.   Dr. V. Antony Joe Raja, “The Study of E-Commerce Service Systems In Global Viral
         Marketing Strategy”, International Journal of Marketing & Human Resource
         Management (IJMHRM), Volume 3, Issue 1, 2012, pp. 9-18, Published by IAEME.
   30.   Mahmoud M. Maqableh, “Secure Hash Functions Based On Chaotic Maps For E-
         Commerce Applications”, International Journal of Information Technology and
         Management Information System (IJITMIS), Volume 1, Issue 1, 2010, pp. 12-22,
         Published by IAEME.
   31.   Gurudatt Kulkarni, Ruchira Chandorkar and Nikita Chavan, “A Security By
         Biometric Authentication”, International Journal of Computer Science and
         Engineering Research and Development (IJCSERD), Volume 2, Number 1, 2012,
         pp. 7-14, Published by PRJpublication.


