International Journal of Computer Engineering & Technology (IJCET)
ISSN 0976 – 6367 (Print), ISSN 0976 – 6375 (Online)
Volume 4, Issue 6, November - December (2013), pp. 175-180
© IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2013): 6.1302 (Calculated by GISI), www.jifactor.com




E-BUSINESS TRANSACTION SECURITY: CHANGING TRENDS IN DATABASE SECURITY - CRITICAL REVIEW

Anuradha Sharma, Dept. of Computer Science, Amity University, Lucknow campus
Dr. Puneet Mishra, Asst. Prof., Dept. of Computer Science, Lucknow University, Lucknow



ABSTRACT

Electronic business has grown by leaps and bounds with the popularity of the internet, a
popularity that has also been driven by the services provided by ISP companies. As e-business grows,
so does the problem of data breaches. To breach an organization, an attacker needs only an internet
connection and a careless worker or administrator, after which gigabytes of information can be
accessed from the attacker's own laptop. Such incidents result in the theft of personal information held
in the database. This paper is a review showing that the greatest losses to an individual or an
organization result from breaches of confidentiality, integrity and availability.

Keywords: Confidentiality, Integrity, Availability.

I. INTRODUCTION

E-business, or electronic business, is not limited to buying and selling goods over the
internet. It also includes using the internet to provide better customer service, streamline business
processes, increase sales and reduce the cost of doing business for the customer as well as the organization.
IBM first used the term e-business in October 1977.
        A transaction simply means an instance of buying or selling something. In a database
management system, a transaction is a unit of work performed against a database that is in general
independent of other transactions. The transaction has to complete in its entirety for the
database changes to become permanent; that is, the transaction should be atomic, consistent, isolated and durable.
        Transactions in e-business have three major constituents, viz. the client computer,
the communication medium, and the web and commerce servers. Security can be penetrated at
any of the three. There are also three parties involved in a transaction over the internet,
viz. the client, the merchant and the transmission path (the internet) [8].



E-business has not grown to its full potential despite its wide use and opportunities; one of
its most important obstacles is the lack of adequate security measures, together with the difficulty of
specifying adequate security requirements. An abundance of research on security in e-business can
be found in the literature [10]. As a starting reference, we suggest the final report of the SEMPER (Secure
Electronic Market Place for Europe) project [11].
         Database security breaches are not new to the internet world. Many breaches happen
daily around the world, and the count keeps increasing. Some are very small and some are huge. Huge
security breaches result in great loss of data, and small ones cause some loss, but not to a great
extent. E-commerce activity is dampened by security breaches. Millions of dollars are spent by
organizations on security appliances to make online transactions more secure. Even so, a new virus
(a clever computer program) or a clever attacker can compromise these deterrents and cause
losses of millions of dollars annually [1].
Security breaches can be categorized as unauthorized data observation, incorrect data
modification, and data unavailability [2]. Disclosure of information to users not entitled
to it is unauthorized data observation. It results in heavy losses, both financial
and human, for commercial as well as social organizations. Incorrect data modification,
whether intentional or unintentional, results in an incorrect database state, and use of that incorrect
database results in heavy losses for the organization. Data unavailability means that information
crucial to the proper functioning of the organization is not available when needed [2].
Ponemon Institute's research report The Human Factor in Data Protection focuses on how employees and
other insiders can put the sensitive and confidential information of organizations at risk [3].

II. SECURITY GOALS

        The term security can have different meanings in different aspects of life. In terms of
computers, security can be summarized as confidentiality, integrity and availability.
1. Confidentiality: Confidentiality means preventing unauthorized disclosure of information.
Confidentiality is sometimes called secrecy or privacy. It means that only a person who has
been granted access to something is able to access it. The access in question may be a reading, writing or
even printing permission [4].
2. Integrity: Integrity refers to the trustworthiness of data or resources, and to preventing
improper or unauthorized changes. As [4] notes, Welke and Mayfield recognize three particular
aspects of integrity: authorized action, separation and protection of resources, and error detection and
correction [5][6]. Integrity can be enforced for e-business in the same manner as confidentiality, i.e. by
controlling who or what can access which resources and in which manner [4].
3. Availability: Availability is the ability to use the information or resource desired. Availability
applies to both data and services. Expectations of availability are very high, and the security
community is just beginning to understand what availability is and how to ensure it.
4. Accountability: If the accountability of a system is guaranteed, the participants in a
communication can be sure that their communication partner is who he or she claims to
be. Thus, the communication partners can be held accountable for their actions [10][12].
Confidentiality and integrity can be preserved by a single access control point, but it is not clear whether
such a point can enforce availability [4].
Studies by Gartner Research point out that, due to online fraud, 33% of online shoppers are buying
fewer items. Similarly, according to studies by TRUSTe, 40% of consumers avoid buying from small
online retailers due to identity theft concerns.
        The Gartner report adds that, during the period May 2004 to May 2005, about 73 million
consumers received phishing attacks through e-mail, of which 2.4 million users reported
losing money. Companies up in arms after being targeted include Paypal, eBay, Citizens Bank, Bank


of America, MSN, Amazon.com, VISA, Citibank, Lloyds TSB, Yahoo, US Bank, Microsoft and
AOL. According to Forrester Research, 0.6 million Internet banking customers turned away from
online financial transactions for fear of keystroke-logging Trojans and phishing mails.
        This clearly reveals that the growth of e-commerce is greatly deterred by malicious activities such as
hacking, viruses and worms, and phishing attacks [1].

III. LOSSES CAUSED DUE TO VARIOUS TYPES OF BREACHES

        Some attackers plant worms and viruses to interrupt business operations; others aim
to make more profit in less time. Ways in which an attacker can profit from breaching an
organization's security and obtaining confidential content include identity theft,
selling sensitive technical or financial information to competitors, abusing customers' confidential
data, and misusing the organization's name or product brands [7].
The following major breaches occurred in the years 2009 and 2010.
        As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of
breaches of unsecured protected health information affecting 500 or more individuals. These
breaches are now posted in a new, more accessible format that allows users to search and sort the
posted breaches. Additionally, this new format includes brief summaries of the breach cases that
OCR has investigated and closed, as well as the names of private practice providers who have
reported breaches of unsecured protected health information to the Secretary [9]. The following
breaches, listed in Table 1 and Table 2, have been reported to the Secretary:

                      Table 1: Breaches of Health Information in the year 2009
     Country                 State             Approx. # affected  Date of breach         Type of Breach
      U.S.A                Missouri                 1000              9/22/09                  Theft
      U.S.A               California                 610              9/22/09              Phishing Scam
      U.S.A          Torrance, California            952              9/27/09       Theft, Unauthorized Access
      U.S.A          Torrance, California            857              9/27/09       Theft, Unauthorized Access
      U.S.A          Torrance, California           5,257             9/27/09       Theft, Unauthorized Access
      U.S.A          Torrance, California           5,166             9/27/09       Theft, Unauthorized Access
      U.S.A          Torrance, California           6,145             9/27/09       Theft, Unauthorized Access
      U.S.A               California                5,900             9/27/09                  Theft
      U.S.A                  Texas                  1,430             9/30/09        Loss, Improper Disposal
      U.S.A               Tennessee                998,442           10/02/09                  Theft
      U.S.A          District of Columbia          15,000            10/07/09          Unauthorized Access
      U.S.A          District of Columbia           3,800            10/09/09                   Loss
      U.S.A               Tennessee                 6,400            10/11/09                  Theft
                             Texas                  1,000            10/16/09                  Theft
      U.S.A                Kentucky                  676             10/20/09           Misdirected E-mail
      U.S.A             Pennsylvania                 943             10/20/09                  Theft
                           Michigan                10,000            10/22/09                  Theft
                     District of Columbia           3,400            10/26/09          Unauthorized Access
      U.S.A                 Indiana                480,000           11/03/09          Hacking/IT Incident
      U.S.A                Nebraska                  800             11/11/09                  Theft
      U.S.A               New York                 83,000            11/12/09            Incorrect Mailing
      U.S.A                  Texas                  3,800            11/19/09                   Loss
      U.S.A               New York                 344,579           11/24/09                  Other
      U.S.A               California                7,300            11/30/09                  Theft
      U.S.A               California               15,500            12/01/09                  Theft
      U.S.A               Wyoming                   9,023            12/02/09          Unauthorized Access
      U.S.A       Wilmington, North Carolina        2,000            12/08/09          Hacking/IT Incident
      U.S.A             Rhode Island                 528             12/11/09          Unauthorized Access
      U.S.A                Michigan                10,000            12/15/09                  Theft
      U.S.A                 Arizona                 1,101            12/15/09                  Theft
      U.S.A               Tennessee                 3,900            12/23/09                  Other
      U.S.A                   Utah                  5,700            12/27/09                  Theft



[Graph 1: bar chart of the number of individuals affected by each breach type in Table 1 (y-axis 0 to 1,200,000); x-axis categories: theft, loss, incorrect mail/hacking, others]

                   Graph 1: Comparison of different data breaches during 2009

                    Table 2: Breaches of Health information in the year 2010
     Country            State         Approx. # affected   Date of breach     Type of Breach
      U.S.A           Missouri             9,309                1/10/10              Theft
      U.S.A            Illinois            1,300                1/13/10              Theft
      U.S.A           California            532                 1/11/10              Other
      U.S.A            Illinois            1,300                1/13/10              Theft
      U.S.A             Texas               689                 1/18/10              Theft
      U.S.A           Colorado              649                 1/19/10        Improper Disposal
      U.S.A            Florida              568                 1/19/10              Loss
      U.S.A          Minnesota            16.291                1/26/10              Other
      U.S.A            Florida            12,580                1/27/10              Theft
      U.S.A            Florida             3,800                1/29/10              Other
      U.S.A         North Carolina         5,220                2/03/10              Loss
      U.S.A          Connecticut            957                 2/04/10       Unauthorized Access, Hacking/IT Incident
      U.S.A          Tennessee             1,874                 2/05/10             Loss
      U.S.A             Texas               763                  2/09/10      Unauthorized Access
      U.S.A          Washington            5,080                 2/12/10             Theft
      U.S.A          Connecticut          54,165                 2/18/10             Theft
      U.S.A            Illinois           180,111                2/27/10             Theft
      U.S.A            Florida             2,600                 3/09/10      Unauthorized Access
      U.S.A          Wisconsin              600                  3/19/10             Other
      U.S.A          Tennessee            10,515                 3/20/10             Theft
      U.S.A          New York             130,495                3/24/10             Loss
      U.S.A             Ohio              60,998                 3/27/10             Theft
      U.S.A           California          40,000                 4/02/10             Theft
      U.S.A           California            584                  4/04/10             Theft
      U.S.A            Illinois            1,000                 4/12/10             Theft
      U.S.A          Tennessee             1,745                 4/19/10             Loss
      U.S.A             Ohio               1,001                 4/22/10             Other
      U.S.A          New York              1,020                 4/30/10      Unauthorized Access
      U.S.A           Maryland              937                  5/03/10             Other
      U.S.A            Kansas              1,105                 5/12/10             Theft
      U.S.A             Texas               600                  5/29/10             Theft
      U.S.A            Nevada              7,526                 6/11/10             Theft



[Graph 2: bar chart of the number of individuals affected by each breach type in Table 2 (y-axis 0 to 450,000); category labels not recoverable from the extracted page]

                     Graph 2: Comparison of different data breaches during 2010

       Table 1 and Table 2 above are analyzed with the help of Graph 1 and Graph 2
respectively. Based on this analysis of the health sector in the USA during the years 2009 and
2010, it can be concluded that the greatest losses have been caused by breaches which
can be broadly categorized as breaches of confidentiality, integrity and availability.
Thus, the major objectives of security for electronic business transactions should be taken to be
confidentiality, integrity and availability [12]. There is a great need for security analysts to focus
on these three areas of security breaches, viz. confidentiality, integrity and availability.
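The aggregation behind Graph 1 is not shown in the paper; the following added example (the editor's, not the authors' code) reproduces it from a subset of Table 1 rows copied as they appear above. The grouping rule is an assumption: a compound cell such as "Theft, Unauthorized Access" is counted under its first listed type, mail and hacking incidents share one bar, and everything else falls under "others".

```python
import re
from collections import Counter

# Subset of Table 1 rows, copied verbatim from the page (whitespace-aligned
# columns). The "Texas" row deliberately lacks the Country cell, as on the page.
TABLE1_ROWS = """
      U.S.A                Missouri                 1000              9/22/09                  Theft
      U.S.A               California                 610              9/22/09              Phishing Scam
      U.S.A          Torrance, California            952              9/27/09       Theft, Unauthorized Access
      U.S.A                  Texas                  1,430             9/30/09        Loss, Improper Disposal
      U.S.A               Tennessee                998,442           10/02/09                  Theft
      U.S.A          District of Columbia          15,000            10/07/09          Unauthorized Access
                             Texas                  1,000            10/16/09                  Theft
      U.S.A                Kentucky                  676             10/20/09           Misdirected E-mail
      U.S.A                 Indiana                480,000           11/03/09          Hacking/IT Incident
      U.S.A               New York                 83,000            11/12/09            Incorrect Mailing
      U.S.A                  Texas                  3,800            11/19/09                   Loss
      U.S.A               New York                 344,579           11/24/09                  Other
"""

# A row is recognised by its count and date columns, so a missing leading
# Country cell does not break parsing. Place = everything before the count.
ROW_RE = re.compile(
    r"^\s*(?P<place>.*?)\s+(?P<count>\d[\d,]*)\s+"
    r"(?P<date>\d{1,2}/\d{2}/\d{2})\s+(?P<type>.+?)\s*$"
)


def category(breach_type):
    """Map a 'Type of Breach' cell to one of the four bars of Graph 1.
    Assumption (editor's): a compound cell is counted under its first type."""
    first = breach_type.split(",")[0].strip().lower()
    if first == "theft":
        return "theft"
    if first == "loss":
        return "loss"
    if "mail" in first or "hacking" in first:
        return "incorrect mail/hacking"
    return "others"


def parse_rows(text):
    """Return (individuals affected, type of breach) for each table row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # blank line or header
        rows.append((int(m["count"].replace(",", "")), m["type"]))
    return rows


def totals_by_category(rows):
    """Sum individuals affected per Graph 1 bar."""
    totals = Counter()
    for count, breach_type in rows:
        totals[category(breach_type)] += count
    return dict(totals)


if __name__ == "__main__":
    for bar, total in sorted(totals_by_category(parse_rows(TABLE1_ROWS)).items(),
                             key=lambda kv: -kv[1]):
        print(f"{bar:24s} {total:>10,}")
```

Running it over the full Table 1 rather than this subset gives the ordering Graph 1 shows, with theft (dominated by the single 998,442-record Tennessee incident) far ahead of the other bars.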

IV. CONCLUSION AND FUTURE SCOPE

        With the growing use of the internet, there is always a threat to our valuable data. Many people
are affected whenever such data breaches occur. From the study in this paper, based on
data for the years 2009 and 2010, it can be concluded that most of the breaches in that
data can be broadly categorized as breaches of confidentiality,
integrity and availability. Thus, a lot of work needs to be done to guard against these types of breach.
        The above analysis was done on health sector data from the USA. Similar attacks occur in
electronic business. Thus, based on the conclusion of the above analysis, we can say
that in electronic business too, security breaches can be broadly categorized as breaches of
confidentiality, integrity and availability. There can be other types of breach as well, such as
breaches of accountability, but our further study will focus on the three categories mentioned above. With
the help of this study, we can develop a framework covering the various categories of electronic business
and the types of breaches that can affect their data. The framework can be used to define the
possible threats for each category of e-business. Based on those
threats, a security measure can then be developed to help the parties involved in
electronic business, namely the clients and the merchants directly
involved in it. With the help of that security measure, the database of the
electronic business can be secured.


V. REFERENCES

 [1].    A. Mukhopadhyay et.al, “Insuring Big Losses to Security Breaches Through Insurance: A Business
         Model”, Proceedings of the 40th Annual Hawaii International Conference on System Sciences
         (HICSS'07) 0-7695-2755-8/07 © 2007, IEEE.
 [2].    Elisa Bertino, Ravi Sandhu, "Database Security - Concepts, Approaches and Challenges",
         IEEE Transactions on Dependable and Secure Computing, Vol. 2, No. 1, January-March 2005.
 [3].    Ponemon Institute Research Report, “The Human Factor in Data Protection”, January 2012.
 [4].    Charles P. Pfleeger, Shari Lawrence Pfleeger, Deven N. Shah, “Security in Computing”, pp. 7-11,
         Pearson Prentice Hall, 2009, ISBN 978-81-317-2725-6.
 [5].    Mayfield, T., et al. “Integrity in Automated Information Systems”, C Technical Report, 79-91,
         Sep1991.
 [6].    Welke, S., et al, “A Taxonomy of Integrity Models Implementations, and Mechanisms”, Proc
         National Computer Security Conf, 1990, p541-551.
 [7].    White paper, “Data Leakage Worldwide: The High Cost of Insider Threats”, 2008, Cisco Systems,
         Inc.
 [8].    Anuradha Sharma, Puneet Mishra, “Security requirements for e-business applications”, proceedings
         of TIMES-2013, Alwar, 2013.
 [9].    U.S. Department of Health and Human Services, “Breaches affecting 500 or more individuals” ,
         available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.
 [10].   Konstantin Knorr, Susanne Röhrig, “Security requirements of e-business processes”, Volume 202
         of IFIP Conference Proceedings, pages 73-86, Kluwer, 2001.
 [11].   Lacoste, G.; Pfitzmann, B.; Steiner, M.; Waidner, M. (Eds.), "SEMPER - Secure Electronic
         Marketplace for Europe", LNCS 1854, Springer, 2000.
 [12].   Knorr, Konstantin; Röhrig, Susanne, "Security of Electronic Business Applications - Structure and
         Quantification", In: Proceedings of the 1st International Conference on Electronic Commerce and
         Web Technologies EC-Web 2000, Greenwich, UK, Sep. 2000, pp. 25-37.
 [13].    Randy C. Marchany, Joseph G.Tront, “E-Commerce Security Issues”, Proceedings of the 35th
         Hawaii International Conference on System Sciences – 2002.
 [14].    Singh, M. P. , “Introduction to web semantics, The Practical Handbook of Internet Computing”,
         pp29-1-29-13, Chapman & Hall/CRC2005, 2005.
 [15].   Zwass Vladimir, “E Commerce: Structures and issues”, International Journal of Electronic
         Commerce, 1(1):3-23, 1996.
 [16].   Matt Bishop, “Introduction to Computer Security”, Pearson, 2011, pp. 4-10.
 [17].   A Sengupta, C.Mazumdar, M.S.Barik, “E-commerce Security-A Lifecycle Approach”, Sadhana, vol.
         30, Parts 2&3, April/June 2005, pp. 119-140.
 [18].   Atul kahate, “Cryptography and Network Security”, TMH, New Delhi, pp. 4-10,2006.
 [19].   Singh, M. P. , “Introduction to web semantics, The Practical Handbook of Internet Computing”, pp29-
         1-29-13, Chapman & Hall/CRC2005, 2005
 [20].   O. SamySayadjari, “Multilevel Security: Reprise,” IEEE Security and Privacy, vol. 3, no. 5, 2004.
 [21].   Vijay Arputharaj J and Dr.R.Manicka Chezian, “Data Mining with Human Genetics to Enhance Gene
         Based Algorithm and Dna Database Security”, International Journal of Computer Engineering &
         Technology (IJCET), Volume 4, Issue 3, 2013, pp. 176 - 181, ISSN Print: 0976 – 6367, ISSN Online:
         0976 – 6375.
 [22].   V.Srikanth and Dr.R.Dhanapal, “Ecommerce Online Security and Trust Marks”, International Journal
         of Computer Engineering & Technology (IJCET), Volume 3, Issue 2, 2012, pp. 238 - 255,
         ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375.
 [23].   Abhishek Pandey, R.M.Tugnayat and A.K.Tiwari, “Data Security Framework for Cloud Computing
         Networks”, International Journal of Computer Engineering & Technology (IJCET), Volume 4,
         Issue 1, 2013, pp. 178 - 181, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375.
 [24].   M. Karthikeyan, M. Suriya Kumar and Dr. S. Karthikeyan, “A Literature Review on the Data Mining
         and Information Security”, International Journal of Computer Engineering & Technology (IJCET),
         Volume 3, Issue 1, 2012, pp. 141 - 146, ISSN Print: 0976 – 6367, ISSN Online: 0976 – 6375.
