
Noakhali Science and Technology University
Department of Business Administration

Assignment on: The best security mechanism implemented on e-commerce
Course Title: Database Management and e-business
Course Code: 3111

Submitted By:
Name: Paranti Chakma
ID-BKH1810036F
Session: 2017-2018
Department of Business Administration, NSTU.

Submitted To:
F. Akter Akter Jeni
Lecturer
Department of Business Administration, NSTU.

An assignment on the best security mechanism implemented on e-commerce

Introduction: E-commerce (electronic commerce), or EC, is the process of buying, selling, and exchanging products, services, and information via computer networks, primarily the Internet. The objective of this paper is to identify the obstacles facing the implementation of an e-commerce system and to provide security solutions that protect sensitive information. The practical part of the paper presents the design and implementation of a secure site that allows customers to search for and buy products at any time and from any place through the Internet. All data are archived and stored in the proposed system, so that the administrator can easily search and retrieve information at any time and make changes to it.

Security in e-commerce is part of the Information Security Framework and is specifically applied to the components that affect e-commerce, including computer security and data security. E-commerce needs strong security components because end users depend on them in their daily payment interactions with businesses. E-commerce requires a reliable infrastructure and framework to enable secure and successful trading.

Overview of E-commerce Security: Security is one of the crucial factors that restrict customers and organizations from engaging with e-commerce. The aim of this paper is to explore the perception of security in e-commerce, basically on B2B (business-to-business), B2C (business-to-consumer), C2C (consumer-to-consumer) and C2B (consumer-to-business) websites, from both the customer and the organizational perspective. E-commerce is the trading of products or services using computer networks such as the Internet or online social networks. Here the business is conducted through the use of computers, telephones, fax machines, barcode readers, credit cards, automated teller machines (ATMs) or other electronic appliances, without the exchange of paper-based documents or physically moving to a shopping mall. It includes activities such as procurement, order entry, transaction processing, online payment, authentication, inventory control, order fulfilment, shipment, and customer support. When a buyer pays with a bank card swiped through a magnetic-stripe reader, he or she is participating in e-commerce.

E-commerce security is part of the Information Security framework and is specifically applied to the components that affect e-commerce, including data security and other wider realms of the Information Security framework. It is the protection of e-commerce assets from unauthorized access, use, alteration, or destruction. The dimensions of e-commerce security are integrity, non-repudiation, authenticity, confidentiality, privacy and availability. E-commerce offers the banking industry a great opportunity, but it also creates a set of new risks and vulnerabilities such as security threats and hacking. Security is therefore an essential management and technical requirement for any efficient and effective payment transaction activity over the Internet. Because of constant technological and business change, it requires a coordinated match of algorithms and technical solutions. In this paper we discuss an overview of security for e-commerce, the various steps to place an order, the purpose of security in e-commerce, various security issues in e-commerce, guidelines for secure online shopping, etc.

Every transaction carried out on an e-commerce system has security measures.

a. E-commerce transaction phases
i) Information phase
ii) Registration phase
iii) Negotiation phase
iv) Payment phase
v) Delivery or shipment phase

b. Security measures
i. Access control for integrity checks
ii. Secure contract identification
iii. Digital signatures
iv. Encryption
v. Secured delivery of the products with integrity checks
vi. Tracking of the product
Figure: Public/private key process (the sender signs the text with the sender's private key; the receiver verifies the signature with the sender's public key).
Most e-commerce transactions occur between buyers and sellers. This kind of transaction in e-commerce includes requests for price quotations, information, payment, delivery of orders, and finally services after the customer has received the product. The high degree of confidence needed in the authenticity, confidentiality, and timely delivery of such transactions can be difficult to maintain where they are exchanged over the Internet. In e-commerce, privacy and security can be viewed as ethical questions. At the same time the privacy and security area attracts a large amount of attention from the commercial sector because it has the potential to determine the success or failure of many business ventures, most obviously commercial activities. In online shopping, the payment function is the key issue: it must be fast and convenient for consumers and buyers while preserving the safety and secrecy of the parties to a transaction, which requires a complete electronic trading system.

Advantages and Disadvantages of E-Commerce:
Advantages of an E-Commerce Security System:
- Buying 24/7: everyone can sell and buy at any time, night or day, 365 days a year.

- Decreased Transaction Costs: buying and selling from an online store can cut many unnecessary costs.

- Conducting Business Easily: we do not need to be physically involved with a company or with crowds. We can buy comfortably from our house and easily choose goods through various electronic procedures without moving around physically.

- Comparison of Prices: everyone can easily compare fees among the various websites and usually earn discounts on fees when compared with normal shop fees.

Disadvantages of an E-Commerce Security System:
Anyone, good or bad, can easily open a website, and there are many bad sites whose aim is the user's money.

- Guarantee: there is no guarantee of product quality, orders might be damaged in the post, or things may look different online from what you actually receive.

- Social Relationships: e-commerce allows users to buy and sell goods without geographic limitations, but with no social contact with other persons.

- Impact: e-commerce and electronic business have an impact on many areas of business, for instance economics, marketing, business law and ethics.

- Marketing: the rise of information technologies and computer networks has many effects on businesses, especially in the field of marketing. In this case, they can decrease the cost of operations and capture new markets for selling and transactions.

E-Commerce Challenges:
- Infrastructure requirements & Cost: e-commerce systems require new technologies that can touch many of a company's core business processes; therefore significant investments in hardware, software, staffing, and training are required.

- Value: businesses want to know that their investments in e-commerce systems will produce a return.

- Diversity of providers: the delivery of services is carried out by a large number of providers, some of which are charitable or non-profit organizations, while others are commercially established.

- Security: a company's assets must be protected against misuse, whether accidental or malicious, but that protection should not compromise a site's usability or performance, nor make its development too complex.

- Existing Systems: companies need to be able to harness the functionality of existing applications in e-commerce systems; therefore Internet e-commerce systems integrate existing systems in a manner that avoids duplicate functions and maintains usability, performance, and reliability.

- Interoperability: the applications of trading partners are linked in order to exchange business documents, and they must work together well in order to achieve business objectives. Interoperation between businesses reduces costs, improves performance and enables the implementation of more dynamic value chains.

- Multiple relationships among providers: the Department purchases services on behalf of consumers from many provider organizations, but the agency from which services are purchased is not necessarily the agency which provides the services.

- Governmental and political complexity: the provider field is not the only one characterized by diverse stakeholders and complex arrangements. The Government sector itself is divided along many lines.

Security obstacle: In an e-commerce system the hardware, software, and environment are the main critical and vulnerable points. Hardware security covers any device used in running the e-commerce website, such as network devices, web servers, database servers and the client's computer. Securing the network with a properly configured firewall device that allows only the ports needed for accessing the e-commerce website is an essential part of network security. The web server and database server should be isolated from other networks using a network DMZ (demilitarized zone) to reduce possible intrusion from compromised computers on other networks behind the firewall. A DMZ is a separate network added between a protected network and an external network in order to provide an additional layer of security. Software should be regularly updated with routinely released patches to fix holes in security. Website pages where confidential information is entered should be secured with a strong cryptographic algorithm. Securing an e-commerce website is a dynamic process in which new threats crop up every day. To build a secure e-commerce application, the following five security features must be present:

- Authentication: to establish proof of identities and ensure that the origin of an electronic message or document is correctly identified.

- Integrity: the message should not be tampered with in transit.

- Non-repudiation: non-repudiation does not allow the sender of a message to deny having sent that message.

- Access control: determines who should be able to access what.

- Availability: resources should be available to authorized parties at all times.

Security Problems

- The Distributed Denial of Service (DDoS): this type of attack attempts to prevent legitimate users from accessing services or resources they are entitled to. A DDoS attack affects the availability of the site to users, as the server is overwhelmed with fake requests generated by attackers. No actual damage is done to the victim site.
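The passage above describes the effect of a flood of requests on availability. The following added example (not code from the assignment) shows one of the mitigations a site places in front of its web tier: a per-client sliding-window rate limiter that refuses requests from a source once it exceeds a budget, so capacity is kept for other shoppers. The limit, the window and the request trace are constructed for the demo; the language is Python, although the assignment's site runs on a WAMP stack.

```python
"""Added example (not from the assignment): a per-client sliding-window
rate limiter. The limit, window and request trace are constructed."""
from collections import deque

MAX_REQUESTS = 5        # requests allowed per client ...
WINDOW_SECONDS = 10.0   # ... within this many seconds


class RateLimiter:
    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS):
        self.max_requests = max_requests
        self.window = window
        self._history = {}  # client id -> deque of accepted request times

    def allow(self, client, now):
        """Return True if the request arriving at time `now` may be served."""
        q = self._history.setdefault(client, deque())
        # Forget accepted requests that have left the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # refuse; refused requests do not consume budget
        q.append(now)
        return True


# Constructed trace of (arrival time, client): one client floods the
# site every half second, another browses at a normal pace.
TRACE = [(t * 0.5, "flood") for t in range(20)] + [
    (0.0, "shopper"), (4.0, "shopper"), (9.0, "shopper"),
]


def demo():
    """Replay the trace; return (served, refused) counts per client."""
    limiter = RateLimiter()
    served = {"flood": 0, "shopper": 0}
    refused = {"flood": 0, "shopper": 0}
    for now, client in sorted(TRACE):
        if limiter.allow(client, now):
            served[client] += 1
        else:
            refused[client] += 1
    return served, refused


if __name__ == "__main__":
    print(demo())
```

This only blunts floods that come from a small number of sources; a distributed attack from many addresses has to be absorbed upstream (at the network provider or a scrubbing service), which is why the passage treats DDoS as an availability problem rather than an application bug.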

- SQL Injection: the present encryption protection can only guarantee the security of data being transmitted over the Internet; it cannot check the content of the data filled in by the user and sent to the web server. If the attacker fills the web page form with data that includes a malicious SQL query instruction, this query instruction, together with the HTML file, will pass through the firewall and reach the web server. When it is executed on the server, vital information will be compromised.
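The passage makes the point that transport encryption does not inspect what the form contains; the fix lives in how the server builds its query. The following added example (not the assignment's code) shows the same user lookup written by pasting the form value into the SQL text and written with a parameterized query, run against an in-memory SQLite database with constructed rows, so the difference in behaviour is visible.

```python
"""Added example (not from the assignment): the same lookup with string
concatenation (vulnerable) and with a parameterized query (safe)."""
import sqlite3

# Constructed sample rows; the table layout is an assumption for the demo.
SAMPLE_USERS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    # The form value becomes part of the SQL text, so quote characters in
    # the input change the statement the database engine executes.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # The value travels separately from the SQL text; the engine treats it
    # as data whatever characters it contains.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# The textbook tautology input, used only to show the two behaviours.
PAYLOAD = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),
        "safe": find_user_safe(conn, PAYLOAD),
        "normal": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Only the parameterized form belongs in the application; the concatenating function is here so a reviewer can see that the same input returns every row from one and nothing from the other.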

- Price Manipulation: the total payable price of the purchased goods is stored in a hidden HTML field of a dynamically generated web page. In this attack an attacker can use a web application proxy to simply modify the amount that is payable as this information flows from the user's browser to the web server. The final payable price can thus be manipulated by the attacker to a value of his choice.
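The defence against the attack just described is not to trust the hidden field at all. The following added example (not the assignment's code) has the server recompute the payable total from its own catalogue and refuse any order whose submitted total disagrees; the catalogue prices and the two checkout requests are constructed for the demo.

```python
"""Added example (not from the assignment): the server recomputes the
payable total from its own catalogue and rejects a mismatching one."""

# Server-side catalogue (constructed): item code -> unit price in the
# smallest currency unit, so integer arithmetic is exact.
CATALOGUE = {"LAPTOP-01": 85000, "MOUSE-07": 1500, "CABLE-03": 400}


class PriceMismatch(Exception):
    """Raised when the client-supplied total disagrees with the server's."""


def server_total(items):
    """Compute the payable total from the catalogue only.

    `items` is a list of (code, quantity) pairs from the request; unknown
    codes and non-positive quantities are rejected outright.
    """
    total = 0
    for code, qty in items:
        if code not in CATALOGUE:
            raise ValueError(f"unknown item code {code!r}")
        if not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"invalid quantity {qty!r} for {code}")
        total += CATALOGUE[code] * qty
    return total


def checkout(request):
    """Validate a checkout request and return the amount to charge.

    The hidden-field total (request["total"]) is advisory only: the server
    charges its own figure and refuses the order if the two differ, which
    is exactly what a proxy-modified form produces.
    """
    expected = server_total(request["items"])
    if request["total"] != expected:
        raise PriceMismatch(
            f"client sent {request['total']}, server computed {expected}"
        )
    return expected


# Constructed requests: one honest, one with the hidden total lowered.
HONEST = {"items": [("LAPTOP-01", 1), ("MOUSE-07", 2)], "total": 88000}
TAMPERED = {"items": [("LAPTOP-01", 1), ("MOUSE-07", 2)], "total": 1}


def demo():
    results = {"honest": checkout(HONEST)}
    try:
        checkout(TAMPERED)
        results["tampered"] = "accepted"
    except PriceMismatch:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The same rule applies to every other client-supplied value that the server could derive itself (unit prices, discounts, currency): echo it back for display if needed, but charge what the server computes.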

- Session Hijacking: session hijacking refers to taking control of a user's session after successfully obtaining or generating an authentication session ID. The attacker mostly uses brute-forced or reverse-engineered session IDs to gain control of a legitimate user's web application session while that session is still in progress.
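Both attack routes named above (guessing and reverse engineering) fail when session IDs are long, unpredictable, replaced at login and short-lived. The following added example (not the assignment's code) is a minimal server-side session store with those properties; the clock is injected so the expiry path can be exercised without waiting, and the timeout value is an assumption.

```python
"""Added example (not from the assignment): a session store with CSPRNG
session IDs, rotation at login, and idle expiry. Timeout is assumed."""
import secrets
import time

SESSION_ID_BYTES = 32        # 256 bits: impractical to guess or predict
IDLE_TIMEOUT_SECONDS = 900   # 15 minutes of inactivity ends the session


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session id -> {"user": ..., "last_seen": ...}

    def new_session_id(self):
        # secrets.token_urlsafe draws on the OS CSPRNG; unlike a counter or
        # a timestamp, one ID reveals nothing about the next.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create(self, user=None):
        sid = self.new_session_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        """Authenticate and rotate the ID, so an ID fixed or captured
        before login never becomes an authenticated session."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def lookup(self, sid):
        """Return the user of a valid session, or None if the ID is unknown
        or has been idle too long (stale sessions are deleted)."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]


def demo():
    # A fake clock so the expiry path runs deterministically.
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    anon = store.create()
    authed = store.login(anon, "alice")
    results = {
        "rotated": anon != authed,
        "old_id_dead": store.lookup(anon) is None,
        "user": store.lookup(authed),
        "id_length_ok": len(authed) >= 40,
    }
    now[0] += IDLE_TIMEOUT_SECONDS + 1
    results["expired"] = store.lookup(authed) is None
    return results


if __name__ == "__main__":
    print(demo())
```

In a real deployment the ID is carried in a cookie flagged `Secure` and `HttpOnly`, so it is neither sent over plain HTTP nor readable by page scripts; the store above is the server-side half of that arrangement.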

- Cross-site scripting (XSS): cross-site scripting uses known vulnerabilities in web-based applications, their servers, or the plug-in systems they rely on. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source and thus operates under the permissions granted to that site.
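The passage explains why the browser cannot tell injected markup from the site's own; the server has to make user text harmless before it is folded into a page. The following added example (not the assignment's code) renders customer reviews into an HTML list with and without output encoding. The review strings and the one-line template are constructed for the demo.

```python
"""Added example (not from the assignment): rendering user-supplied text
into HTML with and without output encoding. Inputs are constructed."""
import html

# Constructed input: an honest review and one carrying script markup.
REVIEWS = [
    "Great laptop, arrived in two days",
    '<script>alert("xss")</script>',
]


def render_unsafe(text):
    # The raw string becomes part of the page, so any markup in it is
    # parsed and executed by the browser under the site's own origin.
    return f"<li>{text}</li>"


def render_safe(text):
    # html.escape turns <, >, &, " and ' into entities, so the browser
    # displays the review as text instead of interpreting it as markup.
    return f"<li>{html.escape(text, quote=True)}</li>"


def contains_script_tag(fragment):
    """Crude check used by the demo: is a live <script opening tag left?"""
    return "<script" in fragment.lower()


def demo():
    return {
        "unsafe_has_script": [contains_script_tag(render_unsafe(r)) for r in REVIEWS],
        "safe_has_script": [contains_script_tag(render_safe(r)) for r in REVIEWS],
        "escaped_sample": render_safe(REVIEWS[1]),
    }


if __name__ == "__main__":
    print(demo())
```

`html.escape` is the right encoding for text placed in an HTML element body. Text placed inside an attribute, a URL or a script block needs the encoding for that context instead, which is why template engines that escape by default are preferred over hand-built strings like the one above.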

Security Solutions to protect an E-Commerce System: All security solutions need to begin with a policy. Sensitive information cannot be fully protected unless the identity of what is to be protected is established and the means of protection determined. One way is to visualize the architecture as depicted and to map out a protection structure plan for each component. Basically, that is how e-commerce security is practised today. In order to achieve this goal of providing end-to-end security, an organization must address all hosts, systems, applications, and networking devices. The concern for infrastructure protection needs to be balanced with user convenience. When creating a security policy, there is a requirement to balance easy accessibility of information with adequate mechanisms to identify authorized users and ensure data integrity and confidentiality. Some basic security policy questions that must be answered are:

- What components are most critical but vulnerable?
- What information is confidential and needs to be protected?
- How will confidentiality be ensured?
- Will the confidential information be encrypted?
- Who is authorized to access or modify information?
- What authentication system should be used?
- What intrusion detection systems should be installed?
- Who has authority and responsibility for installing and configuring critical e-commerce infrastructure?
- What incident handling measures should be in place?
- What plans need to be in place to ensure continuity or minimum disruption of service?

It is expected that the outcome of answering the above questions will be a security policy with, at least, the following characteristics:

- The policy is clear and concise
- The policy has built-in incentives to motivate compliance
- Compliance is verifiable and enforceable
- Systems have good control for legitimate use: access, authentication, and authorization
- There is regular backup of all critical data
- There is a disaster recovery and business continuity plan

The security of sensitive information such as credit card data against attackers must get the highest priority, and every precaution must be taken to ensure the security of online transactions by credit card by including the following solutions:

- Personal Firewalls: when we connect our computer to a network, it becomes vulnerable to attack. A personal firewall helps protect our computer by limiting the types of traffic initiated by and directed to our computer.

- Secure Socket Layer (SSL): Secure Socket Layer is a protocol that encrypts data between the shopper's computer and the site's server. When an SSL-protected page is requested, the browser identifies the server as a trusted entity and initiates a handshake to pass encryption key information back and forth. On subsequent requests to the server, the information flowing back and forth is encrypted.
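The step in the handshake that the passage calls "identifies the server as a trusted entity" is certificate validation, and it is the step most often switched off by mistake. The following added example (not the assignment's code) builds the client-side TLS context a shop's own back-end would use when it calls another HTTPS service, in a weak form that encrypts but verifies nothing and in a hardened form that requires a valid certificate, a matching hostname and TLS 1.2 or newer. No network connection is made.

```python
"""Added example (not from the assignment): weak versus hardened client
TLS context, plus a policy check a deployment test can run."""
import ssl


def weak_context():
    # Encrypts the channel but accepts any certificate, so anyone who can
    # interpose on the path may present their own key and read everything.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    # System trust store, hostname check and certificate required come from
    # create_default_context; legacy protocol versions are ruled out.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_acceptable(ctx):
    """Policy check: certificate required, hostname checked, TLS >= 1.2."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    print("weak acceptable:", context_is_acceptable(weak_context()))
    print("hardened acceptable:", context_is_acceptable(hardened_context()))
```

For the shopper's browser the same validation is built in; the place it is commonly lost is server-to-server code, where a developer silences a certificate error instead of fixing the certificate.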

- Digital Signatures and Certificates: digital signatures meet the need for authentication and integrity. A plaintext message is run through a hash function and given a value: the message digest. This digest, the hash function and the plaintext, encrypted with the recipient's public key, are sent to the recipient. The recipient decodes the message with their private key and runs the message through the supplied hash function to verify that the message digest value remains unchanged. Very often, the message is also time-stamped by a third-party agency, which provides non-repudiation.
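The public/private key figure earlier in the paper and the passage above both rest on the same asymmetry: the digest is transformed with a key only the signer holds and checked with a key anyone may hold. The following added example (not the assignment's code) carries that out on a message digest with textbook RSA over two fixed primes, so the whole computation is visible. The primes and the order message are constructed for illustration; a real deployment uses a vetted library with padded RSA or an elliptic-curve scheme, not this bare arithmetic.

```python
"""Added example (not from the assignment): sign a SHA-256 digest with a
private key and verify it with the public key, using textbook RSA on two
constructed primes. Illustration only; not a production signature scheme."""
import hashlib

# Constructed key material: two well-known primes and the usual exponent.
P = 1_000_000_007
Q = 998_244_353
E = 65537


def keygen(p=P, q=Q, e=E):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # private exponent (modular inverse, Python 3.8+)
    return (n, e), (n, d)      # (public key, private key)


def digest(message: bytes, n: int) -> int:
    # Hash first, then reduce into the range of the modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    n, d = private_key
    # Only the holder of d can produce this value for the digest.
    return pow(digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    # Anyone with (n, e) recovers the signed digest and compares it with a
    # freshly computed one; a changed message or signature fails the check.
    return pow(signature, e, n) == digest(message, n)


def demo():
    pub, priv = keygen()
    order = b"item=LAPTOP-01;qty=1;total=85000"   # constructed message
    sig = sign(priv, order)
    return {
        "genuine": verify(pub, order, sig),
        "tampered_message": verify(pub, order.replace(b"85000", b"1"), sig),
        "forged_signature": verify(pub, order, (sig + 1) % pub[0]),
    }


if __name__ == "__main__":
    print(demo())
```

The certificate mentioned in the heading is what binds the public key to the signer's identity: without it, a verifier only learns that whoever holds the matching private key signed the message, not who that is.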

- Web Server Firewall: a web server or web application firewall, either a hardware appliance or a software solution, is placed between the client endpoint and the web application. Web application firewalls protect cardholder data because all web-layer traffic is inspected for traffic that is meant to exploit known vulnerabilities, as well as for patterns that may suggest a zero-day exploit being launched against the application. A firewall ensures that requests can only enter the system through specified ports and, in some cases, ensures that all accesses come only from certain physical machines. A common technique is to set up a demilitarized zone (DMZ) using two firewalls. The outer firewall has ports open that allow incoming and outgoing HTTP requests. A second firewall sits behind the e-commerce servers. Another common technique used in conjunction with a DMZ is a honeypot server. A honeypot is a resource placed in the DMZ to fool the attacker into thinking he has penetrated the inner wall.

- Password policies: ensure that password policies are enforced for shoppers and internal users. They ensure that passwords are sufficiently strong that they cannot be easily guessed.

- Installing Recent Patches: software bugs and vulnerabilities are discovered every day. Even though many of them are discovered by security experts rather than hackers, they may still be exploited by hackers once they become public knowledge. That is why it is important to install all software patches as soon as they become available.

- Intrusion Detection and Audits of Security Logs: one of the security strategies is to prevent attacks and to detect potential attackers. This helps us understand the nature of the system's traffic, or serves as a starting point for litigation against the attackers. We should also lock out any attempted unauthorized access to the system.
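The password-policy item above says what a policy must achieve but not how it is checked at registration. The following added example (not the assignment's code) is a policy function that reports every violation rather than just rejecting, so the shopper can be told what to fix. The minimum length, the required character classes and the short deny-list are assumptions chosen for the demo; a real deployment checks against a large breached-password list.

```python
"""Added example (not from the assignment): a password policy check that
returns the list of violations. Thresholds and deny-list are assumptions."""
import string

MIN_LENGTH = 12
# Constructed deny-list stand-in for a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}


def password_problems(password, username=""):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    if sum(classes.values()) < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    lowered = password.lower()
    # Catch the deny-listed word itself and the "word + digits" habit.
    if lowered in COMMON_PASSWORDS or lowered.rstrip(string.digits) in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def is_acceptable(password, username=""):
    return not password_problems(password, username)


if __name__ == "__main__":
    for candidate in ("password123", "Tr0ub4dor&3-horse"):
        print(candidate, "->", password_problems(candidate, "alice") or "accepted")
```

The policy is only half of the item: the stored form of the password matters as much, so the `pass` column of the users table later in the paper should hold a salted, slow hash rather than the password itself.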
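The intrusion-detection item above calls for detecting potential attackers from the security logs and locking out unauthorized access attempts. The following added example (not the assignment's code) scans constructed login log lines, keeps a sliding window of failed logins per source address, and returns the sources that should be locked out together with the time the threshold was crossed. The log format, the threshold and the window are assumptions for the demo.

```python
"""Added example (not from the assignment): detect repeated failed logins
per source address in constructed log lines. Format and thresholds assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: ISO timestamp, source IP, user name, outcome.
LOG_LINES = """\
2018-03-01T10:00:01 203.0.113.5 alice LOGIN_OK
2018-03-01T10:00:05 198.51.100.9 admin LOGIN_FAIL
2018-03-01T10:00:06 198.51.100.9 admin LOGIN_FAIL
2018-03-01T10:00:07 198.51.100.9 admin LOGIN_FAIL
2018-03-01T10:00:08 198.51.100.9 root LOGIN_FAIL
2018-03-01T10:00:09 198.51.100.9 bob LOGIN_FAIL
2018-03-01T10:00:30 203.0.113.5 alice LOGIN_FAIL
2018-03-01T10:15:00 198.51.100.9 admin LOGIN_FAIL
""".splitlines()

FAIL_THRESHOLD = 5             # this many failures ...
WINDOW = timedelta(minutes=5)  # ... within this window trigger a lockout


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def detect_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source ip: time the threshold was first crossed}.

    A sliding window per source: each failure is appended, failures older
    than `window` are dropped, and the source is flagged the first time
    the window holds `threshold` failures. Successful logins are ignored.
    """
    recent = defaultdict(list)
    flagged = {}
    for line in lines:
        ts, ip, user, outcome = parse_line(line)
        if outcome != "LOGIN_FAIL":
            continue
        bucket = recent[ip]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:
            bucket.pop(0)
        if len(bucket) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in detect_bruteforce(LOG_LINES).items():
        print(f"lock out {ip} (threshold crossed at {when.isoformat()})")
```

Keying the window on the source address catches a single host cycling through user names, as in the constructed lines; a second counter keyed on the target account catches the reverse pattern, where many sources try one account, and the two together are what the lockout rule in the passage needs.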

Technical Obstacles
a. The need to have private networks and infrastructure for seller and buyer.

b. Robberies of bank accounts through the computer.

c. Tools for software development are constantly and quickly changing.

d. The lack of a security system or of confidence in the transactions.

e. Low numbers of Internet users because of high prices combined with a low individual income.

Non-Technical Obstacles
- High implementation costs
- Fear of providing personal data
- The inability of the consumer to see the product visually before buying it online
- The proliferation of commercial fraud
- The low level of awareness and knowledge about e-commerce

The Proposed System - The proposed system presents the solution to the security obstacles that an e-commerce system faces when using sensitive information. The site is designed and implemented to allow users to search for and buy products through the Internet. All data are secured and stored in the proposed system, so that the administrator can easily search, retrieve and change information at any time. The proposed system uses the Internet in its implementation, which gives almost universal access; therefore the site is protected against misuse, whether accidental or malicious, through the use of multiple security strategies (such as username and password) to prevent unauthorized access, and it provides safety against intruders. The sensitive information is encrypted to prevent a malicious attack on the system. The proposed system has been designed for online search and purchase of electronic products, as shown in figure 2. The user can access the e-commerce system home page to buy a product by using his Visa-ID. After the user enters the VISA_ID, the system will check whether this ID is correct or not. If it is, the system redirects the user to the purchase page; otherwise the system will show a message that this ID is not correct. On the purchase page the user will enter the quantity and confirm the purchasing process. After that the system will check whether there is enough quantity in store and enough money in the VISA account to complete the purchase process. The database is designed using WAMP server, as shown in figure 3, and it consists of four tables.

Figure: E-commerce system design (flowchart). Recoverable steps: Start; enter user name and Visa ID; convert the Visa ID to MD5; compare the MD5 hash with the one stored in the database (no match: view all pages again); check that the selected Visa account contains enough balance; enter item and quantity; check that the store contains the selected item quantity (no: back); sell the selected items; End.
Table (1): Items table
Field name   Field type           Field description
ID           integer              ID of item
Code         text                 Code of item
ITName       Variable character   Name of item
P-ID         integer              ID of product that the item is related to
Qty          integer              Quantity of item in store
Price        integer              Price of item
Desc         Variable character   Description of item

Table (2): Product table
Field name   Field type           Field description
P-id         integer              Product id
P-name       integer              Product name
P-no         text                 Product no

Table (3): Sell table
Field name   Field type           Field description
s-id         integer              Sell id
Itid         text                 Item id
U-id         Variable character   User id
price        integer              Price of item
qty          integer              Quantity of item
T-price      integer              Total price of sell
date         Variable character   Date of sell

Table (4): Users table
Field name   Field type           Field description
id           integer              User id
Name         Variable character   User name
pass         text                 User password
email        text                 User email
gender       Variable character   User gender
Visaid       text                 User visa id
charge       integer              Visa charge
address      Variable character   User address
age          integer              User age
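The four tables and the flowchart together specify the purchase flow: check the Visa ID against the stored hash, check stock and balance, then record the sale. The following added example (not the assignment's own code, which runs on a WAMP stack) creates the tables in SQLite with the column names above (hyphens written as underscores), mirrors the flowchart's MD5 comparison step, and carries out the purchase as one transaction with parameterized queries so that a failed check leaves stock and balance untouched. The sample rows, the placeholder password value and the demo Visa ID are constructed.

```python
"""Added example (not from the assignment): the four tables in SQLite and
the purchase flow from the flowchart. Sample rows are constructed."""
import hashlib
import sqlite3

SCHEMA = """
CREATE TABLE items   (ID INTEGER PRIMARY KEY, Code TEXT, ITName TEXT,
                      P_ID INTEGER, Qty INTEGER, Price INTEGER, "Desc" TEXT);
CREATE TABLE product (P_id INTEGER PRIMARY KEY, P_name TEXT, P_no TEXT);
CREATE TABLE sell    (s_id INTEGER PRIMARY KEY AUTOINCREMENT, Itid TEXT,
                      U_id TEXT, price INTEGER, qty INTEGER,
                      T_price INTEGER, date TEXT);
CREATE TABLE users   (id INTEGER PRIMARY KEY, Name TEXT, pass TEXT,
                      email TEXT, gender TEXT, Visaid TEXT, charge INTEGER,
                      address TEXT, age INTEGER);
"""


def md5_hex(value: str) -> str:
    # The flowchart converts the Visa ID to MD5 before comparing it with
    # the stored value; the users.Visaid column therefore holds the hash.
    return hashlib.md5(value.encode()).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO product VALUES (?, ?, ?)", (1, "Laptop", "P-001"))
    conn.execute("INSERT INTO items VALUES (?, ?, ?, ?, ?, ?, ?)",
                 (1, "LAPTOP-01", "Laptop 14in", 1, 3, 850, "constructed sample item"))
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
                 (1, "alice", "placeholder-password-hash", "alice@example.com",
                  "F", md5_hex("4111-DEMO-0001"), 2000, "Noakhali", 30))
    conn.commit()
    return conn


def check_visa(conn, name, visa_id):
    """Return the user id if the name and Visa ID match a stored row, else None."""
    row = conn.execute("SELECT id FROM users WHERE Name = ? AND Visaid = ?",
                       (name, md5_hex(visa_id))).fetchone()
    return row[0] if row else None


def purchase(conn, user_id, item_id, qty, date):
    """Sell `qty` of an item; raises ValueError on bad input, insufficient
    stock or insufficient balance. All writes happen in one transaction."""
    if qty <= 0:
        raise ValueError("quantity must be positive")
    with conn:  # commits on success, rolls back if an exception escapes
        item = conn.execute("SELECT Qty, Price FROM items WHERE ID = ?",
                            (item_id,)).fetchone()
        if item is None:
            raise ValueError("no such item")
        stock, price = item
        total = price * qty
        if stock < qty:
            raise ValueError("not enough quantity in store")
        balance = conn.execute("SELECT charge FROM users WHERE id = ?",
                               (user_id,)).fetchone()[0]
        if balance < total:
            raise ValueError("not enough money in Visa")
        conn.execute("UPDATE items SET Qty = Qty - ? WHERE ID = ?", (qty, item_id))
        conn.execute("UPDATE users SET charge = charge - ? WHERE id = ?", (total, user_id))
        conn.execute("INSERT INTO sell (Itid, U_id, price, qty, T_price, date) "
                     "VALUES (?, ?, ?, ?, ?, ?)",
                     (str(item_id), str(user_id), price, qty, total, date))
    return total


def demo():
    conn = make_db()
    uid = check_visa(conn, "alice", "4111-DEMO-0001")
    wrong = check_visa(conn, "alice", "0000-WRONG-0000")
    first = purchase(conn, uid, 1, 2, "2018-03-01")
    try:
        purchase(conn, uid, 1, 2, "2018-03-01")  # only one unit left
        second = "accepted"
    except ValueError as exc:
        second = str(exc)
    stock = conn.execute("SELECT Qty FROM items WHERE ID = 1").fetchone()[0]
    balance = conn.execute("SELECT charge FROM users WHERE id = 1").fetchone()[0]
    return {"uid": uid, "wrong": wrong, "first": first, "second": second,
            "stock": stock, "balance": balance}


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would raise against the design as drawn: MD5 is fast and unsalted, so the stored Visa ID hashes can be recovered by exhaustive search if the users table leaks, and a slow salted hash (or, better, a token issued by the payment provider in place of the card identifier) is the usual remedy; and the `pass` column should likewise hold a salted slow hash, which the placeholder value above stands in for.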

Current Practice:
To a large extent, current e-commerce security practice is rightly based on answering the types of questions listed above. The problem, however, is that this kind of approach is ad hoc, in the sense that it usually entails providing only technical (software and hardware) answers. This usually translates into acquiring sophisticated servers, firewall software and intrusion detection systems, obtaining digital certificates, etc.: what we refer to as the "latest gizmo" driven approach. While there is nothing wrong with installing these devices, the implicit false assumption is that security risk problems can be minimized by that approach. Small and medium-sized businesses are the ones especially at risk. We contend that regardless of how sophisticated the software and hardware devices might be, risk is not fully addressed without a systematic risk assessment and risk management process. The weakness of this ad hoc approach stems from the fact that many traditional security paradigms are ineffective against Web threats.

Proposed Framework
The main thesis of this paper is that e-business security can only be effective if it is regarded as part of an overall corporate information security risk management policy. For that purpose a six-stage security management strategy is proposed [16]:

Stage 1: Develop a corporate risk consciousness and risk management culture. Develop management focus.

Stage 2: Perform a thorough risk assessment of the whole business. Identify and rank risks based on threats, vulnerabilities, cost and countermeasures.

Stage 3: Devise a systematic, risk-management-based e-business security policy.

Stage 4: Put risk control mechanisms in place. Implement technological best practices with regard to e-business infrastructure components: clients, servers, networks, systems and applications, and transport mechanisms. While this is based on GAO (1999a, b), the practices of the organizations surveyed by the GAO lack the key component advocated here, namely the implementation of best practices.

Stage 5: Follow systematic risk assessment and risk management procedures to determine the level of risk after implementing the best practices on each component. Insure residual risk of low-probability but high-cost events and manage the rest.

Stage 6: Monitor and audit the diffusion of the risk management culture, policy implementation and enforcement, and revise as needed.

Implementing Best Practices in Securing E-Commerce Infrastructure
This aspect of security policy is where vulnerabilities are handled. Vulnerability is often the first thing to address, since that is where the organization and the system administrator tend to have the most control. This is the area of security risk management that is principally a technology issue. Each component has to be addressed with a view to implementing a complete secure e-business infrastructure. Notable elements in that strategy will include PKI cryptography and digital signature technology, applied via Secure Sockets Layer (SSL) digital certificates to provide the authentication, data integrity, privacy and availability necessary for e-business. This is where the system information security officer can go over a checklist of what is necessary and what the organization has. A typical checklist will include:

· physical protection for computers
· network systems management
· email control security
· network security
· firewalls
· encryption
· PKI
· incident handling
· antivirus software
· digital certificates
· strong authentication
· access control
· audit and tracing software
· backup and disaster recovery
· biometric software
· wireless communications security

At the moment, businesses are using various (sometimes very poor) proxies for best practices as a substitute for an overall security strategy. There is no systematic industry standard for doing it, and there are no known best practices on which organizations can model their strategies. So far the closest one comes to best practices are the practices of so-called "leading organizations". These are organizations that are significantly ahead of the rest in terms of implementing robust security systems [17]. While those practices may be exemplary, they may not necessarily earn the title of best practices when subjected to an objective, rigorous analysis. The type of best practice advocated here is one that is not only impressive in its design and implementation but that can be analytically proven to be optimal, similar to the process of analytically proving optimal coding in software development.

Implementing effective e-commerce security is a dynamic process. The technology is changing very fast, and so are the threats and vulnerabilities. Creating a security and risk management culture is a slow process. It is necessary to create an effective monitoring and feedback system (for example, Counterpane, http://www.counterpane.com/pr-lloydsqa.html; InsureTrust.com, http://www.insuretrust.com/ [April 1, 01]) in order to determine the efficacy of each of these.

Summary and Conclusion: The problem of information security in today's networked world is presented together with the current common solutions applied to solve it. It is argued that a purely technological approach is not sufficient to produce trust or minimize risks so as to lead companies and their clients to conduct e-business with confidence. A risk management approach is presented. There is already evidence that the market will welcome this approach. It is therefore not surprising that industry forecast groups are beginning to predict that "new security markets will emerge, existing markets will evolve, and legacy security environments will mature and take on new life". Two prerequisites are necessary for this new approach to become effective: an industry standard needs to be set for what constitutes best practices in e-business security, and a new type of "Certification Authority" will have to be instituted to certify that an organization conforms to the set of best practices. These best practices and their certification will then become the standard upon which market prices for e-business insurance will be set.

Reference:
google.com
