
E-Commerce Security

Dr. Ramdas Sonawane


Head,
Department of Statistics & Computer Applications,
Ness Wadia College of Commerce, Pune
Cryptogram

• Cryptography is a method of protecting information and communications through the use of codes, so that only those for whom the information is intended can read and process it.
• The original message is called plaintext and the disguised message is called ciphertext. The final message, encapsulated and sent, is called a cryptogram.
• The process of transforming plaintext into ciphertext is called encryption.
• The reverse process, turning ciphertext back into plaintext, is called decryption.
• A cryptogram is also a word puzzle featuring encrypted text that the user decrypts to reveal a message of some sort.
Data encryption standards

• The DES (Data Encryption Standard) algorithm is a symmetric-key block cipher created in the early 1970s by an IBM team and adopted by the National Institute of Standards and Technology (NIST).
• The algorithm takes the plaintext in 64-bit blocks and converts them into ciphertext using 64-bit keys.
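To make "encrypting in 64-bit blocks with a 64-bit key" concrete, here is an added example (not from the slides) of a toy 16-round Feistel block cipher with the same block and key sizes as DES. It is not DES: the key schedule, S-boxes and permutations are replaced by keyed hashes, and the names `round_keys`, `round_function`, `encrypt` and `decrypt` are my own. Two caveats worth keeping in mind alongside the slide: only 56 of DES's 64 key bits are effective, and DES has long been considered breakable by brute force, so it is shown here for structure only.

```python
# Added example: a toy Feistel block cipher on 64-bit blocks with a 64-bit key.
# Same block/key sizes and round count as DES, but NOT DES (toy round function
# and key schedule). Standard library only.
import hashlib
import hmac

BLOCK_BYTES = 8    # 64-bit block, the size the slide gives for DES
KEY_BYTES = 8      # 64-bit key
ROUNDS = 16        # DES also uses 16 Feistel rounds


def round_keys(key: bytes) -> list:
    """Toy key schedule: one 8-byte subkey per round, derived by hashing the
    master key with the round number (DES uses bit permutations instead)."""
    if len(key) != KEY_BYTES:
        raise ValueError("key must be exactly 64 bits")
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]


def round_function(half: bytes, subkey: bytes) -> bytes:
    """Toy round function: keyed hash of the 32-bit right half, truncated to
    32 bits (DES uses expansion, S-boxes and a permutation here)."""
    return hmac.new(subkey, half, hashlib.sha256).digest()[:4]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(block: bytes, subkeys: list) -> bytes:
    """One 64-bit block through 16 Feistel rounds, followed by the final swap."""
    left, right = block[:4], block[4:]
    for subkey in subkeys:
        left, right = right, xor_bytes(left, round_function(right, subkey))
    return right + left


def decrypt_block(block: bytes, subkeys: list) -> bytes:
    """The Feistel property: decryption is the same network with the subkeys
    applied in reverse order."""
    return encrypt_block(block, subkeys[::-1])


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the message is a whole number of 64-bit blocks."""
    n = BLOCK_BYTES - len(data) % BLOCK_BYTES
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK_BYTES or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def encrypt(message: bytes, key: bytes) -> bytes:
    """ECB mode: every 64-bit block is encrypted independently with the same key.
    Identical plaintext blocks therefore give identical ciphertext blocks, which
    is why real systems use a chaining mode (CBC, CTR, GCM) rather than raw ECB."""
    subkeys = round_keys(key)
    padded = pad(message)
    return b"".join(encrypt_block(padded[i:i + BLOCK_BYTES], subkeys)
                    for i in range(0, len(padded), BLOCK_BYTES))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    if len(ciphertext) % BLOCK_BYTES:
        raise ValueError("ciphertext is not a whole number of 64-bit blocks")
    subkeys = round_keys(key)
    return unpad(b"".join(decrypt_block(ciphertext[i:i + BLOCK_BYTES], subkeys)
                          for i in range(0, len(ciphertext), BLOCK_BYTES)))


if __name__ == "__main__":
    key = b"8bytekey"                      # constructed 64-bit key
    ct = encrypt(b"attack at dawn", key)   # 14 bytes -> 2 padded blocks
    print(ct.hex())
    print(decrypt(ct, key))
```

Running it shows the round trip, and encrypting a message with two identical 8-byte blocks shows the ECB weakness directly: the first two ciphertext blocks are identical.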
Advantages of DES

• Input messages of 64 bits can be encrypted using a 64-bit key.
• DES is hard to attack.
• It is faster as compared to other encryption algorithms.
• It has a high level of security.
• It is completely specified and easy to understand.
• It is adaptable to different applications.
Applications of DES

• The DES algorithm was made mandatory for all financial transactions by the US government.
• High speed in ATMs.
• Used for secure video teleconferencing.
• Used in routers and remote access servers.
Certificate

• A certificate is an electronic file that holds a public key, identifies the owner of the key and carries a signature to assure that the key does indeed belong to the identified person.
Certificate authority

• A trusted person or organization with the power to create and sign certificates.
• An individual completes the certificate request with the data and public key and sends it to a certificate authority.
• The authority verifies the authenticity of the data and, if the response is positive, produces a certificate that is sent to the applicant, signed with the private key of the authority.
• The applicant can now send the certificate to another individual in order to be authenticated and to supply their public key.
• The identity is verified by checking the signature on the certificate against the public key that the certificate authority makes available.
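The four steps above, request, issuance, presentation and verification, as an added example that is not part of the slides. It uses a textbook RSA signature over a SHA-256 digest of the certificate body so that it runs with only the Python standard library; the 512-bit keys and unpadded signature are toy choices (real CAs use RSA-PSS/PKCS#1 or ECDSA with proper padding and X.509 encoding), and every function name here is my own.

```python
# Added example: certificate request -> CA signs with its private key ->
# relying party verifies with the CA's public key. Toy textbook RSA, for
# illustration only. Standard library only (needs Python 3.8+ for pow(e, -1, m)).
import hashlib
import json
import secrets


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top and low bit
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return (public, private) with public = (n, e) and private = (n, d).
    512-bit moduli are far too small for real use; they keep the demo fast."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _digest(obj: dict) -> int:
    """Canonical JSON -> SHA-256 -> integer, so signer and verifier hash the
    same bytes. The 256-bit digest is always smaller than the 512-bit modulus."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, obj: dict) -> int:
    n, d = private
    return pow(_digest(obj), d, n)


def verify(public, obj: dict, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest(obj)


def make_request(subject: str, subject_public) -> dict:
    """Step 1: the applicant bundles identity data with their public key."""
    return {"subject": subject, "public_key": list(subject_public)}


def issue_certificate(ca_name: str, ca_private, request: dict) -> dict:
    """Step 2: after vetting the request, the CA signs it with its private key."""
    body = dict(request, issuer=ca_name)
    return {"body": body, "signature": sign(ca_private, body)}


def verify_certificate(cert: dict, ca_public) -> bool:
    """Steps 3-4: a relying party checks the CA's signature with the CA's
    public key; any change to the body, or a different CA key, fails."""
    return verify(ca_public, cert["body"], cert["signature"])


if __name__ == "__main__":
    ca_public, ca_private = generate_keypair()          # constructed toy CA
    alice_public, _alice_private = generate_keypair()   # constructed applicant
    cert = issue_certificate("Toy CA", ca_private,
                             make_request("alice@example.com", alice_public))
    print("genuine certificate verifies:", verify_certificate(cert, ca_public))
    forged = {"body": dict(cert["body"], subject="mallory@example.com"),
              "signature": cert["signature"]}
    print("tampered certificate verifies:", verify_certificate(forged, ca_public))
```

The point the check demonstrates is that the relying party never needs the applicant's private key, only the CA's public key: binding the subject name to the public key is what the CA's signature attests, so editing either field invalidates the certificate.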
Ensuring electronic security

• Train Your Workforce
• Organizations can use a security awareness training program to educate their employees about the importance of data security. Many organizations begin by creating a team to draw up a strategic plan for the security awareness training program. The team should include executive management as well as initiative leaders.
• The team can then begin developing programs to educate the organization's workforce. This training should consist of digital security best practices and phishing testing. A digital security writer recommends that the program also address the drivers of malicious behaviour, to mitigate the risk of insider threats.
Ensuring electronic security

• Embrace a Data-Centric Security Strategy
• Mobile, the Internet of Things (IoT) and the cloud have dissolved the traditional boundaries of the network. As such, organizations now need to approach network security from a more holistic and strategic viewpoint. An information security expert urges organizations to specifically embrace a data-centric approach, through which they develop a strategic understanding of what data they have and how valuable that data is to their business operations.
• Once they know what data they have, organizations should protect it by doing encryption the right way. They should also look to the Center for Internet Security's Control 10 – Data Recovery Capabilities. As part of their implementation of this Control, organizations should develop a robust data backup strategy and test that strategy and their backups often.
Ensuring electronic security

• Implement Multi-Factor Authentication (MFA)
• Many of us are quick to change our login credentials following the public disclosure of a data breach. But by then, it could be too late. As Tripwire Principal Security Researcher Travis Smith noted in another blog post for The State of Security, many victimized businesses don't detect a data breach (if at all) until hundreds of days later. That gives attackers plenty of time to compromise the exposed accounts before anyone knows what happened.
• Acknowledging that threat, organizations should take additional steps to shore up their users' business accounts against compromise. They can do so by following the requirements of the Center for Internet Security's Control 4 – Controlled Use of Administrative Privileges and using multi-factor authentication (MFA) for all administrative account access. They should also encourage users to enable MFA across their personal web accounts.
Ensuring electronic security

• Set Strict Permissions for the Cloud
• As organisations increasingly migrate their workloads to the cloud, they need to lock down their cloud-based data. Human error has already been responsible for the exposure of numerous AWS (Amazon Web Services) S3 buckets. In many of those incidents, a misconfiguration was responsible for exposing the personal information of millions of customers.
• To prevent another AWS S3 breach, organizations should strategically use ACLs to grant read/write permissions only to specific AWS accounts and/or predefined S3 groups. Security personnel should then audit those accounts and their levels of access to enforce the principle of least privilege. They should not simply apply default permissions to their cloud-based data; in fact, they could choose to grant read-only access to a few system-manager-specific S3 buckets.
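The audit step above can be automated. The following is an added example, not from the slides, that walks bucket ACLs in the shape the AWS API returns (the `Grants` list boto3's `get_bucket_acl` gives back) and flags the grants that break least privilege: anything given to the predefined `AllUsers` or `AuthenticatedUsers` groups, and grants to accounts outside an allow-list. The sample ACLs and account IDs are constructed placeholders, and `audit_acl`/`audit_all` are my own names. Note that on new AWS accounts bucket ACLs are disabled by default and AWS recommends bucket policies together with S3 Block Public Access; the same two checks apply to policy statements.

```python
# Added example: offline least-privilege audit of S3 bucket ACLs in boto3
# get_bucket_acl() shape. Sample data is constructed; group URIs are AWS's real
# predefined S3 groups.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(bucket: str, acl: dict, known_accounts: set) -> list:
    """Return one finding per grant that violates least privilege."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        permission = grant.get("Permission")
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            # Public write is worse than public read: data can be altered or planted.
            findings.append({
                "bucket": bucket,
                "severity": "CRITICAL" if permission in WRITE_PERMISSIONS else "HIGH",
                "detail": f"{permission} granted to {PUBLIC_GROUPS[grantee['URI']]}",
            })
        elif grantee.get("Type") == "CanonicalUser" and grantee.get("ID") not in known_accounts:
            findings.append({
                "bucket": bucket,
                "severity": "MEDIUM",
                "detail": f"{permission} granted to unrecognised account {grantee['ID']}",
            })
    return findings


def audit_all(acls: dict, known_accounts: set) -> list:
    """Audit every bucket; returns findings in bucket-name order."""
    return [finding
            for bucket, acl in sorted(acls.items())
            for finding in audit_acl(bucket, acl, known_accounts)]


# Constructed sample ACLs (IDs are placeholders, not real canonical user IDs).
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
SAMPLE_ACLS = {
    "customer-exports": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    "upload-dropbox": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
    ]},
    "partner-feed": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-UNKNOWN-ID"}, "Permission": "READ"},
    ]},
    "audit-logs": {"Grants": [   # LogDelivery is not a public group: no finding expected
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ]},
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_ACLS, known_accounts={"EXAMPLE-OWNER-ID"}):
        print(f"[{finding['severity']}] {finding['bucket']}: {finding['detail']}")
```

To run this against a real account, replace `SAMPLE_ACLS` with the dictionaries returned by `boto3`'s `list_buckets` and `get_bucket_acl` calls; the audit logic does not change.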
Ensuring electronic security

• Exercise Vigilance for Patch Management
• Organizations can strengthen the security of their data by patching the vulnerabilities through which malicious actors could gain access to their network assets. They can do this by formulating a patch management program through which they test patches before deploying them on their production systems. No test can cover every possible system configuration, so organizations should follow the Tripwire VERT Senior Security Researcher's guidance and conduct their patch testing on a best-effort basis.
• An organization's engagement with a security fix doesn't end once it has been applied. They need to follow up a patch's deployment by scanning their systems to confirm that the vulnerability is no longer present. This step reveals whether the patch has addressed the vulnerable components and whether additional measures are needed to remediate the vulnerability.
E-locking

• An electronic lock is a locking device which operates by means of electric current. Electric locks are sometimes stand-alone, with an electronic control assembly mounted directly on the lock. Electric locks may also be connected to an access control system, the advantages of which include: key control, where keys can be added and removed without re-keying the lock cylinder; fine-grained access control, where time and place are factors; and transaction logging, where activity is recorded. Electronic locks can be remotely monitored and controlled, both to lock and to unlock.
Authentication methods in E-locking

• Numerical codes, passwords and passphrases
The most common form of electronic lock uses a keypad to enter a numerical code or password for authentication. Some feature an audible response to each press. Combination lengths are usually between four and six digits.
• Security tokens
Another means of authenticating users is to require them to scan or "swipe" a security token such as a smart card or similar, or to have a token interact with the lock. For example, some locks can access stored credentials on a personal digital assistant (PDA) or smartphone by using infrared, Bluetooth or NFC data transfer.
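A four-to-six-digit code has at most a million possibilities, so the controller behind the keypad matters as much as the code. The following is an added example, not from the slides, of the lock-side logic a defender would want: the PIN is stored as a salted PBKDF2 hash rather than in the clear, entries are compared in constant time, repeated failures lock the keypad out for a period, and every attempt is written to the transaction log described on the E-locking slide. The `KeypadLock` class and its event names are my own.

```python
# Added example: controller logic for a keypad lock (hashed PIN, constant-time
# comparison, lockout after repeated failures, transaction log). Standard
# library only; `now` can be injected so behaviour is testable without waiting.
import hashlib
import hmac
import os
import time


class KeypadLock:
    PBKDF2_ROUNDS = 100_000   # slows offline guessing if the stored hash leaks

    def __init__(self, pin: str, max_failures: int = 5, lockout_seconds: int = 60):
        if not (pin.isdigit() and 4 <= len(pin) <= 6):
            raise ValueError("PIN must be 4 to 6 digits")   # lengths the slide gives
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin, self.salt)          # the PIN itself is not kept
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0
        self.log = []                                        # transaction log: (time, event)

    @classmethod
    def _hash(cls, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, cls.PBKDF2_ROUNDS)

    def _record(self, now: float, event: str) -> None:
        self.log.append((now, event))

    def try_open(self, entered: str, now: float = None) -> bool:
        """Return True and release the latch only for the correct PIN while not locked out."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            # Even the correct PIN is refused during lockout: this is what throttles guessing.
            self._record(now, "REJECTED_LOCKED_OUT")
            return False
        ok = hmac.compare_digest(self._hash(entered, self.salt), self.pin_hash)
        if ok:
            self.failures = 0
            self._record(now, "OPENED")
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            self._record(now, "DENIED_LOCKOUT_STARTED")
        else:
            self._record(now, "DENIED")
        return False


if __name__ == "__main__":
    lock = KeypadLock("4821")                      # constructed PIN
    print(lock.try_open("4821"))                   # True
    print(lock.try_open("0000"))                   # False
    for when, event in lock.log:
        print(f"{when:.0f} {event}")
```

With the defaults, five wrong entries cost a minute of lockout, so exhausting even a four-digit space takes on the order of a day at the keypad and leaves a conspicuous trail in the log, which is the detection opportunity the transaction logging feature exists to provide.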
Authentication methods in E-locking

• Biometrics
• Some electronic locks take advantage of technologies such as fingerprint scanning, retinal scanning, iris scanning and voice print identification to authenticate users.
• RFID
• Radio-frequency identification (RFID) is the use of an object (typically referred to as an "RFID tag") applied to or incorporated into a product, animal or person for the purpose of identification and tracking using radio waves. Some tags can be read from several meters away and beyond the line of sight of the reader. This technology is also used in some modern electronic locks. The technology has been around since before the 1970s but has become much more prevalent in recent years due to its use in things like global supply chain management and pet microchipping.