
Management and Innovation of E-Business

10.0 Security Issues In the Digital Environment

Copyright © 2015 William Toh V2.0 November 4, 2015


Learning Objectives

⚫ Identify and explain the major security threats.
⚫ Explain security protocols and practices.
⚫ Distinguish between technical and human and organisational security threats.
⚫ Discuss the strategic nature of security policies.
⚫ Distinguish between the various authentication technologies and discuss their strengths and weaknesses.


Concepts

⚫ Goals of e-business security
⚫ Technological dimensions of security
⚫ Threats and attacks
⚫ Human and organisational dimensions of security
⚫ Managing e-business strategy
⚫ Information security policies
⚫ User authentication


Essential Reading

⚫ Chaffey, D. E-business and e-commerce management. (Harlow: Financial Times/Prentice Hall, 2009) fourth edition [ISBN 9780273719601]
 Chapter 11, pp. 652-75.
⚫ SG
 Chapter 10
⚫ Adams, A. and A. Sasse ‘Users are not the enemy’, Communications of the ACM 42(12) 1999, pp. 40-46.
⚫ West, R. ‘The psychology of security’, Communications of the ACM 51(4) 2008, pp. 34-40.

Introduction

⚫ E-business security deals with the matter of planning and managing security within and around computer systems in e-business contexts
⚫ E-business security involves both technical and social issues
 Technical: ICT technologies for protecting information security such as firewalls, passwords, smartcards, digital signatures, virus protection
 Social: User awareness, user-friendliness and ease of use, learning curve, additional overheads


Definition of Information Security

⚫ Protection of digital assets
 Prevention of unauthorised access
 Detection of unauthorised access
 Reaction to unauthorised access
⚫ Difference from physical security
 Difficulty of detecting security compromises
⯍ We still “possess” information even if it has been compromised
 Hackers can be thousands of miles away when they perpetrate crimes


IS Security Functions …

⚫ Key functions:
 Distinguishing the good guys from the bad guys
 Granting access to authorized users
 Denying access to unauthorized users
 Recording all valid and invalid access for detection and reaction purposes
⚫ Some security questions:
 WHAT are the assets to be protected
 WHY do the assets need to be protected
 WHO is permitted to access the assets
 HOW and how long are assets to be protected
 WHEN can assets be accessed


Security Issues In the Digital Environment

Goals of IS Security


Key Goals

⚫ Confidentiality
 Prevention of unauthorized disclosure of information
⚫ Integrity
 Prevention of unauthorized modification of information
⚫ Availability
 Prevention of unauthorized withholding of information
⚫ Non-repudiation
 Prevention of repudiation by creators or users of access to information
⚫ Authenticity
 Guarantee that transactions are made by genuine authorized users

Confidentiality

⚫ Prevention of unauthorized disclosure of information
⚫ Keeping information secret
 Ensure that information is accessible only to authorised users
 Secrecy: For organisations, strategic reasons
 Privacy: For individuals, personal reasons
⚫ Factors
 Time (how long must information be kept confidential?)
 Number of authorised entities
 Location of authorised entities
⚫ Techniques
 Cryptography (symmetric/asymmetric)
⯍ Issues: Cipher strength, key strength, key distribution, key storage
⚫ Examples
 VPN, SSL/TLS (HTTPS), S/MIME, Wi-Fi WPA

Integrity

⚫ Prevention of unauthorized modification of information
⚫ Preservation of originality
 Ensure that received information is exactly the same as what was sent
⚫ Must detect any type of modification
 Malicious/intentional (e.g. third-party fabrications by hackers)
 Accidental (e.g. channel noise, transcription errors)
⚫ Factors
 Medium (e.g. wired, wireless)
 Number of hops
 Self-correcting protocols (e.g. TCP/IP vs UDP)
⚫ Techniques
 Message digests/hashes (digital fingerprints of messages)
⚫ Examples
 SHA-2, MD5

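As an added example (not from the lecture notes), the digest check the Integrity slide describes, in Python: the receiver recomputes the fingerprint of what arrived and compares it with the sender's, which catches accidental channel noise, and a keyed HMAC variant shows why a plain digest alone does not stop a third party that rewrites the message and recomputes the fingerprint. The order message and shared key are constructed for the demonstration.

```python
import hashlib
import hmac

# Added example: digest-based integrity check for a transmitted message.
# The order record and shared key below are constructed, not from the notes.

def message_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Digital fingerprint of a message (SHA-2 by default; any hashlib name works)."""
    return hashlib.new(algorithm, data).hexdigest()

def integrity_ok(received: bytes, sent_digest: str, algorithm: str = "sha256") -> bool:
    """Receiver recomputes the digest and compares it with the one the sender supplied.
    compare_digest runs in constant time so the comparison itself leaks nothing."""
    return hmac.compare_digest(message_digest(received, algorithm), sent_digest)

def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC tag: a fingerprint only holders of the shared key can produce, so a
    third party cannot alter the message and simply recompute the digest."""
    return hmac.new(key, data, "sha256").hexdigest()

def authentic(received: bytes, sent_tag: str, key: bytes) -> bool:
    """True only if the message is unchanged AND was tagged with the shared key."""
    return hmac.compare_digest(keyed_tag(received, key), sent_tag)

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate channel noise (accidental modification) by flipping one bit."""
    byte_index, bit = divmod(bit_index, 8)
    damaged = bytearray(data)
    damaged[byte_index] ^= 1 << bit
    return bytes(damaged)

# Constructed sample order message and shared key (not from the lecture notes).
ORDER = b"order=4711;item=laptop;qty=1;total=1299.00"
SHARED_KEY = b"demo-key-known-only-to-sender-and-receiver"
SENT_DIGEST = message_digest(ORDER)
SENT_TAG = keyed_tag(ORDER, SHARED_KEY)

if __name__ == "__main__":
    noisy = flip_bit(ORDER, 5)                        # accidental: one bit damaged
    fabricated = ORDER.replace(b"qty=1", b"qty=9")    # intentional: quantity rewritten
    print("intact message passes:", integrity_ok(ORDER, SENT_DIGEST))
    print("one flipped bit detected:", not integrity_ok(noisy, SENT_DIGEST))
    # A third party who rewrites the message can also recompute a plain digest...
    print("plain digest fooled:", integrity_ok(fabricated, message_digest(fabricated)))
    # ...but cannot produce a valid keyed tag without the shared key.
    print("keyed tag rejects fabrication:", not authentic(fabricated, SENT_TAG, SHARED_KEY))
```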

Availability

⚫ Prevention of unauthorized withholding of information
⚫ System must be reliable
 Resources must be available for authorized users when needed.
⚫ Need to protect
 Computing systems used to process and store information
 Communications channel
⚫ Factors
 Single points of failure
 System redundancy (hardware, leased lines)
⚫ Techniques
 Prevention of denial-of-service (DOS) attacks
 DDOS: distributed DOS
⯍ Hard to decide whether a DDOS attack is happening
⯍ Hard to distinguish genuine users from robots


Non-Repudiation

⚫ Prevention of repudiation by creators or users of information
⚫ Denial of receipt of a message by the recipient
⚫ Denial of transmission of a message by the sender
⚫ Factors
 Opportunism
⚫ Techniques
 Digital signatures


Authenticity …

⚫ Guarantee that transactions are made by genuine authorized users
⚫ Need to verify credentials provided by entities to prove that they are who they claim to be
⚫ Credentials can be:
 Something you possess (e.g. tokens like ATM cards)
 Something you know (e.g. passwords)
 Something you are or you do (e.g. biometrics)

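An added example (not part of the lecture notes) that ties the Authenticity slide to the key functions listed under IS Security Functions: verifying a "something you know" credential against a salted, iterated password hash, granting or denying access accordingly, and recording every valid and invalid attempt for later detection. The accounts, password and log format are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Added example: password ("something you know") verification plus an access log.
# All accounts, passwords and the log format are constructed, not from the notes.

ITERATIONS = 100_000  # PBKDF2 work factor; slows offline guessing of stolen records

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted, iterated hash rather than the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Constructed user store; "alice" is the only genuine account.
USERS: Dict[str, str] = {"alice": hash_password("correct horse battery staple")}
# Dummy record so an unknown username costs the same time as a real one
# (otherwise response timing would reveal which accounts exist).
_DUMMY_RECORD = hash_password(os.urandom(8).hex())
# Every attempt, valid or invalid, is recorded for detection and reaction.
ACCESS_LOG: List[dict] = []

def authenticate(username: str, password: str) -> bool:
    """Grant access only to a known user presenting the right password."""
    record = USERS.get(username)
    ok = verify_password(password, record if record is not None else _DUMMY_RECORD)
    ok = ok and record is not None
    ACCESS_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "result": "granted" if ok else "denied",
    })
    return ok

if __name__ == "__main__":
    authenticate("alice", "correct horse battery staple")   # valid access
    authenticate("alice", "wrong password")                 # invalid: bad password
    authenticate("mallory", "anything")                     # invalid: unknown user
    for entry in ACCESS_LOG:
        print(entry)
```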

Security Issues In the Digital Environment

Attacks & Threats


Threats & Attacks …

⚫ Denial of service attacks
 Flood a system with so many requests that it overloads and fails
⚫ Web page hijacking (e.g. cross-site scripting)
 Redirect web users to fake or malicious websites
⚫ Phishing
 Pretend to be an official email/website to try to acquire information (e.g. passwords)
 Related to web page hijacking and trojans
⚫ Botnets
 Use viruses to hijack and control large numbers of networked computers to send spam or conduct DDOS

… Threats & Attacks

⚫ Malware
 Malicious, self-installing and self-replicating software
 May be very difficult to detect or uninstall
 Includes
⯍ Adware, which pushes unwanted advertisements
⯍ Spyware, which spies on users’ surfing behaviour or steals passwords
⯍ Unwanted toolbars
⯍ Viruses, which do damage as they spread by stealing information, corrupting or deleting files
⯍ Worms, which are similar to viruses but can spread without human intervention, consuming lots of bandwidth
⯍ Trojan horses, which pretend to perform a desirable function but in fact grant system access to unauthorised users
⯍ Rootkits, which enable backdoor/superuser access to computers

Security Issues In the Digital Environment

Managing E-Business Security


Importance of E-Business Security

⚫ Information security is a central managerial challenge for every e-business
 It is a business, legal and ethical requirement!
⚫ Common types of security breaches
 Theft of identity or intellectual property, online fraud, DOS
⚫ Consequences of security breaches can be very severe
 Real or potential financial losses
 Loss of intellectual property or customer data
 Negative publicity, damage to reputation or national security
 Loss of trust of customers or suppliers
 Competitive disadvantage
 Lawsuits by customers or suppliers
 Reduced organisational viability


Security Issues In the Digital Environment

IS Security Policies


IS Security Policy

⚫ Managers of e-businesses must see information security as being vital to their organisations
⚫ A clear, comprehensive and consistent information security policy must be designed, documented and communicated to all staff
 Clearly states management’s commitment to the implementation, maintenance and improvement of its IS security management system
 Should be broadly in line with international standards (e.g. ISO 27002:2005)
⚫ While security policies demonstrate good planning, the execution or implementation of these policies is equally important!
 Companies must enforce the policies at all times.


Components of IS Security Policies …

⚫ Personal usage of information systems
 Articulate employees’ rights and responsibilities when using the organisation’s information systems.
⚫ Disclosure of information
 Highlight the restrictions regarding the disclosure or use of information that employees have access to.
⚫ Physical security of infrastructure and information
 Articulate how infrastructure and information resources should be protected from security threats or environmental hazards.
 Disaster-recovery plans to ensure business continuity.
⚫ Recovery from violations and breaches of security
 Articulate the steps to be taken to recover from a breach or violation and the recording and forensics of such security incidents.
⚫ Prevention of viruses and worms
 Articulate the use of antivirus software and the treatment of email attachments and sharing of information with external partners.


… Components of IS Security Policies

⚫ User access management
 Clearly articulate how staff’s access to information is assigned.
 Should be based on business and security requirements.
⚫ Mobile computing
 Articulate the rules regarding the use of computers and laptops away from the traditional working environment, or the use of personal devices (BYOD) within the enterprise network.
⚫ Internet access
 State the rules for internet access, e.g. restrictions on browsing and other online activities such as social media.
⚫ Software development and maintenance
 Effective security controls and procedures to be included in all new systems.
⚫ Encryption
 State how encryption should be used when accessing insecure/public networks.
⚫ Contingency and continuity
 State how contingency plans are written, tested, maintained, revised and implemented.


Security Issues In the Digital Environment

Common IS Security Issues
(Chaffey, Chapter 11, pp. 652-75)


Website Security Risks

⚫ Validation of input and output data
⚫ Direct data access
⚫ Data poisoning
⚫ Malicious file execution
⚫ Authentication and session management
⚫ System architecture and configuration
⚫ Phishing
⚫ Denial of service
⚫ System information leakage
⚫ Error handling


Computer Viruses

⚫ Boot-sector viruses
⚫ Worms
⚫ Macro viruses
⚫ E-mail attachment viruses
⚫ Trojan viruses
⚫ Hoax e-mail viruses


Protecting against Viruses

⚫ Anti-virus software
 Tool to protect systems from viruses.
⚫ Managed e-mail services
 Scan emails before they are received and sent.
⚫ Monitoring of electronic communications
 Monitoring of staff e-mails and websites
⚫ Acceptable-use policy
 Statement of acceptable practices by management
⚫ Scanning software
 Identifies email or webpage access that breaches company guidelines
⚫ Filtering software
 Blocks specified content or activities


Email Policies

⚫ Email is an essential business communication tool.
⚫ Controls introduced to
 Minimise the volume of spam (unsolicited e-mail)
 Improve internal business e-mail
⯍ Only send essential e-mails to inform or act upon.
 Protect external business e-mail
⯍ Use encryption as necessary
 Use of personal e-mail (friends and family)
⯍ Official addresses should not be allowed to send personal emails.
⯍ Personal addresses should not be used to send official emails.
⯍ Email attachments must be checked before opening
⯍ Create guidelines, disciplinary procedures, control and training.


Spam

⚫ 75% of e-mails were spam or virus-related
⚫ Spammers send out millions of emails, often from botnets of infected PCs.


Combating Spam

⚫ Reduce the risk of your addresses being harvested
 Reduce the number of email addresses published.
⚫ Educate staff not to reply to spam
 Replying will only confirm your email address to the spammer.
⚫ Use spam filters
⚫ Peer-to-peer blocking services
⚫ Use blacklist services
 Lists of known spammers reported to the Spamhaus Project.
⚫ Use whitelist services
 Receive email only from a list of bona fide e-mail addresses.
⚫ Ensure anti-virus software and blocking is effective.

Hacking

⚫ Hacking refers to the process of gaining unauthorized access to computer systems.
⚫ Hacking for monetary gain is usually aimed at identity theft, where personal details and credit card details are accessed for the purpose of fraud.


Social Engineering

⚫ Exploit human behaviour to gain access to computer security information from employees or individuals.
⚫ Often involves tricking people into breaking normal security procedures.
⚫ Examples:
 Try to get personal information of users in order to impersonate them to their friends and gain their trust.
 Personal information may also be used to reduce the time taken to guess passwords.
 Call victims and pretend to be an official bank manager trying to fix their account problems.
