Security & Trust In EBusiness Transactions
A Paper Prepared for the Proceedings of the Jamaican Institution of Engineers 2012
Prepared By Dr. Wayde Marr
August 31, 2012
Acknowledgements
I wish to thank the four IT professionals Mr. David Pusey, Mr. Kirk Tyrell, Mr. James Arscott and Ms.
Kay Wilson-Kelly for participating in the qualitative study relating to the state of e-Security in Jamaica.
This information provided the necessary insight to enable a better understanding of the efforts and
measures underlying the state of e-Security in Jamaica.
ABSTRACT
In recent years organizations of all types (for-profit, non-profit, private, public, government and non-
government) have adopted the tenets of e-commerce as an integral part of their standard operating
practice. They have adopted this technological approach to doing business because it offers greater
efficiency in processing transactions, reducing the need for physical facilities and for the human
resources required to process transaction data manually.
Organizations have, however, found that strategies of encouragement have not produced the desired
speed of adoption of doing business online, and have resorted to some form of coercion by way of process
discrimination, whereby online transactions are given priority over manual ones. At the extreme,
some organizations have removed the option of conducting business through manual transactions. The
Internal Revenue Service of the United States federal government has already mandated that, absent
extraordinary reasons, tax preparers will no longer have the option to submit manual tax filings after
the year 2012.
It is evident that infrastructure readiness, social preparedness and culture are all direct causes of the
slow adoption and growth of e-business. A culture of suspicion has led the ordinary consumer to
distrust institutions that have shifted diametrically from the age-old mantra that "the customer is always
right" to one in which institutions appear to wield unlimited power to apply fees and charges, make
unauthorized levies, hide critical information, misuse information, and so on. Such apparent abuse of
consumers has contributed to a state of mistrust and suspicion. This is not only a technological issue but
also a social one, in which clients are asked to give up control of their most prized possession (i.e. their
personal information) to a system that has, on occasion, proven vulnerable to technical and other
breaches.
This paper discusses many of the technical and operational issues related to security in e-transactions, and
analyzes strategies currently employed to temper the widely held perception that e-transactions are a risky
undertaking. It also discusses some of the steps that several Jamaican organizations have taken in securing
transactions in a real sense, while building consumer trust.
1.0 INTRODUCTION
E-Business is now identified as the main driver of future growth for any business, by extending
reach (exposure to potential customers outside its local boundaries) and richness (provision of
detailed and timely product and service information to its constituents). Although the growth rate of e-
business transactions is expected to continue its upward climb, this robust growth continues to be
impeded by fear that sensitive information will be used in a manner that exposes stakeholders to present
and future dangers: direct financial harm, harm to personal and professional reputation, and legal
exposure.
The purpose of the paper is threefold: a) to show the steps that any organization must take to
secure sensitive information; b) to provide an indication of the security threats that form part of the e-
business landscape; and c) to set out the responsibility that organizations owe their stakeholders in
securing customer information and transactions, and the extraordinary security measures that are being
undertaken to ensure sustainability and growth in e-business.
Several models of e-business security reflect the fundamental requirements of security. These
typically involve a set of inter-related components that act in accordance with each other to provide a
sturdy, secure system. A significant feature of such a model is that each component can function
adequately on its own; it is only when they all act in concert, however, that they create a single robust
system in which security is best sustained.
The E-Business Security Requirements System Model (Gardiner, 2003) builds on the Pfleegers'
security model (Pfleeger & Pfleeger, 2002) of three inter-related pillars, namely integrity,
confidentiality and availability. By adding two further components, authentication and non-
repudiation, Gardiner extends the original work of the Pfleegers into his own "Five Diamonds of
Security" model.
The strategies employed by organizations are often dictated by legal obligations, best
practices for the industry and the organization's sense of obligation to its stakeholders. Industry experts
agree that although security threats cannot be eliminated, there are significant benefits in having a plan
that seeks to minimize business risk, thus reducing losses from theft, fraud, lost time, embezzlement, etc.,
while reducing legal costs and protecting the reputation of the organization.
2.0 PRINCIPLES OF E-SECURITY
In developing a strategy for securing e-business transactions and information, we must first
understand some of the fundamentals as related to security design, including both the physical
infrastructure and logical security systems architecture (topology).
2.1 The Security Infrastructure
According to KnowledgeLeader (2012), best practices related to infrastructure design
dictate the use of a three-tier architecture with three separate components, namely the web server, the
application server and the database server. At minimum, a security layer is placed between the
untrusted network (the Internet) and the organization's applications and sensitive data. The security layer
then provides the necessary screen or filter between stakeholders and the organization.
The security layer consists of a layer of services referred to as a Demilitarized Zone (DMZ)
sandwiched by two Firewalls (front end and back end). The term DMZ, according to Ewens and Hoppe
(2007), comes from the geographic buffer zone that was set up between North and South Korea,
following the UN “police action” in the early 1950‟s.
2.1.1 Firewalls
Chaffey (2009) describes firewalls as "a specialized software application
mounted on a separate server at the point where the company is connected to the
internet." He further states that the purpose of firewalls is to prevent unauthorized access
to the organization's assets.
In his article, Chapple (2012) states that in a multi-tiered system the front-end/back-end
topology is used, where the user interacts with a front-end presentation server which in
turn interacts with the back-end one. This topology dictates that a firewall should be
placed between the Internet and the web server, and also between the web server and
the organization's email server (Figure 1).
2.1.2 Demilitarized Zone
According to Ewens & Hoppe (2007), the purpose of the DMZ (demilitarized
zone) is to prevent outside access to the organization's data. A number of servers are
placed within the DMZ, such as e-mail, FTP and web application servers.
They describe the DMZ as a computer host or small network inserted as a
"neutral zone" between a company's private network and the outside public network. It
prevents outside users from getting direct access to a server that holds company data. A
DMZ is an optional, more secure arrangement that complements the firewall rather than
replacing it; the DMZ host also commonly acts as a proxy server, that is, an intermediary
for requests from clients seeking resources from other servers.
Figure 1 - source - Chaffey (2009)
In a typical DMZ configuration for a small company, a separate computer (or
host in network terms) receives requests from users within the private network for access
to Web sites or other companies accessible on the public network. The DMZ host then
initiates sessions for these requests on the public network. However, the DMZ host is not
able to initiate a session back into the private network. It can only forward packets that
have already been requested.
Users of the public network outside the company can reach only the DMZ host.
KnowledgeLeader (2012) states that the firewall must be configured to allow
connections to the web server only on the ports and services required for business
reasons, and that the web server should reside on its own segment, separate and distinct
from other servers. The web server hosts the organization's web pages so that they can be
served to the outside world. The DMZ itself provides access to no other company data.
Should an outside user penetrate the DMZ host, the web pages might be corrupted, but
no other company information would be exposed. That guarantee holds only if the DMZ
host stores no internal credentials and the back-end firewall permits no connections from
the DMZ into the internal network beyond the few the application genuinely needs;
otherwise a compromised DMZ host becomes the attacker's staging point for the kind of
staged attack described in section 3.4.
Figure 2 - source Chaffey (2009)
Based on the sensitivity of the data, organizations may choose to add another
level of security by placing a second, back-end firewall between the organization's email,
FTP and intranet servers and the sensitive databases (Figure 2).
2.2 The Security Requirements Model (A Taxonomy Of Computer Security)
The five components (or diamonds) of the Gardiner model include integrity, confidentiality,
availability, authentication and non-repudiation.
2.2.1 Integrity
Integrity requires "safeguarding the accuracy and completeness of information
and processing methods" (ISO IEC 17799, 2000). Menezes et al. (as cited in
Gardiner, 2012) postulate that from a practical point of view maintaining integrity
involves the capability to detect any unauthorized insertion, deletion or substitution of
data by an unauthorized party. Gardiner (2012) further adds that the attribute of
authentication plays a critical role in defining integrity in e-business transactions.
2.2.2 Confidentiality
Confidentiality requires that there should be no unauthorized access to data (ISO
IEC 17799, 2000) while it is being either transmitted or stored by an information system
(Lawrence et al, 2000). In other words, the assurance that information is not accessible
by unauthorized individuals.
2.2.3 Availability
Availability means that information system (IS) assets, both data and services, are
available to those who are authorized to access them (Chin, 1999; ISO IEC 17799,
2000). Availability demands that systems are operational and functional at any given
moment. Albion (2012) defines "access control" as ensuring that users access only
those resources and services that they are entitled to access, and that qualified users are
not denied access to services that they legitimately expect to receive; the latter failure is
a denial of service.
2.2.4 Authentication
Authentication ensures that individuals are who they claim to be. This requires
that the identity of any parties involved in a transaction or exchange using an IS can be
verified so that each party can be sure that the others are indeed who they purport to be
(Rowley, 2002). Authentication plays a vital role in the success of E-Business
transactions where buyers and sellers alike are skeptical about transmitting important
information over open networks (Gardiner, 2012).
2.2.5 Non-Repudiation
Non-Repudiation requires that the sender of a message cannot deny sending the
message and that the receiver of a message cannot deny receiving the message (Deitel et
al, 2001).
In E-Business non-repudiation is vital to ensuring that legitimate business
transactions are honored and not refuted by any of the parties involved (Turban et al,
2002). Consider for example the potential loss in shipping and handling costs if upon
delivery of several large orders the customers involved denied placing the orders and
refused to accept the goods invoiced (Kesh et al, 2002).
In her contribution to the SearchSecurity website, Rouse (2008) states that
non-repudiation may be defined as the assurance that someone cannot deny something.
Typically, she suggests, “nonrepudiation refers to the ability to ensure that a party to a
contract or a communication cannot deny the authenticity of their signature on a
document or the sending of a message that they originated.”
Designers mimic the signatures that form the basis of the non-repudiation
process in the physical environment by employing digital signatures in the digital or
virtual environment. Rouse (2008) states that:
On the Internet, a digital signature is used not only to ensure that a
message or document has been electronically signed by the person that
purported to sign the document, but also, since a digital signature can
only be created by one person, to ensure that a person cannot later deny
that they furnished the signature.
Since no security technology is absolutely fool-proof, some experts warn
that a digital signature alone may not always guarantee nonrepudiation. It
is suggested that multiple approaches be used, such as capturing unique
biometric information and other data about the sender or signer that
collectively would be difficult to repudiate.
Email nonrepudiation involves methods such as email tracking that are
designed to ensure that the sender cannot deny having sent a message
and/or that the recipient cannot deny having received it.
In summary of his work, Gardiner (2012) states that the new model recognizes that each
of the identified requirements may exist to some extent in isolation, but only in the area where
each of the requirements overlap with one another, that the security requirements of E-Business
are most likely to be preserved. He however concedes that the model is still quite simplistic, as it
does not identify any single security requirement as being more or less significant than any other.
3.0 THREATS
This section builds on the preceding view of the e-business security landscape by presenting
an overview of the techniques and vulnerabilities that threat agents exploit to violate the
principles of the security model and to defeat the security infrastructure and topology.
3.1 Intercepted Data Transmission
A limited list of the threat techniques includes Intercepted Data Transmissions, Password
Cracking, Social Engineering, Exploitation of Application Software, and Malicious Code Attacks
and Denial Of Service.
Gardiner quotes Whyte (2001), who defines interception of data transmissions as a
technique whereby threat agents capture data passing over an insecure channel such as the
Internet, using a special network probing device or a workstation whose network card is
configured to operate in promiscuous mode. "Sniffer" products use these measures to harvest
passwords, source and destination addresses, information on digital certificates, etc. The
harvested information is then used to gain unauthorized access, for example by replaying the
captured credentials through the firewall and into a system. This threat seeks to defeat the core
aspects of confidentiality, integrity and authentication.
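As an added illustration (not from the paper or from Whyte), the following Python script shows what a sniffer extracts from a single cleartext HTTP login request once it has been captured in promiscuous mode. The request bytes, the host name, the session cookie and the credentials are constructed for the example; the parser itself is general for HTTP/1.1 requests of this shape.

```python
# Added example (not from the paper): what a "sniffer" harvests from a
# cleartext HTTP login, run over a constructed capture. Host, path, cookie
# and credentials below are invented for the example.
import base64
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed capture: one TCP payload as a promiscuous-mode card would see it.
CAPTURED_REQUEST = (
    b"POST /account/login HTTP/1.1\r\n"
    b"Host: shop.example.jm\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"Cookie: JSESSIONID=8F3A9C0D1E; remember=1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"username=alice&password=hunter2&mfa="
)

# Form field names worth harvesting (case-insensitive substring match).
SENSITIVE_FIELD_HINTS = ("user", "pass", "pin", "token")


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def harvest(raw: bytes) -> dict:
    """Return everything in the request an eavesdropper could reuse directly:
    Basic-auth credentials, cookies (replayable sessions) and login form fields."""
    _method, path, headers, body = parse_http_request(raw)
    found: dict = {"target": headers.get("host", "") + path}

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is base64, not encryption: user:password is in the clear.
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found["basic_auth"] = (user, password)

    if "cookie" in headers:
        found["cookies"] = dict(
            c.strip().split("=", 1) for c in headers["cookie"].split(";") if "=" in c
        )

    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        found["form_fields"] = {
            k: v[0] for k, v in form.items()
            if any(hint in k.lower() for hint in SENSITIVE_FIELD_HINTS)
        }
    return found


if __name__ == "__main__":
    for key, value in harvest(CAPTURED_REQUEST).items():
        print(f"{key}: {value}")
```

Every item the function returns (the password, and the JSESSIONID cookie that would let the attacker impersonate the session without the password) is usable as-is; that is why the transport encryption described in section 4.2.3 is the first mitigation for this threat.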
3.2 Password Cracking
Password cracking describes methods of gaining unauthorized access to passwords,
which can be achieved through a variety of technical and non-technical means.
Techniques vary from using information obtained by intercepting data transmissions, as
described above; "password scripting", described by Pfleeger & Pfleeger (2002) as the writing
of scripts that attempt to impersonate the user by trying several variations of the user's
name in conjunction with a dictionary; "password guessing", which exploits the
carelessness of users who choose weak passwords in order to make them more memorable; to
simply exploiting users' carelessness in safeguarding the confidentiality of their passwords.
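The "password scripting" technique above, as an added example written for this page (not code from Pfleeger & Pfleeger): a small cracker that combines variations of each user's name with a word list and tests the candidates against a salted credential store. The accounts, passwords, word list and hashing scheme are this example's own assumptions.

```python
# Added example (not from the paper): the "password scripting" attack of
# Pfleeger & Pfleeger run against a constructed credential store. The user
# names, passwords, word list and hashing scheme are this example's own
# assumptions; SHA-256 is used only so the example runs instantly.
import hashlib
import hmac
import os
from typing import Dict, Iterator, Optional, Tuple

Store = Dict[str, Tuple[bytes, bytes]]        # username -> (salt, digest)


def hash_password(salt: bytes, password: str) -> bytes:
    # A real store would use a deliberately slow KDF (bcrypt, scrypt, Argon2,
    # PBKDF2) so that each guess below costs the attacker milliseconds, not
    # microseconds; plain SHA-256 is used here only to keep the example fast.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_store(users: Dict[str, str]) -> Store:
    """Per-user random salt: identical passwords hash differently, and one
    cracked hash gives away nothing about other accounts."""
    store: Store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(salt, password))
    return store


# Constructed word list and mangling rules, far smaller than a real cracker's.
DICTIONARY = ["password", "welcome", "summer", "jamaica", "letmein"]
SUFFIXES = ["", "1", "123", "2012", "!"]


def candidates(username: str) -> Iterator[str]:
    """Variations of the user's own name combined with a dictionary."""
    name_parts = [username] + username.replace(".", " ").replace("_", " ").split()
    bases = set()
    for word in DICTIONARY + name_parts:
        bases.update({word.lower(), word.capitalize(), word.upper()})
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def crack(username: str, salt: bytes, digest: bytes,
          max_guesses: int = 100_000) -> Optional[str]:
    """Return the password if it falls to the candidate list, else None."""
    for guesses, cand in enumerate(candidates(username), start=1):
        if guesses > max_guesses:
            break
        if hmac.compare_digest(hash_password(salt, cand), digest):
            return cand
    return None


def crack_store(store: Store) -> Dict[str, Optional[str]]:
    return {user: crack(user, salt, digest) for user, (salt, digest) in store.items()}


# Constructed accounts: two weak passwords of the kind the section warns about
# (a surname plus the year, a dictionary word plus digits) and one long random one.
SAMPLE_USERS = {
    "alice.brown": "Brown2012",
    "bob": "password123",
    "carol": "Xq7$v!p9Lm2#tR",
}

if __name__ == "__main__":
    for user, found in crack_store(make_store(SAMPLE_USERS)).items():
        print(f"{user}: {'cracked -> ' + found if found else 'not found'}")
```

The salt does not stop this attack; it only forces the attacker to run the candidate list once per account rather than once for the whole store. What raises the cost per guess is a slow key-derivation function, and what defeats the attack is a password that no name-plus-dictionary script will generate.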
3.3 Social Engineering
Social engineering is an attempt to exploit weaknesses in the organization's security
policy, paying particular attention to deficiencies in end-user awareness of
security policy and procedures (Winkler, 1997; Guttman et al., 1997; Mitnick, 2003). Threat agents
have long discovered that when it comes to enterprise security, employees are the weakest link.
Davidoff (2012) states that "Rather than hammering away at servers in a company's DMZ, many
attackers now take an easier route to compromising an organization – sending employees alluring
phishing emails in order to steal credentials or drop a malicious payload."
3.4 Systems Configuration
Gardiner (2012) states that exploitation of system configuration arises from
vulnerabilities due to how the system was configured, or due to bugs in the system. The Centre
for the Protection of National Infrastructure, CPNI (2012), states that secure configurations
"prevent attackers from exploiting services and settings that allow easy access through networks
and browsers".
Dalton & Choo (2001) warn that once a threat agent has compromised one component
of a system, the agent may use it to launch a staged attack across the authorized
interfaces that exist between that component and other trusted components in the system.
3.5 Applications Software
Hackers exploit vulnerabilities in application software to breach security. In an
August 2010 article in ComputerWorldUK, Keizer (2010) reported on the Windows DLL-loading
flaw, termed "binary planting" by Acros Security and publicized shortly before by HD Moore of
Rapid7, as follows:
An unpatched problem with Windows applications is much worse than first
thought, with hundreds of programs, not just 40, vulnerable to attack, according
to a Slovenian security company.
"It was a shocking surprise," said Mitja Kolsek, CEO of Acros Security. "It
appears that most every Windows application has this vulnerability." Yesterday,
Kolsek said that Acros has been digging into a new class of vulnerabilities for
months, has found more than 200 flawed applications harbouring more than 500
separate bugs, and reported its findings to Microsoft more than four months ago.
In other words, the problem is much more widespread than Moore let on. "We
examined a bunch of applications, more than 220 from about 100 leading
software vendors, and found that most every one had the vulnerability," said
Kolsek. Acros built a specialised tool to help its researchers pinpoint which
applications were vulnerable.
3.6 Malicious Code (Viruses and Trojans)
The objective of malicious code attacks is to damage systems or the data they
contain. Marchany & Trott (2002) state that earlier attacks focused on the server (where data was
stored), and later on the networks feeding into the server. As countermeasures became more
sophisticated, however, threat agents shifted their attention to the client side, which they suggest
is where most network security architectures collapse.
Webopedia (2012) defines a computer virus as "a piece of code that is loaded onto your
computer without your knowledge and runs against your wishes. Viruses can also replicate
themselves. A simple virus that can make a copy of itself over and over again is relatively easy to
produce. Even such a simple virus is dangerous because it will quickly use all available memory
and bring the system to a halt. An even more dangerous type of virus is one capable of
transmitting itself across networks and bypassing security systems." The same source describes a
worm as a special type of virus that replicates itself and consumes memory but does not attach itself
to other programs.
SearchSecurity (2012) defines a Trojan horse as "a program in which malicious or
harmful code is contained inside apparently harmless programming or data in such a way that it
can get control and do its chosen form of damage, such as ruining the file allocation table on your
hard disk."
An article on the website of the Internet security company F-Secure (2012) reports that the
trojan horse "Back Orifice" "allows an intruder to monitor and tamper with Windows 95 and
Windows 98 computers over the Internet. There is no easy way for a computer user to know the
attack is taking place, and there is no easy way to stop the attack once Back Orifice has installed
itself on the computer."
3.7 DENIAL OF SERVICE
SearchSoftwareQuality (2012) states: "A denial of service (DoS) attack is an incident in
which a user or organization is deprived of the services of a resource they would normally expect
to have. In a distributed denial-of-service, large numbers of compromised systems (sometimes
called a botnet) attack a single target. The most common kind of DoS attack is simply to send
more traffic to a network address than the data buffers can accommodate."
This type of attack is meant to defeat the core aspect of availability.
4.0 MITIGATION TECHNIQUES
The mitigation techniques are simply e-business security strategies designed to protect the integrity of the
business network and its internal system, while also ensuring that transactions between the business and
authorized partners are secured.
Several of the chief mitigation techniques used in e-business security include firewalls, encryption
technologies, security protocols, intrusion detection systems, anti-virus protection and honey pots.
4.1 Firewalls
The firewall is the main tool in protecting the organization's internal network. Firewalls act like
security guards, allowing only authorized external users access to the protected network.
OIT (2012) states that "firewalls allow or block network traffic between devices based upon rules
set up by the firewall administrator. Each rule defines a specific traffic pattern you want the
firewall to detect and the action you want the firewall to take when that pattern is detected." It
was specially noted that a firewall can only operate on communications traffic that physically
passes through it, and has no impact on traffic between devices on the same "side" of the firewall.
In explaining the general operation, OIT (2012) states that:
When the firewall receives a request from a device on one side to communicate
with a device on a different side, it compares information about the request
against each firewall rule in sequence until a match is found. The following
information is considered:
The network address of the device initiating the communication
("source") is compared against the list of sources contained within the
rule.
The network address of the device whose services are requested
("destination") is compared against the list of destinations contained
within the rule.
The service being requested (e.g., Web, mail, file transfer, terminal
session, etc.) is compared against the list of services contained within the
rule.
Additional rules may be coded to determine whether specific types of communication
should be permitted passage through the firewall.
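The sequential, first-match evaluation OIT describes, applied to the two-firewall DMZ topology of section 2.1, as an added example written for this page (not code from OIT, KnowledgeLeader or Chaffey). The addresses use the documentation ranges 192.0.2.0/24 for the DMZ and 203.0.113.0/24 for the Internet, and the server roles and rule sets are this example's own assumptions. It also includes the check a practitioner runs on a rule base before deploying it: whether any rule is shadowed by an earlier, broader one.

```python
# Added example (not from the paper or the sources it cites): a first-match
# packet filter that evaluates rules in sequence, applied to the front-end and
# back-end firewalls of a DMZ. Addresses, hosts and rules are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # CIDR, a single address, or "any"
    dst: str
    ports: FrozenSet[int]     # destination TCP ports; empty set means any port
    comment: str = ""


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


class Firewall:
    """Rules are matched in order; the first match decides, else the default."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules, self.default = list(rules), default

    def decide(self, src: str, dst: str, port: int) -> Tuple[str, Optional[int]]:
        """Return (action, index of the rule that fired, or None for the default)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for i, rule in enumerate(self.rules):
            if (s in _net(rule.src) and d in _net(rule.dst)
                    and (not rule.ports or port in rule.ports)):
                return rule.action, i
        return self.default, None


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet inner could match is already matched by outer."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and (not outer.ports or (bool(inner.ports) and inner.ports <= outer.ports)))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them.
    A deny placed after a broad allow is the classic ordering mistake."""
    return [j for j, r in enumerate(rules) if any(covers(rules[i], r) for i in range(j))]


WEB, MAIL_RELAY = "192.0.2.10", "192.0.2.20"        # hosts in the DMZ
DB, MAIL = "10.0.1.5", "10.0.1.20"                   # hosts on the internal network

# Front-end firewall (Internet -> DMZ): only the services the business needs.
FRONT_END = Firewall([
    Rule("allow", "any", WEB, frozenset({443}), "public HTTPS to the web server"),
    Rule("allow", "any", WEB, frozenset({80}), "HTTP, redirected to HTTPS by the server"),
    Rule("allow", "any", MAIL_RELAY, frozenset({25}), "inbound mail to the relay"),
    Rule("deny", "any", "any", frozenset(), "explicit default deny, logged"),
])

# Back-end firewall (DMZ -> internal): DMZ hosts may initiate almost nothing.
BACK_END = Firewall([
    Rule("allow", WEB, DB, frozenset({5432}), "web/application tier to the database"),
    Rule("allow", MAIL_RELAY, MAIL, frozenset({25}), "relay to the internal mail server"),
    Rule("deny", "192.0.2.0/24", "10.0.0.0/8", frozenset(), "no other DMZ-to-internal traffic"),
    Rule("deny", "any", "any", frozenset(), "explicit default deny, logged"),
])

# A mis-ordered rule set: the broad allow hides the deny that follows it.
MISORDERED = [
    Rule("allow", "any", "192.0.2.0/24", frozenset(), "allow everything into the DMZ"),
    Rule("deny", "any", WEB, frozenset({22}), "no SSH to the web server (never fires)"),
]


def walk_through(fw: Firewall, src: str, dst: str, port: int) -> str:
    action, idx = fw.decide(src, dst, port)
    why = fw.rules[idx].comment if idx is not None else "implicit default"
    return f"{src} -> {dst}:{port} {action} ({why})"


if __name__ == "__main__":
    print(walk_through(FRONT_END, "203.0.113.7", WEB, 443))
    print(walk_through(FRONT_END, "203.0.113.7", WEB, 22))
    print(walk_through(FRONT_END, "203.0.113.7", DB, 5432))
    print(walk_through(BACK_END, WEB, DB, 5432))
    print(walk_through(BACK_END, WEB, MAIL, 25))
    print("shadowed rules in MISORDERED:", shadowed_rules(MISORDERED))
```

Two design points are worth noting. The explicit default-deny rule at the end of each list exists so that the drop is logged and visible rather than silent; and the back-end list shows what "the DMZ host is not able to initiate a session back into the private network" means in rule form: the web server may open exactly one connection inward, to the database port, and nothing else.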
4.2 Encryption
Encryption technology works by coding and scrambling messages so that they cannot be accessed
or understood by unauthorized parties. Using encryption all messages are encrypted using an
encryption algorithm in conjunction with an "encryption key" and can only be decrypted using a
matching "decryption key", thereby preventing access by unauthorized third parties who do not
possess the keys pertaining to the messages being transmitted (Laudon & Laudon, 2002).
Currently, there are two main varieties of encryption available for protecting the confidentiality of
E-Business information. These are private key encryption and public key encryption:
4.2.1 Private Key Encryption
According to Chaffey (2009), private key (symmetric) encryption involves
both parties having an identical (shared) key that is known only to them. Only this key
can be used to encrypt and decrypt messages. The secret key has to be passed from one
party to the other before use, in much the same way as a copy of the key to a secure
attaché case would have to be sent to the receiver of information. This approach has
traditionally been used to achieve security between two separate parties, such as major
companies conducting EDI, where the private key is sent out electronically or by courier
to ensure it is not copied.
With respect to e-commerce this is not a practical option, for the following
reasons:
a. high risk of a confidentiality breach while the secret key is being shared
between purchaser and merchant
b. control of the key is lost once it is shared
c. a merchant would have to manage a separate key for every customer
4.2.2 Public Key Encryption
Public Key Infrastructure (PKI), which uses public key encryption, is considered a
far more practical approach and has continued to gain widespread use and
acceptance in e-commerce transactions. Unlike symmetric encryption, asymmetric
encryption does not require the sharing of a secret key; instead each party holds a pair
of related but different keys, one used to encode and the other to decode messages. The
other requirement is to ensure that the person presenting a public key is who they claim
to be (authentication). This is achieved through trusted intermediaries called certificate
authorities (CAs), which perform this verification and issue a certificate that both acts as
an authentic copy of the public key of an individual or organization and provides
identification information.
Using PKI, a user receiving a message uses the CA's public key to verify the CA's
signature on the certificate that accompanies the message. This confirms that the CA
issued the certificate and enables the receiver to send an encrypted reply using the
sender's public key contained in the certificate. An example of a popular CA is Verisign
Inc. (Laudon & Laudon, 2002).
Chaffey (2009) describes how public-key encryption is used in a typical e-
commerce transaction:
a) A customer can place an order with a merchant by automatically
looking up the public key of the merchant and then using this key to encrypt the
message containing their order.
b) The scrambled message is then sent across the Internet and, on
receipt by the merchant, is read using the merchant's private key.
In this way only the merchant, who holds the only copy of the private key, can read
the order. In the reverse direction, the merchant can confirm the customer's identity by
checking a digital signature that the customer created with their private key, using the
customer's public key to verify it. In practice, because public-key operations are slow
and can only handle short messages, the public key is used to protect a short, randomly
generated symmetric session key, and the order itself is encrypted with that session key;
this is the approach SSL takes (section 4.2.3).
4.2.3 Secure Sockets Layer
A commonly used technique for encrypting data as it passes across the Internet
from a customer's web browser to a merchant's web server is the Secure Sockets Layer
(SSL) protocol, since superseded by Transport Layer Security (TLS). SSL protects the
data only while it is in transit; once the details are stored on the computers at either end
of the transaction they must be protected by separate measures, such as encryption at
rest and access control.
Using SSL, the server sets up a secure connection at the request of the client; the
client authenticates the server through its certificate, and the client and server then
negotiate symmetric keys to encrypt and decrypt the messages. These keys are valid only
for that session and remain valid only for the duration of the transaction.
4.3 Honey Pots
The SANS Institute (2003) describes honey pots as fake computer systems that are set
up as "decoys", and are used to collect data on intruders. This "decoy" appears to contain
operating system vulnerabilities that make it an attractive target for hackers. A honey
pot, loaded with fake information, appears to the hacker to be a legitimate machine.
While it appears vulnerable to attack, it actually prevents access to valuable data,
administrative controls and other computers. Deception defenses can add an
unrecognizable layer of protection.
As long as the hacker is not scared away, system administrators can now collect
data on the identity, access and compromise methods used by the intruder. Honey Pots
are set up to monitor the intruder without risk to production systems or data.
The concept of a Honey Pot is to learn from the intruder's actions. This
knowledge can now be used to prevent attacks on the "real" production systems, as well
as diverting the resources of the attacker to the “decoy” system.
Because of their nature, honey pots offer a number of advantages in mitigating
attacks. A honey pot causes an intruder to spend effort on a system whose compromise
does no harm to production servers. If attackers suspect that a network contains honey
pots, fewer of them will invade a network known to monitor and capture their activity in
detail. The bogus data that honey pots supply can also cause attackers significant
confusion.
From the administrator's perspective, honey pots provide valuable data on the
methods and patterns used to attack systems, whether by internal or external
intruders.
5.0 GOVERNMENT’S ROLE
Governments play several important roles in encouraging and facilitating e-commerce:
they are active participants in e-commerce, they facilitate the building of the necessary technical
infrastructure and legal/regulatory framework, and they provide the necessary reassurance to their citizens.
Blakely & Matsuura (2001) state that governments, "through online transactions, provide
different types of services to their citizens and others, ranging from relatively simple informational
transactions to the issuing of licenses, payment of taxes and fines, issuing permits, etc." As the largest
users of goods and services, governments are able to leverage their scale through better price points
in the purchase of goods and services. First-hand experience of e-commerce activities provides valuable
information to government officials, who must take a collaborative approach with their private sector
partners to improve the service. They further state that this role will ensure that the rules and regulations
governments legislate will be far more balanced and reasonable, since governments themselves will be
governed by those rules and regulations in their capacity as participants in e-commerce activities.
Marchi (2010), in his address to the United Nations, stated that governments had the
responsibility to create the right environment for the use and development of ecommerce both
domestically and internationally. The role of governments in this regard, he stated, should be to provide
access to new technology and not to impede their development.
One chief area of involvement argued by Blakely & Matsuura (2001) is to ensure a reliable,
robust and secure telecommunications network. They state that “ when governments wish to provide their
citizens ….. or others outside their national boundaries – with ready access to information or wish to
facilitate the conduct of online transactions with those governments, access to them (and by their
citizens/customers) to fast, robust, and reliable telecommunications networks become critical.”
One drawback to widespread adoption of e-commerce is the vulnerability (real or
imagined) that citizens experience through a feeling of exposure and loss of control over sensitive
information once it has been placed in cyberspace. Citizens therefore look to governments
for protection, in terms of ensuring the privacy and consequently the security of that information.
Consumers expect and assume that the laws and regulations that protect them in the physical (brick-and-
mortar) world will apply in the virtual world. Many have found, however, that the existing legal
framework does not necessarily apply, and that laws need to be written or updated to offer the
protection needed. Currently this is a matter that different governments treat differently.
Ackerman & Davis (n.d.) write: "Some people consider privacy to be a fundamental right; others
consider it to be a tradable commodity". They further state that "In the US, privacy is largely a matter of
economics; with the admonition that caveat emptor is the rule for consumers. Once data are provided by
an individual to an ecommerce or anyone else, all rights to that data is lost." On the other hand, they
write, "Europeans must unambiguously give consent after being informed as to why the information will
be used …….. Unlike in the US, European customers can have incorrect or unlawfully processed data
corrected, blocked, or erased, and consumers can even require that third parties who have seen the
incorrect data be notified."
The August 2002 draft Discussion Paper, A Jamaican Ecommerce Blueprint, prepared for the
Commonwealth Secretariat and the Government of Jamaica, reported that a number of significant
legislative changes had to be effected to facilitate the development of ecommerce in Jamaica. These
included digital signatures and authentication, the Evidence Act, The Sale of Goods Act and the Privacy
Act.
Since 2002, Jamaica has made strides on the legal front and has enacted the Electronic
Transactions Act. The Act, authorized by L.N. 11/2010, states as its objects to:
a. facilitate electronic transactions by means of reliable electronic documents;
b. promote the development of the legal and business infrastructure to implement
secure electronic commerce;
c. eliminate barriers to electronic commerce resulting from uncertainties over
writing and signature requirements;
d. promote public confidence in the integrity and reliability of electronic documents
and electronic transactions, in particular through the use of encrypted signatures
to ensure the authenticity and integrity of electronic documents;
e. establish uniformity of legal rules and standards regarding the authentication and
integrity of electronic documents;
f. facilitate electronic filing of information with Government Agencies and
statutory bodies and to promote efficient delivery of Government services by
means of reliable electronic documents.
6.0 DEVELOPING POLICIES AND PLANS (E-SECURITY STRATEGY)
Industry experts agree that the only certainty about e-Business security is that no system
is absolutely secure. The reality is that the industry is inundated by security breaches, and it is
only a matter of time before every organization is threatened or breached, and on numerous occasions.
Presentation – Richard Hollis - eCrimeWales 2010
In his presentation at the eCrimeWales summit in 2010, Richard Hollis, CEO of Orthus Ltd.,
opined that organizations must develop a structured and perpetually ongoing approach to the development
of security policies and procedures. This approach begins with an analysis of the assets being protected
and the implications of failure. Additionally, the analyst should be informed on the state of the industry;
the security measures being taken by other companies, partners and competitors; best practices; and the
legal requirements.
Furthermore, security analysts should carry out a risk assessment. First, they identify the
assets of value to the organization and determine the threats to each asset. Secondly, they
quantify the probability of each threat being exploited; thirdly, they calculate the impact of each
incident on the organization; and finally, they implement cost-effective measures to mitigate (or minimize) the
impact of the threats.
Based on the extent of each risk (cost and probability), a policy manual ought to be developed to decide the
course of action for each eventuality. These documented actions will fall into one of the following
categories:
Accept the threat
Avoid the threat
Reduce the threat
Transfer the threat
Negate the threat
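The following is an added worked example of the assessment just described: each asset/threat pair gets a probability and an impact, the annualized loss expectancy is computed, and a treatment from the five categories above is chosen on cost-effectiveness grounds. It is not code from this paper or from Hollis's presentation; the assets, threats, probabilities, currency figures and decision thresholds are all constructed for illustration.

```python
"""Worked risk register: identify assets and threats, estimate probability and
impact, then pick a cost-effective treatment (accept/avoid/reduce/transfer/negate).
Added illustration; every figure and threshold below is an assumption."""
from dataclasses import dataclass
from typing import List

TREATMENTS = ("accept", "avoid", "reduce", "transfer", "negate")


@dataclass
class Risk:
    asset: str
    threat: str
    annual_rate: float      # expected incidents per year (annualized rate of occurrence)
    impact: float           # loss per incident, in currency units (single loss expectancy)
    control: str            # candidate countermeasure (constructed)
    control_cost: float     # annual cost of that countermeasure
    residual_rate: float    # expected incidents per year if the countermeasure is deployed

    @property
    def ale(self) -> float:
        """Annualized loss expectancy with no countermeasure: rate x impact."""
        return self.annual_rate * self.impact

    @property
    def net_benefit(self) -> float:
        """Loss avoided per year minus what the countermeasure costs per year."""
        avoided = (self.annual_rate - self.residual_rate) * self.impact
        return avoided - self.control_cost


def recommend(risk: Risk, appetite: float, catastrophic: float) -> str:
    """Map one risk to a policy category. Thresholds are assumptions:
    appetite     - annual loss the organization is willing to carry untreated
    catastrophic - single-incident loss it could not survive uninsured"""
    if risk.ale <= appetite:
        return "accept"                     # too small to justify a control
    if risk.net_benefit > 0:                # the control pays for itself
        return "negate" if risk.residual_rate == 0 else "reduce"
    if risk.impact >= catastrophic:
        return "transfer"                   # control uneconomic, loss unbearable: insure
    return "avoid"                          # control uneconomic: retire the exposing activity


def build_register(risks: List[Risk], appetite: float, catastrophic: float) -> List[dict]:
    """Rank risks by exposure (highest ALE first) and attach a treatment to each."""
    ranked = sorted(risks, key=lambda r: r.ale, reverse=True)
    return [{"asset": r.asset, "threat": r.threat, "ale": r.ale,
             "treatment": recommend(r, appetite, catastrophic)} for r in ranked]


# Constructed sample register for a small online-banking operation.
SAMPLE_RISKS = [
    Risk("customer database", "SQL injection through the web front end",
         0.6, 200_000, "input validation and web application firewall", 30_000, 0.05),
    Risk("payment switch", "data-centre fire", 0.02, 5_000_000,
         "fire suppression system", 60_000, 0.01),
    Risk("legacy dial-in modem", "unauthorized remote access", 0.3, 100_000,
         "decommission the modem", 500, 0.0),
    Risk("web chat attachments", "malware uploaded by customers", 0.4, 40_000,
         "rewrite the upload module", 50_000, 0.05),
    Risk("backup tapes", "loss in transit", 0.1, 2_000,
         "encrypt tapes", 1_000, 0.1),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, appetite=5_000, catastrophic=1_000_000):
        print(f"{row['ale']:>12,.0f}  {row['treatment']:<9} {row['asset']}: {row['threat']}")
```

Running the sample yields "reduce" for the database, "transfer" for the payment switch, "negate" for the modem, "avoid" for the chat uploads and "accept" for the tapes; the point is that the same register, re-run as rates, impacts and control costs change, is what keeps the policy manual current.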
With respect to best practices, organizations are encouraged to document and revisit their security
questions and answers religiously, because security threats are in a constant state of change; hence actions
(preemptive and reactive) must be equally dynamic. In closing, Hollis suggested that, as part of the
process, organizations should let answers drive decisions, start with best practices, reassess and change
continually, and finally not expect to stick to decisions in perpetuity, but rather stick to the
process.
Presentation – Dan Haagman eCrimeWales 2008
In his presentation at the eCrimeWales summit in 2008, ethical hacker Dan Haagman explained that
the function of ethical hackers is similar to that of other hackers, except that their objective is not
criminal, but to provide information to experts in computer forensics, the investigative team and
law enforcement. Their efforts help security administrators to better inform their strategies for
protecting their various networks.
Haagman suggested that instead of rushing to purchase the latest security appliances, software,
etc., analysts should take their time to understand what they are trying to protect, the business itself,
and what goes on within it. Critically, they should attempt to determine how attackers gain or retain access to
their networks.
Hackers threaten a system either because you are the target of the attack, or because they plan to use your
system as a staging ground from which to launch attacks on other systems. How do they gain access? Security
administrators continue to focus on fortifying their architecture, making it increasingly less vulnerable to
unauthorized access. As a consequence, hackers have shifted their attention to vulnerabilities in
applications. Their success can be seen in the statistic that 5 of every 7 attacks occur through exploiting
vulnerabilities in applications.
Haagman suggests that a major weakness is that applications are vulnerable because the
testers do not test them effectively. The large majority of testers do not use the mindset of a
hacker, which is to “break” the application to discover its vulnerabilities. Instead, they test that these programs
function in processing set tasks. Once an application is broken, hackers will search the internet for the same
application (developed by the same vendor) and use the same technique to break into other systems.
The opportunity that applications present is that they have been authorized to communicate with sensitive
data that may reside behind firewalls, and as such can be subverted to request and harvest sensitive data.
In some instances hackers elevate their own privileges to further increase access, and leave malware
on the server in order to retain access.
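The testing gap Haagman describes, as an added example that is not from this paper or his presentation: a constructed "transfer amount" field for an online-banking form, parsed once the way a tester checking that "the task gets processed" would accept it, and once with an explicit grammar. The functional cases pass against both; only the abuse cases tell them apart. The per-transaction ceiling and the case lists are assumptions.

```python
"""Functional tests versus abuse-case tests for one input field.
Added illustration; the amount ceiling and all sample inputs are constructed."""
import re
from decimal import Decimal
from typing import Callable, List

MAX_CENTS = 1_000_000_00          # assumed ceiling: 1,000,000.00 per transfer

# Accepted grammar: integer part without leading zeros (up to 7 digits) plus an
# optional ".dd" fraction. ASCII digits only; no sign, whitespace or exponent.
# fullmatch() is used rather than "$", which would tolerate a trailing newline.
STRICT = re.compile(r"(0|[1-9][0-9]{0,6})(\.[0-9]{2})?")


def naive_parse(text: str) -> int:
    """What a 'does it process the task?' test suite signs off: it works for
    every ordinary value, because float() is generous about what it accepts."""
    return int(round(float(text) * 100))


def parse_amount(text: str) -> int:
    """Hardened version: the grammar is explicit, so everything float() would
    quietly tolerate (signs, exponents, whitespace, non-ASCII digits, NaN,
    underscores) is rejected before it reaches business logic."""
    if not isinstance(text, str) or STRICT.fullmatch(text) is None:
        raise ValueError("malformed amount")
    cents = int(Decimal(text) * 100)          # exact arithmetic, no float rounding
    if not 0 < cents <= MAX_CENTS:
        raise ValueError("amount out of range")
    return cents


# Constructed functional cases: what the happy-path suite covers.
FUNCTIONAL_CASES = ["12.50", "1000", "0.99"]

# Constructed abuse cases: what someone trying to break the field would submit.
ABUSE_CASES = ["-5.00", "+10", "1e9", " 10", "10\n", "1_000", "nan", "inf",
               "\u0663", "12,50", "0", "99999999.00", "", "10.5"]


def accepted_by(parser: Callable[[str], int], cases: List[str]) -> List[str]:
    """Return the inputs the parser accepts without raising."""
    accepted = []
    for case in cases:
        try:
            parser(case)
            accepted.append(case)
        except (ValueError, OverflowError, TypeError):
            pass
    return accepted


if __name__ == "__main__":
    print("naive parser accepts :", accepted_by(naive_parse, ABUSE_CASES))
    print("strict parser accepts:", accepted_by(parse_amount, ABUSE_CASES))
```

The naive parser accepts negative amounts, exponents ("1e9"), surrounding whitespace and the Arabic-Indic digit three ("\u0663"), none of which a functional test would ever have submitted; the strict parser accepts none of the abuse cases while still passing every functional case. Writing the abuse table is the "break it" mindset the text asks testers to adopt.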
The function of a firewall is not to deny all access to an e-commerce system, since
many “unauthorized” users (especially in a retail business) are expected to interact with the organization.
Firewalls should therefore be regarded as probability-reduction devices or security filters that mitigate
breaches by reducing exposure, that is, by limiting the number of open ports. The main vulnerability
of firewalls is that they are either configured incorrectly or their rules and policies are not effectively
managed. A common weakness in large systems arises as the security base of the firewall becomes eroded
because multiple individuals or teams adjust the rules and policies without the necessary communication
among themselves. An adjustment made to suit one area therefore exposes another.
In summarizing, Haagman recommends that the matter of protection be addressed sensibly
and not through some knee-jerk reaction. He opines, “Never feel that your business does not have
anything to offer a hacker; know your business, educate yourself to the best practices and latest
techniques and threats; and configure your firewalls with the knowledge of what you are trying to reduce
the probability of.”
7.0 STATE OF E-SECURITY IN JAMAICA (A QUALITATIVE STUDY)
As part of a qualitative analysis, a survey was conducted among several Information Technology
professionals from the Banking, Insurance and Services industries in Jamaica. The following is a direct
synopsis of the findings:
Although slow to the party, Jamaica now offers a number of e-Services, including e-Banking:
electronic transfer of funds between accounts, bill payments, and checking of account balances. In
the Insurance industry, Individual Life clients can view policy details online and pay their
premiums using a credit card. Pension clients can view their pension statements online (detailing
their pension contributions and accumulated funds) and also make Electronic Health Claim submissions.
Some Government agencies offer services such as tax payments, and the RGD offers access to
documents such as birth certificates, marriage certificates, death certificates, etc. These are only examples
of the types of e-services available; however, most e-transactions on offer in Jamaica appear to involve
financial transactions.
The respondents aired a number of specific security concerns related to breaches. A major
concern relates to phishing, where undisciplined users are lured to fictitious sites that pose as the
legitimate web portals of financial institutions. The most common concern with
respect to security breaches is unauthorized access to customer accounts and personal health records, and
identity theft. The risks are, however, not all from external breaches; there are significant internal risks
from unauthorized users gaining confidential information, for example the accumulated fund values for a
client. Another risk is the disclosure of beneficiary information for funds or the proceeds of a claim.
Regarding security measures, James Arscott stated that “some companies have antivirus/anti-
malware software, but many times it is outdated. The only other security they have in place is a firewall,
which is sometimes poorly configured, outdated and not monitored. Most consider Intrusion
detection/prevention unnecessary. Most have no formally documented policy regarding use/misuse of
network/IT resources. Many ignore Intellectual Property rights.” He also indicated that the use of
unauthorized software on a system can jeopardize the security of that system.
In response to the question on the considerations given in the design of a secure system,
several measures were identified, namely: limiting the number of persons who have physical access to
an individual's workstation; the use of updated anti-malware software and virus scanners; installing personal
firewalls; avoiding certain websites and applications and applying software patches where necessary; keeping
oneself informed about the latest developments and news on security; and ensuring a two-tiered security system such as
user name and password, followed by challenge questions which have to be answered based on stored
information previously provided by the end-user.
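The two-tiered scheme the respondents describe (user name and password, then challenge questions answered against stored information), as an added example that is not code from this paper or from any of the institutions surveyed. The account, question and answers are constructed, and the PBKDF2 work factor and lockout threshold are assumptions. Neither the password nor the answers are stored in clear; answers are normalized before hashing so that spelling variants of the same answer match, and a failure at either tier sends the session back to tier one.

```python
"""Two-tier login: password, then a challenge question answered against a
stored verifier. Added illustration; account data and thresholds are constructed."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict

ITERATIONS = 100_000      # assumed PBKDF2 work factor
MAX_FAILURES = 5          # assumed lockout threshold, counted across both tiers


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def normalise_answer(answer: str) -> str:
    """Compare challenge answers case-, space- and punctuation-insensitively,
    so 'St. Andrew' and 'st andrew' are the same stored answer."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


@dataclass(frozen=True)
class Verifier:
    """Salted PBKDF2 digest; the plaintext secret is never stored."""
    salt: bytes
    digest: bytes

    @classmethod
    def of(cls, secret: str) -> "Verifier":
        salt = os.urandom(16)
        return cls(salt, _derive(secret, salt))

    def check(self, candidate: str) -> bool:
        # constant-time comparison so timing does not reveal how many bytes matched
        return hmac.compare_digest(self.digest, _derive(candidate, self.salt))


@dataclass
class Account:
    username: str
    password: Verifier
    challenges: Dict[str, Verifier]     # question -> verifier of the normalised answer
    failures: int = 0


def enrol(username: str, password: str, answers: Dict[str, str]) -> Account:
    """Store verifiers for the password and for each challenge answer."""
    return Account(username, Verifier.of(password),
                   {q: Verifier.of(normalise_answer(a)) for q, a in answers.items()})


@dataclass
class Session:
    account: Account
    stage: str = "password"       # "password" -> "challenge" -> "done"

    @property
    def authenticated(self) -> bool:
        return self.stage == "done"

    def _fail(self) -> str:
        self.account.failures += 1
        self.stage = "password"   # any failure restarts from tier one
        return "locked" if self.account.failures >= MAX_FAILURES else "denied"

    def submit_password(self, username: str, password: str) -> str:
        """Tier one. Returns 'challenge' when the second tier may begin."""
        if self.account.failures >= MAX_FAILURES:
            return "locked"
        if username != self.account.username or not self.account.password.check(password):
            return self._fail()
        self.stage = "challenge"
        return "challenge"

    def submit_answer(self, question: str, answer: str) -> str:
        """Tier two. Only valid after tier one succeeded in this session."""
        if self.account.failures >= MAX_FAILURES:
            return "locked"
        if self.stage != "challenge":
            return self._fail()   # an answer offered out of order is a failure
        verifier = self.account.challenges.get(question)
        if verifier is None or not verifier.check(normalise_answer(answer)):
            return self._fail()
        self.account.failures = 0
        self.stage = "done"
        return "authenticated"
```

The session object is what enforces the "followed by" in the respondents' description: the challenge cannot be answered before the password has been accepted, and both tiers share one failure counter so that guessing at the second tier is limited just as tightly as guessing at the first.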
In most instances, organizations tend to be more reactive than proactive, typically relying on
software patches and purchased anti-malware. The financial institutions are the exception, however. They
are more conscious of security, make greater efforts to familiarize themselves with industry standards, and most
times make significant efforts to comply (partly because they are forced to by external requirements).
The Bank of Jamaica has also attempted to regulate the same, including credit unions. In many financial
institutions, network vulnerability tests are conducted frequently, and corrective and preventative measures
are put in place, such as intrusion detection systems, along with the hardening of the firewall on a regular
basis.
How concerned are these experts about internal breaches? They agree that these types of
breaches are often overlooked, as more effort is concentrated on external threats. Many people regard
policies and security measures as unnecessary and a nuisance, and are therefore reluctant to
implement them. Managers are especially guilty, always seeking exceptions, thereby leading to a
breakdown of the rules.
Final Comments
The experts accept that nefarious activities are always occurring in cyberspace, but in the
Jamaican environment they are not widely reported. Where stories of e-fraud have been reported,
financial institutions have effectively taken the lead in compensating victims who have suffered from credit
card fraud, identity theft, etc. This action is helpful in allaying some of the fears of existing and potential
eCustomers.
However, one of the major concerns with non-reporting is the danger that IT professionals and
decision makers fall into a false sense of security and complacency, reflected in a lack of urgency in
developing secure systems. Many organizations do not treat the issue of data theft or abuse as a high
priority item because they believe that their data isn't of interest to anyone else. There is also a lack of
understanding that a security breach does not necessarily mean that you are the target, but that your
computers could be used to launch attacks on others. In such cases, you become complicit and equally
responsible for any damage done to others!
The amount of money that is budgeted to security is directly related to the level of concern or
threat level that is perceived. For this reason, lack of education, and the shroud of secrecy and non-
reporting of breaches play into the decisions taken in limiting the funding needed to implement highly
secure systems.
Ms. Wilson-Kelly concludes that Jamaica is far ahead with its implementation of technology and
ought to be proactive with security in e-business. She warns that “in our zest to gain competitive
advantage over competitors that we do not expose our clients to unnecessary risks.”
References
Ackerman, M.S. & Davis, D. (n.d.). Privacy and Security Issues in E-Commerce. New Economy Handbook. Retrieved from http://econ.ucsb.edu/~doug/245a/Papers/ECommerce%20Privacy.pdf
Albion.com (2012). Computer Security: A Practical Definition. Retrieved from http://www.albion.com/security/intro-4.html
Blakely, C.J. & Matsuura, J.H. (2001). E-Government: An Engine to Power E-Commerce Development. Proceedings of the European Conference on E-Government, Dublin, Ireland.
Chaffey, D. (2009). “Security Design for E-Business”. E-Business and E-Commerce Management. Prentice Hall, Essex, England.
Chapple, M. (2012). Front-End/Back-End Firewalls vs. Chassis-Based Firewalls. Retrieved from http://www.searchsecurity.techtarget.com/answer/Front-end-back-end-firewalls-vs-chassis-based-firewalls
Chin, S-K. (1999). “High Confidence Design for Security”. Communications of the ACM, 44 (7), pp. 33-37.
CPNI (2012). Critical Controls. The Centre for the Protection of National Infrastructure. Retrieved from http://www.cpni.gov.uk/advice/cyber/Critical-controls/in-depth/critical-control3/
Dalton, C. & Choo, T.H. (2001). “An Operating Systems Approach to Securing E-Services”. Communications of the ACM, 44 (2), pp. 58-64.
Davidoff, S. (2012). How to Prevent Phishing Attacks with Social Engineering Tests. Retrieved from http://www.Searchsecurity.techtarget.com/tip/How-to-prevent-phising-attacks-with-social-engineering-tests
Deitel, H.M., Deitel, P.J. & Steinbuhler, K. (2001). e-Business & e-Commerce for Managers. Prentice Hall, New Jersey, USA.
E.T.A. (2010). Electronic Transactions Act. Retrieved from http://www.moj.gov.jm/sites/default/files/laws/Electronic%20Transactions%20pgs.%201-34.pdf
Ewens, L. & Hoppe, H. (2007). “Definition of DMZ”. SearchSecurity. Retrieved from http://searchsecurity.techtarget.com/definition/DMZ
F-Secure (2012). Back Orifice. Retrieved from http://www.f-secure.com/v-descs/backori.shtml
Gardiner, B. (2003). E-Business Security in RAG Order. Retrieved from http://www.comp.dit.ie/rfitzpatrick/MSc_Publications/2003_Bryan_Gardiner.pdf
Guttman, E., Leong, L. & Malkin, G. (1999). RFC 2504, “Users' Security Handbook”. The Internet Society. Available from http://www.faqs.org/rfcs/rfc2504.html (accessed 10/03/2003).
Hollis, R. (2010). Video: Presentation at eCrimeWales Summit 2010. Retrieved from http://www.youtube.com/watch?v=gw74naSuT3o
ISO/IEC 17799 (2000). “Information technology – Code of practice for information security management”. International Organization for Standardization.
Keizer, G. (2010). Hundreds of Windows Applications Vulnerable to Attack. Computerworld UK. Retrieved from http://www.computerworlduk.com/news/security/3236271/hundreds-of-windows-apps-vulnerable-to-attack/?intcmp=in_article;related
Kesh, S., Ramanujan, S. & Nerur, S. (2002). “A Framework for Analyzing E-Commerce Security”. Information Management & Computer Security, 10 (4), pp. 149-458.
Kliem, R.L. & Ludin, I.S. (1997). Reducing Project Risk. Gower Publishing Ltd, England.
KnowledgeLeader (2012). E-Commerce Security Best Practice Guidelines. Retrieved from http://www.knowledgeleader.com
Laudon, K.C. & Laudon, J.P. (2002). Management Information Systems: Managing the Digital Firm. Prentice Hall, New Jersey, USA.
Lawrence, E., Corbitt, B., Fisher, J., Lawrence, J. & Tidwell, A. (2000). Internet Commerce. John Wiley & Sons, Milton, Australia.
Marchany, R.C. & Tront, J.G. (2002). E-Commerce Issues. Proceedings of the 35th Hawaii International Conference on System Sciences. IEEE 0-7695-1435-9/02.
Marchi, S. (2001). Speaking Notes: Challenges of the New Economy. Plenary Session IV, World Services Congress 2001, Hong Kong. Retrieved from http://www.publications.parliament.uk/ld199900/ldselect/ldeucom/95/9511.htm
Menezes, A., van Oorschot, P. & Vanstone, S. (1997). Handbook of Applied Cryptography. CRC Press.
Mitnick, K.D. (2003). “Are You the Weakest Link?”. Harvard Business Review, 81 (4), pp. 18-20.
OIT (2012). Office of Information Technology, Princeton University. Retrieved from http://www.princeton.edu/itsecurity/technical/firewalls/how-firewalls-work/
Pfleeger, C.P. & Pfleeger, S.L. (2002). Security in Computing. Prentice Hall, Upper Saddle River, New Jersey.
Rouse, M. (2008). Definition of Nonrepudiation. Retrieved from http://searchsecurity.techtarget.com/definition/nonrepudiation
Rowley, J. (2002). E-Business: Principles and Practice. Palgrave, Hampshire, United Kingdom.
SANS Institute (2003). Retrieved from http://www.sans.org/reading_room/whitepapers/attacking/honey-pots-honey-nets-security-deception_41
SearchSecurity (2012). Definition: Trojan Horse. Retrieved from http://searchsecurity.techtarget.com/definition/trojan-horse
SearchSoftwareQuality (2012). Denial of Service. Retrieved from http://searchsoftwarequality.techtarget.com/definition/denial-of-service
Turban, E., King, D., Lee, J., Warkentin, M. & Chung, H.M. (2002). Electronic Commerce: A Managerial Perspective. Prentice Hall, New Jersey, USA.
Webopedia (2012). Definition of Virus. Retrieved from http://www.webopedia.com/TERM/V/virus.html
Whyte, W.S. (2001). Enabling e-Business: Integrating Technologies, Architectures and Applications. John Wiley & Sons, Chichester, England.
Winkler, I.S. (1995). “Social Engineering: The Only Real Test of Information Systems Security Plans”. Computers & Security, 14 (7), pp. 609.