
Security & Trust In EBusiness Transactions

A Paper Prepared for Proceedings Jamaican institution Of Engineers 2012

Prepared By Dr. Wayde Marr

August 31, 2012

Acknowledgements

I wish to thank the four IT professionals Mr. David Pusey, Mr. Kirk Tyrell, Mr. James Arscott and Ms.

Kay Wilson-Kelly for participating in the qualitative study relating to the state of e-Security in Jamaica.

This information provided the necessary insight to enable a better understanding of the efforts and

measures underlying the state of e-Security in Jamaica.

ABSTRACT

In recent years organizations of all types: for-profit, non-profit, private, public, government or non-

government have all adopted the tenets of e-commerce as an integral part of their standard operating

practice. They have adopted this technological approach to doing business because it provides advantages

for greater efficiency in processing transactions, thereby reducing the necessity for physical facilities and

human resources in manually processing data associated with these transactions.

Organizations have, however, found that strategies of encouragement have not resulted in the desired

speed of adoption of doing business online, and have resorted to some form of coercion by way of process

discrimination, whereby online transactions are given priority over manual transactions. To the extreme,

some organizations have removed the option of conducting business through manual transactions. The

Internal Revenue Service of the United States federal government has already mandated that unless there

are extra-ordinary reasons, tax preparers will no longer have the option to submit manual tax filings after

the year 2012.

It is evident that infrastructure readiness, social preparedness and culture are all direct causes for the

slowness of adoption and growth of e-business. The culture of suspicion has led the common man to

distrust institutions that have shifted diametrically from the age old mantra of the “customer is always

right” to one where institutions appear to have the ability to yield unlimited powers in the application of

fees and charges, make unauthorized levies, hide critical information, misuse information, etc. Such

apparent abuse of consumers has contributed to a state of mistrust and suspicion. This is not only a

technological issue, but also a social one whereby clients are asked to give up control of their most prized

possession (i.e. their personal information) to a system that has, on occasions, proven to be vulnerable to

technical and other breaches.

This paper discusses many of the technical and operational issues related to security in e-transactions, and

analyzes strategies currently employed to temper the widely held perception that e-transactions are a risky

undertaking. It also discusses some of the steps that several Jamaican organizations have taken in securing

transactions in a real sense, while building consumer trust.

1.0 INTRODUCTION

E-Business is now identified as the main driver for future growth in any Business by extending

reach - exposure to potential customers outside of its local boundaries; and richness – provision of

detailed and timely product and service information to its constituents. Although the growth rate in e-business transactions is expected to continue its upward climb, that growth continues to be held back by the fear that sensitive information will be used in a manner that exposes stakeholders to present and future dangers: direct financial harm, harm to personal and professional reputation, and legal exposure.

The purpose of the paper is threefold: a) to show the steps that any organization must take to

secure sensitive information; b) to provide an indication of the security threats that form part of the e-

business landscape, and c) the responsibility that organizations owe their stakeholders in securing customer

information and transactions; and the extra-ordinary security measures that are being undertaken to ensure

sustainability and growth in e-business.

Several models of e-Business Security reflect the fundamental requirements of security. These

typically involve a set of inter-related components that act in accordance with each other to provide a

sturdy, secure system. A significant feature of the model is that each component may function adequately on its own; however, it is only when they all act in concert, as a single robust system, that security is best sustained.

The E-Business Security Requirements System Model (Gardiner, 2003) builds on the Pfleegers' Security Model (Pfleeger & Pfleeger, 2002) of three inter-related pillars, namely Integrity, Confidentiality and Availability. By adding two further components, Authentication and Non-Repudiation, Gardiner builds on the original work of the Pfleegers to develop his own "Five Diamonds of Security" model.

The strategies employed by organizations are many times dictated by legal obligations, best

practices for the industry and the organization's sense of obligation to its stakeholders. Industry experts

agree that although security threats cannot be negated, there are significant benefits in having a plan that

seeks to minimize business risks thus reducing losses from theft, fraud, lost time, embezzlement, etc.

while reducing legal costs and protecting the reputation of the organization.

2.0 PRINCIPLES OF E-SECURITY

In developing a strategy for securing e-business transactions and information, we must first

understand some of the fundamentals as related to security design, including both the physical

infrastructure and logical security systems architecture (topology).

2.1 The Security Infrastructure

According to KnowledgeLeader (2012), best practices related to infrastructure design

dictate the use of a three tier architecture utilizing three separate components; namely the Web Server, the

Application Server and the Database server. At minimum, a security layer is placed between the

untrusted network (the internet) and the organization's applications and sensitive data. The security layer

then provides the necessary screen or filter between stakeholders and the organization.

The security layer consists of a layer of services referred to as a Demilitarized Zone (DMZ)

sandwiched by two Firewalls (front end and back end). The term DMZ, according to Ewens and Hoppe

(2007), comes from the geographic buffer zone that was set up between North and South Korea,

following the UN "police action" in the early 1950s.

2.1.1 Firewalls

Chaffey (2009) describes firewalls as “a specialized software application

mounted on a separate server at the point where the company is connected to the

internet.” He further states that the purpose of firewalls is to prevent unauthorized access

to the organization's assets.

In his article, Chapple (2012) stated that in a multi-tiered system, the front-

end/back-end topology is used where the user interacts with a front-end presentation

server, and where that server in turn interacts with the back-end one. This topology

dictates that a firewall should be placed between the internet and the web server and also

between the web server and the organization's email server (Figure 1).

2.1.2 Demilitarized Zone

According to Ewens & Hoppe (2007), the purpose of the DMZ (demilitarized zone) is to prevent outside access to the organization's data. A number of servers are placed within the DMZ, such as e-mail, FTP and web application servers.

They describe the DMZ as a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that holds company data. A DMZ complements a firewall rather than replacing it: the DMZ host is reachable only through the front-end firewall, and it commonly acts as a proxy server as well. Acting as a proxy, the server plays the role of an intermediary for requests from clients seeking resources from other servers.

Figure 1 - source - Chaffey (2009)

In a typical DMZ configuration for a small company, a separate computer (or

host in network terms) receives requests from users within the private network for access

to Web sites or other companies accessible on the public network. The DMZ host then

initiates sessions for these requests on the public network. However, the DMZ host is not

able to initiate a session back into the private network. It can only forward packets that

have already been requested.

Users of the public network outside the company can access only the DMZ host.

KnowledgeLeader (2012) states that the firewall must be configured to allow connections to the web server only on the ports and services required for business reasons, and that the web server should reside on its own segment, separate and distinct from other servers. The web server hosts the organization's web pages so that these can be served to the outside world. However, the DMZ provides access to no other company data. In the event that an outside user penetrated the DMZ host's security, the web pages might be corrupted but no other company information would be exposed. This holds only if the back-end firewall permits just the specific connections the DMZ servers need into the private network; otherwise a compromised DMZ host becomes a staging point for attacks on the internal systems.

Figure 2 - source Chaffey (2009)

Based on the sensitivity of the data, organizations may choose to add another

level of security by placing another back-end firewall between the organization's email,

FTP and Intranet server, and the sensitive databases (figure 2).

2.2 The Security Requirements Model (A Taxonomy Of Computer Security)

The five components (or diamonds) of the Gardiner model include integrity, confidentiality,

availability, authentication and non-repudiation.

2.2.1 Integrity

Integrity requires "safeguarding the accuracy and completeness of information

and processing methods" (ISO IEC 17799, 2000). Menezes et al. (as cited in Gardiner, 2012) postulate that from a practical point of view maintaining integrity involves the capability to detect any unauthorized insertion, deletion or substitution of data by any unauthorized party. Gardiner (2012) further adds that the attribute of authentication plays a critical role in defining integrity in e-business transactions.

2.2.2 Confidentiality

Confidentiality requires that there should be no unauthorized access to data (ISO

IEC 17799, 2000) while it is being either transmitted or stored by an information system

(Lawrence et al, 2000). In other words, the assurance that information is not accessible

by unauthorized individuals.

2.2.3 Availability

Availability means that Information System (IS) assets of data and services are

available to those who have authorization to access them (Chin, 1999; ISO IEC 17799, 2000). Availability demands that systems are operational and functional at any given moment. Albion (2012) defines "Access Control" as ensuring that users access only those resources and services that they are entitled to access, and that qualified users are not denied access to services that they legitimately expect to receive (that is, that they do not suffer a denial of service).

2.2.4 Authentication

Authentication ensures that individuals are who they claim to be. This requires

that the identity of any parties involved in a transaction or exchange using an IS can be

verified so that each party can be sure that the others are indeed who they purport to be

(Rowley, 2002). Authentication plays a vital role in the success of E-Business

transactions where buyers and sellers alike are skeptical about transmitting important

information over open networks (Gardiner, 2012).

2.2.5 Non-Repudiation

Non-Repudiation requires that the sender of a message cannot deny sending the

message and that the receiver of a message cannot deny receiving the message (Deitel et

al, 2001).

In E-Business non-repudiation is vital to ensuring that legitimate business

transactions are honored and not refuted by any of the parties involved (Turban et al,

2002). Consider for example the potential loss in shipping and handling costs if upon

delivery of several large orders the customers involved denied placing the orders and

refused to accept the goods invoiced (Kesh et al, 2002).

In her contribution to the SearchSecurity website, Rouse (2008) states that non-

repudiation may be defined as the assurance that someone cannot deny something.

Typically, she suggests, “nonrepudiation refers to the ability to ensure that a party to a

contract or a communication cannot deny the authenticity of their signature on a

document or the sending of a message that they originated.”

Designers mimic the use of signatures, which form the basis of the non-repudiation process used within the physical environment, by employing digital signatures within the digital or virtual environment. Rouse (2008) states that:

On the Internet, a digital signature is used not only to ensure that a

message or document has been electronically signed by the person that

purported to sign the document, but also, since a digital signature can

only be created by one person, to ensure that a person cannot later deny

that they furnished the signature.

Since no security technology is absolutely fool-proof, some experts warn

that a digital signature alone may not always guarantee nonrepudiation. It

is suggested that multiple approaches be used, such as capturing unique

biometric information and other data about the sender or signer that

collectively would be difficult to repudiate.

Email nonrepudiation involves methods such as email tracking that are

designed to ensure that the sender cannot deny having sent a message

and/or that the recipient cannot deny having received it.
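The following Go program is an added example, not part of the original paper or of the cited works, of how a digital signature provides the two halves of non-repudiation defined above. The customer signs the order with a private key only they hold and the merchant verifies it with the customer's public key, which is also the check described for the merchant in section 4.2.2; the merchant then signs a receipt so that it cannot deny having received the order. For contrast, the block also computes a message authentication code keyed with a shared secret, which protects integrity between the two parties but cannot prove to a third party which of them produced it. The order text and the shared secret are constructed for the example; Ed25519 is used because it is in Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewSigner gives a party its key pair. The public half is published (for
// example in a certificate); the private half never leaves the party.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignOrder: the customer signs the order with the key only they hold.
func SignOrder(customer ed25519.PrivateKey, order []byte) []byte {
	return ed25519.Sign(customer, order)
}

// VerifyOrder: the merchant, or later an arbitrator, checks the signature with
// the customer's public key. A changed byte in the order, or a signature made
// with any other key, fails the check; the customer cannot deny sending it.
func VerifyOrder(customer ed25519.PublicKey, order, sig []byte) bool {
	return ed25519.Verify(customer, order, sig)
}

// SignReceipt: the merchant signs what it received (order plus the customer's
// signature). The customer keeps the receipt as proof the merchant cannot
// deny receiving the order, the second half of non-repudiation.
func SignReceipt(merchant ed25519.PrivateKey, order, orderSig []byte) []byte {
	return ed25519.Sign(merchant, receiptBody(order, orderSig))
}

func VerifyReceipt(merchant ed25519.PublicKey, order, orderSig, receipt []byte) bool {
	return ed25519.Verify(merchant, receiptBody(order, orderSig), receipt)
}

func receiptBody(order, orderSig []byte) []byte {
	return append(append([]byte("receipt:"), order...), orderSig...)
}

// Tag is the contrast: an HMAC keyed with a secret shared by customer and
// merchant. It protects integrity between the two of them, but because either
// side can compute it, it cannot show a third party who produced it, so it
// gives no non-repudiation.
func Tag(shared, order []byte) []byte {
	m := hmac.New(sha256.New, shared)
	m.Write(order)
	return m.Sum(nil)
}

func TagMatches(shared, order, tag []byte) bool {
	return hmac.Equal(tag, Tag(shared, order))
}

func main() {
	custPub, custPriv := NewSigner()
	merchPub, merchPriv := NewSigner()
	order := []byte("order 4711: 12 x widget, deliver to Kingston, total JMD 36000") // constructed
	sig := SignOrder(custPriv, order)
	fmt.Println("genuine order verifies:    ", VerifyOrder(custPub, order, sig))
	altered := bytes.Replace(order, []byte("12 x"), []byte("120 x"), 1)
	fmt.Println("altered order verifies:    ", VerifyOrder(custPub, altered, sig))
	fmt.Println("merchant's key verifies it:", VerifyOrder(merchPub, order, sig))
	receipt := SignReceipt(merchPriv, order, sig)
	fmt.Println("receipt verifies:          ", VerifyReceipt(merchPub, order, sig, receipt))
	shared := []byte("secret shared by both parties") // constructed
	// The merchant alone can produce a valid tag for an order the customer
	// never placed, so a tag proves nothing about who sent it.
	fmt.Println("merchant-made tag accepted: ", TagMatches(shared, altered, Tag(shared, altered)))
}
```

The binding of signature to public key is what the later paragraph calls a signature that "can only be created by one person"; the caveat in the quoted text still applies, since the private key itself can be stolen or shared, which is why the receipt, the certificate binding the key to an identity, and timestamps are used alongside it.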

In summary of his work, Gardiner (2012) states that the new model recognizes that each

of the identified requirements may exist to some extent in isolation, but only in the area where

each of the requirements overlap with one another, that the security requirements of E-Business

are most likely to be preserved. He however concedes that the model is still quite simplistic, as it

does not identify any single security requirement as being more or less significant than any other.

3.0 THREATS

The following section follows up on our understanding of the e-business security landscape by presenting

an overview of the various techniques and vulnerabilities exploited by threat agents to violate the

principles of the physical security infrastructure and the security topology.

A limited list of the threat techniques includes intercepted data transmissions, password cracking, social engineering, exploitation of application software, malicious code attacks and denial of service.

3.1 Intercepted Data Transmission

Gardiner quotes Whyte ( 2001) as defining the use of intercepting data transmission as a

technique used by threat agents whereby they intercept data transmissions that take place over an

insecure channel such as the Internet using a special network probing device or a workstation

with a network card that is configured to operate in promiscuous mode. “Sniffer” type products

use these measures to harvest passwords, source and destination addresses, information on digital

certificates, etc. The harvested information is then used to gain unauthorized access, passing through the firewall as though it were a legitimate user of an allowed service. This threat seeks to defeat the core aspects of confidentiality, integrity and authentication.

3.2 Password Cracking

Password cracking is a term used to describe methods of gaining unauthorized access to

passwords. This can be achieved through a variety of technical and non-technical means.

Techniques vary from using information obtained by intercepting data transmissions, as described above; "password scripting", described by Pfleeger & Pfleeger (2002) as the writing of scripts with the intention of impersonating the user by trying several possible variations of the user's name in conjunction with a dictionary; "password guessing", which exploits the carelessness of users who choose weak passwords in order to make them more memorable; or simply exploiting the carelessness of users in safeguarding the confidentiality of their passwords.
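As an added example (not from the paper), the Go program below plays both sides of the password-cracking threat just described: a site that stores only a salted, iterated hash of each password, and a cracker that runs the "password scripting" approach, variations of the user's own name plus a small dictionary and common mangling rules, against one stored record. Iterated SHA-256 is a stand-in for a proper password KDF such as PBKDF2 or bcrypt; the user names, passwords and dictionary words are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// Record is what a site should store: never the password itself, only a
// per-user random salt and an iterated hash. Iterated SHA-256 stands in for a
// real password KDF (PBKDF2, bcrypt, scrypt, Argon2); the structure is the same.
type Record struct {
	User  string
	Salt  []byte
	Iters int
	Hash  []byte
}

// Hash derives the stored value: salt || password, then iters-1 further rounds.
func Hash(password string, salt []byte, iters int) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < iters; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

func NewRecord(user, password string) Record {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return Record{User: user, Salt: salt, Iters: 2000, Hash: Hash(password, salt, 2000)}
}

// Verify is the login check. The constant-time compare avoids leaking how many
// leading bytes of the hash matched.
func Verify(r Record, password string) bool {
	return subtle.ConstantTimeCompare(r.Hash, Hash(password, r.Salt, r.Iters)) == 1
}

func title(s string) string {
	if s == "" {
		return s
	}
	return strings.ToUpper(s[:1]) + s[1:]
}

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// Candidates is the "password scripting" step: variations of the user's own
// name, a dictionary, and the mangling rules people apply to make a weak
// password look stronger (capitalise, upper-case, reverse, append a year or
// a few digits).
func Candidates(user string, dict []string) []string {
	bases := append([]string{user}, dict...)
	suffixes := []string{"", "1", "123", "2012", "!"}
	var out []string
	for _, b := range bases {
		for _, form := range []string{b, title(b), strings.ToUpper(b), reverse(b)} {
			for _, s := range suffixes {
				out = append(out, form+s)
			}
		}
	}
	return out
}

// Crack tries every candidate against one stored record. The salt forces the
// work to be redone per record (no precomputed table) and the iteration count
// makes each guess cost Iters hashes, but neither helps a password that is on
// the candidate list.
func Crack(r Record, dict []string) (string, bool) {
	for _, c := range Candidates(r.User, dict) {
		if Verify(r, c) {
			return c, true
		}
	}
	return "", false
}

func main() {
	dict := []string{"password", "kingston", "jamaica", "summer"} // constructed
	records := []Record{ // constructed users and passwords
		NewRecord("wmarr", "Kingston2012"),
		NewRecord("ktyrell", "KTYRELL!"),
		NewRecord("jdoe", "v7!Rq-sand-lantern-92"),
	}
	for _, r := range records {
		pw, ok := Crack(r, dict)
		fmt.Printf("%-8s cracked=%-5v password=%q (%d guesses)\n", r.User, ok, pw, len(Candidates(r.User, dict)))
	}
}
```

The first two records fall in under a hundred guesses each because the passwords are a dictionary word or the user's own name with a predictable decoration; the third is not on any such list, so the same tool never finds it. A real KDF would make each guess thousands of times more expensive than a single SHA-256, which helps against the cracker only in proportion to how far the password is from the candidate list.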

3.3 Social Engineering

Social engineering is an attempt to exploit any weaknesses in the organization's security policy, paying particular attention to deficiencies that exist regarding end-user awareness of security policy and procedures (Winkler, 1997; Guttman et al, 1997; Mitnick, 2003). Threat agents have long discovered that when it comes to enterprise security, employees are the weakest link. Davidoff (2012) states that "Rather than hammering away at servers in a company's DMZ, many attackers now take an easier route to compromising an organization – sending employees alluring phishing emails in order to steal credentials or drop a malicious payload."

3.4 Systems Configuration

Gardiner (2012) states that the exploitation of systems configuration arises from using

vulnerabilities due to how the system was configured, or due to bugs in the system. The Center

for the Protection of National Infrastructure, CPNI (2012) states that secure configurations

“prevent attackers from exploiting services and settings that allow easy access through networks

and browsers”.

Dalton & Choo (2001) warn that once the threat agent has compromised one component of a system, this agent may use it to launch a staged attack across the authorized interfaces that exist between this component and other trusted components in the system.

3.5 Applications Software

Hackers exploit vulnerabilities in application software to breach security. Writing in ComputerWorldUK in August 2010, Keizer (2010) reported:

An unpatched problem with Windows applications is much worse than first

thought, with hundreds of programs, not just 40, vulnerable to attack, according

to a Slovenian security company.

"It was a shocking surprise," said Mitja Kolsek, CEO of Acros Security. "It

appears that most every Windows application has this vulnerability." Yesterday,

Kolsek said that Acros has been digging into a new class of vulnerabilities for

months, has found more than 200 flawed applications harbouring more than 500

separate bugs, and reported its findings to Microsoft more than four months ago.

In other words, the problem is much more widespread than Moore let on. "We

examined a bunch of applications, more than 220 from about 100 leading

software vendors, and found that most every one had the vulnerability," said

Kolsek. Acros built a specialised tool to help its researchers pinpoint which

applications were vulnerable.

3.6 Malicious Code (Viruses and Trojans)

The objective of malicious code attacks is to damage systems or the data that these

systems contain. Marchany & Trott (2002) stated that earlier attempts focused attacks on the

server (where data was stored), and later to the networks feeding into the server. However, as

counter measures became more sophisticated, these threat agents have shifted their attention to

the client side. They suggest that this is where most network security architectures collapse.

Webopedia (2012) defines a computer virus as "a piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems." The same source describes a worm as a special type of virus that replicates itself and uses memory, but does not attach itself to other programs.

SearchSecurity (2012) defines a Trojan horse as "a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk."

An article on the website of the Internet security company F-Secure (2012) reported that the trojan horse "Back Orifice" "allows an intruder to monitor and tamper with Windows 95 and Windows 98 computers over the Internet. There is no easy way for a computer user to know the attack is taking place, and there is no easy way to stop the attack once Back Orifice has installed itself on the computer."

3.7 Denial of Service

SearchSoftwareQuality (2012) states: "A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. In a distributed denial-of-service, large numbers of compromised systems (sometimes called a botnet) attack a single target. The most common kind of DoS attack is simply to send more traffic to a network address than the data buffers can accommodate."

This type of attack is meant to defeat the core aspect of Availability.

4.0 MITIGATION TECHNIQUES

The mitigation techniques are simply e-business security strategies designed to protect the integrity of the

business network and its internal system, while also ensuring that transactions between the business and

authorized partners are secured.

Several of the chief mitigation techniques used in e-business security include firewalls, encryption

technologies, security protocols, intrusion detection systems, anti-virus protection and honey pots.

4.1 Firewalls

The firewall is the main tool in protecting the organization's internal network. Firewalls act like

security guards, allowing only authorized external users access to the protected network.

OIT (2012) states that “firewalls allow or block network traffic between devices based upon rules

set up by the firewall administrator. Each rule defines a specific traffic pattern you want the

firewall to detect and the action you want the firewall to take when that pattern is detected." OIT also notes that a firewall can only act on communications traffic that physically passes through it, and has no effect on traffic between devices on the same "side" of the firewall.

In explaining the general operation, OIT (2012) states that:

When the firewall receives a request from a device on one side to communicate

with a device on a different side, it compares information about the request

against each firewall rule in sequence until a match is found. The following

information is considered:

The network address of the device initiating the communication

("source") is compared against the list of sources contained within the

rule.

The network address of the device whose services are requested

("destination") is compared against the list of destinations contained

within the rule.

The service being requested (e.g., Web, mail, file transfer, terminal

session, etc.) is compared against the list of services contained within the

rule.

Additional rules may be coded to determine whether specific types of communication

should be permitted passage through the firewall.
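The following Go program, added here as an illustration and not part of the original paper or of OIT's material, models the first-match rule evaluation described above and applies it to the two firewalls of the three-tier layout in section 2.1: a front-end rule set in front of the DMZ and a back-end rule set in front of the private network. The addresses, segment names and port numbers are assumptions chosen for the example (documentation address ranges); the ordered rules with a default-deny fallback are the point. Traffic between two hosts inside the DMZ never reaches either rule set, which is the "same side" limitation noted above.

```go
package main

import (
	"fmt"
	"net"
)

// Request is one connection attempt as the firewall sees it: who initiates,
// whom they address, and which service (TCP destination port) they ask for.
type Request struct {
	Src, Dst net.IP
	Port     int
}

// Rule is one entry of an ordered rule set. Evaluation stops at the first
// rule whose sources, destinations and services all match the request.
type Rule struct {
	Name  string
	Src   []*net.IPNet
	Dst   []*net.IPNet
	Ports []int // empty means any service
	Allow bool
}

func cidr(s string) []*net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return []*net.IPNet{n}
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func (r Rule) matches(q Request) bool {
	if !inAny(q.Src, r.Src) || !inAny(q.Dst, r.Dst) {
		return false
	}
	if len(r.Ports) == 0 {
		return true
	}
	for _, p := range r.Ports {
		if p == q.Port {
			return true
		}
	}
	return false
}

// Evaluate applies the rules in sequence. Traffic that matches no rule is
// dropped: a default-deny policy, so a forgotten service is closed, not open.
func Evaluate(rules []Rule, q Request) (allowed bool, rule string) {
	for _, r := range rules {
		if r.matches(q) {
			return r.Allow, r.Name
		}
	}
	return false, "default-deny"
}

// Assumed addressing: Internet -> front-end firewall -> DMZ (web and
// application servers) -> back-end firewall -> internal network (database).
var (
	anywhere = cidr("0.0.0.0/0")
	dmz      = cidr("192.0.2.0/24")
	internal = cidr("10.0.0.0/8")
	webSrv   = cidr("192.0.2.10/32")
	appSrv   = cidr("192.0.2.20/32")
	dbSrv    = cidr("10.0.5.5/32")
)

// FrontEnd: the outside world reaches the web server only on the web ports.
var FrontEnd = []Rule{
	{Name: "inet-to-web", Src: anywhere, Dst: webSrv, Ports: []int{80, 443}, Allow: true},
	{Name: "inet-to-dmz-other", Src: anywhere, Dst: dmz, Allow: false},
}

// BackEnd: only the application server may open the database port; no other
// DMZ host may initiate anything into the private network.
var BackEnd = []Rule{
	{Name: "app-to-db", Src: appSrv, Dst: dbSrv, Ports: []int{5432}, Allow: true},
	{Name: "dmz-to-internal", Src: dmz, Dst: internal, Allow: false},
	{Name: "internal-to-dmz", Src: internal, Dst: dmz, Ports: []int{80, 443}, Allow: true},
}

func main() {
	req := func(s, d string, p int) Request { return Request{Src: net.ParseIP(s), Dst: net.ParseIP(d), Port: p} }
	for _, q := range []Request{
		req("203.0.113.7", "192.0.2.10", 443), // customer browsing the shop
		req("203.0.113.7", "192.0.2.10", 22),  // customer probing SSH on the web server
	} {
		ok, rule := Evaluate(FrontEnd, q)
		fmt.Printf("front-end %s -> %s:%d allow=%v (%s)\n", q.Src, q.Dst, q.Port, ok, rule)
	}
	for _, q := range []Request{
		req("192.0.2.20", "10.0.5.5", 5432), // application server querying the database
		req("192.0.2.10", "10.0.5.5", 5432), // a compromised web server trying the same
	} {
		ok, rule := Evaluate(BackEnd, q)
		fmt.Printf("back-end  %s -> %s:%d allow=%v (%s)\n", q.Src, q.Dst, q.Port, ok, rule)
	}
}
```

The last case is the one the DMZ exists for: a web server that has been taken over is still denied a direct path to the database, because the back-end rule set names the application server, not the DMZ segment, as the only permitted source. Rule order matters; swapping the two BackEnd rules would make the deny match first and silently break the application.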

4.2 Encryption

Encryption technology works by coding and scrambling messages so that they cannot be accessed

or understood by unauthorized parties. Using encryption all messages are encrypted using an

encryption algorithm in conjunction with an "encryption key" and can only be decrypted using a

matching "decryption key", thereby preventing access by unauthorized third parties who do not

possess the keys pertaining to the messages being transmitted (Laudon & Laudon, 2002).

Currently, there are two main varieties of encryption available for protecting the confidentiality of e-business information: private (secret) key encryption, which is symmetric, and public key encryption, which is asymmetric:

4.2.1 Private Key Encryption

According to Chaffey (2009 ), the Private key (symmetric) encryption involves

both parties having an identical (shared) key that is known only to them. Only this key

can be used to encrypt and decrypt messages. The secret key has to be passed from one

party to the other before use in much the same way as a copy of a secure attaché case key

would have to be sent to a receiver of information. This approach has traditionally been used to achieve security between two separate parties, such as major companies conducting EDI. Here the secret key is exchanged over a separate channel, electronically or by courier, in a way intended to ensure it is not copied.

With respect to e-commerce, this is not a practical option for the following reasons:

a. high risk of a confidentiality breach while the secret key is being shared between purchaser and merchant

b. control of the key is lost once it is shared

c. a merchant would also have to manage one key per customer

4.2.2 Public Key Encryption

Public Key Infrastructure (PKI), utilizing public key encryption, is considered a far more practical approach to encryption and has continued to gain widespread use and acceptance in e-commerce transactions. Unlike symmetric encryption, asymmetric encryption does not require the sharing of a "secret" key, but allows partners to use a related but different pair of keys to encode and decode messages: what is encrypted with the public key can be decrypted only with the matching private key. The other aspect is to ensure that the person using the key is who the person claims to be (authentication). This is achieved through the use of trusted intermediaries called certificate authorities (CAs), who perform this verification and issue a certificate that both acts as a valid copy of the public key of an individual or organization and provides identification information.

Using PKI, a user receiving a message uses the CA's public key to verify the CA's signature on the certificate that accompanies the message. This verifies that the CA issued the certificate and enables the receiver to send an encrypted reply using the sender's public key available in the certificate. An example of a popular CA is Verisign Inc. (Laudon & Laudon, 2002).

Chaffey (2009) describes how public-key encryption is used in a typical e-

commerce transaction:

a) A customer can place an order with a merchant by automatically

looking up the public key of the merchant and then using this key to encrypt the

message containing their order.

b) The scrambled message is then sent across the Internet and on receipt by the merchant is read using the merchant's private key.

In this way only the merchant, who has the only copy of the private key, can read the order. In the reverse case, the merchant can confirm the customer's identity by verifying, with the customer's public key, a digital signature that was created with the customer's private key. In practice the public-key operation protects only a short session key, and the order itself is encrypted with that symmetric key, because public-key encryption is far slower than symmetric encryption.

4.2.3 Secure Sockets Layer

A commonly used encryption technique for scrambling data as it is passed across the Internet from a customer's web browser to a merchant's web server is the Secure Sockets Layer protocol (SSL), since succeeded by Transport Layer Security (TLS). The data is encrypted only during the transaction, while it is in transit; details held on the computers at either end are stored in clear unless the application encrypts them separately.

In utilizing SSL, the server sets up a secure connection at the request of the client and proves its identity with its certificate; the client and server then negotiate symmetric keys to encrypt and decrypt the messages. These keys are valid only for that session and remain valid only for the duration of the transaction.
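To make the certificate-authority and session-key steps of 4.2.2 and 4.2.3 concrete, the following Go program is an added example (not code from the paper or its sources). It creates an assumed CA named "Example CA", has it issue a certificate for the assumed merchant host shop.example, and also creates a self-signed impostor certificate claiming the same name. VerifyMerchant performs the browser's check (a chain to a trusted CA plus a host-name match) and Handshake runs an SSL/TLS handshake over an in-memory pipe, so that the client accepts the CA-issued certificate and rejects the impostor's. Everything runs offline; TLS 1.2 is pinned only so that the synchronous in-memory pipe behaves predictably.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// template builds the certificate contents for a CA or for a server named cn.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a key pair and a certificate carrying its public key. With
// parent == nil the certificate is self-signed (a root CA, or an impostor's
// home-made cert); otherwise the parent's key signs it, which is what a CA
// does when it issues a merchant's certificate. Key failures end the demo.
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// PKI is the assumed set-up: a CA, the merchant certificate it issued for the
// assumed host shop.example, and an impostor's self-signed certificate for the same name.
type PKI struct {
	Roots                 *x509.CertPool
	Merchant, Rogue       *x509.Certificate
	MerchantTLS, RogueTLS tls.Certificate
}

func NewPKI() *PKI {
	ca, caKey := issue(template(1, "Example CA", true), nil, nil)
	merchant, mKey := issue(template(2, "shop.example", false), ca, caKey)
	rogue, rKey := issue(template(3, "shop.example", false), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &PKI{Roots: roots, Merchant: merchant, Rogue: rogue,
		MerchantTLS: tls.Certificate{Certificate: [][]byte{merchant.Raw}, PrivateKey: mKey},
		RogueTLS:    tls.Certificate{Certificate: [][]byte{rogue.Raw}, PrivateKey: rKey}}
}

// VerifyMerchant is the check a browser makes before trusting the public key in
// a certificate: the CA's public key verifies the CA's signature on the cert
// (nothing is decrypted), and the cert must name the host being contacted.
func VerifyMerchant(roots *x509.CertPool, cert *x509.Certificate, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Handshake runs a TLS client and server over an in-memory pipe. The client
// trusts only roots and expects host; on success it reports the cipher suite
// whose symmetric session keys were negotiated for this connection alone.
func Handshake(serverCert tls.Certificate, roots *x509.CertPool, host string) (string, error) {
	c, s := net.Pipe()
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{serverCert},
		MaxVersion: tls.VersionTLS12, SessionTicketsDisabled: true})
	cli := tls.Client(c, &tls.Config{RootCAs: roots, ServerName: host, MaxVersion: tls.VersionTLS12})
	done := make(chan error, 1)
	go func() { done <- srv.Handshake(); s.Close() }()
	err := cli.Handshake()
	c.Close()
	<-done
	if err != nil {
		return "", err
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

func main() {
	p := NewPKI()
	fmt.Println("CA-issued merchant cert:", VerifyMerchant(p.Roots, p.Merchant, "shop.example"))
	var unknown x509.UnknownAuthorityError
	err := VerifyMerchant(p.Roots, p.Rogue, "shop.example")
	fmt.Println("impostor rejected as unknown authority:", errors.As(err, &unknown))
	suite, err := Handshake(p.MerchantTLS, p.Roots, "shop.example")
	fmt.Println("TLS to merchant:", suite, err)
	_, err = Handshake(p.RogueTLS, p.Roots, "shop.example")
	fmt.Println("TLS to impostor:", err)
}
```

The impostor's certificate is a perfectly well-formed certificate with a perfectly good key pair; what it lacks is a signature from a CA the client already trusts, and that alone decides the outcome. The session keys that protect the order afterwards are derived during Handshake and discarded with the connection, which is the "valid only for that session" property described above.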

4.3 Honey Pots

The SANS Institute (2003) describes honey pots as fake computer systems that are set

up as "decoys", and are used to collect data on intruders. This "decoy" appears to contain

operating system vulnerabilities that make it an attractive target for hackers. A Honey

Pot, loaded with fake information, appears to the hacker to be a legitimate machine.

While it appears vulnerable to attack, it actually prevents access to valuable data,

administrative controls and other computers. Deception defenses can add an

unrecognizable layer of protection.

As long as the hacker is not scared away, system administrators can now collect

data on the identity, access and compromise methods used by the intruder. Honey Pots

are set up to monitor the intruder without risk to production systems or data.

The concept of a Honey Pot is to learn from the intruder's actions. This

knowledge can now be used to prevent attacks on the "real" production systems, as well

as diverting the resources of the attacker to the “decoy” system.

Because of the nature of honey pots, there are a number of advantages with respect to mitigating attacks. Honey pots cause an intruder to spend energy on a system whose compromise causes no harm to production servers. Also, once attackers know that a network deploys honey pots that monitor and capture their activity in detail, fewer of them will be willing to invade it. Significant confusion may also result from the bogus data honey pots provide to attackers.

From the perspective of the administrators, Honey Pots provide valuable data on the

methods and patterns used to attack systems whether through internal or external

intruders.

5.0 GOVERNMENT’S ROLE

Governments play several important roles in the encouragement and facilitation of e-commerce. These roles include being active participants in e-commerce, facilitators in building the necessary technical infrastructure and legal/regulatory framework, and providers of the necessary reassurance to citizens.

Blakely & Matsuura (2001) state that governments, "through online transactions, provide different types of services to their citizens and others, ranging from relatively simple informational transactions to the issuing of licenses, payment of taxes and fines, issuing permits, etc." As the largest user of goods and services, governments are able to leverage their scale to obtain better price points in the purchase of goods and services. First-hand experience in e-commerce activities provides valuable information to government officials, who must take a collaborative approach with their private sector partners to improve the service. They further state that this role will ensure that rules and regulations legislated by governments are far more balanced and reasonable, since governments will themselves be governed by these rules and regulations in their capacity as participants in e-commerce activities.

Marchi (2010), in his address to the United Nations, stated that governments had the

responsibility to create the right environment for the use and development of ecommerce both

domestically and internationally. The role of governments in this regard, he stated, should be to provide

access to new technology and not to impede their development.

One chief area of involvement argued by Blakely & Matsuura (2001) is to ensure a reliable,

robust and secure telecommunications network. They state that “ when governments wish to provide their

citizens ….. or others outside their national boundaries – with ready access to information or wish to

facilitate the conduct of online transactions with those governments, access to them (and by their

citizens/customers) to fast, robust, and reliable telecommunications networks become critical.”

One of the drawbacks to widespread adoption of e-commerce is the vulnerability (real or imagined) that citizens experience due to a feeling of exposure and a lack of control over sensitive information once it has been placed in cyberspace. Citizens therefore look to governments for protection in terms of ensuring the privacy, and consequently the security, of that information. Consumers expect and assume that the laws and regulations that protect them in the physical (or brick-and-mortar) world will apply in the virtual world. However, many have found that the existing legal framework does not necessarily apply, and that laws need to be written or updated to offer the protection needed. Currently this is a matter that is treated differently by different governments.

Ackerman & Davis (n.d.) write, “Some people consider privacy to be a fundamental right; others consider it to be a tradable commodity”. They further state that “In the US, privacy is largely a matter of economics; with the admonition that caveat emptor is the rule for consumers. Once data are provided by an individual to an ecommerce or anyone else, all rights to that data is lost.” On the other hand, they write, “Europeans must unambiguously give consent after being informed as to why the information will be used … Unlike in the US, European customers can have incorrect or unlawfully processed data corrected, blocked, or erased, and consumers can even require that third parties who have seen the incorrect data be notified.”

The August 2002 draft Discussion Paper, A Jamaican Ecommerce Blueprint, prepared for the Commonwealth Secretariat and the Government of Jamaica, reported that a number of significant legislative changes had to be effected to facilitate the development of ecommerce in Jamaica. These included digital signatures and authentication, the Evidence Act, the Sale of Goods Act and the Privacy Act.

Since 2002, Jamaica has made strides on the legal front and has enacted the Electronic Transactions Act. The Act, authorized by L.N. 11/2010, states as its objects to:
a. facilitate electronic transactions by means of reliable electronic documents;
b. promote the development of the legal and business infrastructure to implement secure electronic commerce;
c. eliminate barriers to electronic commerce resulting from uncertainties over writing and signature requirements;
d. promote public confidence in the integrity and reliability of electronic documents and electronic transactions, in particular through the use of encrypted signatures to ensure the authenticity and integrity of electronic documents;
e. establish uniformity of legal rules and standards regarding the authentication and integrity of electronic documents;
f. facilitate electronic filing of information with Government Agencies and statutory bodies and to promote efficient delivery of Government services by means of reliable electronic documents.

6.0 DEVELOPING POLICIES AND PLANS (E-SECURITY STRATEGY)

Industry experts agree that the only certainty in the matter of e-Business security is that no system is absolutely secure. The reality is that the industry is inundated by security breaches, and it is only a matter of time before every organization is threatened or breached, and on numerous occasions.

Presentation – Richard Hollis – eCrimeWales 2010

In his presentation at the eCrimeWales summit in 2010, Richard Hollis, CEO of Orthus Ltd., opined that organizations must develop a structured and perpetually ongoing approach to the development of security policies and procedures. This approach begins with an analysis of the assets being protected and the implications of failure. Additionally, the analyst should be informed about the state of the industry, the security measures being taken by other companies, partners and competitors, best practices, and the legal requirements.

Furthermore, security analysts should carry out a risk assessment that begins by identifying the assets of value to the organization and determining the threats to each asset. Secondly, they must quantify the probability of each threat being realized; thirdly, calculate the impact of each incident on the organization; and finally, implement cost-effective measures to mitigate (or minimize) the impact of the threats.

Based on the extent of each threat (its cost and probability), a policy manual ought to be developed that decides the course of action for each eventuality. These documented actions will fall into one of the following categories:
Accept the threat
Avoid the threat
Reduce the threat
Transfer the threat
Negate the threat
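The assessment steps and the five treatment categories above can be carried through as a small risk register. The following is an added example, not code from the paper or from Hollis's presentation. Every figure in it is constructed, and the rules that pick a category are my assumptions: a risk is accepted when its expected annual loss is within the organization's loss appetite, reduced when some control pays for itself, negated when that control removes the threat's likelihood entirely, transferred when the loss is rare but large, and avoided otherwise.

```python
"""Risk register for the assess -> quantify -> treat cycle.

Added example, not from the paper or the presentation it summarizes. All
figures are constructed and the decision thresholds are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Treatment(Enum):
    ACCEPT = "accept"
    AVOID = "avoid"
    REDUCE = "reduce"
    TRANSFER = "transfer"
    NEGATE = "negate"   # assumption: a control that drives the threat's likelihood to zero


@dataclass
class Control:
    name: str
    annual_cost: float
    probability_after: float   # residual annual likelihood with the control in place
    impact_after: float        # residual cost per incident with the control in place


@dataclass
class Risk:
    asset: str
    threat: str
    probability: float         # annual likelihood of the threat being realized, 0..1
    impact: float              # cost of a single incident, in currency units
    controls: List[Control] = field(default_factory=list)

    def ale(self) -> float:
        """Annualized loss expectancy: what this risk costs per year on average."""
        return self.probability * self.impact


def best_control(risk: Risk) -> Optional[Control]:
    """The control with the largest positive net benefit, or None if none pays for itself."""
    best, best_net = None, 0.0
    for c in risk.controls:
        if not 0.0 <= c.probability_after <= risk.probability:
            raise ValueError(f"{c.name}: residual probability must lie in [0, {risk.probability}]")
        residual = c.probability_after * c.impact_after
        net = risk.ale() - residual - c.annual_cost      # avoided loss minus what the control costs
        if net > best_net:
            best, best_net = c, net
    return best


def recommend(risk: Risk, appetite: float, transfer_threshold: float) -> Tuple[Treatment, Optional[str]]:
    """Map one risk to a treatment category and the control that justifies it, if any."""
    if risk.ale() <= appetite:
        return Treatment.ACCEPT, None
    control = best_control(risk)
    if control is not None:
        if control.probability_after == 0.0:
            return Treatment.NEGATE, control.name
        return Treatment.REDUCE, control.name
    if risk.impact >= transfer_threshold:      # rare but catastrophic: insure it
        return Treatment.TRANSFER, None
    return Treatment.AVOID, None               # stop the activity that creates the exposure


def prioritise(register: List[Risk]) -> List[str]:
    """Assets ordered by annual loss expectancy, highest first."""
    return [r.asset for r in sorted(register, key=Risk.ale, reverse=True)]


def plan(register: List[Risk], appetite: float, transfer_threshold: float) -> Dict[str, Tuple[Treatment, Optional[str]]]:
    return {r.asset: recommend(r, appetite, transfer_threshold) for r in register}


# Constructed sample register; the values are illustrative, not measured.
REGISTER = [
    Risk("customer database", "SQL injection via web portal", 0.30, 200_000, [
        Control("input validation and web application firewall", 15_000, 0.05, 200_000),
        Control("rebuild the portal from scratch", 60_000, 0.0, 0.0),   # eliminates the threat, but costs more than it saves
    ]),
    Risk("legacy FTP gateway", "credential sniffing on cleartext FTP", 0.40, 50_000, [
        Control("decommission FTP, move partners to SFTP", 5_000, 0.0, 0.0),
    ]),
    Risk("marketing analytics store", "breach of retained card numbers", 0.50, 60_000, [
        Control("tokenize card numbers in place", 40_000, 0.10, 60_000),
    ]),
    Risk("core banking platform", "multi-day outage from datacentre fire", 0.01, 1_000_000),
    Risk("public brochure site", "defacement", 0.20, 10_000),
]

if __name__ == "__main__":
    for asset, (treatment, control) in plan(REGISTER, appetite=5_000, transfer_threshold=100_000).items():
        print(f"{asset:28s} -> {treatment.value:8s} {control or ''}")
```

The point of the `best_control` comparison is the one Hollis makes about cost-effective measures: a control that removes a threat completely is still rejected when it costs more than the loss it prevents, which is why the database risk is reduced rather than negated while the FTP gateway is negated outright.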

With respect to best practices, organizations are encouraged to document and revisit security questions and answers religiously, because security threats are in a constant state of change; hence actions (both preemptive and reactive) must be equally dynamic. In closing, Hollis suggested that, as part of the process, organizations should let answers drive decisions, start from best practices, reassess and change continually, and finally should not expect to stick to decisions in perpetuity but rather to stick to the process.

Presentation – Dan Haagman – eCrimeWales 2008

In his presentation at the eCrimeWales summit in 2008, ethical hacker Dan Haagman explained that the function of ethical hackers is similar to that of other hackers, except that their objective is not criminal intent but to provide information to experts in computer forensics, the investigative team and law enforcement. Their efforts assist security administrators in better informing strategies for protecting their networks.

Haagman suggested that instead of rushing to purchase the latest security appliances, software, etc., analysts should take their time to better understand what they are trying to protect, the business itself, and what goes on in it. Critically, they should attempt to determine how attackers gain or retain access to their networks.

Hackers threaten a system either because you are the target of the attack or because they plan to use your system as a staging ground for attacks on other systems. How do they gain access? Security administrators continue to focus on fortifying their architecture, making it increasingly less vulnerable to unauthorized access. As a consequence, hackers have shifted their attention to vulnerabilities in applications. Their success can be seen in the statistics: 5 of every 7 attacks occur through exploiting vulnerabilities in applications.

Haagman suggests that a major weakness is that applications are vulnerable because testers do not test them effectively. The large majority of testers do not adopt the mindset of a hacker, which is to “break” the application to discover its vulnerabilities; instead, they test that programs function correctly on set tasks. Once an application is broken, hackers will search the internet for the same application (developed by the same vendor) and use the same algorithm to break into other systems. The opportunity that applications present is that they have been authorized to communicate with sensitive data that may reside behind firewalls, and as such could be hacked to request and harvest sensitive data. In some instances hackers elevate their own privileges to increase their access further, and leave malware on the server in order to retain access.

The function of a firewall is not to deny access to an e-commerce system, since many “unauthorized” users (especially in a retail business) are expected to interact with the organization. Firewalls should therefore be regarded as probability-reduction devices or security filters that mitigate breaches by reducing exposure, that is, by limiting the number of open ports. The main vulnerability of firewalls is that they are either configured incorrectly or their rules and policies are not effectively managed. A common weakness in large systems arises as the security base of the firewall becomes eroded because multiple individuals or teams adjust the rules and policies without the necessary communication among themselves; an adjustment made to suit one area therefore exposes another.
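The erosion of a rule base that Haagman describes, where several teams adjust rules without coordinating, is something a defender can check for mechanically rather than by reading the rules by eye. The block below is an added example, not code from the paper or from the presentation: it audits a constructed first-match rule set for rules shadowed by an earlier rule (redundant when the actions agree, unreachable when they conflict), for ports opened to untrusted sources beyond an approved baseline, and for rules that carry no owner or change ticket. The rule format, the sample rules, the baseline ports and the trusted ranges are all assumptions.

```python
"""Audit a first-match firewall rule set for exposure and for rule drift.

Added example, not from the paper or the presentation it summarizes. The rule
format, sample rules, approved-port baseline and trusted ranges are constructed.
Rules are evaluated top-down and the first match wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network       # source range the rule matches
    ports: Tuple[int, int]           # inclusive destination port range; (1, 65535) means any
    owner: str                       # team responsible for the rule, "" if nobody recorded one
    ticket: str                      # change reference, "" if the edit was never documented


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed 'action, proto, source, ports, owner, ticket' line format."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, proto, src, port, owner, ticket = (f.strip() for f in line.split(","))
        if port == "any":
            ports = (1, 65535)
        elif "-" in port:
            lo, hi = port.split("-")
            ports = (int(lo), int(hi))
        else:
            ports = (int(port), int(port))
        rules.append(Rule(action, proto, ipaddress.ip_network(src), ports, owner, ticket))
    return rules


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that matches rule b also matches rule a."""
    return ((a.proto == "any" or a.proto == b.proto)
            and b.src.subnet_of(a.src)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def shadowed(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """(rule, earlier rule, kind) with 1-based rule numbers: 'redundant' when the
    actions agree, 'unreachable' when an earlier rule with the opposite action wins."""
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "unreachable"
                findings.append((j + 1, i + 1, kind))
                break                      # report the first rule that shadows this one
    return findings


def exposed(rules: List[Rule], baseline: set, trusted: List[ipaddress.IPv4Network]) -> List[Tuple[int, List[int]]]:
    """Reachable allow rules from untrusted sources that open ports outside the approved baseline."""
    dead = {num for num, _, kind in shadowed(rules) if kind == "unreachable"}
    findings = []
    for j, r in enumerate(rules, start=1):
        if r.action != "allow" or j in dead:
            continue
        if any(r.src.subnet_of(t) for t in trusted):
            continue
        extra = sorted(set(range(r.ports[0], r.ports[1] + 1)) - baseline)
        if extra:
            findings.append((j, extra))
    return findings


def unannotated(rules: List[Rule]) -> List[int]:
    """Rules with no owner or no change record: the silent edits that erode the rule base."""
    return [j for j, r in enumerate(rules, start=1) if not r.owner or not r.ticket]


def audit(text: str, baseline: set, trusted: List[str]) -> Dict[str, list]:
    rules = parse_rules(text)
    nets = [ipaddress.ip_network(t) for t in trusted]
    return {"shadowed": shadowed(rules),
            "exposed": exposed(rules, baseline, nets),
            "unannotated": unannotated(rules)}


# Constructed rule set showing the drift described in the text.
SAMPLE_RULES = """
# action, proto, source,         ports, owner,    change ticket
allow,    tcp,   0.0.0.0/0,      443,   web-team, CHG-1001
allow,    tcp,   0.0.0.0/0,      80,    web-team, CHG-1001
allow,    tcp,   10.0.0.0/8,     any,   net-team, CHG-1042
allow,    tcp,   10.20.0.0/16,   22,    ops-team, CHG-1077
allow,    tcp,   0.0.0.0/0,      3389,  ,
deny,     tcp,   0.0.0.0/0,      8080,  sec-team, CHG-1100
allow,    tcp,   203.0.113.0/24, 8080,  dev-team, CHG-1103
"""
APPROVED_PORTS = {80, 443}        # assumption: what the policy manual says may face the internet
TRUSTED = ["10.0.0.0/8"]          # assumption: internal ranges outside the scope of the exposure check

if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULES, APPROVED_PORTS, TRUSTED).items():
        print(key, value)
```

In the sample, rule 4 is redundant because rule 3 already allows everything from the wider internal range, rule 7 can never match because the deny above it wins, and rule 5 is both outside the approved baseline and undocumented, which is exactly the "adjustment to suit one area" that nobody else knows about.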

In summary, Haagman recommends that the matter of protection should be addressed sensibly and not through some knee-jerk reaction. He opines, “Never feel that your business does not have anything to offer a hacker; know your business, educate yourself to the best practices and latest techniques and threats; and configure your firewalls with the knowledge of what you are trying to reduce the probability of.”

7.0 STATE OF E-SECURITY IN JAMAICA (A QUALITATIVE STUDY)

As part of a qualitative analysis, a survey was conducted among several Information Technology professionals from the Banking, Insurance and Services industries in Jamaica. The following is a direct synopsis of these findings:

Although slow to the party, Jamaica now offers a number of e-Services, including E-Banking: transfer of funds electronically between accounts, bill payments, and checking of account balances. In the Insurance industry, Individual Life clients can view policy details online and pay their premiums using a credit card. Pension clients can view their pension statements online (detailing their pension contributions and accumulated funds) and also make Electronic Health Claim submissions. Some Government agencies offer services such as tax payments, and the RGD offers access to documents such as birth certificates, marriage certificates and death certificates. These are only examples of the types of e-services available; however, most e-transactions on offer in Jamaica appear to involve financial transactions.

The respondents aired a number of specific security concerns related to breaches. A major concern relates to phishing, where undisciplined users are lured to fictitious sites that pose as legitimate web portals for the financial institutions. The most common concern with respect to security breaches is unauthorized access to customer accounts and personal health records, and identity theft. Not all the risks are external, however; there are significant internal risks from unauthorized users gaining confidential information, for example the accumulated fund values for a client. Another risk is the disclosure of beneficiary information relating to funds or the proceeds of a claim.

Regarding security measures, James Arscott stated that “some companies have antivirus/anti-malware software, but many times it is outdated. The only other security they have in place is a firewall, which is sometimes poorly configured, outdated and not monitored. Most consider Intrusion detection/prevention unnecessary. Most have no formally documented policy regarding use/misuse of network/IT resources. Many ignore Intellectual Property rights.” He also indicated that the use of unauthorized software on a system can jeopardize the security of that system.

In response to the question about the considerations given in the design of a secure system, several measures were identified, namely: limiting the number of persons who have physical access to an individual's workstation; the use of updated anti-malware software and virus scanners; installing personal firewalls; avoiding certain websites and applications and applying software patches where necessary; keeping oneself informed about the latest developments and news on security; and ensuring a two-tiered security system such as user name and password, followed by challenge questions that must be answered based on stored information provided by the end-user.
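One of the measures listed above, a second tier of challenge questions answered from information the end-user supplied at enrolment, is only as strong as the way that stored information is protected. The block below is an added example, not code from the paper or from any of the respondents: it normalises answers so that spelling-insensitive variants compare equal, stores them only as salted PBKDF2 hashes, compares in constant time, evaluates every question rather than stopping at the first mismatch, and locks the tier after repeated failures. The question texts, work factor and lockout threshold are assumptions.

```python
"""Challenge-question second tier with hashed answer storage and lockout.

Added example, not from the paper or the survey respondents. Question texts,
the PBKDF2 work factor and the lockout threshold are assumptions.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List

ITERATIONS = 100_000      # PBKDF2-HMAC-SHA256 work factor (assumption; tune to your hardware)
MAX_FAILURES = 5          # lockout threshold (assumption)


def normalise(answer: str) -> str:
    """Make 'St. Andrew', ' st andrew ' and 'ST  ANDREW' compare equal."""
    return re.sub(r"[^\w]+", " ", answer.casefold()).strip()


def enrol(answer: str) -> Dict[str, str]:
    """Store only a salted hash of the normalised answer, never the answer itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": str(ITERATIONS)}


def matches(record: Dict[str, str], candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalise(candidate).encode("utf-8"),
                                 bytes.fromhex(record["salt"]), int(record["iterations"]))
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class ChallengeTier:
    """Holds enrolled answers per user; grants the tier only when every asked question matches."""

    def __init__(self) -> None:
        self._answers: Dict[str, Dict[str, Dict[str, str]]] = {}
        self._failures: Dict[str, int] = {}

    def enrol_user(self, user: str, answers: Dict[str, str]) -> None:
        self._answers[user] = {question: enrol(answer) for question, answer in answers.items()}
        self._failures[user] = 0

    def locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= MAX_FAILURES

    def verify(self, user: str, responses: Dict[str, str]) -> bool:
        if user not in self._answers or self.locked(user):
            return False
        stored = self._answers[user]
        # Evaluate every question instead of short-circuiting, so response time
        # does not reveal which answer was the wrong one.
        results: List[bool] = [matches(stored[q], responses.get(q, "")) for q in stored]
        ok = all(results)
        if ok:
            self._failures[user] = 0
        else:
            self._failures[user] = self._failures.get(user, 0) + 1
        return ok


if __name__ == "__main__":
    tier = ChallengeTier()
    # Constructed enrolment data for a fictitious user.
    tier.enrol_user("alice", {"first school": "St. Andrew Prep", "mother's maiden name": "Brown"})
    print(tier.verify("alice", {"first school": " st andrew prep ", "mother's maiden name": "BROWN"}))
    print(tier.verify("alice", {"first school": "st andrew prep", "mother's maiden name": "Smith"}))
```

The design choice worth noting is that a compromised database of enrolment records yields only salted hashes, so the "stored information provided by the end-user" that the respondents rely on cannot simply be read back by an insider, which is the internal risk the same respondents raised.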

In most instances, organizations tend to be more reactive than proactive, typically applying software patches and purchasing anti-malware. The financial institutions are exceptions, however. They are more conscious of security, make greater efforts to familiarize themselves with industry standards, and in most cases make significant efforts to comply (partly because they are forced to by external requirements). The Bank of Jamaica has also attempted to regulate this, including for credit unions. In many financial institutions, network vulnerability tests are conducted frequently; corrective and preventative measures are put in place, such as intrusion detection systems, along with the hardening of the firewall on a regular basis.

How concerned are these experts about internal breaches? They agree that these types of breaches are often overlooked, as more effort is concentrated on external threats. Many people regard policies and security measures as unnecessary and a nuisance, and are therefore reluctant to implement them. Managers are especially guilty, always seeking exceptions, which leads to a breakdown of the rules.

Final Comments

The experts accept that nefarious activities are always occurring in cyber space, but in the Jamaican environment they are not widely reported. Where stories of e-fraud have been reported, financial institutions have effectively taken the lead in compensating victims of credit card fraud, identity theft, etc. This action is helpful in allaying some of the fears of existing and potential eCustomers.

However, one of the major dangers of non-reporting is that IT professionals and decision makers fall into a false sense of security and complacency, reflected in a lack of urgency in developing secure systems. Many organizations do not treat data theft or abuse as a high-priority item, as they believe that their data isn't of interest to anyone else. There is also a lack of understanding that a security breach does not necessarily mean that you are the target: your computers could be used to launch attacks on others. In such cases, you become complicit and equally responsible for any damages to others.

The amount of money budgeted for security is directly related to the level of concern, or the threat level, that is perceived. For this reason, lack of education, together with the shroud of secrecy and non-reporting around breaches, plays into decisions that limit the funding needed to implement highly secure systems.

Ms. Wilson-Kelly concludes that Jamaica is far ahead with its implementation of technology and ought to be proactive with security in e-business. She warns that “in our zest to gain competitive advantage over competitors that we do not expose our clients to unnecessary risks.”

References

Albion.com (2012). Computer Security: A Practical Definition. Retrieved from http://www.albion.com/security/intro-4.html

Ackerman, M.S. & Davis, D. (n.d.). Privacy and Security Issues in E-Commerce. New Economy Handbook. Retrieved from http://econ.ucsb.edu/~doug/245a/Papers/ECommerce%20Privacy.pdf

Chaffey, D. (2009). “Security Design for E-Business”, E-Business and E-Commerce Management. Prentice Hall, Essex, England.

Blakely, C.J. & Matsuura, J.H. (2001). E-Government: An Engine To Power E-Commerce Development. Proceedings of the European Conference on E-Government, Dublin, Ireland.

Chapple, M. (2012). Front-End/Back-End Firewall vs. Chassis-Based Firewalls. Retrieved from http://www.searchsecurity.techtarget.com/answer/Front-end-back-end-firewalls-vs-chassis-based-firewalls

Chin, S-K. (1999). “High Confidence Design for Security”, Communications of the ACM, 44 (7), pp. 33-37.

CPNI (2012). Critical Controls. The Center for the Protection of National Infrastructure. Retrieved from http://www.cpni.gov.uk/advice/cyber/Critical-controls/in-depth/critical-control3/

Dalton, C. & Choo, T.H. (2001). “An Operating Systems Approach to Securing E-Services”, Communications of the ACM, 44 (2), pp. 58-64.

Davidoff, S. (2012). How to prevent phishing attacks with social engineering tests. Retrieved from http://www.Searchsecurity.techtarget.com/tip/How-to-prevent-phising-attacks-with-social-engineering-tests

Deitel, H.M., Deitel, P.J. & Steinbuhler, K. (2001). e-Business & e-Commerce for Managers. Prentice Hall, New Jersey, USA.

E.T.A. (2010). Electronic Transactions Act. Retrieved from http://www.moj.gov.jm/sites/default/files/laws/Electronic%20Transactions%20pgs.%201-34.pdf

Ewens, L. & Hoppe, H. (2007). “Definition of DMZ”, SearchSecurity. Retrieved from http://searchsecurity.techtarget.com/definition/DMZ

F-Secure (2012). Back Orifice. Retrieved from http://www.f-secure.com/v-descs/backori.shtml

Gardiner, B. (2003). E-Business Security in RAG Order. Retrieved from http://www.comp.dit.ie/rfitzpatrick/MSc_Publications/2003_Bryan_Gardiner.pdf

Guttman, E., Leong, L. & Malkin, G. (1999). RFC 2504 “Users' Security Handbook”, The Internet Society. Available from http://www.faqs.org/rfcs/rfc2504.html, accessed 10/03/2003.

Hollis, R. (2010). Video: Presentation at eCrimeWales Summit 2010. Retrieved from http://www.youtube.com/watch?v=gw74naSuT3o

Keizer, G. (2010). Hundreds Of Windows Applications Vulnerable To Attack. Computerworld UK. Retrieved from http://www.computerworlduk.com/news/security/3236271/hundreds-of-windows-apps-vulnerable-to-attack/?intcmp=in_article;related

Kliem, R.L. & Ludin, I.S. (1997). Reducing Project Risk. Gower Publishing Ltd, England.

ISO/IEC 17799 (2000). “Information technology – Code of practice for information security management”, International Organization for Standardization.

KnowledgeLeader (2012). E-commerce Security Best Practice Guidelines. Retrieved from http://www.knowledgeleader.com

Kesh, S., Ramanujan, S. & Nerur, S. (2002). “A framework for analyzing e-commerce security”, Information Management & Computer Security, 10 (4), pp. 149-458.

Laudon, K.C. & Laudon, J.P. (2002). Management Information Systems – Managing the Digital Firm. Prentice Hall, New Jersey, USA.

Lawrence, E., Corbit, B., Fisher, J., Lawrence, J. & Tidwell, A. (2000). Internet Commerce. John Wiley & Sons, Milton, Australia.

Marchany, R.C. & Tront, J.G. (2002). E-Commerce Issues. Proceedings of the 35th Hawaii International Conference on System Sciences. IEEE 0-7695-1435-9/02.

Marchi, S. (2001). Speaking Notes: Challenges Of The New Economy. Plenary Session IV, World Services Congress 2001, Hong Kong. Retrieved from http://www.publications.parliament.uk/ld199900/ldselect/ldeucom/95/9511.htm

Menezes, A., Van Oorschot, P. & Vanstone, S. (1997). The Handbook of Applied Cryptography. CRC Press.

Mitnick, K.D. (2003). “Are you the Weakest Link?”, Harvard Business Review, 81 (4), pp. 18-20.

OIT (2012). Office of Information Technology, Princeton University. Retrieved from http://www.princeton.edu/itsecurity/technical/firewalls/how-firewalls-work/

Pfleeger, C.P. & Pfleeger, S.L. (2002). Security in Computing. Prentice Hall, Upper Saddle River, New Jersey.

Rouse, M. (2008). Definition of Nonrepudiation. Retrieved from http://searchsecurity.techtarget.com/definition/nonrepudiation

Rowley, J. (2002). E-Business: Principles and Practice. Palgrave, Hampshire, United Kingdom.

SANS Institute (2003). Retrieved from http://www.sans.org/reading_room/whitepapers/attacking/honey-pots-honey-nets-security-deception_41

SearchSecurity (2012). Definition: Trojan Horse. Retrieved from http://searchsecurity.techtarget.com/definition/trojan-horse

SearchSoftwareQuality (2012). Denial of Service. Retrieved from http://searchsoftwarequality.techtarget.com/definition/denial-of-service

Turban, E., King, D., Lee, J., Warkentin, M. & Chung, H.M. (2002). Electronic Commerce: A Managerial Perspective. Prentice Hall, New Jersey, USA.

Webopedia (2012). Definition of Virus. Retrieved from http://www.webopedia.com/TERM/V/virus.html

Whyte, W.S. (2001). Enabling e-Business: Integrating Technologies, Architectures and Applications. John Wiley & Sons, Chichester, England.

Winkler, I.S. (1995). “Social Engineering: The Only Real Test of Information Systems Security Plans”, Computers & Security, 14 (7), pp. 609.

