Chapter II: Learning from Practice




Introduction

To learn more about the views and practices of industry practitioners, this chapter presents the results of an interview with a panel of e-commerce security practitioners who were asked to share their insights, understanding and vision regarding the practice of e-commerce security. Panel members were chosen for their experience in the field of e-commerce security and management.

Section I of this interview deals with the issues and challenges of e-commerce security. Topics covered in this section include e-commerce security policies, the tactics of hackers and security architecture. In Section II, the participants were asked to provide suggestions and recommendations regarding current challenges, solutions and future issues facing e-commerce security. Panel participants were asked to answer each question to the best of their knowledge, sharing their practical experience and understanding of e-commerce security with the book's audience.

For the list of panel members and their profiles, see Appendix A at the end of this chapter (pg. 67).

Section I: Issues and Challenges

Q: Does your organization have a formal e-commerce security policy in place?

Naglost:

Being a provider of e-commerce and Internet services to both government and private sector organizations, Berkeley must have a formal e-commerce security policy, as we often create and implement these solutions.

Oliva:

We also have one in place. Our security policy uses established software technologies (firewalls, encryptions, etc.) and formal business practices such as 'know the source' and shredding of unneeded documents.

Thompson:

We have an e-commerce security policy in place, as well.

Arazi:

There is one in place.

Upadhyaya:

We do not have a policy and there is no plan to develop one. Our company does not have the resources to set up and maintain a formal e-commerce security policy. It is something that we want and would love to have; however, it is not feasible at this time. When should others or we adopt one? I think as a company you need to be realistic about when this is implemented. Once your e-commerce venture has started to produce revenue, you can start to spend the resources on developing a formal plan. However, don't be reactive: start making small chunks of a plan, targeting certain areas as you need them. Then combine them, refactor them and use that as the basis of your formal policy once the company is ready.

Thomson:

There is one in place at Beanstream.

Mahmood:

Yes there is one in place at the University of Texas, El Paso.

Seen:

There is currently one under development at Murchison. We found that developing a policy can be a relatively quick procedure; it is the implementation of the policy which requires a commitment of time and effort, and of course buy-in from management and those who control the purse strings of the organization. The benefit of having an ingrained security policy is that it helps focus our attention on one of the key issues in the industry: maintaining and increasing the level of trust people have in e-commerce. This allows us to directly assist our clients in bringing their e-commerce solutions online while still being able to sleep at night.

Q: Is your organization's top leadership supportive of having an e-commerce security policy? And in your opinion, how can e-commerce managers educate and gain support from top management regarding this important issue?

Naglost:

Our top leadership is certainly supportive of the e-commerce security policy; we are willing to set aside both time and resources to ensure the policy is adequate in terms of breadth and depth, and is implemented accurately and completely throughout the organization.

Arazi:

Our management is very supportive, understanding the need to have clear policies and procedures on how information is collected and processed, as well as how it is accessed and protected. I believe that e-commerce managers need to employ a dual-aspect process of educating top management about the benefits of having such a policy in place versus the risks of not.

Thompson:

Our organization's top leadership is supportive, too, although, as it is outside of the day-to-day operations of a university, it is up to the management and team members of CECC to develop and explain policies to management to educate them and gain support for important issues and investments in this area.

Oliva:

I would say our top management supports e-commerce security activities as well, though more from a defensive and offensive perspective. E-commerce managers must use accurate business data to show management the financial consequences (revenue losses, recovery costs, litigation costs) of not implementing information and e-commerce security business practices.

Thomson:

We support e-commerce security at all levels in our organization. In my opinion, the easiest way to convince management that they need to address the issue is to simply provide examples of other organizations that have not, and the negative publicity and customer support issues that are generated as a result.

Upadhyaya:

Our leaders fully understand the need to be secure, but we are also fortunate that the MD of the company was chair of the UK's Digital Content Forum (DCF) for 2002. The biggest motivation for them is liability. As soon as it was explained that taking financial payments over the Internet (even B2C) was not without risk, their ears pricked up. In terms of cost, it is much more efficient to be prepared than to try to recover from an attack. Sadly, top-level management see things in terms of cost, so explaining the potential damage is a sure-fire way of getting support.

Mahmood:

Our top management is absolutely aware of the need for an e-commerce security policy, but I think it's important to add that the e-commerce manager should give seminars on the issue. The manager should keep top management aware of the latest developments and should explain to them why it is important for the company to use e-commerce tools and technologies, and why it is important for the organization to have an e-commerce security policy.

Seen:

The development of our e-commerce security plan has full support from the CEO down; however, in our situation, it was not necessary to 'sell' the benefits of security management. We needed to ensure that the policy would be implemented. This means, for example, that a programmer or administrator could immediately drop what they were working on to attend to a security issue, even if it is just the application of a critical patch for a system. It took some resistance from the programmers and administrators to ensure we were allowed to respond this way.

Q: In your opinion, how does your organization deal with the tactics of hackers (e.g., altering files, eavesdropping on transactions, sending viruses and cookies, etc.)?

Naglost:

Berkeley implements a multi-tier system of security to deal with hackers. We implement robust firewalls using the latest technology (both software and hardware) available and ensure all operating systems and server and client applications are up-to-date and have all the required security patches installed. We also implement anti-virus software on all servers and workstations and ensure these are kept up-to-date. Our regular monitoring includes checking server logs, utilizing state-of-the-art server monitoring software to ensure we are alerted to any suspicious activity, and subscriptions to relevant security bulletins to ensure that we are aware of the latest known e-commerce security threats.

Oliva:

For general information protection we use commercially available software (firewalls, file scans, etc.) to protect desktop PCs and servers from hackers, denial-of-service attacks and zombie attacks. We advised staff not to download files or open e-mails unless they are sure of who sent them (which is the 'know the source' policy). Files are detected immediately if coming from unknown sources.

Thompson:

In our case, those servers that contain client information and applications that are managed by the CECC are housed with a specialist Web-hosting company. The primary responsibility for dealing with the tactics of hackers is therefore passed to this organization.

Arazi:

A2i deals with such tactics by segmenting the IT infrastructure into multiple tiers and having the bare minimum exposed to the Internet. A very strong and closely guarded perimeter network is connected via firewalls to dedicated DMZ networks for the Web servers and application servers, with the database servers further protected in yet another network segment. Sensitive data is encrypted immediately after being processed, and all servers contain only the required applications and have been 'locked down' by applying strict access privileges and constant security monitoring. Application-specific filters and proxies handle inbound and outbound mail and Web connections to fight spam and viruses. Multiple layers of frequently updated virus software are also used.

Upadhyaya:

Unfortunately we weren't proactive at first. We have been hit a couple of times, but each one has been an education. The first time was the summer of 2001 with a variant of the Code Red worm. When it was detected that we had a slowdown in LAN traffic and echoes to our servers were timing out, we realized there was a problem. As our company pretty much only uses Microsoft technologies, we were aware that we were more at risk from OS flaws and worm attacks than some of our colleagues. It was noticed that our main Web server was defaced, one of our remote transactional database servers was not functioning properly, and our VPNs/WANs were down. All our development servers had been opened up. The clean-up was a logistical nightmare! However, we succeeded and it changed our approach to worm-style attacks.

Worms force computer security to be an everyday battle: each day you need to scan the newsgroups for any new patches or updates, then take the time to deploy them on all relevant machines (though some OS/products do allow a live update now). With Internet-connected machines, not only do you have to worry about your own systems, you have to worry about other networks on your exchange. When we recovered from the Code Red variant, it still took a while to return to normal service levels, as other infected networks were flooding our ISP's bandwidth. It was an education; it's hard as a small company to devote resources purely to pre-empting the information militia (the cracker/hacker communities). I think it's a case of 'once stung, twice shy'; however, that's not really the most efficient way to behave. I think the key is getting your servers to an acceptable level of security, then improving your response time. To improve our response time, we set up external monitoring of our sites, checking both the dynamic and static versions, thus targeting the nature of the attack (IIS or SQL Server). As soon as there's a problem, an e-mail is sent to the relevant parties and a message is also sent to their cell phones. As all the IT staff have broadband at home, updates or fixes can be done remotely, minimizing the duration of any DoS attacks.

Currently we block all ports that we don't need and use NAT to transform some of the obvious ports such as 1433 (Microsoft SQL Server). Then we use IP security/filtering at the machine level to block anything the firewall has missed. After the traversal attack, we stopped using default directory structures and placed all websites on a new drive. On the SQL Server side, if you can, try and use Windows Active Directory to manage your SQL security. Basically the rule is: when you set up your infrastructure, no matter which platform you use, don't use any defaults, because once you do, you're giving a clue to any information intruder. Even the most novice, bored 14-year-old hacker with a downloaded PDF manual could find entry into your system if you accept the defaults. Since these changes, traversal attacks to gain access to the servers' file system have ended. Since then, we are patched to the teeth. We use third-party software from eEye and keep up-to-date with OS patches. However, none of this is innovative; it is reliant on another company discovering a new tactic and then letting the world know.
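Upadhyaya's account above mentions external monitoring and the Code Red worm and directory-traversal requests his IIS servers were hit with. The following is an added example, not code from the interview or from any panel member's company, showing how such requests can be picked out of IIS-style log lines after canonicalising the request path the way the vulnerable server would have. The log lines are constructed for this example; the request shapes (the `/default.ida` probe, and the `..%c0%af` and `..%255c` traversal forms) follow the widely published Code Red and IIS Unicode/double-decoding traversal signatures. The log field layout, the `OVERLONG` table and the function names are assumptions for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-style log lines for this example (not from the interview).
# Fields: date time client-ip method uri-stem(+query) username status
SAMPLE_LOG = """\
2001-08-04 10:02:11 10.0.0.7 GET /index.htm - 200
2001-08-04 10:02:15 198.51.100.23 GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 - 200
2001-08-04 10:03:40 198.51.100.23 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir - 200
2001-08-04 10:04:02 203.0.113.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir - 404
2001-08-04 10:05:00 10.0.0.7 GET /images/logo.gif - 200
"""

# Overlong UTF-8 forms of '/' and '\' that old IIS decoded only after its
# path check (the "Unicode" traversal). This table is an assumption for the example.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
WORM_MARKERS = ("default.ida", "cmd.exe", "root.exe")


def decode_path(raw: str, rounds: int = 2) -> str:
    """Canonicalise a request path as the vulnerable server ended up seeing it:
    percent-decode `rounds` times (catches %25 double encoding), fold overlong
    UTF-8 and %uXXXX forms, and normalise backslashes to forward slashes."""
    data = raw.encode("latin-1", "replace")
    for _ in range(rounds):
        data = unquote_to_bytes(data)
    for overlong, plain in OVERLONG.items():
        data = data.replace(overlong, plain)
    text = data.decode("latin-1")
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return text.replace("\\", "/")


def scan(log_text: str) -> list:
    """Return one finding per log line whose decoded path shows traversal or a
    known worm marker, regardless of the status code the server returned
    (a 404 still tells you someone is probing)."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue                      # header or malformed line
        _date, _time, client, _method, uri, _user, status = fields
        path = decode_path(uri.split("?", 1)[0])
        tags = []
        if TRAVERSAL.search(path):
            tags.append("traversal")
        tags += [m for m in WORM_MARKERS if m in path.lower()]
        if tags:
            findings.append({"client": client, "uri": uri,
                             "status": int(status), "tags": tags})
    return findings


def offenders(findings: list) -> list:
    """Distinct client addresses worth paging the on-call staff about."""
    return sorted({f["client"] for f in findings})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["status"], ",".join(f["tags"]), f["uri"])
    print("alert:", offenders(scan(SAMPLE_LOG)))
```

The point of `decode_path` is that matching on the raw URI misses the encoded forms; the detector has to decode at least as aggressively as the server did, which is also why a 404 line is still reported.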

Thomson:

We made a decision early in our business development that Internet security was not an area of core expertise, so we outsourced it. We use a third-party security firm to monitor our firewall and servers 24 hours a day, seven days a week, to attempt to detect and defeat any attempt by unauthorized third parties to gain access to our systems or services.

Mahmood:

It is very difficult and time consuming to stay ahead of the hackers. You can use a number of commercially available tools to stay ahead. This includes any tool that uses SSL to provide end-to-end secure communications. To prevent hackers from getting into the system, you may want to have a firewall installed right outside your intranet. Biometric devices are being used to provide security to the sensitive materials.

Seen:

That is why our number one goal is prevention, obviously. We take an active role in monitoring suspicious activity within the network as a whole and try to limit the potential for a breach. Containment is secondary to our way of thinking; if a hacker gets in, even if they are contained, the damage has been done to our reputation for security. Containment and limiting our exposure are still important, but it is better never to be placed in such a situation to begin with.

Q: In your opinion, how important is the issue of security architecture and what should be covered in system security architecture?

Naglost:

A comprehensive and detailed security architecture is paramount to ensuring that all aspects of the organization's information platform are secured and monitored. The system security architecture should cover all internal systems that the organization manages as well as any external systems that interact directly with the organization. The architecture should include general objectives as well as a complete listing of security processes, policies and services. The physical and logical structures of the information systems should be covered as well as the associated levels of trust between each system.

Oliva:

I would agree that the issue of information security is critical to the success and growth of our business; however, there are limits on what we can afford to invest in. There is no direct financial return from having good security practices: just overhead and avoided costs. In terms of architecture, we believe there are four primary elements:

  1. Wired Systems Security (local and wide area networks, desktops, servers, printers, etc.)

  2. Wireless Systems Security (cell phones, palm pilots, Wi-Fi networks, Bluetooth, etc.)

  3. Business Practice Security (superfluous document destruction, unsolicited telephone inquiries, 'know the source,' verify requests twice, not disclosing private information in public places, etc.)

  4. Software Applications Security (e-mail, e-commerce, customer support, sales systems, etc., secured at the access point and user authority level).

Thompson:

Security architecture may be the most important element of any e-commerce environment. Public key infrastructure (PKI) and the issues regarding its implementation within an organization are particularly important.

Arazi:

I believe security is a process, not a product. As such, an organization's security architecture is of paramount importance as it serves as the 'roadmap' for navigating the never-ending route toward increased security. Both threats and countermeasures constantly evolve with time and need to be dealt with on multiple levels: those of the individual systems, their connecting network and organizational processes and policies. A good security architecture will cover the specific issues outlined in each level as well as tackle the interfaces between those levels. Additionally, the security architecture must balance.

A balanced security architecture is one that balances cost of implementation with security. Such implementation costs obviously include budget, but usability and flexibility losses or constraints must also be factored in. Users, both internal and external, must not feel hampered by the application of the security policy, and the organization's business goals must always direct security rather than security concerns directing how business is conducted.

Upadhyaya:

Exceptionally, the underlying security of any system will tend to be the most vulnerable, as it doesn't usually get exposed until after an attack. What's needed is:

  1. A set of principles for establishing and maintaining features and mechanisms that protect against interruption and loss to packet-switched network elements, the communication services they provide, and the data they contain and carry.

  2. A testing schema that simulates known hacker tactics.

  3. System-wide authentication methods, that work from page to page (in a Web context).

Thomson:

The architecture of security systems is largely beyond my area of expertise as we outsource that capability. I deal with architecture at the operating system level. We have outsourced Internet security to a third party, Presinet Systems. We knew that security was a very important aspect of our business and that we were not experts in this regard. Having a third party monitor our systems provides our clients with assurance that our network is properly managed and that any issues related to security are handled by experts in this field.

Seen:

For us, a secure, verifiable architecture is a mandatory element of our systems. If someone can look at a system on paper and spot a security flaw or weakness, then it is a case of going back to the drawing board, taking a good hard look at what you've got and trying to pinpoint where the architecture is lacking. Too often, more time is spent trying to 'optimize' an architecture that is fundamentally flawed from a security point of view and should be thrown away. Security should be a by-product of solid design, just as insecurities are by-products of a flawed design.

Mahmood:

The issue of security architecture is very important. It should cover all the security techniques that are available at the present time. It should say how the company's sensitive information can be secured.

Q: How does your organization deal with the issue of consumer/client protection in its e-commerce environment?

Thompson:

We try to provide comprehensive information to the client on all aspects of our e-commerce environment. In our opinion a consumer is in most cases better protected by being well informed. All e-commerce transactions are secured using 128-bit SSL encryption. Any transactions are completed using real-time credit card authentication with the financial institution. This reduces the amount of consumer/client information that needs to be stored.

Oliva:

Our e-commerce site is SSL as well as VeriSign secured for extra transaction protection. We have postings to that effect on the site to let customers know our dedication to the security of their information.

Naglost:

Berkeley protects consumers who use its services by implementing both a technical and legal security and privacy framework. We incorporate explicit privacy and security policies and ensure that all consumer data stored by Berkeley is secured at the maximum level. All e-commerce transactions are carried out in a secure environment and, where possible, personal information that is only required by third parties (e.g., credit card details required by transaction gateways) is transferred directly to the third party and is not made accessible to Berkeley.

Arazi:

In addition to the use of SSL and https, we design our systems to encrypt customer information as soon as possible after its receipt, and further use time-limited pseudo-random record ID locators to thwart unauthorized data-mining operations. Whenever possible, servers that store customer-sensitive information are located behind two or more layers of firewall protection, have very restrictive access policies and elaborate logging.

Thomson:

We use a combination of technologies to protect consumer information within our technical infrastructure. We protect data streams by a combination of SSL, VPN and PGP technologies. Sensitive e-mail information is sent using PGP. Access to merchant information is controlled by organization name, user name and password. We provide the ability to limit access to certain functions by IP address and/or GEO-IP mapping.

Seen:

The usual steps are taken to protect the confidentiality of users in our systems. Obvious steps are things like ensuring basic database security measures are in place (this means NO default installs), only collecting data that is absolutely necessary, making sure a credit card number is never stored but rather passed directly to the processing gateway, things like that. The benchmark is often a subjective one; we ask ourselves, 'Would we put our details in here?' and if you can't be confident of the security of your own system, why should other users trust it? I cannot stress enough, however, the basic steps are the most important ones to take.

Mahmood:

Yes, the consumer information protection is very, very important. If the consumer does not have confidence in your security system, they will not do business with you. The latest survey on this issue indicated that security is the number one reason as to why a lot of people do not shop online. We use SSL to secure transactions to protect sensitive client information.

Upadhyaya:

Customer/client confidence is fundamentally the most important issue in any e-commerce transaction. Without protecting that, you have no business. In many ways, the transaction security of a site can be compromised such as spoofing or sniffing. In the cases of spoofing and sniffing, our preferred technique is to use data encryption or signed data for the transaction.

Q: How does your organization deal with the issue of protecting consumer/client identity during an electronic agreement?

Naglost:

Berkeley ensures the protection of consumer identity during an electronic agreement by collecting only relevant and required information and then affording these details the same high level of security as its own corporate data. Consumers' identities remain anonymous when there is no requirement to ascertain or record their identities.

Oliva:

At this time, due to a lack of legal clarity about their validity, we have not started to use electronic identity software for legal agreements; we still use signed (paper) documents and do not use e-documents. Electronic identity software enables the user to transmit their legal signature in an encrypted, indisputable file format. The advantages are clear and numerous to businesses competing on a 24x7 global basis. Dramatic decreases in paperwork shipping costs, immediate approval for legal documents regardless of client or attorney location, around-the-clock customer purchase and approval capability, and reduced paperwork are all real advantages of digital signatures. The software tools were built and tested several years ago, and are ready for immediate use. The major issue concerning electronic identity software involves legal acceptance. To date, no significant legal guidelines have been developed that permit corporate or public agency acceptance of a digital signature in lieu of a signed paper document. In short, due to legal and financial risk, no one wants to be the 'pioneer' in the use of digital signatures. Should a future court ruling adversely impact digitally signed legal or financial documents, it is highly probable that organizations could face substantial damages. The trigger for full business and government acceptance of digital signatures will be court cases that build a precedent of legal opinion that, with proper safeguards, electronic identity software holds the same legal weight as paper documents. Until such legal activities have occurred (hopefully in the next five years), we advise clients to continue to request approvals made on paper documents.

Arazi:

We endeavor to design and implement systems where customers are required to log in once and be validated, after which a unique, non-linear, time-limited, pseudo-random session ID is generated for their session or transaction. A master, highly secure 'authentication server' then stores this information. After successful validation and throughout the entire transaction, customer information is then referred to by this unique identifier rather than by information pertaining to their identity, such that the customer/client identity is completely anonymized to most servers and applications handling the transaction, with each system/application only processing the fields of information it has been authorized for.
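Arazi's two answers above (the time-limited pseudo-random record locators in the previous section, and the authentication server here that hands other systems an opaque session ID and only the fields each is authorized for) describe one mechanism. The following is an added example, not code from A2i or from the interview, of that mechanism in Python: an authentication server issues a 256-bit token from the operating system's CSPRNG with an expiry, keeps the only token-to-identity mapping, and answers downstream applications with nothing beyond their allow-listed fields. The user table, password hashing parameters, shared salt and per-application field lists are constructed for the example; a real deployment would use a per-user random salt and a persistent store.

```python
import hashlib
import hmac
import secrets
import time


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table for the example. One shared salt keeps the example
# short; a real system stores a random salt per user.
_SALT = b"example-salt-not-for-production"
USERS = {
    "alice": {
        "pw": _hash_pw("correct horse battery", _SALT),
        "name": "Alice Example",
        "address": "1 Demo Street",
        "card_token": "tok_9f3a",   # gateway token, never the card number
    },
}

# Which identity fields each downstream application may ever see
# (constructed allow-lists; nobody downstream receives the whole record).
APP_FIELDS = {
    "catalog": set(),
    "shipping": {"name", "address"},
    "payment-gateway": {"name", "card_token"},
}


class AuthServer:
    """Sole holder of the token -> customer mapping.

    Every other system works with the opaque token only. `clock` is
    injectable so expiry can be exercised deterministically in tests."""

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._live = {}           # token -> (username, expires_at)

    def login(self, username: str, password: str):
        """Verify credentials; on success return a fresh time-limited token."""
        user = USERS.get(username)
        candidate = _hash_pw(password, _SALT)      # same cost for unknown users
        if user is None or not hmac.compare_digest(user["pw"], candidate):
            return None
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._live[token] = (username, self.clock() + self.ttl)
        return token

    def resolve(self, token: str, app: str):
        """Return only the fields `app` is authorized for, or None when the
        token is unknown or expired (expired entries are purged on sight)."""
        entry = self._live.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self._live[token]
            return None
        record = USERS[username]
        return {field: record[field] for field in APP_FIELDS.get(app, set())}

    def logout(self, token: str) -> None:
        self._live.pop(token, None)


if __name__ == "__main__":
    server = AuthServer(ttl_seconds=60)
    tok = server.login("alice", "correct horse battery")
    print("token:", tok)
    print("shipping sees:", server.resolve(tok, "shipping"))
    print("catalog sees:", server.resolve(tok, "catalog"))
```

Because the token carries no structure and is unrelated to the customer's identity, a server that logs or leaks it gains nothing once it expires, and an unknown application name resolves to an empty field set rather than to the record.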

Thompson:

All e-commerce transactions at CECC are secured using 128-bit SSL encryption. Any transactions are completed using real-time credit card authentication with the financial institution. This reduces the amount of consumer/client information that needs to be stored.

Upadhyaya:

For us, in terms of non-capture of client information during a transaction, when the client fills in a payment form and submits the data, their details are not sent straight away. What actually happens is that a secure link is set up between the client's browser and our merchant. An encryption code is requested and received, which then wraps the transaction details before leaving the client software.

Thomson:

Any information that we store as a result of an electronic agreement is encrypted. The systems storing the information themselves are housed in a high-security data center. We also deploy the technology solutions listed in Q5 during the agreement. The authentication services that we deploy in order to authenticate parties during an agreement do not display any confidential customer information. Our system scores the results of various decisions, and it is only that score that is ever displayed to a merchant or the client.

Mahmood:

My organization protects the consumer/client by using digital certificates to verify identity. Digital certificates clearly identify the person that you are dealing with. They prevent fraud because they will prevent a fraudulent person from assuming someone else's identity and causing all kinds of mischief.

Seen:

Obviously, overall, we need to balance consumers' rights to privacy with the need to ensure that suitable audit trails are maintained in case of accusations of fraud, detection of a compromise, etc. Murchison ensures that the minimum information necessary is collected and that it is secured within a database that does not directly face the Internet during the processing of payments and transactions.

Q: In your opinion, what measures can a business take to make consumers/clients feel at ease regarding the level of security protection of a business's e-commerce system?

Mahmood:

Use digital certificates in conjunction with SSL.

Arazi:

A business must cause customers to feel comfortable and confident about the business, the manner in which transactions are conducted, and what is done with information that is collected from customers. Unfortunately, what the customers feel has very little to do with what technical precautions are taken. I have found that registration with certification authorities such as eTrust and VeriSign makes customers feel safer because the names are recognizable. A privacy policy is helpful as well.

Oliva:

As has been noted, businesses can provide 'evidence' that permits the customer to check for him or herself that a transaction is secure. This can be done through the software verifiers mentioned (such as the Verisign seal) along with membership in various trade groups that clarify a website complies with the very few industry security standards.

Thomson:

I, too, think that one of the best measures a merchant or service provider can adopt in order to provide consumer confidence in e-commerce systems is industry best practices such as the Visa AIS program, WebTrust, Verified by Visa, etc. The merchant can leverage the brand recognition of these programs and have a very good security and privacy baseline to work from.

Naglost:

Businesses must provide clear, simple and easily accessible information regarding their security policies and procedures to all consumers using their e-commerce systems. They must demonstrate their level of security protection by providing relevant information to consumers and by providing avenues for consumers to validate this information with a third party (security service provider and/or government organization).

Seen:

And certainly not by touting their systems as 'unhackable' or otherwise as we have seen some companies do in recent times. I think the biggest comfort factor in online transaction is giving consumers a name-a real life contact person-even if it is only via e-mail. Customers tend to get suspicious when they are expected to divulge sensitive data on a Website that has no tangible links to a real-world entity. If they feel that they have someone to hold accountable, it makes trusting that person to protect their data just a little bit easier.

Upadhyaya:

It is also important to limit the number of jumps between servers; it makes clients nervous. Your client is going to wonder what information is being sent back and forth. The best way is to try and provide the full solution without using a third party. However, again, make sure that a reputable company has assured your site.

Thompson:

  1. Clearly explain each stage of a transaction to the client and how the information they supply will be used.

  2. Ensure that technical issues are explained clearly.

  3. Provide links to external information on security issues wherever appropriate. For example, provide a logo and link to the VeriSign website if that particular certificate authority is included on the organization's SSL certificate. Whenever a client/consumer is asked to provide information, be it personal, postal, credit card or otherwise, the following should be explained: how the information will be used; how long the information will be kept and for what purposes; and whether the information will be made available to any third parties. At the beginning of a transaction, it should be explained in clear terms how the information being provided is secured in transit and in storage (if applicable).

    At the conclusion of a transaction it should be made clear what the client/consumer should expect to receive and what the process for fulfilling the transaction will be. "In the next few minutes you will receive an e-mail receipt to the address you specified. You can keep track of the progress of your order at the following address http://www ... using your username/password."

Q: In your opinion, do you believe that self-regulation regarding consumer/client protection in an e-commerce environment is adequate or is government involvement needed? What should be included in any regulations regarding consumer/client protection?

Oliva:

After 10 years of industry resistance to even minimal regulations, it is clear that government involvement will be required to enforce even token protection levels for all Internet transactions. This is in large part due to a lack of customer mandates for security and incredible bickering over which standards are 'best.' In terms of regulations, all e-commerce and/or financial transactions should be secured through software encryption and/or biometric identification to deter theft or illegal use. This could be as simple as adding one hundred extra bytes of identification data to each transaction.

Naglost:

In fact, federal and international government organizations must be involved in the development and enforcement of regulations regarding consumer protection. These regulations must include specific details covering the rights and responsibilities of the businesses providing the goods/services, consumers and any other intermediaries who are involved in facilitating the e-commerce transaction. The regulations must be enforceable across national/international borders.

Thompson:

One outcome of additional government regulation regarding consumer/client protection in the e-commerce environment would be the introduction of additional costs in ensuring compliance. Self-regulation is therefore preferable from a business perspective. However, many consumers are not fully informed and, without adequate regulation/safeguards, they may be exposed to unacceptable risks in an e-commerce environment. Positive public perceptions about the degree of security offered through e-commerce continue as an important element in consumer/client uptake. What should be introduced in terms of regulations remains unclear.

Seen:

The big question is, 'Which government is going to regulate consumer protection in e-commerce?' We have already seen the battle for jurisdiction on the Internet played out a few times. Consumer protection is important and regulation is a noble idea, but there is no way that it can be achieved globally in a uniform fashion. I believe that while self-regulation may not be adequate, it is better than no regulation at all.

Upadhyaya:

But, self-regulation is only effective if all parties adhere to the resolution. Industry standards bodies and ombudsman regulatory enforcers would help protect consumer interest. As of August 21, 2002, the UK's Department of Trade and Industry (DTI) set out regulations intended to boost consumer confidence. The regulations also contain requirements about any e-mail advertisement and enable a recipient of an unsolicited advertisement to identify it without opening it.

Thomson:

I don't think that self-regulation is viable simply because we have seen the wide range of security solutions that vendors and merchants deploy, many of which are unsuitable. Having said that, I do not think that government regulation is the answer either. In Canada and the UK (two markets that we serve), government has set standards for the protection of personal information and consumer privacy, but they are unevenly applied and enforcement only really occurs when there is a complaint or information breach. I believe that the best regulatory routes are perhaps industry benchmarks and standards such as the Visa AIS program. Enforcement is easier to control and standards can be set specific to the merchant or service provider risks.

Mahmood:

Well, we can try self-regulation for awhile and see whether that works. If that does not work, the government will have to be involved.

Arazi:

I believe that a balance between the two is ideal, such as a nongovernmental committee in which business, finance, government, legal and technology professionals have rotating and time-limited seats. This committee should issue guidelines and have authorized inspectors conduct acceptance testing, similar to the way the ISO 9001 standard is implemented.

Q: What are the issues of secure payments that your organization has to deal with in its e-commerce environment?

Oliva:

The issues we have encountered are the same everyone has: fraud, mistakes in credit card account numbers, spoofing, etc. We receive credit card payments through a secured transfer with Verisign that filters most of these out. We make bank wire transfers through encrypted websites and transaction-specific Web cookies.

Naglost:

Maintaining privacy and security of credit card details has been Berkeley's primary concern. Where possible, Berkeley facilitates a direct transaction between the consumer and transaction gateway, ensuring that only the required parties have access to the credit card details. This solution, however, is not always possible, especially when working in our capacity as an intermediary e-commerce organization that manages order processing involving automated faxing of customer orders to a non-technology focused business. This process, although being as secure as any standard fax transmission, does raise additional privacy and security concerns that must be made clear to all parties.

Thompson:

Our dilemma is whether to use real-time transactions through a third-party vendor or provide the secure transactions through our own environment and process the credit cards manually. This is an issue when low transaction volumes are concerned, as most third-party vendors charge a monthly fee as well as a per-transaction fee.

Upadhyaya:

We have been quite lucky on this aspect. So far, we have not experienced any fraud or interception of payment details. So again, in terms of being proactive, we are reserving technical resources until the threat arises.

Arazi:

We have only dealt with EDI and credit-card based payments. With EDI, the financial framework is typically pre-arranged and thus there is less chance of fraud, and the 'value' of any information obtained via unauthorized means is drastically diminished. Thus far, credit card payments have been accepted via secured HTTP forms and have been validated offline. Once validated, only the card type and last four digits are retained by the e-commerce systems, with the customer being prompted to either use the authorized card (without inputting its information again) or adding a new credit card, in which case the validation cycle repeats again. Only the actual payment server would store the full credit card information, and this information would always be encrypted on a highly secure server.

Thomson:

A primary task is the ongoing maintenance and evaluation of platforms and software to ensure that security patches are installed and known security holes closed. We constantly have to deal with nuisance attacks (port scans, small-scale DoS, probing) and the subsequent blacklisting of IPs and/or ISP notification. We also have to devote R&D time to evaluate and adopt new industry standards and services such as VbV and SecureCode in order to meet our obligations to our financial partners and clients.

Mahmood:

Our biggest concern at UT-El Paso is client identity: making sure that the client cannot say that he did not order something when he indeed ordered that product or service...the security of the transactions while it is taking place.

Seen:

At Murchison, we operate an in-house credit card gateway and process the most online payments in the state, so it is vital for us to stay on top of security in respect to both sides of online payment processing. Foremost for us is ensuring that the gateway machine has a high level of availability and cannot be compromised in any way. The key is ensuring that we are vigilant in applying OS patches and provide proper firewall protection. From a front-end perspective, we ensure that transactions are only accepted from selected hosts, with proper authority, keys, certificates, etc., to negate any chance of spoofing or replay attacks.
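The front-end control Seen describes (accepting gateway transactions only from selected hosts, with keys, and rejecting spoofed or replayed requests) is sketched below as an added example. It is not code from Murchison or any panelist's gateway; the merchant IDs, shared secrets, source addresses and field names are constructed for the illustration. The merchant signs each request with a shared secret over a fixed canonical field order; the gateway checks the source host, the signature, a timestamp window and a per-request nonce so that a captured request cannot be submitted twice.

```python
"""Request authentication and replay rejection for a payment-gateway endpoint.
Added example: hypothetical names and constructed data, not a panelist's system."""
import hashlib
import hmac
import secrets
import time

SIGNED_FIELDS = ("merchant_id", "order_id", "amount_cents", "currency", "timestamp", "nonce")


def canonical_string(request: dict) -> str:
    # Both sides must sign exactly the same bytes, so fix the field order here.
    return "|".join(str(request[k]) for k in SIGNED_FIELDS)


def new_request(merchant_id: str, order_id: str, amount_cents: int, currency: str, now=None) -> dict:
    """Build an unsigned request; the nonce is fresh per request, the timestamp bounds its life."""
    return {
        "merchant_id": merchant_id,
        "order_id": order_id,
        "amount_cents": amount_cents,
        "currency": currency,
        "timestamp": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16),
    }


def sign_request(request: dict, secret: bytes) -> dict:
    """Merchant side: HMAC-SHA256 over the canonical string with the shared secret."""
    signed = dict(request)
    signed["signature"] = hmac.new(secret, canonical_string(signed).encode(), hashlib.sha256).hexdigest()
    return signed


class GatewayVerifier:
    """Gateway side. merchant_secrets: merchant_id -> shared secret;
    allowed_sources: merchant_id -> set of source IPs permitted to submit for that merchant."""

    def __init__(self, merchant_secrets: dict, allowed_sources: dict, window_seconds: int = 300):
        self._secrets = merchant_secrets
        self._allowed = allowed_sources
        self._window = window_seconds
        self._seen = {}  # nonce -> timestamp; entries older than the window are pruned

    def verify(self, request: dict, source_ip: str, now=None):
        now = time.time() if now is None else now
        merchant_id = request.get("merchant_id")
        secret = self._secrets.get(merchant_id)
        if secret is None:
            return False, "unknown merchant"
        # Host restriction: a valid secret used from an unexpected host is still refused.
        if source_ip not in self._allowed.get(merchant_id, ()):
            return False, "source host not permitted for merchant"
        expected = hmac.new(secret, canonical_string(request).encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; any altered signed field (amount, timestamp...) fails here.
        if not hmac.compare_digest(expected, request.get("signature", "")):
            return False, "bad signature"
        if abs(now - int(request["timestamp"])) > self._window:
            return False, "timestamp outside window"
        # Forget nonces that can no longer pass the timestamp check, then reject duplicates.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self._window}
        if request["nonce"] in self._seen:
            return False, "replay"
        self._seen[request["nonce"]] = int(request["timestamp"])
        return True, "accepted"
```

The nonce table only needs to remember requests inside the timestamp window, which keeps it bounded; the order of checks means a request that fails cheaply (unknown merchant, wrong host) never reaches the HMAC computation.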

Q: How does your organization deal with the issues of retaining e-commerce skilled personnel? What kind of attracting/retaining program(s) is in place for the proper staff?

Oliva:

Good question! We have had to train our staff in e-commerce security practices through a combination of online classes and on-the-job training. We recruited people eager to attend this training program and who had the proper system administration experience.

Intelligent Decisions LLC encourages staff members to continue their professional education through a combination of online and on-ground classes offered through commercial providers such as the IEEE, ISSA, The Chubb Institute, CISCO and the Northern Virginia Community College. Topics include data encryption, information assurance, firewall management and enhancement, network management, biometric authentication, 'white hat' network security methods and GISRA (U.S. Government security standards). All staff members have most of these skills when hired, but they must constantly update them through seminars, classes, conferences and literature review.

Thompson:

Since being established in 1998, CECC has achieved the greatest success in attracting and retaining staff by drawing staff from the student population of the University of Ballarat and then supporting staff as they develop their e-commerce skills. The integration and retention of staff engaged through more traditional recruitment methods has been less successful.

Thomson:

We are located in a market where there are a number of well-trained e-commerce employees (two universities and two colleges), predominately small technology companies (wage costs are therefore at the low end of the scale) and where quality of life is an important factor. As a result, there is always availability of staff at reasonable rates. Once we have employed and trained staff, we try and retain them by focusing on flexible work hours, a positive work environment, a team-based approach to work and ongoing training. Having said that though, finding good e-commerce security staff that don't have a criminal record is very difficult in our market!

Naglost:

Berkeley provides a number of incentives to retain its e-commerce skilled personnel. This involves flexible working schedules, payment mechanisms and company ownership. We utilize a number of key recruitment agencies, with whom we have formed strong partnerships, to attract quality staff. By providing flexibility regarding working location and remuneration, we have been able to achieve excellent overall retention.

Seen:

We have no formal programs in place. As a small organization, we have low staff turnover, so this is perhaps not as big a problem as in other enterprises. The downside is that there is a large chunk of institutional knowledge tied up in individual staff. Ongoing efforts to document and cross-train others helps to address this.

Arazi:

We do not have any special retention programs. We have not had to deal with high turnover of skilled IT personnel and as such did not develop any special retention programs. I have heard of problems in other organizations, but I feel those were endemic to those particular organizations and unrelated to the specific skills of the personnel in question. To retain good staff, I would recommend that the organization recognize their value, compensate them appropriately, work with them to solve problems (rather than lay blame for problems) and create an inquisitive work environment where each individual is able to pursue challenges and gain exposure to new ideas, technologies and processes, both within the organization and outside of it.

Upadhyaya:

It may sound tragic, but at the moment the UK e-commerce employment market is at a low. Staff say it is because they have jobs! We all have colleagues/friends that are unemployed at the moment. I'm sure this policy is short sighted and as soon as the market picks up, labor turnover will rise. I think when the time comes, a stake in the company is all that can really be offered.

Q: How does your organization deal with the issues of interoperability (maintaining reliable exchange of information with corporate information systems)?

Seen:

Generally, we do not deal with solutions that interface with corporate systems. Our target market is the SME sector, and as such, the solutions we offer are self-contained online storefronts. Theoretically, a customer needs no other software to operate their online business. In practice, however, our consumers tend to prefer exporting reports to third-party accounting software through an intermediate format such as CSV or XML.

Oliva:

As a small company, this is not a problem for us. However, for our large customers, this is a major issue. They use a combination of trusted system software and protocols, limited network access, and manually approved data transfers to move mission- critical data back and forth between field and corporate systems.

Thompson:

We do not have a great deal to do with this, as a vast majority of our business is online and we do not provide procurement services.

Upadhyaya:

When we embark on a data-sharing exercise, we normally send a consultant to meet with the IS department of the target company. And it is their task to come up with data transformation rules and compromises. We then get a sample data export or snapshot of the database to test our data mediation.

Thomson:

Part of our competitive advantage is the fact that our solutions bridge the gap between banking platforms (inflexible) and merchant financial systems. Our systems and solutions are all Web based and accessible using IE or Netscape, and we deploy a wide range of Java, C++ and CGI-based APIs to try and bridge as many platforms as possible. Our solutions are designed in such a way that they layer integration into the business system. All of our core products run on their own independent platforms and it is only the front and back end hooks that need to be customized to a specific system.

Arazi:

Interoperability is very important for A2i, yet we strive to maintain the minimum amount of copies of sensitive information. Pseudo-random IDs are used to transfer information between systems, with the recipient system then requesting the information from the secure server that holds the master copy of the information. If authorized, the information is sent to and used by the recipient server for the requisite task, after which the master server is updated, if applicable. In addition to ease of interoperability, this also provides high security, granularly regulated access and reduced likelihood of multiple copies of the same information being out of synchronization.

Mahmood:

My organization uses state-of-the-art technology in the area.

Naglost:

Berkeley deals with interoperability by utilizing industry standard information systems and architectures, and by creating systems and processes that facilitate simple integration between disparate systems and organizations. The benefits Berkeley IT realizes from these systems are wide and varied, and include the ability to obtain a single viewpoint of all company interactions with the customer/partner/competitor and to streamline the training and development overhead for new and existing employees and partners. Berkeley IT has also seen major improvements in the management of customer relations, as all disparate information is integrated and accessible to all employees.

Q: In your opinion, what are the technology limitations in assisting an organization in providing a total security environment in e-commerce systems?

Thompson:

These days there are not many technological limits in regard to e-commerce systems. Most problems arise from retaining skilled staff and other organizational issues. Systems need to be able to evolve and adapt to new security technologies as they become available.

Mahmood:

A lot of technologies including security technologies are still evolving.

Arazi:

And I would agree that there are no significant technological limitations. In addition to a large body of literature and reference works on the subject, there are sufficient numbers of personnel, software and hardware packages (including open-source ones) available. These resources should allow any organization that is capable of developing an e-commerce system to also integrate the requisite security programs, precautions and procedures. Thus, the question becomes one of motivation, since the ability is obviously there.

Oliva:

In terms of technology, data encryption is available and easy to use, and Internet transaction security has passed what happens in the non-Internet world (restaurants and retail stores, for example). The limitations are more investment cost and business process driven than anything else; if you have the money to spend, you can do a really good job at protecting yourself and your customers.

Thomson:

I find that as we develop mostly under Windows architectures and deal with clients with very high availability requirements, the single greatest limitation we see is the lack of 'hot fixes' for security updates and patches. In most cases, systems must be taken offline in order to successfully apply a patch, and it can take 30 minutes of support time in order to properly reboot and re-establish a platform.

Seen:

Our biggest technical limitation is the reliance on vendors to provide timely patches to proprietary systems. It is often said that a chain is as strong as its weakest link. It makes it all the more difficult to reinforce the weak link when you need to rely on someone else to do this.

Naglost:

And wouldn't you agree that e-commerce security environments are usually limited by existing or inferior technology systems that are either not designed to allow additional security mechanisms to be implemented or have serious and inherent security flaws that cannot be rectified by external security mechanisms?

Upadhyaya:

Fundamentally, the problem is that the underlying technologies that we use can never be fully tested until they are unleashed on the real world. Who knows what security flaws will emerge in your operating system, Web server, database server, etc., until someone has tried to hack/exploit it? Because of this, we can never be totally safe, and if we wait for our software to become impenetrable, we will lose our competitive edge.

Q: In your opinion, what are the organizational and managerial limitations in providing a total security environment in an e-commerce system?

Naglost:

The major organizational and managerial limitation in providing a total security environment in an e-commerce system is the willingness of management to commit both funding and other resources to implement security systems, especially when this implementation results in major changes to both information system configuration and general business processes and practices. The organizational culture can also hamper this implementation if staff are unwilling to facilitate the process.

Thomson:

Lack of awareness of security issues is the single greatest problem that we see. In most cases business managers don't know what they don't know and therefore simply adopt solutions that they deem to be the most cost effective without understanding the full impact or risks of their decisions. At the moment there seem to be competitive certification processes for security specialists which further complicates the consulting and tendering process. We find that most companies are reactive rather than proactive with security measures. They undertake analysis and action after they have experienced a security breach and have done little in advance to prepare or plan for a security incident. Even after an assessment has been made, many firms fail to make the assessment process an ongoing one.

Upadhyaya:

I would add, fear and budget. On one end of the spectrum we fear the attack and what we don't understand. Then, ironically on the other, a budget forces us to buy non-industry standard protection devices such as poorly documented firewalls that lead to misunderstandings and even more security flaws.

Arazi:

Certainly, management is often interested in the 'bottom line,' i.e., the financial aspects of the business and the amount of profit generated by the e-commerce system. It is therefore best to build the case for a security policy and implementation as one that will have significant upside and a large downside if done wrong or not at all. Once the initial barriers have been cleared, it is best to explain why certain things happen, rather than just how, to the personnel that develop, implement, support, maintain and manage the e-commerce system. With this understanding, they will prove to be assets, often suggesting technical and managerial improvements to security policy.

Thompson:

But often the decision makers are not those with the operational knowledge of the options in relation to the security environment or in e-commerce systems.

By not having in-depth operational knowledge of e-commerce security, decision makers are handicapped when dealing with their own technical staff. Information technology by its nature changes so quickly that a person with management responsibilities would find it impossible to keep abreast of new developments and technologies. This creates an information gap between managers and technical staff, which in turn makes it hard for the decision makers to ensure that standards are being adhered to and that recommendations made by technical staff are the correct ones. This is not a unique problem and is best dealt with by proper staff management and training.

Oliva:

My list of organizational limitations would include:

  1. Utilizing multiple systems requiring multiple passwords

  2. Partial customer service capabilities due to segregated access to customer information

  3. Changing passwords every seven to 10 days

  4. Retraining on security procedures every 90 days

Managerial limitations would include:

  1. Limited information access vs. trying to increase user productivity through open access

  2. Need-to-know access management cost vs. trusting all users

  3. Funding user education and awareness classes on a very frequent basis

  4. Funding investments in hardware and software without revenue return

  5. Funding real-time response teams for hacker and virus attacks

Mahmood:

I think we all need to admit, though, that there is no such thing as total security environment. If hackers want to break into systems, they can find a way. We must try our best to stay ahead of the hackers.

Q: During the past several years, many organizations have been questioning the actual dollar returns on their investments on information technology-related security programs. In your opinion, how can organizations measure returns in their investment in e-commerce security-related programs? How has your organization accomplished this goal?

Naglost:

Information technology-related security programs should never be measured in terms of actual dollar returns. Just like physical office security or personal security, information technology- related security programs are a necessary business operating expense that limits the possibility of information technology compromise or destruction. It is this information technology compromise or destruction that may have catastrophic 'actual dollar' consequences to the organization if its information technology is left unprotected. Organizations can measure the returns in their investment in e-commerce security-related programs by gathering feedback from their existing customer base and internal employee base on their perception and real experience of the organization's e-commerce security. Berkeley IT has accomplished this goal by directly and regularly surveying both our employees and customers on our existing e-commerce security-related programs. We also involve industry security experts to formally assess our security programs. From this feedback we can gauge our successes and failures, and can work toward improving the overall level of security across the entire organization. If your customers, employees and industry experts are satisfied with your e-commerce security and you are not experiencing security compromises, then chances are you are doing it the right way!

Oliva:

At Intelligent Decisions LLC, we calculate the return on investment two ways:

(a) The intangibles are: direct operating costs not incurred due to having IT security processes and technology in place that stop DoS (denial of service) attacks, reduce the impact of worms and viruses, and unauthorized access or theft of data through the network. We compute our 'savings' based on work activities we do not perform.

(b) The direct returns comprise new business, return business and referrals due to our success in keeping our information safe and secure, and satisfying contractual and ethical obligations involving our customers' data. We accomplish e-commerce security through a variety of approaches including digital certificates, trusted access authentications and firewalls. These capabilities, in turn, allow us to build a business based on successful performance, trust and mature software tools.

Thompson:

CECC has minimized the dollars spent on e-commerce by implementing freely available open-source solutions wherever possible. Open-source software provides small organizations with cost-effective e-commerce security without compromising the robustness of the solution achieved. Measuring the returns on investment is vastly easier when the initial investment is only in terms of staff time. One breach of security could cost an organization its reputation and have a massive impact on revenues. CECC therefore believes this staff time investment is critical.

Arazi:

Rather than looking at positive numbers, an organization would have to evaluate how much it stands to lose if no investments are made in IT security. When considering the purchase of an alarm system for a vehicle or a home, one does not calculate the profit but rather the potential losses without the alarm in place. Similarly, it is difficult, if not impossible, to quantify an organization's net gains or losses, but a consensus exists that news stories about an organization being 'hacked into' and customer data or credit cards stolen are certainly undesired and often very damaging. We have accomplished this goal by attempting to measure the negative effects of not implementing proper security policies, measures and procedures. The results spoke for themselves.

Thomson:

We view risk management and security as an 'insurance policy.' It is something that cannot easily be quantified in terms of a 'return on investment' but can be justified if you consider the cost vs. benefit analysis. The negative publicity and loss of confidence associated with a security incident are more than offset by the cost vs. benefit analysis. In my city, a local grocery store recently experienced their own version of a comparable incident. The store discovered that they had an employee that tested positive for Hepatitis A. The grocery store had a contingency plan in place, and they quickly issued a press release outlining the concern and announcing that they had destroyed the produce that the staff member was responsible for handling. A plan for testing all staff was also announced. The net result was a very positive consumer response and media exposure for a relatively small investment. Had they tried to conceal the incident or not been prepared, the results would have been significantly different!

Upadhyaya:

That's right, because in financial terms, you need to look at your security as opportunity cost. Firstly, without any strategic security planning/implementation, your organization will waste time, energy and resources surviving in a reactive state that is draining and destroying the inventiveness of your IT department. This will have an effect on your competitive advantage, as your department spends more time dealing with issues as they arise, rather than having time to consider R&D or improving existing systems. Thus, your organization will continue to hobble along with costly security inefficiencies that could have been eliminated with investment in e-commerce-related problems. We were like this two to three years ago; we looked at all the man hours spent being reactive to security issues. We then multiplied that time by the chargeable hourly rate for each member involved in resolving the problems, and then time wasted by other staff in the organization due to outages. We then compared that with the cost of e-commerce security programs! All this was without looking at how the outages were affecting our image with clients and potential clients. The bottom line is that the cost of not having a secure e-commerce-related program is much higher than having one.

Mahmood:

Thus, organizations should focus on doing a good job in measuring qualitative benefits?

Seen:

Absolutely. Simply put, measuring the return is difficult, as it usually involves measuring losses which have not occurred. What we have done is look at past issues which have occurred and assessed what our exposure would have been if security measures had not been in place. For example, with the Slammer worm, we determined that our security policy saved us from a potential loss of bandwidth and excess traffic charges, and allowed us to maintain service. In this case, there were two main parts of our policy which came into play: proactive security, in the form of filtering network traffic to the SQL server, and reactive security, in the timely application of patches for SQL Server when they were first released. Certainly, the time and effort invested in applying patches and configuring our firewall was, at a conservative estimate, one fifth of the potential loss if our SQL server had been infected by the worm.

Q: In your opinion, what role should government play in protecting consumer/client rights and privacy in e- commerce transactions?

Naglost:

Government should legislate and enforce regulations that unequivocally protect consumer rights and privacy in e-commerce transactions. It is the responsibility of all government organizations at both the federal and international level to work together to ensure regulations are implemented and enforced, and are not affected by national boundaries.

Mahmood:

That's right. You have to admit, the laws are a little behind in the e-commerce area.

Thomson:

I disagree about government. I think that the government should not be playing a major role in regulating e-commerce transactions. The legislation in Canada and the UK that protects consumer privacy and the confidentiality of information on a broad scale (not just e-commerce) is a good idea, but attempting to regulate individual businesses will become manpower intensive and not yield the results they want. At this point I believe that industry regulation is the best measure.

Thompson:

But governments play an important role as an information provider and may be able to effectively disseminate information that will protect consumer/client rights in relation to privacy in e-commerce transactions.

Upadhyaya:

Similar to an earlier question, the government should be involved in a way that doesn't infringe on the information freedoms of the Internet, but not be powerless to help the consumers. There already are models forming around the globe at the moment: the information regime of China, America's recent laws regarding national security and digital information, and the UK's attempt to please homegrown surfers. Each a different angle, but none to an overwhelming success. Fifty percent of consumers still feel uneasy about e-commerce transactions.

Seen:

I believe that the role government should play should be equivalent to the role governments play in traditional commerce transactions. There are many rules and regulations that can equally be applied to e-commerce transactions as there are to those conducted by phone, fax or e-mail. Increasingly, this situation is becoming more complex because of the ability for the average user to import goods simply by making a purchase online. Government cannot be expected to mandate particular security measures, such as 128-bit SSL sessions, etc. It is up to the marketplace to regulate this itself and refuse to deal with those businesses which do not comply.

Arazi:

I believe that capitalist forces will eventually dictate this rather than any attempt of government intervention. If a certain business can provide a competitive (presumed or real) advantage over another as a result of better protections, that business shall prevail. The customers will decide.

Oliva:

This will continue to be a battleground for years to come, due to the difficult balancing of business access and financial commerce against customer privacy rights. The government should propose standards that form a 'trust agreement' between businesses and customers that provide these minimal levels of bilateral security:

  1. Identity authentication of both the seller (company) and customer. Both parties must have confidence they know who the other is.

  2. Information that is exchanged must be safe from theft or corruption by unauthorized parties while in transit (probably through the Internet) between them.

  3. After receipt of data between parties, business process safeguards must protect customer information from unintended disclosure to third parties or unintended use.

  4. The last step, but hard to accept, is for businesses to pay customers for the use of their information through 'opt-in' choices. However, this creates yet another set of security questions about keeping those identities safe from unauthorized use.

Section II: Challenges, Solutions and Future Issues Facing E-Commerce Security

Q: In your opinion, what are 3-5 current challenges facing practicing e-commerce professionals in modern organizations in dealing with e-commerce security?

Naglost:

  1. The ever-increasing number of hackers who have the skill to penetrate e-commerce security systems.

  2. The growing number of new applications that utilize unique security methods, each with its own inherent security flaws.

  3. The requirement to integrate with external systems that often use disparate architectures and information systems.

Oliva:

  1. Obtaining management support and respect of their skills and importance to the business.

  2. Continuously investing in professional education required to stay ahead of the criminal community.

  3. Educating users and obtaining their cooperation in basic security practices such as not sharing passwords, changing passwords and blabbing about private information in public.

  4. Walking a fine line between 'locking out' all users of company data vs. keeping systems open to customers, suppliers, and employees by utilizing the inherent security abilities of automated systems.

  5. Complying with ever-changing and always conflicting governmental laws and regulations.

Thompson:

  1. Lack of client expertise - clients are often unable to adequately assess alternatives based on e-commerce security, so decisions are made based on factors such as price, company location, etc.

  2. Cost

  3. Pace of change and degree of redundancy

Arazi:

  1. Security is often regarded as a non-profit-generating expense and is therefore not given sufficient funds.

  2. Security is often taken for granted. It is almost totally ignored until the very end of the specification and implementation phases, after which it is added as an afterthought, if at all.

  3. Lack of understanding that securing an e-commerce system is an ongoing process that must start with the initial specification and continue through every day the production e-commerce system is functional.

Upadhyaya:

  1. In recent years, e-commerce has attracted interest from businesses and consumers alike which has caused growth in the number of B2C transactions. Even so, I doubt that e-commerce will reach its full potential until customers perceive that the risks of doing business electronically have been reduced to a tolerable balance.

  2. Consumers may have justifiable concerns about control, authorization, confidentiality, transaction integrity and anonymity.

Thomson:

  1. The nature and type of threat is constantly changing, and it takes considerable time and effort to identify and address the risks.

  2. Businesses are becoming more and more dependent on their information systems, and the impact of any potential attack or outage continues to increase.

  3. Technology solutions are becoming increasingly complex, and identifying and resolving security risks at the application level is becoming more difficult.

Mahmood:

  1. The challenge to stay ahead of the hackers

  2. The need to deal with integrity threats and necessity threats (DoS)

  3. Dealing with Web server threats and database threats

Seen:

The biggest challenge is still education. Educating non-technical clients about what measures must be taken to make a good-faith effort to protect the consumer. Also, consumers need to be educated about where to put their credit card number and where not to put it.

Other challenges include the frightening prospects of systematic identity theft. Given that e-commerce sites collect private and often confidential client data, they can present a prime target for skilled groups who aim to perpetrate these crimes. In the case that an attack is motivated by the opportunity to steal data rather than gain a financial advantage, it is difficult to detect when such an attack has occurred; there are no balance sheets recording who has accessed what data.

Q: What are 3-5 solutions that you can recommend to practicing e-commerce professionals in managing e- commerce security effectively?

Naglost:

  1. Adopt a continuous learning approach to e-commerce security including consistent, periodic investigation and research of online, lecture and periodical-based material to ensure maximum exposure to all current and emerging issues.

  2. Plan and document all systems, especially the overall security architecture. This will ensure that all areas of security are covered. Discuss the architecture in simple terms with management and gain top-level support for the overall plan.

  3. Implement reliable, tested and industry standard solutions where possible and ensure sufficient business processes are developed to facilitate the overall security objectives.

  4. Use e-commerce security specialists to assist with the development, implementation and testing of your security systems to ensure complete and comprehensive solutions.

Oliva:

  1. Know your users, customers and suppliers in order to be able to isolate strange activities without delay.

  2. Plan for the worst-case security breach scenario and implement proactive processes and tools to stop it from happening, if possible.

  3. Train management about what is possible and impossible for you to do. They need to know how they can help you succeed.

  4. Be realistic when developing budgets: don't ask for the sky but don't ask for tools that can't protect the company's data assets.

  5. Use common sense in enforcing security regulations and restrictions.

Thompson:

  1. Ensure that technical issues are explained clearly

  2. Provide links to external information on security issues wherever appropriate

  3. Partner with like organizations to reduce the costs, share knowledge and aggregate to secure more sustainable outcomes

Arazi:

  1. Increased awareness in all levels of the organization will greatly boost security. Overall security will increase as different departments see that IT, business and management have 'bought in' to the need for security and are diligently working on solutions.

  2. Decision makers, designers and implementers within an organization must be educated to think in a security-conscious manner when performing their duties. Once this happens, business decisions will drive technological specifications that will evolve into secure implementations of e-commerce systems, to the benefit of all.

  3. 'Hands-on' management, that is, security professionals must rely on themselves as well as on others while recommending policy and implementing it. Much like doctors or mechanics, one must practice and personally experience the subject rather than just read theoretical material about it.

Upadhyaya:

  1. Thin clients offer greater reliability and increased security. All data and applications are held centrally and not on the desktop, which gives greater security and control of user access to the network, applications and data; there is no risk of infecting the desktop with viruses or 'snooping' programs, and the server is highly protected against hacking and intrusion.

  2. Self-hosting. What I mean is, do not share your server with other companies. It is common sense: if you have the infrastructure to be able to provide e-commerce solutions, then spend your budget on your own box.

  3. Encrypt your databases, be more proactive and protect your clients' data. Implement detailed security policies that only grant access to certain applications and IP addresses.

  4. PGP signing e-mail...slow uptake, very small early adopter market share. The biggest problem in our industry with this is that we all use secure thin clients to gain access/register with our online banks/e-commerce retailer. Then our passwords are sent back to us in a plain-text e-mail. Do not do that; it is very silly and pointless. Never send any sensitive information in plain text.

Thomson:

  1. Adopt industry best practices on the protection of confidential information.

  2. Outsource security monitoring and risk management if it is not a core business competency and internal resources are lacking.

  3. Treat security and risk management as an ongoing task rather than a one-time evaluation or certification.

  4. Don't overlook the weakest link in the organization (typically staff) when developing a security policy. There is no point building a steel door for a tent!

Mahmood:

  1. Digital certificates

  2. Using SSL

  3. Using firewalls

Seen:

  1. Be aware of developments in security, not just in e-commerce, but in computing generally. Keep abreast of the security flaws that are being exploited, evaluate vulnerability whenever necessary and act immediately. There are many options for security training with a range of organizations that can offer formal training in security and loss-prevention techniques. Alongside these courses, there is plenty of scope for exploring usenet groups and other forums in which security-oriented discourse takes place.

    Vendor-independent mailing lists like CERT Advisories or Bugtraq provide an objective method of tracking developments in security issues and can be a useful addition to mailing lists and announcements published by software and OS vendors/developers. This is an industry-wide issue; it is important to track current security issues in many fields of IT, but the high exposure of e-commerce sites makes this even more crucial.

  2. Think critically. Actively try to pick holes in the systems under development. Take the 'black hat' approach and try and spot where and how you would do the most damage to a system.

  3. Know how to respond if the worst happens. Know who must be contacted in the event that the worst occurs. Depending on the compromise, this may include banks, financial institutions, merchant service providers, and of course, clients and consumers directly affected. Develop an internal 'damage control' plan and review this regularly in light of new security threats. Just going through this process will help to keep security foremost in everyone's minds.

Q: What are 3-5 future challenges that will be facing practicing e-commerce professionals in modern organizations in dealing with e-commerce security?

Naglost:

  1. The security threats will not only come from external sources but as local staff become more technologically advanced, internal threats will become a major factor.

  2. The integration of multiple organizations' e-commerce systems will become commonplace, and the ability to ensure a high level of security within this multi-organizational system will be paramount.

  3. E-commerce security in the mobile arena will increase as m-commerce increases rapidly over the next decade. E-commerce professionals will have to be able to understand m-commerce security requirements and integrate these into their existing e-commerce security environments.

Oliva:

  1. Blocking increasingly sophisticated attacks from organized international criminal elements (cyber criminals and terrorists).

  2. Overlapping and conflicting laws and regulations from international, federal and state governments making it difficult to not be in violation of someone's laws all of the time.

  3. Minimizing liability for financial damages when an accidental breach of information or trust occurs; lawyers will want to extract maximum penalties from all parties, even if an unavoidable situation happened.

  4. Meeting the always-increasing expectations of customers, staff, management and suppliers for 'airtight' security, all the time, for free.

Thompson:

  1. E-commerce professionals acting in isolation will find it increasingly difficult to keep up to date and to ensure that their organization is adequately prepared to deal with all issues associated with e-commerce security.

  2. While e-commerce security will be a continuing issue, it may become more difficult for e-commerce professionals to convince their organizations to invest, to address e-commerce security issues.

  3. The issue of public perception will continue to impact on perceptions of e-commerce security. In the absence of some coordinated effort by e-commerce professionals, media organizations are likely to continue to focus on 'horror stories' rather than promoting stories of organizations successfully dealing with e-commerce in terms of security or other areas.

Arazi:

  1. Improved hacking techniques - Cyber-crime is on the rise, and thus cyber-criminals are constantly evolving to employ better penetration and attack methods. This is especially true as e-commerce systems proliferate, thus increasing the potential 'reward' for a successful breach.

  2. Increased financial pressure - As businesses, especially technology-related ones, become more concerned with the financial 'bottom line,' they will try to cut costs wherever possible. This may lead to a situation where e-commerce security will not be allocated the resources required for a proper implementation and ongoing maintenance and upgrades, or to a scenario where security will be integrated into an organizational division that may not know enough about the threats.

  3. Increased bureaucracy - As legislation and regulation of e-commerce environments increase, situations may arise where implementations of security systems may, temporarily or permanently, be affected by laws and other rules and regulations. This may cause certain implementations to become very cumbersome.

Upadhyaya:

  1. Emerging mobile technologies and the security implications involved such as reduced bandwidth and processing overhead.

  2. Dissemination of technologies within the information militia (the cracker/hacker communities), for example distributed attacks like DoS and brute force key cracks.

  3. Complying with future regulations, bringing your current information/e-commerce solution in line with legislation.

  4. The need to encapsulate future communication standards such as building 'future-proof' security measures.

  5. Embracing new and old forms of private data encryption, e.g., PGP, etc.

Thomson:

My future challenges are largely the same as the current challenges with the addition of: Government regulation creating further paperwork and workload for businesses that already adopt best practices.

Mahmood:

  1. To help customers understand the security protocol

  2. To make sure that customers feel safe doing business online

  3. To make it as easy as possible to shop online

Seen:

  1. In my company, we are working toward developing decentralized, peer-to-peer e-commerce systems. In the P2P realm, most of the conventional thinking regarding e-commerce security gets thrown out the window. Issues of mutual trustworthiness, nonrepudiation, etc., are challenges that professionals in the sector must face. Given the tremendous promise for P2P in e-commerce, I have no doubts that we will see increasing coverage of these issues in the future.

  2. Another challenge we face is the 'commoditization' of e-commerce solutions. When a consumer can walk into a department store and buy an 'e-commerce in a box' solution, it devalues the hard work and effort that goes into developing a tailored, secure product. E-commerce professionals need to value-add in every way possible if they are to continue to justify their existence for all but the largest of projects.

  3. Finally, I can see connected mobile devices experiencing a resurgence along with the spread of true 3G capability in the cellular network. Mobile and ubiquitous computing devices will offer the potential for anywhere, anytime e-commerce transactions. I can see many challenges and opportunities in tailoring high-availability e-commerce systems to this marketplace.

[*]The DCF was created to develop the digital content sector by forming a two-way conduit between industry and government to gather views and input into policy- making practices (www.dcf.org.uk).

E-Commerce Security: Advice from Experts (IT Solutions series)
ISBN: 1591402417
Year: 2003
Pages: 106