Introduction

Technology is still developing in Saudi Arabia and has not reached the advanced level it has reached in the UK and USA. Internet security therefore remains a major issue for most businesses and organisations in Saudi Arabia.

Media hype surrounding the topic of Internet security can scare the general public, as well as novice users. The continual talk of the latest virus alerts, which have corrupted thousands, and stories of teenagers hacking into networks and stealing information such as personal details, credit card details and other details relating to different institutions, is enough to put anyone off the idea of using their personal details over the Net. All this media hype needs to be examined to see whether it is just that, or whether there are grounds for all this sensationalism.

The chance to undertake extensive research and to establish leads and ideas about Internet security that I have not come across before is a major challenge for me. I feel that conducting this research will broaden my knowledge of Internet security and also help people understand the aspects of Internet security which they haven't come across before.

Abstract

This dissertation looks at the question ‘Is the Internet secure?', where secure is defined as ‘secure enough to trade or pass information' via the Internet. With the constant media hype about Internet security, this title was felt to be one of interest and appeal. The research therefore includes determining what types of organisations are present on the net and categorising them into several groups, studying past literature to determine all possible threats on the Internet, and then discussing possible solutions to these threats.

As society is in the information revolution, in which the Internet is the main channel for distribution, this area of research relates to each and every one of us. Internet trading is a common practice amongst the new age. However, this is a subject that needs to be addressed to see whether all this ‘media hype' is just that, or whether there are just grounds for concern.

With the number of users on the Internet growing daily, and businesses becoming completely dependent on technology, serious issues of vulnerability need to be looked at to ensure that no gaps appear in the security aspects of the Internet, which would in turn trap new users. Conclusions were drawn from the companies interviewed and researched.

This research aims to provide the reader with a deeper understanding of Internet security. The Internet is a medium that will be a part of future generations, and it is paramount that it is managed correctly to ensure it does not have devastating consequences for those involved in its operation. The research carried out draws the conclusion that the Internet is not secure for trading, and that a regulatory body or more structured policing is required.

Therefore more action is needed from organisations as well as from the government. Future research can concentrate on data recovery methods, application methods and interviewing in more depth and on a longer scale.

Acknowledgement

Chapter Outline

Chapter 1:

The introduction to this chapter starts with the definition of I.T security. It follows on with the aims and objectives and the methodology followed during the fact-finding exercise. The chapter also outlines the scope and the limitations of the project.

Chapter 2:

This chapter describes how the internet was formed and how it has developed. Finally it highlights the key developments of the internet throughout its early life cycle, and the growth of its user base.

Chapter 3:

Defines the types of businesses that trade on the net categorising them into several divisions, which are further explained in the appendix. This chapter also talks about on-line banking and how to purchase over the Internet.

Chapter 4:

Starts by discussing the potential threats of viruses, how they work and how they spread. It also discusses what different authors believe to be the main threats of the Internet. It also talks about all the potential threats and briefly defines each one.

Chapter 5:

Discusses the potential answers to the security issues, broadly discussing all of the security applications available. The chapter introduces computer security as well as the different applications.

Chapter 6:

The fact-finding stage highlights the responses gained from the organisations that were interviewed. The findings were incorporated into graphs to illustrate the answers.

Chapter 7:

To conclude this study, the author discusses what the project aims were, how the findings were achieved and why the author came to this conclusion. A SWOT analysis was also carried out to assist the conclusion.

Appendix:

Any information that did not fit in the thesis, but which the author felt important, is included in the appendices. The appendices also contain other documents and information that have been referenced in the dissertation.

I.T security as defined in this dissertation is the practices, procedures, applications and services which ensure a security breach or loss of use of a computer system does not occur. Security provides protection for IT system resources from human action. The security products, services and procedures used will aim to protect any hardware or data in the system.

1 Introduction

1.1 Human Action

Human-inspired security breaches are defined as accidental or deliberate, passive or active attacks, which result in the loss or damage of I.T system hardware, software or data. This can come in many guises, as the following shows:

  • Viruses - where a program is placed on a system with the intention of corrupting its processing.
  • The theft of data.
  • Hacking - deliberately gaining unauthorised access to a computer system.
  • The invasion of privacy, through the unauthorised disclosure of data and breaches of data protection legislation.
  • Sabotage - interfering with the processing of a system, such as the placing of a ‘clone machine'.

1.2 The Key areas of I.T Security

I.T security involves a number of key areas. The most important of these are introduced under the following headings.

1.2.1 E-Commerce

E-Commerce (Electronic Commerce) security involves measures to secure web merchants' sites from external hacking and intrusion, with the aim of developing secure online transactions. E-Commerce requires the means to engage in electronic transactions without the fear that credit card details and bank details could get into the wrong hands. These involve, for example, the use of secure payment servers and secure software servers.

1.2.2 Network Security

The aim of network security is to create a secure environment in which users can send classified information and business applications solely to those people that they wish to receive them, preventing others from accessing the data. This is an issue of increasing concern, given the growing importance of networks to companies. This aspect of security tends to revolve around using network management and security software tools, and developing network security policies.

1.2.3 Virus Protection

To prevent computer viruses from infecting I.T systems, companies use anti-virus software and alert systems.

The requirements for information security, as well as the types of products and services used, have undergone a major transformation since 1995. The need for security has widened: where traditionally it was confined mainly to governments protecting classified data and financial institutions protecting messages with monetary value, today most medium-sized to large organisations require information security.

The growth of computer networks, group working and mobile working, and the subsequent need to communicate with contacts outside the organisation, has made I.T systems more open to external forces and more vulnerable to internal action. Today, security is demanded to handle communications through the internet, intranet, extranet and Virtual Private Networks (VPNs). All of these technologies use common, standardised networking protocols and such networks are exposed to greater security threats than before.

In a modern computer network, employees share information with each other, and companies share information with their suppliers, partners and customers. This calls for a more sophisticated security system, which is more comprehensive and flexible than the products and services used in the past, and which can be deployed to a large number of users in a consistent, manageable and secure fashion.

1.3 Aims and Objectives

  • Introduce and provide an overview of the development of the Internet. How it was started and how it works.
  • Identify the diverse nature of businesses that trade on the Internet, their roles and their functions.
  • Identify and disseminate the literature available on threats inherent in the use of the Internet including viruses and secure transmission of data.
  • Identify and discuss the appropriate solutions for any potential threats for internet security.
  • Evaluate and conclude the arguments, to discuss potential ways of enforcing a suitable security policy for web-based companies.

1.4 Methodology

Information for this study was gathered from journals, books, Internet sources and certain company documentation pertaining to Internet security. The best form of methodology for this type of research would be to use Quantitative and Qualitative analysis as well as the use of secondary sources, as mentioned.

Quantitative research was used to gain rich information, essentially finding out the ‘experts' opinions from the relevant areas of expertise for the research. The qualitative research consisted of a questionnaire with open-ended and some closed questions. The main aim of this questionnaire was to elaborate on the author's literature review, essentially agreeing or disagreeing with the literature presented in this study. For the quantitative aspect of the research a short structured questionnaire was designed; this consisted of closed questions, which would give a statistical look to the fact-finding chapter. This questionnaire was distributed in Preston and Jeddah (Kingdom of Saudi Arabia). Closed-question questionnaires were used to gauge awareness of the issues presented and to gain views, beliefs and attitudes towards them. The questionnaires were designed to ensure easy reading, therefore overcoming any confusion on the respondent's behalf. Questions were explained to ensure complete reliability in the responses.

1.5 Limitations and scope of Dissertation

As Internet Security is a very large topic, this author has limited his research to the following:

  • Types of businesses on the web, categorising them in several areas.
  • Discussing threats that past authors identified.
  • Discussing possible solutions to these threats that past authors identified.
  • Carrying out a first-hand fact-finding exercise to either agree or disagree with the literature.
  • Setting out the key differences.
  • Summarising the thesis and presenting the findings.

2 What is the Internet and how it started

The revolution in computer networking has made it possible for personal computers to communicate with each other. This chapter is about the Internet and gives a history of its beginnings. It provides a comprehensive view of the literature regarding factors that promote e-commerce and aid the new era of online banking. The scale of the Internet is awesome, and more and more people are connecting to the net. The statistics continue to grow daily at an alarming rate. People from all walks of life, not just scientists, teachers and computer experts, use the Internet.

2.1 Origins of the Internet

The Internet has its roots in a network set up by the United States Department of Defense in the early 1970's (Ellsworth 1994). This network (ARPANET) was a collection of four computers. By 1996 the Internet was a collection of over 50,000 networks. The methods they slowly developed included a ‘Protocol' (which is a computer language) allowing dissimilar computer systems to communicate, and a method that routed data through multiple communication paths using groups of data with their own destination addresses built in (packets). Prior to this technology, even with machines that were compatible, the user had to physically carry magnetic tapes and insert them into another machine in order to transfer data from one computer to another. With the new technology, a computer simply has to put its data into an envelope called an Internet Protocol (IP) packet, and ‘address' the packet correctly, to send a message on the network. The philosophy was that every computer on the network could talk to any other computer.

2.2 NSF Developments

“In the late 1980's the National Science Foundation (NSF) started expanding its own NSFNET using the technology developed by ARPANET” (Krol 1992). Five supercomputer centres at major universities were created, and connections were used for e-mail and for transferring data and information between sites. This created a communications problem: they needed a way to connect their centres together and to allow the clients of these centres access.

“In response, the NSF built its own network based on ARPANET Internet Protocol (IP) technology” (Eraase 1994). It connected these centres with telephone lines. Since the telephone lines were paid for by the mile, it was obvious that each university could not be connected to a supercomputing centre, due to financial constraints. They instead created regional chains of networks, with each university being connected to its neighbours; at the top of this chain there was a connection to the supercomputer. Eventually any computer was able to communicate with any other computer by forwarding the conversation through its neighbours.

2.3 Internet Created

The NSF agreed to commercial exploitation and on-line services sprang up. “CompuServe, the first of these, started in 1970 and fifteen years later claimed 3.2 million users in 20 countries. It was part owned by commercial relationships with the German group Bertelsmann and the French group Hachette” (Winston 1998). Prodigy belonged to IBM and Sears and claimed 1.4 million users. His ‘World Wide Web' was open for business in 1992. Meanwhile a commercial Internet Exchange had been established in 1991.

Large multinational corporations have been on the Internet for years, although their access has been limited to research and engineering departments. In 1992, many of the restrictions on commercial use began to change. In fact, there are already more commercial sites on the Internet than educational and research sites combined; according to statistics, commercial addresses now comprise 51% of the network domains. The Internet is made up of over 25,000 networks that can transfer data via many routes. However, it is nearly impossible to pin down any exact numbers concerning its size because its growth is unparalleled by any other industry. Ghosh (1998) states that the Internet has been adopted faster than any other technological development.

2.4 The use of the Internet

Between 1993 and 1998, the number of Internet users was estimated at more than 100 million, and the number of sites on the WWW grew from 130 to 4.3 million. As of June 1999, the Internet user population has been placed at around 170 million people. It has been forecast that the number of users will reach 350 million worldwide by 2005.

In simple terms, the Internet allows millions of people all over the world to communicate and to share. “The Internet is the first global forum and the first global library” (Hahn and Stout 1994). Commercial businesses are the fastest growing segment of the Internet; you can gather information, communicate and actually transact business on the Internet. Here are a few reasons why businesses are using the Internet:

  • E-mail is a low cost method for maintaining communication at all levels.
  • Messages can be exchanged in minutes.
  • E-mail is a domain for sharing information and is said to be one of the most important productivity packages around.
  • The Internet allows businesses to be in touch with different branches and work teams at other locations.

This creates a virtual community in which people are able to communicate on a daily basis.

Using the Internet many organisations are able to bring a global edge to home grown businesses. For many companies, the use of the Internet creates a level playing field; smaller businesses can create an image on the network to compete with larger businesses.

“Many corporations use the Internet to keep a check on the rate of emerging and new technologies, and the market response to these technologies” (Ellsworth 1994). The public information and discussion groups available on the Internet provide insight and feedback that is hard to get in any other manner. Here people from all levels of industry exchange information on marketing research and technological developments. Having the most up-to-date information about your markets and your products allows you to keep or increase your competitive edge.

In a business where the concept of getting closer to the customer is prime, the Internet is becoming increasingly important as well. Internet sales, where customers are sought and served on-line through Gophers and a variety of virtual storefronts, are also becoming more popular. Customers can be and are sought before the sale and supported after the sale. Companies are able to carry out actual product sales transactions on the Internet. In addition, in some cases it is possible to deliver the product via the Internet, as with software and information. Many companies have been using the Internet for the transmission of data. The major financial institutions in the world use the Internet extensively for exchanging information and files. Corporate users are now responsible for the transfer of the largest portion of data.

2.5 The World Wide Web

“The WWW is the newest information resources to the Internet” (Krol 1992). It is based on technology called Hypertext Mark-up Language (HTML). Hypertext is a method of presenting information where selected words in the text can be expanded at any time to provide other information about the word. These words are actually links to other documents, which may be in text, picture or sound format. The presentation of information on the web is much friendlier than traditional methods and the interface provides a user-friendly environment. “The combined with the ability to use any of the Internet's tools within the web has been a catalyst for the rush to get on the Internet” (Ellsworth 1994).

The WWW can be defined as a global, interactive, dynamic, cross platform, distributed, graphical, hypertext information system that runs over the Internet and is available globally (Lemay 2000 Online).

In the early 1990's the advent of the World Wide Web on the Internet represented the turning point for electronic commerce by providing an easy-to-use technology solution to the problem of information publishing and dissemination. The web made electronic commerce a cheaper way of conducting business and enabled more diverse business activities.

The WWW infrastructure is built around the following:

  • Web sites: A web site is a collection of web pages maintained by a college, university, government agency, company or individual.
  • Web page: A web page is a document on the web. Web pages can include text, pictures, sound and videos.
  • Web server: A web server is a computer connected to the Internet that makes web pages available to the world.

The World Wide Web is a dynamic structure, and due to the popularity of this new phenomenon it is expanding rapidly. The reason for it being so popular is the fact that information can be made available to anyone anywhere in the world in a matter of minutes (Kalakota, Whinston. 1997 p.145).

What types of businesses are trading on the web

Business is changing. The way we do business is changing. The electronic commerce revolution is upon us, and perhaps represents the greatest single change to the way in which business operates. Companies of all sizes are now working together to establish their position and create opportunities in this world.

The Internet phenomenon has resulted in a major shift in the way organisations do business, and how they intend to proceed in the future. Many organisations now realise that without an e-commerce strategy they will not survive. This realisation has affected, and will continue to affect, business relationships of all sizes.

E-Commerce

E-Commerce (Electronic Commerce) is the buying and selling of goods and services on the Internet, especially the World Wide Web. In practice, this term and a newer term, e-business, are often used interchangeably. For online retail selling, the term e-tailing is sometimes used.

E-Commerce can be divided into:

  • E-tailing or “Virtual Storefronts” on web sites with online catalogues, sometimes gathered into a “Virtual mall”.
  • The gathering and use of demographic data through web contacts.
  • Electronic Data Interchange (EDI), the business-to-business exchange of data.
  • E-mail and fax and their use as media for reaching prospects and established customers (for example, with newsletters).
  • Business-to-Business buying and selling.
  • The security of business transactions.

Electronic messaging technologies streamline business processes by reducing paperwork and increasing automation. (Kalakota, Whinston. 1997 p.54).

E-Commerce today is a very wide area of study due to its phenomenal growth and thus can be described as an umbrella concept, which will continue to grow. It therefore incorporates a variety of disciplines and can be described as following the path of a hierarchical structure.

Recent technology has increased the capacity of e-commerce transactions, resulting in noticeable paradigms in a number of daily transactions. There are unforeseen benefits not only to businesses, but also to consumers, the government and even on a global trade level.

The technology that is responsible for taking e-commerce to a global stage is the Internet. There are also other factors that have affected the growth of e-commerce, for example, the availability of hardware at affordable costs, as well as the increased power and ease of use of operating systems and software.

With the prices of computer hardware and network equipment falling, e-commerce is seen as one of the strategic investments in line with the marketing goals of most businesses, to stay competitive, improve productivity and deliver quality services.

Commonly, e-commerce is associated with the buying and selling of information, products and services via computer networks. It is also known as the paperless exchange of electronic information, whether it is by electronic data interchange (EDI), electronic funds transfer or other similar technological methods.

Overview of E-Commerce

E-Commerce evolved as early as the days of Alexander Bell, followed by the launch of terrestrial television and radio communications. However, recent developments in technology have increased the efficiency of commerce and have placed e-commerce under the spotlight. During the mid 20th century, the channels through which e-commerce took place were telephone networks, the television and the radio. In their infancy they impressed businesses and consumers, as did EDI in the early 1970's, and now at present the Internet has brought back the same feelings.

Figure 1 below illustrates a generic framework for electronic commerce and gives an overview of e-commerce (Kalakota, Whinston. 1997).

[Figure 1: Electronic Commerce, showing the categories B2A, B2C, C2A and B2B and the channels they use: the Internet (including EDI, marketing, purchasing and e-mail), telephone, fax, cable, satellite and digital TV, collaborative work groups, EDI via Internet, telecommuting, electronic funds transfer, e-mail and video conferencing.]

Types of E-commerce

E-commerce covers five main categories that are listed below:

  • Business to Business (B2B)
  • Business within Business (BWB)
  • Business to Administration (B2A)
  • Consumer to Administration (C2A)
  • Business to Consumer (B2C)

These are discussed in detail in Appendix 3 titled Types of Web Traders.

The introduction of e-commerce has facilitated consumer-to-business transactions; customers learn about products through electronic purchasing. From a consumer perspective, electronic commerce facilitates the following:

  • Social Interaction. Electronic Commerce enables consumers to communicate with each other through electronic mail, video conferencing and news groups.
  • Personal Finance Agreement. Use electronic means to manage personal finance and management using the online banking tools.
  • Purchasing Products and Information. Allows consumers to find online information about existing and new products and services.

(Kalakota, Whinston. 1997 p.139)

The explosion in Internet traffic has created other problems. Most worryingly, there are continuing fears that many companies offering financial services online are not providing a secure environment to clients and customers.

Purchasing on the Web

The Internet and the World Wide Web have dramatically changed the way consumers seek and use information online.

Whether they are shopping for information or shopping for goods and services on-line, today's consumers must learn how to manage the resources (Kelley, B & Weibke, J. 2003).

Most attention on e-commerce has focused on business-to-business transactions and analysts say the surging electronic business-to-business market is about to explode.

On-line purchasing systems promise to streamline operations, save time and cut the costs of businesses drowning in order processing. Most buying over the Internet focuses on indirect materials, also known as non-production goods or maintenance, repair and operations.

Typically, such applications let any employee order, through managed access rights, non-production supplies and services from an on-line catalogue on a web server. They simplify the process of buying day-to-day items such as office equipment, PCs and other electrical goods needed to run the company. A recent study carried out by Forrester Research (2000) suggested that on-line commerce will rise from £657 billion in 2002 to reach £6.8 trillion in 2004. The statistics suggest that more customers are shopping day by day and revenue is increasing for on-line shoppers. This view is supported by Swazey (1999), who believes that on-line shoppers spend more time shopping than normal high street shoppers and that the amount of money spent rises with the amount of time spent on-line. The viewpoint of Swazey (1999) is similar to that of Ghosh (1998), who states that “On-line shoppers tend to get carried away within the comfort of their own home”. However, the above viewpoints contrast with an article (Computer Fraud & Security, Sept 2000, p.2) that seemed to suggest that although it may seem like everyone is on-line, this is not true.

Internet Banking

Internet Banking is no longer a novelty. Banks have long ceased being worried about trading via the web, and instead have embraced the newest delivery channel with enthusiasm. All clearing banks, including the connected building societies, now offer Internet-based banking services and all will have an online current account in place. Some, including Barclays, Woolwich, Abbey National and HSBC, have developed other channels of delivery including digital TV and mobile phone banking services. All e-banks promise busy current account users speed and convenience. There are no counter queues in cyberspace and e-banks are open 24 hours a day, seven days a week. On-line banking customers can check their balances, view recent transactions, transfer funds, set up standing orders and direct debits, and also have the option to pay bills on-line.

In the past, the banking industry was chiefly concerned with asset quality and capitalisation; if the bank was performing well along these dimensions then the bank would be profitable. Today performing well on asset quality and capitalisation is not enough (Kalakota, Whinston. 1997 p.30).

The Internet is a medium that provides a new dimension and introduces much opportunity especially for banks; the main advantages are outlined as follows:

  • Enable innovation
  • Cost savings
  • Increased customer base
  • Enable mass customisation
  • Marketing and communication
  • Developments of non-core business

A report issued by the BE Agency (2000) states that experts believe the slump in high street banking due to deregulation can be revived by this new medium, e-commerce, which offers the potential of reviving or at least halting the decline by raising customer service standards, increasing the choice of retail financial products, reducing charges and giving customers a more convenient way to manage their money.

It is agreed with Patterson (2000) that the banks will have to go online. His reason why banks have to adopt this new medium is, “in short answer to win over new customers”. It would be easy to leave it at that, but the other factors he says will promote this new medium are lower cost of account servicing, cross-selling opportunities, customer relations and because they have to.

Customers can now deal with their accounts personally at any time, from anywhere in the world, for any reason. Customers also have the facility to compare and contrast the products and services of a multitude of banks and choose one that meets their requirements. Knowing how safe it is to use a website and conduct transactions on-line is one of the most important issues. On-line privacy and security are the most important issues for all Internet users now and for years to come. Consumers worry that companies may misuse their personal information; identity theft, credit card details theft and virus attacks affect virtually all areas of Internet use (E-Marketer, 2002 Online).

It is important to remember that Internet Banking is still at an early stage of development; therefore the appearance, features and functions are continuously evolving (Foley and Jayawardhena, 2000).

The above statement is important, and it is agreed that Internet Banking is a new medium and will inevitably have many problems occurring in future. The argument is also supported by Gordan (2001), who suggests that the biggest fear of using on-line banking is the fear of intruders hacking into your personal and financial information.

Threats on the Internet

This chapter will discuss the threats on the Internet, from viruses to corporate raiders. It will detail all potential hazards of the Internet. Starting with viruses, it will continue to discuss other threats.

What is a ‘Virus'?

Computer viruses are called viruses because they share some of the traits of biological viruses. A computer virus passes from computer to computer like a biological virus passes from one human to another. Traditional computer viruses were first prevalent in the late 1980's, and were due to several factors.

The first factor was the spread of personal computers (PCs). Prior to the 1980's, home computers were non-existent or they were toys. Real computers were rare and ‘experts' locked them away for their own use only. During the 1980's, real computers started to spread to businesses and homes because of the popularity of the IBM PC (1982) and the Apple Macintosh (1984). By the late 1980's PCs were widespread in businesses and homes.

The second factor was the use of the computer ‘bulletin board'. People could dial up a bulletin board with a modem and download programs of all types. Bulletin boards led to the precursor of the virus known as Trojan Horse.

The third factor that led to the creation of viruses was the floppy disk. In the 1980's programs were small size and you could easily fit the operating system, word processor and some documents onto a floppy disk. Many computers didn't have hard disks, therefore when it was switched on the operating system and all other system information was uploaded from the floppy disk.

The above figure 2 was part of the questionnaire and also facts and figures can also be view at www.securitystats.com

  • How computer Viruses and Worms work

Computer viruses show us how unknowingly vulnerable we are, but they also show how sophisticated and interconnected human beings have become. For example, the “Melissa” virus, which became a worldwide phenomenon in March 1999, was so powerful that it forced Microsoft and a number of other very large software companies to completely turn off their e-mail systems until the virus could be contained. The “ILOVEYOU” virus in 2000 had a similarly devastating effect. This is quite impressive when you consider how simple the Melissa and ILOVEYOU viruses are.

A source on the ILOVEYOU virus is the BBC article of Thursday, 4 May 2000, 19:04 GMT 20:04 UK, at http://news.bbc.co.uk/1/hi/uk/736080.stm

  • What is a ‘Worm’?

A worm is a computer program that has the ability to copy itself from machine to machine. Worms move around and infect other machines through computer networks and can expand from a single copy incredibly fast.

The danger of a worm is that it can allow a variety of attacks to take place over the Internet (Garfinkel & Spafford, 1996). Slade (1996) agrees with this statement and states that a well-crafted worm can look for vulnerable machines, embed itself in them and wait to launch a synchronised denial of service (DOS) attack.

Worms use up computer time and network bandwidth when they are replicating, and they often have some sort of evil intent. The Code Red worm is expected to slow down Internet traffic when it begins to replicate itself. Each copy of the worm will scan the Internet for Windows NT or Windows XP servers that do not have the proper anti-virus software to protect them. Each time it finds an unsecured server, the worm will copy itself to that server. The new copy will then begin to scan for other servers to infect. Depending on the number of unsecured servers, this worm could conceivably create hundreds of thousands of copies.

  • Security: Threats on the Internet

Attacks on the security of a computer system or network are best characterised by viewing the function of the computer system as providing information. Generally there is a flow of information from a source, such as a base file, to a destination and then to a user.

The diagrams below illustrate how each security threat is created.

Figure 3: Security Threat: Interruption (Source: Stallings, 1995). Diagram labels: Information Source, Information Destination.

Interruption: An asset of the system is destroyed or becomes unavailable or unusable. This type of attack is on Privacy. Destruction of a piece of hardware, such as a hard disk, the obstruction of a communication line, or bringing the file management system to a halt are all examples of this type of attack.

Figure 4: Security Threat: Modification (Source: Stallings, 1995). Diagram labels: Information Source, Unauthorised Agent, Information Destination.

Modification: An unauthorised party not only gains access to, but also hinders or tampers with, this information or asset. This is an attack on Integrity. Examples include changing values in a data file, altering a program so that it performs differently, and modifying the content of a message that is being transmitted on the network.

Figure 5: Security Threat: Interception (Source: Stallings, 1995). Diagram labels: Information Source, Unauthorised Agent, Information Destination.

Interception: An unauthorised party gets hold of the information without the knowledge of the recipient. This type of attack is on Confidentiality. The unauthorised party can be a program, a person or a computer. Examples include wiretapping to capture data in a network, and the illicit copying of files and programs.

Figure 6: Security Threat: Fabrication (Source: Stallings, 1995). Diagram labels: Information Source, Unauthorised Agent, Information Destination.

Fabrication: An unauthorised party inserts counterfeit objects into the system. This is an attack on Authenticity. Examples may include the insertion of false messages in a network or the addition of records to a file.

According to Daniel Amor (E-Business (R)evolution, 2000), there are four main areas of attack into which most threats on the Internet can be classified. They are as follows:

  • Loss of Data Integrity - Information is created, modified or deleted by an intruder.
  • Loss of Data Privacy - Information is made available to unauthorised persons.
  • Loss of Service - A service breaks down due to the action of a ‘hacker’.
  • Loss of Control - Authorised persons use services in an uncontrolled way (Amor 1999).

According to V Alunja (1996), the threats to network security can be classified into three general areas:

  • Unauthorised access to the information
  • Unauthorised modification of the information
  • Unauthorised denial of service.

  • Active Attacks

These attacks involve modification of the data stream and can be subdivided into four main categories, as follows (Stallings, 1999):

  • Masquerade
  • Replay
  • Modification
  • Denial of Service

Masquerade: Takes place when one entity pretends to be another entity. Authentication sequences can be captured and replayed after a valid authentication sequence has taken place, therefore enabling an authorised entity with few privileges to obtain extra privileges by impersonating an entity with those privileges.

Replay: Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorised effect.

Modification: Simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorised effect.

Denial of Service: Prevents or slows down the normal use or management of communications facilities. This attack may have a specific target. Another form of service denial is the disruption of a network, either by disabling the network or by overloading it with messages so as to degrade performance (Stallings, 1996). Breaches have occurred on sites such as Yahoo.com and Ebay.com, which involved DOS attacks that denied customers access to the websites' online services (Jolo, 2003).

Ghosh (1998) agrees with the view of Jolo (2003) and states that DOS attacks have been called the ultimate Internet security nemesis. Active attacks present the opposite characteristics of passive attacks. Devargas (1993) agrees with Stallings (1996), and he too talks about passive attacks and intentional hacking in his research. Devargas also talked about denial of service attacks and replay, claiming that these were malicious attacks which needed to be detected quickly in order to limit the damage.
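Masquerade, replay and modification, as defined above, can all be detected by the receiver. The following sketch is an added example, not taken from the dissertation or its sources: each message carries a random nonce, a timestamp and an HMAC tag, and the receiver rejects anything forged, altered, repeated or delivered late. The key, names, clock values and the 30-second window are constructed for illustration.

```python
import hashlib
import hmac
import json
import os

FRESHNESS_WINDOW = 30.0  # seconds a message stays valid (assumed policy value)
FIELDS = ("sender", "payload", "nonce", "ts")


def _tag(key: bytes, msg: dict) -> bytes:
    """HMAC-SHA256 over every field, so changing any of them breaks the tag."""
    body = json.dumps([msg.get(f) for f in FIELDS]).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def sign_message(key: bytes, sender: str, payload: str, now: float) -> dict:
    """Sender side: add a fresh random nonce and a timestamp, then tag it all."""
    msg = {"sender": sender, "payload": payload,
           "nonce": os.urandom(16).hex(), "ts": now}
    msg["tag"] = _tag(key, msg).decode()
    return msg


class Receiver:
    def __init__(self, keys: dict):
        self.keys = keys   # sender name -> shared secret
        self.seen = {}     # nonce -> timestamp of messages already accepted

    def check(self, msg: dict, now: float) -> str:
        key = self.keys.get(msg.get("sender"))
        if key is None:
            return "reject: unknown sender"
        # Masquerade and modification: without the sender's key, or after any
        # field has been changed, the recomputed tag no longer matches.
        supplied = str(msg.get("tag")).encode()
        if not hmac.compare_digest(_tag(key, msg), supplied):
            return "reject: bad tag"
        # Delayed delivery: a captured message held back too long is refused.
        if abs(now - msg["ts"]) > FRESHNESS_WINDOW:
            return "reject: stale"
        # Replay: an authentic message is accepted once only.
        if msg["nonce"] in self.seen:
            return "reject: replay"
        # Nonces outside the window can be forgotten, because a message that
        # old is already refused by the freshness check above.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= FRESHNESS_WINDOW}
        self.seen[msg["nonce"]] = msg["ts"]
        return "accept"


def demo() -> list:
    alice_key = b"constructed-shared-secret-alice"   # constructed sample key
    rx = Receiver({"alice": alice_key})
    t0 = 1_000_000.0                                  # constructed clock value

    genuine = sign_message(alice_key, "alice", "pay 10 to bob", t0)
    held_back = sign_message(alice_key, "alice", "pay 20 to carol", t0)
    altered = dict(genuine, payload="pay 9000 to someone else")
    forged = sign_message(b"a-key-that-is-not-alices", "alice", "pay 5", t0)

    return [
        rx.check(genuine, t0 + 1),      # first delivery
        rx.check(genuine, t0 + 2),      # same bytes retransmitted
        rx.check(altered, t0 + 3),      # payload changed in transit
        rx.check(forged, t0 + 4),       # sender name claimed without the key
        rx.check(held_back, t0 + 120),  # authentic but delivered too late
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Denial of service is outside what a message tag can address; this check covers only the first three categories.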

All of these writers point to three main areas of concern, which can categorise most of the above-mentioned attacks. They can be expressed as follows:

  • Confidentiality: Hacking, tapping, masquerading and eavesdropping.
  • Integrity: Corruption due to line noise or deliberate intervention, repudiation of transactions, or modification and disruption of data.
  • Availability: Requires that the computer system assets be available to authorised parties when needed; stolen passwords, imitating legitimate users etc.

  • Natural and Physical Threats

These are threats that imperil every physical plant and piece of equipment. You cannot always prevent such disasters, but you can find out quickly if one occurs (with fire alarms, temperature gauges and surge protectors). You can minimise the chance that the damage will be severe (e.g. with sprinkler systems). You can institute policies that guard against hazards posing special dangers to computers, e.g. smoking or spillage of drinks. You can also plan for disaster by backing up critical data off-site and by arranging for a backup system that can be used if an emergency does occur (Cheswick, 1995).

  • Unintentional Threats

These are the dangers that ignorance brings, for example a user or a system administrator who is inadequately trained, who hasn't read the documentation or who does not understand the importance of following security procedures. A user might drop a disk, or might try to use a database package to perform a simple update and inadvertently wipe out a file. A system administrator might become the super user and change the protection on the password file or on critical system software. Much more information is corrupted and lost through lack of knowledge than through malice (Cheswick, 1995).

  • Intentional Threats

These are the threats with intent that security products are in place to protect against. The villains come in two varieties: outside threats and inside threats. Some types of attacks are feasible only for certain types of attackers. For example, a casual ‘browser’ is not likely to intercept or decipher electromagnetic emanations, or perform a determined cryptographic analysis. Such attacks can typically be mounted only by so-called ‘high grade attackers’ who have substantial resources, in terms of computing power, money, time and personnel, behind them.

  • Outside Threats Could Include

Foreign Intelligence Agents (FIA): Products using TEMPEST technology or sophisticated encryption devices are most appropriate at installations where attacks on classified information are a realistic threat.

Terrorists: Attacks on the World Trade Centre, a university computer centre, a military defence service, recruiting centres and court buildings are all from terrorists. The government worries about computer terrorism, as do airlines, oil companies and other major business organisations that protect information which is vital to national interests.

Criminals: Computer crime is lucrative and, unlike many other types of crime, can be carried out in a tidy, anonymous electronic fashion. The goal may be outright theft or embezzlement, or it may be extortion of some kind.

Corporate Raiders: More and more corporations rely on computers, network connections and electronic mail. Corporate records, memos and informal messages have become more vulnerable than ever to attack by competitors (Cheswick, 1995).

  • What is a Hacker?

A hacker is someone who can solve problems, overcome limits and adapt electronically (Raymond, 2000).

Hackers built the Internet. Hackers made the UNIX operating system what it is today. Hackers made the World Wide Web work. If you are part of this culture, if you have contributed to it, and other people in it know who you are, they call you a ‘hacker’.

There is another group of people who loudly call themselves hackers, but in reality they aren't. These are people who get so-called fun from breaking or hacking into computers and phone systems. Real hackers call these people ‘crackers’ and don't want to be associated with them. Hackers differentiate themselves according to their belief that they build things, rather than break things in the sense of breaking into systems.

Since the Internet is built on a loosely connected network of millions of computers providing easy access to anyone, the security of information can be difficult to ensure. So if your internal computer network accesses the Internet, there is no 100 percent secure way to safeguard yourself from a dedicated hacker (Rosen, 2003 p132).

However, the study by Middleton (2000) also states that hackers are becoming increasingly difficult to track because they have worked out that by crossing geo-political boundaries, and jumping to the target from terrorist countries, a law enforcement agency will get no help in tracking down the source of the attacks.

The statement shows that hackers are wising up to the higher levels of security being adopted by organisations and law enforcement agencies, and that the problem of security with e-commerce facilities will continue for a very long time.

However, Cluley (2000) claims that very few viruses are groundbreaking or have a hugely devastating impact; hackers mainly rely on internal user gullibility. This statement also supports Davis (2000), who claims that the threat is internal as well as external. Therefore more attention has to be given to internal processes in order to prevent external threats.

  • Security: The Possible Answers

In today's rapidly changing environment it is important for a business to stay in line with all new developments so that they can benefit the company in terms of competitiveness and functionality. For example, the arrival of the Internet was seen as a way of promoting and selling products at reduced cost, with the ability to sell or communicate on an international level. This development changed the whole way that businesses practise their day-to-day processes.

But the problem with the Internet relates to the important issue of security. This is because the Internet acts as a universal platform that can be accessed from almost anywhere in the world, which invites potential computer hackers to view any personal and confidential information.

Security has long been seen as a major issue in the adoption of Internet technology in the enterprise. As networks have grown and connected to the Internet, so has the spectre of the hacker, haunting the managers responsible both for delivering information within the organisation and to its partners, and for protecting it from unauthorised outsiders.

  • Firewalls

A firewall is a form of access-control technology that prevents unauthorised access to information resources by placing a barrier between an organisation's networks and an unsecured network (e.g. the Internet). A firewall is also used to prevent the unauthorised export of proprietary information from a corporate network. In other words, a firewall functions as a gateway, controlling traffic in both directions.

There are three basic types of Firewalls:

  • Packet Filters
  • Circuit Level Gateways and
  • Application Gateways

There is also the hybrid firewall, which can be a combination of all three of the above. Firewalls have been called ‘The Protector’ of corporate networks. They provide digital protection associated with the rapid growth of internetworking and the commercialisation of the Internet. Ghosh (2001) states that firewalls are the first line of defence against malicious users, placed between the computer network to be protected and the network that is considered a threat. However, the number of security incidents arising from Internet connections strongly suggests that not enough people are using them properly (Zwicky, 2001).

Figure 7: Diagram labels: Internet, Firewall, Internet Network.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the ‘outside’ world. This, more than anything, helps prevent vandals from logging into machines on the internal network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. The firewall can protect you against any type of network-borne attack.

Firewalls are also important since they can provide a single ‘choke point’ where a security audit can be imposed. Unlike a situation where someone dialling in with a modem is attacking a computer system, the firewall can act as an effective ‘phone tap’ and tracing tool.

  • What can a Firewall not do?

Firewalls cannot protect against attacks that do not go through the firewall. Many companies that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape can just as effectively be used to export data. Firewall policies must be realistic, and reflect the level of security in the entire network.

Firewalls cannot protect very well against things like viruses. In general, a firewall cannot protect against a data-driven attack (an attack in which something is mailed or copied to an internal host, where it is then executed). This form of attack has occurred in the past against various versions of sendmail (Goncalves, 1999).

At their simplest, firewalls consist of software which blocks access to internal networks from the Internet. While legitimate traffic such as email is allowed in to the mail server, programs such as search engine spiders or FTP clients cannot access machines inside the safe boundary of the firewall.
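The policy described in this section can be written down as a small stateful packet filter. This is an added example, not code from the dissertation or from any firewall product: inside hosts may talk out, replies to their connections may come back, mail may reach the mail server, and everything else inbound is denied and logged. The addresses, the `iface` field and the anti-spoofing rule are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("192.168.10.0/24")   # constructed internal range
MAIL_SERVER = ipaddress.ip_address("192.168.10.25")    # constructed mail host


@dataclass(frozen=True)
class Packet:
    iface: str             # interface the packet arrived on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    payload: bytes = b""   # carried along, but a packet filter never reads it


class PacketFilter:
    def __init__(self):
        self.flows = set()   # connections opened from the inside
        self.audit = []      # the choke point: every decision is recorded here

    def decide(self, p: Packet) -> str:
        verdict, reason = self._evaluate(p)
        self.audit.append((verdict, reason, p.src, p.dst, p.dport))
        return verdict

    def _evaluate(self, p: Packet):
        src = ipaddress.ip_address(p.src)
        dst = ipaddress.ip_address(p.dst)
        if p.iface == "inside":
            if src not in INSIDE_NET:
                return "DENY", "inside interface, foreign source address"
            # Remember the flow so that the answer is let back in later.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ALLOW", "inside may talk to outside"
        if p.iface != "outside":
            return "DENY", "unknown interface"
        if src in INSIDE_NET:
            return "DENY", "outside packet claiming an inside address"
        if dst not in INSIDE_NET:
            return "DENY", "not addressed to the protected network"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ALLOW", "reply to a flow opened from inside"
        if dst == MAIL_SERVER and p.proto == "tcp" and p.dport == 25:
            return "ALLOW", "mail to the mail server"
        return "DENY", "default deny for inbound traffic"


def demo():
    fw = PacketFilter()
    packets = [  # constructed sample traffic
        Packet("inside", "192.168.10.7", 40000, "203.0.113.10", 80),
        Packet("outside", "203.0.113.10", 80, "192.168.10.7", 40000),
        Packet("outside", "198.51.100.9", 51000, "192.168.10.7", 21),   # FTP client
        Packet("outside", "198.51.100.9", 51001, "192.168.10.7", 23),   # login attempt
        Packet("outside", "192.168.10.99", 51002, "192.168.10.7", 23),  # spoofed source
        Packet("outside", "198.51.100.9", 51003, "192.168.10.25", 25,
               payload=b"message with an attachment the filter never inspects"),
    ]
    return [fw.decide(p) for p in packets], fw.audit


if __name__ == "__main__":
    verdicts, audit = demo()
    for entry in audit:
        print(entry)
```

The last packet is allowed whatever its payload contains, which is the data-driven limitation described under "What can a Firewall not do?": the decision is made on addresses and ports only.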

  • Encryption

Encryption is the art of storing information, on paper or anywhere else, in a form which allows only authorised personnel to understand and use it. If an unauthorised person were to look at the information, he or she would see only sequences of meaningless characters and symbols. An encryption system is what is used to accomplish cryptography. It is also used to translate the stored information (that looks like gibberish) back into useful and meaningful information (decryption), like text or a picture (Stallings, 1996).

An encryption system is designed so that the process of converting the encrypted information is allowed only under two conditions. The first of these conditions is usually that the person attempting to decrypt the information must have the encryption system, which in modern terms is likely to be a specially designed computer system.

The other condition is that the person must also have a piece of information called the encryption key. This is a piece of information that will be presented to the encryption system when the information is being encrypted and decrypted. If a piece of information has been encrypted with one key and a person attempts to decrypt the information with another key, the encryption system will not be able to make sense of the information. Therefore the output of the encryption system will be meaningless.
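The role of the key can be shown with a short added example (not from the dissertation): the same ciphertext is decrypted with the right key and with a key that differs by one bit. The cipher here is a teaching construction assumed for the illustration, a keystream from HMAC-SHA256 in counter mode plus an integrity tag, built from the standard library only; a real system would use a vetted cipher from a cryptographic library.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate keys for encryption and for the integrity tag."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Key-dependent pseudo-random bytes: HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                            hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = _keystream(_subkey(key, b"enc"), nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(key, nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_unchecked(key: bytes, blob: bytes) -> bytes:
    """Decrypt without verifying anything: a wrong key silently yields noise."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return _xor(key, nonce, ciphertext)


def decrypt_checked(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, so a wrong key is reported instead of producing noise."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = (blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN],
                              blob[-TAG_LEN:])
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or altered ciphertext")
    return _xor(key, nonce, ciphertext)


def flip_one_bit(key: bytes) -> bytes:
    """A key that differs from the original in a single bit."""
    return bytes([key[0] ^ 0x01]) + key[1:]


if __name__ == "__main__":
    key = bytes(range(32))                        # constructed sample key
    message = b"Account 12345678: transfer approved"
    blob = encrypt(key, message)
    print(decrypt_checked(key, blob))             # the original message
    print(decrypt_unchecked(flip_one_bit(key), blob))   # meaningless bytes
```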

  • Public Key Infrastructure Solutions

The use of public-key based security systems requires considerable care in design and management. The security of the entire system is ultimately guaranteed by the security of the key used for signing certificates at the top (commonly called the root) of the public key infrastructure. Here specialised hardware can play a useful role.

Normally, all keys that are accessed by the server are held at some point in the main memory of the server, where they are potentially vulnerable to attack (for example, in a server core dump). A higher degree of protection is desirable for the most valuable keys.

A specialised hardware cryptographic module for storing and protecting the signing keys can provide an answer. The keys are stored in a strongly encrypted format. When loaded for signing, the keys are decrypted and loaded into the memory of the secure cryptographic module, which then performs all the signing operations on behalf of the server. The keys are never revealed in their unencrypted form to the server, so even if an intruder manages to access the network the keys will remain safe. Physical design features of the module further assist security: tamper-resistant enclosures and advanced manufacturing techniques protect the keys from physical attack.

The signing of digital certificates is also a computation-intensive process, so it makes sense to consider combining some kind of hardware acceleration of cryptography with the key storage module. This way, keys are rapidly handled within a secure environment and no processing bottleneck is introduced, even when a high transaction throughput is required (Stallings, 1996).

  • Digital Certificates

Digital Certificates - A digital certificate serves as an electronic substitute for a sealed envelope or your signature when you send messages across the Internet. Your Digital ID resides securely in your browser or e-mail software and allows you to digitally sign and encrypt your e-mail. A digital signature is a unique personal signature specially created for use over the Internet. It is designed to perform the same function as the traditional handwritten signature in the normal world.

  • Digital Signatures

A certificate is a special computer file that securely identifies a person or organisation on the Internet. Digital certificates can be very valuable for shopping, banking and other transactions over the Internet.

Digital certificates encrypt data using secure sockets layer (SSL) technology, an industry-standard developed by Netscape. This provides data encryption, server authentication, message integrity, and optional client authentication for TCP/IP connections. SSL is built into all major browsers (e.g. Internet Explorer and Netscape) and web servers.

SSL comes in two strengths, 40-bit and 128-bit session keys. The longer the key, the tougher it is to crack the encryption code. Most browsers support 40-bit SSL sessions, and the latest ones, including Netscape Communicator 4.0, enable users to encrypt transactions in 128-bit sessions, trillions of times stronger than 40-bit sessions.

Even with the new level of technology developed, security is still perceived to be a major risk. This statement is supported by Middleton (2000), who also states that new devices bring inherent risk to the future, i.e. new technology aiding business processes will also provide an easier and more equipped level of technology for hackers to use. Moore (2000) also predicts that the ever-increasing level of technology will increase the level of attacks, putting customers and organisations at risk.

Gartner (2000) also predicts that security will continue to be a major issue as long as the Internet exists; he claims that “Criminals will employ a method of fraud or theft that involves duplicating small transactions million times”.

Gartner (2000) states that these scandals will take place because of the lack of adequate preparation and the increased base of skilled Internet experts (hackers). He continues to state that cyber crime will explode in the coming years, increasing by 1,000 to 10,000 percent by the end of 2008.

This view points to ill-prepared websites and the ever-growing number of hackers. Middleton (2000) states that organisations are still losing to unseen enemies, i.e. hackers, bugs and viruses, as managers fail to realise the possible threat. He continues to say, “security in the year 2000 was the year that wasn't as far as security is concerned”.

The love bug proved that no organisation is secure enough, as many companies were caught off guard. Middleton (2000) continues to state, “no matter as to the level of technology deployed by organisations, cyber criminals are still finding their way through”.

Security is a major concern, but the evolution of this medium is still hard to believe: something that is perceived to be so insecure is still expanding at a rapid pace.

  • Finding

A total of 40 Lancashire-based organisations took part in a questionnaire, which consisted of both open and closed questions. The questionnaire can be found in the appendices of this dissertation, labelled appendix 2. Certain questions were asked to compare and contrast with what the present literature is saying. The results give a good insight into Internet Security. It should be noted, however, that the results could be seen as partial and unreliable, as the respondents are only Lancashire based, the quota was not totally random, and the sample does not represent all of the I.T. world's options. With that caveat, the results are shown below.

The first graph shows the variation of companies who took part in this questionnaire.

Figure 8

This graph shows that the majority of the respondents were in the business-to-consumer and business-to-business categories. It also shows that the majority of the respondents were from a trading background, in either e-commerce or business-to-business solutions.

The next graph shows whether the information held within the organisation is worth protecting. It probes the companies to identify whether they hold valuable information. The graph shows that 28 of the 40 organisations felt that they had information worth investing in.

Figure 9

The next graph sets out whether the forty organisations have a security management policy. It shows that, of the forty organisations probed, 30 do not have a security policy in operation, showing that they have not really looked into some form of plan and policy to protect their sites and information.

Figure 10

The following graph shows the reasons for having a security management policy, the main response being ‘a good business practice’. 50% of the respondents claimed it was a good business practice, with 17.5% claiming that the policy helps to ‘reassure’ customers in using their sites.

Figure 11

The following graph gives the reader an insight into the issue of reviewing security policies. 68% of the respondents were unsure when the security policy is reviewed, with only 12.5% of the respondents reviewing it after their site was breached.

Figure 12

The following graph shows that 47.5% of the respondents questioned admitted to their site being breached, all stating that their sites had been breached in a mixture of malicious and non-malicious nature. As expected some of the respondents refused to answer the question of whether their site had been breached or not.

Figure 13

The following graph was taken from Computing magazine, dated November 2002. This graph shows that the number of hackings reported has increased by nearly 50% a year since 2000. This shows that there is a major issue with Internet Security, and that this issue needs to be addressed.

Figure 14

The following graph shows the attacks most feared by the companies and organisations questioned. The most feared attacks are internal attacks, viruses and interception of data, in that order.

Figure 15

The following graph shows the most used applications for Internet Security. The main applications being used are an intranet, virus control and firewalls, in that order.

Figure 16

  • Cause of Network Security Problems

An interview with an Internet Security Officer of a large multinational organisation gave the following insight into Internet Security. There are three main reasons for network security threats:

  • Technology Weakness
  • Configuration Weakness
  • Policy Weakness

  • Technology Weakness

Each networking and computing technology has inherent security problems. They are as follows:

  • Operating System Weakness
  • TCP/IP Weakness
  • Network Equipment Weakness

  • Configuration Weakness

Even the most secure technology can be misused, exposing security problems. They are detailed below:

  • Insecure default settings within products
  • Misused network equipment
  • Insecure user accounts
  • Misused Internet Services

  • Policy Weakness

A poorly defined or improperly implemented and managed security policy can make the best security and network technology ripe for security abuse. The problems are detailed below:

  • Lack of awareness of being attacked
  • Lack of written security policy
  • Security incident and disaster recovery procedures are not in place
  • Internal policies
  • Logical access control to network equipment is not applied
  • Lack of business continuity
  • Software and hardware installation and changes do not follow the policy

There are people who are eager, willing, qualified and sometimes compensated to take advantage of each security weakness and to continually discover and exploit new weaknesses.

  • Conclusions

The phrase Internet Security conjure up many visions in ones head, this topic far greater details to carry out a through appraisal than can be covered by this thesis. Therefore, I have attempted to concentrate on certain key issues relating to Internet Security in order to remain within the confines of the original brief.

The Internet and the evolution of technology in general have increasingly changed the way we think, work and play. The changes bought on by the Internet and Technology increases at an ever-increasing pace, as do the side effects of all technology growth, which leads to adverse security threats to the net. The prime reason for the lack of security on the web is the advancement of technology. As a result the Internet is always in a catch up mode, since security has always developed as a quick fix or cure rather than prevention, as the On-line organisations drive the Internet. The explosive growth of the WWW has felt the Internet with major security issues.

The issues mentioned in chapter 4 of this research the most alarming one appears to be the ‘Hackers'. With the average numbers of hacking being reported on the increase by nearly 50% year on year, this is an issue, which requires drastic and urgent attention by both the industry and government. The organisations interviewed 35 of the 40 feared the threat posed by internal workers. As resentful network deficiencies, there can be all kinds of ‘Hacker' and as technology improves so does the threat of technology, which can overcome security applications.

The latest FBI report studies that two-third of corporate network attacks originate from inside a company and the theft of confidential information equates to £103 million a year Computing (2002). Despite this many security policies focus on shoring up the perimeter defences, while ignoring the internal threat.

Another main issue, which needs to be addressed is the fact that the most organisations interviewed, do not have a security management policy. Which in actual fact can be the web based company's downfall. The reason being that all web based companies should have some kind of contingency plan in case of any unauthorised intrusion. The number of 40 organisations, which were interviewed, 75% has claimed that there information worth protecting. These are the same organisations, which of 75% have no security policy in place. Of these same companies 27.5% have had their web site breached. These are alarming statistics, which would worry all their potential clients.

According to the Computing (2002) computer crime and security survey undertaken by the UK Computer Security Institute, 85% of 538 security staff questioned had detected some kind of breach during the last year. While 64% acknowledged having lost memory as a result. About 40% of companies reported that their systems had been breached, as well as 94% saying that they had detected viruses on their networks. Some 90% of those suffered from vandalism, 13% admitted to the theft of information transaction and a further 8% experienced financial fraud. The figures do not make for comfortable reading, however they do agree with the results shown in

Chapter 6 of this research, that there are a serious holes in Internet Security. All these statistics keep on confirming and reinforcing previous studies concluding , ‘the Internet is not as safe as portrayed'. More needs to be done by both the organisations who trade on the web and by the government.

Firewalls and similar security applications are important network tools; however, the problems arise with configuration and IP address management. No matter which firewall is implemented, a firewall is only as good as its configuration, so it is essential that a risk assessment of company assets, threats, vulnerabilities and safeguards is carried out. In summary, security threats have never been greater and a simple firewall will not be enough to protect your data. Security is now the number one priority for many chief information officers. Each and every web-based company needs an in-house security department whose main focus should be security policies and the protection of important data.

In conclusion, this research has discovered that the media hype surrounding the Internet has justified grounds. The Internet is far from being safe and needs better regulation, and more thorough security policies need to be implemented by trading companies. These security issues need to be addressed as a matter of priority.

Novice users are at risk when using the Internet: they can be seen as vulnerable because they do not know how to protect their information. More literature is therefore also needed to protect these types of users.

The government has set up an agency whose main aim is to combat all aspects of computer crime. The National Hi-Tech Crime Unit is a step forward by the government. However, the government still has a long way to go before it is in control of computer crime.

  • SWOT analysis of Internet Security in terms of this dissertation

Strengths

  • In today's economy, information is the most valuable asset an organisation possesses. Protecting and securing that information is vital for an organisation's long-term survival.
  • I.T. systems are increasingly of strategic importance to companies. They run mission-critical applications and, as a consequence, a breach of security or computer downtime is a serious threat to a company's operations.
  • The security of data, its confidentiality, integrity and availability, is the key management concern in today's fast-moving and increasingly computerised world.

Weaknesses

  • Viruses are on the increase; they are becoming stronger and faster, hence the name ‘super virus'.
  • Many UK businesses, especially smaller operations, are still ignorant of security issues; 75% of the companies interviewed have no security management policy.
  • Terrorists' activities against the Internet and Internet-based companies are on the increase.
  • Many commentators have accused the security industry of scare tactics in trying to increase security system sales, which has alienated some potential buyers. Technologies are on the increase, but are the security applications keeping pace with this increase?
  • There is a large number of ‘security experts' operating in the market, many of whom cannot deliver the level of security promised. This is damaging the reputation of legitimate players in the market.

Opportunities

  • UK-based companies could be made more aware of the need for I.T. and Internet security, without being alienated by heavy-handed marketing programmes.
  • There are opportunities to expand the market for integrated security products, which are of growing importance given the increasing demand from companies for network security.

Threats

  • The rise of more powerful computers will make it easier to break into network systems.
  • With the high number of attacks coming from internal personnel, this is an issue that must be considered by all organisations.
  • Organisations need to address security issues head on, otherwise they will be breached and this will cost them more in the long run.
  • Critical Reflection

On completion of this research, the author realises that the contents may appear to be broad and descriptive in nature, where not one aspect of Internet security is unearthed in full depth. The aim of this dissertation has been to inform the reader of the major downfalls of Internet Security and to elaborate on what potential solutions are available to counter these shortcomings. However, at the start this research does introduce the reader to ‘what the Internet is' and ‘how it was started and works'. It also discusses the different types of businesses operating on the Internet today, categorising each of these businesses into its own grouping, and sets out how they differ from each other. It analyses the literature available on the potential hazards of the net, distinguishing what different authors believe are the main threats on the Internet today.

It goes on to discuss what applications are available to counter these threats. But in saying this, appropriate action is needed, where in-house experts plan and implement these applications with the greatest of care, ensuring all passages are firmly closed unless needed. The research carries out a first-hand fact-finding exercise in which the ‘experts' are consulted and asked their opinions, to elaborate on the literature review. These ‘experts' give their beliefs and views on the subject areas, where they are allowed to discuss their experiences of Internet Security and what they think is the best way forward in countering these shortcomings.

An evaluation of the main differences between the literature and the fact-finding exercise has been made and a logical conclusion has been derived. In doing this the author has learnt that a strong policy is needed, which needs to be continuously monitored and amended when required, to ensure that smooth operations are always maintained.

  • Future Work

Future work can include any of the above-mentioned applications, where the application is looked at in greater depth, to understand what can be done and how to maintain high levels of security. Other subject areas can include disaster recovery. To improve this work, larger-scale and more in-depth interviews can be undertaken. Comparing the different e-commerce sites can also be a possible subject area, where payment methods and encryption can be looked at in more depth, to give the reader more understanding of the payment solutions available. A look at future security applications, which are being developed in white-collar firms, would also be an area of interest.

Bibliography

Amor, (2000). The E-business Evolution. HP Professional.

Cluley, (2000). Security a problem? [Internet] available from: http://www.vnunet.com/serach?q=banks+security&pager.offset=10

Davies, (2000). Banks Security Breaches Mostly Internals, Says Experts [Internet] available from: http://www.vnunet.com/news/103865

Devargas, (1993). Network Security. NCC Blackwell

Ellsworth and Ellsworth, (1994). Marketing on the Internet, Second edition, Wiley Publications.

E-marketer, (2002). E-privacy and security report [Internet] available from: http://www.emarketer.com/ereports/rprivacy_security/welcom.html

Foley, P. Jayawardhena, C. (2000) Changes in the Banking Sector, The Case of Internet Banking in the UK. VOL.10, no.1, pp.19-31.

Gartner, (2001). Online Banks Rapped over Security [Internet] available from: http://www.vnunet.com/news/1112308

Ghosh, AK, (1998). E-Commerce and Security: weak links best defence, protecting your system from vulnerabilities in browsers, servers, secure protocols, and firewalls. Canada, John Wiley and Sons.

Gordon, B. (2001). Banking Online with Peace of Mind [Internet] available from: http://www.vnunet.com/security

Kalakota, R. Whinston, A.B. (1997). Electronic Commerce A Managers Guide. USA, Addison Wesley Longman, Inc.

Lemay, M. (2000). Online Banking hangs in the Balance [Internet] available from: http://www.vnunet.com/features/1115227

Middleton, J. (2000). Still Losing Against an Unseen Enemy [Internet] available from: http://www.vnunet.com/features/1115278

Moore, (2000). Consumers Still Fear Web Rip-Offs [Internet] available from: http://www.vnunet.com/news/1115658

Patterson, (2000). Changes in the Banking Sector [Internet] available from: http://www.vnunet.com/news/1115446

Raymond. E, (2000). What is Hacker [Internet] available from: http://www.tuesdeo,org/~esr/faqs/hacker-howto.html

Roase. A. (2000). The E-Commerce Question and Answer Book. Broadway, New York. AMA Publications.

Stallings, (1996). Network Security, 2nd Edition. Prentice Hall.

Winston, Media, Technology & Society, (1998).

Zwicky, (2001). Building Internet Firewalls.

Computing magazine, various issues dated 2000 to 2006.

Computer Fraud and Security, issue dated September 2003.

IT Weekly, various issues dated March 2002 to August 2006.

http://search.bbc.co.uk/cgi-bin/search/results.pl?scope=all&tab=all&recipe=all&q=Internet+security+fear

http://search.bbc.co.uk/cgi-bin/search/results.pl?tab=all&go=homepage&scope=all&q=Intranets

www.securitystats.com

www.ibm.com

www.google.com (used for materials and articles to support this research).

Appendix 1

Dissertation Proposal

Introduction

Media hype surrounding the topic of Internet security can scare the general public, such as novice users. The continual talk of the latest virus alerts, which have corrupted thousands, and stories of teenagers hacking into networks and stealing numerous credit card details, is enough to put anyone off the idea of using their personal details on the net. All this media hype needs to be addressed to see if it is just that, or whether there are grounds for all this sensationalism.

I.T. security as defined in this dissertation is the practices, procedures, applications and services, which ensure a security breach or loss of use of a computer system does not occur. Security provides protection for IT systems resources from human action. The security products, services and procedures used will aim to protect any hardware or data in the system.

Human-inspired security breaches are defined as accidental or deliberate, passive or active attacks, which result in the loss or damage of IT system hardware, software or data. This can come in many guises, as the following shows:

  • Viruses - where a programme is placed on a system with the intention of corrupting its processing.
  • The theft of data.
  • Hacking - deliberately gaining unauthorised access to a computer system.
  • The invasion of privacy, through the unauthorised disclosure of data and breaches of data protection legislation.
  • Sabotage - interfering with the processing of a system, such as the placing of a ‘time bomb'.

Having studied an undergraduate degree in Business Information System and Management and currently studying an MSc in Business Management, the author has some knowledge and understanding of how the Internet operates as well as an awareness of computer security issues. Through the course of the dissertation the author will provide accurate information on Internet Security problems and conduct research aimed at improving the security of existing systems.

Aim:

‘Is the Internet Secure?'

Objectives:

  • Introduce and provide an overview of the development of the Internet. How it was started and how it works.
  • Identify the diverse nature of the businesses that trade on the Internet, their roles and their functions.
  • Identify and disseminate the literature available on threats inherent in the use of the Internet, including viruses and the secure transmission of data.
  • Identify and discuss the appropriate solutions for any potential threats for Internet security.
  • Evaluate and conclude the argument, to discuss potential ways of enforcing a suitable security policy for web-based companies.

Methodology

Information for the study will be gathered from journals, books, Internet sources and certain company documentation pertaining to Internet security. The best form of methodology for this type of research would be to use quantitative and qualitative analysis as well as the secondary sources mentioned.

Quantitative research will be used to gain rich information, basically finding out the ‘expert' opinions from the relevant areas of expertise, for the research. The qualitative research will consist of a questionnaire with open-ended and some closed questions.

“A major advantage of the interview is its adaptability; a skilful interview can follow up ideas, probe responses and investigate motives and feelings. Which other methods of retrieving the information can never do” (Bell, J. 1999).

For the quantitative aspect of the research a short structured questionnaire will be designed. This will consist of closed questions, which will give a statistical look at the fact-findings chapter. This questionnaire will be distributed in Lancashire. A closed-question questionnaire will be used to gauge awareness of the issues presented and to gain views, beliefs and attitudes towards them. The questionnaire will be designed to ensure easy reading, thus overcoming any confusion on the respondent's behalf; questions will be explained to ensure complete reliability in the responses.

Limitations

As Internet Security is a very large topic, the author will limit his research to the following:

  • Types of Businesses on the web, categorising them in several areas.
  • Discussing threats that past authors have identified.
  • Discussing possible solutions to these threats that past authors have identified.
  • Carrying out a first-hand fact-finding exercise to either agree or disagree with the literature.
  • Setting out the key differences.
  • Summarising the thesis and presenting the findings.

The author realises that the research will be broad and descriptive, but to counter this, in-depth interviews have been conducted to analyse the experts' opinions on the subjects discussed.

Bibliography

Bell, J. (1999), Doing your research Projects, Third Edition, St Edmundsbury Press Ltd, Bury St Edmunds, Suffolk.

Appendix 2

Internet Creation and Timeline

  • The Internet idea was conceived in the early 60's by the US Department of Defence. The original name given to the Internet was ARPANet (ARPA stands for Advanced Research Project Association). The aim of this computer network was to be nuclear proof. Simple communication networks were chained point-to-point, with each place on the network dependent on the link before it. If one point in the network were blown up, the whole network would become useless. American scientists conceived the idea for a new kind of communication network, one that was not organised point-to-point but instead was set up more like a fish net. This structure could allow information to find its own path through the network even if a section had been destroyed.
  • In 1969, researchers at four US university campuses create the first hosts of the ARPANet, connecting Stanford Research Institute, UCLA, UC Santa Barbara, and the University of Utah. ARPANet is a success from the very beginning. Although originally designed to allow scientists to share data and access remote computers, email quickly becomes the most popular application. ARPANet becomes a kind of electronic post office and a discussion place for scientists.
  • In 1971, ARPANet grows to 23 computer hosts connecting universities and government research centres.
  • In 1973 ARPANet becomes international with connections to University College of London and the Royal Radar Establishment in Norway.
  • In 1974 the first commercial version of ARPANet appeared.
  • In 1979 the first USENET newsgroup is established, where users from all over the world can take part in a discussion group about any subject, e.g. politics, science etc.
  • In 1981 ARPANet has 213 hosts and a new host is added approximately every 20 days. The ARPANet starts to move away from its military and research roots.
  • In 1982 the word ‘Internet' is used for the first time.
  • In 1987 the number of Internet hosts is over 10,000. The boom in the personal computer and network-ready server industry allows companies and some individuals to join the Internet.
  • By 1989 the first problem of security emerges. In November 1988, a network “Worm” temporarily disables about 6,000 of the 60,000 Internet hosts. The CERT (Computer Emergency Response Team) was formed to serve as a focal point for the computer security concerns of Internet users. The CERT charter is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community's awareness of computer security issues, and to conduct research targeted at improving the security of existing systems.
  • In 1990 the “Internet” is definitely decided upon. The number of hosts exceeds 300,000. The NSF (National Science Foundation) lifts the restrictions on commercial use of the Internet. Companies jump on the opportunity to promote themselves through a new communication network.
  • In 1991 Tim Berners-Lee, a scientist at CERN in Switzerland, writes the first piece of code of the World Wide Web. This new technology combines words, pictures and sounds on web pages. It is a new way of publishing information on the Internet and is very user-friendly. PGP (Pretty Good Privacy) is released by Philip Zimmerman. This program allows users to encrypt files to send through the Internet.
  • In 1992 the number of hosts exceeds 1,000,000. Traffic on the Internet expands at a 341% annual growth rate.
  • Netscape Communications Corp was formed in 1994. This company distributes a web browser and is becoming the biggest company of the Internet. Its main products are web browsers, such as Netscape Navigator.
  • In 1995, the WWW becomes the most popular service on the Net. Hong Kong polices all but 1 of the colony's Internet providers in search of a Hacker. 10,000 people are left without Net access. The Java and JavaScript languages spread on the Internet and are built into Web browsers. Authors of these languages claim they are highly secure, but several university students find security bugs in their computer systems.

Appendix 3

Types of Web Traders

  • Business-to-Business (B2B)

The Business-to-Business category is the most widely used type of e-commerce in operation today. In total, 60% of all electronic commerce is business-to-business. In time this will be seen as the birthplace of e-commerce, as and when the other categories start playing an important role in everyday transactions. This category was established many years ago and takes the form of using traditional electronic data interchange over private value-added networks.

Smaller businesses are now breaking into the market as a result of the barriers to entry being lowered by growth in technology. The technology has seen a noticeable shift away from the more expensive traditional EDI over private networks, at a fraction of the cost.

This category of e-commerce is known as electronic interaction between businesses, such as a supplier and a retailer.

  • Business within Business

This category of e-commerce refers to the electronic processes which take place within an organisation. It is effectively used in large or geographically dispersed companies.

With the aid of the Internet's infrastructure, it is possible to set up an Intranet. An Intranet can be used to enhance internal communication by enabling employees to send electronic mail and communicate via video conferencing and bulletin boards. Also, electronic publishing on the Intranet enables companies to disseminate business information such as business plans and product designs over a secure and private medium.

  • Business to Administration

The Business to Administration category covers the transactions that take place between companies and government organisations. For example, in the USA the details of forthcoming government procurements are published over the Internet and companies can respond electronically. Transactions such as VAT returns and the payment of corporate taxes will be increased in efficiency and effectiveness. The UK government is not far behind: it originally announced in 2001 that it would make 25% of government service, which has already been done; in fact it has been increased.

  • Consumer to Administrations

The Consumer to Administration category has not yet fully developed. However, it aims to extend the electronic interactions from the business to consumer and business to administration categories, which will widen the horizons to areas such as social security payments and self-assessed tax forms.

  • Business to Consumer

The Business to Consumer category is a debatable channel for ordinary citizens to purchase goods over the Internet and is known as Electronic Retailing. Currently consumer confidence in electronic retailing is weak due to a low level of understanding and a lack of trust in secure payment technology. Building trust among consumers is a complicated task, which makes it necessary to keep a regulatory framework.

Business to Consumer means that the primary focus is toward consumers, not other businesses, even though a B2C company may sell to resellers or other businesses as a small portion of its revenue. Retailers are typically B2C companies, while manufacturers and wholesalers are typically B2B companies.

Appendix 4

Glossary

A brief glossary of some Security and Internet related words:

ARPANet (Advanced Research Projects Agency Network)

An American computer network that was installed to link together establishments that were working on government research so that information can be easily exchanged. ARPANet is an example of a WAN (Wide Area Network).

Authentication

The act of verifying the identity of an entity such as computer server or user. This is one of several elements of computer security. A common form of authentication employs a user name and password to identify a user. Digital certificates are often used to authenticate the identity of computer servers and are widely used for authentication in electronic commerce.

Back-Up

A second copy of your work, in case something goes wrong with the hardware upon which your files are stored. The Computer Centre backs up all the work on the file servers every night, so you do not have to worry about this; it is already done for you.

Computer

A machine which can process data and output results in a manner which has been specified previously; frequently used to mean “Electronic Digital Computer”. A machine for transferring boring clerical operations into boring manual operations.

Crackers

People who do not associate and spend their whole time trying to break into people's computer systems. Normally these kinds of people can be extremely vindictive. They don't normally damage a system beyond getting into the system itself, but some can cause malicious damage to a computer system. Not to be confused with hackers, as crackers normally follow “recipe books” provided by those with more knowledge than them.

Digital Certificate

A set of information, stored in a file on a computer, issued and downloaded via the Internet from a trusted party (most often a “Certificate Authority”) that allows a user to confirm that a third party is in fact who that party claims to be, and not an impostor.

Electronic Data Interchange (EDI)

The Computer-to-Computer communication of documents using standard data formats. Standard formats ensure that different agencies can exchange data without modifying their computer systems.

E-mail (Electronic Mail)

Originally, the idea of electronic mail was that, using your computer connected to the telephone network via a modem, you could leave messages at a central computer, from where they could be collected by other users.

Encryption

In the context of Electronic Data Interchange (EDI), encryption involves transforming data using a mathematical algorithm into a form that is unreadable except to a person who has been trusted with the key needed to decrypt the data.

Firewalls

A Firewall is used to allow legitimate traffic from one part of the network to another, whilst preventing unauthorised traffic.

Intranet

An intranet is like the Internet but access to the facilities is restricted to one company or organisation. The technology is just the same as the Internet. Users can access the web pages, send e-mails and transfer files and it is a very useful way of sharing information amongst employees.

Internet

A large “network of networks” that originated from the United States Department of Defence's Advanced Research Projects Agency Network (ARPANet) during the cold war. It provided a network originally between DoD (Department of Defence) sites and the universities undertaking research for the DoD. It then grew rapidly to become the network, which is in place today. A large network that has links and gateways into other networks, so becoming extremely well interconnected.

Appendix 5

Letter and Questionnaire

Dear Sir / Madam,

I am a student at the University of Central Lancashire and am currently studying for an MSc in Business Management.

As part of my postgraduate degree I am conducting research (Dissertation) on ‘Is the Internet Secure'.

Please find enclosed a questionnaire. I would be extremely grateful if you could take part in this fact-finding exercise. I can assure you that any form of response obtained from yourselves will be handled in the strictest of confidence, purely for academic research, and no organisations or individuals will be mentioned.

Please do not hesitate to contact me on the details given above if more information is needed.

Once again thank you for your time and assistance.

Yours sincerely,

Questionnaire

I am a student at the University of Central Lancashire and am currently studying for an MSc in Business Management. As part of my postgraduate degree I am conducting research (Dissertation) on ‘Is the Internet Secure'.

This questionnaire is for the purpose of dissertational information gathering, it will be handled with the strictest of confidence, and only the reasoning behind your answers will be used in this project.

Q1 What is the nature of your business?

Business to Business

Business to Consumer

Business with Business

Business to Administration

Consumer to Administration

Q2 Is the Business Information you hold worth protecting?

Yes

No

Q3 Do you hold personal details of your Clients?

Yes

No

If yes, what security systems do you have in place?

Q4 Does your organisation have a Security Management Policy in Place?

Yes

No

If yes, Please give details of the Security Management Policy

Q5 What key factors were considered when implementing this policy?

Q6 Do your business systems include an Intranet?

Yes

No

If Yes, do your clients have access to the Intranet?

Yes

No

Q7 Has your Web Site or Intranet been Breached?

Yes

No

If Yes, by whom was it breached? How was it breached? What was the impact on your organisation and what counter action was taken to try and avoid future breaches?

Q8 Has your Web Site or Intranet been attacked by Viruses or Worms?

Yes

No

If so, has this affected your business and what was the impact?

Q9 Has your Internet Security been tested to see how effective it is?

Yes

No

If Yes, how and by whom was it tested?

Q10 Is your Security Policy moving at the same speed as technology advancements?

Yes

No

Q11 How often is the policy reviewed and upgraded to keep up with emerging technologies?

Q12 Which application do you feel is the best for your company policy and why?

Q13 A lot has been said about the possible threats of today's environment. What are your personal views on who these threats are? Who do you feel are the top five threats to your organisation?

1

2

3

4

5

Q14 What would be your advice on having a secure site and Intranet for the starters?

Q15 Finally, how do you convince your customers that your site is safe and secure enough to use?

Once again thank you for your time and assistance.