Identify areas of security risk


Identify areas of security risk faced by web-based companies and discuss the extent to which this risk could be mitigated.

1. Introduction

With the worldwide adoption of the Internet, electronic commerce is widely expected to be one of the most useful and helpful commercial platforms of the coming decades; online shopping websites such as eBay and Amazon are examples. Nielsen/Net rating, a global Internet and market research organisation, announced that the number of users of the top 10 worldwide websites increased by 45 percent in 2006, from 46.8 million to 68.8 million (Bausch & Han, 2006: 1). However, new technologies drive criminals and hackers to find ingenious ways to access valuable data and private information. In the long term, customers will not use websites that are filled with lurking threats; they will choose a more secure system. Because the demand for a safe e-dealing environment is growing, web-based companies should adopt protective approaches to prevent or reduce these risks and attacks.

In order to understand the impact of web security, this essay will first explore the causes of different potential dangers in electronic business, such as content management risk, password and authorization cracking, hijacked links and related sites. Secondly, some general methods of protection and specific mechanisms such as SSL and electronic payment will be introduced and illustrated.

2. Risk analysis of electronic commerce

To begin with, risk and danger analysis is considered a crucial method for identifying potential exposures and threats in web-based commerce. On one hand, content management risk plays an important role in risk analysis. Biro (2009) highlighted that content threatened by computer viruses, well-known threats, unauthorized alteration and destruction needs to be considered; every new website opens a window for attackers unless the company can control or even reduce the content management risk. For example, according to Wang (2007), the IT manager could select an official service platform that is made for use across many departments as a standard. Nevertheless, this is not a perfect solution, because the company may spend a lot of money on small or unnecessary websites. On the other hand, Biro (2009) mentioned three probable critical ways in which significant losses might be caused over websites: hijacked links, password and authorization cracking, and related sites. Firstly, the concept of hijacked links is easy to understand: when a consumer opens a web URL, he or she might be connected to attractive but unsafe links which may contain a hijacking program or process. Biro (2009) concluded that a seemingly harmless website URL can conceal different types of methods by which a perpetrator may manipulate the system in order to obtain buyers' information and data. At the same time, as reported by Bisel (2007), clients must have a clear understanding of their threat model, because adversaries will try to attack any unprotected system at its weakest link. In the second place, weak passwords and authorization are individuals' Achilles' heel when they shop online. Wang (2007) highlighted that unauthorized access and theft of proprietary information led to financial losses of $40,104,542 in 2004.
Biro (2009) shows that one generally known instance of hacking is criminals and hackers using default administration credentials to obtain valuable data or passwords. It is easy to bypass passwords by manipulating HTML code, for instance by removing the authentication JavaScript, or by viewing the page source and running it from a local drive (Biro, 2009: 11). In addition, poorly configured content management will enable an attacker to initialize, and potentially manipulate and view, important documents. Lastly, Vaidyanathan and Mautone (2009) noticed that many poorly designed related websites might contain hidden fields that hold personal information, sessions and private accounts. As a result, hackers might access these data and obtain valuable information. What is more, Biro (2009) proposed that the many related websites opened by customers and clients represent a difficult-to-control and unseen area of lurking risk. Consequently, without a suitable solution, personal data could be hacked and companies' business might be reduced in that circumstance.

3. Methods of protection

3.1 General ways

As websites have become major channels for interacting with and selling to clients and customers, web-based companies are inevitably responsible for an efficient and safe electronic business environment. There are some general ways to fight back. First of all, improved permission or security management should be considered and used in cyber security. According to Biro (2009), a company must pay attention to managing its content; the usual way is to use suitable security software wherever security management is needed. By monitoring and auditing, users and their systems can be double-checked. Wang (2007) noticed that software technologies such as UDDI, XML, SOAP and WSDL provide an environment for business tasks, including business-to-customer and business-to-business transactions. Secondly, Biro (2009) also proposed another important method that is widely used in web security: monitoring the gates. Hackers and criminals are attracted by an unprotected web server, which is the most common feature of successful attacks. However, it is useless to shut down all the gates; as a result, monitoring plays a crucial role in blocking temptation and risk. Biro (2009) defined the key of monitoring work as recognizing the need to consistently review security and to perform the fundamental audits and platform management. In addition, Cisco suggested that a security connections checklist would be a good beginning for providing a safe electronic business environment; for instance, it poses questions such as 'who is allowed to access your personal assets?' Given the characteristics mentioned above, the general methods of defence are easy to implement, and they should be the first choice for initial protection.

3.2 SSL in e-commerce

With a clear understanding of the dangers, threats and factors faced by web-based companies, a number of personal computer tools and security technologies have been developed to reduce web security risks. However, with the development of hacking technologies, general protection technologies are sometimes not enough for some web-based companies. Secure Sockets Layer (SSL) is a cryptographic protocol that is built into web browsers and widely used in e-payment (Zhao, 2009: 401). As one of the most widely available security technologies for e-commerce, its most significant characteristic is that it allows two entities that cannot communicate face to face to do business online using confidentiality, endpoint authentication and message integrity tools. This model has been used extensively in electronic business. The concept of SSL is easy to understand: clients and customers can visit a company's website that they have never known before and use their credit card for online shopping, and with SSL that would not lead to a loss. The basic aim of SSL is to protect personal credit and information. Bisel (2009) illustrated some issues that SSL faces; for example, the merchant's identity can be determined by customers through the merchant's certificate authority. However, most of the time the merchant does not care whether the owner of the credit card is the same person who provides the credit card information; merchants only focus on valid credit card information. As a result, customers could be misled by a malicious merchant. Because of such problems in e-commerce, both merchants and buyers should use SSL to provide a secure network login. As defined by Wang (2007), SSL transactions seldom use client authentication; consequently only the server needs to be authenticated in most cases.
Even if the client has a certificate, the server only communicates with the customer's certificate, which means there is no way to ensure that the person holding the certificate is the person to whom the certificate was issued. Furthermore, Bisel (2009) reported that SSL only prevents loss from data hacking while the data is in electronic transit. Nevertheless, two more factors need to be mentioned: according to Bisel (2009), SSL offers no protection against social engineering, and at the same time SSL makes little contribution to protecting the TCP/IP protocols; to some extent SSL could save a lot of computation time, which makes the protection work more efficient. More outside forces and lurking risks might affect the security of web-based companies' businesses. As Camp (1999) highlighted, the role of SSL meets the three security goals: confidentiality, authentication and integrity. Therefore SSL might be an efficient and valuable weapon in the commercial security arsenal, and an appropriate solution to business needs.

3.3 The concept of electronic payments (Cryptography and PKI)

Electronic payment is a critical factor for successful electronic commerce. However, Tsiakis (2005) noticed that transactions in electronic commerce occur without established interpersonal relationships or any prior private contact. Threats can be created by this lack of interpersonal trust. Before an efficient solution was chosen to construct a safe transaction method using electronic cash, previous work on electronic cash did not fit the property of fair exchange. In order to guarantee the privacy and integrity of the data, Tsiakis (2005) highlighted that cryptographic solutions were developed in response to the demands of trading; they efficiently implement and establish both trust and security in the online environment. A feature of the cryptographic techniques applied to the proposed payment scheme is that they are safe enough, including a randomized partial signature scheme (Shi and Ding, 2009: 589-598). Cryptography takes two forms. One is called secret key or symmetric cryptography, and it uses a common key for both encryption and decryption. The other is called asymmetric or public key cryptography, which uses a private key and a public key to transform plaintext into ciphertext. The digital signature is one of the products of public key cryptography. Tsiakis (2005) defined the digital signature method as including the reverse of the encryption procedure: in the first place the data is transformed with the private key of the customer or whoever signs it; then the identity of the sender is proved when the public key decodes the data transformed by the private key. This is a typical digital signature, which can solve the problems of impersonation and tampering. On the other hand, Shi and Ding (2009) stated that another popular solution, PKI (Public Key Infrastructure), can address the trust problems inherent in business models.
Unlike other cyber technical mechanisms, cryptographic scopes are used to make sure that a few specific things happen. In order to establish connections and identify the parties, PKI provides a means for both decoding data in transit and trusted digital IDs. In that circumstance, it is not a problem for web-based companies to verify the IDs of parties exchanging data over websites.
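The signing and verification flow described above, as an added example that is not from the essay or its cited authors: the customer signs the SHA-256 digest of an order with a private key, and the merchant checks it with the customer's public key, rejecting both an order altered in transit and a signature produced by an impostor's key. The key pairs, the order message and the function names are constructed for this example, and ECDSA over P-256 from Go's standard library stands in for the unnamed public-key algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must aborts the demo on the only error these calls can raise (entropy failure).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// signOrder: SHA-256 the order, then sign the digest with the sender's private key.
func signOrder(priv *ecdsa.PrivateKey, order []byte) []byte {
	digest := sha256.Sum256(order)
	return must(ecdsa.SignASN1(rand.Reader, priv, digest[:]))
}

// verifyOrder: true only if the order is unmodified and was signed with the matching private key.
func verifyOrder(pub *ecdsa.PublicKey, order, sig []byte) bool {
	digest := sha256.Sum256(order)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SignatureDemo runs the essay's cases: genuine verifies, tampered fails, impostor's key fails.
func SignatureDemo() (genuine, tampered, impersonated bool) {
	customer := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // hypothetical customer key pair
	impostor := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // hypothetical attacker key pair
	order := []byte("order=1001;item=book;amount=19.99;buyer=alice")  // constructed sample order
	sig := signOrder(customer, order)
	genuine = verifyOrder(&customer.PublicKey, order, sig)
	// Tampering: the amount is altered in transit, so the original signature no longer matches.
	altered := []byte("order=1001;item=book;amount=1999.00;buyer=alice")
	tampered = verifyOrder(&customer.PublicKey, altered, sig)
	// Impersonation: the impostor signs with their own key; the customer's public key rejects it.
	forged := signOrder(impostor, order)
	impersonated = verifyOrder(&customer.PublicKey, order, forged)
	return genuine, tampered, impersonated
}

func main() {
	g, t, i := SignatureDemo()
	fmt.Printf("genuine=%v tampered=%v impersonated=%v\n", g, t, i)
}
```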

4. Restriction and prospect

Each method has advantages and drawbacks. General security methods have already been developed by researchers and engineers, and they can protect merchants' investment. However, they might do nothing if the newest hacking technologies are developed. SSL has full functionality; nevertheless it is not as fast as the general methods. On the other hand, the concept of electronic payment is the best solution among the protection methods, though it is the most expensive choice. Looking forward to a safe business environment in the following decades, web-based companies should choose the most suitable method to protect their own and their customers' interests. Their choices depend on their different situations.

5. Conclusion

To avoid significant losses in e-commerce, web-based companies should use efficient methods and processes of protection. In the area of risk analysis, this essay has identified current and potential hazards such as content management risk, related sites, password and authorization cracking and hijacked links, which cause serious losses in electronic business. In the long term, customers and clients will avoid websites that are filled with lurking threats. In order to reduce the risks, some general methods of protection and the approaches of SSL and electronic payment are used to block risks and viruses. As mentioned, given their respective benefits and drawbacks, different types of security methods should be used to protect valuable data and information. Risks and potential losses can be avoided by using protection methods and solutions in electronic business. However, some protection processes or programs have limitations, so a clear understanding of a company's situation leads to the most suitable choice. In the future, the use of e-commerce will increase geometrically, and the Internet will be filled with both tremendous marketing potential and danger. Consequently, web-based companies should concentrate on how to decrease potential losses.

6. Bibliography

Bausch, N. and Han, B. (2006). Web Security and Privacy: An American Perspective. The Information Society, 15(4), 249-256.

Biro, T. (2009). A window of the world? Network Security, 2, 11-13.

Bisel, L. (2007). The Role of SSL in Cybersecurity. IT Professional, 9(2), 22-25.

Shi, L. and Ding, C. L. (2008). An incentive-based electronic payment scheme for digital content transactions over the Internet. Journal of Network and Computer Applications, 589-598.

Tsiakis, T. and Sthephanides, G. (2005). The Concept of Security and Trust in Electronic Payments. Computers and Security, 24, 10-15.

Wang, P. (2007). A fuzzy outranking approach in risk analysis of web service security. Cluster Computing, 10, 47-55.

Zhao, W. and Liu, R. (2009). A Scheme to Improve Security of SSL. Proceedings of the 2009 Pacific-Asia Conference on Circuits, Communications and Systems, 401-404.