Judy Rogers (Supervisor: Jay Barnes), Faculty of Informatics and Design, Cape Peninsula University of Technology, rogersj@cput.ac.za
Abstract
This paper examines the security needs of e-commerce enterprises and the security services provided by their internet service provider (ISP). The ISP acts as the trusted third party that provides the e-commerce business's connectivity to the Internet. The services provided by the ISP affect all online activity, so selecting the correct ISP is an important part of business strategy. The literature review shows that securing e-commerce is a complicated undertaking and remains an obstacle to its development.
Keywords. Certificate Authority (CA), Internet Service Provider (ISP), Trust, Digital Certificate, E-commerce
1.
Introduction
Streams of sensitive data are continuously transmitted over the web and it is important for this data to be protected at all costs. Internet security is recognised as the methods used by an organisation to protect its corporate network from intrusion, and executives generally face a certain amount of conflict when potential profits outweigh security threats (Hawkins et al., 2000). One of the concerns consumers have is identity theft, and they are wary of providing their personal information to untrusted sources (Verisign, 2010; Kesh, 2002). One would like to believe that most consumers are security-wise, but the ever rising fraud statistics tell another story. Part of setting up an e-commerce business involves selecting an ISP, connecting to the internet, registering a domain and setting up a website. The business conducts online transactions between parties over the internet. Consider a bricks-and-mortar establishment such as a shopping complex, say the Victoria & Alfred Waterfront in Cape Town: the services of a security company are obtained, and the company is carefully vetted by the business before it is allowed to provide those services. An online business and its security requirements present a different scenario, a complex interrelationship between several components such as SSL, digital certificates, certificate authorities (CAs) and internet service providers (ISPs). A weakness in any single component can jeopardise the entire security system of the website and expose a large number of customers (Boardman, 2004; Ahmad, 2008; Kshetri, 2010). One of the aspects this research article focuses on is the security interrelationship between the small and medium enterprise e-commerce (SMEEC) and the ISP.
An ISP has significant influence on the feasibility and security of an e-commerce business, and there is generally a security trade-off when a single server hosts multiple sites. The most vulnerable arrangement is the shared server, where each enterprise has its own File Transfer Protocol (FTP) account on the same server to create backups of its data (Satti et al., 2000). Methods an enterprise may use to secure its network include firewalls, user authentication, data encryption, key management and digital certificates, and the three important mechanisms needed to secure the e-commerce system are merchant, transport and client security (Hawkins et al., 2000; Boardman, 2004).
2.
Literature Review
This review is a brief analysis of e-commerce security based on current research and should be regarded as a foundation for the topic. It investigates the relationship between the SMEEC and the ISP, including online security and whether the security policies and practices of the ISP are checked and tested. E-commerce security encompasses several technologies and elements, including storage and safekeeping of information and maintaining its knowledge-value, networks, data privacy, Secure Sockets Layer (SSL), authentication and email. Security is the key factor that underpins the model of trust on which the success of e-commerce depends (Ma & Liu, 2010; Jie & Hong, 2010). Two important areas of security are SSL and the ISP. A study by the SSL Observatory, a project of the Electronic Frontier Foundation (EFF) in San Francisco, found that browsers retained CA certificates even after the certificate authorities (CAs) concerned had ceased operations. Further problems were highlighted in a presentation by Eckersley & Burns (2010): a large number of SSL sites did not have valid certificates, and a large number of organisations had been allowed to act as intermediate CAs without rigorous checks. It is important to understand how to choose the correct ISP in terms of security and liability. Considerations include equipment location and ownership, right of access, connectivity and performance issues, ownership and control of data, service agreements, risks and indemnification (Lovell, n.d.).
and purchase goods or services via a secure online payment system (Simon & Shaffer, 2001). Setting up an e-commerce business involves developing a website, finding and selecting an ISP, obtaining access to the internet, registering a domain name and considering legal issues. It also relies on a wide range of technologies, such as the World Wide Web delivery system, networks, privacy of data, SSL, a reliable payment gateway and email (Ma & Liu, 2010; Lovell, n.d.).
but fortunately this was averted, as Comodo announced that the master CA private keys in its Hardware Security Modules had not been compromised (Skoudis, 2007; Eckersley, 2011; Eigeles, 2005; Paulson, 2010).
Verisign defines an SSL certificate as a digital file, or small piece of code, that serves several functions: authentication, verification and data encryption. The certificate is most reliable when issued by a trusted CA, which has to follow a strict protocol governing who may or may not receive an SSL certificate. HTTPS (Hypertext Transfer Protocol Secure) relies on certificates to ensure that the website the user is talking to is actually the website they want to talk to, and not an impostor anywhere else on the internet (Verisign, 2010; Eckersley & Burns, 2010).
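The checks behind that sentence (a chain to a CA the client trusts, a hostname match, the validity period, and the hash used in the signature) are shown below as an added Go example written for this edit; it is not code from the paper, from Verisign or from the EFF. To run offline it builds a throwaway root CA and a server certificate in memory with constructed names (Example Root CA, shop.example.test); the leaf is signed with ECDSA/SHA-256, and weakSignature is the check that would have rejected an MD5-signed certificate of the kind used in the rogue-CA attack (Stevens et al., 2009). These are also the items interview question 1.3 in section 5 asks the ISPs about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// issue generates a P-256 key for tmpl and signs it with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildTestPKI creates an in-memory root CA and a server certificate it signed, standing in
// for a commercial CA and a merchant's SSL certificate. Names are constructed for this example.
func buildTestPKI(now time.Time) (ca, leaf *x509.Certificate, err error) {
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(3650 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "shop.example.test"},
		DNSNames:     []string{"shop.example.test"}, // the name an HTTPS client matches
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, leaf, err
}

// weakSignature flags a signature hash that is broken (MD5, the basis of the rogue-CA attack) or deprecated (SHA-1).
func weakSignature(alg x509.SignatureAlgorithm) bool {
	return alg == x509.MD2WithRSA || alg == x509.MD5WithRSA || alg == x509.SHA1WithRSA ||
		alg == x509.DSAWithSHA1 || alg == x509.ECDSAWithSHA1
}

// fingerprint is the SHA-256 digest of the DER encoding, the value a browser shows and an operator can compare out of band.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// checkCertificate runs the checks an HTTPS client makes before trusting a site: chain to a trusted
// root, hostname, validity period and signature hash. One finding per failed check; empty means accepted.
func checkCertificate(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) []string {
	var findings []string
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	switch e := err.(type) {
	case nil:
	case x509.HostnameError:
		findings = append(findings, "hostname mismatch: "+e.Error())
	case x509.UnknownAuthorityError:
		findings = append(findings, "issuer not in trust store: "+e.Error())
	case x509.CertificateInvalidError:
		findings = append(findings, "certificate invalid: "+e.Error())
	default:
		findings = append(findings, "verification failed: "+e.Error())
	}
	if weakSignature(leaf.SignatureAlgorithm) {
		findings = append(findings, "weak signature algorithm: "+leaf.SignatureAlgorithm.String())
	}
	return findings
}
```

To exercise it, call buildTestPKI, add the returned CA to a pool with x509.NewCertPool and AddCert, and pass the leaf to checkCertificate: with the host "shop.example.test" it returns no findings, with "bank.example.test" a single hostname-mismatch finding, with an empty pool an issuer-not-trusted finding, and with a CurrentTime past the 90-day NotAfter a certificate-invalid finding. Each of those is one of the failure modes a browser warning is supposed to surface; an ISP or merchant that bypasses the warning (or pins a certificate by fingerprint without checking which CA issued it) is accepting exactly the risk the literature review describes.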
The most vulnerable arrangement is a server shared by numerous companies, each with its own File Transfer Protocol (FTP) account on the same server to update web content or a database.
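The paper states the shared-server risk (here and in the introduction) but not how it shows up on the host. As an added example written for this edit, not taken from the paper or from any respondent, the Go audit below assumes a Unix host on which every co-tenant's FTP or shell account falls into the "other" permission class. It builds a constructed tenant directory containing a world-readable config.php and a world-writable upload, reports both, and then applies the fix; the file names, modes and the list of credential files are constructed for the example.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Finding is one file whose permission bits expose it to other local accounts.
type Finding struct {
	Path   string      // relative to the tenant's web root
	Mode   fs.FileMode // permission bits as found
	Reason string
}

// secretNames is a constructed list of file names that usually hold credentials; a real audit needs its own.
var secretNames = map[string]bool{"config.php": true, "wp-config.php": true, ".env": true, "database.yml": true, ".htpasswd": true}

// auditTree walks a web root and reports credential files readable by "other" and any file
// writable by "other". On a shared server every co-tenant account is in that "other" class.
func auditTree(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() {
			return walkErr
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p) // cannot fail for a path produced by walking root
		perm := info.Mode().Perm()
		switch {
		case perm&0o002 != 0:
			out = append(out, Finding{rel, perm, "world-writable"})
		case perm&0o004 != 0 && secretNames[filepath.Base(rel)]:
			out = append(out, Finding{rel, perm, "world-readable credentials"})
		}
		return nil
	})
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out, err
}

// hardenTree applies the fix for each finding: credential files become owner-only,
// everything else just loses the world-write bit.
func hardenTree(root string) error {
	findings, err := auditTree(root)
	if err != nil {
		return err
	}
	for _, f := range findings {
		mode := f.Mode &^ 0o002
		if secretNames[filepath.Base(f.Path)] {
			mode = 0o600
		}
		if err := os.Chmod(filepath.Join(root, f.Path), mode); err != nil {
			return err
		}
	}
	return nil
}

// buildSampleSite creates a temporary web root with a constructed mix of safe and unsafe
// modes, standing in for one tenant's files on a shared server. The caller removes it.
func buildSampleSite() (string, error) {
	root, err := os.MkdirTemp("", "tenant-")
	if err != nil {
		return "", err
	}
	modes := map[string]os.FileMode{
		"index.html":         0o644, // public page: world-readable is intended
		"config.php":         0o644, // database password readable by every co-tenant
		"uploads/avatar.png": 0o666, // any co-tenant can replace the file
		"private/.env":       0o600, // correct: owner only
	}
	for name, mode := range modes {
		p := filepath.Join(root, name)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(p, []byte("sample\n"), mode); err != nil {
			return "", err
		}
		if err := os.Chmod(p, mode); err != nil { // WriteFile applies the umask; set the mode exactly
			return "", err
		}
	}
	return root, nil
}
```

Calling buildSampleSite, then auditTree, gives two findings (config.php as world-readable credentials, uploads/avatar.png as world-writable); after hardenTree the same audit returns none. Two caveats for a real host: os.MkdirTemp creates the sample root with mode 0700, which by itself keeps co-tenants out, whereas on a shared web server the directory usually has to be 0755 so the web server can traverse it, which is why the per-file modes matter; and FTP itself sends the account password in clear text, so the account used to update the site is a second exposure independent of file modes.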
3.
As a consumer of online goods and services, the author has a particular interest in e-commerce security. Given the continual rise in online fraud, the author has a valid security concern as to whether e-commerce websites and ISPs are sufficiently secure to keep sensitive data, such as credit card details and other personal information, safe.
4.
Research methodology
This paper explores SMEEC knowledge and expertise in computer security and whether SMEECs check the security policies and plans of their ISPs. The research draws on peer-reviewed literature and interviews with various respondents to present an overview of computer security knowledge and practices. A review of prior relevant literature is essential for an academic research project: it creates a foundation for advancing knowledge, facilitates theory development, uncovers areas where research is needed and contributes to the work (Barlette & Fomin, 2008; Okoli & Schabram, 2010).
the companies. For example, all the companies interviewed consisted of 2 to 5 partners. The respondents willingly undertook to participate in an interview; regarding ethical considerations, a letter of consent was obtained and forwarded to each respondent. In some cases, respondents requested the interview questions for perusal before the interview commenced. All interviewees were assured that no information or data gathered would be made available to anyone not directly involved in the study, that all data would be kept in a password-protected file and deleted at the end of the project, and that all names of people and companies would be anonymised.
The dataset consists of 9 semi-structured interviews with SMEEC and small ISP practitioners. Although data was drawn from various market sectors, such as hotels, art design and electronics, the primary criterion for this research is not sector specific: the author's perception is that SMEECs are less likely than their larger counterparts to have checked the security of their ISPs, so the target audience was limited to SMEs in and around the central business district of Cape Town. The interview questions were drawn from the literature and limited to those considered most important.
Market sector                        Area
Hotel                                Sea Point, Cape Town
Financial services                   Milnerton
Art design                           CBD, Cape Town
Furniture                            CBD, Cape Town
Advertising                          Parklands
Electronics                          Constantia
Accommodation booking                Claremont
Small company (port speed 10 Mbps)   Sea Point
Small company (port speed 10 Mbps)   Durbanville
* Details of sources withheld for confidentiality purposes. CBD: Central Business District.
5.
Key findings
SMEEC respondents

Category 1: In-house security
Questions
1.1 Who is responsible for security in your company?
1.3 Are you aware of the functions of the following security infrastructure: firewall, password authentication, data encryption, Secure Sockets Layer (SSL), secure e-mail (S/MIME), digital certificate, digital signature, secure electronic transactions (SET)?
Responses
Majority response: the developer. One respondent took complete ownership. Antivirus and/or firewall and/or network protection; one respondent took full ownership. Most respondents were aware of firewalls and passwords; two were well versed.

Category 2
Questions
2.1 Does your company have an Information Security Plan?
2.2 Does your company have a backup policy?
2.3 Does your company have a Disaster Recovery Plan (DRP)?
2.4 Does your company have an information security policy and, if so, do you comply with it?
Responses
All respondents except one had no security policies or plans in place. Some kept data backups off site.

Category 3: ISP evaluation
Questions
3.1 Have you had any security issues with your ISP?
3.2 What criteria did you use to choose your ISP?
3.3 What are your expectations for security from your ISP?
3.4 Does your ISP have an Information Security Plan?
3.5 Did you evaluate your ISP's security policy?
3.6 Does your ISP have a backup or DRP, and did you inspect and test it?
3.7 Do you share a server with other clients?
Responses
Most respondents (all except one) had no criteria for choosing their ISP and did not evaluate its policies or security practices; they assumed the ISP's security to be good. None had experienced security issues with their ISP. One respondent had very specific criteria for choosing his ISP (an overseas ISP, power supply, security and cost) and had tested the ISP's systems.

ISP respondents

Category 1: E-commerce security
Questions
1.1 From a security perspective, what is the process when a prospective client wants an e-commerce website?
1.2 What are your security expectations of certificate authorities?
1.3 What pertinent information is checked in the digital certificate, such as MD5 and SSH?
1.4 How do you secure your server information in terms of networks, physical location, patch updates, etc.?
1.5 How is administrative access to the server controlled?
1.6 How is the server physically protected?
1.7 How is the server monitored?
Responses
Both respondents' security measures were generally on par, although, judging by the responses, one respondent's measures appear somewhat more stringent than the other's.

Category 2
Questions
2.1 Do you have a backup policy?
2.2 Provide some details of your DRP.
2.3 Do you have an information security plan?
Responses
The first respondent did not document any policies; they are verbal and client specific. The second respondent showed clear evidence of stringent policy documentation and plans.
6.
This study hypothesised that SME e-commerce practitioners do not check their ISPs' security practices and policies. The research approach was two-pronged: practitioners at each end of the scale were analysed in terms of their security policies and practices. Developing safety regulations and implementing security techniques is the key factor in forming secure e-commerce systems. The growing proliferation of malware, and current ISP practice such as not controlling outbound traffic, continue to be major concerns (Parameswaran et al., 2007; Wang et al., 2010; Ma & Liu, 2010). Empirical research is therefore needed to discover what security practices are in place at SME e-commerce businesses and their ISPs, and what due diligence e-businesses undertake regarding their ISPs' security policies and practices to protect their e-commerce websites. The findings for SMEECs indicate that, even though the sample was one of convenience, a significant number of respondents had a poor grasp of internet security and related technologies and policies, and of evaluating their ISPs, when measured against the literature review. General responses that emerged during the interviews: respondents did not take ownership of their own security and generally left matters in the hands of the developer. The criteria for choosing an ISP were limited to recommendation and service delivery, with cost a low priority. Security did not appear to be a primary concern for most respondents. Despite this, all respondents were adamant, when the question was posed, that a security breach would harm their business.
On a more positive note, the author was gratified to discover that one particular e-commerce practitioner was extremely conscientious about securing his business and meticulous about checking his ISP. His responses to all questions were strongly favourable: he had good knowledge of computer security and related technologies, had implemented policies, and had evaluated his ISP thoroughly, including checking and testing its policies. In response to the question on the criteria used to choose an ISP, he had chosen one from the USA; his criteria included power supply, cost, security framework and infrastructure. The findings for ISPs indicate that security measures were generally on par, but only one ISP actually documented and continuously updated its policies; that ISP also appeared to have the stronger security infrastructure. In conclusion, the author found that a significant number of respondents are not taking full responsibility and ownership of their security practices and policies, and did not think to evaluate their ISPs' security practices and policies. Given these findings, it is clear that SMEECs are not thinking through their security requirements and policies, which generally indicates a lack of awareness of data security.
7.
Some
Convenience sampling is not truly representative of the population; this method was selected because of time constraints and ease of reaching the target audience. The author attempted to produce a quasi-representative sample by selecting distinct market sectors and small companies. A number of areas still need to be addressed, such as analysing the ISPs' security policies in greater detail. A future study should widen the net of the target audience and possibly use probability sampling. A future study would also draw up guidelines on how to select an e-commerce host.
8.
References
Ahmad, W. (2008). Is Credit Card Fraud a Real Crime? Does it Really Cripple the E-Commerce Sector of E-Business? ICMECG, 364-370. Available from Emerald database: http://... [Accessed 9 October 2011].
Al-Qirim, N. (2004). Electronic Commerce in small to medium-sized enterprises: Frameworks, issues and implications. Idea Group Publishing. Available from: www.kalahari.com [Accessed 1 September 2011].
Barlette, Y. & Fomin, V.V. (2008). Exploring the Suitability of IS Security Management Standards for SMEs. HICSS, pp. 308. Available from IEEE database: http://... [Accessed 4 October 2011].
Boardman, K. (2004). A critical analysis of electronic commerce security measures. Available from: http://www.cs.ru.ac.za/research/g01b0633/Documents/FinalPaper.pdf [Accessed 1 June 2011].
Choi, S., Whinston, A. & Stahl, D. (1997). Economics of Electronic Commerce. Macmillan Computer Publishing. Available from: www.amazon.com [Accessed 1 September 2011].
Eckersley, P. & Burns, J. (2010). An Observatory for the SSLiverse: Quick overview. Presentation. Available at: https://www.eff.org/ [Accessed 9 March 2011].
Eckersley, P. (2011). Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get? Electronic Frontier Foundation. Available at: https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https [Accessed 9 March 2011].
Eigeles, D. (2005). Intelligent authentication, authorization, and administration (I3A). Information Management & Computer Security, 13(5), pp. 419-434. Available from Emerald database: http://... [Accessed 17 May 2011].
Gritzalis, S. (2005). A good-practice guidance on the use of PKI services in the public sector of the European Union member states. Information Management & Computer Security, 13, pp. 379-398. Available from Emerald database: http://... [Accessed 17 May 2011].
Hawkins, S., Yen, D.C. & Chou, D.C. (2000). Awareness and challenges of Internet security. Information Management & Computer Security, 8, pp. 131-143. Available from Emerald database: http://... [Accessed 22 September 2011].
Jie, Z. & Hong, X. (2010). E-Commerce Security Policy Analysis. ICECE, 2764-2766. Available from IEEE database: http://... [Accessed 4 September 2011].
Kesh, S. (2002). A framework for analysing e-commerce security. Information Management & Computer Security, 10, pp. 149-158. Available from Emerald database: http://... [Accessed 17 May 2011].
Kshetri, N. (2010). The Economics of Click Fraud. IEEE Security and Privacy, 8, pp. 45-53. Available from Emerald database: http://... [Accessed 9 October 2011].
Lovell, M. (n.d.). E-Commerce: An Introduction, Part 1: Set Up. Available from: http://cyber.law.harvard.edu/olds/ecommerce/setuptext.html [Accessed September 2011].
Ma, X. & Liu, Y. (2010). Electronic Commerce Technology and its Security Problems. IITSI, 631-634. Available from IEEE database: http://... [Accessed 9 September 2011].
Neuman, L.W. (2003). Social Research Methods: Qualitative and Quantitative Approaches. Pearson Education.
Okoli, C. & Schabram, K. (2010). A Guide to Conducting a Systematic Literature Review of Information Systems Research. Available at: http://sprouts.aisnet.org/10-26 [Accessed 9 October 2011].
Paulson, L.D. (2010). How safe are secure websites? Computer, p. 17. Available at: http://delivery.qmags.com/d/?cid=1770959&sessionID=9BEE0456BEDB38689DAF4B783&cid=1770959&editionID=16436&platform=A& [Accessed 17 May 2011].
Parameswaran, M., Zhao, X. & Fang, F. (2007). Reengineering the internet for better security. Computer, 40, pp. 40-44. Available from IEEE database: http://... [Accessed 3 October 2011].
Rattan, M.V., Sinha, M., Bali, V. & Rathore, S. (2010). E-Commerce Security using PKI approach. International Journal, 2, pp. 1439-1444. Available at: http://www.enggjournals.com/ijcse/doc/IJCSE10-02-05-14.pdf [Accessed 13 June 2011].
Roosa, S.B. & Schultze, S. (2010). The Certificate Authority Trust Model for SSL: A Defective Foundation for Encrypted Web Traffic and a Legal Quagmire. Intellectual Property, 22:11. Available from Ebscohost database: http://... [Accessed 1 March 2011].
Satti, M.M., Garner, B.J. & Nagrail, M.H. (2000). Information security standards for e-business. Available from: http://www.macquarietelecom.com/whitepapers/Info%20Security%20Standards%20e-biz.pdf [Accessed 9 September 2011].
Simon, A.R. & Shaffer, S.L. (2001). Data Warehousing and Business Intelligence for e-Commerce. Morgan Kaufmann Publishers. Available from: http://amazon.com [Accessed 1 September 2011].
Skoudis, E. (2007). Can a certificate authority be trusted? Information Security Magazine, 2-3. Available at: http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1253295_mem1,00.html?ShortReg=1&mboxConv=searchSecurity_RegActivate_Submit& [Accessed 1 March 2011].
Soghoian, C. & Stamm, S. (2010). Certified lies: Detecting and defeating government interception attacks against SSL. Available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1591033 [Accessed 14 June 2011].
Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A. & de Weger, B. (2009). Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate. Available at: http://eprint.iacr.org/2009/111.pdf [Accessed 13 June 2011].
Verisign (2010). Beginner's guide to SSL certificates. Identity, 1-6. Available at: http://www.verisign.com/ssl/ssl-information-center/ssl-resources/guide-sslbeginner.pdf [Accessed 21 May 2011].
Verisign (2010). Security and Trust: the backbone of doing business over the internet. Available from: https://www.verisign.com/static/044242.pdf [Accessed 18 March 2011].
Wang, L., Zou, C. & Zang, S. (2010). A Study on the Commerce Security Characteristics for Electronic Business. ICEE, 245-248. Available from IEEE database: http://... [Accessed 9 September 2011].
Watson, R.T., Berthon, P., Pitt, L.F. & Zinkhan, G.M. (2007). Electronic commerce, the strategic perspective. Creative Commons Attribution 3.0 License. Available at: http://globaltext.terry.uga.edu/userfiles/pdf/electronic%20commerce.pdf [Accessed 4 September 2011].
Wazan, A.S., Laborde, R., Barrere, F. & Benzekri, A. (2008). Validating X.509 Certificates Based on Their Quality. ICYCS, 2055-2060. Available from IEEE database: http://... [Accessed 25 May 2011].
Willis, N. (2010). EFF analyzes SSL certificates and certificate authorities. Available at: https://lwn.net/Articles/399585/ [Accessed 25 May 2011].
* Interviewee names withheld for reasons of confidentiality.
9.
Definition of Terms
Certificate Authority (CA): an entity that issues digital certificates
Digital certificate: a form of electronic credential for the internet
EFF: Electronic Frontier Foundation, an international non-profit digital rights advocacy and legal organisation based in the United States
Hash function: any well-defined procedure that converts a large amount of data into a small datum
HTTPS: Hypertext Transfer Protocol Secure
IE: Internet Explorer
IP: Internet Protocol
Localhost: the hostname of the user's own computer, e.g. a server application running on the user's machine
MD5: Message-Digest Algorithm 5
Mozilla browser: a web browser from Mozilla, such as Firefox
OID: object identifier, used to name certificate extensions
PKI: Public Key Infrastructure
Revocation: an act of recall or annulment
RFC 1918: the standard that sets aside private IP address space; a private network uses that space
Rogue certificate: a fraudulently obtained or forged digital certificate used to impersonate a website
Root certificate: either an unsigned public key certificate or a self-signed certificate
SSL: Secure Sockets Layer
SSH: Secure Shell, a network protocol for secure data communications
TLS: Transport Layer Security
USA: United States of America
Web: abbreviation for World Wide Web
Windows 7: the release of Microsoft Windows current at the time of writing
X.509: a standard for public key infrastructure