Sunday, September 25, 2005

Electronic Commerce or e-Business: Security Measures such as Authentication in Large Companies and SMEs

In order to continue to flourish, EC will need to use education, policies and procedures, training and various types of technology to defend against cyber attacks. And with the widespread availability of free intrusion tools, scripts and the overall interconnectivity on the Internet allowing anyone with minimal computer experience to mount a DoS attack, we can say that EC e-tailers, private and government security firms will have a hard time staying ahead of those attacks. We must note that there are two types of attacks. They can be non-technical and technical attacks. The non-technical attacks come in the form of social engineering. In the non-technical attacks, perpetrators use chicanery and other forms of persuasion to trick people into revealing sensitive information or performing actions that can be used to compromise the security of a network. In the technical attacks, software and system knowledge are used to take over the victim’s computer system.

EC must realize that there are a lot of security risks out there. It was in 2000 when a young Canadian teenager launched his denial-of-service (DoS) attack on some stellar companies as,,, eBay, E*Trade, Yahoo, ZDNet and many other well-known Web sites were inundated with some many Internet requests that legitimate traffic was virtually halted. (Kabay and Walsh 2000). The same month, the Canadian youngster with a codename of “Mafiaboy” was caught. He subsequently pled guilty to committing the 2000 attacks (King, Lee & Wiehland p. 470).

Hackers are after control and access. They want to exploit others’ innocence. They want to get credit for the disruption of EC which in itself is a felony. In the past they used to go almost undetected. These days, with some major companies and universities collaborating on finding new ways to protect the nation’s infrastructures, there may be some hope. National Infrastructure Protection Center (NIPC) and Computer Emergency Response Team (CERT) are working hard to try to protect the nation’s infrastructures, monitor incidence of cyber attacks, analyze vulnerabilities, and provide guidance on protecting against attacks from individual hackers, foreign governments, businesses as in industrial espionage, pirated computer software and other crimes.

Unfortunately, I expect the situation to get worse. As more and more buyers are using their credit cards online, hackers know about the honeynet. They are attracted by the honeypots. They want to disguise their ruse and gimmicks to be able to take a share of the EC’s profits. No wonder that we have seen the wild growth of antivirus companies such as Network Associates (McAfee products) and Symantec’s Norton products. Malicious codes or malware are spreading fears among computer users and EC businesses. There is a whole group of malicious codes known as viruses, worms, macro viruses and macro worms, and Trojan horses. Security becomes very crucial.

According to a survey conducted by Information Security Magazine (Briney and Prince 2002), the security practice of various organizations is very minimal. From small organizations with 10 to 100 computers, medium organizations (100 to 1,000 computers, large organizations (1,000 to 10,000 computers and very large organizations (more than 10,000 computers), IT security is still trying to gain a foothold in the day-to-day activities that impact the organization.

In the end, some of the things that EC sites can do to mitigate such attacks are the implementation of security management. Security must be everybody’s business. They can have a security risk management in place to determine the likelihood of various security attacks. Most importantly, they can use the following: Authentication system, access control mechanism, passive tokens, active tokens, biometric systems, fingerprint scanning, Iris scanning, voice scanning, and keystroke monitoring.

The security attacks range from non-technical to technical attacks, social engineering threats to DoS or DDoS attacks. With the widespread availability of free intrusion tools and scripts and the overall interconnectivity on the Internet, virtually anyone with minimal computer experience can mount a DoS attack. Unfortunately, a successful DoS attack can literally threaten the survival of an EC site, especially SMEs.

No comments: