Introduction to Computer Security, Internet, E-commerce and E-governance with

reference to Free Market Economy

Definition, Threats to security, Government requirements, Information Protection and
Access Controls, Computer security efforts, Standards, Computer Security mandates
and legislation, Privacy considerations, International security activity.
Conceptual Framework of E-commerce: governance, the role of Electronic Signatures
in E-commerce with Reference to Free Market Economy in India.

Textbooks
1. Debby Russell and Sr. G.T Gangemi, "Computer Security Basics (Paperback)”, 2ndEdition, O’ Reilly
Media, 2006. Computer Security Basics - Google Books
2. Cyber Laws and IT Protection, Harish Chander, PHI, 2012
Introduction to computer Security

computer security, the protection of computer systems and information from

harm, theft, and unauthorized use. Computer hardware is typically protected by
the same means used to protect other valuable or sensitive equipment.
The security precautions related to computer information and access address four
major threats:
(1)theft of data, such as that of military secrets from government computers;
(2)vandalism, including the destruction of data by a computer virus;
(3)fraud, such as employees at a bank channeling funds into their own accounts;
and
(4)invasion of privacy, such as the illegal accessing of protected personal financial
or medical data from a large database. Continues…
The laws make it a crime to reveal personal information gathered
during business.
 Health Insurance Portability and Accountability Act (HIPAA)
 Family Educational Rights and Privacy Act (FERPA)

The organizations which provide assistance w.r.to attacks over internet:

 Defense Advanced Research Projects Agency (DARPA)
 Computer Emergency Response Team (CERT)

Information Sharing and Analysis Centers (ISACs) help in developing

the best practices for protecting critical infrastructures and minimizing
vulnerabilities.
Continues…
Computer crime is an act performed by a knowledgeable computer user,
sometimes called a "hacker," that illegally browses or steals a company's or
individual's private information. Sometimes, this person or group of individuals
may be malicious and destroy or otherwise corrupt the computer or data files.
Examples:
• Child pornography - Making, distributing, storing, or viewing child pornography.
• Click fraud - Fraudulent clicks on Internet advertisements.
• Copyright violation - Stealing or using another person's Copyrighted material
without permission.
• Cracking- Breaking or deciphering codes designed to protect data.

Continues…

Ref : What is Computer Crime? (computerhope.com)

 Confidentiality, Integrity, Availability (CIA)

Computer and Network security is build on 3-pillars, C-I-A.

Confidentiality - preventing the disclosure of data to unauthorized parties.

Also keep the identity of authorized parties involved in sharing and holding data
private and anonymous.

Often confidentiality is compromised by cracking poorly encrypted data, Man-in-

the-middle (MITM) attacks, disclosing sensitive data.

Standard measures to establish confidentiality include:

1. Data encryption
2. Two-factor authentication
3. Biometric verification
4. Security tokens Continues…

5
Integrity Availability
Availability is making sure that authorized
Integrity refers to protecting parties are able to access the information
information from being modified by when needed.
unauthorized parties.

Standard measures to guarantee

Standard measures to guarantee availability include:
integrity include:

1. Cryptographic checksums 1. Backing up data to external drives

2. Using file permissions 2. Implementing firewalls
3. Data backups 3. Having backup power supplies
4. Data redundancy
Continues…

6
Identification, Authentication, Authorization and Accountability
These are other terms but part of CIA model
Identification describes a method of ensuring that a user is the
entity it claims to be. Identification can be provided with the use
of a username or account number.
Authentication Prove you are XYZ, using multifactor
authentication like password, biometric, passport, ID etc.
Authorization What are you allowed to access?
Accountability (also referred as Auditing)
Trace an action to a User’s Identity
Prove Who/what a given action was perform by (non-repudiation)
Threats to Security
Vulnerability – weakness in a system
Threat – possible danger to the system
Countermeasures – techniques for protecting the system
Vulnerabilities
 Physical Vulnerabilities – intruder breaks into buildings & equipment/server
room
 Natural Vulnerabilities – computers vulnerable to natural disasters (fire, flood,
earthquakes, power loss) and environmental threats.(Dust, humidity, uneven
temp.)
 Hardware and software Vulnerabilities
 Media Vulnerabilities – Damaged backup media
 Communication Vulnerabilities - interception
 Human Vulnerabilities – poorly trained administrator Continues…
Threats
 Natural and physical threats – threats related to fire, flood, power failures
and other disasters.
Can’t prevent such disasters but can be detected quickly using fire alarms,
sensors etc.
 Unintentional threats – ignorance creates dangers
More information is compromised, corrupted or lost through ignorance
 Intentional threats – outsiders and insiders

Countermeasures
 Computer security
 Communication security
 Physical security
Government requirements
The computer vendors who want to sell lot of work
stations to govt., they are forced to build security into
those products.
- Most govt. agencies specify security requirements along
with the operational requirements.
- The seller need to use encryption to protect stored and
transmitted data.
- Information protection : govt. agencies need to protect
sensitive info. from theft, modification, data breaches
and need to ensure integrity of the information.
Information Protection and Access Controls
Access control is a security technique that regulates who or what can view or use resources in a
computing environment. It is a fundamental concept in security that minimizes risk to the business or
organization.
There are two types of access control: physical and logical. Physical access control limits access to
campuses, buildings, rooms and physical IT assets. Logical access control limits connections to
computer networks, system files and data.
Physical access control can be limited by access card readers, auditing and reports to track employee
access to restricted business locations and proprietary areas, such as data centers. Some of these
systems incorporate access control panels to restrict entry to rooms and buildings, as well as alarms
and lockdown capabilities, to prevent unauthorized access or operations.
Logical access control systems perform identification authentication and authorization of users and
entities by evaluating required login credentials that can include passwords, personal identification
numbers, biometric scans, security tokens or other authentication factors. Multifactor authentication
(MFA), which requires two or more authentication factors, is often an important part of a layered
defense to protect access control systems.

Ref: What is Access Control? (techtarget.com)

Access control methods:
Computer security efforts
In early 1950s, TEMPEST (the process of protecting
sensitive equipment from emanating electromagnetic
radiation (EMR) that may carry classified information)
- standards that strive to prevent outright data theft.
- 1960s – Department of Defense, National Institute of standers and technology or
NIST, national security agency first initiated public awareness of security.
- 1967, DoD studied threats to computer systems and information
- Later Defense Advanced Research Projects Agency (DARPA) worked on identifying
vulnerabilities and threats and introduced methods to safeguard systems and
controlled access to defense computer systems, networks and information.
- 1970, Security controls for computer systems –a document is published, which is
landmark in the history of computer security
Tiger Teams – In 1970s, first time emerged on computer
scene.
These teams where govt. and industry sponsored teams of
crackers.
They attempt to break down systems, security patches, flaws.
- Sponsored by DoD
- Penetration testing
Standards for secure Systems
National Bureau of standards (NBS) , also known as the National
Institute of standards and Technology (NIST), responsible for the
development of all kinds of standards.
- NBS sponsored conference on computer security in collaboration
with ACM.
- Required attention in three areas w.r.to:
- Policy : What security rules should be enforced for sensitive info?
- Mechanisms : What h/w and s/w mechanisms are needed to
enforce the policy?
- Assurance : What need to be done for mechanisms to support
the policy even when the system is subjected to threats?
National Computer Security Center (NCSC)
The Center was founded with the following goals:
• Encourage the widespread availability of trusted computer systems
• Evaluate the technical protection capabilities of industry- and government-
developed systems
• Provide technical support of government and industry groups engaged in
computer security research and development
• Develop technical criteria for the evaluation of computer systems
• Evaluate commercial systems
• Conduct and sponsor research in computer and network security technology
• Develop and provide access to verification and analysis tools used to develop and
test secure computer systems
• Conduct training in areas of computer security
• Disseminate computer security information to other branches of the federal
government and to industry
Computer Security mandates and legislation

Laws typical aim is to protect information.

-protection of classified or sensitive information
Legislation mandating computer security practices by federal agencies and con-
tractors. The idea of this legislation is that organizations that process classified or
sensitive unclassified government information must be careful to protect that
information from unauthorized access.
-computer crime
Legislation defining computer crime as an offense and extending other regulations
to cover thefts and other abuses carried out by computers and other new
techniques. In addition to federal policies, virtually all U.S. states have enacted
their own legislation prohibiting computer crime and abuse.
-Privacy
Legislation protecting the privacy of information maintained about individuals
(e.g., health and financial records). Another consideration for computer privacy is
the practice of merging records from multiple, seemingly benign databases into
profiles that may reveal devastating amounts of information about an individual.
Privacy Considerations
The ability to collect and manage information doesn't necessarily confer the right
to save, analyze, and publicize that information, but several recent attacks suggest
that this is occurring.
In one high profile case, an airline was approached and asked to turn over the
records of millions of passengers who had purchased tickets for trips on the airline.
Apparently the purpose was to combine the flight plans of customers with other
data available commercially, such as reports from credit bureaus, and determine
which fliers may fit the profile of a terrorist.
This is feasible only if you can rapidly combine information from several different
databases, and that, in the view of many, represents a massive invasion of privacy.
International security activity
International security, also called global security is a term which refers to the measures
taken by states and international organizations, such as the United Nations, European
Union, and others, to ensure mutual survival and safety. These measures include military
action and diplomatic agreements such as treaties and conventions. International
and national security are invariably linked. International security is national security or
state security in the global arena.
Conceptual Framework of E-commerce:
governance
The conduct of business and business transactions of any kind between parties on internet and
cyberspace is e-commerce.
These business transactions occur either as business-to-business (B2B), business-to-consumer (B2C
), consumer-to-consumer or consumer-to-business.
E-commerce platforms and vendors
An e-commerce platform is a tool that is used to manage an e-commerce business.
E-commerce platform options range in size from ones for small businesses to large
enterprises.
• Alibaba
• Amazon
• Chewy
• eBay
• Etsy
• Overstock
• Newegg
• Rakuten
• Wal-Mart Marketplace
• Wayfair
Vendors offering e-commerce platform services for
clients hosting their own online store sites include the
following:
• BigCommerce
• Ecwid
• Magento
• Oracle NetSuite Commerce
• Sales force Commerce Cloud (B2B and B2C options)
• Shopify
While starting a business on the new Internet or cyber space, the
and following points must be considered practically followed in
order to establish a viable and profitable business.
• A thorough preparation of investigation
• Agreements have to be made
• should be aware about the problems peculiar to the business and
the kind of transactions the businessman is going to enter with
the other parties.
• It is advisable to take a legal advice before starting the business so
that all the formalities of the contracts are in writing, with proper
signatures of the parties,
• New business can be started as a single owner proprietary
business, partnership business with the firm name.
Growth and Development of E-commerce

• The advantages and the scope of publicity of the business through e-

commerce is so wide that a page of a e-commerce or business on the
World Wide Web (www) can reach the surfers very fast in any part of the
world.
• The advantages of cyberspace are that its scope has no territorial
boundaries. And the cost and speed of messages of transactions on the
net is almost entirely independent of physical location.
• The messages can be transmitted from one physical location to any other
location without degradation, decay, or substantial delay.
• The power to control activity in the cyberspace has only the most
tenuous connection to physical location.
Definitions of E-commerce

 The World Trade Organisation defines e-commerce as, "e-commerce is

the production, distribution, marketing, sales or delivery of goods and
services by electronic means.“
 The Organisation for Economic Co-operation and Development (OECD)
defines, "e-commerce as commercial transactions, involving both
organisations and individuals, that are based upon the processing and
transmission of digitized data, including text, sound and visuals images.
 The Department for Promotion of Industry and Internal Trade FDI
(DPIIT), Policy, 2017 states that "e-Commerce means buying and selling
of and services, goods including digital products.”
 According digital and electronic network" (MeitY), "e-Commerce to the
Ministry of Electronics and Information Technology is a type of business
model, or segment of a larger
Various Modes of E-commerce

Generally, e-commerce operates on broad characterizations through four

modes which are as follows
Advertising, sale, lease or license of tangible products Ex: Books,
machinery, buildings, land, vehicles
• Advertising, sale, lease or license of intangible products Ex: IPR,
copyrights, goodwill, patent, e-newspaper, online storage.
 • Advertising, sale, lease or license of services Ex: online ticket booking,
online games, online banking
• Advertising, sale, lease or license of tangible products over the
internet is the electronic counterpart of our traditional order systems.
Mechanism Involved in the Operation of Internet

All machines connected to a network are generally identified by their

Internet Protocol (IP) numbers and Internet also has its own IP number.
The devices communicate with each other through the IP number
system.
The format and transmission of data is through several protocols. The
common protocol used on the Internet is Transmission Control
Protocol/Internet Protocol (TCP/IP). The data portion of packet be
encrypted for better security.
Packets are made to take the shortest route to the destination
Type of Players in E-commerce
According to an Australian Government Publishing Service titled "Tax and the
Internet", Canberra, 1997, the following important players are involved in
commercial transactions on the Internet
 The Network Provider
 The Internet Service Provider (1SP)
 The User
 The Website
 The Payment Providers
 The Payment System Provider
 The Software Architects
 The Advertiser
 The Content Provider
 The back-end systems.
Salient features of the new consumer protection Act, 2019:
Law on ECommerce and consumer protection
Some changes are taken place after introduction of online or e-commerce in
the consumer protection act, 1986.
Following are the features of Consumer Protection Act, 2019:
1. Def. of Consumer – person who “ buys any goods” and “ hires or avails of
any service”, but not a person who obtain goods for resale or commercial
purpose.
2. Def. of e-commerce – in consumer protection act, 1986 was silent on online
commercial transactions. IT Act, 2000 also not provided adequate framework.
But consumer protection act, 2019 defined e-commerce as “ buying or selling
of goods or services including digital products over a digital or electronic
network”
3. Specification of ‘Rights of Consumers’ – The Act expressed rights of
consumers under Section 2(9) of the Consumer Protection Act, 2019
4. Establishment of the Central Consumer Protection Authority (CCPA) :
Sections 10-27 of CPA, 2019
5. Key Concept of ‘Product Liability’ : Under Section 2(34) of CPA, 2019 –
responsibility of a product seller or manufacturer or service.
6. Def. of ‘Electronic Service Provider’ : Under Section 2(17) of CPA, 2019 –
the person provides technologies to enable a product seller to engage in
advertise/ sell goods/services to a consumer include online marketplace or
online auction sites.
7. Def. of ‘Misleading Advertisement’: An advertisement which falsely
describes the product or service.
8. Establishment of Consumer Dispute Redressal Commission: Sections 28 –
73 provides setting up of a Consumer Dispute Redressal Commission (CDRC).
9. Special Provisions on offences and penalties Under CPA 2019: Sections 88
– 93 regarding misleading advertisements, - fines with imprisonment.
10.Introduction of Mediation as an alternate Dispute
resolution mechanism: : Under Section 2(25) of CPA
2019 defined termed mediation – the process by which
a mediator mediates the consumer disputes. Sections
74-81 – resolve the consumer dispute faster without
approaching commission
• Web Development and Hosting Agreements
• Web Hosting
• The Problem of Internet Jurisdiction
• Illustrative Cases about cyberspace Jurisdiction
Web Development and Hosting Agreements
Web development and hosting relationship
encompass a broad range of substantive
relationship
• File conversation
• Web design
• code development
• system integration website
• Back-end system
Web Hosting

Web hosting in the generic description can encompass a number of different

relationships described in the following
 Collocation occurs when the customer locate customer Owned servers
at the provider's facility.
 In the typical hosting relationship, the provider (as opposed to the
Customer) provides the servers.
 Co-branding is a popular technique which has been used to expand he
scope of a customer website
 Outsourcing is increasingly becoming popular. Outsourcing occurs when a
customer outsources one or more functions of its website to a third party
provider.
Type of Websites

For the purposes of jurisdiction websites can be divided into two groups:
Passive and Interactive Sites: These sites provide information in a read
only format.
Interactive Sites: These encourage the browser to enter information
identifying the browser and/or providing background on the browser's
interest or buying habits.
 The Role of Electronic Signatures in E-commerce with
Reference to Free Market Economy in India

Objective: legal recognition for transactions carried out by means of

electronic data interchange.
• The centuries old means of documenting transaction and creating
signature on paper documents is fast changing with the rapid
technological development we witness these days.
• Electronic signatures is the need of the hour in order to profitably
carry out e-commerce and business in the globalised free market
economy across the world.
Basic Laws of Digital and Electronic Signature in India
Under the IT Act, 2000,Section 3 provides
Authentication of electronic records
(1) Subject to the provision of this section, any subscriber may
authenticate an electronic record by affixing his digital signature.
(2) The authentication of the electronic record shall be effected by
the use of asymmetric crypto system and hash function which
envelop and transform the initial electronic record into another
electronic record
(3) Any person by the use of a public key of the subscriber can verify
the electronic record.
(4) The private key and the public key are unique to the subscriber
and constitute a functioning key pair.
• By the IT (Amendment) Act, 2008, the law has been provided with another Section
3A which provides for as follows:
(1) Notwithstanding anything contained in Section 3, but subject to the provisions of
sub-section (2), a subscriber may authenticate any electronic record by such
electronic signature or electronic authentication technique which (a) is
considered reliable; and (b) may be specified in the Second Schedule.
( 2) For the purposes of this section, any electronic signature or electronic
authentication technique shall be considered reliable if
(a) the signature creation data or the authentication data are uniquely tied to
the user and not linked to others, ensuring data integrity and user
authenticity in the digital context.
(b) the signature creation data or the authentication data were, at the time of
signing, under the control of the signatory or, as the case may be, the
authenticator and of no other person;
(c) any alteration to the electronic signature made after affixing such signature
is detectable
(d) any alteration to the information made after its authentication by electronic
signature is detectable; and
(e) it fulfils such other conditions which may be prescribed.
(3) The Central Government may prescribe the procedure for the purpose of
ascertaining whether electronic signature is that of the whom it is person
by purported to have been affixed or authenticated.
(4) The Central Government can add or remove electronic signatures or
authentication techniques in the Second Schedule through an official
notification in the Official Gazette. However, only reliable and trustworthy
methods are allowed to be listed in the Second Schedule. This ensures that
only credible electronic signatures and authentication techniques are
recognized and used.
(5) Every notification issued under sub-section(4) shall be laid before each
House of Parliament
Authentication of Digital Signatures and Electronic
Records
Section 3 of the IT Act, 2000, provides information about
The digital signature is created in two different steps
• First, the electronic record is Converted into a
message digest by using a mathematical function
known as hash function which digitally freezes the
electronic record thus ensuring the integrity of the
content
• And secondly, the identity of the person affixing the
digital signature is authenticated through the use of
a private Key which attaches itself to the message
digest and which can be verified by any person who
has the public key corresponding to such private key.
Authentication of Electronic Signatures and Electronic
Records
Section 3A of the IT Act, 2008, provides for the procedures
for electronic signatures-electronic records and the
authentication of electronic signatures and electronic
authentication technique.
Any electronic signature or electronic authentication
technique shall be considered reliable if the signature
creation data or authentication data are within the
context in which they are used and linked to the
signatory or the authenticator and to no other person.
UNCITRAL: Model Law on Electronic Commerce, 1996
The United Nations Commission on International Trade
Law (UNCITRAL) has Suggested the Model Law on e-
commerce to be followed by all the countries in the
world.
Article 7 of the UNCITRAL Model Law provides: Where
the law requires a signature of a person only if
(i)Person is approved
(ii)Person is authenticated and reliable
UNCITRAL: Draft Rules of November, 1998
The UNCITRAL (Draft Rules of November, 1998) on electronic signatures
make a clear distinction between electronic signatures, enhanced
electronic signature and digital signature.
Article 1 of the UNCITRAL (Draft Rules of November, 1998) provides the
following
‘Electronic Signature' means data in electronic form that is either
physically affixed to or logically connected with a data message.
'Enhanced electronic signature’ means an electronic signature which is
created, and can be verified through the use of a security procedure at
the time it was made.
‘Digital Signature' means an electronic signature created by transforming
a data message using a message digest function,
The Concept of Hash Function
• Hash function is used in both creating and verifying
a digital signature.
• A hash function is a mathematical process based on
a algorithm which creates a digital representation
or compressed form of the message, often referred
to as a 'message digest or 'fingerprint' of the
message in the form of a 'hash value or hash result'
of a standard length which is usually much smaller
than the message, but nevertheless substantially
unique to it.
Authentication and Verification of Electronic/Digital Signatures
To give authenticity to a electronic/digital signature the verifier must have access
to the signer's public key and also should provide the assurance that it
corresponds to signer's private key.
In this connection, it is found that Trusted Third Parties (TTP's) or the CAS have a
very significant role to play.
The complete process of creating an electronic/digital signature and verifying it has
to accomplish certain essential attributes and effects which are required of a
signature for many legal purposes.
 signer authentication
 message authentication
 affirmative act
 efficiency
Private Key Escrow and Key Recovery Systems
An Escrow is an arrangement under which something
is placed on deposit with the trusted third party,
but may be accessed by third parties under certain
conditions.
Main reason of Escrow
If employee suddenly resigns by telling private key
If heirs die.
Different Approaches of Digital Signatures
prescriptive approaches of Digital Signature
criteria Based Approach
signature-enabling Category Approach: