
Chapter Three Ppt

Chapter Three discusses e-security, emphasizing the importance of protecting electronic information on the internet from risks such as data theft and corruption. It outlines various network security measures, including private networks, VPNs, encryption, and firewalls, as well as common threats like denial of service, sniffing, and spoofing. Additionally, it highlights the need for effective e-business risk management strategies to safeguard organizational operations and data integrity.

Uploaded by

kenenidg
Copyright
© All Rights Reserved

Chapter Three: E-Security

3.1. Security on the NET


• The internet offers tremendous cost savings and productivity gains, as well as significant
opportunities for generating revenue, to the business.

• However, along with the convenience and easy access to information come new risks.
• Among them is the risk that valuable data or information may be lost, stolen, corrupted,
or misused.

• Information recorded electronically, and available on networked computers, is more vulnerable (easily affected) compared to the same information being printed on paper and locked in a file cabinet.

• To protect electronic information on the network, effective and adaptable electronic security mechanisms must be used.

• E-security means the laws and technologies involved in keeping information secure. In other words, it is a system's ability to protect all parties from fraud due to interception of online transmission and storage.

3.1.1. Network and Website security risk

A. Network Security

• Network security is the guard against non-visible intrusion (simply entering) into computer systems and the theft of data, passwords, credit card numbers, and so forth by electronic means.

• In simple terms, network security is the protection of the network itself against use by unauthorized users.

• There are different types of network security that businesses or people have created to protect their networks:


I. Private Networks: secured LAN systems that were closed to outside access. Only computers that were actually connected to the private network by wires could access the information there.

• The only real concern was that someone with access to the system, such as an employee, might violate the system security, copy information, and remove it from the business's premises without authorization.

II. Virtual Private Networks (VPNs): software-generated extensions of a firm's real private network using secure third-party vendors' services and encryption systems.

III. Digital Signatures: are different devices used to authenticate the sender of data. They are used for confirmation purposes.

IV. Encryption system: is a system that scrambles (mixes) data that are sent over the internet.

• The technological basis for a growing number of popular encryption systems today is referred to as public-key cryptography.

• The system relies on two keys or codes for encrypting (locking) and decrypting (unlocking) data transmitted by a sender to a receiver.

• Each party has a pair of keys, one of which is publicly available and the other of which is private. Both codes are needed to encode and decode data.

• The sender uses the receiver's public key to encrypt a message, and the receiver uses its private key to decrypt the message.


V. Secure Electronic Transaction (SET): is an encryption process developed by MasterCard, Visa, IBM, Microsoft, and Netscape that prevents merchants from ever actually seeing any transaction data, including the customer's credit card number. See www.setco.org

VI. Digital Wallets: are devices that store customer information, such as a customer's name, address, credit card numbers, and so forth, and enter this information automatically when the consumer shops online.
• This not only saves time by not requiring the consumer to input the
same data each time another transaction takes place at a different
web site, but also authenticates the buyer.
B. Website Security
• It is the protection of an organization's websites from hackers (those using information within a computer without permission), who may decrypt the services or alter the contents of the site, which may be embarrassing to the organization.

• Apart from performance reasons, there are a variety of security reasons to attempt to isolate the services onto dedicated host (mass) computers. There are two ways or models of separating services:

1. The "Deny all" model: suggests turning off all services and selectively enabling services on a case-by-case basis as required. This can be done at the host or network level, as appropriate. It is more secure than the allow-all model. However, more work and a better understanding of services are required to successfully implement a deny-all configuration.

2. The "Allow all" model: it is based on the logic of simply turning on all services, usually with the default at the host level, and allowing all protocols to travel across network boundaries, usually with the default at the router level. This model is much easier to implement, but is generally less secure than the deny-all model.

Common Risks/attacks and prevention methods on network

1. Denial of Services:
• A denial of service attack brings the network to a state in which it can no longer carry legitimate users' data.
• The two common weaknesses that these attackers exploit in carrying out the attack on a site are:

➢ Attacking routers: designed to cause them to stop forwarding packets, or forward them improperly.

➢ Flooding the network with extraneous traffic: involves the broadcast of flood packets.

• Prevention for denial of services

➢ Clear-text password
➢ Cryptographic checksum: protects against replay attacks
➢ Encryption


2. Sniffing
• It uses a network interface to receive data intended for other machines in the network.

• Sniffing data from the network leads to leakage of several kinds of information that should be kept secret for a computer network to be secure, such as passwords, financial account numbers, and confidential/sensitive data.

• Although computer systems mask (cover) the password on the screen when the user types it in, passwords are often sent as clear text over the network. These passwords can be easily seen by any internet sniffer.

• Prevention for sniffing

➢ Understanding the devices and organizing them in an appropriate configuration.
➢ Encrypting all the message traffic on the network
➢ Segmenting by LANs
➢ Kerberos/rlogin- that prevents intruders from capturing the actions of user, after

3. Spoofing
• Spoofing is a technique in which the attacker tries to assume the identity of another user or system for transacting with the victim's/destroyed site.

• The common types of attack are carried out by ARP spoofing, IP spoofing and DNS spoofing.

i. Address Resolution Protocol (ARP) spoofing: is used to determine the hardware address of a machine whose IP address is known.

ii. IP spoofing: if the burglar, anywhere on the internet, can spoof IP packets, then they can effectively impersonate a local system's IP address.

iii. Domain Name System (DNS) spoofing: DNS names are easier to remember and are most often used instead of IP addresses. If the domain name is known by the hackers, they are in a position to offer a wrong transaction.

• To prevent spoofing, firewalls play a key role; in addition, we take certain precautions against spoofers, such as updating our computer system, filtering best and effective


Firewalls
• A firewall is a controlled access point between security domains, usually with different levels of trust.

• It acts as a gateway through which all traffic to and from the protected network passes.
• It helps to build a wall between one part of a network and another part.

• The unique characteristic of this wall is that there needs to be a way for some traffic, with particular characteristics, to pass through carefully monitored doors (gateways).

• The difficult part is establishing the criteria by which the packets are allowed or denied access through the doors.

• Firewalls can be a highly effective tool in implementing a network security policy if they are configured and maintained correctly.

• The level of security that a firewall provides can vary depending on the level of security required on a particular machine.
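
The "Deny all" and "Allow all" models from the Website Security slide and the firewall's allow/deny criteria above, as an added example that is not part of the original slides: one first-match packet filter run with each default policy over the same constructed traffic. The `Rule` fields, rule sets and addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR form
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port

def evaluate(rules, default, src, proto, dport):
    """First matching rule wins; otherwise the default policy applies."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return default

# Constructed rule sets for a hypothetical web server: (rules, default policy).
DENY_ALL = ([Rule("allow", "0.0.0.0/0", "tcp", 443),
             Rule("allow", "10.0.0.0/8", "tcp", 22)], "deny")
ALLOW_ALL = ([Rule("deny", "0.0.0.0/0", "tcp", 23)], "allow")

# Constructed sample traffic: (source, protocol, destination port, note).
PACKETS = [
    ("203.0.113.7", "tcp", 443, "public HTTPS"),
    ("10.1.2.3", "tcp", 22, "admin SSH from inside"),
    ("203.0.113.7", "tcp", 22, "SSH from the internet"),
    ("203.0.113.7", "tcp", 23, "telnet"),
    ("203.0.113.7", "tcp", 3306, "database port nobody thought about"),
]

def compare():
    """Return {note: (deny_all_verdict, allow_all_verdict)}."""
    out = {}
    for src, proto, dport, note in PACKETS:
        out[note] = (evaluate(*DENY_ALL, src, proto, dport),
                     evaluate(*ALLOW_ALL, src, proto, dport))
    return out

if __name__ == "__main__":
    for note, (d, a) in compare().items():
        print(f"{note:38} deny-all={d:5} allow-all={a}")
```

The database port shows the difference: nobody wrote a rule for it, so the allow-all policy passes it while the deny-all policy drops it.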
3.1.2 Security and E-Mail

• E-mail is an internet application that offers the ability to exchange messages among users on computers.

• It is a widely used network-based application and demands more authentication and confidentiality.

• To secure e-mail, proper secrecy of the username and password is the key and essential tool.

3.2. E-Business Risk Management

• In every organization there are certain risks which may hinder daily activities from being effective and efficient. In electronic documents there are also risks which need proper management. To manage theft, damage, viruses, software damage, and other risks, organizations must take the following protection mechanisms:
✓ Back-up and recovery
✓ Take the system off the network
✓ Establishing policy, rules and procedures of e-risk management
✓ Permanent monitoring and supervision must be there
✓ Up-to-date hardware and software usage
✓ Do not leave your computer for everyone
✓ Avoid disclosing any information about your password and user name.
✓ Contact a professional as soon as a problem occurs.

Procedures of risk management in technology
1. Risk planning process
2. Evaluating the technology available
