E-Commerce A/601/7313 LEVEL 3 LO3 - Understand the effects of e-commerce on society Learning Outcome (LO) The learner will: Pass The assessment criteria are the pass requirements for this unit. The learner can: 1 Know the technologies required for an ecommerce system P1 Describe the technologies required for e-commerce 2 Understand the impact of e-commerce on organisations P2 Explain the impact of introducing an ecommerce system to an organisation M1 - Describe how organisations promote their business using ecommerce 3 Understand the effects of e-commerce on society P3 Explain the potential risks to an organisation of committing to an ecommerce system M2 - Explain solutions for the potential risks of using e-commerce 4 Be able to plan ecommerce strategies P4 Review the regulations governing e-commerce P5 Examine the social implications of ecommerce on society P6 Plan an e-commerce strategy Scenario Criteria Tasks 1 2 3 4 5 Merit For merit the evidence must show that, in addition to the pass criteria, the learner is able to: Distinction For distinction the evidence must show that, in addition to the pass and merit criteria, the learner is able to: D1 - Compare the benefits and drawbacks of e-commerce to an Organisation M3 - Provide annotated planning documentation for your e-commerce strategy 6 7 8 9 10 D2 - Evaluate your e-commerce strategy Assessment P3 - Understand the effects of e-commerce on society Learners need to understand the potential risks for e-commerce systems, which should be set initially as research activities. Learners could brainstorm risks and then discuss as a group to identify risks that they may not have considered and look at the different aspects and implications of each. M2 – Understand the solutions for the potential risks of using ecommerce The learners could then be encouraged in small groups to further research risks allocated to them to see if they can find an example of when the risk has happened or may have been avoided, as well as find a solution or preventative method. The small groups/pairs could then be encouraged to provide feedback to the main group. Scenario Criteria Scenario Tasks Criteria 1 Tasks 2 3 41 5 2 6 37 8 4 95 106 Assessment 7 8 Assessment P3 - The assessment criterion P3 could be evidenced by the use of a report, leaflet or presentation delivered by the learner that could be supported by tutor observation and/or recorded evidence. The learner is required to explain the potential risks to an organisation of committing to an e-commerce system, this could relate to the business mentioned under assessment criterion P2. The learner must consider all risks identified in the teaching content. M2 - The merit criterion M2 could be evidenced by the learner providing a detailed explanation of the risks identified under assessment criterion P3, and must give examples to support their evidence and where possible relating these to organisations and individuals that have had these issues. Learners are also required to provide at least a range of solutions or preventative methods for each of the risks outlined for assessment criterion P3. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment Computer hacking is the practice of modifying computer hardware and software to accomplish a goal outside of the creator’s original purpose. People who engage in computer hacking activities are often called hackers. Since the word “hack” has long been used to describe someone who is incompetent at his/her profession, some hackers claim this term is offensive and fails to give appropriate recognition to their skills. Computer hacking is most common among teenagers and young adults, although there are many older hackers as well. Many hackers are true technology buffs who enjoy learning more about how computers work and consider computer hacking an “art” form. They often enjoy programming and have expert-level skills in one particular program. For these individuals, computer hacking is a real life application of their problemsolving skills. It’s a chance to demonstrate their abilities, not an opportunity to harm others. Since a large number of hackers are self-taught prodigies, some corporations actually employ computer hackers as part of their technical support staff. These individuals use their skills to find flaws in the company’s security system so that they can be repaired quickly. In many cases, this type of computer hacking helps prevent identity theft and other serious computer-related crimes. Computer hacking can also lead to other constructive technological developments, since many of the skills developed from hacking apply to more mainstream pursuits. For example, former hackers Dennis Ritchie and Ken Thompson went on to create the UNIX operating system in the 1970s. This system had a huge impact on the development of Linux, a free UNIX-like operating system. Shawn Fanning, the creator of Napster, is another hacker well known for his accomplishments outside of computer hacking. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment Hacking has many negative effects; Personal information may be leaked, Intellectual Property could be stolen, and lives can be ruined. There is no effective way to eliminate cracking. Any security measure put out will be circumvented sooner or later (as an example, see the iPhone 3G unlock). So the only way to keep unwanted criminals out is to keep your software up-to-date and protected from the outside world, i.e. firewalls. Cracking isn't always bad. Some people crack software or security in order to learn how to prevent it. There is a difference between good and bad though; White hat hackers vs. Black hat hackers. Hacking can take many forms and the infiltration level can vary from curiosity to espionage. Levels of hacking are usually only detected after the fact. Setting systems on Subnet masks is useful but not foolproof, firewalls involve degrees of encrypted security from 8bit to 64bit but can still be accessed. We all know the story of the Norad hack from the movie War Games but how close to the truth is hacking. Governments have set up agencies like CIPAV or US-CERT to determine hacking and security threats to governmental systems but businesses are less prepared. For information look at: http://www.wired.com/threatlevel/2009/04/fbi-spyware-pro/ For a detailed explanation see: http://technet.microsoft.com/hiin/magazine/2005.01.anatomyofahack(en-us).aspx Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment Scenario Criteria Tasks 1 2 Most networks today are built on what is called the eggshell principle: hard on the outside and soft on the inside. This means that if an attacker can gain a foothold onto the network, the rest of the network protections will usually fall like dominoes. Once inside, the most difficult part is often to figure out what to attack next and where to go for the really juicy bits of information. It does not have to be this way. With the proper techniques, we as network administrators can achieve two crucial objectives: to make it much more difficult to gain a foothold in the first place and to make it much more difficult to use that foothold to get anywhere else on the network. 3 4 5 6 7 8 9 10 Assessment P3.1 - Potential risks to an organisation - Viruses Europe has Entered a ‘Cyber Cold War’ (Source: NATO, FBI, McAfee & Serious Organized Crime Agency) China Most Actively Spying, but with 120 Other Countries ! NATO Said that All 26 of its Member Countries Have Been Targeted by Cyber-Attacks (e.g.: Estonia) Georgia’s Government Websites Fall Victim to CyberAttacks (DDoS & Defacements) … “Too Sophisticated for Amateurs !” Tibetan Government Web Site Injected with Malicious Source-Code Palin’s Yahoo Account Hacked in Less then 45 Minutes Using Password Reset Functionality Web Defacers Hacked into CERN Website of the LHC (Large Hadron Collider) UK Minister Confirms Cyber-Terrorists Attempting to Take Out the National Grid (Aug ’08) Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment P3.1 - Potential risks to an organisation - Viruses Viruses have been the bane of IT and companies since networks were introduced into companies for business transactions. Remember that all computer viruses have been created by someone for a purpose, whether it is to annoy, destroy, deliberately bring down a company or website. computer virus n. A computer program that is designed to replicate itself by copying itself into the other programs stored in a computer. It may be benign or have a negative effect, such as causing a program to operate incorrectly or corrupting a computer's memory. All viruses are different so they all act in a different way and have a different purpose. On Symantec the threats are defined daily according to the possibility of risk and the exploit a virus takes advantage on in its attack. http://www.symantec.com/norton/secu rity_response/threatexplorer/index.jsp P3.1 - Task 1 – Define and explain the potential risk to an organisation’s e-commerce system from hacking attacks and viruses. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment P3.2 - Potential risks to an organisation - Phishing Phishing is an e-mail fraud method in which the perpetrator sends out legitimatelooking emails in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well known and trustworthy Web sites. Those frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America Online. A phishing expedition is a speculative venture: the phisher puts the lure hoping to fool at least a few of the prey that encounter the bait. Phishers use a number of different social engineering and email spoofing ploys to try to trick their victims. In one typical case before the Federal Trade Commission (FTC), a 17-year-old male sent out messages purporting to be from AOL that said there had been a billing problem with recipients' AOL accounts. The e-mail used AOL logos and contained legitimate links. If recipients clicked on the "AOL Billing Center" link, they were taken to a spoofed AOL Web page that asked for personal information, credit card numbers, personal identification numbers (PINs), social security numbers, banking numbers, and passwords. This information was then used for identity theft. The Trojan infects and then waits for the victim to visit his or her bank Information is gathered by injecting additional fields into the genuine bank web page as it loads in the browser. No fake web sites are used. The SSL connection between client and bank is valid (padlock is shown and certificate chain is OK) Classical Anti virus software did not detect this threat Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment P3.2 - Potential risks to an organisation – ID Theft Identity Theft - In today’s society, people have a more common way to buy and shop using credit cards instead of cash. They purchase goods and services online instead of at a store. Instead of going to the bank people have online bank accounts. We have the convenience and opportunity to purchase goods from around the world, to pay our bills at two o'clock in the morning, or to check our bank statement from home. Technology has brought about tremendous advances but technology has also advanced the common criminal. This type of criminal steals someone's identity in order to commit fraudulent acts through Phishing, bin rummaging, telephone scams and hacking. Thieves are on the look out for our personal information so they can obtain credit cards, bank loans, pay bills, take out mobile phones and more by using our identity. Victims of identity theft suffer from damaged credit reports, drained bank accounts and even a criminal record. Some identity thieves will give your personal information when they are arrested. This causes embarrassment to you as it creates a criminal record. Often victims of identity theft do not find out they have been victimised until they receive their bank statement or credit card statement in the post or when they are turned down for a loan or flat rental. Click here for examples P3.2 - Task 2 – Define and explain the potential risk to an organisation’s ecommerce system from Fraud and Phishing scams and ID Theft. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment P3.3 - Potential risks to an organisation – Piggybacking Over half of UK internet users have admitted using other people's WiFi networks to piggyback onto the internet. It is estimated that 54 per cent of respondents had used someone else's wireless internet access without permission. Even Google. Many internet-enabled homes fail properly to secure their wireless connection with passwords and encryption, allowing passers-by and neighbours to 'steal' their internet access. Although most businesses have security measures in place to protect their Wi-Fi networks, the protections a lot of companies take is too light to stop a determined piggy-backer. Piggy backing occurs when a user with a laptop or Wi-Fi connection connects to an unprotected network server. Routers can be protected by a WEP key or WPA protection through 16 or 32 bit encryption and network protocols. But a lot of modems made by the same company have the same initial password to connect to the routers administrative functions or have no WEP or WPA protection set, allowing a user to connect and download without restrictions in the same way a user could user an unprotected Wi-Fi hotspot. The worst case scenario is an external user connecting not just to the internet through the Wi-Fi but to the network, allowing a user access and control over stored files leading to deletion, corruption and industrial espionage. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment P3.3 - Potential risks to an organisation – DDos Denial-of-service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack: ◦ consumption of scarce, limited, or non-renewable resources ◦ destruction or alteration of configuration information ◦ physical destruction or alteration of network components Consumption of Scarce Resources Computers and networks need certain things to operate: network bandwidth, memory and disk space, CPU time, data structures, access to other computers and networks, and certain environmental resources such as power, cool air, or even water. Network Connectivity Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network. An example of this type of attack is the "SYN flood" attack described in http://www.cert.org/advisories/CA-1996-21.html In this type of attack, the attacker begins the process of establishing a connection to the victim machine, but does it in such a way as to prevent the ultimate completion of the connection. In the meantime, the victim machine has reserved one of a limited number of data structures required to complete the impending connection. The result is that legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections. You should note that this type of attack does not depend on the attacker being able to consume your network bandwidth. In this case, the intruder is consuming kernel data structures involved in establishing a network connection. The implication is that an intruder can execute this attack from a dial-up connection against a machine on a very fast network. (This is a good example of an asymmetric attack.) Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment P3.3 - Potential risks to an organisation – DDos Bandwidth Consumption An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle they may be anything. Further, the intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect. Consumption of Other Resources In addition to network bandwidth, intruders may be able to consume other resources that your systems need in order to operate. For example, in many systems, a limited number of data structures are available to hold process information (process identifiers, process table entries, process slots, etc.). An intruder may be able to consume these data structures by writing a simple program or script that does nothing but repeatedly create copies of itself. Many modern operating systems have quota facilities to protect against this problem, but not all do. Further, even if the process table is not filled, the CPU may be consumed by a large number of processes and the associated time spent switching between processes. Consult your operating system vendor or operating system manuals for details on available quota facilities for your system. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment P3.3 - Potential risks to an organisation – DDos Using Your Own Resources Against You An intruder can also use your own resources against you in unexpected ways. One example is described in http://www.cert.org/advisories/CA-1996-01.html In this attack, the intruder uses forged UDP packets to connect the echo service on one machine to the charged service on another machine. The result is that the two services consume all available network bandwidth between them. Thus, the network connectivity for all machines on the same networks as either of the targeted machines may be affected. P3.3 - Task 3 – Define and explain the potential risk to an organisation’s e-commerce system from DDos attacks and Piggybacking. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment Page Jacking or Spyware is software that collects and transmits user specific behaviour and information, with or without permission. Sometimes, permission to collect and transmit is assumed to have been given simply by the act of installing software or loading a Web page. Like ads, data collection can be okay if done with consent or for a reasonable purpose. For example, software that transmits user specific information for the legitimate purpose of confirming eligibility for updates or upgrades should not be classed as spyware. Programmers are entitled to ensure that their software is not being pirated, and that the users of pirated software are not receiving the same benefits as legitimate users. Pagejacking and Spyware is a type of software intrusive camera that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's personal computer. Sometimes, however, spywares such as keyloggers are installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users, registering key presses and passwords. While the term spyware suggests software that secretly monitors the user's computing, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet connection or functionality of other programs. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these sites. HuntBar, aka WinTools, was installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs—an example of how spyware can install more spyware. These programs add toolbars to Internet Explorer, track browsing behaviour, redirect rival references, and display advertisements. MyWebSearch has a plug-in that displays a search toolbar near the top of a browser window, and it spies to report user search-habits. MyWebSearch is notable for installing over 210 computer settings, such as over 210 MS Windows registry keys/values. Beyond the browser, it has settings to affect Outlook, email, HTML, XML, etc. Zango (formerly 180 Solutions) transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for rival advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies. Zlob trojan, or just Zlob, downloads itself to a computer via an ActiveX codec and reports information back to the company. Some information can be the search-history, the Websites visited, and even keystrokes. More recently, Zlob has been known to hijack routers set to defaults. P3.4 - Task 4 – Define and explain the potential risk to an organisation’s e-commerce system from Spyware attack. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment Choosing a secure password is one of the easiest and least expensive ways to guard against unauthorized access. Unfortunately, too many people prefer to use an easy-to-remember password. If your password is obvious to you, however, it may also be easy for a hacker to figure out. The following guidelines for selecting passwords should be part of your organisation’s security policy. It is especially important for network administrators to choose difficult passwords, and also to keep passwords confidential and to change them frequently. Tips for making and keeping passwords secure include the following: ◦ Always change system default passwords after installing new programs or equipment. For example, after installing a router, the default administrator’s password on the router might be set by the manufacturer to be “1234” or the router’s model number. ◦ Do not use any word that might appear in a dictionary. Hackers can use programs that try a combination of your user ID and every word in a dictionary to gain access to the network. This is known as a dictionary attack, and it is typically the first technique a hacker uses when trying to guess a password (besides asking the user for her password). Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment ◦ Do not use familiar information, such as your name, nickname, birth date, anniversary, pet’s name, child’s name, spouse’s name, user ID, phone number, address, or any other words or numbers that others might associate with you. ◦ Make the password longer than eight characters—the longer, the better. Some operating systems require a minimum password length (often, eight characters), and some might also restrict the password to a maximum length. ◦ Choose a combination of letters and numbers; add special characters, such as exclamation marks or hyphens, if allowed. Also, if passwords are case sensitive, use a combination of uppercase and lowercase letters. ◦ Change your password at least every 60 days, or more frequently, if desired. If you are a network administrator, establish controls through the NOS to force users to change their passwords at least every 60 days. If you have access to sensitive data, change your password even more frequently. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment ◦ Do not write down your password or share it with others. ◦ Do not reuse passwords after they have expired. ◦ Use different passwords for different applications. For example, choose separate passwords for your e-mail program, online banking, remote access connection, dial-up connection, and so on. That way, if someone learns one of your passwords she won’t necessarily be able to access all of your secured accounts. Password guidelines should be clearly communicated to everyone in your organization through your security policy. Although users might grumble about choosing a combination of letters and numbers and changing their passwords frequently, you can assure them that the company’s financial and personnel data is safer as a result. No matter how much your colleagues protest, do not back down from your password requirements. Many companies mistakenly require employees only to use a password, and don’t help them choose a good one. This oversight increases the risk of security breaches. P3.5 - Task 5 – Define and explain the potential risk to an organisation’s e-commerce system from losing or inadequate use of Passwords. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment Returns – All purchases on the Internet except food have a cooling off period under the Distance Sale Regulation. This will apply if: you bought certain goods and services which the law says aren't covered by a cooling-off period you're a business buyer you bid for something in an online auction you bought from a private individual you agreed for a service, such as broadband, to start straight away. This depends on when the trader gives you certain information. It is not uncommon for users in shop to buy things for an occasion and then return them after use for a full refund. On the internet this is more difficult to police and more difficult to confront. In a high street shop they can check it there and then. The 7 day cooling off period needs to take into consideration the time it takes to post and return, in theory from the moment the user declares that they are returning it then the period comes to an end. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment If you bought any of the following goods or services, you will not have an automatic right to a cooling-off period: something personalised or made-to-order something perishable - for example, food or flowers newspapers or magazines a CD, DVD or computer software where the security seal has been broken something bought by bidding through an online auction something that’s price is dependent on changes in the financial market -for example, central heating oil a new service that starts immediately - for example, paying for access to a website accommodation, transport, catering and leisure services to be delivered on a specific date - for example, train tickets, hotel and restaurant bookings, taxis and theatre tickets gaming, betting or lottery services timeshare agreements something where the trader has informed you before finalising the contract in writing or email that you will not be allowed to cancel once the service has begun. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment Payments – People generally do not trust payment systems on line, the added security often adds to these problems rather than alleviated the issue. Having an amazon account, playing apps and accidently tapping for more fruit drop lives can rack up an automatic bill. Buy now in e-bay commits the user to buy but still has a back out clause. There are thousands of cases on the internet of children running up bills on their parents online accounts, of children accidently buying goods off e-bay. Similarly keeping track of payments and how much money spent is easier on the high street because the payments are more personal Click on the images on the right for examples. P3.6 - Task 6 – Define and explain the potential risk to an organisation’s e-commerce system from Payments and Return issues. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment P3.7 - Task 7 - Create a table listing all the various types of threats to the an e-commerce system and their data. In a second column, describe in detail the nature of the threat. Threats to Company Data Nature of the Threat Risk of Damage Impact and response A Virus Attack External attack running the risk of corrupting data. Medium to data, High to Customer Account Information Payment and Returns issues Identity Theft of a Staff Member External Piggybacking on Network Successful Hacking attempt Successful Denial of Service Attack Loss of control through Spyware and Malware Password Theft Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment A firewall is a security-conscious router that sits between the Internet and your network with a single purpose: preventing external attacks. The firewall acts as a security guard between the Internet and your Network. All network traffic into and out of the system must pass through the firewall, which prevents unauthorised access to the network. Some type of firewall is a must-have if your network has a connection to the Internet, whether that connection is broadband, T1, or some other high-speed connection. Without it, sooner or later a hacker will discover and breach your unprotected network. You can set up a firewall using two basic ways. The easiest way is to purchase a firewall program, which is basically a self-contained router with built-in firewall features like one Alarm or Sophos. Most firewall appliances include a Web-based interface that enables you to connect to the firewall from any computer on your network using a browser. You can then customise the firewall settings to suit your needs. Alternatively, you can set up a server computer to function as a firewall computer (SSL). The server can run just about any network operating system, but most dedicated firewall systems run Linux. Whether you use a firewall appliance or a firewall computer, the firewall must be located between your network and the Internet, firewall is connected to a network hub, which is, in turn, connected to the other computers on the network. The other end of the firewall is connected to the Internet. As a result, all traffic from the LAN to the Internet and vice versa must travel through the firewall. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment SSL (Secure Sockets Layer) is a method of encrypting TCP/IP transmissions – including Web pages and data entered into Web forms - en route between the client and server using public key encryption technology. If you trade stocks or purchase goods on the Web, for example, you are most likely using SSL to transmit your order information. SSL is popular and used widely. The most recent versions of Web browsers, such as Firefox and Internet Explorer, include SSL client support in their software. If you have used the Web, you have probably noticed that URLs for most Web pages begin with the HTTP prefix, which indicates that the request is handled by TCP/IP port 80 using the HTTP protocol. When Web page URLs begin with the prefix HTTPS (which stands for HTTP over Secure Sockets Layer or HTTP Secure), they require that their data be transferred from server to client and vice versa using SSL encryption. HTTPS uses the TCP port number 443, rather than port 80. After an SSL connection has been established between a Web server and client, the client’s browser indicates this by showing a padlock in the lower-right corner of the screen in the browser’s status bar, in the URL textbox, or elsewhere. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment Each time a client and server establish an SSL connection, they also establish a unique SSL session, or an association between the client and server that is defined by an agreement on a specific set of encryption techniques. An SSL session allows the client and server to continue to exchange data securely as long as the client is still connected to the server. An SSL session is created by the SSL handshake protocol, one of several protocols within SSL, and perhaps the most significant. As its name implies, the handshake protocol allows the client and server to authenticate (or introduce) each other and establishes terms for how they will securely exchange data. For example, when you are connected to the Web and you decide to open your bank’s account access URL, your browser initiates an SSL connection with the hand shake protocol. M2.1 - Task 8 – Define and explain how Firewalls and SSL security can protect information on an organisation’s e-commerce system. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment A digital certificate is a password-protected and encrypted file that holds an individual’s identification information, including a public key. In the context of digital certificates, the individual’s public key verifies the sender’s digital signature. An organisation that issues and maintains digital certificates is known as a CA (certificate authority). For example, on the Internet, certificate authorities such as VeriSign will, for a fee, keep your digital certificate on their server and ensure to all who want to send encrypted messages to you (for example, an order via your e-commerce site) that the certificate is indeed yours. The use of certificate authorities to associate public keys with certain users is known as PKI (public key infrastructure). Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment Encryption refers to the process of translating plain text information into a secret code so that unauthorized users can’t read the data. Encryption isn’t new. Secret agents have long used codebooks to encode messages, and breaking the code has always been one of the top priorities of counter-intelligence. Both Windows 2000 Server and Windows Server 2003 have a feature called Encrypted File System, or EFS for short, that lets you save data on disk in an encrypted form. This prevents others from reading your data even if they manage to get their hands on your files. Encryption is especially useful in environments where the server can’t be physically secured. If a thief can steal the server computer (or just its hard drive), he or she may be able to crack through the Windows security features and gain access to the data on the hard drive by using low-level disk diagnostic tools. If the files are stored in encrypted form, however, the thief’s efforts will be wasted because the files will be unreadable. All forms of encryption use some sort of key to encrypt and decrypt the data. In World War II and Cold War spy movies, the key is a codebook that has a list of code words or phrases that match up to real words or phrases. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment ◦ The most basic type of data encryption, called synchronous data encryption, uses numeric keys that are used to apply complex mathematical operations to the source data in order to translate the data into encrypted form. These operations are reversible, so if you know the key, you can reverse the process and decrypt the data. For example, suppose that the encryption technique is as simple as shifting every letter of the alphabet up by the value of the key. Thus, if the key is 3, then A becomes D, B becomes E, etc. The message “Elementary, my dear Watson” becomes “Hohphqwdub, pb ghdu Zdwvrq.” This message is incomprehensible, unless you know the key. Then, reconstructing the original message is easy. The actual keys and algorithms used for cryptography are much more complicated. Keys are typically binary numbers of 40 or 128 bits. The classic dilemma of cryptography is this: How can I securely send the key to the person with whom I want to exchange messages? The answer is you can’t. You can’t encrypt the key, because the other person would need to know the key in order to decrypt it. That’s where public key encryption comes into play. Public key encryption is a technique in which two keys are used: a private key and a public key. The keys are related to each other mathematically. Either of the keys can be used to encrypt the data, but the encryption process isn’t completely reversible: You have to have the private key in order to decrypt the data. Other Methods include: ◦ transposition - characters switched around ◦ Substitution - characters replaced by other characters Cryptography serves 3 purposes: ◦ Helps to identify authentic users ◦ Prevents alteration of the message ◦ Prevents unauthorised users from reading the message Encryption Keys ◦ Sent with, sent after, kept on network of user and client. Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment The best way to protect your network from virus infection is to use an antivirus program. These programs have a catalogue of several thousand known viruses that they can detect and remove. In addition, they can spot the types of changes that viruses typically make to your computer’s files, thus decreasing the likelihood that some previously unknown virus will go undetected. The two best known antivirus programs for Windows are Norton AntiVirus and McAfee’s VirusScan. The people who make antivirus programs have their fingers on the pulse of the virus world and frequently release updates to their software to combat the latest viruses. Because virus writers are constantly developing new viruses, your antivirus software is next to worthless unless you keep it up to date by downloading the latest updates (Dat files). The following are several approaches to deploying antivirus protection on your network: You can install antivirus software on each network user’s computer. This technique would be the most effective if you could count on all your users to keep their antivirus software up to date. Because that’s an unlikely proposition, you may want to adopt a more reliable approach to virus protection. Managed antivirus services place antivirus client software on each client computer in your network. Then, an antivirus server automatically updates the clients on a regular basis to make sure that they’re kept up to date. Server-based antivirus software protects your network servers from viruses. For example, you can install antivirus software on your mail server to scan all incoming mail for viruses and remove them before your network users ever see them. Some firewall appliances include antivirus enforcement checks that don’t allow your users to access the Internet unless their antivirus software is up to date. This type of firewall provides the best antivirus protection available. M2.2 - Task 9 – Define and explain how Antivirus software, Encryption and Digital Certificates can protect information on an organisation’s e-commerce system. Antivirus Scenario Criteria Digital Certificate Tasks 1 2 3 4 5 6 7 Encrytption 8 9 10 Assessment Since the Internet first went public in 1992 there has been case after case of attack, breaches, viruses, and incident and even with new technologies, improved security, SSL, cloud computing and biometrics, the problems continue. Viruses are not such a threat as they used to be but the American Government still used one to disable the Iranian Nuclear program in 2012. Firewalls have been improved immeasurably but Sony was still hacked. Single fraudsters like Kevin Mitnick are more rare but LulzSec has recently hacked the Twitter Accounts of North Korea. High profile cases are known like Wikileaks and the recent Facebook hack but the best forms are rarely caught. Click here and here for recent news. M2.3 – Task 10 - Research the impact that 3 different cases of website security breaches have had on society. Three cases should be discussed from the three categories, at least one from each category, discussing the threat, the impact on society and how the threat was resolved. Case examples could include: ◦ Viruses, Trojans and Worms (Sobor, iloveyou, Lovesan) ◦ Hackers (Adrian Lamo, Kevin Mitnick, MafiaBoy) Sony, Facebook and Twitter ◦ Identity theft (Abraham Abdallah) ◦ Phishing (Nigerian Oil, 180 Solutions) Scenario Criteria Tasks 1 2 3 4 5 6 7 8 9 10 Assessment P3.1 - Task 1 – Define and explain the potential risk to an organisation’s ecommerce system from hacking attacks and viruses. P3.2 - Task 2 – Define and explain the potential risk to an organisation’s ecommerce system from Fraud and Phishing scams and ID Theft. P3.3 - Task 3 – Define and explain the potential risk to an organisation’s ecommerce system from DDos attacks and Piggybacking. P3.4 - Task 4 – Define and explain the potential risk to an organisation’s ecommerce system from Spyware attack. P3.5 - Task 5 – Define and explain the potential risk to an organisation’s ecommerce system from losing or inadequate use of Passwords. P3.6 - Task 6 – Define and explain the potential risk to an organisation’s ecommerce system from Payments and Return issues. P3.7 - Task 7 - List all the various types of threats to the an e-commerce system and their data and describe in detail the nature of the threat. M2.1 - Task 8 – Define and explain how Firewalls and SSL security can protect information on an organisation’s e-commerce system. M2.2 - Task 9 – Define and explain how Antivirus software, Encryption and Digital Certificates can protect information on an organisation’s e-commerce system. M2.3 – Task 10 - Research the impact that 3 different cases of website security breaches have had on society. Scenario Criteria Scenario Tasks Criteria 1 Tasks 2 3 41 5 2 6 37 8 4 95 106 Assessment 7 8 Assessment