The Problem

advertisement
6-1
TOPIC 6: Security, Legal, Ethical and Social Issues
6.1 Basic security issues
6.2 Basic types of network security attacks
6.3 Managing security
6.4 Ethical and legal issues in EC
6.5 Difficulties in protecting privacy in EC
6.6 Issues of intellectual property rights in EC
6.7 Free speech and censorship on the Internet
6.8 EC fraud and protection
6.9 Societal issues in EC
6.10 Role and impact of virtual communities on EC
6.11 The future of EC
Module: Competing in the Network Economy
6-2
Case Study: Brute Force Credit Card Attack Story
• The Problem
– Spitfire Novelties usually generates between 5 and 30
transactions per day
– On September 12, 2002 in a “brute force” credit card attack,
Spitfire’s credit card transaction processor processed
140,000 fake credit card charges worth $5.07 each (62,000
were approved)
– Total value of the approved charges was around $300,000
– Spitfire found out about the transactions only when they
were called by one of the credit card owners who had been
checking his statement online and had noticed the $5.07
charge.
Module: Competing in the Network Economy
6-3
Case Study: Brute Force Credit Card Attack Story
• The Problem
– Brute force credit card attacks require minimal skill
– Hackers run thousands of small charges through
merchant accounts, picking numbers at random
– When the perpetrator finds a valid credit card number it
can then be sold on the black market
– Some modern-day black markets are actually memberonly Web sites like carderplanet.com, shadowcrew.com,
and counterfeitlibrary.com
Module: Competing in the Network Economy
6-4
Case Study: Brute Force Credit Card Attack Story
• The Problem
– Online Data’s credit card processing services: all a
perpetrator needed was a merchant’s password in order
to request authorisation
– Online Data is a reseller of VeriSign Inc. credit card
gateway services
• VeriSign blamed Online Data for the incident
• Online Data blamed Spitfire for not changing their initial
starter password
Module: Competing in the Network Economy
6-5
Case Study: Brute Force Credit Card Attack Story
• Another Problem
– In April 2002, hackers got into the Authorize.Net card
processing system (largest gateway payment system on
the Internet)
• Executed 13,000 credit card transactions, of which 7,000
succeeded
• Entry into the Authorize.Net system required only a logon name, not a password
Module: Competing in the Network Economy
6-6
Case Study: Brute Force Credit Card Attack Story
• What should have been done…..
– Online Data should assign strong passwords at the start
– Customers should modify those passwords frequently
– Authorisation services such as VeriSign and
Authorize.Net should have built-in safeguards that
recognise brute force attacks
– Signals that something is amiss:
• A merchant issues an extraordinary number of requests
• Repeated requests for small amounts emanating from the
same merchants
Module: Competing in the Network Economy
6-7
Case Study: Brute Force Credit Card Attack Story
• The results of the two attacks
– VeriSign halted the transactions before they were
settled, saving Spitfire $316,000 in charges
– Authorize.Net merchants were charged $0.35 for
each transaction
– The criminals acquired thousands of valid credit
card numbers to sell on the black market
Module: Competing in the Network Economy
6-8
Case Study: Brute Force Credit Card Attack Story
• What we can learn…
– Any type of EC involves a number of players who
use a variety of network and application services that
provide access to a variety of data sources
– A perpetrator needs only a single weakness in order
to attack a system
– Some attacks require sophisticated techniques and
technologies
– Most attacks are not sophisticated; standard security
risk management procedures can be used to minimise
their probability and impact
Module: Competing in the Network Economy
6-9
6.1: Basic Security Issues
• From the user’s perspective:
– How can the user be sure that the Web server is
owned and operated by a legitimate company?
– How does the user know that the Web page and form
do not contain some malicious or dangerous code or
content?
– How does the user know that the owner of the Web
site will not distribute the information the user
provides to some other party?
Module: Competing in the Network Economy
6-10
6.1: Basic Security Issues
• From the company’s perspective:
– How does the company know the user will not
attempt to break into the Web server or alter the
pages and content at the site?
– How does the company know that the user will not
try to disrupt the server so that it is not available to
others?
Module: Competing in the Network Economy
6-11
6.1: Basic Security Issues
• From both parties’ perspectives:
– How do both parties know that the network
connection is free from eavesdropping by a third
party “listening” on the line?
– How do they know that the information sent backand-forth between the server and the user’s browser
has not been altered?
Module: Competing in the Network Economy
6-12
6.1: Basic Security Issues
• Authentication: The process by which one entity verifies
that another entity is who they claim to be
• Authorisation: The process that ensures that a person has
the right to access certain resources
• Auditing: The process of collecting information about
attempts to access particular resources, use particular
privileges, or perform other security actions
• Integrity: As applied to data, the ability to protect data from
being altered or destroyed in an unauthorised or accidental
manner
• Nonrepudiation: The ability to limit parties from refuting
that a legitimate transaction took place, usually by means of
a signature.
Module: Competing in the Network Economy
6-13
6.1: Basic Security Issues
Exhibit 11.1 General Security Issues at EC Sites
Module: Competing in the Network Economy
6-14
6.2: Types of Threats and Attacks
• Nontechnical attack:
– An attack that uses chicanery to trick people into
revealing sensitive information or performing actions
that compromise the security of a network
– Social engineering
• A type of nontechnical attack that uses social pressures to
trick computer users into compromising computer
networks to which those individuals have access
• Multiprong approach used to combat social engineering:
– Education and training
– Policies and procedures
– Penetration testing
Module: Competing in the Network Economy
6-15
6.2: Types of Threats and Attacks
• Technical attack:
– An attack perpetrated using software and systems
knowledge or expertise.
• Common (security) vulnerabilities and exposures
(CVEs):
– Publicly known computer security risks, which are
collected, listed, and shared by a board of securityrelated organisations (cve.mitre.org)
Module: Competing in the Network Economy
6-16
6.2: Types of Threats and Attacks
• Denial-of-service (DoS) attack:
– An attack on a Web site in which an attacker uses
specialised software to send a flood of data packets to
the target computer with the aim of overloading its
resources
• Distributed denial-of-service (DDoS) attack:
– A denial-of-service attack in which the attacker gains
illegal administrative access to as many computers on
the Internet as possible and uses these multiple
computers to send a flood of data packets to the
target computer
Module: Competing in the Network Economy
6-17
6.2: Types of Threats and Attacks
Exhibit 11.2 Using Zombies in a Distributed Denial-of-Service Attack
Module: Competing in the Network Economy
6-18
6.2: Types of Threats and Attacks
• Malware:
– A generic term for malicious software
• A number of factors have contributed to the overall
increase in malicious code. Among these factors, the
following are paramount:
– Mixing data and executable instructions
– Increasingly homogenous computing environments
– Unprecedented connectivity
– Larger clueless user base
Module: Competing in the Network Economy
6-19
6.2: Types of Threats and Attacks
• As the number of attacks increases, the following
trends in malicious code are emerging:
– Increased speed and volume of attacks
– Reduced time between the discovery of a vulnerability
and the release of an attack to exploit the vulnerability
– Remotely-controlled bot networks are growing
– E-commerce is the most frequently targeted industry
– Attacks against Web application technologies are
increasing
– A large percent of Fortune 100 companies have been
compromised by worms
Module: Competing in the Network Economy
6-20
6.2: Types of Threats and Attacks
• Malicious code takes a variety of forms—both pure
and hybrid
– Virus:
• A piece of software code that inserts itself into a host,
including the operating systems, to propagate; it requires
that its host program be run to activate it
– Worm:
• A software program that runs independently, consuming
the resources of its host in order to maintain itself and is
capable of propagating a complete working version of
itself onto another machine
Module: Competing in the Network Economy
6-21
6.2: Types of Threats and Attacks
• Malicious code takes a variety of forms—both pure
and hybrid
– Macro virus or macro worm:
• A virus or worm that is executed when the application
object that contains the macro is opened or a particular
procedure is executed
– Trojan horse:
• A program that appears to have a useful function but
contains a hidden function that presents a security risk
Module: Competing in the Network Economy
6-22
6.3: Managing EC Security
• Common mistakes in managing their security
risks (McConnell 2002):
–
–
–
–
–
Undervalued information
Narrowly defined security boundaries
Reactive security management
Dated security management processes
Lack of communication about security
responsibilities
Module: Competing in the Network Economy
6-23
6.3: Managing EC Security
• Security risk management:
– A systematic process for determining the likelihood
of various security attacks and for identifying the
actions needed to prevent or mitigate those attacks
– Phases of security risk management
•
•
•
•
Assessment
Planning
Implementation
Monitoring
Module: Competing in the Network Economy
6-24
6.3: Managing EC Security
• Phases of security risk management
– Assessment
• Evaluate security risks by determining assets, vulnerabilities of
their system, and potential threats to these vulnerabilities
– Planning
• To arrive at a set of policies defining which threats are tolerable
and which are not
– Implementation
• Particular technologies are chosen to counter high-priority
threats
– Monitoring
Module: Competing in the Network Economy
6-25
6.3: Managing EC Security
Module: Competing in the Network Economy
Case Study: MP3.com, Napster, and
Intellectual Property Rights
• The
6-26
Problem
– Before the advent of the Web, people made audiotape
copies of music and videos to give to friends and family
or used them for their own personal enjoyment
– Such activities were ignored by the producers,
distributors, and artists who had the legal rights to the
content
– MP3.com enabled users to listen to music from any
computer with an Internet connection without paying
royalties
– Using peer-to-peer (P2P) technology, Napster supported
the distribution of music and other digitised content
among millions of users.
Module: Competing in the Network Economy
Case Study: MP3.com, Napster, and
Intellectual Property Rights
• The
6-27
Problem
– MP3 and Napster claimed to be supporting what had
been done for years and were not charging for their
services
– Popularity of MP3.com and P2P services was too great
for the content creators and owners to ignore
– To the creators and owners, the Web was becoming a
vast copying machine
– MP3.com’s and Napster’s services could result in the
destruction of many thousands of jobs and millions of
dollars in revenue
Module: Competing in the Network Economy
Case Study: MP3.com, Napster, and
Intellectual Property Rights
• The
6-28
Problem
– Existing copyright laws were written for physical, not
digital, content
– The Copyright Infringement Act states, “the defendant
must have willfully infringed the copyright and gained
financially”
– The “no financial gain” loophole in the Act was later
closed
Module: Competing in the Network Economy
Case Study: MP3.com, Napster, and
Intellectual Property Rights
6-29
• The Solution
– In December 2000, EMusic (emusic.com) filed a
copyright infringement lawsuit against MP3.com
– In 2001, Napster faced similar legal claims, lost the legal
battle, and was forced to pay royalties for each piece of
music it supported—Napster collapsed—in October 2003
it reopened as “for fee only”
Module: Competing in the Network Economy
Case Study: MP3.com, Napster, and
Intellectual Property Rights
6-30
• The Results
– In 1997, the No Electronic Theft Act (NET) was
passed, making it a crime for anyone to reproduce
and distribute copyrighted works
• Applied to reproduction or distribution accomplished
by electronic means
• Even if copyrighted products are distributed without
charge, financial harm is experienced by the authors
or creators of a copyrighted work.
Module: Competing in the Network Economy
Case Study: MP3.com, Napster, and
Intellectual Property Rights
6-31
• The Results
– MP3.com suspended operations in April 2000 and
settled the lawsuit
– Napster suspended service and settled its lawsuits
• Tried to resurrect itself as an online music subscription
service with the backing of Bertelsmann AG
• Filed for bankruptcy in June 2002
• Purchased by Roxio with plans to revive Napster into a
royalty-paying framework
Module: Competing in the Network Economy
Case Study: MP3.com, Napster, and
Intellectual Property Rights
6-32
• What we can learn…
– All commerce involves a number of legal,
ethical, and regulatory issues
– EC adds to the scope and scale of these issue
– What constitutes illegal behavior versus
unethical, intrusive, or undesirable behavior?
Module: Competing in the Network Economy
6-33
6.4: Ethical and Legal Issues in EC
• Ethics:
– The branch of philosophy that deals with what is
considered to be right and wrong
• What is unethical is not necessarily illegal
• Ethics are supported by common agreement in a
society as to what is right and wrong, but they are
not subject to legal sanctions
Module: Competing in the Network Economy
6-34
6.4: Ethical and Legal Issues in EC
• EC ethical issues
– Non-work-related use of the Internet
• Employees use e-mail and the Web for non-workrelated purposes
• The time employees waste while surfing non-workrelated Web sites during working hours is a concern
• Can be minimised by having a Corporate code of
ethics
Module: Competing in the Network Economy
6-35
6.4: Ethical and Legal Issues in EC
• Major ethical/legal issues
–
–
–
–
–
Privacy
Intellectual property rights
Free speech versus censorship
Consumer and merchant protection against fraud
Unsolicited electronic ads and spamming (covered
in Lesson 4)
Module: Competing in the Network Economy
6-36
6.5: Difficulties in Protecting Privacy in EC
• Privacy:
– The right to be left alone and the right to be free of
unreasonable personal intrusions
– Privacy issues abound when collecting information
about individuals:
•
•
•
•
•
•
Web site registration
Cookies
Spyware and similar methods
RFID’s threat to privacy
Privacy of employees
Privacy of patients
Module: Competing in the Network Economy
6-37
6.5: Difficulties in Protecting Privacy in EC
• Privacy:
– There are few restraints on the ways in which the
site can use this information
• Use it to improve customer service or its own
business
• Or sell the information to another company that could
use it in an inappropriate or intrusive manner
Module: Competing in the Network Economy
6-38
6.5: Difficulties in Protecting Privacy in EC
• Protection of privacy
– Notice/awareness
– Choice/consent
• Opt-out clause: Agreement that requires computer users
to take specific steps to prevent collection of information
• Opt-in clause: Agreement that requires computer users to
take specific steps to allow collection of information
– Access/participation
– Integrity/security
– Enforcement/redress
Module: Competing in the Network Economy
6-39
6.6: Intellectual Property Rights in EC
• Intellectual property:
– Creations of the mind, such as inventions,
literary and artistic works, and symbols,
names, images, and designs used in
commerce
Module: Competing in the Network Economy
6-40
6.6: Intellectual Property Rights in EC
• Copyright:
– An exclusive grant from the government that allows
the owner to reproduce a work, in whole or in part,
and to distribute, perform, or display it to the public
in any form or manner, including the Internet
•
•
•
•
•
Literary works
Musical works
Dramatic works
Artistic works
Sound recordings, films, broadcasts, cable programs
Module: Competing in the Network Economy
6-41
6.6: Intellectual Property Rights in EC
• Copyright protection (against piracy of software,
music, and other digitisable material)
– Using software to produce digital content that
cannot be copied
• Cryptography
• Tracking copyright violations
– Digital watermarks:
• Unique identifiers imbedded in digital content that
make it possible to identify pirated works
Module: Competing in the Network Economy
6-42
6.6: Intellectual Property Rights in EC
• Trademark:
– A symbol used by businesses to identify their goods
and services; government registration of the
trademark confers exclusive legal right to its use
– The owner of a registered trademark has exclusive
rights to:
• Use the trademark on goods and services for which the
trademark is registered
• Take legal action to prevent anyone else from using the
trademark without consent on goods and services
(identical or similar) for which the trademark is registered
Module: Competing in the Network Economy
6-43
6.6: Intellectual Property Rights in EC
• Cybersquatting:
– The practice of registering domain names in order to sell
them later at a higher price
• Anticybersquatting
– Consumer Protection Act of 1999 allows trademark
owners sue for statutory damages
• Juliaroberts.com
• Madonna.com
Module: Competing in the Network Economy
6-44
6.6: Intellectual Property Rights in EC
• Patent:
– A document that grants the holder exclusive rights
on an invention for a fixed number of years
• Patents serve to protect tangible technological
inventions
• Patents are not designed to protect artistic or literary
creativity
• Patents confer monopoly rights to an idea or an
invention, regardless of how it may be expressed
Module: Competing in the Network Economy
6-45
6.6: Intellectual Property Rights in EC
• Fan and hate sites
– Cyberbashing:
• The registration of a domain name that criticises
an organisation or person
• May violate the copyrights of the creators or
distributors of intellectual property
• This issue shows the potential collision between
protection of intellectual property and free
speech
Module: Competing in the Network Economy
6-46
6.7: Free Speech and Censorship in EC
• One of the most important issues of Web surfers (as
per surveys) is censorship
– Censorship
• Governmental attempts to control broadcasted
material
– Controlling spam
• Spamming: The practice of indiscriminately
broadcasting messages over the Internet (e.g., junk
mail)
• Spam comprises 25 to 50% of all e-mail.
Module: Competing in the Network Economy
6-47
6.8: EC Fraud and Consumer and Seller Protection
• Fraud on the Internet
– Online auction fraud (87% of online crime)
– Internet stock fraud (spread false rumors)
– Other financial fraud
• Bogus investments
• Phantom business opportunities
• Other schemes
– Other fraud in EC—nonfinancial fraud
• Customers receive poor-quality products and services
• Customers do not get products in time
• Customers are asked to pay for things they assume will be
paid for by sellers
Module: Competing in the Network Economy
6-48
6.8: EC Fraud and Consumer and Seller Protection
• Fraud on the Internet
– Identity theft
• A criminal act in which someone presents himself
(herself) as another person and uses that person’s
social security number, bank account numbers, and so
on, to obtain loans, purchase items, make obligations,
sell stocks, etc.
– Phishing
• The act of using fraudulent communications in an
attempt to obtain another individual’s identifying
information.
Module: Competing in the Network Economy
6-49
6.8: EC Fraud and Consumer and Seller Protection
• Consumer Protection
– Third-party assurance services
•
•
•
•
•
•
TRUSTe (truste.org)
Better Business Bureau (bbbonline.com)
WHICHonline (which.net)
Web Trust Seal (TRUSTe, cpawebtrust.org, Gomes.com)
Online Privacy Alliance
Evaluation by consumers
– Authentication and Biometrics controls
Module: Competing in the Network Economy
6-50
6.8: EC Fraud and Consumer and Seller Protection
• Seller Protection
– Customers who deny that they placed an order
– Customers who download copyrighted software
and/or knowledge and sell it to others
– Customers who give false payment (credit card or
bad checks) information in payment for products
and services provided
– Use of their name by others
– Use of their unique words and phrases, names, and
slogans and their Web addresses by others
Module: Competing in the Network Economy
6-51
6.8: EC Fraud and Consumer and Seller Protection
• What can sellers do?
– Use intelligent software to identify possibly
questionable customers
– Identify warning signals for possibly fraudulent
transactions
– Ask customers whose billing address is different
from the shipping address to call their bank and
have the alternate address added to their bank
account
Module: Competing in the Network Economy
6-52
6.9: Societal Issues in EC
• Digital divide
– The gap between those who have and those who do
not have the ability to access electronic technology
in general, and the Internet and EC in particular
• Other societal issues
– Education
• Virtual universities
• Companies use the Internet to retrain employees
• Home-bound individuals can get degrees
Module: Competing in the Network Economy
6-53
6.9: Societal Issues in EC
• Other societal issues
– Public safety and criminal justice
• collaborative commerce
• e-procurement
• e-government—coordinating, information sharing, and
expediting legal work and cases
• e-training of law enforcement officers
– Health aspects
• Safer and healthier to shop from home than to shop in a
physical store
• Some believe that exposure to cellular mobile
communication radiation may cause health problems
• Collaborative commerce can help improve health care
Module: Competing in the Network Economy
6-54
6.10: Virtual (Internet) Communities
• Virtual (Internet) community
– A group of people with similar interests who interact
with one another using the Internet
– Characteristics of Communities
• One possibility is to classify members as traders,
players, just friends, enthusiasts, or friends in need
– The gathering of needs in one place enables vendors
to sell more and community members to get
discounts
Module: Competing in the Network Economy
6-55
6.10: Virtual (Internet) Communities
Commercial Aspects of Communities
1.
2.
3.
4.
Search communities
Trading communities
Education communities
Scheduled events
communities
5. Subscriber-based
communities
6. Community consulting
firms
7. E-mail-based communities
8. Advocacy communities
9. CRM communities
10. Mergers and acquisitions
activities
Module: Competing in the Network Economy
6-56
6.10: Virtual (Internet) Communities
• Types of virtual communities:
–
–
–
–
Transaction
Purpose or interest
Relations or practice
Fantasy
• Financial Viability of Communities: Revenue model
of communities can be based on:
–
–
–
–
–
Sponsorship
Membership fees
Sales commissions
Advertising
Combination of these
Module: Competing in the Network Economy
6-57
6.10: Virtual (Internet) Communities
Eight critical factors for community success:
•
•
•
•
Increase traffic and
participation in the community
Focus on the needs of the
members; use facilitators and
coordinators
Encourage free sharing of
opinions and information—no
controls
Obtain financial sponsorship.
This factor is a must.
Significant investment is
required
• Consider the cultural
environment
• Provide several tools and
activities for member use;
communities are not just
discussion groups
• Involve community members
in activities and recruiting
• Guide discussions, provoke
controversy, and raise sticky
issues. This keeps interest
high
Module: Competing in the Network Economy
6-58
6.10: Virtual (Internet) Communities
Key Strategies for Successful Online Communities
•
•
•
•
•
•
Handle member data sensitively
Maintain stability of the Web site with respect to the
consistency of content, services, and types of
information offered
Provide fast reaction time of the Web site
Offer up-to-date content
Offer continuous community control with regard to
member satisfaction
Establish codes of behavior (netiquette/guidelines) to
contain conflict potential
Module: Competing in the Network Economy
6-59
6.11: The Future of EC
• Nontechnological success factors:
–
–
–
–
–
–
–
–
Internet Usage
Opportunities for Buying
M-Commerce
Purchasing Incentives
Increased Security and Trust
Efficient Information Handling
Innovative Organisations
Virtual Communities
Module: Competing in the Network Economy
6-60
6.11: The Future of EC
• Nontechnological success factors:
–
–
–
–
–
–
–
–
–
Payment Systems
B2B EC
B2B Exchanges
Auctions
Going Global
E-Government
Intra-business EC
E-Learning
EC Legislation
Module: Competing in the Network Economy
6-61
6.11: The Future of EC
• EC technology trends:
–
–
–
–
–
–
–
–
Clients
Embedded Clients
Wireless Communications and M-Commerce
Pervasive Computing
Wearable Devices
RFID
Servers and Operating Systems
Networks
Module: Competing in the Network Economy
6-62
6.11: The Future of EC
• EC technology trends:
–
–
–
–
–
–
–
–
EC software and services
Search engines
Peer-to-peer technology
Integration
Web services
Software agents
Interactive TV
Tomorrow’s Internet
Module: Competing in the Network Economy
6-63
6.11: The Future of EC
• EC technology trends:
– Utility computing
• Computing resources that flow like electricity on demand
from virtual utilities around the globe—always on and
highly available, secure, efficiently metered, priced on a
pay-as-you-use basis, dynamically scaled, self-healing,
and easy to manage
– Grid Computing coordinates the use of a large
number of servers and storage, acting as one
computer
Module: Competing in the Network Economy
6-64
6.11: The Future of EC
• Integrating the marketplace and marketspace:
– Probably the most noticeable integration of the two
concepts is in the click-and-mortar organisation
– A major problem with the click-and-mortar
approach is how the two outlets can cooperate in
planning, advertising, logistics, resource allocation,
and so on and how the strategic plans of the
marketspace and marketplace can be aligned
– The impact of EC on our lives will be as much as,
and possibly more profound than, that of the
Industrial Revolution
Module: Competing in the Network Economy
6-65
Managerial Issues
1.
2.
3.
4.
5.
6.
7.
8.
Have we budgeted enough for security?
What are the business consequences of poor security?
Which e-commerce sites are vulnerable to attack?
What steps should businesses follow in establishing a
security plan?
Should organisations be concerned with internal security
threats?
What sorts of legal and ethical issues should be of major
concern to an EC enterprise?
What are the most critical ethical issues?
What impacts on business is EC expected to make?
Module: Competing in the Network Economy
Download