Chapter 5 Security, Maintenance, and Management

Objectives
By studying this chapter, you will be able to:
Identify the problems and issues of security in your e-business
Describe the considerations in developing a security plan
Describe the security architecture of a website
Identify and analyze the common website security measures
Identify website security resources
Describe the considerations in website management and maintenance
Questions and Discussion
Homework

The problems and issues of security in e-commerce
50% of all small to midsized e-businesses were hacked in 2003, according to a study reported by Gartner Inc.
According to CERT (Computer Emergency Response Team, http://www.cert.org), a total of 82,094 incidents were reported in 2002; that number doubled in 2003
An incident may be a hacker attack, a computer virus, an e-crime, or a fraud
CERT reported that 2003 e-crime losses were estimated at $666 million
Therefore, every e-business must take the necessary steps to ensure that adequate levels of security are in place

The considerations in developing a security plan
Access control of your website by a firewall
Authentication, to bind the identity of an individual to a specified message or transaction
Data privacy and integrity, to ensure that communications and transactions remain confidential and accurate

The security architecture of the website
Limit outside access by using:
– Firewall
– User account login
– Software security
– Additional protection for sensitive data
Protect your Web server
– Hacker resistance (hardened configuration, patches applied)
– Antivirus software
Implement monitoring and analysis solutions
– Who and what is connecting to your systems
– Log analysis reports
– Site traffic analysis and statistics reports
Encryption
– Use of cryptographic algorithms to construct an overall mechanism for sharing sensitive data
Use of a Web hosting service
– May provide professional staff and the latest technology for the protection of
your website at low cost (for example, http://www.google.com)

Identify and analyze the common website security measures
Routers
– How routers work
Firewalls
– How firewalls work
Disable nonessential services
User account security
– Authentication: verifying that you are who you claim to be
– Authorization: what an authenticated user is allowed to do
Data confidentiality
– Only authorized people can view data transferred over networks or stored in databases
– Methods include:
  Put the data on a separate server behind a firewall
  Give a database or database server its own security subsystem and user authentication
  Restrict the number of user accounts that can read or write the data
  Separate write access from read access
  Encrypt the data and control access to the encryption key
Content security
– The most commonly reported problems in website security are website defacement (altering the site's appearance) and sabotage (damaging the site's content)
– According to the London security consultancy mi2g Ltd., website defacements totaled 20,371 in the first half of 2002, up 27 percent from the 16,007 recorded in the same period the year before
– An intermediate or development (staging) server may be installed so that content is checked for security before it is uploaded to the production Web server
– Security software may be installed on such a server to ensure that your site's content is staged and preserved before deployment
– Such software also logs any unauthorized change as an incident and sends an alert to the website's administrator
Monitoring your website
– Monitor your logs for break-ins, both continuously and after an attack
– Run a security analysis program to find weaknesses or potential security problems in your website
– Perform security audits with an outside auditor
– Back up your website files on a schedule
Credit card security
– Most online
purchase transactions are encrypted using the Secure Sockets Layer (SSL), so the card number is protected in transit and an online purchase is no more dangerous than a credit card purchase made in the physical world; note that SSL does not protect card data once it is stored on the merchant's server, so the data confidentiality measures above still apply
– All credit card transactions should meet the standard called SET (Secure Electronic Transaction, developed by Visa and MasterCard)
– SET encrypts the credit card information so that only the designated banks and credit card companies can read the data
– The term "e-wallet" refers to software that makes credit card transactions more secure
– Some popular websites offering e-wallets include:
  http://www.passport.com
  http://www.iliumsoft.com
  http://www.gator.com/home2.html

Identify the website security resources
Some websites providing good and reliable security information include:
– http://www.cisco.com/warp/public/cc/so/neso/sqso/index.shtml
– http://www.microsoft.com/security/default.mspx
– http://www.sun.com/security
– http://www.ciac.org/ciac (CIAC, Computer Incident Advisory Capability)
– http://www.fedcirc.gov (FedCIRC, Federal Computer Incident Response Center)
– http://www.alw.nih.gov/Security (Advanced Laboratory Workstation System)
– http://www.cert.org (CERT, Computer Emergency Response Team)

Considerations in website management and maintenance
The establishment, management, and maintenance of a website require a significant investment of time and resources on your part
The best approach is to start with the basics:
– Design your website for ease of modification
– Avoid sloppy formatting, numerous images, and superfluous links on every page
– Know who will maintain and update the website, and have more than one person who can easily step in and take control
Avoid simple but common errors:
– Navigation breakdown
– Broken links
– Web pages that are too long
– Too many graphics
– No updating (examples: an out-of-date copyright year; old contact information)
Link management
According to a statistic reported by the author, the average website has one page in every four containing a broken link
– You have to check these links regularly and update or delete them when they are inaccurate
– Link management software is available to discover broken links, investigate their causes, and repair them; some packages provide content analysis as well:
  ChangeAgent
  CyberSpyder Link Test
  Link Checker Pro
  Linkscan
Hardware and infrastructure maintenance
– The total "end-to-end" performance of the website's infrastructure must be understood and analyzed in order to ensure that it delivers the performance demanded by today's Web customers
– Many companies provide software packages to perform such analysis and maintenance:
  NetMechanic
  TIDF Maintenance Repair Shop (data backup and recovery)
– Example of an infrastructure maintenance service contract

Questions and Discussion

Homework for Extra Points
Describe the most important security issues and considerations in an e-business today.
Describe what hardware and infrastructure maintenance is. For a large e-business corporation, what method would you employ for such maintenance, and why? It is better to use some examples from China to support your points.
Due: Wednesday, April 13, 2005, in class
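Added example for the "User account security" slide (authentication versus authorization). This code is not part of the lecture; it is written here to show the two steps as separate checks. It assumes a password store hashed with PBKDF2-HMAC-SHA256 from the Python standard library and a role-to-permission table that keeps read and write access apart, as the data confidentiality slide advises. The user names, passwords, roles and permissions are made-up sample data.

```python
"""Authentication (who are you?) versus authorization (what may you do?)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor (assumption; raise it for production)


# --- authentication -----------------------------------------------------

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per account means
    two users with the same password still get different digests."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class UserStore:
    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def add_user(self, name: str, password: str, role: str) -> None:
        salt, digest = hash_password(password)
        self._users[name] = {"salt": salt, "digest": digest, "role": role}

    def authenticate(self, name: str, password: str) -> Optional[str]:
        """Return the user's role on success, None on failure. An unknown
        user still costs one PBKDF2 computation so that response time does
        not reveal whether the account exists."""
        record = self._users.get(name)
        if record is None:
            hash_password(password, b"\x00" * 16)  # dummy work, same cost
            return None
        if not verify_password(password, record["salt"], record["digest"]):
            return None
        return record["role"]


# --- authorization ------------------------------------------------------
# Each role gets the fewest permissions its job needs (least privilege):
# readers only read the catalog, only editors may write it, only admins
# manage accounts. Sample roles and permissions, not from the lecture.
PERMISSIONS = {
    "reader": {"catalog:read"},
    "editor": {"catalog:read", "catalog:write"},
    "admin": {"catalog:read", "catalog:write", "users:manage"},
}


def is_authorized(role: str, permission: str) -> bool:
    return permission in PERMISSIONS.get(role, set())


def handle_request(store: UserStore, name: str, password: str, permission: str) -> str:
    """Authenticate first, then authorize; each failure is a distinct outcome."""
    role = store.authenticate(name, password)
    if role is None:
        return "401 unauthenticated"
    if not is_authorized(role, permission):
        return "403 forbidden"
    return "200 ok"


def demo_store() -> UserStore:
    """Constructed sample accounts for the demonstration."""
    store = UserStore()
    store.add_user("alice", "correct horse battery staple", "reader")
    store.add_user("bob", "hunter2hunter2", "editor")
    return store


if __name__ == "__main__":
    s = demo_store()
    print(handle_request(s, "alice", "wrong", "catalog:read"))
    print(handle_request(s, "alice", "correct horse battery staple", "catalog:write"))
    print(handle_request(s, "bob", "hunter2hunter2", "catalog:write"))
```

The point of the split is that a valid password never implies permission: a reader with the right password is still refused a write, and an attacker who guesses a reader's password gains only read access.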
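Added example for the "Content security" and "Monitoring your website" slides: a defacement detector that compares the live document root against a hash manifest taken from the staging server. It is not part of the lecture and is not any vendor's product. The workflow it assumes is the one the slides describe: content is approved on the staging server and a manifest of SHA-256 hashes is recorded; a scheduled job recomputes the hashes on the production server and compares them; any difference is logged as an incident and the administrator is alerted. The site files are constructed in a temporary directory for the demo.

```python
"""Detect website defacement by comparing live files against a staged manifest."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Classify every difference. A defacement usually shows up as 'modified'
    (index page rewritten) or 'added' (an unexpected file dropped in);
    sabotage often shows up as 'removed'."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def send_alert(record: dict) -> None:
    """Stand-in for e-mail or pager delivery (assumption). A real deployment
    sends the record to the administrator out of band, not only to a log
    on the web server an attacker may already control."""
    print("ALERT: unexpected change in web content:", json.dumps(record))


def check_site(root: Path, manifest_path: Path, incident_log: Path) -> Dict[str, list]:
    """Recompute hashes, compare with the stored manifest, and append one JSON
    incident record for every run that found a change. Returns the diff."""
    baseline = json.loads(manifest_path.read_text())
    diff = diff_manifests(baseline, build_manifest(root))
    if any(diff.values()):
        record = {"time": datetime.now(timezone.utc).isoformat(), "root": str(root), **diff}
        with incident_log.open("a") as f:
            f.write(json.dumps(record) + "\n")
        send_alert(record)
    return diff


def demo() -> Dict[str, list]:
    """Stage a tiny constructed site, record its manifest, then simulate a
    defacement, a dropped file and a deleted page on the live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp, "staging")
        (staging / "css").mkdir(parents=True)
        (staging / "index.html").write_text("<h1>Welcome to our shop</h1>")
        (staging / "about.html").write_text("<p>About us</p>")
        (staging / "css" / "site.css").write_text("body { color: #222; }")
        manifest = Path(tmp, "manifest.json")
        manifest.write_text(json.dumps(build_manifest(staging)))

        live = Path(tmp, "live")
        shutil.copytree(staging, live)               # deployment: live == staged
        (live / "index.html").write_text("<h1>Defaced</h1>")   # defacement
        (live / "dropped.php").write_text("<?php /* unexpected file */ ?>")
        (live / "about.html").unlink()               # sabotage
        return check_site(live, manifest, Path(tmp, "incidents.log"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest and the incident log off the web server (or at least outside the document root and read-only to the web server account); the staged copy doubles as the backup from which a defaced site is restored.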
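Added example for the "Monitoring your website" slide ("monitor your logs for break-ins"); not part of the lecture. It parses web server access logs in the common "combined" format and applies two detection rules: repeated failed logins from one client within a short window (password guessing), and request paths containing directory-traversal sequences. The thresholds, the login path and the log lines are constructed for the demo and would be tuned to the real site.

```python
"""Scan web server access logs for signs of a break-in."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

FAILED_LOGIN_THRESHOLD = 5       # failures per client (assumed threshold)
FAILED_LOGIN_WINDOW = 60         # within this many seconds (assumed)
LOGIN_PATH = "/login"            # assumed login endpoint of the site
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f)", re.IGNORECASE)


def parse_line(line: str) -> Optional[dict]:
    """Return a dict of fields, or None for a line that is not a log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None  # skipped here; a production job should count these too
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, client_ip, detail) alerts, at most one per client per rule."""
    alerts: List[Tuple[str, str, str]] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    fired = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        # Rule 2: traversal sequence anywhere in the path, raw or URL-encoded
        if TRAVERSAL_RE.search(path) and ("path_traversal", ip) not in fired:
            fired.add(("path_traversal", ip))
            alerts.append(("path_traversal", ip, f"{rec['method']} {path} -> {rec['status']}"))
        # Rule 1: sliding window of failed logins per client
        if rec["method"] == "POST" and path == LOGIN_PATH and rec["status"] in (401, 403):
            window = failures[ip]
            window.append(rec["time"])
            while (window[-1] - window[0]).total_seconds() > FAILED_LOGIN_WINDOW:
                window.pop(0)  # forget failures older than the window
            if len(window) >= FAILED_LOGIN_THRESHOLD and ("brute_force_login", ip) not in fired:
                fired.add(("brute_force_login", ip))
                alerts.append(("brute_force_login", ip,
                               f"{len(window)} failed logins within {FAILED_LOGIN_WINDOW}s"))
    return alerts


# Constructed sample log: one client hammering /login, one legitimate user who
# mistypes once, one traversal probe, and one malformed line.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2005:12:00:01 +0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2005:12:00:02 +0800] "POST /login HTTP/1.1" 401 231 "-" "curl/7.1"
203.0.113.5 - - [10/Mar/2005:12:00:05 +0800] "POST /login HTTP/1.1" 401 231 "-" "curl/7.1"
198.51.100.7 - - [10/Mar/2005:12:00:06 +0800] "POST /login HTTP/1.1" 401 231 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2005:12:00:08 +0800] "POST /login HTTP/1.1" 401 231 "-" "curl/7.1"
198.51.100.7 - - [10/Mar/2005:12:00:09 +0800] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2005:12:00:11 +0800] "POST /login HTTP/1.1" 401 231 "-" "curl/7.1"
203.0.113.5 - - [10/Mar/2005:12:00:14 +0800] "POST /login HTTP/1.1" 401 231 "-" "curl/7.1"
203.0.113.5 - - [10/Mar/2005:12:00:17 +0800] "POST /login HTTP/1.1" 401 231 "-" "curl/7.1"
198.51.100.9 - - [10/Mar/2005:12:00:20 +0800] "GET /images/../../etc/passwd HTTP/1.1" 404 198 "-" "Mozilla/4.0"
this line is not a valid log entry
"""


def detect_sample() -> List[Tuple[str, str, str]]:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, ip, detail in detect_sample():
        print(f"{rule:18} {ip:15} {detail}")
```

The legitimate user's single failure followed by a 302 never reaches the threshold, and the 404 on the traversal probe is still reported: a failed probe is evidence of reconnaissance even when nothing was disclosed.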
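Added example for the "Link management" slide: a broken-link checker that crawls a site's own pages, collects every link, and reports those that fail. It is not part of the lecture and is none of the listed products. Pages are fetched through a `fetch(url) -> (status, body)` callable so the crawl can run offline against the constructed mini-site below; `http_fetch` shows the real-network variant with urllib. Same-host links are crawled, off-site links are only checked, and each link is checked once even when many pages share it.

```python
"""Broken-link checker with an injectable fetcher (offline-testable)."""
import urllib.error
import urllib.request
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urldefrag, urljoin, urlparse

Fetch = Callable[[str], Tuple[int, str]]   # url -> (HTTP status, body text)


class LinkExtractor(HTMLParser):
    """Collect href/src targets from <a>, <link>, <img> and <script> tags."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "link": "href", "img": "src", "script": "src"}.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.links.append(value)


def extract_links(base_url: str, html: str) -> Set[str]:
    """Absolute, fragment-free link targets found in html, relative to base_url."""
    p = LinkExtractor()
    p.feed(html)
    out: Set[str] = set()
    for raw in p.links:
        if urlparse(raw).scheme in ("mailto", "javascript", "tel"):
            continue                                  # not fetchable
        url, _fragment = urldefrag(urljoin(base_url, raw))
        out.add(url)
    return out


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real-network fetch. Only HTML bodies are returned for link extraction."""
    req = urllib.request.Request(url, headers={"User-Agent": "link-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read().decode("utf-8", "replace") if "html" in ctype else ""
            return resp.status, body
    except urllib.error.HTTPError as e:
        return e.code, ""          # other errors (DNS, timeout) propagate to probe()


def check_links(start: str, fetch: Fetch, max_pages: int = 500) -> Tuple[List[Tuple[str, str, str]], Set[str]]:
    """Return ([(page, link, reason)], crawled_pages) for every failing link."""
    host = urlparse(start).netloc
    queue, crawled = [start], set()
    cache: Dict[str, Tuple[str, Optional[str]]] = {}
    broken: List[Tuple[str, str, str]] = []

    def probe(url: str) -> Tuple[str, Optional[str]]:
        if url not in cache:
            try:
                code, body = fetch(url)
                cache[url] = ("ok", body) if code < 400 else (f"HTTP {code}", None)
            except Exception as exc:
                cache[url] = (f"error: {exc}", None)
        return cache[url]

    while queue and len(crawled) < max_pages:
        page = queue.pop(0)
        if page in crawled:
            continue
        crawled.add(page)
        _status, body = probe(page)
        if body is None:
            continue
        for link in sorted(extract_links(page, body)):
            reason, _ = probe(link)
            if reason != "ok":
                broken.append((page, link, reason))
            elif urlparse(link).netloc == host and link not in crawled:
                queue.append(link)
    return broken, crawled


# Constructed mini-site for the offline demo (all hosts are documentation names).
SITE = {
    "http://shop.example/": '<a href="/products.html">Products</a> <a href="about.html#team">About</a> '
                            '<img src="/img/logo.png"> <a href="mailto:sales@shop.example">Mail</a>',
    "http://shop.example/products.html": '<a href="/">Home</a> <a href="/products/old-item.html">Old</a> '
                                         '<a href="http://partner.example/deal">Partner</a>',
    "http://shop.example/about.html": '<a href="/">Home</a> <a href="http://down.example/">Press</a>',
    "http://shop.example/img/logo.png": "PNG",
    "http://partner.example/deal": "<p>deal</p>",
}


def fake_fetch(url: str) -> Tuple[int, str]:
    if urlparse(url).netloc == "down.example":
        raise TimeoutError("connection timed out")
    return (200, SITE[url]) if url in SITE else (404, "")


if __name__ == "__main__":
    for page, link, reason in check_links("http://shop.example/", fake_fetch)[0]:
        print(f"{page} -> {link}: {reason}")
```

Run against a real site by passing `http_fetch` instead of `fake_fetch`; because a link that times out is reported with its error rather than silently skipped, a dead partner host shows up in the same report as a 404.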