Monday, 18 February 2008
Testing
Testing is when companies make sure that their system works properly before it is used. For example, to test a validation rule in a database, a company would enter data in a field that goes against the validation rule for that particular field. If the data is not allowed to be entered, they know that particular validation rule works properly. They would record the results so they have a record of what was tested and know what needs improving.
Why is it important?
Because without it, systems will be used or products will be sent out that may not actually work, which would displease customers and give the company a very bad reputation.
Give two possible consequences to a company of not testing
Current orders might not go through properly, so the company would lose money directly and would also lose trade in the future. They would also have to spend more time correcting the problem afterwards if things go wrong, which would cost them money because they have to employ workers to fix it.
Give two reasons why it is important to have a test plan
Because it is a much more organised way of testing that lets the workers keep track of what they have done. Also, if somebody left the company half way through testing, a test plan would let somebody else easily pick up where they left off.
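As an added example (not from the original notes), here is a small test plan for database validation rules of the kind described above, run against an in-memory SQLite table. The orders table, its validation rules and the test cases are all made up for the illustration; each case enters data that should break one rule, and the results log records what actually happened:

```python
"""Test plan for database validation rules, run against an in-memory SQLite table.

Added example, not from the original notes: a hypothetical 'orders' table whose
validation rules are CHECK constraints, a test plan that deliberately enters
data breaking each rule, and a results log of expected versus actual outcome.
"""
import sqlite3

SCHEMA = """
CREATE TABLE orders (
    order_id   INTEGER PRIMARY KEY,
    quantity   INTEGER NOT NULL CHECK (quantity BETWEEN 1 AND 99),
    postcode   TEXT    NOT NULL CHECK (length(postcode) BETWEEN 5 AND 8),
    card_last4 TEXT    NOT NULL CHECK (length(card_last4) = 4
                                      AND card_last4 GLOB '[0-9][0-9][0-9][0-9]')
);
"""

# Test plan: case id, rule under test, data to enter, expected outcome.
# Invalid cases must be rejected; the valid case checks the rule is not so
# strict that it blocks a real order. All values are constructed.
TEST_PLAN = [
    ("T1", "quantity range", {"quantity": 0, "postcode": "SW1A1AA", "card_last4": "1234"}, "rejected"),
    ("T2", "quantity range", {"quantity": 100, "postcode": "SW1A1AA", "card_last4": "1234"}, "rejected"),
    ("T3", "quantity range", {"quantity": 1, "postcode": "SW1A1AA", "card_last4": "1234"}, "accepted"),
    ("T4", "postcode length", {"quantity": 2, "postcode": "SW1", "card_last4": "1234"}, "rejected"),
    ("T5", "card last four digits", {"quantity": 2, "postcode": "SW1A1AA", "card_last4": "12A4"}, "rejected"),
    ("T6", "card last four digits", {"quantity": 2, "postcode": "SW1A1AA", "card_last4": "123"}, "rejected"),
]


def try_insert(conn, row):
    """Attempt the insert; report 'accepted' or 'rejected' plus the database's reason."""
    try:
        with conn:  # commits on success, rolls back and re-raises on failure
            conn.execute(
                "INSERT INTO orders (quantity, postcode, card_last4) VALUES (?, ?, ?)",
                (row["quantity"], row["postcode"], row["card_last4"]),
            )
        return "accepted", ""
    except sqlite3.IntegrityError as exc:
        return "rejected", str(exc)


def run_test_plan(plan=TEST_PLAN):
    """Run every case in the plan and return the results log as a list of dicts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    results = []
    for case_id, rule, row, expected in plan:
        actual, detail = try_insert(conn, row)
        results.append({
            "id": case_id, "rule": rule, "input": row,
            "expected": expected, "actual": actual,
            "pass": actual == expected, "detail": detail,
        })
    conn.close()
    return results


def summarise(results):
    """Count passes and failures so it is clear what still needs fixing."""
    passed = sum(1 for r in results if r["pass"])
    return {"passed": passed, "failed": len(results) - passed}


if __name__ == "__main__":
    log = run_test_plan()
    for r in log:
        print(f"{r['id']} {r['rule']:<22} expected={r['expected']:<8} "
              f"actual={r['actual']:<8} {'PASS' if r['pass'] else 'FAIL'}")
    print(summarise(log))
```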
Consequences of not Testing
The company Protx, which deals with online payments, was upgrading its system and a problem occurred which meant that thousands of retailers lost business because orders were failing.
What were the consequences?
People could not pay for products, so businesses lost money and possibly future trade. Customers did not get the products when they wanted them, and Protx gave itself a bad name. Transactions would not be secure, so hackers would be able to get hold of customer information, and crimes such as identity theft and fraud could occur.
How could testing have prevented this?
They could have tested the upgrade on one company first, then identified problems and seen whether it worked efficiently. If a problem had been identified it could have been solved and the situation avoided.
Wednesday, 30 January 2008
Updated Version of Written Up Security Report
E-Commerce is transactions involving goods or services using technology often using transactional web sites.
E-Commerce is more susceptible to threats than normal commerce for a number of different reasons. Firstly, the information that the customer enters has to be sent over a broadband connection and passes through various different computers before it reaches the intended destination. Also, the customer gives much more personal information than in normal commerce: if a customer buys an item in an ordinary shop they do not have to give any personal details, and if they pay by cash they do not even have to enter a PIN for their credit card. In eCommerce, however, the customer is required to give the company much more information about themselves, for example their name, address, credit card details and contact number. When the company knows more about the customer, more people have access to that information than if it had not been given, and therefore the threats to the security of customer data are bigger in eCommerce than in ordinary commerce.
Attitude, like all other transactional web sites, faces many threats to the security of customer data. One of the main threats to customers’ data security is viruses. Computer viruses are pieces of software that can ‘infect’ a computer without the permission or even the knowledge of the user.
Different viruses do different things, and new ones are being created all of the time. For example, some viruses damage or delete files or even reformat the hard disk; others just sit there and replicate themselves, making their presence known through audio or video messages or simply by presenting text. Whatever a virus does, it always damages the computer, whether by taking up storage space or by causing system crashes. Viruses are a threat to the security of customer data at Attitude because if a virus infected their computer(s) there could be severe consequences: for example, if the virus deleted or changed the data, products could be sent to the wrong addresses, if they were sent at all. More seriously, it could be possible for the virus to open files and send the customer’s details back to its originator, giving them access to the details of the customer.
Spyware is also a major problem for transactional web sites like Attitude. Spyware is an executable program that is often bundled into freeware or shareware that the user has downloaded; it is put onto the user’s computer secretly so that the originator is able to spy on the user and see their activities. Trojan horses are a form of spyware that pretends to be something else: for example, some sites offer what appear to be useful extensions to your web browser, such as extra buttons on the tool bar or a search bar, but they also add a monitoring system in the background. The spyware is then able to transmit the user’s activities over the internet to the originator.
Sometimes companies use spyware on remote computers to collect marketing information. Some programs use information about your habits on the Internet to create pop-up adverts that relate to what you are doing. Spyware is also able to do the following:
· Monitor the web sites that the user has visited
· Monitor files used
· Collect keystrokes meaning they are able to retrieve passwords and credit card numbers
· Scan hard disks
· View chat sessions
· Change the default page of web browsers
· Hijack search engine activity to return certain web sites not wanted by the user
All of the above are very serious; any one of them could cause serious problems for the company. Most people are not aware of just how common spyware is: at the end of 2006 the UK had the most pieces of spyware per PC, with 30.5 on average, and this does not just cover ordinary consumers (although consumers make up 89%), it includes enterprises as well. Although much of this is likely to be relatively harmless, some spyware could cause serious problems for the company.
Another danger to Attitude is hackers. Hackers are people who specialize in working with the security mechanisms of computers and network systems. It is common for people to attempt to ‘hack’ into the databases belonging to transactional web sites like Attitude so that they can get customers’ details and steal their identities. If a hacker got hold of a customer’s personal details they would be able to commit fraud, for example by using the details to buy products online and have them sent somewhere they can pick them up from instead of the cardholder’s address. This is a serious problem because if something like this happened it would give Attitude a very bad reputation and they would consequently lose customers.
Employees can also put customers’ data in danger, either through human error or through dishonesty. Firstly, human error can affect data security because, for example, if somebody did not apply the correct security settings they would make it much easier for others to get hold of customer details. It is also possible for an employer to forget to check that no ‘back doors’ have been left when an employee leaves, meaning ways in which the former employee is still able to access the system and then
Need to add more into this bit from other notes
However, there are preventative methods that Attitude can take to stop their system from being infected by viruses; the most obvious one is to install anti-virus software. It is extremely important that the software is always up-to-date because new viruses are being created all the time, so it is also important that the software updates itself regularly in order to give the highest possible protection against viruses. For example, McAfee security software updates itself automatically to ensure the computer it is installed on is always protected against new viruses as well as older ones. Although anti-virus software is generally successful in preventing computers from being infected, this is not always the case, as occasionally viruses are able to ‘slip through’. The following preventative measures are given to individual users on zyra.org.uk; they are easy to do but could save a lot of problems:
· If using Windows, select ‘Do Not Hide File Extensions’
· Be wary of files ending with .doc.com or .something.somethingelse, as well as ones ending with .exe, .bat, .scr, .com or .pif, as these are all executable.
· Do not set the computer to automatically run CDs when they are inserted
· Never run attachments on emails if you do not know who has sent them or if they are executable (unless you know the sender and know that they intended them to be executable)
· Have yourself in your address book; this way, if a virus tries to send itself to your other contacts you will get an unexpected email from yourself and will therefore be able to tell that something is wrong, so you can deal with the virus quickly
· Do not allow ActiveX cookies to run automatically without a safeguard, and never let them run if they are in an email, as this is almost always a virus.
· Do not accept or run free screen savers that are sent from strangers
· Install anti-virus software (for example McAfee; make sure it is suitable, e.g. there is no point having software made for businesses with lots of data to protect if you only need it for a home computer with not much data to protect)
· Beware of free anti-virus software, as it can often contain the virus itself, e.g. the Klez-E Immunity scam.
Tuesday, 29 January 2008
Security Report So Far
E-Commerce is transactions involving goods or services using technology often using transactional web sites.
E-Commerce is more susceptible to threats than normal commerce for a number of different reasons. Firstly, the information that the customer enters has to be sent over a broadband connection and passes through various different computers before it reaches the intended destination. Also, the customer gives much more personal information than in normal commerce: if a customer buys an item in an ordinary shop they do not have to give any personal details, and if they pay by cash they do not even have to enter a PIN for their credit card. In eCommerce, however, the customer is required to give the company much more information about themselves, for example their name, address, credit card details and contact number. When the company knows more about the customer, more people have access to that information than if it had not been given, and therefore the threats to the security of customer data are bigger in eCommerce than in ordinary commerce.
Attitude, like all other transactional web sites, faces many threats to the security of customer data. One of the main threats to customers’ data security is viruses. Computer viruses are pieces of software that can ‘infect’ a computer without the permission or even the knowledge of the user.
Different viruses do different things, and new ones are being created all of the time. For example, some viruses damage or delete files or even reformat the hard disk; others just sit there and replicate themselves, making their presence known through audio or video messages or simply by presenting text. Whatever a virus does, it always damages the computer, whether by taking up storage space or by causing system crashes. Viruses are a threat to the security of customer data at Attitude because if a virus infected their computer(s) there could be severe consequences: for example, if the virus deleted or changed the data, products could be sent to the wrong addresses, if they were sent at all. More seriously, it could be possible for the virus to open files and send the customer’s details back to its originator, giving them access to the details of the customer.
However, there are preventative methods that Attitude can take to stop their system from being infected by viruses; the most obvious one is to install anti-virus software. It is extremely important that the software is always up-to-date because new viruses are being created all the time, so it is also important that the software updates itself regularly in order to give the highest possible protection against viruses. For example, McAfee security software updates itself automatically to ensure the computer it is installed on is always protected against new viruses as well as older ones. Although anti-virus software is generally successful in preventing computers from being infected, this is not always the case, as occasionally viruses are able to ‘slip through’.
Separate notes (for copying and pasting and to add stuff to):
Threats to Data Security in E-Commerce
Viruses
Computer viruses are pieces of software that can ‘infect’ a computer without the permission or even the knowledge of the user. Viruses are often confused with computer worms and Trojan horses, but there are key differences: a virus can only spread from one computer to another if its host file is taken to the uninfected computer, whereas a computer worm can spread itself to other computers without needing a host. Trojan horses are files that appear harmless until they are run, whereas a virus is always harmful, even when it is not being executed.
Different viruses do different things, and new ones are being created all of the time. For example, some viruses damage or delete files or even reformat the hard disk; others just sit there and replicate themselves, making their presence known through audio or video messages or simply by presenting text. Whatever a virus does, it always damages the computer, whether by taking up storage space or by causing system crashes.
Hackers
Hackers are people who specialize in working with the security mechanisms of computers and network systems. It is common for people to attempt to ‘hack’ into the databases belonging to transactional web sites so that they can get customers’ details and steal their identities; if the hacker got hold of a customer’s personal details they would then be able to use the details to buy items in the customer’s name.
Spyware
Spyware is an executable program that is often bundled into freeware or shareware that the user has downloaded; it is put onto the user’s computer secretly so that the originator is able to spy on the user and see their activities. Trojan horses are a form of spyware that pretends to be something else: for example, some sites offer what appear to be useful extensions to your web browser, such as extra buttons on the tool bar or a search bar, but they also add a monitoring system in the background. The spyware is then able to transmit the user’s activities over the internet to the originator.
Sometimes companies use spyware on remote computers to collect marketing information. Some programs use information about your habits on the Internet to create pop-up adverts that relate to what you are doing. Spyware is also able to do the following:
· Monitor the web sites that the user has visited
· Monitor files used
· Collect keystrokes meaning they are able to retrieve passwords and credit card numbers
· Scan hard disks
· View chat sessions
· Change the default page of web browsers
· Hijack search engine activity to return certain web sites not wanted by the user
Damaging Spyware is extremely common; however most computer users are not aware of this.
Human error
Very often humans make mistakes, which can have very bad results for both the customer and the company. For example, if incorrect data is entered by accident, the company would be going against the Data Protection Act, which is punishable. Incorrect data can also be entered on the customer’s side (e.g. when entering their credit card details before making a purchase); if the wrong details are entered, the order won’t go through. Also, if somebody did not apply the right security settings it would be really easy for hackers to get access to the company’s database.
Dishonest Employees
E.g. An employee might try to steal personal data from customers and use it for their own benefit.
Natural Disasters
E.g. tornados, hurricanes, earthquakes, volcanoes, floods etc.
Theft
E.g. if a storage device that has customer details on it is stolen, the thief would then have the details of all of the customers in their possession (the data should be encrypted, but this is not always the case). This could have very bad consequences for the customer, as the thief can then use their details to make their own purchases.
Etc
What are the Preventative Measures for these Threats?
Encryption
Encryption is often used to protect personal data such as credit card numbers. The data is scrambled into a kind of code according to an algorithm (a mathematical rule or procedure for solving a problem). It can then only be translated back into its original form by a computer with the correct software, and this software usually also requires access to a security code called a ‘key’ before it can carry out the procedure of unscrambling the code.
Anti-Virus Measures
The following tips for anti-virus measures are given on the web site http://www.zyra.org.uk/avirus.htm:
· If using Windows, select ‘Do Not Hide File Extensions’
· Be wary of files ending with .doc.com or .something.somethingelse, as well as ones ending with .exe, .bat, .scr, .com or .pif, as these are all executable.
· Do not set the computer to automatically run CDs when they are inserted
· Never run attachments on emails if you do not know who has sent them or if they are executable (unless you know the sender and know that they intended them to be executable)
· Have yourself in your address book; this way, if a virus tries to send itself to your other contacts you will get an unexpected email from yourself and will therefore be able to tell that something is wrong, so you can deal with the virus quickly
· Do not allow ActiveX cookies to run automatically without a safeguard, and never let them run if they are in an email, as this is almost always a virus.
· Do not accept or run free screen savers that are sent from strangers
· Install anti-virus software (for example McAfee; make sure it is suitable, e.g. there is no point having software made for businesses with lots of data to protect if you only need it for a home computer with not much data to protect)
· Beware of free anti-virus software, as it can often contain the virus itself, e.g. the Klez-E Immunity scam.
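As an added example (not from these notes or from zyra.org.uk), the extension advice in this list and in the security report above can be turned into a simple attachment-name check that a mail filter or a cautious user could run. The executable extensions are the ones listed; the attachment names are constructed and the function names are my own:

```python
"""Flag risky e-mail attachment names using the extension advice in the list above.

Added example, not from the original notes or from zyra.org.uk. The executable
extensions come from the list; the 'document' set, sample names and function
names are my own constructed choices.
"""
EXECUTABLE_EXTENSIONS = {"exe", "bat", "scr", "com", "pif"}
# Extensions that look like harmless documents; a risky file often hides behind
# one of these (readme.doc.com) when the operating system hides extensions.
DOCUMENT_EXTENSIONS = {"doc", "txt", "pdf", "jpg", "gif", "xls"}

SAMPLE_ATTACHMENTS = [  # constructed names, not real messages
    "invoice.pdf",
    "holiday photos.jpg",
    "readme.doc.com",
    "report.txt                .exe",  # padding spaces push the real extension out of view
    "setup.exe",
    "screensaver.scr",
    "archive.tar.gz",
    "notes",
]


def classify_attachment(filename):
    """Return (verdict, reason) where verdict is 'block', 'warn' or 'allow'."""
    # Strip each part so "report.txt      .exe" is judged on its real extensions.
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or parts[-1] == "":
        return "warn", "no file extension"
    final_ext = parts[-1]
    inner_exts = [p for p in parts[1:-1] if p]  # extensions before the final one
    if final_ext in EXECUTABLE_EXTENSIONS:
        if inner_exts:
            disguise = "a document" if inner_exts[-1] in DOCUMENT_EXTENSIONS else "another file type"
            return "block", f"executable .{final_ext} disguised as {disguise} (.{inner_exts[-1]}.{final_ext})"
        return "block", f"executable file type .{final_ext}"
    if inner_exts:
        return "warn", "more than one extension: ." + ".".join(inner_exts + [final_ext])
    return "allow", "ordinary file type"


def triage(names=SAMPLE_ATTACHMENTS):
    """Group attachment names by verdict, keeping the reason for each."""
    out = {"block": [], "warn": [], "allow": []}
    for name in names:
        verdict, reason = classify_attachment(name)
        out[verdict].append((name, reason))
    return out


if __name__ == "__main__":
    for verdict, entries in triage().items():
        for name, reason in entries:
            print(f"{verdict:<5} {name!r}: {reason}")
```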
Risk Analysis
This is when the company carries out an assessment of the potential risks faced by the organisation’s systems and of what might happen if valuable data is lost or stolen or if the system had a major failure. Most of the precautions in a risk assessment are just common sense, and the first step is to identify the potential threats to the data stored (see the section on risks to data for more information). Once the risks have been identified they are classified according to how potentially dangerous they are, with very dangerous risks classified as ‘high’ and insignificant ones as ‘low’. After this, spending on protection can be organised and a recovery plan can be drawn up (containing the steps that should be taken in the event of data loss). Risks and security protection should be reviewed regularly to allow for changes in equipment and operations. It is important that the company is aware of the risks from inside the organisation as well as outside, as it is usually more difficult to protect data from dishonest employees than from outsiders because many have a high level of access to the system. The company especially needs to take care when employees leave the organisation to make sure they have not left any ‘back doors’, meaning alternative ways to access the system.
Passwords
Passwords are used to control access to certain data: only those with permission to access the data are told the password, and it is kept secret from anyone who is not allowed access; if somebody enters the wrong password, their access to the data is denied. A major fault in passwords as a method of data protection is that people can guess them. Although this is a big issue, it should not be too much of a problem as long as people do not use passwords that are too easy to guess, such as the name of a pet or family member or default passwords such as ‘password’. A password is also made more difficult to guess by adding numbers. Some companies also require employees to change their passwords regularly, so that if somebody did guess a password correctly they would not be able to access the information for very long because the password would soon change. However, software is available to hackers that automatically guesses millions of passwords.
Access Levels
In some companies different people are allowed to access different data, meaning some employees have higher access levels than others. This means that employees only have access to the data they need in their jobs, only very trusted employees have access to very important data, and as few people as possible are granted access to customers’ personal information.
Backup
Companies should always keep up-to-date backup copies of their data so that if data is lost they will be able to recover it easily. The company should choose a suitable backup method for the type and amount of data they need to back up; they should also consider how often they need to back the data up and what data needs to be backed up in the first place (not all data needs to be backed up every time, as this takes a very long time and is unnecessary). Once the first full backup has been done, only incremental backups should be necessary (where only the files that have changed since the last backup are added).
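As an added example (not from the original notes), here is a full backup followed by incremental backups of the kind described above. It selects changed files by content hash rather than by timestamp alone, so a file rewritten with identical contents is not copied again, and it keeps a JSON manifest of what the backup set contains. The directory layout, manifest name and sample files are my own constructed choices:

```python
"""Full backup followed by incremental backups, selecting changed files by hash.

Added example, not from the original notes. A manifest (JSON) records the hash
of every file in the last backup; each run copies only files whose hash is new
or changed, into a sub-folder named after the run.
"""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"  # assumed name for the record of the last backup


def file_hash(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(src):
    """Map each file path (relative to src) to its content hash."""
    out = {}
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            out[os.path.relpath(full, src)] = file_hash(full)
    return out


def load_manifest(dest):
    path = os.path.join(dest, MANIFEST)
    if not os.path.exists(path):
        return {}  # no previous backup: everything counts as changed
    with open(path) as f:
        return json.load(f)


def backup(src, dest, label):
    """Copy files that are new or changed since the manifest; return their paths.

    With no manifest this is the first, full backup; afterwards only changed
    files are written, into dest/<label>/.
    """
    previous = load_manifest(dest)
    current = scan(src)
    changed = sorted(p for p, h in current.items() if previous.get(p) != h)
    run_dir = os.path.join(dest, label)
    for rel in changed:
        target = os.path.join(run_dir, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(src, rel), target)  # copy2 keeps timestamps
    # Files deleted from src drop out of the manifest, so later runs do not expect them.
    with open(os.path.join(dest, MANIFEST), "w") as f:
        json.dump(current, f, indent=2, sort_keys=True)
    return changed


def demo():
    """Constructed scenario: full backup, then edit one file and add another."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dest:
        sample = [("customers.csv", "id,name\n1,A\n"), ("orders.csv", "id\n"),
                  ("notes/readme.txt", "constructed sample file\n")]
        for name, text in sample:
            path = os.path.join(src, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)
        first = backup(src, dest, "full")            # everything is copied
        with open(os.path.join(src, "orders.csv"), "a") as f:
            f.write("42\n")                          # one file changes
        with open(os.path.join(src, "shipments.csv"), "w") as f:
            f.write("id\n")                          # one file is new
        second = backup(src, dest, "incr-1")         # only those two are copied
        third = backup(src, dest, "incr-2")          # nothing changed: nothing copied
        return first, second, third


if __name__ == "__main__":
    print(demo())
```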
Training
It is important that employees are trained in how to deal with the data properly in order to prevent human error from being responsible for data loss. For example, if employees of a company are properly trained they are less likely to make silly mistakes such as deleting important data by accident.
Firewalls
Applied ICT Data Security Report plan:
What is E-Commerce?
E-Commerce is transactions involving goods or services using technology often using transactional web sites.
Why is E- Commerce more susceptible to threats than normal commerce?
E-Commerce is more susceptible to threats than normal commerce for a number of different reasons. Firstly, the information that the customer enters has to be sent over a broadband connection and passes through various different computers before it reaches the intended destination. Also, the customer gives much more personal information than in normal commerce, e.g. if you buy something in a shop you do not have to give your name, address or even your card details if you pay by cash.
What information has the customer given to the website?
Name, address, telephone number, credit card details
What are the threats to Data Security for E-Commerce?
1. Viruses
2. Hackers
3. Spyware
4. Hardware failure
5. Human error
6. Dishonest employees
7. Natural disasters
8. Theft
9. Terrorism
10. Flood and fire
What are the preventative methods for these threats?
1. Encryption
2. Anti-virus measures
3. Risk analysis
4. Passwords
5. Access levels
6. Backup
7. Training
8. Firewalls
9. Secure Electronic Transactions (SET)
10. Physical security
Describe the legislation that the business should be aware of:
1. Computer Misuse Act
2. Data Protection Act
3.
4.
5.
How effective are these pieces of legislation?
1. Only effective to a certain extent, because technology is always changing so there are always new viruses and new ways of hacking into computers
2. Find e.g.
3.
4.
5.
Overall conclusions:
Is data secure on this website – yes:
1. Preventative methods (above section – used by Attitude)
2. Legislation
3.
Is data insecure on this website – no:
1. Legislation not always effective
2. Hackers etc.
3.
Overall conclusion:
1.
2.
3.
Macintosh HD:Users:mhighmore:Documents:Report plan y12.docx Created on 21/01/2008 13:33
Tuesday, 8 January 2008
Back Office Processes (Continued)
A cookie is a small text file which is stored on the user’s hard drive when they visit a web site. Transactional web sites use cookies to keep a record of the user’s activities and preferences while they are on the site, so that next time they come back the web site can respond to them in a customised way. For example, on some web sites such as 'ask.com' the user is able to change the colour scheme; because the web site uses cookies, the next time the user accesses the site it remembers their preferred colour scheme and uses it automatically. Another example: if somebody accessed a web site in Germany and clicked on the link to see the English version of the site, the next time they accessed the site it would remember their preference and automatically load the English version, because a cookie would have been placed on the user’s hard disk with the message 'Language=English'. This makes customers more likely to come back to the web site.
9) Why is it useful to get a customer to log in to the web site?
Because when a customer is logged in it allows them to be tracked anonymously using a random number sent in a cookie, and other tables in the database can track the user’s actions. When a customer is logged in they can be monitored much more closely: actions can trigger data being written to the database, and this information can then be used in a number of ways. One example is to reward loyal customers with special offers.
Activity (pg 144)
List of tables from figure 2.20 that might be involved in tracking customers’ actions:
- bundles
- cartRows
- cartRowsOptions
- Categories
- Categories_products
- creditCards
- customers
- customer types
- customer_specialPrices
- emails
- layout
- options
- orders
- payments
- rentals
- reviews
- screenMessages
- settings
- shipments
- visits
- wapCarts
- wapSessions
- wishList
10) At what point is HTTPS encryption used? Why?
It is used when the user gives their credit card details, in order to keep the information they give secure. Both the data itself and the field or table need to be encrypted. This means that if the database is read by unauthorised people they will not be able to read the card details.
11) Why is this method safe even if someone intercepts the data travelling to the website?
Because they will not be able to read or understand the data once it has been encrypted.
12) Explain why a stolen card is unlikely to be used for online shopping.
Because on most web sites address details are checked to make sure they match the card, and first-time orders must always be delivered to the address held by the card company, meaning whoever stole the card will not be able to get the goods delivered to themselves.
13) What is stock control? How are stock records managed by computer?
Stock control is all of the processes involved in ordering, storing and selling goods. Often real-time stock control is used so that there is no way two users can order the same item. A web site’s stock control runs on a computer system. The purpose is to make sure that there is always enough stock to meet demand but not too much, as excess stock is a waste of money that could be used for other parts of the business. When replacements need to be ordered, the web site could have links to the supplier on the Internet so that the replacement goods can be ordered automatically. Careful analysis of sales is required to help predict sales volume so that the minimum stock levels can be maintained.
14) List the processes involved in Despatch and Delivery of goods.
- Customer logs on
- Customer selects goods required
- Goods in stock? (if yes...)
- Customer confirms order (if yes...)
- Customer logs out after payment
- Customer order
- Check customer details and credit cards
- Amend stock database
- Print despatch note and pick goods
- Arrange despatch of goods
Monday, 7 January 2008
Back Office Processes
Back office processes are necessary because without them there wouldn’t be any system and the company would lose customers. They help the business to run efficiently. All of the processes are there to help the customer and make sure their goods are there on time and to help the company keep track of their customers.
Processes involved in stock control:
· Make sure that the items are in stock and available and you don’t sell the same item twice.
· This is a real time process – once an item is bought it is immediately taken off the list by a stock control system.
· At the centre of a stock control system would be a database because they can have all the items listed and all the fields related to that item – all relevant information about an item can be stored on a database such as how many are in stock.
Active Server Pages → the web page can access a database; it logs onto the database via the Internet. E.g. Amazon: when you go onto the site you are actually opening a page built from a database. ASP code is run every time you click the ‘search’ button on a web page. The customer clicks on a search, the code sends the query to the database and the answer is sent back as a web page.
On a web page the customer can usually see their virtual shopping basket and also the total price is given. You can add things to or take things out of the shopping trolley. Web sites such as Amazon store the information about your shopping basket over weeks or months.
· Items are added
· Prices are totalled
· Stock is reserved so that it is not sold twice
· Items can be removed
· Delivery costs may be added
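As an added example (not from the original notes), here is the real-time stock reservation described in question 13 above and in this shopping-basket list: items are added, stock is reserved so it cannot be sold twice, items can be removed (returning stock), prices are totalled and a delivery charge is added. It uses an in-memory SQLite database; the table and column names, prices and delivery rule are my own constructed choices:

```python
"""Real-time stock reservation so the same item cannot be sold twice.

Added example, not from the original notes: an in-memory SQLite stock and
basket model with constructed table names and prices. The reservation is one
conditional UPDATE inside a transaction, so two baskets competing for the last
unit cannot both succeed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE stock (
    item      TEXT PRIMARY KEY,
    price     REAL NOT NULL,
    available INTEGER NOT NULL CHECK (available >= 0)
);
CREATE TABLE cart_rows (
    cart_id  TEXT NOT NULL,
    item     TEXT NOT NULL REFERENCES stock(item),
    quantity INTEGER NOT NULL CHECK (quantity > 0),
    PRIMARY KEY (cart_id, item)
);
"""

DELIVERY_CHARGE = 3.99       # constructed flat rate
FREE_DELIVERY_OVER = 50.00   # constructed threshold for free delivery


def open_shop():
    """In-memory shop with a constructed stock list (only one hoodie left)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO stock VALUES (?, ?, ?)",
                     [("hoodie", 29.99, 1), ("t-shirt", 12.50, 10), ("cap", 9.00, 0)])
    return conn


def add_to_basket(conn, cart_id, item, qty=1):
    """Reserve qty units for this basket; return False if the stock is not there.

    The UPDATE only touches a row that still has enough units, so of two
    baskets racing for the last unit exactly one sees rowcount == 1.
    """
    with conn:  # one transaction: reservation and basket row succeed or fail together
        cur = conn.execute(
            "UPDATE stock SET available = available - ? WHERE item = ? AND available >= ?",
            (qty, item, qty))
        if cur.rowcount == 0:
            return False  # unknown item or not enough stock: nothing was changed
        row = conn.execute("SELECT quantity FROM cart_rows WHERE cart_id = ? AND item = ?",
                           (cart_id, item)).fetchone()
        if row:
            conn.execute("UPDATE cart_rows SET quantity = quantity + ? "
                         "WHERE cart_id = ? AND item = ?", (qty, cart_id, item))
        else:
            conn.execute("INSERT INTO cart_rows VALUES (?, ?, ?)", (cart_id, item, qty))
    return True


def remove_from_basket(conn, cart_id, item):
    """Take an item out of the basket and put its units back on sale."""
    with conn:
        row = conn.execute("SELECT quantity FROM cart_rows WHERE cart_id = ? AND item = ?",
                           (cart_id, item)).fetchone()
        if row is None:
            return False
        conn.execute("DELETE FROM cart_rows WHERE cart_id = ? AND item = ?", (cart_id, item))
        conn.execute("UPDATE stock SET available = available + ? WHERE item = ?", (row[0], item))
    return True


def basket_total(conn, cart_id):
    """Return (goods, delivery, total), each rounded to pence."""
    goods = conn.execute(
        "SELECT COALESCE(SUM(c.quantity * s.price), 0) FROM cart_rows c "
        "JOIN stock s ON s.item = c.item WHERE c.cart_id = ?", (cart_id,)).fetchone()[0]
    delivery = 0.0 if goods == 0 or goods >= FREE_DELIVERY_OVER else DELIVERY_CHARGE
    return round(goods, 2), round(delivery, 2), round(goods + delivery, 2)


def available(conn, item):
    return conn.execute("SELECT available FROM stock WHERE item = ?", (item,)).fetchone()[0]


def demo():
    """Two baskets compete for the last hoodie; the loser gets it once it is released."""
    conn = open_shop()
    a = add_to_basket(conn, "cart-A", "hoodie")     # takes the last hoodie
    b = add_to_basket(conn, "cart-B", "hoodie")     # refused: none left
    add_to_basket(conn, "cart-B", "t-shirt", 2)
    remove_from_basket(conn, "cart-A", "hoodie")    # hoodie goes back on sale
    c = add_to_basket(conn, "cart-B", "hoodie")     # now succeeds
    return a, b, c, available(conn, "hoodie"), basket_total(conn, "cart-B")


if __name__ == "__main__":
    print(demo())
```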
HTTP Authentication and Cookie identification:
HTTP authentication is like a login and password: it checks who you are.
Cookie identification checks things like when you were last on; the cookie is stored on your computer’s hard drive. It is a way of allowing you to go to a web site and have it remember you, e.g. if you change the colour scheme one time you go on it, then when you go back again it remembers.
Cookies don’t allow you to buy an item, because just because it is the same computer as you used before doesn’t mean that it is you using it; it could be another person on the computer, or it could be a public computer.
You can block cookies, but this can cause problems because sometimes websites need cookies to work properly.
Advantages of cookies:
They work without the user knowing: an automatic way of tracking who they are and what they are doing, and the user doesn’t have to be logged on for them to work.
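As an added example (not from the original notes), the cookie behaviour described here and in the earlier "Back Office Processes (Continued)" post can be shown with Python's http.cookies: a remembered language preference, an anonymous random visitor number, and a purchase check that refuses a cookie on its own and requires a real login session. The cookie names other than Language, the default language, the session store and the function names are my own assumptions:

```python
"""Cookie preference, anonymous visitor id, and why a cookie alone must not buy.

Added example, not from the original notes: a minimal request/response model
using http.cookies. 'Language' comes from the notes; the 'visitor' and
'session' cookie names, the German default and the SESSIONS store are assumed.
"""
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # server-side record of real logins: session id -> customer name
VISITS = {}    # visit counts keyed by the anonymous visitor number


def parse_cookies(cookie_header):
    """Turn the browser's Cookie header into a plain name -> value dict."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def _set_cookie(name, value):
    """Build one Set-Cookie header value (HttpOnly so page scripts cannot read it)."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    c[name]["httponly"] = True
    return c.output(header="").strip()


def handle_request(cookie_header, chosen_language=None):
    """Return (language to render the page in, list of Set-Cookie values)."""
    cookies = parse_cookies(cookie_header)
    set_headers = []
    # Anonymous tracking: a random number, not the customer's name.
    visitor = cookies.get("visitor")
    if not visitor:
        visitor = secrets.token_urlsafe(16)
        set_headers.append(_set_cookie("visitor", visitor))
    VISITS[visitor] = VISITS.get(visitor, 0) + 1
    # Language preference: remembered from the cookie unless the user picks one now.
    language = chosen_language or cookies.get("Language", "German")
    if chosen_language:
        set_headers.append(_set_cookie("Language", chosen_language))
    return language, set_headers


def login(customer, password_ok):
    """After a real username/password check, create a server-side session."""
    if not password_ok:
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = customer
    return session_id


def can_purchase(cookie_header):
    """A visitor cookie is not proof of identity: only a live login session may buy.

    Returns the logged-in customer's name, or None if the request may not buy.
    """
    cookies = parse_cookies(cookie_header)
    return SESSIONS.get(cookies.get("session"))
```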