Tuesday 29 January 2008

Security Report So Far

Report on Security of Data for your Website

E-Commerce is the buying and selling of goods or services using electronic systems, most often through transactional web sites.

E-Commerce is more exposed to threats than ordinary commerce for several reasons. Firstly, the information the customer enters is sent over the internet and passes through many computers that neither the customer nor the company controls before it reaches its destination, so it can be read or altered on the way unless it is protected. Secondly, the customer gives far more personal information than in ordinary commerce: a customer buying an item in a shop does not have to give any personal details, and does not even have to enter a PIN if they pay by cash, whereas an online customer is required to supply their name, address, credit card details and contact number. The more the company holds about the customer, the more systems and people can reach that information and the more there is to lose if it leaks, so the threats to the security of customer data are greater in eCommerce than in ordinary commerce.

Attitude, like all other transactional web sites, faces many threats to the security of customer data. One of the main threats to customer data security is viruses. Computer viruses are pieces of software that can ‘infect’ a computer without the permission or even the knowledge of the user.
Different viruses do different things, and new ones are created all the time. Some damage or delete files or reformat the hard disk; others simply replicate themselves and make their presence known through audio or video messages or by displaying text. Whatever a virus does, it harms the computer in some way, whether by consuming storage and processing capacity or by causing system crashes. Viruses threaten the security of customer data at Attitude because an infection of their computer(s) could have severe consequences: if the virus deleted or altered order data, products could be sent to the wrong addresses or not sent at all. More seriously, a virus could read the files holding customer records and send their contents back to the attacker who released it, giving that person the details of every customer.

However, there are preventative measures Attitude can take to stop their systems being infected by viruses; the most obvious is to install anti-virus software. It is extremely important that the software is kept up to date, because new viruses are created all the time, so it should update itself regularly to give the highest possible protection. McAfee security software, for example, updates itself automatically so that the computer it is installed on is protected against new viruses as well as older ones. Although anti-virus software is generally successful in preventing infection, this is not always the case: it can only recognise viruses it has been given signatures for, so new or modified viruses occasionally ‘slip through’.

Separate notes (for copying and pasting and to add stuff to):
Threats to Data Security in E-Commerce

Viruses

Computer viruses are pieces of software that can ‘infect’ a computer without the permission or even the knowledge of the user. Viruses are often confused with computer worms and Trojan horses, but there are key differences. A virus attaches itself to a host file or program and can only spread to another computer when that infected host is carried there (for example on a disk or as an email attachment) and run. A worm spreads itself to other computers over the network without needing a host file or any action by the user. A Trojan horse is a file that appears harmless or useful until it is run, at which point it carries out a hidden, harmful action; unlike a virus it does not usually copy itself to other files.

Different viruses do different things, and new ones are created all the time. Some damage or delete files or reformat the hard disk; others simply replicate themselves and make their presence known through audio or video messages or by displaying text. Whatever a virus does, it harms the computer in some way, whether by consuming storage and processing capacity or by causing system crashes.

Hackers

Hackers are people who specialise in probing and defeating the security mechanisms of computers and networks. It is common for people to attempt to ‘hack’ into the databases belonging to transactional web sites so that they can obtain customers’ details and steal their identities: if a hacker got hold of a customer’s personal details they could use them to buy items in that customer’s name.


Spyware

Spyware is an executable program that is often bundled with freeware or shareware the user has downloaded; it is installed on the user’s computer secretly so that its originator can watch what the user does. Spyware is frequently delivered as a Trojan horse, pretending to be something else: for example some sites offer what appear to be useful extensions to your web browser, such as extra toolbar buttons or a search bar, which also install a monitoring component in the background. The spyware then transmits a record of the user’s activities over the internet to its originator.

Sometimes, companies use Spyware on remote computers to collect marketing information. Some programs use information about your habits on the Internet to create pop-up adverts that relate to what you are doing. Spyware is also able to do the following:
· Monitor the web sites that the user has visited
· Monitor files used
· Collect keystrokes, meaning they are able to retrieve passwords and credit card numbers as they are typed
· Scan hard disks
· View chat sessions
· Change the default page of web browsers
· Hijack search engine activity to return certain web sites not wanted by the user

Damaging spyware is extremely common; however, most computer users are not aware of this.

Human error

Very often humans make mistakes that can have serious consequences for both the customer and the company. For example, if incorrect personal data is entered by accident and not corrected, the company is holding inaccurate data, which breaches the Data Protection Act’s requirement that personal data be accurate and can lead to the company being penalised. Customers also make mistakes on their own behalf, for example when entering their credit card details before a purchase; if the wrong details are entered the payment will not go through. Most seriously, if whoever configures the system fails to apply the right security settings, it becomes very easy for hackers to gain access to the company’s database.

Dishonest Employees

E.g. an employee might steal customers’ personal data and use it for their own benefit.

Natural Disasters

E.g. tornados, hurricanes, earthquakes, volcanoes, floods etc.

Theft

E.g. if a storage device holding customer details is stolen, the thief has the details of all of those customers in their possession (the data should be encrypted, but this is not always the case). This could have very bad consequences for the customers, as the thief can then use their details to make purchases.

Etc

What are the Preventative Measures for these Threats?

Encryption

Encryption is often used to protect personal data such as credit card numbers. The data is scrambled according to an algorithm (a mathematical rule or procedure) so that it is unreadable to anyone who intercepts or steals it; it can only be translated back into its original form by a computer with the correct software, and that software also needs a secret value called a ‘key’ before it can unscramble the data. Without the key the scrambled data is useless to a thief, which is why encryption matters both for data travelling over the internet and for data stored on the company’s own systems.
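As an added illustration of the idea (not part of the original report, and not any product it mentions), the following Python uses only the standard library to scramble a constructed card number under a secret key and to detect a wrong key or tampered data. It builds the keystream from HMAC-SHA256 in counter mode and appends an HMAC tag over the result (encrypt-then-MAC). The key, nonce size and sample card number are assumptions; a production system would use a vetted library’s AES-GCM rather than this hand-built construction.

```python
import hashlib
import hmac
import secrets
import struct

# Added example: keyed encryption with tamper detection using only the
# standard library.  HMAC-SHA256 acts as the keystream generator (counter
# mode) and as the integrity tag (encrypt-then-MAC).  Illustrative only:
# real deployments should use a vetted library's AES-GCM.

NONCE_LEN = 16   # assumed: a fresh random value per message, so keystreams never repeat
TAG_LEN = 32     # HMAC-SHA256 output length


def _derive_keys(master_key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from one master key."""
    enc_key = hmac.new(master_key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random bytes: HMAC(key, nonce || counter) for counter = 0, 1, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag.  Without the key the middle part is noise."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Check the tag first (constant-time), then unscramble.  A wrong key or any
    modified byte makes the tag mismatch, so corrupted plaintext is never returned."""
    enc_key, mac_key = _derive_keys(master_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Walk through the properties a shop cares about, on a constructed card number."""
    key = secrets.token_bytes(32)
    card = b"4111 1111 1111 1111"          # constructed test value, not a real card
    blob = encrypt(key, card)
    results = {
        "roundtrip": decrypt(key, blob) == card,
        "plaintext_not_visible": card not in blob,
    }
    try:                                   # a thief who has the data but not the key
        decrypt(secrets.token_bytes(32), blob)
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    tampered = bytearray(blob)
    tampered[NONCE_LEN + 2] ^= 0x01        # flip one bit inside the ciphertext
    try:
        decrypt(key, bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The tag is checked before anything is decrypted, so a stolen or altered record is rejected outright rather than producing garbage that downstream code might act on.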

Anti-Virus Measures

The following tips for anti-virus measures are given on the web site http://www.zyra.org.uk/avirus.htm:

· If using Windows, turn off the option that hides file extensions for known file types, so the real extension of every file is visible
· Be wary of files with two extensions such as .doc.com or .something.somethingelse, as well as ones ending in .exe, .bat, .scr, .com or .pif, as these are all executable; Windows runs a file according to its last extension, so a name like report.doc.exe is a program dressed up as a document
· Do not set the computer to run CDs automatically when they are inserted
· Never open email attachments if you do not know who sent them, and never run executable attachments unless you know the sender and know that they intended to send an executable
· Put your own address in your address book: if a virus tries to mail itself to all your contacts you will receive an unexpected email from yourself, and will know something is wrong so you can deal with the virus quickly
· Do not allow ActiveX controls to run automatically without a safeguard, and never let them run from an email, as this is almost always malicious
· Do not accept or run free screen savers sent by strangers
· Install anti-virus software (for example McAfee) and make sure it is suitable for the job: there is no point paying for a product designed for businesses with large amounts of data to protect if you only need it for a home computer with little data
· Beware of ‘free’ anti-virus software that arrives unsolicited, as it can contain the virus itself, e.g. the Klez-E Immunity scam
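The extension advice in the list above can be turned into an automatic check at the mail gateway. The Python below is an added example written for this page, not code from the site quoted above; the sets of ‘executable’ and ‘document-like’ extensions are assumptions built from the list (extend them for your own environment), and the sample file names are constructed.

```python
# Added example: triage of e-mail attachment names following the extension
# advice above.  EXECUTABLE_EXTS comes from the tips list; DOCUMENT_EXTS is an
# assumed set of types people think of as harmless.  Windows decides how to
# open a file by its LAST extension, so "invoice.doc.exe" runs as a program
# however the name is displayed, and spaces before the last extension are a
# common trick to push it out of view.

EXECUTABLE_EXTS = {".exe", ".bat", ".scr", ".com", ".pif"}
DOCUMENT_EXTS = {".doc", ".xls", ".ppt", ".pdf", ".txt", ".jpg", ".gif", ".zip"}


def extensions_of(filename: str) -> list:
    """Every dotted suffix, lower-cased, with padding spaces removed.
    'Invoice.DOC   .EXE' -> ['.doc', '.exe']."""
    parts = filename.strip().lower().split(".")
    return ["." + p.strip() for p in parts[1:] if p.strip()]


def assess_attachment(filename: str) -> tuple:
    """Return (verdict, reason); verdict is 'block', 'warn' or 'allow'."""
    exts = extensions_of(filename)
    if not exts:
        return "warn", "no file extension"
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            return "block", f"executable disguised as a {exts[-2]} document"
        return "block", f"executable file type {last}"
    if len(exts) > 1:
        # Not executable, but double extensions are unusual enough to flag.
        return "warn", "double extension (" + "".join(exts) + ")"
    return "allow", "ordinary attachment"


def triage(filenames) -> dict:
    """Group a batch of attachment names by verdict, e.g. for a gateway report."""
    report = {"block": [], "warn": [], "allow": []}
    for name in filenames:
        verdict, reason = assess_attachment(name)
        report[verdict].append((name, reason))
    return report


if __name__ == "__main__":
    # constructed sample attachment names
    sample = ["holiday photos.jpg", "invoice.doc.com", "Report.DOC   .EXE",
              "setup.exe", "notes.backup.txt", "README"]
    for verdict, items in triage(sample).items():
        for name, reason in items:
            print(f"{verdict:5} {name!r}: {reason}")
```

A check like this only inspects the name; a gateway should also look at the file’s contents, since an executable can be renamed to anything.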


Risk Analysis

This is when the company carries out an assessment of the potential risks faced by the organisation’s systems and of what might happen if valuable data is lost or stolen or if the system has a major failure. Most of the precautions in a risk assessment are common sense, and the first step is to identify the potential threats to stored data (see the section on risks to data for more information). Once the risks have been identified they are classified according to how likely they are and how much harm they would do, with the most dangerous classified as ‘high’ and insignificant ones as ‘low’. Spending on protection can then be directed at the high risks first, and a recovery plan drawn up containing the steps to be taken in the event of data loss. Risks and security protection should be reviewed regularly to allow for changes in equipment and operations. The company must be aware of risks from inside the organisation as well as outside: it is usually harder to protect data from dishonest employees than from outsiders, because many employees have a high level of access to the system. Particular care is needed when employees leave, to make sure their accounts are disabled and they have not left any ‘back doors’, meaning alternative ways into the system.

Passwords

Passwords are used to control access to data: only those permitted to access the data are told the password, it is kept secret from everyone else, and anyone who enters the wrong password is denied access. A major weakness of passwords is that they can be guessed. This is less of a problem if people avoid passwords that are easy to guess, such as the name of a pet or family member, or default passwords such as ‘password’, and make their passwords longer and mix in numbers and symbols. Some companies also require employees to change their passwords regularly, so that a guessed password does not stay useful for long. However, software is available to attackers that automatically tries millions of passwords, so the system should also slow down or lock out repeated wrong guesses and must store passwords in a form that cannot simply be read out if the database is stolen.
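The two defences mentioned at the end of that paragraph, shown as an added Python example (not code from the report or from Attitude): passwords are stored as salted, deliberately slow PBKDF2 hashes rather than in clear, and a login guard counts wrong guesses per account and locks the account for a period once the limit is reached. The iteration count, failure limit and lockout period are assumptions to be tuned for a real system.

```python
import hashlib
import hmac
import os
import time

# Added example (not from the report): storing passwords so that a stolen
# database does not hand over the passwords themselves, and slowing down or
# locking out the automated guessing described above.  ITERATIONS and the
# lockout settings are assumptions to tune for your own systems.

ITERATIONS = 100_000   # PBKDF2 work factor: makes every guess deliberately expensive


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash.  The random salt means two users with the same password
    get different records, so one cracked record reveals nothing about the others."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, attempt: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class LoginGuard:
    """Counts wrong guesses per account and locks the account after too many,
    so 'millions of guesses' software is reduced to a handful per lockout period."""

    def __init__(self, records: dict, max_failures: int = 5, lockout_seconds: int = 900):
        self.records = records            # username -> stored hash string
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}
        self.locked_until = {}
        # Hash checked when the user does not exist, so response time does not
        # reveal which usernames are valid.
        self._decoy = hash_password(os.urandom(8).hex())

    def login(self, username: str, attempt: str, now=None) -> str:
        """Return 'ok', 'denied' or 'locked'.  `now` can be supplied for testing."""
        now = time.time() if now is None else now
        if self.locked_until.get(username, 0) > now:
            return "locked"
        record = self.records.get(username, self._decoy)
        ok = verify_password(record, attempt) and username in self.records
        if ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery")}   # constructed account
    guard = LoginGuard(users, max_failures=3, lockout_seconds=60)
    for guess in ["password", "alice123", "Alice2008", "correct horse battery"]:
        print(guess, "->", guard.login("alice", guess))
```

Even the right password is refused while the account is locked; the legitimate user waits out the period or contacts support, and the attacker’s guess rate collapses.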

Access Levels

In some companies, different people are allowed to access different data, so some employees have higher access levels than others. Employees should only have access to the data they need for their jobs (the principle of ‘least privilege’), only very trusted employees should have access to the most sensitive data, and as few people as possible should be granted access to customers’ personal information.
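An added example of access levels enforced in code (not part of the report; the roles, permissions and customer record are all constructed for illustration): each role is granted only the permissions its job needs, anything not granted is refused by default, payment staff see only a masked card number, and every decision is written to an audit trail so misuse by an insider can be traced.

```python
from functools import wraps

# Added example (not from the report): access levels enforced in code.  The
# role table and the customer record are constructed.  Anything not granted is
# denied (deny by default) and every decision is recorded for audit.

ROLE_PERMISSIONS = {
    "warehouse":        {"order:read_shipping"},
    "customer_service": {"order:read_shipping", "customer:read_contact", "payment:read_masked"},
    "finance":          {"payment:read_masked"},
    "security_admin":   {"customer:read_contact", "payment:read_full"},
}

AUDIT_LOG = []   # (user, permission, decision); in production, tamper-evident storage


class PermissionDenied(Exception):
    pass


def has_permission(user: dict, permission: str) -> bool:
    """Unknown roles get an empty permission set, so the answer is 'no' by default."""
    return permission in ROLE_PERMISSIONS.get(user.get("role"), set())


def requires(permission: str):
    """Decorator: the wrapped function runs only if the calling user holds the permission."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            allowed = has_permission(user, permission)
            AUDIT_LOG.append((user.get("name"), permission, "allowed" if allowed else "denied"))
            if not allowed:
                raise PermissionDenied(f"{user.get('name')} lacks {permission}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


# Constructed customer record for the example.
CUSTOMER = {"name": "A. Customer", "address": "1 High Street, Anytown",
            "phone": "01234 567890", "card": "4111111111111111"}


@requires("order:read_shipping")
def shipping_label(user, customer):
    return f"{customer['name']}, {customer['address']}"


@requires("customer:read_contact")
def contact_details(user, customer):
    return {"name": customer["name"], "phone": customer["phone"]}


@requires("payment:read_masked")
def masked_card(user, customer):
    """Staff who handle payments normally need only the last four digits."""
    return "**** **** **** " + customer["card"][-4:]


@requires("payment:read_full")
def full_card(user, customer):
    return customer["card"]


def try_access(user, action, customer=CUSTOMER):
    """Run an action and report the outcome instead of raising."""
    try:
        return ("allowed", action(user, customer))
    except PermissionDenied:
        return ("denied", None)


if __name__ == "__main__":
    packer = {"name": "pat", "role": "warehouse"}
    clerk = {"name": "sam", "role": "finance"}
    for who, action in [(packer, shipping_label), (packer, full_card),
                        (clerk, masked_card), (clerk, full_card)]:
        print(who["name"], action.__name__, try_access(who, action))
    print(AUDIT_LOG)
```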

Backup

Companies should always keep up-to-date backup copies of their data so that if data is lost it can be restored. The company should choose a backup method suited to the type and amount of data, decide how often it needs backing up, and decide what needs backing up in the first place (not everything needs to be copied every time, which would take a very long time and is unnecessary). Once a first full backup has been taken, incremental backups (copying only the files that have changed since the last backup) are usually sufficient. A backup is only useful if it is kept away from the original copy and if restoring from it has actually been tested.
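The incremental idea, as an added Python example (not from the report): a manifest of file digests records what the last backup contained, and on each run only new or changed files are copied, while the manifest itself lets you check that the backup is complete before you need it. The directory layout and the sample files in demo() are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Added example (not from the report): a minimal incremental backup.  A manifest
# of SHA-256 digests records what the previous backup contained; each run copies
# only files whose content is new or changed.  Layout and sample data are
# constructed.  Keep backup_dir outside the source tree, preferably on another
# machine or medium.


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def incremental_backup(source, backup_dir) -> dict:
    """Copy new/changed files from source into backup_dir/data and update the manifest."""
    source, backup_dir = Path(source), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest_path = backup_dir / "manifest.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    report = {"copied": [], "unchanged": [], "removed": []}
    seen = set()
    files = sorted((p for p in source.rglob("*") if p.is_file()),
                   key=lambda p: p.relative_to(source).as_posix())
    for path in files:
        rel = path.relative_to(source).as_posix()
        seen.add(rel)
        digest = file_digest(path)
        if manifest.get(rel) == digest:            # content identical to last backup
            report["unchanged"].append(rel)
            continue
        dest = backup_dir / "data" / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = digest
        report["copied"].append(rel)
    for rel in sorted(set(manifest) - seen):       # deleted at source: forget it in the
        report["removed"].append(rel)              # manifest but keep the copy, so an
        del manifest[rel]                          # accidental delete can still be undone
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return report


def backup_is_consistent(backup_dir) -> bool:
    """Restore test: every manifest entry exists in the backup with the recorded digest."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    return all((backup_dir / "data" / rel).is_file()
               and file_digest(backup_dir / "data" / rel) == digest
               for rel, digest in manifest.items())


def demo() -> dict:
    """Two runs over a constructed data set: the second copies only what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "shop", Path(tmp) / "backup"
        (src / "orders").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,A. Customer\n")
        (src / "orders" / "2008-01.csv").write_text("order,customer\n100,1\n")
        first = incremental_backup(src, dst)
        (src / "orders" / "2008-01.csv").write_text("order,customer\n100,1\n101,1\n")  # changed
        (src / "orders" / "2008-02.csv").write_text("order,customer\n102,1\n")          # new
        second = incremental_backup(src, dst)
        return {"first": first, "second": second, "consistent": backup_is_consistent(dst)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Comparing digests rather than modification times means a file whose timestamp was reset, or one restored from an older copy, is still picked up correctly.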

Training

It is important that employees are trained to handle data properly so that human error does not lead to data loss. Properly trained employees are less likely to make careless mistakes such as deleting important data by accident.

Firewalls

Applied ICT Data Security Report plan:
What is E-Commerce?
E-Commerce is the buying and selling of goods or services using electronic systems, most often through transactional web sites.

Why is E- Commerce more susceptible to threats than normal commerce?
E-Commerce is more exposed to threats than ordinary commerce for several reasons. Firstly, the information the customer enters is sent over the internet and passes through many computers before it reaches its destination. Secondly, the customer gives much more personal information than in ordinary commerce; e.g. if you buy something in a shop you do not have to give your name, address or even your card details if you pay by cash.

What information has the customer given to the website?
Name, address, telephone number, credit card details
What are the threats to Data Security for E-Commerce?
1.Viruses
2.Hackers
3.Spyware
4.Hardware failure
5.Human error
6.Dishonest employees
7.Natural disasters
8.Theft
9.Terrorism
10.Flood and fire

What are the preventative methods for these threats?
1.Encryption
2.Anti-virus measures
3.Risk analysis
4.Passwords
5.Access levels
6.Backup
7.Training
8.Firewalls
9.Secure Electronic Transactions (SET)
10.Physical security
Describe the legislation that the business should be aware of:
1.Computer Misuse Act
2.Data Protection Act
3.
4.
5.
How effective are these pieces of legislation?
1.Only effective to a certain extent, because technology is always changing so there are always new viruses and new ways of hacking into computers
2.Find e.g
3.
4.
5.
Overall conclusions:
Is data secure on this website – yes:
1. Preventative methods (above section – used by Attitude)
2. Legislation
3.
Is data insecure on this website – no:
1. Legislation not always effective
2. Hackers etc.
3.
Overall conclusion:
1.
2.
3.
Macintosh HD:Users:mhighmore:Documents:Report plan y12.docx Created on 21/01/2008 13:33
