Taught by Prof. Tim Richardson, School of Marketing and e-Business, Faculty of Business
DETAILED OUTLINE, Security Considerations©
4. Security Considerations
In dealing with a matter as serious as internet security it is prudent to issue a "disclaimer". It is not intended that the presentation of these topics will result in participants learning everything they need to know about e-security, but rather to:
1. create an awareness of the business and marketing consequences of these security considerations
2. identify resources they can access should they need to know a lot more
This section of IEC 719 will be delivered with some key guest speakers, in addition to lectures by the course professor and related reading material.

Security can be broadly categorized into three main areas (WTGR). This section of IEC 719 will be focusing on Corporate Security.

National security
- security of the country's border, property and assets from general external risks and threats
- protection and defense against the activities of hostile countries or organizations
- security and safety of the citizens

Corporate security
- security of the company's property and assets from general and unspecified external risks and threats
- protection and defense against the targeted activities of hostile competing companies, organizations or individuals, which would negatively affect the company's ability to achieve profit and its prime corporate goals
- security and safety of the employees

Personal security
- security for your family and protection of property
- personal protection and defense against an attack specifically directed at you
The following topics will be covered:
- Copyright Protection Techniques
- Principles of competitor monitoring
- Competitor Intelligence and its role in new product development
- Security monitoring services
- Policy and Procedures (SOP)
- Firewall and other hardware and software considerations
- Security of sending and receiving messages and data
- Sabotage, hacking vulnerabilities, viruses
- Government involvement in internet crime and e-business security
The subject of security concerns cannot be properly dealt with in this section given time constraints. Originally, when IEC 802 was taught in 1999, security concerns were only mentioned in one and a half classes. In IEC 719 (Sept-Dec 2000) we have made security concerns a whole section of one month. Ideally, security concerns could be a complete course by itself, but our present IEC curriculum does not allow for this. This section of the course will be delivered in December and, due to final exam schedules and Christmas holidays, we will only be able to have 3 (possibly 2) in-class sessions to discuss this material.

There is more material listed below than we can discuss in class. We will concentrate on the issues at the beginning of this list and leave the topics at the end for your personal reading interest should you have the time.
The criteria for choosing the following links and information are not based on creating "e-commerce experts" among the IEC participants but rather on giving you a solid introduction to the major topics in this area and allowing you to know about the risks and consequences. Most of these links allow you to read much further if you develop a strong interest in a particular area (e.g. Digital
On SANS's web page, which includes the listing "How To Eliminate The Ten Most Critical Internet Security Threats", the introduction provides some important points we should consider in beginning this section of the IEC 719 course, namely:
- The majority of successful attacks on computer systems via the Internet can be traced to exploitation of one of a small number of security flaws.
- Recent compromises of Windows NT-based web servers are typically traced to entry via a well-known vulnerability.
- A few software vulnerabilities account for the majority of successful attacks because attackers are opportunistic, taking the easiest and most convenient route. They exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, by scanning the Internet for vulnerable systems.
- System administrators report that they have not corrected these flaws because they simply do not know which of over 500 potential problems are the ones that are most dangerous, and they are too busy to correct them all.
Electronic Commerce: Security, Risk Management and Control by Greenstein. In the 4th section of IEC 719, this book by Greenstein should be used more extensively than it was in Nov 2000. Ideally this section of the course should utilize the following chapters in Greenstein:
- Chapter 5, Risk of Insecure
- Chapter 6, Risk Management
- Chapter 7, Internet Security
- Chapter 8, Cryptography
- Chapter 9, Firewalls
will be covered by Prof. David Bath's classes
Hannon's book The Business of the Internet, Chapter 6, deals with business security issues and is strongly recommended reading. This chapter discusses how computer security gets more complicated when companies start using the Internet for business, and the additional measures business must take to protect their information.

The chapter begins with a very good example of how a system was hacked by focusing on the weakest link. It recounts how:

"Fortune magazine found a company named WheelGroup, a security company located in San Antonio, Texas. Run by Tony Jennings, a former Air Force captain, WheelGroup also employs former National Security Agency employees. Armed with computers, modems, and phone lines, WheelGroup set its sights on a company identified only as "Corp. XYZ". Its mission was to crack this company's internal computer security system.

The WheelGroup began by locating the company in the public records of InterNIC, the Internet computer registry service. In doing so, WheelGroup determined all the addresses of the company's computers that were actually connected to the Internet. Several hours later, the group encountered the company's firewall. The firewall had just been installed and contained all the latest security features. No break-in through the firewall occurred. This could be the end of the story if it were not for a device called a "dialer." A dialer is a program that automatically dials thousands of numbers looking for phones that are answered by modems. WheelGroup used such a program and found six computers that not only answered the call with a modem, but also responded to a common account name and password for that kind of computer."

Read Chapter 6 to find out how the story ended. The lesson for the practitioner is that a perimeter control only protects the paths it sits on: the modems answering with default account names and passwords were a second entry point the new firewall never saw, so an inventory of every way into the network matters as much as the quality of any one control.

(WheelGroup no longer exists as an independent company; in April 1998 it was bought out by Cisco for $124 million.)
In Schneider and Perry's new book, Chapter 5 is titled "Security Threats to Electronic Commerce" and Chapter 6 is titled "Implementing Security for Electronic Commerce".

In Chapter 5 one of the key points noted at the beginning of the chapter is Security Policy and Integrated Security. Various experts agree that most security incidents in e-commerce are caused by people either not having a sound security policy that sets out procedures, or having a policy but not following it. The rest of the material in the chapter is organized around three themes:
- protecting client computers
- protecting the transmission of information on the Internet
- protecting the e-commerce server
Dan Janal is the author of several books, and much of the content is helpfully available online. One of his books, Risky Business: Protect Your Business from Being Stalked, Conned or Blackmailed on the Web, is particularly helpful to this section. In an online excerpt from this book, Mr. Janal lists 30 practical ways to protect yourself and your organization from online attacks. The list, which you should read through in full, includes:
5. If you sell products on the Internet, fight fraud by requiring customers to tell you where they live. Credit card companies call this "address verification" and it can cut your fraud rate down to next-to-nothing!

9. Check out your online image. Are people spreading inaccurate information about your company via the Internet? This has happened to Tommy Hilfiger, Snapple, Neiman Marcus and many other companies. Use search engines to check everything that's being said about your company -- and notify the people when they say misstatements!
The SANS Institute http://www.sans.org, Bethesda, Maryland, USA. In their own words: "The SANS (System Administration, Networking, and Security) Institute is a cooperative research and education organization through which more than 96,000 system administrators, security professionals, and network administrators share the lessons they are learning and find solutions for challenges they face. SANS was founded in 1989."

What does SANS offer people interested in the most contemporary and reliable internet security information? SANS offers three different free electronic subscriptions:

Security Alert Consensus (SAC): a definitive weekly summary of new alerts and countermeasures, with announcements from SANS, CERT, the Global Incident Analysis Center, the National Infrastructure Protection Center, the U.S. Department of Defense, Security Portal, Sun, and several other vendors.

SANS NewsBites (weekly): NewsBites keeps up with everything going on in the computer security world. A dozen or two articles, each just one, two, or three sentences in length, elaborate a URL that points to the source of the detailed information.

SANS Windows Security Newsletter: provides updates to NT Security: Step-by-Step and guidance on new Hotfixes and Service Packs that should and should not be implemented. It also summarizes new threats and bugs found in Windows and its services.
Electronic Commerce Resource Center, Bremerton, WA USA. The ECRC Program is sponsored by the U.S. Department of Defense Joint Electronic Commerce Program Office (JECPO). The Bremerton ECRC is operated by Concurrent Technologies Corporation, EDC of Kitsap County and Olympic College for JECPO.

The ECRC describes itself as a "clearinghouse and jumpstation for electronic commerce information". "The Security Resources page includes resources on a variety of security issues, including document transfers, financial transactions, firewalls, and virus information. The ECRC also offers a free Internet Security Issues seminar."
Mr. Sean Rooney, President. Mr. Rooney is personally very knowledgeable about the "hacker and cracker" side of the security industry and can provide some "nitty gritty" insights into what vulnerabilities can exist and why we should be concerned.

Coldstream is a Canadian IT security service company offering many security services, among them Security Assessment Teams: small, specialised units whose purpose is to assess the integrity of client systems.

The purpose of noting Mr. Rooney is to let you know of the existence of these specialized firms and how they can be useful to you when you are involved with client situations or employers that require "serious" IT security services.
"Security is a process, not a product" - Bruce Schneier, CTO of Counterpane, author of the book Applied Cryptography.

Read the BusinessWeek article interviewing Bruce Schneier about "distributed denial-of-service attacks":

"The nature of distance has also changed. In the world offline, your house only has to be secure from criminals within driving distance. On the Net, eBay (EBAY) and Yahoo! (YHOO) must be concerned about everyone on the planet. The hackers need not be in America. This is the death of distance: Crime is no longer based on ..."

"We are dealing with the fact that software products are always buggy, and probably always will be. At the same time, systems are too complex to secure. We actually can't test security to the level we need to. We'll see three or four major bugs in each new version of Windows or Explorer or Java. New products are coming out faster and faster, so we keep losing ground. We've been finding and fixing security bugs in past years, but none of those fixes transfers forward. For all these programs, a new version comes out, the new version is more complex, and there are new bugs."
Aladdin Knowledge Systems, Internet Security Unit, is based in Seattle. From their main web site you can also see a link to a "Glossary of terms".

Shimon Gruper is the Chief Technology Officer of Aladdin's Internet Security Unit. Gruper has had a list of Top 10 Security Tips on Aladdin's web site for quite some time and the list is quite valuable to refer to. The 10 tips, in point form (the link was not active at the time of writing):
1. The Safe use of Email
2. Vandals in Word Documents?
3. Setting Browser Security
4. Buying Products over the
5. Protecting your Personal
6. What about Cookies?
7. Are Java and ActiveX Safe?
8. Are Plug-ins and Push
9. What about Viruses?
10. How to handle Spam Mail
Matthew Friedman, writing in the Plesman publication e-Business, authored an article in April 2000 about hackers in which he said that "Security Managers are confident in the security postures of their organizations. But a recent report suggests they might not be getting the whole picture". Friedman notes that in Feb 2000 the publicized stories of hackers overloading some well known sites like Yahoo raised awareness of security issues, but he goes on to cite some experts who say not enough is being done and, more importantly, that key people don't understand the implications of security vulnerabilities. Friedman quotes Steven Ross, Deloitte & Touche's director of e-business technologies and security: "there's a feeling among the security people themselves that management doesn't understand the issues like ..."

Friedman's article is a very good report on the key issues and you are strongly encouraged to read it.
Much of the material in this section (either in direct quotes or summary form) comes from e-Scotia.com, which has a whole page on Security and Cryptography.

There are 5 key components of security in correspondence that business is trying to establish in e-commerce:

Confidentiality - the communication between two parties has not been seen by a third party and the content of the communication has remained secret.

Integrity - the communication has not been tampered with nor has the message been edited (for example, the amount of money changed), and there must be a way of matching the copy held by the receiver to the original sent by the sender.

Authentication - the identity of the author/sender can be verified so that the receiver knows the message/information did indeed come from the proper source.

Non-repudiation - the sender cannot deny having sent the message, nor can they have the means to change any of the content (including currency amounts) within the message. This is critical to keeping agreements when the time lag between sending and receiving sees market conditions change.

Access Control - only the authorized recipient can open the message. Usually, to open it you need a cryptographic key: a large number that is infeasible to guess or derive, so that nobody without it can read the message.
These protections work on two levels, encryption and digital signatures.

Encryption: data is scrambled (digitally encrypted) and only parties who have the right key can unlock and decode the data. Encryption allows communication to be confidential; however, on its own it will not:
- provide proof that the originator has participated in the transaction
- authenticate the identity of the sender
- protect the data from being intercepted and modified

Digital signatures can be verified by third parties trusted by both sender and receiver. In e-commerce, leading financial institutions and government authorities are positioning themselves to be "certification authorities". When the digital signature of the sender is validated through a "certification authority", assurance can be provided that:
- the sender of a message/transaction is who they claim to be
- the sender has participated in the transaction, meaning they are aware of the content (and the amounts, if money is part of the message)
- the information details (payee or payor) and any statement of money have not been changed in mid-transit
In the on-line version of Chapter 6 of his book The Business of the Internet, Neil Hannon notes a link to an article about a Netscape Communications Corp. white paper that deals with the issue of intranet security and some of its many challenges:

"Cryptography Is The Key To Intranet Security Needs", Copyright (c) 1997 CMP Media.

"What is cryptography? Cryptography comprises a family of technologies that include the following:
Encryption transforms data into some unreadable form to ensure privacy. Internet communication is like sending postcards in that anyone who is interested can read a particular message; encryption offers the digital equivalent of a sealed envelope.
Decryption is the reverse of encryption; it transforms encrypted data back into the original, intelligible form.
Authentication identifies an entity such as an individual, a machine on the network or an organization.
Digital signatures bind a document to the possessor of a particular key and are the digital equivalent of paper signatures. Signature verification is the inverse of a digital signature; it verifies that a particular signature is valid."
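The e-Scotia list of five components and the Netscape definitions above describe what encryption and digital signatures each provide. The Go program below is an added example written for this outline (it is not code from e-Scotia, Netscape, Hannon or any other source cited here) and uses only Go's standard library. It encrypts a constructed payment instruction with AES-CTR and shows that an attacker who knows the message layout can change the amount without the key; it then shows the same tampering rejected by AES-GCM (integrity) and by an Ed25519 signature (authentication of the sender and non-repudiation). The message, key, IV and nonce are constructed test values, and the type and function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed sample payment instruction; the attacker's goal is to change the amount.
const sampleMessage = "PAY payee=ACME-SUPPLIES amount=00100.00 CAD"

// Constructed fixed key material so the run is repeatable; real keys come from a
// CSPRNG, are never hard-coded, and a GCM nonce is never reused under one key.
var (
	testKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	testIV    = []byte("ctr-iv-16-bytes!")                 // 16-byte CTR IV
	testNonce = []byte("gcm-nonce-12")                     // 12-byte GCM nonce
)

// amountPos is the offset of the amount's first digit; knowing the layout needs no key.
var amountPos = bytes.Index([]byte(sampleMessage), []byte("amount=")) + len("amount=")

// xorCTR encrypts or decrypts with AES-CTR. Confidentiality only: each ciphertext bit maps to one plaintext bit.
func xorCTR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// tamper flips the bits that turn the leading '0' of the amount into '9'.
func tamper(ciphertext []byte) []byte {
	out := append([]byte(nil), ciphertext...)
	out[amountPos] ^= '0' ^ '9'
	return out
}

// amountField reads the amount back out of a decrypted message.
func amountField(msg []byte) string {
	return string(bytes.Fields(msg[amountPos:])[0])
}

// Outcome records what each mechanism did with the tampered message.
type Outcome struct {
	CTRAmountSeen     string // what the receiver reads after encryption-only protection
	GCMRejected       bool   // AES-GCM (confidentiality + integrity) refused to decrypt it
	SignatureRejected bool   // Ed25519 refused the altered message (integrity)
	WrongKeyRejected  bool   // the signature fails against someone else's key (authentication)
}

// Run walks the sample message through encryption only, authenticated encryption and a digital signature.
func Run() (Outcome, error) {
	var o Outcome
	msg := []byte(sampleMessage)
	// 1. Encryption only: the receiver decrypts a changed amount and cannot tell.
	ct, err := xorCTR(testKey, testIV, msg)
	if err != nil {
		return o, err
	}
	altered, err := xorCTR(testKey, testIV, tamper(ct))
	if err != nil {
		return o, err
	}
	o.CTRAmountSeen = amountField(altered)

	// 2. Authenticated encryption: the same bit flip makes decryption fail outright.
	block, err := aes.NewCipher(testKey)
	if err != nil {
		return o, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return o, err
	}
	_, err = gcm.Open(nil, testNonce, tamper(gcm.Seal(nil, testNonce, msg, nil)), nil)
	o.GCMRejected = err != nil
	// 3. Digital signature: binds the exact content to the holder of the private key. Anyone with
	// the public key can check it and the receiver could not have made it (non-repudiation).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	sig := ed25519.Sign(priv, msg)
	o.SignatureRejected = !ed25519.Verify(pub, altered, sig)
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	o.WrongKeyRejected = !ed25519.Verify(otherPub, msg, sig)
	return o, nil
}

func main() { fmt.Println(Run()) }
```

Run() returns an Outcome in which the CTR-only receiver reads 90100.00 while GCM and the signature both reject the altered message. The two signature checks are the mechanical basis of the assurances the e-Scotia passage lists: a signature verifies only against the message exactly as signed, and only against the signer's public key.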
Users of Netscape Communicator version 4.7+ can now surf their way to the SmartUpdate service and obtain a significant encryption capability upgrade. The update consists of a single file, which minimizes download time dramatically. The new security will give Netscape browser users a major upgrade from international-grade encryption (56-bit) to US-grade encryption (128-bit), significantly increasing the safety of e-commerce and enabling online banking and bill-paying. The difference matters in practice: a 56-bit key space had already been searched exhaustively by a purpose-built machine in 1998, whereas 128-bit keys are beyond brute force.
"Why Cryptography Is Harder Than It Looks" by Bruce Schneier, CTO and Founder, Counterpane Internet Security, Inc. (as cited by Neil Hannon). WTGR notes this is a very, very useful article to read thoroughly. Here is a snapshot of some of the points made by Schneier:

"... In the end, many security systems are broken by the people who use them. Most fraud against commerce systems is perpetrated by insiders. Honest users cause problems because they usually don't care about security. They want simplicity, convenience, and compatibility with existing (insecure) systems. They choose bad passwords, write them down, give friends and relatives their private keys, leave computers logged in, and so on. It's hard to sell door locks to people who don't want to be bothered with keys. A well-designed system must take people into account. Often the hardest part of cryptography is getting people to use it. ... It's hard to build a system that provides strong authentication on top of systems that can be penetrated by knowing someone's mother's maiden name."

- a very long article explaining ...
As a former consultant on a specific aspect of international security related matters, the author of this course knows from experience that one of the biggest problems in implementing a successful security solution is the customer themselves. No amount of security hardware, software, systems and procedures can be successful if the customer:
- does not understand how to use it
- will not use it effectively
- cannot get everybody in the organization to follow proper procedures
- has internal threats caused by disgruntled employees
Joaquim Menezes, writing in Computing Canada, subtitled a May 26th article "Expert Says Ignorance, Internal Threats far more Problematic than Possible External Threats". There are a number of articles we could swamp you with reading in this area, but suffice it to say that a good summary of the issues could be quoted from Richard Reiner: "A disgruntled employee with access to corporate passwords can wreak much more damage than a hacker who has got into a system by exploiting a buffer overflow".
"Investigators Root Out
Elusive Internal Security Threats" is the title of an article by Geoffrey Downey in the May 26th, 2000 issue of Computing Canada. Downey's article carries the theme that companies shouldn't just be concerned about the outside world when trying to eliminate security threats. Downey quotes extensively from Scott Loveland, a former RCMP officer who works with other former Mounties at KPMG's security branch, KPMG Investigation and Security. Loveland is quoted by Downey as saying that in terms of real problems in security, "the threat from internal is larger than external in terms of frequency"; meaning, the people who are going to cause security problems are most frequently going to be unhappy current employees who have access to the system, which makes it difficult to defend against.

Loveland also cautions that sometimes "some perceived security issues aren't attacks at all ... For example, if you have a server that is getting 65,000 hits on the administrator password with failed log-ins, is that a penetration from the outside, ... or is that a misconfigured NT box somewhere in the testing lab?" The practical check is to look at where the failures come from and how they are spaced: one internal address retrying a single account on a fixed interval points to a broken configuration, while many accounts tried from outside addresses points to an attack.
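Loveland's question (65,000 failed administrator logins: outside attack or misconfigured lab box?) can be answered from the logon records themselves. The Go program below is an added example for this outline, not code from Downey's article or from KPMG; it runs over a constructed sample of logon records in an assumed format (timestamp, source address, account, result), groups failures by source, checks whether the source is on an RFC 1918 private range, counts the distinct accounts tried, and checks whether the failures arrive on a fixed interval, which is what a script or service retrying a stale password looks like. The log lines, field names and thresholds are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// Constructed sample logon records (not real logs); format: RFC3339 time, src=<ip>, user=<account>, result=FAIL|OK.
const sampleLog = `2000-05-26T09:00:00Z src=10.1.5.7 user=administrator result=FAIL
2000-05-26T09:00:30Z src=10.1.5.7 user=administrator result=FAIL
2000-05-26T09:01:00Z src=10.1.5.7 user=administrator result=FAIL
2000-05-26T09:00:12Z src=203.0.113.45 user=administrator result=FAIL
2000-05-26T09:00:13Z src=203.0.113.45 user=admin result=FAIL
2000-05-26T09:00:17Z src=203.0.113.45 user=root result=FAIL
2000-05-26T09:03:00Z src=10.1.9.20 user=jsmith result=OK`

// isInternal reports whether addr is in an RFC 1918 private range.
func isInternal(addr string) bool {
	ip := net.ParseIP(addr)
	for _, c := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		if _, n, _ := net.ParseCIDR(c); ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// SourceSummary: is this one host retrying one account on a timer (misconfiguration) or a source walking accounts (attack)?
type SourceSummary struct {
	Failures int
	Accounts int  // distinct account names tried
	Internal bool // source is on the private network
	Regular  bool // gaps between failures agree to within the jitter
	Verdict  string
}

// regularCadence is the signature of a script or service on a timer. It assumes ts is in log order.
func regularCadence(ts []time.Time, jitter time.Duration) bool {
	if len(ts) < 3 {
		return false
	}
	lo, hi := ts[1].Sub(ts[0]), ts[1].Sub(ts[0])
	for i := 2; i < len(ts); i++ {
		if g := ts[i].Sub(ts[i-1]); g < lo {
			lo = g
		} else if g > hi {
			hi = g
		}
	}
	return hi-lo <= jitter
}

// Summarize groups failed logons by source and classifies each source with at least minFailures.
func Summarize(log string, minFailures int, jitter time.Duration) (map[string]SourceSummary, error) {
	times := map[string][]time.Time{}
	users := map[string]map[string]bool{}
	for _, line := range strings.Split(log, "\n") {
		var t, src, user, res string
		if _, err := fmt.Sscanf(line, "%s src=%s user=%s result=%s", &t, &src, &user, &res); err != nil {
			return nil, fmt.Errorf("malformed record %q: %v", line, err)
		}
		when, err := time.Parse(time.RFC3339, t)
		if err != nil {
			return nil, err
		}
		if res != "FAIL" {
			continue // successes are not part of this question
		}
		times[src] = append(times[src], when)
		if users[src] == nil {
			users[src] = map[string]bool{}
		}
		users[src][user] = true
	}
	out := map[string]SourceSummary{}
	for src, ts := range times {
		if len(ts) < minFailures {
			continue
		}
		s := SourceSummary{Failures: len(ts), Accounts: len(users[src]), Internal: isInternal(src)}
		s.Regular = regularCadence(ts, jitter)
		switch {
		case s.Internal && s.Accounts == 1 && s.Regular:
			s.Verdict = "probable misconfigured internal host; verify it before calling this an attack"
		case s.Internal:
			s.Verdict = "internal account guessing; investigate the host and its user"
		default:
			s.Verdict = "external password guessing; block the source and investigate"
		}
		out[src] = s
	}
	return out, nil
}

func main() { fmt.Println(Summarize(sampleLog, 3, 2*time.Second)) }
```

With the sample, the internal host 10.1.5.7 (one account, 30-second cadence) is flagged as a probable misconfiguration and 203.0.113.45 (several accounts, irregular timing) as external guessing. The verdicts are a starting point for an analyst, not a conclusion: an insider can also hammer one account on a timer, which is exactly Loveland's point about internal threats.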
Scanned article re: Royal Bank buying Security First Network Bank.

"Royal Bank in Wireless ..." is the title of a 13 June 2000 article written by Vito Pilieci for The National Post. In August 2000, the online version of this story was still available. Royal Bank formed a company with Baldhead Systems (www.baldhead.com/) to provide secure wireless banking and brokerage services. The new company will be named Sona Innovations; Royal Bank will own 20% and Baldhead will own 80%. In August 2000, people viewing Baldhead's splash page could see the Royal Bank logo along with the words "Corporate partners with" and a click-through to the Royal Bank web site.

Pilieci quotes Jim Connor, Manager of Electronic Services Technologies for Royal Bank, as saying "This gives us the opportunity to put a product out where we have end-to-end security between the palm unit and our back-end systems". On Baldhead's web site they still have the digital version of the June 2000 press release, where you can read all the points yourself. This clearly indicates that Royal Bank expects more and more customers to be accessing banking services through mobile devices, and they are building capability by buying into a company developing products for this market.
"There are many reasons
to personalize information (like on My Yahoo or Excite), or to help with on-line sales/services (like on Amazon Books or Microsoft), or simply for the purposes of tracking popular links or demographics (like DoubleClick)." Cookies also provide programmers with a quick and convenient means of keeping site content fresh and relevant to the user's interests, because the cookie tells them simple information about who has been hitting what part of the page.

Some cookie FAQs. The following is quoted from a cookie FAQ page:

"Many Netizens are concerned, "If I allow a Web 'cookie' to be set, someone can access my hard drive." However, cookies cannot be used to get data or view data off your hard drive. Cookies can only get data from what has been written to the cookie file. Are cookies dangerous to your computer? NO. The cookie is simply a text file saved in your browser's directory or folder. It cannot be used as a virus, and it cannot access your hard drive. MSN and Netscape use cookies to store information so you don't have to remember it (passwords, etc.). If you want to see what information is stored in your cookie file, use a word processor to open a file called cookies.txt or MagicCookie. Don't want to accept cookies? Configure your browser to warn you when one is about to be set or refuse them all. It's your choice."
"IT's Battleground: The
Quest for Virus Protection" is the title of an August 4th, 2000 article in Computing Canada.

It is not the intention of this part of the course to adequately cover all the various types of viruses that may affect e-commerce, since we do not have the time or resources to do that satisfactorily; but it is important to have some understanding of the business risk at stake here and to try to evaluate whether it is a serious problem, because, if it is, then every e-commerce professional needs to add to their portfolio of knowledge some degree of understanding about viruses.

In this August 4th article it is noted that "A recent survey estimated that viruses and other destructive acts will cost large businesses (over 1,000 employees) worldwide $US1.6 trillion this year and result in almost 40,000 person-years of lost productivity ... It's no wonder the anti-virus software market has hit almost $US70 million so far this year".

Is the problem getting worse? At this stage statistics on known virus attacks seem to indicate the problem is getting worse. For the most part, security experts believe the majority of virus attacks are made by unhappy employees and egotistical hackers and crackers; it does not appear to be something that companies are employing against each other to give themselves a competitive edge, but it may not be long before this happens, since businesses large and small have been known to use very "illegal and immoral" tactics to gain advantage.

From the August 4th article: "[the maker] of the market-leading Norton Anti-Virus has seen an average of 115 new viruses each month this year, up 30 per cent from 1999."
In this section, which we may not have time to discuss in class, there will be provided some links to web sites from various security and police agencies of national governments. It is hoped that you will be able to read a couple of these articles to get some idea of the degree to which the FBI, CIA, RCMP, CSIS etc. may, or may not, understand and contribute to a safer environment for business on the Web.

It was announced in August 2000 that the Federal Bureau of Investigation (FBI) will head up this year's World E-Commerce Forum, at which global Internet security will be an issue for the first time. The full story announcing this event, written by Jennifer Hampton, was in the E-Commerce Times in August. One reason why you would read this article is that it quotes Michael Vatis, director of the FBI's computer crime investigation unit: "the goal of the summit ... is to identify how a global Internet security agency can be established, and how international law can be utilized to develop and enforce penalties against hackers and virus-mongers".
The FBI and Carnivore

"Carnivore attaches a combination of hardware and software applications to the network of an Internet Service Provider (ISP) and scans all of the e-mail and other transmissions to locate a "target" piece of e-mail or communication from a specific person or suspect. Carnivore can analyze millions of messages per second while it searches for the specific messages that it wants. The FBI is developing Carnivore to help the agency police cyberspace. Law enforcement officials have expressed [concern] over how the Internet is used illegally for those who would anonymously distribute child pornography, proprietary information or wreak havoc on ... by hacking into their systems." - Dan Gebler, E-Commerce Times, August 3, 2000 (the full article was available online).

The FBI's own statement on their web site about using "Carnivore": "The National Infrastructure Protection Center (NIPC) serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and ...
Recommended by Mr. Sean Rooney. In this particular document:

"... the NIPC has observed that there has recently been an increase [December 2000] in hacker activity specifically targeting U.S. systems associated with e-commerce and other internet-hosted sites. The majority of the intrusions have occurred on Microsoft Windows NT systems, although Unix based operating systems have been victimized as well. The hackers are exploiting at least three known system vulnerabilities to gain unauthorized access and download proprietary information. Although these vulnerabilities are not new, this recent activity warrants additional attention by system administrators. In most cases, the hacker activity had been ongoing for several months before the victim became aware of the intrusion."

This echoes the SANS points at the start of this section: the vulnerabilities were known and fixable, and the intrusions went unnoticed for months because nobody was looking.
Computer Crime Prevention, with sections on:
- Steps to establish and maintain an adequate computer security program
- Common Methods to Commit Computer Crime
This section of the RCMP web site is not very extensive but it does include a small section on PKI (Public Key Infrastructure).

"... crimes include piracy, copyright infringement, currency and document counterfeiting, smuggling, hate- and sex-related offences, stalking, extortion, mischief, conspiracy, theft, fraud, and gambling." From an article on the RCMP web site titled "Business in Internet-related crime is booming".
Maclean's online magazine had a story June 12th, 2000: "Canada's police are only starting to catch up with hackers and other criminals who target online ..." The article mentions a number of well known internet security situations that have happened and says that "Canada's response has been relatively low-key". Written by Chris Wood with Brenda Branswell in Montreal and Robert Scott in Toronto.

RCMP involvement with e-businesses that have been hit by cyber crime: a recent example (Feb 2000) is what happened to the HMV website. Basically, it was a denial of service attack; HMV's site went offline for an hour on Feb. 7 after being flooded with bogus information. The full story was available on the Toronto Star's web site.