Page 327 - Introduction to Electronic Commerce and Social Commerce
314 10 E-Commerce Security and Fraud Issues and Protections
1. Conduct a vulnerability assessment of your EC systems. A vulnerability assessment is the process of identifying and evaluating the parts of a computerized system that are vulnerable to attack. The EC system includes online ordering, communication networks, payment gateways, the product database, fraud protection, and so forth. The most critical vulnerabilities are those that can interrupt or shut down the business. For example, a DoS attack can prevent order taking, and a virus attack can prevent communication. The assessment determines the need for, and the priority of, the defense mechanisms. For an overview of vulnerability assessment, including the process, see searchmidmarketsecurity.techtarget.com/definition/vulnerability-analysis.

2. Conduct penetration (pen) tests (possibly by hiring ex-hackers) to find the vulnerabilities and security weaknesses of a system. These tests are designed to simulate outside (external) attacks by testers who are given no inside knowledge of the system; this is also called "black-box" testing. In contrast, software development companies conduct intensive "white-box" testing, which involves a careful inspection of the system, both hardware and software, with full knowledge of its internals. Other types of pen testing include targeted testing, blind testing, and double-blind testing. For more information, see searchsoftwarequality.techtarget.com/definition/penetration-testing.

Penetration Test

A penetration test (pen test) is a method of assessing the vulnerability of a computer system. It can be done manually, by allowing experts to act as hackers and simulate malicious attacks. The process checks the weak (vulnerable) points that an attacker may find and exploit. Any weakness that is discovered is reported to management, together with its potential impact and a proposed remedy. A pen test can be one step in a comprehensive security audit.

Several methods can be used to execute pen tests (e.g., an automated process). In addition, many software tools are available for this purpose. For a review and a tutorial, see pen-tests.com and coresecurity.com/penetration-testing-overview. For more on penetration tests, see Maxwell (2016).

SECTION 10.5 REVIEW QUESTIONS

1. What is Information Assurance? List its major components.
2. Define confidentiality, integrity, and availability.
3. Define authentication, authorization, and nonrepudiation.
4. List the objectives of EC strategy.
5. List the eight categories of defense in EC systems.
6. Describe vulnerability assessment.
7. What is a penetration test?

10.6 DEFENDING INFORMATION SYSTEMS AND E-COMMERCE

Defending information systems is similar regardless of their nature and is described in many books (e.g., Andress 2014). We provide only highlights of this defense, dividing it into three categories: (1) access control, encryption, and PKI; (2) security in e-commerce networks; and (3) general controls, spam, pop-ups, and social engineering. In Section 10.7 we describe fraud protection.

Comprehensive coverage of cybersecurity threats and defenses is provided by Scott in several volumes titled Cybersecurity 101. Volume 1 (Scott 2016a) covers mostly nontechnical areas, while Volume 2 (Scott 2016b) covers mostly technical areas. A comprehensive book on defense against attacks on the Web is Harwood (2015).

The Defense I: Access Control, Encryption, and PKI

In this section, we describe the following topics: access control methods, biometric systems, encryption, and PKI. For an overview of the defense, see Cloud (2015).

Access Control

Access control determines who (person, program, or machine) can legitimately use the organization's computing resources (which resources, when, and how).

Authorization and Authentication

Access control involves authentication (proving that the user is who he or she claims to be) and authorization (having the right to access a given resource). Authentication begins with identification: each user has a distinctive identifier (user ID) that differentiates it from other users. The user ID is only a claim of identity; typically it is used together with a password, which serves as the evidence that the claim is genuine.

Authentication

After a user has been identified, the user must be authenticated. Authentication is the process of verifying the user's identity; only once the identity is verified are the user's access rights checked (authorization). Verification of the user's identity usually is based on one or more characteristics that distinguish one individual from another.

Biometric Systems

Biometric authentication is a technology that establishes the identity of people by measuring and analyzing biological or behavioral characteristics or physiological signals.