Fourth Position Paper
By Kamakshi Samala
Ubiquitous services and applications when combined with computing business applications, forms a challenging context for internet security and trust. Its not only important for the user to be concerned with the basic security requirements of the internet for controlled access, data integrity, confidentiality and accountability, its also important to make sure that the users are using trusted computing devices. With the rapid change in technology, there has been rapid growth in e-commerce which makes our lives better, simpler and more productive. Electronic commerce basically uses electronic communications technology of the World Wide Web, even though electronic commerce frequently depends on computer technologies other than the World Wide Web, such as databases, and e-mail, and on other non-computer technologies, such as transportation for physical goods sold via e-commerce. Today consumers are extremely comfortable with technology and values of online retail shopping. Online shopping is a convenience both for the retailers and the customers. But as e-commerce and World Wide Web has grown, so has the number of security threats. Identity theft is still at the top of the list of consumer complaints at the Federal Trade Commission, data security breaches are often reported, and phishing is also rising. All these factors undermine trust and security of doing business through internet and World Wide Web.
Vulnerabilities associated with the Internet have put government, business and individual users at risk. The security measures that were used with the main frame computers as well as the networks within the organization are no more possible with the internet as it’s a complex world of interconnected networks with no clear boundaries and control. Originally internet was designed with an aim to put control and trust totally in the hands of users. Also, internet is digital, not physical. This means it has no geographic location and as well as no well defined boundaries. Therefore, physical rules are impossible to apply. Instead new knowledge is required to understand the issues related with the internet. Due to this reason, even though the lives of people are becoming simpler by using the internet but side by side the intruder community is also growing. Intruder tools are becoming more sophisticated and user friendly day by day. By using so called distributed-system attack tools, intruders can hack into large number of sites at a same time with a focus to attack the victim hosts or networks. Now-a-days developers of intruder tools, package their tools in such a user friendly way that even a person with least knowledge of the technology can use them.
There are various reasons for the lack of internet trust and security. Some of the reasons are as follows:
• Due to fall in the prices of communication on the Internet, use of the Internet is replacing other forms of electronic communication. The internet sites have also become so interconnected and the intruder tools have become so sophisticated that it’s easy to hack all the interconnected sites.
• As the distributed client-server and heterogeneous configurations are increasing, the management of the technology is also becoming distributed. In such cases, system administration and management fall upon those people who do not have the training, skill, resources, or interest to operate their systems securely. Therefore, with the increase in untrained system administrator and security staff, the life of attackers is becoming easier.
• With lack of knowledge about the network and security, most sensitive data of an organization such as financial information, medical records, human resources files, and customer information files, etc. can be put to risk.
• Most often when the vendors release patches or upgrades to solve the security problems, organization systems are often not upgraded because the job is too time consuming and sometimes complicated. This job probably demands a skilled system administrator which may far exceed the supply.
• Today software products, workstations, and personal computers have become so easy to use that people with little technical knowledge can install and operate them on their personal computers. Unfortunately, it is difficult to configure and operate many of these products securely. This leads to the increase in the number of vulnerable systems.
• Even the organizations that are security conscious, and have used solutions, such as firewalls and encryption, often can fall trap to false sense of security and become less vigilant. Also single solutions that are once applied are neither foolproof nor adequate. Therefore, solutions must be combined and security situation must be constantly monitored as technology changes and new exploitation techniques are discovered.
• Today the technology is evolving so rapidly that vendors most often concentrate on marketing their products with placing low priority on security features. Therefore, until the customers demand more secure products, the situation will not change.
The above reasons can lead to different types of abuses. If we take for example Web sites. The websites gather information with or without the consumer’s knowledge. The most common method is by using clickstream data. This method tracks where the individual travels in a site and which advertisement and content he/she examines and uses. One of the common tools used are Cookies. Cookies are small files that are transferred to our computer by some websites that we log on first. This file allows the Web server to track preferences and usage of information and target advertisements or specific content. Even though cookies allow a site to brand users, they do not disclose real names and addresses unless this information has previously been secured by other means. Some browsers allow the users to determine if they want cookie files located on their computer. Sometimes personal information like name, address, email, age, etc. are gathered from promotional "swebstakes," by allowing the user to enter a contest to win prizes in exchange for personal information. Matchlogic, a subsidiary of Excite, Inc, is an example of the firm that is involved in this campaign which posts advertisements and marketing campaigns on various Web sites for approximately 65 customers.
This can lead to transfer of inaccurate data, loss of identity, stolen credit card numbers and other possible problems that can be very difficult to resolve unless all the right tools find wide implementation.
Some of the possible solutions that can be used to ensure internet trust and security are:
1. Encryptions: For greater security the network must be encrypted and must have Firewalls. Firewalls deny or accept all messages and sites based on a list that is stored in the system. This is usually decided by a system administrator.
2. Secure Sockets Layer (SSL): This was developed by Netscape Communications Corporation which helps to reduce the chances of the information sent through the Internet to be intercepted. It provides security to all the parties involved in the transaction.
3. Platform for Privacy Principles: This is also known as P3 which is universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. This tries to define and describe limits on the use of user’s private information garnered from Web sites.
4. Tokens: These are small devices, which are usually the size of a credit card or calculator that the remote users physically carry with them. This is based on a challenge-response system. When the remote user tries to log on a given authentication server, a challenge is asked. The user keys the challenge into the device which then generates the correct reply. The user then sends this response to the remote server to gain access.
5. Secure Electronic Transaction (SET): It is an open, multi-party protocol that transmits bank card payments via open networks like the Internet. SET allows the parties performing the transaction, to confirm each other's identity. By employing digital certificates, SET allows a purchaser to confirm that the merchant is legitimate and also allows the merchant to verify that the credit card is being used by its owner. It also requires that each purchase request includes a digital signature, which further identifies the cardholder to the retailer. The digital signature and the merchant's digital certificate provide a certain level of trust. SET plays an important role as it offers protection from repudiation and unauthorized payments.
6. Digital Certificates: Purchasers and retailers generate these certificates through the use of secret keys that authenticates that each party to the transaction is legitimate.
7. Open Profiling Standard for Authorization and Single Sign-On (OPS): This makes it necessary for the customers to reenter information that identifies them more than once at a website.
Therefore, these are some of the solutions that can be used to have internet security and provide trust among the users.
Hence in my opinion, while doing business in the real world having and building trust among the customers is very important for the business. Merchants, consumers and financial institutions all need to be confident of the identity with whom they conduct business. Only when all of the above parties are truly able to trust who they are dealing with online, then only will the online business model be successful. Computer based crimes are increasing day by day. For example if we take the case of T.J. Maxx and Marshalls and other off-price retailers, hackers stole data of at least 45.7 million credit and debit cards of shoppers. This case is believed to be the largest breach of consumer information and is considered to be a major security concern.
Government and industries should work together towards better internet security. This way the industry can influence the type of safeguards that are put into practice. If there is resistance to cooperation with government agencies towards internet fraud, crime and privacy, legislative and other political solutions will atomically become more involved. Therefore, internet offers great potential for both consumers and businesses, but proper measures should be taken to protect the internet trust and security. This way both the industry and consumers will be benefited in the long run.
By Kamakshi Samala
Ubiquitous services and applications when combined with computing business applications, forms a challenging context for internet security and trust. Its not only important for the user to be concerned with the basic security requirements of the internet for controlled access, data integrity, confidentiality and accountability, its also important to make sure that the users are using trusted computing devices. With the rapid change in technology, there has been rapid growth in e-commerce which makes our lives better, simpler and more productive. Electronic commerce basically uses electronic communications technology of the World Wide Web, even though electronic commerce frequently depends on computer technologies other than the World Wide Web, such as databases, and e-mail, and on other non-computer technologies, such as transportation for physical goods sold via e-commerce. Today consumers are extremely comfortable with technology and values of online retail shopping. Online shopping is a convenience both for the retailers and the customers. But as e-commerce and World Wide Web has grown, so has the number of security threats. Identity theft is still at the top of the list of consumer complaints at the Federal Trade Commission, data security breaches are often reported, and phishing is also rising. All these factors undermine trust and security of doing business through internet and World Wide Web.
Vulnerabilities associated with the Internet have put government, business and individual users at risk. The security measures that were used with the main frame computers as well as the networks within the organization are no more possible with the internet as it’s a complex world of interconnected networks with no clear boundaries and control. Originally internet was designed with an aim to put control and trust totally in the hands of users. Also, internet is digital, not physical. This means it has no geographic location and as well as no well defined boundaries. Therefore, physical rules are impossible to apply. Instead new knowledge is required to understand the issues related with the internet. Due to this reason, even though the lives of people are becoming simpler by using the internet but side by side the intruder community is also growing. Intruder tools are becoming more sophisticated and user friendly day by day. By using so called distributed-system attack tools, intruders can hack into large number of sites at a same time with a focus to attack the victim hosts or networks. Now-a-days developers of intruder tools, package their tools in such a user friendly way that even a person with least knowledge of the technology can use them.
There are various reasons for the lack of internet trust and security. Some of the reasons are as follows:
• Due to fall in the prices of communication on the Internet, use of the Internet is replacing other forms of electronic communication. The internet sites have also become so interconnected and the intruder tools have become so sophisticated that it’s easy to hack all the interconnected sites.
• As the distributed client-server and heterogeneous configurations are increasing, the management of the technology is also becoming distributed. In such cases, system administration and management fall upon those people who do not have the training, skill, resources, or interest to operate their systems securely. Therefore, with the increase in untrained system administrator and security staff, the life of attackers is becoming easier.
• With lack of knowledge about the network and security, most sensitive data of an organization such as financial information, medical records, human resources files, and customer information files, etc. can be put to risk.
• Most often when the vendors release patches or upgrades to solve the security problems, organization systems are often not upgraded because the job is too time consuming and sometimes complicated. This job probably demands a skilled system administrator which may far exceed the supply.
• Today software products, workstations, and personal computers have become so easy to use that people with little technical knowledge can install and operate them on their personal computers. Unfortunately, it is difficult to configure and operate many of these products securely. This leads to the increase in the number of vulnerable systems.
• Even the organizations that are security conscious, and have used solutions, such as firewalls and encryption, often can fall trap to false sense of security and become less vigilant. Also single solutions that are once applied are neither foolproof nor adequate. Therefore, solutions must be combined and security situation must be constantly monitored as technology changes and new exploitation techniques are discovered.
• Today the technology is evolving so rapidly that vendors most often concentrate on marketing their products with placing low priority on security features. Therefore, until the customers demand more secure products, the situation will not change.
The above reasons can lead to different types of abuses. If we take for example Web sites. The websites gather information with or without the consumer’s knowledge. The most common method is by using clickstream data. This method tracks where the individual travels in a site and which advertisement and content he/she examines and uses. One of the common tools used are Cookies. Cookies are small files that are transferred to our computer by some websites that we log on first. This file allows the Web server to track preferences and usage of information and target advertisements or specific content. Even though cookies allow a site to brand users, they do not disclose real names and addresses unless this information has previously been secured by other means. Some browsers allow the users to determine if they want cookie files located on their computer. Sometimes personal information like name, address, email, age, etc. are gathered from promotional "swebstakes," by allowing the user to enter a contest to win prizes in exchange for personal information. Matchlogic, a subsidiary of Excite, Inc, is an example of the firm that is involved in this campaign which posts advertisements and marketing campaigns on various Web sites for approximately 65 customers.
This can lead to transfer of inaccurate data, loss of identity, stolen credit card numbers and other possible problems that can be very difficult to resolve unless all the right tools find wide implementation.
Some of the possible solutions that can be used to ensure internet trust and security are:
1. Encryptions: For greater security the network must be encrypted and must have Firewalls. Firewalls deny or accept all messages and sites based on a list that is stored in the system. This is usually decided by a system administrator.
2. Secure Sockets Layer (SSL): This was developed by Netscape Communications Corporation which helps to reduce the chances of the information sent through the Internet to be intercepted. It provides security to all the parties involved in the transaction.
3. Platform for Privacy Principles: This is also known as P3 which is universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. This tries to define and describe limits on the use of user’s private information garnered from Web sites.
4. Tokens: These are small devices, which are usually the size of a credit card or calculator that the remote users physically carry with them. This is based on a challenge-response system. When the remote user tries to log on a given authentication server, a challenge is asked. The user keys the challenge into the device which then generates the correct reply. The user then sends this response to the remote server to gain access.
5. Secure Electronic Transaction (SET): It is an open, multi-party protocol that transmits bank card payments via open networks like the Internet. SET allows the parties performing the transaction, to confirm each other's identity. By employing digital certificates, SET allows a purchaser to confirm that the merchant is legitimate and also allows the merchant to verify that the credit card is being used by its owner. It also requires that each purchase request includes a digital signature, which further identifies the cardholder to the retailer. The digital signature and the merchant's digital certificate provide a certain level of trust. SET plays an important role as it offers protection from repudiation and unauthorized payments.
6. Digital Certificates: Purchasers and retailers generate these certificates through the use of secret keys that authenticates that each party to the transaction is legitimate.
7. Open Profiling Standard for Authorization and Single Sign-On (OPS): This makes it necessary for the customers to reenter information that identifies them more than once at a website.
Therefore, these are some of the solutions that can be used to have internet security and provide trust among the users.
Hence in my opinion, while doing business in the real world having and building trust among the customers is very important for the business. Merchants, consumers and financial institutions all need to be confident of the identity with whom they conduct business. Only when all of the above parties are truly able to trust who they are dealing with online, then only will the online business model be successful. Computer based crimes are increasing day by day. For example if we take the case of T.J. Maxx and Marshalls and other off-price retailers, hackers stole data of at least 45.7 million credit and debit cards of shoppers. This case is believed to be the largest breach of consumer information and is considered to be a major security concern.
Government and industries should work together towards better internet security. This way the industry can influence the type of safeguards that are put into practice. If there is resistance to cooperation with government agencies towards internet fraud, crime and privacy, legislative and other political solutions will atomically become more involved. Therefore, internet offers great potential for both consumers and businesses, but proper measures should be taken to protect the internet trust and security. This way both the industry and consumers will be benefited in the long run.
No comments:
Post a Comment