
Definition of Cryptography:

Cryptography is the process of converting ordinary plain text into unintelligible text and vice versa. It is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it. Cryptography not only protects data from theft or alteration, but can also be used for user authentication.

The word cryptology has two components, kryptos and logos. Cryptographic methods certify the safety and security of communication; their main goals are user authentication, data authentication (integrity and origin authentication), non-repudiation of origin, and confidentiality. Cryptography has two basic functions: encryption and decryption.

The Role of Cryptography in Information Security:

Cryptography can be used to achieve several goals of information security, including confidentiality, integrity, and authentication.

✓ Confidentiality: First, cryptography protects the confidentiality (or secrecy) of information. Even when the transmission or storage medium has been compromised, the encrypted information is practically useless to unauthorized persons without the proper keys for decryption.
✓ Integrity: Cryptography can also be used to ensure the integrity (or accuracy) of information through the use of hashing algorithms and message digests.
✓ Authentication: Finally, cryptography can be used for authentication (and non-repudiation) services through digital signatures, digital certificates, or a Public Key Infrastructure (PKI).
✓ Access control: Only authorized users (login and password) can access protected confidential data. Access is possible only for those individuals who hold the correct cryptographic keys.

Threats to Information Security

A threat is anything that can take advantage of a vulnerability to breach security and negatively alter, erase or harm an object or objects of interest. Cybercriminals are carefully discovering new ways to tap the most sensitive networks in the world. Protecting business data is a growing challenge, but awareness is the first step. Here are the threats to information security today:

• Virus: Viruses have the ability to replicate themselves by attaching themselves to a program on the host computer, e.g. file viruses, macro viruses, stealth viruses.

• Worms: These are also self-replicating in nature, but they do not attach themselves to a program on the host computer. The biggest difference between viruses and worms is that worms are network aware: they can easily travel from one computer to another if a network is available.

• Technology with Weak Security – New technology is being released every day. More often than not, new gadgets have some form of Internet access but no plan for security. This presents a very serious risk – each unsecured connection means vulnerability. The rapid development of technology is a testament to innovators; however, security lags severely.

• Social Media Attacks – Cybercriminals are leveraging social media as a medium to distribute a complex geographical attack called “water holing”. The attackers identify and infect a cluster of websites they believe members of the targeted organization will visit.
• Mobile Malware – Security experts have seen risk in mobile device security since the early stages of their connectivity to the Internet. The small amount of mobile foul play among the long list of recent attacks has left users far less concerned than they should be. Considering our culture’s unbreakable reliance on cell phones and how little cybercriminals have targeted them so far, this creates a catastrophic threat.
• Third-party Entry – Cybercriminals prefer the path of least resistance. Target is the poster child of a major network attack through third-party entry points. The global retailer’s HVAC vendor was the unfortunate contractor whose credentials were stolen and used to steal financial data sets for 70 million customers.
• Neglecting Proper Configuration – Big data tools come with the ability to be customized to fit an organization’s needs. Companies continue to neglect the importance of properly configuring security settings. The New York Times recently fell victim to a data breach as a result of enabling only one of the several critical functionalities needed to fully protect the organization’s information.
• Outdated Security Software – Updating security software is a basic technology management practice and a mandatory step to protecting big data. Software is developed to defend against known threats. That means any new malicious code that hits an outdated version of security software will go undetected.
• Social Engineering – Cybercriminals know intrusion techniques have a shelf life. They have turned to reliable non-technical methods like social engineering, which rely on social interaction and psychological manipulation to gain access to confidential data. This form of intrusion is unpredictable and effective.
• Lack of Encryption – Protecting sensitive business data in transit and at rest is a measure that few industries have embraced so far, despite its effectiveness. The health care industry handles extremely sensitive data and understands the gravity of losing it – which is why HIPAA compliance requires every computer to be encrypted.
• Corporate Data on Personal Devices – Whether an organization distributes corporate phones or not, confidential data is still being accessed on personal devices. Mobile management tools exist to limit functionality, but securing the loopholes has not made it to the priority list for many organizations.
• Inadequate Security Technology – Investing in software that monitors the security of a network has become a growing trend in the enterprise space after 2014’s painful string of data breaches. The software is designed to send alerts when intrusion attempts occur; however, the alerts are only valuable if someone is available to address them.

Other threat categories and examples:

• Act of human error: accidents, employee mistakes

• Technical hardware failures: equipment failure

• Technical software failures: bugs, code problems

• Technological obsolescence: outdated technology

NETWORK SECURITY GOALS:

The three primary goals of Network Security are

• Confidentiality

• Integrity

• Availability

These three pillars of Network Security are often represented as the CIA triangle (shown as a figure in the original notes).

Confidentiality: The first goal of Network Security is "Confidentiality". The function of "Confidentiality" is to protect precious business data (in storage or in motion) from unauthorized persons. The confidentiality part of Network Security makes sure that the data is available ONLY to intended and authorized persons. Access to business data should be only for those individuals who are permitted to use that data.

Integrity: The second goal of Network Security is "Integrity". Integrity aims at maintaining and assuring the accuracy and consistency of data. The function of Integrity is to make sure that the data is accurate and reliable and is not changed by unauthorized persons or hackers. The data received by the recipient must be exactly the same as the data sent by the sender, without a change in even a single bit of data.

Availability: The third goal of network security is "Availability". The function of "Availability" in
Network Security is to make sure that the Data, Network Resources or Network Services are
continuously available to the legitimate users, whenever they require it.

Authentication: the sender and receiver want to confirm the identity of each other.

Access control: the service must be accessible to users.

E-commerce security requirements:

Commerce over an open network can be secure if the following are provided:

• Server security
• Message privacy (confidentiality)
• Message integrity
• Authentication
• Authorization
• Non-repudiation
• Payment and settlement

1.) Server security: A secure server is a web server that guarantees secure online transactions. It uses the Secure Sockets Layer (SSL) protocol for data encryption and decryption to protect data from unauthorized use.

How can we secure the server:

• SSH keys: SSH is the Secure Shell. SSH keys are a pair of cryptographic keys that can be used to authenticate to an SSH server as an alternative to password-based logins. A public key and private key pair are created; the private key is kept secret and secure by the user, while the public key can be shared with anyone.
• Firewall: A firewall is a piece of software that controls what services are exposed to the network. This means blocking or restricting access to every port except those that should be publicly available.
• VPN and private networking: Private networks are networks that are only available to certain users. A VPN (virtual private network) is a way to create secure connections between remote computers and present that connection as a private network.
• Service auditing: This is the process of discovering what services are running on the servers of your infrastructure, which ports they are using for communication and what protocols are accepted.
• Every packet going from the firm's computers to the internet, or vice versa, will be checked.
• Security against attacks such as viruses, unauthorized access by hackers and Trojan horses can be provided.
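An added example (not from the original notes) of the service auditing step: it parses the output of `ss -tlnp` (the Linux socket-statistics tool's listing of listening TCP sockets with process names) and compares what is listening against an allowlist of the services that are meant to be reachable from the network. The `ss` output below is a constructed sample, not captured from a real host, and the allowlist is an assumption for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ss -tlnp` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=1201,fd=6),("nginx",pid=1200,fd=6))
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=950,fd=21))
LISTEN 0      128             [::]:22            [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0      4096         0.0.0.0:6379       0.0.0.0:*     users:(("redis-server",pid=1402,fd=7))
"""

# Assumed policy: port -> process that is allowed to listen on all interfaces.
ALLOWLIST: Dict[int, str] = {22: "sshd", 80: "nginx", 443: "nginx"}

# Bind addresses that mean "reachable on every interface".
ANY_ADDR = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(output: str) -> List[Tuple[str, int, str]]:
    """Turn `ss -tlnp` lines into (bind_address, port, process_name) tuples."""
    listeners = []
    for line in output.strip().splitlines()[1:]:        # first line is the header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)            # handles "[::]:22" as well as "0.0.0.0:22"
        match = re.search(r'\("([^"]+)"', line)          # first process name in users:(("name",pid=..))
        process = match.group(1) if match else "?"
        listeners.append((addr, int(port), process))
    return listeners


def audit(output: str, allowlist: Dict[int, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Classify every listener: expected and exposed, unexpected and exposed, or bound to one address."""
    report: Dict[str, List[Tuple[int, str]]] = {
        "exposed_expected": [], "exposed_unexpected": [], "specific_address": []}
    for addr, port, process in parse_ss(output):
        entry = (port, process)
        if addr not in ANY_ADDR:
            bucket = "specific_address"                  # e.g. loopback only: not reachable from outside
        elif allowlist.get(port) == process:
            bucket = "exposed_expected"
        else:
            bucket = "exposed_unexpected"                # exposed service nobody planned for
        if entry not in report[bucket]:                  # dedupe the IPv4/IPv6 pair
            report[bucket].append(entry)
    return report


if __name__ == "__main__":
    for bucket, entries in audit(SAMPLE_SS_OUTPUT, ALLOWLIST).items():
        print(bucket, entries)
```

The `exposed_unexpected` bucket is the finding to act on: in the sample, a cache server listening on all interfaces that the policy never allowed, which is exactly what the firewall rule set should have been closing. Run against real output (`ss -tlnp` needs root to show process names), diff the report against the previous run, and the audit becomes a recurring check rather than a one-off.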

2.) Message privacy:

It is a key requirement for e-commerce. In an open network such as the internet, message privacy, particularly for e-commerce transactions, requires encryption. Message privacy assures that the communication between trading parties is not revealed to others, so that an unauthorized party cannot read or understand the message.

3.) Message integrity: The validity of a transmitted message; it means that a message has not been tampered with or altered. The most common approach is to use a hash function that combines all the bytes in a message with a secret key and produces a message digest that is difficult to reverse. Integrity checking is one component of an information security programme.
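The keyed message digest described above (the same mechanism behind the "hashing algorithms and message digests" of the integrity goal earlier on the page), as an added example that is not part of the original notes. It uses HMAC-SHA256 from the Python standard library; the shared key, the order message and the tampering are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """Message digest over every byte of the message, bound to the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the digest and compare in constant time (a plain == leaks timing)."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    """Constructed order message: genuine, tampered, and checked with the wrong key."""
    key = secrets.token_bytes(32)                       # shared by the two trading parties
    order = b"order_id=1001;item=laptop;qty=1;total=999.00"
    tag = make_tag(key, order)                          # travels alongside the message

    tampered = order.replace(b"total=999.00", b"total=9.00")   # one field altered in transit
    return {
        "genuine_accepted": verify_tag(key, order, tag),
        "tampered_accepted": verify_tag(key, tampered, tag),
        "wrong_key_accepted": verify_tag(secrets.token_bytes(32), order, tag),
    }


if __name__ == "__main__":
    print(demo())   # {'genuine_accepted': True, 'tampered_accepted': False, 'wrong_key_accepted': False}
```

The secret key is what makes the check meaningful: with an unkeyed hash, whoever alters the message can simply recompute the digest, and the recipient sees a consistent pair. Because both parties hold the same key, this gives integrity and origin authentication between them but not non-repudiation; for that the page's later section points to digital signatures.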
4.) Authentication: It is important because it enables an organization to keep its networks secure by permitting only authenticated users to access its protected resources, which may include computer systems, networks, databases, websites and other network-based applications or services.
5.) Authorization: It is the process of granting or denying access to a network resource. It ensures that the trading party has the authority for the transaction.

It prevents the risk that employees' transactions create economic damage.

Authentication vs Authorization
• Once the system knows who the user is through authentication, authorization is how the system decides what the user can do.
• When you log in to a PC with a user name and password, you are authenticated. Authorization is the process of verifying that you have access to something.
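An added example (not from the original notes) of the two steps in the order the bullets give them: the user is first authenticated with a salted password hash (PBKDF2-HMAC-SHA256 from the standard library), and only then is the requested action authorized against a role table. The in-memory user store, usernames, passwords, roles and permissions are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000            # PBKDF2 work factor; raise it on real systems


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_user(store: Dict[str, dict], username: str, password: str, role: str) -> None:
    salt = os.urandom(16)       # per-user salt, stored next to the hash, never the password
    store[username] = {"salt": salt, "hash": hash_password(password, salt), "role": role}


def authenticate(store: Dict[str, dict], username: str, password: str) -> Optional[str]:
    """Step 1, authentication: who is this? Returns the user's role on success, None otherwise."""
    record = store.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)   # same cost for unknown users: no username oracle
        return None
    if hmac.compare_digest(record["hash"], hash_password(password, record["salt"])):
        return record["role"]
    return None


# Constructed role table: what each authenticated identity is permitted to do.
PERMISSIONS = {
    "customer": {"place_order", "view_own_orders"},
    "support":  {"view_own_orders", "view_any_order"},
    "admin":    {"place_order", "view_own_orders", "view_any_order", "refund_order"},
}


def authorize(role: Optional[str], action: str) -> bool:
    """Step 2, authorization: may this identity do this? Unknown role or action means deny."""
    return role is not None and action in PERMISSIONS.get(role, set())


def login_and_act(store: Dict[str, dict], username: str, password: str, action: str) -> str:
    role = authenticate(store, username, password)
    if role is None:
        return "authentication failed"
    if not authorize(role, action):
        return f"authenticated as {role}, but '{action}' is not permitted"
    return f"authenticated as {role}, '{action}' permitted"


def build_demo_store() -> Dict[str, dict]:
    """Constructed demo users in an in-memory store (a real system keeps these in a database)."""
    store: Dict[str, dict] = {}
    create_user(store, "alice", "correct horse battery staple", "customer")
    create_user(store, "bob", "a-long-admin-passphrase", "admin")
    return store


if __name__ == "__main__":
    users = build_demo_store()
    print(login_and_act(users, "alice", "correct horse battery staple", "refund_order"))
    print(login_and_act(users, "bob", "a-long-admin-passphrase", "refund_order"))
    print(login_and_act(users, "alice", "wrong password", "place_order"))
```

Note that a successful login by alice still ends in a refusal when she asks for a refund: authentication settled who she is, authorization settled what she may do, and the two decisions are made separately. Both checks fail closed (unknown user, unknown role or unknown action all deny).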

6.) Audit Mechanism and Non-Repudiation:

• It enables the exchanging parties to maintain and revisit the history/sequence of events during the period of a transaction.
• In e-commerce these could be computer time stamps, or records from different computers of the different stages of a transaction.
• Non-repudiation is the assurance that someone cannot deny something. It refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
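An added example, not from the original notes, of the kind of timestamped transaction history the bullets describe: each record carries its timestamp and the hash of the record before it, so a later change to any stage of the transaction breaks the chain and is detected when the history is revisited. The order stages, order number and timestamps are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64          # "previous hash" of the very first record


def entry_hash(prev_hash: str, timestamp: str, event: dict) -> str:
    """The hash binds a record to its timestamp, its content and the record before it."""
    payload = prev_hash + "|" + timestamp + "|" + json.dumps(event, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_event(log: List[dict], event: dict, timestamp: Optional[str] = None) -> dict:
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"timestamp": ts, "event": event, "prev_hash": prev,
             "hash": entry_hash(prev, ts, event)}
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) or (False, index of the first inconsistent record)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or e["hash"] != entry_hash(prev, e["timestamp"], e["event"]):
            return False, i
        prev = e["hash"]
    return True, None


def build_sample_log() -> List[dict]:
    """Constructed history of one order, with fixed timestamps so the result is reproducible."""
    log: List[dict] = []
    append_event(log, {"stage": "order_placed", "order": 1001, "amount": "999.00"},
                 "2024-01-05T10:00:00+00:00")
    append_event(log, {"stage": "payment_authorized", "order": 1001},
                 "2024-01-05T10:00:07+00:00")
    append_event(log, {"stage": "shipped", "order": 1001},
                 "2024-01-06T08:30:00+00:00")
    return log


if __name__ == "__main__":
    history = build_sample_log()
    print(verify_log(history))                  # (True, None)
    history[0]["event"]["amount"] = "9.00"      # a past record is edited after the fact
    print(verify_log(history))                  # (False, 0)
```

Rewriting one record and recomputing only its own hash does not help the editor either: the next record still names the old hash, so verification fails one step later. The chain by itself only makes tampering evident; to turn the history into the non-repudiation the page describes, the latest hash has to be committed to by something a party cannot later disown, for example the digital signature mentioned earlier on the page.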

7.) Payment and Settlement:
• A payment system is used for financial transactions related to buying and selling goods in online business, so it must be highly secure.
• A secure e-payment ensures that commitments to pay for goods and services over the medium are met.
• It is vital to widespread e-commerce.

DOMAIN NAME DISPUTES

A domain name is your website name. A domain name is the address where internet users can access your website. Domain names are used to identify one or more IP addresses. For example, the domain name Microsoft.com represents about a dozen IP addresses.

A domain name dispute is a conflict that arises when more than one individual or group believes it has the right to register a specific domain name. All domain name registrars must follow ICANN’s Uniform Domain Name Dispute Resolution Policy.

Firewall

A firewall is software or firmware that enforces a set of rules about what data packets will be allowed to enter or leave a network. Firewalls are incorporated into a wide variety of networked devices to filter traffic and lower the risk that malicious packets traveling over the public internet can impact the security of a private network. Firewalls may also be purchased as stand-alone software applications.

A firewall is a system designed to prevent unauthorized access to or from a private network. You can implement a firewall in hardware, in software, or in a combination of both.

It is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and an untrusted external network, such as the internet.

Firewalls are often categorized as either network firewalls or host-based firewalls.

Network firewalls filter traffic between two or more networks and run on network hardware.

Host-based firewalls run on host computers and control network traffic in and out of those machines.
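An added example (not the notes' own code) of the rule-based filtering the firewall passages describe, also covering the server-hardening advice earlier on the page to block every port except those meant to be public: a small packet filter that evaluates rules in order and denies anything no rule explicitly allows. The rule set, address ranges and packets are constructed; 10.0.0.0/8 is assumed to be the internal network and 203.0.113.0/24 the administrators' range (a documentation prefix).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the untrusted network) or "out"
    proto: str       # "tcp" or "udp"
    src: str         # source IP address
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    action: str                                 # "allow" or "deny"
    direction: str
    proto: Optional[str] = None                 # None matches any protocol
    src: Optional[str] = None                   # CIDR prefix; None matches any source
    dports: Optional[FrozenSet[int]] = None     # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet that matches no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed policy: the public web ports are reachable from anywhere, SSH only from
# the assumed admin range, nothing else is accepted inbound, and outbound traffic is allowed.
RULES = [
    Rule("deny", "in", src="10.0.0.0/8"),            # internal source address arriving from outside: spoofed
    Rule("allow", "in", proto="tcp", dports=frozenset({80, 443})),
    Rule("allow", "in", proto="tcp", src="203.0.113.0/24", dports=frozenset({22})),
    Rule("allow", "out"),
]


if __name__ == "__main__":
    for pkt in (Packet("in", "tcp", "198.51.100.7", 443),
                Packet("in", "tcp", "198.51.100.7", 22),
                Packet("in", "tcp", "203.0.113.5", 22),
                Packet("in", "tcp", "198.51.100.7", 3306)):
        print(pkt.proto, pkt.src, "->", pkt.dport, ":", evaluate(RULES, pkt))
```

Two properties of the rule set are worth noticing: the final decision for anything unlisted comes from the missing match, not from an explicit rule, which is what "restrict every port except those that should be public" means in practice; and rule order matters, so the anti-spoofing deny sits before the allows that would otherwise match it.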

Limitations of a firewall:
A firewall is a crucial component of securing your network and is designed to address the issues of data integrity, traffic authentication and confidentiality of your internal network. While the importance of including a firewall in your security strategy is apparent, firewalls do have the following limitations:

1. It cannot protect against attacks that bypass the firewall.

2. It may not protect against internal threats when an insider collaborates with an outside adversary.

3. It may not be able to protect against viruses and infected files, since it may not be possible to scan all incoming traffic.

4. A firewall cannot protect against what has been authorized.

5. It cannot stop attacks if the traffic does not pass through it.

6. It cannot stop social engineering attacks.

7. A firewall cannot fix poor administrative practices or poorly designed network security policies.

8. A firewall cannot enforce your password policy or prevent misuse of passwords.

9. A firewall cannot stop internal users from accessing content containing malicious code, making user education critical.

Risk management in e-commerce transactions
Today, e-commerce has become a trend of the modern economy, with its outstanding platform called Magento. Because it is a new trend, online store owners cannot avoid risks in transactions. The management of risk in e-commerce transactions is considered the most important factor for the long-term survival of your business.
These risks may relate to internet fraud, information security, payment methods or even e-commerce legislation. Once a business runs into one of those risks, it is costly to solve and to recover from. Each year, these risks cost e-commerce and direct marketing businesses billions of dollars, making it imperative for merchants to understand the risks associated with doing business online. So business owners should develop an internal policy to address the potential risks and train their staff on implementing it. The following are the most important procedures for managing risk in e-commerce transactions.

1. Understand the risks and train your staff

Your staff should know clearly what risks your e-commerce business may have to deal with.
Everyone in your business structure needs to understand the types of risks inherent in online
payments. Then, establish a procedure on avoiding and solving risks, which is a must for all staff
to follow.

2. Ensure information security

Information here includes customer databases, buying requests, the payment process, etc. The internet is easily exploited by hackers, so you need to ensure good security all the time to avoid data being changed or stolen. You need to set up a secure and efficient process for submitting authorization requests over the internet before you can start accepting card payments online.

3. Select the right acquiring bank and merchant services provider

The right acquiring bank and merchant services provider will provide effective risk management support and have a complete understanding of e-commerce fraud risk and the liability associated with online transactions. You will also want to consider adequate customer data protection capability when making your selection.

4. Create and display effective policies

Your website must list your privacy, shipping, return and refund policies on each page.
Customers should not be forced to search for them. This will also create satisfaction and
convenience for customers to visit your page more often.

5. Use collection efforts to minimize losses

You have control over most types of chargebacks, especially the ones resulting from processing errors. A well-designed collection system can help recover unwarranted chargeback losses.

6. Minimize unnecessary chargebacks

Chargebacks result in extra processing time and costs, hurting your profits, and may result in a loss of revenue.

7. Secure the process of routing your authorization

You must ensure that your authorization requests are submitted in a secure and efficient manner before you accept card payments on the internet.

8. Protect your merchant account from intrusion