
Name:
Student ID:
Module: Business Needs, Planning & Policy
Module Code:
Module Leader:
Course: MSc. IT Security

WEBSITES: A SECURITY REPORT


Executive summary
The internet has evolved to the point where it shapes the way businesses and individuals interact. Individuals can make purchases from home, and businesses can reduce costs by processing transactions online and employing fewer staff. The primary concern for both the customer and the business, however, is transaction security: what are the risks for the customer and for the company? This report compares the security of four e-commerce websites, discusses the importance of secure payment processes, secure websites and business-to-business and business-to-customer relationships, and shows how security can be implemented to strengthen them.

Question 1 Business Needs, Planning & Policy

Table of Contents
Comparison of e-commerce websites
Customer security issues
Organisation security issues
The importance of a secure website
The importance of a secure electronic payment system
Business models employed and how the security can be enhanced
Conclusion
References
Appendices


Comparison of e-commerce websites


This report begins by comparing and contrasting four e-commerce websites:
Freebooter: www.freebooterminiatures.com
Foundry: www.wargamesfoundry.com
Games Workshop: www.games-workshop.com
Reaper Miniatures: www.reapermini.com

The diagram below illustrates how an online payment system works: it shows how a payment is transmitted from the online customer to the merchant's website.

[Diagram: online payment flow from customer to merchant. Source: E-payment (2010)]

Common criteria are used to compare and contrast the sites. The criteria are:
Secure Sockets Layer (SSL) and seals
Organisational contact details
Payment methods
Privacy policies
Cookies


These criteria were taken from a checklist provided by Lemieux (2002), a guideline listing what users should check before making an online transaction.

SSL (today superseded by its successor, TLS) encrypts all data transmitted between a client and a server. It provides not only confidentiality but also protection of the data's integrity while in transit. The server's SSL certificate also contains information about the website owner, which has been checked by the certificate authority that issued it (Microsoft, 2010). Note that SSL protects data only on the wire; it says nothing about how the merchant stores the data once it has been received.

Seals on their own do not provide security, since they are graphics that anyone can copy, but a genuine seal provides supplementary assurance (Lemieux, 2002). Organisational contact details matter because a legitimate organisation should publish a full street address and a contact telephone number (Consumer Direct, 2010); an organisation offering only an email address or a post office box cannot be relied on and could be fraudulent. Payment methods are included because different payment types face different threats. Reviewing the privacy policy shows whether the company shares data with third parties and, equally important, how it protects the data supplied to it.

Lastly, users should be aware of cookies. Cookies are small files deposited on the user's system by websites to collect user data and preferences. Regulation 6 of the UK Privacy and Electronic Communications Regulations requires a website that uses cookies to tell the user the purpose of the cookies and how they can be removed or refused. Organisations claim, however, that parts of their websites will not work if cookies are disabled.

Customer security issues


Secure Sockets Layer and seals
All the websites provided SSL and displayed a seal, except Freebooter, which had neither. However, SSL was applied only at certain stages of the payment process. Reaper and Games Workshop used SSL to encrypt both customer contact details and payment details, so customer details were protected throughout. Foundry, by contrast, used SSL only for the payment details, so customer contact details were sent in the clear.

Organisational contact details
Full contact details, comprising business address, telephone number and email address, were provided by Games Workshop, Foundry and Reaper Miniatures. This means customer issues can be raised directly and it is unlikely that these are fraudulent companies. The fourth site provided only a business address and an email address, making it less trustworthy: security issues that arise cannot be resolved quickly when email and post are the only methods of contact.


Types of payment accepted
Foundry and Games Workshop accept payment by credit card and PayPal, and also cheques and postal orders from customers in the United Kingdom, where both organisations are located. Reaper Miniatures accepts credit card and PayPal only. Freebooter accepts bank transfer, cheques in euros and credit cards. Although cheques and money orders are acceptable methods of payment (Consumer Direct, 2010), the customer must be aware that they carry the risk of sending payment before receiving the goods. Credit cards and PayPal offer more protection if there is a payment dispute.

Privacy policies
Foundry has no privacy policy of any sort, so it is not known how customer data is protected or used. Reaper Miniatures has a privacy policy stating, in one sentence, that it takes the protection of customer data seriously; no attempt is made to clarify to what extent the data is protected, whether it is shared with third parties or how it is processed. Freebooter has a privacy policy which states that it:
- does not share data with third parties
- encrypts order information
- is not accountable if its site comes under attack by criminals

The claim that order information is encrypted is not borne out: when contact details are entered before making a purchase, the data is not protected by SSL. The further claim that the organisation is not accountable if its website is attacked shows that security is not of great importance to it.

Games Workshop has a privacy policy which states:
- how data is collected and for what purpose it is used
- that data is sometimes shared with third parties, but only with the authorisation of the user
- that it is not responsible for the links it provides to other websites
- how it uses cookies
- that it offers an option to remove personal information
- that it applies age restrictions to protect impressionable young people

Games Workshop therefore provides the more transparent privacy policy, stating how it protects, processes and shares customer data.

Cookies
Of the four websites, the only one that explains how it uses cookies is Games Workshop. All four appeared to use cookies: when customer details were entered at a website at one time and the same customer returned later and began to enter their details again, the fields were filled in automatically. This behaviour is consistent with cookie use, though a browser's own form autofill can produce the same effect, so on its own it is not conclusive proof.

Organisation security issues


The table below identifies security issues that can affect the online organisations and the security implications of each.

Security issue              Games Workshop   Reaper Miniatures   Foundry   Freebooter   Total
Freelance staff required    Yes              Yes                 No        No           2
Accepts customer images     Yes              Yes                 No        Yes          3
Accepts emails              Yes              Yes                 Yes       Yes          4
Uses SSL                    Yes              Yes                 Yes       No           3
Uses watermarking           Yes              Yes                 No        Yes          3

Freelance staff
Freelance staff are not based at the organisation's premises and therefore need remote access to its systems, which presents security issues if the connection is not secured. Freelance staff can be configured to work securely through a VPN. A virtual private network is a private network that uses an untrusted network such as the internet to carry secure data communications by means of tunnelling protocols and security policies (Whitman and Mattord, 2009).

Accepts customer images
According to the table above, the three organisations that accept images are exposed to infection from image files that may contain malicious code (Elledge, 2007). Anti-virus software can be implemented to mitigate the problem, and uploaded files should be checked on the server to confirm that they really are images of the expected type rather than trusting the file name.

Accepts customer emails
All the online organisations accept customer emails, which leaves them open to spam and phishing attacks that can result in infected systems and data theft (Choo, 2008). Effective anti-virus software can be implemented as a countermeasure.

Uses SSL
Organisations that do not use SSL to encrypt data are vulnerable to interception of their traffic, because customer details and credit card details travel across the network unprotected. SSL encrypts the data between the client and the website (Microsoft, 2010); it does not protect data once it is stored on the server, which must be secured separately.

Uses watermarking
None of the online organisations was found to apply digital watermarking to protect the images it publishes from being copied. A digital watermark embeds an electronic signature in an audio or image file, which can then be used as evidence of ownership (Sans, 2002). Without it, images can be reused elsewhere without permission.

The importance of a secure website


To give a clear picture of the seriousness of malware attacks on websites, consider the following statistics (Dasient, 2009):
- a web page is infected every 1.3 seconds
- 77% of websites compromised with malware are legitimate sites that have been infected
- between 2008 and 2009 the number of malicious web pages increased by 671%
- 57% of data theft is conducted online

Figures 1 and 2 below further illustrate the extent of the problem.

[Figures 1 and 2: graphs of web malware statistics. Source: Dasient (2009)]

The attacks described in this section apply to all four websites discussed above. The threats are described first, followed by the corresponding countermeasures.

File upload forms
Permitting users to upload files to a website is similar to leaving a back door open for attackers to take advantage of the web server (Calin, 2009). Today's business web applications allow file uploads in order to increase business efficiency, but the more control the end user is given, the greater the threat to the website and the greater the chance that an attacker can take control and compromise the site. The typical case is an uploaded file that is really a server-side script, given an image-like name and then requested back from the web root so that the server executes it.

SQL injection
SQL injection is one of the attacks that can be used to steal information from an organisation (Acunetix, 2010). It exploits weaknesses in the code of web applications that allow a malicious user to inject SQL commands, for example through a login form, giving access to information residing in the database.

CRLF injection attacks and HTTP response splitting
CRLF injection, of which HTTP response splitting is the best-known form, is another serious web attack (Acunetix, 2010). The CRLF (Carriage Return and Line Feed) characters matter to programmers because HTTP separates one header from the next, and the header block from the body, by where the CRLF sequence is located. If an attacker can inject CRLF sequences into user-supplied data that the application copies into an HTTP header, they can terminate that header and append headers or body content of their own. For instance, suppose a website has a members' section. An attacker sends a member an email containing a crafted link that looks authentic and appears to come from the site. When the member clicks the link, a page displaying the attacker's content appears in the victim's browser, because the attacker has injected HTML into the member's browser through the web server's own response. Variations of this attack include poisoning a user's web cache, setting cookies, cross-site scripting (XSS), defacement of site pages and data theft.

Retaliatory measures
File uploads: to counter threats from file uploads, prevent existing files from being overwritten, validate uploads on the server (client-side checks are a usability aid only, since an attacker can bypass them), store uploaded files in a folder outside the web server root so they cannot be requested and executed, and scan them with anti-virus software (Calin, 2009).

SQL injection: secure coding requires parameterised queries, also referred to as prepared statements. These protect against SQL injection because the database driver handles the parameters as data, so input can never be interpreted as part of the SQL statement (Gallagher et al., 2006, p. 350).

CRLF injection and HTTP response splitting: a countermeasure is to sanitise URLs, and any other user input placed into headers, on pages that perform server-side redirection, rejecting or stripping CR and LF characters including their percent-encoded forms (Acunetix, 2010).
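The three countermeasures above, carried through as an added Python example. This is editorial example code, not code from any of the four sites or from the cited sources. It assumes an upload directory outside the web root, a SQLite users table and a redirect handler that builds a Location header; the helper names, the sample table, the password hashing and the attack inputs are all constructed for the example. The same content check also serves the customer-image point in the organisation security issues section: any image a customer submits should be verified the same way.

```python
import hashlib
import re
import secrets
import sqlite3

# ---- 1. File uploads: validate on the server, never trust the file name ----
# Hypothetical policy: only these image types, stored under a random name in a
# directory the web server does not serve (assumed, e.g. /srv/uploads).
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",          # JPEG magic bytes
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",     # PNG signature
    "gif": b"GIF8",                  # GIF87a / GIF89a
}

def check_upload(filename, data):
    """Return a server-chosen storage name, or None if the upload is rejected.
    Rejects unknown extensions and files whose bytes do not match the claimed
    type (e.g. a PHP script renamed to .jpg). The random name means an attacker
    cannot overwrite an existing file by choosing its name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return None
    if not data.startswith(ALLOWED_TYPES[ext]):
        return None
    return secrets.token_hex(16) + "." + ext

# ---- 2. SQL injection: string building versus a parameterised query ----
def hash_pw(password):
    # Plain SHA-256 keeps the example short; a real site uses a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    """Constructed in-memory users table for the example; one known account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("s3cret")))
    return conn

def login_vulnerable(conn, username, password):
    # User input is pasted into the SQL text, so quotes in it become SQL syntax.
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, hash_pw(password)))
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    # Placeholders: the driver passes the values as data, never as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, hash_pw(password))).fetchone() is not None

# ---- 3. CRLF injection into a redirect (Location) header ----
CRLF_RE = re.compile(r"[\r\n]|%0[aAdD]")   # raw or percent-encoded CR/LF

def redirect_vulnerable(target):
    """Copies the user-supplied target straight into the header block."""
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"

def sanitize_redirect(target):
    """Reject CR/LF in any form and allow only same-site relative paths
    (the same-site rule is an added assumption, not in the source)."""
    if CRLF_RE.search(target):
        raise ValueError("CR/LF in redirect target")
    if not target.startswith("/") or target.startswith("//"):
        raise ValueError("only same-site relative redirects are allowed")
    return target

def redirect_safe(target):
    return "HTTP/1.1 302 Found\r\nLocation: " + sanitize_redirect(target) + "\r\n\r\n"

def header_names(response):
    """Header names the client would see, to show the effect of a split."""
    head = response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "' OR 1=1 --", "anything"))   # True: bypassed
    print(login_safe(conn, "' OR 1=1 --", "anything"))         # False
    evil = "/home\r\nSet-Cookie: session=attacker"
    print(header_names(redirect_vulnerable(evil)))            # ['Location', 'Set-Cookie']
```

The injected username closes the quoted string and comments out the password check, so the string-built query matches any row; the placeholder version compares the whole payload against the username column and finds nothing. The redirect case shows the split directly: the attacker's text lands in the header block as a second header, which is exactly what the sanitiser refuses.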

The importance of a secure electronic payment system


Online payment security must be balanced against the fact that users will be discouraged from using a system that is time-consuming and complicated. The attacks described in this section also apply to all four websites discussed above. The threats are described first, followed by the countermeasures.

HTML-based email
Email messages can be sent containing text or graphics (Elledge, 2007). Attackers send malicious emails in HTML format, incorporating graphics to make the message look authentic, as if it originated from a reputable organisation.

HTML forms
This uses a similar method to HTML-based email, but involves an HTML form embedded within the body of an HTML email (Elledge, 2007). A hidden URL is attached to the submit button, so that when the user completes the form their details are sent to the attacker. The form is used to attract the user.

Social engineering
This method tries to deceive a user into releasing personal information by convincing them that the request originates from a trusted individual or organisation (Elledge, 2007). The fraudulent emails claim to come from a legitimate source, so they are more likely to be trusted.

Spear phishing
Spear phishing is directed at a specific group or organisation (Elledge, 2007). The attacker sends an email made to appear as if it originated from within the organisation. Users will probably open the email and its contents if they assume it came from an internal source. However, its contents, such as attachments, contain a Trojan horse that creates a back door into the system with the intention of stealing financial data.

Botnets
A botnet consists of a network of computers compromised by malicious software, often with the intention of sending spam, although botnets can also be used to commit other criminal acts. "In June 2006, botnets sent an estimated 80% of e-mail spam, an increase of 30% from 2005" (Elledge, 2007, p. 11).

Retaliatory measures
Two-factor authentication
This is a method that requires a user to present two different kinds of evidence to validate their credentials (Elledge, 2007). For instance, the user is first authenticated with login credentials (username and password), and then a one-time password is generated that provides an extra layer of security: a phished password alone is no longer enough to log in. The one-time code should be compared in constant time and accepted only once, so that an attacker who captures it cannot replay it.

Anti-virus software
Although phishing itself is not caused by viruses (Elledge, 2007), once a user is infected by a worm it can download a Trojan horse capable of recording personal data. This is where anti-virus software can be an effective tool. Best security practice recommends that all users have anti-virus software installed on their systems, regardless of their perception of phishing.

Firewalls
Some current firewall products can block phishing and spam through heuristic rules that are updated as new threats are discovered (Elledge, 2007). They identify the source of the emails through IP addresses and the website addresses of known phishing sites.

User education
Education is an important part of the fight against phishing (Elledge, 2007). Users need to be trained to follow these rules:
- do not reply to emails that request account confirmation information; instead contact the company to confirm that the email is genuine
- when entering information on a website, ensure that https is in use
- do not send sensitive data in an email
- report anything out of the ordinary
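The two-factor step described under the retaliatory measures, as an added Python example. This is editorial code, not from Elledge or from any of the four sites. It implements the HMAC-based one-time password of RFC 4226 and the time-based variant of RFC 6238, and wraps them in a login that requires the password first and then a code valid for the current 30-second step, compared in constant time and rejected if replayed. The user table, the password hash, the time values and the shared secret (the RFC 4226 test-vector secret) are constructed for the example; a real deployment would keep each user's secret in protected storage and use a slow salted password hash.

```python
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6):
    """HMAC-based one-time password, RFC 4226 (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at=None, step=30, digits=6):
    """Time-based variant, RFC 6238: the counter is the current 30-second step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)

def hash_pw(password):
    # SHA-256 keeps the example short; use a salted, slow hash in production.
    return hashlib.sha256(password.encode()).hexdigest()

class TwoFactorLogin:
    """First factor: password. Second factor: TOTP code from the user's device.
    Accepts the current step and one step either side to tolerate clock drift,
    and never accepts a step at or before the last one used (replay protection)."""

    def __init__(self, users, step=30, window=1):
        self.users = users          # {username: (password_hash, totp_secret)}
        self.step = step
        self.window = window
        self.last_step = {}         # username -> last accepted time step

    def login(self, username, password, code, at=None):
        if at is None:
            at = time.time()
        record = self.users.get(username)
        # Same answer for unknown user and wrong password, so usernames cannot be enumerated.
        if record is None or not hmac.compare_digest(hash_pw(password), record[0]):
            return "bad-password"
        secret = record[1]
        now_step = int(at // self.step)
        for k in range(-self.window, self.window + 1):
            candidate = now_step + k
            if candidate <= self.last_step.get(username, -1):
                continue        # already used, or older than one already used: reject replay
            if hmac.compare_digest(hotp(secret, candidate), code):
                self.last_step[username] = candidate
                return "ok"
        return "bad-otp"

# Constructed sample data: RFC 4226's test secret, one user, password "s3cret".
RFC4226_SECRET = b"12345678901234567890"

def demo_users():
    return {"alice": (hash_pw("s3cret"), RFC4226_SECRET)}

if __name__ == "__main__":
    auth = TwoFactorLogin(demo_users())
    t = 59  # RFC 6238 test time: step 1, expected code 287082
    print(auth.login("alice", "s3cret", totp(RFC4226_SECRET, t), at=t))   # ok
    print(auth.login("alice", "s3cret", totp(RFC4226_SECRET, t), at=t))   # bad-otp (replay)
    print(auth.login("alice", "wrong", totp(RFC4226_SECRET, t), at=t))    # bad-password
```

The second call with the same code fails even though the code is still within the time window, which is the property that makes a captured one-time password useless to a phisher who replays it a few seconds later.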

Additional retaliatory measures that can be applied by an online retailer can be found in appendix 3.

Business models employed and how the security can be enhanced


There are seven business models, but those employed by the four websites fall into the following:
- advertising-based model
- merchant model
- manufacturing model
- commission-based model

The advertising model is one in which the website owner offers free content or services to draw end users (Afuah and Tucci, 2003); income is then generated by selling advertising aimed at the visitors attracted to the site. The manufacturing model is one in which manufacturers sell to customers directly from their websites, in order to reduce costs and to observe customer habits. The merchant model is employed by wholesalers or retailers: an organisation buys goods from a manufacturer and sells them directly to customers. A commission-based model is a business that depends on commissions as its main source of revenue.

The business model employed by Games Workshop, Foundry and Reaper Miniatures is the manufacturing model, because they manufacture products that they sell directly through their websites. Freebooter operates a merchant model because it sells finished products. All the organisations except Foundry also operate an advertising model, with links to other organisations. Games Workshop additionally operates a commission-based model by allowing users to become stockists and earn a commission on sales.

The security of these models can be enhanced by ensuring that customers are protected from attack, that customer data residing on the server is protected, and that SSL is used to encrypt both customer data and credit card details. Anti-virus software should be installed on the systems and all data inputs to databases sanitised. A VPN must be configured for remote clients, and monitoring must be enabled on servers. Business continuity can be provided by taking backups regularly and testing the backup tapes to ensure they actually hold the data. Site-to-site synchronisation must be configured so that the website's data is copied to another site; in the event of a disaster, site traffic can then be directed to the alternative site, maintaining business continuity.

Conclusion
In this report four e-commerce sites were compared and contrasted with the aim of addressing security issues for the client and the company. Attention was paid to the importance of securing online payments and the website itself. The business models of the sites were identified and security measures proposed to strengthen them, and recommendations were made on providing business continuity. Security is a major factor for an online business: organisations that do not attend to the security needs of their organisation and their clients will lose their reputation and go out of business.


References:
Lemieux, K. (2002). Shopping for security. [online] SANS Institute. Available from: <http://www.sans.org/reading_room/whitepapers/ecommerce/shopping-security_869> [Accessed 20 May 2010]
Consumer Direct (2010). Consumer Direct - Safe shopping. [online] Available from: <http://www.consumerdirect.gov.uk/before_you_buy/online-shopping/safe-shopping> [Accessed 20 May 2010]
Microsoft (2010). Microsoft online safety - How to shop online more safely. [online] Available from: <http://www.microsoft.com/protect/fraud/finances/shopping_us.aspx> [Accessed 20 May 2010]
Simmons (2006). The secure online business handbook: a practical guide to risk management and business continuity. 4th ed. United Kingdom: Kogan Page.
Acunetix (2010). Web application security. [online] Available from: <http://www.acunetix.com/websitesecurity/cross-site-scripting.htm> [Accessed 20 May 2010]
Dasient (2009). Drive-by downloads, web malware threats, and protecting your websites and your users. [online] SANS Institute. Available from: <http://www.sans.org/reading_room/whitepaper/threats/342.php> [Accessed 21 May 2010]
E-payment (2010). Online e-payment. [online] Available from: <http://www.epayment.com.au/online_diagram.php> [Accessed 16 May 2010]
Elledge, A. (2007). Phishing: an analysis of a growing problem. [online] SANS Institute. Available from: <http://www.sans.org/reading_room/whitepapers/threats/phishing-analysis-growingproblem_1417> [Accessed 17 May 2010]
Calin, B. (2009). Why file upload forms are a major security threat. [online] Acunetix. Available from: <http://www.acunetix.com/websitesecurity/upload-forms-threat.htm> [Accessed 16 May 2010]
Gallagher et al. (2006). Hunting security bugs. [online] United States: Microsoft Press. Available from Safari Books Online: <http://proquest.safaribooksonline.com.ezproxy.westminster.ac.uk/073562187X> [Accessed 16 May 2010]
SANS (2001). Steganography: why it matters in a "post 911" world. [online] Available from: <http://www.sans.org/reading_room/whitepapers/covert/steganography-matters-post-911world_676> [Accessed 16 May 2010]
Afuah, A. and Tucci, C. (2003). Internet business models and strategies. 2nd ed. New York: McGraw-Hill.
Choo, K. and Smith, R. (2008). Criminal exploitation of online systems by organized crime groups. [online] Springer. Available from: <http://www.springerlink.com/content/l437117571870577/> [Accessed 18 May 2010]

Appendices
Further information

Appendix 1: PCI compliance
E-commerce sites whose systems process credit card information are required to adhere to the Payment Card Industry Data Security Standard (PCI DSS) (Simmons, 2006) or face the possibility of sanctions, in the form of heavy fines or, in serious cases, a full restriction on processing credit card payments. The standard was developed by Visa, MasterCard and the other card companies to combat identity theft and online fraud. It comprises twelve requirements against which e-commerce retailers are assessed in order to be permitted to process credit cards; compliance validation includes vulnerability scans every three months. In short, the online retailer must:
1. install and correctly configure a firewall to safeguard cardholder data
2. not use vendor-supplied default passwords on any device
3. protect stored cardholder data from threats and intrusions
4. encrypt cardholder data whenever it is transmitted
5. install and keep updated anti-virus software
6. develop and maintain secure systems and applications
7. restrict access to data to authorised users only
8. assign a unique identifier to every user with system access
9. restrict physical access to cardholder data
10. monitor systems and all access to data
11. test security systems and processes regularly
12. maintain an information security policy

The standard does have disadvantages, however: its security requirements tend to be expensive for the retailer to meet.

Appendix 2: ISO 17799

Control A.10.9.2 of ISO 17799 was developed for online transactions, with the aim of ensuring that transaction data is authentic and protected from being altered, copied or disclosed, and cannot be used for fraudulent purposes (Simmons, 2006). ISO 17799 makes the following recommendations:
- electronic signatures for commercial transactions
- technical controls for user access, strong passwords, SSL and a privacy policy
- encryption controls for emails and other data
- sensitive information not to be held on the public-facing system, but made available from within the organisation's perimeter through a secure server
- security implemented end to end within a trusted relationship
- legal issues addressed with regard to the jurisdiction in which the transaction occurs and the legal arrangements required to protect it (legal advice will be required)

The standard does not, however, address online fraud or phishing attacks, even though organisations with a large internet presence are the most likely to be exposed to them. These organisations have a duty to warn their customers against revealing their passwords, and must have systems in place to identify fraud quickly.
