Emerging E-Commerce Security Challenges
Posted: Tuesday, October 10, 2006
by Shwan Jaf
Introduction
The ever-increasing use of the Internet and the associated services and technologies are pushing many global businesses into adopting e-commerce as one of the options in carrying out the business of today. Whether it is Business-to-Business (B2B) or Business-to-Customer (B2C), the benefits and the opportunities abound. But as is the case with any human activity, there are associated risks and challenges, most of which are related to network security issues. There are just so many people outside that that are ever on the prowl, looking fort the slightest opportunity to make money from the unwary users of the Web. Sometimes the motive may be to interfere with the business of the competitor, through the Internet. The list can be fairly long. Traditional threats include viruses, worms and Trojans, which can be used to compromise business information confidentiality and integrity, as well affecting the network availability. The mode and nature of the threats and attacks are quite dynamic, tending always to target at the vulnerabilities in the most widely used applications [4], some of which appear innocuous at the face value. Applications like e-mails, instant messaging, spam, etc, may appear harmless to many organizations but these are being used quite successfully to compromise e-commerce security.
Any e-commerce activity must have a well designed and implemented architecture, in which security forms a major component through design to implementation and maintenance [1]. The traditional protections based on firewalls, VPNs, antivirus software, etc, are not enough [2] [3]. Besides the architecture must be designed and implemented in such a manner that it is dynamic in terms of the architecture being both scalable and adoptable. A layered defense approach provides the best protection result in a three-tier scenario. Specific details on security at each tier must take in cognizance the likely attack and threat scenarios. Client-side and server side security details and requirements are similar in some aspects, but there are certain glaring differences in information security requirements.
The client side security must address three issues:
Protection of the information stored in the client computer system to prevent unauthorized access, disclosure, or manipulation of the stored information. This protection needs be both physical and software based. A number of applications are now supporting biometrics as a physical access technology that provides better authentication. Host hardening and the use of secure access controls can greatly enhance client side security.
Repudiation property of the information must be maintained to avoid a customer from disowning a transaction. The use of digital signatures and incorporation of encryption-based approaches when carefully selected and implemented can greatly minimize non-repudiation type of security attacks.
Communication security must be ensured in order to prevent the breeching of information confidentiality and integrity. Encryption and the use of secure HTTP (S-HTTP or HTTPS) must form an integrated component of the solution to this challenge. Use of the right security enhancing protocols is highly recommended. These measures, taken together, will largely minimize the effects of typical communication security threats of eavesdropping by sniffer programs, software backdoors, spoofing, denial of service, etc.
Server-side security is greatly enhanced by separating the e-commerce web server from the application servers and database servers. The web server is open to access from the Internet and can be regarded as an un-trusted or semi-trusted e-commerce component. Sensitive information, such as credit card numbers, should preferably not be stored in the web server. If this has to be done the information has to be encrypted. As is the case with the client machine, physical and logical access control must be strictly enforced based on the company security policy. The server protection is enhanced by considering a number of issues:
- Ensuring a correct physical and network location in a demilitarized zone (DMZ). A dual-homed web-server ensures physical and logical separation between the web traffic and the back-end database server and/or application server.
- The choice and configuration of the web server operating system is critical in e-commerce security. The most secure system should be chosen. The configuration must then be performed with security in mind. As a well accepted general rule, all unnecessary services must be turned off, including DNS services. Vulnerability scanning must be preformed in order to tune the server for maximum security.
- In addition to the server OS the server software must also be carefully selected and configured for maximum-commerce security, money allowing. The basic rules should always be observed, such as always running the server as root or administrator and as a separate account. The web server root should never be same as system root directory in order to avoid directory based attacks to important files.
Application server(s) should preferably be incorporated to further enhance e-commerce security. The application server (AS) shields the database server (dbs) from direct contact with the web server, thereby increasing the security depth layers. A customer, for example, will make a request for some information. This is directly handled by the web server, which passes the information request to the AS. It is the AS that sends query requests to the database server. In the reply path the dbs sends the required data to the AS which processes it and passes the reply to the customer via the web server.
Database security is most critical in e-commerce systems. An intruder can gain access to sensitive data and use it for malicious purposes or can even cripple the operation of the system. An un-available system means loss of customers and business, and this is a situation that should never be allowed to occur in an e-commerce system. Consider the following issues:
- The DBS location must be in the DMZ and should be a completely trusted system.
- Enhance security by demanding for some form of authentication during the query requests to the DBS, particularly when sensitive customer information such as password, user ID, credit card number, etc, are being handled. The IDs should have restricted access rights, typically read only rights.
- The DBS must be correctly configured with security in mind at all times. Audit trailing must be configured for all aborted and successful access attempts, as a basic means of intrusion detection.
- Methods of disaster recover must planned out and implemented, together with all the transaction updates.
Emerging e-commerce security issues
There is no doubt that between viruses and Trojans, the latter are the more potent threat to e-commerce systems. Not to say that viruses are no major concern. They are a nuisance and their presence in client or server machines often results in non-availability of e-commerce services through denial-of-service type attacks. Virus and worms will continue to be around and dynamic protective actions must always be in place. And much more so with the continued emergence of multi-vectored viruses and worms. Trojans, on the other hand, are the hidden malware that can secretly send out confidential and critical e-commerce information to competitors or other malicious users. These programs can be written to cleverly bypass authentication and authorization mechanisms in an e-commerce system. In this way the Trojans can be used to defeat almost all the purposes of e-commerce security systems, such as confidentiality, integrity and availability.
Based on the Trojan threats there are certain applications that pose serious security problems for e-commerce systems. Some of these threats include emails, spam, instant messaging, spyware, active content and cookies.
E-mails are increasingly being used by employees, usually through the local network and the web access that is sued for e-commerce. Through email attachments Trojans or malware can be installed in the business network and can cause the above mentioned security breeches in the client and server machines. E-commerce systems will have to merge tight security policies and content scanning and filtering technologies to minimize the effects of Trojans through emails.
Instant Messaging (IM), P2P and chat applications are ever increasing. These applications are quite useful to company employees but are emerging as a worrying source of Trojan-based attacks. Hall [5] reports certain mind-boggling statistics on the number of IM attacks: a growth rate of 1,693% and 2,403 unique types of threats! Intelligent worms are already emerging which can take advantage of these seemingly harmless applications and take control of e-commerce networks.
Spyware and phishing are also emerging as major headaches for the present and future e-commerce security. The Anti-Phishing Working Group [6] reports that the phishing attacks increased from 8,800 in December 2004 to 15,200 in December 2005, with the sites increasing by over 400% over the same period. The Trojans used in these attacks are able to bypass most of the traditional security mechanisms and gain access to files and redirect files to phished sites.
Cookies and active contents are another major source of increasing worry in e-commerce security. Both are useful in client and server machines due to the stateless nature of HTTP. Cookies are used by web browser to store certain transactional information during e-commerce interaction. Critical information such as credit card numbers, pass words and user IDs are often affected. Trojans and viruses can access these files and tamper with the information or send the information to other sites for malicious use. Active contents are becoming increasingly useful in e-commerce services, such as placing items in shopping carts and calculating invoice amounts, etc. Malware can be embedded with these plug-in and violate secrecy and integrity aspects of security.
The list for these emerging "hidden" threats can be long since the designers for malware are always looking for some way of "breaking into the system". Spam or un-solicited mail is one such malware. The mail can overwhelm an enterprise network. The hackers can use spam to render a targeted network unavailable, with the usual dire consequences.
Conclusion
E-Commerce systems are set to continue growing, but so do the security threats and attacks. The systems vulnerabilities stem from the fact that the underlying fabric of the Internet was not built with security in mind. A number of protocols are emerging with security in mind but most of these are reactionary. The hackers, on the other hand, are proactionaries and the gap is bound to remain. With the rights technologies and practices, the effects, especially financial, will be minimized. The need for corporate user training can not be overstated. Most of the reported security breeches are a s result of lack of user awareness on the effects of their actions on the overall system security. So is the case with frequent vulnerability testing and updates on both hardware and software.
References
[1] Anderson Consulting and CERIAS. (2002) " Policy framework for interpreting Risk in eCommerce Security"
Web site http://www.cerias.purdue.edu/news_and_events/events/securitytrends/1999_pfires.pdf
(Accessed September 29, 2006).
[2] Dillard Clayton T. (2001) "eCommerce and defense in depth", SANS Institute, 2003. Web site http://www.iseca.org/mirrors/sans.org/18-571.pdf (Accessed October 1, 2006).
[3] Randy C.M, Tront J.G. (2002) "e-commerce security issues" Proceedings of the 35 th Annual Hawaii International Conference on systems sciences (HICSS-35'02).
Web site < http://csdl2.computer.org/comp/proceedings/hicss/2002/1435/07/14350193.pdf > (accessed October 1, 2006).
[4] Symantec Press release, September, 2004. "Symantec Internet Security Threat Report Identifies More Attacks Now Targeting e-Commerce, Web Applications"
Web site http://www.symantec.com/press/2004/n040920b.html (Accessed October 3, 2006)
[5] Hall M. (2006) "IM threats steadily Evolving"
Web site http://www.esecurityplanet.com/trends/article.php/3577386 (Accessed October 3, 2006).
[6] Bourque L. (2006) "Phishing Comes of Age"
Web site http://www.esecurityplanet.com/trends/article.php/3588426 (Accessed October 3, 2006)
This Article has been viewed 2,475 times. (Not updated in real-time.)
No comments yet.We want your comments! If you can read this, you don't have javascript enabled, so you can't use this comment system. Please enable javascript.