Chapter 12 Management of Electronic Commerce Security The business world has taken this to heart when it has come to the Internet. Companies have ventured onto the Information Superhighway in increasing numbers to "reduce distribution and marketing costs, eliminate the middleman, increase efficiency, promote impulse transactions and streamline distribution to far-flung locales"as well as to "connect directly with consumers at home, streamline operations and internal transactions, and increase business-to-business sales More importantly, electronic commerce ("e-commerce)stands on the threshold of broad global acceptance. According to projections by one research firm, worldwide e-commerce sales will reach as high as $3. 2 trillion in 2003, representing nearly five percent of all global sales. As a esult, people have to pay great attention to secure issues of e-commerce 12.1 Risks of network transactions and general ideas for management of security 12.1. 1 Risks in Electronic commerce Conducting business over the Internet is an area of developing law and carries with it isks, The Internet allows anyone to reach any number of new markets, regardless of geogra This raises several questions, such as Two parties can exchange and accept an offer on-line, but without a physical signature, does this constitute an enforceable contract? What are the risks in listing the same items on multiple on-line exchanges? If one of the parties to an on-line transaction files suit, which court would have What if a valid contract in this country is nullified by the laws in another? 1. Legal risks E-commerce transactions expose you to the highest possible jurisdictional risk; most contracts are negotiated over the Internet but finalized on paper. In the future, the goal is to eliminate that paperwork, which will require some sort of electronic signature. Some states already have electronic-signature laws designed to protect the parties to Internet contracts, but the requirements differ from state to state Currently on-line transactions generally aren't subject to sales tax, but don't look for that to last. It is difficult to believe that Internet transactions will not be taxed. Ultimately a tax system will be implemented, but the government has given it a free ride for the time being Intellectual property is often commandeered and abused on the Internet. It is urged that companies get the proper trademarks and copyrights on all materials posted on their Web sites Apart from legal risks in Electronic commerce, there are other risks as follows Authentication Privacy and Protection of Information Fraud and Misrepresentat Reliability of trading partners Measures of management. Including secure systems of transactions, real-tim of security, education of security and so on 12. 1. 2 General ideas for Management of Security Electronic commerce encompasses all aspects of using the Internet for business or personal Internet. For some, it is simply the ease of communication, for others, having the alver the use. Now, more than ever, a great deal of business is performed in one way or another
Chapter 12 Management of Electronic Commerce Security The business world has taken this to heart when it has come to the Internet. Companies have ventured onto the Information Superhighway in increasing numbers to “reduce distribution and marketing costs, eliminate the middleman, increase efficiency, promote impulse transactions and streamline distribution to far-flung locales” as well as to “connect directly with consumers at home, streamline operations and internal transactions, and increase business-to-business sales.” More importantly, electronic commerce ("e-commerce") stands on the threshold of broad global acceptance. According to projections by one research firm, worldwide e-commerce sales will reach as high as $3.2 trillion in 2003, representing nearly five percent of all global sales. As a result, people have to pay great attention to secure issues of e-commerce. 12.1 Risks of network transactions and general ideas for management of security 12.1.1 Risks in Electronic Commerce Conducting business over the Internet is an area of developing law and carries with it new risks, The Internet allows anyone to reach any number of new markets, regardless of geography. This raises several questions, such as: ▪ Two parties can exchange and accept an offer on-line, but without a physical signature, does this constitute an enforceable contract? ▪ What are the risks in listing the same items on multiple on-line exchanges? ▪ If one of the parties to an on-line transaction files suit, which court would have jurisdiction? ▪ What if a valid contract in this country is nullified by the laws in another? 1. Legal risks E-commerce transactions expose you to the highest possible jurisdictional risk; most contracts are negotiated over the Internet but finalized on paper. In the future, the goal is to eliminate that paperwork, which will require some sort of electronic signature. Some states already have electronic-signature laws designed to protect the parties to Internet contracts, but the requirements differ from state to state. Currently on-line transactions generally aren't subject to sales tax, but don't look for that to last. It is difficult to believe that Internet transactions will not be taxed. Ultimately a tax system will be implemented, but the government has given it a free ride for the time being. Intellectual property is often commandeered and abused on the Internet. It is urged that companies get the proper trademarks and copyrights on all materials posted on their Web sites. Apart from legal risks in Electronic commerce, there are other risks as follows: ▪ Authentication. ▪ Privacy and Protection of Information. ▪ Fraud and Misrepresentation. ▪ Reliability of trading partners. ▪ Technology Risk. ▪ Measures of management. Including secure systems of transactions, real-time monitoring of security, education of security and so on. 12.1.2 General ideas for Management of Security Electronic commerce encompasses all aspects of using the Internet for business or personal use. Now, more than ever, a great deal of business is performed in one way or another over the Internet. For some, it is simply the ease of communication, for others, having the ability to
research topics, products, or even people makes the Internet an absolute necessity for business Businesses have begun exploiting the Internet for commercial transactions. Recognizing the dangers in sending confidential information over an inherently insecure media, a number of secure data transport protocols have emerged. Minimally, these protocols encrypt sensitive information such as credit card numbers to prevent unauthorized people from capturing the data. Some protocols even facilitate payment for merchants through banking institutions Even with the strong security provided in the transport of data, e-commerce security still remains elusive. In practice, most security violations occur through other avenues than breaking cipher text. Often, we infer security from encryption when we are so vulnerable otherwise In order to provid a secure platform for Electronic commerce, at least, three measures should be taken Measures of technology. Such as firewall technology, anti-virus, identification, authorization and so on Measures of laws Only by combining the above three factors, can we creat a secure environment for Electronic commerce 12.2 Client Certification Technology With the explosive growth of the Internet and its continued potential, e-commerce security has evolved from an information technology infrastructure concern to a business concern. We should have access to "information system security, control and audit practitioners with a concise guidebook of specific technologies, procedures, protocols and best practices relating to secure Internet-enabled e-commerce. By having these technologies, procedures and protocols in place e-business continuity can be maintained Lack of privacy organization and its business, along with system slowdowns and downtime. It is imperative that business or e-commerce has the organizational, architectural and procedural approaches in place so security, reliability and availability of e-business transactions are consistently in working order Client certification includes Identification and Authentication, which guarantees complete authentic and deniable communications 12.3 To Serve and Prevent from hacker 12.3. 1 Basic Concept of Hacker Hacker is a slang term for a computer enthusiast. Among professional programmers, the term hacker implies an amateur or a programmer who lacks formal training. Depending on how it used, the term can be either complimentary or derogatory, although it is developing an increasingly derogatory connotation. The pejorative sense of hacker is becoming more prominent largely because the popular press has co-opted the term to refer to individuals who gain unauthorized access to computer systems for the purpose of stealing and corrupting data. Hackers, themselves maintain that the proper term for such individuals is cracker the he basic difference between hackers and crackers is. hackers build things, crackers break There is a community, a shared culture, of expert programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term hacker. Hackers built the nternet. Hackers made the Unix operating system what it is today. Hackers run Usenet. Hackers make the World wide Web work There is another group of people who loudly call themselves hackers, but aren't. These are people(mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these peoplecrackers' and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word"hacker to describe crackers; this irritates real hackers no end
research topics, products, or even people makes the Internet an absolute necessity for business. Businesses have begun exploiting the Internet for commercial transactions. Recognizing the dangers in sending confidential information over an inherently insecure media, a number of secure data transport protocols have emerged. Minimally, these protocols encrypt sensitive information such as credit card numbers to prevent unauthorized people from capturing the data. Some protocols even facilitate payment for merchants through banking institutions. Even with the strong security provided in the transport of data, e-commerce security still remains elusive. In practice, most security violations occur through other avenues than breaking cipher text. Often, we infer security from encryption when we are so vulnerable otherwise. In order to provid a secure platform for Electronic commerce, at least, three measures should be taken: ▪ Measures of technology. Such as firewall technology, anti-virus, identification, authorization and so on.. ▪ Measures of laws. Only by combining the above three factors, can we creat a secure environment for Electronic commerce. 12.2 Client Certification Technology With the explosive growth of the Internet and its continued potential, e-commerce security has evolved from an information technology infrastructure concern to a business concern. We should have access to "information system security, control and audit practitioners with a concise guidebook of specific technologies, procedures, protocols and best practices relating to secure Internet-enabled e-commerce." By having these technologies, procedures and protocols in place, e-business continuity can be maintained. Lack of privacy, integrity and confidentiality can cause tremendous damage to an organization and its business, along with system slowdowns and downtime. It is imperative that e-business or e-commerce has the organizational, architectural and procedural approaches in place so security, reliability and availability of e-business transactions are consistently in working order. Client certification includes Identification and Authentication, which guarantees complete, authentic and deniable communications. 12.3 To Serve and Prevent from Hacker 12.3.1 Basic Concept of Hacker Hacker is a slang term for a computer enthusiast. Among professional programmers, the term hacker implies an amateur or a programmer who lacks formal training. Depending on how it used, the term can be either complimentary or derogatory, although it is developing an increasingly derogatory connotation. The pejorative sense of hacker is becoming more prominent largely because the popular press has co-opted the term to refer to individuals who gain unauthorized access to computer systems for the purpose of stealing and corrupting data. Hackers, themselves, maintain that the proper term for such individuals is cracker. The basic difference between hackers and crackers is: hackers build things, crackers break them. There is a community, a shared culture, of expert programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term ‘hacker’. Hackers built the Internet. Hackers made the Unix operating system what it is today. Hackers run Usenet. Hackers make the World Wide Web work.. There is another group of people who loudly call themselves hackers, but aren't. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people ‘crackers’ and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end
12.3.2 Different Ways of Attack Made by Hacker Electronic communication networks and information systems are now an essential part of daily lives and are fundamental to the success of the economy Networks and information systems are converging and becoming increasingly interconnected. Despite the many and obvious benefits of this development, it has also brought with it the worrying threat of intentional attacks against information systems. These attacks can take a wide variety of forms including illegal access, spread of malicious code and denial of service attacks. It is possible to launch an attack from anywhere in the world, to anywhere in the world, at any time. New, unexpected forms of attacks could occur in the future. Threats against computer systems include 1. Unauthorized access to information systems This includes the notion of"hacking". Hacking is gaining unauthorized access to a computer or network of computers. It can be undertaken in a variety of ways from simply exploiting inside information to brute force attacks and password interception. It is often though not always with malicious intent to either copy, modify or destroy data. Intentional corruption of websites can be one of the aims of unauthorized access 2. Disruption of information systems ber, Different ways exist to disrupt information systems through malicious attacks. One of the known ways to deny or degrade the services offered by the Internet is a" denial of service attack. In a way this attack is similar to fax machines being flooded with long and repeated essages. Denial of service attacks attempt to overload web servers or Internet Service Providers with automatically generated messages. Other types of attacks can include disrupting servers operating the domain name system and attacks directed at"routers" Attacks aimed at disrupting systems have been damaging for certain high profile websites like portals. Companies rely on th availability of their websites for their business and those companies that depend on it for just in time"supply are particularly vulnerable Execution of malicious software that modifies or destroys data The most well known type of malicious software is the virus. Infamous examples include the I Love You"and"Melissa"viruses. About 1l of European users have caught a virus on their home PC. There are other types of malicious software. Some damage the PC itself, whereas others use the PC to attack other networked components. Some programs often called"logic bombs' can lie dormant until triggered by some event such as a specific date, at which point they can cause major damage by altering or deleting data Other programs appear to be genuine, but when opened elease a malicious attack often called Trojan Horses. Another type is a program often called a worm that does not infect other programs as a virus, but instead creates copies of itself, which in turn create even more copies and eventually swamp the system 4. Interception of communications Malicious interception of communications compromises the confidentiality and integrity equirements of users. It is often called"sniffing 5. Malicious misrepresentation Information systems offer new opportunities for misrepresentation and fraud. The taking of someone else's identity on the Internet, and using this for malicious purposes, is often called 12.3.3 Main Technological Skills to Prevent from Hacker If you're worried about viruses or hackers wreaking havoc on your syst some precautionary measures-and breathe a little easier. The best way to make sure your computer is ready to do battle with its many potential enemies is to load it up with software designed to protect it from potential hackers and evil viruses Think of your computer as an extension of yourself: You don 't run into the street without looking both ways and you dont blindly enter crime-ridden areas without taking precautions. Simply put
12.3.2 Different Ways of Attack Made by Hacker Electronic communication networks and information systems are now an essential part of our daily lives and are fundamental to the success of the economy. Networks and information systems are converging and becoming increasingly interconnected. Despite the many and obvious benefits of this development, it has also brought with it the worrying threat of intentional attacks against information systems. These attacks can take a wide variety of forms including illegal access, spread of malicious code and denial of service attacks. It is possible to launch an attack from anywhere in the world, to anywhere in the world, at any time. New, unexpected forms of attacks could occur in the future. Threats against computer systems include: 1. Unauthorized access to information systems This includes the notion of "hacking". Hacking is gaining unauthorized access to a computer or network of computers. It can be undertaken in a variety of ways from simply exploiting inside information to brute force attacks and password interception. It is often though not always with malicious intent to either copy, modify or destroy data. Intentional corruption of websites can be one of the aims of unauthorized access. 2. Disruption of information systems Different ways exist to disrupt information systems through malicious attacks. One of the best known ways to deny or degrade the services offered by the Internet is a "denial of service" attack. In a way this attack is similar to fax machines being flooded with long and repeated messages. Denial of service attacks attempt to overload web servers or Internet Service Providers with automatically generated messages. Other types of attacks can include disrupting servers operating the domain name system and attacks directed at "routers". Attacks aimed at disrupting systems have been damaging for certain high profile websites like portals. Companies rely on the availability of their websites for their business and those companies that depend on it for "just in time" supply are particularly vulnerable. 3. Execution of malicious software that modifies or destroys data The most well known type of malicious software is the virus. Infamous examples include the "I Love You" and "Melissa" viruses. About 11 % of European users have caught a virus on their home PC. There are other types of malicious software. Some damage the PC itself, whereas others use the PC to attack other networked components. Some programs often called 'logic bombs' can lie dormant until triggered by some event such as a specific date, at which point they can cause major damage by altering or deleting data. Other programs appear to be genuine, but when opened release a malicious attack often called 'Trojan Horses'. Another type is a program often called a worm that does not infect other programs as a virus, but instead creates copies of itself, which in turn create even more copies and eventually swamp the system. 4. Interception of communications Malicious interception of communications compromises the confidentiality and integrity requirements of users. It is often called "sniffing". 5. Malicious misrepresentation Information systems offer new opportunities for misrepresentation and fraud. The taking of someone else's identity on the Internet, and using this for malicious purposes, is often called "spoofing". 12.3.3 Main Technological Skills to Prevent from Hacker If you're worried about viruses or hackers wreaking havoc on your system, take some precautionary measures-and breathe a little easier. The best way to make sure your computer is ready to do battle with its many potential enemies is to load it up with software designed to protect it from potential hackers and evil viruses. Think of your computer as an extension of yourself: You don't run into the street without looking both ways and you don't blindly enter crime-ridden areas without taking precautions. Simply put
letting your guard down makes you susceptible to all sorts of bad things. The same goes for your computer, regardless of type or operating system. But, unlike you it probably faces more precarious positions in a day than you do in a year. And if you connect to the Internet, beware Countless unwanted agents are at work in cyberspace, constantly spying on you and hacking into your files for amusement or criminal activity In light of all this, every system should regularly run a basic antivirus software program and have general Internet security safeguards 1. Minimize network access One way to prevent your computer from being hacked is by preventing others from accessing it over the network. Many corporations will use a device called a"firewall"that blocks outside users from gaining access to critical systems or services. In particular, many firewalls are designed to block hacker scans The primary method to secure your computer on the network is to turn off all nonessential network services, such as file sharing, FTP, telnet, and web hosting If your computer is no listening for network connections, a hacker cannot break into it. Services that you do provide, such as file sharing, must be protected with strong passwords 2. Using strong passwords You absolutely must set strong passwords to protect all network services offered by your omputer. Rules for setting strong passwords are based on examining the types of programs used by hackers to crack passwords. Because it takes too long to try every possible password, hackers use programs that try common patterns of words and word permutations, using large dictionaries of English and foreign language words. If you avoid those patterns, your password is much less likely to be guessed by a hacker Never use a password that matches your account name itself, any part of your own name, or any easily obtainable personal information( such as your spouse's name). Do not set a passwor that consists simply of any common English or foreign language word or proper name(whether all lowercase or all uppercase), or any such word written backwards. Do not use a common word with only one or two characters preceding or following it, such as 9gorange or orange 3. Install security patches regularly All software has"bugs". Even if you correctly configure network services on your computer nd use strong passwords, there could be a software defect that still allows a hacker to access your computer. Fortunately, as these bugs are discovered, all the major software vendors implemer fixes, normally called security patches, which they make freely available on their web sites Because even a new computer comes with a copy of its operating system and software that is several weeks to months old, you must look for and download security patches connect your computer to the Stanford network. Then, if you plan to allow any type of network connection, such as file sharing or web hosting, you must regularly check for and download new patches as they are made available 4. Backup computer data Your final line of defense against damage caused by a hacker or other computer failure is to ave good backups of your data files. In some cases, a hacker will deliberately or accidentally erase the files from your disk. Or your disk could suffer a hardware fail, causing loss of data. You could be in serious trouble if the only copy of your research data, latest paper, thesis, or grant proposal was among the lost files
letting your guard down makes you susceptible to all sorts of bad things. The same goes for your computer, regardless of type or operating system. But, unlike you, it probably faces more precarious positions in a day than you do in a year. And if you connect to the Internet, beware: Countless unwanted agents are at work in cyberspace, constantly spying on you and hacking into your files for amusement or criminal activity. In light of all this, every system should regularly run a basic antivirus software program and have general Internet security safeguards. 1. Minimize network access One way to prevent your computer from being hacked is by preventing others from accessing it over the network. Many corporations will use a device called a "firewall" that blocks outside users from gaining access to critical systems or services. In particular, many firewalls are designed to block hacker scans. The primary method to secure your computer on the network is to turn off all nonessential network services, such as file sharing, FTP, telnet, and web hosting. If your computer is not listening for network connections, a hacker cannot break into it. Services that you do provide, such as file sharing, must be protected with strong passwords. 2. Using strong passwords You absolutely must set strong passwords to protect all network services offered by your computer. Rules for setting strong passwords are based on examining the types of programs used by hackers to crack passwords. Because it takes too long to try every possible password, hackers use programs that try common patterns of words and word permutations, using large dictionaries of English and foreign language words. If you avoid those patterns, your password is much less likely to be guessed by a hacker. Never use a password that matches your account name itself, any part of your own name, or any easily obtainable personal information (such as your spouse's name). Do not set a password that consists simply of any common English or foreign language word or proper name (whether all lowercase or all uppercase), or any such word written backwards. Do not use a common word with only one or two characters preceding or following it, such as 99orange or orange!. 3. Install security patches regularly All software has "bugs". Even if you correctly configure network services on your computer and use strong passwords, there could be a software defect that still allows a hacker to access your computer. Fortunately, as these bugs are discovered, all the major software vendors implement fixes, normally called security patches, which they make freely available on their web sites. Because even a new computer comes with a copy of its operating system and software that is several weeks to months old, you must look for and download security patches as soon as you connect your computer to the Stanford network. Then, if you plan to allow any type of network connection, such as file sharing or web hosting, you must regularly check for and download new patches as they are made available. 4. Backup computer data Your final line of defense against damage caused by a hacker or other computer failure is to have good backups of your data files. In some cases, a hacker will deliberately or accidentally erase the files from your disk. Or your disk could suffer a hardware fail, causing loss of data. You could be in serious trouble if the only copy of your research data, latest paper, thesis, or grant proposal was among the lost files
12.4 Secure Management Systems for Network Transactions Systems 2.4.1 Optimize Network Security Architectures 1. Traditional Firewalls Deploying the optimal security architecture, one that is effective and cost-efficient, requires three primary elements: maximum threat protection with minimum risk, high performance and ease of administration. Meeting all three requirements at the same time is a fairly straightforward ask these days, thanks to the advent of integrated virtual private network (VPNyfirewall Firewalls are the gatekeepers that work to control access both in and out of corporate networks. VPNs use encryption and tunneling to privately connect users over a public network. Both indispensable security mainstays, they coexisted quite well for a decade until their integration was prompted by one pesky problem: Firewalls cannot enforce access control of encrypted traffic This dilemma means that companies using stand-alone VPNs must think carefully about the placement of the VPn gateway in relation to the firewall. Certain placements will limit access control and present multiple authentication challenges. Others will affect routing prose thereby All placements, clearly, will require that the vPn remain separate from the firewal saddling security engineers with two devices to manage and maintain, each with its own policies and procedures. By opting to use integrated devices, however, companies can reduce the burden of security administration, while improving protection and performance 2. Integrated Firewalls Most corporate networks seek the same primary security objective: Keep threats to a minimum. An integrated VPN/firewall solution better meets this objective because the VPN gateway, and therefore VPN connectivity, receives protection from the firewall Since the devices share user information, access control keeps prohibited content and users from passing through the firewall, while remote users with permission to access specific resources behind the firewall are recognized and allowed to proceed Without firewall protection, however, a Vpn is vulnerable to a number of threats Stand-alone Vpn gateways only have rudimentary access control techniques--such as packet filtering-that apply solely to the data being transmitted and do not apply to remote users gaining appropriate access to corporate resources Integrated VPN/firewalls can potentially improve performance through the use of cryptographic acceleration cards, which offload processor-intensive cryptographic operations fron the host CPu to a dedicated processor on the card. Integrated bandwidth management addresses network congestion issues by prioritizing business-critical traffic over discretionary traffic to optimize available WAN links Conversely, the use of stand-alone VPNs can actually undermine the efficiency of the security architecture. VPNs placed in front or to the side of the firewall often do not share information with the firewall, posing a problem for traffic passing through from remote access users. The Vpn gateways decrypt traffic, but they do not control access. This means that decrypted connections must also pass through the firewall to obtain clearance, so a user may be forced to authenticate at the vpn gateway and again for every firewall rule requiring 12.5 Laws on E-Commerce Security 12.5.1 The Core legislative concern electronic and digital signatures 1. Definition of Digital signature Digital signature is simply a term for one techno type of electronic signat It involves the use of public key cryptography to""sign"a message, and is perhaps the one type of
12.4 Secure Management Systems for Network Transactions Systems 12.4.1 Optimize Network Security Architectures 1. Traditional Firewalls Deploying the optimal security architecture, one that is effective and cost-efficient, requires three primary elements: maximum threat protection with minimum risk, high performance and ease of administration. Meeting all three requirements at the same time is a fairly straightforward task these days, thanks to the advent of integrated virtual private network (VPN)/firewall solutions. Firewalls are the gatekeepers that work to control access both in and out of corporate networks. VPNs use encryption and tunneling to privately connect users over a public network. Both indispensable security mainstays, they coexisted quite well for a decade until their integration was prompted by one pesky problem: Firewalls cannot enforce access control of encrypted traffic. This dilemma means that companies using stand-alone VPNs must think carefully about the placement of the VPN gateway in relation to the firewall. Certain placements will limit access control and present multiple authentication challenges. Others will affect routing processes. All placements, clearly, will require that the VPN remain separate from the firewall, thereby saddling security engineers with two devices to manage and maintain, each with its own policies and procedures. By opting to use integrated devices, however, companies can reduce the burden of security administration, while improving protection and performance. 2. Integrated Firewalls Most corporate networks seek the same primary security objective: Keep threats to a minimum. An integrated VPN/firewall solution better meets this objective because the VPN gateway, and therefore VPN connectivity, receives protection from the firewall. Since the devices share user information, access control keeps prohibited content and users from passing through the firewall, while remote users with permission to access specific resources behind the firewall are recognized and allowed to proceed. Without firewall protection, however, a VPN is vulnerable to a number of threats. Stand-alone VPN gateways only have rudimentary access control techniques--such as packet filtering--that apply solely to the data being transmitted and do not apply to remote users gaining appropriate access to corporate resources. Integrated VPN/firewalls can potentially improve performance through the use of cryptographic acceleration cards, which offload processor-intensive cryptographic operations from the host CPU to a dedicated processor on the card. Integrated bandwidth management addresses network congestion issues by prioritizing business-critical traffic over discretionary traffic to optimize available WAN links. Conversely, the use of stand-alone VPNs can actually undermine the efficiency of the security architecture. VPNs placed in front or to the side of the firewall often do not share information with the firewall, posing a problem for traffic passing through from remote access users. The VPN gateways decrypt traffic, but they do not control access. This means that decrypted connections must also pass through the firewall to obtain clearance, so a user may be forced to authenticate at the VPN gateway and again for every firewall rule requiring authentication. 12.5 Laws on E-Commerce Security 12.5.1 The Core Legislative Concern: Electronic and Digital Signatures 1. Definition of Digital signature Digital signature is simply a term for one technology-specific type of electronic signature. It involves the use of public key cryptography to “sign” a message, and is perhaps the one type of
electronic signature that has generated the most business and technical efforts, as well as A signature, whether electronic or on paper, is first and foremost a symbol that signifies intent Thus, the definition of"signed"in the Uniform Commercial Code includes"any symbol"so long as it is"executed or adopted by a party with present intention to authenticate writing. "The primary focus, of course, is on the intention to authenticate, which distinguishes a signature from an autograph. Yet, the nature of that intent will vary with the transaction, and in most cases can be determined only by looking at the context in which the signature was made. A signature may, for example, signify an intent to be bound to the terms of the contract, the approval of a subordinate's request for funding of a project, confirmation that a signer has read and reviewed the contents of a memo, an indication that the signer was the author of a document, or merely that the contents of a document have been shown to the signer and that he or she has had an opportunity to review them 2. Purposes and Functions of Digital signature In addition to evidencing a person's intent, a signature can also serve two secondary purposes rst,a signature may be used to identify the person signing Second, a signature may serve as some evidence of the integrity of a document, such as when parties sign a lengthy contract or final page and also initial all preceding pages to guard against alterations in the integrity of the document through a substitution of pages For electronic transactions, these secondary signature functions of identity and integrity can be key. Especially to the extent that we automate electronic transactions, and conduct them over significant distances using easily altered digital technology, the need for a way to ensure the identity of the sender and the integrity of the document becomes pivotal Unlike the world of paper-based commerce, where the requirement of a signed writing most frequently serves the function of showing that an already identified person made a particular promise, in the e-commerce world, a requirement of an authenticated electronic message serves not only this function, but the more fundamental function of identifying the person making the promise contained in the message in the first place. This additional function is critical in e-commerce because there are few other methods of establishing the source of an electronic Thus, while handwritten signatures in most cases serve merely to indicate the signers intent, signatures in an electronic environment typically serve three critical purposes for the parties engaged in an e-commerce transaction -i.e, to identify the sender, to indicate the senders intent (e. g, to be bound by the terms of a contract), and to ensure the integrity of the document signed 12.5.2 The Fundamental Legal Issues Raised by E-Commerce Three fundamental legal issues arise when parties to a transaction use electronic records to replace paper, employ an electronic medium as the mode of communication, and use electronic signatures to authenticate their transactions (1) Is it legal? Both federal and state law contain many requirements that transactions be documented in"writing"and be"signed. Many are concerned that this requires ink on paper and, thus, that electronic communications do not meet appropriate legal requirements for writing and signature and will not be enforceable (2) Can I trust the message? Recipients of electronic messages must have some basis for trusting the message(from a legal perspective), so that they can act in reliance upon the message, often in real time, and without the need for out-of-band verification. Achieving the key goals of e-commerce(including speed, efficiency, and economy) requires that recipients of electronic messages be willing to act in reliance on messages received(e.g, ship product, transfer funds, enter into binding contractual commitments, change position in reliance on messages), and to do so promptly and in many cases automatically. Yet, the indicia of reliability that usually accompany paper-based communications(such as a paper document signed with ink signatures and delivered by trusted third parties such as the U.s. Postal Service)are missing in electronic transactions. moreover. the ease with which digital documents can be altered without detection increases the risk of fraud for electronic transaction (3) What are the rules of conduct? As with all legal transactions, the parties should know the rules of the game. For example, what is the liability of a certification authority or
electronic signature that has generated the most business and technical efforts, as well as legislative responses. A signature, whether electronic or on paper, is first and foremost a symbol that signifies intent. Thus, the definition of “signed” in the Uniform Commercial Code includes “any symbol” so long as it is “executed or adopted by a party with present intention to authenticate writing.” The primary focus, of course, is on the “intention to authenticate,” which distinguishes a signature from an autograph. Yet, the nature of that intent will vary with the transaction, and in most cases can be determined only by looking at the context in which the signature was made. A signature may, for example, signify an intent to be bound to the terms of the contract, the approval of a subordinate’s request for funding of a project, confirmation that a signer has read and reviewed the contents of a memo, an indication that the signer was the author of a document, or merely that the contents of a document have been shown to the signer and that he or she has had an opportunity to review them. 2. Purposes and Functions of Digital signature In addition to evidencing a person’s intent, a signature can also serve two secondary purposes. First, a signature may be used to identify the person signing. Second, a signature may serve as some evidence of the integrity of a document, such as when parties sign a lengthy contract on the final page and also initial all preceding pages to guard against alterations in the integrity of the document through a substitution of pages. For electronic transactions, these secondary signature functions of identity and integrity can be key. Especially to the extent that we automate electronic transactions, and conduct them over significant distances using easily altered digital technology, the need for a way to ensure the identity of the sender and the integrity of the document becomes pivotal: Unlike the world of paper-based commerce, where the requirement of a signed writing most frequently serves the function of showing that an already identified person made a particular promise, in the e-commerce world, a requirement of an authenticated electronic message serves not only this function, but the more fundamental function of identifying the person making the promise contained in the message in the first place. This additional function is critical in e-commerce because there are few other methods of establishing the source of an electronic message. Thus, while handwritten signatures in most cases serve merely to indicate the signer’s intent, signatures in an electronic environment typically serve three critical purposes for the parties engaged in an e-commerce transaction – i.e., to identify the sender, to indicate the sender’s intent (e.g., to be bound by the terms of a contract), and to ensure the integrity of the document signed. 12.5.2 The Fundamental Legal Issues Raised by E-Commerce Three fundamental legal issues arise when parties to a transaction use electronic records to replace paper, employ an electronic medium as the mode of communication, and use electronic signatures to authenticate their transactions: (1) Is it legal? Both federal and state law contain many requirements that transactions be documented in “writing” and be “signed.” Many are concerned that this requires ink on paper and, thus, that electronic communications do not meet appropriate legal requirements for writing and signature and will not be enforceable. (2) Can I trust the message? Recipients of electronic messages must have some basis for trusting the message (from a legal perspective), so that they can act in reliance upon the message, often in real time, and without the need for out-of-band verification. Achieving the key goals of e-commerce (including speed, efficiency, and economy) requires that recipients of electronic messages be willing to act in reliance on messages received (e.g., ship product, transfer funds, enter into binding contractual commitments, change position in reliance on messages), and to do so promptly and in many cases automatically. Yet, the indicia of reliability that usually accompany paper-based communications (such as a paper document signed with ink signatures and delivered by trusted third parties such as the U.S. Postal Service) are missing in electronic transactions. Moreover, the ease with which digital documents can be altered without detection increases the risk of fraud for electronic transactions. (3) What are the rules of conduct? As with all legal transactions, the parties should know the rules of the game. For example, what is the liability of a certification authority or a
trusted third party for inaccurate identification? What is the liability of the signer of a message who loses the private key or other signature device used to create the message? What is required for cross-border recognition of electronic messages? The most difficult question of all is what role, if any, electronic signature legislation should lay in addressing such legal issues References 1. Eric Steven Raymond. How to Become A Hacker. Internet 2nttp://www.catb.org/-esr/faqs/hacker-howto.html#twhatis 2. Fergal Gallagher, Fergal Maher, Eoin Roche, Rob Ryan, lan Wright, Viruses/Hackers, Internet http:/ntrg.cs.tcdie/undergrad/4ba2.02/infowar/hack.html 3. Network Security Resources and reporting problems, School of Sciences, Stanford University, Internet:http://lpangea.stanford.edu/computerinfo/resources/network/securitv/index.html 4. Tim Triplett, The legal risks of e-commerce, New Steel, May 2004 eelcomn00ONM0005 13 htm 5. Thomas J Smedinghoff, Electronic Signature Legislation as a Vehicle for Advancing E-Cor 6. Robert Shuster, Network Management: Security ternet:http://www.findarticles.com/n/articles/mimocMn/iS1238/ai81389640
trusted third party for inaccurate identification? What is the liability of the signer of a message who loses the private key or other signature device used to create the message? What is required for cross-border recognition of electronic messages? The most difficult question of all is what role, if any, electronic signature legislation should play in addressing such legal issues. References 1. Eric Steven Raymond, How to Become A Hacker, Internet: http://www.catb.org/~esr/faqs/hacker-howto.html#what_is 2. Fergal Gallagher, Fergal Maher, Eoin Roche, Rob Ryan, Ian Wright, Viruses/Hackers,Internet: http://ntrg.cs.tcd.ie/undergrad/4ba2.02/infowar/hack.html 3. Network Security Resources and Reporting Problems, School of Sciences, Stanford University, Internet: http://pangea.stanford.edu/computerinfo/resources/network/security/index.html 4. Tim Triplett, The legal risks of e-commerce, New Steel, May 2004 Internet: http://www.newsteel.com/2000/NW000513.htm 5. Thomas J. Smedinghoff, Electronic Signature Legislation as a Vehicle for Advancing E-Commerce, 6. Robert Shuster, Network Management: Security, Internet: http://www.findarticles.com/p/articles/mi_m0CMN/is_12_38/ai_81389640
