RES300 – 18/04/08 – Proposal Preparation Work

April 17, 2008 at 10:25 pm (Journal)

Hi, today I was asked to prepare a number of questions for the preparation of the proposal, and this is what I came up with :-)

1. Identify and describe at least one area of IT that you are interested in as an area in which you could do research. I am particularly interested in the area that you might choose as the basis of your project next semester.

  • Data security in E-commerce; I have found out so far that E-commerce is basically electronic commerce (using the Internet as a marketplace), and data security can be a number of things, like: monitoring traffic, privacy, firewalls, digital signatures, digital certificates, transmission security, etc.


2. For the area (or one of the areas if you have described more than one) identify and describe at least 3 questions that you think would be interesting to research or investigate.

  • Q1 – How advanced is data security in E-commerce?
  • Q2 – What would be the problems of using data security in E-commerce? Is it hard to set up? What is the cost?
  • Q3 – Why would you use data security in E-commerce?


3. For each of those 3 questions, identify and describe how you might go about finding the answers (in other words what kind of research approach might you use).

  • Q1 – Review the literature on:

a) Data security in the past/now.

b) Comparison of data security benefits/problems.

c) People’s previous work in relation to data security.

  • Q2 – a) Send a survey to businesses.

b) Find research papers relating to the problems associated with data security in E-commerce.

c) Use an Empirical research approach to back the question up with quantitative results.

  • Q3 – a) Ask people from businesses (interview).

b) Use graphs to show the percentage of people who do use data security, the percentage of people who don’t, and the percentage of people who don’t even know that there is data security in E-commerce.


RES300 – 12/04/08 – Interesting E-commerce security

April 12, 2008 at 10:23 am (Journal)

This evening I stumbled upon a website which closely relates to what I am currently researching; it was discussing that there is a new security method in e-commerce called ‘monitoring’.

This is quoted from the site: “Besides controlling access, organizations also need to monitor security events across the enterprise so that suspicious activities can be quickly pinpointed. This is becoming critical as enterprise networks grow rapidly in complexity and strategic importance. New monitoring technology lets organizations consolidate data from all their disparate security sensors—firewalls, anti-virus software, host systems, and routers— and provides a coordinated single image of potential intrusions for effective incident response”. The site where this information was from can be found here:

http://www.ecommerceprogram.com/ecommerce/Ebusiness-Security.asp


RES300 – 01/04/08 – Good references for e-Commerce security

April 1, 2008 at 1:51 am (Journal)

Found some very good references which I will look further into. Here they are:

IDG (2001) Securing the Internet Economy. Holliston, MA: IDG/Infoworks.

Laudon, K. and Traver, C. (2001) E-commerce: Business, Technology, Society. Boston, MA: Addison Wesley.

Percival-Straunik, L.L. (2001) E-Commerce. London: Economist Books.

This interesting article was from:
Groucutt, J & Griseri, P. (2004). References. Mastering e-business. P 87. Published by Palgrave Macmillan : N.Y.


RES300 – 01/04/08 – User identification

April 1, 2008 at 1:46 am (Journal)

An interesting article:

‘There are, however, further and more sophisticated forms of authentication of users. Public key encryption can be used to develop additional protections, such as:

  •  Digital signatures: Each document is processed initially by a special function (called a hash function) to produce material that functions as the signature; this along with the original data is then encrypted in the normal asymmetric way; the recipient then decrypts in the usual way, and also reverses the hashed material; if the de-hashed material mirrors the original message, then there has been no tampering with it since initiation from source; in this way each document has a unique identification.
  • Digital certificates: There are now a number of central authorities, called certificate authorities, that issue certificates that verify the identity of an e-business, including digital signature and other relevant information; these authorities include private organisations such as Verisign, and state bodies such as Post Offices.’

Transmission security

Potentially, there can be many different kinds of signature, many different kinds of certificate structure. Two protocols have been developed that standardise this aspect of security:

  • Secure sockets layer: SSL – also known as TLS or Transport Layer Security – is a standard relating to authentication and certification.
  • Secure Electronic Transaction: SET is a more comprehensive approach to authentication developed to facilitate online credit card transactions; not only does it verify who someone is, it also carries out the other electronic messaging necessary to complete a transaction, such as contacting the credit card company.’

This interesting article was from:
Groucutt, J & Griseri, P. (2004). User identification/Transmission security. Mastering e-business. P 85, 86. Published by Palgrave Macmillan : N.Y.
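
The hash-then-sign flow behind the digital signatures described above, as an added example that is not from the quoted book or this journal: the signer hashes the document and transforms the digest with the private key, and the recipient recovers that digest with the public key and compares it with a hash freshly computed over the received document. The key is a constructed toy RSA key with no padding, and the function names and sample order are assumptions chosen for illustration.

```python
import hashlib

# Constructed demo key built from two well-known Mersenne primes. Toy values:
# real keys use randomly generated primes and a padding scheme such as RSA-PSS.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the signer


def digest_as_int(message: bytes) -> int:
    """Hash the document with SHA-256 and read the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Signer: hash the document, then transform the digest with the private key."""
    return pow(digest_as_int(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Recipient: recover the digest from the signature with the public key and
    compare it with a hash computed over the document as received."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == digest_as_int(message)


def demo() -> dict:
    order = b"order=1001;item=book;amount=25.00"    # constructed sample document
    tampered = b"order=1001;item=book;amount=2.50"  # amount altered in transit
    sig = sign(order)
    return {
        "original_ok": verify(order, sig),
        "tampered_ok": verify(tampered, sig),
        "forged_sig_ok": verify(order, (sig + 1) % N),
    }


if __name__ == "__main__":
    print(demo())
```
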


RES300 – 01/04/08 – Internet data encryption

April 1, 2008 at 1:21 am (Journal)

An interesting article:

Controlling data access 

The prime feature of any violation of security for an e-business is where some unauthorised party reads, and maybe changes, data. One natural way of preventing this happening is to make the transmission medium as secure as possible. Another way is to make the data useless, because it makes no sense to the reader. This is the concept behind encryption, the transformation of data via code or key so that only authorised people can read it.

Box 4.2 Internet data encryption

There are two prime methods of data encryption used with the internet:

Private key (or symmetrical): This is where each party has access to the same key, so that the sender uses this key to codify data before transmission, and the receiver uses the same key to reverse the codification; it is relatively quick but amongst its drawbacks are (a) the potential for one or other party to lose their copy of the key or allow it to be accessed by unauthorised individuals, and (b) the need for e-businesses with large numbers of users and clients to hold vast numbers of such keys.

Public key (or asymmetrical): More popular nowadays (though generally a slower process) involves two different keys; one is a public key that can be used to encrypt the data of a wide range of users, the other is a private key, held only by the e-business, which enables the data to be decrypted. This approach is only possible because certain mathematical functions are non-reversible, but can be further transformed by other functions to yield the original data again; in principle, a hacker with an enormous amount of computing power might be able to retrieve the private key, but as these systems often use keys that are 256 or even 512 bits in length, we are talking years at current computing rates, which clearly makes such an exercise redundant for the purposes of getting quick access to the underbelly of an organisation’s data sets.’

This interesting article was from:
Groucutt, J & Griseri, P. (2004). Controlling data access. Mastering e-business. P 84, 85. Published by Palgrave Macmillan : N.Y.


RES300 – 01/04/08 – e-Commerce Security

April 1, 2008 at 12:56 am (Journal)

Found a couple of interesting articles relating to e-Commerce Security:

‘Types of hacking

  • Access to and theft of data from databases: much of the concern in this area has been with potential loss of financial data, such as bank and credit card account data.
  • Covert monitoring of information: sometimes called ‘sniffing’, this is where a program may be introduced as a virus or Trojan; one common form of this is the email wiretap, where a program simply reads and forwards on internal or external email messages (some of which might contain confidential corporate information, or compromising information about the private lives of senior managers, which then can be used for blackmail purposes, and so on).
  • Identity misrepresentation: sometimes called ‘spoofing’, a hacker may masquerade as a legitimate organisation, for example to induce a supplier to send goods to a new address.
  • Denial of service (often called DoS attacks): perhaps the most dramatic kind of hacking occurs when an organisation is flooded with traffic, so much so that its internal systems crash and the organisation’s e-business operations are offline for a period of time; more and more extensive versions of these are continuing to be developed: distributed DoS attacks use a large number of computers to launch the traffic: a smurf goes one further and induces large numbers of potential users and customers to send verification messages to an organisation; much of all this is likely to be used by hacktivists rather than the professional fraudster.’

This interesting article was from:
Groucutt, J & Griseri, P. (2004). Types of hacking. Mastering e-business. P 81, 82. Published by Palgrave Macmillan : N.Y.


RES300 – 01/04/08 – e-Business?

April 1, 2008 at 12:39 am (Journal)

Found an interesting article today from a new library book in the NMIT library ‘Mastering e-Business’. ‘e-commerce: The online exchange of value, without geographical or time restrictions, between companies and their partners, employees, or customers (Singh et al., 2001).’ ‘e-business: In many ways e-business encompasses the above definition for example, would be the macro factors commonly known as the PESTLE factors. Here, we need to consider the influences of Politics, Economics, Society, Technology, Legal and Environmental. How, for example, will these influence both businesses and customers in the future?’

I thought this article was very interesting as it opened my mind as to what is outside e-Commerce; which is e-Business. e-Business covers a broader range of topics whereas e-Commerce just focuses on the commerce side of things. I think changing e-Commerce to e-Business for my Project in second semester might be a better option.

Here is where the article was from:

Groucutt, J & Griseri, P. (2004). Defining e-business and e-commerce. Mastering e-business. P 19. Published by Palgrave Macmillan : N.Y.
