Autor: denver_d 11 December 2009
Words: 2493 | Pages: 10
Running Head: SECURITY ISSUES OF SMALL E-COMMERCE WEBSITES
E-commerce Website Security Issues
March 26, 2008
The research topic I have chosen for this CIS666 final paper is focused on recognition and evaluation of e-commerce website security issues for a small company that lacks the technical and human resources to fully cover all aspects of running a website. How can a small company protect its e-commerce website against all the security threats endangering companyÐ²Ð‚â„¢s assets and operations? With the list of security issues I covered in this paper, my recommendation is, that a small company with limited resources should outsource running of its e-commerce website to a credible web-hosting company with enough IT resources to better deal with common security issues.
Any company trying to get in any business should conduct an extensive research of its ability to succeed in the increasingly challenging environment, thoroughly evaluating its situation, business opportunities, challenges and risks, carefully weighting all of its options before deciding how to implement its business plan. The same applies to a company that wants to successfully launch an e-commerce website. A detail research and solid planning will significantly affect the outcome. While there are many challenges of building an e-commerce website, I would like to focus only on one, but major aspect of running an e-commerce website, and that is: security. Security is one of the most important issues that must be resolved to ensure the success of e-commerce. With so many well publicized security failures that often embarrass even sizable companies, small businesses must seriously question if they will ever be able to completely defend their websites, when even some big companies occasionally fail to defend themselves against all the security threats awaiting on the Internet to be tested by hackers and scammers and possibly risking all their business future. Of course, to reach the global markets and more customers, even a small company will have to implement an e-commerce website, but the question each small company should be asking is: should the website be developed and run in-house, or should it be outsourced? And one of the most important decision-making arguments should be the level of security needed. Will a small company be able to defend its e-commerce website, its hardware, software, data, and protect its customers against system failures, hackers, fraught and data theft? To answer these questions, I would like to cover in this paper several major e-commerce security issues that have to be considered, before making a final decision about an in-house development and in-house implementation of the website, or outsourcing either the development or running of the website, or some combination of the two options.
I would like to start with some statistic provided by the U.S Department of Labor: Forty percent of businesses never reopen after catastrophic data loss. Fifty percent of all businesses will fail within three years if they cannot recover lost data within 24 hours. Ninety-three percent of businesses fail if data is lost for ten days or more. Over forty percent of small businesses experience challenges when it comes to data backup. (U. S. Department of Labor Ð²Ð‚â€œ Information Security, 2008). Protecting business data is crucial, and the recent statistics support the sense of urgency. Every company should have a disaster recovery plan that covers not only natural disasters like earthquake, flooding, hurricane, tornado, and other weather-related disasters, but also man-made disasters like fire, loss of power, hardware failure and loss of data, including a cyber-attack, and even a terrorist attack. Any potential risk should be addressed, evaluated for the magnitude of the harm, and a proper response should be developed. While the companyÐ²Ð‚â„¢s data might be the most valuable assets, the proper response needs to be developed also for any major systems and their software, hardware, and networking components, including backup personnel sufficiently capable of operating these systems. That might require additional staffing, extra training and also opening access to the systems to more people and that creates additional security issues. A critical hardware must be duplicated, periodically tested and updated to insure continuous operations. The best practice is to have at least two geographical locations to prevent a disruption of operations due to a local disaster. The same applies for data. There must be a sufficient data backup that is occasionally tested for consistency and there should be several geographical locations for back-up data storage, but easy and fast access in case of emergency. And that in turn creates again some additional security issues, because the back-up data must be as secure as the original data to insure full data security.
Successful security plans include evaluation of data sensitivity, integrity, confidentiality, and date availability. System confidentiality assures that all data in the system is protected from disclosure to unauthorized processes, people, or devices. System integrity insures that companyÐ²Ð‚â„¢s data is protected from unanticipated/unauthorized, or unintentional destruction (or modification). System availability provides assurance that data, services, and IT system resources are accessible to all system-related processes and authorized users on a reliable and timely basis, while protected from denial of service (Assessing the Security of Federal IT Systems, 2007).
Creating disaster recovery plans is very challenging and time-consuming task, given the fact that the Internet environment is constantly evolving, so even a great security plan might get outdated fast, if no one is constantly watching for new developments, recent trends and new security threats. Quick developments of proper responses to those changes and constant re-evaluation of the plans is crucial for the un-interrupted business operations. While the big companies have dedicated IT staff just for this purpose, it might prove to be very challenging task for a small business with limited resources (financial and staffing) to promptly response to any emerging security threat.
Another major security issue to be addressed by the e-commerce website owners is privacy protection. A privacy protection is a personal and fundamental right of companyÐ²Ð‚â„¢s customers and employees as well as a requirement of law. Among the most basic of customers and employeesÐ²Ð‚â„¢ rights is an expectation that their company will protect the confidentiality of personal and financial information. (U. S. Department of Labor Ð²Ð‚â€œ Information Security, 2008). Any e-commerce website transmits and processes large amounts of data, including customer personal information and companyÐ²Ð‚â„¢s proprietary information. This presents a very challenging aspect of the e-commerce security. The crucial data still needs to be securely transmitted and securely stored, while hackers relentlessly target both processes. The level of hackerÐ²Ð‚â„¢s successes depends on the level of security awareness and readiness of the e-commerce companies. But even some well prepared and secured e-commerce businesses might fall a victim of a brand-new-idea attack. It is unlikely that this kind of a unique attack would be mounted on a small business website, as hackers take a pride in successfully attacking a well-known business. Nevertheless it could happen simultaneously, and then even a small company is in a risk. But small e-commerce websites are much more vulnerable to older, but previously successful attack schemes, as the discovered vulnerability gets exploited by a wider community of hackers, who gladly share their discoveries and hacking Ð²Ð‚?successesÐ²Ð‚â„¢. As the new attack schema spreads among hackers, the e-commerce community has to act quickly to develop a defense. While the dedicated IT security staff at big companies is notified almost immediately, it often takes too much time to disseminate the threat details to the smaller companies, so some of them will actually notice the attack, when the harm is already done. Compromising company data might cause a fatal blow to a small company, even if the attack does not directly disrupt operations. Many states now require companies that had their customer/personal data accessed without authorization (=hacked) to notify every potential victim, which usually results in a major loss of customer loyalty, possibly in expensive lawsuits and consequently in seizing operations due to unrecoverable losses. Especially small businesses are severally affected by this, because they usually do not have enough reserves to weather this kind of event. There are some insurance companies offering insurance against these events, but that again can prove costly solution for many of those low-margin (and no-reserves) small businesses.
There are many known techniques how to obtain private data illegally. One of the most popular and constantly evolving technique is to infiltrate a website with a malware (a malicious code, like viruses, worms, Trojan horses, zombies, applets, ActiveX and other harmful scripts) in order to spread it though a network, and then disrupt operations or retrieve sensitive information. Another popular way of hacking is exploiting known and unknown operating systems vulnerabilities as well as exploiting other business-software security holes. MicrosoftÐ²Ð‚â„¢s patches often inform hackers about new security holes, so they can mount an attack on websites that did not fully update/patch their operating systems yet. Social engineering (=Ð²Ð‚â„¢con-artistsÐ²Ð‚â„¢ calling company, asking for secure information) and dumpster diving methods of retrieving secure data are preventable, yet some hackers are still successful with these low-tech exploits. MicrosoftÐ²Ð‚â„¢s operation systems have many basic services (i.e.: Messenger) that could be easily exploited to retrieve private data, so it is better to turn those often-unnecessary services off.
And then there are two communication security threats possibly resulting in capturing private data. The first one is a secrecy threat and its main example Ð²Ð‚â€œ sniffing programs.
Network sniffing is more sophisticated way to capture data sent electronically, but data encryption via HTTPS protocol (implementing SSL - Secure Sockets Layer) is a powerful tool to prevent that. Exploiting backdoors left by software developers (intentionally or unintentionally) is another example of a secrecy threat. The other communication security threat is an integrity threat, and its prime examples: spoofing and phishing. Both of them alter data or messages, and with use of spam they can pretend to be valid messages (emails) from some well-known e-commerce website, luring customers to some other (fake) website to and asking them to reveal personal info that is then illegally used.
One more communication security threat is a necessity threat. Denial of Service attack (DoS) and Distributed Denial of Service attack (DDoS) are main examples of the necessity threat. During DoS attack hackers flood a selected web-server with so many messages that the regular website visitors cannot get any response. This attack is often done though Ð²Ð‚?zombie-PCsÐ²Ð‚â„¢ (= hijacked PCs), so it is very intense, but difficult to find the hacker behind it. The attacked web-server eventually crashes. Mail bomb is a similar attach on email servers that are flooded by emails from zombie-PCs until they crash. Another way for hackers to attempt to crash a web-server is a buffer overflow attack that increasingly uses system memory to eventually take all resources available, so the server crashes.
There are many security tools that provide efficient on-line security protection, especially when properly deployed, periodically upgraded, and maintained. The most important ones are listed here: firewalls, Virtual Private Network (VPN), data encryption, Intrusion Detection System (IDS), Anti-virus and Anti-spyware programs, network monitoring, vulnerability scanning, power and data backups, and many others. But these tools must be used it combination to have a full protection effect and that might prove challenging for a small business without 24/7 IT staffing and with limited resources to buy the best security technologies possible and keeping them updated/upgraded.
I have covered many security issues already, but there are definitely more security challenges for the small e-commerce websites. It might seem almost impossible for a small company to be fully prepared for all the security threats the World Wide Web presents. With just a small staff and probably just one IT person, it would be probably just a matter of time before the website is attacked by hackers, or faces some serious issues. And the amount of money needed to prevent a disaster would be probably prohibitive. So, how could a small company have its web presence without risking losing its business to hackers? Well, one convenient way to limit negative effects of many of the security threats mentioned above is to use application service providers (ASPs) for hosting e-commerce sites. This is especially viable solution among small companies that might suffer terminal consequences if their systems are compromised. The application service providers will not only host an e-commerce website with a high level of security, they might also offer their security expertise to build or customize a secure e-commerce website, or its major parts, like databases, shopping card, and payment transactions. Some of the security flaws are exploited when 3rd party developers turn over systems to a company with no liability for the open holes that they leave. It is then the e-business ownerÐ²Ð‚â„¢s liability to be responsible for any financial and other damages caused by a successful attack. Therefore it would be wise to let the application service provider also to build the website, so it could be easily updated by the provider any time. It is crucial to select a reputable company for developing and web-hosting purposes, because some security holes and backdoors might be left by the developers intentionally, resulting in compromised data Ð²Ð‚â€œ as an inside job. A reputable company will charge a reasonable price for its services, hopefully staying in business for a long time, so the small companies do not have to worry about contingency plans for their e-commerce businesses, in case of a sudden closure or bankruptcy of the web-hosting provider.
While outsourcing of the e-commerce website operations presents some minor challenges too, I believe it is much better option for the small companies, because running the websites Ð²Ð‚Ñšin-houseÐ²Ð‚Ñœ would poses even more security dangers, and the eventual failure would be almost imminent. With so many on-line security threats it is almost impossible for those small companies to successfully protect their e-commerce websites by just their own in-house IT resources. It would be very irresponsible from the company to expose its users/customers to all of those on-line security threats, because the cyber-attack would eventually occur, probably with disastrous consequences. Therefore I would definitely recommend to any small company to pay a reasonable monthly fee for the professional security services of a reputable application service provider that has enough IT staff and expertise to defend the e-commerce websites it is hosting against all the negative elements of the Internet, especially the hacking community out there. While the cost of the e-commerce services might add up for a small company, I truly believe it will pay for itself in increased security and better customer protection, resulting in continuous operations and more satisfied customers.
Assessing the Security of Federal IT Systems. (n. d.). Retrieved December 28, 2007, from
Beasley, Jeffery. (2004). Networking. New Jersey: Pearson Education, Inc.
IT Security at MIT. (n. d.). Retrieved February 4, 2008, from
IT Security Cookbook. (n. d.). Retrieved January 23, 2008, from
Schneider, Gary. (2007). Electronic Commerce. (7th ed.). Boston: Thomson Course Technology.
U. S. Department of Labor Ð²Ð‚â€œ Information Security. (n. d.). Retrieved February 4, 2008, from
USDA - Annual Security Plans for IT Systems. (n. d.). Retrieved January 23, 2008, from