Security is a principal concern of e-business managers, and the core of that concern is the security of information (both data about customers and internal company data about logistics, finance, accounting, marketing and employees).

To be an e-business, an organization must operate mainly online and therefore needs a website. A website depends on the Internet, which brings security risks of its own. Below are the top Internet security risks and some solutions:

1. Validation of input and output data

All data used by websites (from users, other servers, other websites and internal systems) must be validated for type (e.g. numeric, string, date), length (e.g. 500 characters maximum), syntax (e.g. product codes begin with 3 letters and are followed by 7 digits) and business rules (e.g. computers can only cost between £100 and £2,000, an order can contain at most 10 items). Data written as output (displayed) must be safe to view in a browser, e-mail client or other software, and the integrity of any data that are returned must be checked.
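As an added example (not part of the original text), the following Python enforces the type, length, syntax and business rules listed above in one place, before any data reaches the database or internal systems, and escapes user text for safe display in a browser. The form field names (note, price, items) and the assumption that one order form carries a free-text note, a computer price and a list of product codes are constructed for illustration.

```python
import html
import re
from decimal import Decimal, InvalidOperation

# Constructed constants encoding the rules quoted in the text above.
PRODUCT_CODE = re.compile(r"^[A-Za-z]{3}[0-9]{7}$")   # syntax: 3 letters + 7 digits
MAX_LENGTH = 500                                      # length: 500 characters maximum
PRICE_MIN, PRICE_MAX = Decimal("100"), Decimal("2000")  # business rule: computer price band (GBP)
MAX_ORDER_ITEMS = 10                                  # business rule: at most 10 items per order


def validate_order(form: dict) -> list:
    """Check one submitted order (a dict, as a web framework would hand it over).

    Every field is checked for type, length, syntax and business rules before
    anything downstream (database, internal systems) sees it. Returns a list of
    error strings; an empty list means the order is acceptable.
    """
    errors = []

    # Type and length: the free-text customer note is a string of at most 500 chars.
    note = form.get("note", "")
    if not isinstance(note, str):
        errors.append("note: must be a string")
    elif len(note) > MAX_LENGTH:
        errors.append(f"note: longer than {MAX_LENGTH} characters")

    # Type and business rule: price must be numeric and inside the allowed band.
    try:
        price = Decimal(str(form.get("price", "")))
        if not PRICE_MIN <= price <= PRICE_MAX:
            errors.append(f"price: must be between {PRICE_MIN} and {PRICE_MAX}")
    except InvalidOperation:   # raised for non-numeric text and for NaN comparisons
        errors.append("price: not numeric")

    # Syntax and business rule: each item is a well-formed product code, max 10 items.
    items = form.get("items", [])
    if not isinstance(items, list):
        errors.append("items: must be a list")
    else:
        if len(items) > MAX_ORDER_ITEMS:
            errors.append(f"items: more than {MAX_ORDER_ITEMS} items")
        for code in items:
            if not isinstance(code, str) or not PRODUCT_CODE.fullmatch(code):
                errors.append(f"items: invalid product code {code!r}")
    return errors


def render_note(note: str) -> str:
    """Output validation: escape user text so it is safe to display in a browser."""
    return html.escape(note, quote=True)
```

Rejecting the whole submission on any error, rather than silently trimming or correcting fields, keeps the stored data consistent with the rules the business actually set.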
SEO spamming is a common problem for website owners: disreputable companies use scripts to automatically add links to their sites through comment forms on blogs, forums and social networks, for search engine optimization purposes. To combat this, a CAPTCHA system such as reCAPTCHA (www.recaptcha.net) is required. CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. It requires a person submitting a web form, such as a comment, to enter the letters or numbers shown in an image, to validate that they are a genuine user.

2. Direct data access

If data exist, they can potentially be viewed or extracted. It is important to avoid storing data that you do not need on the website and its database(s) – for example, some data relating to payment cards should never be stored. Poorly developed systems may allow access to data through SQL injection, insufficient input and output data validation (see No 1 above) or poor system security.

3. Data poisoning

If users can modify or delete data inappropriately and these data are then used to update your internal systems, business information is lost. This can be hard to detect, so it is important that the business rules are examined and enforced to validate data changes and ensure poisoning is not occurring. Moreover, if poisoning is not detected until well after it has occurred, it may be impossible to recover the original data.

4. Malicious file execution

Uploaded files or other data feeds may not be what they seem. Never allow user-supplied input to be used in any file name or path (e.g. URLs or file system references). Uploaded files may also contain a malicious payload, so they should not be stored in web-accessible locations. Note that Google will automatically flag some sites that contain malware within its search results listings. Malware such as key loggers is also a significant problem for infection of end-user computers; it is often delivered as trojan e-mail attachments.

5. Authentication and session management

Websites rely on identifying users to grant access permissions to data and functions. If authentication (verification of identity, registration and logging in), authorization (granting access rights) or session management (keeping track of the identity of a logged-in user while they browse a website) can be circumvented or altered, a user could access resources they are not permitted to. Pay particular attention to how password reminders, remember-me, change-password, log-out and account-update functions are handled and how session tokens are used, and always place log-in forms on dedicated and encrypted (SSL) pages.

6. Denial of service

A denial-of-service attack, in its common distributed form (a distributed denial-of-service or DDoS attack), involves a hacker group taking control of many “zombie” computers attached to the Internet whose security has been compromised. This “botnet” is then used to make many requests to a target server, overloading it and preventing access for legitimate visitors.