International Journal of Computer Engineering and Technology (IJCET)
ISSN 0976-6367 (Print), ISSN 0976-6375 (Online)
Volume 4, Issue 6, November - December (2013), pp. 175-180
© IAEME: www.iaeme.com/ijcet.asp
Journal Impact Factor (2013): 6.1302 (Calculated by GISI)
www.jifactor.com

E-BUSINESS TRANSACTION SECURITY: CHANGING TRENDS IN DATABASE SECURITY - CRITICAL REVIEW

Anuradha Sharma
Dept. of Computer Science, Amity University, Lucknow campus

Dr. Puneet Mishra
Asst. Prof., Dept. of Computer Science, Lucknow University, Lucknow
ABSTRACT
Electronic business has grown by leaps and bounds with the popularity of the internet, and that popularity has in turn grown with the services provided by ISP companies. As e-business grows, so does the problem of data breaches. To breach a system, a hacker needs only an internet connection and a careless worker or administrator; with those, the hacker can gain access to gigabytes of information using his own laptop. Such hacking incidents result in the theft of personal information held in the database. This paper is a review showing that the greatest losses to an individual or an organization result from breaches of, mainly, confidentiality, integrity and availability.
Keywords: Confidentiality, Integrity, Availability.
I. INTRODUCTION
E-business, or electronic business, is not limited to buying and selling goods over the internet. E-business includes using the internet to provide better customer service, streamline business processes, increase sales and reduce the cost of the business for the customer as well as for the organization. IBM first used the term e-business in October 1977.
A transaction simply means an instance of buying or selling something. In a database management system, a transaction is a unit of work performed against a database which is, in general, independent of other transactions. The transaction has to complete in its entirety in order for the database changes to become permanent: it should be atomic, consistent, isolated and durable.
Transactions in e-business have three major constituents, viz. the client computer, the communication medium, and the web and commerce servers. Security can be penetrated at any of the three. There are also three parties involved in transactions over the internet, viz. the client, the merchant and the transmission medium (the internet) [8].
E-business has not grown to its full potential despite its wide use and opportunities; one of the most important obstacles is the lack of adequate security measures as well as the difficulty of specifying adequate security requirements. An abundance of research on security in e-business can be found in the literature [10]. As a starting reference, we suggest the final report of the SEMPER (Secure Electronic Market Place for Europe) project.
Database security breaches are not new to the internet world. Many breaches happen daily around the world, and the count keeps increasing. Some are very small and some are huge. Huge security breaches result in great loss of data, and small ones cause some loss, but not to a great extent. E-commerce activities are hampered by security breaches. Organizations spend millions of dollars on security appliances to make online transactions more secure. Even so, a new virus (a clever computer program) or a clever hacker can easily compromise these deterrents and cause losses of millions of dollars annually [1].
Security breaches can be categorized as unauthorized data observation, incorrect data modification, and data unavailability [2]. Disclosure of information to users not entitled to it is unauthorized data observation; it results in heavy losses, both financial and human, for commercial as well as social organizations. Incorrect data modification, whether intentional or unintentional, results in an incorrect database state, and use of this incorrect database results in heavy losses for the organization. Data unavailability means that information crucial to the proper functioning of the organization is not available when needed [2]. The Ponemon Institute's research report The Human Factor in Data Protection focuses on how employees and other insiders can put the sensitive and confidential information of organizations at risk [3].
II. SECURITY GOALS
The term security can have different meanings in different aspects of life. In terms of computers, security can be summarized as confidentiality, integrity and availability.
1. Confidentiality: Confidentiality means preventing unauthorized disclosure of information. Confidentiality is sometimes called secrecy or privacy. It means that only a person who has been given access to something is able to access it. This access can be a reading, writing or even printing permission [4].
2. Integrity: Integrity refers to the trustworthiness of data or resources, and to preventing improper or unauthorized changes. As [4] notes, Welke and Mayfield recognize three particular aspects of integrity: authorized action, separation and protection of resources, and error detection and correction [5][6]. Integrity can be enforced for e-business in the same manner as confidentiality, i.e. by controlling who or what can access which resources in which manner [4].
3. Availability: Availability is the ability to use the information or resource desired. It applies to both data and services. Expectations of availability are very high, and the security community is just beginning to understand what availability is and how to ensure it.
4. Accountability: If the accountability of a system is guaranteed, the participants in a communication activity can be sure that their communication partner is the one he or she claims to be. Thus, the communication partners can be held accountable for their actions [10][12].
Confidentiality and integrity can be preserved by a single access control point, but it is not clear whether such a point can enforce availability [4].
Studies by Gartner Research point out that, due to online fraud, 33% of online shoppers are buying fewer items. Similarly, according to studies by TRUSTe, 40% of consumers avoid buying from small online retailers due to identity theft concerns.
The Gartner report adds that, during the period May 2004 to May 2005, about 73 million consumers received phishing attacks through e-mail, of whom 2.4 million users reported losing money. Companies up in arms after being targeted include PayPal, eBay, Citizens Bank, Bank of America, MSN, Amazon.com, VISA, Citibank, Lloyds TSB, Yahoo, US Bank, Microsoft and AOL. According to Forrester Research, 0.6 million internet banking customers turned away from online financial transactions due to fear of keystroke logging Trojans and phishing mails.
This clearly reveals that the growth of e-commerce is greatly deterred by malicious activities like hacking, viruses/worms and phishing attacks [1].
III. LOSSES CAUSED DUE TO VARIOUS TYPES OF BREACHES
Some hackers are involved in planting worms and viruses to interrupt business operations; others are after more profit in less time. Some ways hackers can profit from breaching an organization's security and obtaining confidential content are identity theft, selling sensitive technical or financial information to competitors, abusing customers' confidential data, and misusing the organization's name or product brands [7].
The following major breaches occurred in the years 2009 and 2010.
As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary [9]. The following breaches, listed in Table 1 and Table 2, have been reported to the Secretary:
Table 1: Breaches of Health Information in the year 2009

Country | State                      | Approx. # affected | Date of breach | Type of Breach
U.S.A   | Missouri                   | 1,000              | 9/22/09        | Theft
U.S.A   | California                 | 610                | 9/22/09        | Phishing Scam
U.S.A   | Torrance, California       | 952                | 9/27/09        | Theft, Unauthorized Access
U.S.A   | Torrance, California       | 857                | 9/27/09        | Theft, Unauthorized Access
U.S.A   | Torrance, California       | 5,257              | 9/27/09        | Theft, Unauthorized Access
U.S.A   | Torrance, California       | 5,166              | 9/27/09        | Theft, Unauthorized Access
U.S.A   | Torrance, California       | 6,145              | 9/27/09        | Theft, Unauthorized Access
U.S.A   | California                 | 5,900              | 9/27/09        | Theft
U.S.A   | Texas                      | 1,430              | 9/30/09        | Loss, Improper Disposal
U.S.A   | Tennessee                  | 998,442            | 10/02/09       | Theft
U.S.A   | District of Columbia       | 15,000             | 10/07/09       | Unauthorized Access
U.S.A   | District of Columbia       | 3,800              | 10/09/09       | Loss
U.S.A   | Tennessee                  | 6,400              | 10/11/09       | Theft
U.S.A   | Texas                      | 1,000              | 10/16/09       | Theft
U.S.A   | Kentucky                   | 676                | 10/20/09       | Misdirected E-mail
U.S.A   | Pennsylvania               | 943                | 10/20/09       | Theft
U.S.A   | Michigan                   | 10,000             | 10/22/09       | Theft
U.S.A   | District of Columbia       | 3,400              | 10/26/09       | Unauthorized Access
U.S.A   | Indiana                    | 480,000            | 11/03/09       | Hacking/IT Incident
U.S.A   | Nebraska                   | 800                | 11/11/09       | Theft
U.S.A   | New York                   | 83,000             | 11/12/09       | Incorrect Mailing
U.S.A   | Texas                      | 3,800              | 11/19/09       | Loss
U.S.A   | New York                   | 344,579            | 11/24/09       | Other
U.S.A   | California                 | 7,300              | 11/30/09       | Theft
U.S.A   | California                 | 15,500             | 12/01/09       | Theft
U.S.A   | Wyoming                    | 9,023              | 12/02/09       | Unauthorized Access
U.S.A   | Wilmington, North Carolina | 2,000              | 12/08/09       | Hacking/IT Incident
U.S.A   | Rhode Island               | 528                | 12/11/09       | Unauthorized Access
U.S.A   | Michigan                   | 10,000             | 12/15/09       | Theft
U.S.A   | Arizona                    | 1,101              | 12/15/09       | Theft
U.S.A   | Tennessee                  | 3,900              | 12/23/09       | Other
U.S.A   | Utah                       | 5,700              | 12/27/09       | Theft
Graph 1: Comparison of different data breaches during 2009 (bar chart of approximate individuals affected, y-axis 0 to 1,200,000, for the categories theft, loss, incorrect mail/hacking and others)
Table 2: Breaches of Health Information in the year 2010

Country | State          | Approx. # affected | Date of breach | Type of Breach
U.S.A   | Missouri       | 9,309              | 1/10/10        | Theft
U.S.A   | Illinois       | 1,300              | 1/13/10        | Theft
U.S.A   | California     | 532                | 1/11/10        | Other
U.S.A   | Illinois       | 1,300              | 1/13/10        | Theft
U.S.A   | Texas          | 689                | 1/18/10        | Theft
U.S.A   | Colorado       | 649                | 1/19/10        | Improper Disposal
U.S.A   | Florida        | 568                | 1/19/10        | Loss
U.S.A   | Minnesota      | 16,291             | 1/26/10        | Other
U.S.A   | Florida        | 12,580             | 1/27/10        | Theft
U.S.A   | Florida        | 3,800              | 1/29/10        | Other
U.S.A   | North Carolina | 5,220              | 2/03/10        | Loss
U.S.A   | Connecticut    | 957                | 2/04/10        | Unauthorized Access, Hacking/IT Incident
U.S.A   | Tennessee      | 1,874              | 2/05/10        | Loss
U.S.A   | Texas          | 763                | 2/09/10        | Unauthorized Access
U.S.A   | Washington     | 5,080              | 2/12/10        | Theft
U.S.A   | Connecticut    | 54,165             | 2/18/10        | Theft
U.S.A   | Illinois       | 180,111            | 2/27/10        | Theft
U.S.A   | Florida        | 2,600              | 3/09/10        | Unauthorized Access
U.S.A   | Wisconsin      | 600                | 3/19/10        | Other
U.S.A   | Tennessee      | 10,515             | 3/20/10        | Theft
U.S.A   | New York       | 130,495            | 3/24/10        | Loss
U.S.A   | Ohio           | 60,998             | 3/27/10        | Theft
U.S.A   | California     | 40,000             | 4/02/10        | Theft
U.S.A   | California     | 584                | 4/04/10        | Theft
U.S.A   | Illinois       | 1,000              | 4/12/10        | Theft
U.S.A   | Tennessee      | 1,745              | 4/19/10        | Loss
U.S.A   | Ohio           | 1,001              | 4/22/10        | Other
U.S.A   | New York       | 1,020              | 4/30/10        | Unauthorized Access
U.S.A   | Maryland       | 937                | 5/03/10        | Other
U.S.A   | Kansas         | 1,105              | 5/12/10        | Theft
U.S.A   | Texas          | 600                | 5/29/10        | Theft
U.S.A   | Nevada         | 7,526              | 6/11/10        | Theft
Graph 2: Comparison of different data breaches during 2010 (bar chart of approximate individuals affected, y-axis 0 to 450,000)
The analysis of Table 1 and Table 2 above has been done with the help of Graph 1 and Graph 2 respectively. Based on this analysis of the health sector in the USA during the years 2009 and 2010, it can be concluded that the greatest losses have been caused by breaches which can be broadly categorized under confidentiality, integrity and availability.
Thus, the major objectives of the security of electronic business transactions should be taken to be confidentiality, integrity and availability [12]. There is a great need for security analysts to focus on these three areas of security breaches, viz. confidentiality, integrity and availability.
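As an added example (not part of the paper), the following Python script performs the kind of aggregation behind Graph 1 and Graph 2: it takes rows in the form of Table 1 and Table 2 and totals the individuals affected per breach category. The sample rows are copied from the tables above; the mapping from the HHS breach-type labels to the four bar categories, and the precedence rule for records that list several types (e.g. "Theft, Unauthorized Access"), are the editor's assumptions, not the authors'.

```python
from collections import Counter, defaultdict
# Constructed sample: rows copied from Table 1 and Table 2 of the paper
# (state, approx. individuals affected, date of breach, HHS "Type of Breach").
SAMPLE_ROWS = [
    ("Missouri", 1000, "9/22/09", "Theft"),
    ("California", 610, "9/22/09", "Phishing Scam"),
    ("Torrance, California", 952, "9/27/09", "Theft, Unauthorized Access"),
    ("Texas", 1430, "9/30/09", "Loss, Improper Disposal"),
    ("Tennessee", 998442, "10/02/09", "Theft"),
    ("Kentucky", 676, "10/20/09", "Misdirected E-mail"),
    ("Indiana", 480000, "11/03/09", "Hacking/IT Incident"),
    ("New York", 83000, "11/12/09", "Incorrect Mailing"),
    ("New York", 344579, "11/24/09", "Other"),
    ("Connecticut", 957, "2/04/10", "Unauthorized Access, Hacking/IT Incident"),
]

# The four bar categories of Graph 1, in precedence order: when one HHS record
# lists several breach types, the first matching category wins.
CATEGORIES = ("theft", "loss", "incorrect mail/hacking", "others")

# Editor's assumption: which HHS labels feed which bar. Labels not listed
# (Unauthorized Access, Phishing Scam, Other) fall into "others".
LABEL_TO_CATEGORY = {
    "theft": "theft",
    "loss": "loss",
    "improper disposal": "loss",
    "hacking/it incident": "incorrect mail/hacking",
    "incorrect mailing": "incorrect mail/hacking",
    "misdirected e-mail": "incorrect mail/hacking",
}

def classify(breach_type):
    """Map an HHS 'Type of Breach' value such as 'Theft, Unauthorized Access'
    to a single graph category, picking the highest-precedence match."""
    labels = [part.strip().lower() for part in breach_type.split(",")]
    hits = {LABEL_TO_CATEGORY.get(label, "others") for label in labels}
    return next(category for category in CATEGORIES if category in hits)

def summarize(rows):
    """Return ({category: (individuals affected, incident count)}, grand total)."""
    affected = defaultdict(int)
    incidents = Counter()
    for _state, count, _date, breach_type in rows:
        category = classify(breach_type)
        affected[category] += count
        incidents[category] += 1
    total = sum(affected.values())
    # Sanity check: the bars must add up to the table total (no row dropped or double-counted).
    if total != sum(count for _, count, _, _ in rows):
        raise ValueError("category totals do not match the table total")
    return {c: (affected[c], incidents[c]) for c in CATEGORIES}, total

if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
```

Running it over the full 32 rows of Table 1 instead of the sample reproduces the ordering of the bars in Graph 1, with the single 998,442-record theft dominating the total.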
IV. CONCLUSION AND FUTURE SCOPE
With the growing usage of the internet, there is always a threat to our valuable data. A lot of people are affected whenever such data breaches occur. From the study done in this paper, with data analyzed for the years 2009 and 2010, it can be concluded that most of the breaches in the above data can be broadly categorized as falling under confidentiality, integrity and availability. Thus, a lot of work needs to be done to secure against these types of breaches.
The above analysis has been done on the health sector data of the USA. Similar attacks occur in the case of electronic business. Thus, based on the conclusion of the above analysis, we can say that in the case of electronic business also, security breaches can be broadly categorized as confidentiality, integrity and availability. There can be many more types of breaches, such as accountability, but for our further study we will focus on the three categories mentioned above. With the help of this study, we can develop a framework for the various categories of electronic business and the types of breaches that can attack their data. The framework can be used to define the possible threats for the various categories of e-business. Based on the possible threats, a security measure can be further developed that can help the parties involved in electronic business. These parties are the clients and the merchants, which are directly involved in the electronic business. With the help of the security measure, the database of the electronic business can be secured.
V. REFERENCES
[1] A. Mukhopadhyay et al., "Insuring Big Losses to Security Breaches Through Insurance: A Business Model", Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07), 0-7695-2755-8/07, © 2007 IEEE.
[2] Elisa Bertino, Ravi Sandhu, "Database Security - Concepts, Approaches and Challenges", IEEE Transactions on Dependable and Secure Computing, Vol. 2, No. 1, January-March 2005.
[3] Ponemon Institute Research Report, "The Human Factor in Data Protection", January 2012.
[4] Charles P. Pfleeger, Shari Lawrence Pfleeger, Deven N. Shah, "Security in Computing", pp. 7-11, Pearson Prentice Hall, 2009, ISBN 978-81-317-2725-6.
[5] Mayfield, T., et al., "Integrity in Automated Information Systems", C Technical Report, 79-91, Sep. 1991.
[6] Welke, S., et al., "A Taxonomy of Integrity Models, Implementations, and Mechanisms", Proc. National Computer Security Conf., 1990, pp. 541-551.
[7] White paper, "Data Leakage Worldwide: The High Cost of Insider Threats", Cisco Systems, Inc., 2008.
[8] Anuradha Sharma, Puneet Mishra, "Security requirements for e-business applications", Proceedings of TIMES-2013, Alwar, 2013.
[9] U.S. Department of Health and Human Services, "Breaches affecting 500 or more individuals", available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.
[10] Konstantin Knorr, Susanne Röhrig, "Security requirements of e-business processes", Volume 202 of IFIP Conference Proceedings, pp. 73-86, Kluwer, 2001.
[11] Lacoste, G.; Pfitzmann, B.; Steiner, M.; Waidner, M. (eds.), "SEMPER - Secure Electronic Marketplace for Europe", LNCS 1854, Springer, 2000.
[12] Knorr, Konstantin; Röhrig, Susanne, "Security of electronic business applications - Structure and Quantification", in: Proceedings of the 1st International Conference on Electronic Commerce and Web Technologies, EC-Web 2000, Greenwich, UK, Sep. 2000, pp. 25-37.
[13] Randy C. Marchany, Joseph G. Tront, "E-Commerce Security Issues", Proceedings of the 35th Hawaii International Conference on System Sciences, 2002.
[14] Singh, M. P., "Introduction to web semantics", The Practical Handbook of Internet Computing, pp. 29-1 to 29-13, Chapman & Hall/CRC, 2005.
[15] Zwass, Vladimir, "E-Commerce: Structures and issues", International Journal of Electronic Commerce, 1(1):3-23, 1996.
[16] Matt Bishop, "Introduction to Computer Security", Pearson, 2011, pp. 4-10.
[17] A. Sengupta, C. Mazumdar, M. S. Barik, "E-commerce Security - A Lifecycle Approach", Sadhana, vol. 30, Parts 2&3, April/June 2005, pp. 119-140.
[18] Atul Kahate, "Cryptography and Network Security", TMH, New Delhi, pp. 4-10, 2006.
[19] Singh, M. P., "Introduction to web semantics", The Practical Handbook of Internet Computing, pp. 29-1 to 29-13, Chapman & Hall/CRC, 2005.
[20] O. Sami Saydjari, "Multilevel Security: Reprise", IEEE Security and Privacy, vol. 3, no. 5, 2004.
[21] Vijay Arputharaj J and Dr. R. Manicka Chezian, "Data Mining with Human Genetics to Enhance Gene Based Algorithm and DNA Database Security", International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 3, 2013, pp. 176-181, ISSN Print: 0976-6367, ISSN Online: 0976-6375.
[22] V. Srikanth and Dr. R. Dhanapal, "Ecommerce Online Security and Trust Marks", International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 2, 2012, pp. 238-255, ISSN Print: 0976-6367, ISSN Online: 0976-6375.
[23] Abhishek Pandey, R. M. Tugnayat and A. K. Tiwari, "Data Security Framework for Cloud Computing Networks", International Journal of Computer Engineering & Technology (IJCET), Volume 4, Issue 1, 2013, pp. 178-181, ISSN Print: 0976-6367, ISSN Online: 0976-6375.
[24] M. Karthikeyan, M. Suriya Kumar and Dr. S. Karthikeyan, "A Literature Review on the Data Mining and Information Security", International Journal of Computer Engineering & Technology (IJCET), Volume 3, Issue 1, 2012, pp. 141-146, ISSN Print: 0976-6367, ISSN Online: 0976-6375.