

Running head: SOLOMON ENTERPRISES: E-COMMERCE BOON & SECURITY MEASURES

Solomon Enterprises: E-Commerce Boon & Security Measures

Manpreet Kaur, Kishan Patel, Nitish Pisal, Vinay Charan Eddu, Kartik Sagar Mamidi & Hitendra Kudikala

University of the Cumberlands, KY

Introduction (Manpreet Kaur)

Solomon Enterprises is an e-commerce company that sells electronic products such as televisions, mobile phones, laptops, DVD players, desktop computers, iPods, iPads, cameras, fans, ovens, washing machines, game consoles, printers and radios. Its products are purchased through an online website.

Solomon Enterprises has 500 employees in five different locations throughout the domestic United States. Its central database and data center are located in West Virginia, with regional offices in Florida, Texas, Arizona, Montana, and Missouri. Customers, clients, and users have access via the Internet from anywhere in the world. The company's disaster recovery site is in Billings, Montana. Solomon Enterprises employees can work remotely or from one of the regional offices.

Companies now sell products all over the world without ever leaving the bounds of their physically secure locations. With this move to a global economy comes an increase in security threats to organizations, individuals and agencies. Information systems carry inherent risks and vulnerabilities to attacks from internal users, external customers, hackers and criminals. Solomon Enterprises generates $200 million in annual revenue through its business model, which makes it a target for hackers and criminals. Organizations must have a robust security program in place to meet these attacks and be proactive in their security stance.

Solomon Enterprises has a VPN that ensures remote connections are encrypted. The central data center has a firewall, and each regional office has its own firewall to monitor traffic and keep unauthorized access out of the facility. The company has also issued devices located within the offices and laptops that can be taken out for remote access. All of these devices run Windows XP and the server runs Windows Server 2003; both operating systems are past end of support and no longer receive security updates from Microsoft.

Therefore, the security policy for Solomon Enterprises needs to identify the administrative, physical, and technical controls that must be in place to identify security risks and to develop mitigation strategies that minimize the effects of those risks.

Administrative Controls (Kishan Patel)

Several measures can be implemented at Solomon Enterprises to establish good administrative control, such as fair and secure hiring practices, background checks, security training, an access control mechanism, work supervision, a policy on disclosing information outside the organization, sound operational activities, customer relationship management and partnerships with external organizations. Background checks give the organization assurance that an employee has no criminal background that could pose a threat to the organization. A background check is done by verifying the candidate's information and contacting the references listed in the application to confirm the candidate's experience. This is good hiring practice because you know in advance whether the employee being hired is the best fit for the position and the business model. At Solomon Enterprises we can create a training platform with modules based on each employee's role. Every employee must complete security and awareness training before the due date; it is mandatory for all. “If the employee has specific information security-related duties, the employee should be formally trained to carry out those duties” (Purcell, 2007). “To reinforce security awareness and training, the training should be carried out on a regular basis” (Purcell, 2007).

According to Purcell (2007), an access control mechanism is an important policy that Solomon Enterprises needs to build in order to govern access to other systems and data within the organization. For example, when an employee is hired, they receive the basic system and data access needed to perform their day-to-day activities. If someone requires additional access, they must submit a request with a detailed description of, and reason for, the access. Every request needs the manager's approval before the access management team can grant it. When an employee submits a request, the authorized personnel who monitor access review it and provide access for the duration stated in the request description. Work supervision and review allow the organization to maintain good work ethics and identify areas of improvement for each employee, which improves the business and the decisions the organization must make in future. Disclosure of information and employment agreements also fall under administrative control. During pre-employment, the employee must sign an agreement aligned with the organization's policies and procedures. As part of the agreement, the employee may not at any stage disclose organizational information or practices to any other company or customer. Solomon Enterprises has the authority to terminate employment if it finds any threat to sensitive information.

Physical Controls (Kishan Patel & Nitish Pisal)

Physical access controls on the premises are required to prevent unauthorized users from entering or gaining information about Solomon Enterprises. Badges are required for every employee to enter the building or any common area of the organization. Surveillance should be set up to monitor the premises for unusual activity and protect the building from any attack. Physical security is important to secure the assets, data and equipment inside the building. Furthermore, physical security is necessary to safeguard employees, whose safety is an important asset for Solomon Enterprises.

Passive wireless intrusion detection systems are increasingly popular because of their ease of installation and maintenance. To detect unauthorized physical access in offices and warehouses we propose the use of RASID, a WLAN device-free system for detecting human activity. RASID combines different modules for statistical anomaly detection while adapting to changes in the environment to provide accurate, robust, and low-overhead detection of human activities using standard Wi-Fi hardware (Kosba, Saeed, & Youssef, 2012). It can alert the security guards or the security in-charge about the detected activity so that the necessary action can be taken.

Technical Controls (Nitish Pisal)

As an online retailer, Solomon Enterprises has to provide a high level of security to its users by authenticating and validating legitimate users who try to access the system. Our authentication mechanism requires a minimum password length of 8 characters and a maximum length of 64 characters, allows no more than 3 consecutive characters, and requires at least one number and one special character. Furthermore, to resist brute-force attacks, before allowing a user to choose a password we check every new password against a list of known passwords that are not strong enough or have appeared in compromises, provided by the NIST Bad Passwords open-source API. In the future, Solomon Enterprises plans to implement multi-factor authentication to provide an additional layer of protection.
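The password policy above, as an added example that is not part of the original paper or of the NIST Bad Passwords project: the validator applies the length bounds, the digit and special-character requirements, and reads "no more than 3 consecutive characters" as "no run of more than three identical characters" (that reading is an assumption). The known-weak list is a small constructed stand-in for the NIST Bad Passwords list; a real deployment would load the full list.

```python
import re

MIN_LEN = 8
MAX_LEN = 64
MAX_RUN = 3  # longest run of one repeated character allowed (assumed reading of the policy)

# Constructed stand-in for the NIST Bad Passwords list; the real list is far larger
# and is stored lower-case, so comparisons below are case-insensitive.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@ssw0rd", "admin123!"}


def longest_run(s: str) -> int:
    """Length of the longest run of identical consecutive characters in s."""
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def check_password(password: str, weak_list=WEAK_PASSWORDS) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if longest_run(password) > MAX_RUN:
        problems.append(f"more than {MAX_RUN} identical consecutive characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Reject anything on the known-weak / breached list regardless of composition.
    if password.lower() in weak_list:
        problems.append("appears on the known-weak/breached list")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "aaaa1!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

The breached-list check runs even when a password satisfies every composition rule, which is the point of the policy: "P@ssw0rd" passes length and character-class checks but is still rejected.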

Our company uses the Advanced Encryption Standard (AES), the encryption algorithm that NIST selected as the stronger and better cryptographic standard for the 21st century and that is regarded as the most robust. AES satisfies our most basic security goal: that the best attack against it should be trying every possible key until the one that works is found (key exhaustion). Here the size of the key determines the strength of the algorithm. For example, to find an n-bit key it is, on average, necessary to try 2^(n-1) keys, but if n is made sufficiently large this becomes wildly impractical (Burr, 2003).

Forrester Research suggests that there were around 10 million purchases on the Internet during 1998, amounting to around 15 billion in sales, and that the number of online shoppers will reach 230 million in 2021. Credit and debit cards are currently the primary means of online purchase, and with the rise in online shoppers and merchants there is an increase in credit card fraud. Criminals can acquire credit card numbers illegally by various methods, so it is very important to verify the buyer's identity before approving a purchase. AVS involves matching user inputs against public records and bank records to find any discrepancies. The inputs include the consumer's credit card number, billing address, home address, shipping address, remote IP address, email address, address verification system (AVS) data, credit card verification (CVV) data, and user verification data (Jain, Arnold, Marcus, & Shah, 2006).

Figure: AVS Flowchart
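The matching step that the flowchart summarizes, as an added example that is not part of the original paper: the billing address and postal code submitted with an order are compared with the issuer's record, and the other discrepancies the text lists (shipping address different from billing, IP geolocation different from the card's country) are combined into a screening decision. It goes slightly beyond the text in returning the common AVS result codes (Y full match, A address only, Z postal code only, N no match, U unavailable); the issuer records, the sample orders and the decision thresholds are all constructed for this example, and in production the AVS query goes through the card network rather than a local table.

```python
from dataclasses import dataclass


@dataclass
class IssuerRecord:
    """Cardholder data as held by the issuing bank (constructed sample)."""
    card_number: str
    street_number: str
    postal_code: str
    country: str


# Constructed stand-in for the issuer's records; 4111... is a well-known test card number.
ISSUER_RECORDS = {
    "4111111111111111": IssuerRecord("4111111111111111", "742", "30301", "US"),
}


def normalise(s: str) -> str:
    """Lower-case and strip everything but letters and digits for tolerant comparison."""
    return "".join(ch for ch in s.lower() if ch.isalnum())


def leading_digits(address: str) -> str:
    """AVS conventionally compares only the numeric street portion of the address."""
    digits = ""
    for ch in address.strip():
        if not ch.isdigit():
            break
        digits += ch
    return digits


def avs_result(card_number: str, billing_address: str, billing_zip: str) -> str:
    """Compare the submitted billing details with the issuer record and return an AVS code."""
    record = ISSUER_RECORDS.get(card_number)
    if record is None:
        return "U"  # issuer record unavailable
    addr_ok = leading_digits(billing_address) == record.street_number
    zip_ok = normalise(billing_zip) == normalise(record.postal_code)
    return {(True, True): "Y", (True, False): "A", (False, True): "Z"}.get((addr_ok, zip_ok), "N")


def screen_order(order: dict, ip_country: str):
    """Combine the AVS code with the other discrepancies the text lists.

    Decision thresholds are assumed for this example: an AVS no-match or
    unavailable result declines, any other discrepancy sends the order to
    manual review, and a clean order is approved."""
    flags = []
    code = avs_result(order["card_number"], order["billing_address"], order["billing_zip"])
    if code != "Y":
        flags.append(f"avs:{code}")
    if normalise(order["shipping_address"]) != normalise(order["billing_address"]):
        flags.append("shipping differs from billing")
    record = ISSUER_RECORDS.get(order["card_number"])
    if record and ip_country != record.country:
        flags.append(f"ip country {ip_country} != card country {record.country}")
    if code in ("N", "U"):
        decision = "decline"
    elif flags:
        decision = "review"
    else:
        decision = "approve"
    return decision, flags


# Constructed sample orders.
SAMPLE_CLEAN = {
    "card_number": "4111111111111111",
    "billing_address": "742 Evergreen Terrace",
    "billing_zip": "30301",
    "shipping_address": "742 Evergreen Terrace",
}
SAMPLE_SUSPECT = {
    "card_number": "4111111111111111",
    "billing_address": "742 Evergreen Terrace",
    "billing_zip": "90210",
    "shipping_address": "1 Other Street",
}

if __name__ == "__main__":
    print(screen_order(SAMPLE_CLEAN, "US"))
    print(screen_order(SAMPLE_SUSPECT, "RO"))
```

A partial AVS match is not by itself proof of fraud (customers mistype postal codes), which is why the example routes partial matches to review rather than declining them outright, and only a definite no-match or an unknown card is declined.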

Security Policies (Vinay Charan Eddu)

Information security programs in any organization are reinforced by policies and procedures aiming to attain three critical goals regarding data safety: confidentiality, integrity and availability of data. Integrity deals with protecting data from either accidental or intentional changes; availability involves ensuring that data can always be accessed for authorized use, particularly in emergencies and disasters; and confidentiality includes protecting data from unauthorized access and keeping critical information from accidental exposure (Newton, Anslow, & Drechsler, 2019). The principal focus of this paper is the data safeguarding policies: media destruction, incident response and acceptable use policies.

The media destruction policy provides guidelines on when to dispose of information and how long to retain data. It requires that all activities for handling both hard and soft copies are outlined and well documented. The policy also states that duplicate information should be destroyed while the originals are retained. Disposal must be done decisively according to the type of data: less sensitive data may be disposed of normally or by recycling, personal data should be burnt or shredded, and electronic files should be wiped with a three-pass overwrite to make sure they cannot be recovered by forensic means (Boyd, Woollard, Macleod, & Park, 2018).
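The three-pass wipe of an electronic file, as an added example that is not part of the original paper: the file is overwritten in place with zeros, then ones, then random bytes, each pass flushed and fsync'd before the next, and finally unlinked. The pass patterns, chunk size and the sample file contents are choices made for this example, not a standard the paper cites.

```python
import os
import tempfile

# Overwrite patterns for the three passes; None means random bytes from os.urandom.
PASS_PATTERNS = (b"\x00", b"\xff", None)
CHUNK = 1 << 16  # write in 64 KiB chunks so large files do not need to fit in memory


def overwrite_file(path: str, patterns=PASS_PATTERNS) -> int:
    """Overwrite the file once per pattern, forcing each pass to disk, then unlink it.

    Returns the number of passes performed."""
    size = os.path.getsize(path)
    passes = 0
    with open(path, "r+b") as fh:
        for pattern in patterns:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                chunk = os.urandom(n) if pattern is None else pattern * n
                fh.write(chunk)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # make sure this pass hits the disk before the next starts
            passes += 1
    os.remove(path)
    return passes


def make_sample_file() -> str:
    """Constructed sample: a temporary export file holding fake customer data."""
    fd, path = tempfile.mkstemp(prefix="solomon-export-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"customer,card_last4\nJane Doe,1234\n" * 1000)
    return path


def demo():
    """Create a sample file, wipe it, and report (passes done, file still exists)."""
    path = make_sample_file()
    passes = overwrite_file(path)
    return passes, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

In-place overwriting only defeats forensic recovery when the filesystem writes the new bytes over the same physical blocks. On SSDs (wear levelling), copy-on-write filesystems and snapshots, the old blocks can survive all three passes, so for those media the policy should rely on the drive's built-in secure-erase command or on full-disk encryption with destruction of the key.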

The incident response policy deals with the procedures undertaken after an attack. The policy ensures that all steps taken during this period are directed towards minimizing the damage that results from the attack. It describes who is responsible for which action and what should be done, step by step (Tsakalidis, Vergidis, Petridou, & Vlachopoulou, 2019).

The acceptable use policy (AUP) sets out the regulations and practices the user must agree to in order to use the data. It involves issuing an ID that allows people to access the data via a network or the Internet. The AUP regulates how the data should be used and what may be posted or is excluded, e.g. not sending massive emails that flood the server (O'Byrne, 2019).

In conclusion, data security policies are important in safeguarding data. Since threats are dynamic, the policies should be too. However, nothing is 100% safe; thus incident response exists to minimize the extent of the resulting damage.

Legislation / Regulations or Industry Standards (Kartik Sagar Mamidi)

Companies and organizations are obliged to protect their systems and information from cyber attacks. Different countries have different cyber security laws governing the protection of information and systems from malicious attacks. Cyber security laws have many effects on e-commerce companies because of the escalation of data breaches. Governments have focused on passing cyber security legislation to protect big as well as small companies. These measures carry mandatory requirements that must be complied with to prevent theft of user information by unauthorized parties. Existing cyber security legislation together with the newer laws creates a dynamic landscape. The United States of America alone has a total of 51 federal and individual state laws (Neil, 2019).

E-commerce companies that accept payment by credit card are subject to the Payment Card Industry Data Security Standard (PCI-DSS) (Margaret, 2012). This is a cyber security standard that protects credit cards from major credit card fraud. The standard is expected to protect credit card holders from having their identities stolen through credit card fraud.

The Gramm-Leach-Bliley Act (GLBA) is a cyber security regulation enacted to protect financial institutions from cyber-attacks (Julia, 2019). The regulation was created to allow participants in the financial industry to offer more services.

Under the ENCRYPT Act, standards created at the state level are to be replaced by a national encryption standard. The bill was put forward by a group of independent representatives and would ensure a uniform national policy for the interstate problem of encryption technology (Teri, 2019).

Cyber security laws have had a huge impact on e-commerce organizations. Some of these impacts are:

  • Heightened risk management function. Business entities will improve their risk management measures as they affect the security of corporate information. Customers will not be affected by considerable breaches of information, since this will intensify the sanctity of electronic commercial transactions under the new system (Banwo & Ighodalo, 2016).

  • Improved confidence of individuals. The new legal system is hoped to boost the trust of individuals, firms and companies so that they transact more business and provide services online without fear of encountering plagiarism, identity theft or copyright violation (Banwo & Ighodalo, 2016).

  • Increased commercial litigation. The volume of commercial deals concluded electronically, and the number of cases brought to seek redress for breaches, will increase (Banwo & Ighodalo, 2016).

I recommend that e-commerce organizations become familiar with the cyber security laws that govern the protection of their information from cyber-attacks, since these laws have a hugely positive impact on e-commerce organizations. Cyber security laws are enacted at the federal level to protect individuals and organizations against cyber-attacks on their information. Different countries introduce different cyber security laws, but they all serve the same purpose of protecting information from cyber-attacks.

Network Security Tools (Hitendra Kudikala)

Network security is essential in safeguarding information stored on computers. Implementing network security devices and software protects data from unauthorized access by people as well as by unauthorized devices and software. Applying network security in e-commerce is key to mitigating risk factors on the side of both buyers and sellers. Some of the risks that business owners face include payment fraud and unauthorized access to customer data. Some of the network security measures involve the use of Cisco, ISE, and ACS, as discussed below.

Cisco is software that mainly helps business owners integrate activities and finish projects much faster. As a result, the performance of the business in general gets a positive push upward, generating more profit. This software exists to ensure customer satisfaction and the achievement of the sellers' goals. Cisco provides easier ways of conducting business, including sharing information, relaying video surveillance, transmitting text and researching data from other sources. These services are aimed at ensuring that customers are comfortable as they shop. The products available include routing, which helps business owners transmit information over broad networks quickly and reliably using routers. Secondly, Cisco has particular Internet appliances that help protect information from unauthorized access, for instance firewalls and Virtual Private Networks. As Cisco is one of the largest networking companies, applying these product offerings to an e-commerce business would help to improve the outlook of the business and to meet the needs of its customers.

ISE is a Cisco development, the Identity Services Engine, which ensures security at data access points. The main concept behind this engine is to simplify the identity and compliance of users of a given network. It makes work easier by collecting data on identity and authorizing access to the specified network only through that identity. Additionally, the engine is essential for authentication protocols, which range from passwords to face identification and special passcodes. All of these measures secure the data of the parties involved, ensuring that only an authorized party becomes privy to the available information. Applying such a system in e-commerce helps keep all of a customer's information regarding their transactions and credit card details secure. They are the only ones who can access such data and make changes whenever necessary (Sweeney, Baumrucker, Burton, & Dubrawsky, 2003).

An ACS is an Access Control Server. This was developed so that customers can make secure transactions using payment cards (GPayments, 2019). An example would be processing a payment with a Visa card after an online transaction. The authentication process is usually such that the information on the card is sent through a 3D Secure message to the bank that issued the card, which authenticates the data and enables the transaction to proceed. The customer is required to enter their identification PIN, and if the data stored in the bank's systems matches the data provided by the customer, the money is debited and the customer receives the goods they desire. These control servers are essential in preventing payment fraud, since they authenticate all of the customer's details to ensure they match. This ensures that an unauthorized third party cannot shop with a stolen payment card if they do not have all the required details.

These measures are all customer oriented; they enable easier transactions and boost e-commerce businesses. It is essential for businesses to embrace network security measures, for the sake of convenience and customer satisfaction.

Conclusion (Manpreet Kaur)

The goal here was to develop a plan that evaluates the current security posture of the company and determines what controls need to be put in place to safeguard its information.

Regarding the current security posture of the organization, several measures are suggested for administrative control at Solomon Enterprises, such as background checks, which assure the organization that an employee does not pose a threat. Another measure is having employees complete security and awareness training. An access control mechanism is a critical measure governing access to information on any system of the organization. Surveillance monitors on the premises should be used to watch for unusual activity in order to protect the building from any attack. Authentication mechanisms should be used to resist brute-force attacks, allowing a user to choose only a password that is unique and strong and that does not appear on the list of compromised passwords provided by the NIST Bad Passwords open-source API. AES satisfies the basic security goal that the best attack is key exhaustion, and is used along with the address verification system.

Information security programs should be reinforced by policies and procedures aiming to achieve three major goals regarding data safety: confidentiality, integrity and availability of data. Here we suggest using a media destruction policy for retaining data and disposing of information, along with an incident response policy for the steps undertaken after an attack. These policies ensure that the steps taken during an attack are directed towards diminishing the damage.

Cyber security legislation should be considered in order to protect the organization. Such laws carry compulsory requirements intended to prevent theft of user information by unauthorized parties.

Applying network security devices protects the organization's data from unauthorized access by people, devices and software. Some of the network security measures involve the use of Cisco, ISE, and ACS, which help make sure the network security measures are taken care of.

References

Banwo & Ighodalo. (2016). Milestone in electronic commerce: How the Cyber-crime Act 2015 impacts businesses. Retrieved from https://www.lexology.com/library/detail.aspx?g=c0bea62a-274c-4dcb-982a-6479459ece20

Boyd, A., Woollard, M., Macleod, J., & Park, A. (2018). The destruction of the ‘Windrush’ disembarkation cards: a lost opportunity and the (re)emergence of Data Protection regulation as a threat to longitudinal research. Wellcome Open Research, 3.

Burr, W. E. (2003). Selecting the advanced encryption standard. IEEE Security & Privacy, 1(2), 43-52.

GPayments. (2019). 3D Secure Authentication: What is 3D Secure, ACS and MPI? Retrieved from https://www.gpayments.com/about/3d-secure/

Jain, N., Arnold, J., Marcus, K., & Shah, N. (2006). U.S. Patent Application No. 11/285,748.

Julia, K. (2019). The Gramm-Leach-Bliley Act of 1999 (GLBA). Retrieved from https://www.investopedia.com/terms/g/glba.asp

Kosba, A. E., Saeed, A., & Youssef, M. (2012, March). RASID: A robust WLAN device-free passive motion detection system. In 2012 IEEE International Conference on Pervasive Computing and Communications (pp. 180-189). IEEE.

Margaret, R. (2012, April). PCI DSS 12 requirements. Retrieved from https://searchsecurity.techtarget.com/definition/PCI-DSS-12-requirements

Neil, F. (2019). How new cyber security laws can help protect your business. Retrieved from https://www.inc.com/neill-feather/how-new-cybersecurity-laws-can-help-protect-your-business.html

Newton, N., Anslow, C., & Drechsler, A. (2019). Information security in agile software development projects: A critical success factor perspective.

O'Byrne, W. I. (2019). Acceptable use policies. The International Encyclopedia of Media Literacy, 1-6.

Purcell, J. E. (2007). Security control types and operational security. Retrieved from the World Wide Web.

Sweeney, M., Baumrucker, C. T., Burton, J. D., & Dubrawsky, I. (2003). Cisco security professional's guide to secure intrusion detection systems. Syngress Publishing.

Teri, R. (2019). Top cyber security legislation of 2019. Retrieved from https://www.scmagazine.com/home/security-news/top-cybersecurity-legislation-of-2019/

Tsakalidis, G., Vergidis, K., Petridou, S., & Vlachopoulou, M. (2019). A cybercrime incident architecture with adaptive response policy. Computers & Security, 83, 22-37.