Information security is the talk of the day. As information services and web-enabling technologies for enterprise digitization grow in popularity, information becomes the critical asset that enterprises have to protect. So how do these critical assets fall under the risk of security breaches? Let us investigate some of the popular approaches.
Social Engineering Techniques:
These involve surveillance of the site and phishing techniques. Attackers register names that resemble those of famous sites; when a shopper mistypes the address, these typo pirates serve an illegitimate copy of the site and trick the user into providing confidential information. Another technique is spoofing mails so that they look like those received from authentic channels; the link in the mail actually leads to a rogue site that collects the information.
Snooping the computer:
Most users know little about the security features of their systems. To make products easier and cheaper to ship, vendors often leave the security features of software and hardware disabled by default. A non-techie in most cases does not enable them, nor does he read the manual. This is a treasure trove for the attacker. The tool most commonly used here is SATAN, which performs port scans on a computer to detect entry points into the machine. Based on the open ports found, the attacker can use various techniques to gain entry into the system. Upon entry, the files are scanned and any useful information is stolen.
Even if a firewall system is bought, in most cases, there are compatibility issues with the other programs that prevent its smooth functioning.
Another approach is eavesdropping on the network: the attacker monitors the data flowing between the shopper's computer and the server, collects data about the shopper and steals personal information, such as credit card numbers.
At certain points of the network this type of attack is far more practical than at others. If the attacker sits somewhere in the middle of the Internet, the attack becomes impractical: a request from the client to the server is broken up into smaller packets, these packets leave the client's computer and travel to the server, where the message is reconstructed. An attacker who cannot access all the packets cannot decipher the message.
Guessing Passwords:
These attacks can be manual or automated. Manual attacks are labour intensive and succeed only if the attacker knows something about the shopper. Automated tools try every word in a dictionary as the user id and password, and the attacker can run them against multiple sites at the same time.
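As an added example (not part of the original article), the following Python detection logic runs over constructed login audit lines and flags sources whose failures look like the automated guessing described above: many failures against one account (dictionary attack) or failures spread across many accounts (password spraying). The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-shop login audit lines (not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01 ip=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:02 ip=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:03 ip=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:04 ip=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:05 ip=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:06 ip=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:30 ip=198.51.100.9 user=bob result=FAIL
2024-03-01T10:05:30 ip=198.51.100.9 user=bob result=OK
2024-03-01T10:01:00 ip=192.0.2.44 user=carol result=FAIL
2024-03-01T10:01:01 ip=192.0.2.44 user=dave result=FAIL
2024-03-01T10:01:02 ip=192.0.2.44 user=erin result=FAIL
2024-03-01T10:01:03 ip=192.0.2.44 user=frank result=FAIL
"""

# Assumed line layout: "<ISO timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    """Turn audit lines into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def detect_guessing(log_text, window=timedelta(minutes=1), max_fail=5, max_users=3):
    """Return {ip: reason} for sources whose failures inside `window` look automated."""
    fails = defaultdict(list)   # ip -> [(timestamp, user), ...] within the window
    alerts = {}
    for ts, ip, user, result in parse(log_text):
        if result != "FAIL":
            continue                # successful logins are not counted
        fails[ip].append((ts, user))
        # Keep only failures that fall inside the sliding window ending at `ts`.
        fails[ip] = [(t, u) for t, u in fails[ip] if ts - t <= window]
        recent = fails[ip]
        if len({u for _, u in recent}) >= max_users:
            alerts[ip] = "spraying"     # one source, many different accounts
        elif len(recent) >= max_fail:
            alerts[ip] = "dictionary"   # one source hammering a single account
    return alerts
```

A lockout or rate limit keyed on the flagged source, rather than on the account alone, stops the automated tool without letting the attacker lock legitimate shoppers out.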
Denial of Service attacks:
The hacker infects computers on the Internet via a virus or other means, and the infected computers become slaves of the hacker. The hacker then bombards the server with useless requests that consume a high degree of resources and that the server finds tough to handle. This causes the target site to have problems, and because the packets arrive over a number of different routes, the flood is hard to stop.
There is a high probability that the software used on the site has some bug and that the owner of the site has not applied the required patch. This is when the hacker comes into the picture: he analyses the software used on the site, finds that the patch is not installed, and uses this weakness to enter the site. This is a simple but effective attack.
Server root Techniques:
These techniques allow the attacker to get superuser access to the site. Unlike an attack that exposes the confidential information of only one person, here the possibilities are limitless: the entire value chain is exposed and under the attacker's control, which makes this a coveted type of attack. In a buffer overflow attack, the hacker takes advantage of a specific type of program bug involving the allocation of storage. The trick is to fool the server into executing code written by the hacker.
- Install personal firewalls for the client machines
- Store confidential information in encrypted form
- Make use of the Secure Socket Layer protocol to protect information flowing between the client and the e-commerce site.
- Use password change policies, firewalls and routine external security audits.
- Use threat model analysis, strict development procedures and audits by external agents who are highly trained to protect the software.
With the increasing emphasis on e-commerce, the risk of data theft is also increasing. Business organisations should therefore take steps to constantly check their facilities and infrastructure to make sure that they are foolproof, because in this era of cut-throat competition, even one instance of loss of data about a consumer is enough to close down a business enterprise.
Security is paramount!