Risk Assessment for Start-Up E-Commerce Company

In this Assignment I will be advising a start-up e-commerce company, by the name of CyberCash Ltd, who intend to create a software for transferring money.

Contents

 

Cyber Threats

There are three categories of cyber threats, internal, external and social engineering.

Internal

Internal threats for a company would be weak passwords, unsecure server room, a USB infected with malware, poor awareness of social engineering exploits and employees mislaying hardware.

Weak Password

Having weak passwords leaves potentially sensitive data exposed and easily unlocked using methods such as brute force or dictionary attacks, this can be prevented by making use of strong passwords which contain symbols and numbers, rather than just letters.

Brute force is the method of a hacker using a piece of code, which will enter all possible and likely combinations of letters and words, in an attempt to crack the password. A dictionary attack is the method of a hacker using common and well known passwords, such as ‘Password123’.

It is important for an e-commerce company, such as CyberCash to have strong passwords to keep sensitive data secure. Using numbers and symbols makes a password much harder to crack through both brute force and dictionary attacks. A longer password is always better, however a company should make sure that the employees can remember the password.

Physical Security Vulnerabilities

A company’s server room should also be secured. Having an unsecure server room could result in someone breaking into the server room and potentially destroying crucial hardware or infecting the database with a USB containing malware. This can be prevented by keeping the server room locked and installing security equipment such as CCTV.

An example of companies who keep their server rooms under a very heavy security protocol is Google and Microsoft. Both companies use very advanced security measures, such as guards, CCTV and fingerprint scanner. These companies do this as their data is very valuable and if someone with unauthorised access were to gain access to the companies servers they could steal or delete this data.

You can protect you server rooms using many techniques, such as Google’s use of fingerprint scanners and on-site guards. However due to the size of your company, these techniques may not be suitable. The techniques I would advise are locks on server room doors, CCTV and heat control. Heat control is very important with servers as overheating can severely damage servers.

A company, such as CyberCash Ltd should be aware of physical security vulnerabilities. This is because poor physical security may lead to infiltration of facility and theft of data or damage of hardware, causing data loss.

Bring Your Own Device Policy

The policy of allowing employees to bring their own device is a huge threat to security. This is because an employee’s device will most likely be much less secure than the company’s network, as they do not have as high protection from viruses. This is a threat towards the company’s system, as if an employee’s device has a virus and they connect this device to the company’s network, then the network will then be exposed to the virus. This could potentially lead to the whole system becoming infected.

The best way to prevent this would be to end the BYOD policy, however this is not always the most practical and efficient solution. To help increase security with a BYOD policy I would advise you to keep a register of connected devices, force VPN use and enforce on-device security. Company Tech Advisers, Ontrack.com also advice the use of MDM.

VPN use helps encrypt data being communicated through your network. I advise this as it decreases the chances of an external source wiretapping your company. This is especially important with an e-commerce company as you will be dealing with sensitive data, such as banking information.

To summarise I would advise CyberCash to register devices as it allows you to check whether all devices connected to your network belong to your staff. This would help detect any unauthorised access to your network, and reduce the amount of resources that are being used in-efficiently. This would however rely on that your company will have an IT team regularly checking and listing devices, which may be costly for a start-up company.

External

External threats for a company would be viruses, worms, rootkits, ransomware, Industrial espionage, state actors, political/protest groups (animal welfare or terrorist groups) and hackers seeking fame.

Virus

Viruses are the most common external threat. A virus is a piece of code that can destroy or corrupt data and is capable of reproducing itself. A virus is commonly attached to a file, and could be disguised with a Trojan. Once a system has been infected with a virus the virus will be situated in the storage of the system, once in the storage the virus will delete or corrupt all data on the system.

A company such as yourself that deals with e-commerce must be very aware of the threat of a virus. This is because if the virus deletes or exposes sensitive information, such as banking information, the user will lose trust in the company and its reputational will be ruined.

A virus can be prevented by making sure all devices have an antivirus installed, are up to date and making sure that employees do not download any files from a potentially untrustworthy source.

Worms

Worms are very similar to viruses in that they both are code capable of destroying or corrupting data, however a worm does not need to attach itself to a file, unlike the virus worms use a computer network to spread itself, and once it has infected one computer it will infect others on the same network. Worms can be prevented in the same way that a virus is, using a strong antivirus and network firewall. Worms are targeted at companies rather than individual users. This is because they can infect a company’s network very easily, if the network is not secure. This can be catastrophic for a company such as yourself who deal in e-commerce.

An infamous example of a worm affecting companies is the “ILOVEYOU” worm. This worm originated from the Philippines and on 5 May 2000 started infecting companies around the world. It did this by infecting a system and then sending a replication of itself to all addresses in the systems Windows Address Book. It is estimated that the outbreak has caused £4.5 to £7.1 billion in damage. The capabilities of a worm to infect other systems on a network and prior examples of damages done to a company by a worm reinforce that they are a very threatening to a company’s security.

Rootkits

A rootkit is a software that allows an external user to gain control of a device remotely without being detected, often through a backdoor installed in the system once infected.  Rootkits are usually installed without the user’s knowledge and can be very hard to detect, this gives the hacker time to access sensitive data. Rootkits can be used to change a user’s details, such as passwords. They can also be used to gain access to a user’s sensitive details such as banking information. Once a hacker has harvested all valuable data they will most likely use the system as a ‘Zombie’, infecting other systems with the rootkit.

A rootkit infection can be prevented by having a reliable anti-virus installed, such as Bitdefender or Malwarebytes, keeping your system up to date and any social engineering attempts. It is important to prevent rootkits from infecting your system, as they are very difficult to detect and remove.

If a system has already been infected, removal of a rootkit can be very complicated, this is because it can subvert detection attempts, and in some extreme cases the operating system must be reinstalled.

Rootkits are a very serious threat to e-commerce companies, such as CyberCash. This is because you will most likely have sensitive data, such as banking information, stored on your system. This makes Rootkits a threat as a hacker could harvest this data, potentially exposing your customer’s bank accounts to the hackers. This would result in a lack of trust from your consumer base and a deterioration of reputation. This could lead to customers choosing more secure and reliable competitors over your business.

Industrial Espionage

Industrial Espionage is dangerous for corporations who have trade rivals, such as yourself. Industrial Espionage could be anything from stealing trade secrets to a rival paying hackers to disrupt your business’s trade, for example a rival could pay a hacker to launch a DDOS attack to bring the target company’s sit down, disrupting trade. This would cause the rival companies. Or a rival could hire a hacker to gain data on an unreleased product of a rival, to produce their own improved version.

Industrial Espionage is a threat that is little talked about, however, is very dangerous to a company like CyberCash. For example if a rival company were to hire a hacker to hack your system. This would cause customers to lose trust in the security of your company, and most likely will not do business with you in fear of their sensitive data, such as bank details being harvested. Companies with rivals do this often, to gain customers for themselves, and decrease the number of customers of the rival company.

Ransomware

Ransomware is a malicious piece of code that encrypts the data on the infected system. Once the infected system’s data has been fully encrypted the user will get a message demanding a ransom for the data to be decrypted, in most cases there is also a timer with an attached threat such as deletion of data or increase of ransom, if the money is not paid within the given time. The money will often be demanded through cryptocurrency, such as bitcoin. This is because crypto-currency is much harder to trace than other currency methods, giving the hackers a lower chance of being caught.

You can prevent the risk of Ransomware to your company by backing up data to an external drive, keeping systems up to date and having a strong anti-virus installed. Keeping a backup reduces the threat of ransomware as you will have a second copy of any data, which has been potentially encrypted if your system has been infected. This would allow your company to continue business with the back-up data, until the ransomware has been safely removed. Keeping your system up to date decreases the risk of Ransomware as for example, updates for an operating system, such as windows can contain security updates, which will increase the security of your system. Having a strong anti-virus installed reduces the threat of Ransomware, as it will detect and block the virus before it has successfully infected your system, therefore preventing the software from encrypting your systems data.

A famous example of Ransomware is CryptoLocker. CryptoLocker was a ransomware Trojan that used Gameover ZeuS botnets and infected email attachments to spread itself. Once the system had been infected the files were encrypted using an RSA 2048 bit encryption. The ransomware would then prompt the user to pay to unlock their data, via a key. It is estimated that approximately 500,000 people were infected by this ransomware. CryptoLocker was eliminated on the 2nd of June 2014 in ‘Operation Tovar’. This operation included elements from Interpol, FBI and various cyber security groups. Dutch security firm Fox-IT supplied decryption tools to those with who had their data locked by the ransomware. Thankfully CryptoLocker is no longer an active threat, however it does show how dangerous a threat ransomware can be.

CyberCash should be aware of ransomware as they will store sensitive data, such as banking details and statements. This makes ransomware a threat as you cannot risk losing this data, as it would most likely result in a loss of trust amongst your customers, potentially prompting them to leave to a more secure and trusted e-commerce site.

Social Engineering

It is important for a company to make sure that its employees are aware of exploits such as social engineering. This is because the practise of social engineering is getting increasingly more common and believable. If a company’s employee gets targeted, it could result in the whole company becoming compromised. To help combat this a company should educate it’s users on such methods. Doing decreases the risk of being exploited through social engineering hugely. There are many Social Engineering techniques, such as Phishing, Typo Squatting and Doppelganger Domain.

Typosquatting

Typosquatting also known as URL hijacking, is a type of cybersquatting that targets users who incorrectly type a trustworthy website address into their web browser, for example if someone was searching for “google.com”, but instead type “gooogle.com”. Typosquatting is used for many different reasons, by hackers to install adware or malware into your system, to redirect to a competitors site or a seemingly identical site to the original that harvests the user’s login details.

A famous example of Typosquatting is “yuube.com”. This URL was intended for users attempting to reach the famous site “YouTube.com” and led the user to a malicious site, which installed adware and malware onto the user’s system. This was resolved by YouTube when the redirected the URL to the legitimate site.

Typosquatting may not be a large threat to companies such as CyberCash, with the proper training of staff on cyber security. However it may stop potential customers from reaching your site, if a Typosquatting URL is made to take advantage of users attempting to reach your company. I this does happen I would advise to warn users of a potential Typosquatting or redirect the URL back to your legitimate site.

Doppelganger Domain

A doppelganger domain is a domain spelled identical to the legitimate domain, however is missing the dot between the host and domain, the domain will usually contain adware or malware that will infect the user’s computer.

Phishing

“Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”  1

As stated phishing is a cybercrime, where the hacker will pose as a legitimate company. Vulnerable people such as the elderly are usually the most at risk and targeted, as they are not usually familiar or prepared against the method, very rarely are these targeted at companies such as yourselves. This method can be prevented by training staff in awareness of social engineering tactics such as phishing.

Being an e-commerce company I would advise CyberCash to warn and educate staff and customers on phishing.

Physical Threats

Physical threats can be just as dangerous to a company’s data as cyber threats. Physical threats include both Localised Disasters and Natural Disasters.

Localised Disaster

Localised Disaster are physical threats that only affect the local area. An example of localised disasters are water leaks, fires or power outages.

Localised Disasters can be prevented with appropriate means, such as making sure your servers have a backup power source in case of a power outage. It is ideal to have backup files stored on an external server, this is because if you store backups on a server which is onsite, it may also be damaged.

Overall I would say that Localised disasters are a severe threat to CyberCash, if hardware is not maintained correctly or data is not backed up as the loss of crucial sensitive data, such as customer information will likely lead to a halt in business operations.

Natural Disaster

Natural Disasters are usually more dangerous than Localised Disasters and cannot be predicted or prevented like Localised Disasters. Natural Disasters include earthquakes, volcanoes and floods. Natural disasters can cause data loss by damaging the hardware, such a company’s Servers or Hard Drive storage. CyberCash should be aware of this threat as if crucial storage hardware, such as servers are damaged they may lose crucial sensitive data, such as user banking information.

This threat can be reduced by storing back-ups of the data in servers that are spread in areas with different climates, this way the company will still be able to access the data they need through the back-up servers, until the damaged servers are repaired.

Overall I would say that natural disasters are a threat to CyberCash, if data is not backed up on external storage. This is because the loss of sensitive data, can lead to halting of operations or disruption of company trade.

Network Threats

A company such as yourself should be aware of the two groups of Network Threats, Active Threats and Passive Threats.

Passive Threats do not actively destroy or edit data, but instead lists it. The system is usually monitored to gain information about the target system. Notable Passive Threats are Wiretapping, Port scanning, Traffic analysis, War driving and idle scanning.

Active Threats

Active Threats are a type of network exploit in which an unauthorised person attempts to make changes to data to data on a system on the network or data travelling on the network. Notable Active Threats are DoS attacks, MITM, SQL injections, Buffer Overflow and Format String.

DOS Attacks

DoS stands for Denial of Service. These DoS attacks are carried out by a selection of zombie systems. These are usually computer systems that have been infected with malware and can be controlled remotely by the hacker. DoS attacks usually result in a target server being constantly pinged by these zombie systems, eventually this will result in the server becoming overloaded with requests and crashing.

A famous example of the results of a DoS attack is a DoS attack on December 2015, against Microsoft Xbox Live and Sony’s PlayStation Network. This attack resulted in both services being closed over the Christmas period, for over a week.

A DoS attack on a company’s server system can have catastrophic results, especially for web-reliant business, such as CyberCash. This is because many of the company’s web-based resources, such as websites and file sharing will be down. This is a very large impact to cyber based companies, such as CyberCash, as they are unable to carry out their business. This would likely infuriate customers as they will be unable to access their funds stored in CyberCash.

MITM

MITM stands for Man in the Middle. This is where a hacker will intercept data sent between the user and the browser. This gives the hacker the opportunity to edit and view this data and then send it to the original receiver. This allows the hacker to incorporate potentially malicious software into the data or view potentially sensitive data.

An example of the effects of a MITM attack is a MITM attack on Iranian Google users. This MITM attack intercepted data of Iranian Google users for months and led to many Iranian Activists being exposed and fed misinformation. The MITM attack intercepted data from the google search engine and email service.

CyberCash should be aware of MITM attacks and know how to prevent these. This is because sensitive data, such as banking information will be sent through the CyberCash network. If this data is edited it could have severe consequences. For example, a hacker could potentially edit the bank information for malicious purposes. This would cause the customer to lose trust in the company.

SQL injections

SQL injection is a type of attack that allows the hacker to execute malicious SQL statements. Attackers can use SQL injections to bypass application authentication measures. This could allow a hacker to obtain access to the SQL database, which holds potentially sensitive data.

To summarise this type of network attack is very dangerous to CyberCash. This is because CyberCash will be storing very sensitive data, such as user’s bank information and personal details (such as address and age). If this data is exposed it would be a breach of GDPR and would result in a fine and damage to reputation. However this network attack can be prevented, using a strong network firewall and by not using dynamic SQL, which can be exploited.

Passive Threats

Passive Threats do not actively destroy or edit data, but instead lists it. The system is usually monitored to gain information about the target system. Notable Passive Threats are Wiretapping, Port scanning, Traffic analysis, War driving and idle scanning.

Wiretapping

Wiretapping is the interception and monitoring of internet-based communication, such as email to gain information, without the sending or receiving user knowing. Wiretapping is a threat as potentially sensitive information could be exposed. Such as banking information. This makes wiretapping a large threat to CyberCash, as being an e-commerce company they will be sending and receiving a large amount of sensitive information.

This can be prevented by encrypting communication on a network. This can be achieved using methods, such as Point to Point encryption. This will prevent the interceptor from reading the intercepted message, as it will be in cypher-text.

Overall I would advise CyberCash to increase the communication encryption. This is because although the no data is destroyed or corrupted, the data is still seen and harvested. This should concern CyberCash as depending on the data harvested, this could result in a breach of GDPR or in the hackers using this collected data for malicious intent.

Port Scanning

Port Scanning is an application designed to probe a host or server for open ports. This can be used by network administrators or even hackers to access computer systems remotely and exploit any vulnerabilities within the system.

Traffic Analysis

Traffic Analysis is the intercepting and examining messages sent by users to gain information about them, such as browsing habits and patterns.

This can be prevented by encrypting communication on a network. This can be achieved using methods, such as Point to Point encryption. This will prevent the interceptor from reading the intercepted message, as it will be in cypher-text.

Overall I would advise CyberCash to increase the network encryption. This is because although the no data is destroyed or corrupted, the data is still seen and harvested. This should concern CyberCash as depending on the data harvested, this could result in a breach of GDPR.

Security Measures

Training of Staff

Training of staff will prevent and reduce the likelihood of a successful social engineering or external attack on CyberCash.

Advantages of training staff is that it can prevent social engineering attacks, such as phishing. It can also help reduce the chances of an external attack, such as a virus. This is because during the training the staff should be taught not to open untrusted files and not to browse unprotected sites. This will reduce the vulnerability of the device, therefore reducing the chances of a successful virus attack against the company.

A disadvantage of this is that training staff can be a very slow and costly progress. It will also rely on the staff’s willingness to complete the training course. This means if the staff does not complete the course the company has wasted money.

Overall I would advise CyberCash to train their staff as it will reduce the company’s vulnerability to social engineering attempts and malware. However CyberCash must be aware of the cost and risks involved of training staff. This mainly being that it relies on the staff’s willingness to complete the course, otherwise the training course will waste the company’s money, which is already low, as CyberCash is a start-up business.

Backups

Consistent backing up of data will ensure that vital, sensitive data is not lost. This is essential for companies such as CyberCash who will be storing sensitive data.

Advantages of Backups are that it provides a second set of data if the first set is lost. This means if the first set of data is lost or corrupted through damage of servers or malware, the company will have a backup of that data. This allows the company to continue with providing their services and continue trade.

A disadvantage of backing up data is that it requires twice as much storage space, for the same level of data. This is especially bad for companies that have a small amount of storage space available.

Overall I would advise CyberCash to backup data. This is because it will allow CyberCash to continue providing their services to their customers, even if the first set of data is lost. However I acknowledge that backing up data is not ideal for companies with limited amount of space, as it requires twice as much storage.

Firewall

A firewall is a piece of security software that protects a systems on a company’s network. It does this by stopping the user from downloading files that may be harmful to the system. When utilised with an anti-virus software provides a strong level of protection against external threats.

An advantage of utilising a firewall on a network is that it will prevent the user from downloading malicious software or opening corrupted files. This is good as it protects the system, preventing malware such as a virus from infecting a system and deleting sensitive data.

A disadvantage of a firewall is that it cannot protect systems on a network from internal attacks.

Anti-Virus

Anti-Virus is a security software that protects a system from malware, such as viruses, worms, ransomware and rootkits. When utilised alongside a Firewall provides a high degree of security against external cyber threats.

An advantage of using anti-virus software on a system is that it will improve your systems security. This is because it will prevent malware from infecting your system, some anti-virus software is also capable of scanning a system for malware and then remove or isolate the infected file.

A disadvantage of anti-virus is that it may slow a system. This is because the anti-virus will be running in the background of other tasks. Some malware can exploit vulnerabilities in the system’s OS, therefore bypassing the anti-virus software.

Overall I would advise CyberCash to utilise anti-virus software on their systems. This is because CyberCash will likely be storing and accessing sensitive data, such as user’s bank information and personal details. If a system were to be infected by an anti-virus this data may be lost or compromised. But if CyberCash utilised anti-virus software, this will protect a system form anti-virus. Yet I do understand that malware can still infiltrate a system through vulnerabilities in the OS.

User Authentication

User authentication is the method of asking for a username and password when a user attempts to login to an account. There are many methods to utilise for user authentication, such as password authentication.

An advantage of user authentication is that it ensures that the user has the authentication to access the account and view stored data, for the account. An advantage of password authentication, is that it is simple to deploy and for users to use. This is important as if the user cannot use the authentication they will not be able to access the account.

A disadvantage of password user authentication is that its security relies on the strength of the password. Therefore if the password is weak the account could be hacked using methods, such as brute force or a dictionary attack.

I advise CyberCash to use user authentication as it ensures the user has authorisation to access the data stored. I advise password authentication as it simple to deploy and use. However I do understand that the security of password authentication may be vulnerable if the user has a weak password.

Physical Security and Hardware Maintenance

Physical security includes methods such as CCTV, locks, guards and heat control

The advantages of utilising physical security measures such as locks, CCTV and heat control is that it reduces the threat of damage done maliciously and accidentally. The locks and CCTV will prevent or significantly reduce the chances of malicious damage done to vital hardware such as servers. The heat control will prevent the servers from being accidentally damaged, due to overheating.

The disadvantages of having physical security measures, such as locks, CCTV and heat control are price. This is not a problem with locks, as they can be inexpensive, some heat control and CCTV systems can be costly however.

Overall I would advise CyberCash to utilise physical security measures such as CCTV, locks and heat control systems. This is because it prevents damage to crucial hardware, which will interfere with the company’s business and trade. However I do understand that security measures, such as on-site guards and retina scanners may not be feasible for a start-up company such as CyberCash.

Cloud Storage Risks

“Cloud storage is a cloud computing model in which data is stored on remote servers accessed from the internet, or “cloud.” ” 2

As stated above, cloud storage is the storing of data on remote servers which can be accessed from the internet. Cloud storage is becoming increasingly popular with developing business as a cheap alternative to servers. However cloud storage also comes with many disadvantages, such as security. To help advise CyberCash whether or not to utilise Cloud Storage I will explain the main advantages and disadvantages of Cloud Storage.

Advantages of Cloud

Accessibility

One main advantage of Cloud storage is its accessibility compared to on-site server storage. This is because the data that is stored in cloud storage can be accessed from any device anywhere, as long as they have the required authentication to view the files and have access to the internet. This will increase the efficiency of a business as data that is crucial to potential business projects can be accessed therefore allowing work to continue off-site. It also allows a business to access crucial data if an on-site server is damaged, therefore allowing the company to continue business.

This would be good for CyberCash as will increase the efficiency of the staff, as business can be continued off-site, as they can access important data which will be required. It will also act as a back-up if utilised alongside on-site servers. This is important as if important data, such as customers banking information is lost due to hardware failure it can still accessed due to cloud storage. This will allow CyberCash to continue business.

Cost Savings

The cost savings that cloud storage offers compared to on-site servers is vast. This is due to the company not having to pay hardware maintenance costs for the server or having to pay for the addition power that will be required for the servers.

This is important for a start-up company such as CyberCash, as due to a small budget CyberCash will have to be very efficient with spending. Therefore utilising Cloud Storage would be of benefit to CyberCash.

Disadvantages of Cloud

Security

Cloud storage is much less secure than on-site servers. This is because of the lack of control a company will have over data once it is stored on a cloud, as once on the cloud the data will be managed by the storage provider. This will mean that the business’s and its customer’s data will be less secure. This disadvantage will concern CyberCash as they will be storing sensitive data, such as customer’s personal information and banking information, therefore will desire full control over this data to keep it secure.

Another security threat is if the Storage-provider if affected by hardware failures or malware infection, potentially sensitive data may be lost. This is a large disadvantage for a company like CyberCash as if the company’s business will halt if access to crucial data, such as customer’s banking information and transactions is lost.

A third security threat of Cloud storage is that servers are shared. This is a risk as potentially malicious or anomalous data could be stored on the same server where a company stores its sensitive data. This could cause this sensitive data to become corrupted or lost. This is important for CyberCash as they could potentially lose crucial data, such as bank information.

Internet Reliant

A major risk of Cloud Storage is that it requires an access to the internet. This is a huge risk to data, as if there is the system cannot access a strong or any network connection, then the stored data will be unreachable or very slow to access. This will reduce the efficiency of data transfer or prevent it entirely, which will likely cause the customer to turn to a competitor with faster and more efficient data storage methods.

Encryption

Cryptography is the technique of hiding data so that although it can be seen or read, it cannot be understood without a key. Encryption is most often used in DRM, WI-FI encryption, Password Storing, File encryption, Encrypted communications and Steganography.

However the disadvantages of encryption that CyberCash must be aware of, these are loss of encryption key. The loss of an encryption key will mean that there is no way to decrypt the encrypted data, meaning the data will be potentially lost. This is especially severe to companies that will be transferring sensitive data, such as CyberCash, who will be transferring data, such as bank information.

The topic of encryption and cryptography is very important to companies such as CyberCash. This is because sensitive data such as bank information and passwords will be sent and received from the company, which can be intercepted by hackers through methods, such as wiretapping. To keep this information secure it is necessary to encrypt the data whilst in transit. CyberCash will need to use cryptography for password storing, to keep passwords secure, secure transactions, File and folder encryption and encrypted communications.

Types of Encryption

Symmetric and Asymmetric Keys

Symmetric encryption requires one key. This key is used to encrypt the data before transit, and decrypt data after transit. Symmetric key algorithms are AES, DES and 3DES.

Asymmetric encryption requires two keys. One key is used to encrypt data, whilst another key is used to decrypt data. Asymmetric key algorithms are SSH and PGP.

CyberCash will need to use Symmetric key encryption algorithms to encrypt communications and WI-FI encryption. CyberCash will need to use Asymmetric key encryption algorithms for digital signatures.

Block and Stream Cyphers

Block Cyphers break data into a fixed number of bits and encrypt each block of data separately. Block Cyphers use Symmetric Key encryption. Are ideal if the size of data is known, for example in messages or documents.

Stream Cyphers encrypt data as a continuous stream, a byte at a time. Stream Cyphers uses Symmetric Key encryption. Stream Cyphers are used commonly to encrypt audio or video.

CyberCash will be using Block Cypher based encryption, rather than Stream Cypher. This is because CyberCash will be using data, with a known size, such as messages and documents. This data will need to be encrypted to keep sensitive data confidential. CyberCash will most likely not need to encrypt audio and video. Therefore Block Cypher will be of the most benefit to CyberCash.

Hash Functions

Hash Functions take a string of plaintext as an input and will output a fixed length hash value. Hash Functions are a one way function and are used for password verification and digital signatures. There are two main hashing techniques.

Uses of Encryption

Communication Encryption

Encrypted communications can be achieved with the technique of point to point encryption. This technique is where the plain-text entered by the sender is encrypted into cypher text during transmission and converted back to plain-text when it reaches the receiver. This method ensures that a hacker cannot intercept this data, using techniques such as wiretapping.

Password Storing

CyberCash will have to store user passwords. This can be achieved by the password entered in plain text being encrypted and sent to a server for verification. Passwords can be kept secure using a technique named Salt. This technique adds a random value to the encrypted password. This will prevent or at least slow any hacking attempt.

WI-FI

WI-FI encryption is necessary to keep the confidentiality and integrity of data transmitted wirelessly over a network. There are three main encryption methods for WI-FI, these are WEP, WPA and WPA 2.

If CyberCash intends to utilise a wireless network connection WI-FI encryption is crucial, I would advise the use of the WPA 2 encryption level. This is because it provides a high degree of encryption, which is required for a company such as CyberCash who will be transferring sensitive data, such as customer details over the network. I would not advise the use of WEP or WPA as they have a weaker level of encryption, and will leave the network vulnerable to cyber-attack.

WEP

WEP stands for Wired Equivalent Privacy. It is a symmetric stream based cypher. It uses a 40 bit key encryption, which is weaker than the encryption of both the WPA and WPA 2. Using this level of wireless encryption leaves your wireless network open to potential cyber-attacks.

WPA

WPA stands for WI-FI Protected Access. WPA is a symmetric stream based cypher which is the standard encryption of wireless networks and features improved data encryption and user authentication than WEP. It uses a 120 bit key encryption, which is more secure than the WEP encryption.

WPA 2

WPA 2 is an upgraded version of the WPA. This form of encryption is the most secure, out of the three listed and uses a 256 bit key encryption. This level of encryption is greater than both the WEP and WPA encryption.

Secure Web Communication

A secure web communication ensures that a user’s data is secure when accessing a site. This is crucial for a company such as CyberCash as sensitive data will be exchanged on their site. There are two methods for CyberCash to secure their website. These are SSL and TLS.

SSL & TLS

SSL stands for Secure Sockets Layer. This is the standard security technology for creating an encrypted link between the web server and the browser. This encrypted link maintains that all data that is passed from the browser to the web server is kept private and secure. SSL works by the web server sending the browser an SSL certificate. Once the browser has received the SSL it will verify whether or not this SSL can be trusted. If so the web browser will send back a digitally signed acknowledgement to begin the encrypted session. It was made mandatory by Google to implement SSL by 2018.

TLS is a newer version of SSL and works in a very similar way. TLS uses stronger encryption algorithms and can work on multiple ports. This is better than SSL as it provides better encryption, therefore protecting user data to a higher level.

The advantages of SSL & TLS are that it ensures that user data is protected when being transmitted from browser to web server, it ensures that the user is accessing the correct and legitimate CyberCash site and not a malicious typo-squatting site.

The disadvantages of SSL & TLS are that it can be expensive for a company to acquire a SSL or TLS certificate, which is needed to initiate a secure encrypted session.

Overall I would definitely advise CyberCash to utilise SSL & TLS encryption. This is because both SSL & TLS provide a strong encryption and ensure that potentially sensitive data, such as bank information or passwords is not exposed if the data is intercepted in transit. It also ensures that the user is accessing the real CyberCash site and not a typo-squatting site, therefore keeping your customers safe and ensuring their trust. However I do understand and acknowledge the disadvantages of SSL & TLS, such as the cost of acquiring a certificate. However, I believe that the cost is necessary as a company such as CyberCash should be committed to keeping user data safe and secure. Google also made the use of SSL mandatory by 2018, this means that if CyberCash does not utilise SSL or TLS due to the price of the certificate the site will be flagged as unsafe on the browser. This is bad as Google is a very popular browser and if the site is flagged as unsafe, users are unlikely to trust the site with sensitive data.

Legal

A company such as yourself must follow a set of legal requirements, regarding cyber use. The five main laws your company must be aware of is GDPR, Copyright Act, Computer Misuse Act, Telecommunication Regulations and the Fraud Act.

GDPR

GDPR stands for General Data Protection Regulation and was introduced in 2018. GDPR is a regulation which protects user’s personal data inside the EU. It requires companies who store user’s data, must make sure that the data does not lead back to the user. It does this by covering names, email addresses, addresses and IP addresses. It also addresses that any customer data they hold they are responsible for, so if the data is leaked, the company will be punished.

This is very important for an e-commerce company as you will be storing very sensitive user data, such as banking information. If this information is leaked your company will be responsible and punished according to GDPR.

There are six principles of GDPR of which you must be aware, these are;

Lawfulness, Fairness and Transparency

This principle requires personal data to be processed lawfully, fairly and transparently in relations of the owner of the data. This means that the data processed must meet the criteria for data processing laid out in GDPR, be used for what it has described and informing the user of the data processed. This ensures that you are lawful, fair and transparent in the processing of data.

Purpose limitations

This principle requires that personal data can only be collected specified and legitimate purpose. This data once collected can only be used for the described purposes, otherwise this will be a breach of the GDPR.

Data minimization

This principle requires that personal data is only collected if it is needed for an adequate and relevant purpose. This means that personal data cannot be collected if it will not be used in a specified and relevant purpose.

Accuracy

This principle requires that all personal data collected must be up to date and accurate. Any data which is out of date or inaccurate, must be edited and updated, when found.

Storage limitations

This principle requires that data can only be stored if it is being used for a relevant purpose. This means that once any personal data is no longer in use, it must be removed.

Integrity and confidentiality

This principle requires that the confidentiality and integrity of stored personal data, must be maintained. The data stored must be adequately protected, if this data is exposed the company holding the personal data will be held responsible.

Copyright Act

The Copyright, Designs and Patents Act was introduced in 1988. This act ensures that somebody’s intellectual property, such as book, film or photo cannot be copied and resold, without the creator’s permission. This act protects creators and makes it easier for them to sell their products. If someone copies without permission the creator can file an infringement claim and sue for the amount of money the copied made.

An e-commerce company such as CyberCash must make sure that they follow the copyright act, otherwise they will be fined. They can do this by making sure that any content they use on their site or platform is either made for them or is copyright free.

Computer Misuse Act

The Computer Misuse Act was introduced in 1990 and was created to punish users using computers for malicious uses. This act was very important as before this hacking was frowned upon, not illegal.

CyberCash should be aware of this law. This is because they must make sure that all of their employees follow this act. They can make sure of this by enforcing policies on staff that will initiate a termination of contract if the staff break this act, such as editing data they are not authorised to.

There are 3 levels to the computer misuse act.

•         Accessing data without the required authorisation, for example viewing someone else’s data.

•         Accessing data without the required authorisation, with malicious intent, for example stealing data or harvesting data.

•         Altering or deletion of data without the required authorisation, for example writing a virus to corrupt or delete someone’s data.

Telecommunications Regulations

The Telecommunications Regulation was introduced in 2000 and allows companies to view communications sent on their network as long as if doing so, may prevent criminal activity, is in the interest of UK security, verifies that the person monitored is performing tasks efficiently, allows detection of unauthorised use of the system.

CyberCash should be aware of this law, as they may have to monitor communication over their network. This is because if they are monitoring communications, without knowledge of the Telecommunications Regulations, they may breach it. This will result in a fine.

Fraud Act

The Fraud Act was introduced in 2006 and defines fraud into 3 classes; fraud by failure to disclose information, fraud by false representation and fraud by abuse of position. This act prevents companies from giving false information to customers.

Fraud by Failure to Disclose Information

This is where someone fails to inform another information, which he is legally obliged to disclose. An example of this related to CyberCash would be if someone’s data is exposed. CyberCash is legally obliged to inform the user of this otherwise this would be Fraud by failure to disclose information, it would also be in breach of GDPR.

Fraud by False Representation

This is the false representation of data someone is legally obliged to inform to another. An example of this related to CyberCash would be if they lied to their customer’s about the level of encryption that is utilised on their network.

Fraud by Abuse of position

This is where someone who is expected to safeguard someone’s finances abuses their position, this includes an omission rather than an act.

Principles of Data Security 

The three principles of Data Security are Confidentiality, Integrity and Availability. An example of these principles in use for an e-commerce company, such as CyberCash are as follows. Confidentiality is employed in a high degree through the use of passwords and two-factor authentication. This is because the data stored is very sensitive as it is banking information, therefore the company (CyberCash) must ensure that only authorised users can view this data. Availability is crucial as the users of CyberCash will expect to be able to access their money at any time. This means that the data must be stored on multiple servers. Integrity of data is necessary to ensure that the data is correct. This can be ensured by making sure the data stored is accurate and up to date. This can be done by consistent updating of data. CyberCash must make sure that the data cannot be edited before reaching the user. This can be done using file permissions and access control.

Confidentiality

Confidentiality of data means that it is only accessible to authorised individuals. Data can be made confidential by encrypting the data and only allowing access to said data after the verification of the user. A method which implements a high degree of security is two-factor authentication.

Integrity

Integrity of data means that the data is accurate and complete. The integrity of data can be ensured by storing backups of the data, these backups should ideally be backed up consistently and on multiple servers in different geographical locations. This ensures that there is always an accurate up to date copy of data. There must also be a method of ensuring that data is not altered before reaching the user. This can be achieved using methods such as file permissions and access control.

Availability

Availability of data means that the data can be accessed when needed. The availability of data can be ensured by having data stored on separate servers around the world. This ensures availability as the data can be accessed by users, even if one server holding the data is damaged.

Impact

There are five main impacts of cyber security threats which CyberCash should be aware of, Operational Impact, Financial Impact, Damage to Reputation, Legal Consequences and Ongoing Cost.

Operational Impact

Operational Impact is the loss of data or services required for a company to perform efficiently and effectively. This will result in the company’s customers being unable to access or utilise a company’s services or stored data. For CyberCash this impact would be caused by the loss of bank information. This will cause operational impact as the company’s customers will be unable to access their stored funds. This loss of the company’s services and operations, may lead to other impacts, such as a damage to reputation due to a loss of faith of customers, and financial impact due to loss of trade.

This impact is not as serious as damage to reputation or the legal impacts, as it does not have any direct negative impacts, such as fine. The impact is also resolved quickly if you have an experienced and skilled cyber security expert, allowing trade and services to continue. However is very severe to a company. This is because it will disrupt the trade and services of the company. This can lead to Financial Impact and Damage to Reputation.

Financial Impact

Financial Impact is theft of money and the disruption of a company’s trade. The type of financial impact depends heavily on the type of threat, for example ransomware will affect a company’s finances directly, demanding money in return for a company’s crucial sensitive data. However worms and viruses will affect a company’s finances indirectly, deleting or corrupting data which is crucial for a company to run, therefore disrupting trade.

 The severity of this impact on CyberCash can vary significantly, depending on the data lost or being ransomed. However I would not rate this as severe as Damage to Reputation, Legal Impacts or Operational Impact as there are no repercussions, and the money can be regained. However I do understand that if the financial loss is too great it can potentially cripple a company’s finances. But in most cases there is not a great enough level of data, lost or ransomed and the company is able to recover financially.

Damage to Reputation

A successful attack against your company can result in damage to reputation. This can lead to a loss of trade and sales which would then result in a reduction to profit. A company’s reputation is very important which makes this impact the most severe for businesses. This is because a company can easily recover from financial or operational impacts as long as their customers still have trust in them, however once a company loses its reputation it will also lose the trust and likely patronage of the customer.

This impact is not the most severe to CyberCash. This is because it does not hold the risks that legal impact does, such as fines or imprisonment. However this is very close to being the most severe. This is because, an e-commerce company, such as CyberCash must maintain a good reputation to keep customer’s trust. This is important as customer’s will be trusting CyberCash with their very sensitive data, such as banking information and personal details.

Legal Impacts

A company will also face many Legal Consequences due to a Cyber Attack. This is because the company is responsible for any staff or customer data they hold, due to GDPR. This means that if this sensitive data is compromised the company will face fines and other legal consequences. This would effect CyberCash severely, as if a cyber-attack revealed your customers data. This is because you hold your customers bank details, which is very sensitive data. CyberCash

This is the most severe impact, this is because it will lead to a various array of punishments, depending on the law which has been broke. For example a breach of GDPR can lead to a two million Euro fine, or 4% of the company’s annual income. And will then lead potentially to other Impacts, such as Damage to Reputation and Financial Damage.

Ongoing Cost / Forensic Research

After a cyber-attack the affected company will need to carry out Forensic Research. This is crucial to determine and close the breach, otherwise the business will be vulnerable to another cyber-attack. This Forensic Research can be very expensive and time consuming as the business will need to employ specialists in cyber security to analyse the attack and discover the breach.

This impact of cyber-crime is the least severe as it actually holds some benefits. This is because it will lead to breaches, which are potentially making the company vulnerable to cyber-attacks, being secured. Therefore this impact is the least severe as it will actually benefit the company’s security.

References

Quoted Information

• [n1]Unlisted. (Unlisted). What is Phishing? Available: https://www.phishing.org/what-is-phishing. Last accessed 2/10/19.
• Unlisted. (Unlisted). Cloud Storage. Available: https://www.techopedia.com/definition/26535/cloud-storage. Last accessed 20/10/19.

 

Visited Sites and Sources

• Ben Lloyd. (01 August 2014). 6 Tips for Improving BYOD Security. Available: https://www.ontrack.com/uk/blog/top-tips/6-tips-improving-byod-security/. Last accessed 1/10/2019.
• Monique Magalhaes. (23 January 2018). The 6 GPDR principles. Available: http://techgenix.com/6-gdpr-privacy-principles/. Last accessed 2/10/19.
• Unlisted. (25 May 2018). Guide to the General Data Protection Regulation. Available: https://www.gov.uk/government/publications/guide-to-the-general-data-protection-regulation. Last accessed 04/10/19.
• Unlisted. (12 October 2018). Fraud Act 2006 Summary. Available: https://www.lawteacher.net/acts/fraud-act-2006.php. Last accessed 04/10/19.
• Unlisted. (Unlisted). Computer Misuse Act 1990. Available: https://www.legislation.gov.uk/ukpga/1990/18/section/1. Last accessed 04/10/19.
• Jane McCallion. (17 September 2019). What is the Computer Misuse Act? Available: https://www.itpro.co.uk/it-legislation/28174/what-is-the-computer-misuse-act. Last accessed 04/10/2019.
• Unlisted. (Unlisted). Copyright. Available: https://en.wikipedia.org/wiki/Copyright. Last accessed 04/10/19.
• Aaron Russell. (02 October 2019). What is SSL? Available: https://www.ssl.com/faqs/faq-what-is-ssl/. Last accessed 07/10/19.
• Lea Toms. (02 February 2016). Closed for Business – the Impact of Denial of Service Attacks in the IoT. Available: https://www.globalsign.com/en/blog/denial-of-service-in-the-iot/. Last accessed 15/10/19.
• Seth Schoen & Eva Galperin. (29 August 2011). Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate Authorities. Available: https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google. Last accessed 15/10/19.
• Daniel Hein. (26 February 2019). 7 Cloud Storage Security Risks You Need to Know About. Available: https://solutionsreview.com/cloud-platforms/7-cloud-storage-security-risks-you-need-to-know-about/. Last accessed 20/10/19.
• Unlisted. (Unlisted). 6 Pros and Cons of Cloud Storage for Business. Available: https://www.comparethecloud.net/articles/6-pros-and-cons-of-cloud-storage-for-business/. Last accessed 20/10/19
• Unlisted. (20 June 2018). Financial Impacts of Cybercrime. Available: https://merchantriskcouncil.org/news-and-press/mrc-blog/2018/financial-impacts-of-cybercrime. Last accessed 20/10/19.