E-commerce Assignment Help
eBay Inc. is an American multinational e-commerce company that provides customer-to-customer and business-to-customer sales services through the internet. Its headquarters is in San Jose, California. Pierre Omidyar founded eBay in 1995, and the company grew successfully through the dot-com bubble. Today its operations span over thirty countries across different continents ("Hackers steal up to 145 million user records in massive eBay breach", 2014). The company runs eBay.com, an online auction and shopping website on which customers buy and suppliers sell their goods. Besides auction-style shopping, the website offers "Buy It Now" shopping through UPC, ISBN and other types of SKU, online classified advertisements, online event ticket trading and other services. Before 2015 eBay also provided customers with an online money transfer facility. Although the website is free for customers, sellers have to pay charges for the items they list on the website (Romanosky, Telang, & Acquisti, n.d.). eBay generates revenue through a complex system comprising fees for the services it offers, fees for listing product features and a final value fee on the sales proceeds of sellers. As of 2012, the nominal charges on the U.S.-based ebay.com are around $0.10 to $2, generally based on the opening or reserve price, with no adornments. In general, the final value fee is equal to 10% of the total sale amount together with the cost of shipping.
eBay's employees play a great role in its day-to-day activities. Around 16,000 employees work for the company in different countries around the world. The company takes immense pride in its employees and takes good care of them. Since employee satisfaction is important for expanding operations into different countries, proper human resource management is a major part of the company's decision making. In terms of technology, the company has added new concepts and security features to the eBay website. It has designed a next-generation software architecture that will increase productivity and trading speed and enable the company to expand its business operations by adding new businesses. This technological advancement of the website will enable the company to run services such as PayPal, Half.com, Shopping.com and Skype. eBay has further invested in increasing its storage capacity to accommodate the new service features. New software programs such as eBay's AdContext program will help the company compete with Google's AdSense program, which runs contextual online ads generally based on the keywords most searched on the net. Being a company that depends extensively on internet technology and software applications, eBay faces many cyber security threats, against which it has to remain constantly vigilant and update its cyber security apparatus on a regular basis. Especially after the data security breach that was unearthed in 2014, it has become important to carry out a risk assessment of the company's cyber security.
In this research study the researcher will conduct a risk assessment of the company's cyber security. In order to make an assessment and provide recommendations to the company, the researcher will first conduct a risk analysis and security survey, which will give a clear understanding of the company's data security and cyber security apparatus.
Data Breach:
The eBay security breach was reported by the company in 2014. On May 21, 2014 the company informed the media that the consumer databases holding usernames, passwords, phone numbers and corresponding addresses had been breached. According to the company, the data was breached between February and early March. The company advised all its users to change their passwords immediately. To fast-track this process, the company added a password-change feature to the profiles of users who had not yet changed their password. The Syrian Electronic Army (SEA) claimed responsibility for the cyber attack; according to the SEA, although they had successfully breached the consumers' details, they would not misuse those details. The SEA was able to put its logo on the front page of the company's website. As a result of this security breach the company's share price plunged.
Cyber security experts have criticized the company for not taking adequate and urgent steps even after learning that its security had been breached. eBay was attacked through a cross-site scripting attack, which caused users of the company's website to be directed to a spoof site designed to steal credentials (Mathieson, 2007). The spoof site was designed to resemble the company's home page, which made users believe they were browsing the original website; visitors were then redirected through subsequent sites before arriving at a site that asked for their login ID and password. According to cyber security experts the company did not take the matter seriously and thus took a long time to detect the intrusion, almost two to three even by the company's own account. The attackers were able to infiltrate the data and credentials of the company's employees, and went on to exfiltrate the company's data without any detection. The company has been criticized because its cyber security apparatus was not adequate to tackle such attacks, whereas the threats arising from cross-site scripting have been known for many years, as have the precautions that should be taken, especially by firms like eBay that hold huge amounts of customer data and business information.
Perform a risk assessment and threat identification
The main purpose of this risk assessment survey is to identify the threats and vulnerabilities related to eBay's online portal. The results of this risk assessment will be used to prepare the risk mitigation plans.
i) Scope of the risk assessment:
eBay's online system comprises various components, including the interface for external customers which allows users to enter their information. The online application on the company's website is based on applications generally developed and maintained by eBay. The application is built on Microsoft Internet Information Server and uses Active Server Pages. There is an interface to the user registration database and to PayPal, an e-commerce payment platform provided by a third party. The company's application is hosted by eBay's IT department. The physical components are housed in the company's headquarters (Holden, 2009). The scope of the assessment comprises all the components discussed above, except PayPal itself. The PayPal interface, which is managed by the company's IT department, is within the scope of this assessment. The scope also comprises all supporting systems such as the eBay network segment and the eBay firewall. The web application, the eBay database and the operating systems supporting these components are all in scope.
Participants:
| Role | Participant |
| --- | --- |
| System Owner | Pierre Omidyar |
| System Custodian | Thomas J. Tierney |
| Security Administrator | Devin Wenig |
| Database administrator | John Smith |
| Network Manager | Mary Blue |
| Risk assessment team | Elaine Ronnie, David Slim and Tom Sample |
Techniques Used:
| Technique | Description |
| --- | --- |
| Risk Assessment Questionnaire | The assessment team used a customized version of the self-assessment questionnaire in NIST SP 800-26, "Security Self-Assessment Guide for Information Technology Systems". This questionnaire helped the team identify the risks. |
| Assessment Tools | Different security testing tools were used to review the system configuration and identify vulnerabilities in the application. The tools used were Nmap, Nessus and AppScan ("Data breach activity is getting worse", 2007). |
| Vulnerability Sources | Several vulnerability sources were consulted so that potential vulnerabilities could be identified: SANS Top 20 (www.sans.org/top20/); OWASP Top 10 (www.owasp.org/documentation/topten.html); NIST I-CAT vulnerability database (icat.nist.gov); Microsoft Security Advisories (www.microsoft.com/security); CA Alert service (www3.ca.com/securityadvisor). |
| Transaction walkthrough | At least one transaction of each type was selected and walked through the application to gain a better insight into the flow of data and the control points. |
| Review of the Documentation | Various documents were reviewed, such as eBay's security policies, system documents, network diagrams and the operational manuals related to eBay (Cheney, n.d.). |
| Interviews | Various interviews were conducted to validate the information. |
| Site Visits | A site visit was conducted to assess physical access and environmental controls. |
Risk Model:
For the identification of risks related to eBay, the model given below was used to classify the risk:
Risk = Threat likelihood × Magnitude of impact
| Likelihood (Weight Factor) | Definition |
| --- | --- |
| High (1.0) | The threat source is highly motivated and sufficiently capable, and the controls meant to prevent the vulnerability from being exercised are ineffective. |
| Medium (0.5) | The threat source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability. |
| Low (0.1) | The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised (Black, 2007). |
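As an added worked example that is not part of the original assessment, the Python below applies the Risk = Threat likelihood × Magnitude of impact model to the vulnerabilities this assessment lists. The page gives only the likelihood weights; the impact scale (High = 100, Medium = 50, Low = 10), the High/Medium/Low banding of the product and the per-vulnerability ratings are all assumptions.

```python
# Likelihood weights exactly as given in the assessment's risk model.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
# Assumed magnitude-of-impact scale (the page gives none; NIST SP 800-30 uses 100/50/10).
IMPACT = {"high": 100, "medium": 50, "low": 10}


def risk_score(likelihood, impact):
    """Risk = Threat likelihood x Magnitude of impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score):
    """Assumed banding of the product: above 50 High, above 10 Medium, otherwise Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


# Constructed ratings for the vulnerabilities the assessment lists; the page does not
# rate them, so these are illustrative inputs rather than findings.
FINDINGS = [
    ("Cross-site scripting", "high", "high"),
    ("SQL injection", "medium", "high"),
    ("Password strength", "high", "medium"),
    ("Unnecessary services", "medium", "medium"),
    ("Disaster recovery", "low", "high"),
    ("Lack of documentation", "medium", "low"),
    ("Integrity checks", "low", "medium"),
]


def rank_findings(findings):
    """Score each (name, likelihood, impact) triple; highest risk first, ties keep input order."""
    scored = [(name, risk_score(lik, imp), risk_level(risk_score(lik, imp)))
              for name, lik, imp in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, score, level in rank_findings(FINDINGS):
        print(f"{name:<22} {score:>6.1f}  {level}")
```

The ranked list is what a mitigation plan would be ordered by; changing a rating in FINDINGS re-ranks the table without touching the model.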
System Characterization - Technology Components
| Component | Description |
| --- | --- |
| Applications | The application is developed using Microsoft Active Server Pages running under Microsoft Internet Information Server 4.0 |
| Databases | Microsoft SQL Server 2000 |
| Operating System | Microsoft Windows NT 4.0 SP 2 |
| Networks | Check Point firewall; Cisco routers |
| Interconnections | Interface to PayPal |
| Protocols | SSL is used for transmission between the client's web browser and the web server. |
System Characterization - Physical Location
| Location | Description |
| --- | --- |
| Data center | 775, Sample Street, New York |
| Help desk | 8820, Any road, New York |
| NOC | 100, MDH avenue, New York |
Data Used by the System:
| Data | Description |
| --- | --- |
| Personally Identifiable Information | Comprises: name; address (current and previous); phone number; SSN #; DOB |
| Product Information | Comprises: product description; product code; price of the product |
| Financial Information | Comprises: credit card #; verification code; expiry date; card type; authorization reference; transaction reference |
| Tax | Service tax |
Users:
| User | Description |
| --- | --- |
| Customers | They access the system through a web browser. They can purchase products by entering credit card details, and can enter or change their personal details. |
| eBay IT Personnel | Responsible for managing the system along with the firewalls and networks. They also maintain the security configuration of the system. |
| eBay Operations | They use the information contained in the eBay database to take management decisions (Bisogni, n.d.). |
| eBay Offices | The eBay application is used for in-person renewals |
Vulnerability Statement - The following potential vulnerabilities were identified:
| Vulnerability | Description |
| --- | --- |
| Cross-site scripting | The web application can be used as a tool to attack end users |
| SQL injection | Input to the web application is not validated |
| Password strength | Passwords used in the web application are not properly formed |
| Unnecessary services | There are unnecessary applications running on the web server |
| Disaster recovery | There are no procedures to safeguard the system from any type of disaster |
| Lack of documentation | There is no proper documentation of the system specifications, design and operating processes |
| Integrity checks | There is no way to check the integrity of data input into the system |
Threat Statement - The following threat sources applicable to eBay were identified:
| Threat Source | Actions taken by threat |
| --- | --- |
| Hacker | Web defacement; social engineering; system intrusion, break-ins; unauthorized system access |
| Computer criminal | Identity theft; spoofing; system intrusion |
| Insiders | Browsing of personally identifiable information; malicious code (e.g., virus); system bugs; unauthorized system access |
| Environment | Natural disaster |
Response Plan:
| Observations | Recommended controls |
| --- | --- |
| User passwords can be guessed or cracked | Require special characters in passwords |
| Possibility of cross-site scripting | All headers, cookies, query strings, form fields and hidden fields should be validated |
| Inappropriate extraction of data | Ensure that all parameters are validated before they are used; all parameters should be checked against a strict format |
| Unnecessary services running on the web server and the application server | Reconfigure the system to remove the unnecessary services |
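As an added example that is not part of the original assessment, the Python below turns the first three recommended controls into code: a strict-format allow-list for request parameters, a parameterized database query so that a validated value is bound as data rather than spliced into SQL text, output escaping against cross-site scripting, and a special-character password check. Python stands in for the Active Server Pages the system actually runs on, and the parameter names, formats, password rule and in-memory SQLite table are constructed assumptions, not eBay's rules or schema.

```python
import html
import re
import sqlite3

# Assumed strict-format allow-list for request parameters (constructed, not eBay's rules).
PARAM_FORMATS = {
    "item_id": re.compile(r"[0-9]{1,12}"),
    "username": re.compile(r"[A-Za-z0-9_.-]{3,32}"),
}


def validate_param(name, value):
    """Check a parameter against its strict format; unknown names or mismatches are rejected."""
    pattern = PARAM_FORMATS.get(name)
    if pattern is None or not isinstance(value, str) or pattern.fullmatch(value) is None:
        raise ValueError(f"parameter {name!r} failed strict-format validation")
    return value


def param_is_valid(name, value):
    """Boolean view of validate_param for callers that want to branch rather than raise."""
    try:
        validate_param(name, value)
        return True
    except ValueError:
        return False


def password_is_strong(password):
    """Assumed policy behind the 'special characters' control: 12+ chars, one non-alphanumeric."""
    return len(password) >= 12 and re.search(r"[^A-Za-z0-9]", password) is not None


def render_listing_title(title):
    """Escape listing text for HTML output so stored markup is displayed, not executed."""
    return html.escape(title, quote=True)


def lookup_item(conn, item_id):
    """Parameterized query: the validated value is bound with '?', never concatenated into SQL."""
    cur = conn.execute("SELECT title, price FROM items WHERE id = ?",
                       (int(validate_param("item_id", item_id)),))
    return cur.fetchone()


def demo_db():
    """Constructed in-memory table standing in for the SQL Server 2000 database in scope."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, price REAL)")
    conn.execute("INSERT INTO items VALUES (1, 'Vintage camera <b>mint</b>', 49.99)")
    return conn
```

Validation happens before the database is touched, so a value that is not a plain item number never reaches the query at all, and the stored title is escaped only at render time, leaving the database contents intact.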