TIPS FOR PROTECTION FROM E-COMMERCE HACKERS
Source: American Institute of Certified Public Accountants
Posted on February 17, 2000
The American Institute of Certified Public Accountants (AICPA) is offering several tips to e-commerce sites to help protect them and their customers against disruptive actions.
"With the advent of e-commerce comes the vulnerability of Web sites to attacks from hackers, among other cyber-crimes," says Anthony Pugliese, Director of Assurance Services of the AICPA. "Many online businesses are searching for tools with which they can protect their sites and provide assurance to their customers that their information is kept private and their transactions are protected."
The AICPA offers these tips to e-commerce businesses:
- Conduct a risk assessment of your Internet business: A risk assessment should be carried out prior to implementing specific technical controls, allowing you to identify possible security vulnerabilities and decide what enhancements are necessary. The greatest threat will come from the weakest links in your defenses, so the risks you face will change as you develop your security solutions.
- Develop security standards: Criminal hackers exist inside and outside an organization, and experts recommend that online businesses protect against both threats. A security policy based on technical standards and procedures must underpin any technical solutions. The company security policy must be clearly communicated to employees so that they are aware of their responsibilities, the penalties for misuse and what to do in the event of a suspected security breach.
- Test your defenses: Check your physical security systems to prevent an attack by an outsider who may have very little knowledge about your company but is capable of using either information or a physical product that can be used to hack into your system. Test remote access to systems using specialist tools to attempt access to resources through e-mail, the Internet and telephone systems. Also test for unauthorized attacks by employees. Conduct an entire system audit, testing the security -- especially firewalls -- to identify loopholes.
- Develop procedures for prevention and use independent third parties to test them: Prevention of fraud depends on having robust procedures, strict controls and strong audit capabilities. Work with independent third parties, such as CAs or CPAs, to test and verify the security and safety of your site. A licensed CA who offers WebTrust will examine the site's firewalls, security systems, and risk analysis tools to provide recommendations for improved protection. Stronger prevention and thorough examination will help e-commerce sites lower the risk of security breaches.
- Limit the number of individuals who may access controls to your e-commerce business: Access to controls should be implemented according to the basic rule that access is only provided to the minimum number of people for the minimum possible number of systems and for the minimum amount of time required to do the job. Use authentication methods such as passwords, smart cards, PIN numbers or fingerprint scans to access your systems. Utilize digital certificates to verify electronic identities. Use encryption to render data unintelligible to unauthorized users who do not have access to the decryption key. Utilize anti-virus software and keep it up-to-date. Software should be installed on individual client machines, servers or firewalls.
- Utilize firewalls: Firewalls intelligently isolate one network from another by passing messages through a control point at which the system can check whether their transmission conforms to the site's security policy. Firewalls can be implemented in various ways, the most typical involving a combination of devices, including routers and servers running appropriate software.
- Utilize surveillance tools: Surveillance tools allow you to monitor employees to quickly identify if they are abusing legitimate access to the system. Products in this category normally act by "sniffing" the network cable and logging actions, raising alerts if certain criteria are matched. The detailed logs produced by such tools can be used as documentary evidence in legal proceedings.
- Security tools: Security management tools can help administrators to enforce security policies consistently across the various technical environments within a site and simplify or even automate the process of managing user privileges.
- E-mail security tools: E-mail security tools allow e-mail to be intercepted and scanned automatically to determine if it presents a security risk. This type of tool can review content, access authorizations and sensitivity of information.
- Monitor your networks for unusual activity: If you discover unusual activity, monitor important systems using intrusion detection software or services. This can help mitigate the attack by discovering actions that can be taken (e.g. installing security patches, expanding RAM to maintain performance during Denial-Of-Service attacks). It can also help detect signs that the attack is more than a nuisance, e.g. it can determine that a Denial-Of-Service attack is being waged as a diversion intended to distract your attention from an actual takeover of your systems. If other organizations are under particular attack, check your systems for similar signs of attack as well.
- Contact your Internet Service Provider: Contact your ISP (if your site uses one) to determine the level of protection it already has in place. In addition, it is possible that the ISP can take action to block the attacks before they reach your computer systems.
- Report computer violations to the proper law enforcement authorities: Contact law enforcement authorities to inform them of the incident. You may not be the only organization under attack, and the authorities may be able to provide technical assistance or contacts to help your response efforts. You can help the law enforcement efforts by collecting system log information from target systems. These logs may be important evidence that law enforcement needs to take action. It is critical that this information be collected and protected before it is accidentally or deliberately erased.
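The last tip stresses that logs must be collected and protected before they can be erased. The following Python script is an added example (not part of the AICPA release) of one way to do that: copy the logs into a read-only evidence directory and record a SHA-256 manifest with collector and timestamp, so that later alteration of any copy is detectable. File names, log lines and the collector name are constructed.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(log_paths, evidence_dir, collector):
    """Copy logs into evidence_dir read-only; write manifest.json with collector, time, hashes."""
    os.makedirs(evidence_dir, exist_ok=True)
    files = []
    for src in log_paths:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)   # copy2 keeps the original modification time
        os.chmod(dst, 0o440)     # read-only copy guards against accidental edits
        files.append({"original_path": src, "stored_as": os.path.basename(dst), "sha256": sha256_file(dst)})
    manifest = {"collected_by": collector,
                "collected_at": datetime.now(timezone.utc).isoformat(),
                "files": files}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_evidence(evidence_dir):
    """Return names of stored copies whose hash no longer matches the manifest."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["stored_as"] for e in manifest["files"]
            if sha256_file(os.path.join(evidence_dir, e["stored_as"])) != e["sha256"]]

def demo():
    work = tempfile.mkdtemp()
    logs = {"web_access.log": '10.0.0.5 - - [17/Feb/2000:10:01:00] "GET /checkout" 200\n',  # constructed
            "firewall.log": "Feb 17 10:01:02 fw DENY tcp 10.0.0.9 -> 10.0.0.2:23\n"}        # constructed
    paths = []
    for name, text in logs.items():
        paths.append(os.path.join(work, name))
        with open(paths[-1], "w") as f:
            f.write(text)
    evidence = os.path.join(work, "evidence")
    preserve_logs(paths, evidence, collector="on-call analyst")
    before = verify_evidence(evidence)       # [] while every copy is intact
    altered = os.path.join(evidence, "firewall.log")
    os.chmod(altered, 0o640)                 # lift the protection to simulate tampering
    with open(altered, "a") as f:
        f.write("line appended after collection\n")
    return before, verify_evidence(evidence) # ([], ["firewall.log"])
```

Storing the evidence directory on separate media and recording the manifest hashes in a ticket or other independent record keeps the integrity check meaningful even if the collection host itself is later compromised.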
In cooperation with the Canadian Institute of Chartered Accountants, the AICPA has developed WebTrust, a service by which CAs, CPAs and their international counterparts examine online businesses to determine if they are legitimate, their transactions are secure, the information they collect from customers is kept private, their business practices are fully disclosed to customers, and they have a mechanism to resolve customer complaints.
WebTrust is now being offered in the United States, Canada, Puerto Rico, England, France, Ireland, Scotland, Wales, Australia and New Zealand. Negotiations with other European and Asian countries are currently underway.
- For more information about WebTrust, please visit WebTrust.net
- Need more info about web site security? Click to PrivaGate.com
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca
In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.