Les Labuschagne
Rand Afrikaans University
Publication
Featured researches published by Les Labuschagne.
Information Management & Computer Security | 2000
Les Labuschagne; Jan H. P. Eloff
The major reason why most people are still sceptical about electronic commerce is the perceived security risks associated with electronic transactions over the Internet. The Internet, however, holds many opportunities that could mean survival or competitive advantage for many organisations. To exploit these opportunities, it is important to first analyse the risks they hold. Electronic commerce is based on business as well as technological risks, making it a very difficult environment to secure. Apart from these two types of risk categories there are several other issues and problems that need to be addressed.
Computers & Security | 1998
Les Labuschagne; Jan H. P. Eloff
As the advantages of being connected to the Internet multiply, so do the risks. Various techniques have, for example, been devised to infiltrate networks connected to the Internet. New vulnerabilities are created and exploited daily. By analysing a communication session in real time, it is possible to detect attacks as they are being launched. This is achieved by analysing the characteristics of the protocol being used. By determining the risk values for the various components, it is possible to consolidate them into a single risk value. The latter risk value can then be applied to determine which countermeasures need to be activated to reduce the risk level of the communication session to an acceptable level.
Computers & Security | 1997
Les Labuschagne; Jan H. P. Eloff
Although there are many different aspects to consider when looking at IT security, one of the most tried and trusted methods of ensuring the safety of systems and data is to control people's access to them. In this article the various complementary system-access control mechanisms will be discussed. In addition, this article is aimed at demonstrating that in order to tighten up control and security, it is important to think in terms of combining mechanisms by using various complementary technologies. This article, therefore, does not necessarily make a new contribution to the domain of system-access control, but attempts rather to integrate and consolidate current approaches to improve it. Emphasis is, therefore, placed on the inherent nature of the mechanisms rather than on specific technologies such as biometrics.
Archive | 2001
Jan H. P. Eloff; Les Labuschagne; Rossouw von Solms; Gurpreet Dhillon
This book presents a state-of-the-art review of current perspectives in information security, focusing on technical as well as functional issues. Topics in this volume include the latest developments in: Information security management issues; Network security and protocols; Information security aspects of E-commerce; Distributed computing and access control; Security in mobile environments; Advances in intrusion detection; Information Security Risk management. This volume contains the selected proceedings of the Eighth Annual Working Conference on Information Security Management & Small Systems Security, which was sponsored by the International Federation for Information Processing (IFIP) and held in Las Vegas, USA in September 2001. Advances in Information Security Management & Small Systems Security will be essential reading for researchers in information systems, computer science, information technology, and business informatics, as well as to information security consultants, system analysts and engineers, and IT managers.
information security | 2000
Les Labuschagne
This paper suggests a framework that can be used to identify the security requirements for a specific electronic commerce environment. The first step is to list all the security requirements for an electronic commerce environment in general. Next, all participants need to be identified. This is followed by the breaking down of the transactions into different autonomous actions. These actions are then mapped onto the participants involved, which serve as a model for the electronic commerce environment. This information is then used to identify the security requirements for a secure electronic commerce environment. The security requirements, in turn, are then used to develop the security architecture, consisting of appropriate security procedures and mechanisms and policy.
Information Systems Security | 1996
Les Labuschagne; Jan H. P. Eloff
Conventional risk analysis methodologies are aimed at the identification of suitable countermeasures for specific risks. In the past, many risk analysis methodologies failed to come up to expectations. The analysis of some commercial methodologies identified key problem areas. This paper proposes a categorization method which was used to investigate the recommended countermeasures from various methodologies. The method is based on three categories, namely:
* Proactive countermeasures — countermeasures that are implemented and activated before an incident occurs and which are constantly active;
* Dynamic countermeasures — countermeasures that are triggered by an incident;
* Reactive countermeasures — countermeasures that are activated after an incident has occurred.
This paper emphasizes the use of dynamic countermeasures to improve consistency and effectiveness and to reduce cost. The Petri Net modelling method is used to illustrate the difference between the three categories by simulating an actual process. The underlying principle of this article is the importance of having dynamic countermeasures implemented that can either be activated or deactivated, as the case may be. Not only will these countermeasures help to make security measures foolproof, but they will also help reduce the overheads associated with security directly or indirectly.
Archive | 1999
Hein S. Venter; Les Labuschagne; Jan H. P. Eloff
In current times, sending confidential data over the Internet is becoming more commonplace every day. The process of sending confidential data over the Internet is, however, concomitant with great effort: encryption algorithms have to be incorporated and encryption key management and distribution have to take place. Wouldn’t it be easier, more secure and faster if only technology could be introduced to do risk analysis in real time? The objective of doing risk analysis in real time is to find a method through which dynamically to determine the vulnerability of, for example, a TCP/IP packet in terms of generic threat categories such as interception and fabrication. Once the vulnerability of the packet has been determined, the appropriate countermeasures can be activated to secure the packet before it is sent off to its original destination. The countermeasures are activated according to certain data that is found in and extracted from the TCP/IP packets. In order to be able to obtain this data, each TCP/IP packet flowing through a certain point in a network is intercepted and analysed.
Information Management & Computer Security | 1998
Les Labuschagne; Jan H. P. Eloff
Using new concepts, such as those on which Java is based, it is now possible to define a new framework within which risk analyses can be performed on electronic communications. In order truly to be effective, risk analyses must be done in real time, owing to the dynamic nature of open, distributed public networks. The strength of these public networks lies in the many routes available for a message to travel from point A to point B, thus ensuring that the message will be delivered. These many routes, however, also constitute the biggest security weakness in public networks, as it is impossible proactively to determine the route a message will follow. In a bid to compensate for the said weakness, this article will be devoted to a discussion on a framework in terms of which Real‐time Risk Analysis (RtRA) can, henceforth, be performed to determine a risk value for a communications session, rather than for the network components used on routes that need to be fixed and known in advance, as for conventional risk analysis. A communication session is defined as the transfer of data between two hosts; for example, exchanging e‐mail messages over open, distributed public networks. RtRA produces a risk value that can be used to determine the appropriate countermeasures with which to minimise the risk associated with a communication session.
Archive | 2017
Jan H. P. Eloff; Les Labuschagne; Rossouw von Solms; Jan Verschuren
Erratum to: J.H.P. Eloff et al. (Eds.) Information Security Management & Small Systems Security DOI: 10.1007/978-0-387-35575-7
Archive | 2017
Jan H. P. Eloff; Les Labuschagne; Rossouw von Solms; Gurpreet Dhillon
Erratum to: J.H.P. Eloff et al. (Eds.) Advances in Information Security Management & Small Systems Security DOI: 10.1007/978-0-306-47007-3