S 5.95 Secure e-commerce using Internet PCs
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Today the Internet is used not only for finding information and for communication, but also extensively as a platform for business and administrative processes such as online ordering, banking and securities transactions, and e-government applications.
The security requirements for e-commerce and e-government applications are usually more stringent than those for retrieving information from the World Wide Web. In particular, steps must be taken to prevent manipulation of online transactions and of orders that are prepared on the Internet PC and sent through the Internet. If an Internet PC is also used for e-commerce or e-government applications, the recommendations below should therefore be followed.
Before entering into business relations with providers through the Internet, it is advisable to check whether their data protection and data security standards are consistent with the organisation's requirements. Providers should publish the required information on their web servers.
A virus protection program with a regularly updated virus database needs to be installed in order to protect Internet PCs from computer viruses, Trojan horses and other malware. Further recommendations on this matter can be found in module S 1.6 Protection against malware and safeguard S 4.3 Use of virus protection programs.
Backups of the databases and configuration settings needed for e-commerce and e-government applications have to be made regularly (see also S 6.79 Protection of Data on Internet PCs). Otherwise, there is a risk of being unable to restore the application promptly or of being unable to retrace actions or transactions if the Internet PC fails or if data are inadvertently deleted.
If an application requires special software components, e.g. online banking programs, these should be obtained from trusted sources only, preferably directly from the manufacturer or provider, and their integrity should be confirmed before installation (for example against a checksum or signature published by the manufacturer). Regular checks should be made as to whether security-related patches or updates are available for these software components; if so, they should be installed promptly. Software and updates should be checked for malware before installation.
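One concrete way to confirm that a downloaded installer or update is the file the manufacturer actually published is to compare it against a checksum list published alongside it. The following Python example is added here to illustrate that check; it is not part of the original safeguard. The file names, file contents and the checksum list are constructed for illustration and do not belong to any real vendor; the function names are likewise assumptions.

```python
"""Verify downloaded software components against a published SHA-256
checksum list before installation (added example, not from the safeguard).
"""
import hashlib
import hmac

# Constructed sample: a checksum list in the format written by `sha256sum`
# ("<hex digest>  <file name>" per line). The two digests below are the
# well-known SHA-256 values of the byte strings b"abc" and b"" respectively.
SAMPLE_SUMS = """\
# SHA256SUMS (constructed example, not a real vendor file)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  banking-client-setup.exe
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  README.txt
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  plugin.dll
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  manual.pdf
"""

# Constructed downloads: the installer is genuine, README.txt is the empty
# file, plugin.dll was altered by one byte in transit, manual.pdf is absent.
SAMPLE_FILES = {
    "banking-client-setup.exe": b"abc",
    "README.txt": b"",
    "plugin.dll": b"abd",
}

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_sums(text: str) -> dict[str, str]:
    """Parse a sha256sum-style list into {file name: lowercase hex digest}.
    Blank lines and comments are skipped; a malformed line raises, so a
    corrupted or truncated list is never silently accepted."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= HEX_DIGITS:
            raise ValueError(f"malformed checksum line {lineno}: {raw!r}")
        digest, name = parts
        # sha256sum prefixes the name with '*' when the file was read in binary mode
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_downloads(sums_text: str, files: dict[str, bytes]) -> dict[str, str]:
    """Compare every listed file against its published digest.
    Returns {file name: 'OK' | 'MISMATCH' | 'MISSING'}."""
    results = {}
    for name, want in parse_sums(sums_text).items():
        data = files.get(name)
        if data is None:
            results[name] = "MISSING"
            continue
        got = hashlib.sha256(data).hexdigest()
        # compare_digest is a constant-time comparison; the digest is not
        # secret here, but using it is a good habit for any verifier.
        results[name] = "OK" if hmac.compare_digest(got, want) else "MISMATCH"
    return results


def safe_to_install(sums_text: str, files: dict[str, bytes]) -> bool:
    """Install only when every listed file is present and matches."""
    return all(status == "OK" for status in verify_downloads(sums_text, files).values())
```

The check is only as trustworthy as the checksum list itself: it must be obtained from the manufacturer over an authenticated channel (e.g. the manufacturer's own TLS-protected site) or be signed, otherwise an attacker who can replace the download can replace the list as well. A checksum also proves integrity, not absence of malware, so the malware scan mentioned above is still required.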
If an Internet PC is used regularly for e-commerce or e-government applications, it should be assigned permanently to one user and used exclusively for these applications. Otherwise, there is a risk of subsequently not being able to determine which user has performed a particular action.
Web browsers are used as client programs with many e-commerce and e-government applications.
The mechanism generally used to protect data transfer is the TLS protocol (formerly SSL). It uses cryptographic procedures to protect the confidentiality and integrity of the data in transit and to authenticate the server. TLS/SSL connections can be recognised in browsers by the fact that the web address (URL) begins with https: instead of http:, and in commonly used browsers by a special symbol as well, e.g. a closed padlock. Note that the padlock only indicates an encrypted connection to the server named in the certificate; it says nothing about whether that provider is trustworthy.
Web-based e-commerce and e-government applications should be used exclusively through TLS/SSL. The provider should supply the entire web application through TLS/SSL, including login forms and all embedded resources, since content fetched over plain http: on an otherwise protected page undermines the protection. Steps should be taken to ensure that a browser is used which supports strong cryptographic procedures, i.e. current TLS versions with symmetric keys of at least 128 bits. Due to former export restrictions, some older browsers support only weakened "export" cipher suites and should not be used for such applications.
The TLS/SSL protocol uses certificates to authenticate web servers. The browser checks automatically whether the server certificate was issued by a trusted certification authority, is within its validity period and matches the host name in the URL; certificate warnings must therefore never simply be clicked away. In addition, before entering sensitive data users should check that the certificate actually belongs to the provider requested (organisation or domain name shown in the certificate) and that they have not been directed to a look-alike address. Users therefore need to be trained in using the web browser and briefed on how to check the browser installation and configuration.
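The checks described above (strong protocol versions, a trusted issuer, validity period, and a certificate that names the server actually requested) can be made explicit in code. The following Python example is added here and is not part of the original safeguard: it builds a hardened TLS client context with the standard library and verifies a server certificate in the dictionary form that ssl.SSLSocket.getpeercert() returns. The host names, the sample certificate and all function names are constructed assumptions; only describe_connection() needs network access.

```python
"""Client-side TLS checks for an e-commerce connection (added example,
not from the safeguard). Shows in code what "check that the certificate
is valid and that you are connected to the server requested" means.
"""
import socket
import ssl
import time
from typing import Optional


def hardened_client_context() -> ssl.SSLContext:
    """Programmatic equivalent of insisting on a browser with strong
    cryptography: chain verification against the system trust store,
    host name checking, and TLS 1.2 or newer (no SSL 2/3, TLS 1.0/1.1)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match a certificate DNS name against the requested host in the
    RFC 6125 style: case-insensitive, and a wildcard may replace only the
    single left-most label, so '*.example.com' covers 'shop.example.com'
    but neither 'example.com' nor 'a.b.example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) == len(h_labels) and len(h_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def check_peer_cert(cert: dict, hostname: str, now: Optional[float] = None) -> list:
    """Return the problems found with a certificate given in getpeercert()
    form; an empty list means acceptable. `now` is seconds since the epoch
    and defaults to the current time. Chain trust is left to the TLS
    library; this covers what a user is asked to look at."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append(f"certificate not valid before {cert['notBefore']}")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append(f"certificate expired on {cert['notAfter']}")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # modern browsers no longer fall back to the commonName
        problems.append("certificate has no DNS subjectAltName entries")
    elif not any(dns_name_matches(n, hostname) for n in names):
        problems.append(f"certificate is issued for {names}, not for {hostname}")
    return problems


# Constructed sample in getpeercert() shape; this is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "notBefore": "Feb 10 00:00:00 2025 GMT",
    "notAfter": "Feb 10 23:59:59 2026 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.pay.example.com")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")    # inside validity
SAMPLE_LATER = ssl.cert_time_to_seconds("Mar 01 00:00:00 2026 GMT")  # after expiry


def describe_connection(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to a live server (network required) with the hardened context
    and report what a careful user would look for: protocol version, cipher
    suite, issuer and any certificate problems. An untrusted chain or a host
    name mismatch raises ssl.SSLCertVerificationError during the handshake,
    i.e. the connection fails closed."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "problems": check_peer_cert(cert, host),
            }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "shop.example.com"  # assumed host
    print(describe_connection(target))
```

The same list of problems that check_peer_cert() returns is what a user should be trained to recognise in the browser's certificate dialog: an expired certificate, or one issued for a different domain than the one in the address bar, means the transaction must not proceed even if a padlock is displayed.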
Review questions:
- Have steps been taken to prevent manipulation of online transactions and of orders processed on the Internet PC and sent through the Internet?
- Are the general terms and conditions of the e-commerce provider consistent with the organisation's requirements, especially with regard to data protection and data security?
- Are regular backups of the databases and configuration settings of the e-commerce applications made?
- Have steps been taken to ensure that e-commerce and e-government applications are used exclusively through TLS/SSL?
- Is the validity of the server certificates used by e-commerce providers checked?