Security Fundamentals for e‐Commerce

info

ISSN: 1463-6697

Article publication date: 1 April 2002

Citation

Hassler, V. (2002), "Security Fundamentals for e‐Commerce", info, Vol. 4 No. 2, pp. 49-50. https://doi.org/10.1108/info.2002.4.2.49.1

Publisher: Emerald Group Publishing Limited

Copyright © 2002, MCB UP Limited

Dr Hassler is on the faculty of the Technical University of Vienna and has written this book to support her lectures on network and e‐commerce security. Based on eight years of teaching in this area, the book’s audiences are her graduate students and “all IT professionals” and others with some technical background who are interested in e‐commerce security. This reviewer falls within the latter category, but has approached the book from a perspective of whether it could be adapted for a class in telecommunication policy. Hassler is to be commended for this ambitious undertaking, given the complexity and the rapidity with which the telecommunications and IT technologies and applications are changing. She was in the difficult position of having to seek to anticipate developments between the time when writing the text began (circa “early 2000”, p. 302), when the text was completed (October 2000, p. xxii), and when the text was published (2001).

The reader who does not take time to read the preface places not only herself or himself at a disadvantage, but the author as well. Hassler enters the disclaimers that while she has provided URLs to provide the reader with additional sources and more detailed information, she cannot guarantee that “they will still be valid at the time of reading” or that referenced draft documents representing “work in progress” in standardization bodies will not have expired or will still be available (p. xxi). Her preface contains two other important elements. First, it provides a roadmap on how to read the book; i.e. the reader is advised that each of the five parts of the book builds upon the other (pp. xxi‐xxii). Second, and more importantly, the reader is provided with the basic assumption upon which the book is based: “I do not consider IT (Information Technology) security to be the main obstacle to widespread use of e‐commerce” (p. xx). “E‐commerce” is defined “as any transaction involving some exchange of value over a communications network” (p. 67).

Part 1 focuses upon information security. Common security threats are presented, followed by a discussion of various security mechanisms, namely cryptographic systems. Part 2 looks at electronic payment security and examines the components of electronic payment; i.e. payment systems, payment instruments, and payment security. The reader must wait until Part 3 – communications security – and Part 4 – Web security – for discussion of the broader operational environments that are affecting information security. This is not a criticism, but it suggests this reviewer’s preference of transitioning from a broad discussion of issues to a narrower discussion rather than vice versa.

Putting this structural issue aside, Hassler’s comparative discussion in Part 3 of the OSI model and the Internet model is very useful from a policy perspective, given the convergence between the public network and Internet. A list of common security threats and/or vulnerabilities is provided; e.g. denial of service, eavesdropping on a payload, tampering with a payload, and masquerading (p.150). The reader is then methodically led through the corresponding layers of each model and respective security concepts intended to address the threats and/or vulnerabilities. The discussion of Web security in Part 4 is similarly instructive, including consideration of “privacy violations”; e.g. cookies, the Referer header, and log files (p. 287). Another useful approach employed by the author is the care that has been taken to define specialized terms, such as those cited above, in words that are understandable to a student or layperson, and to define and use the terms in context.

It is with respect to the book’s basic assumption (that IT security is not considered to be the main obstacle to widespread use of e‐commerce) that differences in perspectives emerge. It is worth noting that export controls on cryptography, the need for trusted third party certification of IT products with security functionalities, and the easier‐said‐than‐done need for constant supervision and upgrading in overall security are offered as other obstacles.

Technically, the generally accepted notion is put forth that all systems – Internet and otherwise – are vulnerable: “Since there is no perfectly secure computer (operating or communication) system and there are many clever attackers in the Internet looking for new security holes or new ways of exploiting old ones, every system that is accessible from the Internet should actively watch for intrusion attempts ...” (pp. 210‐11).

Many of the “security holes” are identified and basic security technologies, which are “for the most part, sufficiently mature” (p. xx), are discussed. One non‐technical remedy that is called for in both the preface (p. xx) and afterword (p. 385) is international legislation to support these security technologies. This remedy has since been partially addressed by the Council of Europe’s Convention on Cybercrime that was signed last November by 30 nations, including the United States.

Politically, Hassler makes no effort to concede the vulnerable nature of the Internet: “Unfortunately, it is ... a public and very insecure infrastructure, so data in commerce must be protected by some form of information security” (p. 1; emphasis added), and vulnerabilities in one place in the network can create risks for all (p. xx).

While technically correct and known to industry, the Internet community, and government for a long time, these vulnerabilities and privacy violations, more recently, have become cause for increasing concern by the public. Two reasons for these concerns are the highly publicized nationwide impacts of “Code Red” and “Nimda” last year, and growing consumer unease over the collection of personal data, creation of databases, and exploitation of these databases.

Moving from the public’s increasing interest to that of the government, the Clinton Administration‐appointed Commission on Critical Infrastructure Protection in 1997 concluded that: “The rapid proliferation and integration of telecommunications and computer systems have connected infrastructures to one another, in a complex network of interdependence. This interlinkage has created a new dimension of vulnerability ...”[1]. The Commission’s findings and recommendations led to Presidential Directive 63 on Critical Infrastructure Protection. They also provided a baseline for the Bush Administration’s National Security Presidential Directive #1 on Organization of the National Security Council System in February 2001 that subsequently led to the establishment of the Office of Homeland Security and the Homeland Security Council, and the Office of Cyberspace Security.

From a technical standpoint, IT security may not be considered to be “the” main obstacle to the development of e‐commerce, but events such as “Code Red” and “Nimda”, increased awareness of privacy violations, and Government’s cyberspace security initiatives suggest a contrary view from a public policy perspective. Overall, Hassler has written an apolitical, yet provocative, technical text regarding e‐commerce security fundamentals from a European perspective. While it would not make a “required reading” list in a policy‐oriented class, it could be “suggested” reading.

Dr Jack Oslund

Graduate Telecommunication Program, George Washington University, Washington, DC. E‐mail: joslund@gwu.edu

Note

1. The Report of the President’s Commission on Critical Infrastructure Protection – Critical Foundations: Protecting America’s Infrastructures, October 1997, p. ix.