CS_11Security

=Security= In addition to the security measures required for running an e-commerce web site with a shopping cart, it is necessary to provide secure methods for ensuring the protection of customer data and the files that they upload for processing by // Foto Creativa //. Consideration has to be given to the installation of anti-virus and anti-spyware software, in addition to firewall and Internet security tools to protect the web site and its underlying data.

// Glossary of Terms: Firewall, Denial of Service Attack, HTTPS //

1. For the network diagram that you created earlier, amend this diagram to include the hardware you would purchase in order to improve the security of your network, website and clients data. 2. For each of the following, describe how they can help secure Foto Creativa Network and website.
 * · Firewalls **
 * Firewalls contain packet filtering and proxy servers, and also application and circuit-level gateways for applying security systems. Through an IP address, packet filtering checks what messages are able to pass in and out of a network, e.g. employees using company computers to access facebook, while proxy servers are used to stop messages entering and leaving the network, e.g. employees’ request to facebook gets denied.

· Internet security tools to protect the website ** . ** The internet provides a vast amount of security tools for users in order to protect their website from hackers/viruses/malicious software. Tools include: site guard, HTTPS, cookie guard and spam protection. Site guard is built-in software for certain internet browsers e.g Firefox that detects potentially harmful websites. These sites could be detected by previous usage from other users and gathering any reports of malicious acts. Site Guard would display a message on the screen of the blocked site detailing why it was blocked and when. This would prevent Carmen from visiting any sites which are phishing for information or downloading files containing viruses. HTTPS could be used so that customers of Foto Creativa could be assured that private information would not be stolen. Carmen would have to register for HTTPS in order to benefit from the added encryption software. The encryption software would secure any information that travels over the net by jumbling it up into a code that only the appropriate users can access. Cookie guard would be used by Foto Creativa to eliminate any tracking cookies that are potentially harmful as well as advertising cookies. Lastly, Foto Creativa might receive some spam mail from other companies or from annoying customers. This would be irritating to deal with when checking through their mail. Spam protection would delete any e-mail that does not involve key words from the site like the name of the shop or products they sell.

· Antivirus/anti spyware

3. Explain how a denial of service attack can happen and the steps that Foto Creativa can take to prevent this.
 * // In typical connections, a user would send a message requesting the server to grant them authentication to the network. The server then grants the request by sending back an approval to the users IP address. However during Denial of Service (DOS) attacks, a user will send many requests authenticating access to their network but via false IP addresses. So when the server wants to send back the approval, it can't because the IP addresses that requested access can't be found, and therefore it waits before closing the connection. This process continues each time the connection gets closed down, and this slows down the site making it difficult for other users to access it. //

4. Explain how a hacker can gain access to Foto Creativa’s database and harvest the customers data. ** . ** Malware and network sniffing are two very popular methods that could be used by hackers to gain access to Foto Creativa’s database of information. Malware involves Carmen/Foto Creativa’s staff to download a particular program/piece of software that contains a virus. When the application is opened, the virus activates allowing a third party to secretly access Foto Creativa’s computer system and steal any private information. Popular forms of Malware are Trojans, viruses, spyware and worms. Network sniffing involves a hacker stealing information that is transmitted over the internet possibly between Foto Creativa and one of their customers. For example, using certain software, a hacker may interrupt a credit card transaction thus stealing a customer’s credit card details which may result in identity theft. However, this would only be applicable if the information sent over the internet is not encrypted.

5. SSL Secure Socket Layer Encryption is used when a URL has HTTPS. Describe the measures that would need to be put in place to protect customer’s personal information and photos while they are being uploaded for processing.

The best method for securing data that travels over the internet is to encrypt the data. This involves jumbling up the data so only the intended receiver and sender can understand it. Private information like credit card details are vulnerable to intercept over the internet if they are kept not encrypted. An SSL (secure Socket Layer Encryption) involves the use of a public and private key. The public key would be used by the sender to encrypt the data i.e jumble up the letters and the private key would be used by both the sender and the receiver to decrypt the data and allows their computer to make sense of the jumbled-up words. Furthermore, Foto Creativa’s server would have to obtain an SSL certificate as authentication to identify itself to the client.

6. Research similar websites and find examples of policies that are displayed which cover privacy and the security of personal data.

__**GOOGLE**__

Privacy Policy
Last modified: October 3, 2010 ([|view archived versions]) This Privacy Policy applies to all of the [|products, services and websites] offered by Google Inc. or its subsidiaries or affiliated companies except Postini ([|Postini Privacy Policy]). Sometimes, we may post product specific privacy notices or Help Center materials to explain our products in more detail. If you have any questions about this Privacy Policy, please feel free to [|contact us] through our website or write to us at Privacy Matters c/o Google Inc. 1600 Amphitheatre Parkway Mountain View, California, 94043 USA

Information we collect and how we use it
We may collect the following types of information: In addition to the above, we may use the information we collect to: If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use. Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information outside your own country.
 * **Information you provide** – When you sign up for a [|Google Account], we ask you for [|personal information]. We may combine the information you submit under your account with information from other Google services or third parties in order to provide you with a better experience and to improve the quality of our services. For certain services, we may give you the opportunity to opt out of combining such information. You can use the Google Dashboard to learn more about the information associated with your Account. If you are using Google services in conjunction with your Google Apps Account, Google provides such services in conjunction with or on behalf of [|your domain administrator]. Your administrator will have access to your account information including your email. Consult your domain administrator’s privacy policy for more information.
 * **Cookies** – When you visit Google, we send one or more [|cookies] to your computer or other device. We use cookies to improve the quality of our service, including for storing user preferences, improving search results and ad selection, and tracking user trends, such as how people search. Google also uses cookies in its advertising services to help advertisers and publishers serve and manage ads across the web and on Google services.
 * **Log information** – When you access Google services via a browser, application or other client our servers automatically record certain information. These [|server logs] may include information such as your web request, your interaction with a service, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser or your account.
 * **User communications** – When you send email or other communications to Google, we may retain those communications in order to process your inquiries, respond to your requests and improve our services. When you send and receive SMS messages to or from one of our services that provides SMS functionality, we may collect and maintain information associated with those messages, such as the phone number, the wireless carrier associated with the phone number, the content of the message, and the date and time of the transaction. We may use your email address to communicate with you about our services.
 * **Affiliated Google Services on other sites** – We offer some of our services on or through other web sites. Personal information that you provide to those sites may be sent to Google in order to deliver the service. We process such information under this Privacy Policy.
 * **Third Party Applications** – Google may make available third party applications, such as gadgets or extensions, through its services. The information collected by Google when you enable a third party application is processed under this Privacy Policy. Information collected by the third party application provider is governed by their privacy policies.
 * **Location data** – Google offers location-enabled services, such as Google Maps and Latitude. If you use those services, Google may receive information about your actual location (such as GPS signals sent by a mobile device) or information that can be used to approximate a location (such as a cell ID).
 * **Unique application number** – Certain services, such as Google Toolbar, include a unique application number that is not associated with your account or you. This number and information about your installation (e.g., operating system type, version number) may be sent to Google when you install or uninstall that service or when that service periodically contacts our servers (for example, to request automatic updates to the software).
 * **Other sites** – This Privacy Policy applies to Google services only. We do not exercise control over the sites displayed as search results, sites that include Google applications, products or services, or links from within our various services. These other sites may place their own cookies or other files on your computer, collect data or solicit personal information from you.
 * Provide, maintain, protect, and improve our services (including advertising services) and develop new services; and
 * Protect the rights or property of Google or our users.

Information security
We take appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data. These include internal reviews of our data collection, storage and processing practices and security measures, including appropriate encryption and physical security measures to guard against unauthorized access to systems where we store personal data. We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to process it on our behalf. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.

Back