Intellectual property and security challenges for management of eBusiness
MGMT 230, Week 12
In today’s class we will cover...
• Additional intellectual property (IP) challenges related to online business
• Security issues for eBusiness
Laws that apply to traditional commerce apply equally to the online world
• Examples include:
  – business incorporation and name registration
  – taxation
  – consumer protection and deceptive advertising
  – importing/exporting
  – product safety and product standards
  – criminal code
  – trade treaties and trade embargos
  – intellectual property and liability
• Companies must comply with the law of any jurisdiction where they are considered to be “carrying on business.” (Source: Canada Revenue Agency)
• However, as we discussed with respect to SPAM, prosecution is sometimes difficult
Examples of legal issues of particular interest to online businesses
• Copyright law (discussed last week)
• Trademarks and domain names
• The downside of the user-generated web: defamation / libel / incorrect information or damaging gossip
Enforcing trademarks and “cybersquatting”
• Should a brand or trademark owner have automatic rights to a related domain name?
• First come, first served?
• Intention of registration (bad faith; what is the domain being used for?). Bruce Springsteen took this case to WIPO arbitration in 2001 (and lost)
  – BruceSpringsteen.com (fan site, now taken down)
  – BruceSpringsteen.net (the official site)
  – BruceSpringstein.com (mis-spelling opportunity)
• Most countries have arbitration procedures to resolve domain name disputes
  – Cheaper and faster than going to court
  – Apple gains control over porn-related domains
• Marketers must be proactive and purchase domain name variants, e.g. www.googel.com
Defamation and the control of information
• How do you balance free speech rights with the right of an organization to protect its reputation from defamation?
• In a universe of “customer conversations”, how do marketers control potentially damaging messages?
  – WalmartSucks.org
  – Electronic Arts’ use of DRM in Spore resulted in an Amazon review bomb
  – JP Morgan’s Twitter disaster
  – Bad Yelp reviews (and reprisals)
Thoughts?
• What is the best reaction for an organization to take in response to possibly defamatory content on the web?
  – In comments on the company blog or company social network pages?
  – On third party websites or social networking sites?
SECURITY IN EBUSINESS
Why is security an important management issue?
• Information is a key business asset
  – It needs to be accessible to all who need it
  – It needs to be protected
• Managers need to develop and implement an overall strategy for security
• Managers need to understand the threats
• Managers need to understand specific techniques for protecting systems
• Particularly important as organizations move into eBusiness and open up
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
Why is this such a high profile issue?
• eBusiness – inevitable exposure to additional vulnerabilities in using networks
• High profile websites and businesses under attack
  – Sony PlayStation hack (April 2011)
  – Adobe in October 2013
  – Target 2013 – 40 million stolen credit card numbers
  – Ashley Madison 2015
• Consumer impacts (credit cards exposed, viruses, malware, spyware etc.) – loss of reputation, brand equity, and loss of customers
Management problem?
• “Airtight security is not possible because companies have to allow on-line commerce. They have to make trade-offs between absolute information security and efficient flow of information.” (McNurlin & Sprague)
• The management challenge is that of finding the balance
• “...the key components for managing a security program are the likelihood and the likely impact of an attack.”
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
What are companies worried about? Canadian Cyber Crime research (2013) from the International Cyber Security Protection Alliance
https://www.icspa.org/fileadmin/user_upload/Downloads/ICSPA_Canada_Cyber_Crime_Study_May_2013.pdf
Types of direct threats and attacks: Risks to physical infrastructure
– Distributed Denial of Service attacks (DDoS)
  • Wikileaks (2010)
  • Anonymous attacks on anti-piracy websites (2011) – “Operation Payback”
– Hacking – web site defacement
  • MIT website in 2013
Threats to corporate (and personal) infrastructure
• Malicious code
  – Viruses – a piece of code attached to an executable file that must be opened for the code to run. Viruses spread by human action (usually via attachments)
  – Worms – similar to viruses, but worms replicate themselves
  – Trojan Horses – a piece of downloaded software that initially looks innocuous and relies on people believing that it comes from a legitimate source – e.g. CryptoLocker ransomware
Types of threats and attacks: Attacks on data
– Intercepted transmissions (eavesdropping / sniffing)
– Attacks related to insecure passwords – are “strong” passwords and frequent changes the answer?
– Social engineering (and how to protect against it)
– Phishing
– Security holes related to BYOD
McNurlin & Sprague. Information Systems Management in Practice. 7th Ed. Pearson Prentice Hall
THE “4 PILLARS” SECURITY FRAMEWORK FOR ONLINE BUSINESS
Managing key security issues – the 4 pillars of security
• eCommerce sites must guard their own data and their customers’ data, and create a secure and predictable environment for commercial exchange – they must create TRUST
• 4 pillars of basic security for eBusiness: ‘PAIN’
  – Privacy (and confidentiality)
  – Authentication and Authorization
  – Integrity
  – Non-repudiation
PAIN: Privacy and Confidentiality
• Protecting data
• Customer data – firms need to ensure that information that is private or sensitive is kept secure and not used for any purpose other than that agreed to
  – credit card numbers
  – health records etc.
• Company data
  – trade secrets / proprietary information
  – business plans
• Data must be protected from intrusions and theft while it is stored
• Confidentiality during transactions is usually ensured by encryption
PAIN: Authentication
• When someone submits something to your website, how can you be sure that they are who they claim to be? e.g.
  – using credit cards
  – making a contract or application
  – registering for an email newsletter
• Authentication is the process by which one entity verifies that another entity is who they claim to be
• Authentication requires evidence in the form of credentials:
  – “something you have” plus “something you know” plus “something you are” (biometrics), e.g.
    • username and password
    • Two-factor authentication (Video – Gmail example)
    • credit card – match exact billing name and address
    • digital signatures, and digital certificates to authenticate web servers
• SSL Certificates: What are they? (video)
PAIN: Authorization
• Once a person has been authenticated, we need to be satisfied that she is authorized to access or do certain things on our site
• Does the person (or program) have the right to access particular data, programs, or system resources (particularly important when protecting a server from hackers)
• Authorization is usually determined by comparing information about the person or program with access control information associated with the resource being accessed (permissions)
PAIN: Integrity
• Integrity is the ability to prevent data from being altered or destroyed in an unauthorized or accidental manner. This could include:
  – hacking to deface a website
  – altering data held on your website or database
  – intercepting data
• The parties to a transaction must be assured that all data and documents connected with it cannot be altered without detection
PAIN: Non-repudiation
• The ability to ensure that neither side in a transaction can later claim that they, for instance,
  – didn’t order something using a credit card
  – or didn’t accept an order or offer for something
• Non-repudiation ensures that neither side can back out of a transaction by claiming it never took place
  – Particular problem with credit cards
  – Verified by Visa
• Non-repudiation is usually achieved by using digital signatures that make it difficult to claim that you weren’t involved in an exchange
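As an added illustration of the Integrity and Non-repudiation pillars above (not part of the original slides), the Go program below signs a constructed order with a customer’s Ed25519 key and shows that verification fails once the amount is altered, and contrasts this with an HMAC, which also detects alteration but, because both parties share the key, cannot prove which side produced it. The Order type, the sample order and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Order is a constructed sample of the transaction data both sides must agree on.
type Order struct {
	OrderID string
	Amount  int // in cents
}
// bytes gives the canonical byte form that is tagged or signed.
func (o Order) bytes() []byte { return []byte(fmt.Sprintf("%s|%d", o.OrderID, o.Amount)) }

// hmacTag gives integrity only: merchant and customer share the key, so either side
// could have produced the tag and the customer can still repudiate the order.
func hmacTag(key []byte, o Order) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(o.bytes())
	return m.Sum(nil)
}
func hmacValid(key []byte, o Order, tag []byte) bool { return hmac.Equal(hmacTag(key, o), tag) }

// newCustomerKeys: only the customer holds priv; the merchant keeps pub on file.
func newCustomerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// signOrder is what the customer does when placing the order.
func signOrder(priv ed25519.PrivateKey, o Order) []byte { return ed25519.Sign(priv, o.bytes()) }

// verifyOrder fails if the order was altered (integrity) or if the signature was not
// made with the customer's private key, which only the customer holds (non-repudiation).
func verifyOrder(pub ed25519.PublicKey, o Order, sig []byte) bool {
	return ed25519.Verify(pub, o.bytes(), sig)
}

func main() {
	pub, priv := newCustomerKeys()
	order := Order{OrderID: "A-1001", Amount: 4999}
	sig := signOrder(priv, order)
	tampered := order
	tampered.Amount = 499 // amount altered after signing
	fmt.Println(verifyOrder(pub, order, sig), verifyOrder(pub, tampered, sig)) // true false
}
```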