E-COMMERCE SECURITY

Ömür Uğur
12 min read · Mar 14, 2020


ÖMÜR UĞUR

Penetration Tester / Cyber Security Specialist

January, 2018 (Y.T.U. Graduation Project) (CyberMag April Issue Article)

Technological developments are more present in our lives day by day. Electronic commerce has many areas of use, and it is the most easily accessible digital marketing medium.

This study compiles, from earlier publications, the scope of electronic commerce applications in our country and in the world, the tools used, the security deficiencies and weaknesses that have been found, how these weaknesses are overcome, and which tests should be performed.

1. INTRODUCTION
1.1 What is E-Commerce?
Trade, meaning the buying or selling of a service or a product, is called “electronic commerce”, or “e-commerce”, when it is done over the internet. Electronic commerce is the realization of the distribution network for a service or product, covering production, sales, advertising and payment, via the internet. It also includes placing text, video or sound recordings about the product or service online. Educational, institutional, advertising or public activities that have commercial qualities or oversee commercial activities are also called electronic commerce. The WTO (World Trade Organization) describes e-commerce as the production, sale, promotion and distribution of products and services over telecommunication networks.

1.5. Models of Electronic Commerce
The most convenient way to classify e-commerce is by the parties to the trade. The parties in question are firms, consumers and the state.

Business-to-business e-commerce means that processes such as purchasing from the manufacturer, invoicing and payment between companies take place over the internet.

Business-to-consumer e-commerce covers the virtual stores through which companies offer marketing and sales services to consumers over the internet; the best-known example is amazon.com.

Consumer-to-consumer e-commerce covers shopping between consumers who register as members of a website. The best-known example worldwide is ebay.com, and one of the best examples in our country is gittigidiyor.com.

Consumer-to-government e-commerce is a fairly new type among the e-commerce models. In this system, referred to as e-government, transactions such as driver’s licence, passport, bank and identity applications are handled (Deniz, 2001: 16).

2. Electronic Commerce Security
Since there is no face-to-face contact between the enterprise (seller) and the consumer (buyer) in e-commerce, trust must be established in the electronic environment. The most important measure taken for this is that buyers and sellers can identify each other. Digital signature and digital certificate systems exist to meet this need.

2.1. Security Protocol of Electronic Commerce
Security is a very important issue for every business. Given that shopping and payment transactions are carried out in a virtual environment today, it is clear that data and information are very difficult to protect. Protecting the payments, information, software and hardware components of the businesses and consumers that use electronic commerce against third parties is one of the security policies of e-commerce (Özmen, 2013: 485).

..

..

The security unit is the most attacked unit in an enterprise. Great care must therefore be taken and new technologies must be used. E-commerce companies should set up their security units in line with their needs, so that flexible and precautionary measures can be taken. The important points here are the security of the software used by the consumer, the security of the storage of information, and the security of the enterprise itself (Karabacak, 2008: 68).

..

..

The security protocol is determined specifically for each company. However, the rules to be followed in general terms are privacy, integrity, availability, security, and administrative and commercial security (Exam, 2014).

2.2. Security Vulnerabilities and Attack Types in Businesses
The intensive use of systems such as the Internet and extranets by businesses has exposed the enterprise and its employees to electronic attacks. There are many attack methods and models against e-commerce systems. Attackers carry them out to make money. The measures taken against attackers increase costs and slow down transactions (Özmen, 2013: 489–490).

..

..

Today, production units have become the most important target of attacks. The reason is the growing number of contractors and subcontractors in the production sector. For attacks against the contractor and subcontractor companies in this chain, the most important element is the main enterprise, which is the largest link in the chain (Symantec, 2015).

These attacks against businesses or institutions, called cyber attacks, can be listed as unauthorized access to the system, corruption or blocking of a unit, and modification, destruction or unauthorized use of data (Atalay, 2014). Some types of cyber attack are as follows:

Harmful content in advertisements placed on sites: the attacker buys the advertising space reserved on a site and places attack code in it.

..

..

DDoS (Distributed Denial of Service): this type of attack, also called distributed service blocking, is carried out by sending large numbers of requests to the person or systems under attack. The requests occupy the target’s bandwidth and take its users offline, and the attack is complete when the service is unavailable. Today we are exposed to this type of attack very frequently (Lin and Tseng, 2004).

Heartbleed: this vulnerability exists in the OpenSSL libraries that servers such as Apache and Nginx frequently use for encrypted communication. This opening in the system enabled the capture of the personal information and passwords of users on 500,000 web addresses worldwide (Durumeric et al. 2014).

Data theft: it was talked about a great deal, especially in 2014. Through data theft, information belonging to world giants such as Apple, Turkcell and eBay has been stolen (Altundal, 2014).

APT (Advanced Persistent Threat): a type of attack on high-level targets such as important state institutions, banks, financial units and the military. Examples of this attack type are Stuxnet, Duqu and Flame. The Stuxnet attack, which targeted the nuclear programme systems in Iran, switched the high-speed operation of the nuclear machines on and off (Gücüyener, 2015: 19).

2.4. Purposes of Security Tests
The importance of corporate data security and security tests increases day by day. Performing security tests ensures that the state of corporate data is determined before security attacks occur and that security measures are taken. One of the aims of these tests is to block attackers who try to access data without authorization and to eliminate weaknesses (Abrams, 2003). Institutions carry out these tests for use in various fields; some of these are given below:

Identification of new weaknesses

Finding design weaknesses

Protection of the institution’s image

Evaluation of information security systems

Work towards compliance with information security certifications

Making security effective and raising awareness

Ensuring that investments made in security pay off for the institution

Evaluation of the responsibilities of the institution’s staff

The aim is to keep security at a high level against malicious attacks on corporate information systems (Dahl, 2005).

2.5. Standards and Guidelines
Important standards from the open source projects developed for penetration testing, which are becoming widespread worldwide, are briefly explained in the subsections below.

2.5.1. OSSTMM
OSSTMM, created to make measurements in security tests, is maintained by ISECOM, a non-profit institute. The project creates a model that serves as a preliminary framework for penetration tests and ensures that the appropriate tests are approved.

Penetration tests in this model cover data security, time security, security of technologies provided by the internet, communication security, server and network security, and physical security. Each area has its own tests to be performed (Herzog, 2006).

2.5.2. OWASP
OWASP is an open source effort that contributes to the development of software tools, and the creation of guides for this purpose, in order to ensure the security of all kinds of web applications. It also carries out work on security tests performed by users, with the participation of a wide audience. The aim of this increased security for web applications is to prevent attackers from gaining unauthorized access to them.

..

2.7. Security Test (Penetration Test)

Penetration tests are scanning and reporting processes for predicting and detecting attacks on systems. They are a preliminary measure against the harmful consequences of internet attack tools such as system takeover, abuse of personal and corporate confidential data, viruses, spam, spyware and worms (E. Şahinaslan, A. Kantürk, Ö. Şahinaslan, E. Borandağ; Information Security Awareness in Companies, Its Importance and Creation Methods, Academic Informatics 2009, Şanlıurfa, p. 1).

Where a network security test is performed but precautions are not taken, unauthorized access and the degradation of network and other services may occur, which may lead to legal sanctions because of reduced service quality, non-compliance with international security standards and lack of checks.

Systems that hold critical information (Turkish ID number, credit card information, etc.) are required to comply with international standards such as PCI and ISO 27001. Security risks are inevitable in such large and complex infrastructures, and the necessary standards must be met.

2.8. SECURITY TOOLS USED IN INFORMATION SYSTEMS

A great deal of work is done to ensure the security of computer systems. These efforts generally involve solutions applied to the system, such as installing firewalls, installing intrusion detection systems, providing secure communication protocols, and using software against malicious code.

However, even if all controls are in place, there may be vulnerabilities on the system that malicious individuals can exploit. These gaps can be detected with tools written by well-intentioned software developers for security testing, and the necessary measures can be taken.

The main purpose of security tools is to attack servers, computers and websites.

The reason is to detect the vulnerabilities in systems before the attackers do, correct the necessary deficits and ensure the security of the system (Gündüz M. Z., “IP Based Evidence Detection for IT Crimes”, Master Thesis, Fırat University, Institute of Science and Technology, 2013).

Many tools have been developed by well-intentioned software developers to provide security. With these tools we can identify the vulnerabilities on a system, obtain explanations of how to fix them, and fix them.

2.8.1. NMAP

Nmap (Network Mapper) is an open source program used for network scanning. It works efficiently for scanning large networks. By sending IP packets it shows the active and passive devices (servers, computers, etc.) on the network. In addition, it can provide information about the open and closed ports of these computers and servers, which applications are running on the ports it has detected, and the purpose of those applications (Gündüz M. Z., “IP Based Evidence Detection for Information Crimes”, Master Thesis, Fırat University, Institute of Science, 2013).

2.8.2. NESSUS

Nessus is a powerful and up-to-date remote scanning tool. It can run on many UNIX-based systems as well as on operating systems such as Windows. With its compatible plugins and interfaces it is a very comprehensive and useful security tool. It can find over 200 security vulnerabilities and generate very comprehensive reports on them (HTML, LaTeX, ASCII, etc.).

2.8.3. WIRESHARK

..

..

2.8.4. TCPDUMP

Tcpdump is a network traffic monitoring tool that allows network traffic to be observed and listened to. Nmap uses the libpcap packet capture library, which also forms the infrastructure of tcpdump. Today the Wireshark tool is often used for these operations (SANS DEVELOPER / SECURITY 542 Web App Penetration Testing and Ethical Hacking).

2.8.5. DSNIFF
..

..

2.8.7. ETTERCAP

Ettercap is an interception tool used on Ethernet local networks. It monitors and intercepts many protocols, active or passive, encrypted or unencrypted. It can intervene in and inject into the connection between two or more hosts, and it helps to understand the network structure and map the network (SANS DEVELOPER / SECURITY 542 Web App Penetration Testing and Ethical Hacking).

2.8.8. JOHN THE RIPPER

John the Ripper is a tool used to crack passwords very easily. It makes large numbers of attempts and in this way detects and cracks passwords. Although it is UNIX-based, it runs on many operating systems (SANS DEVELOPER / SECURITY 542 Web App Penetration Testing and Ethical Hacking).

2.8.11. CAIN & ABEL

Cain & Abel is one of the best-known tools for ARP poisoning attacks. By performing packet analysis, including on secure protocols, it can read encrypted data and carry out ARP poisoning.

..

..

2.8.12. Metasploit

Metasploit is a framework that produces various scenarios for carrying out security tests, including exploits, payloads and encoders. It is open source software. There are also commercial versions of the tool, which first appeared for free but was bought by the company Rapid7 after a while (SANS DEVELOPER / SECURITY 542 Web App Penetration Testing and Ethical Hacking).

2.8.13. NIKTO

Nikto is an open source web scanning tool that checks for more than 6700 harmful files, version-specific deficiencies and outdated versions (SANS DEVELOPER / SECURITY 542 Web App Penetration Testing and Ethical Hacking).

2.8.15. SQLMAP

Sqlmap, an open source penetration testing tool for the Linux operating system, is used to uncover SQL injection vulnerabilities. By automating SQL statements, it manipulates requests to the website and captures and processes data from the underlying database (Network Security Tools, http://sectools.org/).

2.9. APPLICATION SECURITY RISKS IN OWASP TOP 5 STANDARDS

2.9.1 Injection
Injection flaws such as SQL, OS, XXE and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
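The SQL injection case from this paragraph, as an added example that is not part of the original article: a product search on a constructed in-memory catalogue, once with string concatenation and once with a bound parameter. The table, rows and search strings are all constructed here.

```python
import sqlite3

# Constructed sample catalogue (not from the article): id, name, price, published.
# The unpublished product must never be visible to a shop visitor.
PRODUCTS = [
    (1, "keyboard", 45.0, 1),
    (2, "mouse", 19.9, 1),
    (3, "unreleased-console", 499.0, 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, price REAL, published INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    # Untrusted input is concatenated straight into the statement. The
    # interpreter cannot tell data from SQL, which is exactly the flaw
    # described above: the search term can change the query's structure.
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    # Parameterised query: the term is sent as a bound value, so whatever it
    # contains it stays a LIKE pattern and can never alter the statement.
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed hostile input: the quote closes the pattern, OR 1=1 makes
    # the WHERE clause always true, and "--" comments out the trailing "%'".
    hostile = "' OR 1=1 --"
    print(search_vulnerable(conn, "mouse"))   # ['mouse']
    print(search_vulnerable(conn, hostile))   # all three rows, unpublished one included
    print(search_safe(conn, hostile))         # []  (treated as a literal search string)
```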

2.9.2. Authentication and Session Management
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords or keys, or to exploit other implementation flaws, in order to assume other users’ identities (temporarily or permanently).

2.9.3 Cross-Site Scripting (XSS)
XSS flaws are cross-site scripting vulnerabilities, often encountered in dynamically generated sites. The vulnerability allows client-side code blocks to be executed by placing them between the HTML of the page.

2.9.4. Breaking access control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, changing other users’ data and changing access rights.
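The “accessing other users’ accounts” and “changing other users’ data” cases from this paragraph, as an added example that is not part of the original article: an order lookup that only checks login beside one that also checks ownership. The order store, the customer names and the `denied` helper are constructed for this illustration.

```python
# Constructed order store (not from the article): order id -> owner and data.
# In a real shop this would be a database table.
ORDERS = {
    1001: {"owner": "alice", "address": "Street 1", "total": 45.0},
    1002: {"owner": "bob", "address": "Street 2", "total": 19.9},
}


class AccessDenied(Exception):
    """Raised when a request fails the authentication or authorization check."""


def get_order_vulnerable(session_user, order_id):
    # Checks only that the caller is logged in. Any authenticated customer who
    # changes the order id in the request can read another customer's order.
    if session_user is None:
        raise AccessDenied("login required")
    return ORDERS[order_id]


def get_order_safe(session_user, order_id):
    # Authentication plus an ownership check on the object itself.
    if session_user is None:
        raise AccessDenied("login required")
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        # Same error for "not yours" and "does not exist", so the response
        # does not reveal which order ids are valid.
        raise AccessDenied("order not found")
    return order


def update_address_safe(session_user, order_id, new_address):
    # Writes go through the same ownership check as reads.
    order = get_order_safe(session_user, order_id)
    order["address"] = new_address
    return order


def denied(fn, *args):
    # Helper for the demonstration: True if the call is rejected.
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    print(get_order_vulnerable("bob", 1001))          # bob reads alice's order
    print(denied(get_order_safe, "bob", 1001))        # True
    print(denied(update_address_safe, "bob", 1001, "Street 9"))  # True
    print(update_address_safe("alice", 1001, "Street 9")["address"])  # Street 9
```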

2.9.5. Incorrect Security Configuration
Applications, application servers, web servers, database servers, platforms and similar components should be kept secure. The necessary checks should be made and the software kept up to date (https://www.owasp.org/index.php/Top_10_2017-Top_10).

RESULT

In my study, the factors important for ensuring corporate information security on e-commerce (electronic commerce) sites, which play an important role among digital marketing channels, were researched. The arrival of electronic commerce in our lives, its progress and its current position were discussed. Today almost all of the functions in our lives have moved towards the virtual (internet) medium and have become an important part of our lives. For this reason, a number of security problems have emerged.

To ensure corporate information security, it is important to know and apply internationally accepted information security standards as well as to follow current threats. In order to detect and eliminate these threats, it is important that existing platforms and applications (websites, mobile applications, servers, etc.) are subjected to penetration tests at regular intervals in accordance with the standards, that the vulnerabilities and deficiencies found during or after the tests are eliminated, and that these deficits are routinely followed up.

The study summarizes the importance of penetration tests for ensuring information security: testing the factors that affect corporate information security as a whole from the attacker’s perspective, and identifying and eliminating weaknesses. Because we approach the system or application through the eye of the attacker, cyber attacks are prevented, since the deficiencies in the system are detected and closed before the attacker finds them.

Security testing is an important early warning system that reveals system vulnerabilities and allows countermeasures to be taken before an adverse event affects working computer systems. For security tests to be successful, different institution-specific scenarios must be developed, taking into account the weights of the factors that affect the security of each institution.

In our country, most e-commerce sites consider themselves sufficient in the field of information security without taking the necessary precautions, because they believe their policies will not harm their systems even without complying with security standards. To compensate for this deficiency, they should meet the PCI DSS standards, the worldwide accepted standard for credit card transaction security, and document their compliance. It is important to implement the policies established within the framework of information security management without compromise, and to ensure a high level of corporate information security by obliging suppliers and partner companies to comply with these policies.

As a result, in addition to the findings, a wide literature review was conducted within the scope of this study on the methods of performing security tests, and based on it a method was presented for how to perform security tests. According to this method, security tests are carried out in five stages: planning, information gathering, finding weaknesses, exploiting weaknesses and reporting. It is considered that performing security tests with this method will make an important contribution to a high level of corporate information security.

You can find the full article in the April 2018 issue of Cybermag.



Written by Ömür Uğur

Pentest Manager at Turk Telekom | Sr.Penetration Tester | Bug Bounty Hunter | OSCP | OSWP |AWS |CRTO | eMAPT | eWPTX | CEH | CISM | ISO 27001 LA | ICS | @Synack
