<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krio Media &#187; White Papers</title>
	<atom:link href="http://www.krio.me/category/development-info/white-papers/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.krio.me</link>
	<description></description>
	<lastBuildDate>Mon, 05 Jul 2010 06:27:31 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>What is a website developer?</title>
		<link>http://www.krio.me/what-is-a-website-developer/</link>
		<comments>http://www.krio.me/what-is-a-website-developer/#comments</comments>
		<pubDate>Wed, 17 Feb 2010 20:08:39 +0000</pubDate>
		<dc:creator>Kevin Rio</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.krio.me/?p=792</guid>
		<description><![CDATA[I wrote this article to clear up some misconceptions about what a website developer is, and how to find one suitable for your project. What is a website developer? A website developer is someone who provides web services for anything on the internet. The term is very broad because there is so much that [...]]]></description>
			<content:encoded><![CDATA[<p>I wrote this article to clear up some misconceptions about what a website developer is, and how to find one suitable for your project.<span id="more-792"></span></p>
<h2>What is a website developer?</h2>
<p>A website developer is someone who provides web services for anything on the internet. The term is very broad because there is so much that a web developer can do, depending on their specialization. Recently, the term website developer has come to be characterized as someone who provides services related to the popular fields of E-Commerce, business development, content management development, scripting and website server configuration.</p>
<h3>How is web development different from website design?</h3>
<p>Many non-web professionals do not understand the difference between a web designer and a web developer. Web development is usually characterized by non-design aspects of creating websites, such as writing code that allows individuals to add an item to a shopping cart, or implementing a payment gateway so that users can provide credit-card information to be processed by a company&#8217;s bank.</p>
<h3>How do I choose a website developer?</h3>
<p>No matter where you live, be it Miami, Boca Raton, Ft. Lauder, or beyond, finding a website developer willing to take on your project won&#8217;t be hard. What is hard is making sure this individual has both the technical skills and business sense to make the project successful. First off, you should view some of the individual&#8217;s past work. Their portfolio will give you an idea of their experience and understanding of web development. Make sure to request an updated list of their portfolio, because many individuals are not able to post their work directly on their personal sites due to copyright considerations. Next, ask for a professional reference. The web developer should have no problem providing a reference or two if their work was satisfactory on the project.</p>
<h3>How much do I need to spend?</h3>
<p>No one can answer this question without specifics based on your project. Be very cautious when you see advertisements for $400 websites or $1000 for a content management system. Each project is different and requires careful examination of the project guidelines and requirements. Without a specifications sheet, or even a description of the project, it is impossible for someone to estimate their time.</p>
<p>You do not want to be shoved into a cookie-cutter web solution, even if it seems very appealing. Depending on your project, you can expect to spend anywhere between $20 and $50 an hour for website development services. Any less and you will not be receiving quality services, any more and you probably don&#8217;t need to be reading this article because your project is so advanced that you most likely have an advanced knowledge of website project management.</p>
<p>Are you looking for a website developer in Miami or South Florida? I have over 4 years developing complex websites and web solutions for the internet. Please <a title="Contact Kevin Rio" href="http://www.krio.me/contact/">contact me</a> and I&#8217;ll give you an honest opinion related to your project.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krio.me/what-is-a-website-developer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Being A Good Design Client</title>
		<link>http://www.krio.me/being-a-good-design-client/</link>
		<comments>http://www.krio.me/being-a-good-design-client/#comments</comments>
		<pubDate>Thu, 04 Feb 2010 04:38:08 +0000</pubDate>
		<dc:creator>Kevin Rio</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.krio.me/?p=422</guid>
		<description><![CDATA[It&#8217;s much easier to get the results you want when both the designer/programmer and you are on the same page. Here I present some of the ways that clients can streamline the development process. I offer an array of web design services that each help to improve your business [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s much easier to get the results you want when both the designer/programmer and you are on the same page. Here I present some of the ways that clients can streamline the development process.<span id="more-422"></span></p>
<p>I offer an array of web design services that each help to improve your business image.</p>
<p>The best way for me to understand what type of design and requirements you would like to see on your site is to provide me some designs that convey the type of design that you are looking for. The website might not even be from a company that is in the same industry as you, and that does not matter. I&#8217;m just looking to get an idea of your personal tastes and interests. This will help me to design the type of site you are looking for more quickly.</p>
<p>Gathering as much information related to the type of site you need is essential to us completing the project in a timely manner. The majority of delays in the development process are usually due to designers waiting for content from the client.</p>
<p>Make sure to take detailed notes and provide specific opinions. Also, it is important to remember to look at a site as if you were the consumer of your product. Who is your target audience? What is the target age group? Viewing your new website through the eyes of a consumer instead of yourself will help us to develop a site that will give you the best results.</p>
<p>Think about your site in &#8216;scale&#8217;. Web developers use the term scalability all the time to signify that it will not be difficult to add new features later on in the development cycle. Think about this when you give requirements for the project. Are you thinking about adding a shopping cart later on? Maybe adding some automated videos for users? Let me know, and I will ensure that it is never difficult to implement these services at a later time.</p>
<p>Finally, make sure to look around and get a feel to ensure that the person you choose meshes well with your personality. Not all people are meant to work together, and other people should never work apart. When choosing a web designer, make sure to look into response times to queries. If a response is not given to an inquiry within 4-6 hours during a weekday, you might want to rethink using that designer. Also, make sure to check out their portfolios to get an idea of their talents and styles. Do they mesh well with yours?</p>
<p>I hope this article gave you some insight on how to ensure that your project goes off without a hitch. If you want to learn more about me, please read more about my <a title="Miami Web Design" href="http://www.krio.me/services/web-design/">web design services</a>, or <a title="Contact Kevin Rio" href="http://www.krio.me/contact/">contact Kevin</a> for a quote.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krio.me/being-a-good-design-client/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security in 4G and Other Mobile Networks</title>
		<link>http://www.krio.me/security-in-4g-and-other-mobile-networks/</link>
		<comments>http://www.krio.me/security-in-4g-and-other-mobile-networks/#comments</comments>
		<pubDate>Mon, 21 Dec 2009 00:19:31 +0000</pubDate>
		<dc:creator>Kevin Rio</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://kriomedia.com/?p=117</guid>
		<description><![CDATA[A white-paper related to securing future mobile networks Introduction With the development of fourth generation mobile networks, mobile devices will be able to access and take advantage of an array of different network transmission types, which will allow users to have network access from virtually anywhere. These systems can be described as self-aware and adaptive [...]]]></description>
			<content:encoded><![CDATA[<p>A white-paper related to securing future mobile networks<span id="more-117"></span></p>
<p><strong>Introduction</strong></p>
<p>With the development of fourth generation mobile networks, mobile devices will be able to access and take advantage of an array of different network transmission types, which will allow users to have network access from virtually anywhere. These systems can be described as self-aware and adaptive in that they are constantly searching for transmission services that can improve upon their connection and allow for constant network availability. Due to the nature of these devices, security is a topic of interest among network professionals. Because of the abundance of network types and resources being used in conjunction with one another, it is apparent why security needs to be put into the forefront of planning and development. Wireless systems use very different proprietary technologies and security protocols, thus it is difficult to create a general security policy for devices that will use multiple protocols. Current mobile access systems will be evaluated as to their security protocols, and issues related to their heterogeneous usage in a 4G system will be discussed. The issues related to both low-layer and high-layer architectures will also be considered. Systems will be proposed that attempt to bridge the current security and accessibility gap to create scalable, manageable, and adaptive solutions for future systems.</p>
<p><strong>History of Mobile Networks</strong></p>
<p>The deployment of NMT, or Nordic Mobile Telephony, in 1981 is considered to be the beginning of mobile networks. Throughout the 1980s new protocols were developed and standards were created in an attempt to breed more efficient networks. Groups were developed in countries around the world, especially in European regions, for the purpose of creating these standards for a universal system. Frequency bands were defined and reserved for GSM usage at 900 MHz, 1900 MHz and 1900 MHz. In 1991, these system specifications were put into production to develop the first commercial GSM system, thus bringing into light 2G. This was the first entirely digital solution, bringing to the forefront many improvements to other cellular technologies. It ensured better efficiency related to frequency utilization, security of transmissions, quality of voice, and a reduction in the cost of phones. A new, important feature was the ability for a user&#8217;s device to switch mobile networks when located outside of their provider’s coverage area, allowing for constant system use and availability. As soon as the 2G system was put into place, the International Telecommunication Union was already selecting frequency ranges for the next generation system.</p>
<p>The third generation of mobile networks was intended to provide better voice applications in wide-range voice channels and more efficient data services; however, it was found to have much less of an impact on user experiences than was predicted. Compared to the development of wired networks, the increase in performance for wireless networks has been significantly slower. Data rate is not the only downfall of mobile networks; high network latency also plagues many users. It is not uncommon to see round-trip latency times of over 600 milliseconds. These latencies make it impossible to develop certain application types, such as VoIP and other conferencing technologies and interactive games. A large investment is needed on a per-location basis to bring 3G networks to the point they were expected to reach at the time of development. Due to this, the fourth generation of mobile networks is highly anticipated, so that it is able to accommodate a wider array of usages and business applications.</p>
<p><strong>3G to 4G </strong></p>
<p>The transition period towards a fourth generation network is coming to an end. Preceding mobile network transitions took place over a 10-year period. If 4G follows the same pattern, commercial systems should be in the implementation phase by 2013. Business applications may be the biggest proponent of a new generation of systems that fulfill the needs of managing mobile personnel, instant high-speed multimedia streaming, reduction of cost overhead, and other features that take into account the global business. Private users also have an interest in developing new systems that allow for better eCommerce interaction, head-to-head gaming, and streaming communications. 3G was initially developed with the intention of creating a standard around the world for communication, which has not happened. Flexible standards need to be developed that allow for communications to be established for world-wide service availability. The development of communications systems that integrate into wireless devices has been rapid in recent years. Through communications systems such as personal area networks, LAN protocols and device-to-device transfers, users can create extended LAN-like communications in mobile areas. The vision for 4G networks is that it will allow users to access data independently from an in-use device; for example, a user on a hand-set will be able to use their phone-book stored on their personal PC to dial a number. Thus bidirectional communications allow for users to create a personal intranet that they can access from any location. This network system must be secure and reliable, allowing for use of the best connection in the immediate vicinity. Existing mobile networks do not allow for this. The idea is to attempt to integrate 3G and WLANs to provide a system that is fast, mobile, secure, and vast in coverage.</p>
<p>When looking back on the development of 2G and 3G infrastructures, it is apparent where many of the pitfalls are during development. 4G architecture must have certain characteristics to make it successful. It must allow for the highest percentage of infrastructure reuse. A goal of 4G needs to be to ensure that there is no risky reliance on a particular technology, so that in the future there is flexibility as to a particular protocol. The best solution would allow for the system to utilize an array of services in any manner necessary, thus being reliant on the user’s needs, not any factor related to technology. First and second generation systems were developed for use primarily with voice telecommunications, thus the systems design was aimed at providing a single service. Due to this, the infrastructure was heavily circuit-concentrated and the network was developed only with voice requirements in mind, thus it is very efficient at providing voice services, however it is very difficult to provide reuse for these and other services. Thus, this framework is not scalable. With digital architecture it is better to reuse resources from the same infrastructure to combine services. Access networks in 4G should be able to deliver different service types based on a user-centric design that allow heterogeneous access to networks. This could also allow for providers to have free choice of technologies. Allowing for this flexibility comes at a cost, as previous network technologies concentrate on a single service.</p>
<p>Allowing for more services within a single architecture will make it difficult to ensure that the quality of service is adequate. The move is towards a type of user-oriented architecture that diversifies the protocols involved in providing internet access. Network management must be at the forefront of development, as organizing the different technologies will be difficult. With 4G, the improvement is developed through the ability of users to utilize the services that they select. The integration of different technologies is essential to success. This open type of architecture should be operated by multiple providers working in conjunction to provide different network functions. These provider networks are the core of network communications; however, they must also support different access network technologies that will allow users to communicate on a more personal level.</p>
<p><strong>Handling 4G Security Issues</strong></p>
<p>Two issues that will be at the forefront of 4G development are the verification of users and the limitation of network access in the heterogeneous architecture. Other vulnerabilities involve providers utilizing different systems and the basis of user-centered design, which allows users to select their preferred connection method. Due to their shared nature, naturally broadcast state, unclear perimeters, and invisible access, wireless networks are treated as having more vulnerabilities than wired networks. Many different aspects must be taken into account when developing for wireless networks, such as performance on systems with limited capabilities, battery charge issues, and different user states and requirements. The heterogeneous nature of the proposed network adds an additional vulnerability requirement for the system. Because the system will allow for multiple available connections, a potential attacker will have more systems to evaluate, giving them a better chance of finding vulnerabilities. Finding a system exploit in one protocol might give access to another, thus complex management systems are necessary that can provide control systems and signaling for devices. Because devices will be connected to different interfaces and through multiple providers, the device will be exposed to attacks from each connection. The device will be exposed at different intervals to attacks based on code related to drivers, communication protocols, transportation and signaling stacks, file-sharing, update features, and other installed applications. Physical security should also be considered with these applications. Device deactivation and erasure are both necessary features for a device that will be utilized on so many fronts.
It is difficult to quantify the security risks of 4G when it has yet to be developed; however, it is essential that developers find a definable way to balance practical applications and the necessary security levels involved with the network.</p>
<p>Finding the balance between creating practical applications and secure systems will yield the most difficult problems for developers. With the heterogeneous makeup of the 4G system, it will be necessary to ensure that each security measure is universally utilized across each type of network. Thus, the security measures have to be technology-independent, meaning that they will be applied in a top-down nature and be overlaid upon the entire system, not necessarily one of the specific networks; however, this often comes at a price. It is considered to be inefficient to secure applications through overlay technologies, which is why previous systems have enforced security through device measures to protect revenues through access controls. This is usually applied through the network&#8217;s interface hardware. Because of access networks in 4G, such as terminals for local access, it would be best kept as a hardware authentication system so that authentication would be processed on the first network chosen by the user and so that user devices, such as those detailed earlier for access networks, would be authenticated by the device and secure. Each type of network allowed by the device will have much different requirements when authenticating user identities and handling sessions.</p>
<p><strong>Types of Authentication</strong></p>
<p>Typical pre-authentication methods have complex risks associated with them, such as denial of service vulnerabilities, resource consumption from unpaid users and difficult-to-manage user sessions regarding tracking and localization principles. From this, it is apparent that a user-authentication method is desired so that reliable controls can be placed on system access and resource allocation. Network authentication helps to eliminate man-in-the-middle attacks by ensuring that network identity information is received in its original state and trust is established with the provider. The most difficult authentication procedures will take place with what are known as L2 networks, such as 802.11 and other physical devices commonly used in many everyday wireless networking situations. 802.11 utilizes a handshake protocol that is hardwired into the interface of the network. Only the interface and device are authorized, thus access points do not play a role in authentication and no materials are created, such as keys. How will 4G be integrated with systems such as these when their authentication protocols vary so widely for each network type? If a given technology is going to be used in 4G devices and networks, then it must fulfill common goals with regards to authentication or else the technology will be considered ill-equipped for 4G. The reason for this is so that overhead related to creating security profiles for each individual device will be minimized in an attempt to stop problems that have plagued the preceding generations of mobile networks. Requirements for the L2 systems&#8217; authentication methods lie in ensuring strong cryptographic strength, dynamic creation of keys to protect future sessions and system mutuality. Key integration must utilize perfect forward secrecy so that if an attack on the key was successful, no user credentials should be divulged and no location tracking information will be provided.
Above all, the 4G authentication system must be developed in a way that acknowledges that it should be easily updatable. With so many differing systems being utilized, we can predict that eventually an authentication vulnerability will be found and a patch will need to be implemented. The system should also diminish round-trip times for re-authentication and implement some type of pre-authentication method so that when switching network interfaces, there is no noticeable connection lag.</p>
<p><strong>Encryption and Data Integrity</strong></p>
<p>The majority of current wireless technologies utilize different encryption methods and integrity systems for each of their functions. Often, shared-key systems are implemented for link-encryption and network/data integrity. This key is taken from the authentication system created when the device first joins the network. In previous systems, proprietary technologies were utilized in these areas, providing information for potential attackers to use, such as known weak keys, encryption format and key length. These functions must be used throughout the entire phone and network session, thus aspects such as power usage and system resource consumption need to be taken into account. Due to this, it would be best if the function is developed into the network adapter on a hardwired base that communicates with software-based firmware. These functions should utilize the authentication session keys and support fast key re-authentication with a strong cryptographic base. If any flaw or attack is detected on the network interface, this rapid re-keying will allow for keys to be changed quickly.</p>
<p><strong>Planning for 4G Security</strong></p>
<p>An important aspect when planning to create a new mobile network, or any network for that matter, is virtualization, which is the principle of ensuring that flexibility is taken into account during the development and planning phases. It helps to visualize aspects of the system by providing information pertaining to what the system should do, not necessarily how to do it. This will benefit the 4G system in many ways, most notably by ensuring that code is freed from specific logic and that it is able to be flexible when choosing which methods to use. For example, instead of dictating how to authenticate a user, a virtualization plan would provide information related to controlling, transporting, and evaluating frames, thus an array of authentication methods may be used by systems as long as they follow a typical plan. Another aspect that should be considered is adaptation related to changes within different communicating networks and devices. This would relate specifically to access network and terminal security in different environments. This is a new aspect that can be brought to mobile networks with the idea of virtual SPNs that work to fulfill different users&#8217; expectations based on their differing requirements when attempting to locate the correct network interface. This is an idea that will work to eliminate issues caused between usage of different access networks. On the terminal access network, adaptation can be used to help where the shortcomings of the different access networks become apparent. Through a set of criteria, the terminal can utilize adaptation to verify active network interfaces and its active measures, and it can factor in information related to vulnerabilities of user input and secure networking channels to process information in a secure manner despite its inherent flaws.</p>
<p><strong>Necessary Standards</strong></p>
<p>Standardization of components and functions will be necessary to ensure a strong base for 4G mobile security. The use of standardization will help to avoid the 3G pitfalls caused by different providers and regions using protocols that do not integrate with each other. This, however, does not come without its own concerns. If everything is completely standard, then we move away from the entire purpose of 4G, which is one of a technology-opportunistic vision where different technologies work together. Thus, we must ensure that the proper decisions are made about what should be standardized and what should be left for the technology to decide. When creating a standardization plan, it is important to follow virtualization and separate what goes into 4G and how it will be carried out. A signaling standard should be developed to provide strong adaptation so that overlay solutions are not necessary. From this standard protocol, access and data protection could be standardized and these technologies could be used across all systems as the primary method of data transportation.</p>
<p><strong>Conclusion</strong></p>
<p><strong> </strong>What 4G will develop into is still a looming question regarding mobile networks. There is no single vision for 4G that allows for a specific plan to be developed, however it is apparent that these questions must be thought of and standardized so that common problems from other mobile networks are not repeated. The ideas and formats outlined herein are considered to be a prediction of what the systems architecture of a new 4G system will be comprised of and the problems that are likely to be encountered. The vision of 4G presented here focuses on a system of heterogeneous networks and user-centric access systems utilizing multiple terminals and access networks. If 4G network systems are able to provide the necessary virtualization, adaptation, and standardization presented earlier, it has a chance to provide the functionality and performance necessary in future mobile networks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krio.me/security-in-4g-and-other-mobile-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ProShow Gold Usability Review</title>
		<link>http://www.krio.me/proshow-gold-usability-review/</link>
		<comments>http://www.krio.me/proshow-gold-usability-review/#comments</comments>
		<pubDate>Tue, 19 May 2009 01:13:04 +0000</pubDate>
		<dc:creator>Kevin Rio</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.krio.me/blog/?p=47</guid>
		<description><![CDATA[Human-computer interaction usability test of PhotoDex&#8217;s  ProShow Gold software. Kevin Rio Krio Media www.kriomedia.com ProShow Gold’s Efficiency &#38; Learnability TABLE OF CONTENTS 1. Introduction 2. User Models 3. What is Learnability? 4. What is Efficiency? 5. Testing &#38; Recommendations 6. Works Cited 1 – Introduction ProShow Gold is a software suite that assists users in [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">Human-computer interaction usability test of PhotoDex&#8217;s  ProShow Gold software.<span id="more-51"></span></p>
<p style="text-align: center;">Kevin Rio<br />
Krio Media<br />
www.kriomedia.com</p>
<p style="text-align: center;">ProShow Gold’s Efficiency &amp; Learnability</p>
<p>TABLE OF CONTENTS</p>
<p>1.	Introduction<br />
2.	User Models<br />
3.	What is Learnability?<br />
4.	What is Efficiency?<br />
5.	Testing &amp; Recommendations<br />
6.	Works Cited</p>
<p>1 – Introduction<br />
ProShow Gold is a software suite that assists users in the production of both video compilations and slide shows. ProShow Gold is developed by the Photodex Corporation. This version of the software targets users with minimal experience in producing slide shows. The software’s website advertises ease of use that is brought about by the system’s drag-and-drop capability and also the hundreds of effects that can be implemented into the slide shows with the click of a button. The website feature list includes over 260 transition effects, motion tweens, picture scaling, borders, and dozens of slide styles that can be implemented to improve slide show quality. It also advertises many output formats that both novices and professionals alike can utilize to share their compilations with friends, family, and colleagues. These output formats include CD, DVD, Blu-Ray, automatic YouTube uploads, streaming video, and output to major mobile devices, among others. These features are advertised as being usable by the most novice of computer users. The software suite also has companion software that is geared toward expert users and professional visual producers, which will be outside the scope of this article.<br />
The usability of this software will be examined from the vantage point of an advanced beginner who is attempting to create a slideshow that utilizes many of the features listed on the PhotoDex website (Hackos &amp; Redish, 1998). Concepts such as layers and animation effects will not be explored in terms of their concepts, but instead in terms of how they can be applied to the work. The goal is that the product will allow a first-time user to implement a good number of the features listed on their website. As the development of the slideshow becomes more complicated, the user will have a better mental model of the software, which will result in an increase in productivity (Hackos &amp; Redish, 1998). The main aspects of usability that will be explored are efficiency and learnability; however, if it is found that other usability goals are not met, they will be noted and described. If learning to use a certain feature takes an exceptionally long time, it may be said that the system is difficult to learn. If users are forced to work through complex menus and commands to locate a feature, the program may be labeled as inefficient. In the past, the majority of software systems comparable to ProShow Gold have targeted a more experienced market of users. Since the release of this version of their software, PhotoDex has attempted to target users with less experience in creating slide shows. This article will discuss whether the interface meets the expectations that a user has based on PhotoDex’s documentation related to learnability and efficiency.</p>
<p>2 &#8211; User Models<br />
The ProShow Gold software is labeled as an easy-to-use piece of software with advanced functionality. Because the software targets users with very little experience, it is important that when creating the user interface PhotoDex understands how the individuals utilizing the software think. They must realize that these users do not understand graphic design and programming concepts. The users understand buttons, graphics, making selections, and controls. To make their new software successful, they must understand that the user does not care about the technology and architecture utilized behind the interface (Lanter &amp; Essinger, 1991). Due to a computer’s abstract nature, it is often difficult for users to explore the system, an activity that aids their understanding of it. Through exploration, users are better able to understand the functions of what they are using, leading to improved learnability. A user’s mental model is their thinking related to functions that a system can accomplish and how, which is related to a user’s prior system experiences, knowledge, and preconceptions (Lanter &amp; Essinger, 1991). For a system to be understood by the user, all functions must make sense and relate to existing knowledge. The way the user is introduced to the system is key with regards to learnability. If introduced poorly, the system cannot be related to existing knowledge. Internal and external factors play a role in a user’s model of the system. Internal factors, such as expectations for the software or its intended use, play a role in how the user interacts with the system, while external factors include the interface that the user interacts with.<br />
3 &#8211; What is Learnability?<br />
Learnability as defined by Preece, Rogers, &amp; Sharp (2007) is how easy a system is to learn to use. Users want to spend the minimal amount of time necessary to learn to use a system. They also want to exert the least amount of effort during this process. With software such as ProShow Gold and other production suites, it is documented that the majority of users are prepared to spend a longer period of time learning to use the software because they understand the extra functionality that they gain from it (Preece, Rogers &amp; Sharp, 2008). This section will examine learnability from the perspective of a user attempting to create a single slideshow for the first time.<br />
4 – What is Efficiency?<br />
Efficiency is how well the software and interface attempt to assist the user when completing tasks (Preece, Rogers &amp; Sharp, 2008). The fewer menus a user has to navigate through and the less information that must be completed, the more efficient the system is. The efficiency of a system is most notable after the user has experience with it and understands how to complete tasks. If, after the user has learned to navigate the system, it still requires a prolonged amount of time to complete a task, the system can be labeled as inefficient.<br />
5 – Testing &amp; Recommendations<br />
When the software suite is first opened, the user is met with icons, white space, slider bars, menu systems, and pictures to navigate through. At first glance at the icons, only a few of them provide an understanding of the actual function of the button. This has an impact on the program’s visibility, making it difficult for users to understand what they should do next and how to operate a certain function because the interface is not clear and it does not correlate with the user’s model (Norman 1988). Poorly designed buttons and icons also pose a challenge in that the user may not be able to remember what the item is for, influencing memorability. The user is met with thirteen icons, eight of which correctly depict the button’s functions, while five of them give no clues as to what they do unless the text is read. After being acquainted with the interface the user is able to simply create a new slide show, name it, and easily select which format the video will be presented on. One area in which the software’s learnability excels is the presentation of difficult-to-understand concepts. Because the software is geared towards novice users, it is apparent that PhotoDex put a considerable amount of time into ensuring that details that may be foreign to new users are explained. Explanations in the software range from visual images to plain text paragraphs or a combination of both. This is especially helpful when trying to export files to a viewable format, such as CD, DVD, streaming video, YouTube, and others. An effective explanation of the pros and cons of each is shown, and images that depict the type of visual quality the viewer can expect are provided for better decision making.<br />
Adding photos to the software was both inefficient and not easily learned. The only possible way to enter photos into the slide show is to drag them into the timeline. While this is a natural way for many individuals to transfer photos from one piece of software to another, there are many individuals who could become confused by this operation. There should be a method of adding pictures, possibly by navigating through the computer folders without leaving the software interface, much like how the majority of individuals add photos to media sharing sites or emails. This method of adding pictures goes against many preconceived models of adding data to software suites, which has an unsatisfactory effect on efficiency, learnability and ease of use. However, once the photos are added, finding how to add styles and edit them is much easier. There are multiple ways of accessing the styles functions, which helps to fit within different models that a varying group of users may have. Learnability and ease of use in this area are soundly developed. Once within the menu system, it becomes more challenging to figure out how the system is organized and where specific tools are placed. This is a very feature-rich application that targets new users in its advertisements. From this, it would be easy to gather that the most used and needed tools would be easily available for the user to find, but this is not the case. The menu system utilizes text-based navigation and bombards the user with text that is both horizontal and vertical to the point of overwhelming the user. Learnability in respect to navigating and finding specific settings in the system is very poor.<br />
Picture insertion, slide styles, setting altering, and format outputting are the areas that the majority of new users of the software will be dealing with. In terms of efficiency the software is excellent at providing users with the necessary tools to complete their tasks and, in most cases, ways of completing the tasks quickly. However, there are areas in which the software interface requires improvements to be considered as fostering sound learnability principles. The menu system for editing slide characteristics is overwhelming, and the system for adding pictures to the slide show may be easily learned by some, but others who are more familiar with traditional styles of adding pictures will be confused.<br />
In some cases the software does a poor job of building natural mappings that relate to the user’s existing experience. If the user’s expectations matched better with the software model, the software would be easier to master. Another advantage of the two models meshing is that the user no longer has to store their mental image in memory because the user interface is so intuitive that it is not necessary (Lanter &amp; Essinger, 1991). The user’s memory can now be fully devoted to immediate tasks. The majority of the issues with the ProShow Gold software lie in the learnability realm. It is apparent that this version of the software is a stripped-down version of the more full-featured application meant for slide show production professionals. It is noticeable in the difficulties that are met when attempting to alter specific settings, such as slide duration. This is a feature that anyone making a slide show with the software must edit, but the feature is difficult to locate and hidden within a difficult-to-navigate menu system. This area is where the majority of the user interface issues can be seen and where improvements should be made to make the software more user friendly.</p>
<p>6 &#8211; Works Cited<br />
Chao, G. (2009) “Human-Computer Interaction: Process and<br />
Principles of Human-Computer Interface Design” Retrieved<br />
on Apr 20, 2009 from http://doi.ieeecomputersociety.org/10.1109/ICCAE.2009.23</p>
<p>Chisnell, D., Rubin, J. (2008). Handbook of Usability Testing.<br />
Indiana: Wiley Publishing, Inc.</p>
<p>Chrusch, M. (2000, September). Seven great myths of usability.<br />
Interactions, 13-16.</p>
<p>Essinger, R., Lanter, D. (1991). User-Centered Graphical User<br />
Interface Design for GIS. Retrieved on April 15, 2009 from</p>
<p>http://www.ncgia.ucsb.edu/Publications/Tech_Reports/91/91-6.pdf</p>
<p>Foley J. D., Wallace V. L. and Chan P. 1984. &#8220;The Human Factors<br />
of Computer Graphics Interaction Techniques&#8221;, IEEE Computer<br />
Graphics and Applications, 4(11) pp. 1348.</p>
<p>Preece, J., Rogers, Y., &amp; Sharp, H. (2007).<br />
Interaction Design. England: John Wiley &amp; Sons, Ltd.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krio.me/proshow-gold-usability-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Enterprise Security Risk and Evaluation</title>
		<link>http://www.krio.me/enterprise-security-risk-and-evaluation/</link>
		<comments>http://www.krio.me/enterprise-security-risk-and-evaluation/#comments</comments>
		<pubDate>Tue, 28 Apr 2009 10:19:58 +0000</pubDate>
		<dc:creator>Kevin Rio</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.krio.me/blog/?p=36</guid>
		<description><![CDATA[Enterprise system security risks and measures. Enterprise Security Risk and Evaluation Kevin Allen Rio Krio Media, LLC 2008 The complexity of business systems architecture is the main contributor to poor systems security. Because of the complex nature of these systems, oftentimes security is not a primary focus when new systems architecture is being developed (Chorafas, 2004). [...]]]></description>
			<content:encoded><![CDATA[<p>Enterprise system security risks and measures.<span id="more-50"></span></p>
<p style="text-align: center;">Enterprise Security Risk and Evaluation<br />
Kevin Allen Rio<br />
Krio Media, LLC<br />
2008</p>
<p>The complexity of business systems architecture is the main contributor to poor systems security. Because of the complex nature of these systems, oftentimes security is not a primary focus when new systems architecture is being developed (Chorafas, 2004). The amount of code needed to develop an enterprise architecture solution often exceeds thirty million lines, not counting the other systems that it may be connected to. To help ensure that the best security practices are put into place, developers must account for security concerns early on during the drafting stage. Software complexity is also an area that must be explored because it leads to difficult-to-update software, which heightens the security threats (Chorafas, 2004). Systems are at risk from countless types of attacks including malicious code, viruses, unauthorized database access, Trojan horses, denial of service attacks, firewall breaches, poor encryption leading to password and information theft, and buffer overflow attacks. The steps that are taken after an operating environment issue, such as a power outage or hardware crash, must also be addressed because they can increase the chances that a threat will occur. There are security standards that should be met by users and systems to ensure the most secure operating environment possible (Chorafas, 2004). For example, systems should be developed that use sophisticated mechanisms for authorizing users to a system. This should go beyond the normal password and username setup that the majority of systems utilize. New tools and research methodologies are necessary to screen out unauthorized users and threats along with protection from DoS attacks that leave hundreds of websites nonfunctional each day. All systems should have measures in place that allow for system audits to be conducted with ease so that security breaches can be discovered in a timely manner. These are just a few of the many important security mechanisms that each system should have in place. 
Biometrics is an area that has been receiving attention as of late in terms of computer and systems security. Fingerprints, voice recognition, and iris identification are all areas that have been explored as substitutes for passwords for data and information access (Chorafas, 2004). The advantage of biometrics is in the assessment that the computer conducts to identify whether the person is authorized for access. Passwords do not provide this security in that they have no way of identifying whether the person entering the password is the actual individual who is authorized to do so. Many issues have been raised when discussing biometrics, especially by the FBI due to issues related to criminals extracting the necessary parts for biometric scanning. Many believe that there are no perfect ways to completely secure systems based on these issues. It is essential that all implementations be universal in their identification and unique to each individual. Above all, security solutions should be socially acceptable (Chorafas, 2004). The solutions presented must allow individuals to use the solutions on a daily basis without causing undue stress. If the user is not willing to use the system, its viability immediately fails.</p>
<p>http://www.nytimes.com/2006/05/12/us/12vote.html</p>
<p>One of the most recently talked about security threats deals with the newest release of voting machines that allow users to vote using an electronic device. The newest wave of security threats is related to how the software updating system was developed. It is possible that the problem may have been corrected during the drafting stage of design if the developers had been planning for security concerns during early stages of development.</p>
<p>http://www.infosecwriters.com/text_resources/pdf/THyslip_Portable_Operating_System.pdf</p>
<p>The increasing popularity of Live CDs and portable operating systems that leave no trace of boot up on a computer poses security risks. These Live CDs can serve many different purposes, but some have been specifically created to pose security threats for password cracking, hard-drive forensics, and wireless internet sniffing/cracking. This poses increasingly difficult-to-trace security issues for enterprises, especially related to insider theft.</p>
<p>http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1342890,00.html</p>
<p>Research has shown that many times after workers are laid off their accounts may still be active on the company’s systems. Known as orphan accounts, they can pose severe security risks to companies. Individuals may have grievances, and the use of these accounts may seem like the perfect way to get retribution. Managers often overlook the problems that a laid-off IT worker can cause. Upper-level managers must ensure that workers’ accounts have the proper rights management and are decommissioned after worker layoffs take place.<br />
Chorafas, D. (2002). Enterprise Architecture and New Generation Information Systems. Boca Raton, FL: CRC Press, LLC.</p>
<p>McGovern, J., Ambler, S., Stevens, M., Linn, J., Sharan, V., &amp; Jo, E. (2004). A Practical Guide to Enterprise Architecture. Upper Saddle River, NJ: Pearson Education, Inc.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krio.me/enterprise-security-risk-and-evaluation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Enterprise Resource Planning</title>
		<link>http://www.krio.me/enterprise-resource-planning/</link>
		<comments>http://www.krio.me/enterprise-resource-planning/#comments</comments>
		<pubDate>Tue, 28 Apr 2009 10:17:18 +0000</pubDate>
		<dc:creator>Kevin Rio</dc:creator>
				<category><![CDATA[White Papers]]></category>
		<category><![CDATA[enterprise architecture]]></category>

		<guid isPermaLink="false">http://www.krio.me/blog/?p=34</guid>
		<description><![CDATA[An overview of enterprise resource planning and its benefits. Enterprise Resource Planning Kevin Allen Rio Krio Media, LLC www.krio.me 2008 The purpose of an ERP system is to integrate systems that serve the many departments in an enterprise. The ultimate goal of an ERP system is to develop a single system that can serve each [...]]]></description>
			<content:encoded><![CDATA[<p>An overview of enterprise resource planning and its benefits. <span id="more-49"></span></p>
<p style="text-align: center;">Enterprise Resource Planning<br />
Kevin Allen Rio<br />
Krio Media, LLC<br />
www.krio.me<br />
2008</p>
<p>The purpose of an ERP system is to integrate systems that serve the many departments in an enterprise. The ultimate goal of an ERP system is to develop a single system that can serve each department’s specific requirements (Chorafas, 2004). It acts as an intersection point, bridging the gap between each individual system. An ERP system works to increase efficiency by removing the need to utilize resources outside of one’s department. For example, after the implementation of an ERP system, an enterprise’s human resources department no longer needs to request and import logs from the finance department, because as soon as they are posted the human resources system is updated with the current information. No conversion of the document is required and no importing of information. The ERP system integrates and updates all sources without the need for time-consuming projects. All software systems are linked together so each department can see updates and projects from other parts of the company. The most popular use of an ERP system is the processing of customer orders, termed the order fulfillment process (Chorafas, 2004). The back-end order process is completely automated. Once the program has fulfilled the necessary steps in a particular department, the order is automatically routed to the next necessary system. System users can enter data into the ERP software to check the status of an order and what stage it is in. Financial reporting, payroll, and employee benefits are all examples of areas where an ERP system can help automate the system processes of a company to make it more efficient. ERP has many uses, such as the integration of financial information. The ERP system takes from the many departments in an enterprise and can present financial information that is all-encompassing. Decision makers are not required to evaluate divisions independently as ERP systems can combine this stored data. 
The standardization of human resources information is another area where an ERP system can be beneficial. This provides a single system where an employee’s information can be tracked and updated providing for ease in communication. ERP systems can also be used to track customer orders from the time the order is placed until it arrives to them. Using one piece of software to achieve this allows for much better tracking and communication between departments, increasing efficiency (Chorafas, 2004). These are all benefits of the implementation of an ERP system.<br />
One area that ERP systems put to the test is accountability (Chorafas, 2004). Each department must conform to the utmost standards because they can be monitored by other departments. Warehouses must ensure that they input their data in a timely manner because, due to the constant communication between systems, other departments know when shipments are coming and if they are delaying their data entry. If they do not update consistently, sales may be halted and losses would ensue. This is an example of the need for proper training and how accountability and communication are put to the test in an ERP system. Studies show that the majority of enterprises that have implemented ERP systems conclude that without the system, their firm would not function efficiently enough to remain active (Chorafas, 2004).</p>
<p>http://www.cio.com/article/40323/ERP_definition_and_solutions?page=2#fix</p>
<p>The cost of ERP systems varies widely, with some ranging from $300,000 to $15 million. The cost of an ERP system scales depending on the size of the enterprise and its revenues. A manufacturing company that earns approximately $50 million in revenues can expect to pay nearly $400,000 in ERP costs. Firms from different industries can expect to pay much different prices depending on their systems needs. The rewards from implementing ERP systems properly average $1.6 million per year. On average it takes eight months after implementation to begin reaping the rewards of a new system.</p>
<p>http://www.intoweb.co.za/articles-define-erp.html</p>
<p>Decreasing redundancy is the goal of enterprise resource planning. ERP fulfills a wide range of business necessities through the standardization of systems among different divisions. ERP allows managers to oversee the company as a whole by taking different departments and combining their systems and data into one, allowing for seamless data sharing. The implementation of the ERP system is especially important. Oftentimes, enterprises attempting to implement an ERP solution will fail because of improper planning and human errors.</p>
<p>http://www.qualitydigest.com/magazine/2008/oct/article/launching-enterprize-resource-planning-system.html</p>
<p>There are many reasons why an ERP implementation project can fail, but there are some constants that can be seen time and time again in many projects. One of these reasons is a poor testing phase due to pressure to release the system. Beta testing is an important piece of the ERP puzzle that is oftentimes ignored. Proper training is essential for ERP users, but enterprises do not fully grasp the amount of training that is required to be successful; this is a common reason for systems failure.<br />
Chorafas, D. (2002). Enterprise Architecture and New Generation Information Systems. Boca Raton, FL: CRC Press, LLC.</p>
<p>McGovern, J., Ambler, S., Stevens, M., Linn, J., Sharan, V., &amp; Jo, E. (2004). A Practical Guide to Enterprise Architecture. Upper Saddle River, NJ: Pearson Education, Inc.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krio.me/enterprise-resource-planning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Usability Issues in Enterprise Architecture</title>
		<link>http://www.krio.me/usability-issues-in-enterprise-architecture/</link>
		<comments>http://www.krio.me/usability-issues-in-enterprise-architecture/#comments</comments>
		<pubDate>Tue, 28 Apr 2009 10:15:24 +0000</pubDate>
		<dc:creator>Kevin Rio</dc:creator>
				<category><![CDATA[White Papers]]></category>
		<category><![CDATA[enterprise architecture]]></category>
		<category><![CDATA[usability]]></category>

		<guid isPermaLink="false">http://www.krio.me/blog/?p=31</guid>
		<description><![CDATA[This article describes how usability issues can alter the success rate of a new enterprise system. Usability Issues in Enterprise Architecture Kevin Rio Krio Media, LLC www.krio.me 2008 Usability generally falls into two broad categories: a top-down approach and a bottom-up approach. The bottom-up perspective concentrates on the use of the product, such as a [...]]]></description>
			<content:encoded><![CDATA[<p>This article describes how usability issues can alter the success rate of a new enterprise system.<span id="more-48"></span></p>
<p style="text-align: center;">Usability Issues in Enterprise Architecture<br />
Kevin Rio<br />
Krio Media, LLC<br />
www.krio.me<br />
2008</p>
<p>Usability generally falls into two broad categories: a top-down approach and a bottom-up approach. The bottom-up perspective concentrates on the use of the product, such as a piece of software. This perspective details a product’s ease of use in terms of a user’s ability to become familiar with a system’s user interface and other essential functions. When purchasing software, many companies will perform a learning curve analysis to estimate the time it will take its workers and other users to become accustomed to the system. When comparing different software packages, it is essential to keep the learning curve as flat as possible. A different approach is a top-down perspective, which analyzes a system’s ability to perform its intended duty. This is a much broader definition of usability that is essential in determining a system’s meaningfulness. Both are important in analyzing a system’s usability; however, it is important to not rely exclusively on one method. For example, a system may have a flat learning curve making it extremely usable; however, it may not be useful. This shows that enterprise architects and analysts must view new systems from many angles when making decisions so that they can best judge how the new system will improve performance.<br />
Many challenges are presented when attempting to ensure usability in a system. One way of ensuring a system’s usability is by prioritizing the development of features based on their value to users. This helps to ensure that the most used features of a system are concentrated upon during development. Another way of increasing usability is by ensuring that all members of the development team are communicating. This helps to fulfill the project’s goals and increases usability as a result. Usability tests should be conducted regularly and the cost-benefits should be reported so management can evaluate the tests’ usefulness in financial terms. Usability should be the responsibility of a development team member, such as the project lead who can create usability goals, rather than an outside promoter. These are all ways in which usability can be ensured during the development process. When attempting to design a system that fosters high-quality usability, there are techniques that can be utilized to accomplish this. The techniques can be spread across stages. During the requirements stage, necessary features are gathered and analyzed, a cost-benefit analysis is performed, user surveys are taken, and rapid prototyping may be performed, along with many other activities for the purpose of providing a system with the best possible usability. Next are the design, development, and testing stages, where a functional system is created. Development concepts, such as JAD and parallel design, among others, can be implemented during this stage. During the final stage, deployment and refinements, testing has been completed and usage statistics are taken. Log files may be examined and interviews taken to ensure the system is performing as designed. These techniques have been found to be effective when attempting to design a system with high usability. 
Through the use of collaboration, extensive testing, job distribution, and strong user interaction, firms can ensure that they achieve high usability in their systems.</p>
<p>http://www.eelke.com/files/pubs/2005_ISD_gaps.pdf</p>
<p>There is often a gap between usability engineers and software engineers. This causes an inability to achieve the highest level of usability possible because many times architecture cannot be altered to allow for usability after software development has ensued. It is imperative that usability is in the forefront of development from the beginning so that software rewrite is never necessary. Firms often spend a large percentage of developmental costs on fixing usability issues that could have been predicted if proper usability techniques were utilized from the project’s conception.</p>
<p>http://www.uxmatters.com/mt/archives/2008/12/the-user-experience-of-enterprise-software-matters.php</p>
<p>Since software development’s inception, the buying market has demanded that applications foster strong usability. There is one market, however, that has not. Enterprise software has the poor stigma of being inefficient and difficult to learn and remember. The blame can most effectively be placed on the software selection process that businesses use. They are not assessing the usability of the products they purchase and, because of this poor process, they are incurring significant long-term costs associated with usability.</p>
<p>http://www.useit.com/alertbox/enterprise.html</p>
<p>Usability goes beyond a single user operating a piece of software. It encompasses entire organizations attempting to utilize multiple types of applications. Usability has an effect on long-term costs that must be viewed from the enterprise level. Increasing usability at the enterprise level can have significant long-term cost improvements.<br />
Chorafas, D. (2002). Enterprise Architecture and New Generation Information Systems. Boca Raton, FL: CRC Press, LLC.</p>
<p>McGovern, J., Ambler, S., Stevens, M., Linn, J., Sharan, V., &amp; Jo, E. (2004). A Practical Guide to Enterprise Architecture. Upper Saddle River, NJ: Pearson Education, Inc.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krio.me/usability-issues-in-enterprise-architecture/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Working in Virtual Teams</title>
		<link>http://www.krio.me/working-in-virtual-teams/</link>
		<comments>http://www.krio.me/working-in-virtual-teams/#comments</comments>
		<pubDate>Tue, 28 Apr 2009 10:10:38 +0000</pubDate>
		<dc:creator>Kevin Rio</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.krio.me/blog/?p=26</guid>
		<description><![CDATA[This article describes how working in virtual teams has evolved recently and ways that it can improve efficiency in the workplace. Working in Virtual Teams Kevin Rio Krio Media, LLC www.krio.me 2008 Technology leaders must possess a broad range of skills to make them effective. The ability to improve how teams and individuals interact, solve [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal" style="line-height: 200%; text-align: left;">This article describes how working in virtual teams has evolved recently and ways that it can improve efficiency in the workplace. <span id="more-47"></span></p>
<p class="MsoNormal" style="text-indent: 35.45pt; line-height: 200%; text-align: center;">Working in Virtual Teams</p>
<p class="MsoNormal" style="text-indent: 35.45pt; line-height: 200%; text-align: center;">Kevin Rio</p>
<p class="MsoNormal" style="text-indent: 35.45pt; line-height: 200%; text-align: center;">Krio Media, LLC</p>
<p class="MsoNormal" style="text-indent: 35.45pt; line-height: 200%; text-align: center;">www.krio.me</p>
<p class="MsoNormal" style="text-indent: 35.45pt; line-height: 200%; text-align: center;">2008</p>
<p class="MsoNormal" style="text-indent: 35.45pt; line-height: 200%;"><span style="font-family: &amp;quot;Courier New&amp;quot;;">Technology leaders must possess a broad range of skills to make them effective. The ability to improve how teams and individuals interact, solve problems, and work effectively cannot be overlooked (McGovern et al., 2004). Having experience in the field is a necessity, as it is not possible to lead effectively if individuals do not believe that the leader has ever been in their place. Leaders with strong technical skills help to improve an enterprise by ensuring that it adapts to changes and improvements in technology and research. Successful technology leaders understand that alternative strategies to develop software are essential to success. A technology leader must understand that development should concentrate on the user and on providing the best experience possible through the delivery of useful software. Successful technology leaders also understand that it is important to keep software requirements to a minimum at the beginning of a project (McGovern et al., 2004). Software requirements should concentrate on providing only the absolutely necessary specifications, as requirements tend to change during the course of most projects.</span></p>
<p class="MsoNormal" style="text-indent: 35.45pt; line-height: 200%;"><span style="font-family: &amp;quot;Courier New&amp;quot;;">Keeping a budget under close scrutiny and at a minimum also helps the development process, as it ensures that only the necessary requirements are being developed and team members do not develop unnecessary functionality that will lengthen the process. Technology leaders understand that the end user may be the most important member of the development team. The customer will be the final decision maker of a product's success or failure. Thus, they should be incorporated into the development process. Successful leaders understand that utilizing the customer to conduct tests and provide input as to the product's ability to function as necessary is essential (McGovern et al., 2004). Technology leaders understand that they must lead by example and understanding. Their expertise in the field is their most important quality and cannot be substituted. Many enterprises fail to recognize this and cause the technology leader to clash with those who are uninformed and have no expertise in the field.</span></p>
<p class="MsoNormal" style="text-indent: 35.45pt; line-height: 200%;"><span style="font-family: &amp;quot;Courier New&amp;quot;;">Many enterprises today believe that leadership can be created simply by participating in seminars instead of investing in the aforementioned qualities. Information technology leaders are faced with the task of having a strong understanding of both information technology and business. Other individuals in the company may assume they understand how information technology should operate and what its functions are. Leaders understand that diversity is key in creating an environment for workers that fosters communication, adaptation, efficiency, problem solving, collaboration, and agility (McGovern et al., 2004).</span></p>
<p class="MsoNormal" style="line-height: 200%;"><span style="font-family: &amp;quot;Courier New&amp;quot;;">It is often necessary for a leader to create a virtual team to develop a project. This allows engineers, developers, and other personnel to work effectively and interactively even if they are located in different regions. Effective leaders understand the need to have diverse skill sets in each location and strong coordination between groups to ensure that costs remain low (Chorafas, 2004).</span></p>
<p class="MsoNormal"><cite><span style="font-family: &amp;quot;Courier New&amp;quot;; font-style: normal;">www.aporc.org/LNOR/6/ISORA2006F30.pdf</span></cite><cite></cite></p>
<p class="MsoNormal" style="line-height: 200%;"><cite><span style="font-family: &amp;quot;Courier New&amp;quot;; font-style: normal;">Globalization has changed the structure that many enterprises use to interact and complete daily business activities. Flexibility is considered an essential ability for all enterprises and a necessity of virtual teams. The need to establish an international presence drives enterprises to create virtual organizations with the goal of making them as effective as in-house developers and users. Virtual teams allow enterprises to create a strong workforce from geographically diverse individuals.</span></cite></p>
<p class="MsoNormal"><cite><span style="font-family: &amp;quot;Courier New&amp;quot;; font-style: normal;">sais.aisnet.org/2005/Thomas%20&amp;%20Bostrom.pdf</span></cite></p>
<p class="MsoNormal" style="line-height: 200%;"><span style="font-family: &amp;quot;Courier New&amp;quot;;">The ways in which enterprises are improving their development are changing dramatically. The use of virtual teams has changed how they complete projects and how often those projects succeed. Technology support is essential in developing a successful virtual team. This support can come from many tools, such as project management systems, scheduling systems, communication systems, and decision support systems. It is important for leaders to directly manage the methods of communication between teams and to foster information sharing between them.</span></p>
<p class="MsoNormal" style="line-height: 200%;"><span style="font-family: &amp;quot;Courier New&amp;quot;;">http://www.effectivemeetings.com/technology/virtualteam/mci10.asp</span></p>
<p class="MsoNormal" style="line-height: 200%;"><span style="font-family: &amp;quot;Courier New&amp;quot;;">Worker trends and studies have shown that alternative work practices, such as virtual teams, are increasing job satisfaction, saving costs, and increasing productivity. Typical virtual worker teams consist of six individuals who meet once a week and believe that this type of coordination helps to lower enterprise costs.</span></p>
<p class="MsoNormal" style="text-align: center;"><span style="font-family: &amp;quot;Courier New&amp;quot;;">Works Cited</span></p>
<p class="MsoNormal"><span style="font-family: &amp;quot;Courier New&amp;quot;;">Chorafas, D. (2002). <em>Enterprise Architecture and New Generation Information Systems.</em> Boca Raton, FL: CRC Press, LLC.</span></p>
<p class="MsoNormal"><span style="font-family: &amp;quot;Courier New&amp;quot;;">McGovern, J., Ambler, S., Stevens, M., Linn, J., Sharan, V., &amp; Jo, E. (2004). <em>A Practical Guide to Enterprise Architecture.</em> Upper Saddle River, NJ: Pearson Education, Inc.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.krio.me/working-in-virtual-teams/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Enterprise vs. Systems Architecture</title>
		<link>http://www.krio.me/enterprise-vs-systems-architecture/</link>
		<comments>http://www.krio.me/enterprise-vs-systems-architecture/#comments</comments>
		<pubDate>Tue, 28 Apr 2009 10:06:04 +0000</pubDate>
		<dc:creator>Kevin Rio</dc:creator>
				<category><![CDATA[White Papers]]></category>
		<category><![CDATA[enterprise architecture]]></category>

		<guid isPermaLink="false">http://www.krio.me/blog/?p=21</guid>
		<description><![CDATA[This article describes the differences between enterprise and systems architecture. Enterprise vs. Systems Architecture: A Description By: Kevin Rio Krio Media, LLC www.krio.me 2008 The primary purpose of enterprise architecture is to align the implementation of technology to the company&#8217;s business strategy (Chorafas, 2002). Effective enterprise architecture manages areas of business, such as research and [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal" style="text-align: left;">This article describes the differences between enterprise and systems architecture. <span id="more-46"></span></p>
<p class="MsoNormal" style="line-height: 200%; text-align: center;">Enterprise vs. Systems Architecture: A Description</p>
<p class="MsoNormal" style="line-height: 200%; text-align: center;">By: Kevin Rio</p>
<p class="MsoNormal" style="line-height: 200%; text-align: center;">Krio Media, LLC</p>
<p class="MsoNormal" style="line-height: 200%; text-align: center;">www.krio.me</p>
<p class="MsoNormal" style="line-height: 200%; text-align: center;">2008</p>
<p class="MsoNormal" style="line-height: 200%;"><span style="font-family: &amp;quot;Courier New&amp;quot;;">The primary purpose of enterprise architecture is to align the implementation of technology to the company&#8217;s business strategy (Chorafas, 2002). Effective enterprise architecture manages areas of business, such as research and development, production, delivery, and developing workstations that have multiple functions and can utilize differing platforms and server protocols. Solutions should lower costs in specific business areas, such as production and distribution, while increasing product reliability and service dependability. The enterprise architecture should ensure that work is being assigned to individuals based on specific criteria and that the system is communicating properly with on-line users and meeting sound systems practices, such as security measures. The enterprise architecture must be able to meet the needs of an ever-changing economy by allowing for future updates and growth.</span></p>
<p class="MsoNormal" style="line-height: 200%;"><span style="font-family: &amp;quot;Courier New&amp;quot;;">The purpose of systems architecture differs in that it does not directly attempt to improve the business strategy. Instead, its purpose is to provide a basis for planning, provide direction in terms of computing systems and communication environments, provide seamless integration between software and hardware, and ensure that technological integration will be made in such a way as not to interrupt how individuals work and how machines operate (Chorafas, 2004). A machine&#8217;s operation speed and its capabilities are both concentrations of systems architecture. Individuals should be able to operate technology in a consistent manner and have all the necessary components readily available. An important goal of systems architecture is to enable users to be more productive and work more quickly. Improving system efficiency and reducing a company&#8217;s information technology costs are main systems architecture concerns, along with the business functions that technology must support, such as software, networks, and computer stations (Chorafas, 2004).</span></p>
<p class="MsoNormal" style="line-height: 200%;"><span style="font-family: &amp;quot;Courier New&amp;quot;;">The difference between these two types of technological integration is sometimes hard to see. One important difference is that enterprise architecture focuses directly on meeting the needs of business functions and allowing for future improvements. On the other hand, systems architecture somewhat ignores business integration and concentrates on the needs of the user and how to improve user experiences with technology. Enterprise architecture concentrates on areas such as transaction processing and statistics reporting, while systems architecture concentrates on creating easy-to-navigate user interfaces and improving network communication speed. Solving technical issues through layered architectural methods is a key component of systems architecture, while improving business operations is important in enterprise architecture (Chorafas, 2004).</span></p>
<p class="MsoNormal" style="line-height: 200%;"><span style="font-family: &amp;quot;Courier New&amp;quot;;">http://www.niwotridge.com/Essays/WhatisSystemArchitecture.htm</span></p>
<p>Systems architecture lays the blueprints for all future IT implementations. One main purpose of systems architecture is to arrange units so that the most utility can be gained from the system. The systems architecture lays a framework that sets guidelines and rules for future applications and upgrades. This plays a key role in future expansions where it is imperative that components be added or upgraded. It is essential that architects do not limit the architecture to the extent that future upgrades are not possible. Through the implementation of an enterprise strategy in systems architecture, business activities are streamlined and redundancies are reduced. Focusing on how data and the business processes interact with each other must be at the forefront of the architect&#8217;s mind when blending systems and enterprise architecture. Another advantage of adopting systems architecture to improve IT services is that complexity will be reduced due to redundancy being eliminated, allowing systems to work more efficiently. Strong systems architecture implementation allows for integration between a large number of users. This compatibility allows for better communication between users.</p>
<p class="MsoNormal" style="line-height: 200%;"><span style="font-family: &amp;quot;Courier New&amp;quot;;">http://enterprisearchitecture.nih.gov/About/What/</span></p>
<p>Enterprise architecture describes the benefits and other influences that technology will have on a business. It describes the interrelationships between many of the core components of a business, such as managers, stakeholders, and networks, among other things.  Enterprise technology takes into account the entire organization. An effective form of enterprise architecture allows a business to quickly respond to changes and allows for smooth transitions that the changes require.</p>
<p>http://www.itbusinessedge.com/blogs/mia/?p=209</p>
<p>Many individuals have different meanings for the title enterprise architect. On one extreme, the enterprise architect is one who takes business goals and attempts to implement procedures to meet those goals. In this case, the individual does not necessarily use technology unless it is essential. On the other hand, an enterprise architect is someone who attempts to minimize costs and makes information technology services more efficient. Essentially, the most agreed upon role for an enterprise architect is someone who attempts to align both business and information technology.</p>
<p class="MsoNormal">Chorafas, D. (2002). <em>Enterprise Architecture and New Generation Information Systems.</em> Boca Raton, FL: CRC Press, LLC.</p>
<p class="MsoNormal">McGovern, J., Ambler, S., Stevens, M., Linn, J., Sharan, V., &amp; Jo, E. (2004). <em>A Practical Guide to Enterprise Architecture.</em> Upper Saddle River, NJ: Pearson Education, Inc.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krio.me/enterprise-vs-systems-architecture/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Internet Security Threats And Protection Methods</title>
		<link>http://www.krio.me/internet-security-threats-and-protection-methods/</link>
		<comments>http://www.krio.me/internet-security-threats-and-protection-methods/#comments</comments>
		<pubDate>Tue, 28 Apr 2009 09:49:00 +0000</pubDate>
		<dc:creator>Kevin Rio</dc:creator>
				<category><![CDATA[White Papers]]></category>
		<category><![CDATA[internet security]]></category>

		<guid isPermaLink="false">http://www.krio.me/blog/?p=11</guid>
		<description><![CDATA[This is an introduction to the many threats that computer systems and users face on the internet. Methods that users can implement to protect themselves are also explored. Article by Kevin Rio.]]></description>
			<content:encoded><![CDATA[<p>This is an introduction to the many threats that computer systems and users face on the internet. Methods that users can implement to protect themselves are also explored. Article by Kevin Rio.<span id="more-45"></span><br />
The security measures of online retailers vary immensely. The methods used to gather, store, and distribute information are implemented differently across the web. Many companies and corporations that collect sensitive data do not have proper security protocols in place, which may compromise personal information. Common errors that online businesses make in the process of transactions will be analyzed and critiqued. This includes information security and the protocols that they should put into place in terms of their computer infrastructure, data collection, and the establishment of personnel protocols, such as the handling of sensitive information and password changes. The transactions between the client and server will be examined along with the protocols used in the sharing of information, such as secure socket layers and their different certificates, and the encryption and security measures that are utilized. E-commerce firms must ensure that they control access to their information assets and the use of their networks by designing and implementing controls that will diminish the dissemination of sensitive information. There are possible vulnerabilities on a client’s machine that can lead to data being compromised before it is uploaded to the server. The monitoring of sensitive information, authentication techniques, virus detection tools, fraudulent connection discovery, database storage, encryption techniques, virus and cracking vulnerabilities, and firewall protection will be discussed herein.</p>
<h1>Background</h1>
<p>There is a multitude of possible scenarios where sensitive data can be stolen or misplaced when processing an online transaction. The methods used to steal and compromise sensitive data are dynamic and ever changing. Their purpose is to target applications and architectures that are widely used, such as instant messaging, email, standardized shopping carts, redundant coding schemes, database programs, and security techniques and encryption. Security concerns should be discussed during the design stages of systems development to ensure they are addressed properly (Chorafas, 2004). One reason for the multitude of security concerns faced by users is that the internet was not developed with security in mind; thus many of the techniques security professionals are putting into place are reactionary, and hackers are using these same methods. Traditional E-commerce security can be broken down into a three-tier model where the client, server, and database are described separately (Shwan, 2006). To gain an understanding of the threats against E-Commerce applications, we must also explore security concerns that threaten all systems.</p>
<h1>Client Security Overview</h1>
<p>Attackers have a few choices when deciding whom to target when attempting to steal sensitive information. They can target the consumer, their computer, the connection between the computer and the E-Commerce site, or the web server and the services that allow it to run properly (Khusial, McKegney, 2005).</p>
<p>The purpose of client side security is to safeguard information stored on a system from individuals and malware that attempt to gain unsanctioned access to data. Protection from this type of unauthorized intrusion must be handled by both software and hardware (Shwan, 2006). The use of biometrics to gain access to systems, secure access controls, and digital signatures are examples of techniques used to ensure client side security. Security methods related to communication should also be addressed at both the local network and internet levels. Clients must ensure that all communications have encryption enabled to safeguard transactions from software such as spoofer programs, sniffers, Trojans, and backdoors. Consumers’ computers are often targeted because of their relatively lax security settings (Khusial, McKegney, 2005). Users often disable security settings because of conflicts, or computer vendors leave them disabled to ensure ease of use.</p>
<p>Secure systems have four categories that they follow to ensure data safeguards (Khusial, McKegney, 2005). First, the system utilizes authentication methods to verify that the user is permitted to utilize the system. Second, authorization dictates how much of the system the user is permitted to use to safeguard certain files and important data. Third, encryption ensures that data cannot be read by users who may be attempting to gather files from a transaction. Lastly, auditing is used to keep logs of all transactions and connections for the purpose of detecting breaches and ensuring that a system is performing efficiently.</p>
<h1>Server Security Overview</h1>
<p>The majority of experts agree that the most effective way of reducing threats against a server is by separating the web server from the server database and application servers. Due to the web server having a direct connection to the internet, it is the gateway between users and an E-Commerce site, thus the majority of threats will attempt to gain access through this portal. All sensitive information, such as consumer accounts, passwords, addresses, credit card numbers, and social security numbers should not be stored on the web server (Shwan, 2006). If it is absolutely necessary to do so, the information should be encrypted to the highest standards. Like the client side machine, both physical and logical controls should be put into place to protect the system. Operating system selection, web server software, and their configurations play an important role when setting up a web server.</p>
<p>There are six types of vulnerabilities in any type of website and E-Commerce system (Woody, 2003). The methods used in a system’s design, implementation, and configuration, along with its resources, users, and business processes, are each at risk for vulnerabilities (Woody, 2003). In the FBI Computer Crime and Security Survey conducted in 2003, professionals from IT security fields throughout the US were surveyed; 78% responded that they had detected internet security breaches, while 30% detected breaches from internal sources (Woody, 2003). The most likely sources of attacks were independent hackers with the intention of gaining profit, current and former disgruntled employees, competitive firms, and foreign espionage agencies.</p>
<h1>Application Servers and Databases Overview</h1>
<p>Application servers further enhance security by handling communication between the web server and the database server. When the web server makes a request for sensitive information from the database, the application server handles the request so a direct link to the database is not permitted, which could create a security risk. E-Commerce databases often house information pertaining to thousands of individuals, thus they are at an elevated risk for intrusion. Methods of disaster recovery must be in place to ensure quick recovery from an attack or vulnerability.</p>
<h1>Types of Attacks</h1>
<h2>Social Engineering</h2>
<p>One of the most common attacks does not involve knowledge of any type of computer system. Tricking shoppers into revealing sensitive information by posing as a system administrator or customer service representative is known as social engineering. Social engineers use surveillance and a consumer’s limited knowledge of computer systems to their advantage by collecting information that would allow them to access private accounts.</p>
<h2>Port Scanners</h2>
<p>Attackers can use port scanners to ascertain entry points into a system and use various techniques to steal information. This type of software sends signals to a machine or router and records the message the machine responds with to ascertain information and entry points (Cobb, 2007). The main purpose of a port scanner is to gather information related to hardware and software that a system is running so that a plan of attack can be developed.</p>
<h2>Packet Sniffers</h2>
<p>The connection between a user’s computer and the web server can be “sniffed” to gather an abundance of data concerning a user, including credit card information and passwords. A packet sniffer is used to gather data that is passed through a network (Bradley, 2005). It is very difficult to detect packet sniffers because they only capture network traffic and do not manipulate the data stream. The use of a Secure Socket Layer connection is the best way to ensure that attackers utilizing packet sniffers cannot steal sensitive data.</p>
<h2>Password Cracking</h2>
<p>Password cracking can involve different types of vulnerabilities and decrypting techniques; however, the most popular form of password cracking is a brute force attempt. Brute force password attacks are used to crack an individual’s username and password for a specific website by scanning thousands of common terms, words, activities, and names until a combination of them is granted access to a server. Brute force cracking takes advantage of systems that do not require strong passwords; users of such systems will often choose common names and activities, making it simple for a password cracker to gain access to a system. Other password cracking methods include using hash tables to decrypt password files that may divulge an entire system’s user name and password list.</p>
<h2>Trojans</h2>
<p>Trojan software is considered to be the most harmful in terms of E-Commerce security due to its ability to secretly connect and send confidential information. These programs are developed for the specific purpose of communicating without the chance of detection. Trojans can be used to filter data from many different clients, servers, and database systems. Trojans can be installed to monitor emails, instant messages, database communications, and a multitude of other services. The percentage of personal computers with Trojan software installed was a staggering 31% in 2006 with a steady increase from years before (Webroot, 2006).</p>
<h2>Denial of Service Attacks</h2>
<p>Denial of service attacks are used to overload a server and render it useless. The server is asked repeatedly to perform tasks that require it to use a large amount of resources until it can no longer function properly. The attacker will install virus or Trojan software onto an abundance of user PCs and instruct them to perform the attack on a specific server. Denial of service attacks can be used by competitors to interrupt the service of another E-Commerce retailer or by attackers who want to bring down a web server for the purpose of disabling some type of security feature. Once the server is down, they may have access to other functions of a server, such as the database or a user’s system. This allows the attacker the means to install software or disable other security features.</p>
<h2>Server Bugs</h2>
<p>Server bugs are often found and patched in a timely fashion that does not allow an attacker to utilize the threat against an E-Commerce web site. However, system administrators are often slow to implement the newest updates, thus allowing an attacker sufficient time to generate a threat. With the millions of web servers in use around the world, thousands often go without timely patches, leaving them vulnerable to an onslaught of server bugs and threats (Khusial, McKegney, 2005).</p>
<h2>Super User Exploits</h2>
<p>Super user exploits allow attackers to gain control of a system as if they were an administrator. They often use scripts to manipulate a database or a buffer overflow attack that cripples a system, much like a Denial of Service attack for the purpose of gaining control of the system. Users can create scripts that manipulate a browser into funneling information from sources, such as databases.</p>
<h1>Web Development Best Practices</h1>
<p>There are specific practices that web developers and E-Commerce administrators can utilize on their sites to minimize security threats and improve customer satisfaction. Customer passwords should never be stored directly on the web server in either plain text or encrypted form. A more appropriate method is to use a one-way hashing algorithm to ensure that passwords are not able to be gathered (Khusial, McKegney, 2005). Benefits can also be gathered from the employment of ethical hackers to analyze and report system vulnerabilities. Using previously identified password standards, such as the Federal Information Processing Standards, web developers can ensure that password cracking attempts will be futile. It is imperative that systems be patched within a reasonable amount of time and that systems administrators are up to date on the newest developments in internet security.</p>
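<p>An added example (not part of the original article) of the one-way password storage recommended above, showing why a per-user salt and a slow key-derivation function matter against the dictionary and hash-table attacks described under Password Cracking. The record format, iteration count, function names and sample accounts are assumptions constructed for this example.</p>

```python
import hashlib
import hmac
import os

# Assumed policy values for this example (not taken from the article).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed sample data: two customers chose the same common password.
SAMPLE_CUSTOMERS = {
    "alice": "sunshine1",
    "bob": "sunshine1",
    "carol": "T7#qv-Lm2!xR",
}


def weak_record(password):
    """Single unsalted fast hash: equal passwords give equal stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def _parse(record):
    """Split a stored record into (iterations, salt, hash) or raise ValueError."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown scheme")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify(password, record):
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        iterations, salt, expected = _parse(record)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, iterations
        )
    except (ValueError, OverflowError):
        return False  # malformed or corrupted record never authenticates
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record):
    """True when a record was created under a weaker cost than current policy."""
    try:
        iterations, _salt, _hash = _parse(record)
    except ValueError:
        return True
    return PBKDF2_ITERATIONS > iterations


def shared_hash_groups(records):
    """Audit helper: list groups of users whose stored values are identical.

    Any group found means a stolen table reveals which accounts share a
    password, and one precomputed lookup unlocks all of them at once.
    """
    by_value = {}
    for user, value in records.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


if __name__ == "__main__":
    weak = {u: weak_record(p) for u, p in SAMPLE_CUSTOMERS.items()}
    strong = {u: make_record(p) for u, p in SAMPLE_CUSTOMERS.items()}
    print("unsalted, shared values:", shared_hash_groups(weak))
    print("salted,   shared values:", shared_hash_groups(strong))
    print("login ok:", verify("sunshine1", strong["alice"]))
    print("login rejected:", not verify("sunshine2", strong["alice"]))
```

<p>On login, a record for which <code>needs_rehash</code> returns true can be regenerated with <code>make_record</code> once the password has verified, so older accounts move to the current cost without a forced reset.</p>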
<h1>Security Methods</h1>
<p>Web developers and security professionals must implement and utilize effective security techniques and policies. Technology management must follow the three R’s of security – recognize, resist, and recover (Woody, 2003). Sound security practices include the use of firewalls, threat detection, encryption, authentication methods, software updates, and penetration testing.</p>
<h2>Firewalls</h2>
<p>A firewall’s primary use is to filter out communications that may be threatening to a system. It limits traffic to a system and only allows pre-determined activity to pass through its filter. Firewalls can also be configured so that connections are only authenticated if they are from a specific source machine.</p>
<h2>Secure Socket Layer (SSL)</h2>
<p>Secure Socket Layer is a form of encryption between a client and a host (shopper and web server). All communications when visiting a page with confidential information, such as social security numbers and credit cards, are encrypted before they are sent over the internet. Even if a hacker is able to intercept data packets from the information being exchanged, the hacker would require tools that could decrypt the files. Secure Socket Layer encryption gives individuals browsing a website more confidence that their purchase will be secure, leading to more sales and revenue (Papa, 2001). This makes having a Secure Socket Layer essential for all E-Commerce websites. It is the de facto standard in internet and E-Commerce security. An SSL certificate resides on a secure server to encrypt data and authenticate a website. It also contains data that identifies the certificate owner and the domain that it is registered to. The Secure Socket Layer plays no role in ensuring that data is not intercepted by a hacker; it only ensures that the information will be useless to them.</p>
<h2>One-Way Hashing Algorithms</h2>
<p>Secure one-way hash functions use a fingerprint on each data packet so that both a web server and client can verify data integrity. One-way hash functions serve many purposes, such as encryption, integrity checking, and authentication. MD5 is an example of a one-way hash algorithm that can be used to ensure files downloaded from the internet have not been infected with malicious code (Spitzer, 2001). System administrators often use an MD5 algorithm when delivering large files or downloading updates for systems to ensure the integrity of the data, so that they do not install software that may have Trojans or other harmful code.</p>
<h2>Transport Layer Security</h2>
<p>The purpose of Transport Layer Security, much like Secure Socket Layer, is to ensure attackers cannot access confidential information. TLS ensures that no eavesdropping, tampering, or message forgery is possible (Diaz et al., 2001).</p>
<h2>Database Encryption Techniques</h2>
<p>The majority of security implementations target the outside defenses of a system. They attempt to isolate the server and not allow incoming transmissions. This is effective against outside intruders; however, administrators often forget that many attacks originate from inside of an enterprise or E-Commerce department. The database is where the majority of important enterprise files reside, thus it is imperative that they be kept safe. Secure encryption techniques must be put into place that also protect the security keys and allow access only to specific individuals. Thus, it is important to also consider things such as access management, event logging, and auditing (RSA Security, 2006). Encryption strategies must be put into place so that it is not possible for disgruntled employees to gain access to system keys. There are two main methods of database encryption. The first encrypts the files inside of the database, which does not affect outside applications; however, it requires intensive processing and risks the data being stolen outside of the database. Another solution is to encrypt the data when it exits the database. This is considered to be a more secure solution because keys are not stored along with the text, but instead on a piece of hardware.</p>
<p>It is imperative that E-Commerce firms create a risk-aware culture that instructs workers about security threats and best security practices. User training is essential, as individuals often have no clue that their actions pose major security threats to their website. Users who transmit confidential data over unencrypted communication methods, for example, may not understand that they can cripple an enterprise. It does not matter how secure a system is if the individuals who are using it are not educated and do not understand what to do in security situations.</p>
<h1>Effective Password Policies</h1>
<p>The implementation of password policies that help to diminish a password cracker’s effectiveness is essential. Accounts should be locked out after a certain number of consecutive wrong username and password combinations. This ensures that users utilizing a brute force attack will not be able to consecutively attempt login combinations. Their IP address will be blacklisted on the web server. Minimum password lengths and maximum occurrences of a specific character are two of many ways to increase E-Commerce security (Khusial, McKegney, 2005).</p>
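<p>A sketch of the controls described above, added here as an example and not taken from the original article: a password check for minimum length and maximum occurrences of one character, plus a throttle that locks an account and blocks a source IP after consecutive failures. All thresholds, class and function names are assumptions.</p>

```python
import time
from collections import Counter

MIN_LENGTH = 12        # thresholds are assumed; the article names no values
MAX_SAME_CHAR = 3
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900


def password_violations(password):
    """Return the policy rules a candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password and max(Counter(password).values()) > MAX_SAME_CHAR:
        problems.append("char_repeated")
    return problems


class LoginThrottle:
    """Counts consecutive failures per account and per source IP."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # key -> consecutive failures
        self._locked_until = {}  # key -> time the block expires

    @staticmethod
    def _keys(username, ip):
        return (("user", username.lower()), ("ip", ip))

    def is_blocked(self, username, ip):
        now = self._clock()
        return any(self._locked_until.get(k, 0) > now for k in self._keys(username, ip))

    def record(self, username, ip, success):
        if self.is_blocked(username, ip):
            return "blocked"  # credentials are not evaluated while locked
        user_key, ip_key = self._keys(username, ip)
        if success:
            # Only the account counter resets; a deployment would age the IP counter.
            self._failures.pop(user_key, None)
            return "ok"
        for key in (user_key, ip_key):
            self._failures[key] = self._failures.get(key, 0) + 1
            if self._failures[key] >= MAX_FAILURES:
                self._locked_until[key] = self._clock() + LOCKOUT_SECONDS
                self._failures[key] = 0
        return "failed"
```

<p>Because the lock is keyed on both the account and the address, a guesser who switches IP still meets the locked account, and one who switches accounts still meets the blocked IP.</p>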
<h1>Analysis</h1>
<p>There is no end to the need to secure data on an E-Commerce system. The threats that these systems face on a daily basis are staggering, and the number of different types of threats and manipulation tactics used by hackers ensures that E-Commerce systems must be monitored and updated constantly with new technologies, encryption methods, employee education, and best practices. Based on my research, I have recommendations for E-Commerce firms who require that a security project be undertaken to ensure data security. First, a team must be organized that is comprised of system users, managers, and designers to ensure that guidelines are created that help the project get organized. The security team will ensure that the project remains on target and proper decisions are made. Next, requirements must be defined so that there is a firm understanding of the purpose of the security solution. For an E-Commerce store, data security related to consumer information would most likely be at the forefront of the discussions and requirements. A solution for the requirements must be found that is flexible and ensures scalability for future applications.</p>
<p>Through my research, I have isolated key areas that must be concentrated on when choosing the correct type of data security model. These key areas include data that is in motion, which moves through networks and over the internet. Also, data at rest must be examined, which is stored on servers, PCs, and other storage devices. Access controls must also be put into place that ensure individuals are authorized to view and transfer data. Finally, data integrity must be assured through the protection of security keys that can authorize access to an encrypted server or piece of data.</p>
<p>When searching for a security solution, there are recommendations I have gathered based on my research. It is essential that the solution provide easy integration into an existing system, thus it must allow for efficient bandwidth use and the ability for administrators to use it without altering current operations. This ensures a low total cost of ownership and provides flexibility so that it can be integrated with other software that might improve administrative performance. Security systems should have extensive customization features and the highest levels of security that meet governmental regulations. It must also allow for logging and the following of an audit trail. All solutions should be created using standards-based systems to ensure that they can be utilized with software from other leading security firms. Solutions should ensure that data integrity be placed at the forefront of operations by only storing access keys in hardware.</p>
<p>Ensuring that E-Commerce firms follow these security methods will keep prying eyes from reaching a consumer’s sensitive information and keep the E-Commerce firm from losing or compromising important business practices. It is important for individuals to understand that the internet is ever-changing and new research and methods of compromising data are discovered every day that could potentially allow access to private data. With the use of best website practices and strong security techniques there is a very small chance that an educated end user will be affected. The majority of individuals affected on a daily basis are those who have no knowledge related to information security, thus they are left exposed to the multitude of threats waiting specifically for users such as themselves on the internet. As the research and comments have shown, E-Commerce is not secure and every day there are security breaches around the world where information is stolen. It is important for individuals to understand that while this does in fact happen, E-Commerce is still more secure than commerce in the real world. When at a restaurant and someone leaves their card on the table, or when ordering from a catalog, there are inherent risks involved that may allow any individual to copy the credit card information and use it at a later time. In contrast, when you order online, that information is transmitted over a secure connection that only a determined and well-trained individual can gain access to, as long as the user takes proper security precautions. It is important for users of E-Commerce systems to understand that a system that has been configured properly is almost impossible to gain access to.</p>
<h1>Summary</h1>
<p>A firm understanding of E-Commerce security features, methods, and threats allows both users and security administrators to trust the system that they are working with. If proper techniques are used to secure and use a system, it is almost impossible for an unauthorized user to gain access. On the other hand, the multitude of hacking and cracking applications available poses a serious threat to E-Commerce applications and it is important to understand their uses and the threats that they pose. Just as important, especially for administrators, is to understand and gather information on a daily basis related to the newest research regarding security. Because the internet is ever-changing, it is essential that individuals stay up to date on the newest occurrences that might affect the systems that they are using and divulging their confidential information to.</p>
<p>Convincing E-Commerce firms to take the important step of ensuring data security is essential for systems administrators. These individuals must present to managers the data that shows the high rate of data theft and the whirlwind of problems it leaves behind for firms and consumers. The reiteration of the importance of user training cannot be said enough. A system is only as secure as the individuals who are accessing it. The highest encryption standards will not hold up if an individual is allowed access to the key that ensures its security, thus user education must take place to diminish the ability of individuals to access such files and documents.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krio.me/internet-security-threats-and-protection-methods/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
