Wilderness Trailhead, Inc. (WTI) is a retailer that offers hiking, rock-climbing, and survival gear for sale on its Web site. WTI targets the serious outdoor enthusiast and offers high-quality equipment at competitive prices. The company has been in business on the Web for eight years. It has grown rapidly and has been profitable since its first year of operations. WTI offers about 1200 different items for sale and has about 1000 visitors per day at its Web site. Because the company's offerings are specialized and high quality, its average transaction size is much higher than that of other outdoor equipment stores. WTI makes about 200 sales each day on its site, with an average transaction value of $372. WTI sells products primarily through its Web site (it does have a small retail outlet store for discontinued items in Bellingham, Washington) to customers in the United States and Canada. WTI ships orders from its two warehouses, one in Vancouver, British Columbia, and a second in Shoreline, Washington. WTI accepts four major credit cards and processes its own credit card transactions. It stores records of all transactions on a database server that shares a small room with the Web server computer at WTI's main offices in a small industrial park just outside of Bellingham. Harry Bogdosian, the manager of IT for WTI, has become increasingly concerned about the security of the company's Web and database servers as the company has grown.

Part 1 WTI faces certain risks that arise from its storage of customer credit card numbers on its database server. List at least four specific threats to the database server's security, and identify defenses, deterrents, or countermeasures that might reduce or eliminate the potential damage that could be caused by those threats.

Answer

Major threats to the WTI database server include:

Insider threat: risk to corporate information and intellectual property (transaction records, card numbers and other confidential data) from internal staff and trading partners. It is difficult to control how sensitive information is handled by third parties or contract workers, and a staff member who already has database access can copy the stored card numbers without breaking in at all.

Theft of card data: attackers who can exploit a weakness in the Web server or Web application (which sits beside the database server at WTI's offices) may reach the database and extract stored credit card numbers, passwords and transaction details. Phishing WTI staff or customers for their passwords is another route to the same data, because a stolen credential looks like a legitimate login.

Identity theft: an attacker who obtains customer account details (user names, addresses, login credentials and other personal information) can log in to the store under a stolen identity, place orders worth thousands of dollars on the victim's card, and have them shipped to an address other than the one on record.

Malware: viruses, worms and Trojans are deceptive ways of stealing information and can undermine trust in the whole e-commerce operation. Worms spread between systems at great speed and can cripple the entire network; a Trojan on the Web or database server can run programs, read stored files (including the transaction database), and modify or upload them.

Solutions

Authentication: identify and reject non-genuine users. Confirm customers' identities with checks beyond the password (security questions, biometrics and similar), store passwords only as salted one-way hashes rather than in any recoverable form, and encrypt the stored card numbers with a key that is kept off the database server, so that a copied database is of little use by itself.

Intrusion checks: run current antivirus and a properly configured firewall on the database server, and restrict network access to and from it to a short list of pre-approved hosts and accounts (for WTI, the Web server and the administrators who maintain the database), so that an attacker who has compromised another machine cannot connect to the database directly. Log failed connection attempts and review them.

Educating users: teaching users safe practices keeps the whole operation running smoothly. Phishing, for example, has been curbed to a good extent by warning genuine users never to hand their passwords or card details to unsolicited requests; WTI's own staff, who can reach the database directly, need the same training.
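The authentication countermeasure above, and the statement in the Part 2 policy below that passwords use "160-bit encryption", both turn on how passwords are stored. The following is an added example, not part of the original answer, that contrasts an unsalted 160-bit SHA-1 digest with a salted, iterated PBKDF2 record using only the Python standard library. The iteration count, record format and sample passwords are assumptions for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2. Assumed value for this example; raise it as hardware
# improves so that one guess costs the server tens of milliseconds.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1(password: str) -> str:
    """Unsalted 160-bit SHA-1, the kind of "160-bit" protection a policy may
    describe. Every user with the same password gets the same digest, so one
    cracked digest (or one precomputed table) unmasks all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).
    A fresh random salt per user means equal passwords yield different records,
    and storing the cost lets it be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and cost and compare in
    constant time, so response timing leaks nothing about the stored value.
    Malformed or unknown records are rejected rather than raising."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two customers who happen to share a password.
    shared = "trailmix2024"
    print("SHA-1 digests identical:", legacy_sha1(shared) == legacy_sha1(shared))
    record_a = hash_password(shared)
    record_b = hash_password(shared)
    print("PBKDF2 records differ:   ", record_a != record_b)
    print("correct password:        ", verify_password(shared, record_a))
    print("wrong password:          ", verify_password("Trailmix2024", record_a))
```

The "160-bit encryption" of the policy text is really a 160-bit hash, and an unsalted one is the weak case shown by legacy_sha1: identical passwords produce identical digests, so a single precomputed table cracks every account that used them. The PBKDF2 record carries its own salt and cost, so the verifier can recompute it, and the constant-time comparison avoids leaking how many bytes matched.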

------

Part 2 Write a security policy for the operation of the WTI database server. Be sure to consider the threats that exist because that server stores customer credit card numbers. You can use the links included. CERIAS/Purdue University http://www.cerias.purdue.edu/ Network Security Library http://secinf.net/ Information Security Policy World http://www.information-security-policies-and-standards.com/ Computer Security Resource Center: Policy Drivers http://csrc.nist.gov/drivers/index.html SANS Security Policy Project http://www.sans.org/newlook/resources/policies/policies.htm

Answer

WTI Security Policy

Wilderness Trailhead, Inc. ("WTI") is committed to protecting your personal information and privacy. This Privacy Statement applies exclusively to the Site of WTI.

WTI® is a Licensee of the TRUSTe Privacy Program. TRUSTe is an independent organization whose mission is to build users' trust and confidence in the Internet, by promoting the use of fair information practices.

Gather Information

You may simply browse our site for the products we provide; for browsing we do not collect any personal information.

If you choose to provide us with your PII ("Personally Identifiable Information"), you are agreeing to the processing and storage of your information in the United States and countries outside of the United States which may have data protection laws that differ from laws in your country.

Use of Your Information

WTI may use, share, transfer, or disclose your PII and/or Usage Statistics, itself or in conjunction with third parties, for payment processing, fraud prevention, customer service, demographic studies, to tailor WTI®'s content and services to its users' needs, and to serve advertisements.

Email addresses are considered confidential. They are not sold or distributed to other parties, nor do we send unsolicited mass-mailing advertisements.

Security
WTI uses multiple security procedures and practices to protect the PII (Personally Identifiable Information) requested from users against unauthorized access, destruction, use, modification and disclosure.

All PII is password protected. Passwords are stored only as salted 160-bit one-way hashes, never in clear text or in any reversible form, so they cannot be recovered from the database.

WTI uses 128-bit Secure Sockets Layer (SSL) technology and digital certificates to encrypt and authenticate transactions (credit card and other payments). SSL creates a secured connection between our Web servers and your browser, which protects transmitted data against unauthorized access and ensures that data is sent only to the intended recipient.

Our database logs every important change, recording who made it and the values before and after, so that an unauthorized transaction can be quickly identified and reversed.

Our main servers are locked and hosted by a leading provider of Internet access to enterprises with mission-critical Internet application requirements. Access to the host environment is highly secure. Biometric scanning, 24/7 onsite staff monitoring, and other safeguards are utilized. In addition, back-up servers that are stripped of email addresses, passwords, and credit card information are located in an office that is locked outside of normal business hours.

Despite these security procedures and practices, as is the case with all computer networks connected to the Internet, WTI cannot guarantee the security of your PII or any other information provided over the Internet and will not be responsible for breaches of security.
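The statement above about logging important changes so that unauthorized transactions can be reversed describes an audit trail. The following is an added example, not part of the original answer or of WTI's system, that implements one with SQLite triggers from the Python standard library: every insert, update and delete on a transactions table is copied, with old and new values and the acting user, into an append-only audit table, and a logged change can be reversed from the log entry alone. The table and column names, the session_user mechanism and the sample order are assumptions for the illustration.

```python
import sqlite3

# Schema for this illustration. Table and column names are assumptions, not
# WTI's real schema.
SCHEMA = """
CREATE TABLE transactions (
    txn_id       INTEGER PRIMARY KEY,
    customer     TEXT    NOT NULL,
    amount_cents INTEGER NOT NULL,
    ship_to      TEXT    NOT NULL
);
-- Who the application is acting for; set before each unit of work so the
-- triggers can attribute every change to a person or service account.
CREATE TABLE session_user (id INTEGER PRIMARY KEY CHECK (id = 1), name TEXT NOT NULL);
INSERT INTO session_user VALUES (1, 'unknown');
-- Append-only change log holding old and new values side by side.
CREATE TABLE transaction_audit (
    audit_id   INTEGER PRIMARY KEY,
    txn_id     INTEGER NOT NULL,
    action     TEXT    NOT NULL,
    changed_by TEXT    NOT NULL,
    changed_at TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
    old_customer TEXT, old_amount INTEGER, old_ship_to TEXT,
    new_customer TEXT, new_amount INTEGER, new_ship_to TEXT
);
CREATE TRIGGER txn_insert AFTER INSERT ON transactions BEGIN
    INSERT INTO transaction_audit (txn_id, action, changed_by, new_customer, new_amount, new_ship_to)
    VALUES (NEW.txn_id, 'insert', (SELECT name FROM session_user), NEW.customer, NEW.amount_cents, NEW.ship_to);
END;
CREATE TRIGGER txn_update AFTER UPDATE ON transactions BEGIN
    INSERT INTO transaction_audit (txn_id, action, changed_by, old_customer, old_amount, old_ship_to,
                                   new_customer, new_amount, new_ship_to)
    VALUES (OLD.txn_id, 'update', (SELECT name FROM session_user), OLD.customer, OLD.amount_cents, OLD.ship_to,
            NEW.customer, NEW.amount_cents, NEW.ship_to);
END;
CREATE TRIGGER txn_delete AFTER DELETE ON transactions BEGIN
    INSERT INTO transaction_audit (txn_id, action, changed_by, old_customer, old_amount, old_ship_to)
    VALUES (OLD.txn_id, 'delete', (SELECT name FROM session_user), OLD.customer, OLD.amount_cents, OLD.ship_to);
END;
-- The log itself must not be editable, even by the account that writes to it.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON transaction_audit BEGIN
    SELECT RAISE(ABORT, 'audit log is append-only');
END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON transaction_audit BEGIN
    SELECT RAISE(ABORT, 'audit log is append-only');
END;
"""


def open_store() -> sqlite3.Connection:
    """Fresh in-memory database carrying the audited schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def act_as(conn: sqlite3.Connection, user: str) -> None:
    conn.execute("UPDATE session_user SET name = ? WHERE id = 1", (user,))


def record_sale(conn: sqlite3.Connection, customer: str, amount_cents: int, ship_to: str) -> int:
    cur = conn.execute("INSERT INTO transactions (customer, amount_cents, ship_to) VALUES (?, ?, ?)",
                       (customer, amount_cents, ship_to))
    return cur.lastrowid


def change_shipping(conn: sqlite3.Connection, txn_id: int, ship_to: str) -> None:
    conn.execute("UPDATE transactions SET ship_to = ? WHERE txn_id = ?", (ship_to, txn_id))


def get_transaction(conn: sqlite3.Connection, txn_id: int):
    """(customer, amount_cents, ship_to) or None if the row does not exist."""
    return conn.execute("SELECT customer, amount_cents, ship_to FROM transactions WHERE txn_id = ?",
                        (txn_id,)).fetchone()


def audit_trail(conn: sqlite3.Connection, txn_id: int):
    """(audit_id, action, changed_by, old_ship_to, new_ship_to) per change, oldest first."""
    return conn.execute("SELECT audit_id, action, changed_by, old_ship_to, new_ship_to "
                        "FROM transaction_audit WHERE txn_id = ? ORDER BY audit_id", (txn_id,)).fetchall()


def reverse_change(conn: sqlite3.Connection, audit_id: int) -> bool:
    """Undo one logged change by restoring the OLD values it captured (or deleting
    a row that was inserted). The reversal runs through the same triggers, so the
    log keeps both the bad change and its correction."""
    row = conn.execute("SELECT txn_id, action, old_customer, old_amount, old_ship_to "
                       "FROM transaction_audit WHERE audit_id = ?", (audit_id,)).fetchone()
    if row is None:
        return False
    txn_id, action, customer, amount, ship_to = row
    if action == "insert":
        conn.execute("DELETE FROM transactions WHERE txn_id = ?", (txn_id,))
    elif action == "update":
        conn.execute("UPDATE transactions SET customer = ?, amount_cents = ?, ship_to = ? WHERE txn_id = ?",
                     (customer, amount, ship_to, txn_id))
    else:  # delete: put the row back under its original id
        conn.execute("INSERT INTO transactions (txn_id, customer, amount_cents, ship_to) VALUES (?, ?, ?, ?)",
                     (txn_id, customer, amount, ship_to))
    return True


def tampering_blocked(conn: sqlite3.Connection) -> bool:
    """True if an attempt to wipe the log is refused. Row-level triggers fire
    only when a row is affected, so call this once the log has entries."""
    try:
        conn.execute("DELETE FROM transaction_audit")
    except sqlite3.DatabaseError:
        return True
    return False
```

In this design the application names the acting user before each unit of work, so a redirected shipping address or an altered amount is tied to the account that made it. The RAISE(ABORT) triggers stop an application account from rewriting history, but an administrator with DDL rights can drop them, so a real deployment should also copy the audit table off the database server, which is the machine the threats in Part 1 target.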

Updates to this Policy

We will notify you of any update to the WTI policy either by mail or by phone.

Contact Us
If you have questions or suggestions regarding this Privacy Policy, please do contact us.