Chapter 9 - Study Guide

Introduction to E-commerce

Transcript of Chapter 9 - Study Guide

    Chapter 9

    E-Commerce Security and Fraud

    As you read the textbook and go through this lesson, think about the following questions:

    What are the major forms of Internet crime?

    What are the typical security measures used by e-commerce?

    Why is the Internet vulnerable to attack?

    What concerns might a consumer have when doing business online?

    What concerns might a business have when selling products or services online?

    What are authentication, authorization, and nonrepudiation?

    What are some common Internet attack methods?

    What is phishing?

    What three components can be used to measure security of the e-commerce environment?

    Why is it difficult to stop Internet crime?

    Upon completion of this chapter, you will be able to:

    1. Understand the importance and scope of security of information systems for EC.

    2. Describe the major concepts and terminology of EC security.

    3. Learn about the major EC security threats, vulnerabilities, and technical attacks.

    4. Understand Internet fraud, phishing, and spam.

    5. Describe the information assurance security principles.

    6. Identify and assess major technologies and methods for securing EC access and communications.

    7. Describe the major technologies for protection of EC networks.

    8. Describe various types of controls and special defense mechanisms.

    9. Describe consumer and seller protection from fraud.

    10. Describe the role of business continuity and disaster recovery planning.

    11. Discuss EC security's enterprisewide implementation issues.

    12. Understand why it is not possible to stop computer crimes.

    Answers to Pause/Break Section Review Questions

    Section 9.1 Review Questions

    1. Define computer security.

    Computer security refers to the protection of data, networks, computer programs, computer power, and other elements of computerized information systems.

    2. List the major findings of the CSI 2010 survey.

    The most expensive computer security incidents were those involving financial fraud.

    Virus incidents occurred most frequently.

    Almost one in ten organizations reported they experienced a domain name system (DNS) incident.

    Twenty-seven percent of those surveyed responded positively to a question regarding targeted attacks.

    The vast majority of respondents said their organizations had a security policy.

    3. Describe the vulnerable design of the Internet.

    The Internet and its network protocols were never intended for use by untrustworthy people or criminals. They were designed to accommodate computer-to-computer communications in a closed and trusted community.

    4. Describe some profit-induced computer crimes.

    Most popular is the theft of personal information such as credit card numbers, bank accounts, Internet IDs, and passwords.

    5. Define the Internet underground economy.

    E-markets for stolen information made up of thousands of Web sites that sell credit card numbers, social security numbers, other data such as numbers of bank accounts, social network IDs, passwords, and much more.

    6. Describe the dynamic nature of EC systems.

    EC systems are changing all the time due to a stream of innovations. With changes often come security problems.

    7. What makes EC security management so difficult? What is the dilemma?

    The defense of information systems and EC is getting more difficult. The attackers change their strategies and attack methods all the time.

    Section 9.2 Review Questions

    1. List five major terms of EC security.

    Business continuity plan

    Cybercrime

    Exposure

    Fraud

    Malware (malicious software)

    Phishing

    Risk

    Social engineering

    Spam

    Vulnerability

    Zombie

    2. Describe the major unintentional security hazards.

    Human error. Human error can occur in the design of the hardware or information system.

    Environmental hazards. These include earthquakes, severe storms (e.g., hurricanes, blizzards, or sand), floods, power failures or strong fluctuations, fires (the most common hazard), explosions, radioactive fallout, and water-cooling system failures.

    Defects in the computer system. Defects can be the result of poor manufacturing, defective materials, and outdated or poorly maintained networks.

    3. List five examples of intentional EC security crimes.

    theft of data or hardware (e.g., laptops)

    inappropriate use of data

    deliberate manipulation in handling, entering, processing, transferring, or programming data

    vandalism

    sabotage

    malicious damage to computer resources

    destruction from viruses

    Internet fraud

    4. Describe the security battleground, who participates, and how. What are the possible results?

    This battleground includes:

    The attacks, the attackers, and their strategies

    The items that are being attacked

    The defenders and their methods and strategy

    Each side uses its tools to exert control; one group wins each battle.

    5. Define hacker, cracker, and social engineering.

    Hacker: someone who gains unauthorized access to a computer system

    Cracker: a malicious hacker, who may represent a serious problem for a corporation

    Social engineering: a collection of tactics used to manipulate people into performing actions or divulging confidential information

    6. List all security requirements and define authentication and authorization requirements.

    Authentication: process to verify (assure) the real identity of an individual, computer, computer program, or EC Web site

    Authorization: process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform

    7. What is nonrepudiation?

    Assurance that online customers or trading partners cannot falsely deny (repudiate) their purchase or transaction.

    8. Describe deterring, preventing, and detecting in EC security systems.

    Deterring measures: actions that will make criminals abandon their idea of attacking a specific system (e.g., the possibility of losing a job for insiders)

    Prevention measures: ways to help stop unauthorized users (also known as intruders) from accessing any part of the EC system

    Detection measures: ways to determine whether intruders attempted to break into the EC system, whether they were successful, and what they may have done

    9. What is a security strategy, and why is it needed?

    A security strategy is an overriding plan for maintaining IS security within an organization. From it all other security plans arise.

    Section 9.3 Review Questions

    1. Describe the difference between a nontechnical and a technical cyber attack.

    A technical attack uses IT technology, whereas a nontechnical attack uses (or attacks) standard security measures.

    2. What are the major forms of malicious code?

    Viruses

    Worms

    Macro viruses and worms

    Trojan horses

    3. What factors account for the increase in malicious code?

    Mixing applications with executable code

    Homogenous computing environments

    Connectivity

    Uneducated users

    4. Define a virus and explain how it works.

    A piece of software code that inserts itself into a host, including the operating systems, in order to propagate; it requires that its host program be run to activate it.

    5. Define worm and Trojan horse.

    Worm: a software program that runs independently, consuming the resources of its host in order to maintain itself, and is capable of propagating a complete working version of itself onto another machine

    Trojan horse: a program that appears to have a useful function but contains a hidden function that presents a security risk

    6. Define DoS. How are DoS attacks perpetrated?

    An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources. A denial of service attack occurs when an attacker gains illegal administration access to as many computers on the Internet as possible and uses these multiple computers to send a flood of data packets to a target computer.

    7. Define server and page hijacking.

    Gaining control of a web server or creating a rogue copy of a popular Web site that shows contents similar to the original to a Web crawler. Once there, an unsuspecting user is redirected to malicious Web sites.

    8. Describe botnet attacks.

    A huge number (e.g., hundreds of thousands) of hijacked Internet computers are set up to forward traffic, including spam and viruses, to other computers on the Internet.

    Section 9.4 Review Questions

    1. Define phishing.

    The criminal, fraudulent process of attempting to acquire confidential information such as user names, passwords, and credit card details by masquerading as a trustworthy entity such as a well-known bank, credit card company, a large social network, or a telecommunication company, in an electronic communication, usually via e-mail or IM.

    2. Describe the relationship of phishing to financial fraud.

    In many cases, phishing leads to financial fraud.

    3. Briefly describe some phishing tactics.

    Attackers pretend to be from reputable firms, and ask users to provide personal information as a part of an existing relationship.

    4. Describe spam and its methods.

    Spam is sending or posting a large number of emails or other electronic records indiscriminately.

    5. Define splogs and explain how sploggers make money.

    Short for spam blog, a splog is a site created solely for marketing purposes.

    These sites steal content from other blogs with the hope of increasing their search engine hits, which in turn increases the value of any advertising they have.

    6. Why and how are social networks being attacked?

    Social networks can be attacked in much the same way as individuals and Web sites currently are. They are an inviting target due to their size and growth.

    Section 9.5 Review Questions

    1. What is information assurance? List its major components.

    Information assurance is the protection of information against unauthorized access or modification. Its components include:

    Confidentiality

    Integrity

    Availability

    Authentication

    Authorization

    Nonrepudiation

    2. Define confidentiality, integrity, and availability.

    Confidentiality: assurance of data privacy and accuracy; keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes

    Integrity: assurance that stored data has not been modified without authorization; a message that was sent is the same message that was received

    Availability: assurance that access to data, the Web site, or other EC data service is timely, available, reliable, and restricted to authorized users

    3. Define authentication, authorization, and nonrepudiation.

    Authentication requires evidence in the form of credentials.

    Authorization requires comparing information about the person or program with access control information associated with the resource being accessed.

    Nonrepudiation is the concept of ensuring that a party in a dispute cannot repudiate or refute the validity of a statement or contract.
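    The three definitions above (authentication by credentials, authorization by comparing the entity with the access control information on the resource, and the detection measures of Section 9.2) can be put together in a few dozen lines. The following is an added example, not code from the textbook or this study guide; the users, passwords, roles, resource name and the ACL layout are all constructed for illustration, and the PBKDF2 parameters are an assumption.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data for this example: two users with salted PBKDF2
# password verifiers, and an access-control list (ACL) attached to one
# resource. Names, passwords, roles and the resource are invented.


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Derive a fixed-length verifier from a password (stdlib PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(password: str, roles: List[str]) -> Dict:
    salt = os.urandom(16)
    return {"salt": salt, "verifier": hash_password(password, salt), "roles": roles}


USERS: Dict[str, Dict] = {
    "alice": make_user("paper-lantern-42", ["customer"]),
    "bob": make_user("granite-harbor-7", ["customer", "order_admin"]),
}

# resource -> operation -> roles permitted to perform it
ACL: Dict[str, Dict[str, List[str]]] = {
    "orders/1001": {"read": ["customer", "order_admin"], "refund": ["order_admin"]},
}

AUDIT_LOG: List[str] = []  # detection measure: every decision is recorded


def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: check the presented credential (evidence) against the
    stored verifier. Returns the verified identity, or None on failure."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)  # same cost as a real check
        AUDIT_LOG.append(f"AUTH FAIL unknown user {username!r}")
        return None
    candidate = hash_password(password, user["salt"])
    if hmac.compare_digest(candidate, user["verifier"]):
        AUDIT_LOG.append(f"AUTH OK {username}")
        return username
    AUDIT_LOG.append(f"AUTH FAIL bad password for {username}")
    return None


def authorize(username: str, resource: str, operation: str) -> bool:
    """Authorization: compare the authenticated entity's roles with the access
    control information attached to the resource. Anything not listed is denied."""
    permitted = ACL.get(resource, {}).get(operation, [])
    granted = any(role in permitted for role in USERS[username]["roles"])
    AUDIT_LOG.append(f"AUTHZ {'OK' if granted else 'DENY'} {username} {operation} {resource}")
    return granted


def access(username: str, password: str, resource: str, operation: str) -> bool:
    """Authenticate first, then authorize; a failed login never reaches the ACL."""
    identity = authenticate(username, password)
    if identity is None:
        return False
    return authorize(identity, resource, operation)


if __name__ == "__main__":
    print(access("alice", "paper-lantern-42", "orders/1001", "read"))    # True
    print(access("alice", "paper-lantern-42", "orders/1001", "refund"))  # False
    print(access("bob", "granite-harbor-7", "orders/1001", "refund"))    # True
    print(access("alice", "wrong", "orders/1001", "read"))               # False
    print("\n".join(AUDIT_LOG))
```

    Two design points worth noticing: the ACL is consulted only after authentication succeeds, and the default for an unlisted resource or operation is deny, so forgetting to add an entry fails closed rather than open. The audit log is what later lets a defender answer the Section 9.2 detection questions (did someone try, did they succeed, what did they do).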

    4. List the six objectives of EC strategy.

    Prevention and deterrence.

    Detection.

    Containment (contain the damage).

    Recovery.

    Correction.

    Awareness and compliance.

    5. Discuss the gap between security spending and a company's security needs.

    Because of the constantly changing threats, it is difficult to keep up with the costs of security.

    6. Describe vulnerability assessment.

    The process of identifying, quantifying, and prioritizing the vulnerabilities in a system.

    7. List the six categories of defense in EC systems.

    Defending access to computing systems, data flow, and EC transactions

    Defending EC networks

    General, administrative, and application controls

    Protection against social engineering and fraud

    Disaster preparation, business continuity, and risk management

    Implementing enterprise-wide security programs

    Section 9.6 Review Questions

    1. Define access control.

    Mechanism that determines who can legitimately use a network resource.

    2. What are the basic elements of an authentication system?

    A group or person to be authenticated

    A distinguishing characteristic

    A system proprietor

    Authentication mechanism

    Access control mechanism

    3. Define biometric systems and list five of their methods.

    Authentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice.

    Example methods include:

    Thumbprint or fingerprint

    Retinal scan

    Voice scan

    Signature

    Facial recognition

    4. Define a symmetric (one-key) encryption.

    An encryption system that uses the same key to encrypt and decrypt the message.

    5. List some of the disadvantages of the symmetric system.

    One disadvantage is that the security of the message as a whole is based on a single key, and that the message cannot be verified against a second key.

    6. What are the key elements of PKI?

    A pair of matched keys: a public key to encrypt a message and a private key to decrypt it, or vice versa

    7. Describe the PKI process.

    The process is detailed in Exhibit 9.11.

    8. What role does a certificate authority play?

    It is a verification that the holder of a public or private key is who they claim to be. These certificates are issued by certificate authorities.
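    The symmetric-system disadvantage in question 5 (everything rests on one key, and nothing can be checked against a second key) is easy to see in code. The block below is an added example, not from the textbook or this guide; it uses an HMAC tag under a shared key as the symmetric mechanism (the page names no specific algorithm, so that choice is an assumption), and the order message is constructed.

```python
import hashlib
import hmac
import os
from typing import Dict


def make_tag(key: bytes, message: bytes) -> bytes:
    """Authentication tag over message under a shared key (HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check that tag was computed over message with key."""
    return hmac.compare_digest(make_tag(key, message), tag)


def symmetric_demo() -> Dict[str, bool]:
    """Walk through the one-key scenario and report what the receiving side
    can and cannot establish from the tag."""
    key = os.urandom(32)  # the single key, known to both buyer and merchant
    order = b"order 4711: 3 x widget, total 89.00 USD"  # constructed message
    tag = make_tag(key, order)  # buyer tags the order before sending

    # Merchant side: the genuine order verifies, a tampered copy does not.
    genuine_accepted = verify(key, order, tag)
    tampered = order.replace(b"3 x widget", b"30 x widget")
    tampered_accepted = verify(key, tampered, tag)

    # The limitation: the merchant holds the very same key, so a tag the
    # merchant computes over any message verifies just as well. The tag shows
    # the message was not altered in transit, but it cannot show a third party
    # which of the two key holders wrote it. Proving authorship needs a second
    # key that only one party has, which is what the PKI key pair provides.
    other = b"order 4712: 100 x widget, total 2970.00 USD"
    tag_by_receiver = make_tag(key, other)
    receiver_tag_verifies = verify(key, other, tag_by_receiver)

    return {
        "genuine_accepted": genuine_accepted,
        "tampered_accepted": tampered_accepted,
        "receiver_tag_verifies": receiver_tag_verifies,
    }


if __name__ == "__main__":
    print(symmetric_demo())
```

    The result ties question 5 to questions 6 through 8: a shared key gives integrity and mutual authentication between the two holders, but nonrepudiation toward anyone else requires a private key held by exactly one party, plus a certificate authority to vouch for which public key belongs to whom.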

    Section 9.7 Review Questions

    1. List the basic types of firewalls and briefly describe each.

    Packet-filtering routers: firewalls that filter data and requests moving from the public Internet to a private network based on the network addresses of the computers sending and receiving the request

    Application-level proxies: firewalls that permit requests for Web pages to move from the public Internet to the private network

    2. What is a personal firewall? What is DMZ architecture?

    A network node designed to protect an individual user's desktop system from the public network by monitoring all the traffic that passes through the computer's network interface card.

    DMZ is a popular defense system that includes two firewalls.
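    Questions 1 and 2 above describe packet filtering by network address and the two-firewall DMZ layout. The following added example, which is not code from the textbook or this guide, models both: a first-match rule evaluator with a default-deny policy, and an outer and inner rule set around a DMZ. The addresses are documentation ranges, and the rules, host roles and port numbers are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str          # source IP address
    dst: str          # destination IP address
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str                         # CIDR network or "any"
    dst: str                         # CIDR network or "any"
    dst_port: Optional[int] = None   # None matches any port
    proto: Optional[str] = None      # None matches any protocol


def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_in_net(rule.src, pkt.src) and _in_net(rule.dst, pkt.dst)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and (rule.proto is None or rule.proto == pkt.proto))


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that matches nothing is denied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed layout (documentation address ranges, not real hosts):
#   Internet -> outer firewall -> DMZ 203.0.113.0/24 (web server .10)
#            -> inner firewall -> internal 10.0.0.0/8 (database 10.0.5.20)
INTERNAL = "10.0.0.0/8"
DMZ = "203.0.113.0/24"
WEB = "203.0.113.10/32"
DB = "10.0.5.20/32"

OUTER_RULES = [
    Rule("allow", "any", WEB, 443, "tcp"),  # public HTTPS to the web server only
    Rule("deny", "any", INTERNAL),          # outside traffic never reaches the inside directly
    Rule("deny", "any", DMZ),               # anything else aimed at the DMZ is dropped
]

INNER_RULES = [
    Rule("allow", WEB, DB, 5432, "tcp"),    # only the web server may reach the database port
    Rule("deny", DMZ, INTERNAL),            # no other DMZ host may enter
    Rule("deny", "any", INTERNAL),
]


def dmz_decision(pkt: Packet) -> str:
    """Outer firewall for traffic arriving from the Internet, inner firewall for
    anything bound for the internal network; both must allow it to get through."""
    if _in_net(INTERNAL, pkt.src):
        return "allow"  # internal-to-internal traffic does not cross either firewall
    from_outside = not _in_net(DMZ, pkt.src)
    if from_outside and filter_packet(OUTER_RULES, pkt) == "deny":
        return "deny"   # stopped at the outer firewall
    if _in_net(INTERNAL, pkt.dst):
        return filter_packet(INNER_RULES, pkt)  # second gate guards the inside
    return "allow"      # reached its DMZ destination
```

    The point of the two rule sets is that a compromised DMZ host still cannot reach anything inside except the one database port the web server legitimately needs; that is the containment objective from Section 9.5. A packet filter decides on addresses, ports and protocol only, so what travels inside an allowed HTTPS connection is invisible to it, which is where the application-level proxy in question 1 fits.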

    3. How does a VPN work, and what are its benefits to users?

    A VPN is a network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network. It allows users to safely access protected network assets.

    4. Briefly describe the major types of IDSs.

    Audit logs: show attempted logins and system use

    Host-based IDS: watches for unauthorized file changes

    Network-based IDS: examines network traffic

    5. What is a honeynet? What is a honeypot?

    Honeynet: method of evaluating vulnerabilities of a system using honeypots

    Honeypot: systems used to study network intrusions

    6. Describe e-mail security.

    Complete e-mail security can include:

    Antivirus and antispam

    E-mail encryption

    Outbound filtering

    7. How can cloud computing help?

    Cloud computing provides for better data integrity, while reducing costs.

    Section 9.8 Review Questions

    1. What are general controls? List the various types.

    Controls established to protect the system regardless of the specific application. For example, protecting hardware and controlling access to the data center are independent of the specific application.

    2. What are administrative controls?

    Administrative controls deal with issuing guidelines and monitoring compliance with the guidelines.

    3. Define application controls.

    Controls that are intended to protect specific applications.

    4. How does one protect against spam?

    Companies can protect against spam by filtering email and working with providers on policies.

    5. How does one protect against pop-ups?

    Generally, through the use of pop-blocking tools in browsers and toolbars.

    6. How does one protect against phishing, spyware, and malvertising?

    These can be protected against through a combination of security applications and education.

    Section 9.9 Review Questions

    1. Why do organizations need a business continuity plan?

    The purpose of a business continuity plan is to keep the business running after a disaster occurs. Each function in the business should have a valid recovery capability plan.

    2. List three issues a business continuity plan should cover.

    Understand business & IT requirements

    Evaluate current capabilities

    Develop continuity plan

    3. Identify two factors that influence a company's ability to recover from a disaster.

    Two examples include proper planning and asset protection.

    4. What types of devices are needed for disaster avoidance?

    A variety of options are available to help avoid disasters. The simplest is the use of uninterruptible power supply (UPS) systems to help avoid issues created by power outages.

    5. How can you calculate expected loss?

    Using risk management analysis, it is possible to estimate losses based on different scenarios.

    6. List two ethical issues associated with security programs.

    Examples include constant monitoring of activities and possible invasion of privacy.

    Section 9.10 Review Questions

    1. If senior management is not committed to EC security, how might that impact the e-business?

    Student answers will vary, but lack of management support generally leads to the failure of an initiative.

    2. What is a benefit of using the risk exposure model for EC security planning?

    It allows the firm to allocate capital to the areas of greatest organizational importance.

    3. Why should every company implement an acceptable use policy?

    Student responses will vary, but these policies help to define parameters and are useful in planning.

    4. Why is training required?

    Since systems are unique and changing, it is important to train staff on their acceptable use and policy.

    5. List the six major reasons why it is difficult to stop computer crimes.

    Would Make Shopping Inconvenient

    Lack of Cooperation from Credit Card Issuers

    Shoppers' Negligence

    Design and Architecture Issues

    Ignoring EC Security Best Practices

    Lack of Due Care in Business Practices

    Answers to EC Application Case Questions

    EC Application Case 9.1:

    INTERNET STOCK FRAUD AIDED BY SPAM

    1. Why might people buy the penny stocks promoted in an e-mail message from an unknown source?

    Individuals may be looking to make some quick, easy money.

    2. Use Google or Bing to find out what can be done to filter image spam.

    Student searches and results will vary.

    EC Application Case 9.2:

    BUSINESS CONTINUITY AND DISASTER RECOVERY

    1. Why might a company that had a significant data loss not be able to recover?

    They may be completely unable to recreate the information that was lost.

    2. Why are regulators requiring that companies implement BC/DR plans?

    To ensure that companies are able to recover, and fulfill their obligations.

    Answers to Discussion Questions

    1. Consider how a hacker might trick people into giving him their user IDs and passwords to their Amazon.com accounts. What are some of the ways that a hacker might accomplish this? What crimes can be performed with such information?

    Student responses will vary. The most common approach would probably be a phishing email, indicating a need to verify account information by going to a false Web site.

    2. B2C EC sites continue to experience DoS attacks. How are these attacks perpetrated? Why is it so difficult to safeguard against them? What are some of the things a site can do to mitigate such attacks?

    DoS attacks come from many computers (zombies) at the same time. It is therefore difficult to isolate just the attacker's IP address and shut off traffic from it. Use of a firewall may help mitigate these attacks.

    3. How are botnet identity theft attacks and Web site hijacks perpetrated? Why are they so dangerous to e-commerce?

    Student answers will vary. Attacks are generally perpetrated by infecting large numbers of computer systems (botnets) or controlling data entering and exiting other Web sites (hijacks). Both are dangerous because they steal personal information that can later be used for identity theft. This represents a danger to EC because it pushes away potential customers.

    4. Discuss some of the difficulties of eliminating online financial fraud.

    The primary difficulties are the constantly changing attacks, and individuals' lack of understanding of security.

    5. Some companies prefer not to have disaster recovery plans. Under what

    circumstances does this make sense? Discuss.

    This does not make sense; all companies should be able to recover their data in the event of an emergency.

    6. Enter idesia-biometrics.com and look at its product. Discuss these benefits over other biometrics.

    Student searches and opinions will vary.

    7. Enter trendsecure.com and find a tool called HijackThis. Try the free tool. Find an online forum that deals with it. Discuss the benefits and limitations.

    Student searches and opinions will vary.

    8. Find information about the Zeus Trojan. Discuss why it is so effective as a financial data stealer. Why is it so difficult to mitigate this Trojan? Hint: See Falliere and Chien (2009).

    Student searches and opinions will vary.

    9. Find information about the scareware social engineering method. Why do you think it is so effective?

    Student searches and opinions will vary.

    10. The National Vulnerability Database (NVD) is a comprehensive cybersecurity database that integrates all publicly available U.S. government vulnerability resources and provides references to industry resources. Visit nvd.nist.gov and review 10 of the recent CVE vulnerabilities. For each vulnerability, list its published date, CVSS severity, impact type, and the operating system or software with the vulnerability.

    Student searches and opinions will vary.

    Topics for Class Discussion and Debates

    1. Survey results on the incidence of cyber attacks paint a mixed picture; some surveys show increases, others show decreases. What factors could account for the differences in the reported results?

    Student opinions will vary. The major issue may be how many attacks are reported.

    2. A business wants to share its customer account database with its trading partners, while at the same time providing prospective buyers with access to marketing materials on its Web site. Assuming that the business is responsible for running all these systems, what types of security components (e.g., firewalls, VPNs, etc.) could be used to ensure that the partners and customers have access to the account information and others do not? What type of network administrative procedures will provide the appropriate security?

    Student opinions will vary. The system required would need to meet strenuous security requirements due to the nature of information available and the number of integration points.

    3. Why is it so difficult to fight computer criminals? What strategies can be implemented by financial institutions, airlines, and other heavy users of EC?

    Student opinions will vary. The discussion will focus on intentions and budgets to address them.

    4. All EC sites share common security threats and vulnerabilities. Do you think that B2C Web sites face different threats and vulnerabilities than B2B sites? Explain.

    Student opinions will vary. The discussion will focus on both the areas of weakness and the types of attacks directed at them.

    5. Why is phishing so difficult to control? What can be done? Discuss.

    Student opinions will vary. The debate will focus on training and its effectiveness.

    6. Debate: The best strategy is to invest very little and only in proven technologies such as encryption and firewalls.

    Student opinions will vary. The debate will focus on the issues of costs versus risk.

    7. Debate: Can the underground Internet marketplace be controlled? Why or why not?

    Student opinions will vary. The debate will focus on individual motivations and the cost of products.

    8. Debate: Is taking your fingerprints or other biometrics to assure EC security a violation of your privacy?

    Student opinions will vary. The debate will be on the extent of privacy.

    9. A body scan at airports created a big debate. Debate both points of this issue and relate it to EC security.

    Student opinions will vary. The debate will focus on privacy versus security.

    Internet Exercises (Note: URLs may change over time; please check the Internet Exercises on the Turban Web site for possible updates: www.pearsonhighered.com/turban.)

    1. Your B2C site has been hacked. List two organizations where you would report this incident so that they can alert other sites. How do you do this, and what type of information do you have to provide?

    Student responses will vary based on the location of the hack.

    2. Connect to the Internet. Determine the IP address of your computer by visiting at least two Web sites that provide that feature. You can use a search engine to locate Web sites or visit ip-adress.com or whatismyipaddress.com. What other information does the search reveal about your connection? Based on this information, how could a company or hacker use that information?

    Student results and reports will vary based on date of research and sites selected.

    3. Enter the site of Perimeter eSecurity and find the white paper Institutional Identity Theft. Compare institutional identity theft with personal identity theft. How can a company protect itself against identity theft?

    Student results and reports will vary based on date of research. Potential solutions selected will also vary.

    4. The National Strategy to Secure Cyberspace provides a series of actions and recommendations for each of its five national priorities. Search and download a copy of the strategy online. Selecting one of the priorities, discuss in detail the actions and recommendations for that priority.

    Student results and reports will vary based on date of research and which priority is evaluated.

    5. The Symantec Internet Security Threat Report provides details about the trends in attacks and vulnerabilities in Internet security. Obtain a copy of the report and summarize the major findings of the report for both attacks and vulnerabilities.

    Student results and reports will vary based on date of research.

    6. Enter perimeterusa.com and look for a white paper titled Top 9 Network Security Threats in 2009. Summarize these threats. Then look for a paper titled The ABCs of Social Engineering. Summarize the suggested defense.

    Student opinions and reports will vary based on what threats are compared.

    7. Enter security firm finjan.com and find examples of underground Internet activities in five different countries. Prepare a summary.

    Student results and reports will vary based on date of research.

    8. Enter ftc.gov/bcp/edu/microsites/idtheft, identytheft.info, idtheftcenter.org, and identytheftprotection.org. Find information about: the prevention, protection against, cases about, and survival of identity theft. Write a report.

    Student results and reports will vary based on date of research and the content selected.

    9. Enter verisign.com and find information about PKI and encryption. Write a report.

    Student results and reports will vary based on date of research. The use of key-based encryption will be evaluated.

    10. Enter gfi.com/emailsecuritytest and similar sites. Write some guidelines for protecting your PC.

    Student reports will vary based on their perceptions of the threats.

    11. Enter hijackthis.com. Do a free scan of your computer. Comment on the report you received.

    Student results and reports will vary based on date of research and report received.

    12. Enter blackhat.com. Find out what they are about. Summarize some of their activities.

    Student results and reports will vary based on date of research.

    13. Enter bsimm.com/community. Describe the activities of the community and how it helps to fight cybercrime.

    Student results and reports will vary based on date of research and activities selected.

    Team Assignments and Role Playing

    1. Assignment for the Opening Case

    Read the opening case and answer the following questions:

    a. What kind of attack was it?

    It was a botnet attack.

    b. Why was it difficult to stop it and to recover?

    The infection was self-spreading and had reached computers throughout the hospital, so every infected machine had to be found and cleaned before normal operation could resume.

    c. What do you think motivated Maxwell to conduct the attack?

    Opinions will vary; from the case as presented, the motive does not appear to be financial.

    d. After the incident, the hospital added more layers of defense. Why did

    they not have it before?

    They were either unaware they needed it, or unwilling to dedicate the

    budget to it.

    e. After reading Section 9.7, what do you think can be done on top of what

    has been done to prevent the incident?

    Employee education may also have helped stop its spread.

    f. Is the punishment severe enough to deter others? Why or why not?

    Student opinion will vary.

    2. Assign teams to report on the major spam and scam threats. Examine examples

    provided by ftc.gov, the Symantec report on the state of spam (2009), and white

    papers from IBM, Verisign, and other security firms.

    Student reports will vary based on the topic assigned.

    3. Several personal firewall products are available. A list of these products can be

    found at firewallguide.com/software.htm. Assign each team three products from

    the list. Each team should prepare a detailed review and comparison of each of the

    products they have been assigned.

    Student reports will vary based on the products evaluated.

    4. Enter symantec.com/business/security_response/whitepapers.jsp and find the

    white papers: (1) The Risks of Social Networking and (2) The Rise of PDF Malware. Prepare a summary of both and find how they relate to each other.

    Student responses and opinions will vary.

    5. Watch the video Cyber Attacks and Extortion at searchsecurity.techtarget.com/video/0,297151,sid14_gci1345344,00.html. Answer the

    following questions:

    a. Why are there more extortions online today? How are they

    accomplished?

    b. What is involved in targeted e-mail attacks?

    c. What is an SQL injection attack?

    Student responses and opinions will vary. This is an interesting video with details

    that students will respond to differently.

    6. Data leaks can be a major problem. Find all the major defense methods. Check

    all major security vendors (e.g., Symantec). Find white papers and Webinars on the

    subject.

    Student responses and opinions will vary.

    7. Each team is assigned to one method of fighting against online fraud. Each

    method should deal with a different type of fraud (e.g., banking [try IBM's ZTIC], identifying suspicious e-mails, dealing with cookies in Web browsers, credit card

    protection, securing wireless networks, installing antiphishing protection for your

    browser with phishing filter, and so forth).

    Student responses and opinions will vary based on the method assigned.

    Answers to End-of-Chapter Real-World Case Questions: HOW

    TWO BANKS STOPPED SCAMS, SPAMS, AND

    CYBERCRIMINALS

    1. List the major security problems of CNB of Oklahoma and relate them to the

    attack methods described in Section 9.2 through 9.4.

    Many of the attack methods are represented, including malware, spam, and viruses.

    2. In what ways has CNB solved the e-mail problems? (List specific problems and

    solutions).

    Malware: blocked access to known-bad Web sites and blocked the ability to download executables.

    Viruses: virus scanning at both the server and the desktop level.

    Security of e-mail content: use of encryption.

    3. Given the problems of CNB and its solutions, what is an even better defense

    mechanism? (Use Sections 9.6 through 9.10, and what you can find on the Web.)

    Student opinions will vary; they may include the use of a firewall/DMZ.

    4. List the major security problems faced by BankWest and relate them to the attack

    methods described in Sections 9.2 through 9.4.

    It appears that phishing scams were the primary issue.

    5. In what ways has BankWest solved the fraud schemes?

    It has focused on user education on the nature and current trends of scams.

    6. Given the problems of BankWest and its solutions, what is an even better defense

    mechanism?

    Opinions will vary, but software-based phishing blockers might be added.

    Practice Test

    1) According to the CSI Computer Crime and Security Survey, firewalls were

    the most commonly used defense technologies in 2008.

    Answer: FALSE

    2) According to the CSI Computer Crime Security Survey, the most

    frequently occurring computer attacks were from viruses in 2008.

    Answer: TRUE

    3) The Internet and its network protocols were never intended for use by

    untrustworthy people or criminals.

    Answer: TRUE

    4) Keystroke logging captures and records user keystrokes.

    Answer: TRUE

    5) Cybercrimes are intentional crimes carried out on the Internet.

    Answer: TRUE

    6) An EC security strategy requires multiple layers of defense against risks

    from malware, fraudsters, customers, and employees.

    Answer: TRUE

    7) Detection measures are actions that will make criminals abandon their idea

    of attacking a specific system.

    Answer: FALSE

    8) Internet fraud has grown even faster than the Internet itself.

    Answer: TRUE

    9) Confidentiality, integrity, and awareness are the three components of the

    CIA security triad.

    Answer: FALSE

    10) Encryption algorithm is the mathematical formula used to encrypt

    plaintext into ciphertext, and vice versa.

    Answer: TRUE

    11) Strong EC security makes online shopping more convenient for customers.

    Answer: FALSE

    12) Shoppers can rely on fraud protection provided by credit card issuers to

    protect them from identity theft.

    Answer: FALSE

    13) Phishing is rampant because some people respond to it and make it

    profitable.

    Answer: TRUE

    14) Which of the following is the underlying reason why comprehensive EC

    security is necessary?

    A) The Internet was designed for maximum efficiency without regard for its

    security or users with malicious intent.

    B) The shift toward profit-motivated crimes

    C) Security costs and efforts from reacting to online attacks and paying for

    damages are greater than if an EC security strategy is in place.

    D) Many companies fail to implement basic IT security management best practices,

    business continuity plans, and disaster recovery plans.

    Answer: A

    15) The process of verifying the real identity of an individual, computer,

    computer program, or EC Web site best describes:

    A) integrity.

    B) authentication.

    C) availability.

    D) nonrepudiation.

    Answer: B

    16) The assurance that an online customer or trading partner cannot falsely

    deny their purchase or transaction is referred to as:

    A) integrity.

    B) availability.

    C) authentication.

    D) nonrepudiation.

    Answer: D

    17) ________ is the criminal, fraudulent process of attempting to acquire

    confidential information by masquerading as a trustworthy entity.

    A) Spamming

    B) Pretexting

    C) Social engineering

    D) Phishing

    Answer: D

    18) ________ is the process of determining what the authenticated entity is

    allowed to access and what operations it is allowed to perform.

    Answer: Authorization
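    As an added worked example (not from the textbook or this instructor's guide), the following Python program shows the sequence that the definitions in questions 15 and 18 describe: identification by username, authentication by proof of a password, and only then authorization against an access control list of the kind described in the chapter. The accounts, passwords, resources and ACL entries are constructed for illustration, and the iteration count is an assumption chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumption: chosen for this example; tune upward in production


def make_password_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a salted, iterated hash of the password, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed user store (hypothetical accounts for illustration).
USERS = {
    "alice": make_password_record("correct horse battery staple"),
    "bob": make_password_record("hunter2"),
}

# Constructed access control list: resource -> {user: operations allowed}.
ACL = {
    "/orders": {"alice": {"read", "write"}, "bob": {"read"}},
    "/admin/refunds": {"alice": {"read", "write", "execute"}},
}


def authenticate(username: str, password: str) -> bool:
    """Identification (the username) followed by authentication (proof of the password)."""
    record = USERS.get(username)
    if record is None:
        # Do the same expensive work for unknown users so that account
        # existence cannot be inferred from response time.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    # Constant-time comparison avoids leaking how many bytes of the hash matched.
    return hmac.compare_digest(candidate, record["hash"])


def authorize(username: str, resource: str, operation: str) -> bool:
    """Authorization: what an already-authenticated entity may do. Default deny:
    a resource or user absent from the ACL grants nothing."""
    return operation in ACL.get(resource, {}).get(username, set())


def request(username: str, password: str, resource: str, operation: str) -> str:
    """The order matters: authenticate first, then check rights for this resource."""
    if not authenticate(username, password):
        return "401 authentication failed"
    if not authorize(username, resource, operation):
        return "403 not authorized"
    return "200 ok"


if __name__ == "__main__":
    for who, pw, res, op in [
        ("alice", "correct horse battery staple", "/orders", "write"),
        ("bob", "hunter2", "/orders", "write"),
        ("bob", "wrong password", "/orders", "read"),
        ("mallory", "anything", "/admin/refunds", "execute"),
    ]:
        print(who, op, res, "->", request(who, pw, res, op))
```

    Two points the definitions alone do not show: authorization is only meaningful after authentication has succeeded, and an ACL should deny by default, so a user or resource that was never listed gets no rights rather than falling through to some permissive default.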

    19) ________ is the assurance that online customers or trading partners

    cannot falsely deny their purchase or transaction.

    Answer: Nonrepudiation

    20) ______________ is the assurance that data are accurate or that a message

    has not been altered.

    Answer: Integrity

    21) ________ is the assurance of data privacy.

    Answer: Confidentiality

    22) ________ is the process of scrambling a message in such a way that it is

    difficult, expensive, or time-consuming for an unauthorized person to

    unscramble it.

    Answer: Encryption

    23) ________ are barriers between a trusted network or PC and the

    untrustworthy Internet.

    Answer: Firewalls

    24) Compare current motives of hackers to those of the past.

    Answer: In the early days of EC, many hackers simply wanted to gain fame or

    notoriety by defacing Web sites or gaining root, which means gaining unrestricted

    (superuser) access to a system. Criminals and criminal gangs are now profit oriented, and their

    tactics are not limited to the online world.

    25) List and briefly describe the three components of the CIA security triad.

    Answer: The CIA triad includes confidentiality, integrity, and availability.

    Confidentiality is the assurance of data privacy. The data or transmitted message is

    encrypted so that it is readable only by the person for whom it is intended. The

    confidentiality function prevents unauthorized disclosure of information. Integrity

    is the assurance that data are accurate or that a message has not been altered. It

    means that stored data has not been modified without authorization; a message that

    was sent is the same message that was received. Availability is the assurance that

    access to data, the Web site, or other EC data service is timely, available, reliable,

    and restricted to authorized users.

    26) List the six major objectives of EC defense strategies.

    Answer: Prevention and deterrence, detection, containment, recovery, correction,

    and awareness and compliance are the six objectives.

    27) Briefly discuss the five encryption components.

    Answer: The five components are plaintext, encryption algorithm, key or key

    value, key space, and ciphertext. Plaintext is the original message or document that

    is created by the user and is in human-readable form. The encryption algorithm is

    the set of procedures or mathematical functions used to encrypt or decrypt a

    message. The key or key value is the secret value used with the algorithm to

    transform the message. Key space refers to the set of all possible key values for a

    given algorithm and key length; the larger it is, the more work an exhaustive key search requires. Ciphertext is the

    message or document that has been encrypted into unreadable form.
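    Added example (not part of the textbook): a short Python program that makes the five components of question 27 concrete and shows why the size of the key space matters. The cipher is a toy built from HMAC-SHA256 in counter mode, chosen only so that the program runs with the standard library; a real EC system would use a vetted cipher such as AES-GCM. The plaintext, the deliberately tiny 16-bit key and the known prefix used by the attacker are constructed for illustration.

```python
import hashlib
import hmac


def keystream(key: bytes, length: int) -> bytes:
    """The encryption algorithm: expand the key into a pseudorandom keystream
    (HMAC-SHA256 over a counter). Illustrative only; not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """plaintext + key -> ciphertext (XOR with the keystream)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation with the same key."""
    return encrypt(key, ciphertext)


def key_space_size(key_bits: int) -> int:
    """Key space: the number of distinct keys the algorithm can use at this key length."""
    return 2 ** key_bits


def brute_force(ciphertext: bytes, key_bits: int, known_prefix: bytes):
    """Exhaustive key search: try every key in the key space and stop at the first
    one whose decryption starts with text the attacker expects (here 'ORDER').
    Returns (key, plaintext, attempts) or None if no key fits."""
    key_len = (key_bits + 7) // 8
    for k in range(key_space_size(key_bits)):
        key = k.to_bytes(key_len, "big")
        candidate = decrypt(key, ciphertext)
        if candidate.startswith(known_prefix):
            return key, candidate, k + 1
    return None


if __name__ == "__main__":
    plaintext = b"ORDER 4711: 2 x widget"          # constructed sample message
    weak_key = (0x1234).to_bytes(2, "big")          # 16-bit key: only 65,536 possibilities
    ciphertext = encrypt(weak_key, plaintext)
    print("ciphertext:", ciphertext.hex())
    print("recovered by brute force:", brute_force(ciphertext, 16, b"ORDER"))
    print("keys in a 128-bit key space:", key_space_size(128))
```

    With a 16-bit key the search finishes in a few thousand attempts; with a 128-bit key the same loop would need on the order of 3.4 x 10^38 attempts, which is the practical meaning of "difficult, expensive, or time-consuming" in the definition of encryption above. Note also that the attacker needs no knowledge of the key, only of the algorithm and a guess about how the plaintext begins.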

    28) Briefly describe four major components for protecting internal

    information flow inside an organization.

    Answer: Firewall, virtual private network, intrusion detection system, and

    honeynet and honeypot are four components. A firewall is a single point between

    two or more networks where all traffic must pass; the device authenticates,

    controls, and logs all traffic. A virtual private network is a network that uses the

    public Internet to carry information but remains private by using encryption to

    keep the communications confidential, integrity checks (message authentication) to

    ensure that the information has not been tampered with in transit, and authentication

    and access control to verify the identity of anyone using the network and limit

    what they can reach. Intrusion detection systems are a special category of software

    that monitor activity across a network or on a host computer, watch for suspicious

    activity, and raise alerts (or, in intrusion prevention configurations, block the

    traffic) based on what they see. A honeynet is a network of honeypots,

    and honeypots act as decoys and are watched to study how network intrusions

    occur.
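    Added example of the intrusion detection logic described in question 28 (not the textbook's code): a Python script that parses constructed Web-server log lines and raises alerts for two attack patterns this chapter discusses, SQL injection in request parameters (team assignment 5) and repeated failed logins from one address. The log lines, addresses, signatures and the five-failure threshold are all made up for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Web-server access log (Common Log Format). These lines are made up
# for the example and do not come from any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2009:13:55:36 +0000] "GET /product?id=42 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2009:13:55:41 +0000] "GET /product?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312
198.51.100.9 - - [10/Oct/2009:13:56:01 +0000] "POST /login HTTP/1.1" 401 88
198.51.100.9 - - [10/Oct/2009:13:56:02 +0000] "POST /login HTTP/1.1" 401 88
198.51.100.9 - - [10/Oct/2009:13:56:03 +0000] "POST /login HTTP/1.1" 401 88
198.51.100.9 - - [10/Oct/2009:13:56:04 +0000] "POST /login HTTP/1.1" 401 88
198.51.100.9 - - [10/Oct/2009:13:56:05 +0000] "POST /login HTTP/1.1" 401 88
192.0.2.50 - - [10/Oct/2009:13:56:30 +0000] "POST /login HTTP/1.1" 401 88
192.0.2.50 - - [10/Oct/2009:13:56:40 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.33 - - [10/Oct/2009:13:57:10 +0000] "GET /product?id=7;%20DROP%20TABLE%20orders-- HTTP/1.1" 500 312
192.0.2.50 - - [10/Oct/2009:13:57:12 +0000] "GET /checkout HTTP/1.1" 200 2048
"""

# One log line: client IP, timestamp, request line, status code, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Signatures for SQL injection in the URL-decoded request path (illustrative, not exhaustive).
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*or\s*'?\d*'?\s*=\s*'?\d*",   # tautology such as ' OR '1'='1
    r";\s*drop\s+table",               # stacked query
    r"union\s+select",                 # UNION-based data extraction
    r"--(\s|$)",                       # SQL comment used to truncate the query
)]


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["path"] = unquote(entry["path"])  # decode %27, %20 and similar before matching
    entry["status"] = int(entry["status"])
    return entry


def detect_sqli(entry: dict) -> bool:
    return any(p.search(entry["path"]) for p in SQLI_PATTERNS)


def analyze(log_text: str, login_threshold: int = 5) -> list:
    """Signature detection (SQL injection) plus threshold detection (password guessing).
    Returns (alert_type, source_ip, detail) tuples."""
    alerts = []
    failed_logins = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if detect_sqli(entry):
            alerts.append(("sqli", entry["ip"], entry["path"]))
        if entry["path"].startswith("/login") and entry["status"] == 401:
            failed_logins[entry["ip"]] += 1
    for ip, count in failed_logins.items():
        if count >= login_threshold:
            alerts.append(("brute_force_login", ip, f"{count} failed logins"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

    The decoding step is the part most often missed: the injection in the second line arrives percent-encoded, so a signature applied to the raw line would not fire. The single failed login from 192.0.2.50 stays below the threshold, which is the distinction a detection rule needs between a user who mistyped a password and an automated guessing attack.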

    Chapter Test

    1. Preventing vulnerability during the EC design and pre-implementation stage

    is far more expensive than mitigating problems later.

    A. True B. False

    2. Phishing is rampant because some people respond to it and make it profitable.

    A. True B. False

    3. Access control involves authorization and authentication.

    A. True B. False

    4. The key reasons why EC criminals cannot be stopped include each of the

    following except:

    A. Online shoppers do not take necessary precautions to avoid becoming a victim.

    B. Strong EC security makes online shopping inconvenient and demanding on customers.

    C. Sophisticated hackers use browsers to crack into Web sites. D. There is a lack of cooperation from credit card issuers and foreign ISPs.

    5. The assurance that an online customer or trading partner cannot falsely deny

    their purchase or transaction is referred to as:

    A. nonrepudiation. B. integrity. C. availability. D. authentication.

    6. Fingerprint scanners, facial recognition systems, and voice recognition are

    examples of ________ that recognize a person by some physical trait.

    A. access control lists B. human firewalls C. biometric systems D. intrusion detection systems

    7. ________ is the criminal, fraudulent process of attempting to acquire

    confidential information by masquerading as a trustworthy entity.

    A. Phishing B. Pretexting C. Social engineering D. Spamming

    8. A botnet is:

    A. a huge number of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the

    Internet.

    B. a piece of code in a worm that spreads rapidly and exploits some known vulnerability.

    C. a production system that looks like it does real work, but that acts as a decoy and is watched to study how network intrusions occur.

    D. a piece of software code that inserts itself into a host or operating system to launch DoS attacks.

    9. A summary of a message, converted into a string of digits after the hash has

    been applied, best describes:

    A. digital envelope. B. hash. C. message digest. D. digital signature.

    10. A law that makes it a crime to send commercial e-mail messages with false or

    misleading message headers or misleading subject lines is:

    A. SSL. B. EEA. C. DMCA. D. CAN-SPAM.

    11. The work atmosphere that a company sets for its employees describes:

    A. standard of due care. B. internal control environment. C. acceptable use policy. D. internal politics.

    12. The combination of the encrypted original message and the digital signature,

    using the recipient's public key, best describes:

    A. digital envelope. B. digital signature. C. hash. D. message digest.

    13. The success and security of EC is measured by:

    A. confidentiality, integrity, and availability.

    B. quality, reliability, and speed.

    C. encryption, functionality, and privacy.

    D. authentication, authorization, and nonrepudiation.

    14. Each of the following is a true statement about access control except:

    A. All resources need to be considered together to identify the rights of users or categories of users.

    B. Access control lists (ACLs) define users' rights, such as what they are allowed to read, view, write, print, copy, delete, execute, modify, or move.

    C. Access control determines which persons, programs, or machines can legitimately use a network resource and which resources he, she, or it can use.

    D. After a user has been identified, the user must be authenticated.

    15. Assurance that stored data has not been modified without authorization and

    a message that was sent is the same message that was received is referred to as:

    A. nonrepudiation.

    B. availability. C. authentication. D. integrity.

    16. The motives of hackers have shifted from the desire for fame and notoriety

    to advancing personal and political agendas.

    A. True B. False

    17. Keystroke logging captures and records user keystrokes.

    A. True B. False

    18. Cybercrimes are intentional crimes carried out on the Internet.

    A. True B. False

    19. Social engineering is an example of an unintentional threat.

    A. True B. False

    20. Authentication provides the means to reconstruct what specific actions have

    occurred and may help EC security investigators identify the person or program

    that performed unauthorized actions.

    A. True B. False

    21. The process of verifying the real identity of an individual, computer,

    computer program, or EC Web site best describes:

    A. authentication. B. nonrepudiation. C. availability. D. integrity.

    22. Encryption components include each of the following except:

    A. key value. B. encryption algorithm. C. ciphertext. D. internal control environment.

    23. Protecting information and information systems from unauthorized access,

    use, disclosure, disruption, modification, perusal, inspection, recording, or

    destruction best defines:

    A. anti-virus protection. B. security audit. C. incident management. D. information security.

    24. The protection of information systems against unauthorized access to or

    modification of information that is stored, processed, or being sent over a

    network is referred to as:

    A. data integrity. B. human firewall. C. information assurance. D. information integrity.

    25. An attack on a website in which an attacker uses specialized software to send

    a flood of data packets to the target computer with the aim of overloading its

    resources best describes:

    A. botnet infestation. B. denial-of-service attack. C. cyberhijacking. D. cyberraid.