Chapter 9
E-Commerce Security and Fraud
As you read the textbook and go through this lesson, think about the following questions:
· What are the major forms of Internet crime?
· What are the typical security measures used by e-commerce?
· Why is the Internet vulnerable to attack?
· What concerns might a consumer have when doing business online?
· What concerns might a business have when selling products or services online?
· What are authentication, authorization, and nonrepudiation?
· What are some common Internet attack methods?
· What is phishing?
· What three components can be used to measure security of the e-commerce environment?
· Why is it difficult to stop Internet crime?
Upon completion of this chapter, you will be able to:
1. Understand the importance and scope of security of information systems for EC.
2. Describe the major concepts and terminology of EC security.
3. Learn about the major EC security threats, vulnerabilities, and technical attacks.
4. Understand Internet fraud, phishing, and spam.
5. Describe the information assurance security principles.
6. Identify and assess major technologies and methods for securing EC access and communications.
7. Describe the major technologies for protection of EC networks.
8. Describe various types of controls and special defense mechanisms.
9. Describe consumer and seller protection from fraud.
10. Describe the role of business continuity and disaster recovery planning.
11. Discuss EC security’s enterprisewide implementation issues.
12. Understand why it is not possible to stop computer crimes.
Answers to Pause/Break Section Review Questions
Section 9.1 Review Questions
1. Define computer security.
Computer security
refers to the protection of data, networks, computer programs, computer power,
and other elements of computerized information systems.
2. List the major findings of the CSI 2010 survey.
· The most expensive computer security
incidents were those involving financial fraud.
· Virus incidents occurred most frequently.
· Almost one in ten organizations reported they
experienced a domain name system (DNS) incident.
· Twenty-seven percent of those surveyed
responded positively to a question regarding “targeted attacks.”
· The vast majority of respondents said their
organizations had a security policy.
3. Describe the vulnerable design of the Internet.
The Internet and its network protocols were
never intended for use by untrustworthy people or criminals. They were designed
to accommodate computer-to-computer communications in a closed and trusted
community.
4. Describe some profit-induced computer crimes.
Most popular is the theft of personal information such as credit card
numbers, bank accounts, Internet IDs, and passwords.
5. Define the Internet underground economy.
E-markets for stolen information made up of thousands of Web sites that
sell credit card numbers, social security numbers, other data such as numbers
of bank accounts, social network IDs, passwords, and much more.
6. Describe the dynamic nature of EC systems.
EC systems are changing all the time due to a stream of innovations. With
changes often come security problems.
7. What makes EC security management so difficult? What is the dilemma?
The defense of information systems and EC is getting more difficult because attackers change their strategies and attack methods all the time, while the EC systems being defended keep changing as well (see Question 6). The dilemma is that stronger defenses make online shopping less convenient and more expensive, so a company must balance the level of protection against the cost and friction it imposes on legitimate customers (see the reasons listed in Section 9.10, Question 5).
Section 9.2 Review Questions
1. List five major terms of EC security.
· Business continuity plan
· Cybercrime
· Exposure
· Fraud
· Malware (malicious software)
· Phishing
· Risk
· Social engineering
· Spam
· Vulnerability
· Zombie
2. Describe the major unintentional security hazards.
· Human error. Human error can occur in the
design of the hardware or information system.
· Environmental hazards. These include
earthquakes, severe storms (e.g., hurricanes, blizzards, or sand), floods,
power failures or strong fluctuations, fires (the most common hazard),
explosions, radioactive fallout, and water-cooling system failures.
· Defects in the computer system. Defects can
be the result of poor manufacturing, defective materials, and outdated or
poorly maintained networks.
3. List five examples of intentional EC security crimes.
· theft of data or hardware (e.g., laptops)
· inappropriate use of data
· deliberate manipulation in handling,
entering, processing, transferring, or programming data
· vandalism
· sabotage
· malicious damage to computer resources
· destruction from viruses
· Internet fraud
4. Describe the security battleground, who participates, and how. What are the possible results?
This battleground includes:
· The attacks, the attackers, and their strategies
· The items that are being attacked
· The defenders and their methods and strategy
Each side uses its tools to gain control of the targeted systems. Every encounter ends with one side in control, so the possible results range from a blocked attempt, through an intrusion that is detected and contained, to a successful compromise of data or services.
5. Define hacker, cracker, and social engineering.
· Hacker – someone who gains unauthorized
access to a computer system
· Cracker – a malicious hacker, who may
represent a serious problem for a corporation
· Social engineering – a collection of tactics
used to manipulate people into performing actions or divulging confidential
information
6. List all security requirements and define authentication and authorization requirements.
The security requirements are confidentiality, integrity, availability, authentication, authorization, and nonrepudiation (all six are defined in Section 9.5).
· Authentication – process to verify (assure) the real identity of an individual, computer, computer program, or EC Web site
· Authorization – process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform
7. What is nonrepudiation?
Assurance that online customers or trading
partners cannot falsely deny (repudiate) their purchase or transaction.
8. Describe deterring, preventing, and detecting in EC security systems.
· Deterring measures – actions that will make
criminals abandon their idea of attacking a specific system (e.g., the
possibility of losing a job for insiders)
· Prevention measures – ways to help stop
unauthorized users (also known as “intruders”) from accessing any part of the
EC system
· Detection measures – ways to determine
whether intruders attempted to break into the EC system, whether they were
successful, and what they may have done
9. What is a security strategy, and why is it needed?
A security strategy is an overriding plan for maintaining IS security
within an organization. From it all
other security plans arise.
Section 9.3 Review Questions
1. Describe the difference between a nontechnical and a technical cyber attack.
A technical attack is perpetrated using software and systems knowledge or expertise, for example malware or the exploitation of a vulnerability in a server. A nontechnical attack relies on chicanery rather than technology: it uses social engineering to trick people into revealing sensitive information (such as a password) or performing actions that compromise the security of a network.
2. What are the major forms of malicious code?
· Viruses
· Worms
· Macro viruses and worms
· Trojan horses
3. What factors account for the increase in malicious code?
· Mixing applications with executable code
· Homogenous computing environments
· Connectivity
· Uneducated users
4. Define a virus and explain how it works.
A piece
of software code that inserts itself into a host, including the operating
systems, in order to propagate; it requires that its host program be run to activate
it.
5. Define worm and Trojan horse.
Worm – a software program that runs independently, consuming the resources of its host in order to maintain itself, and is capable of propagating a complete working version of itself onto another machine
Trojan horse – a program that appears to have a useful function but contains a hidden function that presents a security risk
6. Define DoS. How are DoS attacks perpetrated?
A denial-of-service (DoS) attack is an attack on a Web site in which an attacker uses specialized software to send a flood of data packets or requests to the target computer with the aim of overloading its resources so that legitimate users cannot be served. In the distributed form (DDoS), the attacker first gains illegal administrative access to as many computers on the Internet as possible (the zombies of a botnet) and then uses these multiple computers to send the flood to the target at the same time; because each zombie contributes only a small share of the traffic, the attack is hard to distinguish from legitimate use and hard to block by source address.
7. Define server and page hijacking.
Server hijacking is gaining control of a Web server. Page hijacking is creating a rogue copy of a popular Web site that shows contents similar to the original to a Web crawler, so that the copy takes the original’s place in search results; an unsuspecting user who lands on the copy is then redirected to malicious Web sites.
8. Describe botnet attacks.
A botnet is a huge number (e.g., hundreds of thousands) of hijacked Internet computers (zombies) under the remote control of an attacker. The botnet is set up to forward traffic, including spam and viruses, to other computers on the Internet, and it is also the usual source of the floods used in distributed denial-of-service attacks.
Section 9.4 Review Questions
1. Define phishing.
The
criminal, fraudulent process of attempting to acquire confidential information
such as user names, passwords, and credit card details by masquerading as a
trustworthy entity such as a well-known bank, credit card company, a large
social network, or a telecommunication company, in an electronic communication,
usually via e-mail or IM.
2. Describe the relationship of phishing to financial fraud.
In many cases, phishing leads to financial fraud: the user names, passwords, and card numbers obtained by phishing are used to make fraudulent purchases or transfers from the victim’s accounts, or they are sold in the Internet underground economy (Section 9.1) to others who commit the fraud.
3. Briefly describe some phishing tactics.
Attackers pretend to be from reputable firms (a bank, a card issuer, a social network) and ask users to provide personal information as a part of an existing relationship, typically by warning of a problem with the account and linking to a spoofed Web site that mimics the firm’s real login page. Whatever the victim types into the spoofed page goes to the attacker.
4. Describe spam and its methods.
Spam is sending or posting a large number of emails or other electronic records indiscriminately.
5. Define splogs and explain how sploggers make money.
Short for
spam blog, a splog is a site created solely for marketing purposes. These sites steal content from other blogs
with the hope of increasing their search engine hits, which in turn increases
the value of any advertising they have.
6. Why and how are social networks being attacked?
Social networks can be attacked in much the same way as individuals and Web sites currently are (phishing, malware, and spam sent through hijacked accounts). They are an inviting target due to their size and growth, and because members tend to trust messages that appear to come from friends.
Section 9.5 Review Questions
1. What is information assurance? List its major components.
Information assurance is the protection of information against unauthorized access or modification. Its components include:
· Confidentiality
· Integrity
· Availability
· Authentication
· Authorization
· Nonrepudiation
2. Define confidentiality, integrity, and availability.
· Confidentiality – assurance of data privacy; keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes
· Integrity – assurance that stored data has not been modified without authorization and that a message that was sent is the same message that was received (the data remain accurate and complete)
· Availability – assurance that access to data, the Web site, or other EC data service is timely, available, and reliable for authorized users
3. Define authentication, authorization, and nonrepudiation.
· Authentication
requires evidence in the form of credentials.
· Authorization
requires comparing information about the person or program with access control
information associated with the resource being accessed.
· Nonrepudiation is
the concept of ensuring that a party in a dispute cannot repudiate or refute
the validity of a statement or contract.
4. List the six objectives of EC strategy.
· Prevention and deterrence.
· Detection.
· Containment (contain the damage).
· Recovery.
· Correction.
· Awareness and compliance.
5. Discuss the gap between security spending and a company’s security needs.
Because threats change constantly, the amount a company needs to spend to stay protected keeps moving, and a budget set once a year falls behind the actual exposure. Security spending is also easy to cut because its benefit (an attack that did not happen) is hard to demonstrate, so the gap between what is spent and what is needed tends to widen until an incident makes it visible.
6. Describe vulnerability assessment.
The process of identifying, quantifying, and
prioritizing the vulnerabilities in a system.
7. List the six categories of defense in EC systems.
· Defending access to computing systems, data flow, and EC transactions
· Defending EC networks
· General, administrative, and application controls
· Protection against social engineering and fraud
· Disaster preparation, business continuity, and risk management
· Implementing enterprise-wide security programs
Section 9.6 Review Questions
1. Define access control.
Mechanism that determines who
can legitimately use a network resource.
2. What are the basic elements of an authentication system?
· A group or person to be authenticated
· A distinguishing characteristic
· A system proprietor
· Authentication mechanism
· Access control mechanism
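Added worked example (not from the textbook or this manual) tying together the access-control definition above, the elements of an authentication system, and the authentication/authorization definitions in Section 9.2, Question 6, and Section 9.5, Question 3. The user names, passwords, resources, and access-control list are made up for the illustration; the password check uses a salted PBKDF2 hash and a constant-time comparison, which is how a Web shop should store and verify credentials rather than comparing plaintext passwords.

```python
import hashlib
import hmac
import os

# Constructed user store: every record holds a random per-user salt and a
# PBKDF2-HMAC-SHA256 hash of the password, never the password itself.
ITERATIONS = 100_000


def make_record(password: str) -> dict:
    """Stored credential: a random per-user salt plus the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


USERS = {                      # the persons to be authenticated (made-up data)
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("hunter2"),
}

ACL = {                        # access control information per resource (made up)
    "/orders/alice": {"alice": {"read", "update"}},
    "/orders/bob": {"bob": {"read", "update"}},
    "/catalog": {"alice": {"read"}, "bob": {"read"}},
}


def authenticate(username: str, password: str) -> bool:
    """Authentication: does the presented credential match the stored one?"""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown name so that an attacker
        # cannot tell valid from invalid user names by response time.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])   # constant-time compare


def authorize(username: str, resource: str, operation: str) -> bool:
    """Authorization: may this (already authenticated) user do this operation?"""
    return operation in ACL.get(resource, {}).get(username, set())


def access(username: str, password: str, resource: str, operation: str) -> str:
    """Access control: authenticate first, then consult the ACL; default is deny."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource, operation):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "/orders/alice", "read"))
    print(access("alice", "correct horse battery staple", "/orders/bob", "read"))
```

Note that the two denials are deliberately kept apart: a customer who proves who she is (authentication) still cannot read another customer’s orders (authorization), and a caller who fails authentication is never evaluated against the ACL at all.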
3. Define biometric systems and list five of their methods.
Authentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice. Example methods include:
· Thumbprint or fingerprint
· Retinal scan
· Voice scan
· Signature
· Facial recognition
4. Define a symmetric (one-key) encryption.
An encryption system that uses the same key to encrypt and decrypt the message, so both the sender and the receiver must hold that key.
5. List some of the disadvantages of the symmetric system.
· The key has to be shared with every party the sender communicates with, and it must be delivered over some channel that is itself secure (the key-distribution problem).
· Each pair of communicating parties needs its own key, so the number of keys grows quickly with the number of parties (n(n-1)/2 keys for n parties).
· Because sender and receiver hold the same key, either of them could have produced a given message, so symmetric encryption alone cannot provide nonrepudiation.
· The security of every message protected by a key rests on that single key; if it is exposed, all traffic encrypted with it is exposed.
6. What are the key elements of PKI?
· A pair of mathematically matched keys for each participant: a public key, which can be distributed freely, and a private key, which is kept secret. Either key undoes what the other does, so a message encrypted with the public key can be decrypted only with the private key (confidentiality), and a digest encrypted with the private key (a digital signature) can be verified by anyone holding the public key.
· Digital signatures, which provide authentication, integrity, and nonrepudiation.
· Digital certificates, which bind a public key to the identity of its holder.
· Certificate authorities (CAs), which verify identities and issue the certificates.
7. Describe the PKI process.
The process is detailed in Exhibit 9.11. In outline: the sender obtains the recipient’s public key from the recipient’s certificate, encrypts the message with it, and signs the message with the sender’s own private key; the recipient decrypts with the recipient’s private key and verifies the signature with the sender’s public key, after checking that the sender’s certificate was issued by a trusted CA.
8. What role does a certificate authority play?
A certificate authority is a trusted third party that verifies that the holder of a public key is who they claim to be and then issues a digital certificate binding that identity to the public key, signed with the CA’s own private key. Anyone who trusts the CA can check the CA’s signature on the certificate and thereby trust the binding without having dealt with the key holder before. (Only public keys appear in certificates; a private key is never shared with the CA.)
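Added worked example (not from the textbook or this manual) for Questions 4 through 8 above: textbook RSA with deliberately small primes and no padding, so that the “public key encrypts, private key decrypts, or vice versa” mechanics, the CA’s signature on a certificate, and the contrast with a shared symmetric key are visible in a few lines. The merchant name shop.example, the order text, and the primes are assumptions for the illustration; a real deployment uses 2048-bit or larger keys with OAEP/PSS padding from a vetted library, never code like this.

```python
import hashlib
import hmac
from math import gcd

# Toy RSA for illustration only: small primes, no padding, hash reduced mod n.
# Do not use for anything real.


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) as ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def encrypt(public, m: int) -> int:
    """Anyone with the public key can encrypt; m must be an integer below n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    """Only the private-key holder can decrypt."""
    n, d = private
    return pow(c, d, n)


def _digest_mod_n(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    """The private key 'encrypts' a hash of the data. Only its holder can do
    this, which is what gives nonrepudiation."""
    n, d = private
    return pow(_digest_mod_n(data, n), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    """Anyone with the public key can check a signature."""
    n, e = public
    return pow(signature, e, n) == _digest_mod_n(data, n)


def _cert_bytes(subject: str, subject_public) -> bytes:
    n, e = subject_public
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """CA role: after verifying the subject's identity (out of band), bind the
    subject's name to its public key with the CA's own signature."""
    return {"subject": subject, "public": subject_public,
            "ca_signature": sign(ca_private, _cert_bytes(subject, subject_public))}


def verify_certificate(ca_public, cert: dict) -> bool:
    """A relying party trusts the name-to-key binding if the CA's signature checks out."""
    return verify(ca_public, _cert_bytes(cert["subject"], cert["public"]),
                  cert["ca_signature"])


def symmetric_tag(shared_key: bytes, data: bytes) -> bytes:
    """Contrast with the symmetric case: every holder of the shared key produces
    the identical tag, so the tag cannot show which party made it."""
    return hmac.new(shared_key, data, hashlib.sha256).digest()


def demo() -> dict:
    ca_public, ca_private = generate_keypair(10007, 10009)        # CA's key pair
    shop_public, shop_private = generate_keypair(10037, 10039)    # merchant's key pair
    cert = issue_certificate(ca_private, "shop.example", shop_public)
    order = b"order 4711: 2 x widget, total 59.90"                # constructed message
    signature = sign(shop_private, order)
    return {
        "cert_ok": verify_certificate(ca_public, cert),
        "order_ok": verify(cert["public"], order, signature),
        "tampered_ok": verify(cert["public"], order + b" (refunded)", signature),
        "roundtrip": decrypt(shop_private, encrypt(shop_public, 4711)) == 4711,
        "same_tag": symmetric_tag(b"shared", order) == symmetric_tag(b"shared", order),
    }


if __name__ == "__main__":
    print(demo())
```

The relying party never needs the merchant’s private key: it checks the CA’s signature on the certificate, takes the public key from it, and verifies the order with that. The `symmetric_tag` function makes the nonrepudiation point from Question 5 concrete: two parties holding the same key produce byte-identical tags, so a tag proves only that someone with the key made it.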
Section 9.7 Review Questions
1. List the basic types of firewalls and briefly describe each.
Packet-filtering routers – firewalls that filter data and requests moving from the public Internet to a private network based on the network addresses (and usually the protocol and port numbers) of the computers sending and receiving the request; they examine only packet headers, not the content of the request, so they are fast but cannot tell a legitimate Web request from a malicious one on the same port.
Application-level proxies – firewalls that permit requests for Web pages to move from the public Internet to the private network by accepting each request themselves, inspecting it at the application level (e.g., as an HTTP request), and forwarding a fresh request to the internal server; they can block malformed or unwanted requests that a packet filter would pass, at the cost of more processing per request.
2. What is a personal firewall? What is DMZ architecture?
A personal firewall is a network node designed to protect an individual user’s desktop system from the public network by monitoring all the traffic that passes through the computer’s network interface card. A DMZ (demilitarized zone) is a popular defense architecture that uses two firewalls: public-facing servers such as the Web server sit in the zone between the outer firewall, which faces the Internet, and the inner firewall, which protects the internal network, so that a compromise of a public server still does not give the attacker direct access to internal systems.
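Added worked example (not from the textbook or this manual) of the packet-filtering and DMZ material above: a minimal first-match rule evaluator with default deny, configured for the two-firewall layout. The addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24, private 10.0.0.0/8), the Web and database servers, and the port numbers are assumptions for the illustration. Because the filter looks only at header fields, a request to port 443 that carries a malicious payload is still allowed; that is the gap an application-level proxy closes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Assumed addressing for the illustration.
INTERNET = "0.0.0.0/0"
DMZ = "203.0.113.0/24"          # zone between the two firewalls
INTERNAL = "10.0.0.0/8"         # private network behind the inner firewall
WEB = "203.0.113.10/32"         # public Web server, lives in the DMZ
DB = "10.0.5.20/32"             # database server, lives on the internal network

# Outer firewall (Internet -> DMZ): only Web traffic to the Web server gets in.
OUTER: List[Rule] = [
    Rule("allow", INTERNET, WEB, "tcp", 443),
    Rule("allow", INTERNET, WEB, "tcp", 80),
]
# Inner firewall (DMZ -> internal): only the Web server may talk to the database.
INNER: List[Rule] = [
    Rule("allow", WEB, DB, "tcp", 5432),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """A packet filter sees only header fields: addresses, protocol, port."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def trace(pkt: Packet) -> str:
    """Name the firewall a packet hits and its decision. Packets originating in
    the DMZ cross the inner firewall; everything else is treated as arriving
    from the Internet at the outer firewall."""
    if ip_address(pkt.src) in ip_network(DMZ):
        return "inner:" + evaluate(INNER, pkt)
    return "outer:" + evaluate(OUTER, pkt)


if __name__ == "__main__":
    print(trace(Packet("198.51.100.7", "203.0.113.10", "tcp", 443)))   # outer:allow
    print(trace(Packet("198.51.100.7", "10.0.5.20", "tcp", 5432)))     # outer:deny
    print(trace(Packet("203.0.113.10", "10.0.5.20", "tcp", 5432)))     # inner:allow
```

The last two lines show the point of the DMZ: an Internet host cannot reach the database at all, and even a compromised host in the DMZ other than the Web server is stopped by the inner firewall.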
3. How does a VPN work? What are its benefits to users?
A VPN is a network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, integrity checks (message authentication) to ensure that information has not been tampered with in transit, and authentication and access control to verify the identity of anyone using the network and to limit what they may reach. It allows remote users and branch offices to safely access protected network assets without the cost of dedicated private lines.
4. Briefly describe the major types of IDSs.
Audit logs – record attempted logins and system use; reviewing them is the simplest form of detection, although it happens after the fact
Host-based IDS – runs on the protected system and watches for unauthorized file changes and other suspicious activity on that host
Network-based IDS – examines network traffic for known attack signatures or abnormal patterns
5. What is a honeynet? What is a honeypot?
Honeypot – a decoy system set up to attract intruders so that their methods can be observed; because it has no legitimate users, any traffic to it is suspicious
Honeynet – a network of honeypots, used to study network intrusions and to evaluate the vulnerabilities of a system
6. Describe e-mail security.
Complete e-mail security can include:
· Antivirus and antispam
· E-mail encryption
· Outbound filtering
7. How can cloud computing
help?
Cloud computing provides for better data integrity, while reducing costs.
Section 9.8 Review Questions
1. What are general controls? List the various types.
Controls established to protect the system
regardless of the specific application. For example, protecting hardware and
controlling access to the data center are independent of the specific
application.
2. What are administrative controls?
Administrative controls deal with issuing guidelines and monitoring
compliance with the guidelines.
3. Define application controls.
Controls that are intended to protect specific applications.
4. How does one protect against spam?
Companies can protect against spam by
filtering email and working with providers on policies.
5. How does one protect against pop-ups?
Generally, through the use of pop-blocking
tools in browsers and toolbars.
6. How does one protect against phishing, spyware, and malvertising?
These can be protected against through a combination of security applications and education: antiphishing filters in browsers and e-mail gateways that block known fraudulent sites and messages, antispyware and antivirus scanners that detect and remove unwanted software, ad and script blockers that stop malicious advertisements from running, and user training so that people recognize and report suspicious messages instead of responding to them.
Section 9.9 Review Questions
1. Why do organizations need a business continuity plan?
The purpose of a business continuity plan is
to keep the business running after a disaster occurs. Each function in the
business should have a valid recovery capability plan.
2. List three issues a business continuity plan should cover.
· Understand business & IT requirements
· Evaluate current capabilities
· Develop continuity plan
3. Identify two factors that influence a company’s ability to recover from a disaster.
Two examples include proper planning and
asset protection.
4. What types of devices are needed for disaster avoidance?
A variety of options are available to help avoid disasters. The simplest is the use of uninterruptible power supply (UPS) systems to help avoid issues created by power outages; others include surge protectors, redundant network links and servers, and off-site or mirrored backups.
5. How can you calculate expected loss?
Using risk management analysis, it is possible to estimate losses based on different scenarios. For each scenario, the expected loss is the product of the probability that the attack occurs, the probability that it succeeds against the current defenses, and the loss that would result if it did succeed; adding up the expected losses across scenarios gives the exposure against which security spending can be compared.
6. List two ethical issues associated with security programs.
Examples include constant monitoring of
activities and possible invasion of privacy.
Section 9.10 Review Questions
1. If senior management is not
committed to EC security, how might that impact the e-business?
Student answers will vary, but lack of management support
generally leads to the failure of an initiative.
2. What is a benefit of using the risk exposure model for EC security planning?
It allows the firm to allocate capital to the areas of greatest organizational importance, that is, to the assets and scenarios with the largest expected loss, instead of spreading the security budget evenly.
3. Why
should every company implement an acceptable use policy?
Student
responses will vary, but these policies help to define parameters and are useful
in planning.
4. Why is training required?
Since systems are unique and changing, it is
important to train staff on their acceptable use and policy.
5. List the six major reasons why it is difficult to stop computer crimes.
· Would Make Shopping Inconvenient
· Lack of Cooperation from Credit Card Issuers
· Shoppers’ Negligence
· Design and Architecture Issues
· Ignoring EC Security Best Practices
· Lack of Due Care in Business Practices
Answers to EC Application Case Questions
EC Application Case 9.1:
INTERNET STOCK FRAUD AIDED BY SPAM
1. Why might people buy the penny stocks promoted in an e-mail
message from an unknown source?
Individuals may be
looking to make some quick, easy money.
2. Use Google or Bing to find out what can be done to filter image spam.
Student
searches and results will vary.
EC Application Case 9.2:
BUSINESS CONTINUITY AND DISASTER RECOVERY
1. Why might a company that had a significant data loss not be able to recover?
They may be completely unable to
recreate the information that was lost.
2. Why are regulators requiring that companies implement BC/DR plans?
To ensure that companies are able
to recover, and fulfill their obligations.
Answers to Discussion
Questions
1. Consider
how a hacker might trick people into giving him their user IDs and passwords to
their Amazon.com accounts. What are some of the ways that a hacker might
accomplish this? What crimes can be performed with such information?
Student responses will vary. The
most common approach would probably be a phishing email, indicating a need to
“verify” account information by going to a false Web site.
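Added worked example (not from the textbook or this manual) for this question and for the phishing tactics in Section 9.4, Question 3: a check of the links in an HTML e-mail for the tell-tale signs of a spoofed login page, namely a link whose visible text names one domain while its href points to another, a lookalike host name, plain http, or a user-info trick such as `http://bank.example@attacker`. The sample message, the brand example-bank.com, and the trusted-domain list are constructed; the registrable-domain helper is crude (last two labels) and a real filter would use the public suffix list.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

TRUSTED = {"example-bank.com"}      # assumed: domains the brand really uses

# Constructed phishing message: the first link's text shows the real bank's URL
# while the href goes to a lookalike host; the second link is genuine.
SAMPLE = """<p>Dear customer, we detected a problem. Please verify your account:</p>
<a href="http://example-bank.com.verify-login.example/secure">https://www.example-bank.com/secure</a>
<p>Or visit <a href="https://www.example-bank.com/help">our help pages</a>.</p>"""

DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels of the host name."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html: str, trusted=TRUSTED) -> List[Tuple[str, List[str]]]:
    """Return [(href, [reasons])] for every link that shows a phishing sign."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        target = registrable(parts.hostname or "")
        reasons = []
        if target not in trusted:
            reasons.append(f"link goes to {target!r}, not a trusted domain")
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable(shown.group(0)) != target:
            reasons.append(f"visible text names {registrable(shown.group(0))!r}")
        if parts.scheme == "http":
            reasons.append("plain http, no TLS")
        if "@" in parts.netloc:
            reasons.append("userinfo before host")      # user@host trick
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE):
        print(href, "->", "; ".join(reasons))
```

Run against the constructed message, only the first link is reported, with three reasons: the registrable domain is verify-login.example, the visible text names example-bank.com, and the scheme is plain http. A mail gateway or browser phishing filter applies checks of this kind (plus reputation lists) before the user ever sees the link.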
2. B2C EC sites continue to experience DoS attacks. How are these attacks perpetrated? Why is it so difficult to safeguard against them? What are some of the things a site can do to mitigate such attacks?
DoS attacks are carried out by flooding the site with more traffic or requests than it can handle; in the distributed form the flood comes from many computers (zombies in a botnet) at the same time. It is therefore difficult to isolate just the attacker’s IP address and shut off traffic from it: each zombie may send only a little traffic, and its packets look like those of legitimate shoppers. Mitigation includes firewall and router filtering of obviously malicious traffic, rate limiting, overprovisioning bandwidth and servers, and arranging with the ISP or a DDoS-mitigation service to filter the flood upstream before it reaches the site.
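Added worked example (not from the textbook or this manual) that makes the “hard to isolate one address” point concrete: a detector run over constructed Web-server log lines that buckets requests per second, flags any single source above a per-address limit (the plain DoS case, which can be blocked by address) and separately flags seconds whose total load exceeds capacity while no single source is above the limit (the distributed case, where blocking by address does not help). The log lines, addresses, limits, and timestamps are all constructed; the limits would be tuned to the real site’s capacity.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

# Common Log Format: client address first, timestamp in brackets.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+')


def parse(line: str):
    """Return (client_ip, datetime) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def analyze(lines: List[str], window_s: int = 1,
            per_ip_limit: int = 50, total_limit: int = 500) -> Dict[str, list]:
    """Bucket requests into windows of window_s seconds. Sources above
    per_ip_limit in any window can be blocked by address. Windows above
    total_limit in which no single source is above per_ip_limit are the
    distributed case: there is no one address to block."""
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ip, t = parsed
            buckets[int(t.timestamp()) // window_s][ip] += 1
    noisy_sources = set()
    distributed = []
    for window, counts in sorted(buckets.items()):
        busiest = max(counts.values())
        for ip, n in counts.items():
            if n > per_ip_limit:
                noisy_sources.add(ip)
        total = sum(counts.values())
        if total > total_limit and busiest <= per_ip_limit:
            distributed.append((window, total, len(counts)))   # (window, requests, sources)
    return {"block_by_ip": sorted(noisy_sources), "distributed_floods": distributed}


def make_lines(sources: List[str], per_source: int,
               ts: str = "10/Oct/2010:13:55:36 +0000") -> List[str]:
    """Constructed log generator: each source sends per_source requests in one second."""
    return [f'{ip} - - [{ts}] "GET /checkout HTTP/1.1" 200 1234'
            for ip in sources for _ in range(per_source)]


if __name__ == "__main__":
    print(analyze(make_lines(["198.51.100.9"], 200)))
    zombies = [f"198.51.100.{i}" for i in range(1, 101)] + [f"192.0.2.{i}" for i in range(1, 101)]
    print(analyze(make_lines(zombies, 3)))
```

With the constructed data, the single-source flood (200 requests in a second from one address) is returned under `block_by_ip`, whereas 200 zombies sending three requests each produce 600 requests in the same second with every source well under the per-address limit: the detector can tell the site is under a flood but has no address to block, which is exactly why upstream filtering and overprovisioning are needed.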
3. How are
botnet identity theft attacks and Web site hijacks perpetrated? Why are they so
dangerous to e-commerce?
Student answers will vary. Attacks
are generally perpetrated by infecting large numbers of computer systems
(botnets) or controlling data entering and exiting other Web sites
(hijacks). Both are dangerous because
they steal personal information that can later be used for identity theft. This represents a danger to EC because it
pushes away potential customers.
4. Discuss some of the difficulties of eliminating online financial fraud.
The primary difficulties are the constantly changing attacks and individuals’ lack of understanding of security; as long as enough people respond to phishing and similar scams, the fraud stays profitable and new variants keep appearing.
5. Some companies prefer not to have disaster recovery plans. Under what circumstances does this make sense? Discuss.
It rarely makes sense; all companies should be able to recover their data in the event of an emergency. At most, a very small business with little data might argue that a formal plan costs more than it is worth, but even then regular off-site backups and a documented way to restore them are needed.
6. Enter idesia-biometrics.com and look at
its product. Discuss these benefits over other biometrics.
Student searches and opinions will vary.
7. Enter trendsecure.com and find a tool
called HijackThis. Try the free tool. Find an online forum that deals with it.
Discuss the benefits and limitations.
Student searches and opinions will vary.
8. Find information about the Zeus Trojan. Discuss why it is so effective as a financial data stealer. Why is it so difficult to mitigate this Trojan? Hint: See Falliere and Chien (2009).
Student searches and opinions will vary.
9. Find information about the scareware
social engineering method. Why do you think it is so effective?
Student searches and opinions will vary.
10. The National Vulnerability Database (NVD) is a comprehensive cybersecurity database that integrates all publicly available U.S. government vulnerability resources and provides references to industry resources. Visit nvd.nist.gov and review 10 of the recent CVE vulnerabilities. For each vulnerability, list its published date, CVSS severity, impact type, and the operating system or software with the vulnerability.
Student searches and opinions will vary.
Topics for Class Discussion and Debates
1. Survey results on the incidence of
cyber attacks paint a mixed picture; some surveys show increases, others show
decreases. What factors could account for the differences in the reported
results?
Student opinions will vary. The major issue may be how many attacks are
reported.
2. A business wants to share its customer
account database with its trading partners, while at the same time providing
prospective buyers with access to marketing materials on its Web site. Assuming
that the business is responsible for running all these systems, what types of security
components (e.g., firewalls, VPNs, etc.) could be used to ensure that the
partners and customers have access to the account information and others do
not? What type of network administrative procedures will provide the
appropriate security?
Student opinions will vary. The system required would need to meet
strenuous security requirements due to the nature of information available and
the number of integration points.
3. Why is it so difficult to fight
computer criminals? What strategies can be implemented by financial
institutions, airlines, and other heavy users of EC?
Student opinions will vary. The discussion will focus on intentions and
budgets to address them.
4. All EC sites share common security
threats and vulnerabilities. Do you think that B2C Web sites face different
threats and vulnerabilities than B2B sites? Explain.
Student opinions will vary. The discussion will focus on both the areas
of weakness and the types of attacks directed at them.
5. Why is phishing so difficult to
control? What can be done? Discuss.
Student opinions will vary. The debate will focus on training and its
effectiveness.
6. Debate: The best strategy is to invest
very little and only in proven technologies such as encryption and firewalls.
Student opinions will vary. The debate will focus on the issues of costs
versus risk.
7. Debate: Can the underground Internet
marketplace be controlled? Why or why not?
Student opinions will vary. The debate will focus on individual
motivations and the cost of products.
8. Debate: Is taking your fingerprints or
other biometrics to assure EC security a violation of your privacy?
Student opinions will vary. The debate will be on the extent of privacy.
9. A body scan at airports created a big
debate. Debate both points of this issue and relate it to EC security.
Student opinions will vary. The debate will focus on privacy versus security.
Internet Exercises
(Note:
URLs may change over time; please check the Internet Exercises on the Turban
Web site for possible updates: www.pearsonhighered.com/turban.)
1. Your B2C site has
been hacked. List two organizations where you would report this incident so
that they can alert other sites. How do you do this, and what type of
information do you have to provide?
Student responses
will vary based on the location of the hack.
2. Connect to the Internet. Determine
the IP address of your computer by visiting at least two Web sites that provide
that feature. You can use a search engine to locate Web sites or visit ip-adress.com or whatismyipaddress.com. What other
information does the search reveal about your connection? Based on this
information, how could a company or hacker use that information?
Student results and reports will vary based on date of
research and sites selected.
3. Enter
the site of Perimeter eSecurity and find the white paper “Institutional
Identity Theft.” Compare institutional identity theft with personal identity
theft. How can a company protect itself against identity theft?
Student results and reports will vary based on date of
research. Potential solutions selected
will also vary.
4. The National Strategy to Secure Cyberspace provides a series of actions and
recommendations for each of its five national priorities. Search and download a
copy of the strategy online. Selecting one of the priorities, discuss in detail
the actions and recommendations for that priority.
Student results and reports will vary based on date of
research and which priority is evaluated.
5. The Symantec Internet Security Threat Report provides details about
the trends in attacks and vulnerabilities in Internet security. Obtain a copy
of the report and summarize the major findings of the report for both attacks
and vulnerabilities.
Student results and reports will vary based on date of
research.
6.
Enter perimeterusa.com and look for a white paper titled “Top 9 Network
Security Threats in 2009.” Summarize these threats. Then look for a paper
titled “The ABC’s of Social Engineering.” Summarize the suggested defense.
Student opinions and reports will
vary based on what threats are compared.
7.
Enter security firm finjan.com and find examples of underground Internet
activities in five different countries. Prepare a summary.
Student results and reports will vary based on date of
research.
8.
Enter ftc.gov/bcp/edu/microsites/idtheft, identytheft.info, idtheftcenter.org,
and identytheftprotection.org. Find information about: the prevention,
protection against, cases about, and survival of identity theft. Write a report.
Student results and reports will vary based on date of
research and the content selected.
9.
Enter verisign.com and find information about PKI and encryption. Write a
report.
Student results and reports will vary based on date of
research. The use of key-based
encryption will be evaluated.
10.
Enter gfi.com/emailsecuritytest and
similar sites. Write some guidelines for protecting your PC.
Student reports will vary based on their perceptions of
the threats.
11.
Enter hijackthis.com. Do a free scan of your computer. Comment on the report
you received.
Student results and reports will vary based on date of
research and report received.
12.
Enter blackhat.com. Find out what they are about. Summarize some of their
activities.
Student results and reports will vary based on date of
research.
13.
Enter bsimm.com/community. Describe the activities of the community and how it
helps to fight cybercrime.
Student results and reports will vary based on date of
research and activities selected.
Team Assignments and Role Playing
1.
Assignment for the Opening Case
Read
the opening case and answer the following questions:
a. What kind of attack was it?
It was a botnet
attack.
b. Why was it difficult to stop it and to
recover?
The infection was
spread through all computers, and was self-spreading.
c. What do you think motivated Maxwell to
conduct the attack?
Opinions will vary
– it does not appear to be a financial motivation.
d.
After the incident, the hospital added more layers of defense. Why did they not
have it before?
They were either
unaware they needed it, or unwilling to dedicate the budget to it.
e.
After reading Section 9.7, what do you think can be done on top of what has
been done to prevent the incident?
Employee education
may also have helped stop its spread.
f. Is the punishment severe enough to deter
others? Why or why not?
Student opinion
will vary.
2. Assign teams to report on the major spam and scam threats. Examine examples provided by ftc.gov, the Symantec report on the state of spam (2009), and white papers from IBM, Verisign, and other security firms.
Student reports
will vary based on the topic assigned.
3. Several personal firewall products are
available. A list of these products can
be found at firewallguide.com/software.htm. Assign each team three products from the
list. Each team should prepare a
detailed review and comparison of each of the products they have been assigned.
Student reports
will vary based on the products evaluated.
4. Enter symantec.com/business/security_response/whitepapers.jsp and
find the white papers: (1) “The Risks of Social Networking” and (2) “The Rise
of PDF Malware.” Prepare a summary of both and find how they relate to each
other.
Student responses
and opinions will vary.
5. Watch the video “Cyber Attacks and Extortion” at searchsecurity.techtarget.com/video/0,297151,sid14_gci1345344,00.html. Answer the following questions:
a. Why are
there more extortions online today? How are they accomplished?
b. What is involved in targeted e-mail
attacks?
c. What is an SQL injection attack?
Student responses
and opinions will vary. This is an interesting video with details that
students will respond to differently.
6. Data leaks can be a major problem.
Find all the major defense methods. Check all major security vendors (e.g.,
Symantec). Find white papers and Webinars on the subject.
Student responses
and opinions will vary.
7. Each team is assigned to one method
of fighting against online fraud. Each method should deal with a different type
of fraud (e.g., banking [try IBM’s ZTIC], identify suspicious e-mails, dealing
with cookies in Web browsers, credit card protection, securing wireless
networks, installing antiphishing protection for your browser with phishing
filter, and so forth).
Student responses
and opinions will vary based on the method assigned.
Answers to End-of-Chapter Real-World Case Questions: HOW TWO BANKS STOPPED SCAMS, SPAMS, AND CYBERCRIMINALS
1. List the major security problems of CNB of
Oklahoma and
relate them to the attack methods described in Section 9.2 through 9.4.
Many of the attack
methods are represented including malware, spam, and viruses.
2. In what ways has CNB solved the e-mail problems?
(List specific problems and solutions).
· Malware – blocked Web sites, blocked the
ability to download executables
· Viruses – scanning at the server and desktop
level
· Security – use of encryption
3. Given the problems of CNB and its
solutions, what is an even better defense mechanism? (Use Sections 9.6 through
9.10, and what you can find on the Web.)
Student opinions
will vary – may include the use of a firewall/DMZ.
4. List the major security problems faced by BankWest
and relate them to the attack methods described in Sections 9.2 through 9.4.
It appears that
phishing scams were the primary issue.
5. In what ways has BankWest solved the fraud
schemes?
It has focused on
user education on the nature and current trends of scams.
6. Given the problems of BankWest and its
solutions, what is an even better defense mechanism?
Opinions will
vary, but software-based phishing blockers might be added.
Practice Test
1) According to the CSI Computer Crime and Security Survey, firewalls were the most commonly used defense technologies in 2008.
Answer: FALSE
2) According to the CSI Computer Crime and Security Survey, the most frequently occurring computer attacks were from viruses in 2008.
Answer: TRUE
3) The Internet and its network protocols were never intended for use by untrustworthy people or criminals.
Answer: TRUE
4) Keystroke logging captures and records user keystrokes.
Answer: TRUE
5) Cybercrimes are intentional crimes carried out on the Internet.
Answer: TRUE
6) An EC security strategy requires multiple layers of defense against risks from malware, fraudsters, customers, and employees.
Answer: TRUE
7) Detection measures are actions that will make criminals abandon their idea of attacking a specific system.
Answer: FALSE
8) Internet fraud has grown even faster than the Internet itself.
Answer: TRUE
9) Confidentiality, integrity, and awareness are the three components of the CIA security triad.
Answer: FALSE
10) Encryption algorithm is the mathematical formula used to encrypt plaintext into ciphertext, and vice versa.
Answer: TRUE
11) Strong EC security makes online shopping more convenient for customers.
Answer: FALSE
12) Shoppers can rely on fraud protection provided by credit card issuers to protect them from identity theft.
Answer: FALSE
13) Phishing is rampant because some people respond to it and make it profitable.
Answer: TRUE
14) Which of the following is the underlying reason why comprehensive EC security is necessary?
A) The Internet was designed for maximum efficiency without regard for its security or users with malicious intent.
B) The shift toward profit-motivated crimes
C) Security costs and efforts from reacting to online attacks and paying for damages are greater than if an EC security strategy is in place.
D) Many companies fail to implement basic IT security management best practices, business continuity plans, and disaster recovery plans.
15) The process of verifying the real identity of an individual, computer, computer program, or EC Web site best describes:
A) integrity.
B) authentication.
C) availability.
D) nonrepudiation.
16) The assurance that an online customer or trading partner cannot falsely deny their purchase or transaction is referred to as:
A) integrity.
B) availability.
C) authentication.
D) nonrepudiation.
17) ________ is the criminal, fraudulent process of attempting to acquire confidential information by masquerading as a trustworthy entity.
A) Spamming
B) Pretexting
C) Social engineering
D) Phishing
18) ________ is the process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform.
Answer: Authorization
19) ________ is the assurance that online customers or trading partners cannot falsely deny their purchase or transaction.
Answer: Nonrepudiation
20) ______________ is the assurance that data are accurate or that a message has not been altered.
Answer: Integrity
21) ________ is the assurance of data privacy.
Answer: Confidentiality
22) ________ is the process of scrambling a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble it.
Answer: Encryption
23) ________ are barriers between a trusted network or PC and the untrustworthy Internet.
Answer: Firewalls
24) Compare current motives of hackers to those of the past.
Answer: In the early days of EC, many hackers simply wanted to gain fame or notoriety by defacing Web sites or gaining root, which means gaining unrestricted access to a network. Criminals and criminal gangs are now profit oriented, and their tactics are not limited to the online world.
25) List and briefly describe the three components of the CIA security triad.
Answer: The CIA triad includes confidentiality, integrity, and availability. Confidentiality is the assurance of data privacy. The data or transmitted message is encrypted so that it is readable only by the person for whom it is intended. The confidentiality function prevents unauthorized disclosure of information. Integrity is the assurance that data are accurate or that a message has not been altered. It means that stored data has not been modified without authorization; a message that was sent is the same message that was received. Availability is the assurance that access to data, the Web site, or other EC data service is timely, available, reliable, and restricted to authorized users.
26) List the six major objectives of EC defense strategies.
Answer: Prevention and deterrence, detection, containment, recovery, correction, and awareness and compliance are the six objectives.
27) Briefly discuss the five encryption components.
Answer: The five components are plaintext, encryption algorithm, key or key value, key space, and ciphertext. Plaintext is the original message or document that is created by the user and is in human-readable form. The encryption algorithm is the set of procedures or mathematical functions used to encrypt or decrypt a message. The key or key value is the secret value used with the algorithm to transform the message. Key space refers to the large number of possible key values created by the algorithm to use when transforming the message. Ciphertext is the message or document that has been encrypted into unreadable form.
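The five components in working code, as an added teaching example that is not part of the textbook or its answer key. It uses a deliberately weak repeating-key XOR as the encryption algorithm (an assumption made here so that the key space can be enumerated in a few lines; it is not a cipher to deploy) and shows why the size of the key space matters: a one-byte key can be recovered by trying all 256 keys, whereas a 16-byte key has 2^128 possibilities. The sample plaintext and key are constructed.

```python
"""Illustration of plaintext, encryption algorithm, key, key space and
ciphertext. Added example; the XOR cipher is chosen only because its key
space is small enough to enumerate, which is exactly its weakness."""
from __future__ import annotations

import itertools
import string

# Bytes we accept as "human-readable" when judging a trial decryption.
PRINTABLE = set(string.printable.encode())

# Constructed sample input: the plaintext (human-readable) and a 1-byte key.
PLAINTEXT = b"Transfer 500 USD to account 42"
KEY = b"\x5a"


def xor_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Encryption algorithm: XOR each byte with the key byte at the same
    position, cycling the key. XOR is its own inverse, so calling this on
    ciphertext with the same key returns the plaintext."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))


def key_space_size(key_len_bytes: int) -> int:
    """Key space: the number of distinct keys of the given length
    (256 choices per byte)."""
    return 256 ** key_len_bytes


def brute_force(ciphertext: bytes, key_len_bytes: int) -> list[tuple[bytes, bytes]]:
    """Try every key in the key space and keep the candidates whose
    decryption is entirely printable. Feasible only for a tiny key space,
    which is the lesson: a cipher is no stronger than its key space."""
    found = []
    for key_tuple in itertools.product(range(256), repeat=key_len_bytes):
        key = bytes(key_tuple)
        candidate = xor_encrypt(ciphertext, key)
        if all(b in PRINTABLE for b in candidate):
            found.append((key, candidate))
    return found


if __name__ == "__main__":
    ciphertext = xor_encrypt(PLAINTEXT, KEY)
    print("plaintext :", PLAINTEXT)
    print("key       :", KEY.hex())
    print("ciphertext:", ciphertext.hex())
    print("key space for 1-byte key :", key_space_size(1))
    print("key space for 16-byte key:", key_space_size(16))
    candidates = brute_force(ciphertext, 1)
    print(f"{len(candidates)} of 256 trial keys give printable text; "
          f"correct key recovered: {(KEY, PLAINTEXT) in candidates}")
```

Running the script shows that a one-byte key space collapses to a short list of readable candidates, which is why the chapter stresses a large key space as a separate component from the algorithm itself.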
28) Briefly describe four major components for protecting internal information flow inside an organization.
Answer: Firewall, virtual private network, intrusion detection system, and honeynet and honeypot are four components. A firewall is a single point between two or more networks where all traffic must pass; the device authenticates, controls, and logs all traffic. A virtual private network is a network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network. Intrusion detection systems are a special category of software that monitor activity across a network or on a host computer, watch for suspicious activity, and take automated action based on what they see. A honeynet is a network of honeypots, and honeypots act as decoys and are watched to study how network intrusions occur.
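An added example, not code from the textbook or either bank, showing the intrusion detection and honeypot ideas from the answer above as rules run over firewall logs: one rule flags a source that probes many distinct ports (a scan), the other flags any contact with a honeypot address, since no legitimate user has a reason to reach a decoy. The log lines, their format, the decoy address and the scan threshold are all constructed assumptions for this illustration.

```python
"""Toy intrusion-detection rule engine over constructed firewall log lines.
Added example; the log format, addresses and thresholds are assumptions."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample log (syslog-like, documentation address ranges).
SAMPLE_LOG = """\
2024-01-01T10:00:01 ALLOW src=10.0.0.5 dst=10.0.1.10 dport=443
2024-01-01T10:00:02 ALLOW src=10.0.0.5 dst=10.0.1.10 dport=443
2024-01-01T10:00:03 ALLOW src=10.0.0.5 dst=10.0.1.11 dport=25
2024-01-01T10:00:05 DENY src=203.0.113.7 dst=10.0.1.10 dport=21
2024-01-01T10:00:05 DENY src=203.0.113.7 dst=10.0.1.10 dport=22
2024-01-01T10:00:05 DENY src=203.0.113.7 dst=10.0.1.10 dport=23
2024-01-01T10:00:06 DENY src=203.0.113.7 dst=10.0.1.10 dport=25
2024-01-01T10:00:06 DENY src=203.0.113.7 dst=10.0.1.10 dport=80
2024-01-01T10:00:06 DENY src=203.0.113.7 dst=10.0.1.10 dport=110
2024-01-01T10:00:09 ALLOW src=203.0.113.7 dst=10.0.1.250 dport=445
this line is deliberately malformed so the parser has something to skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

HONEYPOT_ADDRS = {"10.0.1.250"}  # assumed decoy address; nothing real lives here
SCAN_PORT_THRESHOLD = 5          # distinct ports from one source before alerting


def parse_log(text: str) -> list[dict]:
    """Parse well-formed lines into event dicts; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def detect(text: str, honeypots=HONEYPOT_ADDRS,
           threshold=SCAN_PORT_THRESHOLD) -> list[tuple[str, str, str]]:
    """Return (rule, source, detail) alerts for the two rules described above."""
    alerts = []
    ports_by_src: dict[str, set[int]] = defaultdict(set)
    for ev in parse_log(text):
        ports_by_src[ev["src"]].add(ev["dport"])
        # Honeypot rule: any traffic to a decoy is suspicious, allowed or not.
        if ev["dst"] in honeypots:
            alerts.append(("honeypot_contact", ev["src"],
                           f"{ev['dst']}:{ev['dport']} at {ev['ts']}"))
    # Port-scan rule: evaluated once per source after the whole log is read.
    for src, ports in ports_by_src.items():
        if len(ports) >= threshold:
            alerts.append(("port_scan", src,
                           f"{len(ports)} distinct ports: {sorted(ports)}"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_LOG):
        print(f"ALERT {rule:<17} src={src} {detail}")
```

The scan rule aggregates over the whole log before deciding, while the honeypot rule fires per event; a real IDS adds time windows and suppression so that a busy legitimate host is not flagged, but the shape of the logic is the same.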
Chapter Test
1. Preventing vulnerability during the EC design and pre-implementation stage is far more expensive than mitigating problems later.
A. True
B. False
2. Phishing is rampant because some people respond to it and make it profitable.
A. True
B. False
3. Access control involves authorization and authentication.
A. True
B. False
4. The key reasons why EC criminals cannot be stopped include each of the following except:
A. Online shoppers do not take necessary precautions to avoid becoming a victim.
B. Strong EC security makes online shopping inconvenient and demanding on customers.
C. Sophisticated hackers use browsers to crack into Web sites.
D. There is a lack of cooperation from credit card issuers and foreign ISPs.
5. The assurance that an online customer or trading partner cannot falsely deny their purchase or transaction is referred to as:
A. nonrepudiation.
B. integrity.
C. availability.
D. authentication.
6. Fingerprint scanners, facial recognition systems, and voice recognition are examples of ________ that recognize a person by some physical trait.
A. access control lists
B. human firewalls
C. biometric systems
D. intrusion detection systems
7. ________ is the criminal, fraudulent process of attempting to acquire confidential information by masquerading as a trustworthy entity.
A. Phishing
B. Pretexting
C. Social engineering
D. Spamming
8. A botnet is:
A. a huge number of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet.
B. a piece of code in a worm that spreads rapidly and exploits some known vulnerability.
C. a production system that looks like it does real work, but that acts as a decoy and is watched to study how network intrusions occur.
D. a piece of software code that inserts itself into a host or operating system to launch DoS attacks.
9. A summary of a message, converted into a string of digits after the hash has been applied, best describes:
A. digital envelope.
B. hash.
C. message digest.
D. digital signature.
10. A law that makes it a crime to send commercial e-mail messages with false or misleading message headers or misleading subject lines is:
A. SSL.
B. EEA.
C. DMCA.
D. CAN-SPAM.
11. The work atmosphere that a company sets for its employees describes:
A. standard of due care.
B. internal control environment.
C. acceptable use policy.
D. internal politics.
12. The combination of the encrypted original message and the digital signature, using the recipient's public key, best describes:
A. digital envelope.
B. digital signature.
C. hash.
D. message digest.
13. The success and security of EC is measured by:
A. confidentiality, integrity, and availability.
B. quality, reliability, and speed.
C. encryption, functionality, and privacy.
D. authentication, authorization, and nonrepudiation.
14. Each of the following is a true statement about access control except:
A. All resources need to be considered together to identify the rights of users or categories of users.
B. Access control lists (ACLs) define users' rights, such as what they are allowed to read, view, write, print, copy, delete, execute, modify, or move.
C. Access control determines which persons, programs, or machines can legitimately use a network resource and which resources he, she, or it can use.
D. After a user has been identified, the user must be authenticated.
15. Assurance that stored data has not been modified without authorization and a message that was sent is the same message that was received is referred to as:
A. nonrepudiation.
B. availability.
C. authentication.
D. integrity.
16. The motives of hackers have shifted from the desire for fame and notoriety to advancing personal and political agendas.
A. True
B. False
17. Keystroke logging captures and records user keystrokes.
A. True
B. False
18. Cybercrimes are intentional crimes carried out on the Internet.
A. True
B. False
19. Social engineering is an example of an unintentional threat.
A. True
B. False
20. Authentication provides the means to reconstruct what specific actions have occurred and may help EC security investigators identify the person or program that performed unauthorized actions.
A. True
B. False
21. The process of verifying the real identity of an individual, computer, computer program, or EC Web site best describes:
A. authentication.
B. nonrepudiation.
C. availability.
D. integrity.
22. Encryption components include each of the following except:
A. key value.
B. encryption algorithm.
C. ciphertext.
D. internal control environment.
23. Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction best defines:
A. anti-virus protection.
B. security audit.
C. incident management.
D. information security.
24. The protection of information systems against unauthorized access to or modification of information that is stored, processed, or being sent over a network is referred to as:
A. data integrity.
B. human firewall.
C. information assurance.
D. information integrity.
25. An attack on a website in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources best describes:
A. botnet infestation.
B. denial-of-service attack.
C. cyberhijacking.
D. cyberraid.