Chapter 9 - Study Guide

Chapter 9

E-Commerce Security and Fraud

As you read the textbook and go through this lesson, think about the following questions:
·        What are the major forms of Internet crime?
·        What are the typical security measures used by e-commerce?
·        Why is the Internet vulnerable to attack?
·        What concerns might a consumer have when doing business online?
·        What concerns might a business have when selling products or services online?
·        What are authentication, authorization, and nonrepudiation?
·        What are some common Internet attack methods?
·        What is phishing?
·        What three components can be used to measure security of the e-commerce environment?
·        Why is it difficult to stop Internet crime?

Upon completion of this chapter, you will be able to:
1. Understand the importance and scope of security of information systems for EC.
2. Describe the major concepts and terminology of EC security.
3. Learn about the major EC security threats, vulnerabilities, and technical attacks.
4. Understand Internet fraud, phishing, and spam.
5. Describe the information assurance security principles.
6. Identify and assess major technologies and methods for securing EC access and communications.
7. Describe the major technologies for protection of EC networks.
8. Describe various types of controls and special defense mechanisms.
9. Describe consumer and seller protection from fraud.
10. Describe the role of business continuity and disaster recovery planning.
11. Discuss EC security’s enterprisewide implementation issues.
12. Understand why it is not possible to stop computer crimes.

Answers to Pause/Break Section Review Questions

Section 9.1 Review Questions

1. Define computer security.   
Computer security refers to the protection of data, networks, computer programs, computer power, and other elements of computerized information systems.

2. List the major findings of the CSI 2010 survey.
·       The most expensive computer security incidents were those involving financial fraud.
·       Virus incidents occurred most frequently.
·       Almost one in ten organizations reported they experienced a domain name system (DNS) incident.
·       Twenty-seven percent of those surveyed responded positively to a question regarding “targeted attacks.”
·       The vast majority of respondents said their organizations had a security policy.

3. Describe the vulnerable design of the Internet.

The Internet and its network protocols were never intended for use by untrustworthy people or criminals. They were designed to accommodate computer-to-computer communications in a closed and trusted community.

4. Describe some profit-induced computer crimes.
Most popular is the theft of personal information such as credit card numbers, bank accounts, Internet IDs, and passwords.

5. Define the Internet underground economy.

The Internet underground economy consists of e-markets for stolen information, made up of thousands of Web sites that sell credit card numbers, social security numbers, other data such as bank account numbers, social network IDs, passwords, and much more.

6. Describe the dynamic nature of EC systems.

EC systems are changing all the time due to a stream of innovations. With changes often come security problems.

7. What makes EC security management so difficult? What is the dilemma?

The defense of information systems and EC is getting more difficult. The attackers change their strategies and attack methods all the time.


Section 9.2 Review Questions

1. List five major terms of EC security.

·       Business continuity plan
·       Cybercrime
·       Exposure
·       Fraud
·       Malware (malicious software)
·       Phishing
·       Risk
·       Social engineering
·       Spam
·       Vulnerability
·       Zombie

2. Describe the major unintentional security hazards.

·       Human error. Human error can occur in the design of the hardware or information system.
·       Environmental hazards. These include earthquakes, severe storms (e.g., hurricanes, blizzards, or sandstorms), floods, power failures or strong fluctuations, fires (the most common hazard), explosions, radioactive fallout, and water-cooling system failures.
·       Defects in the computer system. Defects can be the result of poor manufacturing, defective materials, and outdated or poorly maintained networks.

3. List five examples of intentional EC security crimes.

·       theft of data or hardware (e.g., laptops)
·       inappropriate use of data
·       deliberate manipulation in handling, entering, processing, transferring, or programming data
·       vandalism
·       sabotage
·       malicious damage to computer resources
·       destruction from viruses
·       Internet fraud


4. Describe the security battleground, who participates, and how. What are the possible results?

This battleground includes:
·       The attacks, the attackers, and their strategies
·       The items that are being attacked
·       The defenders and their methods and strategy

Each side uses its tools to exert control; one group wins each battle.

5. Define hacker, cracker, and social engineering.

·       Hacker – someone who gains unauthorized access to a computer system
·       Cracker – a malicious hacker, who may represent a serious problem for a corporation
·       Social engineering – a collection of tactics used to manipulate people into performing actions or divulging confidential information

6. List all security requirements and define authentication and authorization requirements.

·       Authentication – process to verify (assure) the real identity of an individual, computer, computer program, or EC Web site
·       Authorization – process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform

7. What is nonrepudiation?

Assurance that online customers or trading partners cannot falsely deny (repudiate) their purchase or transaction.

8. Describe deterring, preventing, and detecting in EC security systems.

·       Deterring measures – actions that will make criminals abandon their idea of attacking a specific system (e.g., the possibility of losing a job for insiders)
·       Prevention measures – ways to help stop unauthorized users (also known as “intruders”) from accessing any part of the EC system
·       Detection measures – ways to determine whether intruders attempted to break into the EC system, whether they were successful, and what they may have done

9. What is a security strategy, and why is it needed?

A security strategy is an overriding plan for maintaining IS security within an organization.  From it all other security plans arise.

Section 9.3 Review Questions

1. Describe the difference between a nontechnical and a technical cyber attack.

A technical attack uses IT technology, whereas a nontechnical attack uses (or attacks) standard security measures.

2. What are the major forms of malicious code?

·       Viruses
·       Worms
·       Macro viruses and worms
·       Trojan horses

3. What factors account for the increase in malicious code?

·       Mixing applications with executable code
·       Homogenous computing environments
·       Connectivity
·       Uneducated users

4. Define a virus and explain how it works.

A piece of software code that inserts itself into a host, including the operating systems, in order to propagate; it requires that its host program be run to activate it.

5. Define worm and Trojan horse.

Worm – a software program that runs independently, consuming the resources of its host in order to maintain itself, and is capable of propagating a complete working version of itself onto another machine.

Trojan horse – a program that appears to have a useful function but contains a hidden function that presents a security risk.

6. Define DoS. How are DoS attacks perpetrated?

An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources. A denial of service attack occurs when an attacker gains illegal administration access to as many computers on the Internet as possible and uses these multiple computers to send a flood of data packets to a target computer.

7. Define server and page hijacking.

Gaining control of a Web server or creating a rogue copy of a popular Web site that shows contents similar to the original to a Web crawler. Once there, an unsuspecting user is redirected to malicious Web sites.

8. Describe botnet attacks.

A huge number (e.g., hundreds of thousands) of hijacked Internet computers are set up to forward traffic, including spam and viruses, to other computers on the Internet.


Section 9.4 Review Questions

1. Define phishing.

The criminal, fraudulent process of attempting to acquire confidential information such as user names, passwords, and credit card details by masquerading as a trustworthy entity such as a well-known bank, credit card company, a large social network, or a telecommunication company, in an electronic communication, usually via e-mail or IM.

2. Describe the relationship of phishing to financial fraud.

In many cases, phishing leads to financial fraud.

3. Briefly describe some phishing tactics.

Attackers pretend to be from reputable firms, and ask users to provide personal information as a part of an existing relationship.

4. Describe spam and its methods.

Spam is sending or posting a large number of emails or other electronic records indiscriminately.

5. Define splogs and explain how sploggers make money.

Short for spam blog, a splog is a site created solely for marketing purposes.  These sites steal content from other blogs with the hope of increasing their search engine hits, which in turn increases the value of any advertising they have.

6. Why and how are social networks being attacked?

Social networks can be attacked in much the same way as individuals and Web sites currently are. They are an inviting target due to their size and growth.


Section 9.5 Review Questions

1. What is information assurance? List its major components.

Information assurance is the protection of information against unauthorized access or modification. Its components include:
·       Confidentiality
·       Integrity
·       Availability
·       Authentication
·       Authorization
·       Nonrepudiation

2. Define confidentiality, integrity, and availability.
·       Confidentiality – assurance of data privacy and accuracy; keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes
·       Integrity – assurance that stored data has not been modified without authorization; a message that was sent is the same message that was received
·       Availability – assurance that access to data, the Web site, or other EC data service is timely, available, reliable, and restricted to authorized users

3. Define authentication, authorization, and nonrepudiation.

·       Authentication requires evidence in the form of credentials.
·       Authorization requires comparing information about the person or program with access control information associated with the resource being accessed.
·       Nonrepudiation is the concept of ensuring that a party in a dispute cannot repudiate or refute the validity of a statement or contract.

4. List the six objectives of EC strategy.
·       Prevention and deterrence.
·       Detection.
·       Containment (contain the damage).
·       Recovery.
·       Correction.
·       Awareness and compliance.

5. Discuss the gap between security spending and a company’s security needs.
Because of the constantly changing threats, it is difficult to keep up with the costs of security.

6. Describe vulnerability assessment.

The process of identifying, quantifying, and prioritizing the vulnerabilities in a system.

7. List the six categories of defense in EC systems.

·       Defending access to computing systems, data flow, and EC transactions
·       Defending EC networks
·       General, administrative, and application controls
·       Protection against social engineering and fraud
·       Disaster preparation, business continuity, and risk management
·       Implementing enterprise-wide security programs


Section 9.6 Review Questions

1. Define access control.

Mechanism that determines who can legitimately use a network resource.

2. What are the basic elements of an authentication system?

·       A group or person to be authenticated
·       A distinguishing characteristic
·       A system proprietor
·       Authentication mechanism
·       Access control mechanism

3. Define biometric systems and list five of their methods.

Authentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice.  Example methods include:
·       Thumbprint or fingerprint
·       Retinal scan
·       Voice scan
·       Signature
·       Facial recognition

4. Define a symmetric (one-key) encryption.

An encryption system that uses the same key to encrypt and decrypt the message.

5. List some of the disadvantages of the symmetric system.

One disadvantage is that the security of the message as a whole is based on a single key, and that the message cannot be verified against a second key.

6. What are the key elements of PKI?

A pair of matched keys – a public key to encrypt a message and a private key to decrypt it, or vice versa

7. Describe the PKI process.

The process is detailed in Exhibit 9.11.

8. What role does a certificate authority play?

It is a verification that the holder of a public or private key is who they claim to be.  These certificates are issued by certificate authorities.


Section 9.7 Review Questions

1. List the basic types of firewalls and briefly describe each.

Packet-filtering routers – firewalls that filter data and requests moving from the public Internet to a private network based on the network addresses of the computer sending and receiving the request
Application-level proxies – firewalls that permit requests for Web pages to move from the public Internet to the private network

2. What is a personal firewall? What is DMZ architecture?

A network node designed to protect an individual user’s desktop system from the public network by monitoring all the traffic that passes through the computer’s network interface card. DMZ is a popular defense system that includes two firewalls.
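To make the two firewall types and the two-firewall DMZ concrete, here is an added example (not from the textbook or the study guide) of a packet-filtering router modelled in Python: each firewall is a list of allow rules keyed on the sending and receiving network addresses, unmatched packets are denied, and the outer and inner firewalls are placed around a DMZ. The address plan (documentation ranges, a Web server at 192.0.2.10 and a database at 10.0.0.5) is an assumption constructed for the example.

```python
"""Packet-filtering firewalls arranged as a two-firewall DMZ (added example).

Constructed address plan (an assumption, not from the textbook):
  public Internet -> OUTER firewall -> DMZ (192.0.2.0/24, Web server .10)
                                    -> INNER firewall -> internal net (10.0.0.0/8, DB .5)
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTERNET = "0.0.0.0/0"
DMZ_NET = "192.0.2.0/24"
WEB_SERVER = "192.0.2.10/32"
INTERNAL_NET = "10.0.0.0/8"
DB_SERVER = "10.0.0.5/32"


def in_net(addr: str, net: str) -> bool:
    """True when the address falls inside the CIDR block."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


@dataclass(frozen=True)
class Packet:
    src: str    # address of the sending computer
    dst: str    # address of the receiving computer
    dport: int  # destination port (the service being requested)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR block the sender must be in
    dst: str                     # CIDR block the receiver must be in
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (in_net(pkt.src, self.src)
                and in_net(pkt.dst, self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class PacketFilter:
    """A packet-filtering router: the first matching rule wins, default deny."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"  # nothing matched: the safe default


# Outer firewall: the Internet may reach only the DMZ Web server, only on Web ports.
OUTER = PacketFilter("outer", [
    Rule("allow", INTERNET, WEB_SERVER, 443),
    Rule("allow", INTERNET, WEB_SERVER, 80),
])

# Inner firewall: only the DMZ Web server may reach the database, only on its port.
INNER = PacketFilter("inner", [
    Rule("allow", WEB_SERVER, DB_SERVER, 5432),
])


def dmz_path(pkt: Packet) -> str:
    """Run the packet through every firewall it would cross and report the verdict."""
    hops: List[PacketFilter] = []
    if not in_net(pkt.src, DMZ_NET) and not in_net(pkt.src, INTERNAL_NET):
        hops.append(OUTER)  # entering from the public Internet
    if in_net(pkt.dst, INTERNAL_NET) and not in_net(pkt.src, INTERNAL_NET):
        hops.append(INNER)  # crossing into the private network
    for fw in hops:
        if fw.decide(pkt) == "deny":
            return "denied by " + fw.name
    return "allowed"


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.7", "192.0.2.10", 443),  # customer browsing the shop
                Packet("203.0.113.7", "10.0.0.5", 5432),   # Internet host aiming at the DB
                Packet("192.0.2.10", "10.0.0.5", 5432),    # Web server querying the DB
                Packet("192.0.2.10", "10.0.0.5", 22)):     # Web server trying SSH to the DB
        print(pkt, "->", dmz_path(pkt))
```

Note that a compromised DMZ Web server still reaches the database only on the one permitted port; that containment is the point of the second firewall.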

3. How does a VPN work, and what are its benefits to users?

A VPN is a network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network.  It allows users to safely access protected network assets.

4. Briefly describe the major types of IDSs.

Audit logs – show attempted logins and system use
Host-based IDS – watches for unauthorized file changes
Network-based IDS – examines network traffic
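As an added example (not from the textbook), the following Python shows two of the IDS building blocks listed above: an audit-log check that flags source addresses with repeated failed logins, and a host-based check that fingerprints watched files and reports unauthorized changes. The log lines, file paths and file contents are constructed for the example.

```python
"""Audit-log and host-based IDS checks (added example with constructed data)."""
import hashlib
import re
from collections import Counter
from typing import Dict

# Constructed audit-log excerpt in the style of a Unix auth log (not a real capture).
AUDIT_LOG = """\
Mar 14 02:11:03 shop sshd[4123]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 14 02:11:05 shop sshd[4123]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 14 02:11:08 shop sshd[4125]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar 14 02:11:10 shop sshd[4125]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar 14 02:13:44 shop sshd[4130]: Failed password for alice from 198.51.100.2 port 40011 ssh2
Mar 14 02:13:50 shop sshd[4130]: Accepted password for alice from 198.51.100.2 port 40011 ssh2
"""

FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def failed_login_sources(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Count failed logins per source address; return those at or above threshold."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match.group(2)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 fingerprint of each watched file (the known-good state)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def file_changes(known_good: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, str]:
    """Compare the current files with the baseline: modified, deleted or added."""
    now = baseline(current)
    report: Dict[str, str] = {}
    for path, digest in known_good.items():
        if path not in now:
            report[path] = "deleted"
        elif now[path] != digest:
            report[path] = "modified"
    for path in now:
        if path not in known_good:
            report[path] = "added"
    return report


# Constructed watched files: the disk at baseline time and at check time.
GOOD_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
              "/usr/bin/ls": b"ELF placeholder bytes"}
CURRENT_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nextra:x:1001:1001::/home/extra:/bin/sh\n",
                 "/usr/bin/ls": b"ELF placeholder bytes",
                 "/usr/bin/lss": b"unexpected new binary"}

if __name__ == "__main__":
    print("repeated failed logins:", failed_login_sources(AUDIT_LOG))
    print("file changes:", file_changes(baseline(GOOD_FILES), CURRENT_FILES))
```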

5. What is a honeynet? What is a honeypot?

Honeynet – a method of evaluating the vulnerabilities of a system using honeypots
Honeypot – a system used to study network intrusions

6. Describe e-mail security.

Complete e-mail security can include:
·       Antivirus and antispam
·       E-mail encryption
·       Outbound filtering

7. How can cloud computing help?

Cloud computing provides for better data integrity, while reducing costs.


Section 9.8 Review Questions

1. What are general controls? List the various types.

Controls established to protect the system regardless of the specific application. For example, protecting hardware and controlling access to the data center are independent of the specific application. 

2. What are administrative controls?

Administrative controls deal with issuing guidelines and monitoring compliance with the guidelines.

3. Define application controls.

Controls that are intended to protect specific applications.

4. How does one protect against spam?

Companies can protect against spam by filtering email and working with providers on policies. 

5. How does one protect against pop-ups?

Generally, through the use of pop-up-blocking tools in browsers and toolbars.

6. How does one protect against phishing, spyware, and malvertising?

These can be protected against through a combination of security applications and education.


Section 9.9 Review Questions

1. Why do organizations need a business continuity plan?

The purpose of a business continuity plan is to keep the business running after a disaster occurs. Each function in the business should have a valid recovery capability plan.

2. List three issues a business continuity plan should cover.

·       Understand business & IT requirements
·       Evaluate current capabilities
·       Develop continuity plan

3. Identify two factors that influence a company’s ability to recover from a disaster.

Two examples include proper planning and asset protection.

4. What types of devices are needed for disaster avoidance?

A variety of options are available to help avoid disasters. The simplest is the use of uninterruptible power supply (UPS) systems to help avoid issues created by power outages.

5. How can you calculate expected loss?

Using risk management analysis, it is possible to estimate losses based on different scenarios.

6. List two ethical issues associated with security programs.

Examples include constant monitoring of activities and possible invasion of privacy.


Section 9.10 Review Questions

1. If senior management is not committed to EC security, how might that impact the e-business?

Student answers will vary, but lack of management support generally leads to the failure of an initiative.

2. What is a benefit of using the risk exposure model for EC security planning?

It allows the firm to allocate capital to the areas of greatest organizational importance.

3. Why should every company implement an acceptable use policy?

Student responses will vary, but these policies help to define parameters and are useful in planning.

4. Why is training required?

Since systems are unique and changing, it is important to train staff on their acceptable use and policy.

5. List the six major reasons why it is difficult to stop computer crimes.

·       Would Make Shopping Inconvenient
·       Lack of Cooperation from Credit Card Issuers
·       Shoppers’ Negligence
·       Design and Architecture Issues
·       Ignoring EC Security Best Practices
·       Lack of Due Care in Business Practices


Answers to EC Application Case Questions

EC Application Case 9.1:

INTERNET STOCK FRAUD AIDED BY SPAM


1. Why might people buy the penny stocks promoted in an e-mail message from an unknown source?

Individuals may be looking to make some quick, easy money.

2. Use Google or Bing to find out what can be done to filter image spam.

Student searches and results will vary.


EC Application Case 9.2:

BUSINESS CONTINUITY AND DISASTER RECOVERY

1. Why might a company that had a significant data loss not be able to recover?

They may be completely unable to recreate the information that was lost.

2. Why are regulators requiring that companies implement BC/DR plans?

To ensure that companies are able to recover, and fulfill their obligations.


Answers to Discussion Questions

1. Consider how a hacker might trick people into giving him their user IDs and passwords to their Amazon.com accounts. What are some of the ways that a hacker might accomplish this? What crimes can be performed with such information?

Student responses will vary.  The most common approach would probably be a phishing email, indicating a need to “verify” account information by going to a false Web site.

2. B2C EC sites continue to experience DoS attacks. How are these attacks perpetrated? Why is it so difficult to safeguard against them? What are some of the things a site can do to mitigate such attacks?

DoS attacks come from many computers (zombies) at the same time. It is therefore difficult to isolate just the attacker’s IP address and shut off traffic from it. Use of a firewall may help mitigate these attacks.

3. How are botnet identity theft attacks and Web site hijacks perpetrated? Why are they so dangerous to e-commerce?

Student answers will vary.  Attacks are generally perpetrated by infecting large numbers of computer systems (botnets) or controlling data entering and exiting other Web sites (hijacks).  Both are dangerous because they steal personal information that can later be used for identity theft.  This represents a danger to EC because it pushes away potential customers.

4. Discuss some of the difficulties of eliminating online financial fraud.

The primary difficulties are the constantly changing attacks and individuals’ lack of understanding of security.

5. Some companies prefer not to have disaster recovery plans. Under what circumstances does this make sense? Discuss.

This does not make sense; all companies should be able to recover their data in the event of an emergency.

6. Enter idesia-biometrics.com and look at its product. Discuss these benefits over other biometrics.

Student searches and opinions will vary.

7. Enter trendsecure.com and find a tool called HijackThis. Try the free tool. Find an online forum that deals with it. Discuss the benefits and limitations.

Student searches and opinions will vary.

8. Find information about the Zeus Trojan. Discuss why it is so effective as a financial data stealer. Why is it so difficult to mitigate this Trojan? Hint: See Falliere and Chien (2009).

Student searches and opinions will vary.

9. Find information about the scareware social engineering method. Why do you think it is so effective?

Student searches and opinions will vary.

10. The National Vulnerability Database (NVD) is a comprehensive cybersecurity database that integrates all publicly available U.S. government vulnerability resources and provides references to industry resources. Visit nvd.nist.gov and review 10 of the recent CVE vulnerabilities. For each vulnerability, list its published date, CVSS severity, impact type, and the operating system or software with the vulnerability.

Student searches and opinions will vary.

Topics for Class Discussion and Debates

1. Survey results on the incidence of cyber attacks paint a mixed picture; some surveys show increases, others show decreases. What factors could account for the differences in the reported results?

Student opinions will vary.  The major issue may be how many attacks are reported.

2. A business wants to share its customer account database with its trading partners, while at the same time providing prospective buyers with access to marketing materials on its Web site. Assuming that the business is responsible for running all these systems, what types of security components (e.g., firewalls, VPNs, etc.) could be used to ensure that the partners and customers have access to the account information and others do not? What type of network administrative procedures will provide the appropriate security?

Student opinions will vary.  The system required would need to meet strenuous security requirements due to the nature of information available and the number of integration points.

3. Why is it so difficult to fight computer criminals? What strategies can be implemented by financial institutions, airlines, and other heavy users of EC?

Student opinions will vary.  The discussion will focus on intentions and budgets to address them.

4. All EC sites share common security threats and vulnerabilities. Do you think that B2C Web sites face different threats and vulnerabilities than B2B sites? Explain.

Student opinions will vary.  The discussion will focus on both the areas of weakness and the types of attacks directed at them.

5. Why is phishing so difficult to control? What can be done? Discuss.

Student opinions will vary.  The debate will focus on training and its effectiveness.

6. Debate: The best strategy is to invest very little and only in proven technologies such as encryption and firewalls.

Student opinions will vary.  The debate will focus on the issues of costs versus risk.

7. Debate: Can the underground Internet marketplace be controlled? Why or why not?

Student opinions will vary.  The debate will focus on individual motivations and the cost of products.

8. Debate: Is taking your fingerprints or other biometrics to assure EC security a violation of your privacy?

Student opinions will vary.  The debate will be on the extent of privacy.

9. A body scan at airports created a big debate. Debate both points of this issue and relate it to EC security.

Student opinions will vary.  The debate will focus on privacy versus security.


Internet Exercises
(Note: URLs may change over time; please check the Internet Exercises on the Turban Web site for possible updates: www.pearsonhighered.com/turban.)

1. Your B2C site has been hacked. List two organizations where you would report this incident so that they can alert other sites. How do you do this, and what type of information do you have to provide?

Student responses will vary based on the location of the hack.

2. Connect to the Internet. Determine the IP address of your computer by visiting at least two Web sites that provide that feature. You can use a search engine to locate Web sites or visit ip-adress.com or whatismyipaddress.com. What other information does the search reveal about your connection? Based on this information, how could a company or hacker use that information?

Student results and reports will vary based on date of research and sites selected.

3. Enter the site of Perimeter eSecurity and find the white paper “Institutional Identity Theft.” Compare institutional identity theft with personal identity theft. How can a company protect itself against identity theft?

Student results and reports will vary based on date of research.  Potential solutions selected will also vary.

4. The National Strategy to Secure Cyberspace provides a series of actions and recommendations for each of its five national priorities. Search and download a copy of the strategy online. Selecting one of the priorities, discuss in detail the actions and recommendations for that priority.

Student results and reports will vary based on date of research and which priority is evaluated.

5. The Symantec Internet Security Threat Report provides details about the trends in attacks and vulnerabilities in Internet security. Obtain a copy of the report and summarize the major findings of the report for both attacks and vulnerabilities.

Student results and reports will vary based on date of research.

6. Enter perimeterusa.com and look for a white paper titled “Top 9 Network Security Threats in 2009.” Summarize these threats. Then look for a paper titled “The ABC’s of Social Engineering.” Summarize the suggested defense.

Student opinions and reports will vary based on what threats are compared.

7. Enter security firm finjan.com and find examples of underground Internet activities in five different countries. Prepare a summary.

Student results and reports will vary based on date of research.

8. Enter ftc.gov/bcp/edu/microsites/idtheft, identytheft.info, idtheftcenter.org, and identytheftprotection.org. Find information about: the prevention, protection against, cases about, and survival of identity theft. Write a report.

Student results and reports will vary based on date of research and the content selected.

9. Enter verisign.com and find information about PKI and encryption. Write a report.

Student results and reports will vary based on date of research.  The use of key-based encryption will be evaluated.

10. Enter gfi.com/emailsecuritytest and similar sites. Write some guidelines for protecting your PC.

Student reports will vary based on their perceptions of the threats.

11. Enter hijackthis.com. Do a free scan of your computer. Comment on the report you received.

Student results and reports will vary based on date of research and report received.

12. Enter blackhat.com. Find out what they are about. Summarize some of their activities.

Student results and reports will vary based on date of research.

13. Enter bsimm.com/community. Describe the activities of the community and how it helps to fight cybercrime.

Student results and reports will vary based on date of research and activities selected.


Team Assignments and Role Playing

1. Assignment for the Opening Case
Read the opening case and answer the following questions:
a. What kind of attack was it?

It was a botnet attack.

b. Why was it difficult to stop it and to recover?

The infection was spread through all computers, and was self-spreading.

c. What do you think motivated Maxwell to conduct the attack?

Opinions will vary – it does not appear to be a financial motivation.

d. After the incident, the hospital added more layers of defense. Why did they not have it before?

They were either unaware they needed it, or unwilling to dedicate the budget to it.

e. After reading Section 9.7, what do you think can be done on top of what has been done to prevent the incident?

Employee education may also have helped stop its spread.

f. Is the punishment severe enough to deter others? Why or why not?

Student opinion will vary.

2. Assign teams to report on the major spam and scam threats. Examine examples provided by ftc.gov, the Symantec report on the state of spam (2009), and white papers from IBM, Verisign, and other security firms.

Student reports will vary based on the topic assigned.

3. Several personal firewall products are available.  A list of these products can be found at firewallguide.com/software.htm.  Assign each team three products from the list.  Each team should prepare a detailed review and comparison of each of the products they have been assigned.

Student reports will vary based on the products evaluated.

4. Enter symantec.com/business/security_response/whitepapers.jsp and find the white papers: (1) “The Risks of Social Networking” and (2) “The Rise of PDF Malware.” Prepare a summary of both and find how they relate to each other.

Student responses and opinions will vary.

5. Watch the video “Cyber Attacks and Extortion” at searchsecurity.techtarget.com/video/0,297151,sid14_gci1345344,00.html. Answer the following questions:
a. Why are there more extortions online today? How are they accomplished?
b. What is involved in targeted e-mail attacks?
c. What is an SQL injection attack?

Student responses and opinions will vary. This is an interesting video with details that students will respond to differently.

6. Data leaks can be a major problem. Find all the major defense methods. Check all major security vendors (e.g., Symantec). Find white papers and Webinars on the subject.

Student responses and opinions will vary.

7. Each team is assigned to one method of fighting against online fraud. Each method should deal with a different type of fraud (e.g., banking [try IBM’s ZTIC], identify suspicious e-mails, dealing with cookies in Web browsers, credit card protection, securing wireless networks, installing antiphishing protection for your browser with phishing filter, and so forth).

Student responses and opinions will vary based on the method assigned.


Answers to End-of-Chapter Real-World Case Questions: HOW TWO BANKS STOPPED SCAMS, SPAMS, AND CYBERCRIMINALS


1. List the major security problems of CNB of Oklahoma and relate them to the attack methods described in Sections 9.2 through 9.4.

Many of the attack methods are represented including malware, spam, and viruses.

2. In what ways has CNB solved the e-mail problems? (List specific problems and solutions).

·       Malware – blocked Web sites, blocked the ability to download executables
·       Viruses – scanning at the server and desktop level
·       Confidentiality of e-mail content – use of encryption

3. Given the problems of CNB and its solutions, what is an even better defense mechanism? (Use Sections 9.6 through 9.10, and what you can find on the Web.)

Student opinions will vary – may include the use of a firewall/DMZ.

4. List the major security problems faced by BankWest and relate them to the attack methods described in Sections 9.2 through 9.4.

It appears that phishing scams were the primary issue.

5. In what ways has BankWest solved the fraud schemes?

It has focused on user education on the nature and current trends of scams.

6. Given the problems of BankWest and its solutions, what is an even better defense mechanism?

Opinions will vary, but software-based phishing blockers might be added.

Practice Test

1) According to the CSI Computer Crime and Security Survey, firewalls were the most commonly used defense technologies in 2008. 
Answer:  FALSE

2) According to the CSI Computer Crime Security Survey, the most frequently occurring computer attacks were from viruses in 2008.
Answer:  TRUE

3) The Internet and its network protocols were never intended for use by untrustworthy people or criminals.
Answer:  TRUE

4) Keystroke logging captures and records user keystrokes.
Answer:  TRUE

5) Cybercrimes are intentional crimes carried out on the Internet.
Answer:  TRUE

6) An EC security strategy requires multiple layers of defense against risks from malware, fraudsters, customers, and employees. 
Answer:  TRUE

7) Detection measures are actions that will make criminals abandon their idea of attacking a specific system.
Answer:  FALSE

8) Internet fraud has grown even faster than the Internet itself.
Answer:  TRUE

9) Confidentiality, integrity, and awareness are the three components of the CIA security triad.
Answer:  FALSE

10) An encryption algorithm is the mathematical formula used to encrypt plaintext into ciphertext, and vice versa.
Answer:  TRUE

11) Strong EC security makes online shopping more convenient for customers.
Answer:  FALSE

12) Shoppers can rely on fraud protection provided by credit card issuers to protect them from identity theft. 
Answer:  FALSE

13) Phishing is rampant because some people respond to it and make it profitable.
Answer:  TRUE

14) Which of the following is the underlying reason why comprehensive EC security is necessary?
A) The Internet was designed for maximum efficiency without regard for its security or users with malicious intent.
B) The shift toward profit-motivated crimes
C) Security costs and efforts from reacting to online attacks and paying for damages are greater than if an EC security strategy is in place.
D) Many companies fail to implement basic IT security management best practices, business continuity plans, and disaster recovery plans.
Answer:  A

15) The process of verifying the real identity of an individual, computer, computer program, or EC Web site best describes:
A) integrity.
B) authentication.
C) availability.
D) nonrepudiation.
Answer:  B

16) The assurance that an online customer or trading partner cannot falsely deny their purchase or transaction is referred to as:
A) integrity.
B) availability.
C) authentication.
D) nonrepudiation.
Answer:  D

17) ________ is the criminal, fraudulent process of attempting to acquire confidential information by masquerading as a trustworthy entity.
A) Spamming
B) Pretexting
C) Social engineering
D) Phishing
Answer:  D

18) ________ is the process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform.
Answer:  Authorization

19) ________ is the assurance that online customers or trading partners cannot falsely deny their purchase or transaction.
Answer:  Nonrepudiation

20) ______________ is the assurance that data are accurate or that a message has not been altered.
Answer:  Integrity 

21) ________ is the assurance of data privacy.
Answer:  Confidentiality

22) ________ is the process of scrambling a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble it.
Answer:  Encryption

23) ________ are barriers between a trusted network or PC and the untrustworthy Internet.
Answer:  Firewalls

24) Compare current motives of hackers to those of the past. 
Answer:  In the early days of EC, many hackers simply wanted to gain fame or notoriety by defacing Web sites or gaining root, that is, unrestricted administrative access to a system. Criminals and criminal gangs are now profit oriented, and their tactics are not limited to the online world.

25) List and briefly describe the three components of the CIA security triad.
Answer:  The CIA triad includes confidentiality, integrity, and availability. Confidentiality is the assurance of data privacy: the stored data or transmitted message is encrypted so that it is readable only by the person for whom it is intended, and the confidentiality function prevents unauthorized disclosure of information. Integrity is the assurance that data are accurate or that a message has not been altered: stored data have not been modified without authorization, and the message that was sent is the same message that was received. Availability is the assurance that access to data, the Web site, or other EC data service is timely and reliable for authorized users.

26) List the six major objectives of EC defense strategies.
Answer:  Prevention and deterrence, detection, containment, recovery, correction, and awareness and compliance are the six objectives.

27) Briefly discuss the five encryption components.
Answer:  The five components are plaintext, encryption algorithm, key or key value, key space, and ciphertext. Plaintext is the original message or document, in human-readable form, that the user wants to protect. The encryption algorithm is the set of procedures or mathematical functions used to encrypt or decrypt a message. The key or key value is the secret value used with the algorithm to transform the message; the same algorithm with a different key produces different ciphertext. Key space is the set of all possible key values for a given algorithm and key length; the larger the key space, the longer an attacker who simply tries every key (a brute-force attack) must work. Ciphertext is the message or document after encryption, unreadable without the key.
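The following added example (not from the textbook or this instructor's manual) puts the five components next to each other in runnable Python. It uses a deliberately weak repeating-key XOR as the encryption algorithm so that the key space of a 2-byte key is small enough to exhaust in well under a second; a real cipher such as AES-128 has a key space of 2^128 and the same brute-force loop would never finish. The plaintext, key and guessing rate are constructed values chosen for the example.

```python
import itertools
from typing import Optional

# Component 1: plaintext, a constructed sample in human-readable form.
PLAINTEXT = b"transfer 500 to account 42"


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Component 2: the encryption algorithm, here repeating-key XOR.

    The same function decrypts, because (p ^ k) ^ k == p. This is a toy
    cipher used only to make the components visible; it is not secure.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_space_size(key_length_bytes: int) -> int:
    """Component 4: the key space, i.e. how many distinct keys of this length exist."""
    return 256 ** key_length_bytes


def brute_force(ciphertext: bytes, key_length_bytes: int,
                known_prefix: bytes) -> Optional[bytes]:
    """Try every key in the key space and return the first one whose
    decryption starts with a known plaintext fragment (a 'crib').

    Feasible here only because the key space is tiny (65,536 keys for a
    2-byte key); the loop is the attack that a large key space defeats.
    """
    for candidate in itertools.product(range(256), repeat=key_length_bytes):
        key = bytes(candidate)
        if xor_encrypt(ciphertext, key).startswith(known_prefix):
            return key
    return None


def brute_force_years(key_bits: int, guesses_per_second: float) -> float:
    """Time to try every key of a given size at a given (constructed) rate.

    On average a key is found after half the space is searched; the point is
    the order of magnitude, not the exact figure.
    """
    seconds = 2 ** key_bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    key = b"K7"  # Component 3: a constructed 16-bit key value
    ciphertext = xor_encrypt(PLAINTEXT, key)  # Component 5: ciphertext
    print("ciphertext :", ciphertext.hex())
    print("decrypted  :", xor_encrypt(ciphertext, key))
    print("key space for a 2-byte key:", key_space_size(2))
    print("key recovered by brute force:", brute_force(ciphertext, 2, b"transfer"))
    print("years to exhaust a 128-bit key space at 1e12 guesses/s:",
          f"{brute_force_years(128, 1e12):.3e}")
```

Run it and the 2-byte key is recovered almost instantly, while the last line shows that even at a trillion guesses per second a 128-bit key space takes on the order of 10^19 years to exhaust. The crib in `brute_force` also illustrates why known or guessable plaintext (a fixed header, a greeting) helps an attacker: it is what tells the loop that a candidate key is right.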

28) Briefly describe four major components for protecting internal information flow inside an organization.
Answer:  Firewall, virtual private network, intrusion detection system, and honeynet and honeypot are four components. A firewall is a single point between two or more networks through which all traffic must pass; the device filters, controls, and logs that traffic according to a security policy. A virtual private network is a network that uses the public Internet to carry information but remains private by using encryption to keep the communications confidential, message authentication to detect tampering, and access control to verify the identity of anyone using the network. Intrusion detection systems are a special category of software that monitor activity across a network or on a host computer, watch for suspicious activity, and alert or take automated action based on what they see. A honeypot is a decoy system that appears to do real work but is watched to study how intrusions occur; a honeynet is a network of honeypots.
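As an added example (not from the textbook), the following Python models the two pieces of this answer that students most often get wrong in practice: a firewall as a single choke point that applies an ordered rule list with a default deny and logs every decision, and an intrusion detection system as something that reads that log and raises an alert on a pattern (here, one source denied on several different ports, which is what a port scan looks like). The rule set, the connection records and the alert threshold are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # source address or "any"
    dst: str                  # destination address or "any"
    dst_port: Optional[int]   # None matches any port
    proto: str = "any"

    def matches(self, c: Connection) -> bool:
        return ((self.src == "any" or self.src == c.src)
                and (self.dst == "any" or self.dst == c.dst)
                and (self.dst_port is None or self.dst_port == c.dst_port)
                and (self.proto == "any" or self.proto == c.proto))


# Constructed rule set. Order matters: the first matching rule wins, and a
# connection that matches no rule falls through to the default deny.
RULES: List[Rule] = [
    Rule("allow", "any", "10.0.0.5", 443),          # public web server
    Rule("allow", "10.0.1.10", "10.0.0.5", 22),     # one admin host may SSH
    Rule("deny", "any", "10.0.0.5", 22),            # nobody else may
]

# Constructed sample traffic arriving at the choke point.
SAMPLE_TRAFFIC: List[Connection] = [
    Connection("198.51.100.7", "10.0.0.5", 443),    # allowed by rule 0
    Connection("10.0.1.10", "10.0.0.5", 22),        # allowed by rule 1
    Connection("198.51.100.7", "10.0.0.5", 22),     # denied by rule 2
    Connection("198.51.100.7", "10.0.0.5", 23),     # default deny
    Connection("198.51.100.7", "10.0.0.5", 3389),   # default deny
    Connection("203.0.113.9", "10.0.0.5", 80),      # default deny, single port
]


def filter_connection(c: Connection, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Firewall decision: (action, reason). First match wins; default deny."""
    for i, rule in enumerate(rules):
        if rule.matches(c):
            return rule.action, f"rule {i}"
    return "deny", "default"


def run_firewall(conns: List[Connection], rules: List[Rule] = RULES) -> List[str]:
    """Apply the policy to every connection and log every decision, not just denials."""
    log = []
    for c in conns:
        action, reason = filter_connection(c, rules)
        log.append(f"{action} {c.proto} {c.src} -> {c.dst}:{c.dst_port} ({reason})")
    return log


def detect_port_scans(log: List[str], threshold: int = 3) -> List[str]:
    """IDS-style check over the firewall log: flag any source that was denied
    on `threshold` or more distinct destination ports."""
    denied_ports = defaultdict(set)
    for line in log:
        if not line.startswith("deny "):
            continue
        parts = line.split()            # "deny tcp SRC -> DST:PORT (reason)"
        src = parts[2]
        port = int(parts[4].rsplit(":", 1)[1])
        denied_ports[src].add(port)
    return sorted(src for src, ports in denied_ports.items() if len(ports) >= threshold)


if __name__ == "__main__":
    log = run_firewall(SAMPLE_TRAFFIC)
    print("\n".join(log))
    print("port-scan alerts:", detect_port_scans(log))
```

Two details are worth pointing out to students. The firewall logs allowed traffic as well as denied traffic, because the IDS (and an incident responder) needs both to reconstruct what happened. And rule order is part of the policy: move the general `deny ... 22` rule above the admin `allow` and the admin host is locked out, since the first match wins.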

Chapter Test

1. Preventing vulnerability during the EC design and pre-implementation stage is far more expensive than mitigating problems later.
A.    True
B.    False

2. Phishing is rampant because some people respond to it and make it profitable.
A.    True
B.    False

3. Access control involves authorization and authentication.
A.    True
B.    False

4. The key reasons why EC criminals cannot be stopped include each of the following except:
A.    Online shoppers do not take necessary precautions to avoid becoming a victim.
B.    Strong EC security makes online shopping inconvenient and demanding on customers.
C.    Sophisticated hackers use browsers to crack into Web sites.
D.    There is lack of cooperation from credit card issuers and foreign ISPs.

5. The assurance that an online customer or trading partner cannot falsely deny their purchase or transaction is referred to as:
A.    nonrepudiation.
B.    integrity.
C.    availability.
D.    authentication.

6. Fingerprint scanners, facial recognition systems, and voice recognition are examples of ________ that recognize a person by some physical trait.
A.    access control lists
B.    human firewalls
C.    biometric systems
D.    intrusion detection systems

7. ________ is the criminal, fraudulent process of attempting to acquire confidential information by masquerading as a trustworthy entity.
A.    Phishing
B.    Pretexting
C.    Social engineering
D.    Spamming

8. A botnet is:
A.    a huge number of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet.
B.    a piece of code in a worm that spreads rapidly and exploits some known vulnerability.
C.    a production system that looks like it does real work, but that acts as a decoy and is watched to study how network intrusions occur.
D.    a piece of software code that inserts itself into a host or operating system to launch DOS attacks.

9. A summary of a message, converted into a string of digits after the hash has been applied, best describes:
A.    digital envelope.
B.    hash.
C.    message digest.
D.    digital signature.

10. A law that makes it a crime to send commercial e-mail messages with false or misleading message headers or misleading subject lines is:
A.    SSL.
B.    EEA.
C.    DMCA.
D.    CAN-SPAM.

11. The work atmosphere that a company sets for its employees describes:
A.    standard of due care.
B.    internal control environment.
C.    acceptable use policy.
D.    internal politics.

12. The combination of the encrypted original message and the digital signature, using the recipient's public key, best describes:
A.    digital envelope.
B.    digital signature.
C.    hash.
D.    message digest.

13. The success and security of EC is measured by:
A.    confidentiality, integrity, and availability.
B.    quality, reliability, and speed.
C.    encryption, functionality, and privacy.
D.    authentication, authorization, and nonrepudiation.

14. Each of the following is a true statement about access control except:
A.    All resources need to be considered together to identify the rights of users or categories of users.
B.    Access control lists (ACLs) define users' rights, such as what they are allowed to read, view, write, print, copy, delete, execute, modify, or move.
C.    Access control determines which persons, programs, or machines can legitimately use a network resource and which resources he, she, or it can use.
D.    After a user has been identified, the user must be authenticated.

15. Assurance that stored data has not been modified without authorization and a message that was sent is the same message that was received is referred to as:
A.    nonrepudiation.
B.    availability.
C.    authentication.
D.    integrity.

16.  The motives of hackers have shifted from the desire for fame and notoriety to advancing personal and political agendas.
A.    True
B.    False

17. Keystroke logging captures and records user keystrokes.
A.    True
B.    False

18. Cybercrimes are intentional crimes carried out on the Internet.
A.    True
B.    False

19. Social engineering is an example of an unintentional threat.
A.    True
B.    False

20. Authentication provides the means to reconstruct what specific actions have occurred and may help EC security investigators identify the person or program that performed unauthorized actions.
A.    True
B.    False

21. The process of verifying the real identity of an individual, computer, computer program, or EC Web site best describes:
A.    authentication.
B.    nonrepudiation.
C.    availability.
D.    integrity.

22. Encryption components include each of the following except:
A.    key value.
B.    encryption algorithm.
C.    ciphertext.
D.    internal control environment.

23. Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction best defines:
A.    anti-virus protection. 
B.    security audit. 
C.    incident management. 
D.    information security. 

24. The protection of information systems against unauthorized access to or modification of information that is stored, processed, or being sent over a network is referred to as: 
A.    data integrity. 
B.    human firewall. 
C.    information assurance. 
D.    information integrity. 

25. An attack on a website in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources best describes: 
A.    botnet infestation. 
B.    denial-of-service attack. 
C.    cyberhijacking. 
D.    cyberraid.