Introduction to Electronic Commerce, 3e (Turban)
Chapter 9 Electronic Commerce Security and Fraud Protection
9.1 True/False
1) According to the CSI Computer Crime and Security Survey, firewalls were the most
commonly used defense technologies in 2008.
2) According to the CSI Computer Crime and Security Survey, the most frequently occurring
computer attacks were from viruses in 2008.
3) The Internet and its network protocols were never intended for use by untrustworthy people or
criminals.
4) The Internet was designed for maximum efficiency and security by providing for error
checking to ensure that the message was sent and received correctly.
5) The motives of hackers have shifted from the desire for fame and notoriety to advancing
personal and political agendas.
6) Keystroke logging captures and records user keystrokes.
7) Information security departments with huge workloads and limited budgets optimize their EC
security programs for efficiency and tend to work strategically.
8) Social engineering is an example of an unintentional threat.
9) Cybercrimes are intentional crimes carried out on the Internet.
10) Authentication provides the means to reconstruct what specific actions have occurred and
may help EC security investigators identify the person or program that performed unauthorized
actions.
11) An EC security strategy requires multiple layers of defense against risks from malware,
fraudsters, customers, and employees.
12) Detection measures are actions that will make criminals abandon their idea of attacking a
specific system.
13) Propagation method and payload are the two components of a virus.
14) Worms cannot spread via instant messages.
15) Internet fraud has grown even faster than the Internet itself.
16) Honeypots are blogs created solely for marketing purposes.
17) Confidentiality, integrity, and awareness are the three components of the CIA security triad.
18) Access control involves authorization and authentication.
19) Encryption algorithm is the mathematical formula used to encrypt plaintext into ciphertext,
and vice versa.
20) An intrusion detection system uses the public Internet to carry information but remains
private by using encryption, authentication, and access control to verify the identity of anyone
using the network.
21) Strong EC security makes online shopping more convenient for customers.
22) Shoppers can rely on fraud protection provided by credit card issuers to protect them from
identity theft.
23) Phishing is rampant because some people respond to it and make it profitable.
24) Preventing vulnerability during the EC design and pre-implementation stage is far more
expensive than mitigating problems later.
25) Due care in EC is those actions that a company is reasonably expected to take based on the
risks affecting its business and transactions.
9.2 Multiple Choice
1) Which of the following is the underlying reason why comprehensive EC security is necessary?
A) The Internet was designed for maximum efficiency without regard for its security or users
with malicious intent.
B) The shift toward profit-motivated crimes
C) Security costs and efforts from reacting to crises and paying for damages are greater than if an
EC strategy is in place.
D) Many companies fail to implement basic IT security management best practices, business
continuity plans, and disaster recovery plans.
2) The probability that a vulnerability will be known and used best describes
A) risk.
B) security breach.
C) exposure.
D) access point.
3) The process of verifying the real identity of an individual, computer, computer program, or
EC Web site best describes
A) integrity.
B) availability.
C) authentication.
D) nonrepudiation.
4) The assurance that an online customer or trading partner cannot falsely deny their purchase or
transaction is referred to as
A) integrity.
B) availability.
C) authentication.
D) nonrepudiation.
5) The protection of information systems against unauthorized access to or modification of
information that is stored, processed, or being sent over a network is referred to as
A) information assurance.
B) data integrity.
C) information integrity.
D) packet protection.
6) A botnet is
A) a huge number of hijacked Internet computers that have been set up to forward traffic,
including spam and viruses, to other computers on the Internet.
B) a piece of software code that inserts itself into a host or operating system to launch DoS
attacks.
C) a piece of code in a worm that spreads rapidly and exploits some known vulnerability.
D) a production system that looks like it does real work, but that acts as a decoy and is watched
to study how network intrusions occur.
7) ________ is the criminal, fraudulent process of attempting to acquire confidential information
by masquerading as a trustworthy entity.
A) Spamming
B) Pretexting
C) Social engineering
D) Phishing
8) Assurance that stored data has not been modified without authorization and a message that
was sent is the same message that was received is referred to as
A) integrity.
B) availability.
C) authentication.
D) nonrepudiation.
9) The success and security of EC are measured by
A) encryption, functionality, and privacy.
B) quality, reliability, and speed.
C) authentication, authorization, and nonrepudiation.
D) confidentiality, integrity, and availability.
10) The mechanism that determines who can legitimately use a network resource best describes
A) access control.
B) confidentiality.
C) key encryption.
D) digital envelope.
11) Each of the following is a true statement about access control except:
A) Access control determines which persons, programs, or machines can legitimately use a
network resource and which resources he, she, or it can use.
B) Access control lists (ACLs) define users’ rights, such as what they are allowed to read, view,
write, print, copy, delete, execute, modify, or move.
C) All resources need to be considered together to identify the rights of users or categories of
users.
D) After a user has been identified, the user must be authenticated.
12) Fingerprint scanners, facial recognition systems, and voice recognition are examples of
________ that recognize a person by some physical trait.
A) biometric systems
B) human firewalls
C) intrusion detection systems
D) access control lists
13) Encryption components include each of the following except
A) encryption algorithm.
B) key value.
C) ciphertext.
D) internal control environment.
14) A scheme for securing e-payments using public key encryption and various technical
components best describes
A) message digesting.
B) Data Encryption Standard.
C) public key infrastructure.
D) key space.
15) A method of encryption that uses a pair of matched keys, including a public key to encrypt a
message and a private key to decrypt it, describes
A) data encryption standard.
B) public asymmetric key encryption.
C) symmetric private key encryption.
D) paired key encryption.
16) Security functions or characteristics of digital signatures include each of the following
except:
A) A digital signature is the electronic equivalent of a personal signature, which can be forged.
B) Digital signatures are based on public keys for authenticating the identity of the sender of a
message or document.
C) Digital signatures ensure that the original content of an electronic message or document is
unchanged.
D) Digital signatures are portable.
17) A summary of a message, converted into a string of digits after the hash has been applied,
best describes
A) digital signature.
B) hash.
C) message digest.
D) digital envelope.
18) The combination of the encrypted original message and the digital signature, using the
recipient’s public key, best describes
A) digital envelope.
B) message digest.
C) hash.
D) digital signature.
19) The ________ was invented by Netscape to use standard certificates for authentication and
data encryption to ensure privacy or confidentiality.
A) certificate authority
B) public key infrastructure
C) secure sockets layer
D) digital envelope
20) Which of the following is not an advantage of virtual private networks (VPN) for data
communications?
A) They are less expensive than private leased lines because they use the public Internet to carry
information.
B) They ensure the confidentiality and integrity of the data transmitted over the Internet without
requiring encryption.
C) They can reduce communication costs dramatically because VPN equipment is cheaper than
other remote solutions.
D) Remote users can use broadband connections rather than make long distance calls to access
an organization’s private network.
21) A method used to ensure confidentiality and integrity of data transmitted over the Internet by
encrypting data packets, sending them in packets across the Internet, and decrypting them at the
destination address best describes
A) packet control.
B) transport layer security.
C) protocol tunneling.
D) packet segmentation.
22) A special category of software that can monitor activity across a network or on a host
computer, watch for suspicious activity, and take automated action based on what it sees best
describes
A) honeynet.
B) intrusion detection system.
C) firewall.
D) virtual private network.
23) Which of the following are controls established to protect the system regardless of the
application?
A) general controls
B) application controls
C) broad controls
D) systems controls
24) A method of evaluating the security of a computer system or a network by simulating an
attack from a malicious source best describes
A) beta test.
B) stress test.
C) penetration test.
D) intrusion test.
25) Software applications that have some degree of reactivity, autonomy, and adaptability best
describes
A) EC avatars.
B) EC bots.
C) worms.
D) intelligent agents.
26) The work atmosphere that a company sets for its employees describes
A) acceptable use policy.
B) internal control environment.
C) internal politics.
D) standard of due care.
27) A law that makes it a crime to send commercial e-mail messages with false or misleading
message headers or misleading subject lines is
A) EEA.
B) DMCA.
C) SSL.
D) CAN-SPAM.
28) According to an InformationWeek survey, the majority of security challenges for
corporations include
A) managing the complexity of security.
B) preventing data breaches from outside attackers.
C) enforcing security policies.
D) all of the above.
29) Which of the following is a policy that informs users of their responsibilities when using
company networks, wireless devices, and customer data?
A) business impact analysis
B) business plan
C) acceptable use policy
D) EC security program
30) The key reasons why EC criminals cannot be stopped include each of the following except:
A) Sophisticated hackers use browsers to crack into Web sites.
B) Strong EC security makes online shopping inconvenient and demanding on customers.
C) There is lack of cooperation from credit card issuers and foreign ISPs.
D) Online shoppers do not take necessary precautions to avoid becoming a victim.
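Questions 14 through 18 above describe the pieces of a public-key scheme one at a time: a message digest, a digital signature made with the sender's private key, and a digital envelope in which the message is encrypted and the symmetric key is wrapped with the recipient's public key. The Go program below is added here as a worked illustration; it is not part of the test bank or the textbook. It uses only the Go standard library (RSA-PSS for the signature, RSA-OAEP for the key wrap, AES-GCM for the message). Every name in it (Envelope, Seal, Open, RoundTrip, the sample order text) is chosen for this example, and the 2048-bit keys are throwaway keys generated on each run.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a digital envelope: the message encrypted under a one-time symmetric
// key, that key wrapped with the recipient's public key, plus the sender's signature.
type Envelope struct {
	WrappedKey []byte // AES-256 key, RSA-OAEP encrypted under the recipient's public key
	Nonce      []byte // AES-GCM nonce, fresh for every Seal
	Ciphertext []byte // AES-GCM output, authentication tag included
	Signature  []byte // RSA-PSS over MessageDigest(msg), made with the sender's private key
}

func MessageDigest(msg []byte) []byte { // the fixed-length summary that actually gets signed
	sum := sha256.Sum256(msg)
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal: sign the digest with the sender's private key, encrypt the message with a random key, wrap that key for the recipient.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, MessageDigest(msg), nil)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 32+12) // 32-byte AES-256 key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, msg, nil), Signature: sig}, nil
}

// Open: unwrap with the recipient's private key, decrypt, then verify with the sender's public key (origin, integrity, nonrepudiation).
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong recipient or wrapped key altered")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	msg, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: ciphertext altered")
	}
	if rsa.VerifyPSS(senderPub, crypto.SHA256, MessageDigest(msg), env.Signature, nil) != nil {
		return nil, errors.New("signature check failed: not from the claimed sender")
	}
	return msg, nil
}

// RoundTrip seals msg with throwaway keys, opens it, and checks that a copy with one flipped ciphertext bit is refused.
func RoundTrip(msg string) (string, bool, error) {
	sender, err1 := rsa.GenerateKey(rand.Reader, 2048)
	recipient, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return "", false, errors.New("key generation failed")
	}
	env, err := Seal([]byte(msg), sender, &recipient.PublicKey)
	if err != nil {
		return "", false, err
	}
	plain, err := Open(env, recipient, &sender.PublicKey)
	if err != nil {
		return "", false, err
	}
	tampered := *env // same keys and signature, first ciphertext byte altered
	tampered.Ciphertext = append([]byte{env.Ciphertext[0] ^ 0x01}, env.Ciphertext[1:]...)
	_, tamperErr := Open(&tampered, recipient, &sender.PublicKey)
	return string(plain), tamperErr != nil, nil
}

func main() { fmt.Println(RoundTrip("order 4471: pay 120.00 USD to merchant")) } // constructed sample message
```

Note which key is used where: the sender's private key signs (only the sender could have produced the signature, which is what gives nonrepudiation), and the recipient's public key wraps the symmetric key (only the recipient can open the envelope, which is what gives confidentiality). A flipped ciphertext bit is caught by AES-GCM's authentication tag before the signature is even examined; a signature produced with some other private key is caught by VerifyPSS.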
9.3 Fill in the Blank
1) Computer security categories include ________, ________, and ________.
2) A ________ is a plan that keeps the business running after a disaster occurs.
3) ________ is the estimated cost, loss, or damage that can result if a threat exploits a
vulnerability.
4) Any business activity that uses deceitful practices or devices to deprive another of property or
other rights is known as ________.
5) ________ is a crimeware technique to steal the identity of a target company to get the
identities of its customers.
6) ________ is a nontechnical attack that uses a ruse to trick users into revealing information or
performing an action that compromises a computer or network.
7) ________ are computers infected with malware that are under the control of a spammer,
hacker, or other criminal.
8) ________ are weaknesses in software or other mechanisms that threaten the confidentiality,
integrity, or availability of an asset.
9) A ________ is a malicious hacker who may represent a serious problem for a corporation.
10) ________ is a process to verify the real identity of an entity, which could be an individual,
computer, computer program, or EC Web site.
11) ________ is the process of determining what the authenticated entity is allowed to access
and what operations it is allowed to perform.
12) ________ is the assurance that online customers or trading partners cannot falsely deny their
purchase or transaction.
13) ________ is the protection of information systems against unauthorized access to or
modification of information whether in storage, processing, or in transit, and against the denial of
service to authorized users, including those measures necessary to detect, document, and counter
such threats.
14) A ________ attack is an attack on a Web site in which an attacker uses specialized software
to send a flood of data packets to the target computer with the aim of overloading its resources.
15) A ________ is a program that appears to have a useful function but contains a hidden
function that presents a security risk.
16) A ________ is a huge number of hijacked Internet computers that have been set up to
forward traffic, including spam and viruses, to other computers on the Internet.
17) ________ is the assurance that data are accurate or that a message has not been altered.
18) ________ is the assurance of data privacy.
19) ________ consist of all the policies, procedures, documents, standards, hardware, software,
training, and personnel that work together to protect information, the ability to conduct business,
and other assets.
20) ________ is the process of scrambling a message in such a way that it is difficult, expensive,
or time-consuming for an unauthorized person to unscramble it.
21) ________ is a mathematical computation that is applied to a message, using a private key, to
encrypt the message.
22) ________ are barriers between a trusted network or PC and the untrustworthy Internet.
23) ________ are information system resources, such as firewalls, routers, Web servers, database
servers and files, that only look like production systems to attract hackers and study their
attempts to attack a network.
24) ________ is an exercise that determines the impact of losing the support of an EC resource
to an organization and establishes the escalation of that loss over time, identifies the minimum
resources needed to recover, and prioritizes the recovery of processes and supporting systems.
25) ________ is care that a company is reasonably expected to take based on the risks affecting
its EC business and online transactions.
9.4 Essay
1) Compare current motives of hackers to those of the past.
2) List and briefly describe the three components of the CIA security triad.
3) List the six major objectives of EC defense strategies.
4) Briefly discuss the five encryption components.
5) Briefly describe four major components for protecting internal information flow inside an
organization.