Turban- 3e
Instructor’s Manual
Chapter 9
E-Commerce Security and Fraud Protection
Learning Objectives
Upon completion of this chapter, you will be able to:
1. Understand the importance and scope of security of information systems for EC.
3. Learn about the major EC security threats, vulnerabilities, and risks.
5. Describe the information assurance security principles.
6. Identify and assess major technologies and methods for securing EC communications.
7. Describe the major technologies for protection of EC networks.
9. Describe the role of business continuity and disaster recovery planning.
11. Understand why it is not possible to stop computer crimes.
Content
Opening Case: How Seattle’s Hospital Survived a Bot Attack
9.1 The Information Security Problem
9.3 Technical Attack Methods
9.5 The Information Assurance Model and Defense Strategy
9.7 The Defense II: Securing E-Commerce Networks
9.9 Business Continuity, Security Auditing, and Risk Management
9.10 Implementing Enterprise-Wide E-Commerce Security
Managerial Issues
Closing Case: UBS PaineWebber’s Business Operations Debilitated by Malicious Code
Supplementary Videos for this Chapter
1. Phishing Scams in Plain English (3:05 min)
The increased use of social networks brings more criminal and phishing methods.
2. Security: How Notorious Trojans hit Banks and Steal Your Money (10 slides)
This video illustrates how criminals can steal money from banks and what security companies such as Symantec and Finjan can do to help.
Answers to Pause/Break Section Review Questions
Section 9.1 Review Questions
1. Define computer security.
2. List the major findings of the CSI 2008 survey.
The most expensive computer security incidents were those involving financial fraud.
3. Describe the Internet vulnerability design.
4. Describe some profit-induced computer crimes.
5. Define the Internet underground economy.
6. Describe the dynamic nature of EC systems.
7. What makes EC security management so difficult? What is the dilemma?
Section 9.2 Review Questions
1. List five major terms of EC security.
Business continuity plan
Cybercrime
Exposure
Fraud
Spam
Vulnerability
Zombie
2. Describe the major unintentional security hazards.
Human error. Human error can occur in the design of the hardware or information system.
Environmental hazards. These include earthquakes, severe storms (e.g., hurricanes,
3. List five examples of intentional EC security crimes.
theft of data or hardware (e.g., laptops)
inappropriate use of data
4. Describe the security battleground, who participates, and how. What are the possible results?
5. Define hacker, cracker, and social engineering.
Hacker: someone who gains unauthorized access to a computer system
6. Define authentication and authorization requirements.
Authentication: process to verify (assure) the real identity of an individual,
7. What is nonrepudiation?
8. Describe deterring, preventing, and detecting in EC security systems.
Deterring measures: actions that will make criminals abandon their idea of attacking a specific system (e.g., the possibility of losing a job for insiders)
Section 9.3 Review Questions
1. Describe the difference between a nontechnical and a technical cyber attack.
2. What are the major forms of malicious code?
3. What factors account for the increase in malicious code?
4. What are some of the major trends in malicious code?
5. Define worm and Trojan horse.
Worm: a software program that runs independently, consuming the resources of its host in order to maintain itself, that is capable of propagating a complete working version of itself onto another machine
6. How are DoS attacks perpetrated?
7. Describe botnet attacks.
Section 9.4 Review Questions
1. Define phishing.
The criminal, fraudulent process of attempting to acquire confidential information such
2. Describe the relationship of phishing to financial fraud.
3. Briefly describe some phishing tactics.
4. Describe spam and its methods.
5. Define splogs and explain how sploggers make money.
6. Why and how are social networks being attacked?
Section 9.5 Review Questions
1. What is information assurance? List its major components.
Information assurance is the protection of information against unauthorized access or modification. Its components include:
Confidentiality
Integrity
2. Define confidentiality, integrity, and availability.
Confidentiality: assurance of data privacy and accuracy; keeping private or sensitive
3. Describe the objectives and elements of EC strategy.
Planning and organizing
Section 9.6 Review Questions
1. Define access control.
Mechanism that determines who can legitimately use a network resource.
2. What are the basic elements of an authentication system?
3. What is a passive token? An active token?
4. Define biometric systems and list five of their methods.
Authentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice. Example methods include:
Thumbprint or fingerprint
5. Describe the five basic components of encryption.
6. What are the key elements of PKI?
7. What are the basic differences between symmetric and asymmetric encryption?
8. What role does a certificate authority play?
9. What is the SSL protocol?
Section 9.7 Review Questions
1. List the basic types of firewalls and briefly describe each.
Packet-filtering routers: firewalls that filter data and requests moving from the public
2. What is a personal firewall?
3. How does a VPN work?
4. Briefly describe the major types of IDSs.
5. What is a honeynet? What is a honeypot?
6. Describe pen testing.
Section 9.8 Review Questions
1. What are general controls? List the various types.
2. List the various biometric controls. What are their functions?
Authentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice. Example methods include:
3. Define access control.
4. Distinguish between application controls and internal controls.
5. How does one protect against spam? Against splogs?
6. How does one protect against pop-ups?
Section 9.9 Review Questions
1. Why do organizations need a business continuity plan?
2. List three issues a business continuity plan should cover.
3. Identify two factors that influence a company’s ability to recover from a disaster.
4. What types of devices are needed for disaster avoidance?
5. How can expected loss be calculated?
6. List two ethical issues associated with security programs.
Section 9.10 Review Questions
1. If senior management is not committed to EC security, how might that impact the e-business?
2. What is a benefit of using the risk exposure model for EC security planning?
3. Why should every company implement an acceptable use policy?
4. Why is training required?
5. List the six major reasons why it is difficult to stop computer crimes.
Would Make Shopping Inconvenient
Lack of Cooperation from Credit Card Issuers
Answers to EC Application Case Questions
EC Application Case 9.1: INTERNET STOCK FRAUD AIDED BY SPAM
1. Speculate why people might buy the penny stocks promoted in an e-mail message from an unknown source.
2. Use the Internet (Google) to find what can be done to filter image spam.
Student searches and results will vary.
EC Application Case 9.2: BUSINESS CONTINUITY AND DISASTER RECOVERY
1. Why might a company that had a significant data loss not be able to recover?
2. Why are regulators requiring that companies implement BC/DR plans?
Answers to Individual Discussion Questions
1. Consider how a hacker might trick people into giving him their user IDs and passwords to their Amazon.com accounts. What are some of the ways that a hacker might accomplish this? What crimes can be performed with such information?
2. B2C EC sites continue to experience DoS attacks. How are these attacks perpetrated? Why is it so difficult to safeguard against them? What are some of the things a site can do to mitigate such attacks?
3. All EC sites share common security threats and vulnerabilities. Discuss these threats and vulnerabilities and some of the security policies that can be implemented to mitigate them. Do you think that B2C Web sites face different threats and vulnerabilities than B2B sites? Explain.
EC sites are vulnerable to the following major types of security attacks: Operating system
4. How are botnet identity theft attacks and Web site hijacks perpetrated? Why are they so dangerous to e-commerce?
5. Discuss some of the difficulties of eliminating online financial fraud.
6. Some companies prefer not to have disaster recovery plans. Under what circumstances does this make sense? Discuss.
7. Enter http://idesia-biometrics.com/ and look at their product. Discuss these benefits over other biometrics.
Domain is not in use.
8. Enter trendsecure.com and find a tool called “hijack this”. Try the free tool. Find an online forum that deals with it. Discuss the benefits and limitations.
Student searches and opinions will vary.
Answers to Class Discussion Questions
1. Survey results on the incidence of cyber attacks paint a mixed picture; some surveys show increases, others show decreases. What factors could account for the differences in results?
2. A business wants to share its customer account database with its trading partners and customers, while at the same time providing prospective buyers with access to marketing materials on its Web site. Assuming that the business is responsible for running all of these network components, what type of security components (e.g., firewalls, VPNs, etc.) could be used to ensure that the partners and customers have access to the account information and others do not? What type of network configuration (e.g., bastion gateway server) will provide the appropriate security?
3. Why is it so difficult to fight computer criminals? What strategies can be implemented by financial institutions, airlines, and other heavy users of EC?
Internet Exercises
(Note: URLs may change over time; please check the Internet Exercises on the
1. The National Vulnerability Database (NVD) is a comprehensive cybersecurity vulnerability database that integrates all publicly available U.S. government vulnerability resources and provides references to industry resources. Visit nvd.nist.gov and review 10 of the recent CVE vulnerabilities. For each vulnerability, list its publish date, CVSS severity, impact type, and the operating system or software with the vulnerability.
2. The Common Vulnerabilities and Exposures Board (cve.mitre.org) maintains a list of common security vulnerabilities. Review the list. How many vulnerabilities are there? Based on the list, which system components appear to be most vulnerable to attack? What impact do these vulnerable components have on EC?
3. Your B2C site has been hacked. List two organizations where you would report this incident so that they can alert other sites. How do you do this, and what type of information do you have to provide?
4. Connect to the Internet. Determine the IP address of your computer by visiting at least two Web sites that provide that feature. You can use a search engine to locate Web sites or visit ip-adress.com or whatismyipaddress.com. What other information does the search reveal about your connection? Based on this information, how could a company or hacker use that information?
5. Select a single type of physiological biometric system. Using the Internet, identify at least two commercial vendors offering these systems. Based on the information you found, what are the major features of the systems? Which of the systems would you select and why?
6. The National Strategy to Secure Cyberspace provides a series of actions and recommendations for each of its five national priorities. Search and download a copy of the strategy online. Selecting one of the priorities, discuss in detail the actions and recommendations for that priority.
Student results and reports will vary based on date of research.
7. The Symantec Internet Security Threat Report provides details about the trends in attacks and vulnerabilities in Internet security. Obtain a copy of the report and summarize the major findings of the report for both attacks and vulnerabilities.
Student results and reports will vary based on date of research.
8. Enter perimeterusa.com and look for a white paper titled “Top 9 Network Security Threats in 2009.” Summarize these threats. Then look for a paper titled “The ABC’s of Social Engineering.” Summarize the suggested defense.
Student opinions and reports will vary.
Top 9 Network Security Threats in 2009 is currently located at:
http://www.perimeterusa.com/knowledge-center/company-news/press-releases/
Listed threats include:
Malicious Insiders (Rising Threat)
Malware (Steady Threat)
Exploited Vulnerabilities (Weakening Threat)
9. Enter security firm finjan.com and find examples of underground Internet activities in five different countries. Prepare a summary.
10. Enter identitytheft.info/breaches09.aspx and identify security breaches in 2009.
11. Enter verisign.com and find information about PKI and encryption. Write a report.
Student results and reports will vary based on date of research.
12. Enter gfi.com/emailsecuritytest and similar sites. Write some guidelines for protecting your PC.
Student results and reports will vary based on date of research.
Team Assignments and Role Playing
1. Assign teams to report on the major spam and scam threats. Examine examples provided by ftc.gov, the Symantec report on the state of spam (2009), and white papers from IBM, Verisign, and other security firms.
Student reports will vary.
2. Several personal firewall products are available. A list of these products can be found at firewallguide.com/software.htm. Assign each team three products from the list. Each team should prepare a detailed review and comparison of each of the products they have been assigned.
Student reports will vary.
3. Assign each team member a different B2C or B2B Web site. Have each team prepare a report summarizing the site’s security assets, threats, and vulnerabilities. Prepare a brief security risk management plan for the site.
Student reports will vary.
4. Address the following topics in a class discussion:
a. Some claim that the best strategy is to invest very little and only in proven technologies such as encryption and firewalls. Discuss.
b. Can the underground Internet marketplace be controlled? Why or why not?
c. Why is phishing so difficult to control? What can be done? Discuss.
d. How secure is your e-mail?
Student responses and opinions will vary.
Answers to End-of-Chapter Real-World Case Questions: UBS PaineWebber’s Business Operations Debilitated by Malicious Code
1. What might have been some “red flags” indicating that Duronio was a disgruntled employee? Would any of those red flags also indicate that he would sabotage the network for revenge?
2. How could this disaster have been prevented? What policies, procedures, or technology could have prevented such an attack by an employee with full network access?
3. Did UBS have a disaster recovery plan in place for an enterprise-wide network crash?
4. Do you agree with the defense lawyer’s argument that anyone could have planted the logic bomb because UBS’s computer security had considerable holes?
5. Given the breadth of known vulnerabilities, what sort of impact will any set of security standards have on the rise in cyberattacks?