Exposure
Fraud
Malware (malicious software)
Phishing
Risk
Social engineering
Spam
Vulnerability
Zombie
Human error. Human error can occur in the design of the hardware or
information system.
Environmental hazards. These include earthquakes, severe storms (e.g.,
hurricanes, blizzards, or sandstorms), floods, power failures or strong fluctuations,
fires (the most common hazard), explosions, radioactive fallout, and water-cooling system failures.
Defects in the computer system. Defects can be the result of poor
manufacturing, defective materials, and outdated or poorly maintained
networks.
4. Describe the security battleground, who participates, and how. What are the
possible results?
This battleground includes:
The attacks, the attackers, and their strategies
The items that are being attacked
The defenders and their methods and strategy
Each side uses its tools to gain control; one side wins each battle.
7. What is nonrepudiation?
Assurance that online customers or trading partners cannot falsely deny (repudiate)
their purchase or transaction.
8. Describe deterring, preventing, and detecting in EC security systems.
Deterring measures are actions that make criminals abandon their idea of
attacking a specific system (e.g., the possibility of losing a job for insiders).
Prevention measures are ways to help stop unauthorized users (also known as
intruders) from accessing any part of the EC system.
Detection measures are ways to determine whether intruders attempted to
break into the EC system, whether they were successful, and what they may
have done.
Viruses
Worms
Macro viruses and worms
Trojan horses
Availability
Authentication
Authorization
Nonrepudiation
5. Discuss the gap between security spending and a company's security needs.
Because threats change constantly, it is difficult for security spending to keep
pace with what the company actually needs to defend against.
6. Describe vulnerability assessment.
The process of identifying, quantifying, and prioritizing the vulnerabilities in a
system.
7. List the six categories of defense in EC systems.
Thumbprint or fingerprint
Retinal scan
Voice scan
Signature
Facial recognition
3. Identify two factors that influence a company's ability to recover from a disaster.
Two examples include proper planning and asset protection.
4. What types of devices are needed for disaster avoidance?
A variety of options are available to help avoid disasters. The simplest is the use of
uninterruptible power supply (UPS) systems to help avoid issues created by power
outages.
5. How can you calculate expected loss?
Using risk management analysis, it is possible to estimate losses based on different
scenarios.
6. List two ethical issues associated with security programs.
Examples include constant monitoring of activities and possible invasion of
privacy.
2. What is a benefit of using the risk exposure model for EC security planning?
It allows the firm to allocate capital at the areas of greatest organizational
importance.
3. Why should every company implement an acceptable use policy?
Student responses will vary, but these policies help to define parameters and are
useful in planning.
4. Why is training required?
Since systems are unique and changing, it is important to train staff on their
acceptable use and policy.
5. List the six major reasons why it is difficult to stop computer crimes.
They may be completely unable to recreate the information that was lost.
2. Why are regulators requiring that companies implement BC/DR plans?
To ensure that companies are able to recover, and fulfill their obligations.
6. Enter idesia-biometrics.com and look at its product. Discuss these benefits over
other biometrics.
Student searches and opinions will vary.
7. Enter trendsecure.com and find a tool called HijackThis. Try the free tool. Find
an online forum that deals with it. Discuss the benefits and limitations.
Student searches and opinions will vary.
8. Find information about the Zeus Trojan. Discuss why it is so effective as a
financial data stealer. Why is it so difficult to mitigate this Trojan? Hint: See
Falliere and Chien (2009).
Student searches and opinions will vary.
9. Find information about the scareware social engineering method. Why do you
think it is so effective?
Student searches and opinions will vary.
10. The National Vulnerability Database (NVD) is a comprehensive cybersecurity
database that integrates all publicly available U.S. government vulnerability
resources and provides references to industry resources. Visit nvd.nist.gov and
review 10 of the recent CVE vulnerabilities. For each vulnerability, list its
published date, CVSS severity, impact type, and the operating system or software
with the vulnerability.
Student searches and opinions will vary.
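The NVD exercise above asks for four fields per CVE. The following is an added example (not part of the original exercise or its answer key) that extracts those fields from records in the layout of NVD's JSON API as I understand it (an assumption about the shape, not something the exercise states). The three records embedded below are constructed placeholders, not real CVEs, so the code runs offline; point `summarize()` at a saved API response to process real entries.

```python
"""Pull published date, CVSS severity, impact type and affected product
out of NVD-style JSON records. Added example with constructed data."""
import json
import re

# Constructed sample in the shape of an NVD 2.0 API response (assumed layout;
# real records carry many more fields). The IDs are placeholders, not real CVEs.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "published": "2024-01-15T10:00:00.000",
             "metrics": {"cvssMetricV31": [{"cvssData": {
                 "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK",
                 "confidentialityImpact": "HIGH", "integrityImpact": "HIGH",
                 "availabilityImpact": "HIGH"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:examplevendor:webshop:2.1:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "published": "2024-02-01T08:30:00.000",
             # older record: only CVSS v2, where severity sits at the metric level
             "metrics": {"cvssMetricV2": [{"baseSeverity": "MEDIUM", "cvssData": {
                 "baseScore": 5.0, "confidentialityImpact": "PARTIAL",
                 "integrityImpact": "NONE", "availabilityImpact": "NONE"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:o:examplevendor:routeros:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003", "published": "2024-03-10T12:00:00.000",
             "metrics": {}, "configurations": []}},   # not yet analysed: no CVSS
]})

def severity_from_score(score):
    """CVSS v3 qualitative bands; used only when a record has a score but no label."""
    if score == 0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"

def pick_metric(metrics):
    """Prefer the newest CVSS version present; None when the record is unscored."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key) or []
        if entries:
            return entries[0]
    return None

def severity_of(metric):
    if metric is None:
        return "UNKNOWN"
    data = metric.get("cvssData", {})
    label = data.get("baseSeverity") or metric.get("baseSeverity")
    if label:
        return label.upper()
    if "baseScore" in data:
        return severity_from_score(float(data["baseScore"]))
    return "UNKNOWN"

# Impact type derived from the CIA impact sub-scores, matching the triad in the chapter.
IMPACT_LABELS = (("confidentialityImpact", "unauthorized disclosure"),
                 ("integrityImpact", "unauthorized modification"),
                 ("availabilityImpact", "disruption of service"))

def impact_type(metric):
    if metric is None:
        return "unknown"
    data = metric.get("cvssData", {})
    hits = [label for field, label in IMPACT_LABELS
            if data.get(field, "NONE").upper() != "NONE"]
    return "; ".join(hits) if hits else "none"

CPE_PART = {"a": "application", "o": "operating system", "h": "hardware"}

def parse_cpe23(criteria):
    """cpe:2.3:part:vendor:product:version:... ; literal colons are escaped as '\\:'."""
    fields = re.split(r"(?<!\\):", criteria)
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        return None
    part, vendor, product, version = (f.replace("\\:", ":") for f in fields[2:6])
    version = "any version" if version == "*" else version
    return f"{vendor} {product} {version} ({CPE_PART.get(part, part)})"

def affected_products(configurations):
    names = []
    for config in configurations:
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if not match.get("vulnerable", True):   # skip "running on" context entries
                    continue
                name = parse_cpe23(match.get("criteria", ""))
                if name and name not in names:
                    names.append(name)
    return names

def summarize(nvd_json_text):
    """One row per CVE with the four fields the exercise asks for."""
    rows = []
    for item in json.loads(nvd_json_text).get("vulnerabilities", []):
        cve = item["cve"]
        metric = pick_metric(cve.get("metrics", {}))
        rows.append({"id": cve["id"], "published": cve["published"][:10],
                     "severity": severity_of(metric), "impact": impact_type(metric),
                     "affected": affected_products(cve.get("configurations", []))})
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_NVD_JSON):
        print(f"{row['id']}  {row['published']}  {row['severity']:<8}  "
              f"{row['impact']}  |  {', '.join(row['affected']) or '(no CPE data)'}")
```

Two details matter when doing this against live data: a freshly published CVE often has no CVSS metrics yet (the third record), so the severity column must tolerate "UNKNOWN" rather than crash, and the severity label for v2-only records lives beside `cvssData`, not inside it.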
Topics for Class Discussion and Debates
1. Survey results on the incidence of cyber attacks paint a mixed picture; some
surveys show increases, others show decreases. What factors could account for
the differences in the reported results?
Student opinions will vary. The major issue may be how many attacks are
reported.
2. A business wants to share its customer account database with its trading
partners, while at the same time providing prospective buyers with access to
marketing materials on its Web site. Assuming that the business is responsible for
running all these systems, what types of security components (e.g., firewalls,
VPNs, etc.) could be used to ensure that the partners and customers have access
to the account information and others do not? What type of network
administrative procedures will provide the appropriate security?
Student opinions will vary. The system required would need to meet stringent
security requirements due to the sensitivity of the information available and the
number of integration points.
3. Why is it so difficult to fight computer criminals? What strategies can be
implemented by financial institutions, airlines, and other heavy users of EC?
Student opinions will vary. The discussion will focus on intentions and budgets
to address them.
4. All EC sites share common security threats and vulnerabilities. Do you think
that B2C Web sites face different threats and vulnerabilities than B2B sites?
Explain.
Student opinions will vary. The discussion will focus on both the areas of
weakness and the types of attacks directed at them.
5. Why is phishing so difficult to control? What can be done? Discuss.
Student opinions will vary. The debate will focus on training and its
effectiveness.
6. Debate: The best strategy is to invest very little and only in proven technologies
such as encryption and firewalls.
Student opinions will vary. The debate will focus on the issues of costs versus
risk.
7. Debate: Can the underground Internet marketplace be controlled? Why or why
not?
Student opinions will vary. The debate will focus on individual motivations and
the cost of products.
8. Debate: Is taking your fingerprints or other biometrics to assure EC security a
violation of your privacy?
Student opinions will vary. The debate will be on the extent of privacy.
9. Body scans at airports created a big debate. Debate both sides of this issue
and relate it to EC security.
Student opinions will vary. The debate will focus on privacy versus security.
Internet Exercises
(Note: URLs may change over time; please check the Internet Exercises on
the Turban Web site for possible updates:
www.pearsonhighered.com/turban.)
1. Your B2C site has been hacked. List two organizations where you would report
this incident so that they can alert other sites. How do you do this, and what type of
information do you have to provide?
Student responses will vary based on the location of the hack.
2. Connect to the Internet. Determine the IP address of your computer by visiting at
least two Web sites that provide that feature. You can use a search engine to locate
Web sites or visit ip-adress.com or whatismyipaddress.com. What other
information does the search reveal about your connection? Based on this
information, how could a company or hacker use that information?
Student results and reports will vary based on date of research and sites selected.
3. Enter the site of Perimeter eSecurity and find the white paper Institutional
Identity Theft. Compare institutional identity theft with personal identity theft.
How can a company protect itself against identity theft?
Student results and reports will vary based on date of research. Potential solutions
selected will also vary.
4. The National Strategy to Secure Cyberspace provides a series of actions and
recommendations for each of its five national priorities. Search and download a
copy of the strategy online. Selecting one of the priorities, discuss in detail the
actions and recommendations for that priority.
Student results and reports will vary based on date of research and which priority is
evaluated.
5. The Symantec Internet Security Threat Report provides details about the trends
in attacks and vulnerabilities in Internet security. Obtain a copy of the report and
summarize the major findings of the report for both attacks and vulnerabilities.
Student results and reports will vary based on date of research.
6. Enter perimeterusa.com and look for a white paper titled Top 9 Network
Security Threats in 2009. Summarize these threats. Then look for a paper titled
The ABCs of Social Engineering. Summarize the suggested defense.
Student opinions and reports will vary based on what threats are compared.
3. Given the problems of CNB and its solutions, what is an even better defense
mechanism? (Use Sections 9.6 through 9.10, and what you can find on the Web.)
Student opinions will vary, but may include the use of a firewall/DMZ.
4. List the major security problems faced by BankWest and relate them to the attack
methods described in Sections 9.2 through 9.4.
It appears that phishing scams were the primary issue.
5. In what ways has BankWest solved the fraud schemes?
It has focused on user education on the nature and current trends of scams.
6. Given the problems of BankWest and its solutions, what is an even better defense
mechanism?
Opinions will vary, but software-based phishing blockers might be added.
Practice Test
1) According to the CSI Computer Crime and Security Survey, firewalls were
the most commonly used defense technologies in 2008.
Answer: FALSE
2) According to the CSI Computer Crime and Security Survey, the most
frequently occurring computer attacks were from viruses in 2008.
Answer: TRUE
3) The Internet and its network protocols were never intended for use by
untrustworthy people or criminals.
Answer: TRUE
4) Keystroke logging captures and records user keystrokes.
Answer: TRUE
5) Cybercrimes are intentional crimes carried out on the Internet.
Answer: TRUE
6) An EC security strategy requires multiple layers of defense against risks
from malware, fraudsters, customers, and employees.
Answer: TRUE
7) Detection measures are actions that will make criminals abandon their idea
of attacking a specific system.
Answer: FALSE
8) Internet fraud has grown even faster than the Internet itself.
Answer: TRUE
B) Pretexting
C) Social engineering
D) Phishing
18) ________ is the process of determining what the authenticated entity is
allowed to access and what operations it is allowed to perform.
Answer: Authorization
19) ________ is the assurance that online customers or trading partners
cannot falsely deny their purchase or transaction.
Answer: Nonrepudiation
20) ______________ is the assurance that data are accurate or that a message
has not been altered.
Answer: Integrity
21) ________ is the assurance of data privacy.
Answer: Confidentiality
22) ________ is the process of scrambling a message in such a way that it is
difficult, expensive, or time-consuming for an unauthorized person to
unscramble it.
Answer: Encryption
23) ________ are barriers between a trusted network or PC and the
untrustworthy Internet.
Answer: Firewalls
24) Compare current motives of hackers to those of the past.
Answer: In the early days of EC, many hackers simply wanted to gain fame or
notoriety by defacing Web sites or gaining root, which means gaining unrestricted
administrative access to a system or network. Criminals and criminal gangs are now
profit oriented, and their tactics are not limited to the online world.
25) List and briefly describe the three components of the CIA security triad.
Answer: The CIA triad includes confidentiality, integrity, and availability.
Confidentiality is the assurance of data privacy. The data or transmitted message is
encrypted so that it is readable only by the person for whom it is intended. The
confidentiality function prevents unauthorized disclosure of information. Integrity
is the assurance that data are accurate or that a message has not been altered. It
means that stored data has not been modified without authorization; a message that
was sent is the same message that was received. Availability is the assurance that
access to data, the Web site, or other EC data service is timely, available, reliable,
and restricted to authorized users.
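The definitions of integrity (question 20) and of a message digest (Chapter Test question 9) are easy to state and easy to get wrong in practice. The following is an added example, not part of the original chapter or answer key, showing the difference between a bare hash and a keyed digest (HMAC) for checking that a received order is the one that was sent. The order record and the key are constructed for the demonstration; the key stands in for a secret shared out of band between the two parties.

```python
"""Integrity check on a transmitted order: bare digest versus keyed digest.
Added example with constructed data; standard library only."""
import hashlib
import hmac
import json
import secrets

# Constructed order record, serialised canonically so both ends hash the same bytes.
ORDER = json.dumps({"customer": "C1001", "item": "SKU-42", "amount": 499.00},
                   sort_keys=True).encode()

# Constructed shared secret; in a real deployment it is provisioned out of band,
# never sent alongside the message.
KEY = secrets.token_bytes(32)

def message_digest(message: bytes) -> str:
    """Question 9's 'message digest': a fixed-length hash of the message."""
    return hashlib.sha256(message).hexdigest()

def seal(message: bytes, key: bytes) -> str:
    """Keyed digest (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify(message: bytes, key: bytes, tag: str) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(seal(message, key), tag)

def tamper(message: bytes) -> bytes:
    """What an attacker on the path does: rewrite the amount and re-serialise."""
    order = json.loads(message)
    order["amount"] = 1.00
    return json.dumps(order, sort_keys=True).encode()

def unkeyed_check_detects_tamper() -> bool:
    """Message and bare digest travel together. The attacker alters the message
    AND recomputes the digest, so the receiver's check passes: returns False."""
    forged = tamper(ORDER)
    forged_digest = message_digest(forged)           # attacker needs no secret
    return message_digest(forged) != forged_digest   # receiver's check

def keyed_check_detects_tamper() -> bool:
    """With HMAC the attacker can alter the message but cannot produce a tag
    for it without KEY, so verification fails: returns True."""
    tag = seal(ORDER, KEY)            # computed by the sender
    forged = tamper(ORDER)            # tag cannot be recomputed by the attacker
    return not verify(forged, KEY, tag)

def keyed_check_accepts_genuine() -> bool:
    return verify(ORDER, KEY, seal(ORDER, KEY))

if __name__ == "__main__":
    print("bare digest catches tampering:", unkeyed_check_detects_tamper())
    print("HMAC catches tampering:       ", keyed_check_detects_tamper())
    print("HMAC accepts genuine order:   ", keyed_check_accepts_genuine())
```

Two caveats tie this back to the CIA triad. A bare hash only protects against accidental corruption; against an attacker who can replace both message and digest it gives no integrity at all, which is why a secret (HMAC) or a private key (digital signature) is needed. And a keyed digest provides integrity and origin authentication but not confidentiality: the order still travels in the clear, so encryption is a separate control, not a substitute.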
26) List the six major objectives of EC defense strategies.
Chapter Test
1. Preventing vulnerability during the EC design and pre-implementation stage
is far more expensive than mitigating problems later.
A. True
B. False
2. Phishing is rampant because some people respond to it and make it profitable.
A. True
B. False
3. Access control involves authorization and authentication.
A. True
B. False
4. The key reasons why EC criminals cannot be stopped include each of the
following except:
9. A summary of a message, converted into a string of digits after the hash has
been applied, best describes:
A. digital envelope.
B. hash.
C. message digest.
D. digital signature.
10. A law that makes it a crime to send commercial e-mail messages with false or
misleading message headers or misleading subject lines is:
A. SSL.
B. EEA.
C. DMCA.
D. CAN-SPAM.
11. The work atmosphere that a company sets for its employees describes:
A. standard of due care.
B. internal control environment.
C. acceptable use policy.
D. internal politics.
12. The combination of the encrypted original message and the digital signature,
using the recipient's public key, best describes:
A. digital envelope.
B. digital signature.
C. hash.
D. message digest.
13. The success and security of EC is measured by:
A. confidentiality, integrity, and availability.
B. quality, reliability, and speed.
C. encryption, functionality, and privacy.
D. authentication, authorization, and nonrepudiation.
14. Each of the following is a true statement about access control except:
A. All resources need to be considered together to identify the rights of users or
categories of users.
B. Access control lists (ACLs) define users' rights, such as what they are allowed
to read, view, write, print, copy, delete, execute, modify, or move.
C. Access control determines which persons, programs, or machines can
legitimately use a network resource and which resources he, she, or it can use.
D. After a user has been identified, the user must be authenticated.
15. Assurance that stored data has not been modified without authorization and
a message that was sent is the same message that was received is referred to as:
A. nonrepudiation.
B. availability.
C. authentication.
D. integrity.
16. The motives of hackers have shifted from the desire for fame and notoriety
to advancing personal and political agendas.
A. True
B. False
17. Keystroke logging captures and records user keystrokes.
A. True
B. False
18. Cybercrimes are intentional crimes carried out on the Internet.
A. True
B. False
19. Social engineering is an example of an unintentional threat.
A. True
B. False
20. Authentication provides the means to reconstruct what specific actions have
occurred and may help EC security investigators identify the person or program
that performed unauthorized actions.
A. True
B. False
21. The process of verifying the real identity of an individual, computer,
computer program, or EC Web site best describes:
A. authentication.
B. nonrepudiation.
C. availability.
D. integrity.
22. Encryption components include each of the following except:
A. key value.
B. encryption algorithm.
C. ciphertext.
D. internal control environment.
23. Protecting information and information systems from unauthorized access,
use, disclosure, disruption, modification, perusal, inspection, recording, or
destruction best defines:
A. anti-virus protection.
B. security audit.
C. incident management.
D. information security.