
Chapter 9

E-Commerce Security and Fraud


As you read the textbook and go through this lesson, think about the following
questions:

What are the major forms of Internet crime?
What are the typical security measures used by e-commerce?
Why is the Internet vulnerable to attack?
What concerns might a consumer have when doing business online?
What concerns might a business have when selling products or services
online?
What are authentication, authorization, and nonrepudiation?
What are some common Internet attack methods?
What is phishing?
What three components can be used to measure security of the e-commerce
environment?
Why is it difficult to stop Internet crime?

Upon completion of this chapter, you will be able to:

1. Understand the importance and scope of security of information systems for
EC.
2. Describe the major concepts and terminology of EC security.
3. Learn about the major EC security threats, vulnerabilities, and technical
attacks.
4. Understand Internet fraud, phishing, and spam.
5. Describe the information assurance security principles.
6. Identify and assess major technologies and methods for securing EC access and
communications.
7. Describe the major technologies for protection of EC networks.
8. Describe various types of controls and special defense mechanisms.
9. Describe consumer and seller protection from fraud.
10. Describe the role of business continuity and disaster recovery planning.
11. Discuss EC security's enterprise-wide implementation issues.
12. Understand why it is not possible to stop computer crimes.

Answers to Pause/Break Section Review Questions

Section 9.1 Review Questions
1. Define computer security.
Computer security refers to the protection of data, networks, computer programs,
computer power, and other elements of computerized information systems.

2. List the major findings of the CSI 2010 survey.
The most expensive computer security incidents were those involving
financial fraud.
Virus incidents occurred most frequently.
Almost one in ten organizations reported they experienced a domain name
system (DNS) incident.
Twenty-seven percent of those surveyed responded positively to a question
regarding targeted attacks.
The vast majority of respondents said their organizations had a security
policy.
3. Describe the vulnerable design of the Internet.
The Internet and its network protocols were never intended for use by
untrustworthy people or criminals. They were designed to accommodate
computer-to-computer communications in a closed and trusted community.
4. Describe some profit-induced computer crimes.
Most popular is the theft of personal information such as credit card numbers, bank
accounts, Internet IDs, and passwords.
5. Define the Internet underground economy.
E-markets for stolen information made up of thousands of Web sites that sell credit
card numbers, social security numbers, other data such as numbers of bank
accounts, social network IDs, passwords, and much more.
6. Describe the dynamic nature of EC systems.
EC systems are changing all the time due to a stream of innovations. With changes
often come security problems.
7. What makes EC security management so difficult? What is the dilemma?
Defending information systems and EC is getting harder because attackers
change their strategies and attack methods all the time. The dilemma is that
defenders must keep spending on new controls without ever being sure that the
current defenses are enough, while every added control costs money and makes
the system less convenient to use.

Section 9.2 Review Questions

1. List five major terms of EC security.

Business continuity plan
Cybercrime
Exposure
Fraud
Malware (malicious software)
Phishing
Risk
Social engineering
Spam
Vulnerability
Zombie

2. Describe the major unintentional security hazards.

Human error: mistakes in the design of the hardware or information system, or
in its day-to-day operation and maintenance.
Environmental hazards: earthquakes, severe storms (e.g., hurricanes,
blizzards, or sandstorms), floods, power failures or strong fluctuations,
fires (the most common hazard), explosions, radioactive fallout, and
water-cooling system failures.
Defects in the computer system: defects can result from poor manufacturing,
defective materials, and outdated or poorly maintained networks.

3. List five examples of intentional EC security crimes.

theft of data or hardware (e.g., laptops)
inappropriate use of data
deliberate manipulation in handling, entering, processing, transferring, or
programming data
vandalism
sabotage
malicious damage to computer resources
destruction from viruses
Internet fraud

4. Describe the security battleground, who participates, and how. What are the
possible results?
The battleground includes:
The attacks, the attackers, and their strategies
The items that are being attacked
The defenders and their methods and strategy
Each side uses its tools to try to gain control of the attacked items; one
side wins each engagement, but the contest is never finally settled.

5. Define hacker, cracker, and social engineering.

Hacker: someone who gains unauthorized access to a computer system
Cracker: a malicious hacker, who may represent a serious problem for a
corporation
Social engineering: a collection of tactics used to manipulate people into
performing actions or divulging confidential information

6. List all security requirements and define authentication and authorization
requirements.

The requirements are authentication, authorization, confidentiality,
integrity, availability, and nonrepudiation (see Section 9.5).
Authentication: the process of verifying (assuring) the real identity of an
individual, computer, computer program, or EC Web site
Authorization: the process of determining what the authenticated entity is
allowed to access and what operations it is allowed to perform

7. What is nonrepudiation?
Assurance that online customers or trading partners cannot falsely deny (repudiate)
their purchase or transaction.
8. Describe deterring, preventing, and detecting in EC security systems.

Deterring measures: actions that make criminals abandon their idea of
attacking a specific system (e.g., the possibility of losing a job for insiders)
Prevention measures: ways to help stop unauthorized users (also known as
intruders) from accessing any part of the EC system
Detection measures: ways to determine whether intruders attempted to break
into the EC system, whether they were successful, and what they may have done

9. What is a security strategy, and why is it needed?
A security strategy is an overriding plan for maintaining IS security within an
organization. From it all other security plans arise.

Section 9.3 Review Questions

1. Describe the difference between a nontechnical and a technical cyber attack.
A technical attack uses software and knowledge of system weaknesses (e.g.,
malware or a DoS flood) to break into or disrupt a system directly, whereas a
nontechnical attack uses deception and social engineering to trick people into
defeating their own security measures (e.g., disclosing a password in response
to a phishing message).
2. What are the major forms of malicious code?

Viruses
Worms
Macro viruses and worms
Trojan horses

3. What factors account for the increase in malicious code?

Mixing applications with executable code
Homogenous computing environments
Connectivity
Uneducated users

4. Define a virus and explain how it works.
A piece of software code that inserts itself into a host, including the operating
system, in order to propagate; it requires that its host program be run to
activate it.
5. Define worm and Trojan horse.
Worm: a software program that runs independently, consuming the resources of
its host in order to maintain itself, and is capable of propagating a complete
working version of itself onto another machine
Trojan horse: a program that appears to have a useful function but contains a
hidden function that presents a security risk
6. Define DoS. How are DoS attacks perpetrated?
A denial-of-service (DoS) attack floods a target computer or Web site with more
requests or data packets than it can handle, so that its resources are
exhausted and legitimate users are shut out. In the distributed form (DDoS),
the attacker first gains illegal administrative access to as many computers on
the Internet as possible (zombies) and then uses all of them at once to send the
flood, which makes the traffic far harder to filter than a flood from a single
source.
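The flood described above is what a detector sees in the Web server's access log. The following Python example is added to this study guide (it is not code from the textbook) and shows the difference between the two cases: counting requests per source over a trailing time window catches a single-source flood, but when the same volume is spread across many zombies each source stays under the per-source threshold and only an aggregate rate check notices. The log lines, IP addresses and thresholds are constructed for illustration.

```python
"""Sliding-window flood detector over Web server access-log lines.

Added example for this study guide (not from the textbook). The log lines are
constructed; the window and threshold values are illustrative only."""
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format timestamp, e.g. 10/Oct/2010:13:55:36 (zone offset ignored)
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line: str):
    """Return (client_ip, timestamp) from a CLF line, or None if malformed."""
    try:
        ip = line.split(" ", 1)[0]
        ts = line[line.index("[") + 1 : line.index("]")].split(" ")[0]
        return ip, datetime.strptime(ts, TS_FMT)
    except ValueError:
        return None


def flood_sources(lines, window_seconds=10, max_requests=5):
    """Return {ip: peak requests seen inside one window} for sources over the limit.

    One deque per source holds only the timestamps inside the trailing window,
    so each line costs O(1) amortised and the check suits a streaming log tail.
    Lines are assumed to arrive in time order, as a live log does."""
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def peak_aggregate_rate(lines, window_seconds=10):
    """Peak number of requests from ALL sources inside any trailing window.

    This is the only one of the two checks that sees a distributed flood, at
    the price of not saying which sources to block."""
    q = deque()
    peak = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        q.append(parsed[1])
        while (parsed[1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def _clf(ip, hhmmss):
    """Build one constructed Common Log Format line."""
    return f'{ip} - - [10/Oct/2010:{hhmmss} +0000] "GET /checkout HTTP/1.1" 200 512'


# Constructed: one attacker sends 8 requests in 8 seconds; a normal shopper
# (203.0.113.5) sends 3 requests spread over 40 seconds.
SINGLE_SOURCE_FLOOD = [_clf("198.51.100.7", f"13:55:{s:02d}") for s in range(8)] \
    + [_clf("203.0.113.5", f"13:55:{s:02d}") for s in (1, 20, 40)]

# Constructed: ten zombies, two requests each, all inside the same 10 seconds.
ZOMBIE_FLOOD = [_clf(f"192.0.2.{i}", f"13:56:{s:02d}")
                for s in (2, 5) for i in range(1, 11)]

if __name__ == "__main__":
    print("per-source, single attacker:", flood_sources(SINGLE_SOURCE_FLOOD))
    print("per-source, zombies        :", flood_sources(ZOMBIE_FLOOD))
    print("aggregate peak, zombies    :", peak_aggregate_rate(ZOMBIE_FLOOD))
```

The per-source check returns the single attacker with a peak of 8 requests and nothing at all for the zombie run, while the aggregate counter reports 20 requests in the window for the zombie run. That gap is the practical reason the distributed form is hard to stop: the only signal that fires is one that cannot name the sources to block, which is why mitigation usually needs filtering upstream of the site rather than a per-address rule at its own firewall.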
7. Define server and page hijacking.
Server hijacking: gaining control of a Web server. Page hijacking: creating a
rogue copy of a popular Web site that shows content similar to the original to
a Web crawler, so that the copy appears in search results; an unsuspecting
user who lands on it is then redirected to malicious Web sites.
8. Describe botnet attacks.
A huge number (e.g., hundreds of thousands) of compromised Internet computers
(zombies) are placed under an attacker's remote control and used to forward
traffic, including spam, malware, and DoS floods, to other computers on the
Internet, usually without their owners' knowledge.

Section 9.4 Review Questions

1. Define phishing.
The criminal, fraudulent process of attempting to acquire confidential information
such as user names, passwords, and credit card details by masquerading as a
trustworthy entity such as a well-known bank, credit card company, a large social
network, or a telecommunication company, in an electronic communication,
usually via e-mail or IM.
2. Describe the relationship of phishing to financial fraud.
In many cases, phishing leads to financial fraud.
3. Briefly describe some phishing tactics.
Attackers pretend to be from reputable firms, and ask users to provide personal
information as a part of an existing relationship.
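The "verify your account" tactic works because the visible link text names the real company while the underlying link goes somewhere else. The following Python example is added to this study guide (not code from the textbook) and shows how a mail gateway or browser extension checks for that: it pulls every link out of an HTML message, compares the domain the link text names with the domain the href actually points to, looks for lookalike hostnames (a trusted name buried as a sub-label, or digit-for-letter swaps), and flags cleartext login links. The trusted-domain list and the sample message are constructed; the lookalike test is a deliberately simple heuristic, not a public-suffix-aware implementation.

```python
"""Flag phishing indicators in an HTML e-mail body.

Added example for this study guide, not from the textbook. TRUSTED_DOMAINS and
SAMPLE_MAIL are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of brands the mail gateway treats as impersonation targets.
TRUSTED_DOMAINS = {"examplebank.com", "paypal.com"}


def registrable_domain(host: str) -> str:
    """Crude last-two-labels heuristic (no public-suffix list); fine for .com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like(host: str, trusted: str) -> bool:
    """Lookalike test: trusted name used as a sub-label of another domain
    (paypal.com.login-check.example) or a common homoglyph swap (paypa1.com)."""
    h = registrable_domain(host)
    if h == trusted:
        return False
    if trusted in host.lower():
        return True
    swapped = h.replace("1", "l").replace("0", "o").replace("rn", "m")
    return swapped == trusted


def phishing_indicators(html: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        link_dom = registrable_domain(host)
        for trusted in TRUSTED_DOMAINS:
            # 1. the visible text names a trusted domain but the href goes elsewhere
            if trusted in text.lower() and link_dom != trusted:
                findings.append(f"text says {trusted!r} but link goes to {host!r}")
            # 2. the hostname is a lookalike of a trusted domain
            if looks_like(host, trusted):
                findings.append(f"lookalike host {host!r} for {trusted!r}")
        # 3. a login page served over cleartext HTTP
        if url.scheme == "http" and "login" in href.lower():
            findings.append(f"cleartext login link {href!r}")
    return findings


# Constructed message using the "verify your account or be suspended" tactic.
SAMPLE_MAIL = """
<p>Dear customer, your account will be suspended. Please verify at
<a href="http://examplebank.com.secure-verify.ru/login">https://examplebank.com/login</a>
or via our partner <a href="https://paypa1.com/signin">PayPal</a>.</p>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_MAIL):
        print("FLAG:", finding)
```

Run against the constructed message this reports four findings: the first link is flagged three times (text/href mismatch, the trusted name used as a sub-label, and a cleartext login URL) and the second once for the digit-for-letter lookalike. A genuine `https://examplebank.com/login` link produces no findings. The mismatch between what a link says and where it goes is the single most reliable phishing tell and is exactly what users are trained to hover over and check.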
4. Describe spam and its methods.
Spam is the indiscriminate sending or posting of a large number of unsolicited
e-mail messages or other electronic records, typically in bulk and often relayed
through compromised machines (see botnets, Section 9.3).
5. Define splogs and explain how sploggers make money.
Short for spam blog, a splog is a site created solely for marketing purposes.
These sites steal content from other blogs with the hope of increasing their search
engine hits, which in turn increases the value of any advertising they have.
6. Why and how are social networks being attacked?
Social networks can be attacked in much the same way as individuals and Web
sites currently are. They are an inviting target due to their size and growth.

Section 9.5 Review Questions

1. What is information assurance? List its major components.
Information assurance is the protection of information against unauthorized access
or modification. Its components include:
Confidentiality
Integrity
Availability
Authentication
Authorization
Nonrepudiation

2. Define confidentiality, integrity, and availability.

Confidentiality: assurance of data privacy; keeping private or sensitive
information from being disclosed to unauthorized individuals, entities, or
processes
Integrity: assurance that stored data has not been modified without
authorization, and that a message that was sent is the same message that was
received (accuracy and completeness of the data)
Availability: assurance that access to data, the Web site, or other EC data
service is timely, available, and reliable for authorized users
3. Define authentication, authorization, and nonrepudiation.

Authentication requires evidence in the form of credentials.
Authorization requires comparing information about the person or program
with access control information associated with the resource being
accessed.
Nonrepudiation is the concept of ensuring that a party in a dispute cannot
repudiate or refute the validity of a statement or contract.

4. List the six objectives of EC strategy.

Prevention and deterrence.
Detection.
Containment (contain the damage).
Recovery.
Correction.
Awareness and compliance.

5. Discuss the gap between security spending and a company's security needs.
Because the threats change constantly, it is difficult for security spending to
keep pace with what the company actually needs to defend against.
6. Describe vulnerability assessment.
The process of identifying, quantifying, and prioritizing the vulnerabilities in a
system.
7. List the six categories of defense in EC systems.

Defending access to computing systems, data flow, and EC transactions
Defending EC networks
General, administrative, and application controls
Protection against social engineering and fraud
Disaster preparation, business continuity, and risk management
Implementing enterprise-wide security programs

Section 9.6 Review Questions

1. Define access control.
Mechanism that determines who can legitimately use a network resource.
2. What are the basic elements of an authentication system?

A group or person to be authenticated
A distinguishing characteristic
A system proprietor
Authentication mechanism
Access control mechanism

3. Define biometric systems and list five of their methods.

Authentication systems that identify a person by measurement of a biological
characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice.
Example methods include:

Thumbprint or fingerprint
Retinal scan
Voice scan
Signature
Facial recognition

4. Define a symmetric (one-key) encryption.
An encryption system that uses the same key to encrypt and decrypt the message.
5. List some of the disadvantages of the symmetric system.
The same secret key must be shared with every party that needs to read the
messages, so it has to be distributed to each of them over a secure channel, and
one compromised key exposes all the traffic protected by it. Because sender and
receiver hold the same key, a message cannot be tied to one of them alone:
either party could have produced it, so symmetric encryption by itself gives no
nonrepudiation.

6. What are the key elements of PKI?

A pair of matched keys, a public key to encrypt a message and a private key to
decrypt it (or vice versa, for digital signatures); digital certificates that
bind a public key to its owner's identity; and certificate authorities that
issue and sign those certificates.
7. Describe the PKI process.
The process is detailed in Exhibit 9.11.
8. What role does a certificate authority play?
A certificate authority (CA) verifies that the holder of a public key is who
they claim to be and then issues a digital certificate that binds that public
key to the holder's identity. Anyone relying on the certificate trusts the CA's
signature on it instead of having to verify the holder themselves.
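The answers to Section 9.5 question 3 and Section 9.6 questions 4 through 8 describe three different building blocks, and the difference between them is easiest to see in code. The following Python example is added to this study guide (it is not the textbook's code): a hash gives integrity but says nothing about the sender; an HMAC with a shared (symmetric) key gives authentication, but because both sides hold the key either side could have produced the tag, which is why it cannot give nonrepudiation; and a signature made with a private key and checked with the matching public key is what nonrepudiation actually requires. The RSA key pair uses textbook-size primes (p = 61, q = 53) so the arithmetic is visible; it is a toy for illustration only, and with a 3233-value modulus the hash is truncated so much that collisions are possible, which is one of the reasons it must never be used for real data.

```python
"""Integrity, authentication and nonrepudiation with a hash, a shared key and a
public/private key pair.

Added example for this study guide, not from the textbook. The RSA key is a
toy built from p=61, q=53 and must not be used for anything real."""
import hashlib
import hmac
import os


def digest(message: bytes) -> bytes:
    """Integrity only: any change to the message changes the digest, but anyone
    can recompute it, so it proves nothing about who sent the message."""
    return hashlib.sha256(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """Authentication with a shared (symmetric) key. Both parties hold `key`,
    so either of them could have produced the tag: no nonrepudiation."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_valid(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), tag)


# Toy RSA key pair (illustration only; real keys use 2048-bit or larger moduli).
P, Q = 61, 53
N = P * Q                            # 3233, the public modulus
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # 2753, private exponent: E*D = 1 mod (P-1)(Q-1)
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)


def sign(private_key, message: bytes) -> int:
    """Nonrepudiation: only the holder of D can produce this value, yet anyone
    holding the public key can check it, so the signer cannot later deny it."""
    n, d = private_key
    h = int.from_bytes(digest(message), "big") % n   # truncation: toy only
    return pow(h, d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    h = int.from_bytes(digest(message), "big") % n
    return pow(signature, e, n) == h


def encrypt(public_key, m: int) -> int:
    """Asymmetric confidentiality: encrypt with the public key, decrypt with the
    private key. m must be smaller than N for this toy."""
    n, e = public_key
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    order = b"buy 100 shares of XYZ"
    forged = b"buy 900 shares of XYZ"
    shared = os.urandom(32)
    print("MAC from customer valid:", mac_valid(shared, order, mac(shared, order)))
    # The merchant holds the same key, so it can mint a valid tag for an order
    # the customer never placed: a shared key authenticates, it does not bind.
    print("merchant-forged MAC valid:", mac_valid(shared, forged, mac(shared, forged)))
    s = sign(PRIVATE_KEY, order)
    print("signature valid:", verify(PUBLIC_KEY, order, s))
    print("same signature on altered order:", verify(PUBLIC_KEY, forged, s))
    print("decrypt(encrypt(42)) =", decrypt(PRIVATE_KEY, encrypt(PUBLIC_KEY, 42)))
```

The printed run shows both MACs as valid, which is the point: the merchant cannot take a MAC'd order to a dispute because it could have generated the tag itself. The signature check passes only with the private-key holder's value, which is why a certificate (binding the public key to the customer) plus a signature is what a merchant needs to prove the purchase was made. The last line shows the same key pair used the other way round for confidentiality.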

Section 9.7 Review Questions

1. List the basic types of firewalls and briefly describe each.
Packet-filtering routers: firewalls that filter packets moving between the
public Internet and a private network based on header fields such as the source
and destination network addresses, protocol, and port numbers, without looking
at the content of the requests
Application-level proxies: firewalls that terminate the connection and relay
application requests (e.g., for Web pages) between the public Internet and the
private network, so that the content of each request can be inspected before it
is forwarded
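A packet-filtering rule base is easiest to understand as a short list evaluated in order. The following Python example is added to this study guide (not from the textbook) and implements that evaluation: each rule matches on source network, destination network, protocol and destination port, the first matching rule decides, and a packet that matches nothing is dropped (default deny). The rule set models a storefront where the public may reach only the Web server on ports 80 and 443, an internal administration network may reach any internal host, and one abusive address range is blocked ahead of the allow rules. All addresses, ports and rules are invented for illustration.

```python
"""First-match packet filter with default deny.

Added example for this study guide, not from the textbook. The addresses,
ports and rule set are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # any source
    dst: str = "0.0.0.0/0"      # any destination
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """Header-only match: this is all a packet filter can see."""
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def decide(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed rule base. Order matters: the blocklist must come before the
# allow rules or a blocked source could still reach the Web server.
WEB_SERVER = "192.0.2.10"
RULES = [
    Rule("deny", src="198.51.100.0/24"),                    # blocklisted range
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80),
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", dst="192.0.2.0/24"),    # admin network
]

if __name__ == "__main__":
    samples = [
        Packet("203.0.113.9", WEB_SERVER, "tcp", 443),   # shopper -> HTTPS: allow
        Packet("203.0.113.9", WEB_SERVER, "tcp", 22),    # shopper -> SSH: deny
        Packet("198.51.100.4", WEB_SERVER, "tcp", 80),   # blocklisted: deny
        Packet("10.1.2.3", "192.0.2.50", "tcp", 22),     # admin -> internal: allow
    ]
    for pkt in samples:
        print(pkt, "->", decide(RULES, pkt))
```

Two things the sample run makes visible. First, rule order is part of the policy: moving the blocklist rule below the allow rules would let a blocked address reach port 80. Second, the filter never inspects what is inside an allowed port-443 packet, which is the gap an application-level proxy or intrusion detection system is meant to cover.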
2. What is a personal firewall? What is DMZ architecture?
A personal firewall is a network node designed to protect an individual user's
desktop system from the public network by monitoring all the traffic that passes
through the computer's network interface card. A DMZ (demilitarized zone) is a
popular defense architecture that places publicly reachable servers (e.g., the
Web server) in a separate network segment between two firewalls: the outer one
admits only the traffic those servers need, and the inner one keeps the DMZ
hosts away from the internal network.
3. How does a VPN work, and what are its benefits to users?
A VPN is a network that uses the public Internet to carry information but
remains private by using encryption to scramble the communications, integrity
checks to ensure that information has not been tampered with, authentication to
verify the identity of anyone using the network, and access control to limit
what each user may reach. It allows users to safely access protected network
assets from outside the organization.
4. Briefly describe the major types of IDSs.
Audit logs: show attempted logins and system use, reviewed after the fact
Host-based IDS: runs on a host and watches for unauthorized file changes and
suspicious process activity
Network-based IDS: examines network traffic for attack signatures or anomalies

5. What is a honeynet? What is a honeypot?

Honeypot: a decoy system deliberately exposed to attackers so that their
intrusion methods can be observed and studied without risk to production systems
Honeynet: a whole network of honeypots, used to evaluate the vulnerabilities of a
system and to observe how attackers move between hosts
6. Describe e-mail security.
Complete e-mail security can include:
Antivirus and antispam
E-mail encryption
Outbound filtering
7. How can cloud computing help?
A cloud provider can centralize security management, backup, and data-integrity
controls across many customers, which can improve protection while reducing each
customer's cost.

Section 9.8 Review Questions

1. What are general controls? List the various types.
Controls established to protect the system regardless of the specific application. For
example, protecting hardware and controlling access to the data center are
independent of the specific application.
2. What are administrative controls?
Administrative controls deal with issuing guidelines and monitoring compliance
with the guidelines.
3. Define application controls.
Controls that are intended to protect specific applications.
4. How does one protect against spam?
Companies can protect against spam by filtering email and working with providers
on policies.
5. How does one protect against pop-ups?
Generally, through the use of pop-blocking tools in browsers and toolbars.
6. How does one protect against phishing, spyware, and malvertising?
These can be protected against through a combination of security applications
and education.

Section 9.9 Review Questions

1. Why do organizations need a business continuity plan?
The purpose of a business continuity plan is to keep the business running after a
disaster occurs. Each function in the business should have a valid recovery
capability plan.
2. List three issues a business continuity plan should cover.

Understand business and IT requirements
Evaluate current capabilities
Develop the continuity plan

3. Identify two factors that influence a company's ability to recover from a disaster.
Two examples include proper planning and asset protection.
4. What types of devices are needed for disaster avoidance?
A variety of options are available to help avoid disasters. The simplest is the use
of uninterruptible power supply (UPS) systems to help avoid issues created by power
outages.
5. How can you calculate expected loss?
Using risk management analysis, it is possible to estimate losses based on different
scenarios.
6. List two ethical issues associated with security programs.
Examples include constant monitoring of activities and possible invasion of
privacy.

Section 9.10 Review Questions

1. If senior management is not committed to EC security, how might that impact the
e-business?
Student answers will vary, but lack of management support generally leads to the
failure of an initiative.

2. What is a benefit of using the risk exposure model for EC security planning?
It allows the firm to allocate capital at the areas of greatest organizational
importance.
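The expected-loss calculation in Section 9.9 question 5 and the risk exposure model in Section 9.10 question 2 are the same arithmetic used for two purposes. The following Python example is added to this study guide (not from the textbook) and assumes the common form expected annual loss = P(attack) x P(attack succeeds) x loss if it succeeds. It ranks constructed scenarios by expected loss, which is what tells a firm where the next unit of security budget belongs, and then tests whether a proposed control pays for itself by comparing the expected loss it removes against its annual cost. All scenarios, probabilities and figures are invented for illustration.

```python
"""Expected-loss ranking and control cost-benefit.

Added example for this study guide, not from the textbook. Assumes
expected loss = P(attack) * P(success | attack) * loss, per year; all figures
are constructed."""
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    p_attack: float    # probability of at least one attempt in a year
    p_success: float   # probability an attempt succeeds against current defenses
    loss: float        # loss (currency units) if it succeeds

    def expected_loss(self) -> float:
        return self.p_attack * self.p_success * self.loss


def rank_exposures(scenarios):
    """Highest expected annual loss first: where the next budget unit should go."""
    return sorted(scenarios, key=lambda s: s.expected_loss(), reverse=True)


def control_benefit(s: Scenario, new_p_success: float, annual_cost: float) -> float:
    """Net annual benefit of a control that lowers P(success) for scenario s.

    Positive means the control costs less than the loss it is expected to
    prevent; negative means the firm is paying more for the control than the
    risk is worth, which is the 'spending vs. need' gap the chapter describes."""
    residual = Scenario(s.name, s.p_attack, new_p_success, s.loss)
    return s.expected_loss() - residual.expected_loss() - annual_cost


# Constructed scenarios for a mid-sized storefront.
SCENARIOS = [
    Scenario("phishing of customer credentials", 0.95, 0.30, 400_000),
    Scenario("DoS on storefront at peak season", 0.60, 0.50, 250_000),
    Scenario("data-centre flood", 0.02, 1.00, 2_000_000),
]

if __name__ == "__main__":
    for s in rank_exposures(SCENARIOS):
        print(f"{s.name:40s} expected loss/year = {s.expected_loss():>10,.0f}")
    # Anti-phishing training plus filtering: success rate 0.30 -> 0.10 for 30,000/yr
    print("phishing control net benefit:",
          round(control_benefit(SCENARIOS[0], 0.10, 30_000)))
    # Flood barriers: halve the chance a flood takes the site out, for 50,000/yr
    print("flood control net benefit:",
          round(control_benefit(SCENARIOS[2], 0.50, 50_000)))
```

The ranking puts phishing first (expected loss 114,000 per year) even though the flood has the largest single-event loss, because a rare catastrophe contributes less expected loss than a frequent, moderately successful attack. The phishing control nets about 46,000 a year and is worth buying; the flood barriers net about -30,000 and are not, at these figures, which is the kind of result that should push a firm toward insurance or a cheaper recovery plan for that scenario rather than more prevention spending.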
3. Why should every company implement an acceptable use policy?
Student responses will vary, but these policies help to define parameters and are
useful in planning.
4. Why is training required?
Since systems are unique and changing, it is important to train staff on their
acceptable use and policy.
5. List the six major reasons why it is difficult to stop computer crimes.

Strong security would make shopping inconvenient
Lack of cooperation from credit card issuers
Shoppers' negligence
Design and architecture issues
Ignoring EC security best practices
Lack of due care in business practices

Answers to EC Application Case Questions

EC Application Case 9.1:
INTERNET STOCK FRAUD AIDED BY SPAM
1. Why might people buy the penny stocks promoted in an e-mail message from an
unknown source?
Individuals may be looking to make some quick, easy money.
2. Use Google or Bing to find out what can be done to filter image spam.
Student searches and results will vary.

EC Application Case 9.2:
BUSINESS CONTINUITY AND DISASTER RECOVERY
1. Why might a company that had a significant data loss not be able to recover?

They may be completely unable to recreate the information that was lost.
2. Why are regulators requiring that companies implement BC/DR plans?
To ensure that companies are able to recover, and fulfill their obligations.

Answers to Discussion Questions

1. Consider how a hacker might trick people into giving him their user IDs and
passwords to their Amazon.com accounts. What are some of the ways that a hacker
might accomplish this? What crimes can be performed with such information?
Student responses will vary. The most common approach would probably be a
phishing email, indicating a need to verify account information by going to a
false Web site.
2. B2C EC sites continue to experience DoS attacks. How are these attacks
perpetrated? Why is it so difficult to safeguard against them? What are some of the
things a site can do to mitigate such attacks?
DoS attacks come from many computers (zombies) at the same time. It is
therefore difficult to isolate the attackers' IP addresses and shut off traffic
from them without also blocking legitimate customers. Filtering at the firewall
and, for large floods, at the upstream provider may help mitigate these attacks.
3. How are botnet identity theft attacks and Web site hijacks perpetrated? Why are
they so dangerous to e-commerce?
Student answers will vary. Attacks are generally perpetrated by infecting large
numbers of computer systems (botnets) or controlling data entering and exiting
other Web sites (hijacks). Both are dangerous because they steal personal
information that can later be used for identity theft. This represents a danger to EC
because it pushes away potential customers.
4. Discuss some of the difficulties of eliminating online financial fraud.
The primary difficulties are the constantly changing attacks and individuals' lack
of understanding of security.
5. Some companies prefer not to have disaster recovery plans. Under what
circumstances does this make sense? Discuss.
This does not make sense, all companies should be able to recover their data in the
event of an emergency.

6. Enter idesia-biometrics.com and look at its product. Discuss these benefits over
other biometrics.
Student searches and opinions will vary.
7. Enter trendsecure.com and find a tool called HijackThis. Try the free tool. Find
an online forum that deals with it. Discuss the benefits and limitations.
Student searches and opinions will vary.
8. Find information about the Zeus Trojan. Discuss why it is so effective as a
financial data stealer. Why is it so difficult to mitigate this Trojan? Hint: See
Falliere and Chien (2009).
Student searches and opinions will vary.
9. Find information about the scareware social engineering method. Why do you
think it is so effective?
Student searches and opinions will vary.
10. The National Vulnerability Database (NVD) is a comprehensive cybersecurity
database that integrates all publicly available U.S. government vulnerability
resources and provides references to industry resources. Visit nvd.nist.gov and
review 10 of the recent CVE vulnerabilities. For each vulnerability, list its
published date, CVSS severity, impact type, and the operating system or software
with the vulnerability.
Student searches and opinions will vary.

Topics for Class Discussion and Debates
1. Survey results on the incidence of cyber attacks paint a mixed picture; some
surveys show increases, others show decreases. What factors could account for
the differences in the reported results?
Student opinions will vary. The major issue may be how many attacks are
reported.
2. A business wants to share its customer account database with its trading
partners, while at the same time providing prospective buyers with access to
marketing materials on its Web site. Assuming that the business is responsible for
running all these systems, what types of security components (e.g., firewalls,
VPNs, etc.) could be used to ensure that the partners and customers have access
to the account information and others do not? What type of network
administrative procedures will provide the appropriate security?
security requirements due to the nature of information available and the number
of integration points.
3. Why is it so difficult to fight computer criminals? What strategies can be
implemented by financial institutions, airlines, and other heavy users of EC?
Student opinions will vary. The discussion will focus on intentions and budgets
to address them.
4. All EC sites share common security threats and vulnerabilities. Do you think
that B2C Web sites face different threats and vulnerabilities than B2B sites?
Explain.
Student opinions will vary. The discussion will focus on both the areas of
weakness and the types of attacks directed at them.
5. Why is phishing so difficult to control? What can be done? Discuss.
Student opinions will vary. The debate will focus on training and its
effectiveness.
6. Debate: The best strategy is to invest very little and only in proven technologies
such as encryption and firewalls.
Student opinions will vary. The debate will focus on the issues of costs versus
risk.
7. Debate: Can the underground Internet marketplace be controlled? Why or why
not?
Student opinions will vary. The debate will focus on individual motivations and
the cost of products.
8. Debate: Is taking your fingerprints or other biometrics to assure EC security a
violation of your privacy?
Student opinions will vary. The debate will be on the extent of privacy.
9. A body scan at airports created a big debate. Debate both points of this issue
and relate it to EC security.
Student opinions will vary. The debate will focus on privacy versus security.

Internet Exercises
(Note: URLs may change over time; please check the Internet Exercises on
the Turban Web site for possible updates:
www.pearsonhighered.com/turban.)
1. Your B2C site has been hacked. List two organizations where you would report
this incident so that they can alert other sites. How do you do this, and what type of
information do you have to provide?
Student responses will vary based on the location of the hack.
2. Connect to the Internet. Determine the IP address of your computer by visiting at
least two Web sites that provide that feature. You can use a search engine to locate
Web sites or visit ip-adress.com or whatismyipaddress.com. What other
information does the search reveal about your connection? Based on this
information, how could a company or hacker use that information?
Student results and reports will vary based on date of research and sites selected.
3. Enter the site of Perimeter eSecurity and find the white paper Institutional
Identity Theft. Compare institutional identity theft with personal identity theft.
How can a company protect itself against identity theft?
Student results and reports will vary based on date of research. Potential solutions
selected will also vary.
4. The National Strategy to Secure Cyberspace provides a series of actions and
recommendations for each of its five national priorities. Search and download a
copy of the strategy online. Selecting one of the priorities, discuss in detail the
actions and recommendations for that priority.
Student results and reports will vary based on date of research and which priority is
evaluated.
5. The Symantec Internet Security Threat Report provides details about the trends
in attacks and vulnerabilities in Internet security. Obtain a copy of the report and
summarize the major findings of the report for both attacks and vulnerabilities.
Student results and reports will vary based on date of research.
6. Enter perimeterusa.com and look for a white paper titled Top 9 Network
Security Threats in 2009. Summarize these threats. Then look for a paper titled
The ABCs of Social Engineering. Summarize the suggested defense.
Student opinions and reports will vary based on what threats are compared.

7. Enter security firm finjan.com and find examples of underground Internet
activities in five different countries. Prepare a summary.
Student results and reports will vary based on date of research.
8. Enter ftc.gov/bcp/edu/microsites/idtheft, identytheft.info, idtheftcenter.org, and
identytheftprotection.org. Find information about: the prevention, protection
against, cases about, and survival of identity theft. Write a report.
Student results and reports will vary based on date of research and the content
selected.
9. Enter verisign.com and find information about PKI and encryption. Write a
report.
Student results and reports will vary based on date of research. The use of
key-based encryption will be evaluated.
10. Enter gfi.com/emailsecuritytest and similar sites. Write some guidelines for
protecting your PC.
Student reports will vary based on their perceptions of the threats.
11. Enter hijackthis.com. Do a free scan of your computer. Comment on the report
you received.
Student results and reports will vary based on date of research and report received.
12. Enter blackhat.com. Find out what they are about. Summarize some of their
activities.
Student results and reports will vary based on date of research.
13. Enter bsimm.com/community. Describe the activities of the community and how
it helps to fight cybercrime.
Student results and reports will vary based on date of research and activities
selected.

Team Assignments and Role Playing

1. Assignment for the Opening Case
Read the opening case and answer the following questions:
a. What kind of attack was it?
It was a botnet attack.
b. Why was it difficult to stop it and to recover?
The infection was spread through all computers, and was self-spreading.
c. What do you think motivated Maxwell to conduct the attack?
Opinions will vary; it does not appear to have been a financial motivation.
d. After the incident, the hospital added more layers of defense. Why did
they not have it before?
They were either unaware they needed it, or unwilling to dedicate the
budget to it.
e. After reading Section 9.7, what do you think can be done on top of what
has been done to prevent the incident?
Employee education may also have helped stop its spread.
f. Is the punishment severe enough to deter others? Why or why not?
Student opinion will vary.
2. Assign teams to report on the major spam and scam threats. Examine examples
provided by ftc.gov, the Symantec report on the state of spam(2009), and white
papers from IBM,Verisign, and other security firms.
Student reports will vary based on the topic assigned.
3. Several personal firewall products are available. A list of these products can be
found at firewallguide.com/software.htm. Assign each team three products from
the list. Each team should prepare a detailed review and comparison of each of the
products they have been assigned.
Student reports will vary based on the products evaluated.
4. Enter symantec.com/business/security_response/whitepapers.jsp and find the
white papers: (1) The Risks of Social Networking and (2) The Rise of PDF
Malware. Prepare a summary of both and find how they relate to each other.
Student responses and opinions will vary.

5. Watch the video Cyber Attacks and Extortion at
searchsecurity.techtarget.com/video/0,297151,sid14_gci1345344,00.html. Answer the
following questions:
a. Why are there more extortions online today? How are they
accomplished?
b. What is involved in targeted e-mail attacks?
c. What is an SQL injection attack?
Student responses and opinions will vary. This is an interesting video with details
that students will respond to differently.
6. Data leaks can be a major problem. Find all the major defense methods. Check
all major security vendors (e.g., Symantec). Find white papers and Webinars on the
subject.
Student responses and opinions will vary.
7. Each team is assigned to one method of fighting against online fraud. Each
method should deal with a different type of fraud (e.g., banking [try IBM's ZTIC],
identifying suspicious e-mails, dealing with cookies in Web browsers, credit card
protection, securing wireless networks, installing antiphishing protection for your
browser with a phishing filter, and so forth).
Student responses and opinions will vary based on the method assigned.

Answers to End-of-Chapter Real-World Case Questions: HOW
TWO BANKS STOPPED SCAMS, SPAMS, AND
CYBERCRIMINALS
1. List the major security problems of CNB of Oklahoma and relate them to the
attack methods described in Section 9.2 through 9.4.
Many of the attack methods are represented including malware, spam, and viruses.
2. In what ways has CNB solved the e-mail problems? (List specific problems and
solutions).

Malware: blocked Web sites, blocked the ability to download executables
Viruses: scanning at the server and desktop level
Security: use of encryption

3. Given the problems of CNB and its solutions, what is an even better defense
mechanism? (Use Sections 9.6 through 9.10, and what you can find on the Web.)
Student opinions will vary; answers may include the use of a firewall/DMZ.

4. List the major security problems faced by BankWest and relate them to the attack
methods described in Sections 9.2 through 9.4.
It appears that phishing scams were the primary issue.
5. In what ways has BankWest solved the fraud schemes?
It has focused on user education on the nature and current trends of scams.
6. Given the problems of BankWest and its solutions, what is an even better defense
mechanism?
Opinions will vary, but software-based phishing blockers might be added.

Practice Test
1) According to the CSI Computer Crime and Security Survey, firewalls were
the most commonly used defense technologies in 2008.
Answer: FALSE
2) According to the CSI Computer Crime Security Survey, the most
frequently occurring computer attacks were from viruses in 2008.
Answer: TRUE
3) The Internet and its network protocols were never intended for use by
untrustworthy people or criminals.
Answer: TRUE
4) Keystroke logging captures and records user keystrokes.
Answer: TRUE
5) Cybercrimes are intentional crimes carried out on the Internet.
Answer: TRUE
6) An EC security strategy requires multiple layers of defense against risks
from malware, fraudsters, customers, and employees.
Answer: TRUE
7) Detection measures are actions that will make criminals abandon their idea
of attacking a specific system.
Answer: FALSE
8) Internet fraud has grown even faster than the Internet itself.
Answer: TRUE

9) Confidentiality, integrity, and awareness are the three components of the
CIA security triad.
Answer: FALSE
10) Encryption algorithm is the mathematical formula used to encrypt
plaintext into ciphertext, and vice versa.
Answer: TRUE
11) Strong EC security makes online shopping more convenient for customers.
Answer: FALSE
12) Shoppers can rely on fraud protection provided by credit card issuers to
protect them from identity theft.
Answer: FALSE
13) Phishing is rampant because some people respond to it and make it
profitable.
Answer: TRUE
14) Which of the following is the underlying reason why comprehensive EC
security is necessary?
A) The Internet was designed for maximum efficiency without regard for its
security or users with malicious intent.
B) The shift toward profit-motivated crimes
C) Security costs and efforts from reacting to online attacks and paying for
damages are greater than if an EC security strategy is in place.
D) Many companies fail to implement basic IT security management best practices,
business continuity plans, and disaster recovery plans.
15) The process of verifying the real identity of an individual, computer,
computer program, or EC Web site best describes:
A) integrity.
B) authentication.
C) availability.
D) nonrepudiation.
16) The assurance that an online customer or trading partner cannot falsely
deny their purchase or transaction is referred to as:
A) integrity.
B) availability.
C) authentication.
D) nonrepudiation.
17) ________ is the criminal, fraudulent process of attempting to acquire
confidential information by masquerading as a trustworthy entity.
A) Spamming
B) Pretexting
C) Social engineering
D) Phishing
18) ________ is the process of determining what the authenticated entity is
allowed to access and what operations it is allowed to perform.
Answer: Authorization
19) ________ is the assurance that online customers or trading partners
cannot falsely deny their purchase or transaction.
Answer: Nonrepudiation
20) ______________ is the assurance that data are accurate or that a message
has not been altered.
Answer: Integrity
21) ________ is the assurance of data privacy.
Answer: Confidentiality
22) ________ is the process of scrambling a message in such a way that it is
difficult, expensive, or time-consuming for an unauthorized person to
unscramble it.
Answer: Encryption
23) ________ are barriers between a trusted network or PC and the
untrustworthy Internet.
Answer: Firewalls
24) Compare current motives of hackers to those of the past.
Answer: In the early days of EC, many hackers simply wanted to gain fame or
notoriety by defacing Web sites or gaining root, which means gaining unrestricted
access to a network. Criminals and criminal gangs are now profit oriented, and their
tactics are not limited to the online world.
25) List and briefly describe the three components of the CIA security triad.
Answer: The CIA triad includes confidentiality, integrity, and availability.
Confidentiality is the assurance of data privacy. The data or transmitted message is
encrypted so that it is readable only by the person for whom it is intended. The
confidentiality function prevents unauthorized disclosure of information. Integrity
is the assurance that data are accurate or that a message has not been altered. It
means that stored data has not been modified without authorization; a message that
was sent is the same message that was received. Availability is the assurance that
access to data, the Web site, or other EC data service is timely, available, reliable,
and restricted to authorized users.
26) List the six major objectives of EC defense strategies.
Answer: Prevention and deterrence, detection, containment, recovery, correction,
and awareness and compliance are the six objectives.
27) Briefly discuss the five encryption components.
Answer: The five components are plaintext, encryption algorithm, key or key
value, key space, and ciphertext. Plaintext is the original message or document that
is created by the user and is in human-readable form. The encryption algorithm is
the set of procedures or mathematical functions used to encrypt or decrypt a
message. The key or key value is the secret value used with the algorithm to
transform the message. Key space refers to the large number of possible key values
created by the algorithm to use when transforming the message. Ciphertext is the
message or document that has been encrypted into unreadable form.
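The five components in the answer above can be seen in working code. The block below is an added illustration, not code from the textbook or its instructor materials: the "encryption algorithm" is a simple SHA-256 counter-mode keystream cipher written only to make the components visible (a production system would use a vetted cipher such as AES-GCM), and the sample message and keys are constructed. It also computes a message digest, the fixed-length hash summary referred to in the Practice Test and Chapter Test questions.

```python
import hashlib

# Added illustration (not from the textbook or its instructor materials) of the
# five encryption components: plaintext, encryption algorithm, key, key space
# and ciphertext. The algorithm is a SHA-256 counter-mode keystream cipher
# written for demonstration only; production code should use a vetted cipher
# such as AES-GCM. All sample messages and keys are constructed.


def keystream(key: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream by hashing key || counter (counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Encryption algorithm: XOR the plaintext with the key-derived keystream.

    Caveat: reusing one key for two messages without a per-message nonce
    leaks the XOR of the plaintexts, which is why real ciphers mix in a
    fresh nonce; this toy omits the nonce to keep the five components visible.
    """
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption applies the same transform."""
    return encrypt(ciphertext, key)


def key_space(key_length_bytes: int) -> int:
    """Key space: the number of possible keys of the given length (2 ** bits)."""
    return 2 ** (8 * key_length_bytes)


def message_digest(message: bytes) -> str:
    """Message digest: a fixed-length SHA-256 summary of the message."""
    return hashlib.sha256(message).hexdigest()


def demo() -> dict:
    """Run the components end to end on a constructed sample order."""
    plaintext = b"Pay $250.00 to account 4471-0099"  # constructed sample message
    key = bytes(range(16))                           # constructed 128-bit key
    wrong_key = bytes(range(1, 17))                  # constructed key that differs in every byte
    ciphertext = encrypt(plaintext, key)
    return {
        "plaintext": plaintext,
        "ciphertext_hex": ciphertext.hex(),
        "key_space": key_space(len(key)),             # 2 ** 128 possible keys
        "decrypts_with_right_key": decrypt(ciphertext, key) == plaintext,
        "decrypts_with_wrong_key": decrypt(ciphertext, wrong_key) == plaintext,
        "digest_unchanged": message_digest(plaintext),
        "digest_after_tamper": message_digest(plaintext.replace(b"250", b"950")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows that the ciphertext is unreadable without the key, that a key differing from the right one does not recover the plaintext, that a 16-byte key gives a key space of 2^128, and that changing a single digit in the message produces an entirely different digest, which is what an integrity check relies on.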
28) Briefly describe four major components for protecting internal
information flow inside an organization.
Answer: Firewall, virtual private network, intrusion detection system, and
honeynet and honeypot are four components. A firewall is a single point between
two or more networks where all traffic must pass; the device authenticates,
controls, and logs all traffic. A virtual private network is a network that uses the
public Internet to carry information but remains private by using encryption to
scramble the communications, authentication to ensure that information has not
been tampered with, and access control to verify the identity of anyone using the
network. Intrusion detection systems are a special category of software that monitor
activity across a network or on a host computer, watch for suspicious activity, and
take automated action based on what they see. A honeynet is a network of honeypots,
and honeypots act as decoys and are watched to study how network intrusions
occur.
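The intrusion detection system described in the answer above can be shown as a small rule run over log data. The block below is an added example, not code from the textbook or its instructor materials: it parses constructed firewall log lines, counts how many distinct destination ports each source address touches within a time window, raises an alert when that count reaches a threshold (a common sign of port scanning), and returns the automated response as a block-list entry. The log format, the addresses, the window of 60 seconds and the threshold of 5 ports are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example (not from the textbook or its instructor materials) of an
# intrusion detection rule: flag a source that contacts many distinct ports on a
# host within a short window, and return a block-list entry as the automated
# response. Log format, addresses, window and threshold are constructed.

# Constructed sample firewall log, one event per line:
# "<unix timestamp> <source ip> <destination ip>:<port> <ALLOW|DENY>"
SAMPLE_LOG = """\
1700000001 203.0.113.7 192.0.2.10:22 DENY
1700000002 203.0.113.7 192.0.2.10:23 DENY
1700000003 203.0.113.7 192.0.2.10:25 DENY
1700000004 203.0.113.7 192.0.2.10:80 ALLOW
1700000005 203.0.113.7 192.0.2.10:443 ALLOW
1700000006 203.0.113.7 192.0.2.10:3389 DENY
1700000010 198.51.100.4 192.0.2.10:443 ALLOW
1700000011 198.51.100.4 192.0.2.10:443 ALLOW
1700000900 203.0.113.7 192.0.2.10:8080 DENY
"""


@dataclass
class Event:
    ts: int
    src: str
    dst: str
    port: int
    action: str


@dataclass
class Alert:
    src: str
    ports: list          # sorted distinct ports touched inside the window
    window_start: int    # timestamp of the first event in the window
    response: str        # automated action the IDS recommends or takes


def parse_log(text: str) -> list:
    """Parse the constructed log format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port, action = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append(Event(int(ts), src, dst, int(port), action))
    return events


def detect_port_sweeps(events: list, window_seconds: int = 60, threshold: int = 5) -> list:
    """Sliding window per source: alert once when the number of distinct
    destination ports seen within `window_seconds` reaches `threshold`."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that all events fit in the window.
            while evs[end].ts - evs[start].ts > window_seconds:
                start += 1
            ports = {e.port for e in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append(Alert(src, sorted(ports), evs[start].ts, f"block {src}"))
                break  # one alert per source is enough for the response
    return alerts


def blocklist(alerts: list) -> list:
    """Automated response: the set of source addresses to block, sorted."""
    return sorted({a.src for a in alerts})


if __name__ == "__main__":
    found = detect_port_sweeps(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"ALERT {a.src} touched ports {a.ports} from t={a.window_start}: {a.response}")
    print("block-list:", blocklist(found))
```

On the constructed log, the first source reaches five distinct ports within five seconds and is flagged, while the second source only revisits port 443 and is not. The `window_seconds` and `threshold` parameters are what an operator would tune to balance false positives against missed detections; the event at timestamp 1700000900 falls outside the window and does not, on its own, change the result.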

Chapter Test
1. Preventing vulnerability during the EC design and pre-implementation stage
is far more expensive than mitigating problems later.
A. True
B. False
2. Phishing is rampant because some people respond to it and make it profitable.
A. True
B. False
3. Access control involves authorization and authentication.
A. True
B. False
4. The key reasons why EC criminals cannot be stopped include each of the
following except:
A. Online shoppers do not take necessary precautions to avoid becoming a
victim.
B. Strong EC security makes online shopping inconvenient and demanding on
customers.
C. Sophisticated hackers use browsers to crack into Web sites.
D. There is lack of cooperation from credit card issuers and foreign ISPs.
5. The assurance that an online customer or trading partner cannot falsely deny
their purchase or transaction is referred to as:
A. nonrepudiation.
B. integrity.
C. availability.
D. authentication.
6. Fingerprint scanners, facial recognition systems, and voice recognition are
examples of ________ that recognize a person by some physical trait.
A. access control lists
B. human firewalls
C. biometric systems
D. intrusion detection systems
7. ________ is the criminal, fraudulent process of attempting to acquire
confidential information by masquerading as a trustworthy entity.
A. Phishing
B. Pretexting
C. Social engineering
D. Spamming
8. A botnet is:
A. a huge number of hijacked Internet computers that have been set up to
forward traffic, including spam and viruses, to other computers on the
Internet.
B. a piece of code in a worm that spreads rapidly and exploits some known
vulnerability.
C. a production system that looks like it does real work, but that acts as a decoy
and is watched to study how network intrusions occur.
D. a piece of software code that inserts itself into a host or operating system to
launch DOS attacks.

9. A summary of a message, converted into a string of digits after the hash has
been applied, best describes:
A. digital envelope.
B. hash.
C. message digest.
D. digital signature.
10. A law that makes it a crime to send commercial e-mail messages with false or
misleading message headers or misleading subject lines is:
A. SSL.
B. EEA.
C. DCMA.
D. CAN-SPAM.
11. The work atmosphere that a company sets for its employees describes:
A. standard of due care.
B. internal control environment.
C. acceptable use policy.
D. internal politics.
12. The combination of the encrypted original message and the digital signature,
using the recipient's public key, best describes:
A. digital envelope.
B. digital signature.
C. hash.
D. message digest.
13. The success and security of EC is measured by:
A. confidentiality, integrity, and availability.
B. quality, reliability, and speed.
C. encryption, functionality, and privacy.
D. authentication, authorization, and nonrepudiation.
14. Each of the following is a true statement about access control except:
A. All resources need to be considered together to identify the rights of users or
categories of users.
B. Access control lists (ACLs) define users' rights, such as what they are allowed
to read, view, write, print, copy, delete, execute, modify, or move.
C. Access control determines which persons, programs, or machines can
legitimately use a network resource and which resources he, she, or it can use.
D. After a user has been identified, the user must be authenticated.
15. Assurance that stored data has not been modified without authorization and
a message that was sent is the same message that was received is referred to as:
A. nonrepudiation.
B. availability.
C. authentication.
D. integrity.
16. The motives of hackers have shifted from the desire for fame and notoriety
to advancing personal and political agendas.
A. True
B. False
17. Keystroke logging captures and records user keystrokes.
A. True
B. False
18. Cybercrimes are intentional crimes carried out on the Internet.
A. True
B. False
19. Social engineering is an example of an unintentional threat.
A. True
B. False
20. Authentication provides the means to reconstruct what specific actions have
occurred and may help EC security investigators identify the person or program
that performed unauthorized actions.
A. True
B. False
21. The process of verifying the real identity of an individual, computer,
computer program, or EC Web site best describes:
A. authentication.
B. nonrepudiation.
C. availability.
D. integrity.
22. Encryption components include each of the following except:
A. key value.
B. encryption algorithm.
C. ciphertext.
D. internal control environment.
23. Protecting information and information systems from unauthorized access,
use, disclosure, disruption, modification, perusal, inspection, recording, or
destruction best defines:
A. anti-virus protection.
B. security audit.
C. incident management.
D. information security.

24. The protection of information systems against unauthorized access to or
modification of information that is stored, processed, or being sent over a
network is referred to as:
A. data integrity.
B. human firewall.
C. information assurance.
D. information integrity.
25. An attack on a website in which an attacker uses specialized software to send
a flood of data packets to the target computer with the aim of overloading its
resources best describes:
A. botnet infestation.
B. denial-of-service attack.
C. cyberhijacking.
D. cyberraid.