Lesson 7 - Chapter 9
access control (protection of EC information -- access control, encryption & PKI)
active tokens
attack
authentication (3 concepts related to IA model - authentication, authorization and nonrepudiation)
authorization (3 concepts related to IA model - authentication, authorization and nonrepudiation)
availability (success & security of EC can be measured by 3 components: confidentiality, integrity & availability, the CIA security triad)
biometric control
biometric systems
botnet
business continuity plan
certificate authority (CA)
ciphertext
computer security incident management
confidentiality (success & security of EC can be measured by 3 components: confidentiality, integrity & availability, the CIA security triad)
crackers
cryptography
cybercrime
cybercriminal
data breach (unintentional info disclosure, data leak or data loss)
Data Encryption Standard (DES)
denial-of-service (DoS) attack
digital certificate (signatures)
digital envelope
digital signature
EC security programs
email spam (unsolicited bulk email)
encryption
exposure
firewall
fraud
hacker
hash function
honeynet
identity fraud
identity theft
information security
Information Assurance (IA)
Information Assurance (IA) model
integrity (success & security of EC can be measured by 3 components: confidentiality, integrity & availability, the CIA security triad)
Internet fraud
information systems security life cycle management
intrusion detection system (IDS)
macro virus
malware
message digest
mules
nonrepudiation (3 concepts related to IA model - authentication, authorization and nonrepudiation)
packet (part of firewall)
passive tokens
personally identifiable info (PII)
penetration test (risk assessment)
phishing
public key encryption
public key infrastructure (PKI)
risk
secure socket layer (SSL)
search engine spam
symmetric system (part of encryption; 1 of 2 security systems)
social engineering
spam
spam site
SSL (secure socket layer)
stock market fraud
splogs (spam blog site)
spyware
threat
Trojan horse
virtual private network (VPN)
vulnerabilities
vulnerability assessment (part of risk assessment)
worm
virus
zombies
EC defense strategies - major objectives
EC security strategy framework
security spending versus needs gap
Assessing security needs (risk assessment)
Defence 1: of EC systems: six categories
Defence 2: Securing E-commerce networks:
1. Firewalls: dual firewall architecture (DMZ); personal firewalls; additional virus, malware and botnet protection
2. Virtual Private Networks (VPN)
3. Intrusion Detection System (IDS); dealing with DoS (denial of service) attacks
4. Honeynets and honeypots; email security
Defense 3: General controls, internal controls, compliance and other defense mechanisms
Requires several controls:
General controls:
Application controls:
General, administrative and other controls:
Physical controls:
Administrative controls:
Application controls and intelligent agents
Intelligent agents:
Protecting against spam
Protecting against pop-up ads
Protecting against social engineering attacks
Protecting against spyware
Business continuity plan (see page 498, exhibit 9.16), then disaster recovery, disaster avoidance
Risk management and cost-benefit analysis
Enterprise e-commerce security
Drivers of EC security
Senior management commitment and support
EC security policies and training
EC security procedures & enforcement
Why is it difficult to stop internet crime?
1. define e-commerce security. (Turban et al., p. 454)
the protection of data, networks, computer programs, computer power, and other elements of computerized informa
2. describe the major computer and e-commerce security incidents. (Turban et al., pp. 454-457)
information security, personal security, national security
3. explain the three major drivers of e-commerce security problems. (Turban et al., pp. 454-457)
1. The internet's vulnerable design; 2. the shift to profit-induced crimes; 3. … systems and the roles of insiders
4. discuss the need for an e-commerce security strategy. (Turban et al., pp. 459-460)
Computer security can be divided into 3 categories: 1. … known as the cybercrimes; 2. defenses - changing/improving its response to plan, new attack methods, exposure, and to new techno
5. define the following e-commerce security terms: business continuity, cybercrime, fraud, m…, risk, spam, vulnerability, hacker, cracker, and zombie (Turban et al., pp. 460-462)
see above definitions
6. distinguish among the different types of security threats and provide examples. (Turban et al., pp. 460
Unintentional - Human error: in the design of the hardware or information systems, in programming, testing, data c
authorization instructions. Errors related to … can be a result of negligence, inexperience or misunderstanding (eg. not chan
1. List the major security issues in e-commerce.
The major security issues related to e-commerce include:
authentication
authorization
auditing
confidentiality
integrity
availability
nonrepudiation.
2. Explain the three main drivers for e-commerce security issues and attacks.
There are many drivers that have contributed to the rise of e-Commerce attacks and threats. The main ones are th
vulnerable design (open community, virtual and global network, lack of source control), the shift to profit-induced crim
3. What is the information assurance model? What are its components?
The information assurance model provides guidelines and framework supporting the protection of e-commerce secu
risks and attacks, and any unauthorized access or manipulation of data. It has six main components:
Confidentiality: the assurance that data is kept private and confidential to only those who are allowed to access
Integrity: the assurance that the data is accurate or the message has not been changed or modified without auth
Availability: the assurance that access to data, e-commerce system or other business services is timely, accessible
restricted to only authorized users.
Authentication: the assurance that the person accessing the data or the system is allowed to do so and is a real
Authorization: the assurance that only an authenticated person can access and perform transactions.
Non-repudiation: the assurance that the users or trading partners cannot falsely deny the transaction.
4. Provide examples of technical cyber attacks. Which ones are the most prevalent in the Internet space, an
A technical cyber attack uses IT technology and usually takes a methodical approach. Examples of technical cyber a
denial-of-service (DoS) attack, distributed denial-of-service (DDoS) attacks, and malicious code (viruses, worms, ma
1. What is an authentication system? List its key elements.
An authentication system helps a company identify the legitimate parties to a transaction. It determines the actions t
perform in order to complete the transaction. The basic elements of an authentication system include:
person or group to be authenticated
distinguishing characteristic
system proprietor
authentication mechanism
access control mechanism.
2. Describe the characteristics of a public/private key system, and compare it to a symmetric (private) key s
In the public/private key system, the public key is open to anyone, while the private key is kept secret. The sender ne
receiver's public key in order for the receiver to decode the encrypted messages with their private key. With the sym
3. Describe and explain penetration tests and how they can be used to ensure e-commerce infrastructure sec
A penetration test is a method of evaluating the security of an e-commerce infrastructure by simulating an attack from
source. The test consists of analyzing the system for any potential vulnerabilities and attacks, from the perspective o
4. Describe and compare the role of certificates, digital signatures, and digital envelopes.
A certificate is a document issued by a trusted third party (e.g., certificate authority) and is designed to authenticate
keys. It contains information about the entity, the certificate's expiry date, and the entity's public key.
Digital signature is a method used to authenticate the sender's identity by applying public key cryptography in revers
verify that the document did indeed originate from the person whose signature is attached and that the document ha
Digital envelopes are used to send private messages that can be understood only by a specific recipient. The sende
message using the recipient's (Mary's) public key and sends it to Mary. Mary, by using her private key to decrypt the
Digital signatures and digital envelopes both use public keys provided by the certificate authority.
5. Explain the role of a certificate authority (CA). Why is a CA necessary?
A certificate authority (CA) issues certificates to users. The CA manages the entire life cycle of the certificate includin
scrapping, renewal, and replacement. The certificate authority also provides the certificate display function. The CA
6. In Turban et al., answer questions 1, 3, and 4 in Section 9.7 Review (p. 492) and question 5 in Section 9.10 Review
Review Question 1 (page 492)
A firewall is a network node that consists of both hardware and software. It serves to isolate a private network from p
There are two basic types of firewalls: packet-filtering routers and application-level proxies. The packet-filtering route
control by using simple rules (e.g., source and destination IP addresses, source and destination of port numbers, pa
determine which packets to allow through. In contrast, application-level proxies use dual network cards and special s
repackage acceptable packets and allow them onto the internal network.
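The packet-filtering router described in this answer decides per packet from header fields alone: source and destination address, protocol and port. The Python below is an added example for these notes (not the textbook's code) that models such a rule list with first-match semantics and a default-deny policy; the DMZ web server address 203.0.113.10, the internal 10.0.0.0/8 network, the sample packets and the function names are constructed for the demo. Note what a pure packet filter cannot see: it has no idea whether the HTTPS traffic it allows through carries a legitimate request, which is the gap the application-level proxy described in the same answer is meant to close.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a packet-filtering router inspects (payload is not examined)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One filtering rule; None in a field means 'match anything'."""
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"         # source network, CIDR notation
    dst: str = "0.0.0.0/0"         # destination network, CIDR notation
    proto: Optional[str] = None    # "tcp", "udp", ...
    dport: Optional[int] = None    # destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; unmatched packets get the default action.
    Default-deny makes a missing or mistyped rule fail closed rather than open."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set for a DMZ web server (203.0.113.10) in front of an internal
# 10.0.0.0/8 network; the addresses are documentation ranges, not real hosts.
DMZ_RULES = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),                   # HTTPS from anywhere
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=80),                    # HTTP from anywhere
    Rule("allow", src="10.0.0.0/8", dst="203.0.113.10/32", proto="tcp", dport=22),  # admin SSH, internal only
    Rule("deny"),                                                                   # explicit catch-all
]

# Constructed sample traffic.
SAMPLE_PACKETS = {
    "customer https": Packet("198.51.100.7", "203.0.113.10", "tcp", 51515, 443),
    "external ssh":   Packet("198.51.100.7", "203.0.113.10", "tcp", 51516, 22),
    "internal ssh":   Packet("10.1.2.3", "203.0.113.10", "tcp", 40000, 22),
    "external smb":   Packet("198.51.100.7", "10.0.0.5", "tcp", 51517, 445),
}


def evaluate_samples(rules: List[Rule] = DMZ_RULES) -> Dict[str, str]:
    """Return the filtering decision for each sample packet."""
    return {name: filter_packet(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name:15s} -> {decision}")
```

Rule order matters: moving the catch-all `deny` to the top would silently block everything, which is exactly the kind of misconfiguration a rule-set review should look for.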
Review Question 3 (page 492)
A virtual private network (VPN) is a secure and encrypted connection between two points on the Internet. VPN can b
communication within distributed networks (such as financial branch offices and corporate headquarters) and among
remotely or using mobile devices to access their workplace. VPN uses the public Internet to carry information but rem
using encryption to scramble the communications, authentication to ensure that the information has not been tampe
from a legitimate source, and access control to verify the identity of anyone using the network.
Review Question 4 (page 492)
An intrusion detection system (IDS) is special security software that can monitor activities across the network or on a
There are two types of IDS: host based and network based. A host-based IDS resides on the server or other host sy
monitored and is good at detecting critical breaches or security threats such as an attempt to access security files or
access. A network-based IDS uses rules to analyze suspicious activity at the perimeter of a network or at key locatio
network.
Review Question 5 (page 504)
The following are the six major reasons why it is difficult to stop computer crimes (refer to Turban et al., pp. 503-50
With a tension between making shipping convenient and ensuring an adequate level of security, enforcing safeguard
system and create friction.
There is a lack of cooperation between credit card issuers and ISPs.
Shoppers are sometimes negligent, relying on protection offered by credit card issuers rather than taking necessary
protect themselves from being victimized.
Some firms ignore e-commerce security best practices. Businesses may fail to develop a comprehensive security pl
and recovery plans), best practices, and business continuity plans. Most importantly, senior management commitme
Design and architecture issues occur when IS staff do not properly design and develop software, applications, and s
as leaving scripts in the code can allow easy access to hackers.
Computer crime can be the result of a lack of due care in business practices such as dealings with external partners
outsourcing, business partnerships, leasing, and so on.
Lesson 8 - Chapter 10
address verification system (AVS)
contact card
contactless (proximity) card
credit card
e-billing
e-cheque
e-micropayments
letter of credit (LC)
payment service provider (PSP)
private key encryption
public key encryption
purchasing card
secure socket layer (SSL)
smart card
smart card reader
smart card operating system
stored-value card
virtual credit card
Types of smart cards:
1. contact card
2. contactless (proximity) card
Hybrid cards
EPROM, EEPROM
1. Why are traditional payment systems inadequate for e-commerce?
Since traditional paper-based payment systems involve physical delivery, they are expensive and slow. In addition, b
complete an online transaction without an electronic payment scheme.
2. What participants and procedures are involved in online credit card systems?
The key players in the electronic credit card system are cardholder, merchant, card issuer, acquirer, and card brand.
steps: a. An issuer (usually a bank) issues a credit card to a cardholder.
b. The cardholder presents the card to a merchant in order to pay for a product or service.
c. The merchant asks for approval from the card brand company. When the transaction is approved, the merchan
d. The merchant sells the slip to their acquirer (usually a bank).
e. The acquiring bank requests that the card brand clear the slip and reimburse the acquirer for the amount of the
f. The card brand requests payment for the amount of the sale from the issuer.
g. Periodically, the issuer bills the amount to the cardholder, or automatically deducts the amount from the cardho
3. What is a smart card? For what types of applications could they be used?
A smart card is a plastic payment card with an embedded computer chip that can store data and, in some instances,
computer programs. Smart cards are used in conjunction with loyalty card programs, health care delivery, transporta
personal identification. In the future, smart cards may be applied to information technology, electronic money, and ot
4. What methods of electronic payment would you recommend for a firm offering health care products onlin
An online business should be open to all types of customers and should certainly accept most major credit cards. Ho
main customers are seniors, options could vary based on the customer’s location. For example, seniors living in Can
use their own credit card to purchase products. E-cheques could be an alternative for those who do not have access
Since most e-cash systems are tied to a credit card, they would not be a viable alternative in such cases.
5. Compare e-cash and debit cards.
A supply of e-cash is usually delivered by way of a stored-value card. The value is stored in software called an electr
may be located on a PC or smart card. A debit card, on the other hand, is a physical card that provides authorization
money in the customer's account and transfer to the merchant's account.
6. Suggest the best method of electronic payment for a company that wishes to control its office supply pur
A purchase card is a good option in such situations. A special-purpose payment card issued to a company's employe
solely for the purchase of nonstrategic materials and services up to a pre-set dollar limit. These cards allow the com
of the amount each employee can spend as well as perform bill consolidation and payment reconciliation and suppo
In addition, they help the company control its expenses and spending by compiling detailed reports.
7. What is mobile payment? Give examples of types of mobile payment transactions.
Mobile payment refers to payment transactions initiated or confirmed using a person’s cell phone or smartphone. Mo
usually used for buying music, videos, ringtones, online games, transportation fares, parking tickets, books, magazin
products and services.
A number of factors determine whether an e-payment method achieves critical mass; they include:
Independence
Interoperability and portability
security - how safe is the transfer
anonymity
divisibility
ease of use
transaction fees
international support
regulations
payment cards
3 types:
credit cards
charge cards
debit cards
Processing cards online
two phases:
authorization:
settlement:
3 basic configurations for this to occur:
Lesson 9 - Chapter 6
Bluetooth
CRM
e-trade & real estate
geographical information system (GIS)
global positioning system (GPS)
location-based m-commerce
l-commerce
real time location system (RTLS)
mobile banking (m-banking)
mobile commerce (m-commerce)
mobile computing
mobile devices
mobile web
mobile enterprise
mobile portal
mobile worker
microbrowser
personal area network (PAN)
personal digital assistant (PDA)
PRM
pervasive computing
radio frequency identification (RFID)
sensor network
smartphone
short message service (SMS)
ubiquitous computing
wireless application protocol (WAP)
wireless local area network (WLAN)
wireless wide area network (WWAN)
4 enterprise applications created to meet specific business needs:
major users of m-commerce include:
shift paradigm from traditional e-commerce to mobile commerce
Benefits of m-commerce
Infrastructure - components & services of mobile computing
automatic vehicle location (AVL)
location-based service
social location-based marketing
1. What are the key technologies and devices (infrastructure) that support m-commerce applications?
There are a number of technologies and devices that support m-commerce. A partial list includes wireless portable c
tablet PC, personal digital assistant (PDA), Blackberry, Palmtop, and smart phone.
2. What are the major drivers of m-commerce?
The eight major forces driving m-commerce are widespread availability of more powerful devices
handset culture
service economy
vendor's push
mobile workforce
increased mobility
improved price/performance
improved bandwidth.
3. Explain how the banking industry could benefit from m-commerce. What key issues should be address
Many of the services and value activities offered by the banking industry could benefit from m-commerce. First, m-co
communicate with customers by enabling customers to use their mobile handsets to access account balances and r
regarding loans, expenses, and portfolios. In addition, m-commerce can help facilitate banking transactions such as
SMS, buying goods and services, accessing virtual cash, and so on.
The major issues are related to security of data and the system, confidentiality and privacy of communication and tra
reliability and connectivity, customer support, and other ethical issues.
4. How might wireless communications support intrabusiness activities?
Intrabusiness activities include all the business activities and processes within an organization. By providing mobile
communicate efficiently and on time, productivity can increase, customer service levels can improve, and employee
increase. In addition, mobile services are important in supporting and facilitating sales force mobilization and job dis
that take place between units within the organization, including design, production, delivery, sales, support, and so o
5. Compare m-commerce and l-commerce.
M-commerce and l-commerce are both commercial activities that take place electronically with wireless devices. T
are matters of scope and time. M-commerce can be used in global application of business activities such as bankin
support. However, l-commerce is restricted to the location and time in which commercial activities and services are
of GPS-enabled services for navigation, mapping, tracking, and so forth.
6. What are the similarities and differences between ubiquitous and pervasive computing?
Ubiquitous and pervasive computing are both computer capabilities and infrastructure that support information app
a broad range of network-based services, including Internet-based e-commerce services embedded in objects aroun
computing help automate processes and facilitate transactions.
The main difference between them is that ubiquitous computing is embedded in mobile environment, whereas perva
applications that are not typically mobile. As explained in the textbook, both concepts can be used interchangeably. B
around us, whether mobile or not, including cars, tools, appliances, clothing, and other consumer goods that commu
interconnected networks.
7. Give examples of sensor n...
Spring '14