
Running head: HSN RISK ASSESSMENT REPORT 1

Home Shopping Network Risk Assessment Report

Belinda Edwards

University of Maryland University College

August 19, 2010


EXECUTIVE SUMMARY

A detailed risk assessment was performed on the security of the Home Shopping Network’s (HSN) internet and “shop by remote” functionality. HSN established the “electronic retailing industry” in 1977 and is now considered the “world’s most widely distributed TV shopping network” (Endeca, 2002). The corporation has “grown into a global multichannel retailer that offers a live television broadcast that reaches 94 million homes – 24 hours a day, 7 days a week, 364 days a year – selling 50 million products annually” (Endeca, 2002).

HSN Inc.’s (HSNI) major subsidiary, HSN.com, streams in three channels: television, the internet, and mobile (Crowell, 2010). This assessment focuses primarily on the internet channel, but discusses system vulnerabilities within both the television and mobile channels. HSN.com provides its customers with an interactive shopping experience, offering consumers video-guided shopping from its library of 13,000 online videos. HSN.com has been “rated as a Top-10 trafficked e-commerce website: #25 on Internet Retailer Top 100, with 2nd highest traffic growth behind only Amazon.com. HSN.com gets 200,000 unique users daily and 5 million page views per day” (Crowell, 2010).

The HSN call center is located in St. Petersburg, FL. HSN initially used an IBM System/36. Its main order entry system was written in a 4GL code generator called the Logic and Information Network Compiler (LINC), since renamed Agile Business Suite by Unisys (Wikipedia, 2010). Since HSN currently processes approximately 44 million calls each year, HSN selected the GoldenGate solution to upgrade its CRM software. This migration also included a transition to Siebel CRM v8.0 and Oracle Database 10g. The HSN business model demands zero downtime; therefore, system upgrades must be performed in parallel with the old system (BusinessWire, 2008). It is assumed that the Oracle Database 10g holds a huge amount of sensitive customer data, such as usernames, passwords, PINs, and credit card information for account access. HSN also utilizes Endeca’s InFront, a guided navigation and advanced search solution, to enable customers to easily navigate HSN.com’s online catalog of 13,000 products. The goal of this implementation is to increase impulse purchases, thus generating additional revenue.

HSN’s success and leadership in retail innovation attract hackers and career criminals, who exploit system vulnerabilities to steal personally identifiable information (PII) for identity theft. As a leader in multichannel retailing, HSN is a practical target for identity theft, bank and individual fraud, security breaches, and mobile phone replication. The HSN chief information assurance officer (CIAO) has the overwhelming task of securing system and application integrity, as well as protecting the confidentiality of customer data.

This assessment focused on system risks of the application, email, and web servers; end user systems; mobile devices; and cable and satellite service providers. High risks and impacts were identified on the client side (SANS, 2010). Client (or end user) systems are especially vulnerable because customers do not fully understand the risks of delaying patch installation (SANS, 2010). Customers, in addition to financial institutions, are susceptible to various phishing attacks that could result in the loss of valuable data, not just personally identifiable information (SANS, 2010). Data integrity could be compromised by any security breach. If a breach occurs, it could negatively impact customer trust in system availability and data confidentiality.


This evaluation offers risk mitigation recommendations for each of the identified system vulnerabilities. The position taken is to address risks to valuable data, which extends beyond personally identifiable information. The aim is to secure HSN servers and customer data, partner (service provider) systems, ecommerce transactional data, and customers’ systems. For each service provider, it is important to (1) insist that all input received from remote sources is sanitized before it is stored in the backend database; (2) pledge appropriate layered protections to prevent and detect attacks aimed at web servers; and (3) identify vulnerable applications, define actions for them within the incident response report and/or business continuity plan, and remediate them in a timely manner (SANS, 2010).


Table of Contents

EXECUTIVE SUMMARY ... 2
INTRODUCTION ... 6
  The Purpose ... 6
  Scope of the risk assessment ... 6
RISK ASSESSMENT APPROACH ... 6
  The Participants ... 6
  The Techniques Used ... 6
  The Risk Model ... 7
    Threat Likelihood ... 7
    Impact Definitions ... 8
    Risk Level Matrix ... 8
    Description of Risk Levels ... 9
SYSTEM CHARACTERIZATION ... 10
  The Proposed HSN Network System Architecture ... 10
  Technology Components ... 11
  Users ... 12
THREAT STATEMENT ... 12
RISK ASSESSMENT RESULTS ... 13
  Observation 1: Client side software remains unpatched ... 13
  Observation 2: Web applications are vulnerable to SQL injections ... 13
  Observation 3: Customer identifiable data is vulnerable to phishing attacks ... 14
  Observation 4: User data and account information could be stolen from various service provider databases ... 14
  Observation 5: User data and account information could be stolen during mobile ecommerce transactions ... 15
  Observation 6: E-commerce transactional data could be stolen ... 16
  Observation 7: “Shop by Remote” exposes operating system procedures within the cable industry ... 17
  Observation 8: HSN.com is subject to denial of service attacks ... 17
  Observation 9: Power failure due to a natural disaster affect business processing ... 18
  Observation 10: HSN.com is subject to man in the middle (MITM) attacks ... 18
SUMMARY ... 19
REFERENCES ... 19

Figures

Figure 1: Proposed HSN Network Architecture ... 10

Tables

Table 1: Threat Likelihood Definitions ... 7
Table 2: Magnitude of Impact Definitions ... 8
Table 3: Risk Level Matrix ... 8
Table 4: Risk Scale and Necessary Actions ... 9


INTRODUCTION

The Purpose

The purpose of this risk assessment is to identify threats and vulnerabilities applicable to the three HSN channels: television, the internet, and mobile. The HSN.com site is the primary source of revenue generation, although there are four store fronts throughout Florida.

Scope of the risk assessment

HSN has three channels: internet, mobile, and television. The risk assessment will review vulnerabilities against all three channels. Due to the interoperability HSN has with its customers, financial institutions, and mobile and cable service providers, this document evaluates the threats within each arena.

Unfortunately, the number of application, email, and web servers in use at the call center site is currently unknown. What is known, however, is the type of software purchased to maintain and search the data held in the corporation’s repository. It is assumed that HSN has a secured, layered architecture for its systems processing; this assumption forms the basis for this assessment report. This risk assessment also covers man-made and natural disasters, touching on business continuity planning. This is important should a natural disaster occur near HSN headquarters in St. Petersburg, Florida. A risk assessment of the physical HSN campus is out of scope for this paper. Malign actors can impact customer trust, affecting customers’ perception of data confidentiality and system integrity and availability (CIA).

RISK ASSESSMENT APPROACH

The Participants

This assessment is based on information obtained through academic and industry sources; limited information was gained from HSN itself.

The Techniques Used

This risk assessment is based upon information and methodologies learned during the course of this semester. Information was gathered from public domains and sought to involve the various industries engaged in multichannel retail, including financial, cable, and telephony. Articles from academic journals provided the techniques from which the threat and vulnerability assessments were performed, concentrating on information assurance. Industry articles formed the basis to understand various techniques used to comply with the information assurance techniques presented.


Vulnerability sources used for this assessment include:

• SANS Top cyber security risks (http://www.sans.org/top-cyber-security-risks/)

• Information Assurance Technical Framework (https://www.iad.gov/library/iacf.cfm)

• Risk Management Guide for Information Technology Systems

• Visa PCI – Complying with Payment Card Industry (PCI) Standards (http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/dce93ca8c1f384d6862571420036f06c/5ac115c55f9c851d8825727b007f697f/$FILE/Visa%20PCI%20%E2%80%93%20Complying%20with%20Payment%20Card%20Industry%20Standards.pdf.

• Center for Strategic and International Studies (http://csis.org/files/publication/Twenty_Critical_Controls_for_Effective_Cyber_Defense_CAG.pdf)

The Risk Model

The risk models used in this assessment are based upon NIST Publication 800-30: Risk Management Guide for Information Technology Systems (Stoneburner et al., 2001).

Threat Likelihood

There are multiple factors that affect the probability that a threat-source exploits a system vulnerability. Per NIST Pub 800-30, these factors include:

• Threat-source motivation and capability

• Nature of the vulnerability

• Existence and effectiveness of current controls

The likelihood of these vulnerabilities being exploited is defined in the table below.

Threat Likelihood: Likelihood Definition

HIGH: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.

MEDIUM: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

LOW: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

Table 1: Threat Likelihood Definitions


Impact Definitions

The assessment analyzed the adverse impact resulting from a successful exploitation of a system vulnerability. The magnitude of impact is based on data value and sensitivity, as well as the system mission within HSN and its partner environments. The table below is based upon examples presented in NIST Pub 800-30, and was the guide used to assess system threats.

Impact Magnitude: Impact Definition

HIGH: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources by HSN and its partner service providers within the financial, cable, and telephony industries; (2) may significantly violate, harm, or impede HSN sales and could negatively impact the reputation of the multichannel retail leader.

MEDIUM: Exercise of the vulnerability (1) may result in the costly loss of major tangible assets or resources by HSN and its partner service providers within the financial, cable, and telephony industries; (2) may violate, harm, or impede HSN revenues and could negatively impact the reputation of the multichannel retail leader.

LOW: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources by HSN and its partner service providers within the financial, cable, and telephony industries; or (2) may noticeably affect the mission, reputation, or interest of the multichannel retail leader.

Table 2: Magnitude of Impact Definitions

Risk Level Matrix

The risk level matrix multiplies the probability assigned to each threat likelihood level by the value assigned to each impact level, yielding a measure from which to evaluate system risk. The table is adapted from the NIST 800-30 publication.

Threat Likelihood      Impact: LOW (10)    MEDIUM (50)    HIGH (100)
HIGH (1.0)                     10              50            100
MEDIUM (0.5)                    5              25             50
LOW (0.1)                       1               5             10

Table 3: Risk Level Matrix


Description of Risk Levels

The risk scale listed below represents the risk level to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk scale presents actions adopted by the HSN chief information assurance officer, and enforced by its technical staff and systems stakeholders. The table is adapted from the NIST 800-30 publication.

Risk Level: Risk Description and Necessary Actions

HIGH: Immediate corrective action is required for any system observed at high risk. Actions detailed within the incident response report must be executed immediately.

MEDIUM: Corrective actions must be taken against any system observed as medium risk. The incident response report must address actions to be executed within a reasonable time period.

LOW: If an observation is described as low risk, the HSN CIAO and the system’s designated approving authority (DAA) must determine whether corrective actions are still required or decide to accept the risk.

Table 4: Risk Scale and Necessary Actions
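The risk model of Tables 1 through 4 carried through in code, as an added illustration rather than part of the original report: the likelihood probabilities and impact values are those of Table 3, while the numeric bands that turn a score into a Low/Medium/High level (1 to 10, above 10 to 50, above 50 to 100) are taken from NIST SP 800-30 itself, which the report cites but does not reproduce; function and variable names are this example's own.

```python
"""NIST SP 800-30 risk-level matrix as used in this report (added example)."""

# Probabilities per likelihood level and values per impact level (Table 3).
LIKELIHOOD = {"HIGH": 1.0, "MEDIUM": 0.5, "LOW": 0.1}
IMPACT = {"LOW": 10, "MEDIUM": 50, "HIGH": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk score = likelihood probability x impact value (Table 3)."""
    return LIKELIHOOD[likelihood.upper()] * IMPACT[impact.upper()]


def risk_level(score: float) -> str:
    """Map a score onto the risk bands of NIST SP 800-30 (assumption: the
    report does not print these bands; they are NIST's own):
    Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "HIGH"
    if score > 10:
        return "MEDIUM"
    return "LOW"


def rate(likelihood: str, impact: str) -> tuple[float, str]:
    """Return (score, level) for one threat/vulnerability pair."""
    score = risk_score(likelihood, impact)
    return score, risk_level(score)


def risk_matrix() -> dict[str, dict[str, float]]:
    """Rebuild Table 3 as nested dicts: matrix[likelihood][impact] = score."""
    return {lk: {im: risk_score(lk, im) for im in IMPACT} for lk in LIKELIHOOD}


def render_matrix() -> str:
    """Plain-text rendering of Table 3 with the risk level beside each score."""
    header = "Likelihood \\ Impact".ljust(22) + "".join(im.rjust(16) for im in IMPACT)
    lines = [header]
    for lk, row in risk_matrix().items():
        cells = "".join(
            f"{row[im]:.0f} ({risk_level(row[im])})".rjust(16) for im in IMPACT
        )
        lines.append(lk.ljust(22) + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix())
    # Observation 9 of this report: Medium likelihood, Medium impact -> 25, MEDIUM
    print(rate("MEDIUM", "MEDIUM"))
```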


SYSTEM CHARACTERIZATION

The Proposed HSN Network System Architecture

The following diagram is an assumed representation of Home Shopping Network’s network architecture. HSN does not publicly disclose its proprietary information.

Figure 1: Proposed HSN Network Architecture


Technology Components

The table below contains assumed system components, based upon information discovered from various industry case studies presented by BusinessWire, Endeca, and Microsoft.

Tier: Consumer/End User
• Internet access via PC
• Internet access via laptop
• Internet access via smart phone
• Satellite or high definition television

Tier: Web Server
• Unknown

Tier: Application Server
• Oracle Siebel CRM v8.0
• User service application
• Endeca InFront
• “Shop by Remote” application
• 360 Degree Fashion application

Tier: Database
• Oracle Database 10g

Tier: System Monitor and Management
• Systems monitoring application
• Intrusion detection application

Tier: Technologies
• Oracle Database
• Cookie data collection
• Web beacons data collection
• Microsoft Silverlight
• Information System Smooth Streaming
• Microsoft Expression Blend
• Microsoft Visual Studio 2008
• Microsoft .NET Framework
• Microsoft Internet Information Services


Users

User: Description

Consumer/User: Customer who watches and/or purchases from the HSN inventory of approximately 13,000 products.

Service providers/partner organizations: Home Shopping Network; cable and/or satellite provider; financial service provider; mobile telephony service provider. All contribute to the processing cycle to successfully complete a purchase.

HSN System Administrators: HSN employees responsible for maintaining system and network integrity and availability, which will enforce data credibility.

Service provider network administrators: Employees at partner organizations who are also responsible for maintaining system and network integrity and availability, which will enforce data credibility.

Third-party developers: Employee and independent personnel, responsible for developing secure applications for use by HSN.

HSN Chief Information Assurance Officer (CIAO): Responsible for establishing and enforcing security standards specific to system implementation and maintenance (O&M) and application development.

Purchase processing system: HSN information system comprised of interactive voice response (IVR), call center technology, and transaction processing.

THREAT STATEMENT

HSN is the leader of global multichannel retailing. Its profile as a leader in retail innovation makes HSN a practical target for identity theft, bank and consumer fraud, security breaches, and mobile phone replication, which attract threat sources such as hackers and career criminals, all of whom have various motivations. This risk assessment identified the common threats from humans, but also addressed natural threats. Each table lists the references considered when evaluating threats and vulnerabilities.


RISK ASSESSMENT RESULTS

Observation 1: Client side software remains unpatched.

Threat Source: Hackers, career criminals, developers, “friends”

Vulnerability: User computer

Impact: High. Computers are compromised.

Risk Rating: High.

Likelihood: High. Occurs when users access infected websites and/or download infected files; provides attacker with access to “

Existing Controls:

• User education on the importance of patch installation

• Service providers maintain intrusion detection capabilities

• Service providers maintain a layered approach

Recommended Controls:

• Service providers must maintain intrusion detection and system monitoring capabilities

• Service providers must keep operating system patches updated

Reference: SANS, 2010.

Observation 2: Web applications are vulnerable to SQL injections.

Threat Source: Hacker, career criminal, mobile app developers

Vulnerability: Common flaws in application development, client-side exploits (inefficient system patching)

Impact: High. Trusted websites become malicious, infecting visitors.

Risk Rating: High.

Likelihood: High. Most website owners fail to scan for common flaws; secure code development is not enforced, thus aiding in vulnerabilities.

Existing Controls:

• On-going penetration (pen) testing

• User input validation prior to system processing

• User authentication

Recommended Controls:

• Data from external sources must be sanitized prior to insertion into the backend database

• Multiple layers of security (i.e. firewall, data encryption, intrusion detection mechanism)

Reference: SANS, 2010; UMUC Sample report 1.
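The recommended control for Observation 2 (sanitize external data before it reaches the backend database) shown as an added example that is not the report's or HSN's code: one catalog search written with string concatenation and the same search with bound parameters, run against an in-memory SQLite table that stands in for the Oracle backend described in the report. The table, product names and inputs are constructed for the example, and function names are its own.

```python
"""Observation 2: unsanitized input in SQL vs. parameterized queries (added example)."""
import sqlite3

# Constructed sample catalog; names and prices are invented for this example.
SAMPLE_PRODUCTS = [
    (1, "Cordless vacuum", 129.99, 1),
    (2, "Chef knife set", 59.00, 1),
    (3, "Retired cookware", 20.00, 0),   # on_sale = 0: must never be listed
]


def make_catalog() -> sqlite3.Connection:
    """Build the stand-in backend table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, "
        "price REAL, on_sale INTEGER)"
    )
    conn.executemany("INSERT INTO product VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """The flaw: user input is pasted into the SQL text, so a quote in the
    input ends the string literal and whatever follows runs as SQL."""
    sql = f"SELECT name FROM product WHERE on_sale = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list[str]:
    """The fix: the driver binds the value separately from the SQL text, so
    the input is only ever compared as data, whatever characters it holds."""
    sql = "SELECT name FROM product WHERE on_sale = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def escape_like_wildcards(term: str) -> str:
    """Binding stops injection but not LIKE wildcards; escape '%' and '_'
    when users must not be able to enumerate the table with a bare wildcard."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_hardened(conn: sqlite3.Connection, term: str) -> list[str]:
    """Bound parameter plus wildcard escaping."""
    sql = "SELECT name FROM product WHERE on_sale = 1 AND name LIKE ? ESCAPE '\\'"
    pattern = f"%{escape_like_wildcards(term)}%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    conn = make_catalog()
    # Constructed hostile input: a quote closes the literal, "--" comments out the rest.
    hostile = "' OR 1=1 --"
    print(search_vulnerable(conn, hostile))     # every row, on_sale filter bypassed
    print(search_parameterized(conn, hostile))  # [] : treated as a literal substring
    print(search_hardened(conn, "%"))           # [] : wildcard escaped, no enumeration
```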

Observation 3: Customer identifiable data is vulnerable to phishing attacks between service partners.

Threat Source: Hackers, “friends”, career criminals

Vulnerability: User unawareness, web session control

Impact: High. Consumer data could be compromised.

Risk Rating: High. Consumer data could be divulged, resulting in identity theft and loss of consumer trust.

Likelihood: High.

Existing Controls:

• Banks are implementing “Trusteer” software to ensure sessions are blocked from being redirected to phishing sites

• Trusteer warns users when visiting phishing sites

• Service providers authenticate users, utilizing preference security questions

Recommended Controls:

• Service providers enhance user authentication procedures, modernizing security questions towards preference questions

• Service providers continue to comply with the FCC rule prohibiting landline and cellular phone companies from asking biographical questions (pretexting)

• Service provider infrastructure must ensure inter-machine processing communication and authentication

Reference: Litan, 2010; Pickert, 2008; KnowledgeLeader, 2010.

Observation 4: User data and account information could be stolen from various service provider databases

Threat Source: Career criminal

Vulnerability: Web, application, email servers

Impact: High. Personally identifiable information could be compromised; consumer trust could be lost.

Risk Rating: High.

Likelihood: High. Attackers are interested in gaining access to valuable data types, not just consumer information.

Existing Controls:

• Service providers maintain compliance with the Data Breach Notification Act (S. 139)

• Service providers maintain emphasis on securing critical customer personal data

• Service providers limit usage of external media (i.e. CDs, thumb drives)

Recommended Controls:

• The Payment Card Industry (PCI) is a leading authority for merchants to learn about data security threats and mechanisms to prevent attacks. It hosts a Security Council.

o Encourage/enforce certifications for system security, developers (SCCLP) and network administrators (SSCP)

o Service providers should become PCI DSS-certified

Reference: Kumar, 2009; SANS, 2010; PCI, 2006.

Observation 5: User data and account information could be stolen during mobile ecommerce transactions

Threat Source: Hacker, career criminal

Vulnerability: User unawareness

Impact: High. PII data (name, address, mobile phone number, mobile contacts, HSN and financial account number) can be captured and used.

Risk Rating: High.

Likelihood: High, as mobile commerce is in its infancy. As the medium becomes commonplace (as Gartner projects by 2014), security policy procedures will improve.

Existing Controls:

• User authentication

• Session keys, used to secure customer interaction and/or automatically log off due to inactivity

• System files, transaction logs, backup files (kept distinctly by service providers)

• Software patches, applied by both customers and service providers

• System and configuration file security (maintained by service providers)

• Physical security

• Operating system security – applies to customers and service providers; means systems are installed on securely configured and maintained systems

• Intrusion detection – applies to customers and service providers; means systems are monitored for unauthorized access

• Privacy policy must be maintained, enforced, and updated per legislative changes – applies to service providers

Recommended Controls:

• Operating system security must improve within the mobile phone industry; breaches have increased as customers increased usage of mobile apps

• Customers and service providers must apply security patches in a timely manner

• Privacy policy must be maintained, enforced, and updated per legislative changes – applies to service providers

Reference: KnowledgeLeader, 2010.

Observation 6: E-commerce transactional data could be stolen.

Threat Source: Hackers, career criminals

Vulnerability: Financial transaction data storage

Impact: High. Consumer and financial information could be obtained, modified, and reused.

Risk Rating: High. Consumer data could be divulged, resulting in identity theft and loss of consumer trust.

Likelihood: Medium.

Existing Controls:

• Financial industry complies with the Data Security Standard (DSS), initially implemented in 2004

• Financial industry recently approved PCI security standards for data storage

• Service providers must build and maintain a secure network

• Financial service providers must protect cardholder data

Recommended Controls:

• Service providers should maintain strong access control methods

• Service providers must test and monitor networks on a regular basis

• A report on compliance (ROC) audit of financial service providers should be performed annually, at a minimum

Reference: Bess, 2008; PCI, 2006.

Observation 7: “Shop by Remote” exposes operating system procedures within the cable industry.

Threat Source: Hackers, career criminals

Vulnerability: Consumer telephone, cable, and financial service

Impact: High. Consumer data could be compromised.

Risk Rating: Medium.

Likelihood: Low (for now). Attackers would need to infiltrate cable infrastructure to obtain data sent over lines to HSN.

Existing Controls:

• Strong user authentication procedures are used by all service providers

• Consumers must register for the ‘shop by remote’ service by providing personally identifiable information (i.e. name, address, credit card, email address)

Recommended Controls:

• Data sent from cable providers to HSN should be encrypted

• Standards must be established and enforced for ‘shop by demand’ functionality between HSN and all cable outlets

Reference: Spangler, 2010; Arlen, 2010.

Observation 8: HSN.com is subject to denial of service attacks.

Threat Source: Hackers, career criminals

Vulnerability: Servers (application, email, web) and network devices

Impact: High. Consumer access to the virtual marketplace is denied, resulting in loss of revenue.

Risk Rating: High.

Likelihood: Medium. It is not clear whether HSN.com has been attacked, but it is always possible, especially since HSN is the world’s largest television shopping network.

Existing Controls: Unknown

Recommended Controls:

• Protect the communications network

• Enforce intrusion detection measures (i.e. firewalls)

• Impose access controls

• Impose secure development procedures

• Encourage certification for systems developers and administrators

Reference: UMUC Sample report 1; NSA, 2001.

Observation 9: Power failure due to a natural disaster affects business processing.

Threat Source: Natural disaster

Vulnerability: All equipment that requires power and cooling to perform

Impact: Medium. HSN headquarters is located in central Florida, home to its call center, broadcasting, and studio facilities.

Risk Rating: Medium.

Likelihood: Medium. It is not clear whether HSN.com has been attacked, but it is always possible, especially since HSN is the world’s largest multichannel retailer.

Existing Controls:

• Business continuity plans (BCP)

• Backup/secondary locations for broadcasting and studio facilities and call center processing

• Backup ecommerce systems regularly

• Recovery procedures should be tested regularly to validate backup integrity

Recommended Controls:

• Test the actions outlined in the business continuity plan quarterly

• The BCP should be modified to address current threats, treating it as a “living document”

Reference: KnowledgeLeader, 2010; Pfleeger, 2007.

Observation 10: HSN.com is subject to man in the middle (MITM) attacks.


Threat Source: Hackers, career criminals

Vulnerability: End user and network systems

Impact: High. Consumer data could be compromised.

Risk Rating: High.

Likelihood: High. Consumers could become victims via receipt of phishing emails encouraging dissemination of identifiable information.

Existing Controls: Unknown

Recommended Controls:

• Users must immediately implement security patches

• Users must employ firewall technology

• Data encryption measures should be employed, including PKI certificates

Reference: UMUC Sample report 1; KnowledgeLeader, 2010.

SUMMARY

For the past thirty years, the industry has grown at a compound rate of only just over one percent a year. Tapping into the enormous potential sales in India and China will bring a new boom. The auto industry will consequently be much larger in 2020, around sixty-five percent larger, in terms of production. China has already become a strong player in manufacturing global automotive electronics. Chinese automakers are also buying factory equipment from top international suppliers. Competitive Chinese suppliers are looking to start manufacturing and selling in overseas markets (International Trade Administration, 2009, p. 32). “By 2020 the auto industry will have reached an annual production of 100 million vehicles [a year], mostly due to demand in Asia,” says Dr. Carl Hahn, a former chairman of Volkswagen AG (The Economist Intelligence Unit, 2006, p. 25).

REFERENCES

Arlen, G. (2010). HSN's remote shopping sparks new interactivity. TVtechnology.com. Retrieved August 17, 2010 from http://www.tvtechnology.com/article/10840.

Bess, J. (2008). Visa PCI – Complying with payment card industry standards. Retrieved August 8, 2010 from http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/dce93ca8c1f384d6862571420036f06c/5ac115c55f9c851d8825727b007f697f/$FILE/Visa%20PCI%20%E2%80%93%20Complying%20with%20Payment%20Card%20Industry%20Standards.pdf.

BusinessWire. (2008, September 15). HSN deploys GoldenGate software for zero-downtime migration of Oracle's Siebel CRM application. Retrieved August 18, 2010 from http://findarticles.com/p/articles/mi_m0EIN/is_2008_Sept_15/ai_n28094247/.


Crowell, G. (2010). E-Commerce video strategies with the Home Shopping Network. Retrieved August 18, 2010 from http://www.reelseo.com/video-commerce-hsn/.

Endeca. (2002). World’s largest television shopping network HSN selects Endeca InFront™ for enriched online customer experience. Retrieved August 18, 2010 from http://www.endeca.com/83dc77d1-b5c8-4fcc-b927-e60fa173054b/news-and-events-press-releases-archive-details.htm.

Stoneburner, G., Goguen, A., & Feringa, A. (2001). Risk management guide for information technology systems. NIST 800-30. Retrieved May 30, 2010 from UMUC WebTycho.

Litan, A. (2010, June 4). Banks distribute Trusteer and other security software, but need to do more. Gartner.com. Retrieved June 27, 2010 from http://my.gartner.com.ezproxy.umuc.edu/portal/server.pt?open=512&objID=260&mode=2&PageID=3460702&resId=1381017&ref=QuickSearch&sthkw=transactional+security.

KnowledgeLeader. (2010). E-commerce security best practice guidelines. Retrieved August 8, 2010 from http://www.auditnet.org/articles/eCom%20Sec%20Best%20Practices.doc.

Kumar, P. (2010, January 18). E-Commerce data security 2010: Learning from 2009’s debacles. Retrieved June 27, 2010 from http://www.ecommercetimes.com/story/E-Commerce-Data-Security-2010-Learning-From-2009s-Debacles-69129.html.

NSA. (2001). Defense in depth. Retrieved August 16, 2010 from http://www.nsa.gov/ia/_files/support/defenseindepth.pdf.

PCI. (2006). Visa PCI – complying with payment card industry standards. Retrieved August 8, 2010 from http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/dce93ca8c1f384d6862571420036f06c/5ac115c55f9c851d8825727b007f697f/$FILE/Visa%20PCI%20%E2%80%93%20Complying%20with%20Payment%20Card%20Industry%20Standards.pdf.

Pickert, K. (2008, September 24). Those crazy internet security questions. Time.com. Retrieved July 7, 2010 from http://www.time.com/time/business/article/0,8599,1843984,00.html.

Pfleeger, C. P., & Pfleeger, S. L. (2007). Security in computing. 4th Edition. Upper Saddle River, NJ: Prentice Hall.

SANS. (2010). The top cyber security risks. Retrieved August 16, 2010 from http://www.sans.org/top-cyber-security-risks/.

Spangler, T. (2010, July 28). HSN secures ‘shop by remote’ patent. Retrieved August 17, 2010 from http://www.broadcastingcable.com/article/455320-HSN_Secures_Shop_By_Remote_Patent.php.


UMUC. (2010). Sample risk assessment report 1. Retrieved May 30, 2010 from UMUC WebTycho.

UMUC. (2010). Sample risk assessment report 2. Retrieved May 30, 2010 from UMUC WebTycho.

Wikipedia. (2010). Home Shopping Network. Retrieved June 27, 2010 from http://en.wikipedia.org/w/index.php?title=Home_Shopping_Network&oldid=370138844.
