e-com sample quistions-esecurity


Upload: santanoop

Post on 08-Apr-2018


Page 1: e-com sample quistions-esecurity

8/7/2019 e-com sample quistions-esecurity

http://slidepdf.com/reader/full/e-com-sample-quistions-esecurity 1/6

1. Why is e-commerce security important?

The growth of electronic commerce has created the potential for new risks and abuses. Customers routinely buy products, trade investments, and bank online using personal information such as credit card, Social Security, and account numbers. A December 1999 study by Meridien Research found that online credit card fraud cost merchants more than $400 million per year. Meridien estimates this could rise to $60 billion annually by 2005.

Concerns over the privacy and security of online transactions prevent many from engaging in e-commerce. In a recent IBM/Harris Poll, 94% of U.S. citizens said they were concerned about the possible misuse of their personal information. Knowledge of e-commerce security can be a valuable asset.

2. What are common disruptions to website stability?

The stability of an e-commerce website can be disrupted by the following:

* Power failure

* Fire, floods, and other natural disasters

* Computer viruses and hacker attacks

* Software glitches

* User error and system mismanagement.

All e-commerce sites will eventually be disrupted. Accordingly, e-commerce entrepreneurs must be prepared. They should back up their data regularly and take other security precautions. A study by IDC reported that organizations spent $6.2 billion on security consulting in 1999, which is expected to increase to $14.8 billion by 2003.

3. What is the difference between external and internal threats?

External security threats originate from outside the organization, usually in the form of a hacker breaking into a system. According to the U.S. Department of Justice, nine out of ten organizations have experienced security breaches; cybercrime has doubled from 1998 to 1999.

Internal security threats come from inside an organization. They are difficult to defend against because insiders have access to the organization's internal network (intranet). According to an article published in Network World by S. Gaudin, 70-90% of the attacks on corporate networks are initiated by insiders.

4. What motivates hackers?


Hackers are motivated by the following factors:

* Greed or monetary gain

* Ego; proof of their hacking ability

* Entertainment

* Spite or revenge

* Political causes.

5. What are the types of hacker attacks?

Hacker attacks fall into three categories:

* Denial of service

* Information or asset theft

* Information destruction.

A denial of service attack occurs when a hacker floods an Internet site with requests, overwhelming the file server or communication channel and rendering the site inaccessible. In February 2000, both the Yahoo and E-Trade websites were disrupted by denial of service attacks.

The theft of customer information can destroy the credibility of an e-business. Since credit cards are used for 90% of all online payments, credit card numbers are a frequent target. According to the FBI, 1 million credit card numbers are stolen each year from online firms. For example, Egghead, an online computer retailer, lost security control of credit card numbers to a hacker who broke into the Egghead customer database in December 2000.

Hackers not sophisticated enough to steal information from a system can more easily destroy information, typically by introducing a virus into the system. A virus can be released as an e-mail attachment. In May 2000, the "I Love You" virus caused an estimated $10-15 billion in damages.

6. What are the costs of computer-related crimes?

Exhibit 1 displays the total cost of computer crimes in the United States according to a 2001 CSI/FBI survey. The survey reported a 114% increase in computer-related crimes from 1999 to 2000 (265,337,940 / 123,776,000 = 2.14). The FBI survey also predicts a 42% increase in computer-related crime from 2000 to 2001.

7. How do computer viruses work?


A computer virus is program code that has been designed to copy itself into other such codes or computer files. A virus attaches itself to other computer programs, usually in the computer's operating system. In most cases, the corrupted programs continue to perform their intended functions while executing the virus's instructions. Viruses can destroy files, data, programming code, software, and other elements of a system.

A worm is similar to a virus except that worms do not need to be attached to another program to spread: they can act independently. Worms and viruses generally enter a computer system through e-mail attachments and diskettes. Users should not open attachments or disks unless they trust their source.

8. What is the most common form of Internet protection?

The most common device for controlling access to an Internet site is the firewall. A firewall is usually a specialized computer running firewall software that prevents unauthorized communications from flowing between the Internet and an intranet.

9. How do firewalls work?

Firewalls use the following methods to secure a network:

* User authentication

* Access control lists (ACL)

* Dynamic packet filtering.

When firewalls enforce user authentication protocols, users must ask the firewall for entry into the system by inputting identification codes such as user names and passwords. The firewall checks an ACL that verifies the user's identity.

A firewall can also check data packets via dynamic packet filtering. Data is routed over the Internet in packets under the TCP/IP (transmission control protocol/Internet protocol) model, developed by the U.S. Department of Defense in 1972. The packets have headers that identify the information. Firewalls can monitor these packets and reject any without proper identification.
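The following is an added illustration, not part of the original document, of the two mechanisms just described: a static ACL that permits specific inbound services, and dynamic packet filtering that tracks connections opened from the intranet so only their replies are let back in. The `Packet` model, the `10.0.0.` intranet prefix and the addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields the filter inspects (constructed model of a TCP/IP header)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False      # True when the packet opens a new connection
    inbound: bool = True   # True when it arrives from the Internet side


class DynamicPacketFilter:
    """Firewall combining an inbound ACL with a connection state table."""

    def __init__(self, intranet_prefix, inbound_acl):
        self.intranet_prefix = intranet_prefix   # e.g. "10.0.0." (assumed)
        self.inbound_acl = set(inbound_acl)      # {(dst_ip, dst_port), ...}
        self.state = set()                       # connections opened from inside
        self.log = []                            # (accepted, reason, packet)

    def _internal(self, ip):
        return ip.startswith(self.intranet_prefix)

    def _verdict(self, accepted, reason, pkt):
        self.log.append((accepted, reason, pkt))
        return accepted, reason

    def check(self, pkt):
        if not pkt.inbound:
            # Outbound traffic must come from an intranet host; remember the
            # connection so the server's replies are recognised on the way back.
            if not self._internal(pkt.src_ip):
                return self._verdict(False, "outbound from non-intranet source", pkt)
            self.state.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return self._verdict(True, "outbound", pkt)
        # An inbound packet claiming an intranet source is spoofed: header
        # identification does not match the interface it arrived on.
        if self._internal(pkt.src_ip):
            return self._verdict(False, "spoofed intranet source", pkt)
        # Dynamic filtering: reply to a connection we opened ourselves.
        if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.state:
            return self._verdict(True, "established connection", pkt)
        # Static ACL: new inbound connections only to published services.
        if pkt.syn and (pkt.dst_ip, pkt.dst_port) in self.inbound_acl:
            return self._verdict(True, "permitted by ACL", pkt)
        return self._verdict(False, "no matching ACL entry or connection", pkt)
```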

10. What are common forms of user authentication?

The following is a list of ways a firewall can verify the identity of a party requesting permission to enter a system:

* Password authentication: the simplest and most common method of authentication


* Key and card authentication: such as bankcards and credit cards

* Biometric authentication: such as fingerprints, retina scanners, DNA analysis, face recognition, and voiceprints

* Digital signatures and certificates: codes that uniquely identify the sender of an electronically transmitted message and allow an encoded reply to be sent.

11. What is cryptography?

Cryptography is the process of encoding and decoding messages to prevent unauthorized parties from reading the contents (see Exhibit 2). The encryption and decryption processes involve the substitution, transposition, or mathematical manipulation of the characters comprising the message.

12. How is encryption used in e-commerce?

Encryption is primarily used when transmitting confidential messages. It is also used to transmit data such as electronic payments, credit card numbers, and other personal information.

13. What are common types of encryption?

* Information about the certificate holder

* The certificate holder's public key and corresponding private key

* Information about the certifying authority

* The certifying authority's digital signature

* An expiration date.

Digital certificates are very secure. Even if a hacker steals a digital certificate, he must also steal the private key from the receiver to decrypt the message.

16. What role do log files and computer auditing play in e-commerce security?

Log files store data on network activity. They are usually kept by a firewall program and should keep track of the following network activity:

* All login attempts, both successful and unsuccessful

* Files copied, downloaded, moved, or deleted

* Programs launched.


Auditors can use embedded audit modules to achieve continuous real-time online auditing of Internet transactions. The audit module can be configured to evaluate control risk based on given risk parameters. When a transaction meets the parameter criteria, it is listed in a log file and reported to the auditor for further review.
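As an added example (not from the original document), the embedded audit module described above: each transaction is evaluated against configurable risk parameters, and any transaction meeting the criteria is written to a log and queued for the auditor. The `Transaction` fields, the thresholds and the sample transactions are all constructed for the illustration.

```python
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    card_last4: str
    amount: float
    billing_country: str
    shipping_country: str
    timestamp: datetime


class EmbeddedAuditModule:
    """Continuous audit of transactions against given risk parameters."""

    def __init__(self, log, max_amount=1000.0, max_per_card=3, window=timedelta(hours=1)):
        self.log = log                      # any file-like object with write()
        self.max_amount = max_amount        # assumed threshold for a large payment
        self.max_per_card = max_per_card    # assumed velocity limit per card
        self.window = window                # sliding window for the velocity check
        self.history = defaultdict(list)    # card -> recent timestamps
        self.for_review = []                # (tx_id, reasons) reported to auditor

    def evaluate(self, tx):
        reasons = []
        if tx.amount > self.max_amount:
            reasons.append(f"amount {tx.amount:.2f} exceeds {self.max_amount:.2f}")
        if tx.billing_country != tx.shipping_country:
            reasons.append("billing/shipping country mismatch")
        # Keep only this card's transactions inside the window, then count.
        recent = [t for t in self.history[tx.card_last4] if tx.timestamp - t <= self.window]
        recent.append(tx.timestamp)
        self.history[tx.card_last4] = recent
        if len(recent) > self.max_per_card:
            reasons.append(f"{len(recent)} transactions on card within {self.window}")
        if reasons:
            # Matching transactions are listed in the log file and reported.
            self.log.write(f"{tx.timestamp.isoformat()} {tx.tx_id} card=****{tx.card_last4} "
                           f"FLAGGED: {'; '.join(reasons)}\n")
            self.for_review.append((tx.tx_id, reasons))
        return reasons


def run_sample():
    """Feed constructed transactions through the module; return flagged ids and the log text."""
    base = datetime(2001, 3, 15, 10, 0)
    sample = [
        Transaction("T1", "1234", 120.0, "US", "US", base),
        Transaction("T2", "1234", 2500.0, "US", "US", base + timedelta(minutes=5)),
        Transaction("T3", "5678", 80.0, "US", "CA", base + timedelta(minutes=10)),
        Transaction("T4", "1234", 50.0, "US", "US", base + timedelta(minutes=12)),
        Transaction("T5", "1234", 60.0, "US", "US", base + timedelta(minutes=15)),
        Transaction("T6", "5678", 90.0, "CA", "CA", base + timedelta(hours=3)),
    ]
    log = io.StringIO()
    module = EmbeddedAuditModule(log)
    for tx in sample:
        module.evaluate(tx)
    return [tx_id for tx_id, _ in module.for_review], log.getvalue()
```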

17. What are common e-commerce security protocols?

Most small e-businesses rely on established Internet transaction providers for their payment and security systems. The two most common security protocols are secure sockets layer (SSL) and secure electronic transaction (SET).

SSL was developed by Netscape. It uses public key cryptography to secure messages from web browsers (clients) to Internet transaction servers (e.g., Amazon.com). SSL also uses digital certificates to verify the identity of the server.

SET was developed by Visa International and is used by credit card companies. SET uses digital certificates to identify the client (buyer), server (merchant), and merchant bank. SET employs public key cryptography to secure the messages between the three entities as they are transmitted over the Internet.

18. What is WebTrust?

WebTrust is an attest-level engagement provided by specially licensed public accounting firms. During the engagement, the WebTrust practitioner "audits" the online business to verify compliance with the program's principles and criteria, which address matters such as privacy, security, availability, confidentiality, consumer redress, and business practices.

At the client's request, the WebTrust practitioner often provides preparatory consulting advice. If the business meets the WebTrust principles and criteria, the web site can display the WebTrust seal of approval, which is hyperlinked to information about the site's business practice disclosures, the report of the independent accountant, management's assertions, and a digital certificate that authenticates the seal.

19. What are steps to prepare for e-commerce security work?

EXHIBIT 2

Before offering Internet security services, consider the following steps:

* Get the proper training

* Become a certified WebTrust provider


* Conduct a cost-benefit analysis

* Consider internal control issues

* Consult the company's strategic planning

* Consider the company's technical expertise.

The following items, explored more fully in the WebTrust standards, arise as part of any Internet security system:

* The importance of the data or business function

* The various types of risk

* The cost of the security systems, internal controls, and protections that would reduce the risk of loss

* A cost-benefit analysis

* The implementation and auditing of the system

* The maintenance and upgrading of the system.