CH.5
62 Questions

Questions and Answers

What is the purpose of a proxy server?

  • To filter packets based on security policies
  • To handle all communications originating from or being sent to the Internet (correct)
  • To perform security audits and risk assessments
  • To implement access controls and authorization policies

What is the primary goal of a firewall?

  • To implement a security policy to filter packets (correct)
  • To perform authentication and authorization
  • To manage risk through technology and policies
  • To provide anti-virus protection

What is the easiest and least expensive way to prevent threats to system integrity?

  • Implementing access controls and authorization policies
  • Installing anti-virus software (correct)
  • Using a firewall to filter packets
  • Performing security audits and risk assessments

What is a critical component of managing risk?

  • All of the above (correct)

What is a key element of a security plan?

  • All of the above (correct)

What is the estimated amount spent by companies worldwide on security hardware, software, and services?

  • $60 billion (correct)

What is the primary purpose of encryption?

  • To secure channels of communication (correct)

What is social engineering?

  • Manipulating individuals into divulging confidential information (correct)

What is hacktivism?

  • A type of hacking motivated by political or social activism (correct)

What is identity theft?

  • The unauthorized use of another person's identity (correct)

What is the primary purpose of a firewall?

  • To protect networks from unauthorized access (correct)

What is the primary purpose of a VPN?

  • To create a secure, encrypted connection (correct)

What is phishing?

  • E-mail scams to trick individuals into divulging confidential information (correct)

What is sniffing?

  • An eavesdropping program that monitors information traveling over a network (correct)

What is a major weakness of public key encryption?

  • Computationally slow, decreased transmission speed, and increased processing time (correct)

What is the primary function of a digital certificate?

  • To identify a subject's public key and other details (correct)

What is a limitation of PKI?

  • It is ineffective against insider threats (correct)

What is the primary function of SSL and TLS?

  • To establish a secure, negotiated client-server session (correct)

What is a benefit of using digital envelopes?

  • Use of symmetric key encryption for document encryption (correct)

What is a concern related to the protection of private keys?

  • Individuals may not protect them properly (correct)

What is the primary function of a VPN?

  • To allow remote users to securely access an internal network (correct)

What is a limitation of encryption?

  • It does not protect the storage of private keys (correct)

What is a significant challenge in achieving e-commerce security?

  • Balancing security with ease of use (correct)

What is a key point of vulnerability in the e-commerce environment?

  • All of the above (correct)

What is a common type of malicious code that can threaten e-commerce security?

  • All of the above (correct)

What is a factor to consider when evaluating the effectiveness of e-commerce security measures?

  • All of the above (correct)

What is a challenge in reporting e-commerce security breaches?

  • Reporting issues (correct)

What is a type of underground economy marketplace?

  • Stolen information stored on underground economy servers (correct)

What is a concern related to e-commerce security?

  • Both A and B (correct)

What is a key element of achieving good e-commerce security?

  • All of the above (correct)

What type of hacking involves disrupting, defacing, or destroying a website?

  • Cybervandalism (correct)

Which type of security threat involves losing control over corporate information to outsiders?

  • Data breach (correct)

What is the term for hackers who target merchant servers and use data to establish credit under false identities?

  • Credit card fraudsters (correct)

Which type of security threat involves flooding a website with useless traffic to overwhelm the network?

  • Denial of service (DoS) attack (correct)

What is the term for an eavesdropping program that monitors information traveling over a network?

  • Sniffer (correct)

Which type of security threat involves using email scams to trick users into revealing sensitive information?

  • Phishing (correct)

What is the primary purpose of encryption in protecting internet communications?

  • To prevent unauthorized access (correct)

What is the term for security issues that arise from the use of mobile devices to access the internet?

  • Mobile platform security issues (correct)

What is the primary benefit of using symmetric key encryption?

  • It is widely used and has a high level of security (correct)

What is a characteristic of public key encryption?

  • It uses a pair of mathematically related keys (correct)

What is the purpose of a hash function in public key encryption?

  • To produce a fixed-length number called a message or hash digest (correct)

What is a benefit of using digital signatures?

  • It provides authentication and nonrepudiation (correct)

What is an advantage of using Advanced Encryption Standard (AES)?

  • It is widely used and has a high level of security (correct)

What is a limitation of public key encryption?

  • It is slower than symmetric key encryption (correct)

What is a benefit of using encryption?

  • It provides confidentiality and integrity (correct)

What is a characteristic of symmetric key encryption?

  • It requires a different set of keys for each transaction (correct)

What percentage of online payments in 2012 were made using credit cards in the United States?

  • 44% (correct)

Which of the following is an example of an online stored value system?

  • PayPal (correct)

What is the primary mechanism used in mobile payment systems to enable sharing of data between devices?

  • Near field communication (NFC) (correct)

What is the primary characteristic of digital cash?

  • It is based on an algorithm that generates unique tokens (correct)

What is the primary purpose of Electronic Billing Presentment and Payment (EBPP) systems?

  • To enable online payments for monthly bills (correct)

What percentage of all bill payments are made using EBPP systems?

  • 50% (correct)

What is the dominant EBPP business model?

  • Biller-direct (correct)

What is the primary limitation of online credit card payments?

  • Security, merchant risk, and cost (correct)

What is the primary goal of laws and public policy tools for identifying, tracing, and prosecuting cybercriminals?

  • To establish a system for reporting and investigating cybercrimes (correct)

What is the characteristic of cash as a payment system?

  • It is instantly convertible into other forms of value (correct)

What type of payment system accumulates expenditures and to which consumers make periodic payments?

  • Accumulating balance payment system (correct)

What is the primary concern of government regulators in payment systems?

  • Security and trust (correct)

What is the primary goal of financial intermediaries in payment systems?

  • Maximizing profit (correct)

What is the primary concern of consumers in payment systems?

  • Convenience and reliability (correct)

Which of the following is an example of a stored value payment system?

  • Gift certificate (correct)

What is the primary goal of private and public cooperation in payment systems?

  • To provide a framework for private and public cooperation (correct)

    Study Notes

    Protecting Networks

    • A firewall is hardware or software that uses a security policy to filter packets; its two main methods are packet filters and application gateways.
    • Proxy servers handle all communications originating from or being sent to the Internet.

    Protecting Servers and Clients

    • System security enhancements include upgrades and patches.
    • Anti-virus software is the easiest and least expensive way to prevent threats to system integrity, but it requires daily updates.

    Management Policies, Business Procedures, and Public Laws

    • Worldwide, companies spend $60 billion on security hardware, software, and services.
    • Managing risk includes technology, effective management policies, and public laws and active enforcement.

    A Security Plan: Risk Management Policies

    • A security plan includes risk assessment, security policy, implementation plan, and security audit.
    • Security organization, access controls, authentication procedures, authorization policies, and authorization management systems are all part of the security plan.

    Common Security Threats

    • Potentially unwanted programs (PUPs) include browser parasites, adware, and spyware.
    • Phishing threats include e-mail scams, social engineering, and identity theft.
    • Hacking threats include hackers vs. crackers, types of hackers (white, black, grey hats), and hacktivism.
    • Cybervandalism involves disrupting, defacing, or destroying a website.
    • Data breaches involve losing control over corporate information to outsiders.
    • Credit card fraud/theft, spoofing, spam, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks are all common security threats.
    • Sniffing threats involve eavesdropping programs that monitor information traveling over a network.
    • Insider attacks, poorly designed server and client software, social network security issues, mobile platform security issues, and cloud security issues are all common security threats.

    Technology Solutions

    • Protecting internet communications involves encryption.
    • Securing channels of communication involves SSL and VPNs.
    • Protecting networks involves firewalls.
    • Protecting servers and clients involves various security solutions.

    Digital Envelopes

    • Digital envelopes use symmetric key encryption to encrypt documents and public key encryption to encrypt and send symmetric keys.
    • Weaknesses of public key encryption that digital envelopes address: it is computationally slow, decreases transmission speed, and increases processing time.
    • Weakness of symmetric key encryption that digital envelopes address: the shared key would otherwise travel over insecure transmission lines.

    Digital Certificates and Public Key Infrastructure (PKI)

    • Digital certificates include the name of the subject/company, subject's public key, digital certificate serial number, expiration date, issuance date, and digital signature of the CA.
    • Public Key Infrastructure (PKI) includes digital certificate procedures, CAs, and PGP.

    Limits to Encryption Solutions

    • Encryption does not protect storage of private keys.
    • PKI is not effective against insiders and employees, and the protection of private keys by individuals may be haphazard.
    • There is no guarantee that the merchant's verifying computer is secure.
    • CAs are unregulated, self-selecting organizations.

    Securing Channels of Communication

    • Secure Sockets Layer (SSL) and Transport Layer Security (TLS) establish a secure, negotiated client-server session in which the URL of the requested document, along with its contents, is encrypted.
    • A Virtual Private Network (VPN) allows remote users to securely access an internal network via the Internet.

    E-commerce Security Environment

    • The overall size and losses of cybercrime are unclear due to reporting issues, with 46% of respondents in a 2011 CSI survey detecting a breach in the last year.
    • Stolen information is stored on underground economy servers.

    Achieving Good E-commerce Security

    • To achieve the highest degree of security, new technologies, organizational policies and procedures, and industry standards and government laws are necessary.
    • Other factors to consider include the time value of money, the cost of security vs. potential loss, and the fact that security often breaks at the weakest link.

    The Tension Between Security and Ease of Use

    • The more security measures added, the more difficult a site is to use, and the slower it becomes.
    • Public safety and criminal uses of the internet, such as the use of technology by criminals to plan crimes or threaten nation-states, are also a concern.

    Security Threats in the E-commerce Environment

    • Three key points of vulnerability in the e-commerce environment are:
      • Clients
      • Servers
      • Communications pipeline (internet communications channels)

    Common Security Threats

    • Malicious code threats include:
      • Viruses
      • Worms
      • Trojan horses
      • Drive-by downloads
      • Backdoors
      • Bots, botnets
      • Threats at both client and server levels
    • Potentially unwanted programs (PUPs) include:
      • Browser parasites
      • Adware
      • Spyware
    • Phishing threats include:
      • Email scams
      • Social engineering
      • Identity theft
    • Hacking threats include:
      • Hackers vs. crackers
      • Types of hackers: white, black, grey hats
      • Hacktivism
    • Cybervandalism involves disrupting, defacing, or destroying a website.
    • Data breach involves losing control over corporate information to outsiders.
    • Credit card fraud/theft involves hackers targeting merchant servers and using data to establish credit under false identity.
    • Spoofing (pharming) involves hackers setting up fake websites to trick users into revealing sensitive information.
    • Spam (junk) websites and denial of service (DoS) attacks are also common threats.
    • Distributed denial of service (DDoS) attacks involve hackers flooding a site with useless traffic to overwhelm the network.
    • Sniffing threats involve eavesdropping programs that monitor information traveling over a network.
    • Insider attacks, poorly designed server and client software, social network security issues, mobile platform security issues, and cloud security issues are also concerns.

    Technology Solutions

    • Protecting internet communications involves:
      • Encryption
    • Securing channels of communication involves:
      • SSL, VPNs
    • Protecting networks involves:
      • Firewalls
    • Protecting servers and clients involves:
      • Various security measures

    E-commerce Payment Systems

    • Credit cards are a popular payment method, with 44% of online payments in 2012 (U.S.).
    • Debit cards are another popular payment method, with 28% of online payments in 2012 (U.S.).
    • Limitations of online credit card payment include:
      • Security, merchant risk
      • Cost
      • Social equity
    • Alternative online payment systems include:
      • Online stored value systems (e.g., PayPal)
      • Other alternatives (e.g., Amazon Payments, Google Checkout, Bill Me Later, WUPay, Dwolla, Stripe)

    Mobile Payment Systems

    • The use of mobile phones as payment devices is established in Europe, Japan, and South Korea, and is expanding in the United States.
    • Near field communication (NFC) is a short-range wireless technology for sharing data between devices.
    • Mobile payment systems include:
      • Google Wallet
      • PayPal
      • Square

    Digital Cash and Virtual Currencies

    • Digital cash is based on an algorithm that generates unique tokens that can be used in the "real" world (e.g., Bitcoin).
    • Virtual currencies circulate within internal virtual worlds (e.g., Linden Dollars in Second Life, Facebook Credits).

    Electronic Billing Presentment and Payment (EBPP)

    • Online payment systems for monthly bills involve:
      • Biller-direct (dominant model)
      • Consolidator
    • Both models are supported by EBPP infrastructure providers.

    Encryption

    • Encryption transforms data into cipher text readable only by the sender and receiver, securing stored information and information transmission.
    • Encryption provides four of the six key dimensions of e-commerce security:
      • Message integrity
      • Nonrepudiation
      • Authentication
      • Confidentiality

    Symmetric Key Encryption

    • Symmetric key encryption uses the same digital key to encrypt and decrypt a message.
    • It requires a different set of keys for each transaction.
    • The strength of encryption depends on the length of the binary key used to encrypt data.

    Public Key Encryption

    • Public key encryption uses two mathematically related digital keys:
      • Public key (widely disseminated)
      • Private key (kept secret by owner)
    • Both keys are used to encrypt and decrypt a message.

    Public Key Encryption using Digital Signatures and Hash

    • A hash function produces a fixed-length number called a message digest or hash digest.
    • The hash digest of a message is sent to the recipient along with the message so the recipient can verify its integrity.
    • Hash digest and message are encrypted with the recipient's public key, and the entire cipher text is then encrypted with the recipient's private key, creating a digital signature, for authenticity and nonrepudiation.

    The Role of Laws and Public Policy

    • Laws that give authorities the power to identify, trace, and prosecute cybercriminals include:
      • National Information Infrastructure Protection Act of 1996
      • USA Patriot Act
      • Homeland Security Act
    • Private and private-public cooperation involves:
      • CERT Coordination Center
      • US-CERT
    • Government policies and controls on encryption software include:
      • OECD, G7/G8, Council of Europe, Wassenaar Arrangement

    Types of Payment Systems

    • Cash is the most common form of payment, instantly convertible into other forms of value, with no float.
    • Checking transfer involves transferring funds from a checking account to a merchant's account.
    • Credit card payment involves credit card associations, issuing banks, and processing centers.
    • Stored value payment involves depositing funds into an account, from which funds are paid out or withdrawn as needed.
    • Accumulating balance payment involves accounts that accumulate expenditures and to which consumers make periodic payments.

    Payment System Stakeholders

    • Consumers want:
      • Low-risk
      • Low-cost
      • Refutable
      • Convenience
      • Reliability
    • Merchants want:
      • Low-risk
      • Low-cost
      • Irrefutable
      • Secure
      • Reliable
    • Financial intermediaries want:
      • Secure
      • Low-risk
      • Maximizing profit
    • Government regulators want:
      • Security
      • Trust
      • Protecting participants and enforcing reporting

    Description

    This quiz covers the protection of networks and systems, including firewalls, proxy servers, and securing operating systems.
