
Electronic Commerce: Security, Risk Management, and Control (Second Edition)

Marilyn Greenstein and Miklos Vasarhelyi. McGraw-Hill/Irwin. ISBN No. 0-07-241081-7.


Chapter 7

Multiple Choice Questions:

1) Cookies may be placed either in single or multiple files.

a) True
b) False

Correct answer: a). Reference: Page 220.

2) Cookie files are:

a) Sometimes encrypted
b) Text files
c) Both (a) and (b) above
d) None of the above

Correct answer: c). Reference: Page 220.

3) A teenager visited a questionable website. Subsequently, his father’s credit
card numbers and other personal information were stolen from the personal
computer used by the teenager. Such attacks are often known as:

a) Man-after-me attacks
b) Cut-n-run attacks
c) Man-in-the-middle attacks
d) Such attacks have no common descriptors

Correct answer: c). Reference: Page 218.

4) “Web-bugs” and “cookies” are similar inasmuch as they are both used to
track the websites visited by people.

a) True
b) False

Correct answer: a). Reference: Page 221.

5) Web browsers typically allow for cookies to be turned off by users.

a) True
b) False

Correct answer: a). Reference: Page 221.

6) Web browsers typically allow for Web bugs to be turned off by users.

a) True
b) False

Correct answer: b). Reference: Page 221.

7) Web bugs are considered to be more insidious than cookies:

a) True
b) False

Correct answer: a). Reference: Page 221.

8) Web bugs are:

a) Separate programs launched by Java Virtual Machines
b) Embedded within the HTML code of a web page
c) Either (a) or (b) above
d) Both (a) and (b) above

Correct answer: b). Reference: Page 221.

9) The main reason given as justification for cookies is:

a) They improve server effectiveness
b) They improve server efficiency
c) They improve server speed
d) Both (b) and (c) above

Correct answer: d). Reference: Page 221.

10) Cookies typically have expiration dates associated with them.

a) True
b) False

Correct answer: a). Reference: Page 221.

11) An e-commerce server recently had its communication ports and memory
buffers hit with an overload of messages. This kept the server from receiving
and responding to legitimate messages. Such an attack is called a:

a) Data Theft attack
b) Data Block attack
c) Denial of Service attack
d) Hold-and-Forward attack

Correct answer: c). Reference: Page 224.

12) Syn flooding is a type of:

a) Data Theft attack
b) Data Block attack
c) Denial of Service attack
d) Hold-and-Forward attack

Correct answer: c). Reference: Page 224.

13) Distributed Denial of Service (DDoS) attacks are launched through:

a) Master-slave configurations of computers
b) Peer-to-peer configurations of computers
c) Both (a) and (b) above
d) Neither (a) nor (b) above

Correct answer: a). Reference: Page 224.

14) In Distributed Denial of Service (DDoS) attacks the incoming illegitimate
requests are from:

a) A central IP address
b) Multiple distributed IP addresses
c) Peer-to-peer networks
d) None of the above

Correct answer: b). Reference: Page 225.

15) Firewalls are mostly ineffective when it comes to preventing Distributed
Denial of Service attacks.

a) True
b) False

Correct answer: a). Reference: Page 225.

16) Intranet threats from current employees come mostly from:

a) Low-level employees
b) Mid-level managers
c) High-level managers
d) Both (b) and (c) above

Correct answer: d). Reference: Page 228.

17) The doctrine of Negligent Hiring Liability holds employers responsible for:

a) What they know about their employees
b) What they should have known about their employees
c) Both (a) and (b) above
d) None of the above

Correct answer: c). Reference: Page 229.

18) ___________ systems are the predecessors to Extranets.

a) MRI
b) SET
c) Intranet
d) EDI

Correct answer: d). Reference: Page 235.

19) A group network that uses Internet technology to connect an organization to
its suppliers, customers, distribution service providers and other miscellaneous
business partners is called:

a) An Internet
b) An Intranet
c) An Extranet
d) All of the above

Correct answer: c). Reference: Page 235.

20) Extranets are ________ in scope than ____________, but are only a
subset of the _________.

a) Narrower; the Internet; Intranet
b) Broader; Intranets; Internet
c) Narrower; Intranets; Internet
d) Broader; the Internet; Intranet

Correct answer: b). Reference: Page 235.

21) In electronic commerce, ensuring that a message received was indeed sent
by whom it claims to be sent by is called:

a) Proof of Delivery
b) Nonrepudiation
c) Message origin authentication
d) Message integrity

Correct answer: b). Reference: Page 239.

22) In electronic commerce, ensuring that a message received was exactly the
same message that was sent is called:

a) Proof of Delivery
b) Nonrepudiation
c) Message origin authentication
d) Ensuring message integrity

Correct answer: d). Reference: Page 239.

23) On a relative scale, macro viruses are more common than boot viruses.

a) True
b) False

Correct answer: a). Reference: Page 243.

24) Trojan horses are similar to other viruses except that:

a) They do not replicate
b) They can lie dormant for long periods of time
c) They incorporate themselves into program code or macro code without
consent.
d) They perform destructive and malicious acts

Correct answer: a). Reference: Page 244.


Essay Questions:

1) Describe the manner in which denial of service attacks are launched. Include
all forms of such attacks.

While student answers to this question will vary, there are several sources
available on the Internet for students to learn about such attacks and their many
forms. Some of these sites are:

- http://www.cisco.com/warp/public/707/newsflash.html
- http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci557336,00.html
- http://www.ddosworld.com/

2) A computer servicing company develops a piece of limited use software with
built-in expiration dates. To discourage software piracy, buyers must accept
upfront a licensing agreement that stipulates they cannot copy the program.
After the software expires, a government agency comes looking to purchase an
updated version - only to find that it had a bootlegged copy in the first place. The
software developer never finds the copying culprit nor determines how many
illegal copies of its intellectual property were distributed. How could the
computer servicing company have prevented this in the first place?

By including built-in expiration dates, the computer servicing company
attempted to reduce the risk associated with software piracy. Also, by making the
buyer accept a licensing agreement, promising not to copy the software, the
company is alerting the customer to the illegality of piracy in hopes of preventing
it.

There are a few other ways it could have prevented bootlegging of its
software. If the software came on a compact disk, the company could require the
disk be inserted into the computer in order to access the software. For example,
several computer games install certain files on the hard drive, but not all files.
The compact disk must be inserted before the game will start. This prevents
illegal copying because the physical disk must be present to get access to the
files.

A dongle is an external piece of hardware that comes with the software,
which connects to a port on the computer. The presence of this dongle allows the
buyer to use the software. If the software doesn’t detect a dongle, it doesn’t work.
This is a very effective way to prevent software piracy.

This question is also indicative of what Microsoft wants to do. To prevent
piracy, Microsoft would like to sell on-line subscriptions instead of software. For
example, a user would subscribe to Microsoft Office just like he/she subscribes to
phone service. As long as the monthly bill is paid, the user gets access to Office.
There would be no more physical software to buy, therefore nothing to pirate; just
a monthly fee to pay in order to access Microsoft Office. In this arrangement, it
would be impossible to illegally copy software. Microsoft has also attempted to
prevent piracy by making the software record and recognize specific computer
settings. If the settings are materially different, the software shuts down. This is
worrisome, however, because if a user changes his computer structure too
much, the software may shut down.

3) A computer servicing company develops a piece of limited use software with
built-in expiration dates. To discourage software piracy, buyers must accept
upfront a licensing agreement that stipulates they cannot copy the program.
After the software expires, a government agency comes looking to purchase an
updated version - only to find that it had a bootlegged copy in the first place. The
software developer never finds the copying culprit nor determines how many
illegal copies of its intellectual property were distributed. Could the government
agency have detected its bootlegged copy earlier? How? How would it have
obtained a bootlegged copy to begin with?

The government agency should have a good inventory of its software
applications, and maintain this inventory. License documentation should be an
integral part of this effort.

The government agency could have detected its bootlegged copy of the
software earlier through periodic software audits. These audits use software that
grabs an unused port on the network interface and tries to communicate with
other ports to identify duplicate serial numbers from the same software.

The pirated software could have been obtained in a variety of ways. The
government agency could have obtained it through a third party, or an employee.
A reseller may have distributed multiple copies of a single software package to
different customers. Some deeply discounted computers may be pre-loaded with
software that is not licensed. Some resellers knowingly sell counterfeit versions
of software to unsuspecting customers. Also, an employee of the government
agency could have installed unauthorized copies of the software on company
computers or illegally downloaded software from the Internet. “Warez” is
commercial software that has been pirated and made available to the public via
the Internet or an electronic bulletin board. Crackers break the software’s
protection and then share illegal copies of the software. Then they distribute it
around the world via the Internet.

Indicators of reseller piracy are multiple users with the same serial
number, lack of original documentation, or an incomplete set, and nonmatching
documentation. Questions the government agency could ask itself are:
1.) Was this software purchased from a reputable dealer?
2.) Did the software come with the original license agreement?
3.) Did the software come in an original floppy disk/CD package?
4.) Did the Windows operating system come with the Certificate of Authenticity?
Proper procedures, good software inventory management, and employee
education could help this government agency deal with piracy issues.

4) External perpetrators often use e-mail spoofing and social engineering to
obtain passwords. Should this be of concern to a firm's external auditors?
Why?

Email spoofing is a form of identity theft: it is the act of sending an email
in someone else's name, making it appear as if the message has been sent from
that other person. Email spoofing occurs when a perpetrator, either from inside
the Intranet or externally from the Internet, poses as another valid user. Email
spoofing is often an attempt to trick the user into making a damaging statement
or releasing sensitive information (such as passwords). Spoofing is a technique
that is frequently used by perpetrators of e-mail hoaxes to hide their identities
and point the blame at somebody else. It is a favorite with spammers, but also
used by hackers.

Social engineering is a method used by intruders to obtain passwords,
network operating system, and firewall configuration data from employees willing
to help others do their jobs. People are the weakest link in security controls.
Email spoofing and social engineering should be of concern to a firm's external
auditors because they are signs that the firm’s internal controls are not adequate.
Companies and organizations that host e-mail servers can install firewall filters to
try to detect spoofed e-mails. A firewall has a router that rejects external
message packets that have an internal network source address. But because
such filters seriously degrade system performance they are not widely used.
Authentication and encryption techniques can be used to reduce email spoofing
but they make e-mail use more complex and less efficient. Encryption and
authentication technologies may make life more difficult for spoofers, but they
also impede honest e-mail users. Email spoofing can also be prevented and
detected with digital signatures.
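As an added example (not from the textbook or its answer key), the router filter just described, modelled in Python: a packet arriving on the external interface with an internal network source address is rejected, and the mirror-image egress check is included as well. The interface names, address ranges and sample packets are constructed for this illustration.

```python
# Added example, not textbook code: anti-spoofing (ingress/egress) filter.
# Packets from the external side claiming an internal source are dropped;
# packets leaving the internal side with a foreign source are dropped too.
import ipaddress
from dataclasses import dataclass

# Constructed: the organisation's Intranet address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    iface: str   # "ext" = Internet-facing interface, "int" = Intranet side
    src: str
    dst: str

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def filter_packet(pkt: Packet) -> str:
    """Return 'PERMIT' or a 'DROP: <reason>' verdict for one packet."""
    src_internal = is_internal(pkt.src)
    if pkt.iface == "ext" and src_internal:
        # The textbook control: an outside packet cannot legitimately carry
        # one of our own addresses, so it is forged to look like an insider.
        return "DROP: internal source address on external interface"
    if pkt.iface == "int" and not src_internal:
        # Egress check: keeps our hosts from sourcing forged traffic outward.
        return "DROP: non-internal source address on internal interface"
    return "PERMIT"

def audit(packets):
    """Run the filter over a batch; return (verdicts, number dropped)."""
    verdicts = [filter_packet(p) for p in packets]
    return verdicts, sum(v != "PERMIT" for v in verdicts)

# Constructed sample traffic (documentation ranges 203.0.113.0/24 and
# 198.51.100.0/24 stand in for Internet hosts).
SAMPLE = [
    Packet("ext", "10.1.2.3", "10.1.0.25"),        # forged insider -> mail server
    Packet("ext", "203.0.113.7", "10.1.0.25"),     # genuine external sender
    Packet("int", "10.1.2.3", "198.51.100.9"),     # normal outbound mail
    Packet("int", "198.51.100.9", "203.0.113.7"),  # forged outbound packet
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, audit(SAMPLE)[0]):
        print(f"{p.iface:3} {p.src:>15} -> {p.dst:<15} {v}")
```

Run as a script it prints one verdict per sample packet; two of the four are dropped.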

Important internal controls include: never providing sensitive or classified
information over the phone, never providing one’s passwords to other users, and
clearly communicating corporate computer policies to all employees. External
auditors must: (1) know the exact number of Intranets and servers, (2) be aware
of the data and processing methods contained on each Intranet, (3) understand
the configuration and internetworking infrastructure, and (4) assess the security
methods used. Accountants have always assessed the integrity of the
transaction processing systems and internal controls. Now accountants must
understand the risks imposed by networked systems, including password
security. External auditors must evaluate the adequacy of internal controls over
Intranets and be aware of the risks imposed by employees. Email spoofing and
social engineering occur because of gaps in security.

Reference: Pages 233-235.
