电子商务概论 英文版 第二版 课件3

Introduction to Electronic Commerce, 3e (Turban)Chapter 9 Electronic Commerce Security and Fraud Protection9.1 True/False1) According to the CSI Computer Crime and Security Survey, firewalls were the most commonly used defense technologies in 2008.Answer: FALSEDiff: 1 Page Ref: 3322) According to the CSI Computer Crime Security Survey, the most frequently occurring computer attacks were from viruses in 2008.Answer: TRUEDiff: 1 Page Ref: 3333) The Internet and its network protocols were never intended for use by untrustworthy people or criminals.Answer: TRUEDiff: 1 Page Ref: 3344) The Internet was designed for maximum efficiency and security by providing for error checking to ensure that the message was sent and received correctly.Answer: FALSEDiff: 2 Page Ref: 3345) The motives of hackers have shifted from the desire for fame and notoriety to advancing personal and political agendas.Answer: FALSEDiff: 2 Page Ref: 3346) Keystroke logging captures and records user keystrokes.Answer: TRUEDiff: 1 Page Ref: 3357) Information security departments with huge workloads and limited budgets optimize their EC security programs for efficiency and tend to work strategically.Answer: FALSEDiff: 2 Page Ref: 3368) Social engineering is an example of an unintentional threat.Answer: FALSEDiff: 2 Page Ref: 3379) Cybercrimes are intentional crimes carried out on the Internet.Answer: TRUEDiff: 1 Page Ref: 33910) Authentication provides the means to reconstruct what specific actions have occurred and may help EC security investigators identify the person or program that performed unauthorized actions. Answer: FALSEDiff: 2 Page Ref: 34011) An EC security strategy requires multiple layers of defense against risks from malware, fraudsters, customers, and employees.Answer: TRUEDiff: 1 Page Ref: 34112) Detection measures are actions that will make criminals abandon their idea of attacking a specific system.Answer: FALSEDiff: 2 Page Ref: 34113) Propagation method and payload are the two components of a virus.Answer: TRUEDiff: 1 Page Ref: 34214) Worms cannot spread via instant messages.Answer: FALSEDiff: 2 Page Ref: 34315) Internet fraud has grown even faster than the Internet itself.Answer: TRUEDiff: 2 Page Ref: 34816) Honeypots are blogs created solely for marketing purposes.Answer: FALSEDiff: 2 Page Ref: 35117) Confidentiality, integrity, and awareness are the three components of the CIA security triad. Answer: FALSEDiff: 3 Page Ref: 35318) Access control involves authorization and authentication.Answer: TRUEDiff: 2 Page Ref: 35519) Encryption algorithm is the mathematical formula used to encrypt plaintext into ciphertext, and vice versa.Answer: TRUEDiff: 2 Page Ref: 35720) An intrusion detection system uses the public Internet to carry information but remains private by using encryption, authentication, and access control to verify the identity of anyone using the network.Answer: FALSEDiff: 3 Page Ref: 36321) Strong EC security makes online shopping more convenient for customers.Answer: FALSEDiff: 2 Page Ref: 37422) Shoppers can rely on fraud protection provided by credit card issuers to protect them from identity theft.Answer: FALSEDiff: 2 Page Ref: 37423) Phishing is rampant because some people respond to it and make it profitable.Answer: TRUEDiff: 1 Page Ref: 37424) Preventing vulnerability during the EC design and pre-implementation stage is far more expensive than mitigating problems later.Answer: FALSEDiff: 2 Page Ref: 37425) Due care in EC is those actions that a company is reasonably expected to take based on the risks affecting its business and transactions.Answer: TRUEDiff: 2 Page Ref: 3759.2 Multiple Choice1) Which of the following is the underlying reason why comprehensive EC security is necessary?A) The Internet was designed for maximum efficiency without regard for its security or users with malicious intent.B) The shift toward profit-motivated crimesC) Security costs and efforts from reacting to crises and paying for damages are greater than if an EC strategy is in place.D) Many companies fail to implement basic IT security management best practices, business continuity plans, and disaster recovery plans.Answer: CDiff: 3 Page Ref: 3362) The probability that a vulnerability will be known and used best describesA) risk.B) security breach.C) exposure.D) access point.Answer: ADiff: 2 Page Ref: 3373) The process of verifying the real identity of an individual, computer, computer program, or EC Web site best describesA) integrity.B) availability.C) authentication.D) nonrepudiation.Answer: CDiff: 2 Page Ref: 3404) The assurance that an online customer or trading partner cannot falsely deny their purchase or transaction is referred to asA) integrity.B) availability.C) authentication.D) nonrepudiation.Answer: DDiff: 2 Page Ref: 3405) The protection of information systems against unauthorized access to or modification of information that is stored, processed, or being sent over a network is referred to asA) information assurance.B) data integrity.C) information integrity.D) packet protection.Answer: ADiff: 2 Page Ref: 3416) A botnet isA) a huge number of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet.B) a piece of software code that inserts itself into a host or operating system to launch DOS attacks.C) a piece of code in a worm that spreads rapidly and exploits some known vulnerability.D) a production system that looks like it does real work, but that acts as a decoy and is watched to study how network intrusions occur.Answer: ADiff: 2 Page Ref: 3457) ________ is the criminal, fraudulent process of attempting to acquire confidential information by masquerading as a trustworthy entity.A) SpammingB) PretextingC) Social engineeringD) PhishingAnswer: DDiff: 2 Page Ref: 3468) Assurance that stored data has not been modified without authorization and a message that was sent is the same message that was received is referred to asA) integrity.B) availability.C) authentication.D) nonrepudiation.Answer: ADiff: 2 Page Ref: 3539) The success and security of EC is measured byA) encryption, functionality, and privacy.B) quality, reliability, and speed.C) authentication, authorization, and nonrepudiation.D) confidentiality, integrity, and availability.Answer: DDiff: 3 Page Ref: 35310) The mechanism that determines who can legitimately use a network resource best describesA) access control.B) confidentiality.C) key encryption.D) digital envelope.Answer: ADiff: 1 Page Ref: 35511) Each of the following is a true statement about access control except:A) Access control determines which persons, programs, or machines can legitimately use a network resource and which resources he, she,or it can use.B) Access control lists (ACLs) define users' rights, such as what they are allowed to read, view, write, print, copy, delete, execute, modify, or move.C) All resources need to be considered together to identify the rights of users or categories of users.D) After a user has been identified, the user must be authenticated.Answer: CDiff: 2 Page Ref: 355-35612) Fingerprint scanners, facial recognition systems, and voice recognition are examples of________ that recognize a person by some physical trait.A) biometric systemsB) human firewallsC) intrusion detection systemsD) access control listsAnswer: ADiff: 2 Page Ref: 35613) Encryption components include each of the following exceptA) encryption algorithm.B) key value.C) ciphertext.D) internal control environment.Answer: DDiff: 2 Page Ref: 35714) A scheme for securing e-payments using public key encryption and various technical components best describesA) message digesting.B) Data Encryption Standard.C) public key infrastructure.D) key space.Answer: CDiff: 2 Page Ref: 35815) A method of encryption that uses a pair of matched keys, including a public key to encrypt a message and a private key to decrypt it, describesA) data encryption standard.B) public asymmetric key encryption.C) symmetric private key encryption.D) paired key encryption.Answer: BDiff: 2 Page Ref: 35816) Security functions or characteristics of digital signatures include each of the following except:A) A digital signature is the electronic equivalent of a personal signature, which can be forged.B) Digital signatures are based on public keys for authenticating the identity of the sender of a message or document.C) Digital signatures ensure that the original content of an electronic message or document is unchanged.D) Digital signatures are portable.Answer: ADiff: 3 Page Ref: 35917) A summary of a message, converted into a string of digits after the hash has been applied, best describesA) digital signature.B) hash.C) message digest.D) digital envelope.Answer: CDiff: 2 Page Ref: 35918) The combination of the encrypted original message and the digital signature, using the recipient's public key, best describesA) digital envelope.B) message digest.C) hash.D) digital signature.Answer: ADiff: 2 Page Ref: 35919) The ________ was invented by Netscape to use standard certificates for authentication and data encryption to ensure privacy or confidentiality.A) certificate authorityB) public key infrastructureC) secure socket layerD) digital envelopeAnswer: CDiff: 2 Page Ref: 36120) Which of the following is not an advantage of virtual private networks (VPN) for data communications?A) They are less expensive than private leased lines because they use the public Internet to carry information.B) They ensure the confidentiality and integrity of the data transmitted over the Internet without requiring encryption.C) They can reduce communication costs dramatically because VPN equipment is cheaper than other remote solutions.D) Remote users can use broadband connections rather than make long distance calls to access an organization's private network.Answer: BDiff: 3 Page Ref: 36221) A method used to ensure confidentiality and integrity of data transmitted over the Internet by encrypting data packets, sending them in packets across the Internet, and decrypting them at the destination address best describesA) packet control.B) transport layer security.C) protocol tunneling.D) packet segmentation.Answer: CDiff: 2 Page Ref: 36222) A special category of software that can monitor activity across a network or on a host computer, watch for suspicious activity, and take automated action based on what it sees best describesA) honeynet.B) intrusion detection system.C) firewall.D) virtual private network.Answer: BDiff: 2 Page Ref: 36323) Which of the following are controls established to protect the system regardless of the application?A) general controlsB) application controlsC) broad controlsD) systems controlsAnswer: ADiff: 2 Page Ref: 36424) A method of evaluating the security of a computer system or a network by simulating an attack from a malicious source best describesA) beta test.B) stress test.C) penetration test.D) intrusion test.Answer: CDiff: 2 Page Ref: 36425) Software applications that have some degree of reactivity, autonomy, and adaptability best describesA) EC avatars.B) EC bots.C) worms.D) intelligent agents.Answer: DDiff: 2 Page Ref: 36526) The work atmosphere that a company sets for its employees describesA) acceptable use policy.B) internal control environment.C) internal politics.D) standard of due care.Answer: BDiff: 2 Page Ref: 36627) A law that makes it a crime to send commercial e-mail messages with false or misleading message headers or misleading subject lines isA) EEA.B) DCMA.C) SSL.D) CAN-SPAM.Answer: DDiff: 2 Page Ref: 36728) According to an InformationWeek survey, the majority of security challenges for corporations includeA) managing the complexity of security.B) preventing data breaches from outside attackers.C) enforcing security policies.D) all of the above.Answer: DDiff: 1 Page Ref: 37229) Which of the following is a policy that informs users of their responsibilities when using company networks, wireless devices, and customer data?A) business impact analysisB) business planC) acceptable use policyD) EC security programAnswer: CDiff: 2 Page Ref: 37330) The key reasons why EC criminals cannot be stopped include each of the following except:A) Sophisticated hackers use browsers to crack into Web sites.B) Strong EC security makes online shopping inconvenient and demanding on customers.C) There is lack of cooperation from credit card issuers and foreign ISPs.D) Online shoppers do not take necessary precautions to avoid becoming a victim.Answer: ADiff: 2 Page Ref: 3749.3 Fill in the Blank1) Computer security categories include ________, ________, and ________.Answer: threats, defenses, managementDiff: 3 Page Ref: 3362) A ________ is a plan that keeps the business running after a disaster occurs.Answer: business continuity planDiff: 2 Page Ref: 3373) ________ is the estimated cost, loss, or damage that can result if a threat exploits a vulnerability. Answer: ExposureDiff: 1 Page Ref: 3374) Any business activity that uses deceitful practices or devices to deprive another of property or other rights is known as ________.Answer: fraudDiff: 1 Page Ref: 3375) ________ is a crimeware technique to steal the identity of a target company to get the identities of its customers.Answer: PhishingDiff: 2 Page Ref: 3376) ________ is a nontechnical attack that uses a ruse to trick users into revealing information or performing an action that compromises a computer or network.Answer: Social engineeringDiff: 2 Page Ref: 3377) ________ are computers infected with malware that are under the control of a spammer, hacker, or other criminal.Answer: ZombiesDiff: 2 Page Ref: 3388) ________ are weaknesses in software or other mechanisms that threaten the confidentiality, integrity, or availability of an asset.Answer: VulnerabilitiesDiff: 2 Page Ref: 3389) A ________ is a malicious hacker who may represent a serious problem for a corporation. Answer: crackerDiff: 2 Page Ref: 33910) ________ is a process to verify the real identity of an entity, which could be an individual, computer, computer program, or EC Web site.Answer: AuthenticationDiff: 2 Page Ref: 34011) ________ is the process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform.Answer: AuthorizationDiff: 2 Page Ref: 34012) ________ is the assurance that online customers or trading partners cannot falsely deny their purchase or transaction.Answer: NonrepudiationDiff: 3 Page Ref: 34013) ________ is the protection of information systems against unauthorized access to or modification of information whether in storage, processing, or in transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.Answer: Information assuranceDiff: 2 Page Ref: 34114) A ________ attack is an attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources. Answer: denial of serviceDiff: 2 Page Ref: 34415) A ________ is a program that appears to have a useful function but contains a hidden function that presents a security risk.Answer: Trojan horseDiff: 2 Page Ref: 34416) A ________ is a huge number of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet.Answer: botnetDiff: 2 Page Ref: 34517) ________ is the assurance that data are accurate or that a message has not been altered. Answer: IntegrityDiff: 2 Page Ref: 35318) ________ is the assurance of data privacy.Answer: ConfidentialityDiff: 2 Page Ref: 35319) ________ consist of all the policies, procedures, documents, standards, hardware, software, training, and personnel that work together to protect information, the ability to conduct business, and other assets.Answer: EC security programsDiff: 2 Page Ref: 35520) ________ is the process of scrambling a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble it.Answer: EncryptionDiff: 2 Page Ref: 35721) ________ is a mathematical computation that is applied to a message, using a private key, to encrypt the message.Answer: HashDiff: 2 Page Ref: 35922) ________ are barriers between a trusted network or PC and the untrustworthy Internet. Answer: FirewallsDiff: 1 Page Ref: 36123) ________ are information system resources, such as firewalls, routers, Web servers, database servers and files, that only look like production systems to attract hackers and study their attempts to attack a network.Answer: HoneypotsDiff: 2 Page Ref: 36324) ________ is an exercise that determines the impact of losing the support of an EC resource to an organization and establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems. Answer: Business impact analysisDiff: 2 Page Ref: 37325) ________ is care that a company is reasonably expected to take based on the risks affecting its EC business and online transactions.Answer: Standard of due careDiff: 2 Page Ref: 3759.4 Essay1) Compare current motives of hackers to those of the past.Answer: In the early days of EC, many hackers simply wanted to gain fame or notoriety by defacing Web sites or gaining root, which means gaining unrestricted access to a network. Criminals and criminal gangs are now profit oriented, and their tactics are not limited to the online world.Diff: 1 Page Ref: 3342) List and briefly describe the three components of the CIA security triad.Answer: The CIA triad includes confidentiality, integrity, and availability. Confidentiality is the assurance of data privacy. The data or transmitted message is encrypted so that it is readable only by the person for whom it is intended. The confidentiality function prevents unauthorized disclosure of information. Integrity is the assurance that data are accurate or that a message has not been altered. It means that stored data has not been modified without authorization; a message that was sent is the same message that was received. Availability is the assurance that access to data, the Web site, or other EC data service is timely, available, reliable, and restricted to authorized users.Diff: 2 Page Ref: 352-3533) List the six major objectives of EC defense strategies.Answer: Prevention and deterrence, detection, containment, recovery, correction, and awareness and compliance are the six objectives.Diff: 2 Page Ref: 354-3554) Briefly discuss the five encryption components.Answer: The five components are plaintext, encryption algorithm, key or key value, key space, and ciphertext. Plaintext is the original message or document that is created by the user and is in human-readable form. The encryption algorithm is the set of procedures or mathematical functions used to encrypt or decrypt a message. The key or key value is the secret value used with the algorithm to transform the message. Key space refers to the large number of possible key values created by the algorithm to use when transforming the message. Ciphertext is the message or document that has been encrypted into unreadable form.Diff: 2 Page Ref: 3575) Briefly describe four major components for protecting internal information flow inside an organization.Answer: Firewall, virtual private network, intrusion detection system, and honeynet and honeypot are four components. A firewall is a single point between two or more networks where all traffic must pass; the device authenticates, controls, and logs all traffic. A virtual private network is a network that uses the public Internet to carry information but remains private by using encryption to scramble the communications, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network. Intrusion detection systems are a special category of software that monitor activity across a network or on a host computer, watch for suspicious activity, and take automated action based on what it sees. A honeynet is a network of honeypots, and honeypots act as decoys and are watched to study how network intrusions occur.Diff: 3 Page Ref: 361-363。