《电子商务-管理与社交网络视角（第八版）》Chapter10

Chapter10E-CommerceSecurityandFraudIssuesandProtectionsLearningObjectivesUnderstandtheimportanceandscopeofsecurityofinformationsystemsforEC.DescribethemajorconceptsandterminologyofECsecurity.UnderstandaboutthemajorECsecuritythreats,vulnerabilities,andtechnicalattacks.UnderstandInternetfraud,phishing,andspam.Describetheinformationassurancesecurityprinciples.IdentifyandassessmajortechnologiesandmethodsforsecuringECaccessandcommunications.LearningObjectivesDescribethemajortechnologiesforprotectionofECnetworks.Describevarioustypesofcontrolsandspecialdefensemechanisms.Describeconsumerandsellerprotectionfromfraud.DiscussenterprisewideimplementationissuesforECsecurity.Understandwhyitissodifficulttostopcomputercrimes.TheInformation

SecurityProblem*InformationsecurityWhatIsECSecurity?TheStatusofComputerSecurityintheUnitedStatesPersonalSecurityNationalSecuritySecurityRisksfor2014and-2015MajorECSecurityManagementConcernsfor2011TheInformation

SecurityProblemCyberwarsandCyberespionageAcrossBordersCyberwarefareAttackingInformationSystemsTypesofAttacksCorporateespionagePoliticalespionageandwarfareTheInformation

SecurityProblemTheDriversofECSecurityProblemsTheInternet’sVulnerableDesignTheShifttoProfit-InducedCrimesTheIncreasedVolumeofWirelessActivitiesandtheNumberofMobileDevicesTheGlobalizationoftheAttackersThe*Darknet*InternetUndergroundEconomyTheInternetSilkRoad*Keystrokelogging(keylogging)TheExplosionofSocialNetworkingTheDynamicNatureofECSystemsandtheActsofInsidersTheSophisticationoftheAttacksTheCostofCyberCrimeBasicE-CommerceSecurityIssuesandLandscapeBasicSecurityTerminology*Businesscontinuityplan*Cybercrime*Cybercriminal*Exposure*Fraud*Malware(malicioussoftware)*Phishing*Risk*Socialengineering*Spam*Vulnerability*ZombieBasicE-CommerceSecurityIssuesandLandscapeTheECSecurityBattlegroundTheattacks,theattackers,andtheirstrategiesTheassetsthatarebeingattacked(thetargets)invulnerableareasThesecuritydefense,thedefenders,andtheirmethodsandstrategyTheECSecurityBattlegroundBasicE-CommerceSecurityIssuesandLandscapeTheThreats,Attacks,andAttackersUnintentionalThreatsHumanErrorEnvironmentalHazardsMalfunctionsintheComputerSystemIntentionalAttacksandCrimesTheCriminalsandMethods*Hacker*CrackerBasicE-CommerceSecurityIssuesandLandscapeTheTargetsoftheAttacksinVulnerableAreasVulnerableAreasAreBeingAttackedVulnerabilityInformationAttackingE-MailAttackingSmartphonesandWirelessSystemsTheVulnerabilityofRFIDChipsTheVulnerabilitiesinBusinessITandECSystemsPiratedVideos,Music,andOtherCopyrightedMaterialBasicE-CommerceSecurityIssuesandLandscapeECSecurityRequirements*Authentication*AuthorizationAuditingAvailability*NonrepudiationBasicE-CommerceSecurityIssuesandLandscapeTheDefense:Defenders,Strategy,andMethodsECDefenseProgramsandStrategy*ECsecuritystrategy*Deterrentmethods*Preventionmeasures*Detectionmeasures*Informationassurance(IA)PossiblePunishmentDefenseMethodsandTechnologiesRecoveryTechnicalMalwareAttackMethods:FromVirusestoDenialofServiceTechnicalandNontechnicalAttacks:AnOverviewTheMajorTechnicalAttackMethodsMalware(MaliciousCode):Viruses,Worms,andTrojanHorses*

Viruses*

WormsTheMajorTechnicalSecurityAttackMethodsTechnicalMalwareAttackMethods:FromVirusestoDenialofService*Macrovirus(macroworm)*TrojanhorseSomeRecentSecurityBugs:HeartbleedandCrytolocker*Denial-of-service(DoS)attackWebServerandWebPageHijacking*Pagehijacking*

BotnetsMalvertisingHowaComputerVirusCanSpreadNontechnicalMethods:FromPhishingtoSpamandFraudSocialEngineeringandFraudSocialPhishing*Phishing*PharmingFraudandScamsonTheInternetExamplesofTypicalOnlineFraudAttacksE-MailScamsTop10AttacksandRemedies*IdentityTheftandIdentifyFraudCyberBankRobberiesSocialEngineering:FromPhishingtoFinancialFraudandCrimeHowPhishingIsAccomplishedNontechnicalMethods:FromPhishingtoSpamandFraudSpamAttacks*E-mailspamTypicalExamplesofSpamming*SpywareSocialNetworkingMakesSocialEngineeringEasyHowHackersAreAttackingSocialNetworksSpaminSocialNetworksandintheWeb2.0Environment*Searchenginespam*Splog*DataBreach(Leak)TheInformationAssuranceModelAndDefenseStrategyConfidentiality,Integrity,andAvailability*Confidentiality*Integrity*AvailabilityAuthentication,Authorization,andNonrepudiationTheInformationAssuranceModelAndDefenseStrategyE-CommerceSecurityStrategyThePhasesofSecurityDefensePreventionanddeterrence(preparation)InitialresponseDetectionContainment(containthedamage)EradicationRecoveryCorrectionAwarenessandcomplianceSecuritySpendingVersusNeedsGapE-CommerceSecurityStrategyFrameworkTheInformationAssuranceModelAndDefenseStrategyTheDefenseSideofECSystemsDefendingaccesstocomputingsystems,dataflow,andECtransactionsDefendingECnetworksGeneral,administrative,andapplicationcontrolsProtectionagainstsocialengineeringandfraudDisasterpreparation,businesscontinuity,andriskmanagementImplementingenterprisewidesecurityprogramsConductavulnerabilityassessmentandapenetrationtestAssessingVulnerabilitiesandSecurityNeeds*Vulnerabilityassessment*Penetrationtest(pentest)TheDefenseI:AccessControl,Encryption,andPKI*AccessControlAuthorizationandAuthenticationBiometricSystems*Biometricauthentication*BiometricsystemsEncryptionandtheOne-Key(Symmetric)System*Encryption*Plaintext*Ciphertext*Encryptionalgorithm*Key(keyvalue)*Keyspace*Symmetric(Private)KeyEncryptionSymmetric(Private)KeyEncryptionTheDefenseI:AccessControl,Encryption,andPKI*Publickeyinfrastructure(PKI)*Public(asymmetric)keyencryption*Publickey*PrivatekeyThePKIProcess:DigitalSignaturesandCertificateAuthorities*Digitalsignatures*Hashfunction*Messagedigest*Digitalenvelope*Certificateauthorities(CAs)SecureSocketLayer(SSL)OtherTopicsandMethodsofDefenseDigitalSignatureTheDefenseII:SecuringE-CommerceNetworks*Firewalls*PacketsTheDualFirewallArchitecture:TheDMZ*PersonalFirewalls*Virtualprivatenetwork(VPN)*Protocoltunneling*IntrusionDetectionSystems

(IDS)CloudComputingPreventsDoSAttacksHoneynetsandHoneypots*Honeynet*HoneypotsE-MailSecurityTheTwoFirewalls:DMZArchitectureTheDefenseIII:GeneralControls,Spam,PopUps,Fraud,AndSocialEngineeringControls*Generalcontrols*ApplicationcontrolsGeneral,Administrative,andOtherControlsPhysicalControlsAdministrativeControlsProtectingAgainstSpam*CAN-SPAMActMajorDefenseControlsTheDefenseIII:GeneralControls,Spam,PopUps,Fraud,AndSocialEngineeringControlsProtectingYourComputerfromPop-UpAdsToolsforStoppingoratLeastMinimizingPop-UpsProtectingagainstOtherSocialEngineeringAttacksProtectingagainstPhishingProtectingagainstMalvertisingProtectingAgainstSpywareProtectingAgainstCyberwarsTheDefenseIII:GeneralControls,Spam,PopUps,Fraud,AndSocialEngineeringControlsFraudProtectionBusinessContinuity,DisasterRecovery,andRiskManagementRisk-ManagementandCost-BenefitAnalysisBusinessContinuityServicesandITRecoveryProcessImplementingEnterprisewideE-CommerceSecurityTheDriversofECSecurityManagementSeniorManagementCommitmentandSupportECSecurityPoliciesandTrainingCyberThreatIntelligence(CTI)ECRiskAnalysisandEthicalIssues*Businessimpactanalysis(BIA)EthicalIssuesEnterprisewide

ECSecurityandPrivacyModelImplementingEnterprisewideE-CommerceSecurityWhyIsItDifficulttoStopInternetCrime?MakingShoppingInconvenientLackofCooperationbyBusinessPa