1-Fraud refers to a business activity that relies on force or threats to deprive a person or company of property or other assets.
True False
2-The trend in online crimes shows that most new scammers and other con artists are not computer geniuses.
True False
3-Identity theft has become the primary concern of online shoppers.
True False
4-Defending against online cons and compensating for the damages caused by identity thieves have significantly increased the costs of EC.
True False
5-To minimize the risk of fraud from phishing and crimeware, EC retailers need to authenticate the buyer.
True False
6-An EC security strategy consists of firewalls and other types of technology to prevent and detect unauthorized use of the organization's brand, identity, Web site, e-mail, information, or other asset.
True False
7-Information assurance broadly refers to the protection of information systems against unauthorized access to information, unauthorized modification of information, and denial of service to authorized users.
True False
8-The EC industry ranks security over convenience. So the EC industry strives to enforce safeguards, such as passwords for credit card transactions, that make online shopping safer even if those safeguards make it more inconvenient for customers.
True False
9-Credit card issuers want to cooperate and share leads on criminal activity with each other and law enforcement even though prosecution has an uncertain outcome.
True False
10-Most U.S. Web hosting providers log all activity so, in most cases, they can identify the source IP address and source ISP with timestamps and other identifying information.
True False
11-Requiring stronger EC standards and information sharing by the credit card companies would not fix the security problems facing online retailers and shoppers.
True False
12-Spammers use zombie computers to distribute spam because it is both cheaper and less risky.
True False
13-According to the Mitre Corporation's list of Common Vulnerabilities and Exposures, two of the top five reported vulnerabilities were within Web applications.
True False
14-The legal standard of due care requires that a company take reasonable care to defend against risks affecting its EC business and online transactions.
True False
15-Because of the lack of source authentication and data integrity checking in DNS operations, Internet services are vulnerable to attacks.
True False
16-Experts believe that a strict e-business risk management program that was rigorously managed could not have prevented many of the data breaches.
True False
17-EC security programs have a life cycle during which their EC security requirements must be evaluated and adjusted annually.
True False
18-According to the CIA security triad, the success and security of EC depends on the confidentiality, integrity, and accessibility of information and the business Web site.
True False
19-Nonrepudiation is closely associated with authentication and assures that an online customer or trading partner cannot falsely deny their purchase or transaction.
True False
20-The FTC, SEC and other government agencies cannot impose harsh penalties on companies whose confidential data has been breached unless a company employee caused the breach.
True False
21-Phishing attacks rely on social engineering, which is a nontechnical attack that uses deception to trick users into revealing information or performing an action that compromises a computer or network.
True False
22-The time-to-exploitation, which is the elapsed time between when a vulnerability is discovered and the time it is exploited, of most sophisticated spyware and worms has decreased from several months to a few weeks.
True False
23-Unlike denial of service (DOS) attacks, botnet attacks are less dangerous because they cannot disrupt a web site or EC application.
True False
24-The ability of a biometric system to identify a person depends on the existence of a database of enrolled users that is searched for a match based on the person's biometric trait.
True False
25-Virtual private networks (VPNs) are a special category of software that can monitor activity across a network or on a host computer, watch for suspicious activity, and take automated action based on what it sees.
True False
26-The incidence of online fraud and identity theft has increased for each of the following reasons except:
Information is today's most valuable form of international currency.
New effective phishing scams and schemes being carried out by computer experts.
Scammers outsourcing work to programmers to seize control of computers or wireless networks.
Growth in EC sales and the number of shoppers with higher incomes.
27-Cyber cons have a negative effect on EC because
con artists have gone low-tech.
companies cannot expand their e-business to other countries with underdeveloped legal systems.
a majority of potential customers do not shop online because they are too afraid of fraud to trust online merchants.
defending against these cons and compensating for damages significantly increase the costs of EC.
28-The U.S. agencies dedicated to eliminating fraud resulting from phishing and crimeware are:
The Group of Eight, VeriSign, and NameProtect.
The High-Tech Crime Network, Anti-Phishing Working Group, and Internet Research Lab.
The High-Tech Crime Network, Anti-Phishing Working Group, and Federal Trade Commission.
The Computer Security Institute, High-Tech Crime Network, and Anti-Phishing Working Group.
29-________ is a crimeware technique used to steal the identity of target companies to get the identities of their customers.
Social engineering. Phishing. Pretexting. Spamming.
30-Where do a huge majority, possibly as high as 95 percent, of hackers reside?
Turkey, China, Romania, or Brazil.
Russia, India, Germany, or Argentina.
In the G8 countries.
In South America.
31-The key reasons why EC criminals cannot be stopped include each of the following except:
Lack of cooperation from credit card issuers and foreign ISPs.
Strong EC security makes online shopping inconvenient and demanding on customers.
Sophisticated hackers use browsers to crack into Web sites.
Online shoppers do not take necessary precautions to avoid becoming a victim.
32-It is currently known that if a front-end application such as a Web site is effectively secured, then
the data itself is secured by firewalls.
the data itself is secure because web applications are not targeted by attackers.
the data itself may not be secure because the application may not function as planned.
the data itself may not be secure because back-end databases may not function as planned.
33-A vulnerability
is the estimated cost, loss, or damage that can result if a threat exploits a vulnerability.
is a software bug.
is the probability that a weakness will be known and used.
is a weakness in software or other mechanisms that a hacker can use directly to gain access to a system or network.
34-The underlying reasons why a comprehensive EC security strategy is needed include all of the following except:
Managers
The Internet was designed for maximum efficiency without regard for its security or users with malicious intent.
Many companies fail to implement basic IT security management best practices, business continuity plans, and disaster recovery plans.
35-The protection of information systems against unauthorized access to or modification of information that is stored, processed, or being sent over a network is referred to as ________.
Information defense. Information security triad. Information integrity. Information assurance.
36-The success and security of EC depends on the ________ of information and the business Web site.
authentication,
37-The basic security concepts relating to customers and other users are:
authorization,
38-Digital signatures or digital certificates:
are used to validate the sender and time stamp of the transaction so it cannot be later claimed that the transaction was unauthorized or invalid.
have been compromised by phishers and spammers.
provide complete confidence that the transactions are secure.
a and b
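Questions 19 and 38 both turn on what a digital signature actually guarantees. The following is an added example, not part of the original question set: it uses Go's standard-library Ed25519 to sign a constructed order record (timestamp included, so the time is covered by the signature) and runs the two checks a merchant relies on for nonrepudiation, namely that an order with an altered amount no longer verifies and that a signature produced with some other key does not verify as the customer's. The Order type, the sample values and the Scenario function are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Order is a constructed transaction record. The timestamp sits inside the
// signed message, so neither party can later substitute a different time.
type Order struct {
	OrderID   string `json:"order_id"`
	Customer  string `json:"customer"`
	AmountUSD int64  `json:"amount_usd"`
	Timestamp string `json:"timestamp"`
}

// canonical serializes the order deterministically; signer and verifier must
// operate on byte-identical input or every signature would fail to verify.
func canonical(o Order) ([]byte, error) {
	return json.Marshal(o) // fields are emitted in struct declaration order
}

// SignOrder signs the canonical order with the customer's private key.
func SignOrder(priv ed25519.PrivateKey, o Order) ([]byte, error) {
	msg, err := canonical(o)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyOrder is true only if sig was made over exactly this order by the
// holder of the private key that matches pub.
func VerifyOrder(pub ed25519.PublicKey, o Order, sig []byte) bool {
	msg, err := canonical(o)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Scenario models the dispute checks: the genuine order verifies, an altered
// amount does not, and a signature from a different key does not.
// It returns (genuineOK, tamperDetected, wrongKeyDetected, err).
func Scenario() (bool, bool, bool, error) {
	custPub, custPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	order := Order{"A-1001", "alice@example.com", 249, "2009-03-14T10:15:00Z"} // constructed
	sig, err := SignOrder(custPriv, order)
	if err != nil {
		return false, false, false, err
	}
	genuineOK := VerifyOrder(custPub, order, sig)

	// The customer later claims the order was for $24, not $249.
	disputed := order
	disputed.AmountUSD = 24
	tamperDetected := !VerifyOrder(custPub, disputed, sig)

	// A signature made with someone else's key must not verify as the customer's.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	forged, _ := SignOrder(otherPriv, order)
	wrongKeyDetected := !VerifyOrder(custPub, order, forged)

	return genuineOK, tamperDetected, wrongKeyDetected, nil
}

func main() {
	ok, tamper, wrongKey, err := Scenario()
	fmt.Println("genuine verifies:", ok, "| tamper detected:", tamper, "| wrong key detected:", wrongKey, "| err:", err)
}
```

A signature binds the message to a key, not to a person. What lets the merchant win the dispute is the certificate (question 47's PKI) that ties that public key to the customer, plus a signed timestamp from a party the customer does not control; the option in question 38 that promises "complete confidence" overstates what the mathematics alone delivers.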
39-The most cost-effective approach to EC security is to develop and implement a strategy that
requires digital signatures or digital certificates for all transactions.
depends on the trust and overrides of accounting controls.
40-To be effective, an acceptable use policy (AUP) needs
to specify rules for firewalls, access control lists, monitoring, and intrusion detection systems.
to inform all users of their responsibilities when using company networks, computer equipment, wireless devices, and customer data.
to be written by
to be incorporated
41-In 2005, human error was responsible for almost ________ percent information security breaches in organizations.
40 10 20 60
42-Which of the following statements about hardware and software security defenses is false?
After the EC security program and policies are defined and risk assessment completed, then the software and hardware needed to support and enforce them can be put in place.
Hardware and software security defenses protect against irresponsible business practices or corrupt management.
If firewalls and antivirus software are not upgraded and monitored constantly, they will not remain useful.
There is no single hardware or software solution for all companies.
43-Social engineering attacks are:
no longer considered to be serious Internet threats due to the increased security of MySpace, LinkedIn, and YouTube.
a combination of technical and nontechnical attacks.
attacks that take advantage of Web 2.0 applications like social networking sites, blogs, wikis and RSS feeds.
an example of technical attacks requiring software or systems knowledge.
44-A technique known as web page hijacking
downloads what appears to be an "important document," but which contains a trojan, a program that gives the sender control of the infected machine.
enables a malicious Web master to displace the pages of an EC Web site in the Search Engine Results Pages (SERPS) to redirect customers to another site.
enables online gambling sites that are actually fronts for international money laundering operations.
causes a high volume of search engine traffic similar to a denial of service attack.
45-A botnet is:
a piece of software code that inserts itself into a host or operating system to launch DOS attacks.
a collection of a few hundred hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet.
a piece of code in a worm that spreads rapidly and exploits some known vulnerability.
a coordinated network of computers that can scan for and compromise other computers and launch DOS attacks.
46-Which technologies are designed and used to secure EC communications across a network?
PINs, cryptocards, and point-of-sale systems.
Plastic cards with magnetic strips, intrusion detection systems, and progressive tokens.
AUPs, ACLs, and network login IDs.
Access control lists, tokens, passwords, and biometric systems.
47-Public key infrastructure (PKI) is an authentication method
that encrypts and decrypts large amounts of data effectively.
that is based on the Data Encryption Standard, which is the standard symmetric encryption algorithm supported by U.S. government agencies.
that uses encryption keys ranging from 64 bits to 128 bits.
that has become the cornerstone for secure e-payments and intranet applications.
48-Secure Socket Layer (SSL), which is also known as Transport Layer Security (TLS):
is designed to handle all steps in the validation of credit card protocols for securing e-commerce used by Microsoft and Netscape.
was invented by Microsoft to use standard certificates for authentication and data encryption to ensure privacy or confidentiality.
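Questions 47 and 48 are easier to reason about once the mechanism is visible. The following added example (not from the original question set) builds a miniature PKI with Go's standard library: a self-signed root CA issues a server certificate for a host, and a client-side check verifies the chain against a trust store and matches the host name, exactly the check a TLS client performs before it trusts a shopping site. The CA name, the host shop.example and the helper names are this example's own assumptions; the keys are generated fresh on every run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func keygen() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates the certificate described by tmpl, signed by the holder of
// signerKey. When parent == tmpl the result is self-signed (a root CA).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI returns a root CA and a server certificate that root issued for
// host. Only public keys end up inside the certificates; the CA private key
// never leaves this function, which is what lets a real CA key stay offline.
func BuildPKI(host string) (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	caKey := keygen()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leafKey := keygen()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name a browser actually matches against
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return ca, leaf, err
}

// Trusted performs the check a TLS client makes on a server certificate:
// the chain must end at a root in the trust store and the name must match.
func Trusted(roots []*x509.Certificate, leaf *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	ca, leaf, err := BuildPKI("shop.example")
	if err != nil {
		panic(err)
	}
	rogueCA, _, _ := BuildPKI("shop.example") // a CA the client has never trusted
	fmt.Println("own root, right name:", Trusted([]*x509.Certificate{ca}, leaf, "shop.example"))
	fmt.Println("own root, wrong name:", Trusted([]*x509.Certificate{ca}, leaf, "evil.example"))
	fmt.Println("untrusted root:      ", Trusted([]*x509.Certificate{rogueCA}, leaf, "shop.example"))
}
```

Two points the question options gloss over: the public-key operations here are only used to sign certificates and, in TLS, to agree a session key, while the bulk traffic is protected with a symmetric cipher; and the whole scheme is only as strong as the trust store, since a certificate from a root the client does not hold (the rogue CA above) is rejected no matter how well-formed it is.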
49-Access to a network ought to be based on:
the policy of least privilege where access to network resources are blocked and permitted only when needed to conduct business.
role-specific security protocols where access is limited by a user's level of trust.
the policy of need-to-know where access by all non-employees is blocked.
the policy of acceptable use where access is restricted by the firewall.
50-Which of the following does not correctly describe what firewalls protect against?
Some programs have bugs or special features that create application backdoors, which allow for remote access.
Spammers often use SMTP session hijacking to redirect e-mail through the SMTP server of an unsuspecting host, which helps hide their identity.
Remote logins occur when an unauthorized user connects to a PC and gains control of it.
Macros are the electronic equivalent of junk mail.
51-Firewalls that filter requests from the Internet to a private network based on the IP address of the computer sending or receiving those requests are called:
packet-filtering routers. application-level proxies. bastion gateways. IP blockers.
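Question 51 names the device and question 49 names the policy it should enforce. The following added example (not from the original question set) models a stateless packet-filtering ACL in Go: each rule matches on source network, destination network and destination port, rules are evaluated first-match, and anything not explicitly permitted falls through to a default deny, which is the least-privilege posture of question 49. The addresses (203.0.113.10 for the web server, 198.51.100.7 for a shopper, the 10.0.0.0/8 corporate network) and the rule set are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Action is the filter's verdict for a packet.
type Action int

const (
	Deny Action = iota
	Permit
)

func (a Action) String() string {
	if a == Permit {
		return "permit"
	}
	return "deny"
}

// Rule is one ACL entry: source network, destination network, destination
// port (0 = any) and the verdict. A stateless packet filter sees only these
// header fields; it never inspects the payload.
type Rule struct {
	Src, Dst *net.IPNet
	DstPort  int
	Action   Action
}

// Packet is the constructed header subset the filter inspects.
type Packet struct {
	Src, Dst net.IP
	DstPort  int
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Filter applies the rules in order and returns the first match together
// with the index of the rule that fired. Anything not explicitly permitted
// is denied and reported with index -1 (the implicit deny).
func Filter(rules []Rule, p Packet) (Action, int) {
	for i, r := range rules {
		if r.Src.Contains(p.Src) && r.Dst.Contains(p.Dst) && (r.DstPort == 0 || r.DstPort == p.DstPort) {
			return r.Action, i
		}
	}
	return Deny, -1
}

// StoreRules is a constructed ACL for an EC web server at 203.0.113.10:
// public HTTPS in, SSH only from the corporate network, and the database
// port never reachable from outside the server's own subnet.
var StoreRules = []Rule{
	{cidr("10.0.0.0/8"), cidr("203.0.113.10/32"), 22, Permit},
	{cidr("0.0.0.0/0"), cidr("203.0.113.10/32"), 22, Deny},
	{cidr("0.0.0.0/0"), cidr("203.0.113.10/32"), 443, Permit},
	{cidr("0.0.0.0/0"), cidr("203.0.113.0/24"), 3306, Deny},
}

func main() {
	server := net.ParseIP("203.0.113.10")
	for _, p := range []Packet{
		{net.ParseIP("198.51.100.7"), server, 443},  // shopper on the Internet
		{net.ParseIP("198.51.100.7"), server, 22},   // SSH attempt from the Internet
		{net.ParseIP("10.1.2.3"), server, 22},       // admin on the corporate network
		{net.ParseIP("198.51.100.7"), server, 8080}, // unlisted port, implicit deny
	} {
		a, i := Filter(StoreRules, p)
		fmt.Printf("%s -> :%d %s (rule %d)\n", p.Src, p.DstPort, a, i)
	}
}
```

Two caveats a practitioner keeps in mind: the filter trusts the source address, which an attacker can forge, so real deployments add anti-spoofing rules on the external interface; and a packet the filter permits on port 443 is still a full HTTP request, so a SQL injection inside it is invisible here, which is the point behind question 32.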
52-All of the following are important security functions of proxy servers except:
They improve network performance.
They hide the IP addresses of a company's internal computers.
They help control outbound traffic to a network.
They help control inbound traffic to a network.
53-The advantages of virtual private networks (VPN) for data communications include all of the following except:
They can reduce communication costs dramatically because VPN equipment is cheaper than other remote solutions.
They are less expensive than private leased lines because they use the public Internet to carry information.
They ensure the confidentiality and integrity of the data transmitted over the Internet without requiring encryption.
Remote users can use broadband connections rather than make long distance calls to access an organization's private network.
54-A host-based intrusion detection system (IDS):
Resides on the server that is being monitored where it can detect whether critical or security-related files have been tampered with or whether a user has attempted to access files that he or she is not authorized to use.
Consists of information system resources: firewalls, routers, Web servers, database servers, and files that look like production systems, but do no real work.
Can perform certain actions when an attack occurs, such as terminating network connections based on security policies.
Uses rules to analyze suspicious activity at the perimeter of a network or at key locations in the network.
55-In the United States, which federal laws place legal limits on monitoring activity?
The Wiretap Act and CFAA
The Wiretap Act and the Pen Register, Trap, and Trace Devices statute
The Computer Fraud and Abuse Act (CFAA) and the First Amendment.
The USA PATRIOT Act and CFAA