Page 316 - Introduction to Electronic Commerce and Social Commerce

10.3 Technical Malware Attack Methods: From Viruses to Denial of Service                       303

Authentication and nonrepudiation are potential defenses against phishing and identity theft. To protect and ensure trust in EC transactions, digital signatures, or digital certificates, are often added to validate the senders and the times of the transactions so buyers are not able to deny that they authorized a transaction or that it never occurred.

The Defense: Defenders, Strategy, and Methods

Everybody should be concerned about security. However, in a company, the information systems department and security vendors provide the technical side, while management provides the administrative aspects. Such activities are done via security and strategy procedures that users need to follow.

EC Defense Programs and Strategy

An EC security strategy consists of multiple layers of defense that include several methods. This defense aims to deter, prevent, and detect unauthorized entry into an organization's computer and information systems. Deterrent methods are countermeasures that make criminals abandon their idea of attacking a specific system (e.g., a possible deterrent is a realistic expectation of being caught and punished). Prevention measures help stop unauthorized people from accessing the EC system (e.g., by using authentication devices and firewalls or by using intrusion prevention, which is, according to TechTarget, "a preemptive approach to network security used to identify potential threats and respond to them swiftly"). Detection measures help find security breaches in computer systems. Usually this means finding out whether intruders are attempting (or have attempted) to break into the EC system, whether they were successful, whether they are still damaging the system, and what damage they may have done.

Information Assurance

Making sure that a customer is safe and secure while shopping online is a crucial part of improving the online buyer's experience. Information assurance (IA) refers to the measures taken to protect information systems and their processes against all risks.

Possible Punishment

A part of the defense is to deter criminals by punishing them heavily if they are caught. Judges now are giving more and harsher punishments than a decade ago. For example, in March 2010, a federal judge sentenced 28-year-old TJX hacker Albert Gonzalez to 20 years in prison for his role in stealing millions of credit and debit card numbers and selling them. Such severe sentences send a powerful message to hackers and help the defense. Unfortunately, in many cases the punishment is too light to deter the cybercriminals.

Defense Methods and Technologies

There are hundreds of security defense methods, technologies, and vendors, and these can be classified in different ways, so their analysis and selection may be difficult. We introduce only some of them later in this chapter.

Recovery

In security battles, there are winners and losers in each security episode, but it is difficult to win the security war. There are many reasons for this. On the other hand, organizations and individuals usually recover after a security breach. Recovery is especially critical in cases of a disaster or a major attack, and it must be speedy. Organizations need to continue their business until the information systems are fully restored, and they need to restore them fast. This is accomplished by activating business continuity and disaster recovery plans.

Because of the complexity of EC and network security, comprehensive coverage requires an entire book, or even several books. Here we cover only selected topics. Those readers interested in a more comprehensive discussion should see the Pearson/Prentice Hall Security Series of security books and also conduct a Google search.

SECTION 10.2 REVIEW QUESTIONS

1. List five major EC security terms.
2. Describe the major unintentional security hazards.
3. List five examples of intentional EC security crimes.
4. Describe the security battleground, who participates, and how. What are the possible results?
5. Define hacker and cracker.
6. List all security requirements and define authentication and authorization requirements.
7. What is nonrepudiation?
8. Describe vulnerability and provide some examples of potential attacks.
9. Describe deterring, preventing, and detecting in EC security systems.
10. What is a security strategy, and why is it needed?

10.3 TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE

There are many ways criminals attack information systems and users. Here, we cover only major representative methods.

It is helpful to distinguish between two common types of attacks—technical (which we discuss in this section)
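The nonrepudiation paragraph at the top of this page describes attaching a digital signature to a transaction so the buyer cannot later deny authorizing it or the time it occurred. The following Go program is an added example, not from the textbook; it assumes a hypothetical Order record signed with Ed25519, and it leaves out the digital certificate from which a merchant would normally obtain the buyer's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"time"
)

// Order is a hypothetical transaction record the buyer authorizes. The signature
// covers every field, including the timestamp, so neither can be altered later.
type Order struct {
	Buyer       string    `json:"buyer"`
	Merchant    string    `json:"merchant"`
	AmountCents int64     `json:"amount_cents"`
	Timestamp   time.Time `json:"timestamp"`
}

// canonical is the byte string that is signed and later verified; both sides
// must encode the order identically (JSON with fixed field order here).
func canonical(o Order) []byte {
	b, _ := json.Marshal(o) // Order has only marshalable fields, so no error
	return b
}

// SignOrder: the buyer signs with a private key only the buyer holds, which is
// what makes a later denial of the order implausible.
func SignOrder(priv ed25519.PrivateKey, o Order) []byte {
	return ed25519.Sign(priv, canonical(o))
}

// VerifyOrder: the merchant checks the signature against the buyer's public key
// (in practice obtained from the buyer's digital certificate).
func VerifyOrder(pub ed25519.PublicKey, o Order, sig []byte) bool {
	return ed25519.Verify(pub, canonical(o), sig)
}

// Demo signs a constructed sample order and reports whether verification passes
// for the original record and for copies with the amount or the time changed.
func Demo() (origOK, amountChangedOK, timeChangedOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	order := Order{Buyer: "buyer-123", Merchant: "shop.example", AmountCents: 4999,
		Timestamp: time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC)}
	sig := SignOrder(priv, order)
	cheaper, later := order, order
	cheaper.AmountCents = 499
	later.Timestamp = order.Timestamp.Add(time.Hour)
	return VerifyOrder(pub, order, sig), VerifyOrder(pub, cheaper, sig), VerifyOrder(pub, later, sig)
}
```

Only the original record verifies; a changed amount or a shifted timestamp fails, and a signature also fails against any key other than the signer's, which is the evidence the merchant keeps for a dispute.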