Unit 06 - LO3

E-Commerce
A/601/7313
LEVEL 3
LO3 - Understand the effects of e-commerce on society

Learning Outcome (LO) - The learner will:
Pass - The assessment criteria are the pass requirements for this unit. The learner can:

1. Know the technologies required for an e-commerce system
   P1 - Describe the technologies required for e-commerce
2. Understand the impact of e-commerce on organisations
   P2 - Explain the impact of introducing an e-commerce system to an organisation
   M1 - Describe how organisations promote their business using e-commerce
3. Understand the effects of e-commerce on society
   P3 - Explain the potential risks to an organisation of committing to an e-commerce system
   M2 - Explain solutions for the potential risks of using e-commerce
4. Be able to plan e-commerce strategies
   P4 - Review the regulations governing e-commerce
   P5 - Examine the social implications of e-commerce on society
   P6 - Plan an e-commerce strategy
Scenario
Criteria
Tasks
1
2
3
4
5
Merit - For merit the evidence must show that, in addition to the pass criteria, the learner is able to:
   M3 - Provide annotated planning documentation for your e-commerce strategy
Distinction - For distinction the evidence must show that, in addition to the pass and merit criteria, the learner is able to:
   D1 - Compare the benefits and drawbacks of e-commerce to an organisation
6
7
8
9
10
   D2 - Evaluate your e-commerce strategy
Assessment




P3 - Understand the effects of e-commerce on society
Learners need to understand the potential risks for e-commerce
systems, which should be set initially as research activities.
Learners could brainstorm risks and then discuss as a group to
identify risks that they may not have considered and look at the
different aspects and implications of each.
M2 – Understand the solutions for the potential risks of using e-commerce
The learners could then be encouraged in small groups to further
research risks allocated to them to see if they can find an
example of when the risk has happened or may have been
avoided, as well as find a solution or preventative method. The
small groups/pairs could then be encouraged to provide
feedback to the main group.
P3 - The assessment criterion P3 could be evidenced by the use of a report, leaflet or presentation delivered by the learner, which could be supported by tutor observation and/or recorded evidence. The learner is required to explain the potential risks to an organisation of committing to an e-commerce system; this could relate to the business mentioned under assessment criterion P2. The learner must consider all risks identified in the teaching content.
M2 - The merit criterion M2 could be evidenced by the learner providing a detailed explanation of the risks identified under assessment criterion P3, and must give examples to support their evidence, where possible relating these to organisations and individuals that have had these issues. Learners are also required to provide a range of solutions or preventative methods for each of the risks outlined for assessment criterion P3.
Computer hacking is the practice of modifying computer hardware and software to
accomplish a goal outside of the creator’s original purpose. People who engage in
computer hacking activities are often called hackers. Since the word “hack” has long
been used to describe someone who is incompetent at his/her profession, some hackers
claim this term is offensive and fails to give appropriate recognition to their skills.
Computer hacking is most common among teenagers and young adults, although there
are many older hackers as well. Many hackers are true technology buffs who enjoy
learning more about how computers work and consider computer hacking an “art” form.
They often enjoy programming and have expert-level skills in one particular program.
For these individuals, computer hacking is a real-life application of their problem-solving skills. It's a chance to demonstrate their abilities, not an opportunity to harm others.
Since a large number of hackers are self-taught prodigies, some corporations actually
employ computer hackers as part of their technical support staff. These individuals use
their skills to find flaws in the company’s security system so that they can be repaired
quickly. In many cases, this type of computer hacking helps prevent identity theft and
other serious computer-related crimes.
Computer hacking can also lead to other constructive technological developments, since
many of the skills developed from hacking apply to more mainstream pursuits. For
example, former hackers Dennis Ritchie and Ken Thompson went on to create the UNIX
operating system in the 1970s. This system had a huge impact on the development of
Linux, a free UNIX-like operating system. Shawn Fanning, the creator of Napster, is
another hacker well known for his accomplishments outside of computer hacking.
Hacking has many negative effects: personal information may be leaked, intellectual property could be stolen, and lives can be ruined.
There is no effective way to eliminate cracking. Any security measure put out will be circumvented sooner or later (as an example, see the iPhone 3G unlock). So the only way to keep unwanted criminals out is to keep your software up to date and shielded from the outside world, for example by firewalls. Cracking isn't always bad: some people crack software or security in order to learn how to prevent it. There is a difference between good and bad, though: white hat hackers vs. black hat hackers.
Hacking can take many forms, and the level of infiltration can vary from curiosity to espionage. Levels of hacking are usually only detected after the fact. Segmenting systems with subnet masks is useful but not foolproof; firewalls involve degrees of encrypted security from 8-bit to 64-bit but can still be accessed. We all know the story of the NORAD hack from the movie WarGames, but how close to the truth is it? Governments have set up agencies like CIPAV or US-CERT to identify hacking and security threats to governmental systems, but businesses are less prepared.
For information look at:
http://www.wired.com/threatlevel/2009/04/fbi-spyware-pro/
For a detailed explanation see:
http://technet.microsoft.com/hiin/magazine/2005.01.anatomyofahack(en-us).aspx
Most networks today are built on what is
called the eggshell principle: hard on the
outside and soft on the inside. This means
that if an attacker can gain a foothold onto
the network, the rest of the network
protections will usually fall like dominoes.
Once inside, the most difficult part is
often to figure out what to attack next and
where to go for the really juicy bits of
information. It does not have to be this
way. With the proper techniques, we as
network administrators can achieve two
crucial objectives: to make it much more
difficult to gain a foothold in the first
place and to make it much more difficult
to use that foothold to get anywhere else
on the network.
P3.1 - Potential risks to an organisation - Viruses








Europe has Entered a 'Cyber Cold War' (Source: NATO, FBI, McAfee & Serious Organised Crime Agency)
China Most Actively Spying, but with 120 Other Countries!
NATO Said that All 26 of its Member Countries Have Been Targeted by Cyber-Attacks (e.g. Estonia)
Georgia's Government Websites Fall Victim to Cyber-Attacks (DDoS & Defacements) ... "Too Sophisticated for Amateurs!"
Tibetan Government Web Site Injected with Malicious Source Code
Palin's Yahoo Account Hacked in Less than 45 Minutes Using Password Reset Functionality
Web Defacers Hacked into CERN Website of the LHC (Large Hadron Collider)
UK Minister Confirms Cyber-Terrorists Attempting to Take Out the National Grid (Aug '08)
P3.1 - Potential risks to an organisation - Viruses
Viruses have been the bane of IT and companies since networks were introduced into companies for business transactions. Remember that all computer viruses have been created by someone for a purpose, whether it is to annoy, to destroy, or to deliberately bring down a company or website.
computer virus n. A computer program that is designed to replicate itself by copying itself into the other programs stored in a computer. It may be benign or have a negative effect, such as causing a program to operate incorrectly or corrupting a computer's memory.
All viruses are different, so they all act in a different way and have a different purpose. On Symantec's site the threats are classified daily according to the level of risk and the exploit a virus takes advantage of in its attack:
http://www.symantec.com/norton/security_response/threatexplorer/index.jsp
P3.1 - Task 1 – Define and explain the potential risk to an organisation’s
e-commerce system from hacking attacks and viruses.
P3.2 - Potential risks to an organisation - Phishing




Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking e-mails in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy Web sites. Those frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America Online. A phishing expedition is a speculative venture: the phisher puts out the lure hoping to fool at least a few of the prey that encounter the bait. Phishers use a number of different social engineering and e-mail spoofing ploys to try to trick their victims.
In one typical case before the Federal Trade Commission (FTC), a 17-year-old male sent out messages purporting to be from AOL that said there had been a billing problem with recipients' AOL accounts. The e-mail used AOL logos and contained legitimate links. If recipients clicked on the "AOL Billing Center" link, they were taken to a spoofed AOL Web page that asked for personal information, credit card numbers, personal identification numbers (PINs), social security numbers, banking numbers, and passwords. This information was then used for identity theft.
A banking Trojan takes a different route: it infects the machine and then waits for the victim to visit his or her bank. Information is gathered by injecting additional fields into the genuine bank web page as it loads in the browser; no fake web sites are used. The SSL connection between client and bank is valid (the padlock is shown and the certificate chain is OK), and classical anti-virus software did not detect this threat.
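The AOL lure above works because the link text and the real destination differ. The following check is an example added here, not code from the original page: it parses a constructed e-mail (the sender domain, link hosts and addresses are invented, using .example names and documentation address ranges) and flags links whose destination lies outside the sender's claimed domain or whose visible URL differs from where the link really goes.

```python
"""Flag lure links in an HTML e-mail, as in the spoofed 'AOL Billing Center'
case. Constructed example; the message and all domains are invented."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the sender claims to be billing@aol.example. The first
# link is genuine, the second points to a look-alike host, the third shows a
# trustworthy URL as its text but really goes to a bare IP address.
SAMPLE_MESSAGE = """\
From: "Billing Center" <billing@aol.example>
To: customer@example.org
Subject: Billing problem with your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>There has been a billing problem with your account.</p>
<p><a href="https://www.aol.example/help">Help pages</a></p>
<p><a href="http://aol-billing.example.net/login">AOL Billing Center</a></p>
<p><a href="http://203.0.113.5/update">https://www.aol.example/update</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it (case-insensitive).
    A plain suffix test would accept aol.example.net, so the dot is required."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def suspicious_links(raw_message):
    """Return (text, href, reason) for each link that does not match the
    sender's claimed domain or whose visible URL hides the real destination."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = _LinkCollector()
    collector.feed(body)
    findings = []
    for text, href in collector.links:
        real_host = urlparse(href).hostname or ""
        if not real_host:
            continue  # relative or mailto: links carry no external destination
        if not host_belongs_to(real_host, sender_domain):
            findings.append((text, href, "destination host outside sender domain"))
        shown = urlparse(text)
        if shown.scheme and shown.hostname and shown.hostname.lower() != real_host.lower():
            findings.append((text, href, "visible URL differs from real destination"))
    return findings


if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_MESSAGE):
        print(f"{reason}: '{text}' -> {href}")
```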
P3.2 - Potential risks to an organisation – ID Theft
Identity Theft - In today's society, people more commonly buy and shop using credit cards instead of cash. They purchase goods and services online instead of at a store. Instead of going to the bank, people have online bank accounts. We have the convenience and opportunity to purchase goods from around the world, to pay our bills at two o'clock in the morning, or to check our bank statement from home.
 Technology has brought about tremendous advances, but technology has also advanced the common criminal. This type of criminal steals someone's identity in order to commit fraudulent acts through phishing, bin rummaging, telephone scams and hacking.
 Thieves are on the lookout for our personal information so they can obtain credit cards and bank loans, pay bills, take out mobile phones and more by using our identity. Victims of identity theft suffer from damaged credit reports, drained bank accounts and even a criminal record.
 Some identity thieves will give your personal information when they are arrested. This causes embarrassment to you, as it creates a criminal record in your name. Often victims of identity theft do not find out they have been victimised until they receive their bank statement or credit card statement in the post, or when they are turned down for a loan or flat rental.
P3.2 - Task 2 – Define and explain the potential risk to an organisation's e-commerce system from fraud and phishing scams and ID theft.

P3.3 - Potential risks to an organisation – Piggybacking




Over half of UK internet users have admitted using other people's Wi-Fi networks to piggyback onto the internet. It is estimated that 54 per cent of respondents had used someone else's wireless internet access without permission. Even Google.
Many internet-enabled homes fail to properly secure their wireless connection with passwords and encryption, allowing passers-by and neighbours to 'steal' their internet access. Although most businesses have security measures in place to protect their Wi-Fi networks, the protections many companies have in place are too light to stop a determined piggybacker.
Piggybacking occurs when a user with a laptop or Wi-Fi connection connects to an unprotected network. Routers can be protected by a WEP key or WPA protection through 16 or 32 bit encryption and network protocols. But many modems made by the same company have the same initial password for connecting to the router's administrative functions, or have no WEP or WPA protection set, allowing a user to connect and download without restrictions in the same way a user could use an unprotected Wi-Fi hotspot.
The worst case scenario is an external user connecting not just to the internet through the Wi-Fi but to the network, giving that user access to and control over stored files, leading to deletion, corruption and industrial espionage.
P3.3 - Potential risks to an organisation – DDos
Denial-of-service attacks come in a variety of forms and aim at a variety of services. There are
three basic types of attack:
◦ consumption of scarce, limited, or non-renewable resources
◦ destruction or alteration of configuration information
◦ physical destruction or alteration of network components
Consumption of Scarce Resources
Computers and networks need certain things to operate: network bandwidth, memory and disk
space, CPU time, data structures, access to other computers and networks, and certain
environmental resources such as power, cool air, or even water.
 Network Connectivity Denial-of-service attacks are most frequently executed against network
connectivity. The goal is to prevent hosts or networks from communicating on the network. An
example of this type of attack is the "SYN flood" attack described in
http://www.cert.org/advisories/CA-1996-21.html
 In this type of attack, the attacker begins the process of establishing a connection to the victim
machine, but does it in such a way as to prevent the ultimate completion of the connection. In
the meantime, the victim machine has reserved one of a limited number of data structures
required to complete the impending connection. The result is that legitimate connections are
denied while the victim machine is waiting to complete bogus "half-open" connections.
 You should note that this type of attack does not depend on the attacker being able to
consume your network bandwidth. In this case, the intruder is consuming kernel data
structures involved in establishing a network connection. The implication is that an intruder
can execute this attack from a dial-up connection against a machine on a very fast network.
(This is a good example of an asymmetric attack.)
P3.3 - Potential risks to an organisation – DDos
Bandwidth Consumption
An intruder may also be able to consume all the available bandwidth on your network
by generating a large number of packets directed to your network. Typically, these
packets are ICMP ECHO packets, but in principle they may be anything. Further, the
intruder need not be operating from a single machine; he may be able to coordinate or
co-opt several machines on different networks to achieve the same effect.
Consumption of Other Resources
In addition to network bandwidth, intruders may be able to consume other resources
that your systems need in order to operate. For example, in many systems, a limited
number of data structures are available to hold process information (process
identifiers, process table entries, process slots, etc.). An intruder may be able to
consume these data structures by writing a simple program or script that does
nothing but repeatedly create copies of itself. Many modern operating systems have
quota facilities to protect against this problem, but not all do. Further, even if the
process table is not filled, the CPU may be consumed by a large number of processes
and the associated time spent switching between processes. Consult your operating
system vendor or operating system manuals for details on available quota facilities for
your system.
P3.3 - Potential risks to an organisation – DDos
Using Your Own Resources Against You
An intruder can also use your own resources against you in
unexpected ways. One example is described in
http://www.cert.org/advisories/CA-1996-01.html
In this attack, the intruder uses forged UDP packets to connect the echo service on one machine to the chargen service on another machine. The result is that the two services consume all available network bandwidth between them. Thus, the network connectivity for all machines on the same networks as either of the targeted machines may be affected.
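Both conditions described above, the pile-up of half-open connections from the SYN flood passage and the echo-to-chargen loop from this one, leave traces in a host's connection table. The following example is added here and is not code from the page or from CERT: it runs the two checks over constructed connection records (the record layout, loosely modelled on netstat output, the addresses and the backlog size are assumptions made for the example).

```python
"""Two denial-of-service indicators over constructed connection records.

Record layout (constructed for this example):
    proto  local_addr:port  remote_addr:port  state
"""
from collections import Counter

ECHO_PORT = 7      # echo service (RFC 862)
CHARGEN_PORT = 19  # character generator service (RFC 864)

# Constructed sample: one normal session on port 80, four half-open
# connections against the same service from different source addresses,
# one SSH session, a forged UDP flow tying echo on one host to chargen on
# another, and an ordinary DNS exchange.
SAMPLE_RECORDS = """\
tcp 192.0.2.10:80 198.51.100.5:51234 ESTABLISHED
tcp 192.0.2.10:80 203.0.113.1:1025 SYN_RECV
tcp 192.0.2.10:80 203.0.113.2:1025 SYN_RECV
tcp 192.0.2.10:80 203.0.113.3:1025 SYN_RECV
tcp 192.0.2.10:80 203.0.113.4:1025 SYN_RECV
tcp 192.0.2.10:22 198.51.100.7:40000 ESTABLISHED
udp 192.0.2.20:7 192.0.2.21:19 -
udp 192.0.2.30:53 198.51.100.9:3333 -
"""


def parse_records(text):
    """Split each well-formed line into a dict; headers and blanks are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        proto, local, remote, state = parts
        records.append({"proto": proto, "local": local, "remote": remote, "state": state})
    return records


def _port(endpoint):
    return int(endpoint.rsplit(":", 1)[1])


def half_open_per_service(records):
    """Count half-open (SYN_RECV) connections per local service endpoint."""
    return Counter(r["local"] for r in records
                   if r["proto"] == "tcp" and r["state"] == "SYN_RECV")


def backlog_alerts(records, backlog_size, threshold=0.5):
    """Flag services whose half-open count uses at least `threshold` of the
    listen backlog, i.e. of the limited kernel data structures the SYN flood
    exhausts. Returns sorted (service, count, fraction_used) tuples."""
    alerts = []
    for service, count in half_open_per_service(records).items():
        fraction = count / backlog_size
        if fraction >= threshold:
            alerts.append((service, count, round(fraction, 3)))
    return sorted(alerts)


def echo_chargen_loops(records):
    """Return UDP flows whose two endpoints are both echo or chargen ports;
    such a pair bounces traffic back and forth with no further attacker input."""
    loops = []
    for r in records:
        if r["proto"] != "udp":
            continue
        ports = {_port(r["local"]), _port(r["remote"])}
        if ports <= {ECHO_PORT, CHARGEN_PORT}:
            loops.append((r["local"], r["remote"]))
    return loops


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("backlog alerts:", backlog_alerts(recs, backlog_size=8))
    print("echo/chargen loops:", echo_chargen_loops(recs))
```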
P3.3 - Task 3 – Define and explain the potential risk to
an organisation’s e-commerce system from DDos
attacks and Piggybacking.
Page Jacking or Spyware is software that collects and transmits user specific behaviour and
information, with or without permission. Sometimes, permission to collect and transmit is
assumed to have been given simply by the act of installing software or loading a Web page.
Like ads, data collection can be okay if done with consent or for a reasonable purpose. For
example, software that transmits user specific information for the legitimate purpose of
confirming eligibility for updates or upgrades should not be classed as spyware. Programmers
are entitled to ensure that their software is not being pirated, and that the users of pirated
software are not receiving the same benefits as legitimate users.
Pagejacking and spyware are types of intrusive software that can be installed on computers and that collect small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Typically, spyware is secretly installed on the user's personal computer. Sometimes, however, spyware such as keyloggers is installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users, registering key presses and passwords.
While the term spyware suggests software that secretly monitors the user's computing, the
functions of spyware extend well beyond simple monitoring. Spyware programs can collect
various types of personal information, such as Internet surfing habits and sites that have been
visited, but can also interfere with user control of the computer in other ways, such as installing
additional software and redirecting Web browser activity. Spyware is known to change computer
settings, resulting in slow connection speeds, different home pages, and/or loss of Internet
connection or functionality of other programs.
CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The
package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays
pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to
direct DNS lookups to these sites.
HuntBar, aka WinTools, was installed by an ActiveX drive-by download at affiliate Web sites, or
by advertisements displayed by other spyware programs—an example of how spyware can
install more spyware. These programs add toolbars to Internet Explorer, track browsing
behaviour, redirect rival references, and display advertisements.
MyWebSearch has a plug-in that displays a search toolbar near the top of a browser window,
and it spies to report user search-habits. MyWebSearch is notable for installing over 210
computer settings, such as over 210 MS Windows registry keys/values. Beyond the browser, it
has settings to affect Outlook, email, HTML, XML, etc.
Zango (formerly 180 Solutions) transmits detailed information to advertisers about the Web
sites which users visit. It also alters HTTP requests for rival advertisements linked from a Web
site, so that the advertisements make unearned profit for the 180 Solutions company. It opens
pop-up ads that cover over the Web sites of competing companies.
Zlob trojan, or just Zlob, downloads itself to a computer via an ActiveX codec and reports
information back to the company. Some information can be the search-history, the Websites
visited, and even keystrokes. More recently, Zlob has been known to hijack routers set to
defaults.
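The hosts-file rewriting attributed to CoolWebSearch above leaves a trace that can be checked on a managed machine. The following example is added here and is not code from the page: the hosts file content, the watch list of names that should never be pinned locally, and the internal address range are all constructed for the example.

```python
"""Check a hosts file for entries that redirect or blackhole watched names,
the technique described for CoolWebSearch. Constructed example."""
import ipaddress

# Constructed hosts file, loosely modelled on the Windows layout.
SAMPLE_HOSTS = """\
# Hosts file (constructed example)
127.0.0.1       localhost
::1             localhost
10.1.2.3        intranet.example
203.0.113.7     search.example          # search engine sent to another address
127.0.0.1       updates.antivirus.example
"""

# Constructed watch list: search engines and security-vendor update hosts
# should never be resolved from the hosts file on a managed machine.
WATCHED_NAMES = {"search.example", "updates.antivirus.example"}
# Constructed internal range: names pinned to these addresses are expected.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_hosts(text):
    """Return (address, [names]) per entry, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        entries.append((ipaddress.ip_address(addr), [n.lower() for n in names]))
    return entries


def _is_internal(addr):
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETWORKS)


def hosts_alerts(text, watched=WATCHED_NAMES):
    """Return (name, address, reason) findings.

    A watched name mapped to loopback blocks the service (e.g. AV updates);
    mapped anywhere else it silently redirects the user. Any other public
    name pinned to an outside address is reported as well."""
    findings = []
    for addr, names in parse_hosts(text):
        for name in names:
            if name in watched:
                reason = ("watched name blackholed to loopback" if addr.is_loopback
                          else "watched name redirected to another address")
                findings.append((name, str(addr), reason))
            elif name != "localhost" and not _is_internal(addr):
                findings.append((name, str(addr), "name pinned to an outside address"))
    return findings


if __name__ == "__main__":
    for finding in hosts_alerts(SAMPLE_HOSTS):
        print(finding)
```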
P3.4 - Task 4 – Define and explain the potential risk to an organisation’s e-commerce system
from Spyware attack.
Choosing a secure password is one of the easiest and least expensive
ways to guard against unauthorized access. Unfortunately, too many
people prefer to use an easy-to-remember password.
 If your password is obvious to you, however, it may also be easy for a
hacker to figure out. The following guidelines for selecting passwords
should be part of your organisation’s security policy. It is especially
important for network administrators to choose difficult passwords, and
also to keep passwords confidential and to change them frequently.
 Tips for making and keeping passwords secure include the following:
◦ Always change system default passwords after installing new programs
or equipment. For example, after installing a router, the default
administrator’s password on the router might be set by the
manufacturer to be “1234” or the router’s model number.
◦ Do not use any word that might appear in a dictionary. Hackers can use
programs that try a combination of your user ID and every word in a
dictionary to gain access to the network. This is known as a dictionary
attack, and it is typically the first technique a hacker uses when trying
to guess a password (besides asking the user for her password).

◦ Do not use familiar information, such as your name, nickname, birth date,
anniversary, pet’s name, child’s name, spouse’s name, user ID, phone
number, address, or any other words or numbers that others might
associate with you.
◦ Make the password longer than eight characters—the longer, the better.
Some operating systems require a minimum password length (often, eight
characters), and some might also restrict the password to a maximum
length.
◦ Choose a combination of letters and numbers; add special characters,
such as exclamation marks or hyphens, if allowed. Also, if passwords are
case sensitive, use a combination of uppercase and lowercase letters.
◦ Change your password at least every 60 days, or more frequently, if
desired. If you are a network administrator, establish controls through the
NOS to force users to change their passwords at least every 60 days. If
you have access to sensitive data, change your password even more
frequently.
◦ Do not write down your password or share it with others.
◦ Do not reuse passwords after they have expired.
◦ Use different passwords for different applications. For example,
choose separate passwords for your e-mail program, online banking,
remote access connection, dial-up connection, and so on. That way, if
someone learns one of your passwords she won’t necessarily be able to
access all of your secured accounts.
 Password guidelines should be clearly communicated to everyone in your organisation through your security policy. Although users might grumble about choosing a combination of letters and numbers and changing their passwords frequently, you can assure them that the company's financial and personnel data is safer as a result. No matter how much your colleagues protest, do not back down from your password requirements. Many companies mistakenly require employees only to use a password, and don't help them choose a good one. This oversight increases the risk of security breaches.
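A policy that is only written down is easy to ignore; the guidelines above can also be enforced when a password is chosen. The following example is added here and is not code from the page: it applies the listed rules (default passwords, dictionary words, familiar information, length over eight characters, mixed character classes, no reuse after expiry, a separate password per application, change within 60 days) to a candidate password. The default-password list, the stand-in dictionary and the fingerprint scheme are assumptions made for the example.

```python
"""Apply the password guidelines above to a candidate password.
Constructed example: word lists and fingerprint scheme are stand-ins."""
import hashlib
import re
from datetime import date

DEFAULT_PASSWORDS = {"1234", "admin", "password"}  # constructed vendor defaults
DICTIONARY_WORDS = {"summer", "dragon", "welcome", "letmein", "football"}  # stand-in
MIN_LENGTH = 9        # "longer than eight characters"
MAX_AGE_DAYS = 60     # "change your password at least every 60 days"


def fingerprint(password):
    """Value kept for expired passwords so reuse can be detected without
    storing plaintext. Plain SHA-256 keeps the example self-contained; a real
    password store would use a salted, deliberately slow password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _contains_any(password, words):
    lowered = password.lower()
    return any(len(w) >= 3 and w.lower() in lowered for w in words)


def check_password(password, familiar=(), model_number=None, history=()):
    """Return the list of guidelines the password breaks (empty list = passes).

    familiar:     names, dates, user IDs etc. that others associate with the user
    model_number: the device model number, which some vendors use as a default
    history:      fingerprints of the user's expired passwords
    """
    problems = []
    lowered = password.lower()
    if lowered in DEFAULT_PASSWORDS or (model_number and lowered == model_number.lower()):
        problems.append("system default password")
    if _contains_any(password, DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if _contains_any(password, familiar):
        problems.append("contains familiar information")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs both letters and numbers")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both uppercase and lowercase letters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a special character")
    if fingerprint(password) in history:
        problems.append("reuses an expired password")
    return problems


def password_expired(last_changed_iso, today_iso=None):
    """True once a password is MAX_AGE_DAYS old or older (ISO date strings)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return (today - last_changed).days >= MAX_AGE_DAYS


def shared_passwords(accounts):
    """Given {application: password}, return groups of applications that share
    one password; the guideline asks for a different password per application."""
    groups = {}
    for app, password in accounts.items():
        groups.setdefault(fingerprint(password), []).append(app)
    return sorted(sorted(apps) for apps in groups.values() if len(apps) > 1)


if __name__ == "__main__":
    print(check_password("Dragon2024!", familiar=("alice", "1985")))
    print(shared_passwords({"email": "T7#kq9Lm-xP", "bank": "Qz4!vbn8Rt", "vpn": "T7#kq9Lm-xP"}))
```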
P3.5 - Task 5 – Define and explain the potential risk to an organisation’s
e-commerce system from losing or inadequate use of Passwords.
Returns – All purchases on the Internet except food have a cooling-off period under the Distance Selling Regulations. The cooling-off period will not apply if:
 you bought certain goods and services which the law says aren't covered by a cooling-off period
 you're a business buyer
 you bid for something in an online auction
 you bought from a private individual
 you agreed for a service, such as broadband, to start straight away. This depends on when the trader gives you certain information.
It is not uncommon for shoppers to buy things for an occasion and then return them after use for a full refund. On the internet this is more difficult to police and more difficult to confront; in a high street shop the staff can check the item there and then.
The 7-day cooling-off period needs to take into account the time it takes to post and return the goods; in theory, the period comes to an end the moment the user declares that they are returning the item.
If you bought any of the following goods or services, you will not have an automatic
right to a cooling-off period:
 something personalised or made-to-order
 something perishable - for example, food or flowers
 newspapers or magazines
 a CD, DVD or computer software where the security seal has been broken
 something bought by bidding through an online auction
 something whose price is dependent on changes in the financial market - for example, central heating oil
 a new service that starts immediately - for example, paying for access to a
website
 accommodation, transport, catering and leisure services to be delivered on a
specific date - for example, train tickets, hotel and restaurant bookings, taxis
and theatre tickets
 gaming, betting or lottery services
 timeshare agreements
 something where the trader has informed you before finalising the contract in
writing or email that you will not be allowed to cancel once the service has
begun.
Payments – People generally do not trust payment systems online; the added security often adds to these problems rather than alleviating the issue. Having an Amazon account, playing apps and accidentally tapping for more lives in a fruit-drop game can rack up an automatic bill. 'Buy it now' on eBay commits the user to the purchase but still has a back-out clause.
There are thousands of cases on the internet of children running up bills on their parents' online accounts, and of children accidentally buying goods off eBay.
Similarly, keeping track of payments and how much money has been spent is easier on the high street, because the payments are more personal.
P3.6 - Task 6 – Define and explain the potential risk to
an organisation’s e-commerce system from Payments
and Return issues.
P3.7 - Task 7 - Create a table listing all the various types of threats to an e-commerce system and their data. In a second column, describe in detail the nature of the threat.

Threats to Company Data                     | Nature of the Threat                                 | Risk of Damage                                       | Impact and response
A Virus Attack                              | External attack running the risk of corrupting data. | Medium to data, High to Customer Account Information |
Payment and Returns issues                  |                                                      |                                                      |
Identity Theft of a Staff Member            | External                                             |                                                      |
Piggybacking on Network                     |                                                      |                                                      |
Successful Hacking attempt                  |                                                      |                                                      |
Successful Denial of Service Attack         |                                                      |                                                      |
Loss of control through Spyware and Malware |                                                      |                                                      |
Password Theft                              |                                                      |                                                      |
 A firewall is a security-conscious router that sits between the Internet and your network with a single purpose: preventing external attacks. The firewall acts as a security guard between the Internet and your network. All network traffic into and out of the system must pass through the firewall, which prevents unauthorised access to the network. Some type of firewall is a must-have if your network has a connection to the Internet, whether that connection is broadband, T1, or some other high-speed connection. Without it, sooner or later a hacker will discover and breach your unprotected network.
 You can set up a firewall in two basic ways. The easiest way is to purchase a firewall appliance, which is basically a self-contained router with built-in firewall features, like those from ZoneAlarm or Sophos. Most firewall appliances include a Web-based interface that enables you to connect to the firewall from any computer on your network using a browser. You can then customise the firewall settings to suit your needs.
 Alternatively, you can set up a server computer to function as a firewall computer. The server can run just about any network operating system, but most dedicated firewall systems run Linux. Whether you use a firewall appliance or a firewall computer, the firewall must be located between your network and the Internet. One side of the firewall is connected to a network hub, which is, in turn, connected to the other computers on the network. The other end of the firewall is connected to the Internet. As a result, all traffic from the LAN to the Internet and vice versa must travel through the firewall.
SSL (Secure Sockets Layer) is a method of
encrypting TCP/IP transmissions – including Web
pages and data entered into Web forms - en route
between the client and server using public key
encryption technology. If you trade stocks
or purchase goods on the Web, for example,
you are most likely using SSL to transmit your
order information. SSL is popular and used widely.
The most recent versions of Web browsers, such as
Firefox and Internet Explorer, include SSL client
support in their software.
If you have used the Web, you have probably noticed that URLs for most Web
pages begin with the HTTP prefix, which indicates that the request is handled
by TCP/IP port 80 using the HTTP protocol. When Web page URLs begin with
the prefix HTTPS (which stands for HTTP over Secure Sockets Layer or HTTP
Secure), they require that their data be transferred from server to client and
vice versa using SSL encryption. HTTPS uses the TCP port number 443, rather
than port 80. After an SSL connection has been established between a Web
server and client, the client’s browser indicates this by showing a padlock in
the lower-right corner of the screen in the browser’s status bar, in the URL
textbox, or elsewhere.
Each time a client and server establish an SSL connection, they also
establish a unique SSL session: an association between the client and
server defined by an agreement on a specific set of encryption techniques
(the cipher suite) and the secret keys derived for it. An SSL session allows
the client and server to continue to exchange data securely for as long as
the client stays connected to the server, and it can be resumed on later
connections so that the full set-up need not be repeated.
An SSL session is created by the SSL handshake protocol, one of several
protocols within SSL and perhaps the most significant. As its name implies,
the handshake protocol lets the client and server introduce themselves and
establishes the terms on which they will securely exchange data: the client
offers the protocol versions and cipher suites it supports, the server picks
one and proves its identity with its certificate, and the two then agree the
session keys. Client authentication is optional and rarely used on public
Web sites; normally only the server is authenticated.
For example, when you are connected to the Web and open your bank's
account-access URL, your browser initiates an SSL connection with the
handshake protocol before any page content or login details are sent.
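The negotiation the handshake paragraphs describe, written out as a server would perform it. This is an added example, not code from the original unit: the ClientHello bytes are built by the example's own build_client_hello() rather than captured from a browser, the cipher-suite names are real IANA code points, and the server policy (its preference order and a TLS 1.2 minimum) is an assumption chosen to show why an old client, or one offering only weak suites, is refused.

```python
"""Server-side view of the SSL/TLS handshake: parse a ClientHello and pick a
cipher suite. Added example, not code from the original unit. The ClientHello
is constructed by build_client_hello() rather than captured from a real client,
and the server policy below is this example's own assumption. Only the fields
the negotiation needs are decoded."""
import struct
from typing import Any, Dict, List, Optional

# Real IANA cipher-suite code points (value -> name).
CIPHER_SUITES: Dict[int, str] = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Protocol version numbers as they appear on the wire.
SSL_3_0, TLS_1_0, TLS_1_2 = 0x0300, 0x0301, 0x0303

# Example server policy (an assumption, not from the unit): the server's own
# preference order wins, and anything older than TLS 1.2 is refused.
SERVER_PREFERENCE: List[int] = [0xC030, 0xC02F, 0x002F]
MIN_VERSION = TLS_1_2


def build_client_hello(version: int, suites: List[int], client_random: bytes = bytes(32)) -> bytes:
    """Assemble a minimal TLS record carrying a ClientHello (no extensions)."""
    body = struct.pack("!H", version) + client_random          # client_version, random
    body += b"\x00"                                            # empty session_id
    body += struct.pack("!H", 2 * len(suites))                 # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", TLS_1_0, len(handshake)) + handshake  # record header


def parse_client_hello(record: bytes) -> Dict[str, Any]:
    """Decode the fields the server needs; raise on anything malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                   # skip the 32-byte client random
    pos += 1 + body[pos]                           # skip session_id
    if pos + 2 > len(body):
        raise ValueError("missing cipher_suites")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": version, "cipher_suites": suites}


def negotiate(hello: Dict[str, Any], preference: List[int] = SERVER_PREFERENCE,
              min_version: int = MIN_VERSION) -> Optional[int]:
    """Return the chosen suite, or None when the server must send a fatal alert."""
    if hello["version"] < min_version:
        return None                                # protocol_version alert
    offered = set(hello["cipher_suites"])
    for suite in preference:                       # server order, not client order
        if suite in offered:
            return suite
    return None                                    # handshake_failure alert


if __name__ == "__main__":
    for label, version, suites in [
        ("modern browser", TLS_1_2, [0x002F, 0xC02F, 0xC030]),
        ("legacy client", TLS_1_0, [0x0004, 0x000A]),
        ("weak suites only", TLS_1_2, [0x0004]),
    ]:
        chosen = negotiate(parse_client_hello(build_client_hello(version, suites)))
        print(f"{label}: {CIPHER_SUITES.get(chosen, 'refused')}")
```

The modern client lists the weakest suite first, yet the server still ends up on AES-256-GCM because the server's preference decides; the legacy and weak-only clients get no session at all, which is the intended outcome of a minimum-version policy.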
M2.1 - Task 8 – Define and explain how Firewalls and SSL security
can protect information on an organisation’s e-commerce
system.
A digital certificate is a signed file that binds an identity (an
individual, or more usually a server name such as an e-commerce site's
hostname) to a public key. It is not secret and is not encrypted: it is
sent to anyone who connects, and its value lies in the signature of the
organisation that issued it. The private key matching the certificate's
public key is the secret, and that file is normally kept encrypted under a
password. In the context of digital certificates, the public key in the
certificate is what a recipient uses to verify the holder's digital
signature, or to encrypt data that only the holder can read. An
organisation that issues and maintains digital certificates is known as a
CA (certificate authority). For example, on the Internet a certificate
authority such as VeriSign (whose certificate business is now part of
DigiCert) will, for a fee, check that you control the name in the
certificate, sign the certificate with the CA's own key, and publish
revocation information if your key is later compromised. Anyone who wants
to send encrypted data to you (for example, an order via your e-commerce
site) can then check the CA's signature to confirm that the certificate is
indeed yours before trusting the key inside it.
The use of certificate authorities to associate public keys with named
users and servers, together with the rules and software for issuing,
checking and revoking certificates, is known as PKI (public key
infrastructure). A browser accepts a certificate only if its chain of
signatures leads back to one of the CAs in the browser's built-in trust
store, so a certificate signed by an unknown or self-created CA produces a
warning.
Encryption refers to the process of translating plain-text information into a secret code
so that unauthorised users cannot read the data. Encryption is not new: secret agents
have long used codebooks to encode messages, and breaking the code has always
been one of the top priorities of counter-intelligence.
Both Windows 2000 Server and Windows Server 2003 have a feature called Encrypting
File System, or EFS for short, that lets you save data on disk in encrypted form; later
Windows versions keep EFS and add full-volume encryption with BitLocker. This
prevents others from reading your data even if they manage to get their hands on
your files.
Encryption is especially useful in environments where the server cannot be physically
secured. If a thief steals the server computer (or just its hard drive), he or she may
be able to bypass the Windows security features and read the data on the drive by
using low-level disk tools or simply by mounting the drive on another machine. If the
files are stored in encrypted form, however, the thief's efforts are wasted because the
files are unreadable without the key. The protection is only as good as the place the
key is kept: if the key sits on the same stolen disk, or is protected only by a weak
user password, the encryption adds little.
All forms of encryption use some sort of key to encrypt and decrypt the data. In World
War II and Cold War spy movies, the key is a codebook that has a list of code words or
phrases that match up to real words or phrases.
The most basic type of data encryption, called symmetric encryption, uses a single numeric key to
apply mathematical operations to the source data in order to translate the data into encrypted form.
These operations are reversible, so if you know the key, you can reverse the process and decrypt the data. For
example, suppose that the encryption technique is as simple as shifting every letter of the alphabet up by the
value of the key. Thus, if the key is 3, then A becomes D, B becomes E, and so on. The message "Elementary, my dear
Watson" becomes "Hohphqwdub, pb ghdu Zdwvrq." This message is incomprehensible unless you know the key;
then reconstructing the original message is easy. (With only 25 possible keys, of course, an attacker can simply
try them all, which is why real keys must be large.)
The actual keys and algorithms used for cryptography are much more complicated. Keys are binary
numbers: 40-bit keys were once common for export reasons but can be brute-forced quickly on ordinary
hardware, and current symmetric ciphers such as AES use 128- or 256-bit keys. The classic dilemma of
symmetric cryptography is this: how can I securely send the key to the person with whom I want to exchange
messages? You cannot simply encrypt the key, because the other person would need to know the key in order to
decrypt it. That is where public key encryption comes into play. Public key encryption is a technique in which
two mathematically related keys are used: a private key, which is kept secret, and a public key, which can be
given to anyone. Data encrypted with the public key can be decrypted only with the private key, so anyone can
send you a message that only you can read; conversely, something signed with the private key can be checked by
anyone holding the public key, which is how digital signatures work. Because public key operations are slow,
they are used to exchange or agree a symmetric session key, and the symmetric cipher then protects the bulk of
the data; this is exactly what the SSL handshake does.
Other methods include:
◦ transposition - characters switched around
◦ substitution - characters replaced by other characters (the shift cipher above is a simple substitution)
Cryptography serves 3 purposes:
◦ Helps to identify authentic users (authentication)
◦ Prevents undetected alteration of the message (integrity)
◦ Prevents unauthorised users from reading the message (confidentiality)
Encryption Keys
◦ A symmetric key may be sent with the message, sent separately afterwards, or held in advance on the systems
of both the user and the client; whichever is chosen, the key itself must be protected, since anyone who
captures it can read everything it encrypts.
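A toy public key infrastructure covering both the digital-certificate slide earlier and the public-key paragraph just above: textbook RSA with small keys, a certificate that binds a name to a public key, a CA that signs it, and a browser-style check against a trust store. This is an added example, not code from the unit; the names (Example Root CA, shop.example.com), the seeds and the order data are constructed, and textbook RSA without padding and with a 128-bit modulus is deliberately insecure and shows only the mechanics.

```python
"""Toy PKI: textbook RSA plus a one-level certificate authority.
Added example for the public-key and digital-certificate passages; not code
from the original unit. Textbook RSA (no padding, 128-bit modulus) is NOT
secure; it only makes the mechanics visible. Names, seeds and order data are
constructed for the demo."""
import hashlib
import random
from typing import Dict, NamedTuple, Optional, Tuple


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test; good enough for a demo."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # right size, odd
        if is_probable_prime(candidate):
            return candidate


PublicKey = NamedTuple("PublicKey", [("n", int), ("e", int)])     # can be published
PrivateKey = NamedTuple("PrivateKey", [("n", int), ("d", int)])   # must stay secret


def generate_keypair(bits: int = 128, seed: Optional[int] = None) -> Tuple[PublicKey, PrivateKey]:
    """A seed makes the demo reproducible; real keys must never be generated this way."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return PublicKey(p * q, e), PrivateKey(p * q, pow(e, -1, phi))


def encrypt(pub: PublicKey, m: int) -> int:       # anyone with the public key can encrypt
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, c: int) -> int:     # only the private key can decrypt
    return pow(c, priv.d, priv.n)


def digest(msg: bytes, n: int) -> int:            # hash first, then sign the hash
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv: PrivateKey, msg: bytes) -> int:    # the private key produces the signature
    return pow(digest(msg, priv.n), priv.d, priv.n)


def verify(pub: PublicKey, msg: bytes, sig: int) -> bool:   # the public key checks it
    return pow(sig, pub.e, pub.n) == digest(msg, pub.n)


class Certificate(NamedTuple):
    subject: str            # whose key this is, e.g. the shop's hostname
    issuer: str             # the CA that vouches for the binding
    public_key: PublicKey
    signature: int          # the CA's signature over the three fields above


def to_be_signed(subject: str, issuer: str, pub: PublicKey) -> bytes:
    return f"{subject}|{issuer}|{pub.n}|{pub.e}".encode()


def issue_certificate(ca: str, ca_priv: PrivateKey, subject: str, pub: PublicKey) -> Certificate:
    return Certificate(subject, ca, pub, sign(ca_priv, to_be_signed(subject, ca, pub)))


def verify_certificate(cert: Certificate, trusted_roots: Dict[str, PublicKey]) -> bool:
    """Accept only if a CA in the trust store signed this name/key binding."""
    root = trusted_roots.get(cert.issuer)
    return root is not None and verify(root, to_be_signed(cert.subject, cert.issuer, cert.public_key), cert.signature)


def demo() -> Dict[str, object]:
    ca_pub, ca_priv = generate_keypair(seed=1)
    shop_pub, shop_priv = generate_keypair(seed=2)
    rogue_pub, rogue_priv = generate_keypair(seed=3)
    trusted = {"Example Root CA": ca_pub}             # the browser's trust store
    genuine = issue_certificate("Example Root CA", ca_priv, "shop.example.com", shop_pub)
    # An attacker can write the CA's name as issuer but cannot sign with the CA's key.
    forged = issue_certificate("Example Root CA", rogue_priv, "shop.example.com", rogue_pub)
    order, receipt = 4242, b"order 4242 accepted"      # the order number must be < n
    return {
        "genuine_accepted": verify_certificate(genuine, trusted),
        "forged_accepted": verify_certificate(forged, trusted),
        "order_decrypted": decrypt(shop_priv, encrypt(genuine.public_key, order)),
        "receipt_verified": verify(genuine.public_key, receipt, sign(shop_priv, receipt)),
        "tampered_verified": verify(genuine.public_key, b"order 4242 refunded", sign(shop_priv, receipt)),
    }
```

Running demo() gives genuine_accepted True and forged_accepted False: the forged certificate carries the right issuer name and the right subject, but the trust-store key does not verify its signature, which is the whole check a browser performs before it draws the padlock. The last two entries show the same keys used the other way round for a signature.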
The best way to protect your network from virus infection is to use an antivirus program. These
programs have a catalogue of many thousands of known viruses (signatures) that they can detect and
remove. In addition, they can spot the types of changes that viruses typically make to your computer's
files, thus decreasing the likelihood that some previously unknown virus will go undetected. Two of the
best-known antivirus programs for Windows are Norton AntiVirus and McAfee's VirusScan.
The people who make antivirus programs have their fingers on the pulse of the virus world and
frequently release updates to their software to combat the latest viruses. Because virus writers are
constantly developing new viruses, your antivirus software is next to worthless unless you keep it up to
date by downloading the latest signature updates (often called DAT files). The following are several
approaches to deploying antivirus protection on your network:
◦ You can install antivirus software on each network user's computer. This technique would be the
most effective if you could count on all your users to keep their antivirus software up to date.
Because that is an unlikely proposition, you may want to adopt a more reliable approach to virus
protection.
◦ Managed antivirus services place antivirus client software on each client computer in your network.
An antivirus server then updates the clients automatically on a regular basis to make sure that
they are kept up to date, and reports any machine whose protection has lapsed.
◦ Server-based antivirus software protects your network servers from viruses. For example, you can
install antivirus software on your mail server to scan all incoming mail for viruses and remove them
before your network users ever see them.
◦ Some firewall appliances include antivirus enforcement checks that do not allow your users to access
the Internet unless their antivirus software is up to date. This does not replace the other approaches,
but it closes the gap they leave: a machine with stale definitions is refused network access rather
than silently left unprotected.
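The two detection methods the first antivirus paragraph mentions (a catalogue of known viruses, and spotting changes to files) together with the definitions-freshness check, as an added example rather than code from the unit or from any vendor. The file contents and dates are constructed; the EICAR string is the real industry test sample, harmless by design, and the small signature list here stands in for a vendor's DAT file.

```python
"""How an antivirus engine decides a file is malicious, and why its definitions
must stay current. Added example, not code from the original unit. The "files"
are an in-memory dict constructed for the demo; the only real data is the EICAR
test string, the industry-standard harmless sample that every antivirus product
is expected to detect."""
import hashlib
from datetime import date
from typing import Dict, List, Optional

EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Stand-in for the vendor's definition (DAT) file. Exact-hash signatures catch a
# known sample byte for byte; byte-pattern signatures also survive trivial edits.
DEFINITIONS = {
    "updated": date(2024, 6, 1),                       # constructed date for the demo
    "hashes": {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"},
    "patterns": {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR-Test-File.variant"},
}

# Constructed "disk": file name -> contents.
SAMPLE_FILES: Dict[str, bytes] = {
    "invoice.txt": b"Invoice 1042: 3 x widget @ 9.99",
    "eicar.com": EICAR,
    "eicar_padded.com": EICAR + b"\x00" * 16,          # same sample, one trivial change
    "checkout.exe": b"MZ\x90\x00 original checkout program",
}
# Trusted hashes recorded when the programs were installed.
BASELINE = {"checkout.exe": hashlib.sha256(SAMPLE_FILES["checkout.exe"]).hexdigest()}


def scan(files: Dict[str, bytes], definitions: dict = DEFINITIONS) -> Dict[str, List[str]]:
    """Signature scan: per file, the names of the signatures that matched (empty = clean)."""
    report: Dict[str, List[str]] = {}
    for name, data in files.items():
        hits: List[str] = []
        hash_label = definitions["hashes"].get(hashlib.sha256(data).hexdigest())
        if hash_label:
            hits.append("hash:" + hash_label)
        for pattern, pattern_label in definitions["patterns"].items():
            if pattern in data:
                hits.append("pattern:" + pattern_label)
        report[name] = hits
    return report


def changed_files(baseline: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """The heuristic from the text: a program whose bytes differ from its trusted
    baseline has been modified, which is what a file-infecting virus does, even
    when no signature matches the new code."""
    changed = []
    for name, expected in baseline.items():
        if name in files and hashlib.sha256(files[name]).hexdigest() != expected:
            changed.append(name)
    return sorted(changed)


def definitions_are_stale(definitions: dict = DEFINITIONS, today: Optional[date] = None,
                          max_age_days: int = 7) -> bool:
    """Out-of-date signatures miss everything released since the last update."""
    today = today or date.today()
    return (today - definitions["updated"]).days > max_age_days


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_FILES).items():
        print(f"{name}: {'INFECTED ' + ', '.join(hits) if hits else 'clean'}")
    infected = dict(SAMPLE_FILES, **{"checkout.exe": SAMPLE_FILES["checkout.exe"] + b" + injected code"})
    print("modified since baseline:", changed_files(BASELINE, infected))
    print("definitions stale:", definitions_are_stale())
```

The padded copy of the test file is missed by the exact-hash signature and caught only by the byte pattern, which is why real products layer several signature types and why a single hash list is easy for a virus writer to evade; the baseline check catches a modified program that matches no signature at all.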
M2.2 - Task 9 – Define and explain how Antivirus software, Encryption and Digital Certificates can
protect information on an organisation’s e-commerce system.
Antivirus
Digital Certificate
Encryption
Since the Internet was opened to public and commercial use in the early 1990s there has
been case after case of attacks, breaches, viruses and incidents, and even with new
technologies and improved security (SSL/TLS, cloud computing, biometrics) the problems
continue. Viruses are not the threat to home users that they once were, but a worm
(Stuxnet, discovered in 2010 and widely attributed to the US and Israeli governments)
was still used to sabotage Iran's uranium-enrichment centrifuges, and the story was
reported in detail in 2012.
Firewalls have been improved immeasurably, but Sony was still hacked. Lone hackers like
Kevin Mitnick are rarer now than organised groups: in April 2013 the Anonymous
collective claimed the hijacking of North Korea's official Twitter and Flickr accounts.
High-profile cases such as WikiLeaks and the recent Facebook hack make the news, but the
most capable attackers are rarely caught.
M2.3 – Task 10 - Research the impact that 3 different cases of website security
breaches have had on society.
Three cases should be discussed from the three categories, at least one from each
category, discussing the threat, the impact on society and how the threat was
resolved.
Case examples could include:
◦ Viruses, Trojans and Worms (Sober, ILOVEYOU, Lovesan/Blaster)
◦ Hackers (Adrian Lamo, Kevin Mitnick, MafiaBoy); the Sony, Facebook and Twitter breaches
◦ Identity theft (Abraham Abdallah)
◦ Phishing (Nigerian oil, or 419, advance-fee scams; 180 Solutions)
P3.1 - Task 1 – Define and explain the potential risk to an organisation's e-commerce system from hacking attacks and viruses.
P3.2 - Task 2 – Define and explain the potential risk to an organisation's e-commerce system from fraud, phishing scams and ID theft.
P3.3 - Task 3 – Define and explain the potential risk to an organisation's e-commerce system from DDoS attacks and piggybacking.
P3.4 - Task 4 – Define and explain the potential risk to an organisation's e-commerce system from spyware attacks.
P3.5 - Task 5 – Define and explain the potential risk to an organisation's e-commerce system from lost or inadequately used passwords.
P3.6 - Task 6 – Define and explain the potential risk to an organisation's e-commerce system from payment and returns issues.
P3.7 - Task 7 - List all the various types of threats to an e-commerce system and
its data, and describe in detail the nature of each threat.
M2.1 - Task 8 – Define and explain how Firewalls and SSL security can protect
information on an organisation’s e-commerce system.
M2.2 - Task 9 – Define and explain how Antivirus software, Encryption and Digital
Certificates can protect information on an organisation’s e-commerce system.
M2.3 – Task 10 - Research the impact that 3 different cases of website security
breaches have had on society.