
Module/Week 11 & 12:

DESCRIPTIVE TITLE: Electronic Commerce Security


Sub-topics:
1. Online Security Issues Overview
a. Origins of Security on Interconnected Computer Systems
b. Computer Security and Risk Management
c. Elements of Computer Security
d. Establishing a Security Policy
2. Security for Client Devices
a. Cookies and Web Bugs
b. Active Content
c. Graphics and Plug-Ins
d. Viruses, Worms, and Antivirus Software
e. Digital Certificates
f. Steganography
g. Physical Security for Client Devices
h. Client Security for Mobile Devices
3. Communication Channel Security
a. Secrecy Threats
b. Integrity Threats
c. Necessity Threats
d. Threats to the Physical Security of Internet Communications Channels
e. Threats to Wireless Networks
f. Encryption Solutions
g. Encryption in Web Browsers
h. Hash Functions, Message Digest, and Digital Signatures
4. Security for Server Computers
a. Password Attack Threats
b. Database Threats
c. Other Software-Based Threats
d. Threats to the Physical Security of Web Servers
e. Access Control and Authentication
f. Firewall
5. Organizations that Promote Computer Security
a. CERT
b. Other Organizations
c. Computer Forensics and Ethical Hacking

Learning Objectives:
In this chapter, you will learn about:
a. What security risks arise in online business and how to manage them
b. How to create a security policy
c. How to implement security on Web client computers
d. How to implement security in the communication channels between computers
e. How to implement security on Web server computers
f. What organizations promote computer, network, and internet security

Discussion

Online Security Issues Overview


• Today’s high stakes
- Competitor access to messages; digital intelligence
- Credit card number security
• Computer security - protection of assets from unauthorized access, use, alteration, and destruction
• Physical security
- Includes tangible protection devices such as alarms, guards, fireproof doors, security fences, safes or
vaults, and bombproof buildings
• Logical security - protection of assets using nonphysical means
• Threat - any act or object that poses a danger to computer assets
• Countermeasure
- Procedure (physical or logical) that recognizes, reduces, or eliminates a threat. The extent and expense of
countermeasures depend on the importance of the asset at risk.
Managing Risk
• Risk management model (Figure 10-1)
- Four general organizational actions, depending on the impact (cost) and probability of physical threat
- Applicable for protecting Internet and electronic commerce assets from physical and electronic threats

ELEC-1 : E-Commerce and Internet Marketing

SOUTH EAST ASIAN INSTITUTE OF TECHNOLOGY, INC.

Page 1 of 15
• Examples of electronic threats
- Impostors, eavesdroppers, thieves
• Eavesdropper
- Is a person or device that can listen in on and copy Internet transmissions
• Crackers or hackers
- People who write programs or manipulate technologies to obtain unauthorized access to computers and
networks.
• White hat hacker and black hat hacker
- Hacker: originally a dedicated programmer who enjoyed writing complex code that tested the limits of technology.
- The terms distinguish between good hackers (white hat) and bad hackers (black hat)
• Good security scheme implementation
- Organizations must identify risks, determine how to protect threatened assets, and calculate costs to
protect assets.
Elements of Computer Security
• Secrecy: Protecting against unauthorized data disclosure and ensuring data source authenticity
• Integrity: Preventing unauthorized data modification
• Necessity: Preventing data delays or denials (removal)
• An integrity violation occurs, for example, when an e-mail message is intercepted and its contents are changed
before it is forwarded to its original destination.
• Man-in-the-middle exploit: E-mail message intercepted; contents changed before forwarded to original
destination
Security Policy and Integrated Security
• Security policy: written document
- States which assets to protect and why, who is responsible for protecting them, and which behaviors are
acceptable and unacceptable.
- Addresses physical security, network security, access authorizations, virus protection, disaster recovery
• Steps to create a security policy
- Determine assets to protect from threats
- Determine access to various system parts
- Determine resources to protect identified assets
- Develop written security policy
- Commit resources
• Comprehensive security plan goals
- Protect system’s privacy, integrity, availability; authenticate users

• Integrated security
- Having all security measures work together to prevent unauthorized disclosure, destruction,
modification of assets
• E-commerce site security policy points
- Authentication: Who is trying to access site?
- Access control: Who is allowed to log on to and access site?

- Secrecy: Who is permitted to view selected information?
- Data integrity: Who is allowed to change data?
- Audit: Who or what causes specific events to occur, and when?
Security for Client Devices
• Threats to client computers and devices:
- Originate in software and downloaded data
- A malevolent server site masquerades as a legitimate Web site
- Users and their client computers are duped into revealing information
Cookies
• The Internet connection between Web clients and servers is stateless
- Each transmission is independent; that is, no continuous connection (open session) is maintained
between any client and server
• Cookies: small text files that Web servers place on the Web client to identify returning visitors and allow a continuing
open session
- Example: shopping cart and payment processing
• Time duration cookie category
- Session cookies: exist until Web client connection ends
- Persistent cookies: remain on the client computer indefinitely
• Source cookie category
- First-party cookies: Web server site places them on client computer
- Third-party cookies: Different Web site places them on client computer
• Disable cookies entirely
- Complete protection from revealing private information
- Problem:
o Useful cookies are blocked (along with others)
o Full site resources are not available
• Web browsers have settings that allow the user to refuse only third-party cookies or to review each cookie
before it is accepted.
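The two cookie categories above (time duration and source) can be read straight off a Set-Cookie header. The following is an added example, not part of the module text: it parses constructed Set-Cookie headers, labels each cookie session/persistent and first-party/third-party, and mimics the browser setting that refuses only third-party cookies. The registrable-domain helper is a deliberate simplification (last two labels of the host name; no public-suffix list), which is an assumption of this example.

```python
"""Classify Set-Cookie headers by duration and by source.
Added example; header lines and host names below are constructed."""


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def registrable_domain(host):
    """Crude site identity: last two labels (shop.example.com -> example.com).
    Assumption: no public-suffix list, which a real browser would consult."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])


def classify_cookie(header, response_host, page_host):
    """Return duration (session/persistent) and source (first/third party)."""
    name, _value, attrs = parse_set_cookie(header)
    # Time duration: persistent only if the server gave the cookie a lifetime.
    persistent = "expires" in attrs or "max-age" in attrs
    # Source: the cookie's domain (or the responding host) versus the page's site.
    cookie_domain = attrs.get("domain", response_host)
    same_site = registrable_domain(cookie_domain) == registrable_domain(page_host)
    return {
        "name": name,
        "duration": "persistent" if persistent else "session",
        "source": "first-party" if same_site else "third-party",
    }


# Constructed sample: (Set-Cookie value, host that sent it, host of the page).
SAMPLE = [
    ("cart=abc123; Path=/; HttpOnly", "shop.example.com", "shop.example.com"),
    ("prefs=dark; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
     "shop.example.com", "shop.example.com"),
    ("uid=777; Max-Age=31536000; Domain=.adnetwork.example",
     "tracker.adnetwork.example", "shop.example.com"),
]


def classify_all(samples=SAMPLE):
    return [classify_cookie(h, rh, ph) for h, rh, ph in samples]


def browser_filter(samples=SAMPLE, block_third_party=True):
    """Mimic the 'refuse only third-party cookies' browser setting."""
    return [c for c in classify_all(samples)
            if not (block_third_party and c["source"] == "third-party")]


if __name__ == "__main__":
    for c in classify_all():
        print(c)
    print("kept:", [c["name"] for c in browser_filter()])
```

The shopping-cart cookie has no Expires or Max-Age, so it lasts only for the session; the advertising network's cookie is both persistent and third-party, and it is the only one the filter drops.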

Web Bugs
• Tiny graphic that a third-party Web site places on another site’s Web page
• Purpose: provide a way for a third party Web site to place cookies from the third party site on the visitor’s
computer.
• Internet advertising community calls Web bugs “clear GIFs” or “1-by-1 GIFs”
- Graphics created in GIF format with a color value of “transparent,” as small as 1 pixel by 1 pixel
Active Content
• Programs that run when the client device loads the Web page.
• Display moving graphics, download and play audio, or implement Web-based spreadsheet programs.
• Place items into a shopping cart and compute a total invoice amount.
• Advantages: Extends HTML functionality; moves data processing chores to client computer
• Disadvantages: Can damage and pose a threat to the client computer
• Cookies, Java applets, JavaScript, VBScript, ActiveX controls, graphics, Web browser plug-ins, e-mail
attachments can deliver active content
• Scripting languages: provide executable script
- Examples: JavaScript and VBScript
• Applet: small application program, typically runs within Web browser
- Browsers include tools limiting applets’ actions

• Active content modules are embedded in Web pages (transparent to the user)


• Crackers can embed malicious active content
• Trojan horse: Program hidden inside another program or Web page that masks its true purpose.
• Zombie (Trojan horse): Secretly takes over another computer for the purpose of launching attacks on other
computers.
Java Applets
• Java: platform-independent programming language
- provides Web page active content
- Server sends applets with client-requested pages
- Most cases: operation visible to visitor
- Possibility: functions not noticed by visitor
• Advantages: Adds functionality to business applications; relieves server-side programs
• Disadvantage: Possible security violations
• Java sandbox
- Confines Java applet actions to a set of rules defined by the security model
- Rules apply to all untrusted Java applets, that is, applets not established as secure
- Java applets running within sandbox constraints have no full client system access
• Java applet security information
- Java Security Page
o Maintained by Center for Education and Research in Information Assurance and Security (CERIAS)
JavaScript
• Scripting language developed by Netscape
• Enables Web page designers to build active content
• Can be used for attacks; cannot commence execution on its own
ActiveX Controls
• Objects that contain programs and properties Web designers place on Web pages to perform particular tasks
• Run on Windows operating systems computers
• Security danger: Once downloaded, they execute like any other program on the client computer. They have
access to full system resources and can cause secrecy, integrity, and necessity violations
• Web browsers provide notice of ActiveX download or install
Graphics and Plug-Ins
• Graphics, browser plug-ins, and e-mail attachments can harbor executable content
• Code embedded in graphic might harm client computer
• Plug-ins (programs): Enhance browser capabilities (normally beneficial), handle Web content that browser
cannot handle
- Can pose security threats to client computers by executing commands buried within the media being
manipulated.
Viruses, Worms, and Antivirus Software
• Programs display e-mail attachments by automatically executing associated programs
- Word and Excel macro viruses can cause damage to a client device
• Virus: software that attaches itself to another program and causes damage when host program activated
• Worm: virus that replicates itself on computers it infects. It spreads quickly through the Internet
• Macro virus: Small program (macro) embedded in file
• Antivirus software: Detects viruses and worms and either deletes or isolates them on client computer
- Symantec and McAfee
o Keep track of viruses, sell antivirus software
- Only effective if antivirus data files kept current

Digital Certificates
• Digital certificate (digital ID)
- An e-mail message attachment or a program embedded in a Web page that verifies the identity of the sender or Web site.
- Contains a means to send an encrypted message, encoded so others cannot read it.
- Signed message or code that provides proof that the holder is the person identified by the certificate
- Used for online transactions including electronic commerce, electronic mail, and electronic funds
transfers

• Certification authority (CA): Issues digital certificates to organizations or individuals
• Digital certificates cannot be forged easily
• Six main elements
- Certificate owner’s identifying information
- Certificate owner’s public key
- Dates the certificate is valid
- Certificate serial number
- Certificate issuer name
- Certificate issuer digital signature
• Key: a number (usually a long binary number) that is used with an encryption algorithm to “lock” the message
characters being protected (undecipherable without the key)
- Longer keys provide significantly better protection
• Identification requirements vary: driver’s license, notarized form, fingerprints
• Classification: low, medium, and high assurance, based largely on identification requirements
• Digital certificates expire after a period of time to provide protection (users and businesses)
- Must submit credentials for reevaluation periodically
Steganography
• Process of hiding information within another piece of information; can be used for malicious purposes
• Provides a way of hiding an encrypted file within another file so that a casual observer cannot detect anything
of importance in the container file
• Two-step process: encrypting the file protects it from being read, and steganography makes it invisible
• Al Qaeda used steganography to hide attack orders
Physical Security for Client Devices
• Physical security is a major concern for large computers; as networks (intranets and the Internet) have made
it possible to control important business functions from client computers, the physical security concerns for client computers are also great.
• New physical security technologies
- Fingerprint readers (less than $100), stronger protection than password approaches
• Biometric security devices
- Identification using element of person’s biological makeup, includes writing pads, eye scanners, palm
reading scanners, reading back of hand vein pattern
Communication Channel Security
• The Internet was not designed to be secure; it was designed to provide redundancy
• In this respect the Internet remains unchanged from its original state
- A message traveling on the Internet is subject to secrecy, integrity, and necessity threats
Secrecy Threats
• Secrecy
- Prevention of unauthorized disclosure of information
- Is a technical issue requiring sophisticated physical and logical mechanisms
• Privacy: Protection of individual rights to nondisclosure
• E-mail message
- Protected using encryption against secrecy violations
- Secrecy countermeasures protect outgoing messages
- Privacy issues address whether supervisors are permitted to read employees’ messages at random
• Sniffer programs
- Record information passing through computer or router
- Read e-mail messages and unencrypted Web client–server message traffic
• Electronic commerce threat
- Backdoors: electronic holes
o Element of a program (or separate program) that allows users to run the program without
going through the normal authentication procedure for access to the program.
• Web users continually reveal information
- Secrecy breach
- Possible solution: anonymous Web surfing
Integrity Threats
• Also known as active wiretapping
- Unauthorized party alters message information stream
• Integrity violation example
- Cybervandalism: Web site’s page electronic defacing
• Masquerading (spoofing): Pretending to be someone else or fake Web site representing itself as original
• Domain name servers (DNSs)
- Internet computers maintaining directories that link domain names to IP addresses
- Perpetrators exploit a software security hole to substitute their own Web site address for the real one, thereby
spoofing Web site visitors
• Phishing expeditions: Capture confidential customer information
- Common victims are online banking and payment system users
Necessity Threats
• Also known as delay, denial, denial-of-service (DoS) threats
- Disrupt normal computer processing or deny processing entirely
• DoS attacks: Remove information from a transmission or file
• Documented denial attacks
- Quicken accounting program diverted money to perpetrator’s bank account
- Overwhelmed sites’ servers and choked off legitimate customers’ access
- Disabled thousands of computers that were connected to the Internet.
Threats to the Physical Security of Internet Communications Channels
• The Internet’s packet-based network design precludes it from being shut down by an attack on a single
communications link
• An individual user’s Internet service can be interrupted by destruction of that user’s Internet link
• Larger companies and organizations often have multiple links to the main Internet backbone
Threats to Wireless Networks
• Wardrivers: Attackers drive around in cars using wireless-equipped computers searching for accessible
networks
• Warchalking: Placing a chalk mark on a building so that other attackers can easily identify an easily entered wireless network
nearby
• Avoid being targeted by simply turning on WEP in access points and changing default settings
Encryption Solutions
• Encryption: coding information using a mathematically based program and a secret key to produce an unintelligible
string of characters
• Cryptography: science studying encryption
- Science of creating messages only the sender and receiver can read
• Steganography: makes text undetectable to the naked eye
• Cryptography converts text to other visible text that appears to have no meaning
Encryption algorithms
• Encryption program
- Transforms normal text (plain text) into cipher text (unintelligible characters string)
• Encryption algorithm
- Logic behind encryption program that includes mathematics to do transformation
• Decryption program: encryption-reversing procedure
- Messages encrypted just before being sent over a network. Upon arrival, message is decoded
(decrypted)
• Encryption algorithms are considered so vitally important to preserving security within the United States that the National Security
Agency has control over their dissemination.
• Key type subdivides encryption into three functions
- Hash coding, asymmetric encryption, symmetric encryption
Hash coding
• Process that uses a hash algorithm to calculate a number (hash value) from a message of any length.
• Unique message fingerprint
• Design of good hash algorithms
- Probability of collision is extremely small (two different messages resulting in same hash value)
- Determine whether message has been altered during transit
o No match with original hash value and receiver computed value
Asymmetric encryption (public-key encryption)
• Encodes messages using two mathematically related numeric keys
• Public key: one key freely distributed to public
- Encrypt messages using encryption algorithm
• Private key: second key is kept by the key owner
- Decrypt all messages received
• Pretty Good Privacy (PGP)

- Software tools using different encryption algorithms to perform public key encryption
- Individuals download free versions from the PGP Corporation site, PGP International site
Symmetric encryption (private-key encryption)
• Encodes a message with one of several available algorithms that use a single numeric key to encode and
decode data
• Message sender and receiver must both know the key, and the key must be guarded.
• Very fast and efficient encoding and decoding
• Problems
- Difficult to distribute new keys to authorized parties while maintaining security, control over keys
- Private keys do not scale well in large environments
• Data Encryption Standard (DES)
- Encryption algorithm adopted by the U.S. government
- Most widely used private-key encryption system
- Fast computers can break messages encoded with smaller keys
• Triple Data Encryption Standard (Triple DES, 3DES)
- Stronger version of Data Encryption Standard
• Advanced Encryption Standard (AES)
- Longer bit lengths dramatically increase difficulty of cracking encryption protection
Comparing asymmetric and symmetric encryption systems
• Advantages of public-key (asymmetric) systems
- Small combination of keys required
- No problem in key distribution
- Implementation of digital signatures possible
• Disadvantages of public-key systems
- Significantly slower than private-key systems
- Do not replace private-key systems (complement them)

Encryption in Web browser


• Two encryption approaches:
- Secure Sockets Layer (SSL) system: Secures connections between two computers
- Secure Hypertext Transfer Protocol (S-HTTP): Send individual messages securely
Secure sockets layer (SSL) protocol
• Provides security “handshake” in which a client and server exchange brief burst of messages
• When all communication is encoded, an eavesdropper receives only unintelligible information
• Secures many different communication types: HTTP, FTP, Telnet
• HTTPS: protocol implementing SSL; URLs of secured pages are preceded by the protocol name HTTPS
• An encrypted transaction generates a private session key; key lengths include 40-bit, 56-bit, 128-bit, and 168-bit
• Session key: used by the encryption algorithm to create cipher text from plain text during a single secure session

Secure HTTP (S-HTTP)


• Extension to HTTP providing security features including client and server authentication, spontaneous
encryption, request/response nonrepudiation
• Provides symmetric encryption for secret communications and public-key encryption to establish
client/server authentication
• Session negotiation: process of proposing and accepting (or rejecting) various transmission conditions
• Establishes secure session with a client-server handshake exchange to set up secure communication
• Secure envelope (complete package): Encapsulates and encrypts message which provides secrecy, integrity,
and client/server authentication
Hash Functions, Message Digest and Digital Signatures
• Hash algorithm: Technique used to detect when a message is being altered.
- To detect message alteration, hash algorithm is applied to the message content to create a message
digest, which is a number that summarizes the encrypted information.
• Message digest: Small integer summarizing encrypted information to ensure transaction Integrity with
Digital Signatures
• Hash functions alone leave potential for fraud
- Solution: sender encrypts the message digest using the private key
• Digital signature: encrypted message digest (message hash value) created using a private key
- Provides transaction secrecy when the entire string (digital signature and message) is encrypted
- Digital signatures: same legal status as traditional signatures
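The three pieces covered in Hash coding, Asymmetric encryption, and this section fit together in one flow: hash the message to a digest, sign the digest with the private key, verify with the public key, and notice that any alteration in transit makes the digest no longer match. The code below is an added example and is not PGP, a library, or the module's own material. It uses SHA-256 from the Python standard library for the digest and a textbook RSA (two deterministically chosen ~130-bit primes, no padding) for the signature; that RSA is a teaching model only, and the order message is constructed.

```python
"""Message digest + digital signature, start to finish.
Added example: SHA-256 digest, toy textbook RSA for sign/verify (no padding,
deterministic primes), so it is a teaching model, not production code."""
import hashlib
from math import gcd

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; probabilistic for numbers this size."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    n |= 1
    while not is_probable_prime(n):
        n += 2
    return n


def generate_keypair(e=65537):
    """Toy key generation: primes near 2**130 and 2**131 so that n > 2**256,
    which guarantees any SHA-256 digest is smaller than the modulus."""
    p = next_prime(2 ** 130 + 1)
    q = next_prime(2 ** 131 + 1)
    while gcd(e, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 2)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def message_digest(msg: bytes) -> int:
    """Hash coding: fixed-length fingerprint of a message of any length."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(msg: bytes, private_key) -> int:
    """Digital signature: the digest 'encrypted' with the private key."""
    n, d = private_key
    return pow(message_digest(msg), d, n)


def verify(msg: bytes, signature: int, public_key) -> bool:
    """Receiver recomputes the digest and compares it with the decrypted signature."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(msg)


PUBLIC, PRIVATE = generate_keypair()
ORDER = b"Pay Wilderness Trailhead $372 for order 10042"  # constructed message


def demo():
    """Returns (verifies as sent, verifies after tampering)."""
    sig = sign(ORDER, PRIVATE)
    intact = verify(ORDER, sig, PUBLIC)
    tampered = verify(ORDER.replace(b"$372", b"$3720"), sig, PUBLIC)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Changing a single digit of the amount changes the digest, so the signature made over the original digest no longer verifies; that is the integrity property the notes describe, and because only the private key could have produced the signature it also attributes the message to its sender.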

Security for Server Computers

• Server is the third link in the client-Internet-server electronic commerce path between the user and a Web
server.
- Security policies are documented and implemented to minimize the impact of Web server threats.
Password Attack Threats / Web Server Threats
• An intruder who can access and read the Web server’s password file can enter privileged areas masquerading as a legitimate user.
- Solution: Web servers store user authentication information in encrypted files.
• Dictionary attack programs: cycle through an electronic dictionary, trying every word and common name as
a password.
- Solution: use password assignment software to check user passwords against a dictionary
• Sensitive file on Web server holds Web server username-password pairs
- Solution: store authentication information in encrypted form
• Passwords that users select
- Easily guessable, such as mother’s maiden name, name of a child, etc.
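The two solutions listed above (storing authentication information in one-way encrypted form, and checking chosen passwords against a dictionary at assignment time) are shown together in the following added example; it is not the module's or any product's code. It uses PBKDF2 with a random salt from the Python standard library as the one-way function, and the dictionary and user names are constructed for the example.

```python
"""Server-side password storage and assignment checks.
Added example; DICTIONARY and the accounts created below are constructed."""
import hashlib
import hmac
import os

# Constructed stand-in for the electronic dictionary a dictionary attack program cycles through.
DICTIONARY = {"password", "welcome", "letmein", "summer", "jennifer"}


def is_weak_password(pw, dictionary=DICTIONARY):
    """Password-assignment check: reject dictionary words (case-insensitive,
    ignoring trailing digits such as 'Welcome1') and very short passwords."""
    base = pw.lower().rstrip("0123456789")
    return base in dictionary or len(pw) < 8


def hash_password(pw, salt=None, iterations=200_000):
    """One-way encryption of a password: PBKDF2-HMAC-SHA256 with a per-user salt.
    The stored string carries everything needed to re-run the function later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(pw, stored):
    """Recompute the hash with the stored salt; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def create_account(store, username, pw):
    """Assign a password only if it passes the dictionary check; store it hashed.
    'store' plays the role of the server's authentication file (username -> record)."""
    if is_weak_password(pw):
        return False
    store[username] = hash_password(pw)
    return True


if __name__ == "__main__":
    accounts = {}
    print(create_account(accounts, "alice", "password123"))   # False: dictionary word
    print(create_account(accounts, "bob", "c0rrect-horse-9"))  # True
    print(accounts["bob"])                                     # no plain text stored
    print(verify_password("c0rrect-horse-9", accounts["bob"]))  # True
```

An intruder who reads the store sees only salt and digest strings, so the file no longer hands out credentials directly; the iteration count makes each dictionary guess against a stolen record cost a full PBKDF2 computation rather than one hash.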

Database Threats
• Usernames and passwords
- Databases may store them in an unencrypted table, or fail to enforce security at all and rely on the Web server to enforce
security
• If unauthorized users obtain user authentication information, they can masquerade as legitimate database
users and reveal or download confidential and potentially valuable information.
• Trojan horse programs hidden within a database system can reveal information by changing the access rights of
various user groups. They can remove all access controls within the database
Other Programming Threats
• Java or C++ programs executed by server
- Passed to Web servers by client or that reside on server
- Use a buffer: Memory area set aside holding data read from file or database
• Buffer overrun (buffer overflow error)
- A program filling a buffer malfunctions and overfills it, spilling the excess data outside the
designated buffer memory
- Cause: error in the program, or intentional
- Example: 1988 Internet worm
• Insidious version of buffer overflow attack writes instructions into critical memory locations so that when the
intruder program has completed its work of overwriting buffers, the Web server resumes execution by
loading internal registers with address of attacking program’s code
• Reducing potential buffer overflow damage
- Good programming practices
- Some hardware functionality
• Mail bomb attack
- Hundreds or thousands of people send messages to a particular address
Threats to the Physical Security of Web Servers
• Protecting Web servers
- Put computers in a CSP (commerce service provider) facility
- Security on the CSP’s physical premises is better maintained

- Maintain server content’s backup copies at remote location
- Rely on service providers that offer managed services including Web server security
- Hire smaller, specialized security service providers
Access Control and Authentication
• Controlling who and what has access to Web server
• Authentication: Identity verification of entity requesting computer access
• Server user authentication
- Server must successfully decrypt the digital signature contained in the user’s certificate
- Server checks the certificate timestamp
- Server uses a callback system
• Certificates provide attribution (irrefutable evidence of identity) in a security breach
• Usernames and passwords provide some element of protection
• Usernames may be maintained in plain text; passwords are encrypted with a one-way encryption algorithm
• Problem: when a site visitor saves a username and password as a cookie, it might be stored on the client computer in plain text
• Use access control list security to restrict file access to selected users
- List (database) of files and the usernames of people allowed access to those files and other resources
Firewalls
• Software, or hardware-software combination, that is installed in a network to control packet traffic
• Provides a defense between the network and the Internet or between the network and any other network that
could pose a threat
• Characteristics:
- All traffic must pass through it
- Only authorized traffic is allowed to pass
- Immune to penetration
• Trusted: networks inside the firewall
• Untrusted: networks outside the firewall
• Filter permits selected messages through the network
• Separate corporate networks from one another
- Segmenting the corporate network into secure zones serves as a coarse need-to-know filter
• Organizations with multiple large sites install a firewall at each location, each following the same security policy
• Firewall should be stripped of unnecessary software
• Packet-filter firewalls
- Examine all data flowing back and forth between trusted network (within firewall) and the Internet
• Gateway servers: Filter traffic based on requested application
- Limit access to specific applications such as Telnet, FTP, HTTP
• Proxy server firewalls: Communicate with the Internet on private network’s behalf
• Perimeter expansion problem: Computers outside traditional physical site boundary
• Servers under almost constant attack
- Install intrusion detection systems
o Monitor server login attempts and analyze for patterns indicating cracker attack
- Block further attempts originating from same IP address
• Personal firewalls
- Software-only firewalls on individual client computers
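The packet-filter firewall and the intrusion detection step above (monitor login attempts, then block further attempts from the same IP address) are shown working together in this added example, which is not the module's or any vendor's code. The rule list enforces "only authorized traffic is allowed to pass" by denying anything not matched; the monitor reads constructed sshd-style log lines, counts failed logins per source, and inserts a deny rule for a source once it reaches a threshold. The rule format, the threshold of three, and the log lines are all assumptions of this example.

```python
"""Default-deny packet filter plus a login-failure monitor that adds block rules.
Added example; RULES and LOG are constructed."""
import ipaddress
import re
from collections import defaultdict


class PacketFilter:
    """First-match rule list; anything unmatched is denied (only authorized traffic passes)."""

    def __init__(self, rules):
        self.rules = list(rules)  # (action, source network, destination port or "any")

    def decide(self, src_ip, dst_port):
        ip = ipaddress.ip_address(src_ip)
        for action, net, port in self.rules:
            if ip in ipaddress.ip_network(net) and port in ("any", dst_port):
                return action
        return "deny"

    def block_source(self, src_ip):
        """Block further attempts from one address by putting a deny rule first."""
        self.rules.insert(0, ("deny", f"{src_ip}/32", "any"))


# Constructed policy: HTTPS from anywhere, SSH only from the trusted 10/8 network.
RULES = [
    ("allow", "0.0.0.0/0", 443),
    ("allow", "10.0.0.0/8", 22),
]

# Constructed server login log in sshd style (addresses from documentation ranges).
LOG = """\
Jan 12 10:01:03 web1 sshd[411]: Failed password for admin from 203.0.113.9 port 5100
Jan 12 10:01:05 web1 sshd[412]: Failed password for root from 203.0.113.9 port 5101
Jan 12 10:01:07 web1 sshd[413]: Failed password for admin from 203.0.113.9 port 5102
Jan 12 10:01:08 web1 sshd[414]: Accepted password for alice from 10.0.4.7 port 6200
Jan 12 10:01:11 web1 sshd[415]: Failed password for admin from 203.0.113.9 port 5103
Jan 12 10:02:30 web1 sshd[416]: Failed password for bob from 198.51.100.3 port 7000
"""
FAILED = re.compile(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def monitor_logins(log, fw, threshold=3):
    """Count failed logins per source; at the threshold, ask the firewall to block it.
    Returns the list of sources that were blocked."""
    failures = defaultdict(int)
    blocked = []
    for line in log.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        src = match.group(2)
        failures[src] += 1
        if failures[src] == threshold:
            fw.block_source(src)
            blocked.append(src)
    return blocked


def demo():
    """Decision for the repeat offender before and after the monitor runs."""
    fw = PacketFilter(RULES)
    before = fw.decide("203.0.113.9", 443)
    blocked = monitor_logins(LOG, fw)
    after = fw.decide("203.0.113.9", 443)
    return before, blocked, after


if __name__ == "__main__":
    print(demo())  # ('allow', ['203.0.113.9'], 'deny')
```

Before the monitor runs, 203.0.113.9 may reach port 443 like any other client; after its third failed login it is denied on every port, while the single failure from 198.51.100.3 stays below the threshold and the trusted host 10.0.4.7 keeps its SSH access.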
Organizations that Promote Computer Security
• After the Internet Worm of 1988
- Organizations formed to share computer system threat information
- Devoted to the principle that sharing information about attacks and attack defenses helps everyone create
better computer security
- Some began at universities while others were launched by government agencies
CERT
• Housed at Carnegie Mellon University: Software Engineering Institute
• Maintains effective, quick communications infrastructure among security experts so that security incidents
can be avoided or handled quickly
• Provides security risk information
• Posts security events alerts
• Primary authoritative source for viruses, worms, and other types of attack information
Other Organizations
• 1989: SANS Institute

- Education and research efforts yield resources such as news releases, research reports, security alerts,
and white papers
• SANS Internet Storm Center Web site
- Provides current information on location, intensity of computer attacks worldwide
• CERIAS
- Center for multidisciplinary information security research and education
• CERIAS Web site
- Provides computer, network, and communications security resources
• Center for Internet Security
- Not-for-profit cooperative organization devoted to helping electronic commerce companies
• CSO Online: Articles from CSO Magazine
- Computer security-related news items
Computer Forensics and Ethical Hacking
• Computer forensics experts (ethical hackers)
- Computer sleuths hired to probe PCs and locate information usable in legal proceedings
• Computer forensics field
- Responsible for the collection, preservation, and analysis of computer-related evidence
• Companies hire ethical hackers to test computer security safeguards

Review Questions
1. In a paragraph, explain why early computer security efforts focused on controlling the physical environment in
which computers operated.
2. Refer to Figure 10-1. In two paragraphs, identify and briefly describe two threats that you would place in
Quadrant III and explain why you would classify them as Quadrant III threats.
3. Write a paragraph in which you provide one example of an integrity violation.
4. In about 100 words, describe the steps an organization would follow when writing its security policy.
5. In about 100 words, explain the difference between session cookies and persistent cookies. In your answer, be
sure to include how each type of cookie is used.
6. In two or three paragraphs, outline the differences between first-party cookies and third party cookies.
7. In one or two paragraphs, explain what a Web bug is, what it accomplishes, and who might use one.
8. In a paragraph, explain why active content poses a threat to client devices.
9. Write a paragraph in which you explain the concept of a sandbox and describe how it is used to reduce security
risks in client computers.
10. In a paragraph or two, explain why a zombie farm could cause more damage than a Trojan horse.
11. In about 100 words, describe a multivector worm or virus and explain why it is a more severe threat than other
viruses or worms.
12. In about 100 words, explain what assurances a certification authority (CA) provides to a business that purchases
one of its digital certificates. In your answer, describe what procedures the CA typically follows before issuing a
digital certificate.
13. In one or two paragraphs, explain why an SSL-EV digital certificate is superior to an ordinary digital certificate.
14. In one or two paragraphs, explain how remote wipe software can increase security for the user of a mobile
device.
15. Write a paragraph in which you describe the purpose and use of a sniffer program.
16. In a paragraph or two, describe what an anonymous Web service does and explain why individuals or businesses
might use one.
17. In a paragraph, briefly describe what occurs in a denial-of-service attack.
18. In about 100 words, describe how a digital certificate is used in an SSL exchange between a Web server and a
Web browser.
19. In a paragraph, describe a dictionary attack program and explain how it might be used.
20. In two or three paragraphs, describe a firewall and how it works.

Exercises

1. Wilderness Trailhead, Inc. (WTI) is a retailer that offers hiking, rock-climbing, and survival gear for sale on its
Web site. WTI offers about 1200 different items for sale and has about 1000 visitors per day at its Web site. The
company makes about 200 sales each day on its site, with an average transaction value of $372. WTI sells
products primarily through its Web site to customers in the United States and Canada. WTI ships orders from its
two warehouses: one in Vancouver, British Columbia, and another in Shoreline, Washington. WTI accepts four
major credit cards and processes its own credit card transactions. It stores records of all transactions on a
database server that shares a small room with the Web server computer at WTI’s main offices in a small
industrial park just outside Bellingham, Washington. In about 500 words, outline a security policy for the WTI
database server. Be sure to consider the threats that exist because that server stores customer credit card
numbers. Use the Web Links for this exercise to find samples of security policies and detailed guidelines for
creating them.
2. Many organizations rely on a firewall to prevent or deter threats to information security that arise from outside
the organization. Using your favorite search engine or the resources of your library, identify firewall issues that
can arise when companies use cloud computing as part of their online sales systems. In about 100 words,
summarize your findings in terms of the perimeter expansion problem.
3. You have built an app that helps users store their passwords securely on their phones or tablet devices. The app
has just been cleared for listing in both the Apple and Google Play markets. Companies such as Truste sell
assurance services to online businesses that can convince potential customers that their products or services are
safe to use. Visit the Truste Web site (or use your favorite search engine to find other companies that offer
third-party assurance services to online merchants), review their service offerings for app developers, and write
a 100-word evaluation of their assurance products. Conclude your evaluation with a decision about whether you
would be likely to use these services and why.
4. Using your library or your favorite search engine, find three Web sites that have an SSL-EV digital certificate.
Note that some sites that do have SSL-EV certificates will not show the green background until you log in to the
site or place an item in the site’s shopping cart. For each site, write a paragraph in which you identify the CA that
provides the SSL-EV certificate and explain why that site decided to incur the additional expense of buying an
SSL-EV certificate. The Web links for this exercise include links to CAs that sell SSL-EV digital certificates, which
you might find useful.
