E-commerce Security (II) *MIDTERM CONTENT INCLUSIVE* Flashcards
Malicious code (Malware)
Includes a variety of threats such as viruses, worms, Trojan horses, and bots
Exploit Kits
Collection of exploits bundled together and rented or sold as a commercial product. Use of a kit does not require much skill, allowing for non-fluent digital users to commit cybercrime
Drive-by download
Malware downloaded and installed without the user's informed consent, either hidden inside a file the user did request or triggered simply by visiting a compromised or malicious web page
Malvertising
Online advertising that contains malicious code
Virus
A computer program that can replicate or make copies of itself and spread to other files
Worm
Malware that is designed to spread from computer to computer
Ransomware
Malware that blocks or limits access to a computer or network by encrypting files and then demands a ransom payment, typically in a cryptocurrency such as Bitcoin, in exchange for the decryption key
Trojan horse
Appears to be harmless but then does something other than expected. Often a way for viruses or other malicious code to be introduced into a computer system
Backdoor
Malware feature that allows an attacker to covertly access a compromised computer or network
Bot
Type of malicious code that can be covertly installed on a computer when connected to the Internet. Once installed, the bot responds to external commands sent by the attacker
Botnet
A collection of compromised bot computers under the remote control of an attacker, commonly used for DDoS attacks, spam and credential stuffing
Potentially Unwanted Program (PUP)
Program that installs itself on a computer, typically without the user’s informed consent
Adware
A PUP that serves pop-up ads to your computer
Browser parasite
A program that can monitor and change the settings of a user’s browser
Cryptojacking
Uses a victim's processing power to mine cryptocurrency without the user's knowledge or consent, typically by installing a browser parasite or running mining script delivered through a web page or malvertising
Spyware
A program used to obtain information such as a user’s keystrokes, e-mails, instant messages, and so on
Social engineering
Exploitation of human fallibility and gullibility to distribute malware
Phishing
Any deceptive online attempt by a third party to obtain confidential information (such as login credentials or card numbers), typically for financial gain
BEC (business e-mail compromise) phishing
Variation of the Nigerian letter scam in which an attacker poses as a high-level employee of a company (often by spoofing or compromising that person's e-mail account) and requests that another employee transfer funds to what is actually a fraudulent account
Hacker
An individual who intends to gain unauthorized access to a computer system
Cracker
Within the hacking community, a term typically used to denote a hacker with criminal intent
Cybervandalism
Intentionally disrupting, defacing, or even destroying a site
Hacktivism
Cybervandalism and data theft for political purposes
Data breach
Occurs when an organization loses control over corporate information, including the personal information of customers and employees, to outsiders
Credential stuffing
Automated attack in which username and password pairs obtained from earlier data breaches are replayed against other sites, usually from botnets, relying on people reusing the same password across accounts. Unlike classic brute force, it tries one known password against many accounts rather than many guesses against one account
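The definition above describes the shape of the traffic; the following added example (not part of the original flashcards) shows how a detection rule can tell credential stuffing apart from ordinary brute force in authentication logs. The log format, IP addresses and usernames are constructed for the demonstration, and the thresholds are assumptions a real deployment would tune.

```python
"""Spot credential stuffing in login logs (added example, not from the flashcards).

Credential stuffing replays leaked username/password pairs, so one source
tries MANY different accounts, about one password each, and nearly all
attempts fail. Classic brute force has the opposite shape: many guesses
against FEW accounts. This heuristic separates the two by counting
distinct usernames per source address inside a time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format, addresses and users are made up.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login result=FAIL user=alice src=203.0.113.7
2024-03-01T10:00:01Z login result=FAIL user=bob src=203.0.113.7
2024-03-01T10:00:02Z login result=FAIL user=carol src=203.0.113.7
2024-03-01T10:00:02Z login result=OK   user=dave src=203.0.113.7
2024-03-01T10:00:03Z login result=FAIL user=erin src=203.0.113.7
2024-03-01T10:00:03Z login result=FAIL user=frank src=203.0.113.7
2024-03-01T10:00:10Z login result=FAIL user=alice src=198.51.100.4
2024-03-01T10:00:11Z login result=FAIL user=alice src=198.51.100.4
2024-03-01T10:00:12Z login result=FAIL user=alice src=198.51.100.4
2024-03-01T10:00:13Z login result=FAIL user=alice src=198.51.100.4
2024-03-01T10:00:14Z login result=FAIL user=alice src=198.51.100.4
2024-03-01T10:05:00Z login result=OK   user=grace src=192.0.2.9
2024-03-01T10:05:30Z login result=FAIL user=grace src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; unrelated or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def source_stats(events):
    """Per source IP: attempts, distinct users, failures, successful users, time span."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    stats = {}
    for src, evs in by_src.items():
        times = [e["ts"] for e in evs]
        stats[src] = {
            "attempts": len(evs),
            "users": len({e["user"] for e in evs}),
            "failures": sum(1 for e in evs if not e["ok"]),
            "successes": [e["user"] for e in evs if e["ok"]],
            "span": max(times) - min(times),
        }
    return stats


def classify_sources(events, window=timedelta(minutes=10), min_attempts=5,
                     min_users=5, min_fail_ratio=0.6):
    """Label each source 'credential_stuffing', 'brute_force' or 'normal' (assumed thresholds)."""
    labels = {}
    for src, s in source_stats(events).items():
        fail_ratio = s["failures"] / s["attempts"]
        suspicious = (s["span"] <= window and s["attempts"] >= min_attempts
                      and fail_ratio >= min_fail_ratio)
        if suspicious and s["users"] >= min_users and s["attempts"] / s["users"] <= 1.5:
            labels[src] = "credential_stuffing"   # many accounts, about one try each
        elif suspicious and s["users"] <= 2:
            labels[src] = "brute_force"           # one or two accounts, many tries
        else:
            labels[src] = "normal"
    return labels


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    labels = classify_sources(evs)
    stats = source_stats(evs)
    for src, label in labels.items():
        print(f"{src:15} {label}")
        # A success from a stuffing source means that user's reused password
        # was in the leak: the account needs a forced reset, not just a block.
        if label == "credential_stuffing" and stats[src]["successes"]:
            print("  reused-password hits:", stats[src]["successes"])
```

Grouping by source IP only catches the lazy attacker. Stuffing run through a botnet spreads the attempts across thousands of addresses, so the same statistics have to be computed site-wide (a spike in failed logins and in distinct usernames per minute) or per client fingerprint, and the durable fix is rate limiting plus multifactor authentication and checking new passwords against known breach lists.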
Identity fraud
Involves the unauthorized use of another person’s personal data for illegal financial benefit
Spoofing
Involves attempting to hide a true identity by using someone else’s e-mail or IP address
Pharming
Automatically redirecting a web link to an address different from the intended one, with the site masquerading as the intended destination
Spam (junk) websites
Also referred to as link farms; promise to offer products or services but, in fact, are just collections of advertisements
Sniffer
A type of eavesdropping program that monitors the information traveling over a network
Man-in-the-middle (MitM) attack
Attacker can intercept communications between two parties who believe they are directly communicating with one another, when in fact the attacker is controlling the communications
Denial of Service (DoS) attack
Flooding a website or its network with useless traffic so that the server is overwhelmed and legitimate users cannot be served
Distributed Denial of Service (DDoS) attack
Using numerous computers, typically a botnet, to attack the target network from many launch points at once, which makes the traffic far harder to filter or absorb
SQL Injection (SQLi) attack
Takes advantage of poorly coded web application software that builds database queries by concatenating user-supplied input without validating or parameterizing it, letting the attacker change the query the database actually executes
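The flashcard names the root cause; this added example (not from the original page) puts the vulnerable query next to its fix using Python's built-in sqlite3 module so it runs offline. The table, accounts and the injected string are constructed for the demonstration.

```python
"""SQL injection: a vulnerable login query beside its parameterized fix
(added example, not from the flashcards). Runs against an in-memory SQLite
database with constructed data."""
import sqlite3


def make_db():
    """Constructed users table. Passwords are stored in clear only to keep the
    demo short; a real system stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse battery", "admin"),
        ("bob", "hunter2", "customer"),
    ])
    return conn


def vulnerable_login(conn, username, password):
    # VULNERABLE: the input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    query = ("SELECT username, role FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()


def safe_login(conn, username, password):
    # FIXED: placeholders send the values to the engine separately from the
    # SQL text, so input can never change the structure of the query.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # Closing quote plus "--" comments out the password check entirely.
    injected_user = "alice' --"
    print("vulnerable:", vulnerable_login(conn, injected_user, "wrong"))  # logs in as alice
    print("safe      :", safe_login(conn, injected_user, "wrong"))        # None
    print("safe, real:", safe_login(conn, "alice", "correct horse battery"))
```

Input validation helps but is not the fix: the parameterized query is, because it removes the path by which data becomes code. The same principle applies to stored procedures that build SQL strings internally and to ORMs that expose raw-query escape hatches.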
Zero-day vulnerability
Software vulnerability that has been previously unreported and for which no patch yet exists
Encryption & ciphertext
The process of transforming plaintext (readable data) into ciphertext that cannot be read by anyone other than the intended sender and receiver
The 4 dimensions of e-commerce security encryption provides
Message integrity
Nonrepudiation
Authentication
Confidentiality
Key (cipher)
A cipher is any method for transforming plaintext into ciphertext; the key is the secret value that selects which particular transformation the cipher applies. The cipher itself can be public as long as the key stays secret
Substitution cipher
Every occurrence of a given letter is replaced systematically by another letter
Transposition cipher
The ordering of the letters in each word is changed in some systematic way
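The two classical ciphers above, as an added example that is not part of the original flashcards: a shift (Caesar) substitution, a columnar transposition, and a frequency-analysis attack that recovers the substitution key from ciphertext alone. The English letter-frequency table and the sample messages are constructed for the demonstration.

```python
"""Substitution and transposition ciphers, and why substitution alone is weak
(added example, not from the flashcards).

Substitution changes WHICH letters appear but not how often; transposition
changes WHERE letters sit but not which ones. `break_shift` exploits the
first fact: it scores each of the 26 possible shifts against typical
English letter frequencies with the chi-squared statistic.
"""
import string
from collections import Counter

ALPHA = string.ascii_uppercase

# Approximate relative frequency of A..Z in English text, in percent.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def substitution_encrypt(plaintext, shift):
    """Replace every letter by the letter `shift` places later; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        out.append(ALPHA[(ALPHA.index(ch) + shift) % 26] if ch in ALPHA else ch)
    return "".join(out)


def substitution_decrypt(ciphertext, shift):
    return substitution_encrypt(ciphertext, -shift)


def _column_order(key):
    # Columns are read in alphabetical order of the key letters; ties keep left-to-right order.
    key = key.upper()
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def transposition_encrypt(plaintext, key):
    """Columnar transposition: write letters row by row under the key, read columns out by key order."""
    text = "".join(c for c in plaintext.upper() if c in ALPHA)
    cols = len(key)
    text += "X" * ((-len(text)) % cols)          # pad the last row
    return "".join(text[i::cols] for i in _column_order(key))


def transposition_decrypt(ciphertext, key):
    cols = len(key)
    rows = len(ciphertext) // cols
    columns = [""] * cols
    for k, col in enumerate(_column_order(key)):
        columns[col] = ciphertext[k * rows:(k + 1) * rows]
    return "".join(columns[c][r] for r in range(rows) for c in range(cols))


def break_shift(ciphertext):
    """Recover the shift: the candidate whose letter counts best fit English wins."""
    letters = "".join(c for c in ciphertext.upper() if c in ALPHA)
    n = len(letters)
    best_shift, best_score = 0, float("inf")
    for shift in range(26):
        counts = Counter(substitution_decrypt(letters, shift))
        score = 0.0
        for letter, pct in zip(ALPHA, ENGLISH_FREQ):
            expected = pct / 100 * n
            score += (counts[letter] - expected) ** 2 / expected
        if score < best_score:
            best_shift, best_score = shift, score
    return best_shift


# Constructed sample messages for the demonstration.
SHORT_MSG = "ATTACK AT DAWN"
LONG_MSG = ("ENCRYPTION ALONE DOES NOT MAKE AN ONLINE STORE SECURE BECAUSE THE "
            "ATTACKER CAN STILL GUESS THE KEY OR STEAL IT FROM THE SERVER")

if __name__ == "__main__":
    c1 = substitution_encrypt(SHORT_MSG, 3)
    print(c1, "->", substitution_decrypt(c1, 3))
    c2 = transposition_encrypt(SHORT_MSG, "ZEBRA")
    print(c2, "->", transposition_decrypt(c2, "ZEBRA"))
    c3 = substitution_encrypt(LONG_MSG, 11)
    print("recovered shift:", break_shift(c3))
```

About a hundred letters of ciphertext is enough for the frequency attack to pin the shift; a keyed (non-shift) substitution falls to the same statistics with a little more text. Transposition leaks the exact letter counts of the plaintext, so it is equally weak on its own; modern symmetric ciphers such as AES combine many rounds of both operations under a key long enough that no such shortcut exists.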
Symmetric key cryptography (secret key cryptography)
Both the sender and the receiver use the same secret key to encrypt and decrypt the message, so the key must first be shared between them over some other secure channel
Data Encryption Standard (DES)
Developed by IBM in the 1970s with involvement of the National Security Agency (NSA) and adopted as a US federal standard. Uses a 56-bit key, which is far too short today: DES keys can be recovered by brute force, and the algorithm has been withdrawn in favour of AES
Advanced Encryption Standard (AES)
The most widely used symmetric key algorithm, offering 128-, 192-, and 256-bit keys
Public key cryptography
Two mathematically related digital keys are used: a public key, which is widely disseminated, and a private key, which is kept secret by its owner. Either key can be used to encrypt a message, but only the other key of the pair can decrypt it; a message encrypted with one key cannot be decrypted with that same key
Encrypting with the recipient's public key gives confidentiality (only the holder of the private key can read the message); encrypting a message or its digest with the sender's private key gives authentication, since only the holder of that private key could have produced it and anyone can check it with the public key
Hash function
An algorithm that maps a message of any length to a fixed-length number called a hash or message digest. A cryptographic hash is one-way and collision-resistant, so any change to the message changes the digest; this is how message integrity is checked
Digital signature (e-signature)
"Signed" ciphertext that can be sent over the Internet: the hash of the message encrypted with the sender's private key and attached to the message. The receiver recomputes the hash and decrypts the signature with the sender's public key; a match proves authenticity, integrity and nonrepudiation
Digital certificate
A digital document issued by a certification authority that contains a variety of identifying information together with the subject's public key, all digitally signed by the CA
Certification Authority (CA)
A trusted third party that issues digital certificates
Public key infrastructure (PKI)
CAs and digital certificate procedures that are accepted by all parties
Secure negotiated session
A client-server session in which the URL of the requested document, the document's contents, the contents of any forms and the cookies exchanged are all encrypted
Session key
A unique symmetric encryption key chosen for a single secure session
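The public key, hash function, digital signature and session key cards above describe one pipeline, shown here as a single added example that is not part of the original flashcards. It uses textbook RSA with two fixed primes so the numbers stay small enough to inspect; the primes, the digest-reduction shortcut and the XOR stream cipher are toy choices made for the demonstration and are not secure. Real systems use 2048-bit or larger RSA (or elliptic curves) with proper padding, AES-GCM or ChaCha20-Poly1305 for the session, and a vetted library.

```python
"""Toy public-key encryption, hashing, digital signature and session-key
establishment (added example, not from the flashcards). Stdlib only.
INSECURE by construction: tiny primes, no padding, toy stream cipher."""
import hashlib
import math
import secrets

# Two primes chosen for the demonstration (constructed; far too small for real use).
P = 1_000_000_007
Q = 998_244_353
PUBLIC_EXPONENT = 65537


def generate_keypair(p=P, q=Q, e=PUBLIC_EXPONENT):
    """Return ((e, n), (d, n)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(value, key):
    """Raise `value` to the key's exponent mod n. The same operation serves
    encryption (public key), decryption (private key), signing and verifying."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def message_digest(message: bytes) -> bytes:
    """Fixed-length (32-byte) SHA-256 digest of an arbitrary-length message."""
    return hashlib.sha256(message).digest()


def sign(message: bytes, private_key) -> int:
    """Digital signature: the message digest transformed with the private key.
    Reducing the digest mod n is a toy shortcut; real RSA pads (PSS) instead."""
    n = private_key[1]
    digest_int = int.from_bytes(message_digest(message), "big") % n
    return rsa_apply(digest_int, private_key)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the public key recomputes the digest and compares."""
    n = public_key[1]
    digest_int = int.from_bytes(message_digest(message), "big") % n
    return rsa_apply(signature, public_key) == digest_int


def keystream_xor(data: bytes, session_key: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream. The same
    key both encrypts and decrypts, which is the defining property of
    symmetric cryptography. Not authenticated, not for real use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block_key = hashlib.sha256(session_key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block_key))
    return bytes(out)


def establish_session(server_public_key):
    """Client side of a secure negotiated session: choose a fresh random
    session key and wrap it with the server's public key.
    Returns (session_key_bytes, wrapped_key_int)."""
    n = server_public_key[1]
    session_key_int = secrets.randbelow(n)
    wrapped = rsa_apply(session_key_int, server_public_key)
    return session_key_int.to_bytes(16, "big"), wrapped


def unwrap_session_key(wrapped: int, server_private_key) -> bytes:
    """Server side: only the private-key holder can recover the session key."""
    return rsa_apply(wrapped, server_private_key).to_bytes(16, "big")


if __name__ == "__main__":
    pub, priv = generate_keypair()
    c = rsa_apply(42, pub)
    print("public-key encrypt then private-key decrypt:", rsa_apply(c, priv))   # 42
    print("decrypting with the same public key instead:", rsa_apply(c, pub))    # not 42
    order = b"Transfer $100 to account 12345"
    sig = sign(order, priv)
    print("signature verifies:", verify(order, sig, pub))
    print("tampered message verifies:", verify(b"Transfer $900 to account 12345", sig, pub))
    key, wrapped = establish_session(pub)
    assert unwrap_session_key(wrapped, priv) == key
    body = keystream_xor(b"GET /checkout cookie=session=abc123", key)
    print("session body round-trips:", keystream_xor(body, key))
```

Nothing in this block checks that `server_public_key` really belongs to the server: a man-in-the-middle who substitutes their own public key would receive the wrapped session key and read everything. That gap is what digital certificates, certification authorities and PKI fill, which is why TLS ties the key exchange to a certificate the client validates before sending the session key.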
HTTPS
Secure version of the HTTP protocol that uses TLS for encryption and authentication
Virtual Private Networks (VPN)
Allows remote users to securely access internal networks via the Internet by tunnelling their traffic through an encrypted connection. Older VPNs used the Point-to-Point Tunneling Protocol (PPTP), whose MS-CHAPv2 authentication is broken and which should no longer be deployed; current VPNs use IPsec, TLS-based tunnels or WireGuard
WPA2
Wireless security standard that encrypts with the AES algorithm using CCMP (Counter Mode with CBC-MAC Protocol), which provides both confidentiality and an integrity check and replaced the weaker TKIP used by the original WPA
WPA3
Next-generation WPA protocol that implements more robust security, replacing the pre-shared-key handshake with Simultaneous Authentication of Equals (SAE), which gives forward secrecy and resists offline dictionary attacks against captured handshakes
Firewall
Refers to either hardware or software that filters communication packets and prevents some packets from entering the network based on a security policy
Proxy server (proxy)
Software server that handles all communications originating from or being sent to the Internet, acting as a bodyguard for the organization
Intrusion detection system (IDS)
Examines network traffic, watching to see if it matches certain patterns or preconfigured rules indicative of an attack
Intrusion prevention system (IPS)
Has all the functionality of an IDS, with the additional ability to take steps to prevent and block suspicious activities
Software supply chain attack
Attackers compromise a vendor's development or build environment, its dependencies, or its update channel so that trojanized software is distributed to end users through a channel they already trust