This Document Contains Chapters 9 to 10

Chapter 9
Electronic Commerce Software

At a Glance

Instructor’s Manual Table of Contents
• Introduction
• Learning Objectives
• Teaching Tips
• Quick Quizzes
• Class Discussion Topics
• Additional Projects
• Additional Resources
• Key Terms

Lecture Notes

Introduction
Online business demand can be hard to predict, but smart businesses prepare in advance for expected periods of high demand. Pet products retailer Harry Barker increased its order-handling capacity in advance of a spot on ABC’s Good Morning America by adding an extra Web server, hiring additional temporary staff, and providing a separate URL for a Web page created just for viewers. The company also followed up to measure how well it met new customers’ expectations. In this chapter, your students will learn about the kinds of software that sites like Harry Barker use to make their revenue models work, including software that enables catalog display of goods, shopping cart functions, and transaction processing activities.

Learning Objectives
In this chapter, your students will learn:
• How to find and evaluate Web-hosting services for online business operations
• What functions are performed by electronic commerce software
• How electronic commerce software works with database and ERP software
• What enterprise application integration and Web services are and how they can be used with electronic commerce software
• What types of electronic commerce software are used by small, medium, and large businesses
• How electronic commerce software works with customer relationship management, knowledge management, and supply chain management software

Teaching Tips

Web Hosting Alternatives
1. Introduce the terms self-hosting, commerce service providers (CSPs), managed service providers (MSPs), application service providers (ASPs), shared hosting, dedicated hosting, co-location (collocation or colocation), and scalable.
Teaching Tip
Read reviews of Web hosting service providers, Best Web Hosting Companies 2016: http://webhostinggeeks.com/besthosting.html

Basic Functions of Electronic Commerce Software
1. Introduce the three elements all electronic commerce software must provide:
• A catalog display
• Shopping cart capabilities
• Transaction processing
2. Note that larger and more complex electronic commerce sites use software that adds other features and capabilities to the basic set of commerce tools. Review the additional software components.

Catalog Display Software
1. Note that a catalog organizes the goods and services being sold. Introduce the terms catalog, static catalog, and dynamic catalog.
2. Point out that both types of catalog (static and dynamic) are located in the third tier of the Web site architecture. Mention that small online stores (those that sell fewer than 100 items) can sometimes get by with a simple list of products or categories and that the organization of items on the Web site might not be particularly important.
3. Introduce the term internal search engine and remind students that, besides offering a well-organized catalog, large sites with many products can provide one that allows customers to enter descriptive search terms, such as “men’s shirts,” so they can quickly find the Web page containing what they want to purchase.

Shopping Cart Software
1. Mention that in the early days of electronic commerce, shoppers selected items they wanted to purchase by filling out online forms, which required a shopper to manually enter product descriptions and item numbers, along with other information, into online ordering systems.
2. Explain that today, shopping carts are the standard method for processing sales online. A shopping cart, also called a shopping bag or shopping basket, keeps track of the items the customer has selected and allows customers to view the contents of their carts, add new items, or remove items.
3. Refer to Figure 9-1 to illustrate a typical shopping cart page at a site that sells tools.
4. Mention that some shopping cart software allows the customer to fill a shopping cart with purchases, put the cart in virtual storage, and come back days later to confirm and pay for the purchases.
5. Remind students that, because HTTP is a stateless system, shopping cart software must store information about specific shoppers and their purchases. Discuss how cookies are used by shopping cart software.
6. Mention that some shoppers configure their Web browser software to refuse cookies, so many sites use another method to preserve shopping cart information from one browser session to another.
7. Introduce dynamic pricing management software, promotion management software, fulfillment integration software, product review management software, product recommendation triggers, and abandoned cart management software.

Teaching Tip
To learn more about 2016 online shopping cart product comparisons, see: http://shopping-cart-review.toptenreviews.com/

Transaction Processing
1. Introduce the term transaction processing.
2. Use Figure 9-2 to illustrate how the three key functions of a basic electronic commerce Web site (catalog display, shopping cart, and transaction processing) are combined in the site’s architecture.
3. Emphasize that when an item is sold online, the electronic commerce software must communicate that fact to both the sales and inventory management modules in the accounting software. Note that computing sales taxes and shipping costs are also important parts of online sales.
4. Point out that in larger companies, the integration of the Web site’s transaction processing into the accounting and operation-control systems of the company can be very complex.

How Electronic Commerce Software Works with Other Software
1. In this section, your students will learn about the features that larger companies need in their electronic commerce software.

Databases
1. Describe the function of a database. Introduce the term business rules.
2. Introduce the terms database manager (or database management software), distributed information systems, and distributed database systems.

Teaching Tip
Students can learn more about MySQL at http://www.mysql.com/.

Middleware
1. Introduce the term middleware.
2. Note that some larger companies have sufficient IT staff to write their own middleware; however, most companies purchase middleware that is customized for their businesses by the software vendor or a consulting firm.
3. Point out that most of the cost of middleware is not the software itself, but the cost of customizing it to work in a given company. Introduce the term interoperability.

Enterprise Application Integration
1. Introduce the terms application program/application software/application, application server, and business logic.
2. Introduce the term enterprise application integration. Explain that the integration is accomplished by programs that transfer information from one application to another.
3. Point out that application servers are usually grouped into two types: page-based and component-based systems. Discuss the terms page-based application system and component-based application system.
4. Note that the most common component-based systems used on the Web are Enterprise JavaBeans (EJBs), Microsoft Component Object Model (COM), and the Object Management Group’s Common Object Request Broker Architecture (CORBA).

Integration with ERP Systems
1. Introduce the term enterprise resource planning (ERP).
2. Use Figure 9-3 to illustrate a typical architecture for a B2B Web site in a company that has an ERP system and uses EDI to connect to its trading partners.

Web Services
1. Introduce the terms Web services, application program interface (API), and Web APIs.

What Web Services Can Do
1. Explain that companies are using Web services to offer improved customer service and reduce costs.
2. Discuss some of the examples of specific Web service implementations.

How Web Services Work
1. Point out that a key element of the Web services approach is that programmers can write software that accesses units of business application logic without knowing the details of how each unit is implemented.

Web Services Specifications
1. Introduce the terms Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL), and Universal Description, Discovery, and Integration Specification (UDDI).

REST and RESTful Design
1. Describe the principle of Representational State Transfer (REST) and how Web services can be built on this model. Introduce the terms RESTful design and RESTful applications.
2. Briefly discuss the Atom Publishing Protocol.

Teaching Tip
Students can learn more about Service-Oriented Architecture (SOA) and Web services in the article New to SOA and web services: http://www.ibm.com/developerworks/webservices/newto/.

Quick Quiz 1
1. ____ means that the client’s Web site is on a server that hosts other Web sites simultaneously and is operated by the service provider at its location.
Answer: Shared hosting
2. A(n) ____ is a simple list written in HTML that appears on a Web page or a series of Web pages.
Answer: static catalog
3. ____ occurs when the shopper proceeds to the virtual checkout counter by clicking a checkout button.
Answer: Transaction processing
4. ____ is software that takes information about sales and inventory shipments from the electronic commerce software and transmits it to accounting and inventory management software in a form that these systems can read.
Answer: Middleware

Electronic Commerce Software for Small and Midsize Companies
1. In this section, your students will learn about software that small and midsize businesses can use to implement online business Web sites.

Basic CSPs
1. Discuss the advantages of using a service provider’s shared or dedicated hosting services instead of building an in-house server or using a co-location service:
• The staffing burden shifts from the company to the Web host.
• The operating costs of a large Web site are shared by all of the businesses hosted by the service.
• The host provider is responsible for keeping the servers working through power outages.
• CSPs offer free or low-cost electronic commerce software for building online business sites hosted on the CSP’s server.

Mall-Style CSPs
1. Introduce the term mall-style CSPs.
2. Note that mall-style CSPs provide shopping cart software or the ability to use another vendor’s shopping cart software. They also provide payment-processing services so the online store can accept credit cards.
3. Emphasize that today, the two main mall-style CSPs that remain in business are Amazon Services (through its “Professional Sellers” and “Individual Sellers” programs) and eBay Stores.

Teaching Tip
Ask students to discuss online shopping through service providers such as the Amazon marketplace.

Estimating Operating Expenses for a Small Web Business
1. Refer to Figure 9-4 and discuss the approximate costs to put a small store online.
2. Explain why costs for larger sites are much more difficult to estimate.

Electronic Commerce Software for Midsize Businesses
1. In this section, your students will learn about software and development tools that midsize companies can use to implement online business activities.

Web Site Development Tools
1. Remind students of the Web page creation and site management tools discussed in Chapter 2.
2. Note that after creating the Web site with these tools, the designer can add purchased software elements, such as shopping carts and content management software, to the site. The final step is to create the middleware that connects the site to the company’s existing product and transaction processing databases.
Midrange Electronic Commerce Software
1. Briefly review the characteristics of midrange electronic commerce software:
• It typically costs between $5000 and $200,000, with annual operating costs ranging from $1000 to $30,000.
• Almost all software in this category offers connectivity to database or ERP systems that store inventory information.
• Because most of these products are customized for each installation, they are often sold either as components that can be assembled in different configurations or in multiple versions designed for specific types of business.
2. Discuss the following midrange electronic commerce software:
• Intershop: Intershop sells a series of midrange electronic commerce software packages for specific types of online businesses, including B2B, B2C, mobile commerce, and software services. Each package provides specific search and catalog capabilities, electronic shopping carts, online credit card transaction processing, and the ability to connect to existing back-end business systems and databases to work with each type of business.
• IBM WebSphere Commerce Professional: Mention that IBM WebSphere software components include catalog templates, setup wizards, and catalog management tools for both B2B and B2C operations. These components link to existing corporate systems, such as inventory databases and procurement systems. Customizing WebSphere requires programmers with JavaScript, Java, or C++ expertise.

Electronic Commerce Software for Large Businesses
1. Introduce the term enterprise-class software.

Enterprise-Class Electronic Commerce Software
1. Explain to students that enterprise-class electronic commerce software running large online organizations usually requires several dedicated computers, in addition to the Web server system and any necessary firewalls.
2. Note that enterprise-class software typically provides tools for linking to and supporting supply and purchasing activities.
3. Use Figure 9-5 to illustrate a typical enterprise-class electronic commerce architecture.
4. Point out that enterprise-class commerce Web sites must include or work with supply chain management software.
5. Remind students that companies are building social networking elements into their sites to engage their customers and suppliers. Note that this need has given rise to software that automatically manages and rotates content on Web sites.
6. Mention that large electronic commerce sites must include customer relationship management software.

Content Management Software
1. Briefly discuss the uses of content management software.
2. Note that increased use of social media and networking as part of online business operations has made content management even more important, as all kinds of Web sites now put content online.
3. Before committing to a content management program, companies should perform testing to ensure that company employees find the software’s procedures for performing regular maintenance to be straightforward.
4. Note that the leading providers of content management software include IBM and Oracle.

Knowledge Management Software
1. Introduce the term knowledge management (KM) software.
2. Explain how KM software helps companies do four main things: collect and organize knowledge, share the knowledge among users, enhance the ability of users to collaborate, and preserve the knowledge gained through the use of information so that future users can benefit from the learning of current users.
3. Note that the major software vendors have KM software offerings, including IBM and Microsoft SharePoint.

Supply Chain Management Software
1. Introduce the term supply chain management (SCM).
2. Explain that SCM planning software helps companies develop coordinated demand forecasts using information from each participant in the supply chain. SCM execution software helps with tasks such as warehouse and transportation management.
3. Note that two companies that sell SCM software are JDA Software and Logility.
4. Point out that common supply chain management software components include those that manage demand planning, supply planning, and demand fulfillment.
5. Emphasize that the cost of SCM software implementations varies tremendously depending on how many locations (retail stores, wholesale warehouses, distribution centers, and manufacturing plants) are in the supply chain.

Customer Relationship Management Software
1. Ensure that students understand that the goal of customer relationship management (CRM) is to understand each customer’s specific needs and then customize a product or service to meet those needs. The idea is that a customer whose needs are being met exactly is willing to pay more for the goods or services that they need.
2. Introduce the term customer relationship management (CRM) software.

Teaching Tip
Learn about CRM integration in marketing automation: http://www.marketingautomationsoftware.com/blog/crm-integration-in-marketing-automation-1011111/.

3. Note that some companies create their own CRM software using outside consultants and their own IT staffs, but most companies today are more likely to buy a CRM software package than create their own.
4. Review major CRM vendors and their CRM software, such as Siebel Systems, Oracle CRM On Demand, SAP CRM, and Salesforce.com.

Quick Quiz 2
1. Software used in large online business operations is sometimes called ____ software.
Answer: enterprise-class
2. ____ software helps companies control the large amounts of text, graphics, and media files that have become crucial to doing business.
Answer: Content management
3. ____ software helps companies to coordinate planning and operations with their partners in the industry supply chains of which they are members.
Answer: Supply chain management (SCM)
4. (True or False) Most companies today are more likely to buy a customer relationship management package rather than create it on their own.
Answer: True

Class Discussion Topics
1. Discuss the security risks involved in allowing cookies to be stored on your computer.
2. Describe some of the interactions between systems that occur during transaction processing.
3. What are the advantages of having middleware developed in-house?

Additional Projects
1. In approximately 300 words, discuss the functions of middleware and the challenges faced by future middleware system designers.
2. Provide answers to the following questions:
• Why and how would you use Web services?
• What lies behind the Web services platform?
• Is it possible to use Web services to convert your applications into Web applications? Give reasons for your answer.

Additional Resources
1. Understanding Enterprise Application Integration: https://www.mulesoft.com/resources/esb/enterprise-application-integration-eai-and-esb
2. Supply Chain Management: http://www.itinfo.am/eng/supply-chain-management

Key Terms
• Abandoned cart management: software that enables the shopping cart to retain a record of what customers added to their shopping carts when their session is terminated and allows them to pick up where they left off when they return to the site after an interruption.
• Application: a program that performs a specific function, such as creating invoices, calculating payroll, or processing payments received from customers.
• Application program: a program that performs a specific function, such as creating invoices, calculating payroll, or processing payments received from customers.
• Application program interface (API): general name for the ways programs interconnect with each other.
• Application server: a computer that takes the request messages received by the Web server and runs application programs that perform some kind of action based on the contents of the request messages.
• Application service providers (ASPs): firms that often offer Web server management and rent application software (such as databases, shopping carts, and content management programs) to businesses.
• Application software: a program that performs a specific function, such as creating invoices, calculating payroll, or processing payments received from customers.
• Business logic: rules used in the business.
• Business rules: the rules a business establishes about its database structure; they are carefully thought out and take into account how the company does business.
• Catalog: a listing of goods and services.
• Collocation: the service provider rents a physical space to the client to install its own server hardware.
• Colocation: the service provider rents a physical space to the client to install its own server hardware.
• Co-location: the service provider rents a physical space to the client to install its own server hardware.
• Commerce service providers (CSPs): firms that often offer Web server management and rent application software (such as databases, shopping carts, and content management programs) to businesses.
• Component-based application system: separates presentation logic from business logic.
• Content management software: helps companies control the large amounts of text, graphics, and media files that have become a key part of doing business.
• Customer relationship management (CRM) software: obtains data from operations software that conducts activities such as sales automation, customer service center operations, and marketing campaigns.
• Database: a collection of information that is stored on a computer in a highly structured way.
• Database management software: software that makes it easy for users to enter, edit, update, and retrieve information in the database.
• Database manager: software that makes it easy for users to enter, edit, update, and retrieve information in the database.
• Dedicated hosting: the service provider makes a Web server available to the client, but the client does not share the server with other clients of the service provider.
• Distributed database systems: databases within large information systems that store the same data in many different physical locations.
• Distributed information systems: large information systems that store the same data in many different physical locations.
• Dynamic catalog: stores the information about items in a database, usually on a separate computer that is accessible to the server that is running the Web site itself.
• Enterprise application integration: the creation of links among scattered applications so that the organization’s business logic can be interconnected.
• Enterprise resource planning (ERP): business systems that integrate all facets of a business, including accounting, logistics, manufacturing, marketing, planning, project management, and treasury functions.
• Enterprise-class software: software used in large online business operations.
• Fulfillment integration: software that can connect a seller’s shopping cart directly to the fulfillment service provider’s computers so that shipping can be triggered automatically when the sale transaction is complete.
• Internal search engine: software that allows customers to enter descriptive search terms so they can quickly find the Web pages containing what they want to purchase.
• Interoperability: making a company’s information systems work together.
• Knowledge management (KM) software: helps to manage knowledge itself, rather than the documentary representations of that knowledge.
• Mall-style CSPs (commerce service providers): provide small businesses with a basic Web site, online store design tools, storefront templates, and an easy-to-use interface.
• Managed service providers (MSPs): firms that often offer Web server management and rent application software (such as databases, shopping carts, and content management programs) to businesses.
• Middleware: software that takes information about sales and inventory shipments from the electronic commerce software and transmits it to accounting and inventory management software in a form that these systems can read.
• Page-based application systems: return pages generated by scripts that include the rules for presenting data on the Web page along with the business logic.
• Product recommendation trigger: software tool that responds to a customer’s product selection with suggestions for related products or refills for products that have consumable elements.
• Product review management: software that allows customers to post reviews of products.
• Promotion management: software that allows sellers to create special offers (promotions) on specific products in response to variations in customer demand, seasonal preferences, introduction of new product varieties or package sizes, and any other variables chosen.
• Representational State Transfer (REST): principle that describes the way the Web uses networking architecture to identify and locate Web pages and the elements (graphics, audio clips, and so on) that make up those Web pages.
• RESTful applications: Web services built on the REST model using RESTful design.
• RESTful design: design of Web services built on the REST model.
• Scalable: Web server hardware and software combinations that can be adapted to meet changing requirements when their clients grow.
• Self-hosting: when companies doing business online use their own servers and server software.
• Shared hosting: the client’s Web site is on a server that hosts other Web sites simultaneously and is operated by the service provider at its location.
• Simple Object Access Protocol (SOAP): a message-passing protocol that defines how to send marked-up data from one software application to another across a network.
• Static catalog: simple list written in HTML that appears on a Web page or a series of Web pages.
• Stateless system: system that does not retain information from one transmission or session to another.
• Supply chain management (SCM) software: helps companies to coordinate planning and operations with their partners in the industry supply chains of which they are members.
• Transaction processing: occurs when the shopper proceeds to the virtual checkout counter by clicking a checkout button.
• Universal Description, Discovery, and Integration specification (UDDI): one of three SOAP rule sets that let programs work with formatted (using XML or HTML) data flows. UDDI works as a sort of address book to identify the locations of Web services and their associated WSDL descriptions.
• Web APIs: name for the way that programs interconnect with each other over the Web.
• Web services: software systems that support interoperable machine-to-machine interaction over a network.
• Web Services Description Language (WSDL): one of three SOAP rule sets that let programs work with formatted (using XML or HTML) data flows. WSDL is used to describe the logic unit characteristics of each Web service.

Chapter 10
Electronic Commerce Security

At a Glance

Instructor’s Manual Table of Contents
• Introduction
• Learning Objectives
• Teaching Tips
• Quick Quizzes
• Class Discussion Topics
• Additional Projects
• Additional Resources
• Key Terms

Lecture Notes

Introduction
An important element in maintaining security over individual and company online assets is the proper use of password protection. Experts agree that long, complex passwords that differ for each activity and are changed often are best. In practice, remembering dozens of complex passwords and changing them regularly is not something most people are willing to do.
One solution is a password management tool that creates and stores a large number of complex passwords and is accessed by a single master password. This is an appealing solution but has a weak link: if a user’s master password becomes compromised, all passwords are compromised. In 2015, LastPass was compromised and hackers were able to obtain users’ master passwords, e-mail addresses, and hints. LastPass had stored the master passwords in an encrypted form and was able to reset all the master passwords. However, it is possible that the hacker could have used passwords before they were changed. In this chapter, your students will learn more about threats to online security and the methods used to reduce the risk of loss due to those threats.

Learning Objectives
In this chapter, your students will learn:
• What security risks arise in online business and how to manage them
• How to create a security policy
• How to implement security on Web client computers
• How to implement security in the communication channels between computers
• How to implement security on Web server computers
• What organizations promote computer, network, and Internet security

Teaching Tips

Online Security Issues Overview
1. Note that today, security is a concern for everyone engaging in online transactions or communication regarding economic activities of any kind. This chapter outlines key security problems and presents some solutions to those problems.

Origins of Security on Interconnected Computer Systems
1. Point out that many computer security techniques were developed by the U.S. Department of Defense, including Trusted Computer System Evaluation Criteria (known as the “Orange Book” because its cover was orange), first issued in the late 1970s.
2. Review the factors that have made the need for comprehensive security risk controls more important than ever.

Computer Security and Risk Management
1. Introduce the terms computer security, physical security, logical security, threat, and countermeasure.
2. Use Figure 10-1 to illustrate four general actions that an organization could take, depending on the impact (cost) and the probability of the physical threat.
3. Introduce the terms eavesdropper and crackers (hackers).
4. Explain the difference between a white hat hacker and a black hat hacker.
5. Point out that to implement an effective security scheme, organizations must identify risks, determine how to protect threatened assets, and calculate how much to spend to protect those assets.

Teaching Tip
To learn more about hackers, see: https://www.cs.berkeley.edu/~bh/hacker.html

Elements of Computer Security
1. Note that computer security includes three main elements: secrecy, integrity, and necessity (also known as denial of service).
2. Introduce the terms integrity violation and man-in-the-middle exploit. Mention that necessity violations involve preventing or delaying access to data.

Establishing a Security Policy
1. Explain that a security policy is a written statement describing which assets to protect and why they are being protected, who is responsible for that protection, and which behaviors are acceptable and which are not.
2. Review the four-step process most organizations use when creating a security policy.
3. Note that once the security policy is written and approved by management, the organization commits resources to building or buying software, hardware, and physical barriers that implement the security policy.
4. Use Figure 10-2 to illustrate the requirements for secure electronic commerce.
5. Mention that security measures must be designed to work together to prevent unauthorized disclosure, destruction, or modification of assets. A good security policy should address the following:
• Authentication: Who is trying to access the site?
• Access control: Who is allowed to log on to and access the site?
• Secrecy: Who is permitted to view selected information?
• Data integrity: Who is allowed to change data?
• Audit: Who or what causes specific events to occur, and when?

Security for Client Devices
1. In this section, your students will learn that active content delivered over the Internet in dynamic Web pages can be harmful.
2. Mention that this section describes threats to client devices and outlines how to prevent or reduce the threats they pose.

Cookies and Web Bugs
1. Introduce the terms open session, session cookies, persistent cookies, first-party cookies, and third-party cookies.
2. Mention that the most complete way for Web site visitors to protect themselves from revealing private information or being tracked by cookies is to disable cookies entirely. Note that the problem with this approach is that useful cookies are blocked along with the others, requiring visitors to enter information each time they revisit a Web site.
3. Use Figure 10-3 to illustrate the dialog box that can be used to manage stored cookies in the Mozilla Firefox Web browser.
4. Explain that a Web bug (also called a Web beacon) is a tiny graphic that a third-party Web site places on another site’s Web page.

Teaching Tip
To learn more about cookies and Web bugs, see: http://www.scmagazine.com/cookies-and-web-bugs-and-spyware-oh-my/article/30616/

Active Content
1. Introduce the term active content. Note that active content can pose a threat to the security of client computers.
2. Introduce the terms JavaScript, scripting languages, applet, and sandbox. Note that when scripting languages are run in a sandbox, active content tools do not have full access to the client device.
3. Introduce the term ActiveX. Note that ActiveX controls run only on computers with Windows operating systems. Discuss the security danger associated with ActiveX controls.
4. Introduce the terms Trojan horse, zombie, and botnet/robotic network/zombie farm.
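Cookies tie together the Chapter 9 shopping cart (HTTP is stateless, so the cart must be keyed by something the browser sends back on every request) and the Chapter 10 distinctions between session and persistent cookies and between first-party and third-party cookies. The Python below is an added example, not code from the instructor’s manual or the textbook: it keeps the cart on the server behind an opaque random cookie, and it classifies constructed Set-Cookie headers the way the chapter classifies cookies. The host names, cookie values, and the two-label same-site check are simplifying assumptions made for the example.

```python
"""Added example: cookies as the state carrier for stateless HTTP.

Part (a) models a shopping cart whose contents live on the server; the
browser only holds an opaque random session id, so nothing in the cookie
itself describes prices or quantities that a client could edit.
Part (b) classifies Set-Cookie headers as session/persistent and
first-/third-party, as Chapter 10 does.
All host names and cookie values below are constructed for the example.
"""
import secrets
from http.cookies import SimpleCookie

# (a) Server-side cart store keyed by session id (in-memory stand-in for a database).
CARTS = {}


def new_cart_cookie():
    """Create an empty cart and return (session_id, Set-Cookie header value).

    The id is random and unguessable. HttpOnly keeps active content (scripts)
    from reading it, Secure keeps it off plain HTTP, and SameSite=Lax limits
    cross-site sending. No Expires/Max-Age is set, so it is a session cookie.
    """
    sid = secrets.token_urlsafe(32)
    CARTS[sid] = {}
    jar = SimpleCookie()
    jar["cartid"] = sid
    jar["cartid"]["httponly"] = True
    jar["cartid"]["secure"] = True
    jar["cartid"]["samesite"] = "Lax"
    jar["cartid"]["path"] = "/"
    return sid, jar["cartid"].OutputString()


def add_item(cookie_header, sku, qty):
    """Look up the shopper's cart from the request's Cookie header and add qty of sku.

    Returns the updated cart, or None when no valid cart id was sent; the site
    would then issue a fresh cookie rather than trust anything else the client
    supplied about its cart.
    """
    jar = SimpleCookie(cookie_header)
    sid = jar["cartid"].value if "cartid" in jar else None
    if sid not in CARTS:
        return None
    cart = CARTS[sid]
    cart[sku] = cart.get(sku, 0) + qty
    return dict(cart)


# (b) Classifying cookies as the security chapter does.
def same_site(host_a, host_b):
    """Crude same-site test on the last two DNS labels (an assumption for the
    example; real browsers consult the Public Suffix List instead)."""
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


def classify_cookies(responses, page_host):
    """responses: list of (response_host, Set-Cookie header value) pairs seen
    while the browser renders a page served from page_host.
    Returns {cookie_name: {"lifetime": ..., "party": ...}}.

    persistent: carries Expires or Max-Age, so it survives closing the browser
    third-party: set for a site other than the one the user is visiting
    """
    result = {}
    for response_host, header in responses:
        jar = SimpleCookie(header)
        for name, morsel in jar.items():
            persistent = bool(morsel["expires"]) or bool(morsel["max-age"])
            cookie_host = (morsel["domain"] or response_host).lstrip(".")
            result[name] = {
                "lifetime": "persistent" if persistent else "session",
                "party": "first" if same_site(cookie_host, page_host) else "third",
            }
    return result


if __name__ == "__main__":
    sid, set_cookie = new_cart_cookie()
    print("Set-Cookie:", set_cookie)
    print(add_item(f"cartid={sid}; theme=dark", "SKU-100", 2))
    print(classify_cookies([
        ("shop.example.com", set_cookie),
        ("shop.example.com", "prefs=blue; Max-Age=2592000; Path=/"),
        ("pixel.tracker.example",
         "uid=99; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.tracker.example"),
    ], "www.example.com"))
```

The third constructed header stands in for the Web bug case: a tiny image fetched from another site sets a long-lived cookie for that site, which is exactly the persistent, third-party combination the chapter warns about.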
Teaching Tip
To learn more about Java applets, see: http://docs.oracle.com/javase/tutorial/deployment/applet/security.html

Graphics and Plug-Ins

1. Point out that graphics, browser plug-ins, and e-mail attachments can harbor executable content.

2. Introduce the term plug-ins. Emphasize that plug-ins can pose security threats to client computers by executing commands buried within the media being manipulated.

Viruses, Worms, and Antivirus Software

1. Remind students that most users know that e-mail attachments can pose security risks to client devices.

2. Note that a virus is software that attaches itself to another program and can cause damage when the host program is activated.

3. Introduce the terms worm, macro virus, multivector virus, and antivirus software.

4. Introduce the term ransomware. Use the CryptoLocker Trojan as an example to describe this type of threat.

Digital Certificates

1. Introduce the term digital certificate. Explain how digital certificates can control threats from active content.

2. Introduce the terms signed code, certification authority (CA), and key.

3. Discuss the development and use of the Secure Sockets Layer-Extended Validation (SSL-EV) digital certificate.

4. Explain how your students can tell whether they are visiting a Web site that has an SSL-EV certificate by looking at the address window of their browser.

Steganography

1. Introduce the term steganography.

2. Explain that steganography provides a way of hiding an encrypted file within another file so that a casual observer cannot detect that there is anything of importance in the container file.

3. Emphasize that messages hidden using steganography are extremely difficult to detect.

Teaching Tip
To learn more about steganography, see: http://www.symantec.com/connect/articles/steganography-revealed

Physical Security for Client Devices

1. Introduce the term biometric security device.

Client Security for Mobile Devices

1. Introduce the terms remote wipe and rogue apps.

Quick Quiz 1

1.
____ is the protection of assets from unauthorized access, use, alteration, or destruction.
Answer: Computer security

2. A(n) ____ is a procedure that recognizes, reduces, or eliminates a threat.
Answer: countermeasure

3. A(n) ____ is a tiny graphic that a third-party Web site places on another site's Web page.
Answer: Web bug

4. A(n) ____ control is an object that contains programs and properties that Web designers place on Web pages to perform particular tasks.
Answer: ActiveX

5. A(n) ____ is a program hidden inside another program or Web page that masks its true purpose.
Answer: Trojan horse

Communication Channel Security

1. Students may find it interesting to learn that any message traveling on the Internet is subject to secrecy, integrity, and necessity threats. This section describes these problems in more detail and outlines several solutions for those problems.

Secrecy Threats

1. Discuss the differences between secrecy and privacy.

2. Introduce the term sniffer programs. Note that sniffer programs can read e-mail messages and unencrypted Web client-server message traffic, such as user logins, passwords, and credit card numbers.

3. Introduce the term backdoor. Explain that a backdoor allows anyone with knowledge of its existence to cause damage by observing transactions, deleting data, or stealing data.

4. Explain that Web users continually reveal information about themselves when they use the Web. This information includes IP addresses and the type of browser being used. Such data exposure is a secrecy breach.

5. Introduce the term anonymous Web services.

Integrity Threats

1. Introduce the terms active wiretapping, cyber vandalism, masquerading, spoofing, domain name servers (DNSs), and phishing expeditions.

Teaching Tip
To learn more about IP spoofing, see: http://www.symantec.com/connect/articles/ip-spoofing-introduction

Necessity Threats

1. Introduce the terms necessity threat, delay attack, denial attack, and denial-of-service (DoS) attack.

2.
Note that a botnet can be used to launch a simultaneous attack on a Web site in a distributed denial-of-service (DDoS) attack.

Threats to the Physical Security of Internet Communications Channels

1. Note that the Internet's packet-based network design precludes it from being shut down by an attack on a single communications link on that network.

2. Emphasize that despite this design feature, an individual user's Internet service could be interrupted by destruction of that user's link to the Internet because few individual users have multiple connections to an ISP.

Threats to Wireless Networks

1. Introduce the term Wireless Encryption Protocol (WEP), which is a set of rules for encrypting transmissions from the wireless devices to the WAPs.

2. Point out that companies that have large wireless networks are usually careful to turn on WEP in devices. Note, however, that smaller companies and individuals who have installed wireless networks in their homes often do not turn on the WEP security feature.

3. Introduce the terms war drivers and warchalking.

Encryption Solutions

1. Introduce the terms encryption and cryptography.

Encryption Algorithms

1. Introduce the terms plain text, cipher text, encryption program, encryption algorithm, decrypted, and decryption program.

Hash Coding

1. Explain that hash coding is a process that uses a hash algorithm to calculate a hash value.

2. Note that hash coding can indicate whether a message has been altered in transit because its original hash value and the hash value computed by the receiver will not match after a message is altered.

Asymmetric Encryption

1. Note that asymmetric encryption, or public-key encryption, encodes messages by using two mathematically related numeric keys.

2. Introduce the terms public key, private key, and Pretty Good Privacy (PGP).

Teaching Tip
To learn more about Pretty Good Privacy (PGP), see: http://www.tech-faq.com/pgp.html

Symmetric Encryption

1.
Note that symmetric encryption, also known as private-key encryption, encodes a message with an algorithm that uses a single numeric key, such as 456839420783, to encode and decode data.

2. Introduce the terms Data Encryption Standard (DES), Triple Data Encryption Standard (Triple DES or 3DES), and Advanced Encryption Standard (AES).

Comparing Asymmetric and Symmetric Encryption Systems

1. Use Figure 10-7 to show a graphical comparison of the hash coding, private-key, and public-key encryption methods.

Encryption in Web Browsers

1. Note that two encryption approaches are used to establish secure connections between Web servers and clients: the Secure Sockets Layer (SSL) system developed by Netscape Communications and the Secure Hypertext Transfer Protocol (S-HTTP) developed by CommerceNet.

2. Compare the goals of each encryption approach.

Secure Sockets Layer (SSL) Protocol

1. Discuss the topic of the Secure Sockets Layer (SSL) protocol.

2. Introduce the term session key. Walk through the description of an SSL-protected exchange between a browser and a Web server.

3. Review the SSL handshake shown in Figure 10-8.

Secure HTTP (S-HTTP)

1. Introduce the term session negotiation.

2. Explain that S-HTTP differs from SSL in the way it establishes a secure session. SSL carries out a client-server handshake exchange to set up a secure communication, but S-HTTP sets up security details with special packet headers exchanged in S-HTTP.

3. Introduce the term secure envelope.

Hash Functions, Message Digests, and Digital Signatures

1. Introduce the terms message digest and digital signature.

2. Use Figure 10-9 to illustrate how a digital signature and a signed message are created and sent.

Quick Quiz 2

1. ____ is the protection of individual rights to nondisclosure.
Answer: Privacy

2. ____ are the computers on the Internet that maintain directories that link domain names to IP addresses.
Answer: Domain name servers (DNSs), Domain name servers, DNSs

3.
____ is the coding of information by using a mathematically based program and a secret key to produce a string of characters that is unintelligible.
Answer: Encryption

4. A(n) ____ is a key used by an encryption algorithm to create cipher text from plain text during a single secure session.
Answer: session key

5. A(n) ____ encapsulates a message and provides secrecy, integrity, and client/server authentication.
Answer: secure envelope

Security for Server Computers

1. Explain that the server is the third link in the client-Internet-server electronic commerce path between the user and a Web server. The Web server administrator's job is to make sure that security policies are documented and implemented to minimize the impact of Web server threats.

Password Attack Threats

1. Note that one of the most sensitive files on a Web server is the file that holds Web server username-password pairs. An intruder who can access and read that file can enter privileged areas masquerading as a legitimate user.

2. Introduce the terms dictionary attack programs, passphrase, and password manager.

3. Use Figure 10-10 to illustrate examples of passwords that range from very weak to very strong.

Teaching Tip
To learn more about password management, see: http://www.pocket-lint.com/news/124283-password-managers-explained-the-best-apps-available-and-why-you-need-one

Database Threats

1. Explain that, if unauthorized users obtain user authentication information, they can masquerade as legitimate database users and reveal or download confidential and potentially valuable information.

Other Software-Based Threats

1. Introduce the terms buffer, buffer overrun (buffer overflow), and mail bomb.

Teaching Tip
To learn more about buffer overflows, see: http://arstechnica.com/security/2015/08/how-security-flaws-work-the-buffer-overflow/

Threats to the Physical Security of Web Servers

1.
Emphasize that Web servers and the computers that are networked closely to them, such as the database servers and application servers used to supply content and transaction-processing capabilities to electronic commerce Web sites, must be protected from physical harm.

Access Control and Authentication

1. Note that access control and authentication refer to controlling who and what has access to the Web server.

2. Explain how servers can authenticate users.

3. Note that many Web servers store usernames in plain text and encrypt passwords.

4. Introduce the term access control list (ACL).

Firewalls

1. Introduce the term firewall.

2. Point out that most organizations place a firewall at the Internet entry point of their networks. The firewall provides a defense between a network and the Internet or between a network and any other network that could pose a threat.

3. Review firewall operational principles.

4. Introduce the terms trusted, untrusted, packet-filter firewalls, gateway servers, proxy server firewalls, perimeter expansion, intrusion detection systems, and personal firewalls.

Organizations that Promote Computer Security

1. In this section, students will learn about organizations that share resources concerning threats to computer systems.

CERT

1. Point out that the Computer Emergency Response Team (CERT) responds to thousands of security incidents each year and provides a wealth of information to help Internet users and companies become more knowledgeable about security risks.

Teaching Tip
To learn more about the Computer Emergency Response Team (CERT), see: https://www.cert.org/about/

Other Organizations

1. Students should be familiar with the System Administrator, Audit, Network and Security (SANS) Institute, which operates the SANS Internet Storm Center, a Web site that provides current information on the location and intensity of computer attacks throughout the world.

2.
Other resources worth mentioning include Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS), the Center for Internet Security, CSO Online, and Infosecurity.com.

Teaching Tip
To learn more about the System Administrator, Audit, Network and Security (SANS) Institute, see: https://www.sans.org/about/

Computer Forensics and Ethical Hacking

1. Introduce the terms computer forensics experts (ethical hackers) and computer forensics.

Teaching Tip
To learn more about computer forensics, see: http://www.computerforensicsworld.com/

Quick Quiz 3

1. ____ cycle through an electronic dictionary, trying every word and common name as a password.
Answer: Dictionary attack programs

2. A(n) ____ is an area of memory set aside to hold data read from a file or database.
Answer: buffer

3. A(n) ____ is a list or database of files and other resources and the usernames of people who can access the files and other resources.
Answer: access control list (ACL), access control list, ACL

4. A(n) ____ is software or a hardware-software combination that is installed in a network to control the packet traffic moving through it.
Answer: firewall

Class Discussion Topics

1. How does a firewall protect a computer network from unauthorized access?

2. Discuss the difference between types of firewalls.

Additional Projects

1. Write a 300-word paper in which you evaluate the SANS organization. Include information about when it was founded, what groups or people are members, and where it is headquartered. Discuss at least three current security alerts, specifying the name of the virus or attack program, the date the alert was posted, and a brief description of each reported security alert. Use Internet search engines and the SANS Web site to help you locate information.

2. Create an Acceptable Use Policy for your school's computer lab.
Include the following headings:
• Overview
• Purpose
• Scope
• General Use and Ownership
• Security and Proprietary Information
• Unacceptable Use
• System and Network Activities
• E-mail and Communication Activities
• Blogging
• Enforcement

Additional Resources

1. JavaScript: http://www.javascriptsource.com

2. Advantages and Disadvantages of Digital Signatures: http://lerablog.org/technology/data-security/advantages-and-disadvantages-of-digital-signatures/

3. What is a Man-in-the-Middle Attack?: https://blog.kaspersky.com/man-in-the-middle-attack/

4. How Firewalls Work: http://computer.howstuffworks.com/firewall.htm

5. HTTPS: The S is More Than Just a Letter: http://www.zonealarm.com/blog/2014/02/https-the-s-is-more-than-just-a-letter/

Key Terms

• Access control list (ACL): a list or database of files and other resources and the usernames of people who can access files and other resources.
• Active content: programs that run when a client device loads a Web page.
• Active wiretapping: type of integrity threat that exists when an unauthorized party can alter a message stream of information.
• ActiveX: an object that contains programs and properties that Web designers place on Web pages to perform particular tasks.
• Advanced Encryption Standard (AES): an encryption standard stronger than Triple DES, designed to keep government information secure.
• Anonymous Web services: hide personal information from sites visited.
• Antivirus software: detects viruses and worms and either deletes them or isolates them on the client computer so they cannot run.
• Applet: a small application program.
• Asymmetric encryption: encodes messages by using two mathematically related numeric keys.
• Backdoor: an element of a program (or a separate program) that allows users to run the program without going through the normal authentication procedure for access to the program.
• Biometric security device: one that uses an element of a person's biological makeup to perform identification.
• Black hat hacker: hacker with bad intentions.
• Botnet: short for robotic network. Large number of computers that can act as an attacking unit, sending spam or launching denial-of-service attacks against specific Web sites.
• Buffer: an area of memory set aside to hold data read from a file or database.
• Buffer overflow: error that occurs when programs filling buffers malfunction and overfill the buffer, spilling the excess data outside the designated buffer memory area.
• Buffer overrun: error that occurs when programs filling buffers malfunction and overfill the buffer, spilling the excess data outside the designated buffer memory area.
• Certification authority (CA): issues digital certificates.
• Cipher text: unintelligible string of characters.
• Computer forensics: responsible for the collection, preservation, and analysis of computer-related evidence.
• Computer forensics experts: computer sleuths hired to probe PCs and locate information that can be used in legal proceedings.
• Computer security: the protection of assets from unauthorized access, use, alteration, or destruction.
• Countermeasure: a procedure that recognizes, reduces, or eliminates a threat.
• Crackers: write programs or manipulate technologies to obtain unauthorized access to computers and networks.
• Cryptography: converts text to other text that is visible but does not appear to have any meaning.
• Cyber vandalism: the electronic defacing of an existing Web site's page.
• Data Encryption Standard (DES): the U.S. government's primary method of private-key encryption from 1976 through 1999.
• Decrypted: decoded message.
• Decryption program: type of encryption-reversing procedure.
• Delay attack: necessity threat that disrupts normal computer processing, or denies processing entirely.
• Denial attack: necessity threat that disrupts normal computer processing, or denies processing entirely.
• Denial-of-service (DoS) attack: necessity threat that disrupts normal computer processing, or denies processing entirely.
• Dictionary attack programs: cycle through an electronic dictionary, trying every word and common name as a password.
• Digital certificate: an attachment to an e-mail message or a program embedded in a Web page that verifies that the sender or Web site is who or what it claims to be.
• Digital signature: an encrypted message digest created using a private key.
• Distributed denial-of-service (DDoS) attack: an attack in which all of the computers in a botnet simultaneously attack a Web site (or a number of Web sites).
• Domain name servers (DNSs): the computers on the Internet that maintain directories that link domain names to IP addresses.
• Eavesdropper: a person or device that can listen in on and copy Internet transmissions.
• Encryption: the coding of information by using a mathematically based program and a secret key to produce a string of characters that is unintelligible.
• Encryption algorithm: the logic behind an encryption program that includes the mathematics used to do the transformation from plain text to cipher text.
• Encryption program: the program that transforms normal text, called plain text, into cipher text.
• Ethical hackers: computer sleuths hired to probe PCs and locate information that can be used in legal proceedings.
• Firewall: software or a hardware-software combination that is installed in a network to control the packet traffic moving through it.
• First-party cookies: cookies placed on the client computer by the Web server site.
• Gateway servers: firewalls that filter traffic based on the application requested.
• Hackers: write programs or manipulate technologies to obtain unauthorized access to computers and networks.
• Hash algorithm: used to calculate a number.
• Hash coding: a process that uses a hash algorithm to calculate a number, called a hash value, from a message of any length.
• Hash value: number created by a hash algorithm.
• Integrity: preventing unauthorized data modification.
• Integrity violation: occurs whenever a message is altered while in transit between the sender and receiver.
• Intrusion detection systems: designed to monitor attempts to log in to servers and analyze those attempts for patterns that might indicate a cracker's attack is underway.
• JavaScript: used to deliver active content. Scripting language that provides scripts, or commands, that are executed on the client.
• Key: a number, usually a long binary number, that is used with the encryption algorithm to "lock" the characters of the message being protected so that they are undecipherable without the key.
• Logical security: protection of assets using nonphysical means.
• Macro virus: a type of virus that is coded as a small program, called a macro, and is embedded in a file.
• Mail bomb: an attack in which excessive data is sent to a mail server.
• Man-in-the-middle exploit: integrity violation that occurs when an Internet e-mail message is intercepted and its contents are changed before it is forwarded to its original destination.
• Masquerading: pretending to be someone you are not, or representing a Web site as an original when it is a fake; one means of disrupting Web sites.
• Message digest: a number that summarizes encrypted information.
• Multivector virus: can enter a computer system in several different ways (vectors).
• Necessity: refers to preventing data delays or denials (removal).
• Necessity threat: purpose is to disrupt normal computer processing or deny processing entirely. Usually occurs as a delay attack, denial attack, or denial-of-service (DoS) attack.
• Open session: no continuous connection is maintained between any client and server on the Internet.
• Packet-filter firewalls: examine all data flowing back and forth between the trusted network (within the firewall) and the Internet.
• Passphrase: sequence of words or text that is easy to remember but complex enough to serve as either a good password itself or a prompt to remember a good password.
• Password manager: software that securely stores all of a person's passwords.
• Perimeter expansion: the problem that results when companies locate computers outside the traditional boundaries of the company's physical site, expanding the number of computers that must be protected by the firewall.
• Persistent cookies: remain on the client computer indefinitely.
• Personal firewalls: software-only firewalls installed on individual client computers.
• Phishing expeditions: exploits that capture confidential customer information.
• Physical security: includes tangible protection devices, such as alarms, guards, fireproof doors, security fences, safes or vaults, and bombproof buildings.
• Plain text: normal text.
• Plug-ins: programs that enhance the capabilities of browsers; handle Web content that a browser cannot handle.
• Pretty Good Privacy (PGP): used to implement public-key encryption.
• Privacy: the protection of individual rights to nondisclosure.
• Private key: kept by the key owner to decrypt all messages received.
• Private-key encryption: encodes a message with one of several available algorithms that use a single numeric key, such as 456839420783, to encode and decode data.
• Proxy server firewalls: firewalls that communicate with the Internet on the private network's behalf.
• Public key: used to encrypt messages using one of several different encryption algorithms.
• Public-key encryption: encodes messages by using two mathematically related numeric keys.
• Ransomware: a Trojan that encrypts files on the victim computer and demands a payment for the key to unlock them.
• Remote wipe: clears all of the personal data stored on the device, including e-mails, text messages, contact lists, photos, videos, and any type of document file, if a mobile device is stolen.
• Robotic network: large number of computers that can act as an attacking unit, sending spam or launching denial-of-service attacks against specific Web sites.
• Rogue apps: apps that contain malware or that collect information from the mobile device and forward it to perpetrators.
• Sandbox: a functional subset of the full browser.
• Scripting languages: provide scripts, or commands, that are executed on the client.
• Secrecy: protecting against unauthorized data disclosure and ensuring the authenticity of the data source.
• Secure envelope: encapsulates and encrypts a message, which provides secrecy, integrity, and client/server authentication.
• Secure Hypertext Transfer Protocol (S-HTTP): an extension to HTTP that provides a number of security features, including client and server authentication, spontaneous encryption, and request/response nonrepudiation.
• Secure Sockets Layer (SSL): used to establish secure connections between Web servers and clients.
• Secure Sockets Layer-Extended Validation (SSL-EV) digital certificate: new type of certificate for which a certification authority must confirm the legal existence of the organization by verifying the organization's registered legal name, registration number, registered address, and physical business address.
• Security policy: a written statement describing which assets to protect and why they are being protected, who is responsible for that protection, and which behaviors are acceptable and which are not.
• Session cookies: exist until the Web client ends the connection.
• Session key: used by an encryption algorithm to create cipher text from plain text during a single secure session.
• Session negotiation: when establishing S-HTTP security, the process of proposing and accepting (or rejecting) various transmission conditions.
• Signed code: provides proof that the holder is the person identified by the certificate.
• Sniffer programs: provide the means to record information that passes through a computer or router that is handling Internet traffic.
• Spoofing: pretending to be someone you are not, or representing a Web site as an original when it is a fake; one means of disrupting Web sites.
• Steganography: the process of hiding information (a command, for example) within another piece of information.
• Symmetric encryption: encodes a message with one of several available algorithms that use a single numeric key, such as 456839420783, to encode and decode data.
• Third-party cookies: originate on a Web site other than the site being visited.
• Threat: any act or object that poses a danger to computer assets.
• Triple Data Encryption Standard (Triple DES or 3DES): a stronger version of the Data Encryption Standard.
• Trojan horse: a program hidden inside another program or Web page that masks its true purpose.
• Trusted: network inside the firewall.
• Untrusted: network outside the firewall.
• Warchalking: a practice used by war drivers when they find an open network (or a WAP that has a common default login and password) of placing a chalk mark on the building so that other attackers will know that an easily entered wireless network is nearby.
• War drivers: attackers who drive around in cars using their wireless-equipped laptop computers to search for accessible networks.
• Web bug (Web beacon): a tiny graphic that a third-party Web site places on another site's Web page.
• White hat hacker: hacker with good intentions.
• Wireless Encryption Protocol (WEP): a set of rules for encrypting transmissions from the wireless devices to WAPs.
• Worm: a type of virus that replicates itself on the computers that it infects.
• Zombie: a Trojan horse that secretly takes over another computer for the purpose of launching attacks on other computers.
• Zombie farm: large number of computers that can act as an attacking unit, sending spam or launching denial-of-service attacks against specific Web sites.

Instructor Manual for Electronic Commerce, Gary P. Schneider, 9781305867819
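The Hash Coding and Hash Functions, Message Digests, and Digital Signatures sections above describe two steps that are easiest to see in running code: the receiver recomputing a hash value to detect alteration in transit, and a digital signature being a message digest encrypted with the sender's private key and checked with the public key. The following is an added worked example, not code from the textbook or the instructor manual. It assumes a toy RSA key pair built from two known Mersenne primes so the arithmetic stays visible (real keys use much larger random primes), and because the toy modulus is only about 92 bits it signs the first 88 bits of the SHA-256 digest; the message, function names, and truncation are all constructed for illustration.

```python
import hashlib

# Toy RSA key pair built from two known Mersenne primes so the arithmetic is
# visible (assumption for illustration only; real keys use ~2048-bit random primes).
P = 2 ** 31 - 1
Q = 2 ** 61 - 1
MODULUS = P * Q
PUBLIC_EXPONENT = 65537
PRIVATE_EXPONENT = pow(PUBLIC_EXPONENT, -1, (P - 1) * (Q - 1))

# The toy modulus is only ~92 bits, so the signature covers the first 88 bits of
# the SHA-256 digest; with a real-size key the whole digest is signed.
DIGEST_BYTES = 11


def hash_value(message: bytes) -> str:
    """Hash coding: a fixed-length value computed from a message of any length."""
    return hashlib.sha256(message).hexdigest()


def altered_in_transit(sent: bytes, received: bytes) -> bool:
    """The receiver recomputes the hash; a mismatch means the message changed."""
    return hash_value(sent) != hash_value(received)


def message_digest(message: bytes) -> int:
    """Digest as an integer small enough to fit under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:DIGEST_BYTES], "big")


def sign(message: bytes) -> int:
    """Digital signature: the message digest encrypted with the sender's private key."""
    return pow(message_digest(message), PRIVATE_EXPONENT, MODULUS)


def verify(message: bytes, signature: int) -> bool:
    """The receiver decrypts the signature with the public key and compares it with
    the digest it computes itself, which checks both origin and integrity."""
    return pow(signature, PUBLIC_EXPONENT, MODULUS) == message_digest(message)


def send_signed(message: bytes) -> dict:
    """What actually travels: the plain message plus its signature."""
    return {"message": message, "signature": sign(message)}


if __name__ == "__main__":
    # Constructed sample order; changing a single character breaks both checks.
    order = b"Ship 10 units of item 4471 to 42 Main St"
    packet = send_signed(order)
    print("signature valid:", verify(packet["message"], packet["signature"]))
    tampered = b"Ship 100 units of item 4471 to 42 Main St"
    print("tampered detected by hash:", altered_in_transit(order, tampered))
    print("tampered rejected by signature:", not verify(tampered, packet["signature"]))
```

The hash alone only tells a receiver that the message differs from some reference copy; it is the private-key step that ties the digest to a particular sender, which is why the signature, and not just the hash value, is what an attacker without the private key cannot forge.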
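The Password Attack Threats and Access Control and Authentication sections above note that the username-password file is one of the most sensitive files on a Web server, that dictionary attack programs try every common word as a password, and that servers keep usernames in plain text while encrypting (in practice, hashing) the passwords. The following is an added example of how a server can keep that file from yielding usable credentials if it is read; it is not code from the textbook or the instructor manual. The word list, the 200,000-round PBKDF2 work factor, and the storage format are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of the words a dictionary attack program tries first
# (assumption: a real word list is far larger).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "summer", "football"}

PBKDF2_ROUNDS = 200_000  # work factor that slows every guess against a stolen file


def is_acceptable_password(candidate: str) -> bool:
    """Policy check at registration: long enough, and not a dictionary word
    dressed up with the usual trailing digits or punctuation."""
    core = candidate.lower().rstrip("0123456789!@#$")
    return len(candidate) >= 12 and core not in COMMON_WORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Never store the password itself: store a per-user salted, slow hash.
    Reading the file then yields nothing an intruder can log on with directly."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, rounds, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_password_file(users: dict) -> dict:
    """Username in plain text (as the text notes servers do), password only as a hash.
    Raises ValueError for passwords that fail the policy check."""
    password_file = {}
    for username, password in users.items():
        if not is_acceptable_password(password):
            raise ValueError("password for %s fails the dictionary/length policy" % username)
        password_file[username] = hash_password(password)
    return password_file


if __name__ == "__main__":
    # Constructed accounts: a passphrase passes the policy, a dictionary word does not.
    record = build_password_file({"alice": "correct horse battery staple"})
    print(record["alice"])
    print("login ok:", verify_password("correct horse battery staple", record["alice"]))
    print("Summer2016! acceptable:", is_acceptable_password("Summer2016!"))
```

Two details matter for the threat the section describes: the per-user random salt means two users with the same password get different stored values, so a dictionary cannot be hashed once and compared against the whole file, and the high round count makes each guess expensive, which is what turns a readable password file from an immediate break-in into a slow offline effort.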
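The Firewalls section above introduces packet-filter firewalls, which examine every packet flowing between the trusted network inside the firewall and the untrusted Internet, and the Integrity Threats section introduces spoofing. The following is an added example of a packet filter's operating principle, not code from the textbook or the instructor manual: an ordered rule table evaluated top to bottom with a default of deny, plus an anti-spoofing check that drops packets arriving from the Internet that claim a trusted source address. The 10.0.0.0/8 trusted network, the Web server address 10.1.0.5, the rule set, and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: 10.0.0.0/8 is the trusted network inside the firewall.
TRUSTED_NETWORK = ipaddress.ip_network("10.0.0.0/8")
WEB_SERVER = "10.1.0.5"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str            # "tcp" or "udp"
    dst_port: int
    from_internet: bool      # True if it arrived on the untrusted (Internet-facing) interface


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src_net: str
    dst_net: str
    protocol: str            # "tcp", "udp", or "any"
    dst_port: Optional[int]  # None matches any port

    def matches(self, packet: Packet) -> bool:
        return (ipaddress.ip_address(packet.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(packet.dst) in ipaddress.ip_network(self.dst_net)
                and self.protocol in ("any", packet.protocol)
                and self.dst_port in (None, packet.dst_port))


# Evaluated top to bottom, first match wins; the final rule makes the default "deny".
RULES = [
    Rule("allow", "0.0.0.0/0", WEB_SERVER + "/32", "tcp", 443),  # public HTTPS to the Web server only
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "any", None),       # trusted hosts may initiate outbound
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),         # everything else is dropped
]


def filter_packet(packet: Packet, rules=RULES) -> str:
    """Return "allow" or "deny" for one packet."""
    # Anti-spoofing: a packet from the Internet claiming a trusted source address is
    # a masquerading attempt and is dropped before the rule table is consulted.
    if packet.from_internet and ipaddress.ip_address(packet.src) in TRUSTED_NETWORK:
        return "deny"
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample traffic seen at the Internet entry point.
    samples = [
        Packet("203.0.113.7", WEB_SERVER, "tcp", 443, True),   # customer browsing the store
        Packet("203.0.113.7", WEB_SERVER, "tcp", 22, True),    # unsolicited admin-port probe
        Packet("10.0.0.8", WEB_SERVER, "tcp", 22, True),       # spoofed "inside" address
        Packet("10.0.0.8", "198.51.100.1", "udp", 53, False),  # inside host doing a DNS lookup
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.protocol, p.dst_port, "=>", filter_packet(p))
```

This filter is stateless: it judges each packet on its own, so the reply packets for the inside host's outbound connections would need their own allow rule. Keeping connection state, or handing the traffic to a proxy server firewall as the section describes, is how deployed firewalls avoid opening such broad return-path holes.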