Academic Tutorial Paper - Answer

  • June 2020
  • PDF

Academic Tutorial Answers

QUESTION 1

a) Security risk management consists of four phases:

i) Risk Assessment: The organisation evaluates its security risks by identifying its assets, the vulnerabilities of its systems, and the potential threats to those vulnerabilities. Two ways to evaluate vulnerabilities are to use the services of a consultant to study the types of attacks the site is facing, or to deploy a honeynet.

ii) Planning: The goal of this phase is to arrive at a set of policies defining which threats are tolerable and which are not, and to define the general measures to be taken against those threats that are intolerable.

iii) Implementation: Particular technologies are chosen to counter the high-priority threats. The selection of technologies is based on the general guidelines established in the planning phase.

iv) Monitoring: This is an ongoing process used to determine which measures are successful, which are unsuccessful and need modification, whether new types of threats have appeared, and so on.

b) (i) Auditing: The process of collecting information about attempts to access particular resources, use particular privileges, or perform other security-relevant actions. A log file records every attempt to access a web page or data in a database. Audit records provide a means to reconstruct the actions that were taken and to identify who took them.
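The audit trail described above, as an added example that is not part of the original tutorial: a small append-only, hash-chained audit log in Go. Each record stores the hash of its predecessor, so a record altered after the fact is detected on verification, and the log can be replayed to reconstruct one actor's actions. The record fields, the constructed sample entries and the chaining scheme are this example's own assumptions, not a standard log format.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// AuditRecord is one log entry: who attempted what, on which resource,
// and whether it was allowed. Field names are this example's own choice.
type AuditRecord struct {
	Seq      int    `json:"seq"`
	Time     string `json:"time"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Resource string `json:"resource"`
	Result   string `json:"result"` // "allowed" or "denied"
	Prev     string `json:"prev"`   // hex hash of the previous record
	Hash     string `json:"hash"`   // hex hash of this record
}

// hashRecord hashes every field except Hash itself; because Prev is
// included, each record is bound to its predecessor.
func hashRecord(r AuditRecord) string {
	r.Hash = ""
	b, _ := json.Marshal(r) // struct field order is fixed, so this is deterministic
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuditLog is an append-only, hash-chained list of records.
type AuditLog struct {
	records []AuditRecord
}

// Append adds a record, linking it to the hash of the last one.
func (l *AuditLog) Append(t, actor, action, resource, result string) {
	prev := ""
	if n := len(l.records); n > 0 {
		prev = l.records[n-1].Hash
	}
	r := AuditRecord{Seq: len(l.records), Time: t, Actor: actor, Action: action,
		Resource: resource, Result: result, Prev: prev}
	r.Hash = hashRecord(r)
	l.records = append(l.records, r)
}

// Lines serialises the log as JSON lines, one record per line.
func (l *AuditLog) Lines() string {
	var sb strings.Builder
	for _, r := range l.records {
		b, _ := json.Marshal(r)
		sb.Write(b)
		sb.WriteByte('\n')
	}
	return sb.String()
}

// Verify re-reads a JSON-lines log and checks the chain: each record's hash
// must match its contents and its Prev must equal the previous record's hash.
// It returns the sequence number of the first bad record, or -1 if intact.
func Verify(lines string) int {
	prev := ""
	for i, line := range strings.Split(strings.TrimSpace(lines), "\n") {
		var r AuditRecord
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return i
		}
		if r.Prev != prev || r.Hash != hashRecord(r) {
			return i
		}
		prev = r.Hash
	}
	return -1
}

// ActionsBy reconstructs, in order, what one actor did.
func ActionsBy(lines, actor string) []string {
	var out []string
	for _, line := range strings.Split(strings.TrimSpace(lines), "\n") {
		var r AuditRecord
		if json.Unmarshal([]byte(line), &r) == nil && r.Actor == actor {
			out = append(out, fmt.Sprintf("%s %s %s (%s)", r.Time, r.Action, r.Resource, r.Result))
		}
	}
	return out
}

// SampleLog builds a constructed log of a few access attempts.
func SampleLog() string {
	var l AuditLog
	l.Append("2020-06-01T09:00:00Z", "alice", "read", "/orders/42", "allowed")
	l.Append("2020-06-01T09:01:10Z", "bob", "read", "/admin/users", "denied")
	l.Append("2020-06-01T09:02:30Z", "bob", "sudo", "db.customers", "allowed")
	return l.Lines()
}

func main() {
	log := SampleLog()
	fmt.Print(log)
	fmt.Println("intact:", Verify(log) == -1)
	for _, a := range ActionsBy(log, "bob") {
		fmt.Println("bob:", a)
	}
	// Editing a record after the fact breaks the chain at that record.
	tampered := strings.Replace(log, `"result":"denied"`, `"result":"allowed"`, 1)
	fmt.Println("first bad record after tampering:", Verify(tampered))
}
```

A plain hash chain only shows that the log has been changed, not who could have written it; in practice the hash of each batch is signed or forwarded to a separate log host that the audited systems cannot modify, and the file is written with append-only permissions.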

(ii) Data Confidentiality: Keeping private or sensitive information from being disclosed to unauthorised individuals, entities, or software processes. It is intertwined with the notion of data privacy, which is now a regulatory issue in many countries. Confidentiality is usually ensured with encryption. Examples of confidential information: credit card numbers, business plans, who has visited which web site.

(iii) Non-Repudiation: The ability to prevent parties from denying that a legitimate transaction took place, usually by means of a signature. If an order is placed through a mail-order catalogue and paid by cheque, it is difficult to dispute the veracity of the order, because the signed cheque is evidence. By contrast, if the same item is ordered through the company's website and paid by credit card, the person can always claim that he did not place the order, unless something equivalent to a signature was captured.
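The website order with a digital signature standing in for the signature on a mail-order form, as an added example (not code from the original tutorial). It uses Ed25519 from the Go standard library; the Order fields, the serialisation format and the function names are this example's own assumptions, not a real merchant protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Order is the purchase the buyer commits to. What gets signed is the fixed
// rendering produced by Bytes (a constructed format for this example).
type Order struct {
	OrderID  string
	Customer string
	Item     string
	Amount   int // whole currency units, for simplicity
}

func (o Order) Bytes() []byte {
	return []byte(fmt.Sprintf("order=%s;customer=%s;item=%s;amount=%d",
		o.OrderID, o.Customer, o.Item, o.Amount))
}

// NewCustomerKey generates the buyer's signing key pair. The private half
// stays with the buyer; the merchant and issuer hold only the public half.
func NewCustomerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignOrder is what the buyer's software does when placing the order.
func SignOrder(priv ed25519.PrivateKey, o Order) []byte {
	return ed25519.Sign(priv, o.Bytes())
}

// VerifyOrder is what the merchant, or later an arbitrator, does.
func VerifyOrder(pub ed25519.PublicKey, o Order, sig []byte) bool {
	return ed25519.Verify(pub, o.Bytes(), sig)
}

func main() {
	pub, priv := NewCustomerKey()
	order := Order{OrderID: "A-1001", Customer: "alice", Item: "laptop", Amount: 999}
	sig := SignOrder(priv, order)
	fmt.Println("signature:", hex.EncodeToString(sig))
	fmt.Println("order as placed verifies:", VerifyOrder(pub, order, sig))

	// Dispute: the buyer claims she ordered something cheaper. The stored
	// signature matches only the order exactly as it was placed.
	changed := order
	changed.Amount = 9
	fmt.Println("altered order verifies:", VerifyOrder(pub, changed, sig))

	// And nobody else could have produced it: a signature made with another
	// key does not verify under the buyer's public key.
	_, otherPriv := NewCustomerKey()
	fmt.Println("signature from another key verifies:",
		VerifyOrder(pub, order, SignOrder(otherPriv, order)))
}
```

For the signature to count as non-repudiation in a dispute, the public key must be bound to the buyer's identity (for example by a certificate from the issuer), the private key must be held where only the buyer can use it, and the merchant must store the exact bytes that were signed together with the signature; otherwise the buyer can still claim that someone else held the key.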

c) Denial-of-Service Attack: An attack on a web site or online service in which an attacker uses specialised software to send a flood of packets or requests to the target computer with the aim of exhausting its resources (bandwidth, connections, CPU, memory). As a result, the online service is no longer available to legitimate users.

d) Possible technologies: firewall, packet-filtering router, application-level proxy, gateways.

Firewall: A network node, consisting of both hardware and software, that isolates a private network from a public network and enforces a policy on the traffic passing between them.


QUESTION 2

a) Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Although this risk applies to any organisation in business, it is of particular relevance to the banking sector: any unanticipated event can result in the institution's inability to deliver its products or services, and the risk exists in every product and service offered.

b) (Any two of the following examples: fraud, system failures, terrorism and employee compensation claims.) A typical answer:

• System failures: System failures can be the result of applications that have bugs, which cause the system to make errors in processing. Example: the date format. In Mauritius we use the format dd-mm-yyyy, whereas systems can be based on the American convention mm-dd-yyyy; a date such as 03-04-2020 is then silently read as a different day. This type of bug can result in disastrous failures. Secondly, employees who lack training can misuse application functionality, once more resulting in operational failures.

• Terrorism: Events such as the September 11 terrorist attacks can cause system failures. Other well-known operational-risk events are the rogue-trading losses at Barings, AIB and National Australia Bank, which were cases of fraud rather than terrorism. Terrorism, system failures and fraud are all directly related to operational risk.
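The date-format failure from the system-failures example, as an added illustration in Go that is not part of the original answer. It shows which inputs are misread rather than rejected when a dd-mm-yyyy date reaches an mm-dd-yyyy system, and a strict parser that accepts only an unambiguous layout. The sample dates and function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const (
	layoutMauritius = "02-01-2006" // dd-mm-yyyy
	layoutUS        = "01-02-2006" // mm-dd-yyyy
	layoutISO       = "2006-01-02" // yyyy-mm-dd, unambiguous
)

// ParseBoth parses the same string under both regional conventions. An error
// from one layout means the digits only make sense under the other; the
// dangerous case is when both succeed and disagree.
func ParseBoth(s string) (mu, us time.Time, muErr, usErr error) {
	mu, muErr = time.Parse(layoutMauritius, s)
	us, usErr = time.Parse(layoutUS, s)
	return
}

// Ambiguous reports whether a dd-mm-yyyy string would be silently accepted
// as a different date by an mm-dd-yyyy system.
func Ambiguous(s string) bool {
	mu, us, muErr, usErr := ParseBoth(s)
	return muErr == nil && usErr == nil && !mu.Equal(us)
}

// ParseStrict is the fix: only the ISO 8601 layout is accepted, so a date
// typed in either regional convention is rejected instead of misread.
func ParseStrict(s string) (time.Time, error) {
	t, err := time.Parse(layoutISO, s)
	if err != nil {
		return time.Time{}, errors.New("date must be yyyy-mm-dd: " + s)
	}
	return t, nil
}

func describe(t time.Time, err error) string {
	if err != nil {
		return "rejected"
	}
	return t.Format(layoutISO)
}

func main() {
	// Constructed inputs: an ambiguous date, one only valid as dd-mm-yyyy,
	// and an ISO date.
	for _, s := range []string{"03-04-2020", "13-04-2020", "2020-04-03"} {
		mu, us, muErr, usErr := ParseBoth(s)
		fmt.Printf("%-12s dd-mm-yyyy -> %-10s mm-dd-yyyy -> %-10s ambiguous=%v\n",
			s, describe(mu, muErr), describe(us, usErr), Ambiguous(s))
		if _, err := ParseStrict(s); err != nil {
			fmt.Println("             strict parser:", err)
		}
	}
}
```

Days 1 to 12 are exactly the ones that parse under both layouts, so roughly 40% of dates are misread without any error being raised; the remaining 60% fail loudly, which is why such a bug can stay hidden in testing and then corrupt real records.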

c) The level of transaction risk is affected by the structure of the institution's processing environment, including the types of services offered and the complexity of the processes and supporting technology. E-banking activities will increase (in most instances):
− the complexity of the institution's activities;
− the quantity of its transaction/operations risk, especially if the institution is offering innovative services that have not been standardised.
Financial institutions should therefore ensure that their e-banking infrastructures contain sufficient capacity and redundancy to provide reliable service availability.

d) Controlling transaction risk lies in adopting effective policies, procedures, and controls to meet the new risk exposures introduced by e-banking:

• Basic internal controls, including segregation of duties, dual controls, and reconcilements.

• Information security controls become more significant, requiring additional processes, tools, expertise, and testing.

• Institutions should determine the appropriate level of security controls based on their assessment of the sensitivity of the information to the customer and to the institution, and on the institution's established risk tolerance level.

QUESTION 3

a) In any e-payment method, there are five parties involved:
1. Customer/payer/buyer: The party making the e-payment in exchange for goods or services.
2. Merchant/payee/seller: The party receiving the e-payment in exchange for goods or services.
3. Issuer: The bank or non-banking institution that issues the e-payment instrument used to make the purchase.
4. Regulator: Usually a government agency whose regulations control the e-payment process.
5. Automated Clearing House (ACH): An electronic network that transfers money between bank accounts (in Mauritius, the Mauritius Automated Clearing and Settlement System, MACSS).

b) Crucial factors in any e-payment system:
1. Independence: Some e-payment methods require specialised software or hardware. These are less likely to succeed.
2. Interoperability and portability: All forms of e-commerce run on specific systems that are interconnected with the enterprise system. An e-payment method must be able to connect to these existing systems and applications.
3. Security: How safe is a transfer? If the payer's risk is higher than the payee's risk, the method is unlikely to be adopted.
4. Anonymity: Just as paying with cash is not traceable, some buyers want their identities and transactions to remain anonymous.
5. Divisibility: Sellers accept credit cards for a range of amounts (a minimum and a maximum value). Below the minimum and above the maximum, credit cards cannot be used. A method that can cover this lower and upper bound, as well as the span in the middle, has a high chance of being accepted.
6. Ease of use: In B2C, credit cards are the standard because of their ease of use.
7. Transaction fees: In credit card payments, the merchant pays a transaction fee of up to 3% of the item's purchase price (above a minimum fixed fee). These fees make it prohibitive to support smaller purchases, and leave room for alternative payment methods.

c) Micropayments are payments that involve a small amount of money. Examples:

• A customer goes to an online gaming site, plays for 30 minutes and pays $3.00.

• A customer purchases a couple of images and clip-art files online for $0.80.

Micropayments are one area where e-cash and other alternative payment schemes come into play, since credit cards do not work well for such small payments. Vendors who accept credit cards typically must pay a minimum transaction fee ranging from 25 to 35 cents, plus 2 to 3 percent of the purchase price. These fees are practically insignificant for amounts above $10, but are cost-prohibitive for smaller transactions: on the $0.80 purchase above, the fixed fee alone is over 30% of the price. E-cash, like traditional paper money, involves no per-transaction fee and is therefore suitable for micropayments.

d) An e-check is the electronic version or representation of a paper check. E-checks contain the same information as paper-based checks, can be used wherever paper checks are used, and are based on the same legal framework. Two benefits of e-checks (any two of the benefits listed below):
1. They reduce the merchant's administrative costs by providing faster and less paper-intensive collection of funds.
2. They improve the efficiency of the deposit process for merchants and financial institutions.
3. They speed up the checkout process for consumers.
4. They provide consumers with more information about their purchases on their account statements.
5. They reduce the float period and the number of checks that bounce because of insufficient funds (NSF).

QUESTION 4

a) Symmetric vs. Asymmetric:

When using symmetric algorithms, both parties share the same key for encryption and decryption. To provide privacy, this key needs to be kept secret: once somebody else learns the key, the data is no longer safe. Symmetric algorithms have the advantage of not consuming much computing power. A few well-known examples are DES, Triple-DES (3DES), IDEA, CAST5, BLOWFISH and TWOFISH.

Asymmetric algorithms use pairs of keys. One is used for encryption and the other for decryption. The decryption key is typically kept secret, and is therefore called the "private key" or "secret key", while the encryption key is distributed to all who might want to send encrypted messages, and is therefore called the "public key". Everybody holding the public key is able to send encrypted messages to the owner of the secret key. The secret key cannot be reconstructed from the public key. The idea of asymmetric algorithms was first published in 1976 by Diffie and Hellman.

Asymmetric algorithms seem ideally suited for real-world use: as the secret key does not have to be shared, the risk of it becoming known is much smaller. Every user only needs to keep one secret key secret, plus a collection of public keys, which only need to be protected against being changed. With symmetric keys, every pair of users would need its own shared secret key. Well-known asymmetric algorithms are RSA, DSA and ELGAMAL.

However, asymmetric algorithms are much slower than symmetric ones. Therefore, in many applications, a combination of both is used: the asymmetric keys are used for authentication, and after this has succeeded, one or more symmetric keys are generated and exchanged using the asymmetric encryption. This way the advantages of both kinds of algorithm can be used. Typical examples of this procedure are the RSA/IDEA combination of PGP 2 and the DSA/BLOWFISH combination used by GnuPG.

c) A honeynet is a network of honeypots: decoy systems that imitate production systems (firewalls, routers, web servers, database servers, and the like) and that can be watched and studied as a network intrusion occurs. (By setting a trap that looks like a real system, IT professionals can watch when attackers strike it and learn which tools and techniques are being used.)
