HSN Risk Assessment Report

Term Paper examining the security risk assessment of the Home Shopping Network (HSN)

Running head: HSN RISK ASSESSMENT REPORT

Home Shopping Network Risk Assessment Report
Belinda Edwards
University of Maryland University College
August 19, 2010

EXECUTIVE SUMMARY

A detailed risk assessment was performed on the security of the Home Shopping Network's (HSN) internet and "shop by remote" functionality. HSN established the "electronic retailing industry" in 1977 and is now considered the "world's most widely distributed TV shopping network" (Endeca, 2002). The corporation has "grown into a global multichannel retailer that offers a live television broadcast that reaches 94 million homes – 24 hours a day, 7 days a week, 364 days a year – selling 50 million products annually" (Endeca, 2002). HSN Inc.'s (HSNI) major subsidiary, HSN.com, streams in three channels: television, the internet, and mobile (Crowell, 2010). This assessment focuses primarily on the internet channel, but discusses system vulnerabilities within both the television and mobile channels. HSN.com provides its customers with an interactive shopping experience, offering consumers video-guided shopping from its 13,000-video online library. HSN.com has been "rated as a Top-10 trafficked e-commerce website: #25 on Internet Retailer Top 100, with 2nd highest traffic growth behind only Amazon.com. HSN.com gets 200,000 unique users daily and 5 million page views per day" (Crowell, 2010).

The HSN call center is located in St. Petersburg, FL. HSN initially used an IBM System/36. Its main order entry system was written in a 4GL code generator called the Logic and Information Network Compiler (LINC), since renamed Agile Business Suite by Unisys (Wikipedia, 2010). Since HSN currently processes approximately 44 million calls each year, HSN selected the GoldenGate solution to upgrade its CRM software. This migration also included a transition to Siebel CRM v8.0 and Oracle Database 10g. The HSN business model demands zero downtime; therefore system upgrades must be performed in parallel with the old system (BusinessWire, 2008).

It is assumed that the Oracle Database 10g holds a large amount of sensitive customer data, such as usernames, passwords, PINs, and credit card information for account access. HSN also utilizes Endeca's InFront, a guided navigation and advanced search solution, to enable customers to easily navigate HSN.com's online catalog of 13,000 products. The goal of this implementation is to increase impulse purchases, thus generating additional revenue.

HSN's success and leadership in retail innovation attracts hackers and career criminals who exploit system vulnerabilities to steal personally identifiable information (PII) for identity theft. As a leader in multichannel retailing, HSN is a practical target for identity theft, bank and individual fraud, security breaches, and mobile phone replication. The HSN chief information assurance officer (CIAO) has the overwhelming task of securing system and application integrity, as well as protecting the confidentiality of customer data.

This assessment focused on system risks of the application, email, and web servers; end user systems; mobile devices; and cable and satellite service providers. High risks and impacts have been identified at the client side (SANS, 2010). Client (or end user) systems are especially vulnerable because customers do not fully understand the risks of delaying patch installation (SANS, 2010). Customers, in addition to financial institutions, are susceptible to various phishing attacks that could result in the loss of valuable data, not just personally identifiable information (SANS, 2010). Data integrity could be compromised by any security breach. If a breach occurs, it could negatively affect customer trust in system availability and data confidentiality.

This evaluation offers risk mitigation recommendations for each of the identified system vulnerabilities. The position taken is to address risks to valuable data, which extends beyond personally identifiable information. The outlook is to secure HSN servers and customer data, partner (service provider) systems, ecommerce transactional data, and customers' systems. For each service provider, it is important to (1) insist that all input received from remote sources is sanitized before it is stored in the backend database; (2) commit to appropriately layered protections to prevent and detect attacks aimed at web servers; and (3) identify vulnerable applications, define actions for them within the incident response report and/or business continuity plan, and remediate them in a timely manner (SANS, 2010).
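The summary's first recommendation, sanitizing remote input before it reaches the backend database (the SQL injection exposure that Observation 2 in the results section rates as high risk), is easiest to see next to working code. The following Python example is added here and is not part of the report: an in-memory SQLite table with constructed sample rows stands in for the customer account database (the report names Oracle Database 10g; the schema, table name, sample rows and function names are all assumptions). It shows the string-built query that creates the flaw beside the parameterized query that removes it, and adds the boundary input-validation step the report lists among the existing controls.

```python
import re
import sqlite3

# Constructed sample rows; not HSN's real schema or customers.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_db():
    """Create an in-memory customer table (assumed layout) holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """The flaw behind Observation 2: the remote value is pasted into the SQL
    text, so a quote character in it changes what the statement means."""
    sql = "SELECT username, email FROM customer WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the value travels as a bound parameter and is compared
    as data, never parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, email FROM customer WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for usernames at the trust boundary (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username):
    """Input validation prior to processing: accept only the allow-listed shape."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn, username):
    """Validation first, then the parameterized query: two independent layers,
    so a validation mistake does not by itself reopen the injection."""
    if not validate_username(username):
        raise ValueError("username rejected at input validation")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = build_db()
    # Constructed value with an embedded quote, as such input arrives from a form.
    quoted_input = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, quoted_input))     # every row leaks
    print("parameterized:", lookup_parameterized(db, quoted_input))  # []
    print("hardened:", lookup_hardened(db, "bob"))
```

The parameterized query alone closes the injection; the validation layer is kept because the report treats input validation and sanitization as separate controls, and because it rejects malformed values before any database round trip, which also makes the rejections easy to log and count.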
TABLE OF CONTENTS

EXECUTIVE SUMMARY  2
INTRODUCTION  6
  The Purpose  6
  Scope of the risk assessment  6
RISK ASSESSMENT APPROACH  6
  The Participants  6
  The Techniques Used  6
  The Risk Model  7
    Threat Likelihood  7
    Impact Definitions  8
    Risk Level Matrix  8
    Description of Risk Levels  9
SYSTEM CHARACTERIZATION  10
  The Proposed HSN Network System Architecture  10
  Technology Components  11
  Users  12
THREAT STATEMENT  12
RISK ASSESSMENT RESULTS  13
  Observation 1: Client side software remains unpatched.  13
  Observation 2: Web applications are vulnerable to SQL injections.  13
  Observation 3: Customer identifiable data is vulnerable to phishing attacks.  14
  Observation 4: User data and account information could be stolen from various service provider databases.  14
  Observation 5: User data and account information could be stolen during mobile ecommerce transactions.  15
  Observation 6: E-commerce transactional data could be stolen.  16
  Observation 7: "Shop by Remote" exposes operating system procedures within the cable industry.  17
  Observation 8: HSN.com is subject to denial of service attacks.  17
  Observation 9: Power failure due to a natural disaster affects business processing.  18
  Observation 10: HSN.com is subject to man in the middle (MITM) attacks.  18
SUMMARY  19
REFERENCES  19

Figures
Figure 1: Proposed HSN Network Architecture  10

Tables
Table 1: Threat Likelihood Definitions  7
Table 2: Magnitude of Impact Definitions  8
Table 3: Risk Level Matrix  8
Table 4: Risk Scale and Necessary Actions  9

INTRODUCTION

The Purpose

The purpose of this risk assessment is to identify threats and vulnerabilities applicable to the three HSN channels: television, the internet, and mobile. The HSN.com site is the primary source of revenue generation, although there are four store fronts throughout Florida.

Scope of the risk assessment

HSN has three channels: internet, mobile, and television. The risk assessment will review vulnerabilities against all three channels. Due to the nature of the interoperability HSN has with its customers, financial institutions, and mobile and cable service providers, this document will evaluate threats in each arena. Unfortunately, the number of application, email, and web servers in use at the call center site is currently unknown. However, what is known are the types of software purchased to maintain and search the data held in repositories at the corporation. It is assumed that HSN has a secured, layered architecture for its systems processing, and that assumption forms the basis for this assessment report. This risk assessment will also emphasize manmade and natural disasters, touching on business continuity planning. This is important should a natural disaster occur near the headquarters in St. Petersburg, Florida. A risk assessment of the physical HSN campus is out of scope for this paper. Malign actors can affect customer trust, altering their perception of data confidentiality and systems integrity and availability (CIA).

RISK ASSESSMENT APPROACH

The Participants

This assessment is based on information obtained through academic and industry sources; limited information was gained from HSN itself.

The Techniques Used

This risk assessment is based upon information and methodologies learned during the course of this semester. Information was gathered from public domains and sought to involve the various industries engaged in multichannel retail, including financial, cable, and telephony. Articles from academic journals provided the techniques from which the threat and vulnerability assessments were performed, concentrating on information assurance. Industry articles formed the basis for understanding the various techniques used to comply with the information assurance techniques presented.

Vulnerability sources used for this assessment include:
• SANS Top cyber security risks (http://www.sans.org/top-cyber-security-risks/)
• Information Assurance Technical Framework (https://www.iad.gov/library/iacf.cfm)
• Risk Management Guide for Information Technology Systems
• Visa PCI – Complying with Payment Card Industry (PCI) Standards (http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/dce93ca8c1f384d6862571420036f06c/5ac115c55f9c851d8825727b007f697f/$FILE/Visa%20PCI%20%E2%80%93%20Complying%20with%20Payment%20Card%20Industry%20Standards.pdf)
• Center for Strategic and International Studies (http://csis.org/files/publication/Twenty_Critical_Controls_for_Effective_Cyber_Defense_CAG.pdf)

The Risk Model

The risk models used in this assessment are based upon NIST Publication 800-30: Risk Management Guide for Information Technology Systems (Stoneburner, et al., 2001).

Threat Likelihood

Multiple factors affect the probability of a threat exploiting a system vulnerability. Per NIST Pub 800-30, these factors include:
• Threat-source motivation and capability
• Nature of the vulnerability
• Existence and effectiveness of current controls

The likelihood of these vulnerabilities being exploited is defined in the table below.

Table 1: Threat Likelihood Definitions

  Threat Likelihood   Definition
  HIGH                The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
  MEDIUM              The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
  LOW                 The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

Impact Definitions

The assessment analyzed the adverse impact resulting from a successful exploitation of a system vulnerability. The magnitude of impact is based on data value and sensitivity, as well as the system's mission within HSN and its partner environments. The table below is based upon examples presented in NIST Pub 800-30, and was the guide used to assess system threats.

Table 2: Magnitude of Impact Definitions

  Impact Magnitude   Definition
  HIGH               Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources by HSN and its partner service providers within the financial, cable, and telephony industries; (2) may significantly violate, harm, or impede HSN sales and could negatively impact the reputation of the multichannel retail leader.
  MEDIUM             Exercise of the vulnerability (1) may result in the costly loss of major tangible assets or resources by HSN and its partner service providers within the financial, cable, and telephony industries; (2) may violate, harm, or impede HSN revenues and could negatively impact the reputation of the multichannel retail leader.
  LOW                Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources of HSN and its partner service providers within the financial, cable, and telephony industries; or (2) may noticeably affect the mission, reputation, or interest of the multichannel retail leader.

Risk Level Matrix

The risk level matrix assigns a probability to each threat likelihood level and a value to each impact level; their product is the measurement from which system risk is evaluated. The table is adapted from the NIST 800-30 publication.

Table 3: Risk Level Matrix

  Threat Likelihood   Impact: LOW (10)   MEDIUM (50)   HIGH (100)
  HIGH (1.0)          10                 50            100
  MEDIUM (0.5)        5                  25            50
  LOW (0.1)           1                  5             10

Description of Risk Levels

The risk scale listed below represents the risk level to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk scale presents actions adopted by the HSN chief information assurance officer, and enforced by its technical staff and systems stakeholders. The table is adapted from the NIST 800-30 publication.

Table 4: Risk Scale and Necessary Actions

  Risk Level   Risk Description and Necessary Actions
  HIGH         Immediate corrective action is required for any system observed at high risk. Actions detailed within the incident response report must be executed immediately.
  MEDIUM       Corrective actions must be taken against any system observed as medium risk. The incident response report must address actions to be executed within a reasonable time period.
  LOW          If an observation is described as low risk, the system's DAA must determine whether corrective actions are still required or decide to accept the risk.
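As an added worked example, not from the report, here is the risk model of Tables 1 through 4 implemented in Python: the likelihood weights and impact values of Table 3, the multiplication that fills the matrix, and the mapping from score to risk level and required action. The numeric cut-offs between levels (1 to 10 low, over 10 to 50 medium, over 50 to 100 high) are taken from NIST SP 800-30, since the report's Table 4 gives only the level descriptions; the function and class names are assumptions. The observations in the demonstration are the report's own, with the likelihood and impact ratings the results section assigns them.

```python
from dataclasses import dataclass

# Table 3 weights: likelihood (rows) and impact (columns).
LIKELIHOOD = {"LOW": 0.1, "MEDIUM": 0.5, "HIGH": 1.0}
IMPACT = {"LOW": 10, "MEDIUM": 50, "HIGH": 100}

# Table 4 actions, condensed to one line each.
ACTIONS = {
    "HIGH": "Immediate corrective action; execute the incident response report now.",
    "MEDIUM": "Corrective action within a reasonable period, per the incident response report.",
    "LOW": "The system DAA decides whether to correct or to accept the risk.",
}


@dataclass(frozen=True)
class RiskResult:
    observation: str
    likelihood: str
    impact: str
    score: float
    level: str
    action: str


def risk_score(likelihood: str, impact: str) -> float:
    """One Table 3 cell: likelihood weight times impact value (0.5 * 100 = 50)."""
    # round() guards against float noise; every product in the table is a whole number.
    return round(LIKELIHOOD[likelihood.upper()] * IMPACT[impact.upper()], 6)


def risk_level(score: float) -> str:
    """Map a Table 3 score onto the Table 4 scale.
    Cut-offs are NIST SP 800-30's (assumption: the report states only the descriptions)."""
    if score > 50:
        return "HIGH"
    if score > 10:
        return "MEDIUM"
    if score >= 1:
        return "LOW"
    raise ValueError(f"score {score} lies outside the 1..100 risk scale")


def assess(observation: str, likelihood: str, impact: str) -> RiskResult:
    """Rate one observation the way Tables 1 to 4 prescribe."""
    score = risk_score(likelihood, impact)
    level = risk_level(score)
    return RiskResult(observation, likelihood.upper(), impact.upper(),
                      score, level, ACTIONS[level])


def risk_matrix() -> dict:
    """Recompute Table 3 from the weights, so the table and the model cannot drift apart."""
    return {lk: {im: risk_score(lk, im) for im in IMPACT} for lk in LIKELIHOOD}


def prioritize(observations) -> list:
    """Order (name, likelihood, impact) triples by score, highest first.
    sorted() is stable, so equal scores keep the order the report lists them in."""
    results = [assess(*obs) for obs in observations]
    return sorted(results, key=lambda r: r.score, reverse=True)


if __name__ == "__main__":
    # Likelihood and impact as the report rates these observations.
    report = [
        ("Observation 1: client side software unpatched", "High", "High"),
        ("Observation 6: e-commerce transactional data stolen", "Medium", "High"),
        ("Observation 7: shop by remote exposure", "Low", "High"),
        ("Observation 9: power failure after natural disaster", "Medium", "Medium"),
    ]
    for r in prioritize(report):
        print(f"{r.score:>5} {r.level:<6} {r.observation}: {r.action}")
```

Running the report's own ratings through the matrix shows where judgment departs from the arithmetic: Observation 6 (likelihood Medium, impact High) scores 50, the top of Medium, while the report rates it High, and Observation 7 (Low, High) scores 10, Low on the NIST scale, while the report rates it Medium. The matrix is a guide rather than a rule, but a reviewer would expect such a deviation to be stated beside the rating.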
SYSTEM CHARACTERIZATION

The Proposed HSN Network System Architecture

The following diagram is an assumption of Home Shopping Network's network architecture. HSN does not publicly disclose its proprietary information.

[Figure 1: Proposed HSN Network Architecture. The diagram shows user devices (television, PC, laptop, smart phone) behind a wireless router, connected over an internet comms link to HSN's web server, application server, email server, mobile streaming server, media server, information server and customer account database; separate comms links join HSN to the financial industry, the mobile telephony industry, and the cable industry.]

Technology Components

The table below contains assumed system components, based upon information discovered from various industry case studies presented by BusinessWire, Endeca, and Microsoft.

  Tier                          Components
  Consumer/End User             Internet access via PC; internet access via laptop; internet access via smart phone; satellite or high definition television
  Web Server                    Unknown
  Application Server            Oracle Siebel CRM v8.0; user service application; Endeca InFront; "Shop by Remote" application; 360 Degree Fashion application
  Database                      Oracle Database 10g
  System Monitor and Management Systems monitoring application; intrusion detection application
  Technologies                  Oracle Database; cookie data collection; web beacons data collection; Microsoft Silverlight; Information System Smooth Streaming; Microsoft Expression Blend; Microsoft Visual Studio 2008; Microsoft .NET Framework; Microsoft Internet Information Services

Users

  Data                                       Description
  Consumer/User                              Customer who watches and/or purchases from the HSN inventory of approximately 13,000 products
  Service providers/partner organizations    Home Shopping Network; cable and/or satellite provider; financial service provider; mobile telephony service provider. All contribute to the processing cycle to successfully complete a purchase
  HSN System Administrators                  HSN employees responsible for maintaining system and network integrity and availability, which will enforce data credibility
  Service provider network administrators    Employees at partner organizations who are also responsible for maintaining systems and network integrity and availability, which will enforce data credibility
  Third-party developers                     Employee and independent personnel, responsible for developing secure applications for use by HSN
  HSN Chief Information Assurance Officer (CIAO)   Responsible for establishing and enforcing security standards specific to system implementation and maintenance (O&M) and application development
  Purchase processing system                 HSN information system comprised of interactive voice response (IVR), call center technology, and transaction processing

THREAT STATEMENT

HSN is the leader of global multichannel retailing. Its profile as a leader in retail innovation makes HSN a practical target for identity theft, bank and consumer fraud, security breaches, and mobile phone replication, which attracts threat sources such as hackers and career criminals, all of whom have various motivations. This risk assessment identified the common threats from humans, but also considered natural threats. Each table lists the references considered when evaluating threats and vulnerabilities.

RISK ASSESSMENT RESULTS

Observation 1: Client side software remains unpatched.

Threat Source: Hackers, career criminals, developers, "friends"
Vulnerability: User computer
Impact: High. Computers are compromised.
Risk Rating: High.
Likelihood: High. Occurs when users access infected websites and/or download infected files; provides the attacker with access to …
Existing Controls:
• User education on the importance of patch installation
• Service providers maintain intrusion detection capabilities
• Service providers maintain a layered approach
Recommended Controls:
• Service providers must maintain intrusion detection and system monitoring capabilities
• Service providers must keep operating system patches updated
Reference: SANS, 2010.

Observation 2: Web applications are vulnerable to SQL injections.

Threat Source: Hackers, career criminals, mobile app developers
Vulnerability: Common flaws in application development; client-side exploits (inefficient system patching)
Impact: High. Trusted websites become malicious, infecting visitors.
Risk Rating: High.
Likelihood: High. Most website owners fail to scan for common flaws, and secure code development is not enforced, which adds to the vulnerabilities.
Existing Controls:
• On-going penetration (pen) testing
• User input validation prior to system processing
• User authentication
Recommended Controls:
• Data from external sources must be sanitized prior to insertion into the backend database
• Multiple layers of security (i.e. firewall, data encryption, intrusion detection mechanism)
Reference: SANS, 2010; UMUC Sample report 1.

Observation 3: Customer identifiable data is vulnerable to phishing attacks between service partners.

Threat Source: Hackers, "friends", career criminals
Vulnerability: User unawareness; web session control
Impact: High. Consumer data could be compromised.
Risk Rating: High. Consumer data could be divulged, resulting in identity theft and loss of consumer trust.
Likelihood: High.
Existing Controls:
• Banks are implementing "Trusteer" software to ensure sessions are blocked from being redirected to phishing sites
• Trusteer warns users when visiting phishing sites
• Service providers authenticate users, utilizing preference security questions
Recommended Controls:
• Service providers enhance user authentication procedures, modernizing security questions towards preference questions
• Service providers continue to comply with the FCC rule prohibiting landline and cellular phone companies from asking biographical questions (pretexting)
• Service provider infrastructure must ensure inter-machine processing communication and authentication
Reference: Litan, 2010; Pickert, 2008; KnowledgeLeader, 2010.

Observation 4: User data and account information could be stolen from various service provider databases.

Threat Source: Career criminals
Vulnerability: Web, application, and email servers
Impact: High. Personally identifiable information could be compromised; consumer trust could be lost.
Risk Rating: High.
Likelihood: High. Attackers are interested in gaining access to valuable data types, not just consumer information.
Existing Controls:
• Service providers maintain compliance with the Data Breach Notification Act (S. 139)
• Service providers maintain emphasis on securing critical customer personal data
• Service providers limit usage of external media (i.e. CDs, thumb drives)
Recommended Controls:
• The Payment Card Industry (PCI) is a leading authority for merchants to learn about data security threats and mechanisms to prevent attacks. It hosts a Security Council.
  o Encourage/enforce certifications for system security, developers (SCCLP) and network administrators (SSCP)
  o Service providers should become PCI DSS-certified
Reference: Kumar, 2009; SANS, 2010; PCI, 2006.

Observation 5: User data and account information could be stolen during mobile ecommerce transactions.

Threat Source: Hackers, career criminals
Vulnerability: User unawareness
Impact: High. PII data (name, address, mobile phone number, mobile contacts, HSN and financial account numbers) can be captured and used.
Risk Rating: High.
Likelihood: High, as mobile commerce is in its infancy. As the medium becomes commonplace (as Gartner projects by 2014), security policy procedures will improve.
Existing Controls:
• User authentication
• Session keys, used to secure customer interaction and/or automatically log off due to inactivity
• System files, transaction logs, and backup files (kept distinctly by service providers)
• Software patches, applied by both customers and service providers
• System and configuration file security (maintained by service providers)
• Physical security
• Operating system security – applies to customers and service providers; means systems are installed on securely configured and maintained systems
• Intrusion detection – applies to customers and service providers; means systems are monitored for unauthorized access
• Privacy policy must be maintained, enforced, and updated per legislative changes – applies to service providers
Recommended Controls:
• Operating system security must improve within the mobile phone industry; breaches have increased as customers increased their usage of mobile apps
• Customers and service providers must apply security patches in a timely manner
• Privacy policy must be maintained, enforced, and updated per legislative changes – applies to service providers
Reference: KnowledgeLeader, 2010.

Observation 6: E-commerce transactional data could be stolen.

Threat Source: Hackers, career criminals
Vulnerability: Financial transaction data storage
Impact: High. Consumer and financial information could be obtained, modified, and reused.
Risk Rating: High. Consumer data could be divulged, resulting in identity theft and loss of consumer trust.
Likelihood: Medium.
Existing Controls:
• The financial industry complies with the Data Security Standard (DSS), initially implemented in 2004
• The financial industry recently approved PCI security standards for data storage
Recommended Controls:
• Service providers must build and maintain a secure network
• Financial service providers must protect cardholder data
• Service providers should maintain strong access control methods
• Service providers must test and monitor networks on a regular basis
• A report on compliance (ROC) audit of financial service providers should be performed annually, at a minimum
Reference: Bess, 2008; PCI, 2006.

Observation 7: "Shop by Remote" exposes operating system procedures within the cable industry.

Threat Source: Hackers, career criminals
Vulnerability: Consumer telephone, cable, and financial service
Impact: High. Consumer data could be compromised.
Risk Rating: Medium.
Likelihood: Low (for now). Attackers would need to infiltrate cable infrastructure to obtain data sent over the lines to HSN.
Existing Controls:
• Strong user authentication procedures are used by all service providers
• Consumers must register for the 'shop by remote' service by providing personally identifiable information (i.e. name, address, credit card, email address)
Recommended Controls:
• Data sent from cable providers to HSN should be encrypted
• Standards must be established and enforced for 'shop by demand' functionality between HSN and all cable outlets
Reference: Spangler, 2010; Arlen, 2010.

Observation 8: HSN.com is subject to denial of service attacks.

Threat Source: Hackers, career criminals
Vulnerability: Servers (application, email, web) and network devices
Impact: High. Consumer access to the virtual marketplace is denied, resulting in loss of revenue.
Risk Rating: High.
Likelihood: Medium. It is not clear whether HSN.com has been attacked, but it is always possible, especially since HSN is the world's largest television shopping network.
Existing Controls: Unknown
Recommended Controls:
• Protect the communications network
• Enforce intrusion detection measures (i.e. firewalls)
• Impose access controls
• Impose secure development procedures
• Encourage certification for systems developers and administrators
Reference: UMUC Sample report 1; NSA, 2001.

Observation 9: Power failure due to a natural disaster affects business processing.

Threat Source: Natural disaster
Vulnerability: All equipment that requires power and cooling to perform
Impact: Medium. HSN headquarters is located in central Florida, home to its call center, broadcasting, and studio facilities.
Risk Rating: Medium.
Likelihood: Medium. It is not clear whether HSN.com has been attacked, but it is always possible, especially since HSN is the world's largest multichannel retailer.
Existing Controls:
• Business continuity plans (BCP)
• Backup/secondary locations for broadcasting and studio facilities and call center processing
Recommended Controls:
• Back up ecommerce systems regularly
• Recovery procedures should be tested regularly to validate backup integrity
• Test the actions outlined in the business continuity plan quarterly
• The BCP should be modified to address current threats, treating it as a "living document"
Reference: KnowledgeLeader, 2010; Pfleeger, 2007.

Observation 10: HSN.com is subject to man in the middle (MITM) attacks.

Threat Source: Hackers, career criminals
Vulnerability: End user and network systems
Impact: High. Consumer data could be compromised.
Risk Rating: High.
Likelihood: High. Consumers could become victims via receipt of phishing emails encouraging the disclosure of identifiable information.
Existing Controls: Unknown
Recommended Controls:
• Users must immediately implement security patches
• Users must employ firewall technology
• Data encryption measures should be employed, including PKI certificates
Reference: UMUC Sample report 1; KnowledgeLeader, 2010.

SUMMARY

For the past thirty years, the industry has grown at a compound rate of only just over one percent a year. Tapping into the enormous potential sales in India and China will bring a new boom. The auto industry will consequently be much larger in 2020, around sixty-five percent larger, in terms of production. China has already become a strong player in manufacturing global automotive electronics. Chinese automakers are also buying factory equipment from top international suppliers. Competitive Chinese suppliers are looking to start manufacturing and selling in overseas markets (International Trade Administration, 2009, p. 32). "By 2020 the auto industry will have reached an annual production of 100 million vehicles [a year], mostly due to demand in Asia," says Dr. Carl Hahn, a former chairman of Volkswagen AG (The Economist Intelligence Unit, 2006, p. 25).

REFERENCES

Arlen, G. (2010). HSN's remote shopping sparks new interactivity. TVtechnology.com. Retrieved August 17, 2010 from http://www.tvtechnology.com/article/10840.

Bess, J. (2008). Visa PCI – Complying with payment card industry standards. Retrieved August 8, 2010 from http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/dce93ca8c1f384d6862571420036f06c/5ac115c55f9c851d8825727b007f697f/$FILE/Visa%20PCI%20%E2%80%93%20Complying%20with%20Payment%20Card%20Industry%20Standards.pdf.

BusinessWire. (2008, September 15). HSN deploys GoldenGate software for zero-downtime migration of Oracle's Siebel CRM application. Retrieved August 18, 2010 from http://findarticles.com/p/articles/mi_m0EIN/is_2008_Sept_15/ai_n28094247/.

Crowell, G. (2010). E-Commerce video strategies with the Home Shopping Network. Retrieved August 18, 2010 from http://www.reelseo.com/video-commerce-hsn/.

Endeca. (2002). World's largest television shopping network HSN selects Endeca InFront for enriched online customer experience. Retrieved August 18, 2010 from http://www.endeca.com/83dc77d1-b5c8-4fcc-b927-e60fa173054b/news-and-events-press-releases-archive-details.htm.

Stoneburner, G., Goguen, A., & Feringa, A. (2001). Risk management guide for information technology systems. NIST 800-30. Retrieved May 30, 2010 from UMUC WebTycho.

Litan, A. (2010, June 4). Banks distribute Trusteer and other security software, but need to do more. Gartner.com. Retrieved June 27, 2010 from http://my.gartner.com.ezproxy.umuc.edu/portal/server.pt?open=512&objID=260&mode=2&PageID=3460702&resId=1381017&ref=QuickSearch&sthkw=transactional+security.

KnowledgeLeader. (2010). E-commerce security best practice guidelines. Retrieved August 8, 2010 from http://www.auditnet.org/articles/eCom%20Sec%20Best%20Practices.doc.

Kumar, P. (2010, January 18). E-Commerce data security 2010: Learning from 2009's debacles. Retrieved June 27, 2010 from http://www.ecommercetimes.com/story/E-Commerce-Data-Security-2010-Learning-From-2009s-Debacles-69129.html.

NSA. (2001). Defense in depth. Retrieved August 16, 2010 from http://www.nsa.gov/ia/_files/support/defenseindepth.pdf.

PCI. (2006). Visa PCI – Complying with payment card industry standards. Retrieved August 8, 2010 from http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/dce93ca8c1f384d6862571420036f06c/5ac115c55f9c851d8825727b007f697f/$FILE/Visa%20PCI%20%E2%80%93%20Complying%20with%20Payment%20Card%20Industry%20Standards.pdf.

Pickert, K. (2008, September 24). Those crazy internet security questions. Time.com. Retrieved July 7, 2010 from http://www.time.com/time/business/article/0,8599,1843984,00.html.

Pfleeger, C. P., & Pfleeger, S. L. (2007). Security in computing (4th ed.). Upper Saddle River, NJ: Prentice Hall.

SANS. (2010). The top cyber security risks. Retrieved August 16, 2010 from http://www.sans.org/top-cyber-security-risks/.

Spangler, T. (2010, July 28). HSN secures shop by remote patent. Retrieved August 17, 2010 from http://www.broadcastingcable.com/article/455320-HSN_Secures_Shop_By_Remote_Patent.php.

UMUC. (2010). Sample risk assessment report 1. Retrieved May 30, 2010 from UMUC WebTycho.

UMUC. (2010). Sample risk assessment report 2. Retrieved May 30, 2010 from UMUC WebTycho.

Wikipedia. (2010). Home Shopping Network. Retrieved June 27, 2010, from http://en.wikipedia.org/w/index.php?title=Home_Shopping_Network&oldid=370138844