This risk assessment report evaluates security risks across Home Shopping Network's (HSN) television, internet, and mobile channels. Key risks identified include unpatched client software, SQL injections against web applications, phishing attacks targeting customer data, theft of user data from service provider databases, risks during mobile ecommerce transactions, denial of service attacks against HSN.com, and impacts of power failures on business operations. The report provides recommendations to mitigate these risks and secure HSN systems and customer data.
HSN Risk Assessment Report
Running head: HSN RISK ASSESSMENT REPORT
Home Shopping Network Risk Assessment Report
Belinda Edwards
University of Maryland University College
August 19, 2010
EXECUTIVE SUMMARY
A detailed risk assessment was performed on the security of the Home Shopping Network’s (HSN) internet and “shop by remote” functionality. HSN established the “electronic retailing industry” in 1977 and is now considered the “world’s most widely distributed TV shopping network” (Endeca, 2002). The corporation has “grown into a global multichannel retailer that offers a live television broadcast that reaches 94 million homes – 24 hours a day, 7 days a week, 364 days a year – selling 50 million products annually” (Endeca, 2002).
HSN.com, the major subsidiary of HSN Inc. (HSNI), streams in three channels: television, the internet, and mobile (Crowell, 2010). This assessment focuses primarily on the internet channel, but discusses system vulnerabilities within both the television and mobile channels. HSN.com provides its customers with an interactive shopping experience, offering consumers video-guided shopping from its online library of 13,000 videos. HSN.com has been “rated as a Top-10 trafficked e-commerce website: #25 on Internet Retailer Top 100, with 2nd highest traffic growth behind only Amazon.com. HSN.com gets 200,000 unique users daily and 5 million page views per day” (Crowell, 2010).
The HSN call center is located in St. Petersburg, FL. HSN initially used an IBM System/36. Its main order entry system was written in a 4GL code generator called the Logic and Information Network Compiler (LINC), since renamed Agile Business Suite by Unisys (Wikipedia, 2010). Since HSN currently processes approximately 44 million calls each year, HSN selected the GoldenGate solution to upgrade its CRM software. This migration also included a transition to Siebel CRM v8.0 and Oracle Database 10g. The HSN business model demands zero downtime; therefore, system upgrades must be performed in parallel with the old system (BusinessWire, 2008). It is assumed that the Oracle Database 10g holds a huge amount of sensitive customer data, such as usernames, passwords, PINs, and credit card information for account access. HSN also utilizes Endeca’s InFront, a guided navigation and advanced search solution, to enable customers to easily navigate HSN.com’s online catalog of 13,000 products. The goal of this implementation is to increase impulse purchases, thus generating additional revenue.
HSN’s success and leadership in retail innovation attracts hackers and career criminals to exploit system vulnerabilities to steal personally identifiable information (PII) for identity theft activities. As a leader in multichannel retailing, HSN is a practical target for identity theft, bank and individual fraud, security breaches, and mobile phone replication. The HSN chief information assurance officer (CIAO) has the overwhelming task of securing systems and applications integrity, as well as protecting the confidentiality of customer data.
This assessment focused on system risks of the application, email, and web servers; end user systems; mobile devices; and cable and satellite service providers. High risks and impacts have been identified at the client side (SANS, 2010). Client (or end user) systems are especially vulnerable because customers do not fully understand the risks of delaying patch implementation (SANS, 2010). Customers, in addition to financial institutions, are susceptible to various phishing attacks that could result in the loss of valuable data, not just personally identifiable information (SANS, 2010). Data integrity could be compromised with any security breach. If a breach occurs, it could result in a negative impact on customer trust in systems availability and data confidentiality.
This evaluation offers risk mitigation recommendations for each of the identified system vulnerabilities. The position taken is to address risks to valuable data, which extends beyond personally identifiable information. The outlook is to secure HSN servers and customer data, partner (service provider) systems, ecommerce transactional data, and customers’ systems. For each service provider, it is important to (1) insist that all input received from remote sources is sanitized prior to storage in the backend database; (2) pledge appropriate layered protections to prevent/detect attacks aimed at web servers; and (3) consider vulnerable applications, define actions within the incident response report and/or business continuity plan, and remediate them in a timely manner (SANS, 2010).
Table of Contents
EXECUTIVE SUMMARY
INTRODUCTION
  The Purpose
  Scope of the risk assessment
RISK ASSESSMENT APPROACH
  The Participants
  The Techniques Used
  The Risk Model
    Threat Likelihood
    Impact Definitions
    Risk Level Matrix
    Description of Risk Levels
SYSTEM CHARACTERIZATION
  The Proposed HSN Network System Architecture
  Technology Components
  Users
THREAT STATEMENT
RISK ASSESSMENT RESULTS
  Observation 1: Client side software remains unpatched.
  Observation 2: Web applications are vulnerable to SQL injections.
  Observation 3: Customer identifiable data is vulnerable to phishing attacks.
  Observation 4: User data and account information could be stolen from various service provider databases.
  Observation 5: User data and account information could be stolen during mobile ecommerce transactions.
  Observation 6: E-commerce transactional data could be stolen.
  Observation 7: “Shop by Remote” exposes operating system procedures within the cable industry.
  Observation 8: HSN.com is subject to denial of service attacks.
  Observation 9: Power failure due to a natural disaster affects business processing.
  Observation 10: HSN.com is subject to man in the middle (MITM) attacks.
SUMMARY
REFERENCES
Figures
Figure 1: Proposed HSN Network Architecture
INTRODUCTION
The Purpose
The purpose of this risk assessment is to identify threats and vulnerabilities applicable to
the three HSN channels: television, the internet, and mobile. The HSN.com site is the primary
source of revenue generation, although there are four store fronts throughout Florida.
Scope of the risk assessment
HSN has three channels: internet, mobile, and television. The risk assessment will review vulnerabilities against all three channels. Due to the nature of the interoperability HSN has with its customers, financial institutions, and mobile and cable service providers, this document will evaluate threats in each arena.
Unfortunately, the number of application, email, and web servers in use at the call center site is currently unknown. However, what is known are the types of software purchased to maintain and search data held in repositories at the corporation. It is assumed that HSN has a secured, layered architecture for its systems processing; this assumption forms the basis for this assessment report. This risk assessment will also emphasize manmade and natural disasters, touching on business continuity planning. This is important should a natural disaster occur near HSN headquarters in St. Petersburg, Florida. A risk assessment of the physical HSN campus is out of scope for this paper. Malign actors can impact customer trust, affecting their perception of data confidentiality and systems integrity and availability (CIA).
RISK ASSESSMENT APPROACH
The Participants
This assessment is based on information obtained through academic and industry sources; limited information was gained from HSN itself.
The Techniques Used
This risk assessment is based upon information and methodologies learned during the
course of this semester. Information was gathered from public domains and sought to involve
the various industries engaged in multichannel retail, including financial, cable, and telephony.
Articles from academic journals provided the techniques from which the threat and vulnerability
assessments were performed, concentrating on information assurance. Industry articles formed
the basis to understand various techniques used to comply with the information assurance
techniques presented.
Vulnerability sources used for this assessment include:
• SANS Top cyber security risks (http://www.sans.org/top-cyber-security-risks/)
• Information Assurance Technical Framework (https://www.iad.gov/library/iacf.cfm)
• Risk Management Guide for Information Technology Systems
• Visa PCI – Complying with Payment Card Industry (PCI) Standards (http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/dce93ca8c1f384d6862571420036f06c/5ac115c55f9c851d8825727b007f697f/$FILE/Visa%20PCI%20%E2%80%93%20Complying%20with%20Payment%20Card%20Industry%20Standards.pdf)
• Center for Strategic and International Studies (http://csis.org/files/publication/Twenty_Critical_Controls_for_Effective_Cyber_Defense_CAG.pdf)
The Risk Model
The risk models used in this assessment are based upon NIST Publication 800-30: Risk Management Guide for Information Technology Systems (Stoneburner et al., 2001).
Threat Likelihood
There are multiple factors that affect the probability of a threat exploiting a system vulnerability. Per NIST Pub 800-30, these factors include:
• Threat-source motivation and capability
• Nature of the vulnerability
• Existence and effectiveness of current controls.
The likelihood of these vulnerabilities being exploited is defined in the table below.
Threat Likelihood: Likelihood Definition
HIGH: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
MEDIUM: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
LOW: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
Table 1: Threat Likelihood Definitions
Impact Definitions
The assessment analyzed the adverse impact resulting from a successful exploitation of a system vulnerability. The magnitude of impact is based on data value and sensitivity, as well as system mission within HSN and its partner environments. The table below is based upon examples presented in NIST Pub 800-30, and was the guide used to assess system threats.
Impact Magnitude: Impact Definition
HIGH: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources by HSN and its partner service providers within the financial, cable, and telephony industries; (2) may significantly violate, harm, or impede HSN sales and could negatively impact the reputation of the multichannel retail leader.
MEDIUM: Exercise of the vulnerability (1) may result in the costly loss of major tangible assets or resources by HSN and its partner service providers within the financial, cable, and telephony industries; (2) may violate, harm, or impede HSN revenues and could negatively impact the reputation of the multichannel retail leader.
LOW: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources by HSN and its partner service providers within the financial, cable, and telephony industries; or (2) may noticeably affect the mission, reputation, or interest of the multichannel retail leader.
Table 2: Magnitude of Impact Definitions
Risk Level Matrix
The risk level matrix combines the probability assigned to each threat likelihood level with the value assigned to each impact level. It provides a measurement from which to evaluate system risk. The table is adapted from the NIST 800-30 publication.
Threat Likelihood | Impact LOW (10) | Impact MEDIUM (50) | Impact HIGH (100)
HIGH (1.0) | 10 | 50 | 100
MEDIUM (0.5) | 5 | 25 | 50
LOW (0.1) | 1 | 5 | 10
Table 3: Risk Level Matrix
Description of Risk Levels
The risk scale listed below represents the risk level to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk scale presents actions adopted by the HSN chief information assurance officer, and enforced by its technical staff and systems stakeholders. The table is adapted from the NIST 800-30 publication.
Risk Level: Risk Description and Necessary Actions
HIGH: Immediate corrective action is required for any system observed at high risk. Actions detailed within the incident response report must be executed immediately.
MEDIUM: Corrective actions must be taken against any system observed as medium risk. The incident response report must address actions to be executed within a reasonable time period.
LOW: If an observation is described as low risk, the system’s DAA must determine whether corrective actions are still required or decide to accept the risk.
Table 4: Risk Scale and Necessary Actions
SYSTEM CHARACTERIZATION
The Proposed HSN Network System Architecture
The following diagram is an assumption of Home Shopping Network’s network architecture. HSN does not publicly disclose its proprietary information.
[Figure 1 diagram: user devices (smart phone, laptop, PC, television) connect through a wireless router and comms link to the internet; further comms links join the internet to the financial industry, the mobile telephony industry, the cable industry, and HSN; the HSN site comprises a streaming media server, web server, application server, email server, mobile information server, and the customer account database.]
Figure 1: Proposed HSN Network Architecture
Technology Components
The table below contains assumed system components, based upon information discovered from various industry case studies presented by BusinessWire, Endeca, and Microsoft.
Tier: Components
Consumer/End User: Internet access via PC; Internet access via laptop; Internet access via smart phone; Satellite or high definition television
Web Server: Unknown
Application Server: Oracle Siebel CRM v8.0; User service application; Endeca InFront; “Shop by Remote” application; 360 Degree Fashion application
Database: Oracle Database 10g
System Monitor and Management: Systems monitoring application; Intrusion detection application
Technologies: Oracle Database; Cookie data collection; Web beacons data collection; Microsoft Silverlight; Information System Smooth Streaming; Microsoft Expression Blend; Microsoft Visual Studio 2008; Microsoft .NET Framework; Microsoft Internet Information Services
Users
User: Description
Consumer/User: Customer who watches and/or purchases from the HSN inventory of approximately 13,000 products
Service providers/partner organizations: Home Shopping Network; cable and/or satellite provider; financial service provider; mobile telephony service provider. All contribute to the processing cycle to successfully complete a purchase.
HSN System Administrators: HSN employees responsible for maintaining system and network integrity and availability, which will enforce data credibility
Service provider network administrators: Employees at partner organizations who are also responsible for maintaining systems and network integrity and availability, which will enforce data credibility
Third-party developers: Employee and independent personnel responsible for developing secure applications for use by HSN
HSN Chief Information Assurance Officer (CIAO): Responsible for establishing and enforcing security standards specific to system implementation and maintenance (O&M) and application development
Purchase processing system: HSN information system comprised of interactive voice response (IVR), call center technology, and transaction processing
THREAT STATEMENT
HSN is the leader of global multichannel retailing. Its profile as a leader in retail innovation makes HSN a practical target for identity theft, bank and consumer fraud, security breaches, and mobile phone replication, which attracts threat sources such as hackers and career criminals, all of whom have various motivations. This risk assessment identified the common threats from humans, but also addressed natural threats. Each table lists the references considered when evaluating threats and vulnerabilities.
RISK ASSESSMENT RESULTS
Observation 1: Client side software remains unpatched.
Threat Source: Hackers, career criminals, developers, “friends”
Vulnerability: User computer
Impact: High. Computers are compromised.
Risk Rating: High.
Likelihood: High. Occurs when users access infected websites and/or download infected files; provides the attacker with access to “
Existing Controls:
• User education on the importance of patch installation
• Service providers maintain intrusion detection capabilities
• Service providers maintain a layered approach
Recommended Controls:
• Service providers must maintain intrusion detection and system monitoring capabilities
• Service providers must keep operating system patches updated
Reference: SANS, 2010.
Observation 2: Web applications are vulnerable to SQL injections.
Threat Source: Hackers, career criminals, mobile app developers
Vulnerability: Common flaws in application development; client-side exploits (inefficient system patching)
Impact: High. Trusted websites become malicious, infecting visitors.
Risk Rating: High.
Likelihood: High. Most website owners fail to scan for common flaws; secure code development is not enforced, thus aiding in vulnerabilities.
Existing Controls:
• On-going penetration (pen) testing
• User input validation prior to system processing
• User authentication
Recommended Controls:
• Data from external sources must be sanitized prior to insertion into the backend database
• Multiple layers of security (i.e. firewall, data encryption, intrusion detection mechanism)
Reference: SANS, 2010; UMUC Sample report 1.
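The two controls Observation 2 calls for, input validation before processing and keeping external data out of the SQL text, are shown together in the following added example. It is not code from the HSN report or from HSN: the customer rows and the username allowlist are constructed for the example, and an in-memory SQLite table stands in for the Oracle Database 10g backend, since bind parameters behave the same way in any SQL driver.

```python
"""Added example for Observation 2: string-built SQL beside its parameterized fix.

Not HSN code. Sample rows, the username policy and the SQLite backend are
assumptions made for this example; HSN's real backend is Oracle Database 10g.
"""
import re
import sqlite3

# Constructed sample data, not real HSN customer records.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]

# Assumed allowlist policy for usernames: letters, digits, dot, underscore,
# hyphen, 3 to 32 characters. Anything else is rejected before it is processed.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")


def build_db() -> sqlite3.Connection:
    """Create the in-memory customer table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def validate_username(username: str) -> bool:
    """Input validation prior to system processing (existing control)."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: external data concatenated into the SQL string.

    A quote in the input closes the string literal, so the remainder of the
    input is parsed as SQL and the WHERE clause no longer means what the
    developer intended.
    """
    sql = f"SELECT id, username, email FROM customer WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Recommended pattern: a bind parameter.

    The SQL text is fixed; the driver hands the value to the engine
    separately, so it is compared as data and cannot alter the statement.
    """
    sql = "SELECT id, username, email FROM customer WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def handle_request(conn: sqlite3.Connection, username: str) -> list:
    """Apply both controls in order: validate the input, then query with a bind."""
    if not validate_username(username):
        return []  # a production handler would log the rejection and return an error
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = build_db()
    # The textbook tautology input: the unsafe query returns every row, the
    # parameterized query returns nothing, and the validator rejects it outright.
    tainted = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, tainted))   # all three rows
    print("safe:  ", lookup_safe(db, tainted))     # []
    print("valid: ", validate_username(tainted))   # False
    print("normal:", handle_request(db, "alice"))  # [(1, 'alice', 'alice@example.test')]
```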
Observation 3: Customer identifiable data is vulnerable to phishing attacks between service partners.
Threat Source: Hackers, “friends”, career criminals
Vulnerability: User unawareness; web session control
Impact: High. Consumer data could be compromised.
Risk Rating: High. Consumer data could be divulged, resulting in identity theft and loss of consumer trust.
Likelihood: High.
Existing Controls:
• Banks are implementing “Trusteer” software to ensure sessions are blocked from being redirected to phishing sites
• Trusteer warns users when visiting phishing sites
• Service providers authenticate users, utilizing preference security questions
Recommended Controls:
• Service providers enhance user authentication procedures, modernizing security questions towards preference questions
• Service providers continue to comply with the FCC rule prohibiting landline and cellular phone companies from asking biographical questions (pretexting)
• Service provider infrastructure must ensure inter-machine processing communication and authentication
Reference: Litan, 2010; Pickert, 2008; KnowledgeLeader, 2010.
Observation 4: User data and account information could be stolen from various service provider databases.
Threat Source: Career criminals
Vulnerability: Web, application, and email servers
Impact: High. Personally identifiable information could be compromised; consumer trust could be lost.
Risk Rating: High.
Likelihood: High. Attackers are interested in gaining access to valuable data types, not just consumer information.
Existing Controls:
• Service providers maintain compliance with the Data Breach Notification Act (S. 139)
• Service providers maintain emphasis on securing critical customer personal data
• Service providers limit usage of external media (i.e. CDs, thumb drives)
Recommended Controls:
• The Payment Card Industry (PCI) is a leading authority for merchants to learn about data security threats and mechanisms to prevent attacks. They host a Security Council.
  o Encourage/enforce certifications for system security, developers (SCCLP) and network administrators (SSCP)
  o Service providers should become PCI DSS-certified
Reference: Kumar, 2009; SANS, 2010; PCI, 2006.
Observation 5: User data and account information could be stolen during mobile ecommerce transactions.
Threat Source: Hackers, career criminals
Vulnerability: User unawareness
Impact: High. PII data (name, address, mobile phone number, mobile contacts, HSN and financial account numbers) can be captured and used.
Risk Rating: High.
Likelihood: High, as mobile commerce is in its infancy. As the medium becomes commonplace (as Gartner projects by 2014), security policy procedures will improve.
Existing Controls:
• User authentication
• Session keys, used to secure customer interaction and/or automatically log off due to inactivity
• System files, transaction logs, and backup files (kept distinctly by service providers)
• Software patches, applied by both customers and service providers
• System and configuration file security (maintained by service providers)
• Physical security
• Operating system security – applies to customers and service providers; means systems are installed on securely configured and maintained systems
• Intrusion detection – applies to customers and service providers; means systems are monitored for unauthorized access
• Privacy policy must be maintained, enforced, and updated per legislative changes – applies to service providers
Recommended Controls:
• Operating system security must improve within the mobile phone industry; breaches have increased as customers increased usage of mobile apps
• Customers and service providers must maintain timeliness in applying security patches
• Privacy policy must be maintained, enforced, and updated per legislative changes – applies to service providers
Reference: KnowledgeLeader, 2010.
Observation 6: E-commerce transactional data could be stolen.
Threat Source: Hackers, career criminals
Vulnerability: Financial transaction data storage
Impact: High. Consumer and financial information could be obtained, modified, and reused.
Risk Rating: High. Consumer data could be divulged, resulting in identity theft and loss of consumer trust.
Likelihood: Medium.
Existing Controls:
• Financial industry complies with the Data Security Standard (DSS), initially implemented in 2004
• Financial industry recently approved PCI security standards for data storage
Recommended Controls:
• Service providers must build and maintain a secure network
• Financial service providers must protect cardholder data
• Service providers should maintain strong access control methods
• Service providers must test and monitor networks on a regular basis
• A report on compliance (ROC) audit of financial service providers should be performed annually, at a minimum
Reference: Bess, 2008; PCI, 2006.
Observation 7: “Shop by Remote” exposes operating system procedures within the cable industry.
Threat Source: Hackers, career criminals
Vulnerability: Consumer telephone, cable, and financial service
Impact: High. Consumer data could be compromised.
Risk Rating: Medium.
Likelihood: Low (for now). Attackers would need to infiltrate cable infrastructure to obtain data sent over lines to HSN.
Existing Controls:
• Strong user authentication procedures are used by all service providers
• Consumers must register for the ‘shop by remote’ service by providing personally identifiable information (i.e. name, address, credit card, email address)
Recommended Controls:
• Data sent from cable providers should be encrypted when sent to HSN
• Standards must be established and enforced for ‘shop by demand’ functionality between HSN and all cable outlets
Reference: Spangler, 2010; Arlen, 2010.
Observation 8: HSN.com is subject to denial of service attacks.
Threat Source: Hackers, career criminals
Vulnerability: Servers (application, email, web) and network devices
Impact: High. Consumer access to the virtual marketplace is denied, thus resulting in loss of revenue.
Risk Rating: High.
Likelihood: Medium. It is not clear whether HSN.com has been attacked, but it is always possible, especially since HSN is the world’s largest television shopping network.
Existing Controls: Unknown
Recommended Controls:
• Protect the communications network
• Enforce intrusion detection measures (i.e. firewalls)
• Impose access controls
• Impose secure development procedures
• Encourage certification for systems developers and administrators
Reference: UMUC Sample report 1; NSA, 2001.
Observation 9: Power failure due to a natural disaster affects business processing.
Threat Source: Natural disaster
Vulnerability: All equipment that requires power and cooling to perform
Impact: Medium. HSN headquarters is located in central Florida, home to its call center, broadcasting, and studio facilities.
Risk Rating: Medium.
Likelihood: Medium. It is not clear whether HSN.com has been attacked, but it is always possible, especially since HSN is the world’s largest multichannel retailer.
Existing Controls:
• Business continuity plans (BCP)
• Backup/secondary locations for broadcasting and studio facilities and call center processing
• Back up ecommerce systems regularly
• Recovery procedures should be tested regularly to validate backup integrity
Recommended Controls:
• Test the actions outlined in the business continuity plan quarterly
• The BCP should be modified to address current threats, treating it as a “living document”
Reference: KnowledgeLeader, 2010; Pfleeger, 2007.
Observation 10: HSN.com is subject to man in the middle (MITM) attacks.
Threat Source: Hackers, career criminals
Vulnerability: End user and network systems
Impact: High. Consumer data could be compromised.
Risk Rating: High.
Likelihood: High. Consumers could become victims via receipt of phishing emails encouraging dissemination of identifiable information.
Existing Controls: Unknown
Recommended Controls:
• Users must immediately implement security patches
• Users must employ firewall technology
• Data encryption measures should be employed, including PKI certificates
Reference: UMUC Sample report 1; KnowledgeLeader, 2010.
SUMMARY
For the past thirty years, the industry has grown at a compound rate of only just over one percent a year. Tapping into the enormous potential sales in India and China will bring a new boom. The auto industry will consequently be much larger in 2020, around sixty-five percent larger, in terms of production. China has already become a strong player in manufacturing global automotive electronics. Chinese automakers are also buying factory equipment from top international suppliers. Competitive Chinese suppliers are looking to start manufacturing and selling in overseas markets (International Trade Administration, 2009, p. 32). “By 2020 the auto industry will have reached an annual production of 100 million vehicles [a year], mostly due to demand in Asia,” says Dr. Carl Hahn, a former chairman of Volkswagen AG (The Economist Intelligence Unit, 2006, p. 25).
REFERENCES
Arlen, G. (2010). HSN's remote shopping sparks new interactivity. TVtechnology.com. Retrieved August 17, 2010 from http://www.tvtechnology.com/article/10840.
Bess, J. (2008). Visa PCI – Complying with payment card industry standards. Retrieved August 8, 2010 from http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/dce93ca8c1f384d6862571420036f06c/5ac115c55f9c851d8825727b007f697f/$FILE/Visa%20PCI%20%E2%80%93%20Complying%20with%20Payment%20Card%20Industry%20Standards.pdf.
BusinessWire. (2008, September 15). HSN deploys GoldenGate software for zero-downtime migration of Oracle's Siebel CRM application. Retrieved August 18, 2010 from http://findarticles.com/p/articles/mi_m0EIN/is_2008_Sept_15/ai_n28094247/.
Crowell, G. (2010). E-Commerce video strategies with the Home Shopping Network. Retrieved August 18, 2010 from http://www.reelseo.com/video-commerce-hsn/.
Endeca. (2002). World’s largest television shopping network HSN selects Endeca InFront™ for enriched online customer experience. Retrieved August 18, 2010 from http://www.endeca.com/83dc77d1-b5c8-4fcc-b927-e60fa173054b/news-and-events-press-releases-archive-details.htm.
KnowledgeLeader. (2010). E-commerce security best practice guidelines. Retrieved August 8, 2010 from http://www.auditnet.org/articles/eCom%20Sec%20Best%20Practices.doc.
Kumar, P. (2010, January 18). E-Commerce data security 2010: Learning from 2009's debacles. Retrieved June 27, 2010 from http://www.ecommercetimes.com/story/E-Commerce-Data-Security-2010-Learning-From-2009s-Debacles-69129.html.
Litan, A. (2010, June 4). Banks distribute Trusteer and other security software, but need to do more. Gartner.com. Retrieved June 27, 2010 from http://my.gartner.com.ezproxy.umuc.edu/portal/server.pt?open=512&objID=260&mode=2&PageID=3460702&resId=1381017&ref=QuickSearch&sthkw=transactional+security.
NSA. (2001). Defense in depth. Retrieved August 16, 2010 from http://www.nsa.gov/ia/_files/support/defenseindepth.pdf.
PCI. (2006). Visa PCI – Complying with payment card industry standards. Retrieved August 8, 2010 from http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/dce93ca8c1f384d6862571420036f06c/5ac115c55f9c851d8825727b007f697f/$FILE/Visa%20PCI%20%E2%80%93%20Complying%20with%20Payment%20Card%20Industry%20Standards.pdf.
Pfleeger, C. P., & Pfleeger, S. L. (2007). Security in computing (4th ed.). Upper Saddle River, NJ: Prentice Hall.
Pickert, K. (2008, September 24). Those crazy internet security questions. Time.com. Retrieved July 7, 2010 from http://www.time.com/time/business/article/0,8599,1843984,00.html.
SANS. (2010). The top cyber security risks. Retrieved August 16, 2010 from http://www.sans.org/top-cyber-security-risks/.
Spangler, T. (2010, July 28). HSN secures 'shop by remote' patent. Retrieved August 17, 2010 from http://www.broadcastingcable.com/article/455320-HSN_Secures_Shop_By_Remote_Patent.php.
Stoneburner, G., Goguen, A., & Feringa, A. (2001). Risk management guide for information technology systems. NIST 800-30. Retrieved May 30, 2010 from UMUC WebTycho.
UMUC. (2010). Sample risk assessment report 1. Retrieved May 30, 2010 from UMUC WebTycho.
UMUC. (2010). Sample risk assessment report 2. Retrieved May 30, 2010 from UMUC WebTycho.
Wikipedia. (2010). Home Shopping Network. Retrieved June 27, 2010, from http://en.wikipedia.org/w/index.php?title=Home_Shopping_Network&oldid=370138844