Risk Management and SOX History


Questions and Answers

What does the principle of confidentiality ensure?

  • Traceability of an entity's actions
  • Verification of content changes during transmission
  • Timeliness and reliability of information access
  • Protection against unauthorized access and disclosure (correct)

What does integrity in information security primarily protect against?

  • Delayed access to information
  • Unauthorized access to data
  • Unreliable authentication of messages
  • Improper modification or destruction of data (correct)

Which factor describes the incentives or pressures that lead to malicious acts?

  • Motivation (correct)
  • Accountability
  • Integrity
  • Availability

What is the role of nonrepudiation in information security?

  • Confirms the origin or receipt of a message (A) (correct)

Which term refers to the ability to trace the actions of an individual entity?

  • Accountability (C) (correct)

What vulnerability can arise from flaws in a system?

  • Potential exploitation for damage or delay (B) (correct)

What does the principle of availability focus on in information security?

  • Ensuring resources are available on time (B) (correct)

Which aspect involves a third party's ability to verify message integrity?

  • Authenticity (C) (correct)

What was the primary goal of the Sarbanes-Oxley Act of 2002?

  • To strengthen investor confidence and restore trust in capital markets (B) (correct)

Which section of SOX requires management to evaluate the operational effectiveness of Internal Controls over Financial Reporting?

  • Section 404 (a) (D) (correct)

Who is primarily responsible for the application of risk treatment in achieving business objectives?

  • Business Process Owners (A) (correct)

What does Section 404 (b) of SOX require regarding internal controls?

  • Attestation regarding the issuer's ICFR compliance (A) (correct)

In the context of risk management, what does risk reduction entail?

  • Minimizing the impact of identified risks (C) (correct)

Who has the tertiary responsibility for the oversight of compliance with legal and regulatory expectations?

  • Those Charged with Governance (A) (correct)

Which of the following is a common method of risk transfer in project management?

  • Insuring against project-related risks (B) (correct)

What is the secondary responsibility in evaluating risk treatment effectiveness?

  • Internal Audit (A) (correct)

What is the primary goal of Enterprise Risk Management?

  • To identify vulnerabilities and reduce risk to an acceptable level. (A) (correct)

Which of the following best describes 'risk avoidance'?

  • Stopping a project to prevent potential risks. (A) (correct)

Which term refers to flaws in a system that can be exploited?

  • Vulnerability (B) (correct)

What does 'significant deficiency' indicate in risk treatment?

  • Risks are managed without appropriate controls. (B) (correct)

What is meant by 'uncertainty' in the context of risk management?

  • Lack of information regarding the impact and timing of an event. (B) (correct)

Who does the Enterprise Risk Management process primarily serve?

  • Stakeholders interested in the achievement of objectives. (C) (correct)

Which of the following is a characteristic of a 'material weakness'?

  • Indicates potential for financial misstatement. (D) (correct)

What do compensating controls do in risk assessment?

  • Compensate for deficiencies by reducing risk exposure. (B) (correct)

What is the primary purpose of DNS tunneling?

  • To disguise information in domain name system queries (B) (correct)

Which of the following best describes whaling?

  • Phishing targeting individuals in senior management (B) (correct)

What characterizes a Distributed Denial of Service (DDoS) attack?

  • It uses multiple compromised computers to flood a network (A) (correct)

What is a zero-day exploit?

  • A flaw discovered before a patch is developed (C) (correct)

What is deepfake technology primarily used for?

  • Producing AI-generated forgeries that can mislead (A) (correct)

Which of the following concepts refers to misleading AI/ML systems?

  • Adversarial AI/ML (D) (correct)

What must be done to ensure the safety of buildings regarding fire hazards?

  • Secure multiple types of fire detection and suppression systems (A) (correct)

Where should an emergency evacuation plan be posted?

  • In a conspicuous place (C) (correct)

What is the primary purpose of threat intelligence?

  • To help organizations understand common vulnerabilities. (C) (correct)

What information is typically collected during manual logging of visitors?

  • Visitor's name, company, reason for visit, and times. (D) (correct)

What is a key benefit of virtualization?

  • It allows multiple operating systems to operate on one server. (C) (correct)

What does Mobile Device Management (MDM) primarily help with?

  • Segregating corporate and personal data on devices. (D) (correct)

What is a major concern with Bring Your Own Device (BYOD) policies?

  • They can result in unauthorized access to sensitive data. (A) (correct)

Which of the following best describes cloud computing?

  • On-demand access to computing resources via the internet. (C) (correct)

What is a risk associated with signing in visitors at a front reception desk?

  • The log can be easily altered or forged. (C) (correct)

What is a characteristic of zero-day threats?

  • They exploit unknown vulnerabilities. (A) (correct)

What technique involves a malicious actor posing a false scenario to gain trust?

  • Pretexting (C) (correct)

Which term refers to the method of accessing a server by hijacking a session through the client's IP address?

  • Session Hijacking (C) (correct)

What method is characterized by trial-and-error attempts to crack passwords?

  • Brute Force (A) (correct)

What method involves using existing stolen credentials across different applications?

  • Credential Stuffing (A) (correct)

Flashcards

Risk Transfer

A method of managing risk by transferring responsibility for the risk to another party, typically through outsourcing.

Risk Reduction

A method of managing risk by reducing the likelihood or impact of the risk, often through outsourcing part of the project.

Risk Sharing

A method of managing risk by sharing the risk with another party, often through outsourcing part of the project.

Risk Management

The process of identifying, evaluating, and responding to risks, aiming to minimize their negative impact.

Internal Controls over Financial Reporting (ICFR)

A set of processes and controls designed to ensure the reliability of financial reporting. It is a key aspect of the Sarbanes-Oxley Act of 2002.

Evaluation of Design and Operating Effectiveness of ICFR

The evaluation of the design and effectiveness of ICFR to ensure it is functioning as intended. Management must conduct this annual evaluation.

Attestation over Effectiveness of Internal Controls

The independent attestation by an auditor that an issuer's ICFR is effective, as mandated by Section 404 (b) of the Sarbanes-Oxley Act.

Business Process Owners

Those who hold the primary responsibility for applying risk treatments to achieve business objectives, as mandated by the Sarbanes-Oxley Act.

Enterprise Risk Management

The process by which an enterprise identifies vulnerabilities to its information assets in achieving its business objectives, then implements and applies countermeasures to reduce risk to an acceptable level.

Risk

Uncertainty of an event that affects the achievement of an objective.

Uncertainty

Lack of information about the impact and timing of an event.

Vulnerability

The result of flaws in a system.

Threat

The malicious act of exploiting a vulnerability to access, damage, or delay an information asset.

Material Weakness

A potential financial misstatement that could occur.

Significant Deficiency

Less severe than a material weakness, where risks are compensated through risk acceptance and monitoring.

Deficiency

Less severe than a significant deficiency, where compensating controls were in place and operating effectively.

Attack

A malicious act intended to access, damage or delay information assets.

IT Risk

The lack of knowledge about the impact and timing of a potential event resulting from a system flaw that could be exploited.

Confidentiality

The process of restricting unauthorized access to and disclosure of information.

Integrity

The protection against improper modification or destruction of information.

Availability

The protection against untimely and unreliable access to and use of information.

Motivation

Any incentive or pressure that drives someone to intentionally commit a crime.

Rationalization

The thought process a perpetrator uses to justify their actions.

Pretexting

A social engineering attack where someone pretends to be someone they are not to gain access to sensitive information, such as passwords or personal details.

Eavesdropping

A social engineering attack where attackers eavesdrop on conversations or observe individuals' actions to gain access to sensitive information.

Tailgating/Piggybacking

A social engineering tactic where attackers follow victims into secure areas, such as buildings or computer networks, to gain access by piggybacking off their entry.

Honeytrap

A social engineering technique where attackers create fake dating profiles to lure victims into sharing personal information or engaging in risky behavior.

Quid Pro Quo

A type of social engineering attack where attackers offer victims something valuable in exchange for their sensitive information, such as a discount or a free product.

Brute Force Attack

A cyberattack where attackers bombard a system with login attempts using a multitude of combinations until they find the correct password.

Kerberoasting

A brute-force password attack directed at Kerberos, an authentication system used in Microsoft Active Directory.

Man-in-the-Middle

A type of attack where an attacker intercepts communication between two parties, potentially altering the information or gaining access to sensitive data.

Spear Phishing

A type of phishing attack that targets specific individuals or organizations with personalized messages.

Whaling

A type of phishing attack that targets high-level executives (whales) within an organization.

Denial of Service (DoS)

A cyberattack that overloads a network with traffic, making it unavailable to legitimate users.

Distributed Denial of Service (DDoS)

A DoS attack that uses a network of compromised computers (a botnet) to generate massive traffic.

Smishing

A type of phishing attack that uses text messages to deceive victims into giving up personal information.

Vishing

A type of phishing attack that uses voice calls to deceive victims into giving up personal information.

Zero-day Exploit

Exploiting a newly discovered vulnerability in software before a patch is available.

Deepfake

AI-generated forgeries that appear extremely realistic, used to manipulate public opinion or damage reputations.

Threat Intelligence

A process of analyzing information about potential or current attacks to understand common vulnerabilities and exposures, such as zero-day threats and advanced persistent threats (APTs).

Virtualization

A technology that allows multiple operating systems (guests) to run on the same physical server (host) in isolation from each other, improving efficiency and reducing costs.

Cloud Computing

On-demand access to computing resources over the internet with pay-per-use pricing, removing the need for local hardware and software.

Manual Logging

A security control that requires visitors to sign in at a reception desk or entrance, recording their information for tracking and accountability.

Mobile Device Management (MDM)

A security control used to manage and protect data on mobile devices, segregating work and personal data to prevent unauthorized access.

Bring Your Own Device (BYOD)

A policy that allows employees to use their personal devices for work-related tasks, potentially reducing IT costs.

Study Notes

Risk Management - AUDCIS US SOX History

  • Twenty years ago, financial reporting scandals eroded investor confidence.
  • The Sarbanes-Oxley Act (SOX) of 2002 aimed to restore trust.
  • SOX 404 primarily focuses on internal controls over financial reporting (ICFR).

Evaluation of Design and Operating Effectiveness

  • Section 404(a) mandates annual evaluation of internal controls.
  • Management documents control procedures and testing.
  • Results publicly reported in Form 10-K.

Attestation Over Effectiveness of Internal Controls

  • Section 404(b) requires auditor attestation of ICFR.

Enterprise Risk Management

  • Identifying vulnerabilities in achieving business objectives.
  • Implementing countermeasures to reduce risk.
  • Definition of Risk: Uncertainty of an event affecting objective attainment.
  • Uncertainty: Lack of information about impact and timing of an event.

Risk Treatment

  • Risk Avoidance: Stopping a project.
  • Risk Transfer: Outsourcing a project.
  • Risk Reduction: Outsourcing part of a project.
  • Risk Sharing: Outsourcing part of a project.

Enterprise Risk Management Responsibility

  • Business Process Owners: Apply risk treatment to achieve business objectives.
  • Internal Audit: Assess risk treatment applied by business process owners.
  • Those Charged with Governance: Oversee compliance with legal and regulatory expectations, stakeholder management and resource-provision.
  • External Audit: Provide assurance to legislative and regulatory bodies.

Reportorial Requirements

  • Material Weakness: Potential for a financial misstatement.

Information Security Principle

  • Confidentiality: Restrictions against unauthorized access and disclosure.
  • Integrity: Restrictions against improper modification or destruction.
  • Availability: Protection against untimely and unreliable access.

Fraud Risk Factors

  • Motivation: Incentives and pressures driving perpetrator actions.
  • Rationalization: Justification for the perpetrator's actions.
  • Opportunity: Methods for the perpetrator to commit fraud, e.g., poor internal controls.

Vulnerabilities, Threats, and Attacks

  • Risk: Uncertainty affecting objective achievement.
  • Uncertainty: Lack of information about impact and timing.
  • Vulnerability: Result of flaws in a system.
  • Threat: System flaw that's exploited by malicious action.
  • Attack: Intentional malicious action to access, damage, or delay an asset.
  • IT Risk: Lack of information about the impact and timing of an event that arises from a system flaw.

Example of Vulnerabilities

  • Authenticity: Verifying content hasn’t changed in transit
  • Nonrepudiation: Verifying origin or receipt of a message
  • Accountability: Trackable actions of an entity
  • Network Availability: Timely and reliable IT resource access

Perpetrators May Use and Their Controls

  • Unauthorized hardware/software.
  • Untrusted wireless network.
  • Use of unsecured network.
  • Untrusted devices.

Types of Attacks

  • Malware (malicious software).
  • Viruses: Software activated to cause damage.
  • Trojans: Viruses hidden in legitimate software.
  • Worms: Viruses that replicate on their own.
  • Spyware: Secretly collects sensitive data.
  • Ransomware: Demands payment to recover data.

Social Engineering

  • Exploitation of human behavior to gain physical/security access.
  • Tailgating/piggybacking: Tagging along behind employees.
  • Eavesdropping: Listening to private communications.
  • Shoulder surfing: Physically spying on someone.
  • Brute Force: Trial-and-error password cracking.
  • Keylogging: Recording every keystroke.
  • Credential stuffing: Re-using stolen credentials.
  • Kerberoasting: Brute force attack on authentication systems.
  • Downgrading: Forcing into less secure environments.
  • Phishing: Enticing victims to share info.
  • Spear phishing: Targeted phishing attacks.
  • Whaling: Attacking top-level executives.
  • Smishing: Phishing via text messages.
  • Vishing: Phishing via phone calls.
  • Spoofing: Disguising as a trusted source.
  • Honeytrap: Luring victims into traps.
  • Domain spoofing: Disguises use of a known organization's email.
  • ARP spoofing: Disguising use of a known organization protocol.
  • Pretexting: False scenarios to gain trust.
  • Quid pro quo: Exchanging services for sensitive data.
  • Man-in-the-middle: Altering communications between parties.
  • Session hijacking: Changing IP address to access a server.
  • Pass-the-Hash: Using stolen info.
  • DNS tunneling: Using DNS to bypass firewalls.
  • Denial-of-service (DoS): Flooding networks with malicious requests.
  • Distributed denial-of-service (DDoS): Using multiple compromised computers to launch attacks.
  • Zero-day exploits: Exploiting vulnerabilities before patches.
  • Deepfakes: AI-generated forgeries used to damage reputations and sway political landscapes.
  • Adversarial AI/ML: Exploiting AI/ML models by introducing inaccuracies.

Physical and Environmental Controls

  • Information asset protections (physical).
  • Fire and Humidity hazards.
  • Disaster recovery plan.
  • Recovery time objectives (RTO).
  • Recovery point objective (RPO).
  • Emergency evacuation plan.
  • Fire suppression system.

Virtualization

  • Virtualization (on-prem server): Increase efficiency by allowing multiple OSs to coexist on one hardware.
  • Cloud Computing (third-party or backup server): On-demand access to computing resources.

Emerging Technologies

  • Private Branch Exchange (PBX).
  • Peer-to-Peer.
  • Voice over Internet Protocol (VoIP).
  • Wireless networks.
  • Instant messaging (IM).
  • Digital signatures.
  • Mobile (Edge) Computing.
  • Bring your own device (BYOD).
  • Internet of Things (IoT).
  • Cloud Computing (sharing computing resources).

Cloud Models

  • Private Cloud: Solely for one organization.
  • Community Cloud: Shared by several organizations.
  • Public Cloud: Available to the general public.
  • Hybrid Cloud: Composition of two or more clouds for data portability.

IT Forensics

  • Process of identifying, preserving, analyzing, and reporting digital evidence.


Related Documents

Risk Management - Audcis PDF
