Target Data Breach 2013

Questions and Answers

According to Carter's taxonomy, what type of computer crime involves an attacker targeting a system with the intention of compromising the confidentiality, availability, or integrity of the data it contains?

• Incidental
• Target (correct)
• Instrumentality
• Associated

Which type of computer crime, according to Carter's taxonomy, involves using a computer to facilitate a criminal act, where the computer itself is not the target but rather a tool in committing the crime?

• Target
• Instrumentality (correct)
• Associated
• Incidental

In the context of computer security, what does the term 'information manipulation' refer to?

• Theft of physical computer hardware.
• Gaining unauthorized access to a system.
• Disruption of network services.
• Unauthorized alteration or modification of data. (correct)

Which of the following best describes a 'denial-of-service' (DoS) attack?

Disrupting system functionality by overloading it with traffic. (A)

What is the primary objective of implementing 'access controls' in information security?

To ensure only authorized individuals can access specific information. (A)

Which of the following is an example of a 'technical security control'?

Firewalls. (B)

Which of the following is the best definition of 'security awareness training' in an organization?

Educating employees about their roles and responsibilities in maintaining security. (B)

Within the context of security controls, what is the purpose of 'detective' controls?

To identify anomalous and unwanted events after they have occurred. (C)

What is the primary purpose of the Sarbanes-Oxley Act in relation to computer security and fraud?

To increase corporate responsibility and require governance policies to prevent fraud. (C)

What is the goal of an 'intrusion', in the context of computer and network security?

To gain unauthorized access to a network or system. (C)

In the context of information security, what does 'data integrity' refer to?

Ensuring data is accurate, consistent, and unchanged during processing. (C)

What is the term for malicious software that replicates itself over a network, causing bottlenecks and consuming resources?

Worm (C)

Within the CIA triad, what does availability refer to?

Ensuring that information is accessible when required. (A)

What is the term for a type of malicious software that remains dormant until a specific condition is met, triggering a malicious action?

Logic bomb (D)

What is the aim of website defacement?

To modify the content of a website, often to leave a message or mock the organization. (D)

What type of security measure involves physical means to protect computer hardware and facilities?

Physical controls (B)

Which of the following best describes the concept of 'hacktivism'?

Using computer skills to advocate for a specific political or social cause. (A)

What is the function of a firewall in network security?

To control network traffic by examining packets and restricting access based on a pre-defined policy. (A)

What is CoBIT's view on information in the 21st century?

Information is the most important organizational asset. (C)

According to COBIT, what is the difference between governance and management?

Governance focuses on strategic decision making and goal setting, while management focuses on achieving those goals. (B)

Flashcards

Target (Computer Crime)

Crimes where the criminal targets the system or its data to impact confidentiality and integrity.

Instrumentality (Computer Crime)

Computer is used as a tool to commit the crime, data is the means.

Incidental (Computer Crime)

Computer isn't required but is related to the criminal act, simplifying it, potentially difficult to trace.

Associated (Computer Crime)

New versions of traditional crimes due to computers and the Internet.

Computer Fraud

Any illegal act where computer tech is used to commit the offense; fundamentally people fraud.

Denial-of-Service (DOS) Attack

An unauthorized program to overload services/bandwidth, causing a loss of service and downtime.

Information Theft

Targets an organization's most precious asset: information, customer data, plans, trade secrets, etc.

Information Manipulation

Changing data at any stage of processing, input manipulation is most common.

Malicious Software (Malware)

Software that harms systems: viruses, worms, trojans, or logic bombs.

Denial-of-Service Attacks

Prevents systems/networks from functioning by consuming resources.

Web Site Defacements

Intruders modify website pages to leave a mark, message, or mock organization.

Intrusions

Bypassing security or exploiting controls to access a network/system.

Information Security

The protection of data in a system against unauthorized disclosure, modification, or destruction

Confidentiality

Data is held in confidence and protected from unauthorized disclosure.

Data Integrity

Data in the system matches source data and hasn't been altered/destroyed.

Availability

Required data can be obtained within the required timeframe.

Physical Security Controls

Protect computers/equipment from espionage ,theft, damage, disasters.

Technical Security Controls

Safeguards in hardware/software: firewalls, encryption, access control, antivirus.

Administrative Security Controls

Policies, awareness, supervision, audits, and training.

Preventive Controls

To keep unwanted events from occurring.

Study Notes

• In late 2013, Target Stores experienced a major security breach that compromised many customers' data
• The incident was widely reported in the media

Target Data Breach Details

• Target says its stores were hit by a major credit-card attack involving up to 40 million accounts
• CEO Greg Steinhafel confirmed the data breach
• Target is working closely with law enforcement and financial institutions and has identified and resolved the issue
• Unlawful access to customer information took place between November 27 and December 15 of 2013
• Hackers had gotten data all the way from credit card swipe machines, including encrypted PIN numbers from debit cards
• Other information was also stolen, specifically names, addresses, phone numbers, and/or email addresses
• Later investigation revealed that the problem impacted at least 70 million Target customers

Chapter Overview

• The chapter extends the earlier discussion of internal control into the realm of information technology
• The uses organizations can use to combat it
• The chapter aims to explain Carter's taxonomy of computer crime
• The chapter aims to help identify and describe business risks and threats to information systems
• The chapter aims to discuss ways to prevent and detect computer crime
• The chapter aims to explain the main components of the CoBIT framework and their implications for IT security

Carter's Taxonomy of Computer Crime

• Target: Crimes where the criminal targets the system or its data to impact confidentiality, availability, and integrity
• Instrumentality: Using the computer to further a criminal end, using the computer to commit a crime
• Incidental: Crimes where the computer is not required but simplifies the criminal act and makes it harder to trace
• Associated: New versions of traditional crimes are generated due to the presence of computers
• The lines between each type of crime can be blurry at times

Business Risks and Threats to Information Systems

• Organizations rely heavily on information systems for timely information used in critical business decisions
• Reliance on information systems increases the risks the organization faces
• Anyone involved in decision-making should understand those risks and their impacts
• Following are the business risks and threats
• Fraud
• Error
• Service interruption and delays
• Disclosure of confidential information
• Intrusions

Fraud

• Defined as any illegal act for which knowledge of computer technology is used to commit the offense
• Computer fraud is ultimately people fraud
• Computer skills required vary depending on the fraud type, from basic skills for data diddling to advanced skills for secure database theft
• The Sarbanes-Oxley Act was introduced to restore customer confidence and requires companies to establish extensive governance policies to prevent and respond to fraudulent activities

Error

• Losses associated with errors depend on the error's origin and the time to correct it
• Implementing preventive controls can prevent financial losses and negative impacts on the organization's image.

Service Interruption and Delays

• A delay in processing information or a service interruption can bring an organization to a standstill
• Service interruptions can be due to accidental, willful neglect, or malicious behavior

Disclosure of Confidential Information

• Disclosure of sensitive information can have major impacts on an organization's financial health
• Protecting information assets is critical, as highlighted by privacy laws

Intrusions

• The main objective of an intrusion is to gain access to a network or system by bypassing security controls

Information Theft

• This form of computer crime targets the organization's information
• Examples of data in this category are trade secrets, marketing plans, advertising campaigns, research and development data for new products, and customer lists
• These assets, which are represented in a numeric format, often have a higher value than other traditionally targeted assets, resulting in potentially higher losses for the organizations

Information Manipulation

• Can occur at virtually any stage of information processing, from input to output
• Input manipulation is the most common form of fraud since it is easy to perform and hard to detect
• Program manipulation is complex and difficult to detect, requiring advanced computer programming knowledge
• The "salami technique" involves taking advantage of automatic repetitions in a computer program to transfer small amounts to another account

Malicious Software

• Can take many different forms, such as a virus infecting a system and modifying its data, a worm replicating over the network causing a bottleneck, or a Trojan horse allowing an unauthorized backdoor into a system
• Logic bombs validate software and trigger the deletion of all employee records

Denial-of-Service Attacks

• Prevent computer systems and networks from functioning in accordance with their intended purpose
• DOS attacks cause loss of service by consuming resources or disrupting components
• Distributed denial-of-service (DDOS) attacks bring computer operations to a complete standstill and are virtually impossible to block

Web Site Defacements

• A form of digital graffiti where intruders modify pages on the site to leave their mark, send a message, or mock the organization
• Politically motivated defacement, hacktivism, attempts to send a message to the organization or some part of the online community

Extortion

• Online extortion is often the result of the computer being the object of a crime
• The extortionist threatens to reveal stolen information or launch a denial-of-service attack if demands are not met

Information security

• Defined as the protection of data in a system against unauthorized disclosure, modification, or destruction, and protection of the computer system itself against unauthorized use, modification, or denial of service
• Information security is based on three fundamental principles: confidentiality, availability, and integrity

Principles of Information Security

• Confidentiality: Condition that exists when data are held in confidence and are protected from unauthorized disclosure
• Data integrity: State that exists when data stored in an information system are the same as those in the source documents
• Availability: Achieved when the required data can be obtained within the required time frame
• These three principles must be maintained throughout the information life cycle from creation to destruction

IT Controls

• IT controls are classified as physical, technical, or administrative
• Physical controls protect computers and equipment from threats like espionage, theft, destruction, or natural disasters
• Technical security controls use safeguards in computer and telecommunication hardware and software, such as firewalls and encryption
• Administrative security controls include security policies, procedures, and training

Safeguards

• Firewalls: The first line of defense, using access control policies to determine which packets can flow between network segments
• Intrusion Detection Systems (IDS): Detect potentially malicious data and access patterns at both network and individual computer levels
• Access Controls: Protect the confidentiality, integrity, and availability of information resources through identification, authentication, and authorization
• Cryptography: Transforms data to hide it, prevent modification, and/or prevent unauthorized access
• Administrative Security Controls: Management constraints and accountability procedures such as security policies, awareness training, and security reviews

Security policy

• Policy is a clear and concise set of guiding statements supported by management that provides a framework for securing information assets
• Security policies are key components to an organization's information security management system
• Security awareness training communicates the roles and responsibilities of employees

Security Reviews

• Organizations should conduct security reviews to monitor compliance, fine-tune the security policy, and correct deficiencies
• Security audits examine whether systems operate in accordance with the security policy and ensure controls are effective

Administrative Security Controls

• Supplementals, protects information processing resources and ensures proper authorization for accessing computing resources
• Physical, technical, and administrative controls can be preventive, detective, or corrective

COBIT

• COBIT is the acronym for Control Objectives for Information and Related Technology

ISACA

• ISACA is the acronym for the Information Systems Audit and Control Association
• ISACA bridges the gap between accounting and information technology

COBIT Framework

• COBIT framework gives accountants and other information systems professionals clear guidance in establishing strong internal controls to deter fraud
• COBIT emphasizes information as a crucial organizational asset in the 21st century
• The COBIT framework provides concepts and ideas to manage information effectively

Five Principles that Form the Foundation of a Strong IT Goverance

• Meeting stakeholder needs
• Covering the enterprise end-to-end
• Applying a single integrated framework
• Enabling a holistic approach
• Separating governance Management

Meeting Stakeholder Needs

• a stakeholder is any person who has an interest in an organization's activities
• When an organization manages its IT well, the system will meet the legitimate information needs of all stakeholder groups

Covering the Enterprise End-to-End

• All parts of the organization have information and need to be managed
• A well-designed plan for managing information covers the whole entity not just the IT function

Applying a Single Integrated Framework

• COBIT's third principle incorporates and builds on other frameworks to produce a unified set of ideas

Enabling a Holistic Approach

• enables stakeholders to look at the organization holistically
• COBIT integrates the other functions throughout the entity

Separating Goverance from Management

• Governance focuses on strategic decision-making, goal setting, and prioritization
• Management focuses more on the day-to-day actions needed to achieve those goals

COBIT Enablers

• Principles, policies, and frameworks - translate the desired behavior into practical guidance
• Processes: organized set of practices and activities to achieve overall IT-related goals
• Organizational structures - key decision-making entities in an enterprise
• Culture, ethics, and behavior - important for governance and management activities
• Information: keep the organization running and the key product of the enterprise
• Services, infrastructure, and applications - provide the enterprise with IT processing and services
• People, skills, and competencies - required for completion of all activities, and making correct decisions