Questions and Answers
According to Carter's taxonomy, what type of computer crime involves an attacker targeting a system with the intention of compromising the confidentiality, availability, or integrity of the data it contains?
- Incidental
- Target (correct)
- Instrumentality
- Associated
Which type of computer crime, according to Carter's taxonomy, involves using a computer to facilitate a criminal act, where the computer itself is not the target but rather a tool in committing the crime?
- Target
- Instrumentality (correct)
- Associated
- Incidental
In the context of computer security, what does the term 'information manipulation' refer to?
- Theft of physical computer hardware.
- Gaining unauthorized access to a system.
- Disruption of network services.
- Unauthorized alteration or modification of data. (correct)
Which of the following best describes a 'denial-of-service' (DoS) attack?
What is the primary objective of implementing 'access controls' in information security?
Which of the following is an example of a 'technical security control'?
Which of the following is the best definition of 'security awareness training' in an organization?
Within the context of security controls, what is the purpose of 'detective' controls?
What is the primary purpose of the Sarbanes-Oxley Act in relation to computer security and fraud?
What is the goal of an 'intrusion', in the context of computer and network security?
In the context of information security, what does 'data integrity' refer to?
What is the term for malicious software that replicates itself over a network, causing bottlenecks and consuming resources?
Within the CIA triad, what does availability refer to?
What is the term for a type of malicious software that remains dormant until a specific condition is met, triggering a malicious action?
What is the aim of website defacement?
What type of security measure involves physical means to protect computer hardware and facilities?
Which of the following best describes the concept of 'hacktivism'?
What is the function of a firewall in network security?
What is CoBIT's view on information in the 21st century?
According to COBIT, what is the difference between governance and management?
Flashcards
Target (Computer Crime)
Crimes where the criminal targets the system or its data to impact confidentiality and integrity.
Instrumentality (Computer Crime)
Computer is used as a tool to commit the crime, data is the means.
Incidental (Computer Crime)
Computer isn't required but is related to the criminal act, simplifying it, potentially difficult to trace.
Associated (Computer Crime)
Computer Fraud
Denial-of-Service (DOS) Attack
Information Theft
Information Manipulation
Malicious Software (Malware)
Denial-of-Service Attacks
Web Site Defacements
Intrusions
Information Security
Confidentiality
Data Integrity
Availability
Physical Security Controls
Technical Security Controls
Administrative Security Controls
Preventive Controls
Study Notes
- In late 2013, Target Stores experienced a major security breach that compromised many customers' data
- The incident was widely reported in the media
Target Data Breach Details
- Target says its stores were hit by a major credit-card attack involving up to 40 million accounts
- CEO Greg Steinhafel confirmed the data breach
- Target is working closely with law enforcement and financial institutions and has identified and resolved the issue
- Unlawful access to customer information took place between November 27 and December 15 of 2013
- Hackers had obtained data all the way from the credit card swipe machines, including encrypted PINs from debit cards
- Other information was also stolen, specifically names, addresses, phone numbers, and/or email addresses
- Later investigation revealed that the problem impacted at least 70 million Target customers
Chapter Overview
- The chapter extends the earlier discussion of internal control into the realm of information technology
- It also covers the measures organizations can use to combat computer crime
- The chapter aims to explain Carter's taxonomy of computer crime
- The chapter aims to help identify and describe business risks and threats to information systems
- The chapter aims to discuss ways to prevent and detect computer crime
- The chapter aims to explain the main components of the CoBIT framework and their implications for IT security
Carter's Taxonomy of Computer Crime
- Target: Crimes where the criminal targets the system or its data to impact confidentiality, availability, and integrity
- Instrumentality: Crimes where the computer is used as a tool to further a criminal end
- Incidental: Crimes where the computer is not required but simplifies the criminal act and makes it harder to trace
- Associated: New versions of traditional crimes are generated due to the presence of computers
- The lines between each type of crime can be blurry at times
Business Risks and Threats to Information Systems
- Organizations rely heavily on information systems for timely information used in critical business decisions
- Reliance on information systems increases the risks the organization faces
- Anyone involved in decision-making should understand those risks and their impacts
- The main business risks and threats are:
- Fraud
- Error
- Service interruption and delays
- Disclosure of confidential information
- Intrusions
Fraud
- Defined as any illegal act for which knowledge of computer technology is used to commit the offense
- Computer fraud is ultimately people fraud
- Computer skills required vary depending on the fraud type, from basic skills for data diddling to advanced skills for secure database theft
- The Sarbanes-Oxley Act was introduced to restore customer confidence and requires companies to establish extensive governance policies to prevent and respond to fraudulent activities
Error
- Losses associated with errors depend on the error's origin and the time to correct it
- Implementing preventive controls can prevent financial losses and negative impacts on the organization's image
Service Interruption and Delays
- A delay in processing information or a service interruption can bring an organization to a standstill
- Service interruptions can be due to accident, willful neglect, or malicious behavior
Disclosure of Confidential Information
- Disclosure of sensitive information can have major impacts on an organization's financial health
- Protecting information assets is critical, as highlighted by privacy laws
Intrusions
- The main objective of an intrusion is to gain access to a network or system by bypassing security controls
Information Theft
- This form of computer crime targets the organization's information
- Examples of data in this category are trade secrets, marketing plans, advertising campaigns, research and development data for new products, and customer lists
- These assets, which are represented in a numeric format, often have a higher value than other traditionally targeted assets, resulting in potentially higher losses for the organizations
Information Manipulation
- Can occur at virtually any stage of information processing, from input to output
- Input manipulation is the most common form of fraud since it is easy to perform and hard to detect
- Program manipulation is complex and difficult to detect, requiring advanced computer programming knowledge
- The "salami technique" involves taking advantage of automatic repetitions in a computer program to transfer small amounts to another account
Malicious Software
- Can take many different forms, such as a virus infecting a system and modifying its data, a worm replicating over the network causing a bottleneck, or a Trojan horse allowing an unauthorized backdoor into a system
- Logic bombs remain dormant until a specific condition is met; when triggered, one might, for example, delete all employee records
Denial-of-Service Attacks
- Prevent computer systems and networks from functioning in accordance with their intended purpose
- DOS attacks cause loss of service by consuming resources or disrupting components
- Distributed denial-of-service (DDOS) attacks bring computer operations to a complete standstill and are virtually impossible to block
Web Site Defacements
- A form of digital graffiti where intruders modify pages on the site to leave their mark, send a message, or mock the organization
- Politically motivated defacement (hacktivism) attempts to send a message to the organization or to some part of the online community
Extortion
- Online extortion is often the result of the computer being the object of a crime
- The extortionist threatens to reveal stolen information or launch a denial-of-service attack if demands are not met
Information Security
- Defined as the protection of data in a system against unauthorized disclosure, modification, or destruction, and protection of the computer system itself against unauthorized use, modification, or denial of service
- Information security is based on three fundamental principles: confidentiality, availability, and integrity
Principles of Information Security
- Confidentiality: Condition that exists when data are held in confidence and are protected from unauthorized disclosure
- Data integrity: State that exists when data stored in an information system are the same as those in the source documents
- Availability: Achieved when the required data can be obtained within the required time frame
- These three principles must be maintained throughout the information life cycle from creation to destruction
IT Controls
- IT controls are classified as physical, technical, or administrative
- Physical controls protect computers and equipment from threats like espionage, theft, destruction, or natural disasters
- Technical security controls use safeguards in computer and telecommunication hardware and software, such as firewalls and encryption
- Administrative security controls include security policies, procedures, and training
Safeguards
- Firewalls: The first line of defense, using access control policies to determine which packets can flow between network segments
- Intrusion Detection Systems (IDS): Detect potentially malicious data and access patterns at both network and individual computer levels
- Access Controls: Protect the confidentiality, integrity, and availability of information resources through identification, authentication, and authorization
- Cryptography: Transforms data to hide it, prevent modification, and/or prevent unauthorized access
- Administrative Security Controls: Management constraints and accountability procedures such as security policies, awareness training, and security reviews
Security Policy
- Policy is a clear and concise set of guiding statements supported by management that provides a framework for securing information assets
- Security policies are key components to an organization's information security management system
- Security awareness training communicates the roles and responsibilities of employees
Security Reviews
- Organizations should conduct security reviews to monitor compliance, fine-tune the security policy, and correct deficiencies
- Security audits examine whether systems operate in accordance with the security policy and ensure controls are effective
Administrative Security Controls
- Supplemental controls protect information processing resources and ensure proper authorization for access to computing resources
- Physical, technical, and administrative controls can be preventive, detective, or corrective
COBIT
- COBIT is the acronym for Control Objectives for Information and Related Technology
ISACA
- ISACA is the acronym for the Information Systems Audit and Control Association
- ISACA bridges the gap between accounting and information technology
COBIT Framework
- COBIT framework gives accountants and other information systems professionals clear guidance in establishing strong internal controls to deter fraud
- COBIT emphasizes information as a crucial organizational asset in the 21st century
- The COBIT framework provides concepts and ideas to manage information effectively
Five Principles that Form the Foundation of Strong IT Governance
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management
Meeting Stakeholder Needs
- A stakeholder is any person who has an interest in an organization's activities
- When an organization manages its IT well, the system will meet the legitimate information needs of all stakeholder groups
Covering the Enterprise End-to-End
- All parts of the organization have information and need to be managed
- A well-designed plan for managing information covers the whole entity not just the IT function
Applying a Single Integrated Framework
- COBIT's third principle incorporates and builds on other frameworks to produce a unified set of ideas
Enabling a Holistic Approach
- Enables stakeholders to look at the organization holistically
- COBIT integrates the other functions throughout the entity
Separating Governance from Management
- Governance focuses on strategic decision-making, goal setting, and prioritization
- Management focuses more on the day-to-day actions needed to achieve those goals
COBIT Enablers
- Principles, policies, and frameworks: translate the desired behavior into practical guidance
- Processes: an organized set of practices and activities to achieve overall IT-related goals
- Organizational structures: the key decision-making entities in an enterprise
- Culture, ethics, and behavior: important for governance and management activities
- Information: keeps the organization running and is the key product of the enterprise
- Services, infrastructure, and applications: provide the enterprise with IT processing and services
- People, skills, and competencies: required for completing all activities and making correct decisions