ACY 2003 Contemporary Computer Technologies and Information Systems for Accounting Cyber Security PDF
Document Details
Uploaded by PleasantJudgment5673
null
2020
ACY
null
Tags
Related
- Defensive Technologies - Intrusion Detection and Firewalls (PDF)
- Ciberseguridad (Una Estrategia Informático/Militar) PDF
- Information and Communication Technology in the 21st Century PDF
- Cybersecurity Module 1 PDF
- Cyber Security Final Module 1 PDF
- Cyber Commando Training 2025 Screening Test Syllabus PDF
Summary
This document is a past paper from ACY 2003, Contemporary Computer Technologies and Information Systems for Accounting, covering cyber security topics. It discusses learning objectives, types of cyber-attacks, threats, vulnerability, and risk, as well as the impact on society. The content is focused on computer security and its relation to accounting.
Full Transcript
ACY 2003 Contemporary Computer Technologies and Information Systems for Accounting Topic 3 Cyber Security Chapter 4 ©2020 John Wiley & Sons, Inc. All rights reserved. Restricted - HSUHK staff only Learning Objectiv...
ACY 2003 Contemporary Computer Technologies and Information Systems for Accounting Topic 3 Cyber Security Chapter 4 ©2020 John Wiley & Sons, Inc. All rights reserved. Restricted - HSUHK staff only Learning Objectives 1. The CIA of cyber security 2. Types of cyber-attacks and countermeasures 3. Impact on society 2 Restricted - HSUHK staff only Objective 1 The CIA of cyber security 3 Restricted - HSUHK staff only 4.1 Introduction to Information Security Information Security Vulnerability Threat Exposure Security __________________: the degree of protection against criminal activity, danger, damage, and/or loss. __________________: all of the processes and policies designed to protect an organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction. 4 Restricted - HSUHK staff only 4.1 Introduction to Information Security __________________: any danger to which a system may be exposed. __________________: is the harm, loss, or damage that can result if a threat compromises an information resource. __________________: is the possibility that the system will be harmed by a threat. 5 Restricted - HSUHK staff only Multiple choice question A(n) _________ to an information resource is any danger to which a system may be exposed. a) exposure b) risk c) threat d) vulnerability 6 Restricted - HSUHK staff only Introduction to Information Security Five Factors Contributing to Vulnerability o Today’s interconnected, interdependent, wirelessly networked business environment o Smaller, faster, cheaper computers & storage devices o Decreasing skills necessary to be a computer hacker o International organized crime taking over cybercrime o Lack of management support 7 Restricted - HSUHK staff only The CIA of cyber security CIA: a concept that focuses on the balance between the confidentiality, integrity and availability of data under the protection of your information security program ______________is the ability to hide information from unauthorized access. ______________ is maintaining consistency, accuracy and trustworthiness of data over its entire lifecycle ______________ is information requested is readily available to untheorized entity 8 Restricted - HSUHK staff only Objective 2 Types of cyber-attacks and countermeasures 9 Restricted - HSUHK staff only What is risk? uncertainty anticipated reliable risk future ______________ o the potential that __________ outcomes will be different from what was __________ or planned. o Significant of the risk depends on likelihood/probability (Vulnerability) and impact (Threat). _______________ o Lack of data or understanding o Not possible to make any __________ assessment 10 Restricted - HSUHK staff only What is risk? Unintentional Threat Intentional Natural Vulnerability __________: any danger to which a system may be exposed. o Types of threats: ____________ threats, such as floods, hurricanes, or tornadoes ____________ threats, like an employee mistakenly accessing the wrong information (slide below) ____________ threats, such as spyware, malware, adware companies, or the actions of a disgruntled employee (slide below) _____________: is the possibility that the system will be harmed by a threat. 11 Restricted - HSUHK staff only What is risk? 12 Restricted - HSUHK staff only 4.2 Unintentional Threats to Information Systems Human Errors o Higher level employees + Greater access privileges = Greater Threat o Examples: Carelessness with Laptops/Computing Devices Opening Questionable E-mail Careless Internet Surfing Poor Password Selection and Use Social Engineering o Slide below 13 Restricted - HSUHK staff only Types of cyber-attacks (intentional or unintentional) Password Attacks Pharming 14 Restricted - HSUHK staff only Types of cyber-attacks ____________, contraction Malware (2:45) https://youtu.be/n8mbzU0X2nQ for “malicious software” Examples (intentional) o is an intrusive software that is designed to damage and destroy computers and computer systems. Like the human flu, it interferes with normal functioning. ____________(intentional) o hackers use against individuals to encrypt and restrict access to their files or computers. 15 Restricted - HSUHK staff only Types of cyber-attacks _________________ (intentional) o an attempt to compromise a user by masquerading as a trustworthy entity in electronic communication (e.g. email). 16 Restricted - HSUHK staff only Types of cyber-attacks _________________(intentional) o is any incident that results in unauthorized access to computer data, applications, networks or devices. Data breaches (intentional or unintentional) o is a type of security breach o is a confirmed security incident which involves access, disclosure, or destruction of private or confidential information by a malicious third party. o Facebook (2:32) : https://youtu.be/O4TFXDniG9w 17 Restricted - HSUHK staff only Types of cyber-attacks _______________________ (intentional) o https://youtu.be/_JpfNhH_ckU , https://youtu.be/sqaFPDq6A_o o software programs, apps and devices – that enable someone to secretly spy on another person’s private life via their mobile device _______________________(Intentional) o the art of manipulating people into performing desired actions o Attempting to trick a user into revealing their password by pretending to be in IT support. 18 Restricted - HSUHK staff only Types of cyber-attacks ______________________(intentional) o dictionary attacks: an attacker tries thousands of passwords from numerous dictionaries of common passwords and words of multiple languages Most people use real words as passwords Try all dictionary words before trying a brute force attack Makes the attack much faster o brute force attacks: an attacker tries different combinations of random characters until the password is guessed, or when every possible combination has been attempted 19 Restricted - HSUHK staff only Types of cyber-attacks _____________________ (intentional) o users are redirected from legitimate to malicious websites through manipulation of a host’s file or DNS server records as well as reconfiguration of routers and switches resulting in redirected DNS traffic.. 20 Restricted - HSUHK staff only Multiple choice question ______________ is an activity that takes place when cyber-criminals infiltrates any data source and takes away or alters sensitive information. a) Social Engineering b) Ransomware c) Password Attacks d) Data breach 21 Restricted - HSUHK staff only Multiple choice question ______________ will encrypt all your system files and will ask you to pay a ransom in order to decrypt all the files and unlock the system. a) Social Engineering b) Ransomware c) Password Attacks d) Data breach 22 Restricted - HSUHK staff only Risk management Risk __________________ o the amount and type of risk an organisation is willing to accept in pursuit of its business objectives. Risk __________________ o organization's or stakeholders’ readiness to bear the risk after risk “treatment” in order to achieve its objectives Risk __________________ o The amount of risk that the entity is able to support in pursuit of its objectives. 23 Restricted - HSUHK staff only Four Categories of Internal Controls deterrent preventative corrective detective ___________________ controls o reduce errors and improper activities by attempting to prevent them from occurring. o Examples include intrusion prevention systems, data validation and access control. ___________________ controls o detect errors and improper activities. o Examples include intrusion detection systems, motion sensors, surveillance, audit trails and check digit verification. 24 Restricted - HSUHK staff only Four Categories of Internal Controls ___________________ controls o discourage improper activities, by making them more difficult or imposing significant consequences. o Examples include signs, visible security cameras, non- disclosure agreements and policies. ___________________ controls o mitigate damage caused by errors or security incidents by fixing the problem or preventing it from occurring again. o Examples include restoring the latest backup data to a stand-by server. 25 Restricted - HSUHK staff only 4.5 Information Security Controls Physical Controls Access Controls Communication Controls Business Continuity Planning Information Systems Auditing User education (Password (4:00): https://youtu.be/25G4tLVH1JE ) Procedures and standards Legislation and regulation 26 Restricted - HSUHK staff only Physical Controls Prevent unauthorized individuals from gaining access to a company’s facilities. o Walls o Doors o Fencing o Gates o Locks o Badges o Guards o Alarm systems 27 Restricted - HSUHK staff only FIGURE 4.2 Where defense mechanisms are located. 28 Restricted - HSUHK staff only Access Controls Authentication confirms the identity of the person requiring access. Authorization determines which actions, rights, or privileges the person has, based on his or her verify ed identity. ____________________ ____________________ 29 Restricted - HSUHK staff only Basic Guidelines for Passwords Difficult to guess. Long rather than short. They should have uppercase letters, lowercase letters, numbers, and special characters. Not recognizable words. Not the name of anything or anyone familiar, such as family names or names of pets. Not a recognizable string of numbers, such as a Social Security number or a birthday. 30 Restricted - HSUHK staff only Communication Controls Firewalls Anti-malware Systems Whitelisting and Blacklisting Encryption Virtual Private Networking Transport Layer Security (TLS) Employee Monitoring Systems 31 Restricted - HSUHK staff only FIGURE 4.3 (a) Basic firewall for home computer. (b) Organization with two firewalls and demilitarized zone. 32 Restricted - HSUHK staff only FIGURE 4.6 Virtual private network (VPN) and tunneling. 33 Restricted - HSUHK staff only Business Continuity Planning Disaster Recovery Plan: purpose is to provide guidance to people who keep the business operating after a disaster occurs. 34 Restricted - HSUHK staff only Business Continuity Planning These strategies include: o ____________________: a fully configured computer facility with all of the company’s services, communications links, and physical plant operations. A hot site duplicates computing resources, peripherals, telephone systems, applications, and workstations. Hot sites reduce risk to the greatest extent, but they are the most expensive option. o Example: stock exchange, financial institutions o ____________________: A warm site provides many of the same services and options as the hot site. However, it typically does not include the actual applications the company needs. A warm site includes computing equipment such as servers, but it often does not include user workstations. 35 Restricted - HSUHK staff only Business Continuity Planning o ___________________: A cold site provides only basic services and facilities, such as a building or a room with heating, air conditioning, and humidity control. This type of site provides no computer hardware or user workstations. Cold sites reduce risk the least, but they are the least expensive option. 36 Restricted - HSUHK staff only Information Systems Auditing Types of Auditors and Audits o Internal: IS auditing is usually a part of accounting internal auditing, and it is frequently performed by corporate internal auditors. o External: An external auditor reviews the findings of the internal audit as well as the inputs, processing, and outputs of information systems. The external audit of information systems is frequently a part of the overall external auditing performed by a certified public accounting (CPA) firm. Professional qualification of Information System Audit o ISACA's Certified Information Systems Auditor (CISA) 37 Restricted - HSUHK staff only Information Systems Auditing around through with auditing the computer: verifying processing by checking for known outputs using specific inputs. This approach is most effective for systems with limited outputs. auditing the computer: auditors check inputs, outputs, and processing. They review program logic, and they test the data contained within the system. auditing the computer: using a combination of client data, auditor software, and client and auditor hardware. This approach enables the auditor to perform tasks such as simulating payroll program logic using live data. 38 Restricted - HSUHK staff only User education User education: building awareness among employees by equipping them with the necessary tools and skills required to protect themselves and the company data from loss or attack. minimize human error and bad user practices to an acceptable minimum since these are the two weakest points in any cyber-defence strategy. 39 Restricted - HSUHK staff only Procedures and standards policy standardised instructions specific directions authorisation A cybersecurity policy sets the standards of behaviour for activities such as the encryption of email attachments and restrictions on the use of social media. Procedure o is a set of __________________________for completing a task. o For example, a junior staff get _______________________ from the senior. Segregation of duties for payment, one staff prepare the check, another staff prepare reconciliation report. Standard o provides __________________on how policy requirements should be met. o For example, a ____________________ could declare that all computers in the organisation must have anti-malware software installed by the IT department. 40 Restricted - HSUHK staff only Legislation and regulation Privacy is governed by Hong Kong’s Personal Data (Privacy) Ordinance (Chapter 486) o Purpose and manner of collection of personal data o Accuracy and duration of retention of personal data o Use of personal data o Security of personal data o Information to be generally available o Access to personal data 41 Restricted - HSUHK staff only Multiple choice question _________ controls prevent unauthorized individuals from gaining access to a company’s facilities. a) Access b) Communications c) Physical d) Useful 42 Restricted - HSUHK staff only Multiple choice question _________ controls restrict unauthorized individuals from using information resources. a) Access b) Communications c) Physical d) Useful 43 Restricted - HSUHK staff only Discuss question Flying Pig Limited becomes a famous company in the printing industry. You are the CIO. Identify five potential cyber risks and suggest an internal control for each risk identified. 44 Restricted - HSUHK staff only Objective 3 Impact on society 45 Restricted - HSUHK staff only What Ethical, Social, and Political Issues are Raised by Information Systems? Ethics Principles of right and wrong that individuals, acting as free moral agents, use to make choices to guide their behaviors Information systems raise new ethical questions because they create opportunities for: Intense social change, threatening existing distributions of power, money, rights, and obligations New opportunities for crime New kinds of crimes 46 Restricted - HSUHK staff only What is the Business Value of Security and Control? Failed computer systems can lead to significant or total loss of business function Firms now are more vulnerable than ever Confidential personal and financial data Trade secrets, new products, strategies A security breach may cut into a firm’s market value almost immediately Inadequate security and controls also bring forth issues of liability 47 Restricted - HSUHK staff only Legal and Regulatory Requirements for Electronic Records Management H I PAA Medical security and privacy rules and procedures Gramm-Leach-Bliley Act Requires financial institutions to ensure the security and confidentiality of customer data Sarbanes-Oxley Act Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally 48 Restricted - HSUHK staff only Electronic Evidence and Computer Forensics Electronic evidence Evidence for white collar crimes often in digital form Proper control of data can save time and money when responding to legal discovery request Computer forensics Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in court of law Recovery of ambient data 49 Restricted - HSUHK staff only Basic Concepts: Responsibility, Accountability, and Liability Accountability Liability Responsibility Due process ___________________ Accepting the potential costs, duties, and obligations for decisions _______________________ Mechanisms for identifying responsible parties _______________________ Permits individuals (and firms) to recover damages done to them _______________________ Laws are well-known and understood, with an ability to appeal to higher authorities 50 Restricted - HSUHK staff only Ethical Analysis Five-step process for ethical analysis 1. Identify and clearly describe the facts. 2. Define the conflict or dilemma and identify the higher-order values involved. 3. Identify the stakeholders. 4. Identify the options that you can reasonably take. 5. Identify the potential consequences of your options. 51 Restricted - HSUHK staff only Discuss question Flying Pig Limited becomes a famous company in the printing industry. You are the CIO and worked in the company over 10 years. Because of your democratic leadership style, you have earned recognition for your outstanding work performance from the subordinates and customers. One day, you received a call from an important customer, who contributed more than 40% revenue. He would like you to share Flying Pig’s customer database. What should you do? 52 Restricted - HSUHK staff only