ACY 2003 Contemporary Computer Technologies and Information Systems for Accounting Cyber Security PDF
This document is a past paper from ACY 2003, Contemporary Computer Technologies and Information Systems for Accounting, covering cyber security topics. It discusses learning objectives, types of cyber-attacks, threats, vulnerability, and risk, as well as the impact on society. The content is focused on computer security and its relation to accounting.
ACY 2003 Contemporary Computer Technologies and Information Systems for Accounting
Topic 3 Cyber Security (Chapter 4)
©2020 John Wiley & Sons, Inc. All rights reserved. Restricted - HSUHK staff only

Learning Objectives
1. The CIA of cyber security
2. Types of cyber-attacks and countermeasures
3. Impact on society

Objective 1: The CIA of cyber security

4.1 Introduction to Information Security
Word bank: Information Security, Vulnerability, Threat, Exposure, Security
__________________: the degree of protection against criminal activity, danger, damage, and/or loss.
__________________: all of the processes and policies designed to protect an organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.

4.1 Introduction to Information Security (continued)
__________________: any danger to which a system may be exposed.
__________________: the harm, loss, or damage that can result if a threat compromises an information resource.
__________________: the possibility that the system will be harmed by a threat.

Multiple choice question
A(n) _________ to an information resource is any danger to which a system may be exposed.
a) exposure b) risk c) threat d) vulnerability

Introduction to Information Security: Five Factors Contributing to Vulnerability
o Today’s interconnected, interdependent, wirelessly networked business environment
o Smaller, faster, cheaper computers & storage devices
o Decreasing skills necessary to be a computer hacker
o International organized crime taking over cybercrime
o Lack of management support

The CIA of cyber security
CIA: a concept that focuses on the balance between the confidentiality, integrity and availability of data under the protection of your information security program.
______________ is the ability to hide information from unauthorized access.
______________ is maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle.
______________ is ensuring that requested information is readily available to authorized entities.

Objective 2: Types of cyber-attacks and countermeasures

What is risk?
Word bank: uncertainty, anticipated, reliable, risk, future
______________
o the potential that __________ outcomes will be different from what was __________ or planned.
o The significance of the risk depends on likelihood/probability (vulnerability) and impact (threat).
_______________
o Lack of data or understanding
o Not possible to make any __________ assessment

What is risk? (continued)
Word bank: Unintentional, Threat, Intentional, Natural, Vulnerability
__________: any danger to which a system may be exposed.
o Types of threats:
  ____________ threats, such as floods, hurricanes, or tornadoes
  ____________ threats, like an employee mistakenly accessing the wrong information (slide below)
  ____________ threats, such as spyware, malware, adware companies, or the actions of a disgruntled employee (slide below)
_____________: the possibility that the system will be harmed by a threat.

What is risk? (figure)
4.2 Unintentional Threats to Information Systems
Human Errors
o Higher level employees + Greater access privileges = Greater Threat
o Examples:
  Carelessness with laptops/computing devices
  Opening questionable e-mail
  Careless Internet surfing
  Poor password selection and use
  Social engineering (slide below)

Types of cyber-attacks (intentional or unintentional)
(figure; labels: Password Attacks, Pharming)

Types of cyber-attacks
____________ (intentional), a contraction of “malicious software”
o Video: Malware (2:45) https://youtu.be/n8mbzU0X2nQ
o Examples (figure)
o Intrusive software that is designed to damage and destroy computers and computer systems. Like the human flu, it interferes with normal functioning.
____________ (intentional)
o Used by hackers against individuals to encrypt and restrict access to their files or computers.

Types of cyber-attacks
_________________ (intentional)
o An attempt to compromise a user by masquerading as a trustworthy entity in electronic communication (e.g. email).

Types of cyber-attacks
_________________ (intentional)
o Any incident that results in unauthorized access to computer data, applications, networks or devices.
Data breaches (intentional or unintentional)
o A type of security breach
o A confirmed security incident which involves access, disclosure, or destruction of private or confidential information by a malicious third party.
o Video: Facebook (2:32) https://youtu.be/O4TFXDniG9w

Types of cyber-attacks
_______________________ (intentional)
o Videos: https://youtu.be/_JpfNhH_ckU , https://youtu.be/sqaFPDq6A_o
o Software programs, apps and devices that enable someone to secretly spy on another person’s private life via their mobile device
_______________________ (intentional)
o The art of manipulating people into performing desired actions
o Example: attempting to trick a user into revealing their password by pretending to be in IT support.

Types of cyber-attacks
______________________ (intentional)
o Dictionary attacks: an attacker tries thousands of passwords from numerous dictionaries of common passwords and words of multiple languages
  Most people use real words as passwords
  Try all dictionary words before trying a brute force attack
  Makes the attack much faster
o Brute force attacks: an attacker tries different combinations of random characters until the password is guessed, or until every possible combination has been attempted

Types of cyber-attacks
_____________________ (intentional)
o Users are redirected from legitimate to malicious websites through manipulation of a host’s file or DNS server records, as well as reconfiguration of routers and switches, resulting in redirected DNS traffic.

Multiple choice question
______________ is an activity that takes place when cyber-criminals infiltrate any data source and take away or alter sensitive information.
a) Social Engineering b) Ransomware c) Password Attacks d) Data breach

Multiple choice question
______________ will encrypt all your system files and will ask you to pay a ransom in order to decrypt all the files and unlock the system.
a) Social Engineering b) Ransomware c) Password Attacks d) Data breach

Risk management
Risk __________________
o the amount and type of risk an organisation is willing to accept in pursuit of its business objectives.
Risk __________________
o the organization's or stakeholders’ readiness to bear the risk after risk “treatment” in order to achieve its objectives.
Risk __________________
o the amount of risk that the entity is able to support in pursuit of its objectives.

Four Categories of Internal Controls
Word bank: deterrent, preventative, corrective, detective
___________________ controls
o reduce errors and improper activities by attempting to prevent them from occurring.
o Examples include intrusion prevention systems, data validation and access control.
___________________ controls
o detect errors and improper activities.
o Examples include intrusion detection systems, motion sensors, surveillance, audit trails and check digit verification.

Four Categories of Internal Controls (continued)
___________________ controls
o discourage improper activities by making them more difficult or imposing significant consequences.
o Examples include signs, visible security cameras, non-disclosure agreements and policies.
___________________ controls
o mitigate damage caused by errors or security incidents by fixing the problem or preventing it from occurring again.
o Examples include restoring the latest backup data to a stand-by server.

4.5 Information Security Controls
o Physical Controls
o Access Controls
o Communication Controls
o Business Continuity Planning
o Information Systems Auditing
o User education (Video: Password (4:00) https://youtu.be/25G4tLVH1JE)
o Procedures and standards
o Legislation and regulation

Physical Controls
Prevent unauthorized individuals from gaining access to a company’s facilities.
o Walls
o Doors
o Fencing
o Gates
o Locks
o Badges
o Guards
o Alarm systems

FIGURE 4.2 Where defense mechanisms are located.

Access Controls
Authentication confirms the identity of the person requiring access.
Authorization determines which actions, rights, or privileges the person has, based on his or her verified identity.
____________________
____________________

Basic Guidelines for Passwords
o Difficult to guess.
o Long rather than short.
o They should have uppercase letters, lowercase letters, numbers, and special characters.
o Not recognizable words.
o Not the name of anything or anyone familiar, such as family names or names of pets.
o Not a recognizable string of numbers, such as a Social Security number or a birthday.

Communication Controls
o Firewalls
o Anti-malware Systems
o Whitelisting and Blacklisting
o Encryption
o Virtual Private Networking
o Transport Layer Security (TLS)
o Employee Monitoring Systems

FIGURE 4.3 (a) Basic firewall for home computer. (b) Organization with two firewalls and demilitarized zone.

FIGURE 4.6 Virtual private network (VPN) and tunneling.

Business Continuity Planning
Disaster Recovery Plan: its purpose is to provide guidance to the people who keep the business operating after a disaster occurs.

Business Continuity Planning (continued)
These strategies include:
o ____________________: a fully configured computer facility with all of the company’s services, communications links, and physical plant operations. A hot site duplicates computing resources, peripherals, telephone systems, applications, and workstations. Hot sites reduce risk to the greatest extent, but they are the most expensive option.
  Example: stock exchange, financial institutions
o ____________________: a warm site provides many of the same services and options as the hot site. However, it typically does not include the actual applications the company needs. A warm site includes computing equipment such as servers, but it often does not include user workstations.

Business Continuity Planning (continued)
o ___________________: a cold site provides only basic services and facilities, such as a building or a room with heating, air conditioning, and humidity control. This type of site provides no computer hardware or user workstations. Cold sites reduce risk the least, but they are the least expensive option.

Information Systems Auditing
Types of Auditors and Audits
o Internal: IS auditing is usually a part of accounting internal auditing, and it is frequently performed by corporate internal auditors.
o External: an external auditor reviews the findings of the internal audit as well as the inputs, processing, and outputs of information systems. The external audit of information systems is frequently a part of the overall external auditing performed by a certified public accounting (CPA) firm.
Professional qualification for Information Systems Audit
o ISACA's Certified Information Systems Auditor (CISA)

Information Systems Auditing (continued)
Word bank: around, through, with
Auditing _______ the computer: verifying processing by checking for known outputs using specific inputs. This approach is most effective for systems with limited outputs.
Auditing _______ the computer: auditors check inputs, outputs, and processing. They review program logic, and they test the data contained within the system.
Auditing _______ the computer: using a combination of client data, auditor software, and client and auditor hardware. This approach enables the auditor to perform tasks such as simulating payroll program logic using live data.
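The password-attack slide (dictionary attacks, then brute force) and the "Basic Guidelines for Passwords" slide describe the two sides of the same control. The following is an added example written for this page, not code from the course or the textbook: a policy checker that applies each guideline, and a helper that shows why length and character variety matter by computing the size of the space a brute-force attacker would have to search. The COMMON_WORDS and FAMILIAR_NAMES sets are constructed toy stand-ins; a real deployment would load a large published list of breached passwords and an organisation-specific list of names.

```python
import math
import re

# Constructed toy word list standing in for the "dictionaries of common
# passwords and words of multiple languages" the slide mentions.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon",
                "football", "iloveyou"}

# Constructed toy list of "familiar" names (family members, pets) that the
# guidelines say must not be used. Assumption: an organisation would seed
# this from its own data rather than a fixed list.
FAMILIAR_NAMES = {"fido", "rex", "chan", "wong", "tommy"}

CHARACTER_CLASSES = [
    (r"[A-Z]", 26, "no uppercase letter"),
    (r"[a-z]", 26, "no lowercase letter"),
    (r"\d", 10, "no digit"),
    (r"[^A-Za-z0-9]", 33, "no special character"),  # 33 printable ASCII symbols
]


def check_password(pw: str, min_length: int = 12) -> list:
    """Return the list of guideline violations; an empty list means accepted."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for pattern, _, message in CHARACTER_CLASSES:
        if not re.search(pattern, pw):
            problems.append(message)
    # Strip digits and symbols first so "Password123!" is still recognised as
    # the dictionary word "password" (the trick a dictionary attack also uses).
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in COMMON_WORDS:
        problems.append("recognisable dictionary word")
    if core in FAMILIAR_NAMES:
        problems.append("name of someone or something familiar")
    # A run of six or more digits is treated as a date, ID or phone number.
    if re.search(r"\d{6,}", pw):
        problems.append("contains a recognisable number string (date or ID)")
    return problems


def brute_force_keyspace(pw: str) -> int:
    """Number of candidates a brute-force attacker must cover for a password
    of this length drawn from the character classes actually present."""
    alphabet = sum(size for pattern, size, _ in CHARACTER_CLASSES
                   if re.search(pattern, pw))
    return alphabet ** len(pw)


def keyspace_bits(pw: str) -> float:
    """Same quantity as brute_force_keyspace, expressed in bits."""
    return math.log2(brute_force_keyspace(pw))


if __name__ == "__main__":
    for candidate in ["Password123!", "Fido19900512", "T7#kq!Wz9@Lm4v"]:
        print(candidate, check_password(candidate) or "accepted",
              f"{keyspace_bits(candidate):.1f} bits")
```

Run as a script it prints the violations for each sample; the first two candidates pass the superficial "mixed characters" test but fail the dictionary-word, familiar-name and number-string rules, which is exactly why a dictionary attack is tried before brute force.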
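To make the three auditing approaches on the last slide concrete, here is an added example (written for this page; not code from the course or the textbook) that uses a constructed payroll scenario. Auditing around the computer is shown as a test deck of specific inputs with known expected outputs; auditing with the computer is shown as a parallel simulation, where the auditor's own reimplementation of the payroll rule is run over the client's live output file and every difference is listed as an exception. The client_gross_pay function is a constructed stand-in for the client's production program and is given a deliberate defect (overtime paid after 38 hours instead of the stated policy of 40) so that both techniques have something to find; reading that function's source is what auditing through the computer would involve.

```python
from dataclasses import dataclass

# Payroll policy as stated by the client (constructed for the example).
OT_THRESHOLD_POLICY = 40
OT_MULTIPLIER = 1.5


def auditor_gross_pay(hours: float, rate: float) -> float:
    """Auditor's independent implementation of the stated payroll rule."""
    regular = min(hours, OT_THRESHOLD_POLICY)
    overtime = max(hours - OT_THRESHOLD_POLICY, 0)
    return round(regular * rate + overtime * rate * OT_MULTIPLIER, 2)


def client_gross_pay(hours: float, rate: float) -> float:
    """Constructed stand-in for the client's production payroll program.
    Deliberate defect for the example: overtime starts after 38 hours."""
    threshold = 38
    regular = min(hours, threshold)
    overtime = max(hours - threshold, 0)
    return round(regular * rate + overtime * rate * OT_MULTIPLIER, 2)


@dataclass(frozen=True)
class PayrollRecord:
    employee_id: str
    hours: float
    rate: float
    gross_reported: float  # figure produced by the client's program


# Constructed extract of the client's payroll output file ("live data").
CLIENT_PAYROLL_FILE = [
    PayrollRecord("E001", 30, 100.0, 3000.0),
    PayrollRecord("E002", 40, 100.0, 4100.0),  # 38*100 + 2*150 from the defect
    PayrollRecord("E003", 45, 80.0, 3880.0),   # 38*80 + 7*120
    PayrollRecord("E004", 38, 120.0, 4560.0),
]

# Auditing AROUND the computer: a test deck of inputs with known answers.
TEST_DECK = [
    (30, 100.0, 3000.0),
    (40, 100.0, 4000.0),
    (45, 100.0, 4750.0),
]


def run_test_deck(system_under_audit, deck, tolerance: float = 0.01) -> list:
    """Feed each known input to the system and report (hours, rate, expected, got)
    for every output that does not match the expected figure."""
    mismatches = []
    for hours, rate, expected in deck:
        got = system_under_audit(hours, rate)
        if abs(got - expected) > tolerance:
            mismatches.append((hours, rate, expected, got))
    return mismatches


def parallel_simulation(records, tolerance: float = 0.01) -> list:
    """Auditing WITH the computer: recompute every record with auditor software
    and return (employee_id, reported, recomputed) exceptions."""
    exceptions = []
    for r in records:
        recomputed = auditor_gross_pay(r.hours, r.rate)
        if abs(recomputed - r.gross_reported) > tolerance:
            exceptions.append((r.employee_id, r.gross_reported, recomputed))
    return exceptions


if __name__ == "__main__":
    print("test deck mismatches:", run_test_deck(client_gross_pay, TEST_DECK))
    print("parallel simulation exceptions:",
          parallel_simulation(CLIENT_PAYROLL_FILE))
```

Note the difference in coverage the slide points at: the test deck only catches the defect because one of its inputs happens to exceed 38 hours, while the parallel simulation checks every record in the file and so flags exactly the employees whose pay was affected.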
User education
User education: building awareness among employees by equipping them with the necessary tools and skills required to protect themselves and the company’s data from loss or attack.
The aim is to reduce human error and bad user practices to an acceptable minimum, since these are the two weakest points in any cyber-defence strategy.

Procedures and standards
Word bank: policy, standardised instructions, specific directions, authorisation
A cybersecurity policy sets the standards of behaviour for activities such as the encryption of email attachments and restrictions on the use of social media.
Procedure
o is a set of __________________________ for completing a task.
o For example, a junior staff member gets _______________________ from a senior. Segregation of duties for payment: one staff member prepares the check, another prepares the reconciliation report.
Standard
o provides __________________ on how policy requirements should be met.
o For example, a ____________________ could declare that all computers in the organisation must have anti-malware software installed by the IT department.

Legislation and regulation
Privacy is governed by Hong Kong’s Personal Data (Privacy) Ordinance (Chapter 486)
o Purpose and manner of collection of personal data
o Accuracy and duration of retention of personal data
o Use of personal data
o Security of personal data
o Information to be generally available
o Access to personal data

Multiple choice question
_________ controls prevent unauthorized individuals from gaining access to a company’s facilities.
a) Access b) Communications c) Physical d) Useful

Multiple choice question
_________ controls restrict unauthorized individuals from using information resources.
a) Access b) Communications c) Physical d) Useful

Discussion question
Flying Pig Limited has become a famous company in the printing industry. You are the CIO. Identify five potential cyber risks and suggest an internal control for each risk identified.

Objective 3: Impact on society

What Ethical, Social, and Political Issues are Raised by Information Systems?
Ethics: principles of right and wrong that individuals, acting as free moral agents, use to make choices to guide their behaviors.
Information systems raise new ethical questions because they create opportunities for:
o Intense social change, threatening existing distributions of power, money, rights, and obligations
o New opportunities for crime
o New kinds of crimes

What is the Business Value of Security and Control?
o Failed computer systems can lead to significant or total loss of business function
o Firms are now more vulnerable than ever
  Confidential personal and financial data
  Trade secrets, new products, strategies
o A security breach may cut into a firm’s market value almost immediately
o Inadequate security and controls also bring forth issues of liability

Legal and Regulatory Requirements for Electronic Records Management
o HIPAA: medical security and privacy rules and procedures
o Gramm-Leach-Bliley Act: requires financial institutions to ensure the security and confidentiality of customer data
o Sarbanes-Oxley Act: imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally

Electronic Evidence and Computer Forensics
Electronic evidence
o Evidence for white collar crimes is often in digital form
o Proper control of data can save time and money when responding to a legal discovery request
Computer forensics
o Scientific collection, examination, authentication, preservation, and analysis of data from computer storage media for use as evidence in a court of law
o Recovery of ambient data

Basic Concepts: Responsibility, Accountability, and Liability
Word bank: Accountability, Liability, Responsibility, Due process
___________________: accepting the potential costs, duties, and obligations for decisions
_______________________: mechanisms for identifying responsible parties
_______________________: permits individuals (and firms) to recover damages done to them
_______________________: laws are well-known and understood, with an ability to appeal to higher authorities

Ethical Analysis
Five-step process for ethical analysis
1. Identify and clearly describe the facts.
2. Define the conflict or dilemma and identify the higher-order values involved.
3. Identify the stakeholders.
4. Identify the options that you can reasonably take.
5. Identify the potential consequences of your options.

Discussion question
Flying Pig Limited has become a famous company in the printing industry. You are the CIO and have worked in the company for over 10 years. Because of your democratic leadership style, you have earned recognition for your outstanding work performance from subordinates and customers. One day, you received a call from an important customer, who contributes more than 40% of revenue. He would like you to share Flying Pig’s customer database. What should you do?
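Returning to the control material earlier in the deck: the Access Controls slide separates authentication (confirming identity) from authorization (what the verified identity may do), the Procedures and standards slide gives segregation of duties for payments as the example of a procedure (one staff member prepares the check, another prepares the reconciliation), and the internal-controls slides list audit trails as a detective control. The following added example, written for this page and not taken from the course or the textbook, puts those three ideas into one small payment workflow. The user accounts, roles, passwords and payment identifiers are all constructed; the hashing scheme (salted PBKDF2) is a standard choice, not something the slides specify.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# ---- Authentication: confirms the identity of the person requiring access ----

def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are never stored in clear; only a salted, slow hash is kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}


# Constructed sample accounts; the passwords are placeholders for the example.
USERS = {
    "alice": make_user("Ap-clerk-2020!x", {"ap_clerk"}),
    "bob":   make_user("Recon-2020!yz", {"reconciler"}),
    "carol": make_user("Carol-treasury-9$", {"ap_clerk", "reconciler"}),
}

# ---- Audit trail: a detective control recording every decision ----
AUDIT_TRAIL = []


def _log(user: str, action: str, outcome: str, reason: str = "") -> None:
    AUDIT_TRAIL.append({"ts": datetime.now(timezone.utc).isoformat(),
                        "user": user, "action": action,
                        "outcome": outcome, "reason": reason})


def authenticate(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        _log(username, "login", "denied", "unknown user")
        return False
    ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])
    _log(username, "login", "ok" if ok else "denied", "" if ok else "bad password")
    return ok


# ---- Authorization: which actions the verified identity may perform ----
PERMISSIONS = {
    "prepare_check": {"ap_clerk"},
    "prepare_reconciliation": {"reconciler"},
}
PAYMENTS = {}  # payment_id -> {"prepared_by": ..., "reconciled_by": ...}


def authorize(username: str, action: str, payment_id: str) -> bool:
    record = PAYMENTS.get(payment_id, {})
    if not USERS[username]["roles"] & PERMISSIONS[action]:
        _log(username, action, "denied", "role lacks permission")
        return False
    if action == "prepare_reconciliation":
        if "prepared_by" not in record:
            _log(username, action, "denied", "no prepared check to reconcile")
            return False
        # Segregation of duties: the preparer of a check may not reconcile it,
        # even when (like carol) they hold both roles.
        if record["prepared_by"] == username:
            _log(username, action, "denied", "segregation of duties")
            return False
    _log(username, action, "ok", payment_id)
    return True


def perform(username: str, password: str, action: str, payment_id: str) -> bool:
    """Full flow: authenticate, then authorize, then record the action."""
    if not authenticate(username, password):
        return False
    if not authorize(username, action, payment_id):
        return False
    field = "prepared_by" if action == "prepare_check" else "reconciled_by"
    PAYMENTS.setdefault(payment_id, {})[field] = username
    return True


def denied_reasons() -> list:
    """Convenience view of the audit trail: reasons for every denied event."""
    return [e["reason"] for e in AUDIT_TRAIL if e["outcome"] == "denied"]


if __name__ == "__main__":
    perform("alice", "Ap-clerk-2020!x", "prepare_check", "PAY-1")
    perform("carol", "Carol-treasury-9$", "prepare_check", "PAY-2")
    perform("carol", "Carol-treasury-9$", "prepare_reconciliation", "PAY-2")
    perform("bob", "Recon-2020!yz", "prepare_reconciliation", "PAY-2")
    for event in AUDIT_TRAIL:
        print(event["user"], event["action"], event["outcome"], event["reason"])
```

The point to notice is that carol is authenticated correctly and holds the reconciler role, yet is still refused on PAY-2: the segregation-of-duties procedure is a separate check layered on top of role-based authorization, and the refusal is itself written to the audit trail so that a later review can see the attempt.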