
Information System Security

5-1
Learning Objectives
• Explain the threats faced by modern information systems.

• Define fraud and describe both the different types of fraud and the process one follows to perpetrate a fraud.

• Discuss who perpetrates fraud and why it occurs, including the pressures,
opportunities, and rationalizations that are present in most frauds.

• Define computer fraud and discuss the different computer fraud classifications.

• Explain how to prevent and detect computer fraud and abuse.

5-2
Threats to AIS
• Natural and political disasters
• Software errors and equipment malfunctions
• Unintentional acts
• Intentional acts
5-3
Fraud
• Any means a person uses to gain an unfair
advantage over another person; includes:
▫ A false statement, representation, or disclosure
▫ A material fact, which induces a victim to act
▫ An intent to deceive
▫ Victim relied on the misrepresentation
▫ Injury or loss was suffered by the victim

Fraud is white-collar crime


5-4
Two Categories of Fraud
Misappropriation of assets
◦ Theft of company assets, which can include physical assets (e.g., cash, inventory) and digital assets (e.g., intellectual property such as protected trade secrets, customer data)
Fraudulent financial reporting
◦ “Cooking the books” (e.g., booking fictitious revenue, overstating assets, etc.)

5-5
Conditions for Fraud
These three conditions must be present for fraud to occur:
• Pressure
▫ Employee
▪ Financial
▪ Lifestyle
▪ Emotional
▫ Financial Statement
▪ Financial
▪ Management
▪ Industry conditions
• Opportunity to:
▫ Commit
▫ Conceal
▫ Convert to personal gain
• Rationalize
▫ Justify behavior
▫ Attitude that rules don’t apply
▫ Lack personal integrity
5-6
Fraud Triangle

5-7
Computer Fraud
If a computer is used to commit fraud it is called computer fraud.
Computer fraud is classified as:
◦ Input
◦ Processor
◦ Computer instruction
◦ Data
◦ Output

5-8
Preventing and Detecting Fraud
1. Make Fraud Less Likely to Occur
Organizational
• Create a culture of integrity
• Adopt structure that minimizes fraud, create governance (e.g., Board of Directors)
• Assign authority for business objectives and hold them accountable for achieving those objectives, effective supervision and monitoring of employees
• Communicate policies
Systems
• Develop security policies to guide and design specific control procedures
• Implement change management controls and project development acquisition controls
5-9
Preventing and Detecting Fraud
2. Make It Difficult to Commit
Organizational
• Develop strong internal controls
• Segregate accounting functions
• Use properly designed forms
• Require independent checks and reconciliations of data
Systems
• Restrict access
• System authentication
• Implement computer controls over input, processing, storage and output of data
• Use encryption
• Fix software bugs and update systems regularly
• Destroy hard drives when disposing of computers
5-10
Preventing and Detecting Fraud
3. Improve Detection
Organizational
• Assess fraud risk
• External and internal audits
• Fraud hotline
Systems
• Audit trail of transactions through the system
• Install fraud detection software
• Monitor system activities (user and error logs, intrusion detection)

5-11
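The "monitor system activities (user and error logs, intrusion detection)" item above, as an added example that is not from the slides: a small Python monitor that parses constructed authentication log lines and flags a source that accumulates repeated failed logins across several user names (the password-cracking / dictionary-attack pattern from the key terms), noting whether a success followed. The log format, user names and addresses are invented for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: invented format, names and addresses.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth FAILED user=alice src=10.0.0.5
2024-03-01T09:00:09 auth FAILED user=admin src=10.0.0.5
2024-03-01T09:00:17 auth FAILED user=bob src=10.0.0.5
2024-03-01T09:00:25 auth FAILED user=root src=10.0.0.5
2024-03-01T09:00:33 auth FAILED user=admin src=10.0.0.5
2024-03-01T09:00:49 auth OK user=admin src=10.0.0.5
2024-03-01T09:02:10 auth FAILED user=carol src=192.0.2.7
2024-03-01T09:02:45 auth OK user=carol src=192.0.2.7
this line is not an auth record and is skipped
"""
LINE_RE = re.compile(r"^(\S+) auth (FAILED|OK) user=(\S+) src=(\S+)$")

def parse(log_text):
    # Each well-formed line becomes (timestamp, result, user, source);
    # malformed lines are skipped here, though a real monitor should count them.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
    return sorted(events)

def detect_bursts(events, window=timedelta(minutes=5), threshold=5):
    # Per source, look for `threshold` failures inside any `window`; report the
    # distinct users tried and whether a login succeeded after the burst.
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAILED"]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst = fails[i:j + 1]
                alerts[src] = {
                    "failures": len(burst),
                    "users": sorted({e[2] for e in burst}),
                    "success_after": any(e[1] == "OK" and e[0] >= burst[-1][0] for e in evs),
                }
                break
    return alerts
```

A success immediately after a burst is the case worth escalating: it is the difference between a guessed password and a user who mistyped theirs.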
Preventing and Detecting Fraud
4. Reduce Fraud Losses
Organizational
• Insurance
• Business continuity and disaster recovery plan
Systems
• Store backup copies of program and data files in a secure, off-site location
• Monitor system activity

5-12
Computer Fraud and Abuse Techniques

6-1
Learning Objectives
• Compare and contrast computer attack and abuse tactics.
• Explain how social engineering techniques are used to gain physical or logical access to computer resources.
• Describe the different types of malware used to harm computers.
6-2
Types of Attacks

Hacking
◦ Unauthorized access, modification, or use of an
electronic device or some element of a computer
system
Social Engineering
◦ Techniques or tricks on people to gain physical or
logical access to confidential information
Malware
◦ Software used to do harm
6-15
Hacking
▫ Hijacking
▪ Gaining control of a computer to carry out illicit activities
▫ Botnet (robot network)
▪ Zombies
▪ Bot herders
▪ Denial of Service (DoS) Attack
▪ Spamming
▪ Spoofing
▪ Makes the communication look as if someone else sent it so as to gain confidential information.
6-16
Forms of Spoofing

E-mail spoofing
Caller ID spoofing
IP address spoofing
Address Resolution Protocol (ARP) spoofing
SMS spoofing
Web-page spoofing (phishing)
DNS spoofing

6-17
Hacking with Computer Code
• Cross-site scripting (XSS)
▫ Uses a vulnerability of a Web application that allows the Web site to be injected with malicious code. When a user visits the Web site, that malicious code is able to collect data from the user.
• Buffer overflow attack
▫ A large amount of data is sent to overflow the input memory (buffer) of a program, causing it to crash; the overflowed memory is replaced with the attacker’s program instructions.
• SQL injection (insertion) attack
▫ Malicious code inserted in place of a query to get to the database information
6-18
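The SQL injection item above, as an added example that is not from the slides: a Python lookup against an in-memory SQLite table, once with the query built by string concatenation and once with a bound parameter, so the difference the slide describes can be seen on one input. The table, its rows and the function names are constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed sample table; the rows are example data, not from the slides.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com"),
                      ("carol", "carol@example.com")])
    return conn

def lookup_vulnerable(conn, name):
    # The user-supplied value is pasted into the SQL text, so a quote inside
    # it ends the literal and the rest is parsed as part of the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Hardened form: the value is bound as a parameter and never parsed as
    # SQL, so whatever it contains it can only match a literal name.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo():
    conn = make_db()
    normal = "bob"
    # The textbook injection input: a closing quote plus an always-true OR.
    malicious = "' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_malicious": len(lookup_vulnerable(conn, malicious)),
        "safe_normal": len(lookup_parameterized(conn, normal)),
        "safe_malicious": len(lookup_parameterized(conn, malicious)),
    }
```

The vulnerable lookup returns the whole table for the malicious input; the parameterized one returns nothing, because no user is literally named that.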
Other Types of Hacking
Man in the middle (MITM)
◦ Hacker is placed in between a client (user) and a host (server) to read, modify, or steal data.
Piggybacking
Password cracking
War dialing and driving
Phreaking
Data diddling
Data leakage
Pod slurping
6-19
Hacking Used for Embezzlement
Salami technique:
◦ Taking small amounts at a time
▪ Round-down fraud
Economic espionage
◦ Theft of information, intellectual property and trade secrets
Cyber-extortion
◦ Threats to a person or business online through e-mail or text messages unless money is paid
6-20
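The round-down form of the salami technique above, as an added example that is not from the slides: a Python model of an interest run in which every account is rounded down and the shaved fractions of a cent are credited to one collector account, beside the independent per-account recomputation (the "independent checks and reconciliations of data" control from slide 5-10) that exposes both the one-cent shortfalls and the account collecting them. The balances, monthly rate and account names are constructed for the demo.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.0025")  # constructed rate for the demo

# Constructed sample ledger (account -> balance); not data from the slides.
BALANCES = {
    "A1": Decimal("1234.56"), "A2": Decimal("987.65"), "A3": Decimal("5555.55"),
    "A4": Decimal("42.42"), "A5": Decimal("3210.00"), "A6": Decimal("777.77"),
}

def exact_interest(balance):
    # Unrounded monthly interest: the figure an auditor recomputes independently.
    return balance * MONTHLY_RATE

def honest_postings(balances):
    # Stated posting policy: each account's interest rounded half-up to the cent.
    return {a: exact_interest(b).quantize(CENT, ROUND_HALF_UP) for a, b in balances.items()}

def salami_postings(balances, collector):
    # Toy model of round-down fraud: every account is rounded DOWN and the
    # accumulated fractions of a cent are credited to one collector account.
    posted, shaved = {}, Decimal(0)
    for acct, bal in balances.items():
        down = exact_interest(bal).quantize(CENT, ROUND_DOWN)
        shaved += exact_interest(bal) - down
        posted[acct] = down
    posted[collector] += shaved.quantize(CENT, ROUND_DOWN)
    return posted

def audit_postings(balances, posted):
    # Independent check: recompute each account's interest from its own balance
    # under the stated policy and list every account posted short or over.
    short, over = [], []
    for acct, amount in posted.items():
        expected = exact_interest(balances.get(acct, Decimal(0))).quantize(CENT, ROUND_HALF_UP)
        diff = amount - expected
        if diff < 0:
            short.append((acct, diff))
        elif diff > 0:
            over.append((acct, diff))
    return {"short": short, "over": over}

def demo():
    clean = audit_postings(BALANCES, honest_postings(BALANCES))
    dirty = audit_postings(BALANCES, salami_postings(BALANCES, "A6"))
    return clean, dirty
```

Each victim account is short by a single cent, which no one complains about; the audit only becomes conclusive when the shortfalls are systematic and one account is over by roughly their sum.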
Hacking Used for Fraud
Internet misinformation
E-mail threats
Internet auction
Internet pump and dump
Click fraud
Web cramming
Software piracy

6-21
Social Engineering Techniques
• Identity theft
▫ Assuming someone else’s identity
• Pretexting
▫ Using a scenario to trick victims to divulge information or to gain access
• Posing
▫ Creating a fake business to get sensitive information
• Phishing
▫ Sending an e-mail asking the victim to respond to a link that appears legitimate but requests sensitive data
• Pharming
▫ Redirects Web site to a spoofed Web site
• URL hijacking
▫ Takes advantage of typographical errors entered for Web site addresses, so the user gets an invalid or wrong Web site
• Scavenging
▫ Searching trash for confidential information
• Shoulder surfing
▫ Snooping (either close behind the person) or using technology to snoop and get confidential information
• Skimming
▫ Double swiping a credit card
• Eavesdropping
6-22
Why People Fall Victim
• Compassion
▫ Desire to help others
• Greed
▫ Want a good deal or something for free
• Sex appeal
▫ More cooperative with those that are flirtatious or good looking
• Sloth
▫ Lazy habits
• Trust
▫ Will cooperate if trust is gained
• Urgency
▫ Cooperation occurs when there is a sense of immediate need
• Vanity
▫ More cooperation when appeal to vanity
6-23
Minimize the Threat of Social Engineering
Never let people follow you into restricted areas
Never log in for someone else on a computer
Never give sensitive information over the phone or through e-mail
Never share passwords or user IDs
Be cautious of someone you don’t know who is trying to gain access through you
6-24
Types of Malware
Spyware
◦ Secretly monitors and collects information
◦ Can hijack browser, search requests
◦ Adware
Keylogger
◦ Software that records user keystrokes
Trojan Horse
◦ Malicious computer instructions in an authorized and properly functioning program
Trap door
◦ Set of instructions that allow the user to bypass normal system controls
Packet sniffer
◦ Captures data as it travels over the Internet
Virus
◦ A section of self-replicating code that attaches to a program or file, requiring a human to do something so it can replicate itself
Worm
◦ Stand-alone self-replicating program
6-25
Cellphone Bluetooth Vulnerabilities
Bluesnarfing
◦ Stealing contact lists, data, pictures on Bluetooth-compatible smartphones
Bluebugging
◦ Taking control of a phone to make or listen to calls, send or read text messages

6-26
Key Terms
Hacking
Hijacking
Botnet
Zombie
Bot herder
Denial-of-service (DoS) attack
Spamming
Dictionary attack
Splog
Spoofing
E-mail spoofing
Caller ID spoofing
IP address spoofing
MAC address
Address Resolution Protocol (ARP) spoofing
SMS spoofing
Web-page spoofing
DNS spoofing
Zero-day attack
Patch
Cross-site scripting (XSS)
Buffer overflow attack
SQL injection (insertion) attack
Man-in-the-middle (MITM) attack
Masquerading/impersonation
Piggybacking
6-27
Key Terms (continued)
Password cracking
War dialing
War driving
War rocketing
Phreaking
Data diddling
Data leakage
Podslurping
Salami technique
Round-down fraud
Economic espionage
Cyber-extortion
Cyber-bullying
Sexting
Internet terrorism
Internet misinformation
E-mail threats
Internet auction fraud
Internet pump-and-dump fraud
Click fraud
Web cramming
Software piracy
Social engineering
Identity theft
Pretexting
Posing
Phishing
Vishing
6-28
Key Terms (continued)
• Carding
• Pharming
• Evil twin
• Typosquatting/URL hijacking
• QR barcode replacements
• Tabnapping
• Scavenging/dumpster diving
• Shoulder surfing
• Lebanese looping
• Skimming
• Chipping
• Eavesdropping
• Malware
• Spyware
• Adware
• Torpedo software
• Scareware
• Ransomware
• Keylogger
• Trojan horse
• Time bomb/logic bomb
• Trap door/back door
• Packet sniffers
• Steganography program
• Rootkit
• Superzapping
• Virus
• Worm
• Bluesnarfing
• Bluebugging
6-29
Key Terms
Sabotage
Cookie
Fraud
White-collar criminals
Corruption
Investment fraud
Misappropriation of assets
Fraudulent financial reporting
Pressure
Opportunity
Rationalization
Lapping
Check kiting
Computer fraud
5-30
