5-1
Learning Objectives
• Explain the threats faced by modern information systems.
• Define fraud and describe both the different types of fraud and the process one follows to perpetrate a fraud.
• Discuss who perpetrates fraud and why it occurs, including the pressures,
opportunities, and rationalizations that are present in most frauds.
• Define computer fraud and discuss the different computer fraud classifications.
5-2
Threats to AIS
• Natural and Political disasters
• Unintentional acts
• Intentional acts
5-3
Fraud
• Any means a person uses to gain an unfair
advantage over another person; includes:
▫ A false statement, representation, or disclosure
▫ A material fact, which induces a victim to act
▫ An intent to deceive
▫ Victim relied on the misrepresentation
▫ Injury or loss was suffered by the victim
5-5
Conditions for Fraud
These three conditions must be present for fraud to occur:
• Pressure
▫ Employee
Financial
Lifestyle
Emotional
▫ Financial Statement
Financial
Management
Industry conditions
• Opportunity to:
▫ Commit
▫ Conceal
▫ Convert to personal gain
• Rationalize
▫ Justify behavior
▫ Attitude that rules don’t apply
▫ Lack personal integrity
5-6
Fraud Triangle
5-7
Computer Fraud
If a computer is used to commit fraud, it is called computer fraud.
Computer fraud is classified as:
◦ Input
◦ Processor
◦ Computer instruction
◦ Data
◦ Output
5-8
Preventing and Detecting Fraud
1. Make Fraud Less Likely to Occur
Organizational | Systems
• Develop strong internal controls
• Restrict access
• System authentication
5-11
Preventing and Detecting Fraud
4. Reduce Fraud Losses
Organizational | Systems
5-12
Computer Fraud and Abuse Techniques
6-1
Learning Objectives
• Compare and contrast computer attack and abuse
tactics.
Hacking
◦ Unauthorized access, modification, or use of an
electronic device or some element of a computer
system
Social Engineering
◦ Techniques or tricks on people to gain physical or
logical access to confidential information
Malware
◦ Software used to do harm
6-15
Hacking
▫ Hijacking
Gaining control of a computer to carry out illicit activities
▫ Botnet (robot network)
Zombies
Bot herders
Denial of Service (DoS) Attack
Spamming
Spoofing
Makes the communication look as if someone else sent it so as to gain
confidential information.
6-16
Forms of Spoofing
E-mail spoofing
Caller ID spoofing
IP address spoofing
Address Resolution Protocol (ARP) spoofing
SMS spoofing
Web-page spoofing (phishing)
DNS spoofing
6-17
Hacking with Computer Code
• Cross-site scripting (XSS)
▫ Exploits a vulnerability in a Web application that lets malicious code be injected into the Web site. When a user visits the Web site, that malicious code can collect data from the user.
• Buffer overflow attack
▫ A large amount of data is sent to overflow a program’s input memory (buffer), causing it to crash and allowing the overflowed memory to be replaced with the attacker’s program instructions.
• SQL injection (insertion) attack
▫ Malicious code is inserted in place of a query to get at the database information.
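The two code-level attacks above that target a Web application, SQL injection and XSS, are easiest to understand as a vulnerable routine beside its hardened form. The following Python example is added here and is not code from the deck or the textbook; it assumes a constructed in-memory SQLite user table and the standard library's sqlite3 and html.escape, and names such as find_user_vulnerable are the example's own.

```python
import html
import sqlite3

# Constructed sample user table standing in for an application's user store.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately injectable: the input is pasted into the SQL text, so a
    value containing quote characters rewrites the query instead of being
    treated as data (the defect the slide describes)."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, username):
    """Hardened form: the driver binds the value separately from the query
    text, so whatever the input contains it can only be compared against
    the username column."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def greeting_vulnerable(display_name):
    """Deliberately XSS-prone: untrusted text is placed into HTML unchanged,
    so markup or script inside it is parsed by the visitor's browser."""
    return "<p>Welcome, " + display_name + "</p>"


def greeting_escaped(display_name):
    """Hardened form: HTML-escape the text so the browser renders it as
    characters rather than interpreting it as markup or script."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def compare():
    """Run both forms of each routine against the same constructed hostile
    inputs and return the results side by side."""
    conn = make_db()
    # Constructed input: closes the string literal and appends an
    # always-true condition, so the vulnerable query matches every row.
    injected = "nobody' OR '1'='1"
    # Constructed input containing a script tag.
    scripted = "<script>alert('xss')</script>"
    return {
        "sql_vulnerable": find_user_vulnerable(conn, injected),      # every user
        "sql_parameterized": find_user_parameterized(conn, injected),  # []
        "html_vulnerable": greeting_vulnerable(scripted),
        "html_escaped": greeting_escaped(scripted),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value!r}")
```

The point of the side-by-side is that the fix in both cases is the same idea: keep untrusted data separate from the code that interprets it (parameter binding for SQL, output encoding for HTML) rather than trying to filter out "bad" characters.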
6-18
Other Types of Hacking
Man in the middle (MITM)
◦ Hacker is placed in between a client (user) and a host
(server) to read, modify, or steal data.
Piggybacking
Password cracking
War dialing and driving
Phreaking
Data diddling
Data leakage
Pod slurping
6-19
Hacking Used for Embezzlement
Salami technique:
◦ Taking small amounts at a time
Round-down fraud
Economic espionage
◦ Theft of information, intellectual property and trade
secrets
Cyber-extortion
◦ Threats made online to a person or business, through e-mail or text messages, unless money is paid
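The salami technique and round-down fraud on this slide work because batch control totals still balance: the fractions of a cent shaved from many accounts reappear as a credit to one account the perpetrator controls. The Python example below is added here (it is not code from the deck or the textbook) to show why a per-account recomputation catches what a control total misses. The balances, the monthly rate, the half-up rounding policy and the collector account A-9999 are all constructed assumptions.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed account balances and a constructed monthly interest rate.
BALANCES = {
    "A-1001": Decimal("999.99"),
    "A-1002": Decimal("1399.99"),
    "A-1003": Decimal("15000.00"),
    "A-1004": Decimal("2639.99"),
    "A-1005": Decimal("4321.00"),
}
RATE = Decimal("0.0125")


def expected_interest(balances, rate):
    """Interest each account should receive, rounded to the cent under the
    institution's stated policy (half-up is assumed here)."""
    return {
        acct: (bal * rate).quantize(CENT, rounding=ROUND_HALF_UP)
        for acct, bal in balances.items()
    }


def constructed_round_down_postings(balances, rate, collector="A-9999"):
    """Constructed journal modelling the slide's scenario: every credit is
    truncated (rounded down) and the shaved fractions of a cent are
    accumulated into an account that has no balance of its own."""
    postings = {}
    shaved = Decimal("0")
    for acct, bal in balances.items():
        exact = bal * rate
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = truncated
        shaved += exact - truncated
    postings[collector] = shaved.quantize(CENT, rounding=ROUND_DOWN)
    return postings


def control_totals(expected, postings):
    """Batch control totals: (sum that should be credited, sum actually
    credited). In the round-down scheme these agree, which is why a
    totals-only reconciliation does not detect it."""
    return (sum(expected.values(), Decimal("0")),
            sum(postings.values(), Decimal("0")))


def audit_interest_run(balances, rate, postings):
    """Per-account check. Returns (differences between posted and expected
    interest, accounts credited that have no balance earning interest)."""
    expected = expected_interest(balances, rate)
    differences = {
        acct: postings[acct] - expected[acct]
        for acct in expected
        if acct in postings and postings[acct] != expected[acct]
    }
    unexpected = sorted(set(postings) - set(expected))
    return differences, unexpected


if __name__ == "__main__":
    postings = constructed_round_down_postings(BALANCES, RATE)
    print("control totals:", control_totals(expected_interest(BALANCES, RATE), postings))
    print("per-account audit:", audit_interest_run(BALANCES, RATE, postings))
```

Run as written, the control totals agree to the cent while the per-account audit reports three accounts each short by one cent and one credited account with no underlying balance; the second check, not the first, is the one worth building into the interest run.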
6-20
Hacking Used for Fraud
Internet misinformation
E-mail threats
Internet auction
Internet pump and dump
Click fraud
Web cramming
Software piracy
6-21
Social Engineering Techniques
• Identity theft
▫ Assuming someone else’s identity
• Pretexting
▫ Using a scenario to trick victims into divulging information or to gain access
• Posing
▫ Creating a fake business to get sensitive information
• Phishing
▫ Sending an e-mail asking the victim to respond to a link that appears legitimate and requests sensitive data
• Pharming
▫ Redirects a Web site to a spoofed Web site
• Eavesdropping
• URL hijacking
▫ Takes advantage of typographical errors entered for Web site addresses, so the user gets an invalid or wrong Web site
• Scavenging
▫ Searching trash for confidential information
• Shoulder surfing
▫ Snooping (either close behind the person) or using technology to snoop and get confidential information
• Skimming
▫ Double swiping a credit card
6-22
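URL hijacking and phishing on the Social Engineering Techniques slide both rely on an address that looks almost right. One defensive control is to compare the domain of a link against the organization's list of trusted domains and flag near misses. The Python example below is added here and is not code from the deck or the textbook; the trusted-domain list, the two-label rule for the registrable domain and the function names are the example's own assumptions.

```python
from urllib.parse import urlparse

# Constructed list of domains an organization's users legitimately visit.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character insertions,
    deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(hostname):
    """Assumption: the last two labels form the registrable domain. This
    holds for .com-style TLDs; a production check would consult the
    Public Suffix List instead."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def classify_url(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted' for an allow-listed domain, 'lookalike' for a domain
    within max_distance edits of one or one that buries a trusted name as a
    subdomain of something else, and 'unknown' otherwise."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Trusted name used as a label inside an unrelated host,
        # e.g. example.com.<other-domain>.
        if ("." + good + ".") in ("." + host):
            return "lookalike"
        # Typo-distance near miss such as a transposed or substituted letter.
        if 0 < edit_distance(domain, good) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links a mail filter or proxy might see.
    for link in ("https://www.example.com/login",
                 "https://exmaple.com/login",
                 "https://example.com.login-verify.net/",
                 "https://python.org/"):
        print(link, "->", classify_url(link))
```

In practice the "lookalike" verdict is a signal for blocking or for a warning banner, not proof of fraud; the distance threshold trades false positives against misses and should be tuned to the length of the protected names.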
Why People Fall Victim
• Compassion
▫ Desire to help others
• Greed
▫ Want a good deal or something for free
• Sex appeal
▫ More cooperative with those that are flirtatious or good looking
• Sloth
▫ Lazy habits
• Trust
▫ Will cooperate if trust is gained
• Urgency
▫ Cooperation occurs when there is a sense of immediate need
• Vanity
▫ More cooperation when appeal to vanity
6-23
Minimize the Threat of Social Engineering
6-26
Key Terms
Hacking
Hijacking
Botnet
Address Resolution Protocol (ARP) spoofing
SMS spoofing