ACIS 3504 Exam 3
The unauthorized use of someone's personal information is referred to as
Data Masking
Software that protects confidentiality by screening outgoing documents to identify and block transmission of sensitive information is called:
Data loss prevention (DLP)
Threats sent to victims by e-mail that usually require some follow-up action, often at great expense to the victim
E-mail threats
Listening to private communications or tapping into data transmissions, usually by wiretap
Eavesdropping
-Theft of information, intellectual property, and trade secrets
Economic espionage
People are more likely to cooperate with people who gain their trust.
Trust
Setting up similarly named websites so that users making typographical errors when entering a website name are sent to an invalid site.
Typosquatting/URL hijacking
-Takes advantage of typographical errors entered for website names so that the user lands on an invalid or wrong website
URL hijacking
An immediate need that must be met leads people to be more cooperative and accommodating.
Urgency
Which of the following Generally Accepted Privacy Principles addresses the "right to be forgotten"?
Use, retention and disposal
People are more likely to cooperate if they are told they are going to be more popular or successful.
Vanity
Fraudsters take advantage of which of the following human traits to entice a person to reveal information or take a specific action? (Check all that apply.)
Vanity, Trust, Compassion, Urgency
Running multiple systems (e.g., Windows, Unix, and Mac) on a single physical machine is referred to as:
Virtualization
-A section of self-replicating code that attaches to a program or file requiring a human to do something so it can replicate itself
Virus
As credit sales increase, so should accounts receivable. In addition, there are relationships between sales and accounts such as cost of goods sold, inventory, and freight out.
Example of analytical reviews
How do you verify a digital signature?
If the hash you obtain by decrypting the digital signature matches the hash you obtain by hashing your copy of that document or file.
Interest calculations are truncated at two decimal places, and the excess decimals are put into an account the perpetrator controls. What is this fraud called?
Round-down fraud
-read the destination address fields in packet headers to decide where to send (route) the packet next.
Routers
One way to improve the efficiency and effectiveness of log analysis is to use a(n):
SIEM
Using short message service (SMS) to change the name or number a text message appears to come from
SMS Spoofing
-Malicious code inserted in place of a query to get to the database information
SQL injection (insertion) attack
An organization that issues public and private keys and records the public key in a digital certificate
certificate authority
Plaintext transformed into unreadable gibberish using encryption
ciphertext
The use of two or more types of authentication credentials in conjunction to achieve a greater level of security.
multifactor authentication
Reliability issues and the risk of theft or destruction from unsupervised physical access are what kind of impact of virtualization, cloud computing, and IoT?
negative impact on security
-Risk that exists before plans are made to control it
Inherent
To prevent typosquatting a company must
(1) try to obtain all the web names similar to theirs to redirect people to the correct site, and (2) use software to scan the Internet and find domains that appear to be typosquatting.
Which of the following helps protect you from identity theft?
***All of the above: Monitor your credit reports regularly; Encrypt all e-mail that contains personal information; Shred all paper documents that contain personal information before disposal
Which of the following statements is true regarding VPNs, encryption, and digital certificates?
***All of the above are true: VPNs protect the confidentiality of information while it is in transit over the Internet; Encryption limits firewalls' ability to filter traffic; A digital certificate contains that entity's public key
Which of the following statements is true about changes?
**All of the above: "Emergency" changes need to be documented once the problem is resolved; Changes should be tested in a system separate from the one used to process transactions; Change controls are necessary to maintain adequate segregation of duties
Which of the following are indicators that an organization's change management and change control process is effective?
**All of the above: A low number of emergency changes; A reduction in the number of problems that need to be fixed; Testing of all changes takes place in a system separate from the one used for regular business operations
Which of the following factor(s) should be considered when determining the strength of any encryption system?
**All of the above: Policies for managing the cryptographic keys; Encryption algorithm; Key length
Which of the following statements about virtualization and cloud computing is(are) true?
**All of the above: The time-based model of security applies; Strong user access controls are important; Perimeter protection techniques (e.g., firewalls, IDS, and IPS) are important
Which of the following is an example of multi-factor authentication?
**All of the above: Voice recognition plus answer to security question; Password plus smart card; USB device plus retina scan
What are the six steps that many criminals use to attack information systems?
(1) Conduct reconnaissance; (2) Attempt social engineering; (3) Scan and map the target; (4) Research; (5) Execute the attack; (6) Cover tracks
It is critical that controls be in place during the holiday season because
-More people are on vacation and fewer around to mind the store. -Students are not tied up with school. -Lonely counterculture hackers increase their attacks.
•Three principles that apply to the information and communication process:
-Obtain or generate relevant, high-quality information to support internal control. -Internally communicate the information, including objectives and responsibilities, necessary to support the other components of internal control. -Communicate relevant internal control matters to external parties.
•Processes implemented to provide assurance that the following objectives are achieved:
-Safeguard assets -Maintain sufficient records -Provide accurate and reliable information -Prepare financial reports according to established criteria -Promote and improve operational efficiency -Encourage adherence with management policies -Comply with laws and regulations
The 4 steps of the security life cycle are
1-Assess threats and select risk response 2-Develop and communicate policy 3-Acquire and implement solutions 4-Monitor performance
What are the steps to protecting confidentiality and privacy?
1. Identify and classify information to be protected; 2. Protect sensitive information with encryption; 3. Control access to sensitive information; 4. Training
The seven different types of control activities include
1. Proper authorization of transactions and activities; 2. Segregation of duties; 3. Project development and acquisition controls; 4. Change management controls; 5. Design and use of documents and records; 6. Safeguarding assets, records, and data; 7. Independent checks on performance
Which of the following can be used to create a digital signature?
Asymmetric encryption system
Which of the following statements is true of a network?
A DMZ is a separate network located outside the organization's internal information system.
What does COSO stand for?
Committee of Sponsoring Organizations
Which of the following is not an example of multi-factor authentication?
A passphrase and a security question
Sets of IF-THEN rules used to determine what to do with arriving packets used with firewalls and routers
Access control lists
•Specifies what part of the IS a user can access and what actions they are permitted to perform.
Access control matrix
Spyware that can pop up banner ads on a monitor, collect information about the user's web-surfing and spending habits, and forward it to the creator
Adware
Combining a password with which of the following is an example of multi-modal authentication?
All of the above: Name of your first grade teacher; Your email address; Correctly identifying a picture you had selected when you set up the account
Which of the following is the final phase of the incident response process?
Analysis of the root cause of the incident
The examination of the relationships between different sets of data is called
Analytical review
Concerned with the accuracy, completeness, validity, and authorization of data captured, processed, and stored
Application controls
Controls that prevent, detect, and correct transaction errors and fraud in application programs are called:
Application controls
Verifying the identity of the person or device attempting to access the system.
Authentication
Establishing policies and empowering employees to perform activities within policy; an important part of an organization's control procedures
Authorization
Process of restricting the access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform
Authorization
The control procedure designed to restrict what portions of an information system an employee can access and what actions he or she can perform is called ___________.
Authorization
Prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized
Authorization Functions
To achieve effective segregation of duties, certain functions must be separated. Which of the following is the correct listing of the accounting-related functions that must be segregated?
Authorization, recording, and custody
-System and data can be accessed when needed
Availability
Making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source
E-mail spoofing
•Distributed ledger of hashed documents with copies stored on multiple computers. The technology was originally developed to support the crypto-currency Bitcoin to prevent "double-spending" the same coin, but it has since been adopted for use in a variety of industries to create reliable audit trails for any business process.
Blockchain
-Taking control of a phone to make or listen to calls, send or read text messages
Bluebugging
-Stealing contact lists, data, pictures on Bluetooth compatible smartphones
Bluesnarfing
•Checks the contents of the destination address field of every packet it receives.
Border router
A network of powerful and dangerous hijacked computers that are used to attack systems or spread malware
Botnet
Trial-and-error method that uses software to guess information, such as the user ID and password, needed to gain access to a system
Brute force attack
Large amount of data sent to overflow the input memory (buffer) of a program, causing it to crash and replacing it with the attacker's program instructions.
Buffer overflow attack
Which of the following statements is true about COSO?
COSO's internal control integrated framework has been widely accepted as the authority on internal controls.
-Expands COSO framework where risk is accepted and tolerated
COSO-ERM (Enterprise Risk Management)
This act gives the right to delete, know about and opt out of sale of personal information
California Consumer Privacy Act (CCPA)
Displaying an incorrect number on the recipient's caller ID display to hide the caller's identity
Caller ID spoofing
The organization that issues public and private keys is called a:
Certificate authority
The formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability
Change control and change management
Independent of other IS functions and reports to the COO or CEO. Must understand the company's technology environment and work with the CIO to design, implement, and promote sound security policies and procedures. Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO's security measures.
Chief Information Security Officer (CISO)
Manipulating the number of times an ad is clicked on to inflate advertising bills
Click fraud
The desire to help others who present themselves as needing help.
Compassion
Why do People fall victim to fraud?
Compassion, Greed, Sex appeal, Sloth, Trust, Urgency, Vanity
A team responsible for dealing with major security incidents
Computer Incident response team (CIRT)
Discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.
Computer forensics specialists
Success of a brute force attack is a factor of what two things?
Computing power used and enough time to generate the number of combinations needed
-Sensitive organizational data is protected and ensures accuracy
Confidentiality
Employee compliance with organization's information security policies and overall performance of business processes
Continuous monitoring
Which activity are accountants most likely to participate in?
Continuous monitoring
A security internal IT control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters.
Control Objectives for Information and Related Technology (COBIT)
Control policies and procedures help ensure that the actions identified by management to address risks and achieve the organization's objectives are effectively carried out
Control activities
The company culture that is the foundation for all other internal control components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.
Control environment
-Identify and correct problems; correct and recover from the problems
Corrective controls
A digital signature is ______________.
Created by hashing a document and then encrypting the hash with the signer's private key
Uses a vulnerability of a Web application that allows the Web site to be injected with malicious code. When a user visits the Web site, that malicious code is able to collect data from the user.
Cross-site scripting (XSS)
Handling cash, handling inventories, tools, or fixed assets, writing checks are examples of what type of functions
Custodial functions
-Threatening to harm a company or a person if a specified amount of money is not paid
Cyber-extortion
-Threats to a person or business online through e-mail or text messages unless money is paid
Cyber-extortion
Fraud perpetrators threaten to harm a company if it does not pay a specified amount of money. What is this fraud technique called?
Cyber-extortion
Threatening to harm a company or a person if a specified amount of money is not paid.
Cyber-extortion
Software that works like antivirus programs in reverse, blocking outgoing messages (whether e-mail, IM, or other means) that contain key words or phrases associated with the intellectual property or other sensitive data the organization wants to protect.
Data loss prevention (DLP)
Which of the following can organizations use to protect the privacy of a customer's personal information when giving programmers a realistic data set with which to test a new application?
Data masking
Transforming ciphertext back into plaintext
Decryption
A process that examines the data in the body of a TCP packet in more detail to control traffic, rather than looking only at the information in the IP and TCP headers. It is a slower process.
Deep packet inspection
Separate network located outside the organization's internal information system that permits controlled access from the Internet to selected resources
Demilitarized Zone
A computer attack in which the attacker sends so many e-mail bombs or web page requests, often from randomly generated false addresses, that the internet service provider's e-mail server or the web server is overloaded and shuts down
Denial of service attack (DoS)
Which component of the time-based model of security does log analysis affect?
Detection
-Discover problems that are not prevented
Detective controls
Software that is embedded in documents or files that contain confidential information to indicate who owns that information is called
Digital watermark
Most computer attacks are designed to steal information or money. Which of the following attacks is designed to slow down or stop a website, often to prevent legitimate users from accessing the website?
DoS Attack
The maxim that debits equal credits provides numerous opportunities for independent checks. Debits in a payroll entry may be allocated to numerous inventory and/or expense accounts; credits are allocated to liability accounts for wages payable, taxes withheld, employee insurance, and union dues. After the payroll entries, comparing total debits and credits is a powerful check on the accuracy of both processes. Any discrepancy indicates the presence of an error.
Double entry accounting
Able wants to send a file to Baker over the Internet and protect the file so that only Baker can read it and verify that it came from Able. What should Able do?
Encrypt the file using Able's private key, and then encrypt it again using Baker's public key
Which of the following statements is true about encryption?
Encryption is reversible, but hashing is not
Which of the following statements is(are) true about encryption and hashing?
Encryption is reversible, but hashing is not. Encryption produces a file similar in size to the plaintext file, but hashing produces a short fixed-length file.
Which of the following statements is not true about encryption?
Encryption protects the confidentiality of information while it is in processing.
-imposes huge fines (up to 4% of global revenues) for issues such as not properly obtaining consent to collect and use personal information or not being able to document that the organization has taken a proactive approach to protecting privacy.
European Union's General Data Privacy Regulation (GDPR)
On your dream vacation to Hawaii you decide to log into the hotel's Wi-Fi network and notice that there are two networks with very similar names. You select one and are immediately connected to the network without having to enter the access code given you at check in. Weeks later you find that your identity has been stolen. You were a victim of which computer fraud and abuse technique?
Evil twin
Fraudsters trick cellphone users into divulging account information by sending an automated call or text message that appears to come from their bank. Using the divulged information, the fraudsters call the bank, spoofing the victim's phone number, and answer the security questions.
Example of Caller ID Spoofing
Daniel Baas was the systems administrator for a company that did business with Acxiom, who manages customer information for companies. Baas exceeded his authorized access and downloaded a file with 300 encrypted passwords, decrypted the password file, and downloaded Acxiom customer files containing personal information. The intrusion cost Acxiom more than $5.8 million.
Example of Password Cracking
Susan Gilmour-Latham got a call asking why she was sending the caller multiple adult text messages per day. Her account records proved the calls were not coming from her phone. Neither she nor her mobile company could explain how the messages were sent. After finding no way to block the unsavory messages, she changed her mobile number to avoid further embarrassment by association.
Example of SMS spoofing
A woman got a call asking why she had sent the caller multiple adult message texts every day for the past few months. Neither she nor her mobile company could explain the texts, as her account showed that they were not coming from her phone.
Example of SMS spoofing
typing goggle.com instead of google.com might lead to a cyber-squatter site that:
Example of URL hijacking
CloudNine, an Internet service provider, went out of business after DoS attacks prevented its subscribers and their customers from communicating.
Example of a denial of service attack
A 31-year-old programmer unleashed a Visual Basic program by deliberately posting an infected document to an alt.sex Usenet newsgroup using a stolen AOL account. The program evaded security software and infected computers using the Windows operating system and Microsoft Word. On March 26, the Melissa program appeared on thousands of e-mail systems disguised as an important message from a colleague or friend. The program sent an infected e-mail to the first 50 e-mail addresses on the users' Outlook address book. Each infected computer would infect 50 additional computers, which in turn would infect another 50 computers. The program spread rapidly and exponentially, causing considerable damage. Many companies had to disconnect from the Internet or shut down their e-mail gateways because of the vast amount of e-mail the program was generating. The program caused more than $400 million in damages.
Example of a worm/ virus
One company that engages in digital media content sharing offers users a $30 version or a free version. The license agreement for the free software discloses the adware (hence making it "legal" spyware), but most users do not read the agreement and are not aware it is installed. Reputable adware companies claim sensitive or identifying data are not collected. However, there is no way for users to effectively control or limit the data collected and transmitted.
Example of adware
A reporter for TimesOnline accompanied Adam Laurie, a security expert, around London scanning for Bluetooth-compatible phones. Before a Bluetooth connection can be made, the person contacted must agree to accept the link. However, Laurie has written software to bypass this control and identified vulnerable handsets at an average rate of one per minute. He downloaded entire phonebooks, calendars, diary contents, and stored pictures. Phones up to 90 meters away were vulnerable.
Example of bluesnarfing
Ukrainian hackers cracked the passwords of news wire companies. When they found news releases that would move a stock's price, they sold the information to seven traders who bought the stock before the news was released and sold it after the news came out. The traders netted $30 million, including a $1 million profit from owning Caterpillar for less than one day.
Example of brute force attack
Web page owners who get a commission to host a pay-per-click ad clicking on the ad themselves to boost their commissions
Example of click fraud
Luana hosts a website that Christy frequently uses to store all her financial data. To use the website, Christy logs on using her username and password. While searching for vulnerable websites, Miles finds that Luana's website has a vulnerability. Miles creates a URL to exploit it and sends it to Christy in an e-mail that motivates Christy to click on it while logged into Luana's website. The vulnerability is exploited when the malicious script embedded in Miles's URL executes in Christy's browser, as if it came directly from Luana's server. The script sends Christy's session cookie to Miles, who hijacks Christy's session. Miles can now do anything Christy can do. Miles can also send the victim's cookie to another server, inject forms that steal Christy's confidential data, disclose her files, or install a Trojan horse program on her computer. Miles can also send a malicious script to her husband Jeremy's computer. Jeremy's browser has no way of knowing that the script should not be trusted; it thinks it came from a trusted source and executes the script. Miles could also execute XSS by posting a message with the malicious code to a social network. When Brian reads the message, Miles's XSS will steal his cookie, allowing Miles to hijack Brian's session and impersonate him.
Example of cross-site scripting
MicroPatent, an intellectual property firm, was notified that their proprietary information would be broadcast on the Internet if they did not pay a $17 million fee. The hacker/blackmailer was caught by the FBI before any damage was done.
Example of cyber-extortion
The owner of a credit card processor received an e-mail listing his clients as well as their credit card numbers. The e-mail told him to pay $50,000 in six payments, or the data would be sent to his clients.
Example of cyber-extortion
Cyber-attacks left high-profile sites such as Amazon.com, eBay, Buy.com, and CNN Interactive staggering under the weight of tens of thousands of bogus messages that tied up the retail sites' computers and slowed the news site's operations for hours.
Example of denial of service attack
A former Oracle employee was charged with breaking into the company's computer network, falsifying evidence, and committing perjury for forging an e-mail message to support her charge that she was fired for ending a relationship with the company CEO. Using cell phone records, Oracle lawyers proved that the supervisor who had supposedly fired her and written the e-mail was out of town when the e-mail was written and could not have sent it.
Example of e-mail spoofing
Global Communications sent messages threatening legal action if an overdue amount was not paid within 24 hours.
Example of e-mail threats
Federal agents say that Mark Koenig, a 28-year-old telecommunications consultant, and four associates pulled crucial data about Bank of America customers from telephone lines and used it to make 5,500 fake ATM cards. Koenig and his friends allegedly intended to use the cards over a long weekend to withdraw money from banks across the country.
Example of eavesdropping
A convicted felon incurred $100,000 of credit card debt, took out a home loan, purchased homes and consumer goods, and filed for bankruptcy in the victim's name. He phoned and mocked his victim because the victim could not do anything because this was not a crime at the time
Example of identity theft
A seller can use a false identity or partner with someone to drive up the bid price. A person can enter a very high bid to win the auction and then cancel his bid, allowing his partner, who has the next highest, and much lower, bid to win. The seller can fail to deliver the merchandise, or the buyer can fail to make the agreed-upon payment. The seller can deliver an inferior product or a product other than the one sold.
Example of internet auction fraud
A young man broke into Yahoo's news pages and replaced the name of an arrested hacker with that of Bill Gates.
Example of internet misinformation
Fraudsters quietly acquired shares in 15 thinly traded public companies. They used sophisticated hacking and identity fraud techniques, such as installing keystroke-logging software on computers in hotel business centers and Internet cafes, to gain access to online brokerage accounts. The hackers sold the securities in those accounts, used the money to purchase large quantities of the 15 companies' stock to pump up their share prices, and sold their stock for a $732,941 profit.
Example of internet pump and dump fraud
An enterprising student recorded a teacher's keystrokes, decoded them to obtain her typed exam answers, and was caught selling the exam answers.
Example of keylogger
Linda sniffs and eavesdrops on a network communication and finds David sending his public key to Teressa so that they can communicate securely. Linda substitutes her forged public key for David's key and steps in the middle of their communications. If Linda can successfully impersonate both David and Teressa by intercepting and relaying the messages to each other, they believe they are communicating securely.
Example of man in the middle attack
Dan Egerstad installed a packet sniffer that looked for key words such as government, military, war, passport, and visa. He intercepted e-mails from embassies and governments, many with visa and passport data.
Example of packet sniffer
Masquerading as custodians, temporary workers, or confused delivery personnel to get into offices to locate passwords or access computers, or climbing through roof hatches and dropping through ceiling panels, are examples of
Example of penetration tests
eBay customers were notified by e-mail that their accounts had been compromised and were being restricted unless they re-registered using an accompanying hyperlink to a Web page that had eBay's logo, home page design, and internal links. The form had a place for them to enter their credit card data, ATM PINs, Social Security number, date of birth, and their mother's maiden name. Unfortunately, eBay hadn't sent the e-mail.
Example of phishing
The hackers changed the voice mail greeting to say that officers were too busy drinking coffee and eating doughnuts to answer the phone and to call 119 (not 911) in case of an emergency.
Example of phreaking
Tapping into a communications line and electronically latching onto a legitimate user before the user enters a secure system; the legitimate user unknowingly carries the perpetrator into the system.
Example of piggybacking
Conducting a security survey and lulling the victim into disclosing confidential information by asking 10 innocent questions before asking the confidential ones
Example of pretexting
Hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information are examples of
Example of preventive controls
A bank reconciliation verifies that company checking account balances agree with bank statement balances.
Example of reconciliation of independently maintained records
A disgruntled employee programmed the company computer to increase all production costs by a fraction of a percent and place the excess in the account of a dummy vendor he controlled. Every few months, the fraudulent costs were raised another fraction of a percent. Because all expenses were rising together, no single account would call attention to the fraud. The perpetrator was caught when a teller failed to recognize the payee name on a check the perpetrator was trying to cash.
Example of salami technique
A federal grand jury in Fort Lauderdale claimed that four executives of a rental-car franchise modified a computer-billing program to add five gallons to the actual gas tank capacity of their vehicles. Over three years, 47,000 customers who returned a car without topping it off ended up paying an extra $2 to $15 for gasoline.
Example of salami technique
Microsoft filed a lawsuit against two Texas firms that produced software that sent incessant pop-ups resembling system warnings. The messages stated "CRITICAL ERROR MESSAGE! REGISTRY DAMAGED AND CORRUPTED" and instructed users to visit a Web site to download Registry Cleaner XP at a cost of $39.95.
Example of scareware
A dire warning that a computer is infected with a virus, spyware, or some other catastrophic problem
Example of scareware
Oracle Corporation was embarrassed a few years ago when investigators it hired were caught going through the trash of companies that supported its rival, Microsoft. The investigators had paid building janitors $1,200 for the trash.
Example of scavenging/dumpster diving
A man hid a video camera in some bushes and pointed it at a company president's computer, which was visible through a first-floor window. A significant business acquisition almost fell through because of the information on the recording.
Example of shoulder surfing
Jason Scott discovered that some purchases did not have a purchase requisition. Instead, they had been "personally authorized" by Bill Springer, the purchasing vice president.
Example of specific authorization
At Kinko's in Manhattan, an employee gathered the data needed to open bank accounts and apply for credit cards in the names of the people using Kinko's wireless network.
Example of spyware
Rajendrasinh Makwana, an Indian citizen and IT contractor who worked at Fannie Mae's Maryland facility, was terminated at 1:00 P.M. on October 24. Before his network access was revoked, he created a program to wipe out all 4,000 of Fannie Mae's servers on the following January 31.
Example of time/logic bomb
America Online subscribers received a message offering free software. Users who installed the software unknowingly unleashed a second program hidden inside the software that secretly copied the subscriber's account name and password and forwarded them to the sender.
Example of trojan horse
Visitors to an adult site were told to download a special program to see the pictures. This program disconnected them from their Internet service providers and connected them to a service that billed them $2 a minute until they turned off their computers.
Example of trojan horse
•The expected loss related to a risk is measured as:
Expected loss = likelihood * impact/exposure
Hackers who publish instructions for taking advantage of vulnerabilities
Exploits
The potential dollar loss should a particular threat become a reality
Exposure/impact
What is the name of the law Congress passed to prevent companies from bribing foreign officials?
FCPA
The act that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
Health Insurance Portability and Accountability Act
Gaining control of a computer to carry out illicit activities such as sending spam without the computer user's knowledge
Hijacking
A decoy system used to provide early warning that an insider or outsider is attempting to search for confidential information
Honeypots
Spoofing is making an electronic communication look like it came from someone other than the actual sender. Which of the following is not one of the types of spoofing mentioned in the text?
Identity theft spoofing
Act as filters and only permit packets that meet specific conditions to pass. They do not block all traffic.
Firewalls
To prevent companies from bribing foreign officials to obtain business. Requires all publicly owned corporations to maintain a system of internal accounting controls
Foreign Corrupt Practices Act (1977)
Management authorizes employees to handle routine transactions without special approval.
General authorization
maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing.
General controls
People are more likely to cooperate if they get something free or think they are getting a once-in-a-lifetime deal.
Greed
-Unauthorized access, modification, or use of an electronic device or some element of a computer system
Hacking
A 17-year-old broke into the Bell Laboratories network, destroyed files, copied 52 proprietary software programs, and published confidential information on underground bulletin boards. Which computer fraud and abuse technique is this?
Hacking attack
Modifying default configurations to turn off unnecessary programs and features to improve security is called ____________.
Hardening
assuming someone's identity, usually for economic gain, by illegally obtaining and using confidential information, such as a Social Security number or a bank account or credit card number.
Identity theft
contains the packet's origin and destination addresses, as well as info about the type of data contained in the body.
IP Header
Creating Internet Protocol packets with a forged IP address to hide the sender's identity or to impersonate another computer system.
IP address spoofing
Contents of an Internet Protocol packet
IP body
The risk response procedure includes
Identify the events or threats that confront the company; estimate the likelihood or probability of each event occurring; estimate the impact of potential loss from each threat; identify a set of controls to guard against the threat; estimate the costs and benefits of instituting the controls; if it is cost-beneficial to protect systems, reduce risk by implementing the set of controls to guard against the threat. **If it is NOT cost-beneficial to protect systems, then avoid, share, or accept the risk.
Which of the following is the correct order of the risk assessment steps discussed in this chapter?
Identify threats, estimate risk and exposure, identify controls, estimate costs and benefits
-Assuming someone else's identity
Identity theft
Your current system is deemed to be 90% reliable. A major threat has been identified with an impact of $3,000,000. Two control procedures exist to deal with the threat. Implementation of control A would cost $100,000 and reduce the likelihood to 6%. Implementation of control B would cost $140,000 and reduce the likelihood to 4%. Implementation of both controls would cost $220,000 and reduce the likelihood to 2%. Given the data, and based solely on an economic analysis of costs and benefits, what should you do?
Implement control B only
According to the time-based model of security, one way to increase the effectiveness is to
Increase P
Capture and exchange the information needed to conduct, manage, and control the organization's operations; must occur internally and externally to provide the information needed to carry out day-to-day internal control activities
Information and communication
software provides an additional layer of protection to sensitive information stored in digital format, offering the capability not only to limit access to specific files or documents but also to specify the actions (read, copy, print, download to USB devices, etc.) that individuals granted access to that resource can perform.
Information rights management (IRM)
Which of the following statements is true?
Information security is necessary for protecting confidentiality, privacy, integrity of processing, and availability of information resources.
COSO identified five interrelated components of internal control. Which of the following is not one of those five?
Internal control policies
The processes and procedures implemented to provide reasonable assurance that control objectives are met
Internal controls
specifies the structure of the packets and how to route them to the proper destination
Internet Protocol (IP)
using an Internet auction site to defraud another person
Internet auction fraud
using the Internet to spread false or misleading information.
Internet misinformation
refers to embedding sensors in a multitude of devices so they can connect to the Internet. Again there is a net effect of positive and negative effects.
Internet of Things (IoT)
Using the Internet to inflate a stock's price and then sell it
Internet pump and dump fraud
Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks
Intrusion Prevention Systems (IPS)
System that creates logs of network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions
Intrusion detection systems (IDS)
Which device blocks or admits individual packets by examining information in the TCP and IP headers?
Intrusion prevention system (IPS)
Examining logs to identify evidence of possible attacks. Done regularly to detect problems in a timely manner. Not easy because logs grow in size; use software tools to efficiently strip out routine log entries so that attention can be focused on anomalous behavior.
Log analysis
Software used to do harm
Malware
-Hacker is placed in between a client (user) and a host (server) to read, modify, or steal data.
Man in the middle (MITM)
What are the three factors that influence encryption strength
Key length, encryption algorithm, policies for managing the cryptographic keys
-Software that records user keystrokes
Keylogger
Type of user account that should be logged into when browsing the web or reading email. Used to perform regular routines; hackers cannot access much information through it.
Limited user account
What are the 10 Generally accepted Privacy Principles (GAPP)
Management; Notice; Choice and consent; Collection; Use, retention; Access; Disclosure to third parties; Security; Quality; Monitoring and enforcement
Which of the following statements about the control environment is false?
Management's attitudes toward internal control and ethical behavior have little impact on employee beliefs or actions
Gaining access to a system by pretending to be an authorized user. Requires the perpetrator to know the legitimate user's ID and password.
Masquerading/impersonation
Confidentiality focuses on protecting _______________.
Merger and acquisition plans
Evaluations ascertain whether each component of internal control is present and functioning. Deficiencies are communicated in a timely manner, with serious matters reported to senior management and the board.
Monitoring
The five components of COSO are
Monitoring, Information and communication, control activities, risk assessment, control environment
A website that has a checkbox stating, "Click here if you do NOT want the AJAX company to share your information with third parties and send you offers that you might be interested in," is following the choice and consent practice known as
Opt-out
For the time-based model of information security, security is most effective when
P > D+R
Which of the following combinations of credentials is an example of multifactor authentication?
PIN and ATM cards
-Captures data as it travels over the Internet
Packet sniffer
Which of the following is an example of multi-modal authentication?
Passphrase plus answer to a security question
code released by software developers to fix vulnerabilities that have been discovered
Patch
Which of the following is a corrective control designed to fix vulnerabilities?
Patch management
An authorized attempt, by either an internal audit team or an external security consulting firm, to break into the organization's information system.
Penetration test
Which of the following statements is(are) true about penetration tests?
Penetration tests are authorized attacks.
Which of the following is a detective control?
Penetration testing
-Redirects website to a spoofed website
Pharming
Someone redirects a website's traffic to a bogus website, usually to gain access to personal and confidential information. What is this computer fraud technique called?
Pharming
-Sending an e-mail asking the victim to respond to a link that appears legitimate that requests sensitive data
Phishing
Sending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification of information, often warning of some negative consequence if it is not provided. The recipient is asked to either respond to the bogus request or visit a web page and submit data. The message often contains a link to a web page that appears legitimate. The web page has company logos, familiar graphics, phone numbers, and Internet links that appear to be those of the victimized company.
Phishing
A perpetrator attacks phone systems to obtain free phone line access or uses telephone lines to transmit viruses and to access, steal, and destroy data. What is this computer fraud technique called?
Phreaking
Attacking phone systems to obtain free phone line access, use phone lines to transmit malware, and to access, steal, and destroy data.
Phreaking
using a small device with storage capacity, such as an iPod or Flash drive, to download unauthorized data
Podslurping
-Creating a fake business to get sensitive information
Posing
-Using a scenario to trick victims to divulge information or to gain access
Pretexting
using an invented scenario (the pretext) to increase the likelihood that a victim will divulge information or do something
Pretexting
-Deter problems from occurring
Preventive controls
All other things being equal, which of the following is true about controls
Preventive controls are superior to detective controls.
Ensures that personal information from customers, suppliers, and employees is collected, used, disclosed, and maintained in a manner that is consistent with organization policies
Privacy
-Data are processed accurately, completely, in a timely manner, and only with proper authorization.
Processing Integrity
-Management lacks the time and resources to supervise each employee activity and decision. Consequently, they establish policies and empower employees to perform activities within policy.
Proper Authorization of Transactions and Activities
Which of the following is not an independent check?
Re-adding the total of a batch of invoices and comparing it with your first total
The 4 steps a CIRT must use to lead the organization's incident response process
Recognition, Containment, Recovery, Follow-up
Which step should happen first as part of the incident response process?
Recognition of an attack
Which of the following is the correct sequence of steps in the incident response process?
Recognize that a problem exists, stop the attack, repair the damage, learn from the attack
Preparing source documents or entering data online, Maintaining journals, ledgers, files, databases, Preparing reconciliations, preparing performance reports are examples of what type of functions
Recording functions
Management responds to risk in what four ways
Reduce, accept, share, avoid
-Risk that is left over after you control it
Residual
The organization must identify, analyze, and manage its risks. Managing risk is a dynamic process. Management must consider changes in the external environment and within the business that may be obstacles to its objectives.
Risk assessment
Internal controls that prevent or detect the unauthorized acquisition, use, or disposition of assets.
Safeguard assets
-Taking small amounts at a time also known as round-down fraud
Salami technique
Stealing tiny slices of money from many different accounts
Salami technique
Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies and punish executives who perpetrate fraud
Sarbanes Oxley Act
-Prevent financial statement fraud, Make financial reports transparent, Protect investors, Strengthen internal controls, Punish executives who perpetrate fraud
Sarbanes-Oxley Act (2002)
software that is often malicious, is of little or no benefit, and is sold using scare tactics.
Scareware
-Searching trash for confidential information
Scavenging
-Access to the system and data is controlled and restricted to legitimate users.
Security
-Good internal control requires that no single employee be given too much responsibility over business transactions or processes. An employee should not be in a position to commit and conceal fraud or unintentional errors.
Segregation of Duties
People are more likely to cooperate with someone who is flirtatious or viewed as "hot."
Sex Appeal
-Snooping (either from close behind the person or using technology) to get confidential information
Shoulder surfing
What social engineering technique involves double-swiping a credit card?
Skimming
Few people want to do things the hard way, waste time, or do something unpleasant; fraudsters take advantage of our lazy habits and tendencies.
Sloth
-Techniques or tricks on people to gain physical or logical access to confidential information
Social engineering
Techniques used to obtain confidential information, often by tricking people, are referred to as what?
Social engineering
techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network—usually to get the information needed to access a system and obtain confidential data.
Social engineering
the unauthorized copying or distribution of copyrighted software
Software piracy
Simultaneously sending the same unsolicited message to many people, often in an attempt to sell them something
Spamming
For activities or transactions of significant consequence, management review and approval is required. Might apply to sales, capital expenditures, or write-offs over a particular dollar limit.
Special authorization
Makes a communication look as if someone else sent it, to gain the recipient's trust and obtain confidential information
Spoofing
-Secretly monitors and collects information. Can hijack browser search requests; related forms include adware and scareware
Spyware
What type of software secretly collects personal information about users and sends it to someone else without the user's permission?
Spyware
Looks at the header of a TCP packet to control traffic. A less detailed process, but quicker.
Static packet inspection
Which type of encryption is faster?
Symmetric
Which of the following statements is true about symmetric encryption
Symmetric encryption is faster than asymmetric encryption but cannot be used to provide nonrepudiation of contracts
Management expects accountants to:
Take a proactive approach to eliminating system threats. Detect, correct, and recover from threats when they occur.
The SOX act was created by
The Public Company Accounting Oversight Board (PCAOB)
Which of the following statements about obtaining consent to collect and use a customer's personal information is true?
The default policy in Europe is opt-in, but in the United States the default is opt-out.
What are the steps in creating a digital signature
The document creator uses a hashing algorithm to generate a hash of the original document; the document creator uses his/her private key to encrypt the hash created. Result: the encrypted hash is a legally binding digital signature.
Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization
Threat/event
-is the implementation of a combination of preventive, detective, and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.
Time based model of information security
Program that lies idle until some specified circumstance or time
Time bomb/logic bomb
-the implementation of a combination of preventive, detective, and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.
Time-based model of information security
What is the objective of a penetration test?
To identify where additional protections are most needed to increase the time and effort required to compromise the system
Management should monitor company results and periodically compare actual company performance to (1) planned performance, as shown in budgets, targets, and forecasts; (2) prior period performance; and (3) competitors' performance
Top level reviews
Which of the following action(s) must an organization take to preserve the confidentiality of sensitive information?
Train employees to properly handle information
Which of the following is a preventive control?
Training
Specifies the procedures for dividing files and documents into packets and for reassembly at the destination.
Transmission Control Protocol (TCP)
-Set of instructions that allow the user to bypass normal system controls
Trap door
a set of computer instructions that allows a user to bypass the system's normal controls
Trap door/back door
-Malicious computer instructions in an authorized and properly functioning program
Trojan Horse
A set of instructions to increase a programmer's pay rate by 10% is hidden inside an authorized program. It changes and updates the payroll file. What is this computer fraud technique called?
Trojan horse
A weakness an attacker can take advantage of to either disable or take control of a system is called a[n] ______________.
Vulnerability
programming a computer to dial thousands of phone lines searching for dial-up modem lines. Hackers break into the PC attached to the modem and access the network to which it is connected. This approach got its name from the movie War Games.
War dialing
-Stand-alone self replicating program that doesn't require a human to activate it
Worm
Using your private key to encrypt a hash of a document creates a __________.
a digital signature
If you want to e-mail a document to a friend and be assured that only your friend will be able to open the document, you should encrypt the document using:
Your friend's public key
If you want to e-mail a document to a friend so that your friend can be certain that the document came from you, you should encrypt the document using:
Your private key
Botnet examples include
Zombies, Bot herders, Denial of Service (DoS) attack, Brute force attack, Password cracking, Dictionary attack, Spamming, Spoofing
In the hybrid solution what type of encryption is used for decrypting information
asymmetric
Encryption systems that use two keys (one public and one private); either key can encrypt, but only the other matching key can decrypt
asymmetric encryption systems
SOX created new rules for
auditors, audit committees, management, control requirements
The lever of control that describes how a company creates value and helps employees understand management's vision is called a
belief system
Which of the following can be used to prevent unauthorized changes to completed business transactions?
blockchains
The person who creates a botnet by installing software on PCs that respond to the bot herder's electronic instructions. Controlling these PCs allows this person to mount a variety of Internet attacks.
bot herder
The word zombie is related to which type of computer attack?
botnet
Individuals who control an army of malware-infected zombie computers are called _______________.
botnet owners
When the amount of data entered into a program is greater than the amount of memory (the input buffer) set aside to receive it. The input overflow usually overwrites the next computer instruction, causing the system to crash or opening a back door into the system. The attacker can then read sensitive data from the database; modify, disclose, destroy, or limit the availability of the data; become a database administrator; spoof identity; and issue operating system commands.
buffer overflow attack
Jake Malone is running an online business that specializes in buying and reselling stolen credit card information. Jake is engaging in _______________.
carding
Significant assets are periodically counted and reconciled to company records. At the end of each clerk's shift, cash in a cash register drawer should match the amount on the cash register tape.
comparison of actual quantities with recorded amounts
When an employee tries to access a particular resource, the system performs a test that matches the user's authentication credentials against the matrix to determine if the employee should be allowed to access that resource and perform the action
compatibility test
An employee, independent of the information system function, who monitors the system, disseminates information about improper system uses and their consequences, and reports to top management
computer security officer (CSO)
Encryption is necessary to protect what?
confidentiality and privacy
policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.
control activities
a vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website.
cross-site scripting
Defrauding investors through schemes such as fake initial coin offerings and fake exchanges and wallets
cryptocurrency fraud
Protecting privacy by replacing sensitive personal information with fake data
data masking
Software that generates user ID and password guesses using information about the targeted company and an index of possible user IDs and passwords to reduce the number of guesses required
dictionary attack
_____ provides assurance that someone cannot enter into a digital transaction and then subsequently deny they had done so and refuse to fulfill their side of the contract.
digital signature
an electronic document that contains an entity's public key and certifies the identity of the owner of that particular public key.
digital certificate
Code embedded in documents that enables an organization to identify confidential information that has been disclosed
digital watermark
Process of transforming normal text into unreadable gibberish
encryption
Collective term for the workstations, servers, printers, and other devices that comprise an organization's network
endpoints
An unauthorized person following an authorized person through a secure door, bypassing physical security controls such as keypads, ID cards, or biometric identification scanners.
example of Piggybacking
The day after you downloaded a new game on your laptop from a free software site, pop-up ads begin to appear on your computer, even though your browser says that pop-up ads are being blocked. You also occasionally find your web browser jumping to Web sites you did not ask it to display. You have most likely become a victim of what type of malware?
example of adware
One woman authorized new credit card accounts, and the other wrote off unpaid accounts of less than $1,000. The first woman created a new account for each of them using fictitious data. When the amounts outstanding neared the $1,000 limit, the woman in collections wrote them off. The process would then be repeated. They were caught when a jilted boyfriend seeking revenge reported the scheme to the credit card company.
example of collusion
maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing is an example of
example of corrective controls
Duplicate checking of calculations and preparing bank reconciliations and monthly trial balances is an example of
example of detective controls
requiring a user both to insert a smart card in a card reader and enter a password is an example of
example of multifactor authentication
The clandestine use of a neighbor's Wi-Fi network; this can be prevented by enabling the security features in the wireless network.
example of piggybacking
Danny Ferrar, the owner of BuysUSA.com, was sentenced to six years in prison for selling $4.1 million of copyrighted software for much less than the suggested retail price. Ferrar was guilty of:
example of software piracy
After visiting a large number of Web sites to complete your research for a lengthy research paper, your computer begins to act up. Your CPU is running much slower, your software frequently crashes, and you have difficulty connecting to the Internet. You have most likely become a victim of what type of malware?
example of spyware
On March 20, at 2 p.m. local time, the hard drives and master boot records of computers at three banks and two media companies in South Korea were wiped clean. The computers were then restarted, and the message "Boot device not found. Please install an operating system and then reboot the system" appeared on those computer screens. These companies were victims of what kind of computer fraud and abuse technique?
example of time bomb
Hackers created malicious and self-replicating code to exploit a weakness in the Windows Server service. Two weeks after it was released, it had infected almost 9 million computers worldwide. In addition to looking for other computers to infect, the code downloaded additional malware on the hijacked computers. The code, named Downadup, is an example of what kind of computer fraud and abuse technique?
example of worm
A phone number employees can call to anonymously report fraud and abuse
fraud hotline
Process that takes plaintext of any length and creates a short code called a message digest; a popular algorithm is SHA-256 (a 256-bit digest). Used to verify that a document has not changed.
hashing
If the time an attacker takes to break through the organization's preventive controls is shorter than the sum of the time required for the organization to detect the attack and the time required to respond to the attack, then the organization's security is considered
ineffective
software records computer activity, such as a user's keystrokes, e-mails sent and received, websites visited, and chat session participation.
keylogger
The probability that the threat will happen
likelihood
Any software used to do harm
malware
Security is a _________ issue
management
Referred to as explicit consent because organizations cannot collect and use customers' personal information unless they explicitly agree to allow such actions.
opt-in
Referred to as implicit consent because companies can assume it is okay to collect and use customers' personal information unless they explicitly object.
opt-out
Recovering passwords by trying every possible combination of upper- and lower-case letters, numbers, and special characters and comparing them to the cryptographic hash of the password
password cracking
Process for regularly applying patches and updates to all of an organization's software.
patch management
Communications that request recipients to disclose confidential information by responding to an e-mail or visiting a website are called:
phishing
Normal text that has not been encrypted
plaintext
creating a seemingly legitimate business (often selling new and exciting products), collecting personal information while making a sale, and never delivering the product.
posing
Implementing strong access controls that provide good security over all the systems has what kind of impact on virtualization, cloud computing, and IoT?
positive impact on security
In the movie "Identity Thief," Melissa McCarthy used an invented scenario to get the name and other identifying information of Jason Bateman, enabling her to steal his identity. Which computer fraud and abuse technique did she use?
pretexting
One of the keys used in asymmetric encryption systems that is kept secret and known only to the owner
private key
One of the keys used in asymmetric encryption that is widely distributed and available to everyone
public key
The system for issuing pairs of public and private keys and corresponding digital certificates
public key infrastructure (PKI)
The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.
risk appetite
Implementing control procedures to clearly divide authority and responsibility within the information system function
segregation of system duties
In a hurry to catch a train, a man in Grand Central Station made a quick ATM stop to withdraw $40. Before he went to bed, he checked his bank account and found his $40 withdrawal, as well as five additional withdrawals, for a total of $700, all made within a minute of his. This man was most likely a victim of _______________.
shoulder surfing
double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for later use.
skimming
The FBI arrested Russian spies and accused them of encoding messages into pictures that were posted on publicly accessible Web sites. To retrieve the messages, the recipients used special software to decode the messages hidden in the pixels of the pictures. The Russian spies were using which computer fraud and abuse technique?
steganography
In the hybrid solution what type of encryption is used for encrypting information
symmetric
Encryption systems that use the same key both to encrypt and to decrypt
symmetric encryption systems
To decrypt a digital signature, you need to use _______.
the public key of the person who created the signature.
In the time based model formula what does P represent
the time it takes an attacker to break through the various controls that protect the organization's information assets.
In the time-based model formula, what does D represent?
the time it takes for the organization to detect that an attack is in progress.
In the time-based model formula, what does R represent?
the time it takes to respond to and stop the attack.
lies idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur.
time bomb/logic bomb
Fake data; another term for data masking
tokenization
In your haste to watch a video that you heard about, you type in yuube.com and are taken to a site with the familiar YouTube logo but find that the site sells a video ad blocker that allows you to watch YouTube without having to watch the ads. This is an example of _______________.
typosquatting
Using encryption and authentication to transfer information securely and privately over the Internet
virtual private network (VPN)
Which computer fraud technique involves a set of instructions hidden inside a calendar utility that copies itself each time the utility is enabled until memory is filled and the system crashes?
virus
driving around looking for unprotected wireless networks.
war driving
People can either be the ___________ in security or an _________
weakest link, important asset
An attack between the time a new software vulnerability is discovered and the time a software developer releases a patch that fixes the problem is called
zero-day attack
Hijacked computers, typically part of a botnet, that are used to launch a variety of Internet attacks
zombies
Components of COSO consist of
•Control (internal) environment
•Risk assessment
•Control activities
•Information and communication
•Monitoring
What are some forms of spoofing?
•E-mail
•Caller ID
•IP address
•SMS
•Web page (phishing)
Components of COSO-ERM consist of
•Internal environment
•Objective setting
•Event identification
•Risk assessment
•Risk response
•Control activities
•Information and communication
•Monitoring
Examples of hacking used for fraud include
•Internet misinformation
•E-mail threats
•Internet auction fraud
•Internet pump and dump
•Cryptocurrency fraud
•Click fraud
•Software piracy
The primary objective of an AIS is to
•Control the organization so that it can achieve its objectives
Examples of man-in-the-middle hacking include
•Masquerading/impersonation
•Piggybacking
•War dialing and war driving
•Phreaking
•Podslurping
What can be done to minimize the threat of social engineering?
•Never let people follow you into restricted areas
•Never log in for someone else on a computer
•Never give sensitive information over the phone or through e-mail
•Never share passwords or user IDs
•Be cautious of someone you don't know who is trying to gain access through you