ACC 341 Exam 3
computer incident response team (CIRT)
- Recognition that a problem exists (e.g. via IPS or IDS signal) - Containment of the problem - Recovery (e.g. restoring data and programs from backup files) - Follow-up: see if actions are needed to adjust existing security policies
system performance measurements
ways to evaluate and assess a system
PCAOB
created by SOX; enforces quality control, ethics, independence, and other auditing standards
virtualization
creating a virtual environment or machine
processing integrity
data are processed accurately, completely, in a timely manner, and only with proper authorization
honeypots
decoys used to lure would-be hackers; allow monitoring of a potential attack without putting any real assets at risk
COSO
dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence
preventive controls
deter problems from occurring. Ex: require a signed source document authorizing a transaction
authorization
determines what a person can access
strategic master plan
developed and updated yearly to align an organization's information system with its business strategies; shows projects that must be completed, and addresses the company's hardware, software, personnel, and infrastructure requirements
endpoint configuration (hardening)
disable unnecessary programs to reduce vulnerabilities; turn off unnecessary services, uninstall sample scripts and files
detective controls
discover problems that are not prevented. Ex: bank reconciliations
avoid
do not engage in activity
accept
do nothing; accept the likelihood and impact of the risk
cross site scripting
embed malware in website to attack other users
authorization
empowering employees to perform certain organizational functions within parameters of organizational policies
general controls
ensure that organization's control environment is stable and well managed. (Security, IT infrastructure, software acquisition)
Transmission Control Protocol (TCP)
establishes a connection (handshake), handles packet sequencing, requests retransmission of lost packets, and designates ports (numbers associated with specific applications; for example, http port # is 80, https port # is 443)
risk assessment approach to designing internal controls
estimate likelihood / impact of risk, identify controls to guard against threats, estimate costs / benefits from implementing controls, decide to implement control or not
deep packet inspection
examination of data in body of TCP packets; performed by firewalls
firewalls
examine other fields in IP/TCP packets
packet filtering
examining fields in packet headers
log analysis
examining logs to identify evidence of possible attacks
COSO - ERM
expands COSO framework taking a risk based approach
risk = P x M
expected loss = impact x likelihood
trust services framework
for use in attestation or consulting engagements to evaluate and report on controls over info and systems
COBIT
framework for IT control
COSO
framework for enterprise internal controls (control based approach); most commonly used framework
IT related controls are segregated into what 2 categories
general controls and application controls
time based model of info security
goal is to employ controls that will protect info long enough for a response to shut down an attack
segregation of duties
good internal control requires no single employee to have too much responsibility over transactions and business processes
micro
good internal controls are necessary for an organization to achieve its goals
custodial
handles cash and assets (inventory & fixed)
internal firewalls
wall off different sections of the internal network to protect against threats from within
corrective controls
identify and correct problems and recover from them. Ex: having a recovery team restore the system from backup files
vulnerability scanners
identify unnecessary programs
reduce
implement effective internal control
control activities
include policies & procedures that provide reasonable assurance that control objectives are met; occur at all levels and functions of organization
COSO ERM
internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring
Sarbanes-Oxley Act of 2002
legislation that applies to publicly held companies and their auditors in order to: - prevent financial statement fraud - increase financial reporting transparency - protect investors - strengthen internal controls - punish executives who perpetrate fraud
Chief Information Security Officer (CISO)
manages security for the organization's information systems and information
intrusion prevention systems
monitor network traffic flow to identify patterns that indicate potential attacks
defense in depth
multiple layers of control (preventive & detective) to avoid a single point of failure
multimodal
multiple credentials of the same type of authentication
multifactor
multiple types of authentication
media access control (MAC) address
number assigned to the Network Interface Controller (NIC) card by the manufacturer
IP address
number assigned to the connection in a network. DNS translates webpage names to IP addresses
buffer overflows
overwriting memory space allocated for user input
privacy
personal information about trading partners, investors, and employees is protected
project milestones
points where progress is reviewed and actual and estimated completion times are compared
exposure or impact of threat
potential dollar loss should a particular threat become a reality
recording
preparing source documents, entering data into the system, maintaining journals or data files, and performing reconciliations of accounts
application controls
prevent, detect, and correct transaction errors and fraud in application programs. These controls are concerned with the accuracy, completeness, validity, and authorization of data captured, entered, processed, stored, transmitted to other systems, and reported. (focus on validity of input, processing, and output of an application)
types of internal controls
preventive, detective, corrective
Foreign Corrupt Practices Act (FCPA)
prevents companies from bribing foreign officials to obtain business and requires all publicly owned corporations to maintain a system of internal accounting controls
two components of risk assessment
probability of event occurring & magnitude of potential impact
monitoring
process of evaluating quality of internal control design and implementation as well as the effectiveness of the ERM model
risk assessment
process of identifying and analyzing risks in order to determine the appropriate risk response and control activities
share
buy insurance, outsource, or hedge
access control list
used by routers and firewalls to determine what to do with incoming packets
P > D + R
- P = time it takes an attacker to break through preventive controls - D = time it takes to detect an attack in progress - R = time it takes to respond to the attack and take corrective action
security
- fundamentally necessary for all 4 principles - access to system and data is controlled and restricted to legitimate users - prevent submission of unauthorized transactions or unauthorized changes to the data - provides protection from unwanted attacks that could bring down the system and make it unavailable
cloud computing
- Accessing software, storage, and hardware via the internet (instead of having it installed on the local machine); reduces costs, enhances flexibility
SOC 1
- Type 1 - report as of a point in time on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls. - Type 2 - report covering a period of time that addresses the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls.
SOC 2 report
- focuses on a business's non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 18, which is focused on the financial reporting controls. Ties in with the Trust Services Principles. - Type 1 - describes the systems of a vendor and whether they are capable of meeting relevant trust principles as of a specified date - Type 2 - details the operational effectiveness of the said systems throughout a disclosed period of time.
Combining a password with which of the following is an example of multi-modal authentication? A.All of these are examples of multi-modal authentication B.Your e-mail address C.Correctly identifying a picture you had selected when you set up the account D.Name of your first-grade teacher
A.All of these are examples of multi-modal authentication
COSO
Committee of Sponsoring Organizations of the Treadway Commission
A potential adverse occurrence is called a threat. With respect to threats, which of these statements is false? A.The timing of when a threat will occur is called the timeframe or timeline. B.The potential dollar loss from a threat is called the exposure or impact. C.The probability a threat will occur is called the likelihood or risk. D.None of these statements about threats are false.
A.The timing of when a threat will occur is called the timeframe or timeline.
Which device blocks or admits individual packets by examining information in the TCP and IP headers? A.Firewalls B.Intrusion prevention system (IPS) C.DMZ D.Intrusion detection systems (IDS)
B.Intrusion prevention system (IPS)
Which of the following does not help safeguard assets, documents, and data? A.Create and enforce appropriate policies and procedures. B.Measure the throughput and utilization of data and physical assets. C.Restrict access to data and documents. D.Periodically reconcile recorded asset quantities with a count of those assets. E.Store data and documents in fireproof storage areas or secure offsite locations.
B.Measure the throughput and utilization of data and physical assets.
Which of the following is the correct sequence of steps in the incident response process? A.Recognize that a problem exists, repair the damage, stop the attack, learn from the attack B.Recognize that a problem exists, stop the attack, repair the damage, learn from the attack C.Stop the attack, repair the damage, recognize that a problem exists, learn from the attack D.Stop the attack, recognize that a problem exists, repair the damage, learn from the attack
B.Recognize that a problem exists, stop the attack, repair the damage, learn from the attack
The Trust Services Framework identifies five principles for systems reliability. Which one of those five principles is a necessary prerequisite to the other four? A.Privacy B.Security C.Processing integrity D.Availability E.Confidentiality
B.Security
A company's organizational structure provides a framework for planning, executing, controlling, and monitoring operations. Which of the following are important aspects of the organizational structure? (Check all that apply.) A.The technology needed to meet information requirements B.Size and nature of company activities. C.Organization by industry, product line, location, or marketing network. D.Centralization or decentralization of authority.
B.Size and nature of company activities. C.Organization by industry, product line, location, or marketing network. D.Centralization or decentralization of authority.
The amount of risk a company is willing to accept in order to achieve its goals and objectives is called A.risk tolerance. B.risk appetite. C.risk acceptance. D.risk management.
B.risk appetite.
Which of the following is true? A.The Cloud and virtualization increase the risk associated with unsupervised physical access. B.Multifactor authentication is necessary for controlling access to virtualized systems. C.All of these are correct D.Network access controls (e.g., firewalls, IPS, and IDS) should be employed both in the cloud and in virtualized systems.
C.All of these are correct
Which of the following is not a SOX requirement? A.The CEO must certify that financial statements were reviewed by management and are not misleading. B.Audit committee members must be on the company's board of directors and be independent of the company. C.Auditors must maintain an audit trail that documents all client-auditor communications. D.Auditors must report specific information to the company's audit committee.
C.Auditors must maintain an audit trail that documents all client-auditor communications.
Which of the following is not a key method of monitoring internal control system performance? A.Employ a computer security officer. B.Implement a fraud hotline. C.Hire private investigators to investigate employee behavior. D.Perform internal control evaluations.
C.Hire private investigators to investigate employee behavior.
Hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information are examples of what kind of internal controls? A.Detective controls B.General controls C.Preventive controls D.Corrective controls
C.Preventive controls
Considering the potential of fraud belongs to which component of COSO's Internal Control Model? A.Control activities B.Control environment C.Risk assessment D.Information and communication
C.Risk assessment
What is the objective of a penetration test? A.To prevent employees from doing actions that are incompatible with their job functions B.To determine whether or not a system can be broken into C.To identify where additional protections are most needed to increase the time and effort required to compromise the system D.To correct identified weaknesses by applying updates that eliminate known vulnerabilities
C.To identify where additional protections are most needed to increase the time and effort required to compromise the system
The examination of the relationships between different sets of data is called A.comparison of actual quantities with recorded amounts. B.reconciliation of independently maintained records. C.analytical reviews. D.top-level reviews
C.analytical reviews.
A(n) ________ helps managers to focus subordinates' attention on key strategic issues and to be more involved in their decisions. A.belief system B.diagnostic control system C.interactive control system D.boundary system
C.interactive control system
common control frameworks
COBIT, COSO, COSO - ERM
major difference between COSO and COSO ERM
COSO ERM's focus is on a risk-based approach, and its components are expanded for this approach (objective setting, event identification, risk response)
Which of the following is not an example of multi-factor authentication? A.A 6-digit PIN and a smart card B.A fingerprint and a USB device C.A password and a cellphone D.A passphrase and a security question
D.A passphrase and a security question
Which of the following are indicators that an organization's change management and change control process is effective? A.A reduction in the number of problems that need to be fixed B.A low number of emergency changes C.Testing of all changes takes place in a system separate from the one used for regular business operations D.All of these are correct
D.All of these are correct
If the time an attacker takes to break through the organization's preventive controls is shorter than the sum of the time required for the organization to detect the attack and the time required to respond to the attack, then the organization's security is considered A.effective. B.efficient. C.inefficient. D.ineffective.
D.ineffective.
The Trust Services Reliability Principle that states, "access to the system and its data is controlled and restricted to legitimate users," is known as A.processing integrity. B.privacy. C.confidentiality. D.security.
D.security.
steering committee
Executive level committee to plan and oversee the information systems function
audit trail
a path that allows a transaction to be traced through a data processing system from point of origin to output or backward from output to point of origin
data processing schedule
a schedule that shows when each data processing task should be performed
likelihood
associated with the threat, the probability that the threat will happen
sql injection
gaining access to a database through the web server that interfaces with it
systems integrator
an outside party hired to manage a company's systems development effort
change management controls
any changes to current processes and procedures can introduce risk
threat (or event)
any potential adverse occurrence or unwanted event that could be injurious to either the accounting info system or the organization
authorizing
approving transactions & decisions
penetration testing
authorized attempt to break into IS
3 functions that need to be segregated are
authorizing, custodial, recording
steps criminal takes in attacking an organization's info system
conduct recon, attempt social engineering, scan and map the target, research, execute the attack, and cover tracks
border routers
connect the organization's network to the internet
COSO
control environment, risk assessment, control activities, information & communication, monitoring
internal controls
processes and policies implemented to provide assurance that the following objectives are met: - safeguard assets - maintain sufficient records - provide accurate and reliable information - prepare financial reports according to established criteria - promote and improve operational efficiency - encourage adherence with management policies - comply with laws and regulations
4 ways management can respond to risk
reduce, accept, share, avoid
internet of things
refers to the extension of Internet connectivity into physical devices and everyday objects.
post implementation review
review, performed after a new system has been operating for a brief period, to ensure that it meets its planned objectives
control risk
risk that internal control system will fail to be effective
residual risk
risk that is left over after you control it (RR = IR x CR)
inherent risk
risk that is related to nature of activity performed by the firm
5 principles of the framework
security, confidentiality, privacy, processing integrity, availability
authentication
verifies the identity of the person
confidentiality
sensitive organizational data is protected
corporate governance
set of processes and policies for managing an organization with sound ethics to safeguard the interests of its stakeholders
project development plan
shows the tasks to be performed, who will perform them, project costs, completion dates, and project milestones
malware
software intended to damage a computer, mobile device, computer system, or computer network, or to take partial control over its operation
Treadway Commission
special committee formed to investigate the underlying causes of fraudulent financial reporting; commission's report stressed the need for strong and independent audit committees for public companies
macro
stable capital markets rely heavily on good control systems
DMZ (perimeter network)
subnetwork between the internal and external networks
limitations of internal controls
susceptible to errors, poor judgements & decision making, management override, collusion
availability
system and information are available
intrusion detection systems (IDSs)
system that creates logs of network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions; creates an alert if an attack is suspected (whereas an IPS also blocks the traffic)
analytical reviews
the examination of the relationships between different sets of data