ACIS 3504 Exam 3

Ace your homework & exams now with Quizwiz!

The unauthorized use of someone's personal information is referred to as

Data Masking

Software that protects confidentiality by screening outgoing documents to identify and block transmission of sensitive information is called:

Data loss prevention (DLP)

Threats sent to victims by e-mail usually requires some follow-up action, often at great expense to the victim

E-mail threats

listening to private communications or tapping into data transmissions usually by wire tap

Eavesdropping

-Theft of information, intellectual property, and trade secrets

Economic espionage

People are more likely to cooperate with people who gain their trust.

Trust

setting up similarly named websites so that users making typographical errors when entering a website name are sent to an invalid site.

Typosquatting/URL hijacking

-Takes advantage of typographical errors entered in for websites and user gets invalid or wrong website

URL hijacking

An immediate need that must be met leads people to be more cooperative and accommodating.

Urgency

Which of the following Generally Accepted Privacy Principles addresses the "right to be forgotten"?

Use, retention and disposal

People are more likely to cooperate if they are told they are going to be more popular or successful.

Vanity

Fraudsters take advantage of which of the following human traits to entice a person to reveal information or take a specific action? (Check all that apply.)

Vanity Trust Compassion Urgency

Running multiple systems (e.g., Windows, Unix, and Mac) on a single physical machine is referred to as:

Virtualization

-A section of self-replicating code that attaches to a program or file requiring a human to do something so it can replicate itself

Virus

as credit sales increase, so should accounts receivable. In addition, there are relationships between sales and accounts such as cost of goods sold, inventory, and freight out

Example of analytical reviews

How do you verify a digital signature?

If the hash you obtain by decrypting the digital signature matches the hash you obtain by hashing your copy of that document or file.

Interest calculations are truncated at two decimal places, and the excess decimals are put into an account the perpetrator controls. What is this fraud called?

Round-down fraud

-read the destination address fields in packet headers to decide where to send (route) the packet next.

Routers

One way to improve the efficiency and effectiveness of log analysis is to use a(n):

SIEM

Using short message service (SMS) to change the name or number a text message appears to come from

SMS Spoofing

-Malicious code inserted in place of a query to get to the database information

SQL injection (insertion) attack

An organization that issues public and private keys and records the public key in a digital certificate

certificate authority

Plaintext transformed into unreadable gibberish using encryption

ciphertext

The use of two or more types of authentication credentials in conjunction to achieve a greater level of security.

multifactor authentication

Reliability issues, Risk of theft or destruction if unsupervised physical access is what kind of impact on virtualization and cloud computing and IoT

negative impact on security

-Risk that exists before plans are made to control it

Inherent

To prevent typosquatting a company must

(1) tries to obtain all the web names similar to theirs to redirect people to the correct site (2) uses software to scan the Internet and find domains that appear to be typosquatting.

Which of the following helps protect you from identity theft?

***All of the above Monitor your credit reports regularly Encrypt all e-mail that contains personal information Shred all paper documents that contain personal information before disposal

Which of the following statements is true regarding VPNs, encryption, and digital certificates?

***All of the above are true VPNs protect the confidentiality of information while it is in transit over the Internet Encryption limits firewalls' ability to filter traffic A digital certificate contains that entity's public key

Which of the following statements is true about changes?

**All of the above "Emergency" changes need to be documented once the problem is resolved Changes should be tested in a system separate from the one used to process transactions Change controls are necessary to maintain adequate segregation of duties

Which of the following are indicators that an organization's change management and change control process is effective?

**All of the above A low number of emergency changes A reduction in the number of problems that need to be fixed Testing of all changes takes place in a system separate from the one used for regular business operations

Which of the following factor(s) should be considered when determining the strength of any encryption system?

**All of the above Policies for managing the cryptographic keys Encryption algorithm Key length

Which of the following statements about virtualization and cloud computing is(are) true?

**All of the above The time-based model of security applies Strong user access controls are important Perimeter protection techniques (e.g., firewalls, IDS, and IPS) are important

Which of the following is an example of multi-factor authentication?

**All of the above Voice recognition plus answer to security question Password plus smart card USB device plus retina scan

What are the six steps that many criminals use to attack information systems?

-Conduct reconnaissance -Attempt social engineering -Scan and map the target -Research -Execute the attack -Cover tracks

It is critical that controls be in place during the holiday season because

-More people are on vacation and fewer around to mind the store. -Students are not tied up with school . -Lonely counterculture hackers increase their attacks.

•three principles that apply to the information and communication process:

-Obtain or generate relevant, high-quality information to support internal control. -Internally communicate the information, including objectives and responsibilities, necessary to support the other components of internal control. -Communicate relevant internal control matters to external parties.

•Processes implemented to provide assurance that the following objectives are achieved:

-Safeguard assets -Maintain sufficient records -Provide accurate and reliable information -Prepare financial reports according to established criteria -Promote and improve operational efficiency -Encourage adherence with management policies -Comply with laws and regulations

The 4 steps to the security life cycle is

1-Asses threats and select risk response 2-Develop and communicate policy 3-Acquire and implement solutions 4-Monitor performance

What are the steps to protecting confidentiality and privacy?

1.Identify and classify information to be protected 2. Protecting sensitive information with encryption 3.Controlling access to sensitive information 4. Training

The seven different types of control activities include

1.Proper authorization of transactions and activities 2.Segregation of duties 3.Project development and acquisition controls 4.Change management controls 5.Design and use of documents and records 6.Safeguarding assets, records, and data 7.Independent checks on performance

Which of the following can be used to create a digital signature?

Asymmetric encryption system

Which of the following statements is true of a network

A DMZ is a separate network located outside the organization's internal information system.

What does COSO stand for

Committee of Sponsoring Organizations

Which of the following is not an example of multi-factor authentication?

A passphrase and a security question

Sets of IF-THEN rules used to determine what to do with arriving packets used with firewalls and routers

Access control lists

•Specifies what part of the IS a user can access and what actions they are permitted to perform.

Access control matrix

spyware that can pop banner ads on a monitor, collect information about the user's web-surfing and spending habits, and forward it to the creator

Adware

Combining a password with which of the following is an example of multi-modal authentication?

All of the above Name of your first grade teacher Your email address Correctly identifying a picture you had selected when you set up the account

Which of the following is the final phase of the incident response process?

Analysis of the root cause of the incident

The examination of the relationships between different sets of data is called

Analytical review

Concerned with the accuracy, completeness, validity, and authorization of data captured, processed, and stored

Application controls

Controls that prevent, detect, and correct transaction errors and fraud in application programs are called:

Application controls

Verifying the identity of the person or device attempting to access the system.

Authentication

Establishing policies and empower employees to perform activities within policy and is an important part of an organization's control procedures

Authorization

Process of restricted access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform

Authorization

The control procedure designed to restrict what portions of an information system an employee can access and what actions he or she can perform is called ___________.

Authorization

Prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized

Authorization Functions

To achieve effective segregation of duties, certain functions must be separated. Which of the following is the correct listing of the accounting-related functions that must be segregated?

Authorization, recording, and custody

-System and data can be accessed when needed

Availability

Making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source

E-mail spoofing

•Distributed ledger of hashed documents with copies stored on multiple computers. technology was originally developed to support the crypto-currency Bitcoin to prevent "double-spending" the same coin, but it has since been adopted for use in a variety of industries to create reliable audit trails for any business process.

Blockchain

-Taking control of a phone to make or listen to calls, send or read text messages

Bluebugging

-Stealing contact lists, data, pictures on Bluetooth compatible smartphones

Bluesnarfing

•checks the contents of the destination address field of every packet it receives.

Border router

A network of powerful and dangerous hijacked computers that are used to attack systems or spread malware

Botnet

Trial and error method that uses software to guess information such as the user ID and the password, needed to gain access to a system

Brute force attack

Large amount of data sent to overflow the input memory (buffer) of a program, causing it to crash and replacing it with attacker's program instructions.

Buffer overflow attack

Which of the following statements is true about COSO

COSO's internal control integrated framework has been widely accepted as the authority on internal controls.

-Expands COSO framework where risk is accepted and tolerated

COSO-ERM (Enterprise Risk Management)

This act gives the right to delete, know about and opt out of sale of personal information

California Consumer Privacy Act (CCPR)

Displaying an incorrect number on the recipients caller ID display to hide the caller's identity

Caller ID spoofing

The organization that issues public and private keys is called a:

Certificate authority

the formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability

Change control and change management

Independent of other IS functions and reports to the COO or CEO. Must understand the company's technology environment and work with the CIO to design, implement, and promote sound security policies and procedures. Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO's security measures.

Chief Information Security Officer (CISO)

Manipulating the number of times an ad is clicked on to inflate advertising bills

Click fraud

The desire to help others who present themselves as needing help.

Compassion

Why do People fall victim to fraud?

Compassion Greed Sex appeal Sloth Trust Urgency Vanity

A team responsible for dealing with major security incidents

Computer Incident response team (CIRT)

discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.

Computer forensics specialists

Success of a brute force attack is a factor of what two things?

Computing power used and enough time to generate the number of combinations needed

-Sensitive organizational data is protected and ensures accuracy

Confidentiality

Employee compliance with organization's information security policies and overall performance of business processes

Continuous monitoring

Which activity are accountants most likely to participate in?

Continuous monitoring

A security internal IT control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters.

Control Objectives for Information and Related Technology (COBIT

Control policies and procedures help ensure that the actions identified by management to address risks and achieve the organization's objectives are effectively carried out

Control activities

The company culture that is the foundation for all other internal control components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.

Control environment

-Identify and correct problems; correct and recover from the problems

Corrective controls

A digital signature is ______________.

Created by hashing a document and then encrypting the hash with the signer's private key

Uses vulnerability of Web application that allows the Web site to get injected with malicious code. When a user visits the Web site, that malicious code is able to collect data from the user.

Cross-site scripting (XSS)

Handling cash, handling inventories, tools, or fixed assets, writing checks are examples of what type of functions

Custodial functions

-Threatening to harm a company or a person if a specified amount of money is not paid

Cyber-extortion

-Threats to a person or business online through e-mail or text messages unless money is paid

Cyber-extortion

Fraud perpetrators threaten to harm a company if it does not pay a specified amount of money. What is this fraud technique called?

Cyber-extortion

Threatening to harm a company or a person if a specified amount of money is not paid.

Cyber-extortion

software, which works like antivirus programs in reverse, blocking outgoing messages (whether e-mail, IM, or other means) that contain key words or phrases associated with the intellectual property or other sensitive data the organization wants to protect.

Data loss prevention (DLP)

Which of the following can organizations use to protect the privacy of a customer's personal information when giving programmers a realistic data set with which to test a new application?

Data masking

Transforming ciphertext back into plaintext

Dcryption

A process that examines the data in the body of a TCP packet in more detail to control traffic, rather than looking only at the information in the IP and TCP headers. Slower process

Deep packet inspection

Separate network located outside the organization's internal information system that permits controlled access from the Internet to selected resources

Demilitarized Zone

A computer attack in which the attacker sends so many e-mail bombs or web page requests, often from randomly generated false addresses that the internet service provider's email server or the web server is overloaded and shuts down

Denial of service attack (DoS)

Which component of the time-based model of security does log analysis affect?

Detection

-Discover problems that are not prevented

Detective controls

Software that is embedded in documents or files that contain confidential information to indicate who owns that information is called

Digital watermark

Most computer attacks are designed to steal information or money. Which of the following attacks is designed to slow down or stop a website, often to prevent legitimate users from accessing the website?

DoS Attack

The maxim that debits equal credits provides numerous opportunities for independent checks. Debits in a payroll entry may be allocated to numerous inventory and/or expense accounts; credits are allocated to liability accounts for wages payable, taxes withheld, employee insurance, and union dues. After the payroll entries, comparing total debits and credits is a powerful check on the accuracy of both processes. Any discrepancy indicates the presence of an error.

Double entry accounting

Able wants to send a file to Baker over the Internet and protect the file so that only Baker can read it and verify that it came from Able. What should Able do?

Encrypt the file using Able's private key, and then encrypt it again using Baker's public key

Which of the following statements is true about encryption?

Encryption is reversible, but hashing is not

Which of the following statements is(are) true about encyrption and hashing

Encryption is reversible, but hashing is not. Encryption produces a file similar in size to the plaintext file, but hashing produces a short fixed-length file.

Which of the following statements is not true about encryption?

Encryption protects the confidentiality of information while it is in processing.

-imposes huge fines (up to 4% of global revenues) for issues such as not properly obtaining consent to collect and use personal information or not being able to document that the organization has taken a proactive approach to protecting privacy.

European Union's General Data Privacy Regulation (GDPR)

On your dream vacation to Hawaii you decide to log into the hotel's Wi-Fi network and notice that there are two networks with very similar names. You select one and are immediately connected to the network without having to enter the access code given you at check in. Weeks later you find that your identity has been stolen. You were a victim of which computer fraud and abuse technique?

Evil twin

trick cellphone users into divulging account information by sending an automated call or text message that appears to come from their bank. Using the divulged information, the fraudsters call the bank, spoofing the victim's phone number, and answer the security questions

Example of Caller ID Spoofing

Daniel Baas was the systems administrator for a company that did business with Acxiom, who manages customer information for companies. Baas exceeded his authorized access and downloaded a file with 300 encrypted passwords, decrypted the password file, and downloaded Acxiom customer files containing personal information. The intrusion cost Acxiom more than $5.8 million.

Example of Password Cracking

Susan Gilmour-Latham got a call asking why she was sending the caller multiple adult text messages per day. Her account records proved the calls were not coming from her phone. Neither she nor her mobile company could explain how the messages were sent. After finding no way to block the unsavory messages, she changed her mobile number to avoid further embarrassment by association.

Example of SMS spoofing

a woman got a call asking why she had sent the caller multiple adult message texts every day for the past few months. Neither she nor her mobile company could explain the texts, as her account showed that they were not coming from her phone.

Example of SMS spoofing

typing goggle.com instead of google.com might lead to a cyber-squatter site that:

Example of URL hijacking

CloudNine, an Internet service provider, went out of business after DoS attacks prevented its subscribers and their customers from communicating.

Example of a denial of service attack

A 31-year-old programmer unleashed a Visual Basic program by deliberately posting an infected document to an alt.sex Usenet newsgroup using a stolen AOL account. The program evaded security software and infected computers using the Windows operating system and Microsoft Word. On March 26, the Melissa program appeared on thousands of e-mail systems disguised as an important message from a colleague or friend. The program sent an infected e-mail to the first 50 e-mail addresses on the users' Outlook address book. Each infected computer would infect 50 additional computers, which in turn would infect another 50 computers. The program spread rapidly and exponentially, causing considerable damage. Many companies had to disconnect from the Internet or shut down their e-mail gateways because of the vast amount of e-mail the program was generating. The program caused more than $400 million in damages.

Example of a worm/ virus

One company that engages in digital media content sharing offers users a $30 version or a free version. The license agreement for the free software discloses the adware (hence making it "legal" spyware), but most users do not read the agreement and are not aware it is installed. Reputable adware companies claim sensitive or identifying data are not collected. However, there is no way for users to effectively control or limit the data collected and transmitted.

Example of adware

A reporter for TimesOnline accompanied Adam Laurie, a security expert, around London scanning for Bluetooth-compatible phones. Before a Bluetooth connection can be made, the person contacted must agree to accept the link. However, Laurie has written software to bypass this control and identified vulnerable handsets at an average rate of one per minute. He downloaded entire phonebooks, calendars, diary contents, and stored pictures. Phones up to 90 meters away were vulnerable.

Example of bluesnarfing

Ukrainian hackers cracked the passwords of news wire companies. When they found news releases that would move a stock's price, they sold the information to seven traders who bought the stock before the news was released and sold it after the news came out. The traders netted $30 million, including a $1 million profit from owning Caterpillar for less than one day.

Example of brute force attack

web page owners who get a commission to host a pay-per-click ad clicking to boost commissions

Example of click fraud

Luana hosts a website that Christy frequently uses to store all her financial data. To use the website, Christy logs on using her username and password. While searching for vulnerable websites, Miles finds that Luana's website has a vulnerability. Miles creates a URL to exploit it and sends it to Christy in an e-mail that motivates Christy to click on it while logged into Luana's website. The vulnerability is exploited when the malicious script embedded in Miles's URL executes in Christy's browser, as if it came directly from Luana's server. The script sends Christy's session cookie to Miles, who hijacks Christy's session. Miles can now do anything Christy can do. Miles can also send the victim's cookie to another server, inject forms that steal Christy's confidential data, disclose her files, or install a Trojan horse program on her computer. Miles can also use end a malicious script to her husband Jeremy's computer. Jeremy's browser has no way of knowing that the script should not be trusted; it thinks it came from a trusted source and executes the script. Miles could also execute XSS by posting a message with the malicious code to a social network. When Brian reads the message, Miles's XSS will steal his cookie, allowing Miles to hijack Brian's session and impersonate him.

Example of cross-site scripting

MicroPatent, an intellectual property firm, was notified that their proprietary information would be broadcast on the Internet if they did not pay a $17 million fee. The hacker/blackmailer was caught by the FBI before any damage was done.

Example of cyber-extortion

The owner of a credit card processor received an e-mail listing his clients as well as their credit card numbers. The e-mail told him to pay $50,000 in six payments, or the data would be sent to his clients.

Example of cyber-extortion

. Cyber-attacks left high-profile sites such as Amazon.com, eBay, Buy.com, and CNN Interactive staggering under the weight of tens of thousands of bogus messages that tied up the retail sites' computers and slowed the news site's operations for hours.

Example of denial of service attack

A former Oracle employee was charged with breaking into the company's computer network, falsifying evidence, and committing perjury for forging an e-mail message to support her charge that she was fired for ending a relationship with the company CEO. Using cell phone records, Oracle lawyers proved that the supervisor who had supposedly fired her and written the e-mail was out of town when the e-mail was written and could not have sent it.

Example of e-mail spoofing

Global Communications sent messages threatening legal action if an overdue amount was not paid within 24 hours.

Example of e-mail threats

Mark Koenig, a 28-year-old telecommunications consultant, and four associates. Federal agents say the team pulled crucial data about Bank of America customers from telephone lines and used it to make 5,500 fake ATM cards. Koenig and his friends allegedly intended to use the cards over a long weekend to withdraw money from banks across the country.

Example of eavesdropping

A convicted felon incurred $100,000 of credit card debt, took out a home loan, purchased homes and consumer goods, and filed for bankruptcy in the victim's name. He phoned and mocked his victim because the victim could not do anything because this was not a crime at the time

Example of identity theft

a seller can use a false identity or partner with someone to drive up the bid price. A person can enter a very high bid to win the auction and then cancel his bid, allowing his partner, who has the next highest, and much lower, bid to win. The seller can fail to deliver the merchandise, or the buyer can fail to make the agreed upon payment. The seller can deliver an inferior product or a product other than the one sold

Example of internet auction fraud

a young man broke into Yahoo's news pages and replaced the name of an arrested hacker with that of Bill Gates

Example of internet misinformation

fraudsters quietly acquired shares in 15 thinly traded public companies. They used sophisticated hacking and identity fraud techniques, such as installing keystroke-logging software on computers in hotel business centers and Internet cafes, to gain access to online brokerage accounts. The hackers sold the securities in those accounts, used the money to purchase large quantities of the 15 companies' stock to pump up their share prices, and sold their stock for a $732,941 profit.

Example of internet pump and dump fraud

An enterprising student records a teacher's typed exam answers decoding her keystrokes and was caught selling exam answers

Example of keylogger

Linda sniffs and eavesdrops on a network communication and finds David sending his public key to Teressa so that they can communicate securely. Linda substitutes her forged public key for David's key and steps in the middle of their communications. If Linda can successfully impersonate both David and Teressa by intercepting and relaying the messages to each other, they believe they are communicating securely.

Example of man in the middle attack

Dan egerstad installs a packet that looked for key words such as government, military, war, passport, and visa. He intercepted e-mails from embassies and governments, many with visa and passport data.

Example of packet sniffer

Masquerading as custodians, temporary workers, or confused delivery personnel to get into offices to locate passwords or access computers. or Climbing through roof hatches and dropping through ceiling panels. are examples of

Example of penetration tests

eBay customers were notified by e-mail that their accounts had been compromised and were being restricted unless they re-registered using an accompanying hyperlink to a Web page that had eBay's logo, home page design, and internal links. The form had a place for them to enter their credit card data, ATM PINs, Social Security number, date of birth, and their mother's maiden name. Unfortunately, eBay hadn't sent the e-mail.

Example of phishing

The hackers changed the voice mail greeting to say that officers were too busy drinking coffee and eating doughnuts to answer the phone and to call 119 (not 911) in case of an emergency.

Example of phreaking

Tapping into a communications line and electronically latching onto a legitimate user before the user enters a secure system; the legitimate user unknowingly carries the perpetrator into the system.

Example of piggybacking

conduct a security survey and lull the victim into disclosing confidential information by asking 10 innocent questions before asking the confidential ones

Example of pretexting

hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information is an example of

Example of preventive controls

a bank reconciliation verifies that company checking account balances agree with bank statement balances

Example of reconciliation of independently maintained records

A disgruntled employee programmed the company computer to increase all production costs by a fraction of a percent and place the excess in the account of a dummy vendor he controlled. Every few months, the fraudulent costs were raised another fraction of a percent. Because all expenses were rising together, no single account would call attention to the fraud. The perpetrator was caught when a teller failed to recognize the payee name on a check the perpetrator was trying to cash

Example of salami technique

A federal grand jury in Fort Lauderdale claimed that four executives of a rental-car franchise modified a computer-billing program to add five gallons to the actual gas tank capacity of their vehicles. Over three years, 47,000 customers who returned a car without topping it off ended up paying an extra $2 to $15 for gasoline.

Example of salami technique

Microsoft filed a lawsuit against two Texas firms that produced software that sent incessant pop-ups resembling system warnings. The messages stated "CRITICAL ERROR MESSAGE! REGISTRY DAMAGED AND CORRUPTED" and instructed users to visit a Web site to download Registry Cleaner XP at a cost of $39.95.

Example of scareware

a dire warning that a computer is infected with a virus, spyware, or some other catastrophic problem

Example of scareware

Oracle Corporation was embarrassed a few years ago when investigators it hired were caught going through the trash of companies that supported its rival, Microsoft. The investigators had paid building janitors $1,200 for the trash

Example of scavenging/dumpster diving

a man hid a video camera in some bushes and pointed it at a company president's computer, which was visible through a first-floor window. A significant business acquisition almost fell through because of the information on the recording.

Example of shoulder surfing

Jason Scott discovered that some purchases did not have a purchase requisition. Instead, they had been "personally authorized" by Bill Springer, the purchasing vice president.

Example of specific authorization

At Kinko's in Manhattan, an employee gathered the data needed to open bank accounts and apply for credit cards in the names of the people using Kinko's wireless network.

Example of spyware

Rajendrasinh Makwana, an Indian citizen and IT contractor who worked at Fannie Mae's Maryland facility, was terminated at 1:00 P.M. on October 24. Before his network access was revoked, he created a program to wipe out all 4,000 of Fannie Mae's servers on the following January 31.

Example of time/logic bomb

America Online subscribers received a message offering free software. Users who installed the software unknowingly unleashed a second program hidden inside the software that secretly copied the subscriber's account name and password and forwarded them to the sender.

Example of trojan horse

visitors to an adult site were told to download a special program to see the pictures. This program disconnected them from their Internet service providers and connected them to a service that billed them $2 a minute until they turned off their computers

Example of trojan horse

•The expected loss related to a risk is measured as:

Expected loss = likelihood * impact/exposure

Hackers who publish instructions for taking advantage of vulnerabilities

Exploits

The potential dollar loss should a particular threat become a reality

Exposure/impact

What is the name of the law Congress passed to prevent companies from bribing foreign officials?

FCPA

The act that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

Health Insurance Portability and Accountability Act

Gaining control of a computer to carry out illicit activities such as sending spam without the computer's knowledge

Hijacking

A decoy system used to provide early warning that an insider or outsider is attempting to search for confidential information

Honeypots

Spoofing is making an electronic communication look like it came from someone other than the actual sender. Which of the following is not one of the types of spoofing mentioned in the text?

Identity theft spoofing

Act as filters and only permit packets that meet specific conditions to pass. It does not block all traffic

Firewalls

To prevent companies from bribing foreign officials to obtain business. Requires all publicly owned corporations to maintain a system of internal accounting controls

Foreign Corrupt Practices Act (1977)

Management authorizes employees to handle routine transactions without special approval.

General authorization

maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing.

General controls

People are more likely to cooperate if they get something free or think they are getting a once-in-a-lifetime deal.

Greed

-Unauthorized access, modification, or use of an electronic device or some element of a computer system

Hacking

A 17-year-old broke into the Bell Laboratories network, destroyed files, copied 52 proprietary software programs, and published confidential information on underground bulletin boards. Which computer fraud and abuse technique is this?

Hacking attack

Modifying default configurations to turn off unnecessary programs and features to improve security is called ____________.

Hardening

assuming someone's identity, usually for economic gain, by illegally obtaining and using confidential information, such as a Social Security number or a bank account or credit card number.

Identity theft

contains the packet's origin and destination addresses, as well as info about the type of data contained in the body.

IP Header

Creating Internet Protocol packets with a forged IP address to hide the sender's identity or to impersonate another computer system.

IP address spoofing

Contents of the packet of an Internet Protocol

IP body

The risk response procedure includes

Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls If it is cost-beneficial to protect systems reduce risk by implementing set of controls to guard against threat **If it is NOT cost-beneficial to protect systems than avoid, share, or accept risk

Which of the following is the correct order of the risk assessment steps discussed in this chapter?

Identify threats, estimate risk and exposure, identify controls, estimate costs and benefits

-Assuming someone else's identity

Identity theft

Your current system is deemed to be 90% reliable. A major threat has been identified with an impact of $3,000,000. Two control procedures exist to deal with the threat. Implementation of control A would cost $100,000 and reduce the likelihood to 6%. Implementation of control B would cost $140,000 and reduce the likelihood to 4%. Implementation of both controls would cost $220,000 and reduce the likelihood to 2%. Given the data, and based solely on an economic analysis of costs and benefits, what should you do?

Implement control B only

According to the time-based model of security, one way to increase the effectiveness is to

Increase P

capture and exchange the information needed to conduct, manage, and control the organization's operations. and must occur internally and externally to provide information needed to carry out day-to-day internal control activities

Information and communication

software provides an additional layer of protection to sensitive information stored in digital format, offering the capability not only to limit access to specific files or documents but also to specify the actions (read, copy, print, download to USB devices, etc.) that individuals granted access to that resource can perform.

Information rights management (IRM)

Which of the following statements is true?

Information security is necessary for protecting confidentiality, privacy, integrity of processing, and availability of information resources.

COSO identified five interrelated components of internal control. Which of the following is not one of those five?

Internal control policies

The processes and procedures implemented to provide reasonable assurance that control objectives are met

Internal controls

specifies the structure of the packets and how to route them to the proper destination

Internet Protocol (IP)

using an Internet auction site to defraud another person

Internet auction fraud

using the Internet to spread false or misleading information.

Internet misinformation

refers to embedding sensors in a multitude of devices so they can connect to the Internet. Again there is a net effect of positive and negative effects.

Internet of Things (IoT)

Using the internet to increase the stock price and sell it

Internet pump and dump fraud

Monitors patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks

Intrusion Prevention Systems (IPS)

System that creates logs of network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions

Intrusion detection systems (IDS)

Which device blocks or admits individual packets by examining information in the TCP and IP headers?

Intrusion prevention system (IPS)

Examining logs to identify evidence of possible attacks. Done regularly to detect problems in a timely manner Not easy because they grow in size -use software tools to efficiently strip out routine log entries so that they can focus their attention on anomalous behavior.

Log analysis

Software used to do harm

Malware

-Hacker is placed in between a client (user) and a host (server) to read, modify, or steal data.

Man in the middle (MITM)

What are the three factors that influence encryption strength

Key length Encryption algorithm Policies for managing the cryptographic keys

-Software that records user keystrokes

Keylogger

Type of user account that should be logged into when browsing the web or reading email. Used to performed regular routines and hackers can not access much information

Limited user account

What are the 10 Generally accepted Privacy Principles (GAPP)

Management Notice Choice and consent Collection Use, retention Access Disclosure to third parties Security Quality Monitoring and enforcement

Which of the following statements about the control enviornment is false?

Management's attitudes toward internal control and ethical behavior have little impact on employee beliefs or actions

Gaining access to a system by pretending to be an authorized user. Requires the perpetrator to know the legitimate user's ID and passwords

Masquerading/impersonation

Confidentiality focuses on protecting _______________.

Merger and acquisition plans

Evaluations ascertain whether each component of internal control is present and functioning. Deficiencies are communicated in a timely manner, with serious matters reported to senior management and the board.

Monitoring

The five components of COSO are

Monitoring, Information and communication, control activities, risk assessment, control environment

A website has a checkbox that states, "Click here if you do NOT want the AJAX company to share your information with third parties and send you offers that you might be interested in" is following the choice and consent practice known as

Opt-out

For the time based model of information security Security is most effective when

P > D+R

Which of the following combinations of credentials is an example of multifactor authentication?

PIN and ATM cards

-Captures data as it travels over the Internet

Packet sniffer

Which of the following is an example of multi-modal authentication?

Passphrase plus answer to a security question

code released by software developers to fix vulnerabilities that have been discovered

Patch

Which of the following is a corrective control designed to fix vulnerabilities?

Patch management

An authorized hired attempt to break into the organization's information system by either an internal audit team or external security consulting firm to break into the organization's IS.

Penetration test

Which of the following statements is(are) true about penetration tests?

Penetration tests are authorized attacks.

Which of the following is a detective control?

Pentraction testing

-Redirects website to a spoofed website

Pharming

Someone redirects a website's traffic to a bogus website, usually to gain access to personal and confidential information. What is this computer fraud technique called?

Pharming

-Sending an e-mail asking the victim to respond to a link that appears legitimate that requests sensitive data

Phishing

ending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification of information and often warning of some negative consequence if it is not provided. The recipient is asked to either respond to the bogus request or visit a web page and submit data. The message often contains a link to a web page that appears legitimate. The web page has company logos, familiar graphics, phone numbers, and Internet links that appear to be those of the victimized company

Phishing

A perpetrator attacks phone systems to obtain free phone line access or uses telephone lines to transmit viruses and to access, steal, and destroy data. What is this computer fraud technique called?

Phreaking

Attacking phone systems to obtain free phone line access, use phone lines to transmit malware, and to access, steal, and destroy data.

Phreaking

using a small device with storage capacity, such as an iPod or Flash drive, to download unauthorized data

Podslurping

-Creating a fake business to get sensitive information

Posing

-Using a scenario to trick victims to divulge information or to gain access

Pretexting

using an invented scenario (the pretext) to increase the likelihood that a victim will divulge information or do something

Pretexting

-Deter problems from occurring

Preventive controls

All other things being equal, which of the following is true about controls

Preventive controls are superior to detective controls.

Ensures that personal information from customers, suppliers, and employees is collected, used, disclosed, and maintained in a manner that is consistent with organization policies

Privacy

-Data are processed accurately, completely, in a timely manner, and only with proper authorization.

Processing Integrity

-Management lacks the time and resources to supervise each employee activity and decision, Consequently, they establish policies and empower employees to perform activities within policy.

Proper Authorization of Transactions and Activities

Which of the following is not an independent check?

Re-adding the total of a batch of invoices and comparing it with your first total

The 4 steps that CIRT must use to lead the organization's incident response process

Recognition Containment Recovery Follow-up

Which step should happen first as part of the incident response process?

Recognition of an attack

Which of the following is the correct sequence of steps in the incident response process?

Recognize that a problem exists, stop the attack, repair the damage, learn from the attack

Preparing source documents or entering data online, Maintaining journals, ledgers, files, databases, Preparing reconciliations, preparing performance reports are examples of what type of functions

Recording functions

Management responds to risk in what four ways

Reduce, accept, share, avoid

-Risk that is left over after you control it

Residual

The organization must identify, analyze, and manage its risks. Managing risk is a dynamic process. Management must consider changes in the external environment and within the business that may be obstacles to its objectives.

Risk assessment

Internal control that prevent or detect their unauthorized acquisition, use, or disposition.

Safeguard assets

-Taking small amounts at a time also known as round-down fraud

Salami technique

Stealing tiny slices of money from many different accounts

Salami technique

Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies and punish executives who perpetrate fraud

Sarbanes Oxley Act

-Prevent financial statement fraud, Make financial reports transparent, Protect investors, Strengthen internal controls, Punish executives who perpetrate fraud

Sarbanes-Oxley Act (2002)

software that is often malicious, is of little or no benefit, and is sold using scare tactics.

Scareware

-Searching trash for confidential information

Scavenging

-Access to the system and data is controlled and restricted to legitimate users.

Security

-Good internal control requires that no single employee be given too much responsibility over business transactions or processes. An employee should not be in a position to commit and conceal fraud or unintentional errors.

Segregation of Duties

People are more likely to cooperate with someone who is flirtatious or viewed as "hot."

Sex Appeal

-Snooping (either close behind the person) or using technology to snoop and get confidential information

Shoulder surfing

What social engineering technique uses double swiping credit card

Skimming

Few people want to do things the hard way, waste time, or do something unpleasant; fraudsters take advantage of our lazy habits and tendencies.

Sloth

-Techniques or tricks on people to gain physical or logical access to confidential information

Social engineering

Techniques used to obtain confidential information, often by tricking people, are referred to as what?

Social engineering

techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network—usually to get the information needed to access a system and obtain confidential data.

Social engineering

the unauthorized copying or distribution of copyrighted software

Software piracy

Simultaneously sending the same unsolicited message to many people, often in a attempt to sell them something

Spamming

For activities or transactions that are of significant consequences, management review and approval is required. Might apply to sales, capital expenditures, or write-offs over a particular dollar limit.

Special authorization

Makes the communication look as if someone else sent it to gain the trust of the recipient to get confidential information

Spoofing

-Secretly monitors and collects information. Can hijack browser search requests, adware, scareware

Spyware

What type of software secretly collects personal information about users and send it to someone else without the user's permission?

Spyware

Looks at the header of a TCP packet to control traffic Less detailed process but quicker

Static packet inspection

Which type of encryption is faster?

Symmetric

Which of the following statements is true about symmetric encryption

Symmetric encryption is faster than asymmetric encryption but cannot be used to provide nonrepudiation of contracts

Management expects accountants to:

Take a proactive approach to eliminating system threats. Detect, correct, and recover from threats when they occur.

The SOX act was created by

The Public Company Accounting Oversight Board (PCAOB)

Which of the following statements about obtaining consent to collect and use a customer's personal information is true?

The default policy in Europe is opt-in, but in the United States the default is opt-out.

What are the steps in creating a digital signature

The document creator uses a hashing algorithm to generate a hash of the original document The document creator uses his/her private key to encrypt the hash created Result: The encrypted hash is a legally-binding digital signature

Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization

Threat/event

-is the implementation of a combination of preventive, detective, and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.

Time based model of information security

Program that lies idle until some specified circumstance or time

Time bomb/logic bomb

-the implementation of a combination of preventive, detective, and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.

Time-based model of information security

What is the objective of a penetration test?

To identify where additional protections are most needed to increase the time and effort required to compromise the system

Management should monitor company results and periodically compare actual company performance to (1) planned performance, as shown in budgets, targets, and forecasts; (2) prior period performance; and (3) competitors' performance

Top level reviews

Which of following action(s) must an organization take to preserve the confidentiality of sensitive information?

Train employees to properly handle information

Which of the following is a preventive control?

Training

Specifies the procedures for dividing files and documents into packets and for reassembly at the destination.

Transmission Control Protocol (TCP)

-Set of instructions that allow the user to bypass normal system controls

Trap door

a set of computer instructions that allows a user to bypass the system's normal controls

Trap door/back door

-Malicious computer instructions in an authorized and properly functioning program

Trojan Horse

A set of instructions to increase a programmer's pay rate by 10% is hidden inside an authorized program. It changes and updates the payroll file. What is this computer fraud technique called?

Trojan horse

A weakness an attacker can take advantage of to either disable or take control of a system is called a[n] ______________.

Vulnerability

programming a computer to dial thousands of phone lines searching for dial-up modem lines. Hackers break into the PC attached to the modem and access the network to which it is connected. This approach got its name from the movie War Games.

War dialing

-Stand-alone self replicating program that doesn't require a human to activate it

Worm

Using your private key to encrypt a hash of a document creates a __________.

a digital signature

If you want to e-mail a document to a friend and be assured that only your friend will be able to open the document, you should encrypt the document using:

Your friend's public key

If you want to e-mail a document to a friend so that your friend can be certain that the document came from you, you should encrypt the document using:

Your private key

Botnet examples include

Zombies Bot herders Denial of Service (DoS) attack Brute force attack Password cracking Dictionary attack Spamming Spoofing

In the hybrid solution what type of encryption is used for decrypting information

asymmetric

Encryption systems that use two keys (one public and one private) wither key can encrypt but only the other matching key can decrypt

asymmetric encryption systems

SOX created new rules for

auditors, audit committees, management, control requirements

The lever of control that describes how a company creates value and helps employees understand management's vision is called a

belief system

Which of the following can be used to prevent unauthorized changes to completed business transactions?

blockchains

The person who creates a botnet by installing software on PCs that respond to the electronic instructions. This controls the PCs allows this person to mount a variety of internet attacks

bot herder

The word zombie is related to which type of computer attack?

botnet

Individuals who control an army of malware-infected zombie computers are called _______________.

botnet owners

when the amount of data entered into a program is greater than the amount of the memory (the input buffer) set aside to receive it. The input overflow usually overwrites the next computer instruction, causing the system to crash and open a back door into the system can read sensitive data from the database; modify, disclose, destroy, or limit the availability of the data; allow the attacker to become a database administrator; spoof identity; and issue operating system commands.

buffer overflow attack

Jake Malone is running an online business that specialized in buying and reselling stolen credit card information. Jake is engaging in _______________.

carding

Significant assets are periodically counted and reconciled to company records. At the end of each clerk's shift, cash in a cash register drawer should match the amount on the cash register tape.

comparison of actual quantities with recorded amounts

When an employee tries to access a particular resource, the system performs a test that matches the user's authentication credentials against the matrix to determine if the employee should be allowed to access that resource and perform the action

compatibility test

An employee independent of the information system function who monitors the system, disseminates information about improper system uses and their consequences and reports to top management

computer security officer (CSO)

Encryption is necessary to protect what?

confidentiality and privacy

policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.

control activities

a vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website.

cross-site scripting

Defrauding investors such as fake initial coin offerings and fake exchanges and wallets

cryptocurrency fraud

Protecting privacy by replacing sensitive personal information with fake data

data masking

Software that generates user ID and password guesses using information about the targeted company and an index of possible user IDs and passwords to reduce the number of guesses required

dictionary attack

_____ provides assurance that someone cannot enter into a digital transaction and then subsequently deny they had done so and refuse to fulfill their side of the contract.

digital Signature

an electronic document that contains an entity's public key and certifies the identity of the owner of that particular public key.

digital certificate

Code embedded in documents that enables an organization to identify confidential information that has been disclosed

digital watermark

Process of transforming normal text into unreadable gibberish

encryption

Collective term for the workstations, servers, printers, and other devices that comprise an organization's network

endpoints

An unauthorized person following an authorized person through a secure door, bypassing physical security controls such as keypads, ID cards, or biometric identification scanners.

example of Piggybacking

The day after you downloaded a new game on your laptop from a free software site, pop-up ads begin to appear on your computer, even though your browser says that pop-up ads are being blocked. You also occasionally find your web browser jumping to Web sites you did not ask it to display. You have most likely become a victim of what type of malware?

example of adware

One woman authorized new credit card accounts, and the other wrote off unpaid accounts of less than $1,000. The first woman created a new account for each of them using fictitious data. When the amounts outstanding neared the $1,000 limit, the woman in collections wrote them off. The process would then be repeated. They were caught when a jilted boyfriend seeking revenge reported the scheme to the credit card company.

example of collusion

maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing is an example of

example of corrective controls

duplicate checking of calculations and preparing bank reconciliations and monthly trial balances. is an example of

example of detective controls

requiring a user both to insert a smart card in a card reader and enter a password is an example of

example of multifactor authentication

The clandestine use of a neighbor's Wi-Fi network; this can be prevented by enabling the security features in the wireless network.

example of piggybacking

Danny Ferrar, the owner of BuysUSA.com, was sentenced to six years in prison for selling $4.1 million of copyrighted software for much less than the suggested retail price. Ferrar was guilty of:

example of software piracy

After visiting a large number of Web sites to complete your research for a lengthy research paper, your computer begins to act up. Your CPU is running much slower, your software frequently crashes, and you have difficulty connecting to the Internet. You have most likely become a victim of what type of malware?

example of spyware

On March 20, at 2 p.m. local time, the hard drives and master boot records of computers at three banks and two media companies in South Korea were wiped clean. The computers were then restarted, and the message "Boot device not found. Please install an operating system and then reboot the system" appeared on those computer screens. These companies were victims of what kind of computer fraud and abuse technique?

example of time bomb

Hackers created malicious and self-replicating code to exploit a weakness in the Windows Server service. Two weeks after it was released, it had infected almost 9 million computers worldwide. In addition to looking for other computers to infect, the code downloaded additional malware on the hijacked computers. The code, named Downadup, is an example of what kind of computer fraud and abuse technique?

example of worm

A phone number employees can call to anonymously report fraud and abuse

fraud hotline

process that takes plaintext of any length and creates a short code called a message digest, popularly Includes SHA-256 bits and that a document has not changed

hashing

If the time an attacker takes to break through the organization's preventive controls is shorter than the sum of the time required for the organization to detect the attack and the time required to respond to the attack, then organization's security is considered

ineffective

software records computer activity, such as a user's keystrokes, e-mails sent and received, websites visited, and chat session participation.

keylogger

The probability that the threat will happen

llikelihood

Any software used to do harm

malware

Security is a _________ issue

management

Referred to as explicit consent because organizations cannot collect and use customers' personal information unless they explicitly agree to allow such actions.

opt-in

Referred to as implicit consent because companies can assume it is okay to collect and use customers' personal information unless they explicitly object.

opt-out

Recovering passwords by trying every possible combination of upper and lower case letters, numbers, and special characters and comparing them to cryptographic hash of the password

password cracking

Process for regularly applying patches and updates to all of an organization's software.

patch management

Communications that request recipients to disclose confidential information by responding to an e-mail or visiting a website is called:

phishing

Normal text that has not been encrypted

plaintext

creating a seemingly legitimate business (often selling new and exciting products), collecting personal information while making a sale, and never delivering the product.

posing

Implementing strong access controls is good security over all the systems is what kind of impact on virtualization and cloud computing and IoT

positive impact on security

In the movie "Identity Thief," Melissa McCarthy used an invented scenario to get the name and other identifying information of Jason Bateman, enabling her to steal his identity. Which computer fraud and abuse technique did she use?

pretexting

One of the keys used in asymmetric encryption systems that is kept secret and known only to the owner

private key

One of the keys used in asymmetric encryption that is widely distributed and available to everyone

public key

The system for issuing pairs of public and private keys and corresponding digital certificates

public key infrastructure (PKI)

The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.

risk appetite

Implementing control procedures to clearly divide authority and responsibility within the information system function

segregation of system duties

In a hurry to catch a train, a man in Grand Central Station made a quick ATM stop to withdraw $40. Before he went to bed, he checked his bank account and found his $40 withdrawal, as well as five additional withdrawals, for a total of $700, all made within a minute of his. This man was most likely a victim of _______________.

shoulder surfing

double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for later use.

skimming

The FBI arrested Russian spies and accused them of encoding messages into pictures that were posted on publically accessible Web sites. To retrieve the messages, the recipients used special software to decode the messages hidden in the pixels of the pictures. The Russian spies were using which computer fraud and abuse technique?

steganography

In the hybrid solution what type of encryption is used for encrypting information

symmetric

Encryption system that use the same key both to encrypt and to decrypt

symmetric encryption systems

To decrypt a digital signature, you need to use _______.

the public key of the person who created the signature.

In the time based model formula what does P represent

the time it takes an attacker to break through the various controls that protect the organization's information assets.

In the time based model formula what does D represent

the time it takes for the organization to detect that an attack is in progress.

In the time based model formula what does R represent

the time it takes to respond to and stop the attack.

lies idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur.

time bomb/logic bomb

Fake data that is also another word for data masking

tokenization

In your haste to watch a video that you heard about, you type in yuube.com and are taken to a site with the familiar YouTube logo but find that the site sells a video ad blocker that allows you to watch YouTube without having to watch the ads. This is an example of _______________.

typosquatting

Using encryption and authentication to securely transfer information over the internet privately

virtual private network (VPN)

Which computer fraud technique involves a set of instructions hidden inside a calendar utility that copies itself each time the utility is enabled until memory is filled and the system crashes?

virus

driving around looking for unprotected wireless networks.

war driving

-People can either be the___________in security or _________

weakest link, important asset

An attack between the time a new software vulnerability is discovered and the time a software developer releases a patch that fixes the problem is called

zero-day attack

Hijacked computers, typically part of a botnet that are used to launch a variety of Internet attacks

zombies

Components of a COSCO consist of

•Control (internal) environment •Risk assessment •Control activities •Information and communication •Monitoring

What are some forms of spoofing?

•E-mail •Caller ID •IP address •SMS •Web-page (phishing)

Components of a COSCO-ERM consist of

•Internal environment •Objective setting •Event identification •Risk assessment •Risk response •Control activities •Information and communication •Monitoring

Examples of hacking used for fraud include

•Internet misinformation •E-mail threats •Internet auction •Internet pump and dump •Cryptocurrency fraud •Click fraud •Software piracy

The primary objective of an AIS is to

•Is to control the organization so the organization can achieve its objectives

Examples of man in the middle hacking include

•Masquerading/impersonation •Piggybacking •War dialing and driving •Phreaking •Podslurping

What can be done to minimize the threat of social engineering?

•Never let people follow you into restricted areas •Never log in for someone else on a computer •Never give sensitive information over the phone or through e-mail •Never share passwords or user I Ds •Be cautious of someone you don't know who is trying to gain access through you


Related study sets

ATI Pharmacology Made Easy 4.0: The Reproductive & Genitourinary Systems

View Set

PP RNSG 1538 Intrapartum Mastery Quiz

View Set

Exam review insurance life and health missed questions:

View Set

Chapter 4 Adaptive Study Pre-Test

View Set