Computer and Internet Fraud Flashcards
Which of the following is an accurate definition of SMiShing?
A. Stealing data from payroll accounts through the use of computers
B. Stealing private, financial data through the use of voicemail
C. Obtaining sensitive data through the use of short message services
D. Obtaining sensitive data by impersonating a government official
C. Obtaining sensitive data through the use of short message services
SMiShing is a hybrid of phishing and short message service (text messaging). These schemes use text messages or other short message systems to conduct phishing activities. That is, in SMiShing schemes, the attacker uses text messages or other short message systems to dupe an individual or business into providing sensitive data by falsely claiming to be from an actual business, bank, ISP, or other entity with which the target does business.
Physical access controls refer to the process by which users are allowed access to computer programs, systems, and networks.
T/F
False
Physical access controls refer to the process by which users are allowed access to physical objects (e.g., buildings). In contrast, logical access controls are tools used to control access to computer information systems and their components.
Implementing privilege escalation and using buffer overflow exploits are examples of administrative controls used for securing computer systems and communication networks.
T/F
False
Computer networks and communications are inherently insecure and vulnerable to attack and disruption. Consequently, management must use technical and administrative controls to protect systems against threats like unauthorized use, disclosure, modification, destruction, or denial of service. Technical security involves the use of safeguards incorporated in computer hardware, operations or applications software, communications hardware and software, and related devices. Administrative security involves the use of tools to provide an acceptable level of protection for computing resources.
Common technical and administrative controls used to secure computer systems and communication networks include:
• Logical access controls
• Network security
• Operating system security
• Encryption
• Application security
• Separation of duties
Buffer overflows and privilege escalation are not controls to prevent computer fraud. Rather, they are both methods of exploiting design flaws in computer systems to gain unauthorized access.
All of the following are options for authenticating users in information systems EXCEPT:
A. Encryption
B. Profiling software
C. Biometrics
D. Card-based systems
A. Encryption
Logical access controls are tools used for identification, authentication, and authorization in computer information systems. All of the following are options for authenticating users in information systems:
• Passwords
• Card-based systems
• Biometrics
• Profiling software
Encryption is the process whereby information is taken and scrambled so that it is unreadable by anyone who does not have the decryption code.
______________ is the term used to describe malicious software used to simplify or automate online criminal activities.
A. Crimeware
B. Freeware
C. Adware
D. None of the above
A. Crimeware
Crimeware is malware used to simplify or automate online criminal activities. It refers to programs used to obtain financial gain from the affected user or other third parties.
Which of the following are considered red flags of insider computer fraud?
I. Access privileges limited to those required to perform assigned tasks.
II. Access logs are not reviewed.
III. Production programs are run during normal business hours.
IV. Exception reports are not reviewed and resolved.
A. II and IV only
B. III and IV only
C. I, II, III, and IV
D. I and III only
A. II and IV only
Rock phishing is the type of phishing scheme that uses text messages or other short message systems to dupe an individual or business into providing sensitive data by falsely claiming to be from an actual business, bank, ISP, or other entity.
T/F
False
SMiShing is a hybrid of phishing and short message service (text messaging). These schemes use text messages or other short message systems to conduct phishing activities. That is, in SMiShing schemes, the attacker uses text messages or other short message systems to dupe an individual or business into providing sensitive data by falsely claiming to be from an actual business, bank, ISP, or other entity with which the target does business.
Rock phishers use botnets to send massive amounts of phishing emails to huge volumes of Internet users. The emails contain a message from a financial institution, enticing users to click on a fraudulent URL. There is some indication that rock phishers cycle through multiple email lists and attempt to reach the Internet users most likely to use the brands that they are targeting.
Which of the following is an information security goal that an e-commerce system should strive to provide its users and asset holders?
A. Non-repudiation
B. Exactness
C. Access authority
D. Systems reliability
A. Non-repudiation
Non-repudiation is an information security goal that an e-commerce system should strive to provide its users and asset holders. It refers to a method used to guarantee that the parties involved in an e-commerce transaction cannot repudiate (deny) participation in that transaction. Non-repudiation is obtained through the use of digital signatures, confirmation services, and timestamps.
Additional information security goals that should be provided to users and account holders of information systems include:
• Confidentiality of data
• Integrity of data
• Availability of data
• Authentication
Which of the following is NOT a type of physical access control device that can be used to control access to physical objects?
A. Electronic access cards
B. Locks and keys
C. Biometric systems
D. Profiling software
D. Profiling software
There are various types of physical access control devices that can be used to control access to physical objects. Some common types of physical access control devices include:
• Locks and keys
• Electronic access cards
• Biometric systems
Profiling software is a type of logical access control device that authenticates users by monitoring their statistical characteristics, such as typing speed and keystroke touch.
Which of the following is the term used to describe the method of gaining unauthorized access to a computer system in which attackers use an automated process to guess a system user’s passwords?
A. Password engineering
B. Password sniffing
C. Password cracking
D. Password logging
Password cracking is an automated process by which an attacker attempts to guess a system user’s most likely passwords.
A virus that loads itself onto the target system’s memory, infects other files, and then unloads itself is called a:
A. Direct-action virus
B. Boot sector virus
C. Network virus
D. None of the above
Direct-action viruses load themselves onto the target system’s memory, infect other files, and then unload themselves.
Which of the following is the best definition of a computer worm?
A. A program or command procedure that gives the appearance that it is useful but in fact contains hidden code that causes malicious damage
B. A self-replicating computer program that penetrates operating systems to spread malicious code to other systems
C. A type of software that, while not definitely malicious, has a suspicious or potentially unwanted aspect to it
D. Any software application in which advertising banners are displayed while a program is running
A computer worm is a malicious self-replicating computer program that penetrates operating systems to spread malicious code to other computers.
Which of the following are information security goals that an e-commerce system should be designed to provide its users and asset holders?
I. Penetrability of data
II. Materiality of data
III. Integrity of data
IV. Availability of data
A. II and III only
B. I, II, and III only
C. III and IV only
D. I, II, III, and IV
C. III and IV only
To ensure separation of duties within the information technology department and between information systems and business unit personnel, computer operators should be responsible for performing computer programming.
T/F
False
Separation of duties is a key element in a well-designed internal control system, and it is fundamental to data security. There are various options for achieving separation of duties in information security, and the options vary depending on department responsibilities. For example, some of the best practices for ensuring separation of duties within the information technology department and between information systems and business unit personnel are as follows:
• Programmers should not have unsupervised access to production programs or have access to production data sets (data files).
• Information systems personnel’s access to production data should be limited.
• Application system users should only be granted access to those functions and data required for their job duties.
• Program developers should be separated from program testers.
• System users should not have direct access to program source code.
• Computer operators should not perform computer programming.
• Development staff should not have access to production data.
• Development staff should not access system-level technology or database management systems.
• End users should not have access to production data outside the scope of their normal job duties.
• End users or system operators should not have direct access to program source code.
• Programmers should not be server administrators or database administrators.
• IT departments should be separated from information user departments.
• Functions involving the creation, installation, and administration of software programs should be assigned to different individuals.
• Managers at all levels should review existing and planned processes and systems to ensure proper separation of duties.
• Employees’ access to documents should be limited to those that correspond with their related job tasks.
_________ is an attack in which a user is fooled into entering sensitive data into a malicious website that impersonates a legitimate website.
A. Phishing
B. Pharming
C. SMiShing
D. Spear phishing
Pharming is an attack in which a user is fooled into entering sensitive data (such as a password or credit card number) into a malicious website that impersonates a legitimate website. It is different from phishing in that the attacker in a pharming scheme does not have to rely on having the user click on a link in an email to direct him to the imitation website.