Lecture 8: Information security and computer fraud Flashcards
What is information security management? What is its goal?
- Information security management is an integrated, systematic approach that coordinates people, policies, standards, processes and controls used to safeguard critical systems and information from internal and external security threats
- Goal of information security mgmt. is to protect:
• Confidentiality (making sure info is not accessible to unauthorised individuals or processes);
• Integrity (info is accurate & complete); and
• Availability (info and systems are accessible on demand)
… of a firm’s information
Describe some of the risks related to information security and systems integrity.
Malware (malicious software) is code designed to damage or disrupt computer systems and networks, or to steal data, and it poses risks to information security.
Examples of malware include:
• Viruses: self-replicating programs that run and spread by modifying other programs/files
• Worms: self-replicating, self-propagating and self-contained programs that use network mechanisms to spread themselves
• Trojans: non-self-replicating programs that appear to have a useful purpose but in reality have a different, malicious purpose
• Bots: a collection of software robots that overrun computers to act automatically in response to the bot-herder’s control inputs sent over the internet
• Spyware: software secretly installed on an information system to gather information on individuals or organisations without their knowledge
• Denial-of-service (DoS): the prevention of authorised access to resources or the delaying of time-critical operations
Tutorial 9 Q1:
Explain why encryption is used in the electronic transmission of business documentation
- Encryption is a preventive control providing confidentiality and privacy for data in transmission and in storage.
- It is a technique used in the process of authentication, which is the process that establishes the origin of information or determines the identity of a user, process or device.
- Process: the sender encrypts a challenge message with the receiver’s public key; the receiver decrypts it with their own private key, answers the message and sends the response encrypted with their own private key; the sender decrypts the response with the receiver’s public key and validates the challenge message.
- The process is reversed to authenticate the sender. Either the sender or the receiver then generates a symmetric key (valid for a certain timeframe only) to be used by both parties.
Fraud Triangle
According to the fraud triangle, three conditions exist for a fraud to be perpetrated.
- Incentive/pressure provides a reason to commit fraud
- -> E.g. financial payoff, greed/need to maintain lifestyle, wanting to please a friend, highly competitive industry
- Opportunity for the fraud to be perpetrated
- -> E.g. absence of controls, ineffective controls, or the ability of mgmt. to override controls
- Individuals committing fraud possess an attitude that enables them to rationalise the fraud
- -> E.g. dissatisfaction with the entity/its treatment of employees, so it deserves to be punished; believing that the actions wouldn’t cause detrimental consequences; only borrowing the money temporarily and will return it; it is for the good of others
Possible controls?
- Removing access rights immediately upon employee’s change of position/upon them leaving
- Reviewing authentication requirements
- Appropriate segregation of duties
- Enforcement of documentation practices and back-up procedures
Tutorial 9 Q5:
Describe in general terms how businesses can address the risks related to information confidentiality, integrity and availability (CIA).
Addressing all aspects of a business’s data security:
- Having well-designed systems with embedded internal controls such that the systems process data with integrity
- Use of encryption and authentication
- Conducting a computer fraud risk assessment as part of business’s enterprise risk management program
• A systematic process that assists mgmt. and internal auditors in discovering where and how fraud may occur and who may commit the specific fraud
- Strong IT governance as part of corporate governance, which includes the internal audit function
- Appropriate and well-designed IT General and Application controls
- Having firm policies on IT use in place. Making employees aware of their obligations concerning controls, fraud and misconduct with practical communication and training
- Having in place an ongoing program of Vulnerability Assessment and Management
- Having backup policies and procedures (e.g. uninterruptible power supply) in place to ensure system availability
- Having a disaster recovery plan in place as part of wider business continuity management (identify significant events that may threaten the firm’s operations and outline the procedures that ensure the firm resumes operations smoothly)
Define different types of vulnerabilities
Vulnerabilities are characteristics of IT resources that can be exploited by a threat to cause harm (weaknesses/exposures in IT assets or processes that may lead to business risk, compliance risk or security risk)
Different types of vulnerabilities
- Vulnerabilities within a physical IT environment:
• External parties entering without permission, unauthorised hardware changes (physical intrusion)
• Lack of review of the policy identifying how IT equipment is protected against environmental threats (natural disaster)
• Humidity alarm not in place
• Server room located in basement (water seepage in data centre)
• Insufficient backup power supply (electrical disruptions)
- Vulnerabilities within an information system:
• Outdated intrusion detection/prevention system (System intrusion)
• Work performed not aligned with business requirements, poor choice of password (logical access control failure)
• Improper system configuration (interruption of system)
- Vulnerabilities within process of IT operations:
• Inappropriate data classification rule, poor user access management (unintentional disclosure of sensitive info by employee)
• Not requiring approval prior to deleting sensitive data, poor employee morale (intentional destruction of info)
• Poor firewall rules allowing users to access illegitimate websites (inappropriate end-user computing)