Chapter 11: Information Security and Computer Fraud
Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Learning Objectives
• LO#1 Describe the risks related to information security and systems integrity.
• LO#2 Understand the concepts of encryption and authentication.
• LO#3 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
• LO#4 Define vulnerabilities, and explain how to manage and assess vulnerabilities.
• LO#5 Explain issues in system availability, disaster recovery, and business continuity.
11-2
LO# 1
Integrity and Information Security
• Since 2003, information security management has been ranked as the top technology issue for CPAs.
• According to the AICPA, information security management is “an integrated, systematic approach that coordinates people, policies, standards, processes, and controls used to safeguard critical systems and information from internal and external security threats.”
• The goal of information security management is to protect the confidentiality, integrity and availability (CIA) of a firm’s information.
– Confidentiality – information is not accessible to unauthorized individuals or processes
– Integrity – information is accurate and complete
– Availability – information and systems are accessible on demand
LO# 2
Encryption and Authentication
Encryption is a preventive control providing confidentiality and privacy for data transmission and storage.
There are two algorithmic schemes that encode plaintext into a non-readable form, or ciphertext:
• Symmetric-key encryption
– fast and suitable for encrypting large data sets.
– both the sender and the receiver use the same key to encrypt and decrypt messages.
– managing one key for each pair of users is not cost-effective given the large number of users among firms.
• Asymmetric-key encryption
– slow and not appropriate for encrypting large data sets.
– since each user has a key pair, a public key and a private key, asymmetric-key encryption solves the problems of key distribution and key management.
– A common name for asymmetric-key encryption is public-key encryption or two-key encryption.
Authentication is a process that establishes the origin of information or determines the identity of a user, process, or device.
LO# 2
Encryption and Authentication
Combination of the two methods:
1. Both the sender and receiver use the asymmetric-key encryption method to authenticate each other.
2. Either the sender or the receiver generates a symmetric key (called a session key because it is valid for a certain timeframe only) to be used by both parties.
3. Use the asymmetric-key encryption method to distribute the session key. (For example, the sender uses the receiver’s public key to encrypt the session key and sends it to the receiver. The receiver uses his/her own private key to decrypt it and obtain the session key.)
4. After both parties have the session key, use the session key to transmit confidential data/information, because symmetric-key encryption is faster for data transmission.
LO# 2
Digital Signature
A digital signature is a message digest (MD) of a document (or data file) that is encrypted using the document creator’s private key.
• Digital signatures can:
– Ensure data integrity
– Prevent repudiation of transactions
• Key factors in asymmetric-key encryption:
– Certificate Authority (CA)
– Digital certificate
– Public key infrastructure (PKI)
LO# 2
Digital Signature Process
Process:
1. Both the sender (A) and receiver (B) use the asymmetric-key encryption method to authenticate each other.
2. A makes a copy of the document and uses SHA-256 to hash the copy and get an MD.
3. A encrypts the MD using A’s private key to get A’s digital signature.
4. A uses B’s public key to encrypt the original document and A’s digital signature (for confidentiality).
5. A sends the encrypted package to B.
6. B receives the package and decrypts it using B’s private key. B now has the document and A’s digital signature.
7. B decrypts A’s digital signature using A’s public key to get the sent-over MD. B also authenticates that A is the document creator (to assure nonrepudiation).
8. B makes a copy of the received document and uses SHA-256 to hash the copy and get a calculated MD.
9. If the sent-over MD is the same as the calculated MD, B ensures data integrity (no changes were made to the document).
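Steps 2 to 9 above, worked in Python as an added example that is not from the textbook: it uses SHA-256 from the standard library and a toy textbook-RSA key pair built on fixed Mersenne primes so it runs without third-party packages; `make_keypair`, `rsa_apply`, `send`, `receive` and the sample payment document are constructed for this illustration.

```python
import hashlib

# Toy textbook RSA on fixed Mersenne primes: standard library only, illustration-grade keys.
E = 65537

def make_keypair(p, q):
    """Return (public, private) as ((e, n), (d, n)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def rsa_apply(m, key):
    """One modular exponentiation: encrypt, decrypt, sign and verify all use it."""
    k, n = key
    if not 0 <= m < n:
        raise ValueError("textbook RSA needs 0 <= message < modulus")
    return pow(m, k, n)

def to_int(data):
    return int.from_bytes(data, "big")

def send(document, a_private, b_public):
    """Steps 2-5: A hashes the document, signs the MD with A's private key, then
    encrypts document and signature under B's public key for confidentiality."""
    md = hashlib.sha256(document).digest()              # step 2: message digest
    signature = rsa_apply(to_int(md), a_private)        # step 3: A's digital signature
    return (rsa_apply(to_int(document), b_public),      # step 4: encrypt for B
            rsa_apply(signature, b_public))

def receive(package, b_private, a_public):
    """Steps 6-9: B decrypts, recovers the sent-over MD with A's public key,
    recomputes the MD and compares. Returns (document, integrity_ok)."""
    doc_int, signature = (rsa_apply(c, b_private) for c in package)  # step 6
    document = doc_int.to_bytes((doc_int.bit_length() + 7) // 8, "big")
    sent_md = rsa_apply(signature, a_public)            # step 7: only A's key fits
    calculated_md = to_int(hashlib.sha256(document).digest())        # step 8
    return document, sent_md == calculated_md           # step 9

def demo():
    """Honest exchange succeeds; a substituted document or a non-A signer fails."""
    a_public, a_private = make_keypair(2**521 - 1, 2**127 - 1)
    b_public, b_private = make_keypair(2**607 - 1, 2**89 - 1)
    document = b"Approve payment of $32,000 to vendor 4471"  # constructed sample
    package = send(document, a_private, b_public)
    received, ok = receive(package, b_private, a_public)
    # Document replaced in transit: the recomputed MD no longer matches the signed one.
    altered = rsa_apply(to_int(b"Approve payment of $320,000 to vendor 4471"), b_public)
    _, altered_ok = receive((altered, package[1]), b_private, a_public)
    # Signed by someone other than A: verifying with A's public key yields garbage.
    impostor_private = make_keypair(2**521 - 1, 2**89 - 1)[1]
    _, forged_ok = receive(send(document, impostor_private, b_public), b_private, a_public)
    return received == document and ok and not altered_ok and not forged_ok
```

Because the document is hashed before signing, the receiver detects both an altered document and a signature that was not produced with A's private key, which is the integrity and nonrepudiation property the slide describes.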
LO# 3
Computer Fraud and Abuse
The International Professional Practices Framework (the IIA’s IPPF) of the Institute of Internal Auditors (IIA) defines fraud as: “Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force.”
According to the fraud triangle, three conditions exist for a fraud to be perpetrated:
• Incentive: provides a reason to commit fraud
• Opportunity: allows the fraud to be perpetrated
• Rationalization: the individuals committing the fraud possess an attitude that enables them to rationalize the fraud
LO# 3
Computer Fraud Risk Assessment
Global Technology Audit Guides (GTAG®)
Common computer frauds:
• The theft, misuse, or misappropriation of assets by altering computer-readable records and files.
• The theft, misuse, or misappropriation of assets by altering the logic of computer software.
• The theft or illegal use of computer-readable information.
• The theft, corruption, illegal copying, or intentional destruction of computer software.
• The theft, misuse, or misappropriation of computer hardware.
Risk Assessment Steps:
• Identifying relevant IT fraud risk factors.
• Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
• Mapping existing controls to potential fraud schemes and identifying gaps.
• Testing operating effectiveness of fraud prevention and detection controls.
• Assessing the likelihood and business impact of a control failure and/or a fraud incident.
LO# 3
Computer Fraud Schemes
Fraud scenarios and the oversights that enabled them, by system life-cycle phase (Phase | Scenario | Oversights):

Requirements Definition Phase
Scenario:
- 195 illegitimate drivers’ licenses are created and sold by a police communications officer who accidentally discovers she can create them.
Oversights:
- Lack of authentication and role-based access control requirements.
- Lack of segregation of duties.

System Design Phase
Scenarios:
- A special function to expedite handling of cases allows two caseworkers to pocket $32,000 in kickbacks.
- An employee realizes there is no computerized control in his firm’s system, so he enters and profits from $20 million in fake health insurance claims.
Oversights:
- Insufficient attention to security details in automated workflow processes.
- Lack of consideration for security vulnerabilities posed by authorized system access.

System Implementation Phase
Scenario:
- An 18-year-old former Web developer uses backdoors he inserted into his code to access his former firm’s network, spam its customers, alter its applications, and ultimately put the firm out of business.
Oversight:
- Lack of code reviews.

System Deployment Phase
Scenarios:
- A computer technician uses his unrestricted access to customers’ systems to plant a virus on their networks that brings the customers’ systems to a halt.
- A software engineer intentionally did not document or back up his source code, and then deleted the only copy of the source code once the system was in production.
Oversights:
- Lack of enforcement of documentation practices and back-up procedures.
- Unrestricted access to all customers’ systems.

System Maintenance Phase
Scenarios:
- A foreign currency trader covers up losses of $691 million over a five-year period by making unauthorized changes to the source code.
- A logic bomb sits undetected for six months before finally performing a mass deletion of data at a telecommunications firm.
Oversights:
- Lack of code reviews.
- End-user access to source code.
- Ineffective back-up processes.
LO# 3
Computer Fraud Prevention and Detection
A fraud prevention program starts with a fraud risk assessment across the entire firm, performed by management and taking into consideration the firm’s critical business divisions, processes, and accounts.
A fraud detection program should include an evaluation by internal auditors of the effectiveness of business processes, along with an analysis of transaction-level data to obtain evidence on the effectiveness of internal controls and to identify indicators of fraud risk or actual fraudulent activities.
LO# 4
Vulnerability Assessment and Management
Types of vulnerabilities within a physical IT environment (threats and the vulnerabilities that expose the firm to them):
Physical intrusion
– External parties entering facilities without permission and/or providing access information
– Unauthorized hardware changes
Natural disasters
– No regular review of a policy that identifies how IT equipment is protected against environmental threats
– Inadequate or outdated measures for environmental threats
Excessive heat or humidity
– Humidity alarm not in place
– Outdated devices not providing information on temperature and humidity levels
Water seepage in a data center
– Server room located in the basement
– Clogged water drain
Electrical disruptions or blackouts
– Insufficient backup power supply
– No voltage stabilizer
Examples of vulnerabilities within an information system (threats and their vulnerabilities):
System intrusion (e.g., spyware, malware, etc.)
– Software not patched immediately
– Open ports on a main server without router access
– Outdated intrusion detection/prevention system
– Work performed not aligned with business requirements
Logical access control failure
– Poor choice of password
– Failure to terminate unused accounts in a timely manner
– Improper system configuration and customization
Interruption of a system
– Poor monitoring of service level agreements (SLAs) with service providers
LO# 4
Vulnerability Assessment and Management
Examples of vulnerabilities within the processes of IT operations (threats and their vulnerabilities):
Social engineering
– Employee training not providing information about social engineering attempts
Unintentional disclosure of sensitive information by employee
– Inappropriate data classification rule
– Poor user access management allows some users to retrieve sensitive information not pertaining to their roles and responsibilities
Intentional destruction of information
– Not requiring approval prior to deleting sensitive data
– Poor employee morale
– Writable disk drive containing data which shall not be deleted, such as transaction logs
Inappropriate end-user computing
– Ineffective training as to the proper use of computers
– End-user computing policy has not been reviewed
– Poor firewall rules allowing users to access illegitimate websites
LO# 4
An Overall Framework for Vulnerability Assessment and Management
Prerequisites:
1. Determine the main objectives of the firm’s vulnerability management, since its resources for managing vulnerabilities are limited.
2. Assign roles and responsibilities for vulnerability management.
LO# 4
An Overall Framework for Vulnerability Assessment and Management
Main components:
VULNERABILITY ASSESSMENT
I. Identification
– IT asset inventory
– Threat identification
– Vulnerability identification
II. Risk Assessment
– Vulnerability assessment
– Policy and requirements
– Vulnerability prioritization
VULNERABILITY MANAGEMENT
III. Remediation
– Risk response plan
– Control implementation
IV. Maintenance
– Monitoring
– Ongoing assessment
– Continuous improvement
LO# 5
Availability, Disaster Recovery and Business Continuity
• A key component of IT service delivery and support is making sure the data is available at all times or, at a minimum, at the moment it is needed.
• Uninterruptible power supply
• Fault tolerance
• Virtualization or cloud computing
LO# 5
Availability, Disaster Recovery and Business Continuity
• Disaster recovery planning (DRP) identifies significant events that may threaten a firm’s operations and outlines the procedures that ensure the firm resumes operations smoothly should such an event occur.
• Business continuity management (BCM) refers to the activities required to keep a firm running during a period of interruption of normal operations.