Chapter 15: Computer crime and information technology security

When you finish studying this chapter, you should be able to:
• Explain Carter's taxonomy of computer crime
• Identify and describe business risks and threats to information systems
• Name and describe common types of computer criminals
• Discuss ways to prevent and detect computer crime
• Explain COBIT's information criteria and accountability framework
• Explain how COBIT can be used to strengthen internal controls against computer crime

I. Carter's taxonomy
Target: the computer system or its data is the target of the crime
Instrumentality: the computer is the instrument that furthers a criminal end
Incidental: the computer is not required for the crime but is related to the criminal act (for example, records of an offence kept on a computer)
Associated: the spread of computers creates new versions of traditional crimes

II. Risks and threats to information systems
Fraud: Any illegal act for which knowledge of computer technology is used to commit the offense
Service interruptions and delays: Anything that stops or slows the processing of information
Intrusions: Bypassing security controls or exploiting a lack of adequate controls
Information manipulation: Can occur at virtually any stage of information processing, from input to output

CHAPTER 15 / Page | 1

III. Risks and threats to information systems (continued)
Denial of service attacks: Prevent computer systems and networks from functioning in accordance with their intended purpose
Error: Unintentional mistakes; their causes and impact can vary widely
Disclosure of confidential information: Can have major impacts on an organization's financial health
Information theft: Targets the organization's most precious asset: information
Malicious software: Viruses, Trojan horses, worms, logic bombs
Web site defacements: Digital graffiti; intruders modify the pages a site serves
Extortion: Threat either to reveal information to the public or to launch a prolonged denial of service if demands are not met
IV. Computer criminals
Script kiddies: Inexperienced, often young, attackers who use tools and scripts written by others to attack systems
Hacker: Someone who invades an information system for malicious purposes (the chapter's usage; outside this chapter the word is also used neutrally)
Cyber-criminals: Hackers driven by financial gain
Organized crime: Spamming, phishing, extortion and all other profitable branches of computer crime
Corporate spies: Use computer intrusion techniques to gather a competitor's information
Terrorists: Target the underlying computers and networks of a nation's critical infrastructure
Insiders: May be the largest threat to a company's information systems and underlying computer infrastructure, because they already hold legitimate access

V. Prevention and detection techniques
CIA triad
• Confidentiality
• Data integrity
• Availability
Internal controls
• Physical: locks, security guards, badges, alarms
• Technical: firewalls, intrusion detection, access controls, cryptography
• Administrative: security policy, training, reviews

VI. COBIT framework (3 points of view, 4 domains, 7 information criteria)
Control Objectives for Information and Related Technology
Published by ISACA (Information Systems Audit and Control Association)
• Three points of view
  • Business objectives
  • IT resources
  • IT processes
• Four domains of knowledge
  • Plan and organize
  • Acquire and implement
  • Deliver and support
  • Monitor and evaluate
• Seven information criteria
  • Effectiveness
  • Efficiency
  • Confidentiality
  • Integrity
  • Availability
  • Compliance
  • Reliability of information
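The chapter lists technical controls (intrusion detection, cryptography) and the integrity leg of the CIA triad, and names web site defacement as a threat. The example below ties those together as a small file-integrity monitor: it baselines a web root with keyed SHA-256 digests, then reports files that were modified, added or removed. This is an added illustration, not code from the chapter or from COBIT; the directory layout, file contents, simulated intrusion and the demo key are all constructed for the example.

```python
"""Added example: a minimal file-integrity check, one of the 'technical'
detective controls listed in the chapter. Everything below (file names,
contents, key, simulated intrusion) is constructed for the demo."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def digest_file(path: Path, key: bytes) -> str:
    """HMAC-SHA256 of the file contents, read in chunks.
    Keying the digest means an intruder who can edit files but cannot read
    the key is unable to recompute a matching baseline entry."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: Path, key: bytes) -> dict[str, str]:
    """Map each regular file under root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): digest_file(p, key)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_integrity(root: Path, baseline: dict[str, str], key: bytes) -> dict[str, list[str]]:
    """Compare the tree as it is now against a stored baseline."""
    current = build_baseline(root, key)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed web root, baseline it, simulate a defacement and
    return the findings. The key is hard-coded only for the demo: in practice
    the key and the baseline are kept off the monitored host, otherwise an
    intruder with write access could simply rebuild the baseline."""
    key = b"demo-only-key-keep-off-the-web-server"  # constructed, demo only
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome to Acme</h1>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { color: #333; }")
        baseline = build_baseline(root, key)

        # Simulated intrusion: the home page is defaced, a new file is
        # dropped into the web root, and the stylesheet is deleted.
        (root / "index.html").write_text("<h1>Site defaced</h1>")
        (root / "shell.php").write_text("<?php echo 'dropped file'; ?>")
        (root / "css" / "site.css").unlink()

        return check_integrity(root, baseline, key)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The check is a detective control, not a preventive one: it tells you the page was changed after the fact, so it belongs alongside access controls and a firewall rather than in place of them, and the baseline must be refreshed after every legitimate deployment or each release shows up as a "modification".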