Chapter 15 Computer crime and information technology security

advertisement
Chapter 15
Computer crime and information technology security
When you finish studying this chapter, you should be able to:

Explain Carter’s taxonomy of computer crime

Identify and describe business risks and threats to information systems

Name and describe common types of computer criminals

Discuss ways to prevent and detect computer crime

Explain COBIT’s information criteria and accountability framework

Explain how COBIT can be used to strengthen internal controls against computer crime
I.
Carter’s taxonomy

Target: targets the system or its data

Instrumentality: computer furthers a criminal end

Incidental: computer is not required for the crime but is related to the criminal act

Associated: new versions of traditional crimes
II.

Risks and threats to information systems
Fraud: Any illegal act for which knowledge of computer technology is used to commit the
offense

Service interruptions and delays: Delay in processing information

Intrusions: Bypassing security controls or exploiting a lack of adequate controls

Information manipulation: Can occur at virtually any stage of information processing from input
to output
CHAPTER 15 / Page | 1
III.

Risks and threats to information systems
Denial of service attacks: Prevent computer systems and networks from functioning in
accordance with their intended purpose

Error: Can vary widely

Disclosure of confidential information: Can have major impacts on an organization's financial
health

Information theft: Targets the organization's most precious asset: information

Malicious software: Virus, Trojan horse, worms, logic bombs

Web site defacements: Digital graffiti where intruders modify pages

Extortion: Threat to either reveal information to the public or to launch a prolonged denial of
service if demands are not met
IV.

Computer criminals
Script kiddies: Young inexperienced hacker who uses tools and scripts written by others for the
purpose of attacking systems

Hacker: Someone who invades an information system for malicious purposes

Cyber-criminals: Hackers driven by financial gain

Organized crime: Spamming, phishing, extortion and all other profitable branches of computer
crime

Corporate spies: Computer intrusion techniques to gather information

Terrorists: Target the underlying computers and networks of a nation’s critical infrastructure

Insiders: May be the largest threat to a company’s information systems and underlying
computer infrastructure
CHAPTER 15 / Page | 2
V.


VI.
Prevention and detection techniques
CIA triad
•
Confidentiality
•
Data integrity
•
Availability
Internal controls
•
Physical: locks, security guards, badges, alarms
•
Technical: firewalls, intrusion detection, access controls, cryptography
•
Administrative: security policy, training, reviews
COBIT framework (3 + 4 = 7)
Control Objectives for Information and Related Technology
Published by Information Systems Audit and Control Association (ISACA)
•
Three points of view
• Business objectives
• IT resources
• IT processes
•
Four domains of knowledge
• Plan and organize
• Acquire and implement
• Deliver and support
• Monitor and evaluate

Seven information criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability of information
CHAPTER 15 / Page | 3
Download