AIS Threats
natural and political disasters
software errors and equipment malfunctions
unintentional acts
intentional acts
types of fraud
misappropriation of assets
fraudulent financial reporting
misappropriation of assets
Theft of company assets which can include physical assets (e.g., cash, inventory) and digital assets (e.g., intellectual property such as protected trade secrets, customer data)
fraudulent financial reporting
“Cooking the books” (e.g., booking fictitious revenue, overstating assets, etc.)
auditors’ responsibilities
understand fraud
discuss the risks of material fraudulent misstatements
obtain information
identify, assess, and respond to risks
evaluate the results of their audit tests
document and communicate findings
incorporate a technology focus
Fraud Triangle
computer fraud classifications
input
processor
computer instruction
data
output
bluebugging
taking control of a phone to make calls, send text messages, listen to calls, or read text messages
bluesnarfing
stealing contact lists, images, and other data using Bluetooth
botnet, bot herders
a network of hijacked computers; use the hijacked computers, called zombies, in a variety of attacks
buffer overflow attack
inputting so much data that the input buffer overflows. The overflow contains code that takes control of the computer
brute force attack
trial-and-error method that uses software to guess information, such as the user ID and the password needed to gain access to a system
caller ID spoofing
displaying an incorrect number on the recipient’s caller ID display to hide the identity of the caller
carding
verifying credit card validity; buying and selling stolen credit cards
chipping
planting a chip that records transaction data in a legitimate credit card reader
click fraud
manipulating the number of times an ad is clicked on to inflate advertising bills
cross-site scripting (XSS) attack
exploits web page security vulnerabilities to bypass browser security mechanisms and create a malicious link that injects unwanted code into a website
cyber-bullying
using computer technology to harm another person
cyber-extortion
requiring a company to pay money to keep an extortionist from harming a computer or a person
cryptocurrency fraud
defrauding investors in a variety of cryptocurrency-related fraud schemes, such as fake initial coin offerings and fake exchanges and wallets
denial-of-service attack
an attack designed to make computer resources unavailable to its users
dictionary attack
software that guesses user IDs and passwords using a dictionary of user IDs and passwords to reduce the number of guesses required
eavesdropping
listening to private voice or data transmissions
economic espionage
the theft of information, trade secrets, and intellectual property
email spoofing
making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source
email threats
sending a threatening message asking recipients to do something that makes it possible to defraud them
evil twin
a wireless network with the same name as another wireless access point. Users unknowingly connect to the evil twin; hackers monitor the traffic looking for useful information
hacking
unauthorized access, modification, or use of an electronic device or some element of a computer system
hijacking
gaining control of someone else’s computer for illicit activities
identity theft
assuming someone’s identity by illegally obtaining confidential information such as a social security number
internet auction fraud
using an internet auction site to commit fraud
internet misinformation
using the internet to spread false or misleading information
internet pump-and-dump fraud
using the internet to pump up the price of a stock and then sell it
IP address spoofing
creating IP packets with a forged IP address to hide the sender’s identity or to impersonate another computer system
keylogger
using spyware to record a user’s keystrokes
Lebanese looping
inserting a sleeve into an ATM so that it will not eject the victim’s card, pretending to help the victim as a means of obtaining his PIN, and using the card and PIN to drain the account
malware
software that is used to do harm
man-in-the-middle (MITM) attack
a hacker placing himself between a client and a host to intercept network traffic; also called session hijacking
masquerading/impersonation
gaining access to a system by pretending to be an authorized user. The impersonator enjoys the same privileges as the legitimate user
packet sniffers
inspecting information packets as they travel across computer networks
password cracking
recovering passwords by trying every possible combination of upper and lower case letters, numbers and special characters and comparing them to a cryptographic hash of the password
pharming
redirecting traffic to a spoofed website to obtain confidential information
phishing or web-page spoofing
communications that request recipients to disclose confidential information by responding to an email or visiting a website
phreaking
attacking phone systems to get free phone access; using phone lines to transmit viruses and to access, steal, and destroy data
piggybacking
clandestine use of someone’s Wi-Fi network
tapping into a communications line and entering a system by latching onto a legitimate user
bypassing physical security controls by entering a secure door when an authorized person opens it
podslurping
using a small device with storage capacity to download unauthorized data from a computer
posing
creating a seemingly legitimate business, collecting personal data while making a sale, and never delivering items sold
pretexting
acting under false pretenses to gain confidential information
ransomware
software that encrypts programs and data until a ransom is paid to remove it
rootkit
software that conceals processes, files, network connections, and system data from the operating system and other programs; can also change the operating system
round-down fraud
truncating interest calculations at two decimal places and placing truncated amounts in the perpetrator’s account
salami technique
stealing tiny slices of money over time
scareware
malicious software of no benefit that is sold using scare tactics
scavenging/dumpster diving
searching for documents and records in garbage cans, communal trash bins, and city dumps to obtain confidential information
sexting
exchanging sexually explicit text messages and pictures, usually by phone
shoulder surfing
watching or listening to people enter or disclose confidential data
skimming
double-swiping a credit card or covertly swiping it in a card reader to record the data for later use
SMS spoofing
using short message service (SMS) to change the name or number a text message appears to come from
social engineering
techniques that trick a person into disclosing confidential information
software piracy
unauthorized copying or distribution of copyrighted software
spamming
sending an unsolicited message to many people at the same time
spoofing
making an electronic communication look like someone else sent it
spyware
software that monitors computing habits and sends that data to someone else, often without the user’s permission
SQL injection attack
inserting a malicious SQL query in input such that it is passed to and executed by an application program
steganography
hiding data inside a host file, such as a large image or sound file
time bomb/logic bomb
software that sits idle until a specified circumstance or time triggers it, destroying programs, data, or both
torpedo software
software that destroys competing malware
trap door/back door
a back door into a system that bypasses normal system controls
trojan horse
unauthorized code in an authorized and properly functioning program
typosquatting/URL hijacking
websites with names similar to real websites; users making typographical errors are sent to a site filled with malware
virus
executable code that attaches itself to software, replicates itself, and spreads to other systems or files. When triggered, it makes unauthorized alterations to the way a system operates
vishing
voice phishing, in which email recipients are asked to call a phone number that asks them to divulge confidential data
war dialing
dialing phone lines to find idle modems to use to enter a system, capture the attached computer, and gain access to its network(s)
war driving
looking for unprotected wireless networks using a car
worm
a program rather than a code segment hidden in a host program. It actively transmits itself to other systems. It usually does not live long but is quite destructive while alive
zero-day attack
attack between the time a software vulnerability is discovered and a patch to fix the problem is released
zombie
a hijacked computer, typically part of a botnet, that is used to launch a variety of Internet attacks
functions of internal controls
preventive controls, detective controls, corrective controls
preventive controls
deter problems from occurring
detective controls
discover problems that are not prevented
corrective controls
identify and correct problems; correct and recover from the problems
levers of control
belief system, boundary system, diagnostic control system, interactive control system
belief system
Help employees understand mission and vision
boundary system
Establishing the boundaries of ethical employee behavior
diagnostic control system
Measures, monitors, and compares actual performance to goals
interactive control system
Focus attention on strategic issues
regulatory background
Foreign Corrupt Practices Act (FCPA)
Sarbanes-Oxley (SOX)
Foreign Corrupt Practices Act (FCPA)
Prevent companies from bribing foreign officials to obtain business
Requires all publicly owned corporations to maintain a system of internal accounting controls.
Sarbanes-Oxley (SOX)
Prevent financial statement fraud.
SOX 404: requires public corporations to get an audit of Internal Control over Financial Reporting (ICFR)
COSO-IC
control environment
risk assessment
control activities
information and communication
monitoring
COSO-ERM
internal environment
objective setting
event identification
risk assessment
risk response
control activities
information and communication
monitoring
COSO-ERM Internal Environment
Management’s philosophy, operating style, and risk appetite
Commitment to integrity, ethical values, and competence
Internal control oversight by Board of Directors
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
Cost Benefit Analysis
Risk is assessed from two perspectives:
Likelihood
Probability that the event will occur
Impact
Estimate potential loss if event occurs
Expected Loss = Impact x Likelihood
Risk Response
reduce
accept
share
avoid
reduce
implement effective internal control
accept
do nothing; accept the likelihood and impact of the risk
share
buy insurance, outsource, or hedge
avoid
do not engage in the activity
control activities
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance
trust services framework