AIS 6 - AIS

Course: Accountancy (B113)
Academic year: 2020/2021

AIS 6: Information Security and Computer Fraud

Progress check:

  1. What are the general goals of information security? The general goals of information security are to safeguard critical systems and to maintain confidentiality, integrity, and availability of information from internal and external security threats.

  2. Give an example of social engineering. Social engineering is an attempt to trick someone into revealing information, such as a password, that can then be used to attack systems or networks. For example, a hacker may find the phone number of a salesperson on the company’s website. The hacker then pretends to be one of the IT staff working at the helpdesk and calls the salesperson to ask for the salesperson’s password in order to “fix” a problem with accessing certain files. If the salesperson gives his or her password to the hacker, the hacker can obtain access to the company’s network.

  3. Can we use the symmetric-key encryption method to authenticate users? Why? We cannot use the symmetric-key encryption method to authenticate users because both the sender and the receiver are using the same key. This method does not provide a unique key for each user when transmitting information among different parties.

  4. What is a digital signature? Why do we need it? A digital signature is a message digest encrypted using the sender’s private key. We use a digital signature to achieve two purposes. The main purpose is to maintain data integrity. The second purpose is to authenticate the sender. If the receiver can use the sender’s public key to decrypt the digital signature, the receiver authenticates the sender. The receiver compares the calculated message digest with the sent-over message digest to confirm data integrity.

  5. Given your understanding of computer fraud, do you think it happens often? Why or why not? Computer fraud includes a variety of illegal acts that involve a computer or network. If the internal control of a company is not adequate, the wide use of technologies, computers, and other electronic devices in the business world provides an environment for frequent occurrences of computer fraud.

  6. Use the fraud triangle to explain one of the fraud schemes. Scenario one: The loose access control of the company’s information system provided the employee with an opportunity to obtain confidential information after leaving the position (opportunity). The associate lured the employee into disclosing the confidential information for his business by offering her financial benefits (pressure). The employee committed the identity theft. She rationalized her behavior: because her position had changed, she was no longer responsible for keeping employees’ account information confidential (rationalization).

  7. Search over the Internet to find a recent computer fraud scheme. Given the scenario, identify the oversights of the firm. A phishing attack hit Prisma Health in November 2018. The attack gave hackers unauthorized access to several employee email accounts. An investigation into the data breach determined that 23,811 patients’ personal health information was exposed, including names, health insurance information, Social Security numbers, and financial information.

  8. Search the internet to find additional definitions of vulnerability. The Internet Engineering Task Force (IETF) defines vulnerability as a flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy. The European Network and Information Security Agency (ENISA) defines vulnerability as the existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the computer system, network, application, or protocol involved. The Committee on National Security Systems of the United States of America defines vulnerability as a weakness in an IS, system security procedures, internal controls, or implementation that could be exploited.

  9. Search the internet to find examples of recent cases for each type of vulnerability presented in Figures 14, 14, and 14. Examples for each type of vulnerability:

     a) Vulnerabilities in the physical IT system. Threat: fire. Vulnerabilities:

     • Nonsensitive automatic fire detection response systems
     • Improper storage of combustible materials
     • Use of malfunctioning heating devices
     • Insufficient training of people about fire prevention and reaction

     b) Vulnerabilities in an information system. Threat: system intrusion. Vulnerabilities:

     • No virus scanner on each computer

     c) Vulnerabilities within the process of IT operations. Threat: unintentional deletion of information. Vulnerabilities:

     • Employee mistakes caused by inadequate training about operation
     • Lack of a backup of data and information

Multiple-choice questions:

  1. (CPA exam, adapted) An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?
     a. Internal control policy
     b. System hardware policy
     c. System security policy
     d. Disaster recovery plan
     e. Supply chain management policy

  2. A message digest is the result of hashing. Which of the following statements about the hashing process is true?
     a. It is reversible.
     b. Comparing the hashing results can ensure confidentiality.
     c. Hashing is the best approach to make sure that two files are identical.
     d. None of the above is true.

  3. Which one of the following vulnerabilities would create the most serious risk to a firm?
     a. Using open source software (downloaded for free) on the firm’s network
     b. Employees recording passwords in Excel files
     c. Employees writing instant messages with friends during office hours
     d. Unauthorized access to the firm’s network

  4. Which of the following statements is correct?
     a. A spam will send a network packet that appears to come from a source other than its actual source. (spoofing)
     b. Multi-factor authentication is less secure than requiring a user always entering a password to access a network. (more secure)
     c. Fault tolerance uses redundant units to provide a system with the ability to continue functioning when part of the system fails.
     d. SOC 1 reports provide the evaluations on a broader set of controls implemented by the service provider. (SOC 2 & 3)

  5. Which of the following can be considered as a good alternative to back up data and applications?
     a. Continuous monitoring
     b. Disaster recovery planning
     c. Business continuity management
     d. Cloud computing

  6. A digital certificate:
     a. is used to certify public-key and private-key pairs.
     b. is a trusted entity to certify and revoke Certificate Authorities (CA).
     c. indicates that the subscriber identified has sole control and access to the private key.
     d. ensures that the symmetric-key encryption method functions well.

  7. The symmetric-key encryption method:
     a. is slow.
     b. is not appropriate for encrypting large data sets.
     c. solves problems in key distribution and key management.
     d. uses the same key for both senders and receivers for encryption and decryption.

  8. The fraud triangle indicates which of the following condition(s) exist for a fraud to be perpetrated?
     a. Rationalization
     b. Pressure
     c. Legal environment
     d. Only a and b are correct.
     e. a, b, and c are correct.

  9. To prevent repudiation in conducting e-business, companies must be able to authenticate their trading partners. Which of the following encryption methods can be used for authentication purposes?
     a. Symmetric-key encryption method
     b. Asymmetric-key encryption method
     c. Both symmetric-key and asymmetric-key encryption methods are good for authentication

  10. Regarding GDPR, which of the following statements is/are correct?
     a. It is a regulation enforced by the EU.
     b. It is to protect EU citizens’ personal data.
     c. It is not relevant to the companies in the United States.
     d. a and b are correct.
     e. a, b, and c are all correct.

  11. Which organization created the Reporting on an Entity’s Cybersecurity Risk Management Program and Controls: Attestation Guide in 2017?
     a. SEC
     b. AICPA
     c. U.S. Congress
     d. Department of Homeland Security

  12. Business continuity management is a:
     a. preventive control.
     b. detective control.
     c. corrective control.
     d. Two of the above are correct.

  13. Encryption is a:
     a. preventive control.
     b. detective control.
     c. corrective control.
     d. Two of the above are correct.

  14. What is fault tolerance?
     a. A policy allowing employees to make mistakes
     b. Using redundant units to continue functioning when a system is failing
     c. An application that can detect mistakes and correct mistakes automatically
     d. Two of the above are correct.

  15. Comparing encryption with hashing,
     a. the hashing process is reversible.
     b. encryption is used to ensure data integrity.
     c. hashing results are large data.
     d. encryption results are called ciphertext.

Discussion questions:

(3) What is the goal of each of the general security objectives (e.g., confidentiality, integrity, availability, access control)? Why should a company care about these?

Information security is a crucial factor that an entity considers in upholding the integrity of its system. It is achieved through information security management, which seeks to ensure that users can make use of the system’s functions without their identity, personal information, and other sensitive records being compromised. The general security objectives of information security management are keeping the confidentiality, integrity, and availability of an entity’s information. Confidentiality dictates that information should not be accessible to unauthorized individuals or processes. The integrity objective ensures that information is accurate and complete. The availability objective ensures that information needed in decision-making is available in a timely manner to individuals who have authorized access.

Considering the rapid advancement of technology, companies are exposed to diverse IT risks and attacks from internal and external parties. This is why an information security system is needed to safeguard information from parties within and outside the entity. Confidential information kept in the entity’s information system may be made public or stolen if the entity maintains a weak information security system. Thus, the company should ensure that there are enough resources to support and maintain a strong one. For instance, its employees, in connivance with its competitors, may break into the system to extract sensitive information about its customers. This may reveal the entity’s vulnerabilities and consequently affect its business performance. Aside from the effect on the entity’s operations, it may face lawsuits from its customers, which may result in large penalty charges. Hence, to prevent these internal and external threats from adversely affecting an entity’s financial management and operating performance, and to ensure compliance with laws and regulations concerning data privacy, an entity must maintain a strong information security system that protects users and achieves its goals of maintaining confidentiality, integrity, and availability of information without disrupting the productivity of its operations.

(6) What are the differences between authentication and authorization?

Authentication and authorization are two vital information security processes that administrators use to protect systems and information. Authentication verifies the identity of a user or service, and authorization determines their access rights.

Authentication is the process of verifying that someone or something is who they say they are. Technology systems typically use some form of authentication to secure access to an application or its data. For example, when you need to access your Google account, you usually have to enter your username and password. The system then compares the username and password you entered with the record it holds in its database. If the information you submitted matches, the system assumes you are a valid user and grants you access. Authorization, on the other hand, determines what resources a user can access, and it always takes place after authentication.

With a strong authentication and authorization strategy in place, organizations can consistently verify who every user is and what they have access to do—preventing unauthorized activity that poses a serious threat. By ensuring all users properly identify themselves and access only the resources they need, organizations can maximize productivity, while strengthening their security at a time when data breaches are robbing businesses of their revenue and their reputation.
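The login flow described above, as an added example that is not part of the original answers: a constructed user store with salted PBKDF2 password hashes for the authentication step, and a hypothetical role-to-permission table for the authorization step, which runs only after authentication succeeds.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a slow salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def add_user(store: dict, username: str, password: str, roles: set) -> None:
    """Create a record: per-user random salt, password hash, assigned roles."""
    salt = secrets.token_bytes(16)
    store[username] = {"salt": salt, "hash": hash_password(password, salt), "roles": roles}


def authenticate(store: dict, username: str, password: str) -> bool:
    """Authentication: does the submitted password match the stored record?
    Unknown users still go through a hash and a constant-time compare, so the
    caller cannot tell whether the name or the password was wrong."""
    record = store.get(username)
    salt = record["salt"] if record else b"\x00" * 16
    candidate = hash_password(password, salt)
    return record is not None and hmac.compare_digest(candidate, record["hash"])


# Hypothetical authorization policy: which roles may perform which action on which resource.
PERMISSIONS = {
    ("ledger", "read"): {"accountant", "auditor"},
    ("ledger", "post_entry"): {"accountant"},
    ("payroll", "read"): {"hr"},
}


def authorize(store: dict, username: str, resource: str, action: str) -> bool:
    """Authorization: given an already-authenticated user, may they do this?"""
    roles = store.get(username, {}).get("roles", set())
    return bool(roles & PERMISSIONS.get((resource, action), set()))


def access(store: dict, username: str, password: str, resource: str, action: str) -> str:
    """Authorization always follows authentication; a failed login never reaches the policy check."""
    if not authenticate(store, username, password):
        return "denied: authentication failed"
    if not authorize(store, username, resource, action):
        return "denied: not authorized"
    return "granted"
```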

(7) Explain how to use the asymmetric-key encryption method to maintain confidentiality in transmitting a business document electronically.

The asymmetric-key encryption method is critical in e-business because it can prevent repudiation while conducting transactions online. It is used to maintain confidentiality in distributing the session key where the sender uses the receiver’s public key to encrypt the session key and sends it to the receiver. The receiver then uses his or her own private key to decrypt to get the session key.

Asymmetric encryption can be used both for encrypting data and for digitally signing data. With a digital signature, if the receiver can use the sender’s public key to decrypt the digital signature, the receiver authenticates the sender. The receiver then compares the calculated message digest with the sent-over message digest to confirm data integrity, which also serves the purpose of assuring nonrepudiation. This is unlike the symmetric-key method, where both the sender and the receiver use the same key to encrypt and decrypt messages.

(8) What are the differences between asymmetric- and symmetric-key encryption, and when is each used?

Symmetric-key encryption is fast and suitable for encrypting large data sets or messages. However, key distribution and key management are problematic because both the sender and the receiver use the same key to encrypt and decrypt messages. For example, if a firm has many employees and trading partners at different geographical locations, it is very difficult to always distribute keys in a secure way. In addition, managing one key for each pair of users, which results in exponential growth of the number of keys for each additional party, is not cost-effective given the large number of users among the firms.

Asymmetric-key encryption is slow and is not appropriate for encrypting large data sets. However, because each user has a pair of two keys—the public key and the private key—asymmetric-key encryption solves problems in key distribution and key management. It is critical in e-business because it can prevent repudiation while conducting transactions online.

(9) How can data integrity be ensured when conducting e-business? Why is it critical to e-business?

Digital signatures can ensure data integrity. A digital signature is a message digest of a document that is encrypted using the document creator’s (the sender’s) private key. We use digital signatures to achieve two purposes: to maintain data integrity and to authenticate the sender. If the receiver can use the sender’s public key to decrypt the digital signature, the receiver authenticates the sender. The receiver compares the calculated message digest with the sent-over message digest to confirm data integrity, which also serves the purpose of assuring nonrepudiation.

Given the significant attributes of a digital signature which are maintaining data integrity and authenticating the document, it serves a critical role in e-business: No one can record an electronic transaction and then later say that he or she had nothing to do with it.
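The session-key exchange from question (7) and the sign-and-verify steps from question (9), carried through in code. This is an added example, not part of the original answers: it uses a toy RSA built from two fixed primes and a toy XOR stream cipher (both constructed here, not from any library), so the key sizes are far too small for real use, and the document bytes are constructed sample input.

```python
import hashlib
import secrets

# Toy RSA from two fixed Mersenne primes so the block runs offline with the
# standard library only. Real deployments use 2048-bit+ keys and padding
# (OAEP for encryption, PSS for signatures); this models only the mechanics.
P, Q = 2**31 - 1, 2**61 - 1          # both prime; n = P*Q is about 92 bits
E = 65537

def make_keypair():
    """Return (public, private): public = (n, e), private = (n, d)."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse (Python 3.8+)
    return (n, E), (n, d)

def stream_cipher(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 keystream. Same key encrypts and decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def send_confidential(document: bytes, receiver_public):
    """Sender: encrypt the document with a fresh session key (fast, symmetric),
    then wrap that session key with the receiver's public key (key distribution)."""
    n, e = receiver_public
    session_key = secrets.randbelow(n - 1) + 1      # 1 <= key < n, fits in 12 bytes
    wrapped_key = pow(session_key, e, n)            # only the receiver's private key unwraps it
    return wrapped_key, stream_cipher(session_key.to_bytes(12, "big"), document)

def receive_confidential(wrapped_key: int, ciphertext: bytes, receiver_private) -> bytes:
    """Receiver: unwrap the session key with the private key, then decrypt the body."""
    n, d = receiver_private
    session_key = pow(wrapped_key, d, n)
    return stream_cipher(session_key.to_bytes(12, "big"), ciphertext)

def digest_int(document: bytes, n: int) -> int:
    """Message digest (SHA-256) reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(document: bytes, sender_private) -> int:
    """Digital signature = message digest encrypted with the sender's private key."""
    n, d = sender_private
    return pow(digest_int(document, n), d, n)

def verify(document: bytes, signature: int, sender_public) -> bool:
    """Receiver decrypts the signature with the sender's public key and compares it with
    a freshly computed digest: a match confirms integrity and authenticates the sender."""
    n, e = sender_public
    return pow(signature, e, n) == digest_int(document, n)
```

Because the same fixed primes are used for every call, the block models one key pair; in practice sender and receiver each hold their own.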
