Lecture Accounting information systems: Chapter 11 - Richardson, Chang, Smith

Chapter 11: Information Security and Computer Fraud

Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.


Learning Objectives

LO#1 Describe the risks related to information security and systems integrity.
LO#2 Understand the concepts of encryption and authentication.
LO#3 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
LO#4 Define vulnerabilities, and explain how to manage and assess vulnerabilities.
LO#5 Explain issues in system availability,




LO# 1

Integrity and Information Security

Since 2003, information security management has been ranked as the top technology issue for CPAs.

According to the AICPA, information security management is “an integrated, systematic approach that coordinates people, policies, standards, processes, and controls used to safeguard critical systems and information from internal and external security threats.”

The goal of information security management is to protect the confidentiality, integrity and availability (CIA) of a firm’s information.

- Confidentiality – information is not accessible to unauthorized individuals or processes.
- Integrity – information is accurate and complete, and is changed only by authorized users and processes.
- Availability – information and the systems that process it are accessible to authorized users when needed.


LO# 2

Encryption and Authentication

Encryption is a preventive control providing confidentiality and privacy for data transmission and storage.

There are two algorithmic schemes that encode plaintext into non-readable form, or ciphertext:

Symmetric-key encryption
- fast and suitable for encrypting large data sets.
- both the sender and the receiver use the same key to encrypt and decrypt messages.
- managing one key for each pair of users is not cost-effective given the large number of users among firms: n users need n(n-1)/2 distinct pairwise keys.

Asymmetric-key encryption
- each user has a key pair: a public key that can be distributed freely and a private key that must never be shared; what one key encrypts, only the other can decrypt.
- slow and not appropriate for encrypting large data sets.


LO# 2

Encryption and Authentication

Combination of the two methods:
1. Both the sender and receiver use the asymmetric-key encryption method to authenticate each other.
2. Either the sender (or the receiver) generates a symmetric key (called a session key because it is valid for a certain timeframe only) to be used by both parties. The bulk data is then encrypted with the fast symmetric algorithm, and only the short session key needs to be protected with the slow asymmetric one.


LO# 2

Digital Signature

A digital signature is a message digest (MD) of a document (or data file) that is encrypted using the document creator’s private key. (In practice the “encryption” is a dedicated signing operation such as RSA-PSS, which pads the digest before applying the private key; the slide describes the textbook model.)

Digital signatures can:
- Ensure data integrity
- Prevent repudiation of transactions

Key factors in asymmetric-key encryption:
- Certificate Authority (CA)
- digital certificate
- public key infrastructure (PKI)



LO# 2

Digital Signature Process

Process:
1. Both the sender (A) and receiver (B) use the asymmetric-key encryption method to authenticate each other.
2. A makes a copy of the document and uses SHA-256 to hash the copy and get an MD.
3. A encrypts the MD using A’s private key to get A’s digital signature.
4. A uses B’s public key to encrypt the original document and A’s digital signature (for confidentiality).
5. A sends the encrypted package to B.
6. B receives the package and decrypts it using B’s private key. B now has the document and A’s digital signature.
7. B decrypts A’s digital signature using A’s public key to get the sent-over MD. B then hashes the received document with SHA-256 and compares the result with the sent-over MD: if the two match, the document was not altered in transit (integrity), and B has also authenticated that A is the document creator (to assure nonrepudiation), because only A’s private key could have produced a signature that A’s public key decrypts to the correct MD.
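The exchange on slides 11-5 to 11-7 (hybrid session-key encryption plus the digital signature process), as an added example written for this page in Go with only the standard library; it is not code from the textbook. Two caveats a practitioner should know: RSA can only encrypt a message shorter than its key, so step 4 (encrypting the whole document with B’s public key) is implemented the way slide 11-5 describes, with A sealing the document and signature under a fresh AES session key and wrapping only that key with B’s public key; and signing uses RSA-PSS rather than literally “encrypting the MD”, with verification recomputing the SHA-256 digest of the received document and checking the signature against it, the comparison that step 7 leaves implicit. The document text, the names A and B, the 2048-bit demo keys, and the `Package`, `Seal` and `Open` names are assumptions made for the example; step 1 (mutual authentication) is represented by B’s signature check, which is how B authenticates A here.

```go
package main
import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is what A sends to B (slide steps 4-5): the session key wrapped with B's public key, and "signature || document" sealed with AES-256-GCM.
type Package struct {
	WrappedKey, Nonce, Sealed []byte
}

// NewParty makes a demo 2048-bit RSA key pair (constructed for this example).
func NewParty() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Sign is steps 2-3: SHA-256 the document to get the MD, then sign the MD with the creator's private key (RSA-PSS, the padded form of "encrypting the MD").
func Sign(creator *rsa.PrivateKey, doc []byte) ([]byte, error) {
	md := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, creator, crypto.SHA256, md[:], nil)
}

// Verify completes step 7: recompute the MD of what was received and check the signature against it with A's public key; nil means intact and created by A.
func Verify(creator *rsa.PublicKey, doc, sig []byte) error {
	md := sha256.Sum256(doc)
	return rsa.VerifyPSS(creator, crypto.SHA256, md[:], sig, nil)
}

// Seal is A's side. RSA cannot encrypt a whole document, so as on slide 11-5 A makes a
// fresh session key, seals signature || document with AES-GCM, and wraps only the key.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, doc []byte) (*Package, error) {
	sig, err := Sign(sender, doc)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 32+12) // AES-256 session key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, sig...), doc...)
	return &Package{wrapped, nonce, gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Open is B's side (steps 6-7): unwrap the session key with B's private key, decrypt,
// split off A's signature (exactly sender.Size() bytes) and verify it with A's public key.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, p *Package) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, p.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key unwrap failed: wrong recipient key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, p.Nonce, p.Sealed, nil)
	if err != nil {
		return nil, errors.New("package modified in transit (GCM tag mismatch)")
	}
	n := sender.Size()
	if len(plain) < n || Verify(sender, plain[n:], plain[:n]) != nil {
		return nil, errors.New("signature invalid: document altered or not created by sender")
	}
	return plain[n:], nil
}

func main() {
	a, b := NewParty(), NewParty()
	pkg, err := Seal(a, &b.PublicKey, []byte("Invoice 4711: pay 12,500.00 to vendor 99-123")) // constructed
	if err != nil {
		panic(err)
	}
	got, err := Open(b, &a.PublicKey, pkg)
	fmt.Printf("B recovered %q (err=%v)\n", got, err)
}
```

Because the signature travels inside the AES-GCM ciphertext, a single flipped bit in the package is rejected by the GCM tag before any signature check runs; a valid package signed with someone else’s private key, or a document changed after signing, fails at `Verify` instead. Both failure paths return an error rather than a partially trusted document.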


LO# 3

Computer Fraud and Abuse

The International Professional Practices Framework (the IIA’s IPPF) of the Institute of Internal Auditors (IIA) defines fraud as: “Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force.”

According to the fraud triangle, three conditions exist for a fraud to be perpetrated:
- Incentive: a pressure or motive that provides a reason to commit fraud.
- Opportunity: a weakness in controls that allows the fraud to be perpetrated.
- Rationalization: the individuals committing the fraud possess an attitude that enables them to rationalize the fraud.



LO# 3

Computer Fraud Risk Assessment

Global Technology Audit Guides (GTAG®)

Common computer frauds:
- The theft, misuse, or misappropriation of assets by altering computer-readable records and files.
- The theft, misuse, or misappropriation of assets by altering the logic of computer software.
- The theft or illegal use of computer-readable information.
- The theft, corruption, illegal copying, or intentional destruction of computer software.
- The theft, misuse, or misappropriation of computer hardware.

Risk assessment steps:
- Identifying relevant IT fraud risk factors.
- Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.

LO# 3

Computer Fraud Schemes

For each phase of the system development life cycle: the scenario that occurred, and the oversight that made it possible.

Requirements Definition Phase
Scenario:
- 195 illegitimate drivers’ licenses are created and sold by a police communications officer who accidentally discovers she can create them.
Oversights:
- Lack of authentication and role-based access control requirements.
- Lack of segregation of duties.

System Design Phase
Scenario:
- A special function to expedite handling of cases allows two caseworkers to pocket $32,000 in kickbacks.
- An employee realizes there is no computerized control in his firm’s system, so he enters and profits from $20 million in fake health insurance claims.
Oversights:
- Insufficient attention to security details in automated workflow processes.
- Lack of consideration for security vulnerabilities posed by authorized system access.

System Implementation Phase
Scenario:
- An 18-year-old former Web developer uses backdoors he inserted into his code to access his former firm’s network, spam its customers, alter its applications, and ultimately put the firm out of business.
Oversights:
- Lack of code reviews.

System Deployment Phase
Scenario:
- A computer technician uses his unrestricted access to customers’ systems to plant a virus on their networks that brings the customers’ systems to a halt.
- A software engineer intentionally did not document or back up his source code, and then deleted the only copy of the source code once the system was in production.
Oversights:
- Lack of enforcement of documentation practices and back-up procedures.
- Unrestricted access to all customers’ systems.

System Maintenance Phase
Scenario:
- A foreign currency trader covers up losses of $691 million over a five-year period by making unauthorized changes to the source code.
- A logic bomb sits undetected for six months before finally performing a mass deletion of data at a telecommunications firm.
Oversights:
- Lack of code reviews.
- End-user access to source code.
- Ineffective back-up processes.


LO# 3

Computer Fraud Prevention and Detection

A fraud prevention program starts with a fraud risk assessment across the entire firm, performed by management, taking into consideration the firm’s critical business divisions, processes, and accounts.

A fraud detection program should include an evaluation by internal auditors of the effectiveness of business processes, along with an analysis of transaction-level data to obtain evidence on the effectiveness of internal controls and to identify indicators of fraud risk or actual fraudulent
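As an added example of the transaction-level analysis described above (written for this page, not part of the textbook), the Go program below tests a constructed set of transactions against two controls whose absence appears in the fraud schemes table: segregation of duties (whoever entered a transaction must not approve it) and role-based access control (only users holding the approver role may approve). It then ranks the users involved by the value of the transactions they touched, so the auditor follows the money rather than the raw count of findings. The transaction rows, user names, approver set, and the `Transaction`, `Finding`, `Analyze` and `Exposure` names are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Transaction is one row of transaction-level data: who entered it, who
// approved it, and the amount. The rows used in main are constructed.
type Transaction struct {
	ID, EnteredBy, ApprovedBy string
	Amount                    float64
}

// Finding is one control violation: the transaction, the control it breaks,
// and the user responsible for the approval.
type Finding struct {
	TxID, Control, User string
}

// Analyze tests every approved transaction against two controls whose absence
// appears in the fraud schemes table: SoD (the user who entered a transaction
// must not also approve it) and RBAC (only users in approvers may approve).
func Analyze(txs []Transaction, approvers map[string]bool) []Finding {
	var out []Finding
	for _, tx := range txs {
		if tx.ApprovedBy == "" {
			continue // still pending: neither control applies yet
		}
		if tx.ApprovedBy == tx.EnteredBy {
			out = append(out, Finding{tx.ID, "SoD", tx.ApprovedBy})
		}
		if !approvers[tx.ApprovedBy] {
			out = append(out, Finding{tx.ID, "RBAC", tx.ApprovedBy})
		}
	}
	return out
}

// Exposure totals the value of flagged transactions per approving user and
// returns the users ordered by that total (highest first). A transaction with
// two findings is counted once.
func Exposure(txs []Transaction, findings []Finding) []string {
	flagged := map[string]bool{}
	for _, f := range findings {
		flagged[f.TxID] = true
	}
	total := map[string]float64{}
	for _, tx := range txs {
		if flagged[tx.ID] {
			total[tx.ApprovedBy] += tx.Amount
		}
	}
	users := make([]string, 0, len(total))
	for u := range total {
		users = append(users, u)
	}
	sort.Slice(users, func(i, j int) bool { return total[users[i]] > total[users[j]] })
	return users
}

func main() {
	approvers := map[string]bool{"bob": true, "carol": true} // RBAC: who may approve
	txs := []Transaction{ // constructed sample data
		{"T1", "alice", "bob", 1200},    // clean: entered by alice, approved by an approver
		{"T2", "carol", "carol", 50000}, // carol approves her own entry (SoD)
		{"T3", "dave", "dave", 9800},    // dave self-approves and is not an approver (SoD + RBAC)
		{"T4", "alice", "erin", 300},    // erin approves without the approver role (RBAC)
		{"T5", "bob", "", 75},           // pending
	}
	findings := Analyze(txs, approvers)
	for _, f := range findings {
		fmt.Printf("%s: %s violation by %s\n", f.TxID, f.Control, f.User)
	}
	fmt.Println("review order by exposure:", Exposure(txs, findings))
}
```

On the sample data the program reports four findings (T2 SoD, T3 SoD, T3 RBAC, T4 RBAC) and orders the review carol, dave, erin. In a real engagement the approver set would come from the system’s role assignments and the rows from the transaction log, and the same two loops scale to millions of rows because each row is examined once.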


LO# 4

Vulnerability Assessment and Management

Types of vulnerabilities within a physical IT environment (threat, followed by the vulnerabilities that expose the firm to it):

Physical intrusion
- External parties entering facilities without permission and/or providing access information
- Unauthorized hardware changes

Natural disasters
- No regular review of a policy that identifies how IT equipment is protected against environmental threats
- Inadequate or outdated measures for environmental threats

Excessive heat or humidity
- Humidity alarm not in place
- Outdated devices not providing information on temperature and humidity levels

Water seepage in a data center
- Server room located in the basement
- Clogged water drain

Electrical disruptions or blackouts
- Insufficient backup power supply
- No voltage stabilizer

Examples of vulnerabilities within an information system:

System intrusion (e.g., spyware, malware, etc.)
- Software not patched immediately
- Open ports on a main server without router access
- Outdated intrusion detection/prevention system

Logical access control failure
- Work performed not aligned with business requirements
- Poor choice of password
- Failure to terminate unused accounts in a timely manner

Interruption of a system
- Improper system configuration and customization
- Poor monitoring of service level agreements (SLAs) with service providers


LO# 4

Vulnerability Assessment and Management

Examples of vulnerabilities within the processes of IT operations (threat, followed by the vulnerabilities that expose the firm to it):

Social engineering, or unintentional disclosure of sensitive information by an employee
- Employee training not providing information about social engineering attempts
- Inappropriate data classification rules
- Poor user access management allows some users to retrieve sensitive information not pertaining to their roles and responsibilities

Intentional destruction of information
- Not requiring approval prior to deleting sensitive data
- Poor employee morale
- Writable disk drive containing data which must not be deleted, such as transaction logs

Inappropriate end-user computing
- Ineffective training as to the proper use of computers
- End-user computing policy has not been reviewed
- Poor firewall rules allowing users to access illegitimate websites


LO# 4

An Overall Framework for Vulnerability Assessment and Management

Prerequisites:
1. Determine the main objectives of vulnerability management, as the firm’s resources for managing vulnerabilities are limited.
2. Assign roles and responsibilities for vulnerability management.


LO# 4

An Overall Framework for Vulnerability Assessment and Management

Main components:

VULNERABILITY ASSESSMENT
I. Identification
- IT Asset Inventory
- Threat Identification
- Vulnerability Identification
II. Risk Assessment
- Vulnerability Assessment
- Vulnerability Prioritization

VULNERABILITY MANAGEMENT
III. Remediation
- Risk Response Plan
- Policy and Requirements
- Control Implementation
IV. Maintenance
- Monitoring
- Ongoing Assessment
- Continuous Improvement


LO# 5

Availability, Disaster Recovery and Business Continuity

A key component of IT service delivery and support is making sure the data is available at all times or, at a minimum, in the moment it is needed. Controls that support availability include:
- Uninterruptible power supply
- Fault tolerance
- Virtualization or cloud computing


LO# 5

Availability, Disaster Recovery and Business Continuity

Disaster recovery planning (DRP) identifies significant events that may threaten a firm’s operations and outlines the procedures that ensure the firm resumes operations smoothly if such an event occurs.

Business continuity management (BCM) refers to the activities required to keep a firm running during a period of interruption of normal operations.