
AIS Final Condensed Notes.pdf

2 Pages

Wilfrid Laurier University
Keith Whelan

FRAUD

Fraud: … advantage over another person.
Elements of Fraud include:
• A false statement, representation or disclosure
• A material fact, which is something that induces a person to act
• An intent to deceive
• A justifiable reliance
• An injury or loss suffered by the victim
Misappropriation of assets is the theft of company assets.
Fraud Triangle—Pressure, Opportunity, Rationalization
Pressure is a person's incentive or motivation for committing fraud:
• Financial pressures such as losses, poor investments
• Emotional pressures such as need for power, job dissatisfaction, fear of losing job, greed
• Lifestyle pressures such as gambling habits, addiction, relationships and family/peer pressure
Opportunity is the condition or situation that allows a person to do three things:
• Commit the fraud
• Conceal the fraud
• … (third item cut off in the source)
Rationalization allows perpetrators to justify their illegal behaviour, rationalizing that they are not hurting anyone.
Computer Fraud is any fraud that requires computer technology knowledge to perpetrate, investigate, or prosecute it.
Computer Fraud Classifications:
• Input Fraud—alter or falsify computer input
• Processor Fraud—unauthorized system use, including the theft of computer time and services
• Computer Instructions Fraud—tampering with company software, copying software illegally, …
• Data Fraud—illegally using, copying, browsing, searching, or harming company data constitutes data fraud
• Output Fraud—preventing forged output

COMPUTER FRAUD AND ABUSE TECHNIQUES

Hacking is the unauthorized access, modification, or use of a computer system.
Hijacking is gaining control of a computer to carry out …
Botnet is a network of powerful and dangerous hijacked computers.
Denial-of-service (DOS) attack is designed to make a resource unavailable to its users.
Spamming is e-mailing or texting an unsolicited message to many people at the same time.
Spoofing: … someone else sent it, to gain the trust of the recipient.
E-mail spoofing is making an e-mail appear as though it originated from a different source.
ARP (Address Resolution Protocol) spoofing is sending fake ARP messages to an Ethernet LAN.
SMS spoofing is using short message service to change …
Cross site scripting (XSS) is a vulnerability in dynamic Web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired Web site.
… (name cut off) is where the amount of data entered into a program is greater than the amount of memory set aside to receive it.
SQL injection attack is where malicious code in the form of … so it can be passed to and executed by an application program.
Man in the middle (MITM) attack places a hacker between a client and a host and intercepts network traffic.
Piggybacking involves the use of a neighbour's WiFi network without permission, tapping into a telecommunications line and latching onto a legitimate user, or an unauthorized person following an authorized person through a secure door.
Password cracking is penetrating a system's defenses, stealing the file containing valid passwords, decrypting them, and using them to gain access to programs, files and data.
War dialing is programming a computer to dial thousands of phone lines searching for dialup modem lines.
Phreaking is attacking phone systems to obtain free phone access, to transmit viruses, and to access, steal and destroy data.
Data diddling is changing data before, during, or after it is entered into the system in order to delete, alter, add, or …
Data leakage is the unauthorized copying of company data.
Salami technique is used to embezzle money a "salami slice" at a time from many different accounts.
Cyber extortion is threatening to harm a company or a person if a specified amount of money is not paid.
… (name cut off): using communication technologies to support deliberate, repeated and hostile behaviour that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.
Internet terrorism is the act of disrupting electronic com…
Internet misinformation is using the Internet to spread false or misleading information.
Internet auction fraud is using an Internet site to defraud …
Internet pump-and-dump fraud is using the Internet to pump up the price of a stock and then selling it.
Software piracy is the unauthorized copying or distribution of …, such as selling a computer with pre-loaded illegal software, installing a single license copy on multiple machines, and loading software on a network server and allowing unrestricted access to it.
… (name cut off): theft of information, trade secrets, intellectual property.
… (name cut off): … usually for economic gain, by illegally obtaining and using confidential information.
Pretexting is using an invented scenario to increase the likelihood that a victim will divulge information or do something.
Posing is creating a seemingly legitimate business, collecting personal information while making a sale, and never …
Phishing is sending an electronic message pretending to be a legitimate company, usually a financial institution, requesting information or verification of information and warning of some dire consequence if it is not provided.
Pharming is redirecting Web site traffic to a spoofed Web site.
Lebanese looping is where the perpetrator inserts a sleeve …
Skimming is double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for …
Malware is any software that can be used to do harm.
Spyware secretly monitors and collects personal information about users and sends it to someone else.
Adware collects information about the user's … and charges for each computer showing its ads. They increase the number of computers with adware by paying shareware developers to bundle the adware with their software.
… (name cut off): … of little or no benefit that is sold using scare tactics.
Ransomware is software which locks you out of your programs and data by encrypting them.
… (name cut off): records a user's keystrokes, e-mails sent and received, and chat session participation.
Trojan Horse is a set of malicious computer instructions in an authorized and otherwise properly functioning program.
Time Bombs and Logic Bombs are Trojan horses that lie idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an …
Packet sniffers capture data from information packets as they travel over networks.
Rootkit conceals processes, files, network connections, … data from the operating system and other programs.
Virus is a segment of self-replicating, executable code that attaches itself to a file or program.
Worm is a computer program similar to a virus, with some exceptions:
• Virus is a segment of code hidden in or attached to a host program or executable file
• A virus requires a human to do something to replicate itself
• Worms harm networks, whereas viruses infect or corrupt files or data on an infected computer

CONTROL AND ACCOUNTING INFORMATION SYSTEMS

Internal Control—the process implemented to provide reasonable assurance that the following control objectives are achieved:
• Safeguard Assets, Records and Data—… detect their unauthorized acquisition, use or disposition
• Maintain records in sufficient detail to report company assets accurately and fairly
• Provide accurate and factual information
• Prepare financial reports in accordance with established criteria
• Promote and improve operational efficiency
• Encourage adherence to prescribed managerial policies
• Comply with applicable laws and regulations
Three important functions of internal controls:
• Preventive controls—deter problems before they arise
• Detective controls—discover problems not prevented
• Corrective controls—identify and correct problems and …
Internal controls are often segregated into two categories:
• General controls—make sure an organization's control environment is stable and well managed
• Application controls—make sure transactions are processed correctly; concerned with the accuracy, … captured, entered, processed, stored, transmitted to other systems
COBIT Framework is a framework that consolidates standards from 36 different sources into a single framework:
• Business Objectives
• IT resources
• … organization, acquisition and implementation, delivery and support, and monitoring and evaluation
Basic Management Activities as defined by COBIT:
• Plan and organize
• Acquire and implement
• Deliver and support
• Monitor and evaluate
COSO's Internal Control Model
• Control environment—members of the organization …
• Control activities—policies and procedures ensure that … to address risks and objectives are effectively carried out
• Risk assessment—organization must identify, analyze and manage its risks
• Information and communication—capture and exchange the information needed to conduct, manage and control the organization's operations
• Monitoring—entire process must be monitored, and … as necessary
Internal Environment consists of the following:
• Management's philosophy, operating style, and risk appetite
• The board of directors
• Commitment to integrity, ethical values, and competence
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards
• External influences
Objective Setting
• … mission, support it, and create shareholder value
• Operations objectives, which deal with the effectiveness and efficiency of company operations, determine how to allocate resources
• Reporting objectives help ensure the accuracy, completeness … of company reports
Risk Assessment and Risk Response
Inherent Risk—exists before management takes any steps to control the likelihood or impact of an event.
Residual Risk—what remains after management implements controls or some other response to risk.
Risk Responses:
• Reduce—reduce the likelihood and impact of risk
• Accept—accept the likelihood and impact of risk
• Share—share risk or transfer it to someone else
• Avoid—avoid risk by not engaging in the activity that produces the risk
Control Activities are policies and procedures that provide reasonable assurance that control objectives are met and risk responses are carried out.
Proper Authorization of Transactions and Activities—management lacks the time and resources to supervise each company activity and decision.
Segregation of duties: no one person has too much responsibility over business transactions or policies. Separate the following functions:
• Authorization—approving transactions and decisions
• Recording—preparing source documents; entering data into online systems; maintaining files, journals; and preparing reconciliations and performance reports
• Custody—handling cash, tools, inventory, or fixed assets
Safeguard assets, records and data:
• Create and enforce appropriate policies and procedures
• Maintain accurate records of all assets
• Restrict access to assets
• Protect records and documents
Project Development and Acquisition Controls—
• Steering committee guides and oversees systems development
• Strategic master plan is developed and updated yearly
• Project development plan shows the tasks to be performed and who will perform them
• Data processing schedule shows when each task should be performed
• Measurements are established to evaluate the system
• Post-implementation review is performed after a development project is completed
Information and Communication—relates to the primary … (…, summarize, and communicate); understand how transactions are initiated, data are captured, files are accessed and updated, data are processed, and information is reported.
Monitoring
• Implement effective supervision
• Use responsibility accounting systems
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits
• Employ a computer security officer and a chief compliance officer
• Engage forensic specialists
• Install fraud detection software

SYSTEMS RELIABILITY—INFORMATION SECURITY

Achieving the organization's business and governance objectives requires adequate controls over IT resources to ensure that information satisfies key criteria:
• Effectiveness—information must be relevant and timely
• Efficiency—information must be produced in a cost-effective manner
• Confidentiality—sensitive information must be protected …
• Integrity—information must be complete, accurate, valid
• Availability—information must be available whenever needed
• Compliance—controls must ensure compliance with internal policies and with external legal and regulatory requirements
• Reliability—management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities
Trust Services Framework
• Security—access to the system and its data is controlled and managed, restricted to legitimate users
• Confidentiality—sensitive organizational information …
• Privacy—personal information is collected, used, disclosed and maintained only in compliance …
• Processing integrity—data processed accurately …
• … information … meet obligations
Security as a Management Issue
• Create and foster a pro-active, "security aware" culture
• Inventory and value the organization's information resources
• Assess risks and select a risk response
• Develop and communicate security plans, policies and procedures
• Acquire and deploy information security technologies and products
• Monitor and evaluate the effectiveness of the organization's …
Defense in Depth and Time-Based Model
• Typically involves the use of a combination of preventive, detective and corrective controls
• Goal of the time-based model of security is to employ a combination of detective and corrective controls that identify an information security incident early enough …