Chapter 5: Cybersecurity, Risk Management, and Financial Crime


Information Technology for Management

• Chapter 5: Cybersecurity, Risk Management, and Financial Crime

Prepared by Dr. Derek Sedlack, South University

Copyright © 2015 John Wiley & Sons, Inc. All rights reserved.
Learning Objectives
• The Face and Future of Cyberthreats
• Cyber Risk Management
• Mobile, App, and Cloud Security
• Defending against Fraud
• Compliance and Internal Control
Chapter 5

The Face and Future of Cyberthreats

Figure 5.3 Number of reported data record breaches worldwide, 2009-2013.

Chapter 5

The Face and Future of Cyberthreats


• Understanding the Scope of Breaches
– Adobe: 152 million users' account information
– eBay: up to 145 million records
– Michaels: 2.6 million payment card numbers and
expiration dates
– Target: 110 million records
– Ubisoft: 58 million records

Chapter 5

The Face and Future of Cyberthreats


• Negligence
– Management is not doing enough to defend against
cyberthreats and appears detached from the value of
confidential data (even at high-tech companies).
– The CIA and FBI have been hacked – nobody is safe.
– Critical infrastructure is increasingly under attack:
commercial facilities, defense industrial base,
transportation systems, national monuments and icons,
banking and finance, and agriculture and food.

Critical infrastructures are systems and assets so vital to
government that their incapacity or destruction would have a
debilitating effect.

Chapter 5

The Face and Future of Cyberthreats


• Battling Cyberthreats
– Distributed Denial-of-Service (DDoS) attacks use
remote machines (thousands or millions) to send
requests that keep an organization from providing a
service over the Internet, or that crash a network or
website.
– Hackers, crime syndicates, militant groups,
industrial spies, disgruntled employees, and hostile
governments are some of the groups actively trying to
gain profit or fame, take revenge, promote an ideology,
wage warfare, terrorize, or disable targets.

Chapter 5

The Face and Future of Cyberthreats


• Vulnerabilities
– Social Engineering (human hacking): tricking users,
or abusing human social norms, to gain advantage
over a system or asset (illicitly or otherwise), such
as gaining access to networks or accounts.
– Bring Your Own Device (BYOD): employees providing
their own (mobile) devices for business purposes,
which reduces expenses by cutting purchase and
maintenance costs.

Chapter 5

The Face and Future of Cyberthreats


• Advanced Persistent Threats (APT)
– Profit-motivated cybercriminals often operate in
stealth mode to continue long-term activities.
– Hackers and hacktivists, commonly with personal
agendas, carry out high-profile attacks to further
their cause.
– LulzSec, Anonymous, Combined Systems, Inc., and
CIA find poorly secured websites, steal information,
and may post it online.

Chapter 5

The Face and Future of Cyberthreats

Cybersecurity Objectives:
• Prevent attacks
• Compliance
• Detect, diagnose, and respond in real time
• Secure and legal sharing
• Acceptable policies
• Internal controls
• Availability while restricting access
• Disaster recovery
Chapter 5

The Face and Future of Cyberthreats


1. Why was 2013 dubbed the “Year of the Breach”?
2. What causes or contributes to data breaches?
3. Why are cybercriminals so successful?
4. What was the biggest data breach in history?
5. Describe the basic method of a distributed denial-of-service
(DDoS) attack.
6. What is a critical infrastructure? List three types of critical
infrastructures.
7. What are the motives of hacktivists?
8. What is the number one cause of data loss or breaches?
9. Why is social engineering a technique used by hackers to gain
access to a network?
10. What are two BYOD security risks?
11. Explain why APT attacks are difficult to detect.
12. What are the objectives of cybersecurity?

Chapter 5

Cyber Risk Management

Data and Information Systems Security

1: Confidentiality
2: Integrity
3: Availability

Three objectives of data and information systems security.

Chapter 5

Cyber Risk Management

Figure 5.6 Basic IT security concepts.

Chapter 5

Cyber Risk Management


• Attack Vectors
– Entry points for malware, hackers, hacktivists, and
organized crime including gaps, holes, weaknesses, flaws
that expose an organization to intrusions or other attacks
in:
• Corporate networks
• IT security defenses
• User training
• Policy enforcement
• Data storage
• Software
• Operating systems
• Applications
• Mobile devices

Chapter 5

Cyber Risk Management


• Contract Hacker
– Industrialized method of committing cybercrime:
• Operations
• Workforces
• Support services

Chapter 5

Cyber Risk Management


• Password Vulnerabilities
– Weak passwords are guessable, short, common,
proper nouns or names, or a word in the dictionary:
• 123456
• password
– Strong passwords contain upper- and lowercase
letters, numbers, and extended characters
(!@#$%^...) and are at least 8 characters long:
• Ur_x&e-w.5h
• =p9M4&x!f26&zR

Chapter 5

Cyber Risk Management


• Password Vulnerabilities
– It is hard to remember randomly formatted strong
passwords, so passphrases may help:

I have worked on [system] at IBM since [date]

converts into

IhWo_OS2_aIBMs2008!

– The system and date are variables that add complexity
to an otherwise simple phrase that someone can
actually remember.
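The rules on the two password slides above, applied in code. This is an added example and not part of the lecture deck: it checks a candidate against the slide's criteria (at least 8 characters, upper- and lowercase letters, numbers, extended characters, not a common or dictionary word) and reports which criteria fail. COMMON_WORDS is a constructed stand-in for a real dictionary or breached-password list; the slide's ad-hoc passphrase-to-password conversion is not automated here, its result is simply evaluated like the other examples.

```python
import string

# Constructed stand-in for a dictionary / common-password list (hypothetical;
# a real checker would load a large word list).
COMMON_WORDS = {"123456", "password", "qwerty", "letmein", "welcome", "admin"}

# "Extended characters" in the slide's sense: !@#$%^ and the rest of ASCII punctuation.
EXTENDED = set(string.punctuation)

MIN_LENGTH = 8


def password_issues(pw: str) -> list:
    """Return the reasons a password fails the slide's strong-password rules.

    An empty list means the password satisfies all of them.
    """
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append("shorter than %d characters" % MIN_LENGTH)
    if pw.lower() in COMMON_WORDS:
        issues.append("common password or dictionary word")
    if not any(c.isupper() for c in pw):
        issues.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        issues.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        issues.append("no digit")
    if not any(c in EXTENDED for c in pw):
        issues.append("no extended character (!@#$%^...)")
    return issues


def is_strong(pw: str) -> bool:
    """True when the password meets every rule on the slide."""
    return not password_issues(pw)


if __name__ == "__main__":
    # The slide's weak and strong examples plus its passphrase-derived password.
    for candidate in ["123456", "password", "Ur_x&e-w.5h",
                      "=p9M4&x!f26&zR", "IhWo_OS2_aIBMs2008!"]:
        if is_strong(candidate):
            verdict = "strong"
        else:
            verdict = "weak: " + ", ".join(password_issues(candidate))
        print("%-22s %s" % (candidate, verdict))
```

Length and character-class rules are necessary but not sufficient: a password built from a known word with predictable substitutions passes them, which is why the common-word check is kept separate from the composition checks.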

Chapter 5

Cyber Risk Management


• Phishing
– Deceptive method of stealing confidential
information by pretending to be a legitimate
organization or trusted source, like John Wiley &
Sons, Inc.
– Messages include links to fraudulent phish websites
that look like the real one.
– When the user clicks the link to the phish site, or a
link on the phish site, they are prompted for
confidential information such as credit card numbers,
social security numbers, account numbers, or
passwords.

Chapter 5

Cyber Risk Management


Defense-in-Depth

Figure 5.8 IT security defense-in-depth model.

Chapter 5

Cyber Risk Management


• Threat Modeling
– Unintentional threats:
• Human Error
• Environmental Hazards
• Computer System Failures
– Intentional threats:
• Theft
• Inappropriate Use
• Deliberate Manipulation
• Strikes, Riots, or Sabotage
• Malicious Damage,
• Destruction
• Miscellaneous Abuses

Chapter 5

Cyber Risk Management


• Malware
– A computer program or code that can infect anything
attached to the Internet that is able to process code;
it can propagate, or spread, to other machines or
devices, and replicate, or make copies of itself.
– Common types: worms, viruses, Trojans, rootkits,
botnets, keyloggers, and backdoors.

Chapter 5

Cyber Risk Management


• Malware Reinfection, Signatures, Mutations, and
Variants
1. Malware is captured in backups or archives.
Restoring the infected backup or archive also
restores the malware.
2. Malware infects removable media.
3. Most antivirus (AV) software relies on signatures to
identify and then block malware.
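Points 1 and 3 above together, as an added example that is not from the textbook: a scan of a constructed backup archive using a hash signature (matches one exact file) and a byte-pattern signature (matches a family). The file contents, signature names and archive layout are all constructed for the example and involve no real malware. It shows why a variant that differs by a single byte slips past a whole-file hash while a pattern signature still catches it, and why an archive should be scanned before it is restored.

```python
import hashlib

# Constructed byte strings standing in for files; none is real malware.
KNOWN_SAMPLE = b"MZ\x90\x00demo-sample-v1\x00payload-bytes"
VARIANT = KNOWN_SAMPLE + b"\x00"          # same code with one padding byte appended
CLEAN_FILE = b"MZ\x90\x00ordinary-program\x00"

# Constructed "backup archive": path -> contents. Scanning it before restore
# addresses point 1 on the slide (malware captured in backups).
BACKUP_ARCHIVE = {
    "reports/q1.doc": CLEAN_FILE,
    "tools/helper.exe": KNOWN_SAMPLE,
    "tools/helper2.exe": VARIANT,
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash signatures identify one exact file; pattern signatures identify a byte
# sequence shared by a malware family. Both databases are constructed here.
HASH_SIGNATURES = {sha256(KNOWN_SAMPLE): "Demo.Sample.v1"}
PATTERN_SIGNATURES = {b"demo-sample-v1": "Demo.Sample"}


def scan_by_hash(data: bytes):
    """Return the signature name if the whole-file hash is known, else None."""
    return HASH_SIGNATURES.get(sha256(data))


def scan_by_pattern(data: bytes):
    """Return the signature name if a known byte pattern occurs in the file, else None."""
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_archive(archive: dict) -> dict:
    """Scan every file in an archive with both methods before it is restored.

    Returns {path: (hash_result, pattern_result)}.
    """
    return {path: (scan_by_hash(data), scan_by_pattern(data))
            for path, data in archive.items()}


if __name__ == "__main__":
    for path, (by_hash, by_pattern) in scan_archive(BACKUP_ARCHIVE).items():
        print("%-20s hash=%s pattern=%s" % (path, by_hash, by_pattern))
```

The run shows tools/helper.exe caught by both methods, tools/helper2.exe (the one-byte variant) caught only by the pattern, and the clean file by neither. Pattern signatures age too, which is why production AV layers behavioural detection on top; the lesson for backups is simply that a restore job must go through the same scanner as a download.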

Chapter 5

Cyber Risk Management


• Data tampering
– A common means of attack that is overshadowed by
other types of attacks.
– Refers to an attack during which someone enters
false or fraudulent data into a computer, or changes
or deletes existing data.
– Data tampering is extremely serious because it may
not be detected; it is the method often used by
insiders and fraudsters.

Chapter 5

Cyber Risk Management


• Botnets
– A botnet is a collection of bots, which are malware-
infected computers.
– Those infected computers, called zombies, can be
controlled and organized into a network of zombies
on the command of a remote botmaster (also called
bot herder).

Chapter 5

Cyber Risk Management


• Spear Phishing
– Spear phishers often target select groups of people
with something in common.
– Tricks users into opening an infected e-mail.
– The e-mails sent look like the real thing.
– Confidential information is extracted through
seemingly legitimate website requests for passwords,
user IDs, PINs, account numbers, and so on.

Chapter 5

Cyber Risk Management


• IT Defenses
– Antivirus Software: designed to detect malicious
code and prevent users from downloading it.
– Intrusion Detection Systems (IDSs): As the name
implies, an IDS scans for unusual or suspicious
traffic (passive defense).
– Intrusion Prevention Systems (IPSs): An IPS is
designed to take immediate action—such as
blocking specific IP addresses—whenever a traffic-
flow anomaly is detected (active defense).
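The passive/active distinction between an IDS and an IPS, as an added example rather than the deck's own material: a sliding-window request-rate monitor replayed over constructed web-server log lines. In ids mode it only records an alert and lets the request through; in ips mode it also blocks the source address for the rest of the session. The threshold (more than 5 requests in any 1-second window), the log format and the IP addresses are assumptions made for this example.

```python
from collections import Counter, defaultdict, deque

# Constructed web-server log lines: "<timestamp> <source-ip> <method> <path>".
# 198.51.100.7 sends eight requests in 0.35 s; 203.0.113.5 is a normal client.
SAMPLE_LOG = """\
1000.00 198.51.100.7 GET /login
1000.05 198.51.100.7 GET /login
1000.10 203.0.113.5 GET /index.html
1000.10 198.51.100.7 GET /login
1000.15 198.51.100.7 GET /login
1000.20 198.51.100.7 GET /login
1000.25 198.51.100.7 GET /login
1000.30 198.51.100.7 GET /login
1000.35 198.51.100.7 GET /login
1001.50 203.0.113.5 GET /about.html
"""


class RateMonitor:
    """Flags a source that exceeds max_requests within any window_seconds span.

    mode="ids": passive, record an alert and let the request through.
    mode="ips": active, block the source for the rest of the session.
    """

    def __init__(self, max_requests=5, window_seconds=1.0, mode="ids"):
        self.max_requests = max_requests
        self.window = window_seconds
        self.mode = mode
        self.history = defaultdict(deque)   # src_ip -> timestamps inside the window
        self.blocked = set()
        self.alerts = []                    # (timestamp, src_ip, requests in window)

    def process(self, ts: float, src_ip: str) -> str:
        """Return the decision for one request: 'allow', 'alert', or 'block'."""
        if src_ip in self.blocked:
            return "block"
        recent = self.history[src_ip]
        recent.append(ts)
        while recent and ts - recent[0] >= self.window:   # expire old timestamps
            recent.popleft()
        if len(recent) > self.max_requests:
            self.alerts.append((ts, src_ip, len(recent)))
            if self.mode == "ips":
                self.blocked.add(src_ip)
                return "block"
            return "alert"
        return "allow"


def run_log(log_text: str, mode: str) -> Counter:
    """Replay log lines through a monitor and count the decisions taken."""
    monitor = RateMonitor(mode=mode)
    decisions = Counter()
    for line in log_text.splitlines():
        ts, src_ip, _method, _path = line.split()
        decisions[monitor.process(float(ts), src_ip)] += 1
    return decisions


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, dict(run_log(SAMPLE_LOG, mode)))
```

Both modes flag the same traffic; the difference is only in what happens next, which is also why an IPS threshold must be tuned more carefully than an IDS one: a false positive in ids mode costs an analyst a few minutes, in ips mode it cuts off a legitimate client.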

Chapter 5

Cyber Risk Management


1. What are threats, vulnerabilities, and risk?
2. Explain the three components of the CIA triad.
3. What is an attack vector? Give an example.
4. What is an exploit? Give an example.
5. What is a contract hacker?
6. Give an example of a weak password and a strong password.
7. How are phishing attacks done?
8. What are the four steps in the defense-in-depth IT security model?
9. Define and give an example of an unintentional threat.
10. Define and give an example of an intentional threat.
11. List and define three types of malware.
12. What are the risks caused by data tampering?
13. Define botnet and explain its risk.
14. Explain spear phishing.
15. What are the functions of an IDS and IPS?

Chapter 5

Mobile, App, and Cloud Security


• CLOUD COMPUTING AND SOCIAL NETWORK RISKS
– Provide a single point of failure and attack for
organized criminal networks.
– Critical, sensitive, and private information is at risk,
and like previous IT trends, such as wireless
networks, the goal is connectivity, often with little
concern for security.
– As social networks increase their services, the gap
between services and information security also
increases.

Chapter 5

Mobile, App, and Cloud Security


• Patches and Service Packs
– When new vulnerabilities are found in operating
systems, applications, or wired and wireless
networks, patches are released by the vendor or
security organization.
– Service packs are used to update an operating
system and fix its vulnerabilities.

Chapter 5

Mobile, App, and Cloud Security


• Consumerization of Information Technology (COIT)
– Practices that move enterprise data and IT assets to
employees’ mobiles and the cloud, creating a new
set of tough IT security challenges.
– Widely used apps sometimes operate outside of the
organization’s firewall.
– Enterprises take risks with BYOD practices that they
never would consider taking with conventional
computing devices.

Chapter 5

Mobile, App, and Cloud Security


• New Attack Vectors
– BYOD: Hackers steal secrets from employees’
mobile devices without a trace.
– New vulnerabilities are created when personal and
business data and communications are mixed
together.
– All cybersecurity controls can be rendered useless
by an employee-owned device.
– Unacceptable delays or additional investments may
be caused by unsupported devices.

Chapter 5

Mobile, App, and Cloud Security


• Mobile Biometrics
– Voice Patterns
– Fingerprint Analysis

Chapter 5

The Face and Future of Cyberthreats


• Mobile Computing Responses
– Rogue app monitoring is detecting and destroying
malicious apps "in the wild", and may include the
major app stores.
– If infected, lost, or stolen, mobile devices can be
equipped with a "kill switch", a means of erasing
their memory remotely called remote wipe
capability.

Chapter 5

The Face and Future of Cyberthreats


• Do-Not-Carry!
– U.S. companies, government agencies, and
organizations may impose rules that assume mobile
technologies will inevitably be compromised:
• Only “clean” devices are allowed to be brought
inside
• Devices are forbidden from connecting while
abroad
• Some individuals carry no electronics on trips for
compliance

Chapter 5

Business Process Management and Improvement

1. How do social networks and cloud computing increase
vulnerability?
2. Why are patches and service packs needed?
3. What is consumerization of information technology
(COIT)?
4. Why does BYOD raise serious and legitimate areas of
concern?
5. What are two types of mobile biometrics?
6. Explain rogue app monitoring.
7. Why is a mobile kill switch or remote wipe capability
important?
8. What are the purposes of do-not-carry rules?

Chapter 5

Defending against Fraud


• CRIME
– Violent crime involves physical threat or harm.
– Nonviolent crime uses deception, confidence, and
trickery, abusing the power of one's position or
taking advantage of the trust, ignorance, or laziness
of others; this is otherwise known as fraud.
• FRAUD
– Occupational fraud refers to the deliberate misuse
of the assets of one's employer for personal gain.

Chapter 5

Defending against Fraud

• Internal Controls
• Internal Audit

Chapter 5

Defending against Fraud


• Intelligent Analysis
– Uses insider profiling to find wider patterns of
criminal networks.
• Anomaly Detection
– Audit trails from key systems and personnel records
are used to detect anomalous patterns, such as
excessive hours worked, deviations in patterns of
behavior, copying huge amounts of data, attempts
to override controls, unusual transactions, and
inadequate documentation about a transaction.
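The anomaly-detection bullet above, worked as an added example (not code from the textbook): constructed daily audit-trail records are checked for three of the red flags the slide lists, excessive hours worked, copying unusually large amounts of data relative to the employee's own baseline, and attempts to override controls. The record layout, the employee names and the thresholds are assumptions made for this example.

```python
from collections import defaultdict
from statistics import median

# Constructed daily audit-trail records:
# (employee, date, hours_worked, megabytes_copied, override_attempts)
AUDIT_TRAIL = [
    ("alice", "2015-03-02", 8.0, 40, 0),
    ("alice", "2015-03-03", 8.5, 35, 0),
    ("alice", "2015-03-04", 7.5, 50, 0),
    ("alice", "2015-03-05", 14.0, 9000, 2),   # long day, bulk copy, override attempts
    ("bob", "2015-03-02", 9.0, 120, 0),
    ("bob", "2015-03-03", 8.0, 100, 0),
    ("bob", "2015-03-04", 8.0, 110, 0),
    ("bob", "2015-03-05", 8.0, 130, 0),
]


def detect_anomalies(records, max_hours=12.0, copy_multiplier=10.0):
    """Return (employee, date, reason) for each red flag found in the audit trail.

    Rules (the thresholds are assumptions for this example):
      - hours_worked above max_hours                       -> "excessive hours"
      - megabytes_copied above copy_multiplier x the
        employee's own median daily volume                 -> "bulk data copy"
      - any override attempt                               -> "control override attempt"
    """
    per_employee = defaultdict(list)
    for rec in records:
        per_employee[rec[0]].append(rec)

    flags = []
    for employee, recs in per_employee.items():
        # The median is used as the baseline because, unlike the mean, one
        # extreme day does not drag it up enough to hide itself.
        baseline = median(r[3] for r in recs)
        for _emp, date, hours, mb_copied, overrides in recs:
            if hours > max_hours:
                flags.append((employee, date, "excessive hours"))
            if mb_copied > copy_multiplier * baseline:
                flags.append((employee, date, "bulk data copy"))
            if overrides > 0:
                flags.append((employee, date, "control override attempt"))
    return flags


if __name__ == "__main__":
    for employee, date, reason in detect_anomalies(AUDIT_TRAIL):
        print("%s %s: %s" % (date, employee, reason))
```

Per-employee baselines matter: bob copies more data every day than alice does on a normal day, so a single global threshold would either miss alice's spike or flag bob permanently. A real deployment would also weight the flags, since three flags on the same person and day are far stronger evidence than one.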

Chapter 5

Defending against Fraud


• Identity Theft
– Social Security and credit card numbers are stolen
and used by thieves by:
• Stealing wallets
• Dumpster digging
• Bribery
• Employee theft
• Data Breaches
• Ignorance or purposeful irresponsibility

Chapter 5

Defending against Fraud


1. What are the two categories of crime?
2. Explain fraud and occupational fraud.
3. What defenses help prevent internal fraud?
4. What are two red flags of internal fraud?
5. Explain why data on laptops and computers need to be
encrypted.
6. Explain how identity theft can occur.

Chapter 5

Compliance and Internal Control


• Internal Controls (IC)
– A process to ensure that sensitive data are
protected and accurate, designed to achieve:
• Reliability of financial reporting, to protect
investors
• Operational efficiency
• Compliance with laws, regulations, and policies
• Safeguarding of assets

Chapter 5

Compliance and Internal Control


• Regulatory Complications
– Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act
(GLBA), Federal Information Security Management
Act (FISMA), USA PATRIOT Act, and many others
depending on industry, corporate filing, and
operating location.
– Frameworks to address compliance:
• Enterprise Risk Management (ERM)
• Control Objectives for Information and Related
Technology (COBIT)
• Payment Card Industry Data Security Standard
(PCI DSS)

Chapter 5

Compliance and Internal Control


• Controls are Regulated Because…
– Approximately 85 percent of occupational fraud
could have been prevented if proper IT-based
internal controls had been designed, implemented,
and followed.
– Prosecution reduces the likelihood of any employee
adopting an “I can get away with it” attitude.

Chapter 5

Compliance and Internal Control


• Defense Strategies
1. Prevention and deterrence
2. Detection
3. Contain the damage
4. Recovery
5. Correction
6. Awareness and compliance
• Defense Strategy Controls
– General controls & Application controls

Chapter 5

Compliance and Internal Control


• Authentication
– Provides a means of ensuring that the user is who
s/he claims to be.
• Biometrics
– An automated method of verifying the identity of a
person, based on physical or behavioral
characteristics using systems that match the
characteristic against a stored profile.

Chapter 5

Compliance and Internal Control


• Biometrics – Authentication Factors

– Something you are saying, seeing, touching…

– Something you know…

– Something you have…

Chapter 5

Compliance and Internal Control


• Disaster Recovery v. Business Continuity
– DR is a backup plan that ensures a business can
recover after a major disruption, but over an
extended timeline.
– BC refers to maintaining business functions, or
restoring them quickly, after a major disruption.
Fires, earthquakes, floods, power outages, malicious
attacks, and other types of disasters are reasons
businesses should have a business continuity plan.

Chapter 5

Compliance and Internal Control


• Auditing Web Sites
– A good preventive measure to manage legal risk is
reviewing the content of the site, which may offend
people or violate copyright laws or other
regulations (e.g., privacy protection).

Chapter 5

Compliance and Internal Control


• Cost-Benefit Analysis
– Measuring expected losses is critical to understanding
the business impact of a disruption. Expected loss
can be calculated as:

Expected Loss = P1 * P2 * L
where
– P1 = probability of attack (estimate, based on
judgment)
– P2 = probability of the attack being successful
(estimate, based on judgment)
– L = loss occurring if the attack is successful

Chapter 5

Compliance and Internal Control


• Cost-Benefit Analysis
Example:

P1 = .02, P2 = .10, L = $1,000,000

Expected loss from this occurrence is

Expected Loss = (.02) * (.10) * $1,000,000 = .002 * $1,000,000 = $2,000
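The expected-loss formula and its worked figure, as an added example that is not part of the deck. The function reproduces the slide's calculation with the two probabilities validated, and goes one step beyond the slide: a cost-benefit check that compares the reduction in expected loss a control would bring against that control's annual cost. The control, its effect on P2 and its cost are hypothetical values chosen for the example.

```python
def expected_loss(p1: float, p2: float, loss: float) -> float:
    """Expected Loss = P1 * P2 * L, rejecting inputs that are not probabilities."""
    for name, p in (("P1", p1), ("P2", p2)):
        if not 0.0 <= p <= 1.0:
            raise ValueError("%s must be between 0 and 1, got %r" % (name, p))
    if loss < 0:
        raise ValueError("L must be non-negative")
    return p1 * p2 * loss


def control_is_justified(p1, p2, loss, p2_with_control, annual_control_cost):
    """Cost-benefit test for a control that lowers P2.

    Assumption for this example: the control changes only P2 (the chance the
    attack succeeds), not P1 or L. Returns (justified, annual reduction in
    expected loss); the control pays for itself when that reduction exceeds
    its annual cost.
    """
    reduction = expected_loss(p1, p2, loss) - expected_loss(p1, p2_with_control, loss)
    return reduction > annual_control_cost, reduction


if __name__ == "__main__":
    # The slide's example: P1 = .02, P2 = .10, L = $1,000,000
    print("expected loss: $%.2f" % expected_loss(0.02, 0.10, 1_000_000))
    # Hypothetical control cutting P2 from .10 to .01 at $500 per year
    ok, saved = control_is_justified(0.02, 0.10, 1_000_000, 0.01, 500)
    print("control reduces expected loss by $%.2f -> %s"
          % (saved, "justified" if ok else "not justified"))
```

Because P1 and P2 are judgment-based estimates, the decision should be re-run across a range of values; a control that is only justified at the most pessimistic estimate is a weaker case than one that holds across the range.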

Chapter 5

Compliance and Internal Control


• Business Impact Analysis (BIA)
– Estimates the consequences of disruption of a
business function and collects data to develop
recovery strategies, using the potential loss scenarios
first identified during the risk assessment.
– Some examples:
• Lost sales and income
• Delayed sales or income
• Increased expenses (e.g., overtime labor,
outsourcing, expediting costs, etc.)
• Regulatory fines

Chapter 5

Compliance and Internal Control


1. Why are internal controls needed?
2. What federal law requires effective internal controls?
3. Why do the SEC and FTC impose huge fines for data
breaches?
4. What are the two types of controls in a defense strategy?
5. Explain authentication and two methods of authentication.
6. What are biometric controls? Give an example.
7. Why do organizations need a business continuity plan?
8. Why should websites be audited?
9. How is expected loss calculated?
10. Explain business impact analysis.
