lOMoARcPSD|5713222

Chapter 5 - Tutorial Solutions

Accounting Information Systems (The University of the South Pacific)

StuDocu is not sponsored or endorsed by any college or university

Downloaded by divnesh chand (chanddivnesh28@gmail.com)
 lOMoARcPSD|5713222

WEEK 6 - CHAPTER 5

Cybersecurity and Risk Management Technology

Review Questions

5.1 The Face and Future of Cyberthreats

1. Define and give an example of an intentional threat and an unintentional threat.
 Intentional threat is the deliberate manipulation or theft of data e.g hacking
 Unintentional threat is unintended manipulation of data which can be caused by
different factors such as human error during data input and environment hazards such
as natural disasters.
4. Why is social engineering a technique used by hackers to gain access to a network?
 It is a clever form of deception as people tend to trust the website or network and enter
their login details.
6. What are the risks caused by data tampering?
 Data tampering is manipulation of data or fraud data being entered
Risks:
 Dirty data
 Poor decision making
 Difficult to detect.
8. Why is Ransomware on the rise? How might companies guard against ransomware
attacks?

 Ransomware is on the rise because most organizations have their data backed up
online and lack of physical backup
 Have offline/physical backups of data.

5.2 Cyberattack Targets and Consequences

2. List three types of critical infrastructures.
 Communications
 IT
 Chemical
4. Why are patches and service packs needed?

1|Page

Downloaded by divnesh chand (chanddivnesh28@gmail.com)

 lOMoARcPSD|5713222

 Patches and service packs are needed to fix vulnerabilities found in OS and
applications such as viruses.
5. Why is it important to protect intellectual property? (life-blood)
 Losing intellectual property could threaten the existence of a company.
 Since it contains trade secrets and commercial values of a company.
7. Explain why data on laptops and computers need to be encrypted.
 To protect sensitive data on the computers and laptops as such devices are prone to
theft.
 So that third party does not gain access to information.
8. Explain how identity theft can occur.

 Wallets being stolen

 Customer’s financial and personal information being compromised due to the
carelessness of financial institution or retail businesses.
 Electronic sharing

5.3 Cyber Risk Management

1. Explain why it is becoming more important for organizations to make cyber risk
management a high priority?
 Due to increasing use of mobile technologies and online data storage facilities
 Also due to the increasing rate of cyberattacks.
5. Why does an organization need to have a business continuity plan?

 To keep the business running even after a disaster such as a power outage.
 So that major activities of business is restored quickly.
 To have a backup in case of an unexpected event. E.g natural disaster

5.4 Defending Against Fraud

2. What level of employee commits the most occupational fraud?
 Senior executives/ senior level managers
4. What federal law requires effective internal controls?
 The Federal Managers' Financial Integrity Act (FMFIA)
 Sarbanes-Oxley Act (SOX)
6. Name the major categories of general controls.
 Physical controls- protection by cameras and security guards
 Access controls – authorization for access of company’s hardware and software
 Data security controls
 Communications network control
 Administrative controls- policies and procedures

2|Page

Downloaded by divnesh chand (chanddivnesh28@gmail.com)

 lOMoARcPSD|5713222

5.5 Frameworks, Standards and Models

1. Who created the Enterprise Risk Management Framework? What is its’ purpose?
 Committee of sponsoring organizations
 Identify potential events that may affect the business.
4. Why do industry groups have their own standards for cybersecurity? Name one
standard.
 To protect their own different customers depending on the type of industry.
 Payment Card Industry Data Security Standard (PCI DSS) created by visa and
MasterCard.
5. Are measurements of direct costs sufficient to reflect total damage sustained by a
cyberattack?
 No, as effects of cyberattacks linger for a long time which result in various intangible
costs tied to the damages sustained.
6. What four components comprise the IT Security Defense-in-Depth model?
 People
 Policies
 Procedures
 technology
7. What are the four steps in the IT Security Defense-in-Depth IT security model?
 Senior management commitment and support
 Acceptable policies and IT security training
 IT security procedures and enforcement
 Hardware and software (kept up to date)

DISCUSS: Critical Thinking Questions

7. How can malware be stopped from stealing or disclosing data from an organization’s
network?
 Install antimalware
 Strong and effective corporate governance.
 Effective internal control system
 Effective fraud prevention measures
9. Why are BYOD, BYOA, and do-not-carry rules important to IT security? Why might
users resist such rules?
 It is important since organization’s devices are prone to cyberattacks.

3|Page

Downloaded by divnesh chand (chanddivnesh28@gmail.com)

 lOMoARcPSD|5713222

 No one would like to use their own personal devices for work purposes.
 Hackers can break into employees mobile devices.
 Employees devices can get stolen
14. Why are authentication and authorization important in e-commerce?

 It’s part of access controls, thus will help to prevent identity theft
 So that unauthorized personnel don’t get access to sensitive information.

Cases
Case 2 Business Case: Lax Security at LinkedIn Exposed
1. LinkedIn does not collect the credit card or other financial account information of its
members. Why then would profit-motivated hackers be interested in stealing
LinkedIn’s stored data? What data would they be most interested in?

2. Companies are often slow to self-detect data breaches so a cyberattack can occur
without a company even knowing it has a problem. What effect do you think
LinkedIn’s failure to self-detect its massive data breach had on its popularity and
credibility?

3. Most corporate security incidents are uncovered by a third party, like a security
firm, that picks up on evidence of malicious activity. Why do you think IT security
experts and not LinkedIn discovered the data breach?
 LinkedIn was more profit oriented
4. Explain why LinkedIn’s lax approach to members’ information security and weak
passwords was very surprising to members and information security professionals.
 Since they had huge amounts of profits, they didn’t care about their customers

5. Identify and evaluate the actual and potential business risks and damages from
LinkedIn’s data breach.
 Cleanup cost
 Upgrade costs
 Damages to active customers
 Potential risk can include legal risk
6. In your opinion, was LinkedIn negligent in protecting its main asset? Explain.

 Yes, they kept profits their first priority.

4|Page

Downloaded by divnesh chand (chanddivnesh28@gmail.com)

 lOMoARcPSD|5713222

5|Page

Downloaded by divnesh chand (chanddivnesh28@gmail.com)

 lOMoARcPSD|5713222

Notes
 Data breach- successful retrieval of information by an unauthorized person
 Data incident- unsuccessful unauthorized access to a network.
 (Figure 5.2 pg130) 3 objectives of data and information systems security
 Confidentiality- no unauthorized data disclosure
 Integrity – data and documentation have not been altered in any unauthorized
way
 Availability- accessibility of data when needed by those authorized
 Cyber threats- threats posed by the internet
 Hacking – gaining unauthorized access to a network
 Cracking – gaining unauthorized access to a network by using the flaws in the security
system
 Hacktivist- someone who performs hacking
 Three classes of hackers :
 White hat- someone who breaks into protected systems and network to test
their security
 Black hat – someone who finds computer security vulnerabilities and exploits
them for personal gains
 Gray hat- person who violates ethical standards and principles but not with
intentions as black hat hackers
 Phishing- happens through email where the sender pretends to be a legitimate
organisations such as PayPal or the bank asking the user to perform an action that
could expose his or her computer to cyber threats.
 Spear phishing- targets group of people who have something in common by sending
them all a customized and appealing e-mail which may require them to click a link
which takes them to a fake website where they are required to enter their personal
details.
 Categories of crime ware:
 Spyware- tracking software which may not intend to cause damage e.g tracker
to monitor website accessed.
 Adware- has advertisements
 Malware- computer viruses
 Ransomware- blocks access of a computer until a sum of money is paid
 Trojan horses- creates an unprotected back door into a system.
 A vector is the specific method that malware uses to spread to other computer devices
 Attack vector-entry points hackers use to gain access.
 Malware may reinfect the host for two reasons
1. Malware is captured in backups
2. Malware infects removable devices
 Botnet- group of external attacking entities
 Denial-of-service – where the perpetrator makes a network unavailable to its intended
users by disrupting services of a host connected to the internet.

6|Page

Downloaded by divnesh chand (chanddivnesh28@gmail.com)

 lOMoARcPSD|5713222

 Three form of DoS:

1. Distributed DoS (DDoS)- crashing a network or website by bombarding it with
traffic
2. Telephony DoS (TDoS)- flooding network with phone calls
3. Permanent DoS (PDoS)- completely prevent the system or device from
working.
 Data tampering- manipulating data to make it have errors
 Critical infrastructure- systems and assets which are vital to the country, and if
destructed it can have numerous impacts on the country.
 Examples of critical infrastructure are : Chemical, communications , IT
 Clean dirty data through globalization and data mining
 Intellectual property- life blood of an organisations since it contains trade secrets and
other sensitive information about the firm.
 BYOD- employees using their own devices for business purposes.
 Patches and services packs are used to fix vulnerability.
 5 key factors leading to increase in cyberattacks: (Table 5.5 pg146)
1. Interconnected, wireless network business environment
2. Cheaper computer and storage devices
3. Decreasing skills of hacker
4. International cybercrimes
5. Lack of management support
 IT defenses (3 essential defenses):
1. Antivirus software- antimalware tools
2. Intrusion detection system (IDSs)- scan for something unusual
3. Intrusion prevention systems (IPSs) – blocking certain IP address
 Basic IT security concept (Figure 5.7 pg147)
 Risk- probability of a threat exploiting a vulnerability, resulting cost of loss and
damage.
 Exploit- to attack on a vulnerability
 Threat – someone/something that can cause loss or damage
 Vulnerability – weakness of flaw in the system
 Asset –something of value that needs to be protected e.g customer data
 Table 5.8 pg148 terminology
 Minimum security defenses for mobile
 Biometric control – automated method of verifying the identity of a person e.g
finger print
 Mobile biometrics- such as voice and fingerprint biometrics can improve
security
 Voice biometrics
 Do-not carry rules
 Business continuity plan- means maintain business functions or restoring quickly after
a major disruption.

7|Page

Downloaded by divnesh chand (chanddivnesh28@gmail.com)

 lOMoARcPSD|5713222

 Corporate governance- rules and processes by which an organisations is controlled

(preventing and detecting frauds)
 10 principles of cooperate governance (Af121)
 Internal control is designed to achieve:
 Safeguarding of assets
 Reliability of reports
 Compliance with law
 5 components of internal control:
1. controlled environment
2. controlled activities
3. risk assessment
4. information and communication
5. monitoring
 2 major controls – general and application control
 Application control- input, processing and output
 3 reasons to commit fraud (fraud triangle ) - Opportunity, pressure and rationalization
 Opportunity- loophole gives opportunities, high level managers
 Pressure – financial difficulties, reaching targets, mangers manipulate profits is called
annex management
 Rationalization- personal justification of the dishonest act
 3 major controls – preventive, detective, collective
 Preventive- Placed before frauds and errors occur e.g separation of duties/rotation of
duties
 Detective- process controls i.e when in process e.g auditing
 Collective- placed after frauds or errors have occurred. E.g bank reconciliation
(verification)
 Two widely accepted frameworks to guide IT governance are:
1. Enterprise Risk Management (ERM)- integrates internal control, Sarbanes-
oxley act and strategic planning
2. Control objectives for Information and Related Technology (COBIT)

 8 components of ERM (Table 5.11 pg156)
 Internal environment
 Objective setting
 Event identification
 Risk assessment
 Risk response
 Control activities
 Information and communication
 Monitoring
 COBIT- provides framework for management and IS audit to bridge the gap between
control requirements and business risks

8|Page

Downloaded by divnesh chand (chanddivnesh28@gmail.com)

 lOMoARcPSD|5713222

 COBIT 5 principles (Figure 5.11 pg156)

 Meeting stakeholder needs
 Covering the enterprise end-to-end
 Applying a single integrated framework
 Enabling a hostile approach
 Separating governance from management
 IT security defense-in-depth model (Figure 5.12 pg158)
 Step 1 :senior management commitment and support
 Step 2: acceptable use policies and IT security training
 Step 3: IT security procedures and enforcement.
 Step 4: hardware and software (kept up-to-date)

9|Page

Downloaded by divnesh chand (chanddivnesh28@gmail.com)