
Good morning everyone, good morning Sir. Our topic is INFORMATION SECURITY AND COMPUTER FRAUD.

And these are the Learning Objectives:

- Explain information system and computer fraud

- Describe the risks related to information security and systems integrity.

- Understand the concepts of encryption and authentication.

- Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.

- Define vulnerabilities, and explain how to manage and assess vulnerabilities.

Information security and computer fraud

So, information security protects sensitive information from unauthorized activities, including
inspection, modification, recording, and any disruption or destruction. Information security,
sometimes shortened to InfoSec, is the practice of protecting information, while computer fraud is
a cybercrime: the act of using a computer to take or alter electronic data, or to gain
unlawful use of a computer or system. Computer fraud uses computers, the Internet,
Internet devices, and Internet services to defraud people or organizations of
resources.

We have here INTEGRITY AND INFORMATION SECURITY


Since 2003, information security management has been ranked as the number one technology issue
for CPAs. In other words, information security management is a way of protecting an organisation's
sensitive data from threats and vulnerabilities.
Information security is a critical factor in maintaining systems integrity.

The goal of information security management is to protect the confidentiality, integrity and availability
(CIA) of a firm's information. This CIA triad is the most recognized acronym in the security industry.

Confidentiality - (information is not accessible to unauthorized individuals or processes), or in other words,
confidentiality ensures that only authorized parties with sufficient privileges can view the
information. An example of a tool that is commonly used to achieve confidentiality is
encryption, which will be discussed later on.

Integrity - (information is accurate and complete), or integrity is what ensures that the
data stored on the devices is correct and that no unauthorized person or malicious software
has altered the data.

Availability - (information and systems are accessible on demand), or availability ensures that
network resources are readily accessible to authorized users. Although a secure
computer must restrict access attempts by unauthorized users, it still must allow immediate access to
authorized users.

NEXT WE HAVE Information Security Risks and Attacks. Information security risks and attacks include:

• Virus – A self-replicating program that runs and spreads by modifying other programs or files. We all
know viruses already, since they are so prominent; a virus is self-replicating, or it attaches itself to a
file. You can get a virus from downloading infected files or through file-sharing activities.

Next we have • Worm – A self-replicating, self-propagating, self-contained program that uses
networking mechanisms to spread itself. In other words, a worm copies and replicates itself without the help of
the user.

Then • Trojan horse – A non-self-replicating program that seems to have a useful purpose in
appearance, but in reality has a different, malicious purpose. In other words, a Trojan horse is disguised
as legitimate software so that you will execute malicious software on your computer.

Also • Spam – Sending unsolicited bulk information. Spam is sending messages or attachments to your
device, mostly through email, so we need to be cautious when opening an email because it might contain
viruses.

Next is • Botnet (Bot) – A collection of software robots that overruns computers to act automatically in
response to the botherder's control inputs through the Internet. A botnet is also a network of hijacked
computers and devices infected with bot malware and remotely controlled by a hacker; a
botnet is used to send spam.

Then • Denial-of-service (DoS) – The prevention of authorized access to resources (such as servers) or
the delaying of time-critical operations. Also, DoS is a kind of attack meant to shut down a
machine or network, making it inaccessible to its intended users.

Next is • Spyware – Software that is secretly installed into an information system to gather information
on individuals or organizations without their knowledge; a type of malicious code. Spyware,
from the word spy, records the websites the user visits and also information
about the user's computer system.

Then • Spoofing – Sending a network packet that appears to come from a source other than its actual
source. So spoofing is pretending to be someone you should trust in order to access
sensitive personal information.

Lastly is • Social engineering – manipulating someone to take a certain action that may not be in that
person's best interest, such as revealing confidential information or granting access to physical assets,
networks, or information. Basically, social engineering is a manipulation technique that hackers
use to trick people into giving away their sensitive and confidential information, so this happens in
actual communication between the attacker and the victim.

ENCRYPTION AND AUTHENTICATION

So these are the key factors in asymmetric key encryption:

- The CA or Certificate Authority is a trusted entity that issues and revokes digital certificates.

- Then a Digital Certificate is a digital document issued and digitally signed by the private key of
a Certificate Authority that binds the name of a subscriber to a public key.

- Lastly is the PKI, or public key infrastructure, which is a set of policies, processes, server platforms, software and
workstations used for the purpose of administering certificates and public-private key pairs, including the ability
to issue, maintain, and revoke public key certificates.
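As an added illustration of how these three pieces fit together (my example, not part of the presentation or its textbook), this Go code, using only the standard library, has a CA's private key sign a certificate that binds a subscriber name to a public key, and then verifies that certificate against a trust anchor; the CA and subscriber names and the one-day validity window are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed example, not from the presentation: the CA's private key signs a
// certificate that binds a subscriber's name to a public key, and a verifier
// that trusts only that CA checks the chain. Names and validity are assumptions.

// newKey generates a fresh P-256 key pair, for the CA or for a subscriber.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// issue has signer's private key sign a certificate for name and pub. With a nil
// parent the certificate is self-signed with CA flags set: the CA's own cert.
func issue(parent *x509.Certificate, signer *ecdsa.PrivateKey, name string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial; real CAs use unique random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), // assumed one-day validity window
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedBy reports whether cert chains to caCert, the verifier's only trust anchor.
func trustedBy(cert, caCert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}
```

Call issue with a nil parent to mint the CA's self-signed certificate, then pass that certificate as parent to issue a subscriber's certificate; trustedBy returns false when the verifier's only trusted CA is one that did not sign the certificate. Revocation, the CA's other job named above, is not shown here.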

NEXT SLIDE IS THE COMPUTER FRAUD AND ABUSE

According to the fraud triangle, three conditions exist for a fraud to be perpetrated.
By the way, the fraud triangle is a framework used to explain the reason behind an individual's decision to commit
fraud. And these three are:

• Incentive: provides a reason to commit fraud. Alternatively called pressure, it refers to an employee's
mindset towards committing fraud.

• Then Opportunity: for fraud to be perpetrated. Opportunity refers to circumstances that allow fraud to occur.
In the fraud triangle, it is the only component that a company exercises complete control over.

• Last is Rationalization: the individuals committing the fraud possess an attitude that enables them
to rationalize the fraud.

One reason for uncertainty is that computer fraud is not well defined. For example, some people
consider copying commercial computer software to be unethical or illegal. On the other side of this
issue, software vendors consider such acts to be criminal. But regardless of how broadly
computer fraud is defined, it is still rapidly growing.

And here are some COMMON COMPUTER FRAUDS:

- The theft, misuse, or misappropriation of assets by altering computer-readable records and
files.
- The theft, misuse, or misappropriation of assets by altering the logic of computer software. 
- The theft or illegal use of computer-readable information. 
- The theft, corruption, illegal copying, or intentional destruction of computer software. 
- The theft, misuse, or misappropriation of computer hardware.

*So, given an identified possible fraud, exposures are management's estimates of the potential loss
from the fraud.
*And when we say computer fraud risk assessment, it's a systematic process that assists management and
internal auditors in discovering where and how fraud may occur and who may commit the specific fraud.
*Then, a computer fraud risk assessment is often a component of a firm's enterprise risk management
(ERM) program.

THEN WE HAVE HERE THE STEPS ON HOW TO identify computer fraud. First is:

• Identifying relevant IT fraud risk factors.

• Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.

• Mapping existing controls to potential fraud schemes and identifying gaps.

• Testing operating effectiveness of fraud prevention and detection controls.

• Assessing the likelihood and business impact of a control failure and/or a fraud incident.
