
Chapter 11
Computer Crime and Information Technology Security
Outline
• Learning objectives
• Carter’s taxonomy
• Risks and threats
• IT controls
• COBIT
Learning objectives
1. Explain Carter's taxonomy of computer crime.
2. Identify and describe business risks and threats to information systems.
3. Discuss ways to prevent and detect computer crime.
4. Explain the main components of the Control Objectives for Information and Related Technology (COBIT) framework and their implications for IT security.
Carter's taxonomy
• Four-part system for classifying computer crime
• A specific crime may fit more than one classification
• The taxonomy provides a useful framework for discussing computer crime in all types of organizations.
• Target
– Computer crimes where the criminal targets the system or its data
– Objective: impact the confidentiality, availability, and/or integrity of data stored on the computer.
– Example: DoS attack
• Instrumentality
– Uses the computer to further a criminal end
– The computer is used to commit a crime.
– Example: Phishing
Carter’s taxonomy
• Incidental
– Computer not required, but related to the crime
– Example: Extortion – the criminal offense of obtaining money, property, or services from an institution through coercion.
• Cyberextortionist: an individual or group who uses email as an offensive force. The group or individual usually sends a company a threatening email stating that they have obtained confidential information about the company and will exploit a security leak or launch an attack that will harm the company's network.
• Associated
– New versions of old crimes
– Example: Cash larceny – fraudulently appropriating cash
Risks and threats
• Fraud
– Computer fraud: any illegal act for which knowledge of computer technology is used to commit the offense.
– Ex: Data diddling – intentional modification of information
• Error
– Ex: Coding error, programming error
• Service interruption and delays
– Accidental service interruption: (ex) shutting down the wrong machine.
– Willful neglect: (ex) outdated antivirus software
– Malicious service interruption: (ex) a hacker launching a denial-of-service attack against an organization's web site.
Risks and threats
• Disclosure of confidential information
– Disclosure of sensitive information
• Intrusions
– To gain access to a network or a system by bypassing
security controls or exploiting a lack of adequate control
– Ex: Hacking for fun
• Information Theft
– Ex: R&D data for new products, customer lists, trade
secrets, marketing plans, advertising campaigns
• Information Manipulation
– Ex: "Salami technique" – unnoticeable slices of a financial transaction are removed and transferred to another account
– Ex: redirecting the fraction of a cent of interest on each account to the fraudster's own account
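As an added example (not part of the slides), a reconciliation check a defender could run over interest postings to catch salami slicing of the kind described above; the monthly rate, the account names and the ledger rows are constructed for illustration:

```python
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.004")  # constructed rate: 0.4% interest per month

def expected_interest(balance):
    """Interest the ledger should carry: balance * rate, rounded to the nearest cent."""
    return (Decimal(balance) * MONTHLY_RATE).quantize(CENT, rounding=ROUND_HALF_EVEN)

def control_totals_balance(postings):
    """Aggregate check most batch jobs already do: does total posted interest equal
    total expected interest? A salami scheme keeps this balanced, so it still passes."""
    posted = sum(Decimal(p) for _, _, p in postings)
    expected = sum(expected_interest(b) for _, b, _ in postings)
    return posted == expected

def reconcile(postings):
    """Per-account recomputation. postings: (account, balance, posted_interest).
    Returns (mismatches, residual, unexplained):
      mismatches  - (account, expected, posted) where the posted amount differs
      residual    - net cents that left customer accounts through those differences
      unexplained - accounts credited interest although no balance earns it
    """
    mismatches, unexplained = [], []
    residual = Decimal("0")
    for account, balance, posted in postings:
        posted, expect = Decimal(posted), expected_interest(balance)
        if Decimal(balance) == 0 and posted > 0:
            unexplained.append((account, posted))
            continue
        if posted != expect:
            mismatches.append((account, expect, posted))
            residual += expect - posted
    return mismatches, residual, unexplained

# Constructed sample ledger: each customer's interest was truncated instead of
# rounded, and the shaved fractions were pooled into an account with no balance.
LEDGER = [
    ("ACC-001", "1234.56", "4.93"),   # exact 4.93824 -> should be 4.94
    ("ACC-002", "987.65", "3.95"),    # exact 3.9506  -> 3.95 either way
    ("ACC-003", "5000.10", "20.00"),  # exact 20.0004 -> 20.00 either way
    ("ACC-004", "42.42", "0.16"),     # exact 0.16968 -> should be 0.17
    ("ACC-SLUSH", "0.00", "0.02"),    # no balance, yet credited the shaved cents
]

if __name__ == "__main__":
    print("control totals balance:", control_totals_balance(LEDGER))  # True
    for result in reconcile(LEDGER):
        print(result)
```

The aggregate total balances exactly, which is why the slices go unnoticed; only recomputing every posting independently and flagging credits with no earning balance exposes the scheme.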
Risks and threats
• Malicious software (malware)
– Virus infecting a system and modifying its data
– Worm replicating over the network causing a
bottleneck
– Trojan horse allowing an unauthorized
backdoor into a system
– Logic bombs: a piece of code intentionally
inserted into a software system that will set off
a malicious function when specified conditions
are met.
• For example, a programmer may hide a piece of
code that starts deleting files (such as a salary
database trigger), should they ever be terminated
from the company.
Risks and threats
• Denial-of-service attacks (DOS)
– Prevent computer systems and networks from
functioning in accordance with their intended
purposes.
– Cause loss of service to the users by consuming
scarce resources such as bandwidth, memory, or
processor cycles
– Can disrupt configuration info. or physical
components.
– Distributed denial-of-service (DDoS) attack
• an attempt to make an online service unavailable by
overwhelming it with traffic from multiple sources.
• They target a wide variety of important resources, from
banks to news websites, and present a major challenge
to making sure people can publish and access important
Risks and threats
• Web site defacements
– an attack on a website that changes the visual
appearance of the site or a webpage.
– typically the work of system crackers, who break
into a web server and replace the hosted website
with one of their own.
– generally meant as a kind of electronic graffiti
(or digital graffiti) and, as other forms of
vandalism, is also used to spread messages by
politically motivated "cyber protesters" or
hacktivists.
IT controls
C-I-A triad (diagram): Confidentiality, Data Integrity, Availability
IT controls
• Confidentiality
– Condition that exists when data are held in
confidence and are protected from unauthorized
disclosure.
• Data Integrity
– Data stored in an information system should be
the same as those in the source documents.
– Data should be correctly processed from source
data and should NOT be exposed to accidental
or malicious alteration or destruction.
• Availability
– Achieved when the required data can be
obtained within the required time frame.
IT controls
• Physical controls
– To protect computers, related
equipment, and their contents from
espionage, theft, and destruction or
damage by accident, fire, or natural
disasters.
– Guards, locks, fire & smoke detectors,
fire suppression systems, emergency
generators
IT controls
• Technical controls
– Use of safeguards incorporated in computer and
telecommunication hardware and software.
– Firewalls: first line of defense in protecting the corporate network from network-based threats (Windows Firewall, McAfee, etc.)
– Intrusion detection (protection) systems: detect potentially malicious data and access patterns.
– Access Controls
• Identification: the user provides information in order for the system to recognize him or her
• Authentication: once identified, the user must prove his or her identity
• Authorization: the user is granted the privileges associated with his or her profile
IT controls
• Technical controls
– Cryptography: transform data to
a. hide them
b. prevent them from being modified
c. prevent unauthorized access to them
– Most cryptography uses mathematical
functions (algorithms) to turn ordinary data into
an incomprehensible format.
IT controls
• Administrative controls
1. to provide supplemental controls
2. to protect information processing resources
3. to ensure that all employees have proper
authorization to access computing resources

– Security policies
– Security procedures
– Security awareness and training
– Adequate supervision of employees
– Security reviews and audits
COBIT
• Control Objectives for Information and Related Technology
• Information Systems Audit and Control Association (ISACA)
• Framework for IT governance and management
• Two main parts
– Principles: five ideas that form the foundation of strong IT governance and management
– Enablers: seven tools that match the capabilities of IT tools with users' needs