Chapter 14: Computer Crime & Information Technology Security

End-of-chapter Activities - Student

End of Chapter Activities

1.  Reading review questions:

  1. What four common classifications are often associated with computer crime?
  2. What computer-crime related risks and threats are associated with information systems?
  3. What categories are commonly associated with computer criminals? Describe each category.
  4. How can organizations safeguard against computer crime? How can they detect it and recover from it if it happens? What role does COBIT play in those tasks?
  5. What is COBIT? What are the seven information criteria discussed in the COBIT framework?
  6. Respond to the questions for this chapter’s opening vignette.

·  What is computer crime? What broad categories apply to the situations described above?

·  How can accountants help safeguard organizations against computer crime?

2.  Making choices and exercising judgment:

  1. What would motivate someone to engage in computer crime?
  2. Chapter 7 discussed the AICPA Top Ten Technologies. Choose one of the technologies; explain how it might be used to engage in computer crime.
  3. Suggest at least three specific internal controls you’d employ to prevent, detect or correct the computer crime you identified above.
  4. Brad Willman contributed to the arrest of several pedophiles in Canada and the United States. But, he collected evidence for his investigation by hacking into others’ computers. Read about this case in “Internet Vigilante” by Cori Howard in Maclean’s (6 June 2005). What model of ethics, discussed in Chapter 3, best describes Willman’s actions? Were Willman’s actions ethical? What legal action, if any, should be taken against Willman?

3.  Field work:

  1. Use your university library or www.findarticles.com to locate and read “Computer Crime Surveys Yield Mixed Results” by T. McCollum (Internal Auditor, August 2004). Prepare a brief oral or written report on the article, relating it to the material presented in this chapter.
  2. Use a literature search to investigate one or more of the following computer criminals. Describe each one’s crime; also compare and contrast them in terms of personal characteristics and motivations.

·  Christopher Phillips (University of Texas)

·  Gary McKinnon (aka “Solo”)

·  Julian Lush (Manchester, Connecticut)

4.  Which element(s) of Carter’s taxonomy apply to each of the following situations? If more than one category applies, explain why.

  1. A bookkeeper steals cash as it comes into the company. The bookkeeper later falsifies accounting entries using general ledger software to cover the trail.
  2. A bored teenager initiates a denial of service attack on his internet service provider’s information system.
  3. A disgruntled employee uses a previously installed “back door” into an information system to lock out other users by changing their passwords.
  4. A gang of criminals breaks into a local retail store. They steal all the store’s computers, and then later hack into them for the purpose of identity theft.
  5. A pair of computer criminals uses e-mail to contact victims for an illegal pyramid scheme. They use money from new investors, rather than profits, to pay off old investors, keeping most of the money themselves.
  6. A recently fired employee laid the groundwork for corporate espionage by installing spyware on the company’s network.
  7. A student discovers the password to his university’s information system. He then hacks the system to change grades for himself and his friends.
  8. A woman impersonates her wealthy employer, stealing personal information about the employer from her bank’s information system.

5.  Which type(s) of business risks / threats described in the chapter best applies to each situation below? If more than one applies, explain why.

  1. Blackmail based on stolen information
  2. Concurrent attacks against a determined target
  3. Digital graffiti
  4. Discovery of customer social security numbers by external parties
  5. Hacking
  6. Intentional modification of information
  7. Mistakes in data entry
  8. Power failure
  9. Salami technique
  10. Stealing research and development data for new products
  11. Trojan horse

6.  Fill in the blanks below with appropriate terms related to the types of computer criminals discussed in the chapter.

  1. ______ represent the largest threat to a company’s information systems and underlying computer infrastructure.
  2. ______ has been getting into spamming, phishing, extortion and all other profitable branches of computer crime.
  3. ______ could seriously disrupt power grids, ______, transportation and others if they were to exploit vulnerabilities to disrupt or shut down critical functions.
  4. A ______ describes a young, inexperienced hacker who uses tools and scripts written by others for the purpose of attacking systems.
  5. Corporate ______ have begun turning to ______ techniques to gather the information they desire.
  6. Cyber-criminals possess ______ and have turned to hacking, not for the ______ but for the ______.
  7. The term hacker originally described someone who wanted to ______ of computers and attempted to ______ to the limit.

7.  Classify each of the following controls as physical, technical or administrative. Then, describe each control in your own words.

  1. Access control software
  2. Adequate supervision of employees
  3. Badges
  4. Encryption
  5. Firewalls
  6. Internal audits
  7. Intrusion detection systems
  8. Locks
  9. Ongoing training regarding security issues
  10. Security guards
  11. Security policy
  12. Smoke detectors
  13. Uninterruptible power supplies (UPS)

8.  COBIT information criteria:

Indicate which of the COBIT information criteria are violated in each of the following independent scenarios. Justify your choices.

  1. Financial statements for the year ended 31 December 2005 are completed and published in June 2006.
  2. A company with $1 million in annual revenues maintains an accounting information system with paper journals and ledgers.
  3. Employee names, identification numbers, job classifications and addresses are posted on a company web site.
  4. A careless employee spilled a soft drink on a file server. The server was damaged and could not be used for three days.
  5. The CEO and CFO fail to provide the documents required by the Sarbanes-Oxley Act.

9.  Internal controls:

For each situation presented in the preceding problem, suggest one or more internal controls. Classify the controls as preventive, detective or corrective. You may find it helpful to refer back to Chapter 4 to complete this problem.

10.  COBIT standards:

The chapter gave you an introduction to the COBIT framework by discussing information criteria and accountability. COBIT also contains several specific standards for IT security, organized into five areas: strategic alignment, value delivery, resource management, risk management and performance measurement. Point your web browser to www.isaca.org. Create a free account, which will give you access to the COBIT documents. Work with a group of students to examine the standards in at least one of the five areas; prepare an oral or written presentation of your work, with particular emphasis on how the standards you investigated can help organizations fight computer crime.

11.  The C-I-A triad contains three elements: confidentiality, integrity and availability. Refer back to one or more of the professional codes of ethics discussed in the first part of the text. How are the elements of the ethical code(s) you selected related to the triad? For example, confidentiality and integrity are explicitly mentioned in the IMA Code of Ethics.

12.  Crossword puzzle:

Across

7. Developed a four-part taxonomy for computer crime

8. Another name for technical security controls

10. Type of computer crime that exploits weak internal controls

Down

1. Element of the CIA triad that refers to timely access to necessary information

2. The most precious asset of most organizations

3. Type of behavior associated with service interruptions and delays

4. For many hackers, fraud is this type of crime

5. Key component of an organization's information security management system

6. Control type concerned with identifying unwanted events

9. A type of malicious software that reproduces over a network

13.  Terminology:

Please match each numbered term below (1–10) to the most appropriate lettered description (a–j).

© McGraw-Hill Companies, 2008

1.  Confidentiality

2.  Creating fake refunds to benefit a friend

3.  Data diddling

4.  Human element

5.  Incidental

6.  Instrumentality

7.  Logic bomb

8.  Salami technique

9.  Sarbanes-Oxley Act

10.  Willful neglect

a.  Computers used to carry out a crime

b.  Crime classification which does not necessarily require a computer

c.  Data is protected from unauthorized disclosure

d.  Designed to help restore consumer confidence

e.  Information manipulation

f.  Intentionally changing information in a system

g.  Interest of less than one cent diverted to computer criminal’s account

h.  Most vulnerable part of an information system

i.  One type of service interruption / delay

j.  Shuts down a payroll system if a specific employee number is deleted

14. Multiple choice questions:

1.  The name most closely associated with a taxonomy of computer crime is:

  a. Sarbanes
  b. Oxley
  c. Legault
  d. Carter

2.  Computer crime has been defined as any illegal act for which knowledge of __ is used to commit the offense.

  a. Database software
  b. Hacking techniques
  c. Computer technology
  d. Spamming

3.  Which of the following is most closely associated with a computer worm?

  a. Sapphire
  b. Online gambling
  c. Organized crime
  d. All of the above are associated with computer worms.

4.  Which of the following is not a type of computer criminal?

  a. Script kiddie
  b. Hacker
  c. Salami criminal
  d. Terrorist

5.  Administrative security controls include:

  a. Management constraints.
  b. Operational procedures.
  c. Accountability procedures.
  d. All of the above.

6.  The COBIT framework includes ___ information criteria.

  a. Three
  b. Four
  c. Seven
  d. Some other number

7.  Which of the following is not a domain in COBIT?

  a. Prevent and correct
  b. Plan and organize
  c. Acquire and implement
  d. Monitor and evaluate

8.  In COBIT, accountability flows downward from:

  a. External auditors to internal auditors
  b. The audit committee to internal auditors
  c. Stockholders to the audit committee
  d. Stakeholders to the board of directors

9.  Which of the following uses an algorithm to secure information transmitted between computers?

  a. Password rotation
  b. Firewalls
  c. Encryption
  d. Security audit

10.  In COBIT, which of the following flows upward from the board of directors to stakeholders?

  a. Financial and internal control disclosures
  b. Accountability
  c. Disclosures regarding information governance control
  d. All of the above

15. Statement evaluation:

Indicate whether each of the following statements is (a) always true, (b) sometimes true or (c) never true. Explain your responses for those that are sometimes true.

1.  A specific instance of computer crime can involve multiple categories from Carter’s taxonomy.

2.  Computer crime involves using a computer to commit a crime.

3.  Computer crime is perpetrated by organized crime groups.

4.  Confidentiality, availability and data integrity comprise the CIA triad.

5.  Each element of the CIA triad is also mentioned in COBIT’s information criteria.

6.  Hackers may be motivated by profit or by entertainment.

7.  Information technology controls can be physical, technical or administrative.

8.  Organizations that implement COBIT are immune to computer crime.

9.  Perpetrators of computer crime come from outside the organization.

10.  The “salami technique” is an example of information manipulation.
