Chapter 11: Cybersecurity
ACCOUNTING INFORMATION SYSTEMS: The Crossroads of Accounting & IT
© Copyright 2012 Pearson Education. All Rights Reserved.

Upload: esmond-holmes, posted 17-Dec-2015, 51 pages

TRANSCRIPT

Page 1: Chapter 11, Cybersecurity (title slide)

Page 2: How Secure is Your Credit Card?

Meet Heartland (Heartland Payment Systems, the card processor whose breach, disclosed in January 2009, exposed payment card data passing through its network).

Page 3: What is Cybersecurity?

Cybersecurity combines people, processes, and technology to continually monitor for vulnerabilities and respond proactively to secure the system.

Cybersecurity is a highly technical, specialized field.

The confidential nature of the data stored in accounting systems puts increasing pressure on accounting professionals to understand IT security.

Page 4: 10 Domains of Cybersecurity, (ISC)² (International Information Systems Security Certification Consortium)

Figure: the ten domains, each covered in turn in this chapter: Legal, Regulations, Compliance and Investigations; Information Security and Risk Management; Security Architecture and Design; Telecommunications, Network and Internet Security; Access Control; Operations Security; Physical and Environmental Security; Application Security; Business Continuity and Disaster Recovery; Cryptography.

Page 5: 10 Domains of Cybersecurity, (ISC)² (figure, continued)

Page 6: What is the Legal, Regulations, Compliance and Investigations Domain?

Cybercrimes: crimes connected to information assets and IT.

Cyberlaws: laws and regulations to prevent, investigate, and prosecute cybercrimes.

Cyber forensics: collecting, examining, and preserving evidence of cybercrimes in a way that keeps the evidence intact and admissible.

Page 7: Legal, Regulations, Compliance and Investigations Domain: Cybercrime

93% of electronic records breached were in the financial services industry.

90% of breaches were tied to organized crime.

Page 8: Legal, Regulations, Compliance and Investigations Domain: Cybercrime

Successful breaches typically involve an attacker exploiting a mistake made by the victim organization, such as an unpatched system, a weak or default password, or a misconfigured device, rather than a novel technique.

Page 9: Legal, Regulations, Compliance and Investigations Domain: Cybercrime

Well-known cyberattacks include:

Salami attacks: taking very small amounts from numerous accounts or transactions so that they accumulate into a significant sum. Example: diverting the fractions of a cent that are discarded when interest calculations are rounded into an attacker's account. Each individual posting looks correct to within rounding, which is why the totals alone rarely reveal it.

Social engineering: manipulating an individual into divulging confidential information to be used for fraudulent purposes. Example: phishing, a faked email that appears to come from the IT department and asks the recipient to email back details of their account.
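The rounding salami described above, as an added Go example (not code from the textbook): an honest interest run beside a tampered one that truncates every account and sweeps the discarded fractions into an attacker-controlled suspense account, then two controls run over the postings. The account balances, the 3% rate, and the account names (including "SUSP-9") are constructed for the example.

```go
package main

import (
	"fmt"
	"math/big"
)

// Balances are kept in whole cents; interest is computed at full precision
// with math/big so that the rounding residue is explicit rather than lost.
type Account struct {
	ID      string
	Balance int64 // cents
}

// Entry is one interest credit posted to the ledger.
type Entry struct {
	AccountID string
	Cents     int64
}

// exactInterest returns balance * rate / 12 in cents as an exact rational
// (ratePercent is an annual rate, e.g. 3 for 3%, applied for one monthly cycle).
func exactInterest(a Account, ratePercent int64) *big.Rat {
	r := new(big.Rat).SetInt64(a.Balance)
	return r.Mul(r, big.NewRat(ratePercent, 1200))
}

// floorCents truncates a non-negative exact amount to whole cents.
func floorCents(x *big.Rat) int64 {
	return new(big.Int).Quo(x.Num(), x.Denom()).Int64()
}

// roundHalfUp is the bank's official posting rule.
func roundHalfUp(x *big.Rat) int64 {
	return floorCents(new(big.Rat).Add(x, big.NewRat(1, 2)))
}

// postInterest is the honest posting run.
func postInterest(accts []Account, rate int64) []Entry {
	var out []Entry
	for _, a := range accts {
		out = append(out, Entry{a.ID, roundHalfUp(exactInterest(a, rate))})
	}
	return out
}

// postInterestSalami is the tampered run: every account is truncated instead
// of rounded and the discarded fractions are swept into the sweepTo account.
func postInterestSalami(accts []Account, rate int64, sweepTo string) []Entry {
	var out []Entry
	residue := new(big.Rat)
	for _, a := range accts {
		x := exactInterest(a, rate)
		t := floorCents(x)
		residue.Add(residue, new(big.Rat).Sub(x, new(big.Rat).SetInt64(t)))
		out = append(out, Entry{a.ID, t})
	}
	return append(out, Entry{sweepTo, floorCents(residue)})
}

// aggregateCheck is the weak control: total credited versus total exact
// interest, within one cent per account. The tampered run passes it.
func aggregateCheck(accts []Account, rate int64, posted []Entry) bool {
	var total int64
	for _, e := range posted {
		total += e.Cents
	}
	exact := new(big.Rat)
	for _, a := range accts {
		exact.Add(exact, exactInterest(a, rate))
	}
	diff := new(big.Rat).Sub(new(big.Rat).SetInt64(total), exact)
	diff.Abs(diff)
	return diff.Cmp(big.NewRat(int64(len(accts)), 1)) <= 0
}

// reconcile is the effective control: recompute every posting independently
// with the official rule and flag any account whose credit differs, plus any
// credit to an account that is not in the ledger at all.
func reconcile(accts []Account, rate int64, posted []Entry) []string {
	expected := map[string]int64{}
	for _, a := range accts {
		expected[a.ID] = roundHalfUp(exactInterest(a, rate))
	}
	var flagged []string
	for _, e := range posted {
		if want, ok := expected[e.AccountID]; !ok || want != e.Cents {
			flagged = append(flagged, e.AccountID)
		}
	}
	return flagged
}

// sample is a constructed five-account ledger, not data from the text.
var sample = []Account{{"A1", 123456}, {"A2", 250000}, {"A3", 99999}, {"A4", 1000001}, {"A5", 33333}}

func main() {
	honest := postInterest(sample, 3)
	tampered := postInterestSalami(sample, 3, "SUSP-9")
	fmt.Println("aggregate check  honest:", aggregateCheck(sample, 3, honest), " tampered:", aggregateCheck(sample, 3, tampered))
	fmt.Println("reconcile        honest:", reconcile(sample, 3, honest), " tampered:", reconcile(sample, 3, tampered))
}
```

With five accounts the sweep is a single cent, which is the point: only per-account recomputation (and a watch on credits to accounts that should never receive interest) surfaces it, and the same check scales to the thousands of accounts where the sum becomes worth stealing.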

Page 10: Legal, Regulations, Compliance and Investigations Domain: Cybercrime

Well-known cyberattacks include:

Dumpster diving: rummaging through garbage for discarded documents or digital media. Example: buying discarded computer hardware and extracting data left on the hard drive, which is why drives should be wiped or physically destroyed before disposal.

Password sniffing: capturing passwords by recording the messages sent between computers on a network. Example: capturing traffic on a free wi-fi network at the local coffee shop to obtain others' passwords. Any credential sent without encryption (plain HTTP rather than HTTPS, for instance) can be read this way.

Page 11: Legal, Regulations, Compliance and Investigations Domain: Cyberlaw

Cyberlaws are constantly evolving to meet more sophisticated cyberattacks.

Laws related to cybersecurity originate from:

Legislation

Regulations

Case law

Page 12: Legal, Regulations, Compliance and Investigations Domain: Cyberlaw

Legislation and standards affecting cyberlaw include:

Sarbanes-Oxley Act (SOX): addresses requirements for proper internal control over financial reporting, including information security and IT controls.

Gramm-Leach-Bliley Act (GLBA): requires financial institutions to have adequate cybersecurity to safeguard customer data and prevent its unauthorized sharing.

Payment Card Industry Data Security Standard (PCI DSS): not legislation but a contractual standard set by the card brands. It requires organizations that store, process, or transmit credit and debit card data to meet cybersecurity requirements, including security for the storage and transmission of payment card data.

Federal Information Security Management Act (FISMA): requires federal agencies and their contractors to have information security programs.

Page 13: Legal, Regulations, Compliance and Investigations Domain: Cyber Forensics

Cyber forensics: collecting, examining, and preserving evidence of cybercrimes. Evidence is examined on copies (disk images) rather than the original media, and a chain of custody records who handled it, so that it remains admissible.

Organizations often use law enforcement, regulatory agencies, and outside consultants to conduct cyber forensic investigations.

Page 14: What is the Information Security and Risk Management Domain?

Information security and risk management consists of the preventive and proactive measures taken to prevent cybercrimes.

Information security: policies and procedures required to secure information assets, including IT hardware, software, and stored data.

Information risk management: manages the risk related to information assets and IT, and is part of the larger enterprise risk management (ERM).

Page 15: Information Security and Risk Management Domain: Security Management Principles

Fundamental principles of information security are summarized as CIA:

Confidentiality: sensitive data at each point in information processing is protected from unauthorized access and disclosure.

Integrity: data is accurate, complete, and not altered without authorization, so it can be relied on.

Availability: required data is available as needed by an organization's users, such as accountants. If data is destroyed, it can be restored from backups so it is available again.

Page 16: Information Security and Risk Management Domain: Information Security Management

Information security management involves developing and enforcing security policies, standards, guidelines and procedures for information.

Three types of information security controls are:

Administrative controls: security policies, standards, guidelines and procedures, including screening employees and providing security training.

Technical or logical controls: mechanisms implemented in hardware and software, such as access control lists, authentication, encryption, firewalls, and the secure configuration of the IT infrastructure.

Physical controls: facility access control, environmental controls, and intrusion detection.

Page 17: Information Security and Risk Management Domain: Security Frameworks

A security framework provides a conceptual structure to address security and control. Security frameworks include:

Control Objectives for Information and Related Technology (COBIT), for governing and managing IT, including IT security.

Committee of Sponsoring Organizations of the Treadway Commission (COSO), which provides a framework for internal control and corporate governance.

The International Organization for Standardization (ISO) 27000 series, in which ISO/IEC 27001 specifies the requirements for an information security management system (ISMS).

Page 18: What is the Security Architecture and Design Domain?

The security architecture and design domain relates to security for IT architecture and design.

IT architecture consists of the architecture for computers, networks, and databases.

Page 19: Security Architecture and Design Domain: Network Architecture

Networks are interconnected computers and devices.

Network architecture consists of network hardware and software.

Three categories of networks, by geographic reach:

Local area networks (LANs)

Metropolitan area networks (MANs)

Wide area networks (WANs)

Page 20: Security Architecture and Design Domain: Network Architecture

Local area network (LAN) (figure)

Page 21: Security Architecture and Design Domain: Network Architecture

Metropolitan area network (MAN) (figure)

Page 22: Security Architecture and Design Domain: Network Architecture

Wide area network (WAN) (figure)

Page 23: Security Architecture and Design Domain: Network Architecture

LAN cluster (figure)

Page 24: Security Architecture and Design Domain: Network Architecture

Enterprise intranet (figure)

Page 25: What is the Telecommunications, Network and Internet Security Domain?

This domain covers security for telecommunications, networks, and the Internet.

Telecommunications, networks, and the Internet all relate to data transmission.

Page 26: Telecommunications, Network & Internet Security Domain: Network Security

Cyberattacks often target network access points (NAPs) because they offer a way into the network.

Routers, bridges, and gateways are access points to the network.

Firewalls, whether dedicated appliances or software, control the traffic allowed between two networks. Placed at these access points they block unauthorized connections, typically by permitting only explicitly allowed sources, destinations, and ports and denying everything else.

Page 27: Telecommunications, Network & Internet Security Domain: Network Security

Enterprise intranet with firewalls (figure)

Page 28: Telecommunications, Network & Internet Security Domain: Internet Security

Firewalls play an important role in e-commerce.

If the web server sits behind the high-security firewall that protects the intranet, the general public cannot reach the website.

If the web server sits in front of the enterprise firewall with no protection, hackers may deface the website or use it as a stepping stone into the enterprise.

To address this dilemma, an enterprise places its web servers behind a low-security (outer) firewall, the first firewall facing the outside world, which admits only public web traffic. A second, high-security (inner) firewall sits behind the web servers and admits only the specific connections the web tier needs into the intranet.

Page 29: Telecommunications, Network & Internet Security Domain: Internet Security

E-commerce architecture using firewalls and a DMZ (figure)

The demilitarized zone (DMZ) is the network segment between the first (outer) and second (inner) firewall. A server in the DMZ can be reached from the Internet, but if it is compromised the inner firewall still limits what the attacker can reach inside.
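The two-firewall DMZ design of the last two slides expressed as a rule set, as an added Go example (not code from the textbook). The address plan is an assumption for the example: 192.0.2.0/24 (TEST-NET-1) stands in for the DMZ, 10.0.0.0/8 for the intranet, 192.0.2.10 is the web server and 10.0.5.20 the database server; rule syntax and the `Evaluate` function are the example's own, not any vendor's.

```go
package main

import (
	"fmt"
	"net"
)

// Flow is one connection attempt: source, destination, destination port.
type Flow struct {
	Src, Dst net.IP
	DstPort  int
}

// Rule is one allow/deny line; DstPort 0 matches any port.
type Rule struct {
	Src, Dst *net.IPNet
	DstPort  int
	Allow    bool
}

// Firewall evaluates rules in order; first match wins, unmatched traffic is denied.
type Firewall struct {
	Name  string
	Rules []Rule
}

func (f Firewall) Permits(fl Flow) bool {
	for _, r := range f.Rules {
		if r.Src.Contains(fl.Src) && r.Dst.Contains(fl.Dst) && (r.DstPort == 0 || r.DstPort == fl.DstPort) {
			return r.Allow
		}
	}
	return false
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Constructed address plan (an assumption for the example).
var (
	anywhere = cidr("0.0.0.0/0")
	dmz      = cidr("192.0.2.0/24")
	internal = cidr("10.0.0.0/8")
	webSrv   = cidr("192.0.2.10/32")
	dbSrv    = cidr("10.0.5.20/32")
)

// outer is the low-security firewall facing the Internet: only public web
// traffic, and only to the web server in the DMZ.
var outer = Firewall{"outer", []Rule{
	{anywhere, webSrv, 80, true},
	{anywhere, webSrv, 443, true},
}}

// inner is the high-security firewall in front of the intranet: only the web
// server may reach the database, and only on its service port.
var inner = Firewall{"inner", []Rule{
	{webSrv, dbSrv, 5432, true},
}}

func zone(ip net.IP) string {
	switch {
	case internal.Contains(ip):
		return "internal"
	case dmz.Contains(ip):
		return "dmz"
	}
	return "internet"
}

// Evaluate passes the flow through every firewall on its path and reports
// which one, if any, dropped it.
func Evaluate(fl Flow) (allowed bool, droppedBy string) {
	from, to := zone(fl.Src), zone(fl.Dst)
	var path []Firewall
	if (from == "internet") != (to == "internet") { // crosses the outer boundary
		path = append(path, outer)
	}
	if (from == "internal") != (to == "internal") { // crosses the inner boundary
		path = append(path, inner)
	}
	for _, fw := range path {
		if !fw.Permits(fl) {
			return false, fw.Name
		}
	}
	return true, ""
}

func flow(src, dst string, port int) Flow {
	return Flow{net.ParseIP(src), net.ParseIP(dst), port}
}

func main() {
	for _, fl := range []Flow{
		flow("203.0.113.7", "192.0.2.10", 443), // customer -> web server: allowed
		flow("203.0.113.7", "192.0.2.10", 22),  // customer -> web server SSH: outer drops
		flow("203.0.113.7", "10.0.5.20", 5432), // Internet -> database: outer drops
		flow("192.0.2.10", "10.0.5.20", 5432),  // web server -> database: allowed
		flow("192.0.2.10", "10.0.5.21", 5432),  // web server -> other internal host: inner drops
		flow("192.0.2.11", "10.0.5.20", 5432),  // other DMZ host -> database: inner drops
	} {
		ok, by := Evaluate(fl)
		fmt.Printf("%-13s -> %-11s:%-5d allowed=%-5v dropped_by=%s\n", fl.Src, fl.Dst, fl.DstPort, ok, by)
	}
}
```

The last two flows are the reason for the inner firewall: a compromised web server, or any other host that ends up in the DMZ, still cannot reach anything inside except the one database port the web tier legitimately needs.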

Page 30: Telecommunications, Network & Internet Security Domain: Internet Security

Enterprise intranet with honeypot (figure)

A honeypot is a computer located in the DMZ holding attractive but irrelevant data. No legitimate user has a reason to connect to it, so any traffic to it is suspect by definition.

The honeypot is used to distract hackers and to observe their tools and techniques.

Organizations may identify hackers by tracing them back to their source while the hackers are busy with the honeypot, although attackers routinely route through compromised intermediate machines, so the trace often stops short of the true origin.

Page 31: What is the Access Control Domain?

The access control domain addresses security for access to the enterprise system, including computers, networks, routers and databases.

Access control threats include:

Network sniffers that examine traffic on the network to capture credentials

Phishing to obtain confidential information

Identity theft

Page 32: Access Control Domain: Access Control Principles

Security principles for access control include:

Identification: the user claims an identity, for example by presenting a username.

Authentication: the user proves that claim, for example with a password, token, or biometric.

Authorization: the system determines what the authenticated identity is permitted to do.

Accountability: actions are logged against the identity so that they can be traced to a person afterwards.

For a user to be allowed access to a secured system (computers and network), the user should be identified, authenticated, and then authorized to access the system, with the outcome recorded.

Page 33: Access Control Domain: Password Management

To log in to the system, a user typically supplies a username, which identifies the user, and a password, which authenticates the claim.

Password management involves:

Number of passwords a user has

How frequently the password must be changed

Password format, including length and type (e.g., alphanumeric)

Number of incorrect login attempts allowed before the account is locked
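The four access-control steps of the previous two slides, plus the lockout after too many incorrect attempts, as one login-and-act flow in Go. This is an added example, not code from the textbook: the users, roles, actions, and passwords are constructed, and the salted iterated SHA-256 is a standard-library stand-in for a real password hash such as bcrypt or argon2id.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// User is one identity record. Only a salted hash of the password is stored.
type User struct {
	Name   string
	Role   string
	Salt   []byte
	Hash   []byte
	Failed int // consecutive failed logins
	Locked bool
}

// Event is one audit record: who tried what, and what the system decided.
type Event struct {
	User, Action, Outcome string
}

type System struct {
	users     map[string]*User
	perms     map[string]map[string]bool // role -> permitted actions
	MaxFailed int
	Audit     []Event // accountability: every decision is recorded
}

// hashPassword is a salted, iterated SHA-256: a stand-in for bcrypt/argon2id
// so that the example needs only the standard library.
func hashPassword(salt []byte, password string) []byte {
	h := []byte(password)
	for i := 0; i < 10000; i++ {
		sum := sha256.Sum256(append(append([]byte{}, salt...), h...))
		h = sum[:]
	}
	return h
}

func NewSystem(maxFailed int) *System {
	return &System{users: map[string]*User{}, perms: map[string]map[string]bool{}, MaxFailed: maxFailed}
}

func (s *System) AddUser(name, password, role string) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	s.users[name] = &User{Name: name, Role: role, Salt: salt, Hash: hashPassword(salt, password)}
}

func (s *System) Grant(role, action string) {
	if s.perms[role] == nil {
		s.perms[role] = map[string]bool{}
	}
	s.perms[role][action] = true
}

func (s *System) log(user, action, outcome string) string {
	s.Audit = append(s.Audit, Event{user, action, outcome})
	return outcome
}

// Request runs identification, authentication, authorization and
// accountability for one action and returns "ok" or the reason for denial.
func (s *System) Request(name, password, action string) string {
	// 1. Identification: the claimed username selects a record.
	u, known := s.users[name]
	if !known {
		hashPassword(make([]byte, 16), password) // same cost, so timing does not reveal valid usernames
		return s.log(name, action, "denied: bad credentials")
	}
	// 2. Authentication: lockout first, then constant-time hash comparison.
	if u.Locked {
		return s.log(name, action, "denied: account locked")
	}
	if subtle.ConstantTimeCompare(hashPassword(u.Salt, password), u.Hash) != 1 {
		u.Failed++
		if u.Failed >= s.MaxFailed {
			u.Locked = true
			return s.log(name, action, "denied: account locked")
		}
		return s.log(name, action, "denied: bad credentials")
	}
	u.Failed = 0
	// 3. Authorization: the user's role must have been granted this action.
	if !s.perms[u.Role][action] {
		return s.log(name, action, "denied: not authorized")
	}
	// 4. Accountability: success is logged like every other outcome.
	return s.log(name, action, "ok")
}

// sampleSystem is a constructed two-role setup: clerks enter invoices, only
// the controller approves payments (segregation of duties).
func sampleSystem() *System {
	s := NewSystem(3)
	s.AddUser("aclerk", "correct horse battery staple", "ap-clerk")
	s.AddUser("ctrl", "Tr0ub4dor&3", "controller")
	s.Grant("ap-clerk", "enter-invoice")
	s.Grant("controller", "enter-invoice")
	s.Grant("controller", "approve-payment")
	return s
}

func main() {
	s := sampleSystem()
	fmt.Println(s.Request("aclerk", "correct horse battery staple", "enter-invoice"))
	fmt.Println(s.Request("aclerk", "correct horse battery staple", "approve-payment"))
	for i := 0; i < 3; i++ {
		fmt.Println(s.Request("ctrl", "wrong", "approve-payment"))
	}
	fmt.Println(s.Request("ctrl", "Tr0ub4dor&3", "approve-payment")) // locked even with the right password
	for _, e := range s.Audit {
		fmt.Printf("%+v\n", e)
	}
}
```

Two details matter for the threats listed on page 31: an unknown username and a wrong password return the same message after the same amount of work, so an attacker cannot enumerate valid accounts, and the audit trail records denials as well as successes, which is what an investigator needs afterwards.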

Page 34: Access Control Domain: Password Management

Dynamic password: a one-time password that is used once and then replaced, so a captured password is worthless to a sniffer.

Token device (TD):

Is a hardware device holding a secret shared with the server and a counter or clock, from which it generates passwords.

Creates a new password each time the token is used.

Eliminates the need for the user to memorize a continually changing password.

Single sign-on (SSO): permits the user to use one username and password to log into various systems. It reduces the number of passwords to manage, but a single compromised credential then opens every connected system.
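What the token device and the server actually compute, as an added Go example (not code from the textbook). It implements the HOTP algorithm of RFC 4226, which is what counter-based hardware tokens use: the token and the server share a secret and a counter, and each press yields a fresh six-digit code. The `Token` and `Server` types, the look-ahead window of 3, and the session in `main` are the example's own choices; the secret is the RFC 4226 test secret, so the codes can be checked against its published vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp computes a 6-digit HMAC-based one-time password (RFC 4226) for one
// counter value: HMAC-SHA1 over the big-endian counter, dynamic truncation,
// then the low six decimal digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Token is the hardware device: it holds the shared secret and a counter and
// emits a fresh code every time the button is pressed.
type Token struct {
	secret  []byte
	counter uint64
}

func (t *Token) Next() string {
	code := hotp(t.secret, t.counter)
	t.counter++
	return code
}

// Server is the verifying side. It keeps its own counter, accepts a code only
// from the next `window` counter values (so a few unused presses do not lock
// the user out), and never accepts a counter value twice.
type Server struct {
	secret  []byte
	counter uint64
	window  uint64
}

func (s *Server) Verify(code string) bool {
	for i := uint64(0); i < s.window; i++ {
		// hmac.Equal compares in constant time, so a guess cannot be timed.
		if hmac.Equal([]byte(hotp(s.secret, s.counter+i)), []byte(code)) {
			s.counter += i + 1 // move past the accepted value: a replay now fails
			return true
		}
	}
	return false
}

// rfcSecret is the RFC 4226 Appendix D test secret; the session below is
// constructed for the example.
var rfcSecret = []byte("12345678901234567890")

func main() {
	tok := &Token{secret: rfcSecret}
	srv := &Server{secret: rfcSecret, window: 3}
	c0 := tok.Next()
	fmt.Println(c0, srv.Verify(c0), srv.Verify(c0)) // second Verify is a replay
	tok.Next()                                     // pressed but never submitted
	c2 := tok.Next()
	fmt.Println(c2, srv.Verify(c2)) // still within the look-ahead window
}
```

The replay check is the whole point of a dynamic password: a sniffer on the coffee-shop wi-fi (page 10) who captures `c0` gains nothing, because the server has already moved its counter past it.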

Page 35: Access Control Domain: Biometric Access

Biometrics is an access method that identifies or verifies the user by measuring his or her physical attributes.

Biometrics include:

fingerprints

face recognition

retina scans

palm scans

Unlike a password, a biometric cannot be changed if it is copied, so the stored templates need the same protection as any other credential.

Page 36: Access Control Domain: Intrusion Detection and Prevention Systems

Intrusion detection systems (IDS) monitor network or host activity and raise an alert when they recognize an attack. On their own they do not stop it, so by the time someone reads the alert the attack has already occurred.

Intrusion prevention systems (IPS) sit inline in the traffic path and attempt to stop attacks as they happen by dropping malicious packets before they reach their target.

An IPS inspects the enterprise's own network traffic, much as a sniffer does, to detect malicious messages; a message that matches a known attack can be dropped before it causes harm. Because an IPS can also block legitimate traffic on a false positive, organizations tune it carefully and typically run IDS and IPS together.

Page 37: What is the Operations Security Domain?

Operations security refers to the activities and procedures required to keep information technology running securely.

IT security management includes responsibility for maintaining security devices and software, such as virus detection, firewalls, intrusion prevention systems (IPS), and intrusion detection systems (IDS). Security assessment is carried out on a scheduled basis to evaluate the security of the various components of the enterprise system.

IT security operational responsibilities relate to how the enterprise system operates. They include input/output controls, accounting for software licenses, training for all employees regarding security procedures, conducting vulnerability checks, and developing contingency plans for cyberattacks.

Page 38: What is the Physical and Environmental Security Domain?

The physical and environmental security domain addresses the physical security of information technology: the hardware, storage media, and facilities that hold the software and data.

Physical threats include natural environmental disasters, such as fire and flood; supply system threats, such as loss of power or cooling; man-made threats, such as theft and vandalism; and politically motivated threats.

Page 39: What is the Application Security Domain?

The application security domain addresses security and controls for application software, including input, processing, and output.

Application software includes the accounting and spreadsheet software that accounting professionals use daily.

Page 40: Application Security Domain: Malware

Malware (malicious software) is spread throughout an enterprise system by email, fake advertisements, Internet downloads, and shared drives.

Malware includes:

Viruses

Bots

Worms

Logic bombs

Trojan horses

Spam (unsolicited email, which is not itself malware but is the usual carrier for it)

Page 41: Application Security Domain: Malware

Bots (short for robots): a program that installs itself on an infected computer, called a zombie, and then takes commands from and reports information back to the attacker's command-and-control computer, called the master. Many zombies under one master form a botnet.

Page 42: Application Security Domain: Malware

Viruses: a small program that infects other application software by attaching itself to the application and disrupting its function; it spreads when the infected program is copied or run. Antivirus software can detect and remove known viruses.

Worms: self-replicating malware that spreads from computer to computer across a network on its own, without attaching to a host program or waiting for a user to run it.

Logic bombs: malware that lies dormant and executes when a specified event happens within the computer, as for example when the user logs into his or her bank account.

Trojan horses: malware disguised as a legitimate program, which users download and install without realizing it is malicious.

Spam: unsolicited bulk email. Spam is not malware in itself, but its attachments and links can deliver a virus, bot, logic bomb, worm, or Trojan horse.

Page 43: What is the Business Continuity and Disaster Recovery Domain?

This domain addresses an enterprise's business continuity and disaster recovery plan.

The goals of a disaster recovery plan include:

Minimize disruption, damage, and loss from a disaster

Provide a temporary method for processing business and accounting transactions

Resume normal operations quickly

Page 44: Business Continuity and Disaster Recovery Domain: Backup Methods

Accounting data backups are critical and should be scheduled on a regular basis.

The Grandfather-Father-Son method keeps several generations of backups rather than overwriting the single most recent one, so that a corrupted or compromised backup can be replaced by an older generation. In its simplest form one backup is made each day:

Monday backup (Grandfather)

Tuesday backup (Father)

Wednesday backup (Son)

and so on, with the oldest generation recycled when a new backup is made. In practice the generations are usually daily (son), weekly (father), and monthly (grandfather) backups, with at least one generation stored off-site.
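A retention routine for the Grandfather-Father-Son rotation, as an added Go example (not code from the textbook). The policy it encodes is an assumption for the example: every backup from the last N days is a son, the newest backup of each of the last W ISO weeks is a father, the newest backup of each of the last M calendar months is a grandfather, and everything else may be recycled. The sixty nightly backups ending on 2024-03-31 are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// gfsRetain decides which backups survive the rotation and returns a map from
// backup date (YYYY-MM-DD) to the generation that keeps it. Backups absent
// from the map may be overwritten or recycled.
func gfsRetain(backups []time.Time, now time.Time, days, weeks, months int) map[string]string {
	sorted := append([]time.Time(nil), backups...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].After(sorted[j]) })

	keep := map[string]string{}
	seenWeek := map[string]bool{}
	seenMonth := map[string]bool{}
	day := 24 * time.Hour
	for _, b := range sorted {
		if b.After(now) {
			continue // a future-dated backup is a clock problem, not a generation
		}
		age := now.Sub(b)
		y, w := b.ISOWeek()
		week := fmt.Sprintf("%d-W%02d", y, w)
		month := b.Format("2006-01")
		switch {
		case age < time.Duration(days)*day:
			keep[b.Format("2006-01-02")] = "son"
		case !seenWeek[week] && age < time.Duration(weeks)*7*day:
			keep[b.Format("2006-01-02")] = "father"
		case !seenMonth[month] && age < time.Duration(months)*31*day:
			keep[b.Format("2006-01-02")] = "grandfather"
		}
		// Newest-first order means the first backup seen in a week or month is the one kept.
		seenWeek[week] = true
		seenMonth[month] = true
	}
	return keep
}

// sampleBackups constructs sixty nightly backups ending on 2024-03-31 (a Sunday).
func sampleBackups() (backups []time.Time, now time.Time) {
	now = time.Date(2024, 3, 31, 0, 0, 0, 0, time.UTC)
	for i := 0; i < 60; i++ {
		backups = append(backups, now.AddDate(0, 0, -i))
	}
	return backups, now
}

func countByLabel(keep map[string]string) map[string]int {
	counts := map[string]int{}
	for _, label := range keep {
		counts[label]++
	}
	return counts
}

func main() {
	backups, now := sampleBackups()
	keep := gfsRetain(backups, now, 7, 4, 3)
	fmt.Println(countByLabel(keep), "kept of", len(backups))
	for _, b := range backups {
		if label, ok := keep[b.Format("2006-01-02")]; ok {
			fmt.Println(b.Format("2006-01-02 Mon"), label)
		}
	}
}
```

With a 7-day, 4-week, 3-month policy the sixty backups shrink to eleven: the seven most recent nights, the Sundays of the three previous weeks (the current week's father is already kept as a son), and 29 February as the last backup of the previous month. The point of the several generations is that a backup taken after ransomware or tampering struck is not the only one left.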

Page 45: Business Continuity and Disaster Recovery Domain: Backup Facilities

Backup facilities can include:

Reciprocal agreements between organizations, under which each agrees to provide backup processing for the other.

Internal sites, used by large organizations with multiple locations that can take over for one another.

Hot site: a commercial disaster recovery service that can be leased by an enterprise to provide IT services in the event of a disaster; it is fully equipped and can be operational in a few hours.

Warm site: a commercial disaster recovery service that is only partially configured, with some equipment in place, and may take a few days to become operational.

Cold site: a commercial disaster recovery service providing air conditioning, wiring, and plumbing but no IT equipment; it takes several days to become operational because hardware must be brought in and installed.

Page 46: What is the Cryptography Domain?

Cryptography is encoding data in a form that only the sender and the intended receiver can understand.

Encryption is a method of converting plaintext data into an unreadable form called ciphertext.

Ciphertext is converted back to plaintext using decryption.

Page 47: Cryptography Domain: Encryption Methods

Encryption methods determine the number of keys and how the keys are used to encode and decode data.

Encryption methods include:

Symmetric cryptography, or the 1-key method: the same key is used to encode and to decode. Both the sender and the recipient must hold the same secret key, which means the key itself has to be delivered over a secure channel and kept secret by both sides.

Symmetric Cryptography (1 Key Method) (figure)

Page 48: Cryptography Domain: Encryption Methods

Encryption methods include:

Asymmetric cryptography, or the 2-key method: uses a pair of keys, one to encode and a second, mathematically related but different key to decode the message.

Public key: can be given to anyone and is used to encrypt a message to the key's owner.

Private key: kept secret by the owner and is the only key that can decode such a message. (For digital signatures the roles reverse: the owner signs with the private key and anyone can verify with the public key.)

Asymmetric Cryptography (2 Key Method) (figure)

Page 49: Cryptography Domain: Encryption Methods

Encryption methods include:

Digital envelope, or the 3-key method: combines symmetric and asymmetric cryptography. The sender generates a random one-time symmetric session key, encrypts the message with it, and then encrypts that session key with the intended recipient's public key; the encrypted session key travels with the message as the "envelope". The recipient opens the envelope with their private key to recover the session key and uses it to decode the message. This keeps the speed of symmetric encryption for the bulk of the data while the 2-key method solves the problem of delivering the key.
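The 3-key method as working Go code, an added example that is not from the textbook. It uses the standard library's RSA-OAEP for the 2-key part (wrapping the session key with the recipient's public key) and AES-256-GCM for the 1-key part (encrypting the message with the session key). The `Envelope` fields, the `Seal`/`Open` names, the 2048-bit key pair, and the sample message are the example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope carries what the recipient needs: the session key wrapped with
// their public key, the GCM nonce, and the symmetric ciphertext (which ends
// with GCM's authentication tag, so tampering is detected on Open).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts plaintext under a fresh random AES-256 session key (key 1),
// then wraps that key with the recipient's RSA public key (key 2) so that only
// the matching private key (key 3) can recover it.
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open reverses Seal. The wrong private key, or any change to the wrapped key,
// nonce or ciphertext, produces an error rather than garbage plaintext.
func Open(recipient *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

func newKeyPair() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	recipient := newKeyPair()
	msg := []byte("Approve wire of $12,500.00 to vendor 4471") // constructed sample
	env, err := Seal(&recipient.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	got, err := Open(recipient, env)
	fmt.Printf("recovered: %q err=%v\n", got, err)
	env.Ciphertext[0] ^= 0x01 // flip one bit in transit
	_, err = Open(recipient, env)
	fmt.Println("after tampering:", err)
}
```

Note that the message never touches RSA directly: the public-key operation only ever wraps a 32-byte key, which is both faster and avoids RSA's message-size limit, and GCM's tag means the recipient learns of any alteration instead of posting a modified instruction.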

Page 50: Cryptography Domain: Encryption Methods

Encryption is a useful tool for protecting data in transit and when stored in databases (data at rest). It does not protect data while it is being entered or processed on a compromised computer.

As encryption tools have improved, crackers (high-level hackers) use more sophisticated techniques to bypass data encryption rather than to break it.

Example: malware that captures keystrokes as the user types data into the screen. The data is captured by the cracker before there is a chance for it to be encrypted, so the strength of the encryption is irrelevant.

Page 51: (end of chapter)