Chapter 5

www.themegallery.com
Financial Information Systems
AN-NAJAH
NATIONAL UNIVERSITY
Faculty of Economics and
Social Sciences
Department of Finance
Dr. Muath Asmar

Chapter 5
Cybersecurity
© Copyright 2014 Pearson Education. All Rights Reserved.

How Secure is Your Credit Card?
Meet Heartland.

What is Cybersecurity?
Cybersecurity combines people, processes, and technology
to continually monitor vulnerabilities and respond proactively
to secure the system.
Cybersecurity is a highly technical, specialized field.
The confidential nature of data stored in accounting systems
puts increasing pressure on accounting professionals to
understand IT security.

10 Domains of Cybersecurity
(ISC)2 International Information Systems
Security
1. Legal, regulations, compliance, and investigations
2. Information security and risk management
3. Security architecture and design
4. Telecommunications, network, and Internet security
5. Access control
6. Operations security
7. Physical and environmental security
8. Application security
9. Business continuity and disaster recovery
10. Cryptography
Learn Info Security Tech, Avoid Oops Please,
Accountants Beware Cybercrime!

What is the Legal, Regulations,
Compliance and Investigations Domain?
Cybercrimes: crimes connected to
information assets and IT.
Cyberlaws: laws and regulations to prevent,
investigate, and prosecute cybercrimes.
Cyber forensics: involves laws and
regulations to prevent, investigate, and
prosecute cybercrimes.
, examining, and preserving evidence of
cybercrimes.

93% of electronic records breached were in
the financial services industry.
90% of breaches were tied to organized crime.
Legal, Regulations, Compliance and
Investigations Domain
Cybercrime

Successful breaches typically involve an attacker
exploiting a mistake made by the victim
organization
Cybercrime

Well-known cyberattacks include:
Salami attacks
Typically for very small amounts over numerous accounts that
accumulate into significant sums
Example: rounding interest calculations into an attacker’s account.
Social engineering
Manipulating an individual into divulging confidential information to be
used for fraudulent purposes.
Example: Phishing: faked IT email request to email back information
regarding your account
Cybercrime

Well-known cyberattacks include:
Dumpster diving
Rummaging through garbage for discarded documents or digital media.
Example: buying discarded computer hardware and extracting data left
on the hard drive.
Password sniffing
Attempting to obtain passwords by sniffing messages sent between
computers on the network.
Example: Sniffing messages sent over a free Wi-Fi network at the local
coffee shop to obtain others’ passwords.
Cybercrime

Cyberlaws are constantly evolving to meet more
sophisticated cyberattacks.
Laws related to cybersecurity originate from:
Legislation
Regulations
Case law
Cyberlaw

Legislation affecting cyberlaw include:
Sarbanes-Oxley
Addresses requirements for proper internal control, including
information security and controls.
Gramm-Leach-Bliley Act
Requires institutions to have adequate cybersecurity to prevent
unauthorized sharing of customer data.
Payment Card Industry Data Security Standards
PCI-DSS legislation require organizations to meet cybersecurity
requirements to safeguard credit and debit card data, including security
for storage and transmission of payment card data.
Federal Information Security Management Act
Requires federal agencies and their contractors to have information
security programs.
Cyberlaw

Collecting, examining, and preserving evidence of
cybercrimes.
Organizations often use law enforcement,
regulatory agencies, and outside consultants to
conduct cyber forensic investigations.
Cyber Forensics

What is the Information Security and
Risk Management Domain?
Information security and risk management
consists of the preventive and proactive
measures taken to prevent cybercrimes.
Information security: policies and procedures
required to secure information assets,
including IT hardware, software, and stored
data.
Information risk management: manages the
risk related to information assets and IT and is
part of the larger enterprise risk management
(ERM).

Information Security and Risk Management Domain
Security Management Principles
Fundamental principles of information security include
CIA:
Confidentiality: Sensitive data at each point in
information processing is secure and protected from
unauthorized access
Integrity: Data is accurate and reliable.
Availability: Required data is available as needed by
an organization’s users, such as accountants. If data is
destroyed, data can be restored so it is available.

Information Security Management
Information security management involves developing and
enforcing security policies, standards, guidelines and procedures
for information.
Three types of information security controls are:
Administrative controls: security policies, standards,
guidelines and procedures to screen employees and provide
security training.
Technical or logical controls: security policies, standards,
guidelines and procedures for access control and configuration of
IT infrastructure.
Physical controls: includes facility access control,
environmental controls, and intrusion detection.

Security Frameworks
A security framework provides a conceptual structure to
address security and control. Security frameworks
include:
Control Objectives for Information and Related
Technology (COBIT) for managing IT security.
Committee on Sponsoring Organizations of the
Treadway Commission (COSO) provides a framework
for corporate governance.
International Standardization Organization ISO
27000 contains specifications for an information security
management system.

What is the Security Architecture
and Design Domain?
Security architecture and design domain relates
to security for IT architecture and design.
IT architecture consists of architecture for
computers, networks, and databases.

Security Architecture and Design Domain
Network Architecture
Networks are interconnected computers and devices.
Network architecture consists of network hardware and
software.
Three categories of networks:
Local area networks (LANs)
Metropolitan area networks (MANs)
Wide area networks (WANs)

Local area network (LAN)

Metropolitan area network (MAN)

Wide area network (WAN)

LAN Cluster

Enterprise Intranet

Network Protocols
Ethernet protocol is a software program commonly used to connect computers to create a LAN.
Internet protocol (IP) is a software program that provides routing services to messages transmitted
over the Internet. This protocol provides the IP addresses, which uniquely identify the sender and
receiver's computers (for example, 193.168.0.103).
Transport control protocol (TCP) provides message transportation services between sending and
receiving computers. The Internet uses TCP and IP (TCP/IP suite) to address and transport messages
from sender to receiver.
Electronic data interchange (EDI) is a protocol that allows the enterprise network to connect to the
network of vendors and suppliers through proprietary lines.

What is the Telecommunications,
Network and Internet Security Domain?
This domain covers security for
telecommunications, networks, and the Internet.
Telecommunications, networks, and the Internet
all relate to data transmission.

Cyberattacks often target network access points
(NAP) because they offer access to the network.
Routers, bridges, and gateways are access points to
the network.
Firewalls (software programs) that control traffic
between two networks can be installed on these
routing devices to prevent unauthorized access.
Telecommunications, Network & Internet
Security Domain
Network Security

Security Domain
Network Security
Enterprise Intranet with Firewalls

Firewalls play an important role in e-commerce.
If the website server is behind a high-security firewall,
the website cannot be accessed by the general public.
If the website is in front of the enterprise firewall, then
hackers may deface the website.
To address this dilemma, an enterprise places its web
servers behind a low-level security firewall which is the
first firewall to the outside world. Another high-level
security firewall is located behind the web servers.
Security Domain
Internet Security

Security Domain
Internet Security
E-Commerce Architecture Using Firewalls and DMZ
Demilitarized zone (DMZ) is the area between
the first and second firewall.

Security Domain
Internet Security
Enterprise Intranet with Honeypot
Honeypot is a
computer located in
the DMZ with
attractive, but
irrelevant data.
The honeypot is used
to distract hackers.
Organizations may
catch hackers by
tracing them back to
their source while the
hackers are busy
hacking the honeypot.

What is the Control Access Domain?
The control access domain addresses security for
access to the enterprise system, including computers,
networks, routers and databases.
Access control threats include:
Network sniffers that examines traffic on the network
Phishing to obtain confidential information
Identify theft

Security principles for access control include:
Identification
Authentication
Authorization
Accountability
For a user to be allowed access to a secured system
(computers and network) the user should be identified,
authenticated, and then authorized to access the
system.
Access Control Domain
Access Control Principles

To identify users, usernames and passwords may be
required to log in to the system.
Password management involves:
Number of passwords a user has
How frequently the password must be changed
Password format including length and type (e.g.,
alphanumeric)
Number of incorrect login attempts
Password Management

Dynamic password: a password that is used once
and then changed.
Token device (TD):
Is a hardware device containing a password
generator protocol.
Creates a new password each time the token is
used.
Eliminates the need for the user to memorize a
continually changing password.
Single sign-on (SSO): permits the user to use one
username and password to log into various systems.
Password Management

Biometrics is an access method which identifies the
user by analyzing his/her personal attributes.
Biometrics include:
fingerprints
face recognition
retina scans
palm scans
Biometric Access

Intrusion prevention systems (IPS) attempt to
prevent cyberattacks from occurring.
Intrusion detection systems (IDS) are inadequate
because the attack has already occurred.
IPS can include sniffers used by the enterprise to
detect malicious messages on its own network. The
message can be destroyed before causing harm.
Intrusion Prevention Systems

What is the Operations Security Domain?
Operations security refers to activities and procedures required to
keep information technology running securely
IT security management includes responsibility for maintaining
security devices and software, such as virus detection, firewalls,
Intrusion Prevention Systems (IPS), and Intrusion Detection
Systems (IDS). Security assessment is carried out on a scheduled
basis to evaluate the security of the various components of the
enterprise system.
IT security operational responsibilities relate to how the enterprise
system operates. It includes input/output controls, accounting for
software licenses, training for all employees regarding security
procedures, conducting vulnerability checks, and developing
contingency plans for cyberattacks.

What is the Physical and
Environmental Security Domain?
The physical and environmental security domain
addresses the physical security of information
technology components, such as hardware and
software.
Physical threats include natural environmental
disasters, such as fire and flood, supply system
threats, man-made threats, and politically
motivated threats.

What is the Application Security Domain?
The application security domain addresses
security and controls for application software,
including input, processing, and output.
Application software includes accounting and
spreadsheet software that accounting
professionals use daily.

Malware (malicious software) is spread throughout
an enterprise system by email, fake advertisements,
Internet downloads, and shared drives.
Malware includes:
Viruses
Bots
Worms
Logic bombs
Trojan horses
Spam
Application Security Domain
Malware

Bots: (short for robots) a tiny piece of programming code which installs
itself on a Zombie (infected computer). Bots monitor the Zombie computer
and transmit information back to the Master (hacker’s computer).
Malware

Viruses: a small computer program that infects other application
software by attaching to and disrupting the application’s function.
Antivirus software can detect and remove viruses.
Logic bombs: malware that executes when a specified event
happens within the computer, as for example, when the user logs
into his or her bank account.
Trojan horses: malware disguised as a legitimate program that
may be downloaded and installed by users without realizing it is a
virus.
Spam: malware sent by email. Spam can be a virus, bot, logic
bomb, worm, or Trojan horse.
Malware

What is the Business Continuity and
Disaster Recovery Domain?
This domain addresses an enterprise’s business
continuity and disaster recovery plan.
The goals of a disaster recovery plan include:
Minimize disruption, damage, and loss from a
disaster
Provide a temporary method for processing
business and accounting transactions
Resume normal operations quickly

Accounting data backups are critical and should be
scheduled on a regular basis.
Grandfather-Father-Son method involves making
multiple backups, one each day, for example.
Monday backup (Grandfather)
Tuesday backup (Father)
Wednesday backup (Son)
and so on....
Business Continuity and Disaster Recovery Domain
Backup Methods

Backup facilities can include:
Reciprocal agreements between organizations can be used to
provide backup services.
Internal sites can be used by large organizations with multiple
locations.
Hot site is a commercial disaster recovery service that can be leased
by an enterprise to provide IT services in the event of a disaster, fully
operational in a few hours.
Warm site is a commercial disaster recovery service that is only
partially configured with some equipment and may take a few days to be
operational.
Cold site is a commercial disaster recovery service providing air
conditioning, wiring, and plumbing, but no IT equipment, taking several
days to be operational.
Business Continuity and Disaster Recovery Domain
Backup Facilities

What is the Cryptography Domain?
Cryptography is
encoding data in a
form that only the
sender and intended
receiver can
understand.
Encryption is a
method of converting
plaintext data into an
unreadable form called
ciphertext.
Ciphertext is
converted back to plain
text using decryption.

Encryption methods determine
the number of keys and how the
keys are used to encode and
decode data.
Encryption methods include:
Symmetric cryptography or 1
key method: This method uses 1
key to encode and the same key
to decode. Both the sender and
the recipient have the same key
Cryptography Domain
Encryption Methods
Symmetric Cryptography (1 Key Method)

Asymmetric cryptography or 2
key method: Uses two keys with
one key used to encode and a
second related, but different key to
decode the message.
Public key: key used to
encrypt the message.
Private key: key used to
decode the message.
Cryptography Domain
Encryption Methods
Asymmetric Cryptography (2 Key Method)

Digital envelope or 3 key method: This method combines
symmetric and asymmetric cryptography. First, the intended
recipient’s message is encoded using symmetric encryption, and
then the key to decode the message is encrypted using recipient's
public-key encryption.
Cryptography Domain
Encryption Methods

Encryption is a useful tool for protecting data in transit and
when stored in databases.
As encryption tools have improved, crackers (high-level
hackers) use more sophisticated techniques to bypass data
encryption.
Example: malware that captures keystrokes for data as the user
is entering the data into the computer screen. Data is
captured by the cracker before there is a chance for it to be
encrypted.
Cryptography Domain
Encryption Methods

Exercise
1. Write down a message using the encryption key shown in Figure 11.14.
2. Exchange your encrypted message with a classmate.
3. Decipher your classmate’s message using the decryption key shown in Figure
11.14.
4. Compare your decryption with your classmate’s original message. How did
you do?
My Connection
Study Less. Learn More. Make Connections.

Chapter 5

More Related Content

What's hot (20)

Similar to Chapter 5 (20)

More from Dr. Muath Asmar (20)

Recently uploaded (20)

Chapter 5

Editor's Notes