Part B : 5.13 IS Attack Methods & Techniques Flashcards
Who developed the fraud triangle?
Criminologist Donald R. Cressey in the 1950s.
What did Cressey believe were the 3 key elements in the fraud triangle?
1) Motivation - perceived financial (or other) need
2) Rationalization - the way the fraudster justifies the crime to themselves
3) Opportunity - method by which the crime is to be committed
How is opportunity for fraud created?
By abuse of position and authority, poor internal controls, poor management oversight.
Opportunity is the element over which organisations have the most control.
How can opportunity to commit fraud be limited?
Can be limited by security controls such as logical access controls, segregation of duties, human resource security.
What are the threats to the business as a result of computer crimes?
1) Financial Loss
2) Legal repercussions
3) Loss of credibility or competitive edge
4) Blackmail, industrial espionage, organised crime
5) Disclosure of confidential, sensitive or embarrassing information
6) Sabotage
What is Hacktivism?
Occurs when perpetrators make non-violent use of illegal or legally ambiguous digital tools in pursuit of political ends.
What is important for IS auditors with regards to computer crime?
Important to understand what constitutes computer crime and what constitutes computer abuse.
What constitutes a crime depends upon jurisdiction and court sentence.
Certain breaches of security may be civil or criminal offences.
Who are possible perpetrators in computer crime?
1) Hackers (crackers)
2) Script Kiddies
3) Employees
4) IT Personnel
5) End Users
6) Former Employees
7) Nations
8) Interested or educated outsiders - competitors, terrorists, organised crime, -breakers
9) Part-time and temporary personnel
10) Third parties
11) Opportunists - info is inadvertently left unattended or left for destruction and a passerby can access it
12) Accidental unaware - someone who unknowingly perpetrates a violation
What is a script kiddie?
Individuals who use scripts and programs written by others to perform their intrusions and are often incapable of writing similar scripts on their own.
Source of the attack: Computer is the target of the crime.
Describe: Perpetrator uses another computer to launch an attack
Target of attack: Specific identified computer
Examples: Denial of service (DoS), hacking
Source of the attack: Computer is the subject of the crime.
Describe: Perpetrator uses computer to commit crime and the target is another computer
Target of attack: Target may or may not be defined. Perpetrator launches attack with no specific target in mind.
Examples: Distributed DoS, malware
Source of the attack: Computer is the tool of the crime.
Describe: Perpetrator uses computer to commit crime but the target is not the computer
Target of attack: Target is data or information stored on the computer
Examples: Fraud, unauthorised access, phishing, installing key loggers
Source of the attack: Computer symbolises the crime.
Describe: Perpetrator lures the user of computers to get confidential information
Target of attack: Target is user of computers
Examples: Social engineering methods:
- phishing
- fake web sites
- scam mail
- spam mail
- fake resumes for employment
What are the 4 sources of attacks in computer crimes?
1) Computer is target of the crime
2) Computer is subject of crime
3) Computer is tool of the crime
4) Computer symbolises the crime