Kế toán, kiểm toán - Chapter 6: Computer fraud and abuse techniques

Chapter 6Computer Fraud and Abuse TechniquesCopyright © 2012 Pearson Education6-1Learning ObjectivesCompare and contrast computer attack and abuse tactics.Explain how social engineering techniques are used to gain physical or logical access to computer resources.Describe the different types of malware used to harm computers.Copyright © 2012 Pearson Education6-2Computer Attacks and AbuseHackingUnauthorized access, modification, or use of a computer system or other electronic deviceSocial EngineeringTechniques, usually psychological tricks, to gain access to sensitive data or informationUsed to gain access to secure systems or locationsMalwareAny software which can be used to do harmCopyright © 2012 Pearson Education6-3Types of Computer AttacksBotnet—Robot NetworkNetwork of hijacked computersHijacked computers carry out processes without users knowledgeZombie—hijacked computerDenial-of-Service (DoS) AttackConstant stream of requests made to a Web-server (usually via a Botnet) that overwhelms and shuts down serviceSpoofingMaking an electronic communication look as if it comes from a trusted official source to lure the recipient into providing informationCopyright © 2012 Pearson Education6-4Types of SpoofingE-mailE-mail sender appears as if it comes from a different sourceCaller-IDIncorrect number is displayedIP addressForged IP address to conceal identity of sender of data over the Internet or to impersonate another computer systemAddress Resolution Protocol (ARP)Allows a computer on a LAN to intercept traffic meant for any other computer on the LANSMSIncorrect number or name appears, similar to caller-ID but for text messagingWeb pagePhishing (see below)DNSIntercepting a request for a Web service and sending the request to a false serviceCopyright © 2012 Pearson Education6-5Hacking AttacksCross-Site Scripting (XSS)Unwanted code is sent via dynamic Web pages disguised as user input.Buffer OverflowData is sent that exceeds computer capacity causing program instructions to be lost and replaced with attacker instructions.SQL Injection (Insertion)Malicious code is inserted in the place of query to a database system.Man-in-the-MiddleHacker places themselves between client and host.Copyright © 2012 Pearson Education6-6Additional Hacking AttacksPassword CrackingPenetrating system security to steal passwordsWar DialingComputer automatically dials phone numbers looking for modems.PhreakingAttacks on phone systems to obtain free phone service.Data DiddlingMaking changes to data before, during, or after it is entered into a system.Data LeakageUnauthorized copying of company data.Copyright © 2012 Pearson Education6-7Hacking Embezzlement SchemesSalami TechniqueTaking small amounts from many different accounts.Economic EspionageTheft of information, trade secrets, and intellectual property.Cyber-BullyingInternet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.Internet TerrorismAct of disrupting electronic commerce and harming computers and communications.Internet MisinformationCopyright © 2012 Pearson Education6-8Hacking for FraudInternet MisinformationUsing the Internet to spread false or misleading informationInternet AuctionUsing an Internet auction site to defraud another personUnfairly drive up biddingSeller delivers inferior merchandise or fails to deliver at allBuyer fails to make paymentInternet Pump-and-DumpUsing the Internet to pump up the price of a stock and then selling itCopyright © 2012 Pearson Education6-9Social Engineering TechniquesIdentity TheftAssuming someone else’s identityPretextingInventing a scenario that will lull someone into divulging sensitive informationPosingUsing a fake business to acquire sensitive informationPhishingPosing as a legitimate company asking for verification type information: passwords, accounts, usernamesPharmingRedirecting Web site traffic to a spoofed Web site.TypesquattingTypographical errors when entering a Web site name cause an invalid site to be accessedTabnappingChanging an already open browser tabScavengingLooking for sensitive information in items thrown awayShoulder SurfingSnooping over someone’s shoulder for sensitive informationCopyright © 2012 Pearson Education6-10More Social EngineeringLebanese LopingCapturing ATM pin and card numbersSkimmingDouble-swiping a credit cardChippingPlanting a device to read credit card information in a credit card readerEavesdroppingListening to private communicationsCopyright © 2012 Pearson Education6-11Type of MalwareSpywareSecretly monitors and collects personal information about users and sends it to someone elseAdwarePops banner ads on a monitor, collects information about the user’s Web-surfing, and spending habits, and forward it to the adware creatorKey loggingRecords computer activity, such as a user’s keystrokes, e-mails sent and received, Web sites visited, and chat session participationTrojan HorseMalicious computer instructions in an authorized and otherwise properly functioning programTime bombs/logic bombsIdle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occurCopyright © 2012 Pearson Education6-12More MalwareTrap Door/Back DoorA way into a system that bypasses normal authorization and authentication controlsPacket SniffersCapture data from information packets as they travel over networksRootkitUsed to hide the presence of trap doors, sniffers, and key loggers; conceal software that originates a denial-of-service or an e-mail spam attack; and access user names and log-in informationSuperzappingUnauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trailCopyright © 2012 Pearson Education6-13