COMPUTER FRAUD AND ABUSE - PowerPoint PPT Presentation


PowerPoint Slideshow about 'COMPUTER FRAUD AND ABUSE' - shanna


Presentation Transcript

COMPUTER FRAUD AND ABUSE

Chapter 3


Introduction

  • Companies face four types of threats to their information systems:

    • Natural and political disasters

    • Software errors and equipment malfunction

    • Unintentional acts

    • Intentional acts (including computer crime)


Fraud Defined

  • Fraud is any and all means a person uses to gain an unfair advantage over another person.

  • Typically, a fraudulent act must involve:

    • A false statement

    • A material fact

    • Knowledge

    • Reliance

    • Injury or loss


Fraud Defined

  • Three types of fraud:

    • Misappropriation of assets

    • Corruption

    • Fraudulent statements


Treadway Commission

  • The National Commission on Fraudulent Financial Reporting (aka, the Treadway Commission) defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.


SAS-99

  • SAS 99: The Auditor’s Responsibility to Detect Fraud requires auditors to:

    • Understand fraud

    • Discuss the risks of material fraudulent misstatements

    • Obtain information

    • Identify, assess, and respond to risks

    • Evaluate the results of their audit tests

    • Communicate findings

    • Document their audit work

    • Incorporate a technology focus


Who Commits Fraud and Why

  • White collar criminals

  • Violent criminals

  • Hackers

  • Computer fraud perpetrators


The Fraud Triangle

  • Pressure

  • Opportunity

  • Rationalization


The Fraud Triangle: Pressures

  • The most common pressures were:

    • Financial

      • Not being able to pay one’s debts, or to admit it to one’s employer, family, or friends

      • Business reversals

    • Emotional

      • Fear of loss of status

      • Physical isolation

      • Difficulties in employer-employee relations

    • Lifestyle

      • Status gaining

      • Drug/alcohol addiction

      • Gambling


The Fraud Triangle: Pressures

  • Common pressures in financial statement fraud include the need to:

    • Prop up earnings or stock price OR to reduce earnings

    • Cover the inability to generate cash flow

    • Obtain financing

    • Appear to comply with bond covenants or other agreements


The Fraud Triangle: Opportunity

  • Opportunity is the opening or gateway that allows an individual to:

    • Commit the fraud

    • Conceal the fraud

      • Expensing

      • Lapping

      • Kiting

    • Convert the proceeds


The Fraud Triangle: Opportunity

  • Common opportunities that enable fraud:

    • Lack of internal controls

    • Failure to enforce controls

    • Excessive trust in key employees

    • Incompetent supervisory personnel

    • Inattention to details

    • Inadequate staff


The Fraud Triangle: Opportunity

  • Internal controls that may be lacking or un-enforced include:

    • Authorization procedures

    • Clear lines of authority

    • Adequate supervision

    • Adequate documents and records

    • A system to safeguard assets

    • Independent checks on performance

    • Separation of duties


The Fraud Triangle: Opportunity

  • Management may allow fraud by:

    • Not getting involved in the design or enforcement of internal controls;

    • Inattention or carelessness;

    • Overriding controls; and/or

    • Using their power to compel subordinates to carry out the fraud.


The Fraud Triangle: Rationalization

  • Allows perpetrators to justify their illegal behavior

    • The only way they can commit their frauds and maintain their self image as principled individuals is to create rationalizations.


The Fraud Triangle: Summary

  • Fraud occurs when:

    • People have perceived, non-shareable pressures;

    • The opportunity gateway is left open; and

    • They can rationalize their actions to reduce the moral impact in their minds (i.e., they have low integrity).

  • Fraud is much less likely to occur when:

    • There is low pressure, low opportunity, and high integrity.


Computer Fraud

  • Any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution

  • What are examples of computer fraud?

    • unauthorized use, access, modification, copying, and destruction of software or data

    • theft of money by altering computer records or the theft of computer time

    • theft or destruction of computer hardware

    • use or the conspiracy to use computer resources to commit a felony

    • intent to illegally obtain information or tangible property through the use of computers


CSI/FBI 2004 Computer Crime and Security Survey

  • Sabotage $871,000

  • System penetration $901,500

  • Website defacement $958,100

  • Misuse of public Web application $2,747,000

  • Telecom fraud $3,997,500

  • Laptop theft $6,734,500

  • Financial fraud $7,670,500

  • Abuse of wireless network $10,159,250

  • Insider Net abuse $10,601,055

  • Theft of proprietary info $11,460,000

  • Denial of service $26,064,050

  • Virus $55,053,900

  • Total losses for 2004 $141,496,560


Computer Fraud

  • Economic espionage

  • Cybersleuths


Computer Fraud: Classifications

  • Input Fraud

  • Processor Fraud

  • Computer Instructions Fraud

  • Data Fraud

  • Output Fraud


Computer Fraud: Classifications

  • Processor Fraud

    • Involves unauthorized system use

    • Includes theft of computer time and services.


Computer Fraud: Classifications

  • Computer Instructions Fraud

    • Involves tampering with software that processes company data

    • May include:

      • Modifying the software

      • Making illegal copies

      • Using it in an unauthorized manner


Computer Fraud: Classifications

  • Data Fraud

    • Involves:

      • Altering or damaging a company’s data files; or

      • Copying, using, or searching the data files without authorization.

    • Sale of stolen data


Computer Fraud: Classifications

  • Output Fraud

    • Stealing or misusing system output.

    • Using computers and peripheral devices to create counterfeit outputs


Computer Fraud and Abuse Techniques

  • Data diddling

  • Data leakage

  • Denial of service attacks

  • Eavesdropping

  • Email threats

  • Email forgery

  • Hacking

  • Phreaking

  • Hijacking

  • Identity theft


Computer Fraud and Abuse Techniques

  • Internet misinformation

  • Internet terrorism

  • Logic time bombs

  • Masquerading or impersonation

  • Packet sniffers

  • Password cracking

  • Phishing

  • Piggybacking

  • Round-down technique

  • Salami technique


Computer Fraud and Abuse Techniques

  • Social engineering

  • Software piracy

  • Spamming

  • Spyware

  • Keystroke loggers

  • Superzapping

  • Trap doors

  • Trojan horse

  • War dialing

  • War driving


Computer Fraud and Abuse Techniques

  • Virus

  • Worms

  • The low-tech, do-it-yourself attack


Deterring and Detecting Computer Fraud

  • Measures to decrease the potential for fraud and resulting losses:

    • Make fraud less likely to occur

    • Increase the difficulty of committing fraud

    • Improve detection methods

    • Reduce fraud losses


Deterring and Detecting Computer Fraud

  • Make fraud less likely to occur

    • Culture that stresses integrity

    • Organizational structure, management philosophy, and operating style

    • Independent audit committee

    • Assign authority and responsibility

    • Identify risky areas

    • Develop a comprehensive set of security policies

    • Implement human resource policies that send messages about ethical behavior and integrity

    • Effectively supervise employees


Deterring and Detecting Computer Fraud

  • Train employees in integrity and ethical considerations, as well as security and fraud prevention measures.

  • Require annual employee vacations and periodic rotation of duties

  • Implement project development and acquisition controls

  • Prosecute fraud perpetrators more vigorously


Deterring and Detecting Computer Fraud

  • Increase the difficulty of committing fraud

    • Develop a strong system of internal controls

    • Segregate the accounting functions of:

      • Authorization

      • Recording

      • Custody

    • Implement segregation of duties between systems functions

    • Restrict physical and remote access to system resources
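The slide names the three accounting functions that must be kept apart (authorization, recording, custody) but does not show how a system would enforce or audit that separation. The following is an added example, not code from the slides or the textbook: a small segregation-of-duties check that works as both a preventive control (refuse an action outside the user's assigned role) and a detective control (scan an action log and report any transaction where one person performed two or more of the three functions). The user names, the single-role-per-user model and the log entries are all constructed for the example.

```python
# Added example, not from the slides: a segregation-of-duties (SoD) check over
# the three accounting functions the chapter names (authorization, recording,
# custody). Users, roles and the action log below are constructed.
from collections import defaultdict
from dataclasses import dataclass

FUNCTIONS = {"authorize", "record", "custody"}

# Hypothetical role model: each user is assigned exactly one function.
ROLE_OF_USER = {
    "alice": "authorize",  # approves the payment
    "bob": "record",       # posts the journal entry
    "carol": "custody",    # releases the funds
}


@dataclass(frozen=True)
class Action:
    txn_id: str
    user: str
    function: str  # one of FUNCTIONS


def check_action(action, role_of_user=ROLE_OF_USER):
    """Preventive control: True only if the user's assigned role covers the function."""
    if action.function not in FUNCTIONS:
        raise ValueError(f"unknown function {action.function!r}")
    return role_of_user.get(action.user) == action.function


def sod_violations(actions, role_of_user=ROLE_OF_USER):
    """Detective control over an action log.

    Returns {txn_id: [reason, ...]} for every transaction in which someone
    acted outside their role or performed two or more of the three functions.
    """
    by_txn = defaultdict(list)
    for a in actions:
        by_txn[a.txn_id].append(a)

    findings = {}
    for txn_id, acts in by_txn.items():
        reasons = []
        funcs_by_user = defaultdict(set)
        for a in acts:
            if not check_action(a, role_of_user):
                reasons.append(f"{a.user} performed {a.function} outside assigned role")
            funcs_by_user[a.user].add(a.function)
        for user, funcs in funcs_by_user.items():
            if len(funcs) > 1:
                reasons.append(f"{user} performed {sorted(funcs)} on one transaction")
        if reasons:
            findings[txn_id] = reasons
    return findings


# Constructed log: T1 is clean; in T2 the AP clerk both approved and posted the entry.
SAMPLE_LOG = [
    Action("T1", "alice", "authorize"),
    Action("T1", "bob", "record"),
    Action("T1", "carol", "custody"),
    Action("T2", "bob", "authorize"),
    Action("T2", "bob", "record"),
    Action("T2", "carol", "custody"),
]

if __name__ == "__main__":
    for txn, reasons in sod_violations(SAMPLE_LOG).items():
        print(txn, "->", "; ".join(reasons))
```

Running the script reports only T2, with two reasons: bob authorized outside his role, and bob performed both authorization and recording on the same transaction. The detective scan matters even when the preventive check is in place, because the slides' own list of opportunities includes management overriding controls; a log review catches what the front-end check was bypassed on.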


Deterring and Detecting Computer Fraud

  • Require authorization of transactions and activities

  • Adequate design of documents and records

  • Safeguard all assets, records, and data

  • Require independent checks

  • Implement computer-based controls

  • Encryption of stored and transmitted data

  • Install latest updates to software


Deterring and Detecting Computer Fraud

  • Improve detection methods

    • Create an audit trail

    • Conduct periodic audits

    • Install fraud detection software

    • Implement a fraud hotline

    • Employ a computer security officer

    • Monitor system activities

    • Use intrusion detection systems
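"Create an audit trail" is only a detection method if the trail itself cannot be quietly altered, which is exactly what the chapter's data fraud classification (altering a company's data files) describes. The following is an added example, not code from the slides or the textbook: a hash-chained audit trail in which every entry commits to the hash of the entry before it, so editing, inserting or deleting a stored record breaks the chain at that point and a verification pass reports where. The record fields, user names and amounts are constructed; the chaining scheme is a generic one, not something the chapter specifies.

```python
# Added example, not from the slides: a tamper-evident audit trail. Each entry
# stores SHA-256(previous_hash + canonical record), so a later edit to any stored
# record is detected when the chain is verified. Records are constructed.
import copy
import hashlib
import json

GENESIS = "0" * 64  # stands in for the hash "before" the first entry


def entry_hash(prev_hash, record):
    """SHA-256 over the previous hash and a canonical JSON encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(trail, record):
    """Append a record, chaining it to the current last entry."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    trail.append({"record": record, "hash": entry_hash(prev_hash, record)})
    return trail


def verify_trail(trail):
    """Return the index of the first entry whose link is broken, or -1 if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        if entry["hash"] != entry_hash(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    return -1


def build_sample_trail():
    """Constructed log of three accounting events."""
    trail = []
    append_entry(trail, {"seq": 1, "user": "bob", "event": "post", "vendor": "ACME", "amount_cents": 120000})
    append_entry(trail, {"seq": 2, "user": "carol", "event": "pay", "vendor": "ACME", "amount_cents": 120000})
    append_entry(trail, {"seq": 3, "user": "bob", "event": "post", "vendor": "Globex", "amount_cents": 45000})
    return trail


def tampered_copy(trail, index, **changes):
    """Simulate an after-the-fact edit of one stored record (hashes left as they were)."""
    edited = copy.deepcopy(trail)
    edited[index]["record"].update(changes)
    return edited


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact trail:", verify_trail(trail))
    print("payment amount edited:", verify_trail(tampered_copy(trail, 1, amount_cents=12000000)))
    print("middle entry deleted:", verify_trail(trail[:1] + trail[2:]))
```

Verification returns -1 for the untouched trail and 1 for both the edited payment and the deleted entry, because the third entry was chained to the hash of the second. The caveat a practitioner should keep in mind: someone who can rewrite every stored entry can recompute the whole chain, so the latest hash must be anchored somewhere the people administering the recorded system cannot change, such as write-once storage, a log shipped to an independently administered server, or a periodic signature held by the audit function. The chain proves integrity only; it does nothing for confidentiality, which is why the slides list encryption of stored data as a separate control.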


Deterring and Detecting Computer Fraud

  • Reduce Fraud Losses

    • Maintain adequate insurance

    • Develop comprehensive fraud contingency, disaster recovery, and business continuity plans

    • Backup copies

    • Monitor system activity


Summary

  • We have:

    • Defined fraud

    • Described the Fraud Triangle (the fraud process)

    • Discussed who perpetrates a fraud and why they do it, including:

      • Pressures

      • Opportunities

      • Rationalizations

    • Defined computer fraud

    • Discussed computer fraud classifications

    • Compared and contrasted the approaches and techniques used to commit computer fraud

