CH ccc10 Control, Security and Audit
6. Cyber-Attacks
Cyber-attacks are malicious attempts by individuals or organizations to breach the information
systems of another individual or organization.
1. Phishing
Phishing is a cyber-attack where the attacker sends fraudulent communications, often emails,
that appear to come from a reputable source to trick individuals into revealing sensitive
information.
• Methods Used:
o Deceptive Emails: Messages that prompt the recipient to click on a malicious link or download an attachment.
o Spoofed Websites: Fake websites designed to mimic legitimate ones to steal login credentials.
• Common Targets:
o Individuals: Personal bank accounts, social media profiles.
o Organizations: Employee credentials, customer data.
For example, an individual might receive an email that looks like it's from their bank, asking
them to verify their account details. Unsuspecting users who click the link and enter their
information are actually providing it directly to cyber-attackers.
2. Pharming
Pharming is a cyber-attack that redirects users from a legitimate website to a fraudulent one
without their knowledge, aiming to steal personal information.
• Techniques Employed:
o DNS Poisoning: Altering the domain name system entries to redirect traffic.
o Malware Installation: Infecting a user's computer to manipulate web traffic.
• Impact:
o Data Theft: Harvesting usernames, passwords, and financial information.
o Credential Compromise: Unauthorized access to user accounts.
A user may type in the correct URL of their bank's website, but due to DNS poisoning, they are
taken to a fake site that looks identical. Any information entered is captured by the attacker.
3. Hacking
Hacking involves unauthorized access to or control over computer network security systems for
some illicit purpose.
• Types of Hacking:
o Black Hat Hacking: Malicious hacking for personal gain.
o White Hat Hacking: Ethical hacking to identify security flaws.
• Common Goals:
o Data Breach: Stealing sensitive information.
o System Disruption: Causing systems to malfunction or shut down.
• Methods of Access:
o Malware Infection: Installing remote access trojans (RATs) on the user's device.
o Phishing Links: Tricking users into downloading malicious software.
• Risks:
o Privacy Invasion: Capturing images or videos without consent.
o Blackmail: Using obtained footage to extort victims.
An attacker might send an email with an attachment that, when opened, installs malware giving
them control over the user's webcam. The attacker can then record activities or take snapshots
without the user's knowledge.
6. File Hijacker/Ransomware
File hijacker, commonly known as ransomware, is a type of malware that encrypts the
victim's files, making them inaccessible, and demands a ransom for the decryption key.
• How It Works:
o Encryption of Files: Uses strong encryption algorithms to lock files.
o Ransom Demand: Displays a message demanding payment, often in cryptocurrency.
• Preventive Measures:
o Regular Backups: Keeping copies of important data.
o Security Software: Using antivirus and anti-malware programs.
A hospital might fall victim to ransomware where patient records are encrypted. The attackers
demand a ransom to restore access, putting patient care at risk and forcing the hospital to choose
between paying the ransom or attempting to recover the data through other means.
7. Cyber Risk
Any risk of financial loss, disruption, or damage to an organization's reputation from a failure of
its information technology systems.
1. Unauthorized Access
Unauthorized access occurs when an individual gains access to a system, network, or data
without permission.
• Causes:
o Weak Passwords: Simple or default passwords that are easily guessed or cracked.
o Phishing Attacks: Deceptive communications designed to trick individuals into revealing login credentials.
o Insider Threats: Employees or contractors accessing data beyond their authorized privileges.
For example, if an employee falls victim to a phishing email and unknowingly provides their
login details to an attacker, the attacker can access confidential company information without
authorization.
• Targets:
o Personally Identifiable Information (PII): Names, addresses, Social Security numbers.
o Financial Information: Credit card details, bank account numbers.
o Intellectual Property: Trade secrets, proprietary algorithms, product designs.
A cyber-attacker might infiltrate a company's network to steal customer credit card information,
leading to financial fraud and legal consequences for the organization.
3. Financial Loss
Financial loss refers to the monetary damages that an organization may suffer as a result of
cyber incidents.
• Direct Costs:
o Theft of Funds: Cybercriminals stealing money directly from accounts.
o Ransom Payments: Paying attackers to regain access to encrypted data.
o Incident Response Expenses: Costs for forensic investigations and remediation efforts.
• Indirect Costs:
o Business Interruption: Loss of revenue during downtime.
o Regulatory Fines: Penalties for failing to comply with data protection laws.
o Legal Fees: Costs associated with lawsuits from affected parties.
In the case of a ransomware attack, an organization may face significant expenses to restore
operations, including potential ransom payments, IT recovery costs, and lost revenue due to
halted business activities.
4. Damage to Reputation
Damage to reputation occurs when a cyber incident leads to a loss of trust and confidence
among customers, partners, and the public.
• Consequences:
o Customer Attrition: Clients may choose competitors due to security concerns.
o Negative Publicity: Media coverage highlighting the organization's vulnerabilities.
o Investor Confidence Loss: Share prices may drop as stakeholders lose faith.
Following a data breach that exposes customer information, an organization might experience a
decline in sales as consumers lose trust in its ability to safeguard their data.
A. To enable the organisation to respond appropriately to business, operational and financial risks
B. To eliminate the possibility of impacts from poor judgement and human error
C. To help ensure the quality of internal and external reporting
D. To help ensure compliance with applicable laws and regulations
Responding to risks involves identifying, assessing, and mitigating potential threats that could
hinder the organization's objectives.
• Business Risks: Potential events that could negatively impact the organization's ability to achieve its goals.
o Example: Market competition or changes in consumer preferences.
• Operational Risks: Risks arising from internal processes, systems, or human factors.
o Example: Machinery breakdowns or employee errors.
• Financial Risks: Risks related to the organization's financial health and stability.
o Example: Cash flow shortages or investment losses.
For instance, a manufacturing company may implement internal controls such as regular
maintenance schedules to mitigate operational risks like machinery failure. Similarly, financial
controls like budgeting and financial forecasting help in managing financial risks by ensuring
adequate cash flow and investment planning.
Quality reporting ensures that the information provided both internally to management and
externally to stakeholders is accurate, reliable, and timely.
• Accuracy and Reliability: Ensuring that data is free from errors and faithfully represents the organization's financial position.
For example, implementing reconciliation processes ensures that internal financial records
match external bank statements, thereby enhancing the accuracy and reliability of both internal
and external reports. This reduces the risk of reporting errors that could mislead stakeholders or
result in regulatory penalties.
Compliance involves adhering to laws, regulations, and standards that govern the organization's
operations.
• Legal Compliance: Following laws and regulations relevant to the industry and geographic location.
o Example: Adhering to the General Data Protection Regulation (GDPR) for data privacy.
For instance, a healthcare organization must comply with the Health Insurance Portability and
Accountability Act (HIPAA) to protect patient information. Implementing internal controls such
as access restrictions and regular audits helps ensure that the organization adheres to these legal
requirements, thereby avoiding fines and maintaining trust with patients.
Question 2:
Which term correctly completes this statement?
Some controls are provided automatically by the system and cannot be bypassed, ignored
or overridden: for example, having to input a password to enter a computer system. These
are classified as ______ controls.
Non-Discretionary Controls
Non-discretionary controls are automated safeguards embedded within systems to ensure that
specific protocols are always followed, regardless of user intent or actions.
• Automated Implementation: These controls are built into the system and operate without the need for manual input.
o Example: Requiring a password to access a computer system.
• Cannot Be Bypassed: Users are unable to circumvent these controls, ensuring consistent enforcement.
o Example: System-enforced encryption that cannot be disabled by the user.
• Consistent Enforcement: Provides uniform security measures across all users and scenarios.
o Example: Automatic logout after a period of inactivity to prevent unauthorized access.
For instance, a company’s IT system may require all employees to input a password that meets
certain complexity requirements before accessing the network. This control cannot be bypassed,
ensuring that only authorized individuals gain access, thereby enhancing overall security.
A. Operations
B. Organisation
C. Oversight
Question 4:
Which of the following is NOT an internal check?
Internal Check
Internal check refers to the system of procedures and controls within an organization designed
to prevent errors and fraud by ensuring that the work of one person is independently verified
by another.
For instance, in a retail environment, one employee may be responsible for authorizing
discounts, another for handling cash transactions, and a third for recording sales in the financial
system. This separation ensures that no single individual has control over all aspects of a
transaction, thereby minimizing the risk of theft or manipulation.
Pre-lists, post-lists, and control totals are tools used to ensure the completeness and accuracy
of transactions.
• Control Totals: Totals that are calculated before and after processing to ensure consistency.
o Example: The total amount of cash expected in the cash register before the day’s sales are recorded should match the actual total after sales are processed.
For example, a company might prepare a pre-list of all expected invoices for a billing period.
After processing, the post-list of actual invoices is compared to the pre-list to identify any
discrepancies. Control totals, such as the total amount billed, are also compared to ensure that
all transactions have been accurately recorded.
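The pre-list/post-list comparison with a control total, written out as an added example (not part of these notes); the invoice numbers and amounts are constructed sample data. It also shows why the item-level comparison is needed: a missing invoice and an unexpected one of the same amount cancel out in the control total alone.

```python
"""Pre-list / post-list reconciliation with control totals (added example)."""
from decimal import Decimal
from typing import Dict, List, Tuple

Invoice = Tuple[str, Decimal]  # (invoice number, amount)


def control_total(invoices: List[Invoice]) -> Decimal:
    """Sum a batch; the pre-list and post-list totals must agree."""
    return sum((amt for _, amt in invoices), Decimal("0"))


def reconcile(pre_list: List[Invoice], post_list: List[Invoice]) -> Dict[str, object]:
    """Compare expected (pre-list) with processed (post-list) invoices.

    Returns both control totals, their difference, and the item-level
    discrepancies: invoices missing from the post-list, unexpected invoices
    only in the post-list, and invoices whose amount changed.
    """
    pre, post = dict(pre_list), dict(post_list)
    if len(pre) != len(pre_list) or len(post) != len(post_list):
        raise ValueError("duplicate invoice numbers in a list")
    missing = sorted(n for n in pre if n not in post)
    unexpected = sorted(n for n in post if n not in pre)
    amount_mismatch = sorted(
        (n, pre[n], post[n]) for n in pre if n in post and pre[n] != post[n]
    )
    pre_total, post_total = control_total(pre_list), control_total(post_list)
    return {
        "pre_total": pre_total,
        "post_total": post_total,
        "difference": post_total - pre_total,
        "missing": missing,
        "unexpected": unexpected,
        "amount_mismatch": amount_mismatch,
        # Only a clean run counts as reconciled: totals agree AND no item differs.
        "reconciled": pre_total == post_total
        and not (missing or unexpected or amount_mismatch),
    }


# Constructed sample data: INV-1002 was keyed with transposed digits,
# INV-1003 was never processed, and INV-1009 appears for the same 80.00.
PRE_LIST = [("INV-1001", Decimal("250.00")), ("INV-1002", Decimal("120.50")),
            ("INV-1003", Decimal("80.00")), ("INV-1004", Decimal("410.25"))]
POST_LIST = [("INV-1001", Decimal("250.00")), ("INV-1002", Decimal("102.50")),
             ("INV-1004", Decimal("410.25")), ("INV-1009", Decimal("80.00"))]

if __name__ == "__main__":
    for key, value in reconcile(PRE_LIST, POST_LIST).items():
        print(f"{key}: {value}")
```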
Question 5:
Which of the following statements about internal audit is true?
Internal Audit
For instance, in a corporation, an internal audit team may assess the effectiveness of IT security
measures. Since the audit team does not have a role in the IT department's daily operations, their
evaluation remains objective and credible, ensuring unbiased results.
Question 6:
The use of uninterruptible (protected) power supplies is a method of protecting data and IT
systems from what sort of security threat?
A. Accidental damage
B. Weather
C. Hacking
Lightning strikes and electrical storms are a key cause of power supply failures and surges, which
may affect computer functions.
Fire and accidental damage are also physical threats to data and equipment.
Question 7:
Which of the following would be classed as a contingency control in an information
system?
Audit trails (showing who has accessed a system and what they have done).
Question 8:
Which of the following statements about external auditors is NOT correct?
Question 9:
In the context of audit, what are 'substantive tests' designed to accomplish?
Substantive tests 'substantiate' the figures in the accounts. They are used to discover whether
figures are correct or complete, not why they are incorrect or incomplete, or how the figures 'got
there'.
Establishing whether internal controls are being applied as prescribed is the aim of compliance
tests.