Computer security should address integrity, availability, access control and auditability. The management of an organization must be in a position to decide who is allowed access to the network and which functions they may use, and must be able to audit that use. Security is provided by physical methods and by logical methods.
Physical methods include security guards, video surveillance, biometric access controls, and locking up machines and terminals. Logical methods include user IDs and passwords, smart cards, and cryptography (data encryption).
Firewall
An organization's network can be isolated from other networks by a combination of hardware and software called a firewall. It is built from packet-filtering software, proxy servers and routers, and passes only the traffic that the organization's rules permit.
Encryption
Encryption is the transformation of a message, by means of a mathematical algorithm and a key, into data that is incomprehensible to anyone who does not hold the key. It is used to protect data in transit over networks from unauthorized interception. Encryption on its own does not prevent manipulation of the data or prove who sent it; for that it is combined with a message authentication code or a digital signature, or used in an authenticated encryption mode that includes one.
Decryption
Decryption is the reverse of encryption: using the key, it brings the data back into its original, usable form.
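As an added example (not part of the original text), the Go program below shows the two points made above. A payment instruction encrypted with AES in counter mode is unreadable without the key, yet an attacker who knows the message layout can still change the amount in transit, because a bare cipher protects confidentiality only. The same change to a message sealed with an authenticated mode (AES-GCM) is rejected at decryption. The key, the IV and the sample instruction are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// ctrXOR applies AES-256 in counter mode. CTR XORs the data with a key
// stream, so the same call both encrypts and decrypts. It hides the content
// but does nothing to detect changes to the ciphertext.
func ctrXOR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// gcmEncrypt seals plaintext with AES-256-GCM, an authenticated mode that
// appends a 16-byte tag. A fresh random 12-byte nonce is prepended so the
// receiver can recover it; a nonce must never repeat under the same key.
func gcmEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmDecrypt splits off the nonce and opens the ciphertext. Open verifies the
// tag before returning any plaintext, so a modified message yields an error.
func gcmDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// flipByte simulates an attacker on the wire: XORing ciphertext byte i with
// 0x04 turns the ASCII digit '5' into '1' when the cipher is malleable.
func flipByte(ct []byte, i int) []byte {
	tampered := append([]byte(nil), ct...)
	tampered[i] ^= 0x04
	return tampered
}

func main() {
	key := make([]byte, 32) // AES-256 key, random for the demo
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err)
	}
	msg := []byte("PAY 5000 TO ACCT 777") // constructed sample; byte 4 is the digit '5'

	ct, _ := ctrXOR(key, iv, msg)
	pt, _ := ctrXOR(key, iv, flipByte(ct, 4))
	fmt.Printf("CTR ciphertext: %s\nCTR decrypt of tampered ciphertext: %q\n", hex.EncodeToString(ct), pt)

	sealed, _ := gcmEncrypt(key, msg)
	if _, err := gcmDecrypt(key, flipByte(sealed, 12+4)); err != nil { // same plaintext byte, after the 12-byte nonce
		fmt.Println("GCM decrypt of tampered ciphertext:", err)
	}
	recovered, _ := gcmDecrypt(key, sealed)
	fmt.Printf("GCM decrypt of intact ciphertext: %q\n", recovered)
}
```

The CTR run prints a decrypted instruction for 1000 rather than 5000 with no indication that anything changed; the GCM run prints an authentication error and releases no plaintext at all. This is why "in transit" protection in banking systems is built on authenticated encryption (as in TLS) or on encryption plus a signature, not on a cipher alone.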
Digital Signature
A digital signature is the electronic signature of a person in relation to a record in electronic form. It is generated by computing a hash of the electronic record and transforming that hash with the signer's private key; anyone holding the corresponding public key can verify it. It provides authentication, integrity and non-repudiation. (More details are given elsewhere in this chapter.)
Public Key Infrastructure
PKI is the infrastructure that supports the implementation and operation of a certificate-based public key cryptographic system. It uses pairs of asymmetric keys: a private key that its owner keeps secret and a public key that is distributed openly. A certification authority (CA) issues digital certificates that bind a public key to the identity of its owner, and a relying party accepts a certificate only if it chains to a CA the party trusts.
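The hash-then-sign construction of the Digital Signature paragraph and the certificate chain of the PKI paragraph can be shown end to end. The Go program below is an added example, not code from the original text: the "Bank Root CA", "Rogue CA" and customer names are hypothetical, the keys are generated on the spot, and the transfer record is constructed. It signs a record, shows that a forged copy fails verification, then has a bank CA certify the customer's key and a rogue CA certify an impostor's key under the same name, and checks which certificate a relying party that trusts only the bank's root will accept.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signRecord is the hash-then-sign transformation: the record is reduced to a
// SHA-256 digest and the digest is signed with the signer's private key.
func signRecord(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyRecord recomputes the digest and checks the signature with the public
// key; any change to the record changes the digest and the check fails.
func verifyRecord(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// must keeps the demo short; a real service would propagate these errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert binds a public key to a subject name in a certificate signed by
// issuerKey. With parent == nil the certificate is self-signed, which is how
// a root certification authority (CA) comes into existence.
func issueCert(subject string, pub *ecdsa.PublicKey, parent *x509.Certificate,
	issuerKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey))
	return must(x509.ParseCertificate(der))
}

// verifyChain asks whether leaf chains to a root the relying party trusts. A
// certificate from an unknown CA is rejected even though its own signature is
// internally valid: trust comes from the chain, not from the signature alone.
func verifyChain(leaf *x509.Certificate, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Demo collects the outcomes of one complete run.
type Demo struct {
	SignatureValid, TamperedValid bool
	TrustedChainErr, RogueChainErr error
}

func runDemo() Demo {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	customer, bankCA, rogueCA, impostor := newKey(), newKey(), newKey(), newKey()

	// Signature over a constructed sample record, then verification of a forged copy.
	record := []byte("Transfer Rs 50,000 from 1234 to 9876")
	sig := must(signRecord(customer, record))
	var d Demo
	d.SignatureValid = verifyRecord(&customer.PublicKey, record, sig)
	d.TamperedValid = verifyRecord(&customer.PublicKey, []byte("Transfer Rs 90,000 from 1234 to 9876"), sig)

	// PKI: the bank's CA certifies the customer's key; a rogue CA certifies an
	// impostor's key under the same name. Only the first chains to the trusted root.
	bankRoot := issueCert("Bank Root CA", &bankCA.PublicKey, nil, bankCA, true)
	customerCert := issueCert("customer-1234", &customer.PublicKey, bankRoot, bankCA, false)
	rogueRoot := issueCert("Rogue CA", &rogueCA.PublicKey, nil, rogueCA, true)
	impostorCert := issueCert("customer-1234", &impostor.PublicKey, rogueRoot, rogueCA, false)
	d.TrustedChainErr = verifyChain(customerCert, bankRoot)
	d.RogueChainErr = verifyChain(impostorCert, bankRoot)
	return d
}

func main() {
	fmt.Printf("%+v\n", runDemo())
}
```

The impostor's certificate carries the same common name and a perfectly well-formed signature, which is exactly why the relying party must check the chain rather than the name or the signature in isolation; in a production deployment the root would be distributed out of band (for example in the bank's software or the operating system trust store) and revocation would also be checked.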
Computer Virus
A computer virus is a program or piece of code that replicates itself, usually by attaching itself to other programs or files, and spreads from one computer system to another. A virus can corrupt or delete data on the infected computer, and it can use the e-mail program to send copies of itself to other systems. In the worst case it can erase everything on the hard disk.
Several related kinds of malicious software (malware) are commonly grouped with viruses: Trojan horses, which pose as useful programs and do not replicate on their own; worms, which spread across networks without attaching to a host file; and stealth viruses, which conceal their presence from anti-virus software. Well-known historical viruses include Disk Killer, Stoned, Sunday, Cascade, and the macro viruses Nuclear and Word Concept.
Terms associated with Information Security Attacks
1) Phishing: customers of a bank receive unsolicited e-mails asking them to enter their user name, password and other details to access their account, for some plausible-sounding reason. Clicking the link in the mail takes them to a fraudulent replica of the bank's website, where they enter their information without realizing that a fraud has occurred. The fraudster then has the credentials needed to access the customer's online bank account.
2) Vishing: the criminal practice of using social engineering and Voice over IP (VoIP) telephony to obtain private, personal and financial information for financial gain. The term combines 'voice' and 'phishing'. In vishing, a scammer calls and pretends to be a bank representative who needs to verify account information. It is typically used to steal credit card numbers.
3) Malware: maliciously crafted software. Once present on a customer's computer, it can perform operations such as the following:
a) Account information theft: malware can record keystrokes to capture login information, and can also monitor and capture other data used to authenticate the user (such as special images or words).
b) Fake website substitution: malware can generate web pages that appear legitimate but are not, replacing the bank's website with a page that looks identical except for its web address. This lets the attacker intercept what the user enters: the submitted information is passed on to the bank, so the session appears normal, and is sent to the attacker at the same time without the user's knowledge.
c) Account hijacking: malware can hijack the browser and transfer funds without the user's knowledge (a "man-in-the-browser" attack). When the person logs in to the bank's website, the software opens a hidden browser window, logs in to the account, reads the balance and submits a fund transfer to an account controlled by the intruder.
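Phishing (item 1) and fake website substitution (item 3b) both depend on a page whose only visible difference from the bank's site is its web address. As an added example, not part of the original text, the Go function below performs the check a customer or a fraud team would apply to a link found in an e-mail: is the host really the bank's domain (here the hypothetical bank.example) or a subdomain of it, reached over https, with no look-alike characters? The sample links are constructed to cover the common tricks: a different scheme, the bank's name as a subdomain of an attacker's domain, the bank's name in the user-info part before an @, a hyphenated look-alike, a Cyrillic letter in place of a Latin one, and a bare IP address.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// checkLink decides whether a link really points at the bank's own site,
// bankDomain, and returns the verdict with a short reason for the reader.
func checkLink(raw, bankDomain string) (bool, string) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return false, "unparseable URL: " + err.Error()
	}
	if u.Scheme != "https" {
		return false, "not https (scheme " + u.Scheme + ")"
	}
	// Hostname() drops the port and, crucially, any user@ prefix: in
	// "https://bank.example@evil.net/" the real host is evil.net.
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "" {
		return false, "empty host"
	}
	for _, r := range host {
		if r > 0x7f {
			return false, "non-ASCII host (possible look-alike characters): " + host
		}
	}
	// Only the registered domain itself or a label ending in ".bank.example"
	// counts; "bank.example.evil.net" and "bank-example.net" do not.
	if host == bankDomain || strings.HasSuffix(host, "."+bankDomain) {
		return true, "host " + host + " belongs to " + bankDomain
	}
	return false, "host " + host + " is not " + bankDomain + " or a subdomain of it"
}

func main() {
	// Constructed sample links of the kind a phishing mail might carry.
	links := []string{
		"https://www.bank.example/login",
		"https://WWW.Bank.Example:443/login",
		"http://www.bank.example/login",
		"https://www.bank.example.secure-login.net/",
		"https://bank.example@evil.net/",
		"https://bank-example.net/login",
		"https://www.bаnk.example/", // Cyrillic 'а' in place of Latin 'a'
		"https://203.0.113.5/bank.example/",
	}
	for _, l := range links {
		ok, why := checkLink(l, "bank.example")
		fmt.Printf("%-48s %-5t %s\n", l, ok, why)
	}
}
```

Only the first two links pass. The check is deliberately strict about the host and silent about everything else: page content, logos and even a valid certificate can all be copied or obtained for the attacker's own domain, so the domain name in the address bar remains the one thing a replica cannot forge.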
Computer Audit
In a computer audit, beyond checking accuracy and conformity to systems and procedures, the main focus is on collecting and validating evidence that assets are safeguarded, data integrity is maintained, the organisation's goals for computerisation are achieved and resources are used effectively.
- Safeguarding assets: this function ensures that assets such as hardware, software, data files and system documentation are protected from fire, destruction, unauthorised editing or alteration and other damage, whether accidental or deliberate; either kind harms the organisation's interests. The internal control system must protect the assets involved in computerisation on a continuing basis.
- Data integrity: this ensures the accuracy, consistency and completeness of data. It becomes harder when multiple users share access to common data, so the system must be designed to preserve both the integrity and the confidentiality of the shared data.
- System efficiency: this asks whether the system is economical and cost-effective, that is, whether the resources spent on it (cost of the machines, time, peripherals, consumables and so on) add value for the function as a whole.
- Achieving organisational goals: this function of the audit checks whether the objectives the organisation set in introducing computerisation or the data processing system have been achieved, for example whether operational efficiency and service functionality have improved since computerisation. It is a continuing evaluation of the system, including comparison of the former manual operations with the computerised functioning.