Term & End Term Exam
Bluesnarfing - Stealing (snarfing) contact lists, images, and other data using flaws in
Bluetooth applications.
Buffer overflow attack - Inputting so much data that the input buffer overflows. The
overflow contains code that takes control of the computer.
Chipping - Planting a chip that records transaction data in a legitimate credit card
reader.
Denial-of-service attack - An attack designed to make computer resources
unavailable to its users. For example, sending so many e-mail messages that the
Internet service provider's e-mail server is overloaded and shuts down.
Evil twin - A wireless network with the same name as another wireless access point.
Users unknowingly connect to the evil twin; hackers monitor the traffic looking for
useful information.
Keylogger - Using spyware to record a user's keystrokes.
Lebanese Looping - Inserting a sleeve into an ATM that prevents it from ejecting the
card. The perpetrator pretends to help the victim, tricking the person into entering the
PIN again. Once the victim gives up and leaves, the thief removes the card and uses
it and the PIN to withdraw money.
Man-in-the-middle (MITM) attack - A hacker placing himself between a client and a
host to intercept network traffic; also called session hijacking.
Packet sniffers - Inspecting information packets as they travel across computer
networks.
Phishing - Communications that request recipients to disclose confidential
information by responding to an e-mail or visiting a website.
Piggybacking - 1. Clandestine use of someone's Wi-Fi network. 2. Tapping into a
communications line and entering a system by latching onto a legitimate user. 3.
Bypassing physical security controls by entering a secure door when an authorized
person opens it.
Ransomware - Software that encrypts programs and data until a ransom is paid to
remove it.
Rootkit - A means of concealing system components and malware from the
operating system and other programs; can also modify the operating system.
Round-down fraud - Truncating interest calculations at two decimal places and
placing truncated amounts in the perpetrator's account.
Salami technique - Stealing tiny slices of money over time.
Shoulder surfing - When perpetrators look over a person's shoulders in a public
place to get information such as ATM PIN numbers or user IDs and passwords.
Skimming - Double-swiping a credit card in a legitimate terminal or covertly swiping
a credit card in a small, hidden, handheld card reader that records credit card data
for later use.
Social engineering - Techniques that trick a person into disclosing confidential
information.
Spoofing - Altering some part of an electronic communication to make it look as if
someone else sent the communication to gain the trust of the recipient. Many things
are spoofed, such as email addresses, caller IDs, IP addresses, address resolution
protocols, SMS messages, web pages, and domain name systems.
Steganography - Concealing data within a large MP3 or other file (often image files).
SQL insertion (injection) - Inserting a malicious SQL query such that it is passed to
and executed by an application program.
Trojan horse - Unauthorized code in an authorized and properly functioning program.
Typosquatting/URL hijacking - Websites with names similar to real websites; users
making typographical errors are sent to a site filled with malware.
Virus - Executable code that attaches itself to software, replicates itself, and spreads
to other systems or files. When triggered, it makes unauthorized alterations to the
way a system operates.
Worm - Similar to a virus; a program rather than a code segment hidden in a host
program. Actively transmits itself to other systems. It usually does not live long but is
quite destructive while alive.
XSS attack (cross-site scripting) - A vulnerability in dynamic web pages that allows
an attacker to bypass a browser's security mechanisms and instruct the victim's
browser to execute code, thinking it came from the desired website. (Malicious code
embedded in a Web link.)
Internal controls - The processes and procedures implemented to provide reasonable
assurance that control objectives are met efficiently and in an error-free manner.
SCALP - segregation of duties, comparisons, adequate records, limited access,
proper approvals
Adequate records (A in SCALP) - "Garbage in, garbage out"; encourages data entry
controls, e.g. requiring a last name for a flight.
SOX - Sarbanes-Oxley Act (biggest part is establishing the board).
SOX section 404 - About internal controls; governs what is good and what internal
controls look like, and management takes ownership of controls. In the financial
statements there must be a statement about internal controls, including the risks.
SOX section 302 - Personal certification of financial statements by corporate
executives; about limited liability: now the CEO has to personally sign the financial
statements, and if they are wrong the CEO is liable.
COBIT - Control Objectives for Information and Related Technology; another
framework for controlling the management of IT (IT does not mean error-free).
COSO - Committee of Sponsoring Organizations; professionals everywhere monitor
this; a mindset of how you implement controls in a framework.
control environment (1 in COSO) - company culture (foundation for all other internal
control components)
Risk appetite (2 in COSO) - The amount of risk a company is willing to take.
Control activities (3 in COSO) - Rules that provide assurance that control objectives are
met and risk responses are carried out (when the auditor actually comes in).
Info and communication (4 in COSO) - Communication from management to
employees so that internal control information reaches them.
Monitoring activities (5 in COSO) - Enforce those controls.
S in SCALP - Segregation of accounting duties; your people are your best control
(risk versus salaries); not too much responsibility for one person.
CAR - custody, authorization, records
C in CAR - Custody: handling cash, tools, inventory, fixed assets.
A in CAR - Authorization: authorizing transactions and decisions.
R in CAR - Records: preparing source documents, maintaining journals, etc.
C in SCALP - Comparison of documents from appropriate sources (controls
mistakes, improves customer satisfaction, limits improper behavior).
L in SCALP - Limited access (safeguards cash, inventory, supplies, records) and helps
segregation of duties.
P in SCALP - Proper approvals, a specific part of segregation of duties; set materiality
levels, and weigh risk versus empowerment (the boss cannot be around you all the time
to approve everything).