MIS5208 - Spring 2020 - Data Analytics for IT Auditors
DATA ANALYTICS FOR IT AUDITORS AND CYBERSECURITY
Nayana – a South Korean web hosting company dishing out $1m worth of bitcoin to restore the websites and data of its customers that had been held ransom by the Erebus ransomware.
Sure, the business damage (think customer lawsuits) to Nayana of not doing would have been huge, but so would the damage caused by the negative press on the company’s poor cyber hygiene that opened the doors for hackers.
Nayana – a South Korean web hosting company dishing out $1m worth of bitcoin to restore the websites and data of its customers that had been held ransom by the Erebus ransomware.
Sure, the business damage (think customer lawsuits) to Nayana of not doing would have been huge, but so would the damage caused by the negative press on the company’s poor cyber hygiene that opened the doors for hackers.
I learnt auditing skills from this class. The most important skill I learnt is ACL. ACL is an important tool for auditors to test data. Auditors can look for frauds by using ACL. Auditors can build relationship between different tables, and find frauds from the new table. In addition, Benford Analysis can be used to look for suspected frauds. Auditors can analyze the percentage of the first digit to compare with certain percentage rates. If they are not matching, that means there are suspected frauds.
In addition, I learnt what the fraud is and why the organizations have frauds. It is important for an IT auditor to understand the reason and definition of frauds, because IT auditor’s job is to make sure their organizations do not have mistake on system and data.
Intel, AMD, and Arm are three main processor manufacturers that almost all over the world computers use them. Thus, even a small vulnerability can affect the information security of thousands of people.
German publication Heise reported that there are eight new “CVE-listed vulnerability reports describing side-channel attack flaws in Chipzilla’s processors.” For the new types of the attacks, the attackers can extract passwords and other secrets from memory by using the marewares in the PC, and they have many kinds of new variations, which makes the issues become difficult for the Researchers and developers.
Thus, the users should not only wait for the new version of the patch. We should also be careful to identify phishing websites and malware.
http://www.theregister.co.uk/2018/05/03/just_your_monthly_reminder_that_the_spectre_bug_is_still_out_there/
From #DeleteUber to #DeleteFacebook, there is a year of scandal in technology. Thus, how scandal changed tech? Scandal may not result in meaningful regulation or broad-sweeping changes to business models, but it does put a premium on good behavior, forcing tech companies to spend more time thinking about “values” in their strategy.
Lyft, after struggling to get rid of a cloud of scandal, is going to announce its $1.5 million investment in Relief Rides program. Relief Rides will give free rides to victims and first responders after natural disasters or other crises, and it will also provide free rides for veterans and low-income individuals who are going to job interview.
Facebook, how to fix Facebook after scandal is a critical question for the company. Mark Zuckerberg announced it is about a three-year transition to really build up the teams and “will never be unprepared again”. A new privacy feature that will allow users to clear their browsing history on Facebook including what they’ve clicked on and which websites they’ve visited. Instagram is also facing new features including video chatting, AR filters and a tool that “will filter comments and hide ones it detects as bullying”.
So what scandal changed tech is about forcing the company to learn to take a broader view of their responsibility. Privacy is very important to users and customers; the company should realize that this value is important and key for business since consumers will feel that whether the company has sincere desire to do good instead of merely by profit.
http://money.cnn.com/2018/05/02/technology/pacific-newsletter/index.html
Last decade Facebook claimed 20 million users and today they are hosting nearly 2 billion users on social media. For comparison’s sake, they are representing about 30% world population on their social media platform.
There are many potential risks for businesses that are new and less understood. Following I’m going to explore three related social media cyber-security facts.
Social media is always attractive to attackers, but they are ways to hedge the attack risks. The most recommended way is to make the best use of privacy setting available on these platforms and get educated on how much you show expose on these networks.
Another argument is that there is no one holding the control of these platforms. You may be able to stop sharing information but quitting does not mean that your previous information or account will go away too.
Finally, we all know that social media bound with improvement in security. But we should not let this calm user into a false sense of full safety. And the end of the day cyber-security risk is the end user’s problem to own.
These days we are surrounded with different kind of frauds which may appear so small but they have harmful effects on our lives and even our society. With a quick careful look around our lives we can see many small illegal activities that are not obvious, and we do not notice them. Bribery is one of the illegal activities that is very harmful for society such as police bribery. Corruption in government organizations plays an important role in spreading bribery in many societies, and in particular in their law enforcement entities such as police departments.
If people do not obey the law of their land especially in countries with restricted laws, they must be punished, and would not have any chance to escape from the law enforcements. However, countries with corrupted system can encourage people to break the laws without being concerned about the consequence of their actions. Police bribery is one of the common issues in such countries. For instance, in Malaysia police bribery is very common, and people can get away from their crimes by bribery. I lived in Malaysia for 6 years, and I witnessed many briberies to avoid getting tickets for speeding, or even avoid getting DU and other crimes. Because of this problem, the number of accidents and other casualties is relatively high. I witnessed bribery on streets on a regular basis, even though I was a student at the time, and didn’t spend a lot of time outside. The case of bribery must have been a lot worse in a city as large as Kuala Lumpur. The link below is showing one of the many case of bribery that was captured on a video.
http://www.theindependent.sg/malaysian-traffic-police-caught-on-video-taking-bribes/
On 21st April, Saturday, Mike Green, Deputy CISO at Express Scripts, led our Data Analytics class. Mike put up an informative presentation to discuss about privacy and data security. I thoroughly liked his presentation where he talked about different methodologies that cyber criminals/ hackers adopt to compromise sensitive information, most commonly referred as personally identifiable information (PII), of internet users. Additionally, among several interesting topics that Mike covered in the class, I enjoyed when he allowed the students with an opportunity to use the website that let us know if any of our accounts have been comprised in a data breach (haveibeenpawned.com).
To see Mike take such pride in his work and experiences and share them with future IT Auditors and Cyber Security professional was truly inspiring!
After Facebook and our class guest speaker, Mike Green’s lecture, I start thinking seriously about risks in our social media. Comparing with Facebook, Instagram and Snapchat, I think LinkedIn is more dangerous because most of us contained our real information in that, including real name, education background, working information and so on. I have read a news yesterday about Flaw in LinkedIn AutoFill Plugin Lets Third-Party Sites Steal Your Data. In the article, it discloses a new vulnerability discovered in Linkedin’s popular AutoFill functionality found leaking its users’ sensitive information to third party websites without the user even knowing about it. LinkedIn provides an AutoFill plugin for a long time that other websites can use to let LinkedIn users quickly fill in profile data, including their full name, phone number, email address, ZIP code, company and job title, with a single click. A legitimate website would likely place a AutoFill button near the fields the button can fill, but according to Cable, an attacker could secretly use the AutoFill feature on his website by changing its properties to spread the button across the entire web page and then make it invisible.
https://thehackernews.com/2018/04/linkedin-account-hack.html
Blog:Summary Of Data Analytics class
Internal auditors with data analytics experience are becoming the rock stars of the profession. Not only are they in high demand among leading companies.
We learnt about ACL Analytics which is a data extraction and analysis software used for fraud detection & prevention, and risk management. By sampling large data sets, ACL data analysis software is used to find irregularities or patterns in transactions that could indicate control weaknesses or fraud. While doing ACL labs I learnt how to navigate through the application and earned basic analysis skills.
I learnt and performed Benford analysis where I analyzed the probability that the first digit of a number 1 is about 30% while the probability the first digit is 9 in each of the four places in any number. Benford’s law tests only the frequencies of the digits and it successfully created a table that counts transaction amounts that start with digits 1 through 9. Developed a fraud policy for the company was a great opportunity.
Study about fraud different fraud defense methods, Importance of fraud prevention, create a culture of honest, Hire right to reduce risks, assess and mitigate fraud, detect fraud early, approaches to fraud investigation, Options for legal actions in US. Recognizing the Symptoms of Fraud. Investigating Theft. How do perpetrators convert and spend stolen funds.Government records can assist in the following the financial tracks of the suspected perpetrators.