Chapter 4: Relational Databases made to the data without necessitating a

change in the programs and vice versa.

Learning Objectives  Cross-Functional Analysis - Relationships
between data from various organizational
 Explain the importance and advantages of
departments can be more easily combined.
databases.
 Describe the difference between database
Database Terminology
systems and file-based legacy systems.
 Database Management System (DBMS) -
 Explain the difference between logical and
Interface between software applications
physical views of a database.
and the data in files.
 Explain fundamental concepts of database
 Database Administrator (DBA)
systems such as DBMS, schemas, the data
-Person responsible for maintaining the
dictionary, and DBMS languages.
database
 Describe what a relational database is and
 Data Dictionary
how it organizes data.
-Information about the structure of the
 Create a set of well-structured tables to
database
store data in a relational database.
Example:Field names, descriptions, uses
 Perform simple queries using the Microsoft
Access database.
Logical vs. Physical

 Field - Attributes about an entity

 Physical View - Depends on explicitly
 Record -Related group of fields
knowing:
 File - Related group of records
-How is the data actually arranged in a
 Database - Related group of files
file
- Where is the data stored
on the computer
 Logical View - A Schema separates storage
of data from use of the data
-Unnecessary to explicitly know how and
where data is stored.

Schemas - Describe the logical structure of a

Advantages of Database Systems
 Data Integration - Files are logically
combined and made accessible to various
systems.
 Data Sharing - With data in one place it is
more easily accessed by authorized users.
 Minimizing Data Redundancy and Data
Inconsistency - Eliminates the same data
being stored in multiple files, thus reducing
inconsistency in multiple versions of the
same data.
 Data Independence - Data is separate from
the programs that access it. Changes can be
database.
- Conceptual Level
- Organization wide view of the data
- External Level
- Individual users view of the data
- Each view is a subschema
- Internal Level
- Describes how data are stored and
accessed
- Description of: records,
definitions, addresses, and indexes.

DBMS Languages
 Data Definition Language (DDL)
-Builds the data dictionary
-Creates the database
-Describes the subschema
-Specifies record or field security
constraints
 Data Manipulation Language (DML)
- Changes the content in the database
- Example: Updates, insertions, and
deletions
 Data Query Language (DQL)
- Enables the retrieval, sorting, and
display of data from the database
Relational Database
Relational data model represents the conceptual and
external level schemas as if data are stored in tables.
 Table
- Each row, a tuple, contains data
about one instance of an entity.
This is equivalent to a
record.
- Each column contains data about
one attribute of an entity.
This is equivalent to a
field.
Each row contains multiple
attributes describing an instance of the
entity. In this case, inventory.
Attributes
 Primary Key - An attribute or combination
of attributes that can be used to uniquely
identify a specific row (record) in a table.
 Foreign Key - An attribute in one table that
is a primary key in another table.
 Used to link the two
tables.
Database Design Errors
If database is not designed properly data errors
can occur.
1. Update Anomaly
- Changes to existing data are not correctly
recorded.
 Due to multiple records
with the same data
attributes
2. Insert Anomaly
- Unable to add a record to the database.
3. Delete Anomaly
- Removing a record also removes unintended data
from the database.
Design Requirements for Relational Database
1. Every column must be single valued.
2. Primary keys must contain data (not null).
3. Foreign keys must contain the same data as
the primary key in another table.
4. All other attributes must identify a
characteristic of the table identified by the
primary key.
Normalizing Relational Databases
 Initially, one table is used for all the data in
a database.
 Following rules, the table is decomposed
into multiple tables related by:
o Primary key–foreign key
integration
 Decomposed set of tables are in third
normal form (3NF).
Chapter 5: Computer Fraud
Learning Objectives
 Explain the threats faced by modern
information systems.
 Define fraud and describe the process one
follows to perpetuate a fraud.
 Discuss who perpetrates fraud and why it
occurs, including:
o the pressures, opportunities, and
rationalizations that are present in
most frauds.
 Define computer fraud and discuss the
different computer fraud classifications.
 Explain how to prevent and detect
computer fraud and abuse.
Common Threats to AIS
 Natural Disasters and Terrorist Threats
 Software Errors and/or Equipment
Malfunction
 Unintentional Acts (Human Error)
 Intentional Acts (Computer Crimes)
 Failure to enforce
internal control
system
 Fraudulent financial reporting
o “…intentional or reckless
conduct, whether by act or
omission, that results in
materially misleading financial
statements” (The Treadway
Commission).
Reasons for Fraudulent Financial
Statements
1. Deceive investors or creditors
2. Increase a company’s stock price
3. Meet cash flow needs
4. Hide company losses or other problems
Treadway Commission Actions to Reduce Fraud
1. Establish environment which supports the
integrity of the financial reporting process.
2. Identification of factors that lead to fraud.
3. Assess the risk of fraud within the
company.
4. Design and implement internal controls to
provide assurance that fraud is being
prevented.

What Is Fraud? SAS #99

 Gaining an unfair advantage over  Auditors responsibility to detect fraud
another person o Understand fraud
o A false statement, o Discuss risks of material
representation, or disclosure fraudulent statements
o A material fact that induces a  Among members of
person to act audit team
o An intent to deceive o Obtain information
o A justifiable reliance on the  Look for fraud risk
fraudulent fact in which a factors
person takes action o Identify, assess, and respond
o An injury or loss suffered by to risk
the victim o Evaluate the results of audit
 Individuals who commit fraud are tests
referred to as white-collar criminals.  Determine impact of
fraud on financial
Forms of Fraud statements
 Misappropriation of assets o Document and communicate
o Theft of companies’ assets. findings
o Largest factors for theft of  See Chapter 3
assets: o Incorporate a technological
 Absence of internal focus
control system
 The Fraud Triangle Conceal Convert

Commit
Pressure

Opportunity
Opportunity
Rationalization

Three conditions that are

Rationalizations
present when Fraud occurs. • Justification of illegal behavior
1. Justification
Pressure
• I am not being dishonest.
 Motivation or incentive to commit fraud
2. Attitude
Types:
• I don’t need to be honest.
1. Employee
3. Lack of personal integrity
• Financial
• Theft is valued higher
• Emotional
than honesty or integrity.
• Lifestyle
2. Financial
• Industry conditions
• Management
characteristics
Attitude
Lack of
Peronal
Justification
Integrity
Emotional
Lifestyle

Financial
Rationalization

Employee
Co
mputer Fraud
 Any illegal act in which knowledge of
Industry Mgmt
Conditions Characteristics computer technology is necessary for:
o Perpetration
o Investigation
o Prosecution
Financial
Reporting
Rise of Computer Fraud
1. Definition is not agreed on
Opportunity 2. Many go undetected
• Condition or situation that allows a person 3. High percentage is not reported
or organization to: 4. Lack of network security
1. Commit the fraud 5. Step-by-step guides are easily available
2. Conceal the fraud 6. Law enforcement is overburdened
• Lapping 7. Difficulty calculating loss
• Kiting
3. Convert the theft or
misrepresentation to personal gain

Computer Fraud Classifications

 Input Fraud - Alteration or falsifying input
 Processor Fraud - Unauthorized system use
 Computer Instructions Fraud- Modifying
software, illegal copying of software, using
software in an unauthorized manner,
creating software to undergo unauthorized
activities.
 Data Fraud - Illegally using, copying,
browsing, searching, or harming company
data
 Output Fraud - Stealing, copying, or
misusing computer printouts or displayed
information.
Chapter 6: Computer Fraud and Abuse
Techniques
 Learning Objectives
 Compare and contrast computer attack and
abuse tactics.
 Explain how social engineering techniques
are used to gain physical or logical access to
computer resources.
 Describe the different types of malware
used to harm computers.
Computer Attacks and Abuse
 Hacking - Unauthorized access,
modification, or use of a computer system
or other electronic device
 Social Engineering - Techniques, usually
psychological tricks, to gain access to
sensitive data or information.
o Used to gain access to secure
systems or locations
 Malware - Any software which can be used
to do harm.
 attacker instructions.
Types of Computer Attacks
 Botnet—Robot Network
o Network of hijacked computers
o Hijacked computers carry out
processes without users
knowledge
o Zombie—hijacked computer
 Denial-of-Service (DoS) Attack
o Constant stream of requests made
to a Web-server (usually via a
Botnet) that overwhelms and shuts
down service
 Spoofing
o Making an electronic
communication look as if it comes
from a trusted official source to
lure the recipient into providing
information.
Types of Spoofing
 E-mail - E-mail sender appears as if it
comes from a different source
 Caller-ID - Incorrect number is
displayed
 IP address - Forged IP address to
conceal identity of sender of data over
the Internet or to impersonate another
computer system
 Address Resolution Protocol (ARP)-
Allows a computer on a LAN to
intercept traffic meant for any other
computer on the LAN
 SMS - Incorrect number or name
appears, similar to caller-ID but for text
messaging
 Web page - Phishing (see below)
 DNS - Intercepting a request for a Web
service and sending the request to a
false service.
Hacking Attacks
 Cross-Site Scripting (XSS) - Unwanted code
is sent via dynamic Web pages disguised as
user input.
 Buffer Overflow - Data is sent that exceeds
computer capacity causing program
instructions to be lost and replaced with
 SQL Injection (Insertion)- Malicious code is
inserted in the place of query to a database
system.
 Man-in-the-Middle - Hacker places
themselves between client and host.
Additional Hacking Attacks
 Password Cracking - Penetrating system
security to steal passwords
 War Dialing- Computer automatically dials
phone numbers looking for modems.
 Phreaking- Attacks on phone systems to
obtain free phone service.
 Data Diddling- Making changes to data
before, during, or after it is entered into a
system.
 Data Leakage- Unauthorized copying of
company data.
Hacking Embezzlement Schemes
 Salami Technique- Taking small amounts
from many different accounts.
 Economic Espionage- Theft of information,
trade secrets, and intellectual property.
 Cyber-Bullying- Internet, cell phones, or
other communication technologies to
support deliberate, repeated, and hostile
behavior that torments, threatens,
harasses, humiliates, embarrasses, or
otherwise harms another person.
 Internet Terrorism - Act of disrupting
electronic commerce and harming
computers and communications.
 Internet Misinformation - Using the
Internet to spread false or misleading
information
Hacking for Fraud
 Internet Misinformation - Using the
Internet to spread false or misleading
information
 Internet Auction
- Using an Internet auction site to
defraud another person
- Unfairly drive up bidding
- Seller delivers inferior merchandise
or fails to deliver at all
- Buyer fails to make payment
 Internet Pump-and-Dump - Using the
Internet to pump up the price of a stock and
then selling it.
Social Engineering Techniques
 Identity Theft- Assuming someone else’s
identity
 Pretexting- Inventing a scenario that will lull
someone into divulging sensitive
information
 Posing- Using a fake business to acquire
sensitive information
 Phishing - Posing as a legitimate company
asking for verification type information:
passwords, accounts, usernames
 Pharming - Redirecting Web site traffic to a
spoofed Web site.
 Typesquatting - Typographical errors when
entering a Web site name cause an invalid
site to be accessed
 Tabnapping - Changing an already open
browser tab
 Scavenging - Looking for sensitive
information in items thrown away
 Shoulder Surfing - Snooping over
someone’s shoulder for sensitive
information.
More Social Engineering
 Lebanese Loping - Capturing ATM pin and
card numbers
 Skimming - Double-swiping a credit card
 Chipping - Planting a device to read credit
card information in a credit card reader
 Eavesdropping - Listening to private
communications
Type of Malware
 Spyware - Secretly monitors and collects
personal information about users and sends
it to someone else
- Adware - Pops banner ads on a
monitor, collects information about the
user’s Web-surfing, and spending habits,
and forward it to the adware creator
 Key logging - Records computer activity,
such as a user’s keystrokes, e-mails sent
and received, Web sites visited, and chat
session participation
 Trojan Horse- Malicious computer
instructions in an authorized and otherwise
properly functioning program
-Time bombs/logic bombs
 -Idle until triggered by a specified
date or time, by a change in the system, by
a message sent to the system, or by an
event that does not occur.
More Malware
 Trap Door/Back Door
o A way into a system that bypasses
normal authorization and
authentication controls
 Packet Sniffers
o Capture data from information
packets as they travel over
networks
o Rootkit
 Used to hide the presence
of trap doors, sniffers, and
key loggers; conceal
software that originates a
denial-of-service or an e-
mail spam attack; and
access user names and
log-in information
 Superzapping
o Unauthorized use of special system
programs to bypass regular system
controls and perform illegal acts,
all without leaving an audit trail