...consider when determining vulnerabilities are the vulnerabilities that lie within an organization: internal vulnerabilities. Vulnerability assessments allowed Jacket-X Organization to determine prevalent vulnerabilities within their organization. As observed, there were irregularities within the organization's payroll system. Although Human Resources brought it to the attention of the CIO, there was no documentation of fraudulent activity that occurred. After reviewing the current implementation of the payroll process of Jacket-X Organization, there were a couple of red flags that were brought to my attention:
• Payroll specialists and administrators both have the ability to add employees to payroll directly.
• Payroll specialists can change payroll details during validation.
• There is too much “power” given to specialists.
• Strong possibilities for false time cards to be created.
• Time cards can be modified easily.
• Payrolls that are deleted are not recorded (needed for audit).
• Direct deposit and paycheck generation systems are not linked.
• Reports are easily exported into an Excel file.
These are just some of the vulnerabilities that were noticed. To address these vulnerabilities, the following should be considered:
• Have clear and concise policies as to the extent of permissions given to specialists and administrators. If it pertains to any managerial content, they should not be able to access this content.
• Prohibit payroll details being changed during...
Words: 843 - Pages: 4
...Disaster Plan Nunki J Rosas IT/240 Sunday, April 7th, 2013. John Helt, MISM, MCSE Disaster Plan Scenario: The IST Department of XYZ Computers is located on the first floor. Payroll and all human resources records are processed daily and bi-weekly for 10,000 employees. After payroll is run, data is backed up using tapes. No firewall is in place, and e-mail is on the same server as payroll. XYZ Computers is located in the southern part of the United States in an area that receives heavy rain. During the weekend, a major water pipe broke and flooded the first floor. The water caused extensive damage to the servers, which were also on the first floor. Create a disaster plan to prevent this sort of problem from happening in the future. Proposed solution: The way in which XYZ Computers has their IST Department set up currently is susceptible to many threats. The lack of a firewall is an open invitation for data to be stolen by prying eyes, and placing the payroll database on the same server as the email service is a vulnerability. The geographic and weather conditions of the company's location carry a high risk of flooding, yet the servers were installed on the first floor. Lastly, the backup method in place is somewhat outdated and there is no mention of how often the backup takes place; additionally, the backup tapes themselves could be damaged, lost, or stolen. These recommendations are an attempt to improve XYZ Computers' network data security, prevention of...
Words: 1186 - Pages: 5
...implemented was PKI. As noted in the original evaluation, several areas need to be addressed:
* Climate/culture of the organization
* Employee training for social engineering attacks
* Positive identification of employees when granting role-based access
* Vulnerabilities within and without the network, specifically to sniffers and eavesdropping
* The ease with which the employee changed his pay rate, indicating a single system used for HR profiles rather than segregated duties & systems
* The PKI that was installed only addressed the HR system, rather than the entire organization
Honestly, the whole environment at this company needs a complete evaluation and overhaul!
2. Outline the other attacks mentioned in the scenario that were not noticed by the organization.
* Social Engineering
* Sniffing/Eavesdropping
* Unauthorized Privilege Escalation
* Network Penetration
* Spoofing
a. Describe the nature of the attacks not noticed by the organization. By “the nature of the attacks” I interpret this to mean the source of the attacks, or the skillset required to carry out the attacks. I believe this employee was tenured based on their ability to:
* Hack into the HR system
* Successfully intercept the email from audit to the other individuals
* Successfully impersonate the individuals the email from audit was sent to
* Successfully identify the company president and other employees whose pay records were modified
* Successfully...
Words: 801 - Pages: 4
...Vulnerability Assessment for Jacket-X Corporation University of Maryland University College Abstract The Jacket-X Corporation is a manufacturer of industrial-grade gloves, jackets, and other safety-related clothing. The Chief Information Officer (CIO) at Jacket-X is concerned with the current Information Technology (IT) security implementations and procedures. He has valid concerns due to reports from Human Resources (HR) stating financial issues with last year’s payrolls. There are also concerns with external network vulnerabilities that could possibly give hackers unauthorized access to company data and information. The CIO has internal IT security concerns due to a recent incident with an executive employee infecting the company’s network with malicious software from a company-issued laptop. To help stay current with technology and compliant with federal laws, Jacket-X decided to install a new Identity Management (IdM) system with Single Sign On (SSO) features. Several employees and customers do not like the new IdM system due to privacy and data access concerns. This paper will analyze and discuss potential threats and vulnerabilities within the Jacket-X Corporation enterprise network. The paper will identify various IT security measures that will address the known threats and vulnerabilities. There will be discussions and recommendations made for choosing the best IdM system for Jacket-X. These discussions will also consist of the company addressing...
Words: 6831 - Pages: 28
...Threats and Vulnerabilities: Payroll Problems The problem in the payroll department last year may be due to a process that is flawed or to an employee who did not follow the process. The Sr. VP Dale Connor is attempting to bring to Jacket-X an atmosphere where security is an important part of every job at the company. He also realizes this is new thinking for Jacket-X and it will take the employees some time to adapt to the new culture. The need for cyber security is greater now than ever. In 2011, the Ponemon Institute published the Second Annual Cost of Cyber Crime Study. In the study, the institute reports that the median cost of cybercrime in a survey of 50 organizations was $5.9 million annually. Jill Peters is the VP of Human Resources and the payroll function falls in her sphere of responsibility. Jill knows the payroll function but is not a fan of the automation that IT can provide to her department. Jill feels that security can hamper the productivity of her department. The need for security that Dale is trying to foster does not seem to have a champion in Jill. The fact that Jill feels that she and Dale have a good dialogue is encouraging, but security will be a hard sell to Jill. The payroll function occurs on the company intranet, and the intranet has connectivity with the internet. Cybercriminals may be able to find a way into the company payroll and divert money from the employees into their own pockets. Jacket-X may not have the security in place to repel an...
Words: 1558 - Pages: 7
...Security Monitoring Activities CMGT/442 May 21, 2012 Security Monitoring Activities Any company that considers data an asset must realize the importance of risk management. Managing risk helps a company identify vulnerabilities and allows actions to be taken to reduce or stop these vulnerabilities. Risk management is also helpful in the attainment of goals and higher profits by attempting to eliminate any risk that may cost the company extra money to rectify. This paper will discuss security monitoring activities that must be addressed for both internal information technology (IT) and electronic commerce (e-commerce) applications of an organization. The recommended course of action will also be discussed when potential risks have been identified. According to Bejtlich (2004), security monitoring is defined as the collection, analysis, and escalation of indicators and warnings to detect and respond to intrusions. Security monitoring is an important part of risk management for internal applications such as payroll, human resources, and inventory. Security monitoring should also be used in the risk management of external applications like sales and marketing. Security Monitoring Process Security monitoring should be considered and used as a routine task to monitor and analyze the use of the network. Failure to use security monitoring would indicate that an organization believes there are no credible risks to the network. This thought process could...
Words: 1068 - Pages: 5
...ENTERPRISE CONTINUITY PLANNING Responding to Attacks and Special Circumstances Continued Assessments During a Disaster By Charles Paddock FXT2 – Task 2 November 5th, 2012 A. Perform a post event evaluation of how the organization’s IT staff responded to the attack described in the scenario by doing the following: 1. Describe the nature of the incident. The nature of the incident was that an internal employee successfully hacked into the human resources, payroll and electronic mail systems. The employee was then able to manipulate payroll data, intercept emails and impersonate staff through electronic means. There were a number of techniques used in this attack, such as network eavesdropping, IP spoofing, social engineering, man in the middle, and escalation of access privileges. All of these types of attacks are consistent with an experienced hacker who knew what he was after. The incident was only discovered because an auditor reviewing the records noticed the changes. When the auditor notified management of the discrepancies via email, his emails were intercepted and the hacker negotiated higher access privileges by posing as management and IT staff. 2. Identify who needs to be notified based on the type and severity of the incident. The first call should be to the Security and IT teams to secretly verify the attack and prevent further escalation. In the case where you believe we have been hacked and you do not know the extent of the...
Words: 1283 - Pages: 6
...• System Integrity/Validation and Final Project Summary
o Project Summary
o Over the past six weeks, our firm has analyzed the accounting information systems of Kudler Fine Foods. We have discussed their current computer system, evaluated the possibility of threats to it, and recommended integrated software solutions. The T3 line at Kudler clearly provides more data transmission capacity than is necessary for the company, so it was recommended they switch to a dedicated T1 line to reduce costs. Due to the importance of inventory control, we showed management how to take their current inventory data tables and construct pivot tables to improve decision making on inventory. Internal controls were reviewed on payroll, accounts payable, accounts receivable, and inventory processes to ensure the accuracy and validity of data. The review determined that if Kudler does not implement the recommended internal controls system, the business could be under serious threat. Information Technology (IT) auditing is another important improvement that Kudler should make, since our analysis showed that there are risks and vulnerabilities in the AIS process. Our final recommendation concerns the way the audit process can be improved by using computer assisted auditing techniques. This will complete the firm’s analysis and recommendations for Kudler Fine Foods.
o Our firm last week analyzed and recommended different types of Information Technology (IT) audits that Kudler Fine...
Words: 1144 - Pages: 5
...information or to steal an identity. Spoofing normally involves sending many packets/messages pretending to be a real, legitimate person, and spoofed IPs are very hard to trace back. There are many different types of spoofing, such as
▪ IP address and MAC address changing attacks
▪ Link alteration
▪ DNS server spoofing attack
▪ Content theft
▪ E-mail address changing attack
4.2 How a Penetration Attack Works
A penetration attack is basically an attempt to break the security features of a system in order to understand the system or its design and implementation. The main purpose of penetration is to identify methods of gaining access to a system by using common tools and techniques, and it can be performed after careful consideration, notification and planning. This attack is carried out by network scanning to obtain sensitive data, and here is an example of what type of information can be gathered from this penetration testing.
✓ Domain Name System (DNS) interrogation.
✓...
Words: 934 - Pages: 4
...Case Study Review: U.S. DOT ARRA Website Vulnerabilities Executive Summary The United States experienced an economic shock, commonly referred to as the “Great Recession”, in 2008 that resulted in the most job losses in any year since WWII. Payrolls plummeted, home values dove, and slumps were experienced in almost every sector of the economy. The administration of President Bush had agreed to provide federal loans to prop up the automobile industry and President-elect Obama inherited an economy in collapse. In 2009, the newly elected President Obama signed the American Recovery and Reinvestment Act (ARRA) into law. The Act provided stimulus spending in infrastructure, health, energy, education, unemployment insurance, social welfare programs, and many other areas of government interest. To address concerns from political opposition to that Act, ARRA included strong provisions governing transparency of the spending of taxpayer money. ARRA funds would be dispensed with strong requirements that taxpayers be able to monitor how their tax money is being spent. A major beneficiary of the stimulus funds was the Department of Transportation. To address the transparency issue, the department established a number of websites supported by servers and databases that the public could access to monitor the spending of their tax dollars. The DOT’s expanded web interface inherently exposed it to greater risk. This case study reviews an audit of that risk, the department’s shortfalls...
Words: 820 - Pages: 4
...INTRODUCTION (Task 1) First World Bank Savings and Loan (also referred to as “us”, “we”, “the company”, etc.) has been investigating the use of a Linux-based infrastructure architecture. The task team has already made recommendations to evaluate and prototype this kind of setup. Key factors are cost of ownership, scalability, and reliability. Other factors that remain are maintaining confidentiality, integrity, and availability (the CIA triad), and ensuring stable, secure support of the over $100,000,000 in transactions completed annually. As a financial institution, we must also bear in mind compliance with the Gramm-Leach-Bliley Act (GLBA), as well as the Payment Card Industry Data Security Standard (PCI-DSS) since we process credit card transactions, and the Sarbanes-Oxley Act (SOX) as we are publicly traded. Regardless of all these factors, rough estimates indicate we can save close to $4,000,000 in licensing fees alone by moving to a Linux-based infrastructure. Despite the open source nature of Linux, we should be able to meet all of the technical, legal, and security needs for this transition. TECHNICAL INFRASTRUCTURE NEEDS (Task 2) Thanks to the task team assigned to this project, an outline of the network and routing needs has already been completed. The following services will be required:
• A database server
o Recommended solution: DBMS MySQL
• A Web server
o Recommended solution: Apache
• A file server
o Recommended solution: Red...
Words: 1376 - Pages: 6
...1. Discuss common forms of attack on Microsoft systems using the text, Internet, and/or your job as reference for full credit. When considering the security of a system you will need to determine all the possible threats, vulnerabilities, and attacks. You will also need to consider the appropriate tradeoffs between security on one hand, and usability and cost on the other. A threat is the possibility of system compromise. For example, a threat could be the potential for unauthorized people to gain access to sensitive information, such as credit card information or health records (Microsoft, 2005). Threats usually involve confidential information. An attack takes advantage of an existing vulnerability. For example, suppose a malicious user knows that some users have weak passwords and tries guessing them until gaining access to restricted resources. It is important to realize the different types of security attacks you might encounter. Once you understand these, you will learn the appropriate countermeasures to take (Microsoft, 2005). The three main types of attacks are: disclosure of data, corruption of data, and denial of service. Disclosure refers to unauthorized or inappropriate access to sensitive data. This is probably the most common form of attack. An example of disclosure is a file that holds confidential payroll information. If this file finds its way into the hands of someone who should not be privy to the data, then the data has been disclosed. Data corruption is mainly...
Words: 496 - Pages: 2
...security audit, many people tend to confuse it with an information systems audit. An information systems audit is a substantial, expansive term that envelops a boundary of obligations: equipment and server administration, incident and problem administration, safety, network division, and privacy and security assurance (Pathak, 2004). Then again, as the name suggests, an information security audit has a one-point plan, and that is the security of information and data at the point of being transmitted and stored. Here, information should not be mistaken for just electronic information, as print information is similarly critical and its security is also verified during the audit process. There is a process that is followed when conducting an information security audit. The first step in the information security audit is identifying assets and classifying them. This is the methodology of distinguishing valuable resources and classifying them into groups that are manageable. There are different approaches to assemble this information, including talking with key IT staff, inspecting any past reviews, and exploring stock records. After distinguishing resources, group them in relation to availability, integrity and confidentiality. Examples of resources that need strict confidentiality are student grades, bank records, and health records. Resources that require integrity (meaning they can't be modified) include payroll and lesson plans. Resources that need to be available anytime...
Words: 1075 - Pages: 5
...Risk Evaluation Lauren A Lewis Accounting Information Systems ACC/542 June 23, 2014 Yasin Dadabhoy Internal Control and Risk Evaluation Internal controls and risk assessments are an essential part of an organization being successful. Management at Kudler Fine Foods has reviewed the flowcharts prepared and is requesting information on controls that will be required. Risks are the negative events that may occur causing a change in an organization's productivity. Internal controls are the policies and procedures put in place to reduce unexpected occurrences related to the risks. This brief will discuss the risks of Kudler Fine Food’s current Accounting Information System evaluated by Learning Team A. It will also identify all risk and control points by incorporating the controls and risks into the flowcharts. Team A will design internal controls to ease risks to the systems, and discuss other controls, outside the system, that Kudler Fine Foods may need. When evaluating Kudler's accounting information systems and the integration of the automation, we found that Kudler's focus should be on payroll, accounts payable, accounts receivable, and inventory processes. These processes have risk involved. This brief will focus on Kudler's internal and external controls, which include policies and procedures, HR compliance/code of conduct and computer information access. Kudler must maintain a policy and procedures system documenting in detail how each procedure should be completed...
Words: 828 - Pages: 4
...internal control concepts within an organization, ethical and moral values that must be followed. This paper will analyze and evaluate the areas of risk in the system. These risks are payroll, accounts receivable, accounts payable, and inventory. Risks in the System There will always be a number of risks associated with all aspects of accounting. For example, common risks displayed in a system would be security breaches, errors in manual input, and cases of fraud. These risks put leaders and managers under pressure to keep the operation organized and ethical. It also increases the risk of inappropriate accounting and unethical decisions regarding disclosure methods. Other risks that are associated with the system are the establishment of illegal programs that have the capability to breach security walls. Some programs are capable of corrupting files with viruses, deleting important files, and intentionally causing programs and applications to malfunction. If these risks are never assessed, they can significantly damage an organization’s reputation and essentially be the cause of its downfall. It is recommended for companies to back up confidential information to external storage that can be accessible in emergency situations. Controls and Risks in the Flowcharts The main concern regarding payroll as a risk is that its internal...
Words: 1066 - Pages: 5