
INFORMATION SYSTEMS AUDIT

EXER 1: Computer Fraud, Ethics, and Internal Control

SURNAME: MARCOLETA
FIRST NAME: LEANE MAE
M.I.: DL.
Section: BA-42
Schedule: MONDAY / 1:00PM - 4:00PM
Date: SEPTEMBER 10, 2020
E-mail Address (Gmail Account): marcoleane@gmail.com

COMPUTER FRAUDS/CRIMES TABLE


Columns: Computer Crime Case Title; Brief Description of computer fraud/crime; Computer Fraud Classification; Interest Harmed; Est. Loss; Target victim; Perpetrator Charged; Geography; Other facts of the case

U.S. v. Swartz (D. Mass.), August 1, 2011
Source (Ref.): https://casetext.com/case/united-states-v-swartz-8
Brief description: Wire fraud: Systematic stealing of academic papers.
Computer fraud classification: Stored Data Fraud
Interest harmed: C
Est. loss: -
Target victim: Private
Perpetrator charged: Employee
Geography: Int'l
Other facts of the case:
- 2.7 million academic papers were stolen by Swartz
- Cumulative maximum penalty of $1 million in fines and 35 years in prison
- Swartz committed suicide at 26 years old.

U.S. v. Auernheimer (D. N.J.), October 26, 2012
Source (Ref.): https://casetext.com/case/united-states-v-auernheimer
Brief description: Online trafficking: Identity theft.
Computer fraud classification: Stored Data Fraud
Interest harmed: C
Est. loss: -
Target victim: Private
Perpetrator charged: Group (Outsider)
Geography: Int'l
Other facts of the case:
- Accessed 120,000 email addresses through AT&T website.
- Auernheimer was convicted and sentenced to three and a half years in prison
- His conviction, however, was vacated on appeal over the issue of venue.

U.S. v. Barrington (11th Cir.), August 11, 2011
Source (Ref.): https://caselaw.findlaw.com/us-11th-circuit/1577173.html
Brief description: Wire fraud: Defraud and Identity theft.
Computer fraud classification: Input Fraud
Interest harmed: I
Est. loss: $137,000
Target victim: Private
Perpetrator charged: Group (Outsider)
Geography: Int'l
Other facts of the case:
- Approximately 30-35 grade changes were made to Barrington's grades
- Barrington's sister received 5 grade changes from F or C to A
- 650 unauthorized grade changes had been made, involving at least 90 students.

U.S. v. Rodriguez (11th Cir.), December 27, 2010
Source (Ref.): https://caselaw.findlaw.com/us-11th-circuit/1549806.html
Brief description: Exceeding authorized access and obtaining information from U.S. agencies.
Computer fraud classification: Processor Fraud
Interest harmed: C
Est. loss: -
Target victim: Threat to Public Health or Safety
Perpetrator charged: Former Employee
Geography: Int'l
Other facts of the case:
- Rodriguez is a former employee of the Social Security Administration of the U.S.
- He accessed information for non-business reasons
- He obtained personal identifying information of 17 persons he knew or their relatives.

U.S. v. Phillips (5th Cir.), January 24, 2007
Source (Ref.): https://casetext.com/case/us-v-phillips-104/analysis
Brief description: Steal encrypted data and passwords & infiltrating hundreds of computers.
Computer fraud classification: Stored Data Fraud
Interest harmed: C
Est. loss: $5,000 with excess
Target victim: Private
Perpetrator charged: Juvenile (Outsider)
Geography: Int'l
Other facts of the case:
- Phillips admitted that he designed the brute-force attack program to obtain data
- He was indicted and convicted of one count of computer fraud pursuant
- University of Texas spent over $122,000 for the damage and $60,000 to notify the victims.

U.S. v. Valle (2d Cir.), December 3, 2015
Source (Ref.): https://caselaw.findlaw.com/us-2nd-circuit/1719750.html
Brief description: Single conspiracy to kidnap several women from his chats through government computers.
Computer fraud classification: Processor Fraud
Interest harmed: C
Est. loss: -
Target victim: Threat to Public Health or Safety
Perpetrator charged: Employee
Geography: Int'l
Other facts of the case:
- Valle was an officer in the New York City Police Department
- However, he was an active member of an Internet sex fetish community
- He accessed a gov't computer program and obtained information from restricted databases.

U.S. v. Keys (9th Cir.), June 26, 2017
Source (Ref.): https://caselaw.findlaw.com/us-9th-circuit/1865910.html
Brief description: Transmission of computer code that resulted in unauthorized damage & identity theft.
Computer fraud classification: Input Fraud
Interest harmed: I
Est. loss: $929,977
Target victim: Private
Perpetrator charged: Former Employee
Geography: Int'l
Other facts of the case:
- Keys turned over the username and password of his former employer, the Tribune company, to the Anonymous group
- An individual used the credentials given by Keys to make some changes to a Los Angeles Times article.

U.S. v. Drew (N.D. Cal.), August 28, 2009
Source (Ref.): https://casetext.com/case/us-v-drew-12
Brief description: Cyberbullying while pretending to be someone in MySpace website.
Computer fraud classification: Computer Instruction Fraud
Interest harmed: C
Est. loss: -
Target victim: Public
Perpetrator charged: Group (Outsider)
Geography: Int'l
Other facts of the case:
- Drew conspired with three others to open a phony MySpace account as a nonexistent teen named Josh Evans
- Drew and her associates used "Evans" to bully a teen girl
- The girl had depression and killed herself.

U.S. v. Nosal (9th Cir.), April 28, 2011
Source (Ref.): https://caselaw.findlaw.com/us-9th-circuit/1565291.html
Brief description: Data theft through trade secrets.
Computer fraud classification: Processor Fraud
Interest harmed: C
Est. loss: -
Target victim: Private
Perpetrator charged: Former Employee
Geography: Int'l
Other facts of the case:
- Nosal had worked for the executive search firm Korn/Ferry International
- After leaving, he talked former colleagues into accessing a company database and giving him trade secrets to help him launch a competing business.

U.S. v. Aleynikov (2d Cir.), April 11, 2011
Source (Ref.): https://casetext.com/case/united-states-v-aleynikov-3
Brief description: Unlawful duplication of computer related material.
Computer fraud classification: Output Fraud
Interest harmed: C
Est. loss: $5,000 or more
Target victim: Private
Perpetrator charged: Former Employee
Geography: Int'l
Other facts of the case:
- Aleynikov was a programmer of a company
- Shortly before leaving his job, he downloaded code he had written for the company
- Prosecutors charged him with unauthorized access with theft of trade secrets.

PH v. Ignacio (N/A), June 15, 2014
Source (Ref.): https://www.manilatimes.net/2014/06/15/news/top-stories/doj-orders-1st-cybercrime-case-filed/104443/
Brief description: Computer-related forgery: Phishing activity
Computer fraud classification: Stored Data Fraud
Interest harmed: C
Est. loss: ₱3,000,000
Target victim: Private
Perpetrator charged: Group (Outsider)
Geography: Local
Other facts of the case:
- Ignacio used computer data for the purpose of perpetuating a fraudulent or dishonest design
- Ignacio, however, withdrew only ₱150,000
- Ignacio was arrested while trying to withdraw the rest of the money from her account.

U.S. v. Morris (2d Cir.), March 7, 1991
Source (Ref.): https://h2o.law.harvard.edu/collages/41678
Brief description: Created virus that destroyed computers.
Computer fraud classification: Processor Fraud
Interest harmed: I
Est. loss: $10 million-$100 million
Target victim: Private
Perpetrator charged: Group (Outsider)
Geography: Int'l
Other facts of the case:
- Morris claimed that he did not aim to cause harm and that it was made with the innocuous intent of determining the vastness of cyberspace
- Things went pear-shaped when the worm encountered a critical error and morphed into a virus that affected 6000 computers.

U.S. v. Poulsen (9th Cir.), December 8, 1994
Source (Ref.): https://casetext.com/case/us-v-poulsen-21
Brief description: Hacked Los Angeles phone system.
Computer fraud classification: Processor Fraud
Interest harmed: I
Est. loss: Porsche car
Target victim: Private
Perpetrator charged: Group (Outsider)
Geography: Int'l
Other facts of the case:
- Poulsen guaranteed his success as he took control of the phone network and effectively blocked incoming calls to the radio station's number
- He won the car but the law caught up to him and he was sentenced to five years in prison.

U.S. v. Guzner (C.D. Cal.), October 17, 2008
Source (Ref.): https://www.courtlistener.com/docket/4144338/united-states-v-guzner/
Brief description: Launched DDoS attack on a website to destroy its system.
Computer fraud classification: Stored Data Fraud
Interest harmed: A
Est. loss: -
Target victim: Private
Perpetrator charged: Group (Outsider)
Geography: Int'l
Other facts of the case:
- Guzner was charged and convicted for the Distributed Denial-of-Service (DDoS) attack
- Together with his gang, he crippled the Church of Scientology website for several days
- He was ultimately sentenced to 2 years probation and was ordered to pay the Church of Scientology $37,500.

U.S. v. Smith (2d Cir.), November 29, 2012
Source (Ref.): https://caselaw.findlaw.com/us-2nd-circuit/1616796.html
Brief description: Harming multiple computers and anti-virus software.
Computer fraud classification: Stored Data Fraud
Interest harmed: I
Est. loss: $80,000,000
Target victim: Private
Perpetrator charged: Group (Outsider)
Geography: Int'l
Other facts of the case:
- The Melissa virus would infect Microsoft Word documents and automatically disseminate itself as an attachment via email
- It would mail out to the first 50 names listed in an infected computer's Outlook email address box.

NUMBER 4:
A. Computer Fraud Classification (Pie Chart): Input Fraud 13%, Processor Fraud 33%, Computer Instruction Fraud 7%, Stored Data Fraud 40%, Output Fraud 7%.
B. Interest Harmed (Pie Chart): Confidentiality 60%, Integrity 33%, Availability 7%.
C. Perpetrators/Fraudsters (Pie Chart): Employee 13%, Former Employee 27%, Juvenile (Outsider) 7%, Group (Outsider) 53%.
D. Target Victims (Pie Chart): Private 80%, Public 7%, Threat to Public Health or Safety 13%.

NUMBERS 5 & 6:
Common Examples of Internal Control Weaknesses, each with its Recommended Preventive Control:

1. Weakness: Dated or ineffective information systems.
   Recommended preventive control: List the systems in your business and the key performance measures you need from each. Working systematically through these will help you stay competitive and efficient.
2. Weakness: Lack of physical and logical security.
   Recommended preventive control: Having firewalls and protective devices or software on computer systems is an important component to help prevent security breaches.
3. Weakness: Job roles and responsibilities not clearly defined.
   Recommended preventive control: Job roles and responsibilities should be clear and preferably be in writing. This will ease the process of separating duties.
4. Weakness: No formal and ethical policies issued.
   Recommended preventive control: A code of ethics can provide guidelines of how employees should deal with potential misbehavior about company values and commitments.
5. Weakness: Inadequate documentation or records.
   Recommended preventive control: Financial documents should be pre-numbered to ensure all transactions are recorded and accounted for.

Reference: https://www.lbahs.com/blog/common-internal-control-deficiencies-found-in-small-businesses/
