Page 251 - COSO Guidance Book

Another monitoring software is FlexiSpy, which has additional spyware features, such as the ability to record phone calls and listen to the environment.[18] However, many smartphones would need to be jailbroken before FlexiSpy can be installed on the device. For example, an Apple device would have to have its operating system modified in order to install FlexiSpy on an iPhone, iPad, etc.

A risk unique to mobile devices is that a public charging station could be compromised by a cyberthief. A public USB charging port or cable might have a device attached to it that can place malware on or perhaps steal data from your smartphone. One control is to use a power-only USB cable. This type of cable omits the pins in the physical connection that allow data transfer. Another solution is to insert a device (a USB “condom”) between a normal charging cable and the USB port. A USB condom blocks data from being transmitted.[19]

Other schemes

Password cracking — One common tool used by cybercriminals is employing software to break into a user’s password-protected system. One tool, PwCrack, has existed for decades to accomplish this task.[20] Another well-known vendor providing password-cracking services for law enforcement and others is Elcomsoft.

The length of time to crack a password depends on the length and composition of the password, the encryption methodology, and other factors. Password controls are discussed later.

Spoofing — Spoofing is often confused with phishing, whose purpose is to extract information. Spoofing causes malicious software to be downloaded onto the device by using email that appears to be from a trusted source. Similar to phishing, the email might contain official-looking company logos, etc. Controls for spoofing are similar to controls for phishing.

Pharming — Malware downloaded onto the user’s computer will redirect the web browser from the typed-in legitimate website to a fake copy of that website. Information provided by the user at the fake website will be captured. The user will be connected to the fake website even if the user clicks on the website stored in the browser history file. Spyware detection software can assist in detecting this scheme.


Controls

There are numerous internal controls that can help protect IT resources (data, computers, mobile devices, etc.) from attacks by both known and unknown cybercriminals. These controls follow:

1. Passwords. Passwords should be required to access data files, bank accounts, and other sensitive resources. Best practices note that passwords should be complex, i.e., contain upper- and lower-case letters, numbers, and special characters, and be at least eight characters in length. Passwords should be changed frequently based on a risk assessment. Some systems require the user to change passwords as often as monthly.



[18] https://www.flexispy.com
[19] https://www.groovypost.com/howto/prevent-juice-jacking-public-charging-station/
[20] https://www.pwcrack.com/
            © 2020 Association of International Certified Professional Accountants. All rights reserved.    5-17