Problems [8.1 - 8
Course: Information Systems In Accounting
Institution: University of Wollongong
Pages: 14


Accounting Information Systems

CHAPTER 8 CONTROLS FOR INFORMATION SECURITY SUGGESTED SOLUTIONS TO THE PROBLEMS

8.1

Match the following terms with their definitions:

Term
__d__ 1. Vulnerability
__s__ 2. Exploit
__b__ 3. Authentication
__m__ 4. Authorization
__f__ 5. Demilitarized zone (DMZ)
__t__ 6. Deep packet inspection
__o__ 7. Router
__j__ 8. Social engineering
__k__ 9. Firewall
__n__ 10. Hardening
__l__ 11. CIRT
__a__ 12. Patch
__h__ 13. Virtualization
__q__ 14. Change control and change management
__c__ 15. Packet filtering
__g__ 16. Border router
__p__ 17. Vulnerability scan
__e__ 18. Penetration test
__r__ 19. Patch management
__i__ 20. Cloud computing

Definition
a. Code that corrects a flaw in a program.
b. Verification of claimed identity.
c. The firewall technique that filters traffic by examining only the information in packet headers to test the rules in an ACL.
d. A flaw or weakness in a program.
e. A test that determines the time it takes to compromise a system.
f. A subnetwork that is accessible from the Internet but separate from the organization's internal network.
g. The device that connects the organization to the Internet.
h. The process of running multiple machines on one physical server.
i. An arrangement whereby a user remotely accesses software, hardware, or other resources via a browser.
j. An attack that involves deception to obtain access.
k. A device that provides perimeter security by filtering packets.
l. The set of employees assigned responsibility for resolving problems and incidents.
m. Restricting the actions that a user is permitted to perform.
n. Improving security by removal or disabling of unnecessary programs and features.
o. A device that uses the Internet Protocol (IP) to send packets across networks.
p. A detective control that identifies weaknesses in devices or software.
q. A plan to ensure that modifications to an information system do not reduce its security.
r. The process of applying code supplied by a vendor to fix a problem in that vendor's software.
s. Software code that can be used to take advantage of a flaw and compromise a system.
t. A firewall technique that filters traffic by examining not just packet header information but also the contents of a packet.

©2018 Pearson Education, Ltd.

8.2

The CISO of the ABC company is considering how to increase the strength of employee passwords. Currently, passwords must be eight characters, they must be case-sensitive, and they must contain at least two numbers.
a. Calculate the size of the search space of possible passwords given the current password requirements.
b. Calculate the size of the search space of possible passwords if the current password requirements were changed so that they must contain at least two special characters (e.g., $, #, @, etc.) from a list of 33 commonly available symbols.
c. Calculate the size of the search space of possible passwords if the current password requirements were changed so that passwords must be 12 characters long.
d. Which modification to the current password requirements (adding the requirement to include special symbols or increasing the length from 8 to 12) increases the strength of the password the most?
e. Which modification do you recommend? Why?

Solution:
a. The current search space is the number of choices for each character (62 = 26 upper-case letters, 26 lower-case letters, and 10 digits) raised to the length (8): 62^8 = 2.1834E+14.
b. There would now be 95 possible choices for each character: 26 upper-case letters, 26 lower-case letters, 10 digits, and 33 special characters. Thus the total search space would be 95^8 = 6.6342E+15.
c. There would be 62 choices for each character (26 upper-case letters, 26 lower-case letters, and 10 digits). Thus the search space would be 62^12 = 3.22627E+21.
d. Changing the size of the possible character set (part b) increases the search space by a factor of 30.3847 (6.6342E+15 / 2.1834E+14); changing the length (part c) increases the search space by a factor of 14,776,336 (3.22627E+21 / 2.1834E+14). Thus, changing the length by 50% (from 8 to 12 characters) increases the search space much more than does increasing the character set size by 50% (changing from 62 to 95 choices).
e. Increasing the length, because it increases resistance to brute-force guessing the most. Also, it is easier to type alphanumeric passwords than ones that also have to contain special characters.
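The search-space arithmetic from the solution, as an added example that is not part of the solutions manual. It reproduces the 62^8, 95^8 and 62^12 figures and the part d ratios, and goes one step beyond the page by also counting exactly how many passwords satisfy the "at least two digits / at least two specials" rules, which the textbook figures ignore (they treat every position as free). Function and policy names are my own.

```python
from math import comb, log2

def search_space(alphabet_size, length):
    """Unconstrained space: every position may hold any symbol.
    This is the figure the textbook solution uses (62**8, 95**8, 62**12)."""
    return alphabet_size ** length

def constrained_space(alphabet_size, length, subset_size, at_least):
    """Passwords over `alphabet_size` symbols containing at least `at_least`
    symbols from a subset of `subset_size` (digits, specials, ...).
    Counted as the total minus the strings with too few subset symbols."""
    other = alphabet_size - subset_size
    too_few = sum(comb(length, i) * subset_size ** i * other ** (length - i)
                  for i in range(at_least))
    return alphabet_size ** length - too_few

def bits(space):
    """Search space expressed as bits, the usual way to compare policies."""
    return log2(space)

def compare_policies():
    """The three policies of Problem 8.2 (constructed from the problem text),
    each with the textbook's unconstrained count and the exact count."""
    policies = {
        "8 chars, 62 symbols, >=2 digits":   (62, 8, 10, 2),
        "8 chars, 95 symbols, >=2 specials": (95, 8, 33, 2),
        "12 chars, 62 symbols, >=2 digits":  (62, 12, 10, 2),
    }
    base = search_space(62, 8)   # the current policy, part a
    report = {}
    for name, (alpha, n, sub, k) in policies.items():
        plain = search_space(alpha, n)
        strict = constrained_space(alpha, n, sub, k)
        report[name] = {"unconstrained": plain,
                        "ratio_to_current": plain / base,   # part d
                        "with_minimum": strict,
                        "bits": round(bits(strict), 1)}
    return report
```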


8.3

The following table lists the actions that various employees are permitted to perform:

Employee   Permitted actions
Able       Check customer account balances
           Check inventory availability
Baker      Change customer credit limits
Charley    Update inventory records for sales and purchases
Denise     Add new customers
           Delete customers whose accounts have been written off as uncollectible
           Add new inventory items
           Remove discontinued inventory items
Ellen      Review audit logs of employee actions

Use the following codes to complete the access control matrix so that it enables each employee to perform those specific activities:
0 = no access
1 = read only access
2 = read and modify records
3 = read, modify, create, and delete records

Solution:

Employee   Customer Master File   Inventory Master File   Payroll Master File   System Log Files
Able       1                      1                       0                     0
Baker      2                      0                       0                     0
Charley    0                      2                       0                     0
Denise     3                      3                       0                     0
Ellen      0                      0                       0                     1
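The completed matrix turned into an enforcement check, as an added example that is not part of the textbook solution. The permission codes 0-3 are mapped to the minimum level each kind of action needs, anything absent from the matrix is denied, and every decision is appended to the audit log that only Ellen may read. The file keys, action names and the sample requests are my own labels.

```python
# Access control matrix for Problem 8.3 (added example, not from the text).
NO_ACCESS, READ, READ_MODIFY, FULL = 0, 1, 2, 3   # the problem's codes

MATRIX = {  # employee -> {file: code}; anything missing is code 0
    "Able":    {"customer": READ, "inventory": READ},
    "Baker":   {"customer": READ_MODIFY},
    "Charley": {"inventory": READ_MODIFY},
    "Denise":  {"customer": FULL, "inventory": FULL},
    "Ellen":   {"system_log": READ},
}

# Minimum code each kind of action needs: create and delete both require
# code 3, modify requires at least code 2, read requires at least code 1.
REQUIRED = {"read": READ, "modify": READ_MODIFY, "create": FULL, "delete": FULL}

def permission(employee, file):
    """Default deny: unknown employees or unknown files get code 0."""
    return MATRIX.get(employee, {}).get(file, NO_ACCESS)

def is_permitted(employee, file, action):
    return permission(employee, file) >= REQUIRED[action]

def authorize(employee, file, action, audit_log):
    """Enforce the matrix and record the decision in the audit log
    (the 'System Log Files' that Ellen reviews)."""
    allowed = is_permitted(employee, file, action)
    audit_log.append((employee, file, action, "ALLOW" if allowed else "DENY"))
    return allowed

def demo():
    """Constructed requests: the permitted actions from the problem plus
    three that the matrix must refuse.  Returns (decisions, audit log)."""
    log = []
    requests = [
        ("Able", "customer", "read"),       # check customer balances
        ("Baker", "customer", "modify"),    # change credit limits
        ("Denise", "customer", "delete"),   # delete written-off customers
        ("Ellen", "system_log", "read"),    # review audit logs
        ("Able", "customer", "modify"),     # Able may only read
        ("Charley", "payroll", "read"),     # nobody may read payroll
        ("Mallory", "inventory", "read"),   # unknown principal
    ]
    return [authorize(e, f, a, log) for e, f, a in requests], log
```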


8.4

Which preventive, detective, and/or corrective controls would best mitigate the following threats?

a. An employee's laptop was stolen at the airport. The laptop contained personally identifying information about the company's customers that could potentially be used to commit identity theft.
Preventive: Policies against storing sensitive information on laptops and requiring that if any such information must exist on the laptop that it be encrypted. Training on how to protect laptops while traveling to minimize the risk of theft.
Corrective: Installation of "phone home" software might help the organization either recover the laptop or remotely erase the information it contains.

b. A salesperson successfully logged into the payroll system by guessing the payroll supervisor's password.
Preventive: Strong password requirements such as at least an 8-character length, use of multiple character types, random characters, and a requirement that passwords be changed frequently.
Detective: Locking out accounts after 3-5 unsuccessful login attempts; since this was a "guessing" attack, it may have taken more than a few attempts to log in.

c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.
Preventive: Integrate physical and logical security. In this case, the system should reject any attempt by a user to log into the system remotely if that same user is already logged in from a physical workstation.
Detective: Having the system notify appropriate security staff about such an incident.

d. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.
Preventive: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam.
Detective and corrective: Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system.

e. A company's programming staff wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.
Preventive: Teach programmers secure programming practices, including the need to carefully check all user input. Management must support the commitment to secure coding practices, even if that means a delay in completing, testing, and deploying new programs.
Detective: Make sure programs are thoroughly tested before being put into use. Have internal auditors routinely test in-house developed software.

f. A company purchased the leading "off-the-shelf" e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.
Preventive: Insist on secure code as part of the specifications for purchasing any third-party software. Thoroughly test the software prior to use. Employ a patch management program so that any vendor-provided fixes and patches are immediately implemented.

g. Attackers broke into the company's information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security.
Preventive: Enact a policy that forbids installation of unauthorized wireless access points.
Detective: Conduct routine audits for unauthorized or rogue wireless access points.
Corrective: Sanction employees who violate policy and install rogue wireless access points.

h. An employee picked up a USB drive in the parking lot and plugged it into their laptop to "see what was on it," which resulted in a keystroke logger being installed on that laptop.
Preventive: Security awareness training. Teach employees to never insert USB drives unless they are absolutely certain of their source.
Detective and corrective: Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process.

i. Once an attack on the company's website was discovered, it took more than 30 minutes to determine who to contact to initiate response actions.
Preventive: Document all members of the CIRT and their contact information. Practice the incident response plan.

j. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company's system by dialing into that modem.
Preventive: Routinely check for unauthorized or rogue modems by dialing all telephone numbers assigned to the company and identifying those connected to modems.

k. An attacker gained access to the company's internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies.
Preventive: Secure or lock all wiring closets. Require strong authentication of all attempts to log into the system from a wireless client. Employ an intrusion detection system.


8.5

What are the advantages and disadvantages of the three types of authentication credentials (something you know, something you have, and something you are)?

Something you know
Advantages:
+ Easy to use
+ Universal - no special hardware required
+ Revocable – can cancel and create new credential if compromised
Disadvantages:
+ Easy to forget or guess
+ Hard to verify who is presenting the credential
+ May not notice compromise immediately

Something you have
Advantages:
+ Easy to use
+ Revocable – can cancel and reissue new credential if compromised
+ Quickly notice if lost or stolen
Disadvantages:
+ May require special hardware if not a USB token (i.e., if a smart card, need a card reader)
+ Hard to verify who is presenting the credential

Something you are (biometric)
Advantages:
+ Strong proof who is presenting the credential
+ Hard to copy/mimic
+ Cannot be lost, forgotten, or stolen
Disadvantages:
+ Cost
+ Requires special hardware, so not universally applicable
+ User resistance. Some people may object to use of fingerprints; some culture groups may refuse face recognition, etc.
+ May create threat to privacy. For example, retina scans may reveal health conditions.
+ False rejection due to change in biometric characteristic (e.g., voice recognition may fail if the user has a cold).
+ Not revocable. If the biometric template is compromised, it cannot be re-issued (e.g., you cannot assign someone a new fingerprint).


8.6

a. Use the following facts to assess the time-based model of security for the ABC Company; how well does the existing system protect ABC? Assume that the best-, average-, and worst-case estimates are independent for each component of the model.
   Estimated time that existing controls will protect the system from attack = 15 minutes (worst case), 20 minutes (average case), and 25 minutes (best case)
   Estimated time to detect that an attack is happening = 5 minutes (best case), 8 minutes (average case), and 10 minutes (worst case)
   Estimated time to respond to an attack once it has been detected = 6 minutes (best case), 14 minutes (average case), and 20 minutes (worst case)

b. The company is considering investing up to an additional $100,000 to improve its security. Given the following possibilities, which single investment would you recommend? Which combination of investments would you recommend? Explain your answer.
   An investment of $75,000 would change the estimates for protection time to 19 minutes (worst case), 23 minutes (average case), and 30 minutes (best case).
   An investment of $75,000 would change the estimates for detection time to 2 minutes (best case), 4 minutes (average case), and 7 minutes (worst case).
   An investment of $75,000 would change the estimates for response time to 3 minutes (best case), 6 minutes (average case), and 10 minutes (worst case).
   An investment of $25,000 would change the estimates for protection time to 17 minutes (worst case), 22 minutes (average case), and 28 minutes (best case).
   An investment of $25,000 would change the estimates of detection time to 4 minutes (best case), 7 minutes (average case), and 9 minutes (worst case).
   An investment of $25,000 would change the estimates for response time to 4 minutes (best case), 9 minutes (average case), and 12 minutes (worst case).


Solution (in each cell, Good means P > D + R, Neutral means P = D + R, and Bad means P < D + R):

Part a:

Best case for P (25 minutes):
         D=5      D=8      D=10
R=6      Good     Good     Good
R=14     Good     Good     Good
R=20     Neutral  Bad      Bad

Average case for P (20 minutes):
         D=5      D=8      D=10
R=6      Good     Good     Good
R=14     Good     Bad      Bad
R=20     Bad      Bad      Bad

Worst case for P (15 minutes):
         D=5      D=8      D=10
R=6      Good     Good     Bad
R=14     Bad      Bad      Bad
R=20     Bad      Bad      Bad

CONCLUSION: Only if R is best case and D is at least average is ABC secure.

Part b:

First, look at the 3 options for investing $75,000.

$75,000 invested in protection (P = 30 / 23 / 19 minutes):

Best case for P (30 minutes):
         D=5      D=8      D=10
R=6      Good     Good     Good
R=14     Good     Good     Good
R=20     Good     Good     Neutral

Average case for P (23 minutes):
         D=5      D=8      D=10
R=6      Good     Good     Good
R=14     Good     Good     Bad
R=20     Bad      Bad      Bad

Worst case for P (19 minutes):
         D=5      D=8      D=10
R=6      Good     Good     Good
R=14     Neutral  Bad      Bad
R=20     Bad      Bad      Bad

$75,000 invested in detection (D = 2 / 4 / 7 minutes):

Best case for P (25 minutes):
         D=2      D=4      D=7
R=6      Good     Good     Good
R=14     Good     Good     Good
R=20     Good     Good     Bad

Average case for P (20 minutes):
         D=2      D=4      D=7
R=6      Good     Good     Good
R=14     Good     Good     Bad
R=20     Bad      Bad      Bad

Worst case for P (15 minutes):
         D=2      D=4      D=7
R=6      Good     Good     Good
R=14     Bad      Bad      Bad
R=20     Bad      Bad      Bad

Overall, the case for the $75,000 investment in D is worse than investing $75,000 in P.

$75,000 invested in response (R = 3 / 6 / 10 minutes):

Best case for P (25 minutes):
         D=5      D=8      D=10
R=3      Good     Good     Good
         D=2      D=4      D=7
R=6      Good     Good     Good

Average case for P (20 minutes):
         D=2      D=4      D=7
R=6      Good     Good     Good

Worst case for P (15 minutes):
         D=5      D=8      D=10
R=3      Good     Good     Good

Overall, the case for $75,000 in response is better than $75,000 on P or $75,000 on D.

R=3      D=5      D=8      D=10
...

