Complete Solutions for Accounting Information Systems 12e by Marshall B. Romney and Paul J. Steinbart
CHAPTER 8
INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY
Part 1: Information Security
8.1 Explain why an organization would want to use all of the following information security controls: firewalls, intrusion prevention systems, intrusion detection systems, and a CIRT.

8.2 What are the advantages and disadvantages of having the person responsible for information security report directly to the chief information officer (CIO), who has overall responsibility for all aspects of the organization's information systems?

8.3 Reliability is often included in service level agreements (SLAs) when outsourcing. The toughest thing is to decide how much reliability is enough. Consider an application like e-mail. If an organization outsources its e-mail to a cloud provider, what is the difference between 95%, 99%, 99.99%, and 99.9999% reliability?

8.4 What is the difference between authentication and authorization?

8.5 What are the limitations, if any, of relying on the results of penetration tests to assess the overall level of security?

8.6 Security awareness training is necessary to teach employees "safe computing" practices. The key to effectiveness, however, is that it changes employee behavior. How can organizations maximize the effectiveness of their security awareness training programs?

8.7 What is the relationship between COSO, COBIT, and the AICPA's Trust Services frameworks?
8.1 Match the following terms with their definitions:

| Term | Definition |
| --- | --- |
| 1. Vulnerability | a. Code that corrects a flaw in a program. |
| 2. Exploit | b. Verification of claimed identity. |
| 3. Authentication | c. The firewall technique that filters traffic by comparing the information in packet headers to a table of established connections. |
| 4. Authorization | d. A flaw or weakness in a program. |
| 5. Demilitarized zone (DMZ) | e. A test to determine the time it takes to compromise a system. |
| 6. Deep packet inspection | f. A subnetwork that is accessible from the Internet but separate from the organization's internal network. |
| 7. Router | g. The device that connects the organization to the Internet. |
| 8. Social engineering | h. The rules (protocol) that govern routing of packets across networks. |
| 9. Firewall | i. The rules (protocol) that govern the division of a large file into packets and subsequent reassembly of the file from those packets. |
| 10. Hardening | j. An attack that involves deception to obtain access. |
| 11. CIRT | k. A device that provides perimeter security by filtering packets. |
| 12. Patch | l. The set of employees assigned responsibility for resolving problems and incidents. |
| 13. Virtualization | m. Restricting the actions that a user is permitted to perform. |
| 14. Transmission Control Protocol (TCP) | n. Improving security by removal or disabling of unnecessary programs and features. |
| 15. Static packet filtering | o. A device that uses the Internet Protocol (IP) to send packets across networks. |
| 16. Border router | p. A detective control that identifies weaknesses in devices or software. |
| 17. Vulnerability scan | q. A firewall technique that filters traffic by examining the packet header of a single packet in isolation. |
| 18. Penetration test | r. The process of applying code supplied by a vendor to fix a problem in that vendor's software. |
| 19. Patch management | s. Software code that can be used to take advantage of a flaw and compromise a system. |
| 20. Cloud computing | t. A firewall technique that filters traffic by examining not just packet header information but also the contents of a packet. |
| | u. The process of running multiple machines on one physical server. |
| | v. An arrangement whereby a user remotely accesses software, hardware, or other resources via a browser. |
8.2 Install and run the latest version of the Microsoft Baseline Security Analyzer on your home computer or laptop. Write a report explaining the weaknesses identified by the tool and how to best correct them. Attach a copy of the MBSA output to your report.
8.3 The following table lists the actions that various employees are permitted to perform:
8.4 Which preventive, detective, and/or corrective controls would best mitigate the following threats?

1. An employee's laptop was stolen at the airport. The laptop contained personally identifying information about the company's customers that could potentially be used to commit identity theft.
2. A salesperson successfully logged into the payroll system by guessing the payroll supervisor's password.
3. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.
4. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.
5. A company's programming staff wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.
6. A company purchased the leading "off-the-shelf" e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.
7. Attackers broke into the company's information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security.
8. An employee picked up a USB drive in the parking lot and plugged it into their laptop to "see what was on it," which resulted in a keystroke logger being installed on that laptop.
9. Once an attack on the company's website was discovered, it took more than 30 minutes to determine who to contact to initiate response actions.
10. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company's system by dialing into that modem.
11. An attacker gained access to the company's internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies.
8.5 What are the advantages and disadvantages of the three types of authentication credentials (something you know, something you have, and something you are)?
8.6 a. Apply the following data to evaluate the time-based model of security for the XYZ Company. Does the XYZ Company satisfy the requirements of the time-based model of security? Why?

- Estimated time for attacker to successfully penetrate system = 25 minutes
- Estimated time to detect an attack in progress and notify appropriate information security staff = 5 minutes (best case) to 10 minutes (worst case)
- Estimated time to implement corrective actions = 6 minutes (best case) to 20 minutes (worst case)

b. Which of the following security investments do you recommend? Why?

1. Invest $50,000 to increase the estimated time to penetrate the system by 4 minutes
2. Invest $50,000 to reduce the time to detect an attack to between 2 minutes (best case) and 6 minutes (worst case)
3. Invest $50,000 to reduce the time required to implement corrective actions to between 4 minutes (best case) and 14 minutes (worst case).
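As an added worked example (not from the textbook or its solutions manual), the following Python evaluates the time-based model of security, under which security is adequate when P > D + C, against the XYZ Company figures and the three investment options above; the option labels and the (best, worst) tuples are my own representation of the problem data.

```python
# Added example: evaluating the time-based model of security, P > D + C,
# with the XYZ Company estimates from problem 8.6. Ranges such as
# "5 minutes (best case) to 10 minutes (worst case)" are modelled as
# (best, worst) tuples; all times are in minutes.

def time_based_model_ok(p, d, c):
    """True when protection time P exceeds detection time D plus correction time C."""
    return p > d + c

def evaluate(p, d_range, c_range):
    """Return (best_case_ok, worst_case_ok) for a P value and (best, worst) D/C ranges."""
    best = time_based_model_ok(p, d_range[0], c_range[0])
    worst = time_based_model_ok(p, d_range[1], c_range[1])
    return best, worst

# Baseline figures from the problem statement
BASE_P = 25          # time to penetrate
BASE_D = (5, 10)     # time to detect and notify
BASE_C = (6, 20)     # time to implement corrective actions

# The three $50,000 options, each as (P, D range, C range) after the investment
INVESTMENTS = {
    "1: +4 minutes to penetrate": (BASE_P + 4, BASE_D, BASE_C),
    "2: detect in 2-6 minutes": (BASE_P, (2, 6), BASE_C),
    "3: correct in 4-14 minutes": (BASE_P, BASE_D, (4, 14)),
}

def options_satisfying_worst_case():
    """Names of the options under which the model still holds in the worst case."""
    return [name for name, (p, d, c) in INVESTMENTS.items() if evaluate(p, d, c)[1]]

if __name__ == "__main__":
    print("baseline (best, worst):", evaluate(BASE_P, BASE_D, BASE_C))
    for name, (p, d, c) in INVESTMENTS.items():
        print(name, evaluate(p, d, c))
    print("holds in worst case:", options_satisfying_worst_case())
```

The worst-case column is the one that matters: a control set that only works when detection and response both go well does not satisfy the model.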
8.7 Explain how the following items individually and collectively affect the overall level of security provided by using a password as an authentication credential.

a. Length
b. Complexity requirements (which types of characters are required to be used: numbers, alphabetic, case-sensitivity of alphabetic, special symbols like $ or !)
c. Maximum password age (how often a password must be changed)
d. Minimum password age (how long a password must be used before it can be changed)
e. Maintenance of password history (how many prior passwords the system remembers to prevent reselection of the same password when required to change passwords)
f. Account lockout threshold (how many failed login attempts before the account is locked)
g. Time frame during which the account lockout threshold is applied (i.e., if the lockout threshold is five failed login attempts, the time frame is whether those 5 failures must occur within 15 minutes, 1 hour, 1 day, etc.)
h. Account lockout duration (how long the account remains locked after exceeding the maximum allowable number of failed login attempts)
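To show how several of the settings above interact, here is an added example (not from the textbook) in Python: length and complexity fix the size of the password space, while the lockout threshold and its time frame bound how many online guesses an attacker can make per day. The model assumes a uniformly random password, an attacker limited to online guessing against a single account, and a constructed unthrottled rate of 1,000 guesses per second when lockout is disabled.

```python
# Added example: a rough model of how the password settings in problem 8.7
# combine against online guessing. All figures below are constructed, and the
# model assumes a random password (dictionary words are guessed far faster).
MINUTES_PER_DAY = 24 * 60

def keyspace(length, charset_size):
    """Number of possible passwords; set by length (a) and complexity (b)."""
    return charset_size ** length

def guesses_per_day(lockout_threshold, window_minutes, unthrottled_per_sec=1000):
    """Upper bound on online guesses against one account per day.
    With lockout enabled (threshold > 0) the attacker stays one attempt below the
    threshold (f) in every time frame (g) to avoid triggering the lockout; with it
    disabled (threshold == 0) only the assumed unthrottled rate limits the attacker."""
    if lockout_threshold == 0:
        return unthrottled_per_sec * 60 * MINUTES_PER_DAY
    return (lockout_threshold - 1) * MINUTES_PER_DAY / window_minutes

def expected_days_to_guess(length, charset_size, lockout_threshold, window_minutes):
    """Expected days to hit a random password: half the keyspace at the bounded rate.
    Compare the result with the maximum password age (c) to judge whether rotation
    can plausibly interrupt an attack."""
    rate = guesses_per_day(lockout_threshold, window_minutes)
    return keyspace(length, charset_size) / 2 / rate

if __name__ == "__main__":
    # Constructed policy: 8 lowercase letters, lockout after 5 failures in 15 minutes
    with_lockout = expected_days_to_guess(8, 26, 5, 15)
    no_lockout = expected_days_to_guess(8, 26, 0, 15)
    longer = expected_days_to_guess(12, 26, 0, 15)
    print(f"8 lowercase, lockout 5/15 min: {with_lockout:,.0f} days")
    print(f"8 lowercase, no lockout:       {no_lockout:,.0f} days")
    print(f"12 lowercase, no lockout:      {longer:,.0f} days")
```

The comparison shows why lockout threshold and time frame dominate for online attacks, while length and complexity are what matter once an attacker has a copy of the password hashes and is no longer rate-limited.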
8.8 The chapter briefly discussed the following three common attacks against applications:

a. Buffer overflows
b. SQL injection
c. Cross-site scripting

Required

Research each of these three attacks and write a report that explains in detail how each attack actually works and that describes suggested controls for reducing the risks that these attacks will be successful.
8.9 Physical security is extremely important. Read the article "19 Ways to Build Physical Security into a Data Center," which appeared in CSO Magazine, November 2005. (You can find the article at www.csoonline.com/read/110105/datacenter.html.)

Which methods would you expect to find used by almost any major corporation?

Which might likely only be justified at a financial institution?
Case 8.1 Costs of Preventive Security

Firewalls are one of the most fundamental and important security tools. You are likely familiar with the software-based host firewall that you use on your laptop or desktop. Such firewalls should also be installed on every computer in an organization. However, organizations also need corporate-grade firewalls, which are usually, but not always, dedicated special-purpose hardware devices. Conduct some research to identify three different brands of such corporate-grade firewalls and write a report that addresses the following points:

- Cost
- Technique (deep packet inspection, static packet filtering, or stateful packet filtering)
- Ease of configuration and use
Case 8.2 Developing an Information Security Checklist

Design a checklist for assessing each of the 11 detailed information security control objectives. The checklist should contain questions to which a Yes response represents a control strength, a No response represents a control weakness, plus a possible N/A response.

Provide a brief reason for asking each question. Organize your checklist as follows:

| Question | Yes | No | N/A | Reason for asking |
| --- | --- | --- | --- | --- |
| 1. Is there regular security awareness training? | | | | Training is one of the most important preventive controls because many security incidents happen due to either human error or social engineering. |