978-0133428537 Chapter 8 Solution Manual Part 1

Authors: Marshall B. Romney, Paul J. Steinbart

CHAPTER 8
CONTROLS FOR INFORMATION SECURITY
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
8.1 Explain why an organization would want to use all of the following information security controls: firewalls,
intrusion prevention systems, intrusion detection systems, and a CIRT.
Using this combination of controls provides defense-in-depth. Firewalls and intrusion
respond.
8.2 What are the advantages and disadvantages of having the person responsible for
information security report directly to the chief information officer (CIO), who has
overall responsibility for all aspects of the organization’s information systems?
8.3 Reliability is often included in service level agreements (SLAs) when outsourcing.
The toughest thing is to decide how much reliability is enough. Consider an
application like e-mail. If an organization outsources its e-mail to a cloud provider,
what is the difference between 95%, 99%, 99.99%, and 99.9999% reliability?
The differences in promised reliability levels over the course of a year in terms of days
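The figures the question asks for fall out of one conversion: an availability (uptime) percentage times the length of the measurement period gives the outage time the provider is allowed. The following is an added example, not part of the solutions manual, that does that conversion for the four levels in the question and checks an outage record against the resulting budget; the outage durations and the 30-day month are constructed for the example. It also shows the caveat a practitioner cares about: the period the SLA is measured over (month versus year) changes how much a single long outage matters.

```python
"""Added example (not from the textbook): turn an SLA availability figure
into the outage time it actually permits, and check a constructed outage
record against it. Outage durations below are invented for the example."""

MINUTES_PER_YEAR = 365 * 24 * 60         # 525,600 (non-leap year)
MINUTES_PER_30_DAY_MONTH = 30 * 24 * 60  # 43,200


def allowed_downtime_minutes(availability_pct: float,
                             period_minutes: int = MINUTES_PER_YEAR) -> float:
    """Outage minutes permitted per measurement period at the stated availability."""
    if not 0 < availability_pct <= 100:
        raise ValueError("availability must be a percentage in (0, 100]")
    return period_minutes * (1 - availability_pct / 100)


def describe(minutes: float) -> str:
    """Render minutes as days/hours/minutes/seconds for a report."""
    total_seconds = minutes * 60
    days, rem = divmod(total_seconds, 86400)
    hours, rem = divmod(rem, 3600)
    mins, secs = divmod(rem, 60)
    return f"{int(days)}d {int(hours)}h {int(mins)}m {secs:.1f}s"


def sla_breached(availability_pct: float, outage_minutes,
                 period_minutes: int = MINUTES_PER_YEAR) -> bool:
    """True if the recorded outages exceed the permitted total for the period."""
    return sum(outage_minutes) > allowed_downtime_minutes(availability_pct, period_minutes)


# Constructed outage record: three incidents in one year, 68 minutes in total.
OUTAGES_MINUTES = [45, 20, 3]

if __name__ == "__main__":
    for pct in (95, 99, 99.99, 99.9999):
        print(f"{pct:>8}% -> {describe(allowed_downtime_minutes(pct))} per year")
    # The same 45-minute incident fits a yearly 99.9% budget but not a monthly one.
    print("99.9% monthly budget:", describe(allowed_downtime_minutes(99.9, MINUTES_PER_30_DAY_MONTH)))
    print("99.99% yearly SLA breached by the record:", sla_breached(99.99, OUTAGES_MINUTES))
```

Running it shows 95% permitting roughly 18 days of outage a year, 99% about 3.65 days, 99.99% under an hour, and 99.9999% about half a minute; the last level is effectively a promise that no incident is ever longer than a failover. Note that most providers measure monthly, so the budget to compare an incident against is the monthly one.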
8.4 What is the difference between authentication and authorization?
8.5 What are the limitations, if any, of relying on the results of penetration tests to
assess the overall level of security?
8.6 Security awareness training is necessary to teach employees “safe computing”
practices. The key to effectiveness, however, is that it changes employee behavior.
How can organizations maximize the effectiveness of their security awareness
training programs?
8.7 What is the relationship between COSO, COBIT 5, and the AICPA’s Trust Services
frameworks?
8.1 Match the following terms with their definitions:

1. Vulnerability: d. A flaw or weakness in a program.
2. Exploit: s. Software code that can be used to take advantage of a flaw and compromise a system.
3. Authentication: b. Verification of claimed identity.
4. Authorization: m. Restricting the actions that a user is permitted to perform.
5. Demilitarized zone (DMZ): f. A subnetwork that is accessible from the Internet but separate from the organization's internal network.
6. Deep packet inspection: t. A firewall technique that filters traffic by examining not just packet header information but also the contents of a packet.
7. Router: o. A device that uses the Internet Protocol (IP) to send packets across networks.
8. Social engineering: j. An attack that involves deception to obtain access.
9. Firewall: k. A device that provides perimeter security by filtering packets.
10. Hardening: n. Improving security by removal or disabling of unnecessary programs and features.
11. CIRT: l. The set of employees assigned responsibility for resolving problems and incidents.
12. Patch: a. Code that corrects a flaw in a program.
13. Virtualization: h. The process of running multiple machines on one physical server.
14. Change control and change management: q. A plan to ensure that modifications to an information system do not reduce its security.
15. Packet filtering: c. The firewall technique that filters traffic by examining only the information in packet headers to test the rules in an ACL.
16. Border router: g. The device that connects the organization to the Internet.
17. Vulnerability scan: p. A detective control that identifies weaknesses in devices or software.
18. Penetration test: e. A test that determines the time it takes to compromise a system.
19. Patch management: r. The process of applying code supplied by a vendor to fix a problem in that vendor's software.
20. Cloud computing: i. An arrangement whereby a user remotely accesses software, hardware, or other resources via a browser.
8.2 It is important to periodically run a vulnerability scan to check the software on your
computer. Secunia.com provides tools to either perform an online (Online Software
Inspector) or offline (Personal Software Inspector) scan of your Windows machine. Use one
of those tools to scan your computer. Print out the report and write a brief explanation of the
issues identified and how to fix them.
Alternative assignment for non-Windows computers: Visit the Center for Internet
Security website (www.cisecurity.org). Navigate to the list of “Configuration Benchmarks”
and download the latest benchmark for the operating system on your computer. Compare
the recommendations in that list to your current settings. Write a brief report that explains
what you need to do to more securely configure your computer.
Solution: will vary for each student. Best way to grade is to focus on the quality of explanation
provided for whatever results the student submits.
8.3 The following table lists the actions that various employees are permitted to perform:

Employee | Permitted actions
Able     | Check customer account balances; check inventory availability
Baker    | Change customer credit limits
Charley  | Update inventory records for sales and purchases
Denise   | Add new customers; delete customers whose accounts have been written off as uncollectible; add new inventory items; remove discontinued inventory items
Ellen    | Review audit logs of employee actions
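The permissions table above is an access control matrix, and it is also the cleanest way to see the distinction discussion question 8.4 asks about: authentication answers "who are you?" and authorization answers "what may you do?". The following is an added example, not part of the solutions manual, that encodes the table as the authorization step and puts a password check in front of it as the authentication step. The user names come from the table; the passwords, the salted PBKDF2 storage scheme and the action identifiers are assumptions made for the example.

```python
"""Added example (not from the textbook): authentication (verify the
claimed identity) followed by authorization (default-deny check against
an access control matrix built from the Problem 8.3 table). Passwords and
action names are constructed for the example."""
import hashlib
import hmac
import os

# Authorization data: one row per employee, exactly the actions the table lists.
ACCESS_CONTROL_MATRIX = {
    "Able":    {"check_customer_balance", "check_inventory_availability"},
    "Baker":   {"change_customer_credit_limit"},
    "Charley": {"update_inventory_records"},
    "Denise":  {"add_customer", "delete_written_off_customer",
                "add_inventory_item", "remove_discontinued_item"},
    "Ellen":   {"review_audit_logs"},
}

PBKDF2_ITERATIONS = 100_000  # assumption: a modest work factor for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_credential_store(passwords: dict) -> dict:
    """Keep a per-user salt and hash; the passwords themselves are never stored."""
    store = {}
    for user, password in passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash_password(password, salt))
    return store


def authenticate(store: dict, user: str, password: str) -> bool:
    """Who are you? True only if the presented password matches the stored hash."""
    if user not in store:
        # Do the same work for an unknown user so timing does not reveal valid names.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, expected = store[user]
    return hmac.compare_digest(_hash_password(password, salt), expected)


def authorize(user: str, action: str) -> bool:
    """What may you do? Default deny: anything not in the matrix is refused."""
    return action in ACCESS_CONTROL_MATRIX.get(user, set())


def attempt(store: dict, user: str, password: str, action: str) -> str:
    """Run both checks in order and report which one stopped the request, if any."""
    if not authenticate(store, user, password):
        return "denied: not authenticated"
    if not authorize(user, action):
        return "denied: not authorized"
    return "allowed"


# Constructed credentials for the example only.
STORE = make_credential_store({"Able": "correct horse", "Baker": "battery staple"})

if __name__ == "__main__":
    print(attempt(STORE, "Able", "correct horse", "check_inventory_availability"))
    print(attempt(STORE, "Able", "correct horse", "change_customer_credit_limit"))
    print(attempt(STORE, "Able", "wrong password", "check_inventory_availability"))
```

The two failure messages are the point: a correct password for Able still cannot change a credit limit, because authorization is a separate decision made against the matrix after identity is established. In a real system the matrix would live in a database or directory and the audit log that Ellen reviews would record every denial.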
8.4 Which preventive, detective, and/or corrective controls would best mitigate the following threats?
a. An employee's laptop was stolen at the airport. The laptop contained personally identifying information about the company's customers that could potentially be used to commit identity theft.
b. A salesperson successfully logged into the payroll system by guessing the payroll supervisor's password.
c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.
d. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.
e. A company's programming staff wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.
f. A company purchased the leading "off-the-shelf" e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.
g. Attackers broke into the company's information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security.
h. An employee picked up a USB drive in the parking lot and plugged it into their laptop to "see what was on it," which resulted in a keystroke logger being installed on that laptop.
i. Once an attack on the company's website was discovered, it took more than 30 minutes to determine who to contact to initiate response actions.
j. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company's system by dialing into that modem.
k. An attacker gained access to the company's internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies.
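Items b and c above are both cases where the preventive control (a password) held or was bypassed, so the question becomes what detective control would have noticed. The following is an added example, not part of the solutions manual, of two such checks run over authentication log lines constructed for the example: a burst of failed logins followed by a success from the same source (the guessing in item b), and a successful login for an account that already has a live session somewhere else (the IT manager logged in at headquarters while his credentials were used remotely, item c). The log format, the five-attempt threshold, the eight-hour session assumption and all names and addresses are assumptions made for the example.

```python
"""Added example (not from the textbook): detective controls for items b and c
of Problem 8.4, run over constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not from any real system):
# "<ISO timestamp> <user> <LOGIN_OK|LOGIN_FAIL> <source> <location>"
LOG = """\
2024-03-04T09:00:05 psupervisor LOGIN_OK ws-hq-17 HQ
2024-03-04T09:02:11 psupervisor LOGIN_FAIL ws-hq-31 HQ
2024-03-04T09:02:15 psupervisor LOGIN_FAIL ws-hq-31 HQ
2024-03-04T09:02:20 psupervisor LOGIN_FAIL ws-hq-31 HQ
2024-03-04T09:02:24 psupervisor LOGIN_FAIL ws-hq-31 HQ
2024-03-04T09:02:29 psupervisor LOGIN_FAIL ws-hq-31 HQ
2024-03-04T09:02:33 psupervisor LOGIN_OK ws-hq-31 HQ
2024-03-04T09:10:00 itmanager LOGIN_OK ws-hq-04 HQ
2024-03-04T09:31:40 itmanager LOGIN_OK 198.51.100.77 REMOTE
2024-03-04T09:40:00 able LOGIN_FAIL ws-hq-22 HQ
2024-03-04T09:40:30 able LOGIN_OK ws-hq-22 HQ
"""


def parse(log: str):
    """Split each line into (timestamp, user, result, source, location)."""
    events = []
    for line in log.splitlines():
        ts, user, result, source, location = line.split()
        events.append((datetime.fromisoformat(ts), user, result, source, location))
    return events


def detect_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Item b: at least `threshold` failures for one user from one source within
    `window`, immediately followed by a success from that source."""
    alerts = []
    failures = defaultdict(list)  # (user, source) -> timestamps of recent failures
    for ts, user, result, source, _ in events:
        key = (user, source)
        if result == "LOGIN_FAIL":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append((user, source, len(recent)))
        failures[key].clear()
    return alerts


def detect_concurrent_locations(events, session=timedelta(hours=8)):
    """Item c: a successful login while the same account has a session that is
    still live from a different location. Assumption: with no logout events in
    the log, a session is treated as live for `session` after its login."""
    alerts = []
    active = defaultdict(list)  # user -> [(login time, location)]
    for ts, user, result, _, location in events:
        if result != "LOGIN_OK":
            continue
        live = [(t, loc) for t, loc in active[user] if ts - t <= session]
        for _, loc in live:
            if loc != location:
                alerts.append((user, loc, location, ts.isoformat()))
                break
        live.append((ts, location))
        active[user] = live
    return alerts


if __name__ == "__main__":
    events = parse(LOG)
    print("guessing:", detect_guessing(events))
    print("concurrent sessions:", detect_concurrent_locations(events))
```

On the constructed log the first check fires once, for the supervisor's account from workstation ws-hq-31, and the second fires once, for the IT manager's account at 09:31:40. Able's single typo does not trip the threshold, which is the trade-off any such rule makes between catching attacks and paging on ordinary mistakes.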
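Item f is SQL injection, and the corrective control is in the code rather than on the network. The following is an added example, not part of the solutions manual or of any vendor's product, that reproduces the flaw against a SQLite inventory table constructed for the example and shows the parameterized query that removes it, plus an input-format check as defense in depth. The table contents, the SKU format and the attacker strings are assumptions made for the example.

```python
"""Added example (not from the textbook): the SQL injection of Problem 8.4
item f against a constructed in-memory inventory table, beside the
parameterized query that fixes it."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory inventory table with constructed rows (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE inventory (sku TEXT PRIMARY KEY, qty INTEGER, unit_cost REAL);"
        "INSERT INTO inventory VALUES ('A100', 12, 4.50), ('B200', 0, 19.99), ('C300', 7, 2.25);"
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sku: str):
    """The flaw in item f: the customer's text is pasted into the SQL statement,
    so quotes in the input end the literal and the rest is executed as SQL."""
    query = "SELECT sku, qty FROM inventory WHERE sku = '" + sku + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, sku: str):
    """The fix: a bound parameter is passed to the engine as data and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute("SELECT sku, qty FROM inventory WHERE sku = ?", (sku,)).fetchall()


SKU_PATTERN = re.compile(r"[A-Z][0-9]{3}")  # assumption: the storefront's SKU format


def validate_sku(sku: str) -> bool:
    """Defense in depth: reject anything not shaped like a SKU before it reaches
    the database. Not a substitute for parameterization."""
    return SKU_PATTERN.fullmatch(sku) is not None


# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"                                  # WHERE clause becomes always true
UNION = "' UNION SELECT sku, unit_cost FROM inventory --"  # reads a column the storefront never shows

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, honest input:", lookup_vulnerable(conn, "A100"))
    print("vulnerable, tautology:   ", lookup_vulnerable(conn, TAUTOLOGY))
    print("vulnerable, union:       ", lookup_vulnerable(conn, UNION))
    print("safe, tautology:         ", lookup_safe(conn, TAUTOLOGY))
    print("validate_sku:", validate_sku("A100"), validate_sku(TAUTOLOGY))
```

The tautology input makes the vulnerable query return every row, and the UNION input returns the unit_cost column the storefront was never meant to expose; the parameterized version returns nothing for either, because it looks for a product whose SKU literally is the attack string. Purchased software is not immune to this, which is why the control for item f pairs vendor patching with testing the product before deployment and keeping the database account the storefront uses down to the least privilege it needs.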
8.5 What are the advantages and disadvantages of the three types of authentication credentials (something you know, something you have, and something you are)?

Something you know
Advantages:
+ Easy to use
+ Universal: no special hardware required
+ Revocable: can cancel and create a new credential if compromised
Disadvantages:
- Easy to forget or guess
- Hard to verify who is presenting the credential
- May not notice compromise immediately

Something you have
Advantages:
+ Easy to use
+ Revocable: can cancel and reissue a new credential if compromised
+ Quickly notice if lost or stolen
Disadvantages:
- May require special hardware if not a USB token (e.g., a smart card needs a card reader)
- Hard to verify who is presenting the credential

Something you are (biometric)
Advantages:
+ Strong proof of who is presenting the credential
+ Hard to copy/mimic
+ Cannot be lost, forgotten, or stolen
Disadvantages:
- Cost
- Requires special hardware, so not universally applicable
- User resistance: some people may object to the use of fingerprints; some cultural groups may refuse face recognition, etc.
- May create a threat to privacy; for example, retina scans may reveal health conditions.
- False rejection due to a change in the biometric characteristic (e.g., voice recognition may fail if the speaker has a cold).
- Not revocable: if the biometric template is compromised, it cannot be reissued (e.g., you cannot assign someone a new fingerprint).
8.6 a. Apply the following data to evaluate the time-based model of security for the XYZ Company. Does the XYZ Company satisfy the requirements of the time-based model of security? Why?
Estimated time for attacker to successfully penetrate system = 25 minutes
Estimated time to detect an attack in progress and notify appropriate
information security staff = 5 minutes (best case) to 10 minutes (worst case)
Estimated time to implement corrective actions = 6 minutes (best case) to 20
minutes (worst case)
b. Which of the following security investments do you recommend? Why?
1. Invest $50,000 to increase the estimated time to penetrate the system by 4
minutes
2. Invest $50,000 to reduce the time to detect an attack to between 2 minutes (best
case) and 6 minutes (worst case)
3. Invest $50,000 to reduce the time required to implement corrective actions to
between 4 minutes (best case) and 14 minutes (worst case).
Solution: Option 3 is the best choice because it is the only one that satisfies the time-based model of security (P > D + C) under the worst-case conditions:

Option | P (worst case) | D (worst case) | C (worst case) | D + C | P > D + C?
1      | 29             | 10             | 20             | 30    | No
2      | 25             | 6              | 20             | 26    | No
3      | 25             | 10             | 14             | 24    | Yes
8.7 Explain how the following items individually and collectively affect the overall level
of security provided by using a password as an authentication credential.
a. Length interacts with complexity to determine how hard it is to “guess” a password
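The interaction is multiplicative: the number of candidate passwords is the character-set size raised to the length, so one extra character does more than widening the character set. The following is an added example, not part of the solutions manual, that computes the keyspace and entropy for a few constructed policies and translates them into expected cracking time on two channels: offline against a stolen hash, and online through a login form that locks out after a few attempts. The guess rates, the lockout policy and the policies compared are assumptions made for the example.

```python
"""Added example (not from the textbook): how password length and character-set
size combine into attacker work, and why the guessing channel matters as much
as the password. Rates, lockout policy and example policies are assumptions."""
import math

# Constructed policies to compare: (length, character-set size).
POLICIES = {
    "8 chars, all printable ASCII (95)": (8, 95),
    "12 chars, lowercase only (26)": (12, 26),
    "6 digit PIN (10)": (6, 10),
}
OFFLINE_GUESSES_PER_SECOND = 1e10  # assumption: fast unsalted hash on a GPU rig


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly this length over this character set."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """Strength in bits: each added character contributes log2(charset_size) bits."""
    return length * math.log2(charset_size)


def expected_crack_seconds(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return keyspace(length, charset_size) / 2 / guesses_per_second


def lockout_guess_rate(attempts_before_lockout: int, lockout_seconds: float) -> float:
    """Effective online guess rate an account-lockout policy leaves an attacker."""
    return attempts_before_lockout / lockout_seconds


# Assumption: 5 attempts, then a 30-minute lockout.
ONLINE_GUESSES_PER_SECOND = lockout_guess_rate(5, 30 * 60)


def report(policies=POLICIES):
    """Per policy: (name, bits, expected offline days, expected online years)."""
    rows = []
    for name, (length, charset_size) in policies.items():
        offline_days = expected_crack_seconds(length, charset_size, OFFLINE_GUESSES_PER_SECOND) / 86400
        online_years = expected_crack_seconds(length, charset_size, ONLINE_GUESSES_PER_SECOND) / 86400 / 365
        rows.append((name, round(entropy_bits(length, charset_size), 1), offline_days, online_years))
    return rows


if __name__ == "__main__":
    for name, bits, offline_days, online_years in report():
        print(f"{name:36} {bits:5.1f} bits  offline {offline_days:12.6f} days  online {online_years:12.1f} years")
```

Two things fall out of the numbers. Twelve lowercase letters give a larger keyspace than eight characters drawn from the full printable set, so length is the cheaper lever. And a six-digit PIN that an offline attacker exhausts in a fraction of a second takes years on average through a locked-out login form, which is why the password policy items that follow (lockout, and protecting the stored hashes) matter as much as length and complexity.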
