978-0133428537 Chapter 8 Solution Manual Part 2

Complexity (types of

characters allowed)

Number of

characters

Length

Number of possible

passwords

Numeric

10 (0-9)

4

104 = 10,000

Alphabetic, not case sensitive

26 (a-z)

8

268 = 2.088+E11

Alphabetic, case sensitive

52 (a-z, A-Z)

8

528 = 5.346+E13

Alphanumeric, case sensitive

62 (0-9, a-z, A-Z)

8

628 = 2.183+E14

Alphanumeric, case sensitive,

12

6212 = 3.226+E21

Alphanumeric, case sensitive,

plus special characters

95 (0-9, a-z, A-Z,

and $, !, #, etc.)

8

958 = 6.634+E15

Alphanumeric, case sensitive,

plus special characters

95 (0-9, a-z, A-Z,

and $, !, #, etc.)

12

9512 = 5.404+E23

b. Complexity requirements (which types of characters are required to be used: numbers,

alphabetic, case-sensitivity of alphabetic, special symbols like $ or !) – interacts with

c. Maximum password age (how often password must be changed) – shorter means more

d. Minimum password age (how long a password must be used before it can be changed) –

e. Maintenance of password history (how many prior passwords does system remember to

f. Account lockout threshold (how many failed login attempts before the account is locked)

g. Time frame during which account lockout threshold is applied (i.e., if lockout threshold

is five failed login attempts, time frame is whether those 5 failures must occur within 15

minutes, 1 hour, 1 day, etc.). – Shorter time frames defeat attempts to guess by reducing the

h. Account lockout duration (how long the account remains locked after exceeding the

8.8 Secure configuration of endpoints includes properly configuring your browser and

smartphone. Visit the Center for Internet Security’s website (www.cisecurity.org). Navigate

to the “Configuration Benchmarks” and download the benchmark for either your favorite

browser or your smartphone. Adjust the settings for java, JavaScript, and plugins to the

recommended settings. Then test the properly configured device on the following tasks:

a. Access your university e-mail account

b. Access your personal e-mail account

c. Use your favorite search engine to find information about travel tours to Easter Island

d. Attempt to book a flight

e. Play an online game (Sudoku, Kenken, etc.)

Required

Write a brief report that explains the effects, if any, of the more secure device configuration when

you attempted each task.

Solution: Reports will vary from student to student. The best way to grade is to review

8.9 Read the article “19 Ways to Build Physical Security into a Data Center,” which

appeared in the CSO Magazine November 2005. (You can find the article at

www.csoonline.com/read/110105/datacenter.html).

Which methods would you expect to find used by almost any major corporation?

Which might likely only be justified at a financial institution?

Solution:

Method

Any Corporation

Extra methods justified at a

Financial Institution

1. Build on the right spot

X

2. Have redundant utilities

X

3. Pay attention to walls

X

4. Avoid windows

X

5. Use landscaping for protection

X

6. Keep a 100-foot buffer zone around

the site

X

7. Use retractable crash barriers at

vehicle entry points

X

8. Plan for bomb detection

X

9. Limit entry points

X

10. Make fire doors exit only

X

11. Use plenty of cameras

X

12. Protect the buildings machinery

X

13. Plan for secure air handling

X

14. Ensure nothing can hide in the walls

and ceilings

X

15. Use two-factor authentication

X

16. Harden the core with security layers

X

17. Watch the exits too

X

18. Prohibit food in the computer rooms

X

19. Install visitor restrooms

X

SUGGESTED SOLUTIONS TO THE CASES

CASE 8-1 Assessing Change Control and Change Management

Read the article “Security Controls that Work” by Dwayne Melancon in the 2007 Issue,

Volume 4 of the Information Systems Control Journal (available

http://www.isaca.org/Journal/Past-Issues/2007/Volume-4/Pages/Security-Controls-That-

Work1.aspx). Write a report that answers the following questions:

1. What are the differences between high-performing organizations and medium- and low-

performing organizations in terms of normal operating performance? Detection of

security breaches? Percentage of budget devoted to IT?

2. Which controls were used by almost all high-performing organizations, but were not

used by any low- or medium-performers?

3. What three things do high-performing organizations never do?

4. What metrics can an IT auditor use to assess how an organization is performing in terms

of change controls and change management? Why are those metrics particularly useful?

SOLUTION: Details will vary, but a good solution should incorporate the following points:

1. Differences between high-performing and medium- and low-performing organizations

are that high-performing organizations – the article lists the following:

• Completed eight times as many projects

• Managed six times as many applications and IT services

• Authorized and implemented 15 times as many changes

2. The article states that all high-performing organizations used two controls that none of

the low- or medium-performers did:

3. The article states that three things high-performing organizations NEVER do:

4. The article identifies these key metrics for IT auditors to track:

• Amount of time devoted to unplanned work—An unplanned work rate higher than 20 to 25

percent is a sure indication of a lack of effective controls and a cultural problem within

IT. It usually means too much time and resources are spent on troubleshooting and

maintaining IT operations and not enough time is spent on improving the business. The

OTHO

CASE 8-2 Role-Play: Designing an Effective Information Security Program

The U.S. Department of Defense has created a simulation called “CyberProtect” that

teaches how various information security tools work together to provide effective

information security, subject to resource constraints. Visit the department’s website

(http://iase.disa.mil/eta/cyber-protect/launchcontent.html) and launch the game. You will

need to enter your name to log in. Play the game for four quarters. Write a report that

describes your performance in the game. The report should be organized by quarter, and

for each quarter should include:

a. A screenshot of the network configuration at the beginning of the quarter.

b. A brief explanation of the rationale for your investment choices that quarter.

c. A printout of the attacks you faced that quarter and whether each succeeded or

failed.

d. A brief statement of what you learned that quarter.