978-0133428537 Chapter 8 Solution Manual Part 2

Authors: Marshall B. Romney, Paul J. Steinbart

Complexity (types of characters allowed)                Number of characters                        Length   Number of possible passwords
Numeric                                                 10 (0-9)                                    4        10^4  = 10,000
Alphabetic, not case sensitive                          26 (a-z)                                    8        26^8  = 2.088E+11
Alphabetic, case sensitive                              52 (a-z, A-Z)                               8        52^8  = 5.346E+13
Alphanumeric, case sensitive                            62 (0-9, a-z, A-Z)                          8        62^8  = 2.183E+14
Alphanumeric, case sensitive                            62 (0-9, a-z, A-Z)                          12       62^12 = 3.226E+21
Alphanumeric, case sensitive, plus special characters   95 (0-9, a-z, A-Z, and $, !, #, etc.)       8        95^8  = 6.634E+15
Alphanumeric, case sensitive, plus special characters   95 (0-9, a-z, A-Z, and $, !, #, etc.)       12       95^12 = 5.404E+23
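The table's figures are charset size raised to the password length. The following script is an added example, not part of the solution manual; it recomputes each row exactly, converts the keyspace into the worst-case time an attacker needs to try every password at an assumed rate (the 1e9 guesses per second used here is a constructed figure, not one the chapter gives), and checks the table's own lesson that four extra characters from the 62-symbol alphabet buy more than adding 33 special characters to an 8-character password.

```python
# Added example (not from the solution manual): keyspace and exhaustive-search
# time for the password policies in the table above.  The guess rate is a
# constructed assumption chosen only to make the numbers concrete.

# Character-class sizes exactly as the table defines them.
CHARSETS = {
    "numeric": 10,                 # 0-9
    "alpha": 26,                   # a-z
    "alpha_case": 52,              # a-z, A-Z
    "alnum_case": 62,              # 0-9, a-z, A-Z
    "alnum_case_special": 95,      # 0-9, a-z, A-Z and the printable symbols
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every password in the keyspace is tried."""
    return keyspace(charset_size, length) / guesses_per_second


def policy_table(guesses_per_second: float = 1e9):
    """Rebuild the page's seven rows and add a days-to-exhaust column."""
    rows = [
        ("numeric", 4), ("alpha", 8), ("alpha_case", 8), ("alnum_case", 8),
        ("alnum_case", 12), ("alnum_case_special", 8), ("alnum_case_special", 12),
    ]
    out = []
    for name, length in rows:
        size = CHARSETS[name]
        out.append({
            "charset": name,
            "length": length,
            "keyspace": keyspace(size, length),
            "days": seconds_to_exhaust(size, length, guesses_per_second) / 86400,
        })
    return out


def length_beats_complexity() -> bool:
    """62^12 (12 alphanumerics) exceeds 95^8 (8 chars with symbols)."""
    return keyspace(62, 12) > keyspace(95, 8)


if __name__ == "__main__":
    for row in policy_table():
        print(f"{row['charset']:<20} len={row['length']:>2} "
              f"keyspace={row['keyspace']:.3e} days@1e9/s={row['days']:.3g}")
    print("12 alphanumerics beat 8 with symbols:", length_beats_complexity())
```

At the assumed rate the 8-character, 95-symbol row falls in about 77 days, while the 12-character rows take millions of years or more; the exact integers reproduce the scientific-notation figures in the table.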
b. Complexity requirements (which types of characters are required to be used: numbers, alphabetic, case-sensitivity of alphabetic, special symbols like $ or !) - interacts with
c. Maximum password age (how often password must be changed) - shorter means more
d. Minimum password age (how long a password must be used before it can be changed)
e. Maintenance of password history (how many prior passwords does system remember to
f. Account lockout threshold (how many failed login attempts before the account is locked)
g. Time frame during which account lockout threshold is applied (i.e., if lockout threshold is five failed login attempts, time frame is whether those 5 failures must occur within 15 minutes, 1 hour, 1 day, etc.). Shorter time frames defeat attempts to guess by reducing the
h. Account lockout duration (how long the account remains locked after exceeding the
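Items f, g and h only make sense together: the threshold is counted over the time frame, and the duration decides how long a tripped lock holds. The following is an added example, not from the solution manual, of a sliding-window lockout that implements all three settings. Timestamps are plain seconds and the two scenarios at the bottom are constructed: the same five wrong passwords trip a 5-in-15-minutes policy when they arrive a minute apart, but never do when they are spaced 30 minutes apart, because the window only ever holds one of them.

```python
# Added example (not from the solution manual): a sliding-window account
# lockout combining items f (threshold), g (time frame) and h (duration).
# Timestamps are seconds; the scenarios in run_scenarios() are constructed.
from collections import defaultdict, deque


class LockoutPolicy:
    def __init__(self, threshold: int, window_seconds: int, lockout_seconds: int):
        self.threshold = threshold              # f. failures that trigger a lock
        self.window_seconds = window_seconds    # g. time frame the failures must fall in
        self.lockout_seconds = lockout_seconds  # h. how long the lock holds
        self._failures = defaultdict(deque)     # user -> timestamps of recent failures
        self._locked_until = {}                 # user -> time the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]        # lock has expired
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Process one login attempt and report what happened to it."""
        if self.is_locked(user, now):
            return "locked"                     # rejected before the password is checked
        if password_ok:
            self._failures[user].clear()        # a real login resets the counter
            return "success"
        recent = self._failures[user]
        recent.append(now)
        # Only failures inside the last window_seconds count toward the threshold.
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.lockout_seconds
            recent.clear()
            return "locked_now"
        return "failure"


def run_scenarios():
    """Constructed scenarios: 5 failures a minute apart vs. 30 minutes apart."""
    results = {}
    p = LockoutPolicy(threshold=5, window_seconds=15 * 60, lockout_seconds=30 * 60)
    burst = [(i * 60, "alice", False) for i in range(5)]
    results["burst"] = [p.attempt(u, ok, t) for t, u, ok in burst]
    results["during_lock"] = p.attempt("alice", True, 300)          # right password, still rejected
    results["after_lock"] = p.attempt("alice", True, 240 + 30 * 60)  # lock expired, login works

    q = LockoutPolicy(threshold=5, window_seconds=15 * 60, lockout_seconds=30 * 60)
    spread = [(i * 30 * 60, "bob", False) for i in range(5)]
    results["spread"] = [q.attempt(u, ok, t) for t, u, ok in spread]
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The "spread" scenario is the trade-off behind item g: a window short enough to spare users who mistype twice in a morning also lets a patient guesser stay under the threshold indefinitely, and a long lockout duration (item h) turns the same mechanism into a denial-of-service lever against legitimate accounts.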
8.8 Secure configuration of endpoints includes properly configuring your browser and smartphone. Visit the Center for Internet Security's website (www.cisecurity.org). Navigate to the "Configuration Benchmarks" and download the benchmark for either your favorite browser or your smartphone. Adjust the settings for Java, JavaScript, and plugins to the recommended settings. Then test the properly configured device on the following tasks:
a. Access your university e-mail account
b. Access your personal e-mail account
c. Use your favorite search engine to find information about travel tours to Easter Island
d. Attempt to book a flight
e. Play an online game (Sudoku, Kenken, etc.)
Required
Write a brief report that explains the effects, if any, of the more secure device configuration when
you attempted each task.
Solution: Reports will vary from student to student. The best way to grade is to review
8.9 Read the article “19 Ways to Build Physical Security into a Data Center,” which
appeared in the CSO Magazine November 2005. (You can find the article at
www.csoonline.com/read/110105/datacenter.html).
Which methods would you expect to find used by almost any major corporation?
Which might likely only be justified at a financial institution?
Solution:
Method
Any Corporation
Extra methods justified at a
Financial Institution
1. Build on the right spot
X
2. Have redundant utilities
X
3. Pay attention to walls
X
4. Avoid windows
X
5. Use landscaping for protection
X
6. Keep a 100-foot buffer zone around the site
X
7. Use retractable crash barriers at vehicle entry points
X
8. Plan for bomb detection
X
9. Limit entry points
X
10. Make fire doors exit only
X
11. Use plenty of cameras
X
12. Protect the building's machinery
X
13. Plan for secure air handling
X
14. Ensure nothing can hide in the walls and ceilings
X
15. Use two-factor authentication
X
16. Harden the core with security layers
X
17. Watch the exits too
X
18. Prohibit food in the computer rooms
X
19. Install visitor restrooms
X
SUGGESTED SOLUTIONS TO THE CASES
CASE 8-1 Assessing Change Control and Change Management
Read the article "Security Controls that Work" by Dwayne Melancon in the 2007 Issue, Volume 4 of the Information Systems Control Journal (available at http://www.isaca.org/Journal/Past-Issues/2007/Volume-4/Pages/Security-Controls-That-Work1.aspx). Write a report that answers the following questions:
1. What are the differences between high-performing organizations and medium- and low-
performing organizations in terms of normal operating performance? Detection of
security breaches? Percentage of budget devoted to IT?
2. Which controls were used by almost all high-performing organizations, but were not
used by any low- or medium-performers?
3. What three things do high-performing organizations never do?
4. What metrics can an IT auditor use to assess how an organization is performing in terms
of change controls and change management? Why are those metrics particularly useful?
SOLUTION: Details will vary, but a good solution should incorporate the following points:
1. The article lists the following differences between high-performing and medium- and low-performing organizations. High-performing organizations:
Completed eight times as many projects
Managed six times as many applications and IT services
Authorized and implemented 15 times as many changes
2. The article states that all high-performing organizations used two controls that none of
the low- or medium-performers did:
3. The article states that three things high-performing organizations NEVER do:
4. The article identifies these key metrics for IT auditors to track:
Amount of time devoted to unplanned work. An unplanned work rate higher than 20 to 25 percent is a sure indication of a lack of effective controls and a cultural problem within IT. It usually means too much time and resources are spent on troubleshooting and maintaining IT operations and not enough time is spent on improving the business. The
CASE 8-2 Role-Play: Designing an Effective Information Security Program
The U.S. Department of Defense has created a simulation called “CyberProtect” that
teaches how various information security tools work together to provide effective
information security, subject to resource constraints. Visit the department’s website
(http://iase.disa.mil/eta/cyber-protect/launchcontent.html) and launch the game. You will
need to enter your name to log in. Play the game for four quarters. Write a report that
describes your performance in the game. The report should be organized by quarter, and
for each quarter should include:
a. A screenshot of the network configuration at the beginning of the quarter.
b. A brief explanation of the rationale for your investment choices that quarter.
c. A printout of the attacks you faced that quarter and whether each succeeded or
failed.
d. A brief statement of what you learned that quarter.