978-0134474021 Chapter 8 Solutions Manual Part 1

Unlock access to all the studying documents.

View Full Document

CHAPTER 8

CONTROLS FOR INFORMATION SECURITY

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

8.1 Explain why an organization would want to use all of the following information

security controls: firewalls, intrusion prevention systems, intrusion detection

systems, and a CIRT.

Using this combination of controls provides defense-in-depth. Firewalls and intrusion

8.2 What are the advantages and disadvantages of having the person responsible for

information security report directly to the chief information officer (CIO), who has

overall responsibility for all aspects of the organization’s information systems?

It is important for the person responsible for security (the CISO) to report to senior

One potential disadvantage is that the CIO may not always react favorably to reports

indicating that shortcuts have been taken with regard to security, especially in situations

where following the recommendations for increased security spending could result in

8.3 Reliability is often included in service level agreements (SLAs) when outsourcing.

The toughest thing is to decide how much reliability is enough. Consider an

application like e-mail. If an organization outsources its e-mail to a cloud provider,

what is the difference between 95%, 99%, 99.99%, and 99.9999% reliability?

The differences in promised reliability levels over the course of a year in terms of days

when the e-mail system may not work are:

8-1

Ch. 8: Controls for Information Security

8.4 What is the difference between authentication and authorization?

Authentication and authorization are two related controls designed to restrict access to an

8.5 What are the limitations, if any, of relying on the results of penetration tests to

assess the overall level of security?

Penetration testing provides a rigorous way to test the effectiveness of an organization’s

computer security by attempting to break into the organization’s information system.

Internal audit and external security consulting team perform penetration tests in which

8.6 Security awareness training is necessary to teach employees “safe computing”

practices. The key to effectiveness, however, is that it changes employee behavior.

How can organizations maximize the effectiveness of their security awareness

training programs?

Top management support is always essential for the success of any program an entity

undertakes. Thus, top management support and participation in security awareness

8-2

Accounting Information Systems

8.7 What is the relationship between COSO, COBIT 5, and the AICPA’s Trust Services

frameworks?

8-3

Accounting Information Systems

SUGGESTED SOLUTIONS TO THE PROBLEMS

8.1 Match the following terms with their definitions:

Term Definition

__d__ 1. Vulnerability a. Code that corrects a flaw in a program.

__e__ 18. Penetration test r. The process of applying code supplied by a

vendor to fix a problem in that vendor’s

software.

8-4

Accounting Information Systems

_i___ 20. Cloud computing t. A firewall technique that filters traffic by

examining not just packet header information

but also the contents of a packet.

8.2 The CISO of the ABC company is considering how to increase the strength of employee

passwords. Currently, passwords must be eight characters, they must be case-sensitive,

and they must contain at least two numbers.

a. Calculate the size of the search space of possible passwords given the current

password requirements.

b. Calculate the size of the search space of possible passwords if the current password

requirements were changed so that they must contain at least two special characters

(e.g., $, #, @, etc.) from a list of 33 commonly available symbols.

c. Calculate the size of the search space of possible passwords if the current password

requirements were changed so that passwords must be 12 characters long.

d. Which modification to the current password requirements (adding the requirement to

include special symbols or increasing the length from 8 to 12) increases the strength

of the password the most?

e. Which modification do you recommend? Why?

Solution:

a. The current search space is the number of choices for each character (62 = 26 upper-case

b. There would now be 95 possible choices for each character: 26 upper-case letters, 26

c. There would 62 choices for each character (26 upper-case letters, 26 lower-case letters, and

d. Changing the size of the possible character set (part b) increases the search space by 30.3847

e. Increasing the length – because it increases resistance to brute-force guessing the most. Also,

8-5

Accounting Information Systems

8.3 The following table lists the actions that various employees are permitted to

perform:

Employee Permitted actions

Able Check customer account balances

Baker Change customer credit limits

Charley Update inventory records for sales and purchases

Denise Add new customers

Use the following codes to complete the access control matrix so that it enables each

employee to perform those specific activities:

0 = no access

1 = read only access

Employee

Customer

Master file

Inventory

Master

File

Payroll

Master File

System Log

Files

Able

Baker 2 0 0 0

Use the following codes:

8-6

Accounting Information Systems

8.4 Which preventive, detective, and/or corrective controls would best mitigate the

following threats?

a. An employee’s laptop was stolen at the airport. The laptop contained personally

identifying information about the company’s customers that could potentially be

used to commit identity theft.

Preventive: Policies against storing sensitive information on laptops and requiring that if

Corrective: Installation of “phone home” software might help the organization either

b. A salesperson successfully logged into the payroll system by guessing the payroll

supervisor’s password.

Preventive: Strong password requirements such as at least an 8-character length, use of

Detective: Locking out accounts after 3-5 unsuccessful login attempts; since this was a

c. A criminal remotely accessed a sensitive database using the authentication

credentials (user ID and strong password) of an IT manager. At the time the

attack occurred, the IT manager was logged into the system at his workstation at

company headquarters.

Preventive: Integrate physical and logical security. In this case, the system should reject

d. An employee received an email purporting to be from her boss informing her of

an important new attendance policy. When she clicked on a link embedded in the

email to view the new policy, she infected her laptop with a keystroke logger.

Preventive: Security awareness training is the best way to prevent such problems.

8-7

Accounting Information Systems

e. A company’s programming staff wrote custom code for the shopping cart feature

on its web site. The code contained a buffer overflow vulnerability that could be

exploited when the customer typed in the ship-to address.

Detective: Make sure programs are thoroughly tested before being put into use

f. A company purchased the leading “off-the-shelf” e-commerce software for

linking its electronic storefront to its inventory database. A customer discovered

a way to directly access the back-end database by entering appropriate SQL

code.

Preventive: Insist on secure code as part of the specifications for purchasing any 3rd party

software.

g. Attackers broke into the company’s information system through a wireless

access point located in one of its retail stores. The wireless access point had been

purchased and installed by the store manager without informing central IT or

security.

Preventive: Enact a policy that forbids installation of unauthorized wireless access

points.

h. An employee picked up a USB drive in the parking lot and plugged it into their

laptop to “see what was on it,” which resulted in a keystroke logger being

installed on that laptop.

Preventive: Security awareness training. Teach employees to never insert USB drives

unless they are absolutely certain of their source.

8-8

Accounting Information Systems

i. Once an attack on the company’s website was discovered, it took more than 30

minutes to determine who to contact to initiate response actions.

Preventive: Document all members of the CIRT and their contact information.

j. To facilitate working from home, an employee installed a modem on his office

workstation. An attacker successfully penetrated the company’s system by

dialing into that modem.

Preventive: Routinely check for unauthorized or rogue modems by dialing all telephone

k. An attacker gained access to the company’s internal network by installing a

wireless access point in a wiring closet located next to the elevators on the fourth

floor of a high-rise office building that the company shared with seven other

companies.

Preventive: Secure or lock all wiring closets.

8-9

Accounting Information Systems

8.5 What are the advantages and disadvantages of the three types of authentication

credentials (something you know, something you have, and something you are)?

Type of Credential Advantages Disadvantages

Something you know + Easy to use

+ Easy to forget or guess

Something you have + Easy to use

+ May require special hardware if

Something you are

(biometric)

+ Strong proof who is presenting the

credential

+ Cost

+ Requires special hardware, so not

8-10

Accounting Information Systems

8.6 a. Use the following facts to assess the time-based model of security for the ABC

Company; how well does the existing system protect ABC? Assume that the best-,

average-, and worst-case estimates are independent for each component of the model.

b. The company is considering investing up to an additional $100,000 to improve its

security. Given the following possibilities, which single investment would you

recommend? Which combination of investments would you recommend? Explain your

answer.

8-11

Accounting Information Systems

8-12