Accounting Chapter 8 Homework Software Code That Can Used Take Advantage Flaw And Compromise System R

Accounting Information

Systems

CHAPTER 8

INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY

Part 1: Information Security

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

8.1 Explain why an organization would want to use all of the following information

security controls: firewalls, intrusion prevention systems, intrusion detection

systems, and a CIRT.

Using this combination of controls provides defense-in-depth. Firewalls and intrusion

8.2 What are the advantages and disadvantages of having the person responsible for

information security report directly to the chief information officer (CIO), who has

overall responsibility for all aspects of the organization’s information systems?

It is important for the person responsible for security (the CISO) to report to senior

management. Having the person responsible for information security report to a member

of the executive committee such as the CIO, formalizes information security as a top

management issue.

Ch. 8: Information System Controls for Systems Reliability

8-2

8.3 Reliability is often included in service level agreements (SLAs) when outsourcing.

The toughest thing is to decide how much reliability is enough. Consider an

application like e-mail. If an organization outsources its e-mail to a cloud provider,

what is the difference between 95%, 99%, 99.99%, and 99.9999% reliability?

The differences in promised reliability levels over the course of a year in terms of days

when the e-mail system may not work are:

8.4 What is the difference between authentication and authorization?

Authentication and authorization are two related controls designed to restrict access to an

organization’s information systems and resources.

8.5 What are the limitations, if any, of relying on the results of penetration tests to

assess the overall level of security?

Penetration testing provides a rigorous way to test the effectiveness of an organization’s

computer security by attempting to break into the organization’s information system.

Internal audit and external security consulting team perform penetration tests in which

Accounting Information

Systems

8-3

8.6 Security awareness training is necessary to teach employees “safe computing”

practices. The key to effectiveness, however, is that it changes employee behavior.

How can organizations maximize the effectiveness of their security awareness

training programs?

Top management support is always essential for the success of any program an entity

undertakes. Thus, top management support and participation in security awareness

training is essential to maximize its impact on the employees and managers of the firm.

8.7 What is the relationship between COSO, COBIT, and the AICPA’s Trust Services

frameworks?

COSO is a broad framework that describes the various components of internal control. It

does not, however, provide any details about IT controls.

Ch. 8: Information System Controls for Systems Reliability

8-4

SUGGESTED SOLUTIONS TO THE PROBLEMS

8.1 Match the following terms with their definitions:

Term

Definition

__d__ 1. Vulnerability

a. Code that corrects a flaw in a program.

__s__ 2. Exploit

b. Verification of claimed identity.

__b__ 3. Authentication

c. The firewall technique that filters

traffic by comparing the information in

packet headers to a table of established

connections.

__m__ 4. Authorization

d. A flaw or weakness in a program.

compromise a system.

the Internet but separate from the

organization to the Internet.

__j__ 8. social engineering

h. The rules (protocol) that govern routing

of packets across networks.

__k__ 9. firewall

i. The rules (protocol) that govern the

division of a large file into packets and

subsequent reassembly of the file from

those packets.

obtain access.

security by filtering packets.

and incidents.

permitted to perform.

disabling of unnecessary programs and

features.

Accounting Information

Systems

8-5

(IP) to send packets across networks.

__g__ 16. border router

p. A detective control that identifies

weaknesses in devices or software.

__p__ 17. vulnerability scan

__e__ 18. penetration test

by a vendor to fix a problem in that

_r___ s. patch management

s. Software code that can be used to take

advantage of a flaw and compromise a

system.

_v___ t. cloud computing

packet.

u. The process of running multiple

machines on one physical server.

t. A firewall technique that filters traffic

by examining not just packet header

information but also the contents of a

8.2 Install and run the latest version of the Microsoft Baseline Security Analyzer on

your home computer or laptop. Write a report explaining the weaknesses identified

by the tool and how to best correct them. Attach a copy of the MBSA output to your

report.

Solution: will vary for each student. Examples of what to expect (from a computer

running Windows 7 follow:

Ch. 8: Information System Controls for Systems Reliability

8-6

8-7

2. Next is a section about user accounts and Windows settings:

3. Then there is a section about other system information

Ch. 8: Information System Controls for Systems Reliability

8-8

Accounting Information

Systems

8.3 The following table lists the actions that various employees are permitted to

perform:

Employee

Permitted actions

Able

Check customer account balances

Check inventory availability

Complete the following access control matrix so that it enables each employee to perform

those specific activities:

Employee

Customer

Master file

Inventory

Master

File

Payroll

Master File

System Log

Files

Able

1

0

2

0

2

0

1

Use the following codes:

0 = no access

1 = read only access

2 = read and modify records

3= read, modify, create, and delete records

Ch. 8: Information System Controls for Systems Reliability

8-10

8.4 Which preventive, detective, and/or corrective controls would best mitigate the

following threats?

a. An employee’s laptop was stolen at the airport. The laptop contained personally

identifying information about the company’s customers that could potentially be

used to commit identity theft.

Preventive: Policies against storing sensitive information on laptops and requiring that if

any such information must exist on the laptop that it be encrypted.

b. A salesperson successfully logged into the payroll system by guessing the payroll

supervisor’s password.

Preventive: Strong password requirements such as at least an 8 character length, use of

c. A criminal remotely accessed a sensitive database using the authentication

credentials (user ID and strong password) of an IT manager. At the time the attack

occurred, the IT manager was logged into the system at his workstation at company

headquarters.

Preventive: Integrate physical and logical security. In this case, the system should reject

d. An employee received an email purporting to be from her boss informing her of an

important new attendance policy. When she clicked on a link embedded in the email

to view the new policy, she infected her laptop with a keystroke logger.

Preventive: Security awareness training is the best way to prevent such problems.

Employees should be taught that this is a common example of a sophisticated phishing

scam.

Accounting Information

Systems

8-11

e. A company’s programming staff wrote custom code for the shopping cart feature on

its web site. The code contained a buffer overflow vulnerability that could be

exploited when the customer typed in the ship-to address.

Preventive: Teach programmers secure programming practices, including the need to

carefully check all user input.

f. A company purchased the leading “off-the-shelf” e-commerce software for linking

its electronic storefront to its inventory database. A customer discovered a way to

directly access the back-end database by entering appropriate SQL code.

Preventive: Insist on secure code as part of the specifications for purchasing any 3rd

party software.

g. Attackers broke into the company’s information system through a wireless access

point located in one of its retail stores. The wireless access point had been purchased

and installed by the store manager without informing central IT or security.

Preventive: Enact a policy that forbids installation of unauthorized wireless access

points.

Ch. 8: Information System Controls for Systems Reliability

8-12

h. An employee picked up a USB drive in the parking lot and plugged it into their

laptop to “see what was on it,” which resulted in a keystroke logger being installed

on that laptop.

Preventive: Security awareness training. Teach employees to never insert USB drives

i. Once an attack on the company’s website was discovered, it took more than 30

minutes to determine who to contact to initiate response actions.

Preventive: Document all members of the CIRT and their contact information.

j. To facilitate working from home, an employee installed a modem on his office

workstation. An attacker successfully penetrated the company’s system by dialing

into that modem.

Preventive: Routinely check for unauthorized or rogue modems by dialing all telephone

k. An attacker gained access to the company’s internal network by installing a wireless

access point in a wiring closet located next to the elevators on the fourth floor of a

high-rise office building that the company shared with seven other companies.

Preventive: Secure or lock all wiring closets.