Accounting Chapter 8 Homework The Program Will Then Return Control The Address Pointed The Stack Buffer

Accounting Information

Systems

8-13

8.5 What are the advantages and disadvantages of the three types of authentication

credentials (something you know, something you have, and something you are)?

Type of Credential

Advantages

Disadvantages

Something you

know

+ Easy to use

+ Universal – no special hardware

required

+ Revocable – can cancel and create

new credential if compromised

+ Easy to forget or guess

+ Hard to verify who is

presenting the credential

+ May not notice compromise

immediately

Something you are

(biometric)

+ Strong proof who is presenting the

credential

+ Hard to copy/mimic

+ Cannot be lost, forgotten, or stolen

+ Cost

+ Requires special hardware, so

not universally applicable

+ User resistance. Some people

may object to use of

fingerprints; some culture

groups may refuse face

recognition, etc.

Ch. 8: Information System Controls for Systems Reliability

8-14

8.6 a. Apply the following data to evaluate the time-based model of security for the XYZ

Company. Does the XYZ Company satisfy the requirements of the time-based

model of security? Why?

• Estimated time for attacker to successfully penetrate system = 25 minutes

Solution: XYZ Company is secure under their best case scenario but they do not meet

security requirements under their worst case scenario.

P = 25 Minutes

b. Which of the following security investments to you recommend? Why?

1. Invest $50,000 to increase the estimated time to penetrate the system by 4

minutes

2. Invest $50,000 to reduce the time to detect an attack to between 2 minutes (best

case) and 6 minutes (worst case)

3. Invest $50,000 to reduce the time required to implement corrective actions to

between 4 minutes (best case) and 14 minutes (worst case).

Solution: Option 3 is the best choice because it is the only one that satisfies the time-

Accounting Information

Systems

8-15

8.7 Explain how the following items individually and collectively affect the overall level

of security provided by using a password as an authentication credential.

a. Length – interacts with complexity to determine how hard it is to “guess” a password

or discover it by trial-and-error testing of every combination. Of the two factors,

length is more important because it has the biggest impact on the number of possible

passwords.

b. Complexity requirements (which types of characters are required to be used: numbers,

alphabetic, case-sensitivity of alphabetic, special symbols like $ or !) – interacts with

c. Maximum password age (how often password must be changed) – shorter means more

Ch. 8: Information System Controls for Systems Reliability

8-16

d. Minimum password age (how long a password must be used before it can be changed) –

this combined with history prevents someone from just keeping their same password,

e. Maintenance of password history (how many prior passwords does system remember to

prevent reselection of the same password when required to change passwords) – the

larger this is, the longer the time before someone can reuse a password. For example, a

f. Account lockout threshold (how many failed login attempts before the account is locked)

– this is designed to stop guessing attacks. However, it needs to account for typos,

g. Time frame during which account lockout threshold is applied (i.e., if lockout threshold

is five failed login attempts, time frame is whether those 5 failures must occur within 15

minutes, 1 hour, 1 day, etc.). – Shorter time frames defeat attempts to guess.

h. Account lockout duration (how long the account remains locked after exceeding the

maximum allowable number of failed login attempts) – longer lockouts defeat attempts to

Accounting Information

Systems

8-17

8.8 The chapter briefly discussed the following three common attacks against

applications

a. Buffer overflows

Required

Research each of these three attacks and write a report that explains in detail how

Solution: Reports will vary from student to student; however, the reports should contain

at least some of the following basic facts gathered from the text, cgisecurity.net, and

Wikipedia:

a. Buffer overflows

One of the more common input-related vulnerabilities is what is referred to as a buffer

overflow attack, in which an attacker sends a program more data than it can handle.

Buffer overflows may cause the system to crash or, even worse, may provide a command

prompt, thereby giving the attacker full administrative privileges, and control, of the

device. Because buffer overflows are so common, it is instructive to understand how they

work.

Note that buffer overflows can only occur if the programmer failed to include a check on

the amount of data being input. Thus, sound programming practices can prevent buffer

overflow attacks. Therefore, internal auditors should routinely test all applications

developed in-house to be sure that they are not vulnerable to buffer overflow attacks.

Ch. 8: Information System Controls for Systems Reliability

8-18

b. SQL injection

Many web pages receive an input or a request from web users and then, to address the

input or the request, they create a Structured Query Language (SQL) query for the

c. Cross-site scripting

Cross site scripting (also known as XSS) occurs whenever a web application sends user

input back to the browser without scrubbing it. The problem is that if the input is a script,

the browser will execute it. The attack requires tricking a user into clicking on a

Accounting Information

Systems

8.9 Physical security is extremely important. Read the article “19 Ways to Build

Physical Security into a Data Center,” which appeared in the CSO Magazine

November 2005. (You can find the article at

www.csoonline.com/read/110105/datacenter.html).

Which methods would you expect to find used by almost any major corporation?

Which might likely only be justified at a financial institution?

Solution:

Depending on the sensitivity and value of the data processed and stored at a data center,

all of the 19 methods could be used by a corporation. For example, IBM is extremely

concerned about the loss of data and trade secrets due to disasters and corporate

Method

Any Corporation

Extra methods justified at

a Financial Institution

1. Build on the right spot

X

2. Have redundant utilities

X

3. Pay attention to walls

4. Avoid windows

X

5. Use landscaping for protection

X

6. Keep a 100-foot buffer zone

around the site

X

7. Use retractable crash barriers at

vehicle entry points

X

8. Plan for bomb detection

9. Limit entry points

X

10. Make fire doors exit only

X

11. Use plenty of cameras

X

Ch. 8: Information System Controls for Systems Reliability

8-20

13. Plan for secure air handling

X

14. Ensure nothing can hide in the

walls and ceilings

X

15. Use two-factor authentication

X

17. Watch the exits too

X

19. Install visitor restrooms

X

Accounting Information

Systems

SUGGESTED SOLUTIONS TO THE CASES

CASE 8.1 Costs of Preventive Security

Firewalls are one of the most fundamental and important security tools. You are likely

familiar with the software-based host firewall that you use on your laptop or desktop. Such

firewalls should also be installed on every computer in an organization. However,

organizations also need corporate-grade firewalls, which are usually, but not always,

dedicated special-purpose hardware devices. Conduct some research to identify three

different brands of such corporate-grade firewalls and write a report that addresses the

following points:

• Cost

Specifics of the solution will differ depending upon the brand identified. The instructor may wish

to require students to turn in copies of their source materials. At a minimum, solution should

clearly demonstrate that students understand the different types of firewalls and have read and

understood the review of a product’s ease of configuration and ease of use.

Ch. 8: Information System Controls for Systems Reliability

8-22

CASE 8.2 Developing an Information Security Checklist

Design a checklist for assessing each of the 11 detailed information security control

objectives. The checklist should contain questions to which a Yes response represents a

control strength, a No response represents a control weakness, plus a possible N/A

response.

Provide a brief reason for asking each question. Organize your checklist as follows:

Question

Yes

No

N/A

Reason for asking

1. Is there regular security awareness

training?

Training is one of the most

important preventive

Accounting Information

Systems

8-23

Suggested solution (answers will vary, key is to address each objective)

COBIT

Control

Objective

Possible questions

DS5.1

• Is information security a topic at meetings of the Board of Directors?

• Does the person responsible for information security report to the C-suite?

DS5.3

• Do all employees have unique user IDs?

• Are all employees required to use passwords?

• Are there policies to ensure that passwords are sufficiently strong?

• Are access rights assigned by employee role?

• Are access rights approved by management?

DS5.5

• Are there periodic vulnerability assessments?

• Are there periodic penetration tests?

• Is logging enabled?

• Are logs regularly reviewed?

Ch. 8: Information System Controls for Systems Reliability

DS5.7

• Is documentation related to firewalls and IPS stored securely and with

restricted access?

• Are firewalls and other security devices protected with appropriate logical

and physical access controls?

DS5.8

• Is sensitive information encrypted?

• Are there procedures for issuing and revoking encryption keys?

• Are patches applied on a timely basis?