Accounting Chapter 8 Homework The Program Will Then Return Control The Address Pointed The Stack Buffer

Type: Homework Help
Pages: 9
Words: 2697
Authors: Marshall B. Romney, Paul J. Steinbart

Accounting Information Systems
8.5 What are the advantages and disadvantages of the three types of authentication
credentials (something you know, something you have, and something you are)?
Type of Credential: Something you know
Advantages:
+ Easy to use
+ Universal - no special hardware required
+ Revocable - can cancel and create new credential if compromised
Disadvantages:
+ Easy to forget or guess
+ Hard to verify who is presenting the credential
+ May not notice compromise immediately

Type of Credential: Something you are (biometric)
Advantages:
+ Strong proof who is presenting the credential
+ Hard to copy/mimic
+ Cannot be lost, forgotten, or stolen
Disadvantages:
+ Cost
+ Requires special hardware, so not universally applicable
+ User resistance. Some people may object to use of fingerprints; some culture groups may refuse face recognition, etc.
Ch. 8: Information System Controls for Systems Reliability
8.6 a. Apply the following data to evaluate the time-based model of security for the XYZ
Company. Does the XYZ Company satisfy the requirements of the time-based
model of security? Why?
Estimated time for attacker to successfully penetrate system = 25 minutes
Solution: XYZ Company is secure under its best-case scenario, but it does not meet the
security requirements under its worst-case scenario.
P = 25 Minutes
b. Which of the following security investments do you recommend? Why?
1. Invest $50,000 to increase the estimated time to penetrate the system by 4
minutes
2. Invest $50,000 to reduce the time to detect an attack to between 2 minutes (best
case) and 6 minutes (worst case)
3. Invest $50,000 to reduce the time required to implement corrective actions to
between 4 minutes (best case) and 14 minutes (worst case).
Solution: Option 3 is the best choice because it is the only one that satisfies the time-
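The time-based model compares the attacker's penetration time P against detection time D plus correction time C, and the control set is adequate only when P > D + C in every case. The following added example (not part of the solutions manual) evaluates the three investment options from part b against a baseline. P = 25 minutes comes from the exercise; the baseline D and C ranges are constructed assumptions, chosen so that the baseline is secure only in the best case, as the solution states.

```python
def is_secure(P, D, C):
    """Time-based model of security: controls are adequate when the time an
    attacker needs to penetrate the system (P) exceeds the time to detect the
    attack (D) plus the time to correct it (C), i.e. P > D + C."""
    return P > D + C


def evaluate(P, D_range, C_range):
    """Evaluate a scenario where D and C are given as (best, worst) ranges.
    Returns (secure_in_best_case, secure_in_worst_case)."""
    d_best, d_worst = D_range
    c_best, c_worst = C_range
    return is_secure(P, d_best, c_best), is_secure(P, d_worst, c_worst)


# P = 25 minutes is given in the exercise.  The baseline D and C ranges are
# assumed (constructed) values: the page does not show them.  They are chosen
# so the baseline is secure in the best case but not in the worst case.
BASE_P = 25
BASE_D = (5, 10)    # assumed minutes to detect, (best, worst)
BASE_C = (10, 20)   # assumed minutes to correct, (best, worst)


def compare_investments():
    """Apply each of the three $50,000 options from part b to the baseline."""
    options = {
        "baseline": (BASE_P, BASE_D, BASE_C),
        "option 1: P + 4 minutes": (BASE_P + 4, BASE_D, BASE_C),
        "option 2: D between 2 and 6 minutes": (BASE_P, (2, 6), BASE_C),
        "option 3: C between 4 and 14 minutes": (BASE_P, BASE_D, (4, 14)),
    }
    return {name: evaluate(P, D, C) for name, (P, D, C) in options.items()}


if __name__ == "__main__":
    for name, (best, worst) in compare_investments().items():
        print(f"{name:40s} best case secure: {best}  worst case secure: {worst}")
```

Under these assumed figures only option 3 makes the worst case satisfy P > D + C; options 1 and 2 each leave the worst-case sum at or above the penetration time. Changing the assumed baseline changes which option wins, which is the point of the model: the investment that helps is the one that closes the gap in the worst case.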
8.7 Explain how the following items individually and collectively affect the overall level
of security provided by using a password as an authentication credential.
a. Length: interacts with complexity to determine how hard it is to "guess" a password
or discover it by trial-and-error testing of every combination. Of the two factors,
length is more important because it has the biggest impact on the number of possible
passwords.
b. Complexity requirements (which types of characters are required to be used: numbers,
alphabetic, case-sensitivity of alphabetic, special symbols like $ or !): interacts with
c. Maximum password age (how often the password must be changed): shorter means more
d. Minimum password age (how long a password must be used before it can be changed):
this combined with history prevents someone from just keeping their same password,
e. Maintenance of password history (how many prior passwords the system remembers to
prevent reselection of the same password when required to change passwords): the
larger this is, the longer the time before someone can reuse a password. For example, a
f. Account lockout threshold (how many failed login attempts before the account is locked):
this is designed to stop guessing attacks. However, it needs to account for typos,
g. Time frame during which the account lockout threshold is applied (i.e., if the lockout threshold
is five failed login attempts, the time frame is whether those 5 failures must occur within 15
minutes, 1 hour, 1 day, etc.): shorter time frames defeat attempts to guess.
h. Account lockout duration (how long the account remains locked after exceeding the
maximum allowable number of failed login attempts): longer lockouts defeat attempts to
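Items a and b (length versus complexity) and items f through h (lockout threshold, time frame and duration) can both be made concrete in code. The following is an added example, not part of the solutions manual: the first two functions count the possible passwords a policy allows, and the `LockoutPolicy` class is an assumed, simplified implementation of a threshold-within-window lockout of the kind the text describes. The character-set sizes (26 letters per case, 10 digits, and an assumed 32 symbols) are illustrative choices.

```python
import math
from collections import defaultdict, deque


def charset_size(lower=True, upper=False, digits=False, symbols=False, symbol_count=32):
    """Distinct characters a password may contain under a complexity rule.
    26 lowercase, 26 uppercase, 10 digits; the symbol set size is an assumption."""
    return 26 * lower + 26 * upper + 10 * digits + symbol_count * symbols


def keyspace(length, size):
    """Number of possible passwords of exactly `length` characters drawn from
    `size` distinct characters.  Length is the exponent, which is why it
    outweighs complexity (the base) as length grows."""
    return size ** length


def keyspace_bits(length, size):
    """Same quantity expressed in bits of guessing effort."""
    return length * math.log2(size)


class LockoutPolicy:
    """Lock an account after `threshold` failures inside a sliding window of
    `window_seconds`; the lock lasts `lockout_seconds`.  Times are plain
    seconds so the behaviour can be tested without a clock."""

    def __init__(self, threshold, window_seconds, lockout_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self.duration = lockout_seconds
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> time the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Record one failed login at time `now`; return True if the account is
        (or has just become) locked."""
        if self.is_locked(user, now):
            return True
        recent = self._failures[user]
        recent.append(now)
        # Drop failures that fall outside the time frame (item g): only
        # failures within the window count toward the threshold (item f).
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.duration   # item h
            recent.clear()
            return True
        return False

    def record_success(self, user):
        """A successful login clears the failure history for that user."""
        self._failures.pop(user, None)


if __name__ == "__main__":
    print("8 lowercase:", keyspace(8, charset_size()))
    print("8 mixed + digits + symbols:", keyspace(8, charset_size(True, True, True, True)))
    print("12 lowercase:", keyspace(12, charset_size()))
```

With these numbers a 12-character lowercase-only password has a larger keyspace than an 8-character password drawn from all 94 characters, which is the text's point that length matters more than complexity. The lockout test below uses a threshold of five failures within 15 minutes and a 30-minute lock, the example parameters from item g.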
8.8 The chapter briefly discussed the following three common attacks against
applications
a. Buffer overflows
Required
Research each of these three attacks and write a report that explains in detail how
Solution: Reports will vary from student to student; however, the reports should contain
at least some of the following basic facts gathered from the text, cgisecurity.net, and
Wikipedia:
a. Buffer overflows
One of the more common input-related vulnerabilities is what is referred to as a buffer
overflow attack, in which an attacker sends a program more data than it can handle.
Buffer overflows may cause the system to crash or, even worse, may provide a command
prompt, thereby giving the attacker full administrative privileges, and control, of the
device. Because buffer overflows are so common, it is instructive to understand how they
work.
Note that buffer overflows can only occur if the programmer failed to include a check on
the amount of data being input. Thus, sound programming practices can prevent buffer
overflow attacks. Therefore, internal auditors should routinely test all applications
developed in-house to be sure that they are not vulnerable to buffer overflow attacks.
b. SQL injection
Many web pages receive an input or a request from web users and then, to address the
input or the request, they create a Structured Query Language (SQL) query for the
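The mechanism the text describes, a query assembled from the user's request, can be shown side by side with the control that prevents it. The following is an added example and not code from the textbook: it builds a constructed in-memory SQLite table, looks a user up first with string concatenation (the vulnerable pattern) and then with a parameterized query, and shows that the same quote-bearing input changes the query's meaning in the first case and is treated as plain data in the second.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable pattern: the request value is concatenated into the SQL text,
    so a quote character in the input changes the structure of the query
    instead of being compared as part of a username."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' ORDER BY username")
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Hardened pattern: a parameterized query keeps the SQL text fixed and
    hands the input to the database as a value, so it can only ever be
    compared literally against the column."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"   # the classic textbook input, constructed here
    print("unsafe, normal input :", find_user_unsafe(conn, "alice"))
    print("unsafe, crafted input:", find_user_unsafe(conn, crafted))
    print("safe,   crafted input:", find_user_safe(conn, crafted))
```

For an auditor, the check is a code-review question rather than a runtime one: every place a request value reaches the database should go through a parameter placeholder (the `?` above) or an equivalent prepared statement, never through string concatenation or formatting.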
c. Cross-site scripting
Cross site scripting (also known as XSS) occurs whenever a web application sends user
input back to the browser without scrubbing it. The problem is that if the input is a script,
the browser will execute it. The attack requires tricking a user into clicking on a
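The "scrubbing" the text refers to is output encoding: user input is escaped before it is written back into the page so the browser shows it as text. The following is an added example, not code from the textbook. It renders a constructed list of comments two ways, once echoing the input directly and once through `html.escape`, and uses the standard-library HTML parser to list which elements a browser would actually see in each rendering.

```python
import html
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Records every element start tag present in a document."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(document):
    """Return the element names a browser would parse out of `document`."""
    parser = TagCollector()
    parser.feed(document)
    parser.close()
    return parser.tags


def render_comments_unsafe(comments):
    """Vulnerable: user input is written straight into the page, so any markup
    inside a comment (including a script element) becomes part of the page."""
    return "<ul>" + "".join("<li>" + c + "</li>" for c in comments) + "</ul>"


def render_comments_safe(comments):
    """Hardened: user input is HTML-escaped before it is echoed, so < > & and
    quotes are rendered as literal characters rather than interpreted as markup."""
    return ("<ul>" + "".join("<li>" + html.escape(c, quote=True) + "</li>"
                             for c in comments) + "</ul>")


# Constructed sample input: one ordinary comment and one that carries markup.
SAMPLE_COMMENTS = ["Great post!", "<script>alert('xss')</script>"]


def user_markup_executed(render):
    """True if the renderer lets a script element from user input into the page."""
    return "script" in tags_in(render(SAMPLE_COMMENTS))


if __name__ == "__main__":
    print("unsafe rendering elements:", tags_in(render_comments_unsafe(SAMPLE_COMMENTS)))
    print("safe rendering elements:  ", tags_in(render_comments_safe(SAMPLE_COMMENTS)))
```

The parser view is the useful part for a reviewer: the escaped rendering contains only the page's own `ul` and `li` elements, so nothing the user typed is interpreted as code. Escaping must match the context the value lands in (element text here; attributes, URLs and JavaScript each need their own encoding), which is why frameworks' templating engines escape by default.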
8.9 Physical security is extremely important. Read the article “19 Ways to Build
Physical Security into a Data Center,” which appeared in the CSO Magazine
November 2005. (You can find the article at
www.csoonline.com/read/110105/datacenter.html).
Which methods would you expect to find used by almost any major corporation?
Which might likely only be justified at a financial institution?
Solution:
Depending on the sensitivity and value of the data processed and stored at a data center,
all of the 19 methods could be used by a corporation. For example, IBM is extremely
concerned about the loss of data and trade secrets due to disasters and corporate
Method / Any Corporation / Extra methods justified at a Financial Institution
1. Build on the right spot
X
5. Use landscaping for protection
X
6. Keep a 100-foot buffer zone around the site
X
7. Use retractable crash barriers at vehicle entry points
X
13. Plan for secure air handling
X
14. Ensure nothing can hide in the walls and ceilings
X
15. Use two-factor authentication
X
SUGGESTED SOLUTIONS TO THE CASES
CASE 8.1 Costs of Preventive Security
Firewalls are one of the most fundamental and important security tools. You are likely
familiar with the software-based host firewall that you use on your laptop or desktop. Such
firewalls should also be installed on every computer in an organization. However,
organizations also need corporate-grade firewalls, which are usually, but not always,
dedicated special-purpose hardware devices. Conduct some research to identify three
different brands of such corporate-grade firewalls and write a report that addresses the
following points:
Cost
Specifics of the solution will differ depending upon the brand identified. The instructor may wish
to require students to turn in copies of their source materials. At a minimum, the solution should
clearly demonstrate that students understand the different types of firewalls and have read and
understood the review of a product's ease of configuration and ease of use.
CASE 8.2 Developing an Information Security Checklist
Design a checklist for assessing each of the 11 detailed information security control
objectives. The checklist should contain questions to which a Yes response represents a
control strength, a No response represents a control weakness, plus a possible N/A
response.
Provide a brief reason for asking each question. Organize your checklist as follows:
Question / Yes / No / N/A / Reason for asking
1. Is there regular security awareness
training?
Training is one of the most
important preventive
Suggested solution (answers will vary; the key is to address each objective)
COBIT Control Objective / Possible questions
DS5.1
Does the person responsible for information security report to the C-suite?
DS5.3
Do all employees have unique user IDs?
Are all employees required to use passwords?
Are there policies to ensure that passwords are sufficiently strong?
Are access rights assigned by employee role?
Are access rights approved by management?
DS5.5
Are there periodic vulnerability assessments?
Are there periodic penetration tests?
Is logging enabled?
Are logs regularly reviewed?
DS5.7
Is documentation related to firewalls and IPS stored securely and with
restricted access?
Are firewalls and other security devices protected with appropriate logical
and physical access controls?
DS5.8
Is sensitive information encrypted?
Are there procedures for issuing and revoking encryption keys?
