CHAPTER 7
INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
7.1
1. Encryption is the final layer of preventative controls in that encrypting data
provides a barrier against an intruder who has obtained access to company data. Encryption
employing a digital signature and a public key infrastructure (PKI) can also strengthen
authentication procedures and helps to ensure and verify the validity of e-business
transactions. The digital signature is some sort of identifying information about the signer
that is encrypted with the signer's private key. This identifying information can only be
decrypted using the corresponding public key. Since a private key is known only to its
owner, only the owner can have created the digital signature. Thus, digital signatures can
be used to authenticate a particular party involved in a transaction as being the creator of
a document. This provides for nonrepudiation: the creator of the digital signature cannot
deny having signed a document. A digital certificate is an electronic document, digitally
signed by a trusted third party, that certifies the identity of the owner of a pair of public
and private keys. The PKI is the system used to process and manage the public and private
keys used in digital signatures and digital certificates. An organization that handles
digital certificates is called a certificate authority.
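The sign-with-private-key, verify-with-public-key flow and the certificate check described above, carried through as an added Python example that is not part of the original answer key. It uses a toy RSA built from tiny hard-coded primes and constructed names (a CA, a signer "alice", an impostor "mallory") purely to show why only the private-key holder can produce a signature the public key verifies, and why the relying party checks the CA's signature on the certificate first.

```python
import hashlib

# Toy RSA built from tiny, hard-coded primes (constructed for illustration
# only; real keys are thousands of bits long and generated at random).
def make_keypair(p, q, e=65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)        # (public key, private key)

def digest(message: bytes, n: int) -> int:
    """Hash the document and reduce the hash into the key's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """Digital signature: the document's digest 'encrypted' with the private key."""
    n, d = private_key
    return pow(digest(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Decrypt the signature with the public key and compare with a fresh
    digest.  Only the holder of the matching private key could have produced
    a value that passes this check, which is what gives nonrepudiation."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)

def cert_body(subject: str, public_key) -> bytes:
    """The part of a certificate the CA signs: who owns which public key."""
    n, e = public_key
    return f"{subject}|{n}|{e}".encode()

def issue_certificate(ca_private_key, subject: str, public_key) -> dict:
    """Digital certificate: the owner's identity and public key, signed by the
    certificate authority (the trusted third party)."""
    return {
        "subject": subject,
        "public_key": public_key,
        "ca_signature": sign(cert_body(subject, public_key), ca_private_key),
    }

def verify_signed_document(document: bytes, signature: int,
                           certificate: dict, ca_public_key) -> bool:
    """What a relying party does: trust the certificate only if the CA's
    signature on it checks out, then check the document signature with the
    public key the certificate vouches for."""
    body = cert_body(certificate["subject"], certificate["public_key"])
    if not verify(body, certificate["ca_signature"], ca_public_key):
        return False                      # certificate was not issued by our CA
    return verify(document, signature, certificate["public_key"])

# Constructed demo keys: the CA, a legitimate signer and an impostor.
CA_PUBLIC, CA_PRIVATE = make_keypair(1000003, 1000033)
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(1000037, 1000039)
MALLORY_PUBLIC, MALLORY_PRIVATE = make_keypair(1000081, 1000099)
ALICE_CERT = issue_certificate(CA_PRIVATE, "alice@example.com", ALICE_PUBLIC)

if __name__ == "__main__":
    bid = b"Bid: $1,250,000 for contract 42"       # constructed document
    sig = sign(bid, ALICE_PRIVATE)
    print("genuine:", verify_signed_document(bid, sig, ALICE_CERT, CA_PUBLIC))
    print("altered:", verify_signed_document(bid + b"0", sig, ALICE_CERT, CA_PUBLIC))
```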
2. The effectiveness of control procedures depends on how well employees understand and
follow the organization's security policies. If all employees are taught proper security
measures and taught to follow safe computing practices, such as never opening unsolicited
email attachments, using only approved software, not sharing or revealing passwords, and
taking steps to physically protect laptops, company-wide security will increase.
3. Firewalls use hardware and software to block unauthorized access to the company's
system.
4. An intrusion detection system (IDS) creates logs of network traffic that was permitted to
pass the firewall and then analyzes those logs for signs of attempted or successful intrusions.
This provides a means to monitor the number of attempted intrusions successfully blocked
by the firewall, and can provide early warning signals that the organization is being targeted.
5. A virtual private network (VPN) is a network that controls access to a company's
extranet by using encryption, identification, and authentication tools and techniques.
(Definition from the text's glossary, p.794, 10th ed.)
Additional facts: A virtual private network (VPN) increases system reliability by encrypting
data prior to sending it over the Internet. The data is then decrypted once it arrives at its
intended destination. Thus, a private network is created using the Internet as the network
connection and encryption as the method to make it private and secure the data from public
disclosure.
7.2
Having the person responsible for information security report directly to the Chief
Information Officer (CIO) raises the visibility, and therefore the perceived importance, of
information security to all levels of management and to the company at large. Security must
be recognized as a top management issue; having the information security officer report to a
member of the executive committee, such as the CIO, formalizes information security as a
top management issue. One potential disadvantage is that the CIO may not always react
favorably to reports indicating that shortcuts have been taken with regard to security,
especially in situations where following the recommendations for increased security
spending could result in failure to meet budgeted goals. Thus, just as the effectiveness of the
internal audit function is improved by having it report to someone other than the CFO, the
security function may also be more effective if it reports to someone who does not have
responsibility for information systems operations.
7.3
The most effective auditor is a person who has training and experience as an auditor and
training and experience as an information systems or computer specialist. However, few
people have such an extensive background, and personnel training and development are
both expensive and time consuming. So, many organizations may find it necessary to
accept some tradeoffs in staffing the Information Systems audit function. Since auditors
generally work in teams, one common solution is to include members who have computer
training and experience. Then, as audit teams are created for specific purposes, care
should be taken to ensure that the members of each audit team have an appropriate mix of
skills and experience. However, in today's technological age, all internal and external
auditors on an audit engagement team must have a sound understanding of basic
information security concepts so that during the course of an audit, they are able to
identify, report, and communicate security risks and exposures to the security specialists
on the audit team for further assessment and investigation.
7.4
To provide absolute information security an organization must follow Jeff Richards' Laws
of Data Security:
1. Don't buy a computer.
2. If you buy a computer, don't turn it on.
As this humorous solution indicates, there is no way to make a system absolutely secure.
However, as discussed in the text, there are numerous methods to make a system more
secure.
7.5
Top management support is always essential for the success of any program an entity
undertakes. Thus, top management support and participation in security awareness
training is essential to maximize its impact on the employees and managers of the firm.
Effective instruction and hands-on active learning techniques will also help to maximize
the benefit of training. Many employees have extensive experience and/or expertise in
security; these employees should be involved in the design and execution of the security
training. Real-life examples should be used throughout the training so that employees can
view, or at least visualize, the exposures and threats they face as well as the controls in
place to address them. Role-playing has been shown to be an effective method to
maximize security awareness training, especially with regard to social engineering attack
training.
7.7
The total quality movement focuses on continuous improvement and the elimination of
errors. Security, like quality, is a moving target which can always be improved. Another
similarity is the need for active top management support. The focus on quality only began
to achieve momentum when top management supported the up-front investment costs to
improve quality and refused to accept the argument that the benefits of further
improvements in quality did not justify the costs required to attain them. Similarly, top
management needs to actively support the goal of ever-improving levels of security and
the investment necessary to achieve that result.
7.8
What are the advantages and disadvantages of biometric security devices, such as
fingerprint readers, in comparison with other security measures such as passwords and
locked doors?
The advantages of biometric security devices include:
Providing security advantages over traditional methods because physical traits are
almost impossible to duplicate.
Ease of use.
Nonbiometric access methods such as passwords and keys can be stolen and used by
others, lost, or forgotten. It is easier for someone else to get access to tokens, smart
cards, or passwords and use them to gain entry to the system. As such, the greatest
advantage of biometric devices is that they ARE the person and so cannot be lost, stolen,
or forgotten.
Drawbacks to such devices include:
Users may not accept certain types of biometric methods. For example, in some
cultures, fingerprints may have negative connotations that preclude their widespread
use for authentication.
A company wrote custom code for the shopping cart feature on its web site. The code contained a
buffer overflow vulnerability that could be exploited when the customer typed in the ship-to
address.
Solution: Teach programmers secure programming practices, including the need to carefully check
all user input. It is also important for management to support the commitment to secure coding
practices, even if that means a delay in completing, testing, and deploying new programs. Useful
detective controls include making sure programs are thoroughly tested before being put into use
and having internal auditors routinely test in-house developed software.
g. A company purchased the leading off-the-shelf e-commerce software for linking its electronic
storefront to its inventory database. A customer discovered a way to directly access the back-end
database by entering appropriate SQL code.
Solution: Insist on secure code as part of the specifications for purchasing any third-party software.
Thoroughly test the software prior to use. Employ a patch management program so that any
vendor-provided fixes and patches are immediately implemented.
h. Attackers broke into the company's information system through a wireless access point located in
one of its retail stores. The wireless access point had been purchased and installed by the store
manager without informing central IT or security.
Solution: Enact a policy that forbids any implementation of unauthorized wireless access points.
Conduct routine audits for unauthorized or rogue wireless access points.
i. An employee picked up a USB drive in the parking lot and plugged it into their laptop to see what
was on it, which resulted in a keystroke logger being installed on that laptop.
Solution: The best preventive control is security awareness training. Teach employees to never
insert USB drives unless they are absolutely certain of their source. In addition, employ anti-spyware
software that automatically checks and cleans all detected spyware on an employee's
computer as part of the logon process for accessing a company's information system.
j. A competitor intercepted the company's bid for a lucrative contract that was emailed to the local
government's web site. The competitor used the information contained in the email to successfully
underbid and win the contract.
Solution: Encrypt sensitive files sent via email. Send sensitive files over a secure channel.
k. When an earthquake destroyed the company's main data center, the CIO spent half a day trying to
figure out who in the organization needed to be contacted in order to implement the company's cold
site agreement.
Solution: Implement and document emergency response procedures. Periodic testing would likely
uncover any such problems prior to an actual disaster.
l. Although logging was enabled, the information security staff did not review the logs early enough
to detect and stop an attack that resulted in the theft of information about a new strategic initiative.
Solution: Implement and enforce log review and analysis policies by proper management oversight
of the information security staff or contract with a security information management service to
perform such analysis.
m. To facilitate working from home, an employee installed a modem on his office workstation. An
attacker successfully penetrated the company's system by dialing into that modem.
Solution: Routinely check for unauthorized or rogue modems by dialing all telephone numbers
assigned to the company and identifying those connected to modems.
7.2
Solution: The article in the Journal of Accountancy is very well written and the instructions are
easy to follow. If students follow the instructions they will have no problem completing the
problem and will learn a new tool for Excel. It is expected that the instructor will familiarize
themselves with the article prior to grading the assignment; however, the following are some
screenshots of what the instructor may expect from student submissions.
Part b.
7.3
Access control matrix (columns: Inventory Update Program, Payroll Master File, Inventory
Master File, System Log Files; rows: Salesperson, Payroll clerk, Human Resources Manager,
Payroll Programmer, Inventory Programmer, CISO, System User).

The Microsoft Baseline Security Analyzer (MBSA) allows users to scan a computer for
common security misconfigurations. MBSA will scan the operating system and other
installed components, such as Internet Information Services (IIS) and SQL Server, for
security misconfigurations and check whether or not they are up to date with respect to
recommended security updates. Grading depends upon the instructor's judgment about the
quality of the report. The MBSA will provide a list of weaknesses and how to correct
those weaknesses.
7.5
Grading depends upon the instructor's judgment about the quality of the report; however, the
student's report should contain the student's perspective on how these websites promote
computer security and controls.
The SANS Institute (www.sans.org) is basically a commercial site selling security training.
However, the site does contain over 1500 white papers on computer security that are
divided into 71 different categories that range from Acceptable Use to Work Monitoring.
Students should be able to find articles on almost any topic of interest to them about
auditing.
The National Security Agency (www.nsa.gov) is a governmental website that explains and
promotes the National Security Agency. Of interest to auditors is their work on data
security. The work that is publicly available can be accessed from their Research link
which lists their published scholarly work and work presented at conferences. Many
articles deal with software, data, and systems security.
The Information Systems Audit and Control Association (www.isaca.org) is a very
extensive source of information for the auditor. Just about anything on this website would
be of use to an auditor depending on their level of experience and responsibility. Since this
website is so extensive, instructors may want to recommend that students limit this portion
of their report to three areas of student interest on the web site.
The Information Systems Security Association (www.issa.org) is the website for a
professional organization on security. Students will find whitepapers and webcasts on all
security topics of general and specific interest. The drawback for this website is that
access is limited to members. There is a student membership available for $30 and a free
90-day trial membership. Students will have to join the organization as a student or trial
member to gain access to the information contained in the website.
CERT (www.cert.org) is the website for the Carnegie Mellon University Software
Engineering Institute (SEI). The website is a good resource for information about
software assurance, secure systems, organizational security, and coordinated response.
The resources available are extensive, but they are also written for academics, so they may
be a little deep for some students who have little experience with programming.
The American Institute of Certified Public Accountants (www.aicpa.org) is an excellent
website for information pertinent to auditors. Students may access the website and the
associated journal articles that target professionals. Students will have an easier time
accessing and reading the information contained in this website since the target audience is
accounting professionals.
The National Institute of Standards (www.nist.gov) is a government sponsored website.
The Computer Security Division is the link within the site that is of the greatest interest
and use for accounting students. It contains a great deal of information on computer
security.
The Computer Crime and Intellectual Property Section of the U.S. Department of Justice
(www.cybercrime.gov) is another government website that provides information related to
cyber crime in the form of news releases and cases. The case summaries located in the news
releases will be of the most use to the students.
7.6
Grading depends upon the instructor's judgment about the quality of the report. Beware that
although the Center for Internet Security does not charge for their benchmarking software
downloads, they do require that the student register with their organization. Some
students may object to this. In addition, it is unlikely that a lab administrator will allow
students to download any software to lab hardware.
7.7
a. XYZ Company is secure under its best case scenario but does not meet security
requirements under its worst case scenario.
P = 25 minutes
D = 5 minutes (best case), 10 minutes (worst case)
C = 6 minutes (best case), 20 minutes (worst case)
Time-based model: P > D + C
Best case scenario: P is greater than D + C (25 > 5 + 6)
Worst case scenario: P is less than D + C (25 < 10 + 20)
Currently, under the worst case scenario, security is ineffective. As shown by the following
table, any of the 3 options will result in effective security, even under the worst case
scenario.
Situation            Cost Differential  Protection Time  Detection Time  Correction Time
Current best case    $0                 25               5               6
Current worst case   $0                 25               10              20
Option 1 best case   $50,000            35               5               6
Option 1 worst case  $50,000            35               10              20
Option 2 best case   $40,000            25               1               6
Option 2 worst case  $40,000            25               4               20
Option 3 best case   $60,000            25               5               4
Option 3 worst case  $60,000            25               10              10
Cost effectiveness can be assessed in several ways. Perhaps the simplest is to calculate the cost
per minute improvement, as follows:
Option 1: Costs of $50,000 will provide 10 minutes better protection = $5,000 per minute.
Option 2: Costs of $40,000 will cut detection time by 4 to 6 minutes = $6,667 to $10,000 per
minute
Option 3: Costs of $60,000 will cut response time by 2 to 10 minutes = $6,000 to $30,000 per
minute
Alternatively, a conservative approach would compare the buffer time provided under the worst
case scenarios, as follows:
Option 1: Costs of $50,000 to provide 5 minutes of buffer time (35 > 10 + 20) = $10,000 per
minute buffer time.
Option 2: Costs of $40,000 to provide 1 minute of buffer time (25 > 4 + 20) = $40,000 per
minute of buffer time
Option 3: Costs of $60,000 to provide 5 minutes of buffer time (25 > 10 + 10) = $12,000 per
minute of buffer time.
It is also possible to compare buffer times provided under the best case scenarios, as follows:
Option 1: Costs of $50,000 to provide 24 minutes of buffer time (35 > 5 + 6) = $2,083 per minute
buffer time.
Option 2: Costs of $40,000 to provide 18 minutes of buffer time (25 > 1+6) = $2,222 per minute
of buffer time
Option 3: Costs of $60,000 to provide 16 minutes of buffer time (25 > 5 + 4) = $3,750 per
minute of buffer time.
Note that if invested in all three options, the results would be:
Situation                 Cost Differential  Protection Time  Detection Time  Correction Time
All 3 options best case   $150,000           35               1               4
All 3 options worst case  $150,000           35               4               10
Investing in all 3 options improves the formula (P > D + C) by 16 (best case) to 40 (worst case)
minutes at a cost of $150,000 = $3,750 (best case) to $9,375 (worst case) per minute.
Investing in all 3 options also provides a total buffer time of 21 minutes (worst case scenario) at a
cost of $150,000 = $7,143 per minute of buffer time. Under the best-case scenario, investing in all
3 options would provide a total buffer of 30 minutes at a cost of $150,000 = $5,000 per minute.
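The time-based model evaluation above, carried through as an added Python example (not part of the original solution): it tests P > D + C for each scenario, computes the cost per minute of buffer and per minute of improvement the way the solution does, and combines the three options as the final table does. The scenario figures are the problem's own; the class and function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Scenario:
    """One row of the evaluation: incremental cost and the three times (minutes)."""
    name: str
    cost: int   # cost differential in dollars
    p: int      # protection time
    d: int      # detection time
    c: int      # correction time

    def buffer(self) -> int:
        """Spare minutes in the time-based model: positive means P > D + C."""
        return self.p - (self.d + self.c)

    def is_secure(self) -> bool:
        return self.buffer() > 0

def cost_per_buffer_minute(option: Scenario) -> Optional[float]:
    """Dollars per minute of buffer that remains after the investment
    (undefined when the option still leaves the company insecure)."""
    if not option.is_secure():
        return None
    return round(option.cost / option.buffer(), 2)

def cost_per_minute_improvement(option: Scenario, baseline: Scenario) -> Optional[float]:
    """Dollars per minute by which the option improves the P - (D + C) margin
    over the current situation in the same (best or worst) case."""
    gained = option.buffer() - baseline.buffer()
    if gained <= 0:
        return None
    return round(option.cost / gained, 2)

def combine(name: str, *options: Scenario) -> Scenario:
    """Invest in several options at once: costs add up, and each time takes
    the best value any option offers (larger P, smaller D and C)."""
    return Scenario(name, sum(o.cost for o in options),
                    max(o.p for o in options), min(o.d for o in options),
                    min(o.c for o in options))

# The figures from the XYZ Company problem.
CURRENT_BEST = Scenario("current best", 0, 25, 5, 6)
CURRENT_WORST = Scenario("current worst", 0, 25, 10, 20)
OPTION1_BEST = Scenario("option 1 best", 50_000, 35, 5, 6)
OPTION1_WORST = Scenario("option 1 worst", 50_000, 35, 10, 20)
OPTION2_BEST = Scenario("option 2 best", 40_000, 25, 1, 6)
OPTION2_WORST = Scenario("option 2 worst", 40_000, 25, 4, 20)
OPTION3_BEST = Scenario("option 3 best", 60_000, 25, 5, 4)
OPTION3_WORST = Scenario("option 3 worst", 60_000, 25, 10, 10)
ALL_BEST = combine("all 3 best", OPTION1_BEST, OPTION2_BEST, OPTION3_BEST)
ALL_WORST = combine("all 3 worst", OPTION1_WORST, OPTION2_WORST, OPTION3_WORST)

def evaluate(option: Scenario, baseline: Scenario) -> dict:
    """Everything the solution reports for one option in one case."""
    return {"secure": option.is_secure(), "buffer": option.buffer(),
            "per_buffer_minute": cost_per_buffer_minute(option),
            "per_minute_improvement": cost_per_minute_improvement(option, baseline)}

if __name__ == "__main__":
    for opt in (OPTION1_WORST, OPTION2_WORST, OPTION3_WORST, ALL_WORST):
        print(opt.name, evaluate(opt, CURRENT_WORST))
```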
7.8
To encrypt a file or folder:
1. Open Windows Explorer.
2. Right-click the file or folder that you want to encrypt, and then click Properties.
3. On the General tab, click Advanced.
4. Select the Encrypt contents to secure data check box.
To create new user accounts:
1. Click Start, Control Panel, double click User Accounts, follow prompts for User Account
Creation Wizard. To create/change the password, double click on new user account icon,
select Change The Password menu option and follow the prompts.
a. Actions that can be performed using the new User Account (eight numbered entries, left blank).
Comparison table columns: Description; Password length (maximum and minimum); Types of
characters; Frequency of mandatory changes; Password history (can an old password be used again).
Explanations of the reason for any differences should focus on the relative value/importance of the
data contained in each system.
7.10
Solution: Reports will vary from student to student; however, the reports should contain at
least some of the following basic facts gathered from the text, cgisecurity.net, and wikipedia:
a. Buffer overflows
One of the more common input-related vulnerabilities is what is referred to as a buffer
overflow attack, in which an attacker sends a program more data than it can handle. Buffer
overflows may cause the system to crash or, even worse, may provide a command prompt,
thereby giving the attacker full administrative privileges over, and control of, the device. Because
buffer overflows are so common, it is instructive to understand how they work.
Most programs are loaded into RAM when they run. Oftentimes a program may need to
temporarily pause and call another program to perform a specific function. Information about
the current state of the suspended program, such as the values of any variables and the address
in RAM of the instruction to execute next when resuming the program, must be stored in
RAM. The address of the next instruction to execute when the subprogram has finished its task
is written to an area of RAM called the stack. The other information is written into an
adjoining area of RAM called a buffer. A buffer overflow occurs when too much data is sent to
the buffer, so that the instruction address in the stack is overwritten. The program will then
return control to the address pointed to in the stack. In a buffer overflow attack, the input is
designed so that the instruction address in the stack points back to a memory address in the
buffer itself. Since the buffer has been filled with data sent by the attacker, this location
contains commands that enable the attacker to take control of the system.
Note that buffer overflows can only occur if the programmer failed to include a check on
the amount of data being input. Thus, sound programming practices can prevent buffer
overflow attacks. Therefore, internal auditors should routinely test all applications developed
in-house to be sure that they are not vulnerable to buffer overflow attacks.
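A model of the memory layout the explanation above describes, as an added Python example that is not part of the original answer key: a fixed-size buffer adjoining the saved return address, an unchecked copy that runs past it, and the length check that prevents the overwrite. The buffer and address sizes, the ship-to address handler and the return address value are constructed assumptions; Python itself is memory-safe, so this only imitates what unchecked native code does.

```python
# Model of a stack frame: the input buffer sits directly below the saved
# return address in one contiguous region of memory.
BUFFER_SIZE = 16         # room reserved for the ship-to address (constructed)
ADDRESS_SIZE = 4         # size of the saved instruction address (constructed)

class StackFrame:
    def __init__(self, return_address: int):
        self.memory = bytearray(BUFFER_SIZE + ADDRESS_SIZE)
        self.memory[BUFFER_SIZE:] = return_address.to_bytes(ADDRESS_SIZE, "little")
        self.expected_return = return_address

    def return_address(self) -> int:
        """The address the program will jump to when this function returns."""
        return int.from_bytes(self.memory[BUFFER_SIZE:], "little")

    def copy_unchecked(self, data: bytes) -> None:
        """Like an unbounded copy in C: writes every byte it is given, running
        past the buffer into the saved return address when the input is long."""
        end = min(len(data), len(self.memory))   # stop at the edge of the model
        self.memory[:end] = data[:end]

    def copy_checked(self, data: bytes) -> bool:
        """The control the text calls for: check the amount of input first."""
        if len(data) > BUFFER_SIZE:
            return False                         # rejected, nothing is written
        self.memory[:len(data)] = data
        return True

    def control_flow_intact(self) -> bool:
        """Would the program still return to where it was supposed to?"""
        return self.return_address() == self.expected_return

def handle_ship_to(address: bytes, checked: bool) -> dict:
    """Process one ship-to address with or without the length check and report
    whether the input was accepted and whether the return address survived."""
    frame = StackFrame(return_address=0x0804A0C0)   # constructed address value
    if checked:
        accepted = frame.copy_checked(address)
    else:
        frame.copy_unchecked(address)
        accepted = True
    return {"accepted": accepted, "intact": frame.control_flow_intact()}

if __name__ == "__main__":
    print(handle_ship_to(b"12 Elm St", checked=False))
    print(handle_ship_to(b"A" * 40, checked=False))   # overflow clobbers the address
    print(handle_ship_to(b"A" * 40, checked=True))    # rejected before any write
```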
b. SQL injection
Many web pages receive an input or a request from web users and then, to address the input or
the request, they create a Structured Query Language (SQL) query for the database that is
accessed by the webpage. For example, when a user logs into a webpage, the user name and
password will be used to query the database to determine if they are a valid user. With SQL
injection, it is possible to send a specially crafted user name and password that will change the
SQL query into something else, i.e., inject something new into the SQL query and thereby
bypass the authentication controls and effectively gain access to the database. This can allow
a hacker to not only steal data from the database, but also modify and delete data or the entire
database.
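The login query described above in both forms, as an added Python example that is not part of the original answer key: a query built by pasting the user name into the SQL text, beside the parameterized version that binds it as data. The in-memory SQLite table and its single user row are constructed, and the function names are assumptions.

```python
import sqlite3

def make_database() -> sqlite3.Connection:
    """In-memory database with one constructed user record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample row; a real system would store a password hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username: str, password: str) -> bool:
    """Builds the SQL text by pasting the user's input into it, so the input
    can change the structure of the query the database executes."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, username: str, password: str) -> bool:
    """Parameterized query: the input is bound as data values, never as SQL,
    so it cannot turn the query into something else."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def audit_login(username: str, password: str) -> dict:
    """Run the same credentials through both versions, as a tester would."""
    conn = make_database()
    try:
        return {"vulnerable": login_vulnerable(conn, username, password),
                "safe": login_safe(conn, username, password)}
    finally:
        conn.close()

if __name__ == "__main__":
    print(audit_login("alice", "correct-horse"))   # both accept
    print(audit_login("alice", "wrong"))           # both reject
    # A user name that ends the string and comments out the password check
    # passes the vulnerable version only.
    print(audit_login("alice' --", "anything"))
```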
c. Cross-site scripting
Cross-site scripting (also known as XSS) occurs when a web application gathers malicious
data from a user. The data is usually gathered in the form of a hyperlink which contains
malicious content within it. The user will most likely click on this link from another website,
an instant message, or simply while reading a web board or email message. Usually the attacker
will encode the malicious portion of the link to the site so the request looks less suspicious
to the user when clicked on. After the data is collected by the web application, it
creates an output page for the user containing the malicious data that was originally sent to it,
but in a manner that makes it appear as valid content from the website. Many popular guestbook
and forum programs allow users to submit posts with HTML and JavaScript embedded in them.
If, for example, I were logged in as "john" and read a message by "joe" that contained malicious
JavaScript in it, then it may be possible for "joe" to hijack my session just by my reading his
bulletin board post.
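The guestbook and encoded-link cases described above, as an added Python example that is not part of the original answer key: a board renderer that echoes posts raw beside one that escapes them, a search page that reflects a link parameter, and a check over the rendered output. The posts, the URL and the function names are constructed; a benign alert stands in for whatever a real post might try to run.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed guestbook posts: one ordinary, one whose body carries a script
# tag typed straight into the submission form.
POSTS = [
    ("john", "Great product, fast shipping."),
    ("joe", '<script>alert("xss")</script> Nice site!'),
]

def render_board_unsafe(posts) -> str:
    """Echoes user-supplied text straight into the page, so every reader's
    browser runs joe's script as though the site itself had written it."""
    return "\n".join(f"<li><b>{a}</b>: {b}</li>" for a, b in posts)

def render_board_safe(posts) -> str:
    """Output encoding: every user-supplied string is escaped, so markup
    characters are displayed as text rather than interpreted."""
    return "\n".join(
        f"<li><b>{html.escape(a)}</b>: {html.escape(b)}</li>" for a, b in posts)

def query_param(url: str) -> str:
    """The 'q' parameter of a link; parse_qs percent-decodes it, so encoding
    the link hides nothing from the application that receives it."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]

def search_results_unsafe(url: str) -> str:
    """Reflected variant: the link's parameter comes straight back in the page."""
    return f"<p>Results for {query_param(url)}</p>"

def search_results_safe(url: str) -> str:
    return f"<p>Results for {html.escape(query_param(url))}</p>"

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

def contains_live_script(page: str) -> bool:
    """Detective check a tester can run over rendered output."""
    return SCRIPT_TAG.search(page) is not None

if __name__ == "__main__":
    link = "http://shop.example/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    print(contains_live_script(render_board_unsafe(POSTS)), contains_live_script(render_board_safe(POSTS)))
    print(contains_live_script(search_results_unsafe(link)), contains_live_script(search_results_safe(link)))
```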
7.11
Depending on the sensitivity and value of the data processed and stored at a data center, all of the
19 methods could be used by a corporation. For example, IBM is extremely concerned about the
loss of data and trade secrets due to disasters and corporate espionage and employs all 19
methods; however, most corporations do not employ all 19 methods. Thus, the following solution
is an approximation of the methods that a typical corporation may employ and the more extensive
methods that a financial institution would choose. The methods that any corporation would employ
would also be employed at financial institutions, but are not checked, to more clearly highlight the differences.
Method comparison table (columns: Method; Any Corporation; Extra methods justified at a
Financial Institution; rows numbered 1 through 6).
Firewall comparison table (columns: Cost, Filtering Capability, Other Security Features, Ease of
Configuration, Ease of Use; products: SonicGuard Pro 5060, Fortinet 1000A, Barracuda 910,
SunScreen Secure Net 3.1). Recoverable entries: costs of $9,371, $24,745, $28,500 and $14,995;
filtering capabilities of "Deep packet & Web content", "Deep packet, Web content, stateful
inspection" (two products) and "Dynamic packet filtering, stateful inspection"; other security
features of "IPSec VPN, layered anti-virus, anti-spyware, intrusion prevention" (one product), the
same plus anti-spam (two products) and "VPN" (one product); ease of configuration and ease of
use are rated Complex (professional network administrator needed) for all four products.
7-2 The answers to this case will vary by student. Make sure that the student prepares questions
for preventative, detective, and corrective controls with appropriate subcategories for each
topic and questions that can be answered with a yes, no, or not applicable. For example,
under the heading of preventive controls, there should be questions about the existence of
various authentication methods, an access control matrix, training, physical access controls,
firewalls, wireless access, host and application hardening, and encryption. Questions should
be objective and focus on the existence of specific controls that the text suggests should be
in place, such as "The main firewall employs stateful packet inspection." In this way, yes
answers are evidence that security is effective, whereas no answers are evidence of
potential security vulnerabilities.