AIS e12 CH08


8/19/2019 AIS e12 CH08

Accounting Information Systems

CHAPTER 8

INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY, Part 1: Information Security

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

8.1 Explain why an organization would want to use all of the following information security controls: firewalls, intrusion prevention systems, intrusion detection systems, and a CIRT.

Using this combination of controls provides defense-in-depth. Firewalls and intrusion prevention systems are preventive controls. Intrusion detection systems are used to identify problems and incidents. The purpose of a Computer Incident Response Team (CIRT) is to respond to and mediate problems and incidents. According to the time-based model of security, information security is adequate if the firewalls and intrusion prevention systems can delay attacks from succeeding longer than the time it takes the intrusion detection system to identify that an attack is in progress and for the CIRT to respond.

8.2 What are the advantages and disadvantages of having the person responsible for information security report directly to the chief information officer (CIO), who has overall responsibility for all aspects of the organization's information systems?

It is important for the person responsible for security (the CISO) to report to senior management. Having the person responsible for information security report to a member of the executive committee such as the CIO formalizes information security as a top management issue.

One potential disadvantage is that the CIO may not always react favorably to reports indicating that shortcuts have been taken with regard to security, especially in situations where following the recommendations for increased security spending could result in failure to meet budgeted goals. Therefore, just as the effectiveness of the internal audit function is improved by having it report to someone other than the CFO, the security function may also be more effective if it reports to someone who does not have responsibility for information systems operations.

8-1 © 2010 Pearson Education, Inc. Publishing as Prentice Hall


8.3 Reliability is often included in service level agreements (SLAs) when outsourcing. The toughest thing is to decide how much reliability is enough. Consider an application like email. If an organization outsources its email to a cloud provider, what is the difference between 9

8.4 What is the difference between authentication and authorization?

Authentication and authorization are two related controls designed to restrict access to an organization's information systems and resources.

The objective of authentication is to verify the claimed identity of someone attempting to obtain access.

The objective of authorization is to limit what an authenticated user can do once they have been given access.

8.5


8.6 Security awareness training is necessary to teach employees "safe computing" practices. The key to effectiveness, however, is that it changes employee behavior. How can organizations maximize the effectiveness of their security awareness training programs?

Top management support is always essential for the success of any program an entity undertakes. Thus, top management support and participation in security awareness training is essential to maximize its impact on the employees and managers of the firm.

Effective instruction and hands-on active learning techniques help to maximize training. "Real life" examples should be used throughout the training so that employees can view or at least visualize the exposures and threats they face as well as the controls in place to address the exposures and threats. Role-playing has been shown to be an effective method to maximize security awareness training, especially with regard to social engineering attack training.

Training must also be repeated periodically, at least several times each year, to reinforce concepts and update employees about new threats.

It is also important to test the effectiveness of such training.

Including security practices and behaviors as part of an employee's performance evaluation is also helpful as it reinforces the importance of security.

8.7 What is the relationship between COSO, COBIT, and the AICPA's Trust Services frameworks?

COSO is a broad framework that describes the various components of internal control. It does not, however, provide any details about IT controls.

CO


SUGGESTED SOLUTIONS TO THE PROBLEMS

8.1 Match the following terms with their definitions:

| Answer | Term | Definition |
| --- | --- | --- |
| d | 1. Vulnerability | a. Code that corrects a flaw in a program. |
| s | 2. Exploit | b. Verification of claimed identity. |
| b | 3. Authentication | c. The firewall technique that filters traffic by comparing the information in packet headers to a table of established connections. |
| m | 4. Authorization | d. A flaw or weakness in a program. |
| f | 5. Demilitarized zone (DMZ) | e. A test to determine the time it takes to compromise a system. |
| t | 6. Deep packet inspection | f. A subnetwork that is accessible from the Internet but separate from the organization's internal network. |
| o | 7. Router | g. The device that connects the organization to the Internet. |
| j | 8. Social engineering | h. The rules (protocol) that govern routing of packets across networks. |
| k | 9. Firewall | i. The rules (protocol) that govern the division of a large file into packets and subsequent reassembly of the file from those packets. |
| n | 10. Hardening | j. An attack that involves deception to obtain access. |
| l | 11. CIRT | k. A device that provides perimeter security by filtering packets. |
| a | 12. Patch | l. The set of employees assigned responsibility for resolving problems and incidents. |
| u | 13. Virtualization | m. Restricting the actions that a user is permitted to perform. |
| i | 14. Transmission Control Protocol (TCP) | n. Improving security by removal or disabling of unnecessary programs and features. |
| q | 15. Static packet filtering | o. A device that uses the Internet Protocol (IP) to send packets across networks. |
| g | 16. Border router | p. A detective control that identifies weaknesses in devices or software. |
| p | 17. Vulnerability scan | q. A firewall technique that filters traffic by examining the packet header of a single packet in isolation. |
| e | 18. Penetration test | r. The process of applying code supplied by a vendor to fix a problem in that vendor's software. |
| r | 19. Patch management | s. Software code that can be used to take advantage of a flaw and compromise a system. |
| v | 20. Cloud computing | t. A firewall technique that filters traffic by examining not just packet header information but also the contents of a packet. |
| | | u. The process of running multiple machines on one physical server. |
| | | v. An arrangement whereby a user remotely accesses software, hardware, or other resources via a browser. |

     

8.2 Install and run the latest version of the Microsoft Baseline Security Analyzer on your home computer or laptop. Write a report explaining the weaknesses identified by the tool and how to best correct them. Attach a copy of the MBSA output to your report.

Solution: will vary for each student. Examples of what to expect (from a computer running Windows) follow:

1. The first section should identify the computer (not shown below) and the status of security updates.

2. Next is a section about user accounts and Windows settings.

3. Then there is a section about other system information.

[The MBSA screenshots that accompany these three points are not reproduced in the transcript.]

     


8.3 The following table lists the actions that various employees are permitted to perform:

| Employee | Permitted actions |
| --- | --- |
| Able | Check customer account balances; check inventory availability |

[The rest of the table and the solution's access control matrix are not legible in the transcript beyond a column headed "...er File" and the row "Able: 1, 1, 0, 0". The text resumes part-way through the answer to the next problem, at part b.]

... use of multiple character types, random characters, and require that passwords be changed frequently.

• Detective: Locking out accounts after 3-5 unsuccessful login attempts; since this was a "guessing" attack, it may have taken more than a few attempts to login.

c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.

• Preventive: Integrate physical and logical security. In this case, the system should reject any user attempts to remotely log into the system if that same user is already logged in from a physical workstation.

• Detective: Having the system notify appropriate security staff about such an incident.
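The preventive and detective controls suggested for part (c) can be expressed as one check at login time. The following is an added example, not code from the solutions manual: a remote login for an account that already holds a session at a physical workstation is refused and an alert is queued for security staff. The session registry and alert list are in-memory stand-ins, and the workstation name and IP address used below are constructed values.

```python
"""Control for threat (c): a remote login for an account that already has
a session at a physical workstation is refused (preventive) and reported
to security staff (detective).  Added example, not from the solutions
manual; the registry and alert list are in-memory stand-ins and the
workstation name and IP address used with it are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    user: str
    origin: str      # "local" = on-premises workstation, "remote" = VPN/Internet
    endpoint: str    # workstation name or remote address


@dataclass
class SessionRegistry:
    active: dict = field(default_factory=dict)   # user -> list of Session
    alerts: list = field(default_factory=list)   # messages for security staff

    def login(self, user: str, origin: str, endpoint: str) -> bool:
        """Return True if the login is allowed (and record the session)."""
        local = [s.endpoint for s in self.active.get(user, []) if s.origin == "local"]
        if origin == "remote" and local:
            # The credentials are valid, but the account holder is demonstrably
            # at their desk: physical and logical security disagree, so refuse
            # the login and raise an alert instead of silently dropping it.
            self.alerts.append(f"refused remote login for {user!r} from {endpoint}; "
                               f"user already logged in locally at {local}")
            return False
        self.active.setdefault(user, []).append(Session(user, origin, endpoint))
        return True

    def logout(self, user: str, endpoint: str) -> None:
        """Drop the session held from `endpoint`, if any."""
        self.active[user] = [s for s in self.active.get(user, [])
                             if s.endpoint != endpoint]


if __name__ == "__main__":
    registry = SessionRegistry()
    registry.login("it.manager", "local", "HQ-WS-17")          # constructed name
    print(registry.login("it.manager", "remote", "203.0.113.9"))  # False: refused
    print(registry.alerts)
```

The check is deliberately one-directional: a local login while a remote session exists is allowed, because the page only calls for rejecting the remote attempt; a site that wants both directions refused would add the symmetric condition.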

d. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.

• Preventive: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam.

• Detective and corrective: Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system.

e. A company's programming staff wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.

• Preventive: Teach programmers secure programming practices, including the need to carefully check all user input.

• Management must support the commitment to secure coding practices, even if that means a delay in completing, testing, and deploying new programs.

• Detective: Make sure programs are thoroughly tested before being put into use.

• Have internal auditors routinely test in-house developed software.

f. A company purchased the leading "off-the-shelf" e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.

• Preventive: Insist on secure code as part of the specifications for purchasing any 3rd party software.

• Thoroughly test the software prior to use.

• Employ a patch management program so that any vendor-provided fixes and patches are immediately implemented.

g. Attackers broke into the company's information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security.

• Preventive: Enact a policy that forbids installation of unauthorized wireless access points.

• Detective: Conduct routine audits for unauthorized or rogue wireless access points.

• Corrective: Sanction employees who violate policy and install rogue wireless access points.

h. An employee picked up a USB drive in the parking lot and plugged it into their laptop to "see what was on it," which resulted in a keystroke logger being installed on that laptop.

• Preventive: Security awareness training. Teach employees to never insert USB drives unless they are absolutely certain of their source.

• Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process.


i. Once an attack on the company's website was discovered, it took more than … minutes to determine who to contact to initiate response actions.

• Preventive: Document all members of the CIRT and their contact information.

• Practice the incident response plan.

j. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company's system by dialing into that modem.

• Preventive: Routinely check for unauthorized or rogue modems by dialing all telephone numbers assigned to the company and identifying those connected to modems.

k. An attacker gained access to the company's internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies.

• Preventive: Secure or lock all wiring closets.

• Require strong authentication of all attempts to log into the system from a wireless client.

• Employ an intrusion detection system.


8.5 What are the advantages and disadvantages of the three types of authentication credentials (something you know, something you have, and something you are)?

Something you know

• Advantages: Easy to use. Universal: no special hardware required. Revocable: can cancel and create new credential if compromised.

• Disadvantages: Easy to forget or guess. Hard to verify who is presenting the credential. May not notice compromise immediately.

Something you have

• Advantages: Easy to use. Revocable: can cancel and reissue new credential if compromised. Quickly notice if lost or stolen.

• Disadvantages: May require special hardware if not a USB token (i.e., if a smart card, need a card reader). Hard to verify who is presenting the credential.

Something you are (biometric)

• Advantages: Strong proof who is presenting the credential. Hard to copy/mimic. Cannot be lost, forgotten, or stolen.

• Disadvantages: Cost. Requires special hardware, so not universally applicable. User resistance: some people may object to use of fingerprints; some culture groups may refuse face recognition, etc. May create threat to privacy; for example, retina scans may reveal health conditions. False rejection due to change in biometric characteristic (e.g., voice recognition may fail if have a cold). Not revocable: if the biometric template is compromised, it cannot be re-issued (e.g., you cannot assign someone a new fingerprint).


8.6 a. Apply the following data to evaluate the time-based model of security for the XYZ Company. Does the XYZ Company satisfy the requirements of the time-based model of security? Why?

Estimated time for attacker to successfully penetrate system: 25 minutes

Estimated time to detect an attack in progress and notify appropriate information security staff: 5 minutes (best case) to 10 minutes (worst case)

Estimated time to implement corrective actions: 6 minutes (best case) to 20 minutes (worst case)

Solution: XYZ Company is secure under their best case scenario but they do not meet security requirements under their worst case scenario.

• P = 25 minutes

• D = 5 minutes (
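The requirement of the time-based model, P > D + C, is the same rule that discussion question 8.1 uses to relate firewalls and intrusion prevention (P), intrusion detection (D) and the CIRT (C). As an added example, not part of the solutions manual, the following evaluates it for the XYZ Company figures above, best case and worst case, and reports how much more delay the preventive controls would need in the failing case. The numbers are the page's; the function and class names are my own.

```python
"""Time-based model of security, P > D + C, applied to the XYZ Company
estimates in problem 8.6 (and the rule discussion question 8.1 uses to
relate firewalls/IPS, IDS and the CIRT).  Added example, not the
solutions manual's code; the four scenario values are the page's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    p: int   # minutes the preventive controls (firewall, IPS) delay the attacker
    d: int   # minutes until the IDS detects the attack and staff are notified
    c: int   # minutes the CIRT needs to implement corrective action

    def satisfied(self) -> bool:
        """The model's requirement: the attack takes longer than detect + correct."""
        return self.p > self.d + self.c

    def margin(self) -> int:
        """Minutes to spare; negative means the attacker finishes first."""
        return self.p - (self.d + self.c)


XYZ_BEST = Scenario("best case", p=25, d=5, c=6)
XYZ_WORST = Scenario("worst case", p=25, d=10, c=20)


def evaluate(*scenarios: Scenario) -> dict:
    """Map each scenario name to whether the requirement is met."""
    return {s.name: s.satisfied() for s in scenarios}


def extra_delay_needed(s: Scenario) -> int:
    """Additional minutes of delay (P) that would satisfy the model; 0 if met."""
    return 0 if s.satisfied() else s.d + s.c - s.p + 1


if __name__ == "__main__":
    for s in (XYZ_BEST, XYZ_WORST):
        verdict = "satisfied" if s.satisfied() else "NOT satisfied"
        print(f"{s.name}: P={s.p}, D+C={s.d + s.c}, margin={s.margin()} -> {verdict}")
```

Running it prints that the best case is satisfied with a margin of 14 minutes and the worst case is not (30 minutes of detection and correction against a 25-minute penetration time), which is the page's conclusion; `extra_delay_needed` shows that six more minutes of delay, or an equivalent cut in D + C, would close the gap.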


8.7 Explain how the following items individually and collectively affect the overall level of security provided by using a password as an authentication credential.

a. Length: interacts with complexity to determine how hard it is to "guess" a password or discover it by trial-and-error testing of every combination. Of the two factors, length is more important because it has the biggest impact on the number of possible passwords.

To understand this, consider that the number of possible passwords = x^y, where x = the number of possible characters that can be used and y = the length. As the following table shows, increasing the length increases the number of possibilities much more than does the same proportionate increase in complexity.

| Complexity (types of characters allowed) | Number of characters | Length | Number of possible passwords |
| --- | --- | --- | --- |
| Numeric | 10 (0-9) | 4 | 10^4 = 10,000 |
| Alphabetic, not case sensitive | 26 (a-z) | 8 | 26^8 = 2.088E11 |
| Alphabetic, case sensitive | 52 (a-z, A-Z) | 8 | 52^8 = 5.346E13 |
| Alphanumeric, case sensitive | 62 (0-9, a-z, A-Z) | 8 | 62^8 = 2.183E14 |
| Alphanumeric, case sensitive | 62 (0-9, a-z, A-Z) | 12 | 62^12 = 3.226E21 |
| Alphanumeric, case sensitive, plus special characters | 95 (0-9, a-z, A-Z, and special characters, etc.) | 8 | 95^8 = 6.634E15 |
| Alphanumeric, case sensitive, plus special characters | 95 (0-9, a-z, A-Z, and special characters, etc.) | 12 | 95^12 = 5.404E23 |
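The table is a direct evaluation of x^y. The following added example (not the manual's code) recomputes every row so the figures can be checked, and then compares the two kinds of increase the text contrasts: widening the alphabet from 62 to 95 characters (about 53% more characters) against lengthening an 8-character password by four characters (50% longer). The character-set sizes are the table's; the function names are my own.

```python
"""Number of possible passwords = x**y for the rows of the table above.
Added example (not the solutions manual's code); the character-set
sizes are the ones the table uses."""

CHARSETS = {
    "numeric": 10,                                            # 0-9
    "alphabetic, not case sensitive": 26,                     # a-z
    "alphabetic, case sensitive": 52,                         # a-z, A-Z
    "alphanumeric, case sensitive": 62,                       # 0-9, a-z, A-Z
    "alphanumeric, case sensitive, plus special characters": 95,
}


def password_space(charset_size: int, length: int) -> int:
    """x**y: each of the y positions may hold any of the x characters."""
    return charset_size ** length


def space_table():
    """(complexity, x, y, x**y) for the rows of the table above, in order."""
    rows = [("numeric", 4),
            ("alphabetic, not case sensitive", 8),
            ("alphabetic, case sensitive", 8),
            ("alphanumeric, case sensitive", 8),
            ("alphanumeric, case sensitive", 12),
            ("alphanumeric, case sensitive, plus special characters", 8),
            ("alphanumeric, case sensitive, plus special characters", 12)]
    return [(name, CHARSETS[name], y, password_space(CHARSETS[name], y))
            for name, y in rows]


def growth_factor(x: int, y: int, more_chars: int, more_length: int):
    """Starting from x characters and length y, compare the factor gained by
    adding `more_chars` to the alphabet with the factor gained by adding
    `more_length` to the length.  Returns (wider_alphabet, longer_password)."""
    base = password_space(x, y)
    return (password_space(x + more_chars, y) / base,
            password_space(x, y + more_length) / base)


if __name__ == "__main__":
    for name, x, y, n in space_table():
        print(f"{name:55s} {x:3d}^{y:<2d} = {n:.3e}")
    print("62->95 chars vs 8->12 long:", growth_factor(62, 8, 33, 4))
```

For an 8-character alphanumeric password, adding the 33 special characters multiplies the space by roughly 30, while adding four characters of length multiplies it by 62^4, nearly fifteen million: the "proportionate increase" comparison the text makes, in numbers.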


b. Complexity requirements (which types of characters are required to be used: numbers, alphabetic, case-sensitivity of alphabetic, special symbols): interacts with length to determine how hard it is to "guess" a password or discover it by trial-and-error testing of every combination.

c. Maximum password age (how often password must be changed): shorter means more frequent changes, which increases security.


d. Minimum password age (how long a password must be used before it can be changed): this combined with history prevents someone from just keeping their same password, because it prevents repeatedly changing passwords until the system allows use of the same password once again.

e. Maintenance of password history (how many prior passwords does the system remember to prevent reselection of the same password when required to change passwords): the larger this is, the longer the time before someone can reuse a password. For example, a password history of 12 combined with a minimum age of 1 month means that the same password cannot be used until after a year. Note that this requires setting a minimum age. Otherwise, if the minimum age is zero, someone could repeatedly change their password as many times as the system's history setting, and then change it one more time, this last time setting it to be the current password.

f. Account lockout threshold (how many failed login attempts before the account is locked): this is designed to stop guessing attacks. However, it needs to account for typos, accidentally hitting the CAPS LOCK key, etc. to prevent locking out legitimate users. Its effect also depends on the next variable, time frame.

g. Time frame during which account lockout threshold is applied (i.e., if lockout threshold is five failed login attempts, time frame is whether those 5 failures must occur within 15 minutes, 1 hour, 1 day, etc.): Shorter time frames defeat attempts to guess.

h. Account lockout duration (how long the account remains locked after exceeding the maximum allowable number of failed login attempts): longer lockouts defeat attempts to guess. Too short a value on this parameter may enable an attacker to try to guess x times, get locked out for only a few minutes, and then start guessing again.
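Items d through h describe policy settings that a login system enforces together. The following added example, not code from the solutions manual, implements two of those mechanisms: a password history with a minimum age, used to reproduce the reasoning in item e (with a history of 12 and no minimum age the original password is back after 13 changes on the same day; with a one-month minimum age the same 13 changes take over a year), and an account lockout with a threshold, a time frame and a duration as in items f to h. Time is a plain day or minute counter, and the policy values used at the bottom are assumptions.

```python
"""Enforcement of items d-h above: password history with a minimum age,
and account lockout (threshold, time frame, duration).  Added example,
not code from the solutions manual; time is a plain day/minute counter
and the policy values used at the bottom are assumptions."""
from collections import defaultdict, deque


class PasswordHistoryPolicy:
    """Remembers the last `history` passwords (the current one included)
    and refuses a change sooner than `min_age_days` after the last one."""

    def __init__(self, history: int, min_age_days: int):
        self.history = history
        self.min_age_days = min_age_days
        self.remembered = []        # oldest first, current password last
        self.last_change_day = None

    def change(self, new_password: str, today: int) -> bool:
        """Apply a change on day `today`; return True if the policy accepts it."""
        if self.remembered:
            if today - self.last_change_day < self.min_age_days:
                return False        # minimum age not reached yet
            if new_password in self.remembered:
                return False        # reuse of a remembered password
        self.remembered.append(new_password)
        if len(self.remembered) > self.history:
            del self.remembered[: len(self.remembered) - self.history]
        self.last_change_day = today
        return True


def earliest_reuse(history: int, min_age_days: int):
    """Simulate a user who changes passwords as fast as the policy allows in
    order to get back to the original one.  Returns (changes, day)."""
    policy = PasswordHistoryPolicy(history, min_age_days)
    policy.change("original", today=0)
    changes, day = 0, 0
    while True:
        if policy.change("original", today=day):
            return changes + 1, day
        if policy.change(f"throwaway-{changes}", today=day):
            changes += 1            # pushed one more entry out of the history
        else:
            day += 1                # must wait for the minimum age to elapse


class LockoutPolicy:
    """Locks an account after `threshold` failures inside a `window_minutes`
    time frame, for `lockout_minutes`."""

    def __init__(self, threshold: int, window_minutes: int, lockout_minutes: int):
        self.threshold = threshold
        self.window = window_minutes
        self.lockout = lockout_minutes
        self.failures = defaultdict(deque)   # user -> minutes of recent failures
        self.locked_until = {}               # user -> minute the lock expires

    def is_locked(self, user: str, now: int) -> bool:
        return self.locked_until.get(user, -1) > now

    def record_failure(self, user: str, now: int) -> bool:
        """Register a failed login at minute `now`; True if the account is
        locked (whether by this failure or already)."""
        if self.is_locked(user, now):
            return True
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # outside the time frame: forgotten
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        """A good login ends a streak of typos; it does not lift a lockout."""
        self.failures[user].clear()


if __name__ == "__main__":
    print("history 12, min age 0 days :", earliest_reuse(12, 0))    # (13, 0)
    print("history 12, min age 30 days:", earliest_reuse(12, 30))   # (13, 390)
    policy = LockoutPolicy(threshold=5, window_minutes=15, lockout_minutes=30)
    print([policy.record_failure("bob", minute) for minute in range(5)])
```

The two simulations make item e concrete: without a minimum age the history is defeated in a single sitting, and with a minimum age of 30 days the original password cannot return before day 390. The lockout class keeps only failures inside the window, so five failures spread over more than 15 minutes never reach the threshold, which is the interaction between items f and g that the text points to.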


8.8 The chapter briefly discussed the following three common attacks against applications:

a. Buffer overflows

b. SQL injection

c. Cross-site scripting

Required

Research each of these three attacks and write a report that explains in detail how each attack actually works and that describes suggested controls for reducing the risks that these attacks will be successful.

Solution: Reports will vary from student to student; however, the reports should contain at least some of the following basic facts gathered from the text, cgisecurity.net, and Wikipedia.

a. Buffer overflows

One of the more common input-related vulnerabilities is what is referred to as a buffer overflow attack, in which an attacker sends a program more data than it can handle.


b. SQL injection

Many web pages receive an input or a request from web users and then, to address the input or the request, they create a Structured Query Language (SQL) query for the database that is accessed by the webpage. For example, when a user logs into a webpage, the user name and password will be used to query the database to determine if they are a valid user. With SQL injection, a user inputs a specially crafted SQL command that is passed to the database and executed, thereby bypassing the authentication controls and effectively gaining access to the database. This can allow a hacker to not only steal data from the database, but also modify and delete data or the entire database.

To prevent SQL injection attacks, the web server should be reprogrammed so that user input is not directly used to create queries sent to the database.
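The login query described above can be built two ways, and the difference is exactly the control the last sentence asks for. The following is an added example, not code from the solutions manual: `login_vulnerable` splices the user's input into the SQL text, so a password field containing a quote and an `OR` condition changes the query's structure and matches every row; `login_safe` sends the same input as a bound parameter, so the database only ever compares it as a literal. The in-memory SQLite table, the user record and the crafted input are constructed for the demonstration.

```python
"""The login query from the SQL injection discussion, built two ways:
string concatenation (vulnerable) and a parameterized query (the
'do not use input directly to create queries' control).  Added example,
not from the solutions manual; the in-memory table, the user record and
the crafted input are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user table.  Passwords are stored in clear only to keep
    the example short; a real system stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """User input becomes part of the SQL text, so the input can rewrite the
    WHERE clause instead of being compared against it."""
    sql = (f"SELECT COUNT(*) FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Placeholders: the query text is fixed, and the driver passes the values
    separately, so they are never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"      # constructed input: closes the quote, adds a tautology
    print("vulnerable, crafted password:", login_vulnerable(db, "alice", crafted))  # True
    print("parameterized, same input:   ", login_safe(db, "alice", crafted))        # False
```

With the crafted value, the concatenated query reads `... AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable function reports a successful login without the password; the parameterized version compares the whole string to the stored password and fails. The fix is not input filtering but keeping data out of the query text altogether.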

c. Cross-site scripting

Cross site scripting (also known as XSS) occurs whenever a web application sends user input back to the browser without scrubbing it. The problem is that if the input is a script, the browser will execute it. The attack requires tricking a user into clicking on a hyperlink to a trusted website that is vulnerable to cross site scripting. The hyperlink will take the victim to that website, but it also contains a script. When the user's browser visits the trusted website, it sends the input (the embedded script in the hyperlink) back to the browser. The browser then executes that script and sends information, often cookies that may contain authentication credentials, back to the attacker.

The best protection is that web sites should never replay user input verbatim back to the browser, but should always convert it to harmless HTML code first.
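"Convert it to harmless HTML" means encoding the characters that HTML treats as markup before the input is placed in the page. The following added example (not the manual's code) renders a "you searched for" page both ways: verbatim, which leaves a `<script>` element in the response for the browser to run, and escaped, which turns `<`, `>`, `&` and quotes into entities so the same input is displayed as text. The page template and the sample input are constructed.

```python
"""Reflecting user input into HTML: verbatim (the condition for cross-site
scripting described above) versus converted to harmless HTML first.
Added example, not the solutions manual's code; the page template and
the sample input are constructed."""
import html


def render_search_page(query: str, escape: bool = True) -> str:
    """Return the 'you searched for' page.  escape=False replays the input
    verbatim, which is the XSS flaw; escape=True turns <, >, &, " and ' into
    entities so the browser shows them as text instead of parsing them.
    quote=True matters because the value is also placed inside an attribute."""
    shown = html.escape(query, quote=True) if escape else query
    return (f"<html><body><p>You searched for: {shown}</p>"
            f'<input name="q" value="{shown}"></body></html>')


def has_script_element(page: str) -> bool:
    """True if the page contains a <script> element the browser would run.
    Deliberately simple: enough to show the difference between the two
    renderings, not a general HTML sanitiser."""
    return "<script" in page.lower()


if __name__ == "__main__":
    probe = '<script>alert("xss")</script>'   # constructed input
    print(has_script_element(render_search_page(probe, escape=False)))  # True
    print(has_script_element(render_search_page(probe)))                # False
    print(render_search_page(probe))
```

Escaping is applied at the point of output, not at the point of input, because the same string is harmless in a database column and harmful only when it is interpreted as HTML; this is why the text says the site should convert the input before replaying it.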


8.9 Physical security is extremely important. Read the article "19 Ways to Build Physical Security into a Data Center," which appeared in the CSO Magazine November 2


[Items 1-8 and the column headings of the solution table are not legible in the transcript; the surviving rows mark each way with an X in one of two columns.]

| Way | Column 1 | Column 2 |
| --- | --- | --- |
| 9. Limit entry points | X | |
| 10. Make fire doors exit only | X | |
| 11. Use plenty of cameras | X | |
| 12. Protect the building's machinery | X | |
| 13. Plan for secure air handling | | X |
| 14. Ensure nothing can hide in the walls and ceilings | | X |
| 15. Use two-factor authentication | X | |
| 16. Harden the core with security layers | X | |
| 17. Watch the exits too | X | |
| 18. Prohibit food in the computer rooms | X | |
| 19. Install visitor restrooms | X | |


SUGGESTED SOLUTIONS TO THE CASES

CASE 8.1 Costs of Preventive Security

Firewalls are one of the most fundamental and important security tools. You are likely familiar with the software-based host firewall that you use on your laptop or desktop. Such firewalls should also be installed on every computer in an organization. However, organizations also need corporate-grade firewalls, which are usually, but not always, dedicated special-purpose hardware devices. Conduct some research to identify three different brands of such corporate-grade firewalls and write a report that addresses the following points:

• Cost

• Technique (deep packet inspection, static packet filtering, or stateful packet filtering)

• Ease of configuration and use

Specifics of the solution will differ depending upon the brand identified. The instructor may wish to require students to turn in copies of their source materials. At a minimum, the solution should clearly demonstrate that students understand the different types of firewalls and have read and understood the review of a product's ease of configuration and ease of use.


CASE 8.2 Developing an Information Security Checklist

Obtain a copy of COBIT (available at www.isaca.org) and read section DS


Suggested solution (answers will vary; the key is to address each objective)

COBIT Control Objective | Possible questions

DS5.1

• Does the person responsible for information security report to the C-suite?

• Is information security a topic at meetings of the


• Is logging enabled?

• Are logs regularly reviewed?

DS5.6

• Is there a computer incident response team (CIRT)?

• Does membership of the CIRT include all appropriate functions?

• Is there a written incident response plan?

• Has the plan been practiced this year?

DS5.7

• Is documentation related to firewalls and IPS stored securely and with restricted access?

• Are firewalls and other security devices protected with appropriate logical and physical access controls?

DS5.8

• Is sensitive information encrypted?

• Are there procedures for issuing and revoking encryption keys?

DS5.9

• Do all computers run up-to-date anti-malware?

• Are patches applied on a timely basis?

DS5.10

• Are firewalls and IPS used to protect the perimeter?

• Are firewalls used to segregate functions within the corporate network?

• Are intrusion detection systems used?

DS5.11

• Is sensitive information encrypted prior to transmission over the Internet?