Kenya Stanley 2-2-13 ACC 564 CH 8 HMWK 8.4 & 8.7 8.4 a.

An employees laptop was stolen at the airport. The laptop contained personally identifying information about the companys customers that could potentially be used to commit identity theft. Solution: Encrypt data stored on company laptops. b. A salesperson successfully logged into the payroll system by guessing the payroll supervisors password. Solution: Employ and enforce strong password techniques such as at least an 8 character length, multiple character types, random characters, changed frequently. Also lock out accounts after 3-5 unsuccessful login attempts. c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters. Solution: Integrate physical and logical security. In this case, the system should reject any attempts from any user to remotely log into the system if that same user is already logged in from a physical workstation. The system should also notify appropriate security staff about such an incident. d. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger. Solution: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam. Detective and corrective controls include employing anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system. e. The director of R&D quit abruptly after an argument with the CEO. The company cannot access any of the files about several new projects because the R&D director had encrypted them before leaving. Solution: Employ a policy that files can only be encrypted using company encryption software and where IT security has access to the encryption keys through some form of key escrow. Internal Audit should test encrypted files and encryption keys. f. A company wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address. Solution: Teach programmers secure programming practices, including the need to carefully check all user input. It is also important for management to support the commitment to secure coding practices, even if that means a delay in completing, testing, and deploying new programs. Useful detective controls include to make sure programs are thoroughly tested before being put into use and to have internal auditors routinely test in-house developed software.

g. A company purchased the leading off-the-shelf e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code. Solution: Insist on secure code as part of the specifications for purchasing any 3 party software. Thoroughly test the software prior to use. Employ a patch management program so that any vendor provided fixes and patches are immediately implemented. h. Attackers broke into the companys information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security. Solution: Enact a policy that forbids any implementation of unauthorized wireless access points. Conduct routine audits for unauthorized or rouge wireless access points. i. An employee picked up a USB drive in the parking lot and plugged it into their laptop to see what was on it, which resulted in a keystroke logger being installed on that laptop. Solution: The best preventive control is security awareness training. Teach employees to never insert USB drives unless they are absolutely certain of their source. In addition, employ antispyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system. j. A competitor intercepted the companys bid for a lucrative contract that was emailed to the local governments web site. The competitor used the information contained in the email to successfully underbid and win the contract. Solution: Encrypt sensitive files sent via email. Send sensitive files over a secure channel.
rd

k. When an earthquake destroyed the companys main data center, the CIO spent half a day trying to figure out who in the organization needed to be contacted in order to implement the companys cold site agreement. Solution: Implement and document emergency response procedures. Periodic testing would likely uncover any such problems prior to an actual disaster. l. Although logging was enabled, the information security staff did not review the logs early enough to detect and stop an attack that resulted in the theft of information about a new strategic initiative. Solution: Implement and enforce log review and analysis policies by proper management oversight of the information security staff or contract with a security information management service to perform such analysis. m. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the companys system by dialing into that modem. Solution: Routinely check for unauthorized or rouge modems by dialing all telephone numbers assigned to the company and identifying those connected to modems. n. An attacker gained access to the companys internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies.

Solution: Secure or lock all wiring closets. Require strong authentication of all attempts to log into the system from a wireless client. Employ an intrusion detection system. . 8.7 Explain how the following items individually and collectively affect the overall level of security provided by using a password as an authentication credential. a. b. c. d. e. f. g. Length Complexity requirements Maximum password age Minimum password age Maintenance of password history Account lockout threshold Account lock duration

The strength of a password is directly related to its length. Most security experts recommend that strong passwords include at least eight characters. Using a mixture of upper and lower case alphabetic, numeric, and special characters greatly increases the strength of the password. Passwords should not be words found in a dictionary. Nor should they be words with either a preceding or following numeric character. They must also not be related to the employees personal interests or hobbies; special purpose password cracking dictionaries that contain the most common password related to various topics are available on the internet. The role that passwords play in securing an organization's network is often underestimated and overlooked. Passwords should be changed at regular intervals. Most users should change their passwords at lease every 90 days; users with access to sensitive information should change their passwords more often, possibly every 30 days. Most important, passwords must be kept secret to be effective. However, a problem with strong passwords, such as dX%m8K#2, is that they are not easy to remember. Consequently, when following the requirements for creating strong passwords, people tend to write those passwords down. This weakens the value of the password by changing it from something they know to something they have, which can then be stolen and used by anyone. The period of inactivity before an account is locked is 120 days. Resubmission requires with all appropriate signatures is required to reactivate accounts. Accounts are locked after three consecutive unsuccessful attempts to logon. The role that passwords play in securing an organization's network is often underestimated and overlooked. Passwords provide the first line of defense against unauthorized access to your organization. The Microsoft Windows Server 2003 family has a new feature that checks the complexity of the password for the Administrator account during setup of the operating system. If the password is blank or does not meet complexity requirements, the Windows Setup dialog box appears, warning.