Chapter 8 Solutions

By Charlotte Ferguson,2014-09-20 11:54

    Q8.4 What is the difference between authentication and authorization?

    Authentication and authorization are two related controls designed to restrict access to an organization’s information systems and resources.

    The objective of authentication is to verify the claimed identity of someone attempting to obtain

    The objective of authorization is to limit what an authenticated user can do once they have been given access.

    P8.1 Match the following terms with their definitions:

    Term (answer letter shown in the blank)

    __d__  1. Vulnerability
    __s__  2. Exploit
    __b__  3. Authentication
    __m__  4. Authorization
    __f__  5. Demilitarized zone (DMZ)
    __t__  6. Deep packet inspection
    __o__  7. router
    __j__  8. social engineering
    __k__  9. firewall
    __n__ 10. hardening
    __l__ 11. CIRT
    __a__ 12. patch
    __u__ 13. virtualization
    __i__ 14. Transmission Control Protocol (TCP)
    __q__ 15. static packet filtering
    __g__ 16. border router
    __p__ 17. vulnerability scan
    __e__ 18. penetration test
    __r__ 19. patch management
    __v__ 20. cloud computing

    Definition

    a. Code that corrects a flaw in a program.
    b. Verification of claimed identity.
    c. The firewall technique that filters traffic by comparing the information in packet headers to a table of established connections.
    d. A flaw or weakness in a program.
    e. A test to determine the time it takes to compromise a system.
    f. A subnetwork that is accessible from the Internet but separate from the organization’s internal network.
    g. The device that connects the organization to the Internet.
    h. The rules (protocol) that govern routing of packets across networks.
    i. The rules (protocol) that govern the division of a large file into packets and subsequent reassembly of the file from those
    j. An attack that involves deception to obtain access.
    k. A device that provides perimeter security by filtering packets.
    l. The set of employees assigned responsibility for resolving problems and
    m. Restricting the actions that a user is permitted to perform.
    n. Improving security by removal or disabling of unnecessary programs and features.
    o. A device that uses the Internet Protocol (IP) to send packets across networks.
    p. A detective control that identifies weaknesses in devices or software.
    q. A firewall technique that filters traffic by examining the packet header of a single packet in isolation.
    r. The process of applying code supplied by a vendor to fix a problem in that vendor’s
    s. Software code that can be used to take advantage of a flaw and compromise a system.
    t. A firewall technique that filters traffic by examining not just packet header information but also the contents of a packet.
    u. The process of running multiple machines on one physical server.
    v. An arrangement whereby a user remotely accesses software, hardware, or other resources via a browser.
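Definitions c, q and t above describe three firewall techniques that differ only in how much of a packet they look at. The following is an added example (not from the textbook or its solutions) that implements all three on toy packets so the difference is concrete: the packet fields, the 10.0.0.0/24 "inside" network, the web server at 10.0.0.5 and the "CONFIDENTIAL" marker string are all constructed for the demo.

```python
"""Three firewall techniques from the P8.1 definitions (c, q and t) on toy
packets. Added example, not from the textbook: the packet fields, the
10.0.0.0/24 inside network, the web server 10.0.0.5 and the DLP marker
string are all constructed for the demo.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."     # constructed: addresses inside the organization
WEB_SERVER = ("10.0.0.5", 80)   # the only service the Internet may reach


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False            # first packet of a new TCP connection
    payload: bytes = b""


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def static_filter(pkt: Packet) -> bool:
    """Definition q: judge each packet by its own header, nothing else.
    Outbound traffic is allowed; inbound only if aimed at the web server."""
    if is_internal(pkt.src):
        return True
    return (pkt.dst, pkt.dport) == WEB_SERVER


class StatefulFilter:
    """Definition c: keep a table of established connections and allow
    inbound packets that belong to a connection an inside host opened."""

    def __init__(self):
        self.connections = set()     # (inside ip, port, outside ip, port)

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return True              # reply to a connection we initiated
        # Otherwise only a brand-new connection to the web server gets in.
        return pkt.syn and static_filter(pkt)


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
DLP_SIGNATURES = (b"CONFIDENTIAL",)   # constructed marker for sensitive documents


def dpi_filter(pkt: Packet) -> bool:
    """Definition t: apply the header rule, then look inside the payload."""
    if not static_filter(pkt):
        return False
    if pkt.dport == 80 and pkt.payload and not pkt.payload.startswith(HTTP_METHODS):
        return False                 # port 80 is open for HTTP, not for anything else
    if is_internal(pkt.src) and any(sig in pkt.payload for sig in DLP_SIGNATURES):
        return False                 # outbound payload carries a marked document
    return True
```

The static filter cannot admit the reply to a connection an inside host opened, because the reply's header alone (destination port 40000, say) matches no rule; that limitation is exactly what the connection table in the stateful filter fixes. Deep packet inspection is the only one of the three that can tell HTTP from something else riding on port 80, or notice a marked document leaving the network.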

    P8.3 The following table lists the actions that various employees are permitted to perform:

    Employee   Permitted actions
    Able       Check customer account balances
               Check inventory availability
    Baker      Change customer credit limits
    Charley    Update inventory records for sales and purchases
    Denise     Add new customers
               Delete customers whose accounts have been written off as uncollectible
               Add new inventory items
               Remove discontinued inventory items
    Ellen      Review audit logs of employee actions

    Complete the following access control matrix so that it enables each employee to perform those specific activities:

    Employee   Customer Master File   Inventory Master File   Payroll Master File   System Log Files
    Able       1                      1                       0                     0
    Baker      2                      0                       0                     0
    Charley    0                      2                       0                     0
    Denise     3                      3                       0                     0
    Ellen      0                      0                       0                     1

    Use the following codes:

    0 = no access
    1 = read only access
    2 = read and modify records
    3 = read, modify, create, and delete records
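The completed matrix is an authorization control, and it only means something once authentication has established who is asking, which is the distinction Q8.4 draws. The following added example (not from the textbook or its solutions) encodes the P8.3 matrix and runs both controls in order; the employee names, file names and 0-3 codes come from the problem, while the credential store and the "<name>-demo" passwords are constructed for the demo.

```python
"""Authentication versus authorization (Q8.4) using the P8.3 access control
matrix. Added example, not from the textbook; employee names, file names and
access codes come from the problem, the credential store is constructed.
"""
import hashlib
import hmac
import os

# Access codes exactly as defined under P8.3.
NO_ACCESS, READ_ONLY, READ_MODIFY, FULL = 0, 1, 2, 3

FILES = ("customer_master", "inventory_master", "payroll_master", "system_log")

# The completed access control matrix (rows: employees, columns: FILES).
ACCESS_MATRIX = {
    "Able":    (1, 1, 0, 0),
    "Baker":   (2, 0, 0, 0),
    "Charley": (0, 2, 0, 0),
    "Denise":  (3, 3, 0, 0),
    "Ellen":   (0, 0, 0, 1),
}

# Minimum access code each operation requires; the codes are cumulative.
REQUIRED_CODE = {
    "read": READ_ONLY,
    "modify": READ_MODIFY,
    "create": FULL,
    "delete": FULL,
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed credential store: {user: (salt, hash)}. The password for each
# user is "<name>-demo" purely so the example is self-contained.
_CREDENTIALS = {}
for _name in ACCESS_MATRIX:
    _salt = os.urandom(16)
    _CREDENTIALS[_name] = (_salt, _hash_password(f"{_name}-demo", _salt))


def authenticate(user: str, password: str) -> bool:
    """Authentication: does the supplied password prove the claimed identity?"""
    entry = _CREDENTIALS.get(user)
    if entry is None:
        _hash_password(password, b"\x00" * 16)   # same cost for unknown users
        return False
    salt, expected = entry
    return hmac.compare_digest(expected, _hash_password(password, salt))


def authorized(user: str, operation: str, file: str) -> bool:
    """Authorization: may an already-authenticated user do this operation?"""
    if user not in ACCESS_MATRIX or file not in FILES or operation not in REQUIRED_CODE:
        return False
    granted = ACCESS_MATRIX[user][FILES.index(file)]
    return granted >= REQUIRED_CODE[operation]


def request(user: str, password: str, operation: str, file: str) -> str:
    """Run both controls in order and report which one, if any, refused."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not authorized(user, operation, file):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    print(request("Able", "Able-demo", "read", "customer_master"))
    print(request("Able", "Able-demo", "modify", "customer_master"))
    print(request("Ellen", "wrong", "read", "system_log"))
```

Note that a wrong password and a missing permission produce different refusals: the first is an authentication failure (identity not proven), the second an authorization failure (identity proven, action not permitted). Able's read-only code 1 on the customer file lets her check balances but not change credit limits, which is Baker's job under code 2.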

    P8.4 Which preventive, detective, and/or corrective controls would best mitigate the following threats?

    a. An employee’s laptop was stolen at the airport. The laptop contained personally identifying information about the company’s customers that could potentially be used to commit identity theft.

    Preventive: Policies against storing sensitive information on laptops and requiring that if any such information must exist on the laptop that it be encrypted.

    Training on how to protect laptops while travelling to minimize the risk of theft.

    Corrective: Installation of “phone home” software might help the organization either recover the laptop or remotely erase the information it contains.

    b. A salesperson successfully logged into the payroll system by guessing the payroll supervisor’s password.

    Preventive: Strong password requirements such as at least an 8 character length, use of multiple character types, random characters, and require that passwords be changed frequently.

    Detective: Locking out accounts after 3-5 unsuccessful login attempts; since this was a “guessing” attack, it may have taken more than a few attempts to login.

    c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.

    Preventive: Integrate physical and logical security. In this case, the system should reject any attempt by a user to log into the system remotely if that same user is already logged in from a physical workstation.

    Detective: Having the system notify appropriate security staff about such an incident.
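The controls for (b) and (c) above are small pieces of login logic: count failed attempts and lock the account, and refuse a remote login for a user who already has a session at a workstation inside the building, notifying security staff in both cases. The following added example (not from the textbook or its solutions) implements them together; the user names and passwords are constructed, and the threshold of 3 attempts is the low end of the 3-5 range the solution suggests.

```python
"""Controls for P8.4(b) and (c): lock an account after repeated failed
logins, and refuse a remote login for a user already logged in at a
workstation on the premises. Added example, not from the textbook; the user
names and passwords are constructed, the threshold is the solution's low end.
"""
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 3


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class LoginController:
    def __init__(self, passwords: dict):
        # Keep only salted hashes; the plaintext dict just seeds the demo.
        self._creds = {}
        for user, pw in passwords.items():
            salt = os.urandom(16)
            self._creds[user] = (salt, _hash(pw, salt))
        self.failed = {user: 0 for user in passwords}
        self.locked = set()
        self.sessions = {}        # user -> "local" or "remote"
        self.alerts = []          # detective control: what security staff are told

    def login(self, user: str, password: str, origin: str) -> str:
        if origin not in ("local", "remote"):
            raise ValueError("origin must be 'local' or 'remote'")
        if user in self.locked:
            self.alerts.append(f"attempt on locked account {user} from {origin}")
            return "locked"
        entry = self._creds.get(user)
        if entry is None:
            _hash(password, b"\x00" * 16)     # same cost for unknown users
            return "bad credentials"
        salt, expected = entry
        if not hmac.compare_digest(expected, _hash(password, salt)):
            # P8.4(b): a guessing attack burns attempts; lock before it succeeds.
            self.failed[user] += 1
            if self.failed[user] >= LOCKOUT_THRESHOLD:
                self.locked.add(user)
                self.alerts.append(f"{user} locked after {self.failed[user]} failed attempts")
                return "locked"
            return "bad credentials"
        # Credentials verified. P8.4(c): physical and logical security together.
        if origin == "remote" and self.sessions.get(user) == "local":
            self.alerts.append(f"remote login for {user} refused: already logged in at a workstation")
            return "refused: already logged in locally"
        self.failed[user] = 0
        self.sessions[user] = origin
        return "ok"

    def logout(self, user: str) -> None:
        self.sessions.pop(user, None)
```

The lockout is the preventive half of (b) and the alert list is the detective half: three wrong guesses at the payroll supervisor's password lock the account before the fourth, and every later attempt on the locked account is reported. In (c), the correct password alone is no longer enough from outside while the IT manager's workstation session is open.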

    d. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.

     Preventive: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam.

    Detective and corrective: Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system.

    e. A company’s programming staff wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.

    Preventive: Teach programmers secure programming practices, including the need to carefully check all user input.

    Management must support the commitment to secure coding practices, even if that means a delay in completing, testing, and deploying new programs.

    Detective: Make sure programs are thoroughly tested before being put into use.

    Have internal auditors routinely test in-house developed software.

    f. A company purchased the leading “off-the-shelf” e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.

    Preventive: Insist on secure code as part of the specifications for purchasing any 3rd party

    Thoroughly test the software prior to use.

    Employ a patch management program so that any vendor provided fixes and patches are immediately implemented.
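What the customer in (f) found is that the storefront pasted a form field straight into a SQL statement, so the field could change what the statement meant. The following added example (not the vendor's code, and not from the textbook) puts the vulnerable lookup beside the fixed one, with bound parameters as the real repair and an input allow-list as the extra layer that the "carefully check all user input" advice in (e) calls for. The customer table, its rows, the allow-list pattern and the inputs are constructed.

```python
"""P8.4(f): a storefront field pasted into SQL, and the fix (bound parameters
plus input validation). Added example, not the vendor's code; the table,
rows, allow-list and inputs are constructed.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, credit_limit INTEGER)")
    conn.executemany(
        "INSERT INTO customer (name, credit_limit) VALUES (?, ?)",
        [("Acme Ltd", 5000), ("Baker Bros", 2500), ("Charley & Co", 10000)],
    )
    return conn


def lookup_vulnerable(conn, name: str) -> list:
    # The user's text becomes part of the SQL, so it can change what the query means.
    sql = f"SELECT name, credit_limit FROM customer WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name: str) -> list:
    # The user's text is bound as a value; the statement's structure cannot change.
    return conn.execute(
        "SELECT name, credit_limit FROM customer WHERE name = ?", (name,)
    ).fetchall()


# Constructed allow-list for customer names: letters, digits, space and a few
# punctuation marks. Note that it deliberately permits an apostrophe (O'Brien).
NAME_RE = re.compile(r"[A-Za-z0-9 .,&'-]{1,60}")


def validate_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def lookup_hardened(conn, name: str) -> list:
    """Reject anything outside the allow-list first, then bind the value."""
    if not validate_name(name):
        raise ValueError("customer name contains characters that are not allowed")
    return lookup_parameterized(conn, name)
```

Run the same two inputs through both lookups: a real name returns one row either way, while a value that closes the quote and appends its own condition returns every row from the vulnerable version and nothing from the parameterized one. The allow-list alone is not the fix, since it has to admit apostrophes for legitimate names; binding the value is what removes the problem, and validation narrows what reaches the database on top of that.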

    g. Attackers broke into the company’s information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security.

    Preventive: Enact a policy that forbids installation of unauthorized wireless access points.

    Detective: Conduct routine audits for unauthorized or rogue wireless access points.

    Corrective: Sanction employees who violate policy and install rogue wireless access points.

    h. An employee picked up a USB drive in the parking lot and plugged it into their laptop to “see what was on it,” which resulted in a keystroke logger being installed on that laptop.

    Preventive: Security awareness training. Teach employees to never insert USB drives unless they are absolutely certain of their source.

    Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process.

    i. Once an attack on the company’s website was discovered, it took more than 30 minutes to determine who to contact to initiate response actions.

    Preventive: Document all members of the CIRT and their contact information.

    Practice the incident response plan.

    j. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company’s system by dialing into that modem.

    Preventive: Routinely check for unauthorized or rogue modems by dialing all telephone numbers assigned to the company and identifying those connected to modems.

    k. An attacker gained access to the company’s internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies.

    Preventive: Secure or lock all wiring closets.

    Require strong authentication of all attempts to log into the system from a wireless client.

    Employ an intrusion detection system.
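The routine audit for rogue access points recommended in (g), and the detection side of (k), comes down to comparing what a wireless survey sees against the inventory of access points central IT actually installed. The following added example (not from the textbook or its solutions) runs that comparison over a few survey lines, separating an unknown radio that advertises the corporate network name, an unknown radio with a signal too strong to be a neighbouring tenant, and a genuine neighbour. The survey lines, BSSIDs, SSIDs, site names and the inventory are all constructed, as is the -70 dBm on-premises threshold.

```python
"""P8.4(g) and (k): a routine audit for unauthorized (rogue) wireless access
points over wireless survey output. Added example, not from the textbook;
the survey lines, BSSIDs, SSIDs, sites and the inventory are constructed.
"""
import re

# Inventory of access points that central IT installed: BSSID -> (SSID, site).
AUTHORIZED_APS = {
    "00:1a:2b:3c:4d:01": ("CorpNet", "HQ floor 4"),
    "00:1a:2b:3c:4d:02": ("CorpNet", "Store 17"),
    "00:1a:2b:3c:4d:03": ("CorpGuest", "HQ floor 4"),
}
CORPORATE_SSIDS = {ssid for ssid, _site in AUTHORIZED_APS.values()}
ON_PREMISES_RSSI = -70     # constructed: stronger than this is probably in our space

# Constructed survey output, one observed access point per line.
SURVEY = """\
2014-09-20 11:54:03 site="HQ floor 4" bssid=00:1a:2b:3c:4d:01 ssid="CorpNet" channel=6 rssi=-41
2014-09-20 11:54:03 site="HQ floor 4" bssid=00:1a:2b:3c:4d:03 ssid="CorpGuest" channel=11 rssi=-48
2014-09-20 11:54:04 site="HQ floor 4" bssid=0c:9d:92:aa:bb:cc ssid="CorpNet" channel=1 rssi=-35
2014-09-20 11:54:04 site="HQ floor 4" bssid=d4:6e:0e:11:22:33 ssid="OtherTenant" channel=6 rssi=-82
2014-09-20 11:55:10 site="Store 17" bssid=00:1a:2b:3c:4d:02 ssid="CorpGuest" channel=6 rssi=-44
2014-09-20 11:55:10 site="Store 17" bssid=f0:9f:c2:55:66:77 ssid="Register-WiFi" channel=9 rssi=-39
"""

LINE_RE = re.compile(
    r'site="(?P<site>[^"]+)" bssid=(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) '
    r'ssid="(?P<ssid>[^"]*)" channel=(?P<channel>\d+) rssi=(?P<rssi>-?\d+)'
)


def classify(site: str, bssid: str, ssid: str, rssi: int) -> str:
    """Return 'authorized', 'misconfigured', 'evil-twin', 'rogue' or 'neighbor'."""
    if bssid in AUTHORIZED_APS:
        expected_ssid, expected_site = AUTHORIZED_APS[bssid]
        if (ssid, site) == (expected_ssid, expected_site):
            return "authorized"
        return "misconfigured"        # our radio, but not where or what the inventory says
    if ssid in CORPORATE_SSIDS:
        return "evil-twin"            # unknown device advertising our network name
    if rssi > ON_PREMISES_RSSI:
        return "rogue"                # unknown device with a signal too strong to be next door
    return "neighbor"                 # weak signal: probably another tenant's network


def audit(survey: str) -> list:
    """Parse the survey and return every observation that needs follow-up."""
    findings = []
    for line in survey.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                  # unparseable line; a real audit would log it
        verdict = classify(m["site"], m["bssid"], m["ssid"], int(m["rssi"]))
        if verdict != "authorized":
            findings.append((verdict, m["site"], m["bssid"], m["ssid"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SURVEY):
        print(*finding)
```

The sample survey yields four findings and one clean line: an unknown radio on the fourth floor advertising "CorpNet" (the wiring-closet device of (k)), a weak "OtherTenant" network that is simply a neighbour in the shared building, the Store 17 access point broadcasting the wrong SSID, and a strong unknown "Register-WiFi" radio in the store (the manager's own purchase from (g)). Only the first and last two need someone to go and look; the inventory lookup is what makes that distinction possible, which is why keeping it current is part of the control.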
