Chapter 8 Solutions
Q8.4 What is the difference between authentication and authorization?
Authentication and authorization are two related controls designed to restrict access to an
organization’s information systems and resources.
The objective of authentication is to verify the claimed identity of someone attempting to obtain
The objective of authorization is to limit what an authenticated user can do once they have been
P8.1 Match the following terms with their definitions:

Terms (answer in the blank):
__d__ 1. Vulnerability
__s__ 2. Exploit
__b__ 3. Authentication
__m__ 4. Authorization
__f__ 5. Demilitarized zone (DMZ)
__t__ 6. Deep packet inspection
__o__ 7. Router
__j__ 8. Social engineering
__k__ 9. Firewall
__n__ 10. Hardening
__l__ 11. CIRT
__a__ 12. Patch
__u__ 13. Virtualization
__i__ 14. Transmission Control Protocol (TCP)
__q__ 15. Static packet filtering
__g__ 16. Border router
__p__ 17. Vulnerability scan
__e__ 18. Penetration test
__r__ 19. Patch management
__v__ 20. Cloud computing

Definitions:
a. Code that corrects a flaw in a program.
b. Verification of claimed identity.
c. The firewall technique that filters traffic by comparing the information in packet headers to a table of established connections.
d. A flaw or weakness in a program.
e. A test to determine the time it takes to compromise a system.
f. A subnetwork that is accessible from the Internet but separate from the organization’s
g. The device that connects the organization to the Internet.
h. The rules (protocol) that govern routing of packets across networks.
i. The rules (protocol) that govern the division of a large file into packets and subsequent reassembly of the file from those
j. An attack that involves deception to
k. A device that provides perimeter security by filtering packets.
l. The set of employees assigned responsibility for resolving problems and
m. Restricting the actions that a user is permitted to perform.
n. Improving security by removal or disabling of unnecessary programs and features.
o. A device that uses the Internet Protocol (IP) to send packets across networks.
p. A detective control that identifies weaknesses in devices or software.
q. A firewall technique that filters traffic by examining the packet header of a single packet in isolation.
r. The process of applying code supplied by a vendor to fix a problem in that vendor’s
s. Software code that can be used to take advantage of a flaw and compromise a system.
t. A firewall technique that filters traffic by examining not just packet header information but also the contents of a packet.
u. The process of running multiple machines on one physical server.
v. An arrangement whereby a user remotely accesses software, hardware, or other resources via a browser.
P8.3 The following table lists the actions that various employees are permitted to perform:
Employee Permitted actions
Able Check customer account balances
Check inventory availability
Baker Change customer credit limits
Charley Update inventory records for sales and purchases
Denise Add new customers
Delete customers whose accounts have been written off as uncollectible
Add new inventory items
Remove discontinued inventory items
Ellen Review audit logs of employee actions
Complete the following access control matrix so that it enables each employee to perform those specific activities:
Employee    Customer      Inventory     Payroll       System
            Master File   Master File   Master File   Log Files
Able        1             1             0             0
Baker       2             0             0             0
Charley     0             2             0             0
Denise      3             3             0             0
Ellen       0             0             0             1

Use the following codes:
0 = no access
1 = read only access
2 = read and modify records
3 = read, modify, create, and delete records
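The matrix above encoded as data, with a default-deny authorization check over it. This is an added example, not part of the textbook solution: the employee names, file names and the access codes 0-3 come from the problem, while the function names and the mapping from actions ("read", "modify", "create", "delete") to the lowest code that permits them are this example's own assumptions. The check also makes the Q8.4 distinction concrete: it takes an identity that authentication is assumed to have already verified and decides only what that identity may do.

```python
"""Added example (not part of the textbook solution): the P8.3 access control
matrix as data, plus a default-deny authorization check over it.

Employee names, file names and access codes 0-3 come from the problem; the
function names and the action-to-code mapping are this example's own."""

NO_ACCESS, READ, READ_MODIFY, FULL = 0, 1, 2, 3

# Completed matrix: employee -> file -> access code (the table above).
ACCESS_MATRIX = {
    "Able":    {"customer": READ,        "inventory": READ,        "payroll": NO_ACCESS, "log": NO_ACCESS},
    "Baker":   {"customer": READ_MODIFY, "inventory": NO_ACCESS,   "payroll": NO_ACCESS, "log": NO_ACCESS},
    "Charley": {"customer": NO_ACCESS,   "inventory": READ_MODIFY, "payroll": NO_ACCESS, "log": NO_ACCESS},
    "Denise":  {"customer": FULL,        "inventory": FULL,        "payroll": NO_ACCESS, "log": NO_ACCESS},
    "Ellen":   {"customer": NO_ACCESS,   "inventory": NO_ACCESS,   "payroll": NO_ACCESS, "log": READ},
}

# Lowest code that permits each action (assumed mapping). The codes are
# cumulative: 3 includes everything 2 allows, and 2 includes everything 1 allows.
REQUIRED_CODE = {"read": READ, "modify": READ_MODIFY, "create": FULL, "delete": FULL}


def is_authorized(employee, file, action):
    """Return True only when the matrix grants `employee` at least the code
    that `action` needs on `file`.

    `employee` is assumed to be an identity that authentication has already
    verified (Q8.4): this function decides what that identity may do, not
    who it is. Anything unknown (employee, file or action) is denied."""
    required = REQUIRED_CODE.get(action)
    if required is None:
        return False
    granted = ACCESS_MATRIX.get(employee, {}).get(file, NO_ACCESS)
    return granted >= required


def acl_for_file(file):
    """Invert the matrix for one resource: {employee: code} for every
    employee with any access to `file`. This per-object view is what an
    auditor compares against the 'permitted actions' table."""
    return {emp: row[file] for emp, row in ACCESS_MATRIX.items()
            if row.get(file, NO_ACCESS) > NO_ACCESS}


def decide(requests):
    """Evaluate (employee, file, action) requests in order and return
    (employee, file, action, allowed) for each."""
    return [(emp, file, action, is_authorized(emp, file, action))
            for emp, file, action in requests]


if __name__ == "__main__":
    # Constructed requests: each employee's permitted action plus overreaches.
    sample = [
        ("Able", "customer", "read"),
        ("Able", "customer", "modify"),
        ("Baker", "customer", "modify"),
        ("Denise", "customer", "delete"),
        ("Ellen", "log", "read"),
        ("Ellen", "payroll", "read"),
        ("Mallory", "customer", "read"),  # identity not in the matrix
    ]
    for emp, file, action, ok in decide(sample):
        print(f"{emp:8s} {action:7s} {file:10s} -> {'ALLOW' if ok else 'DENY'}")
```

Two design points worth noting: the lookup defaults to `NO_ACCESS` at every step, so a misspelled employee or file name produces a denial rather than an exception or an accidental grant, and the action-to-code mapping is kept separate from the matrix, so the question "is 2 enough to delete?" is answered in one place rather than at every call site.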
P8.4 Which preventive, detective, and/or corrective controls would best mitigate the following threats?
a. An employee’s laptop was stolen at the airport. The laptop contained personally identifying information about the company’s customers that could potentially be used to commit
Preventive: Policies against storing sensitive information on laptops and requiring that if any such information must exist on the laptop that it be encrypted.
Training on how to protect laptops while travelling to minimize the risk of theft.
Corrective: Installation of “phone home” software might help the organization either recover the laptop or remotely erase the information it contains.
b. A salesperson successfully logged into the payroll system by guessing the payroll supervisor’s password.
Preventive: Strong password requirements such as a minimum length of at least 8 characters, use of multiple character types, non-dictionary (random) characters rather than names or words that can be guessed, and a requirement that passwords be changed periodically.
Detective: Locking out accounts after 3-5 unsuccessful login attempts, and logging and alerting on the failed attempts; since this was a “guessing” attack, it probably took more than a few attempts to log in, and the lockout also stops the guessing before it succeeds.
c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.
Preventive: Integrate physical and logical security. In this case, the system should reject any attempt to log in remotely by a user who is already logged in at a physical workstation.
Detective: Having the system notify appropriate security staff about such an incident.
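The detective controls in answers b and c, as a check run over a stream of login events. This is an added example and not part of the textbook solution; the log line format, the host addresses, the user names, the 3-failure threshold and the 10-minute window are all this example's own assumptions (no real vendor's log format is implied). For threat b it counts failed logins per account inside a sliding window and raises a lockout alert at the threshold; for threat c it tracks who currently has a console session and flags a remote (VPN) login by a user who is still logged in at a workstation, which is exactly the login the answer says the system should refuse.

```python
"""Added example (not part of the textbook solution): the detective controls
for threats b and c as a check run over login events.

The log format, host addresses, user names and thresholds below are this
example's own assumptions; nothing here is a real vendor's log format."""
import re
from datetime import datetime, timedelta

# One event per line: timestamp, event type, user, source address, access path.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|LOGOUT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) via=(?P<via>console|vpn)$"
)

FAIL_THRESHOLD = 3                   # "3-5 unsuccessful login attempts" (answer b)
FAIL_WINDOW = timedelta(minutes=10)  # failures older than this no longer count


def analyze(lines, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Walk the events in order and return (alerts, unparsable_lines), where
    alerts are tuples of:
       ("LOCKOUT", user, src)            - `threshold` failures within `window`
       ("CONCURRENT_REMOTE", user, src)  - vpn login while the same user still
                                           has a console session (answer c)
    Unparsable lines are returned rather than silently dropped."""
    failures = {}          # user -> timestamps of recent failed attempts
    console_sessions = {}  # user -> src of the workstation they are logged in at
    alerts, bad_lines = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            bad_lines.append(line)
            continue
        ts = datetime.fromisoformat(m["ts"])
        user, src, via, event = m["user"], m["src"], m["via"], m["event"]
        if event == "LOGIN_FAIL":
            recent = [t for t in failures.get(user, []) if ts - t <= window]
            recent.append(ts)
            failures[user] = recent
            if len(recent) >= threshold:
                alerts.append(("LOCKOUT", user, src))
                failures[user] = []  # the lockout itself resets the counter
        elif event == "LOGIN_OK":
            failures.pop(user, None)
            if via == "console":
                console_sessions[user] = src
            elif user in console_sessions:
                # Answer c: the user is at a workstation, so this "remote"
                # login is someone else using the credentials.
                alerts.append(("CONCURRENT_REMOTE", user, src))
        elif event == "LOGOUT" and via == "console":
            console_sessions.pop(user, None)
    return alerts, bad_lines


# Constructed sample log covering both threats plus two non-alerting cases:
# clerk's two failures are 30 minutes apart (outside the window), and itmgr's
# second VPN login happens only after the console logout.
SAMPLE_LOG = """\
2024-03-04T08:00:00 LOGIN_FAIL user=clerk src=10.1.7.3 via=console
2024-03-04T08:30:00 LOGIN_FAIL user=clerk src=10.1.7.3 via=console
2024-03-04T09:00:00 LOGIN_OK user=itmgr src=10.1.2.9 via=console
2024-03-04T09:05:10 LOGIN_FAIL user=psuper src=10.1.5.22 via=console
2024-03-04T09:05:25 LOGIN_FAIL user=psuper src=10.1.5.22 via=console
2024-03-04T09:05:41 LOGIN_FAIL user=psuper src=10.1.5.22 via=console
2024-03-04T09:06:02 LOGIN_OK user=psuper src=10.1.5.22 via=console
2024-03-04T09:40:00 LOGIN_OK user=itmgr src=203.0.113.7 via=vpn
2024-03-04T10:00:00 LOGOUT user=itmgr src=10.1.2.9 via=console
2024-03-04T10:05:00 LOGIN_OK user=itmgr src=203.0.113.7 via=vpn
garbage line that does not parse
""".splitlines()


def run_sample():
    """Run the detector over the constructed log."""
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    found, unparsed = run_sample()
    for alert in found:
        print(alert)
    print(f"{len(unparsed)} unparsable line(s)")
```

The sample deliberately includes the salesperson's successful login after the third failure: a detector only reports it, which is why answer b pairs the alert with an actual lockout, and why answer c calls for the system to reject the concurrent remote login rather than merely notify staff about it.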
d. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.
Preventive: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam.
Detective and corrective: Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system.
e. A company’s programming staff wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.
Preventive: Teach programmers secure programming practices, including the need to carefully check all user input.
Management must support the commitment to secure coding practices, even if that means a delay in completing, testing, and deploying new programs.
Detective: Make sure programs are thoroughly tested, including with over-long and malformed input, before being put into use.
Have internal auditors routinely test in-house developed software.
f. A company purchased the leading “off-the-shelf” e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.
Preventive: Insist on secure code as part of the specifications for purchasing any 3rd party
Thoroughly test the software prior to use.
Employ a patch management program so that any vendor provided fixes and patches are immediately implemented.
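The input check that answer e calls for and the flaw that answer f describes, side by side with the fix, as an added example that is not part of the textbook solution. Python's built-in sqlite3 stands in for the inventory database; the table layout, the sample rows, the 120-character address limit and the character whitelist are this example's own assumptions. The buffer overflow in e is a native-code defect, so the Python only shows the bounds-and-content check on the ship-to address, not the overflow itself. For f, the vulnerable lookup pastes the customer's text into the SQL, so a crafted value rewrites the query; the parameterized lookup sends the value separately, so the same text is only ever compared against the sku column.

```python
"""Added example (not part of the textbook solution): the input check that
answer e calls for and the query flaw in answer f beside its fix, using
Python's built-in sqlite3 as a stand-in for the inventory database.

The table layout, sample rows, address length limit and character whitelist
are this example's own assumptions."""
import re
import sqlite3

MAX_SHIP_TO_LEN = 120  # assumed: sized to the address column, never to the input
SHIP_TO_RE = re.compile(r"[A-Za-z0-9 ,.'#/-]+")  # assumed whitelist; no control chars


def validate_ship_to(address):
    """Answer e: check all user input. Accept only a non-empty string within
    the column's length limit and made of whitelisted characters."""
    if not isinstance(address, str):
        return False
    if not 1 <= len(address) <= MAX_SHIP_TO_LEN:
        return False
    return SHIP_TO_RE.fullmatch(address) is not None


def make_db():
    """Constructed in-memory database: an inventory table the storefront is
    meant to query and a customer table it is not."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (sku TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO inventory VALUES (?, ?)",
                     [("A100", 5), ("B200", 0), ("C300", 12)])
    conn.execute("CREATE TABLE customers (name TEXT, credit_limit INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("Acme Ltd", 5000), ("Zed Inc", 250)])
    return conn


def lookup_vulnerable(conn, sku):
    """Answer f, the flaw: the customer's text is concatenated into the SQL,
    so it can change the query instead of just the value being compared."""
    sql = "SELECT sku, qty FROM inventory WHERE sku = '" + sku + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, sku):
    """The fix: the value travels separately from the SQL text, so whatever
    the customer types is only ever compared against the sku column."""
    return conn.execute(
        "SELECT sku, qty FROM inventory WHERE sku = ?", (sku,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' UNION SELECT name, credit_limit FROM customers --"
    print("vulnerable:   ", lookup_vulnerable(db, payload))     # customer table leaks
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print(validate_ship_to("12 Main St, Springfield"), validate_ship_to("A" * 121))
```

Note that the whitelist is a defence in depth for the address field, not the fix for f: an apostrophe is a legitimate character in an address ("O'Brien Rd"), and the parameterized query handles it safely, whereas the concatenated query breaks on it even when nobody is attacking.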
g. Attackers broke into the company’s information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security.
Preventive: Enact a policy that forbids installation of unauthorized wireless access points.
Detective: Conduct routine audits for unauthorized or rogue wireless access points.
Corrective: Sanction employees who violate policy and install rogue wireless access points.
h. An employee picked up a USB drive in the parking lot and plugged it into their laptop to “see what was on it,” which resulted in a keystroke logger being installed on that laptop.
Preventive: Security awareness training. Teach employees to never insert USB drives unless they are absolutely certain of their source. Technical controls that block or restrict removable storage devices on company laptops remove the reliance on employee judgement.
Detective and corrective: Anti-spyware software that automatically checks for and cleans all detected spyware on an employee's computer as part of the logon process.
i. Once an attack on the company’s website was discovered, it took more than 30 minutes to determine who to contact to initiate response actions.
Preventive: Document all members of the CIRT and their contact information.
Practice the incident response plan.
j. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company’s system by dialing into that modem.
Preventive: Enact a policy that forbids connecting unauthorized modems to office workstations, and provide an approved remote-access method so employees have no reason to install their own.
Detective: Routinely check for unauthorized or rogue modems by dialing all telephone numbers assigned to the company and identifying those connected to modems.
k. An attacker gained access to the company’s internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies.
Preventive: Secure or lock all wiring closets.
Require strong authentication of all attempts to log into the system from a wireless client.
Detective: Employ an intrusion detection system, and routinely audit for unauthorized or rogue wireless access points.