Which preventive, detective, and/or corrective controls would best mitigate the following threats?

a. An employee's laptop was stolen at the airport. The laptop contained personally identifying information about the company's customers that could potentially be used to commit identity theft.
b. A salesperson successfully logged into the payroll system by guessing the payroll supervisor's password.
c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.
d. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.
e. The director of R&D quit abruptly after an argument with the CEO. The company cannot access any of the files about several new projects because the R&D director had encrypted them before leaving.
f. A company wrote custom code for the shopping cart feature on its Web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.
g. A company purchased the leading "off-the-shelf" e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.
h. Attackers broke into the company's information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security.
i. An employee picked up a USB drive in the parking lot and plugged it into their laptop to "see what was on it," which resulted in a keystroke logger being installed on that laptop.
j. A competitor intercepted the company's bid for a lucrative contract that was emailed to the local government's Web site. The competitor used the information contained in the email to successfully underbid and win the contract.
k. When an earthquake destroyed the company's main data center, the CIO spent half a day trying to figure out who in the organization needed to be contacted in order to implement the company's cold site agreement.
l. Although logging was enabled, the information security staff did not review the logs early enough to detect and stop an attack that resulted in the theft of information about a new strategic initiative.
m. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company's system by dialing into that modem.
n. An attacker gained access to the company's internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies.

Solution Preview

a. An employee's laptop was stolen at the airport. The laptop contained personally identifying information about the company's customers that could potentially be used to commit identity theft.
- All of the data stored on the company's computers should have been encrypted. If the company did not want to go through the time or trouble of encrypting all data, there should have been a minimum policy that any laptop that leaves the office encrypts data automatically, due to the risk of it leaving the office.

b. A salesperson successfully logged into the payroll system by guessing the payroll supervisor's password.
- We know that the employee guessed, but we do not know how many tries it took the employee to guess the correct password. The employee should have been locked out after a minimum number of unsuccessful attempts (three is an average number of attempts). In addition, if the employee was able to guess the manager's password, it indicates that the password was not secure enough. The company should have a policy where the password must be a mix of characters, letters, and numbers of a minimum length. Passwords that are too short (4 characters and under) are easier to guess than longer passwords.

c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.
- There is a twofold solution to this situation. If the manager was already logged in, the company should have a control set where a second user cannot log in to the database while the user is already logged in. If the manager is logged in and another user attempts to enter the database at the same time from a remote location, the log-in attempt by the second person should automatically generate a notification to an executive or another person in a position of authority to notify the appropriate personnel of the attempt.

d. An employee received an email purporting to be ...
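
The lockout control from answer (b) and the single-session control with notification from answer (c), sketched as an added example that is not part of the original solution. The event tuples, account names, host names and addresses are constructed, and the `alerts` list stands in for whatever notification channel the company uses.

```python
from collections import defaultdict

MAX_FAILURES = 3  # lockout threshold suggested in answer (b)

# Constructed sample events: (user, source, action, credentials_ok)
EVENTS = [
    ("payroll_sup", "10.0.4.21", "login", False),
    ("payroll_sup", "10.0.4.21", "login", False),
    ("payroll_sup", "10.0.4.21", "login", False),
    ("payroll_sup", "10.0.4.21", "login", True),    # correct guess, account already locked
    ("it_manager", "hq-ws-17", "login", True),
    ("it_manager", "203.0.113.50", "login", True),  # remote login while HQ session is open
    ("it_manager", "hq-ws-17", "logout", True),
    ("it_manager", "hq-ws-17", "login", True),
]

def process(events, max_failures=MAX_FAILURES):
    """Return (decisions, alerts) for a stream of authentication events."""
    failures = defaultdict(int)  # consecutive failed logins per user
    locked = set()               # accounts awaiting an administrator reset
    active = {}                  # user -> source of the currently open session
    decisions, alerts = [], []
    for user, source, action, ok in events:
        if action == "logout":
            if active.get(user) == source:
                del active[user]
            decisions.append("logout")
        elif user in locked:
            # Preventive: a locked account rejects even the correct password.
            decisions.append("deny:locked")
        elif not ok:
            failures[user] += 1
            if failures[user] >= max_failures:
                locked.add(user)
                alerts.append(f"lockout: {user} after {failures[user]} failures from {source}")
            decisions.append("deny:bad_password")
        elif user in active:
            # Preventive + detective: refuse the second session and notify someone.
            alerts.append(f"concurrent login: {user} from {source} while active on {active[user]}")
            decisions.append("deny:concurrent")
        else:
            failures[user] = 0
            active[user] = source
            decisions.append("allow")
    return decisions, alerts

if __name__ == "__main__":
    for line in process(EVENTS)[1]:
        print(line)
```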
