Grade: 10/10
Accounting Information Systems
Ahmed Alamri
900181435
CHAPTER 8 Assignment
INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY
Part 1: Information Security
8.2 Install and run the latest version of the Microsoft Baseline Security Analyzer on
your home computer or laptop. Write a report explaining the weaknesses identified
by the tool and how to best correct them. Attach a copy of the MBSA output to your
report.
I believe you provided your own solutions, but it was required to report on the
corrections that appear from the program.
8-1
Ch. 8: Information System Controls for Systems Reliability
1) Weakness: Local Account Password Test: Some user accounts have blank or simple
passwords or could not be analyzed.
Correction: Adopt a strong password policy. This is one of the most effective ways to
ensure system security.
2) Weakness: Windows Firewall disabled: Disabling the firewall leaves a business
vulnerable to abuse, allowing viruses to infect interconnected devices and giving
cybercriminals the opportunity to execute malicious code remotely.
Correction: Enable the Windows Firewall.
3) Weakness: Incomplete Updates: This check determines whether the system has a
software update installed that required a system restart that has not yet taken place. This
is flagged in the scan report as a potential vulnerability, because if the update was for
security purposes, it may not be providing needed protection until the restart has
completed.
Correction: Check for pending or incomplete updates and complete them, restarting the
system where the update requires it.
4) Weakness: Password Expiration: This check determines whether any local accounts have
passwords that do not expire. Each local user account that has a password that does not
expire will be listed in the security scan report, with the exception of any user accounts
specified in the [Link] file in the MBSA installation folder.
Correction: Passwords should be changed regularly to prevent password attacks.
8.3 The following table lists the actions that various employees are permitted to perform:

Employee   Permitted actions
Able       Check customer account balances
           Check inventory availability
Baker      Change customer credit limits
Charley    Update inventory records for sales and purchases
Denise     Add new customers
           Delete customers whose accounts have been written off as uncollectible
           Add new inventory items
           Remove discontinued inventory items
Ellen      Review audit logs of employee actions
Complete the following access control matrix so that it enables each employee to perform
those specific activities:

Employee   Customer Master File   Inventory Master File   Payroll Master File   System Log Files
Able       1                      1                       0                     0
Baker      2                      0                       0                     0
Charley    0                      2                       0                     0
Denise     3                      3                       0                     0
Ellen      0                      0                       0                     1

Use the following codes:
0 = no access
1 = read only access
2 = read and modify records
3 = read, modify, create, and delete records
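The completed matrix above, as an added example that is not part of the assignment: it encodes the access codes and the matrix, mediates requests with a fail-closed check, and audits the matrix against the permitted-actions table so that no cell grants more (or less) than the table requires. File and action names are assumptions chosen for the example.

```python
# Added example (not part of the assignment): encode the 8.3 access control
# matrix and check it against the permitted-actions table for least privilege.
CODE_RIGHTS = {  # access codes exactly as the assignment defines them
    0: frozenset(),
    1: frozenset({"read"}),
    2: frozenset({"read", "modify"}),
    3: frozenset({"read", "modify", "create", "delete"}),
}
FILES = ("customer", "inventory", "payroll", "syslog")  # assumed column names

# Completed matrix from the assignment: one tuple per employee, columns = FILES.
MATRIX = {
    "Able": (1, 1, 0, 0), "Baker": (2, 0, 0, 0), "Charley": (0, 2, 0, 0),
    "Denise": (3, 3, 0, 0), "Ellen": (0, 0, 0, 1),
}
# Permitted actions from the assignment's table, as (action, file) pairs.
REQUIRED = {
    "Able": {("read", "customer"), ("read", "inventory")},
    "Baker": {("modify", "customer")},
    "Charley": {("modify", "inventory")},
    "Denise": {("create", "customer"), ("delete", "customer"),
               ("create", "inventory"), ("delete", "inventory")},
    "Ellen": {("read", "syslog")},
}

def is_permitted(employee, action, file):
    """Reference-monitor check: fail closed for unknown subjects or objects."""
    row = MATRIX.get(employee)
    if row is None or file not in FILES:
        return False
    return action in CODE_RIGHTS[row[FILES.index(file)]]

def minimal_code(actions):
    """Smallest access code whose rights cover every action in `actions`."""
    return min(c for c, rights in CODE_RIGHTS.items() if actions <= rights)

def audit_matrix(matrix=MATRIX, required=REQUIRED):
    """Return (missing, excess): entitlements the table needs but the matrix
    denies, and cells that grant more than the table requires (least privilege)."""
    missing, excess = [], []
    for emp, needs in required.items():
        for file in FILES:
            needed = {a for a, f in needs if f == file}
            want = minimal_code(needed)
            have = matrix.get(emp, (0,) * len(FILES))[FILES.index(file)]
            if have < want:
                missing.append((emp, file, want, have))
            elif have > want:
                excess.append((emp, file, want, have))
    return missing, excess
```

Running `audit_matrix()` on the matrix as completed returns two empty lists; changing any cell shows up as a missing or excess entitlement.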
8.4 Which preventive, detective, and/or corrective controls would best mitigate the
following threats?
a. An employee’s laptop was stolen at the airport. The laptop contained personally
identifying information about the company’s customers that could potentially be
used to commit identity theft.
Preventive: Policies prohibiting the storage of sensitive information on laptops
and demanding encryption of any such information that must exist on the laptop.
Training on how to protect computers from theft when travelling.
Corrective: By installing certain software, the organization may be able to reclaim
the laptop or remotely wipe its contents.
b. A salesperson successfully logged into the payroll system by guessing the payroll
supervisor’s password.
Preventive: Require strong passwords with a minimum length (10 characters, for
example), a mix of character types, and unique characters, and require that
passwords be changed often.
Detective: Lock accounts after 3-5 failed login attempts, since repeated failures
indicate a possible password-guessing attempt by an outsider or hacker.
c. A criminal remotely accessed a sensitive database using the authentication
credentials (user ID and strong password) of an IT manager. At the time the attack
occurred, the IT manager was logged into the system at his workstation at company
headquarters.
Preventive: The system should deny any remote login attempt by a user who is
already logged in from a physical workstation.
Detective: Have the system notify the appropriate security personnel whenever
such an occurrence is detected.
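The detective controls proposed for items b and c, as an added example that is not part of the assignment: it runs over a constructed authentication log, locks an account once consecutive failures reach a threshold, and raises an alert when a user who already holds a workstation session logs in remotely. The log format, account names and the threshold of 5 are assumptions.

```python
# Added example (not part of the assignment): detective controls for 8.4(b)
# and 8.4(c) run over a constructed authentication log. The log format, the
# account names and the lockout threshold are assumptions, not from the page.
from collections import defaultdict

LOCKOUT_THRESHOLD = 5   # within the 3-5 range the answer suggests
# Constructed sample log lines: "time user event source".
SAMPLE_LOG = """\
09:00:01 itmanager   LOGIN_OK   workstation
09:02:10 psupervisor LOGIN_FAIL remote
09:02:15 psupervisor LOGIN_FAIL remote
09:02:21 psupervisor LOGIN_FAIL remote
09:02:30 psupervisor LOGIN_FAIL remote
09:02:36 psupervisor LOGIN_FAIL remote
09:03:02 psupervisor LOGIN_OK   remote
09:07:45 itmanager   LOGIN_OK   remote
09:10:00 itmanager   LOGOUT     workstation
""".splitlines()

def parse(line):
    ts, user, event, source = line.split()
    return ts, user, event, source

def analyze(lines, threshold=LOCKOUT_THRESHOLD):
    """Return (locked, alerts).  locked: accounts whose consecutive failures
    reached the threshold (8.4b).  alerts: remote logins for a user who already
    holds a workstation session (8.4c), for notification of security staff."""
    failures = defaultdict(int)
    local_sessions = set()
    locked, alerts = set(), []
    for ts, user, event, source in map(parse, lines):
        if event == "LOGIN_FAIL":
            failures[user] += 1
            if failures[user] >= threshold:
                locked.add(user)
        elif event == "LOGIN_OK":
            if user in locked:
                # A success on a locked account means the lockout was not
                # enforced at the authentication server; flag it as well.
                alerts.append(f"{ts} login on locked account {user}")
            failures[user] = 0   # a success resets the consecutive counter
            if source == "workstation":
                local_sessions.add(user)
            elif source == "remote" and user in local_sessions:
                alerts.append(f"{ts} remote login for {user} while logged in "
                              "at a workstation; notify security")
        elif event == "LOGOUT" and source == "workstation":
            local_sessions.discard(user)
    return locked, sorted(alerts)
```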
d. An employee received an email purporting to be from her boss informing her of an
important new attendance policy. When she clicked on a link embedded in the email
to view the new policy, she infected her laptop with a keystroke logger.
Preventive: The best method to avoid such issues is via security awareness.
Employees should be educated about this kind of sophisticated phishing attack.
Detective and corrective: Anti-spyware software that examines and cleans all
identified spyware on an employee's PC automatically as part of the login
procedure for accessing a company's information system.
e. A company’s programming staff wrote custom code for the shopping cart feature on
its web site. The code contained a buffer overflow vulnerability that could be
exploited when the customer typed in the ship-to address.
Preventive: Instruct programmers in secure programming methods, emphasizing
the need to thoroughly check all user input. Management must commit to secure
coding techniques, even if it means delaying the completion, testing, and
deployment of new programmes.
Detective: Ensure that programmes are adequately tested before being
implemented. Internal auditors should test in-house produced software on a
regular basis.
f. A company purchased the leading “off-the-shelf” e-commerce software for linking
its electronic storefront to its inventory database. A customer discovered a way to
directly access the back-end database by entering appropriate SQL code.
Preventive: Require secure code as part of the requirements for any third-party
software. Test the programme thoroughly before putting it into use. Use patch
management software to ensure that supplier fixes and patches are deployed
promptly.
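The flaw in item f and the input check item e calls for, as an added example that is not part of the assignment: a constructed in-memory SQLite inventory lookup built by string concatenation, beside the corrected version that validates the input and binds it as a parameter. The schema, sample rows and SKU format are assumptions.

```python
# Added example (not part of the assignment): the 8.4(f) flaw reproduced on a
# constructed in-memory SQLite inventory table, beside the corrected lookup
# and an input check of the kind 8.4(e) calls for. Schema and data are assumed.
import re
import sqlite3

SKU_PATTERN = re.compile(r"^[A-Z]\d{3}$")   # assumed format for a valid SKU

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE inventory (sku TEXT, name TEXT, qty INTEGER)")
    db.executemany("INSERT INTO inventory VALUES (?, ?, ?)",
                   [("A100", "Widget", 5), ("B200", "Gadget", 0)])
    return db

def lookup_vulnerable(db, sku):
    # Concatenating untrusted input lets it change the query's structure,
    # which is how a customer reaches the back-end database directly.
    sql = "SELECT name, qty FROM inventory WHERE sku = '" + sku + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, sku):
    # Reject anything that is not shaped like a SKU before it reaches the DB.
    if not SKU_PATTERN.match(sku):
        return []
    # A bound parameter is passed as data; it can never add SQL clauses.
    return db.execute(
        "SELECT name, qty FROM inventory WHERE sku = ?", (sku,)).fetchall()

# Constructed input: a tautology that makes the WHERE clause always true.
PROBE = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PROBE))   # every row in the table
    print(lookup_safe(db, PROBE))         # []
```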
g. Attackers broke into the company’s information system through a wireless access
point located in one of its retail stores. The wireless access point had been purchased
and installed by the store manager without informing central IT or security.
Preventive: Adopt a policy prohibiting the installation of unauthorized wireless
access points.
Detective: Conduct frequent audits for the presence of unauthorized or rogue
wireless access points.
Corrective: Sanction employees who breach the policy and install rogue wireless
access points.
h. An employee picked up a USB drive in the parking lot and plugged it into their
laptop to “see what was on it,” which resulted in a keystroke logger being installed
on that laptop.
Preventive: Train staff never to plug USB devices into computers unless they
are certain of their source. Also use anti-spyware software that scans for and
removes any spyware discovered on an employee's PC during the login
process.
i. Once an attack on the company’s website was discovered, it took more than 30
minutes to determine who to contact to initiate response actions.
Preventive: Maintain up-to-date contact information for the IT staff who handle
such incidents and make it available in case of emergency so that the response
is prompt.
j. To facilitate working from home, an employee installed a modem on his office
workstation. An attacker successfully penetrated the company’s system by dialing
into that modem.
Preventive: Conduct routine checks for unauthorized or rogue modems by phoning
all company-assigned telephone numbers and identifying those answered by
modems.
k. An attacker gained access to the company’s internal network by installing a wireless
access point in a wiring closet located next to the elevators on the fourth floor of a
high-rise office building that the company shared with seven other companies.
Preventive: Secure or lock all wiring closets as a precaution. Require strong
authentication for every attempt to log into the system through a wireless
client.