
Which preventive, detective and/or corrective controls would best mitigate the f


Question

Which preventive, detective and/or corrective controls would best mitigate the following threats?

1 A salesperson successfully logged into the payroll system by guessing the payroll supervisor's password.

2 An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.

3 A company purchased the leading "off the shelf" e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.

4 An employee picked up a USB drive in the parking lot and plugged it into his laptop to "see what was on it". As a result, a keystroke logger was installed on that laptop.

5 To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company's system by dialling into that modem.

Explanation / Answer

Which preventive, detective and/or corrective controls would best mitigate the following threats?

1 A salesperson successfully logged into the payroll system by guessing the payroll supervisor's password.

Preventive: Strong password requirements, such as a length of at least 8 characters, use of multiple character types, random characters, and a requirement that passwords be changed frequently.

Detective: Locking out accounts after 3-5 unsuccessful login attempts; since this was a "guessing" attack, it may have taken more than a few attempts to log in.

2 An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.

Preventive: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam.

Detective and corrective: Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system.

3 A company purchased the leading "off the shelf" e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.

Preventive: Insist on secure code as part of the specifications for purchasing any third-party software.

Thoroughly test the software prior to use.

Employ a patch management program so that any vendor-provided fixes and patches are immediately implemented.

4 An employee picked up a USB drive in the parking lot and plugged it into his laptop to "see what was on it". As a result, a keystroke logger was installed on that laptop.

Preventive: Security awareness training. Teach employees to never insert USB drives unless they are absolutely certain of their source.

Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process.

5 To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company's system by dialling into that modem.

Preventive: Routinely check for unauthorized or rogue modems by dialing all telephone numbers assigned to the company and identifying those connected to modems.
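
The account lockout control from item 1, sketched as an added example that is not part of the original answer: it replays a constructed sequence of login events and shows how a lockout threshold stops a guessing run before the correct guess is accepted. The account names, host names, and event tuples are assumptions made up for illustration.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # the answer suggests locking after 3-5 failed attempts

# Constructed sample events: (time, account, source host, password_correct)
SAMPLE_EVENTS = [
    ("09:00:01", "payroll_sup", "sales-ws-14", False),
    ("09:00:09", "payroll_sup", "sales-ws-14", False),
    ("09:00:15", "jsmith", "hr-ws-02", False),
    ("09:00:21", "jsmith", "hr-ws-02", True),
    ("09:00:30", "payroll_sup", "sales-ws-14", False),
    ("09:00:38", "payroll_sup", "sales-ws-14", False),
    ("09:00:44", "payroll_sup", "sales-ws-14", False),
    ("09:00:52", "payroll_sup", "sales-ws-14", True),  # the guess that is right
]


def process_logins(events, threshold=LOCKOUT_THRESHOLD):
    """Replay login events in order; return (alerts, locked_accounts)."""
    failures = defaultdict(int)  # consecutive failures per account
    locked = set()
    alerts = []
    for when, account, source, password_ok in events:
        if account in locked:
            # Once locked, even the correct password is refused and logged.
            alerts.append((when, account, source, "DENIED_LOCKED"))
            continue
        if password_ok:
            failures[account] = 0  # a legitimate typo followed by success resets
            continue
        failures[account] += 1
        if failures[account] >= threshold:
            locked.add(account)
            alerts.append((when, account, source, "LOCKED_OUT"))
    return alerts, locked


if __name__ == "__main__":
    alerts, locked = process_logins(SAMPLE_EVENTS)
    for alert in alerts:
        print(*alert)
    print("locked:", sorted(locked))
```

With the threshold raised above the number of guesses in the sample, no alert fires and the final correct guess is accepted, which is the situation described in the question.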
