The internal auditor for ELC Consulting Inc., a company specializing in online c
ID: 3725367 • Letter: T
Question
The internal auditor for ELC Consulting Inc., a company specializing in online consulting services, noticed that the estimated time for an eventual attack to their systems is only about 30 minutes. In addition, it takes between 8 to 18 minutes to detect the attack and notify appropriate security staff. However, the problem can be fixed, and corrective actions could be implemented within a short time, between 6 to 15 minutes depending on the attack and time of the day.
Does the company satisfy the requirements of the time-based model of security? Why or why not? )
Suppose the company decides to invest $10 K to minimize eventual attacks and threats, and will have the three options. Which one would you recommend and why?
Increase the estimated time to penetrate the system by 2 minutes.
Reduce the time to detect an attack to between 5 minutes (best case) and 12 minutes (worst case).
Reduce the time required to implement corrective actions to between 4 minutes (best case) and 13 minutes (worst case).
Explanation / Answer
The company does not meet the requirements to satisfy the time-based model of security.
The reason is as follows:
Let P be the time taken to penetrate the system, which is = 30 minutes
Let D be the time taken to detect the threat, which is = 8 minutes (best case) and 18 minutes (worst case)
Let C be the time taken to correct the threat, which is = 6 minutes (best case) and 15 minutes (worst case).
For the best case, the system satisfies the time-based model of security, i.e.,
P > D + C
30 > 8 + 6, hence time taken for penetration is greater than the total time for detection and correction.
While for the worst case,
P < D + C
30 < 18 + 15
30 < 33.
Hence, the time taken for penetration is less than the time taken for both detection and correction. Hence, the
system is insecure in worst case.
First option is inconvenient as, even if the time for penetration is increased by 2 minutes, still the penetration time
will be 32 minutes, while in the worst case scenario; the systems are prone to attack for 33 minutes.
Since, the time for penetration is less than the total time for detection and correction; hence this option is not convenient.
Second option is convenient, as the total time for detection and correction for the worst case scenario will be:
= 12 mins + 15 mins
= 27 mins.
Since, this time is less than the time of penetration; hence this option can be adopted.
Third option is inconvenient, as the total time for detection and correction for the worst case scenario will be:
= 18 mins + 13 mins
= 31 mins.
Since, the time for penetration is less than the total time for detection and correction; hence this option is not convenient.
Related Questions
drjack9650@gmail.com
Navigate
Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.