Case Study Questions

1.

What are the two primary risks to security for Infinite Horizons?

1. Customer data on stolen laptop computers

2. Denial of service attack on the Outlook Web Access server

3. Unauthorized access of the network via the dial-in server

4. Unauthorized access by employees to network data

5. Unauthorized access by employees to the customer relationship database

6. Unauthorized capturing and reading data being transmitted over the VPN connection to the company

2.

What are the four security priorities of Infinite Horizons?

1. Preventing denial of service attacks on the Outlook Web Access server

2. Preventing unauthorized network access

3. Securing communications to client sites

4. Protecting employee data on laptop computers

5. Isolating the HR network from the rest of the network via an internal firewall

6. Providing SSL access to intranet resources

7. Secure authentication of all users

8. Enabling Windows Only authentication on SQL Server

3.

What kind of technology would you use to secure data on the laptop computers?

1. NTFS permissions

2. Encrypting file system

3. Biometric scanner for reading employee fingerprints

4. A strong password policy

4.

What technologies would you implement to guard against data corruption? (Choose all that apply.)

1. Virus scanner

2. Backups

3. Access control

4. Smart card reads

5. Data Encryption

5.

What security policy statement would apply to Infinite Horizons?

1. Employees must use strong passwords to access the network as defined by the network administration group.

2. Employees must not lend their smart card to anyone.

3. Employees will not store company data on their laptops.

4. Hardware that requires user interaction must support a smart card reader.

6.

What technology should Infinite Horizons employ to make sure data moving between it and its clients is secure?

1. TCP/IP

2. Firewall

3. Encryption

4. Dial-up

7.

What technological limitation will Infinite Horizons face with regard to implementing security?

1. Password policy cannot be enforced.

2. Consultants may not be able to connect securely from client sites.

3. Laptop data will not be secure.

4. Data exchanged with clients will not be secure.

8.

What compromises will Infinite Horizons have to make to integrate security with a customer’s network? (Choose all that apply.)

1. Different password policies

2. Data not confidentially exchanged

3. Separate passwords, no single login capability

4. No access control of the data

9.

What is the most important goal when securing assets that Infinite Horizons needs to address in its security policy?

1. Integrity of the SQL Server 2000 database

2. Confidentiality of customer data

3. Physical security of the laptop computers

4. Availability of the Outlook Web Access server

10.

What would be included in the security baseline for a laptop computer at Infinite Horizons?

1. Employees must use a smart card to log on to the laptop.

2. Back up the SQL Server database’s transaction logs every three hours and perform a full backup every night.

3. Passwords must have at least eight characters and be complex.

4. Confidential customer data must be encrypted on a laptop.

1.

A, D. All of the answers describe possible risks to the Infinite Horizons network, but you need to consider probability when determining primary risks to the network. Because the company has had laptops with customer data on them stolen in the past and has had issues with employees having unauthorized access to network data, these two options have a higher probability of occurring and need to be mitigated.

2.

B, C, D, G. You need to pay attention to any primary security risks that you have identified and the new security features that the customer would like implemented when deciding the security priorities of a company. Infinite Horizons wants to secure communications to client sites and, through strong password policies, secure authentication of users. It also recognized that data is compromised when laptops are stolen or employees have unauthorized access to resources.

3.

B. Encryption would afford the best protection to the company’s data if it was stolen or lost, which Infinite Horizons considers a risk because it has experienced it in the past. Another option would be to just not allow certain data to be stored on a laptop. NTFS permissions can protect data through access control and are important, but if someone has physical access to the hardware, NTFS permissions can be easily overcome. Likewise, a biometric scanner and strong passwords can be defeated if an attacker has physical access. In the case of Windows, an attacker can just install another copy and use the built-in administrator to access the data, and it is not too difficult to write a program that will read raw data off a hard drive.

4.

A, B, C. Virus scanning helps prevent data corruption due to viruses, Trojan horses, and worms. Controlling access to data will prevent unauthorized users from corrupting or deleting the data. However, because neither virus scanning nor access control is one hundred percent successful, you will need to make sure that you have good backups and can successfully restore them when needed. Smart card readers and data encryption don’t protect the data from corruption. Smart card readers are used to authenticate the user. This information is certainly useful when creating access control lists, but it is not directly related to preventing data corruption. Data encryption guards against a compromise in confidentiality of the data. Encrypted data can still be corrupted.

5.

A. Option A is the only statement that applies to Infinite Horizons according to the scenario. Infinite Horizons does not use smart card technology, so its policy would not mention smart cards. Infinite Horizons allows company data to be stored on laptops and, according to the scenario, wants to address the issue of protecting it because laptops have been stolen.

6.

C. Encryption is the way to secure data that is moving through a public network like the Internet. TCP/IP is the protocol of the Internet, but it does nothing to secure data. A firewall can prevent certain data from entering or leaving the company, but once the data is out on the Internet, a firewall is of little use. Dial-up access is usually over a public network and data would still need to be protected with encryption.

7.

B. The consultants work at client sites much of the time and may not be able to use a VPN or other secure method to access their company resources. Password policy can be enforced with the Windows Server 2003 Security Configuration And Analysis snap-in. Laptop data can be secured with the Encrypting File System (EFS). Data can be exchanged with clients over an agreed-upon technology like HTTP-S or IPSec.

8.

A, C. Infinite Horizons will not use the same technology for authentication as its customers use so, due to technical constraints, will need separate passwords for the customer’s network. This may lead to employees at Infinite Horizons having to deal with different password policies. Confidential exchange and control of data is a requirement for integration, so no compromises will be made in these areas.

9.

B. While all these goals are important to Infinite Horizons, the company has stated that the confidentiality of customer data is the most important directive. If there are trade-offs to security due to technical limitations or resources, confidentiality of data will be the priority.

10.

D. The security baseline would include all of the procedures necessary to implement the security policy for the technology in question. The security policy for Infinite Horizons does not mention smart cards, so smart cards would not be necessary to access laptops. Performing backups of the SQL Server database would be part of the SQL Server baseline but not the baseline for the laptops. The security baseline for accounts would mention the password policy, but again this does not apply to laptop users.