2. External hack attacks are more damaging and costly than insider attacks.
☐ True ☐ False

False. Insider attacks are typically much more damaging than more highly publicized external attacks. Statistics from the Computer Security Institute indicate the average external attack costs $57,000 while the average internal attack costs $2,700,000. Insiders possess much more intimate knowledge of targeted systems, including knowledge of monitoring activities (or lack of monitoring activities).

3. A properly configured firewall will provide complete information security from external attacks.
☐ True ☐ False

False. A knowledgeable attacker can nearly always defeat a firewall. As a result, monitoring is key to any information security program. Remember, it is one thing to be hacked, it is quite another to know you have been hacked.

6. Information security is primarily a technology issue.
☐ True ☐ False

False. Information security is a business issue and a culture issue. A comprehensive information security strategy addresses three elements: administrative policies and procedures; physical access controls; and technical access controls. These elements, correctly addressed, collectively create a culture of security. Many security professionals believe that technology represents less than 25 percent of an overall security picture. While the exact percentage remains debatable, one thing is clear: humans (end users) are the weakest link in any information security program.

True. Breaches can be relatively innocuous, such as unauthorized screen savers, games, etc. These can result in virus transmission or licensing issues. However, breaches can also be much more dangerous, taking the form of unauthorized installation of remote access programs which can create an exploitable back door to the network that is not protected by the firewall. According to a survey conducted by ICSA.net and Global Integrity, a whopping 76 percent of respondents reported an unauthorized software breach in 2000.
True. But while information-only sites have less risk of direct financial loss,
the risk to their reputation and corporate image is significant. Organizations
need to closely monitor information-only sites in order to detect and react to
intrusions quickly to avoid embarrassment at the least and permanent damage
to their reputation (and corresponding loss of market share) at the worst.
False. A physical connection and a network address are all that is required
to connect to a network. The connection then has the ability to monitor and
capture traffic, a process referred to as sniffing. Attackers often use sniffing
techniques to capture sensitive network traffic, including user ID/password
combinations. This information can then be used to escalate privileges for
further attacks.
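The practical lesson of the answer above is that anything sent in the clear is readable by whoever can attach to the segment, so the defensive counterpart of sniffing is auditing your own traffic for credentials that still travel unencrypted and moving those services to encrypted protocols. The following Python scanner is an added example, not code from the original article or its author: it inspects captured application payloads for two classic cleartext logins (FTP USER/PASS and HTTP Basic authentication) and reports only the user name, never the password, so the audit report itself does not become a credential store. The payload samples, addresses and port assumptions are constructed for the example.

```python
"""Added example: audit captured payloads for credentials sent in the clear.
Not from the original article; sample payloads below are constructed."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Finding:
    src: str
    dst: str
    protocol: str
    username: str  # the password is deliberately not recorded


# Constructed sample payloads: (src, dst, dst_port, payload bytes).
# Two cleartext logins, one TLS handshake and one SSH banner (both opaque).
SAMPLE_PAYLOADS = [
    ("10.0.0.12", "10.0.0.5", 21, b"USER alice\r\nPASS s3cret\r\n"),
    ("10.0.0.12", "10.0.0.7", 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    ("10.0.0.13", "10.0.0.7", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
    ("10.0.0.14", "10.0.0.9", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
]

# Line-oriented patterns; re.M makes ^/$ match per line, \r? tolerates CRLF.
FTP_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
FTP_PASS = re.compile(rb"^PASS \S+\r?$", re.M)
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$",
                        re.M | re.I)


def scan_payload(src, dst, port, payload):
    """Return Findings for cleartext credentials visible in one payload."""
    findings = []
    # FTP (assumed on port 21): a USER line followed by a PASS line means a
    # full login crossed the wire unencrypted.
    if port == 21:
        user = FTP_USER.search(payload)
        if user and FTP_PASS.search(payload):
            findings.append(Finding(src, dst, "FTP",
                                    user.group(1).decode(errors="replace")))
    # HTTP (assumed on 80/8080): Basic auth is base64, not encryption, so the
    # user:password pair is recoverable by anyone who captured the packet.
    if port in (80, 8080):
        for match in HTTP_BASIC.finditer(payload):
            try:
                decoded = base64.b64decode(match.group(1), validate=True)
            except ValueError:
                continue  # malformed header, nothing to report
            user = decoded.split(b":", 1)[0]
            findings.append(Finding(src, dst, "HTTP Basic",
                                    user.decode(errors="replace")))
    return findings


def audit(payloads):
    """Scan a sequence of (src, dst, port, payload) tuples."""
    results = []
    for src, dst, port, payload in payloads:
        results.extend(scan_payload(src, dst, port, payload))
    return results


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAYLOADS):
        print(f"{finding.src} -> {finding.dst}: {finding.protocol} login "
              f"for user '{finding.username}' sent in the clear")
```

Run against the constructed samples, the scanner flags the FTP login for alice and the HTTP Basic login for bob, while the TLS and SSH sessions produce nothing because their contents are opaque to a passive observer. In a real deployment the same logic would sit behind a capture library or a network monitor's application-layer events, and each finding would drive a migration to SFTP/FTPS or HTTPS rather than a password reset alone.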
Mark Eich is a CPA and certified information systems auditor (CISA). He is the
principal in charge of enterprise security management (ESM) at LarsonAllen
eSource, LLC. He has 12 years experience with IT auditing and is a frequent
speaker on IT security issues for national trade associations. Contact Mark at
meich@larsonallen.com or 507/434-7015.