
Technology

Information Security Quiz


by Mark Eich
The following is a quick and informative quiz that should raise some questions about information security. As you will see, the answers to questions
concerning information security are often complex. Addressing the issues raised by these questions may require time and effort, but the alternative is
to simply accept that your systems may be at risk. Many businesses cannot afford to take that chance. Check the correct response:

1. As information security increases, performance decreases.
☐ True  ☐ False

True. Information security always has a related cost. Increasing security may require additional operational procedures, technology and investment. Increased security may slow processes down, and the performance of your people and network may reflect that. Increased security may mean locking workstations and restricting access to computer rooms or servers. Every organization must thoughtfully consider how to balance risk and performance when analyzing information security issues.

2. External hack attacks are more damaging and costly than insider attacks.
☐ True  ☐ False

False. Insider attacks are typically much more damaging than more highly publicized external attacks. Statistics from the Computer Security Institute indicate the average external attack costs $57,000 while the average internal attack costs $2,700,000. Insiders possess much more intimate knowledge of targeted systems, including knowledge of monitoring activities (or lack of monitoring activities).

3. A properly configured firewall will provide complete information security from external attacks.
☐ True  ☐ False

False. The Computer Security Institute indicates that one-third of companies using firewalls still suffer malicious hacking events. A primary function of the firewall is to block access to certain ports. A port can be thought of as a pipeline for a specific application or service. All unnecessary ports should be blocked at the firewall. However, business needs may demand certain ports be open. Each open port can create risk, a pathway, to your network. Traffic across each open port should always be closely monitored for potential intrusion attempts. A firewall alone is never a total solution. It must be used in combination with proper network monitoring and intrusion detection techniques.

4. Once my firewall is in place and configured properly, there is no need for further monitoring of network traffic.
☐ True  ☐ False

False. A knowledgeable attacker can nearly always defeat a firewall. As a result, monitoring is key to any information security program. Remember, it is one thing to be hacked, it is quite another to know you have been hacked.

5. Firewalls should be configured to monitor outgoing traffic as well as incoming traffic.
☐ True  ☐ False

True. Many organizations pay close attention to blocking incoming traffic, but comparatively little attention to monitoring or blocking outgoing traffic. However, more risk may exist from within. Disgruntled employees or hackers who have compromised your network may try to transmit confidential or sensitive information to competitors.

6. Information security is primarily a technology issue.
☐ True  ☐ False

False. Information security is a business issue and a culture issue. A comprehensive information security strategy addresses three elements: administrative policies and procedures; physical access controls; and technical access controls. These elements, correctly addressed, collectively create a culture of security. Many security professionals believe that technology represents less than 25 percent of an overall security picture. While the exact percentage remains debatable, one thing is clear: humans (end users) are the weakest link in any information security program.

7. Once a disgruntled insider is terminated from employment, the security threat is over.
☐ True  ☐ False

False. Clearly false. Witness the recent dot-com meltdown that has produced an army of disgruntled, computer-savvy potential intruders. The FBI has reported an exponential increase in hacking activity perpetrated by ex-employees. Disgruntled employees pose perhaps the most serious computer crime threat an organization will face.

8. Unauthorized software is the most common insider security breach.
☐ True  ☐ False

True. Breaches can be relatively innocuous, such as unauthorized screen savers, games, etc. These can result in virus transmission or licensing issues. However, breaches can also be much more dangerous, taking the form of unauthorized installation of remote access programs which can create an exploitable back door to the network that is not protected by the firewall. According to a survey conducted by ICSA.net and Global Integrity, a whopping 76 percent of respondents reported an unauthorized software breach in 2000.

22 LarsonAllen EFFECT / Winter 2002


9. Information-only Web sites have less risk of financial loss than transactional e-commerce Web sites.
☐ True  ☐ False

True. But while information-only sites have less risk of direct financial loss, the risk to their reputation and corporate image is significant. Organizations need to closely monitor information-only sites in order to detect and react to intrusions quickly to avoid embarrassment at the least and permanent damage to their reputation (and corresponding loss of market share) at the worst.

10. Passwords stop an intruder who gains physical access to a computer.
☐ True  ☐ False

False. Passwords are typically only a minor annoyance to a knowledgeable intruder. Too many organizations spend all their efforts on the technical aspects of information security and fail to address the administrative and physical access controls necessary to provide reasonable protection.

11. A user ID and password prevent unfriendly network connections.
☐ True  ☐ False

False. A physical connection and a network address are all that is required to connect to a network. The connection then has the ability to monitor and capture traffic, a process referred to as sniffing. Attackers often use sniffing techniques to capture sensitive network traffic, including user ID/password combinations. This information can then be used to escalate privileges for further attacks.

12. No one in the organization should have access to users' passwords with the exception of security administration.
☐ True  ☐ False

False. No one in the organization should have access to users' passwords, including security administration. Passwords should be stored in an encrypted format. New users should be provided a one-time use password for initial sign on, which immediately expires, forcing the user to change it prior to completing the sign on process. Similar processes should be used for resetting passwords if users forget them.
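The following is an added example, not part of the article, showing one way to implement the Q12 guidance: passwords are kept only as salted PBKDF2 hashes (the modern form of the "encrypted format" the answer calls for, so no administrator can read a password back), and provisioning or resetting an account issues a one-time password that stops working the moment the user sets their own. The class and method names are hypothetical.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune for your hardware)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: the only form in which a password is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    must_change: bool = True  # True until the user has chosen their own password


class PasswordStore:
    def __init__(self) -> None:
        self.accounts: dict = {}

    def provision(self, user: str) -> str:
        """Create or reset an account with a one-time password.
        The plaintext is returned once, to hand to the user, and never kept."""
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(temp, salt), must_change=True)
        return temp

    def sign_on(self, user: str, password: str, new_password: str = "") -> bool:
        """Return True only when sign-on fully completes.
        While must_change is set, sign-on cannot finish without a replacement
        password; once it is set, the one-time password no longer verifies."""
        acct = self.accounts.get(user)
        if acct is None:
            return False
        if not secrets.compare_digest(acct.digest, hash_password(password, acct.salt)):
            return False
        if acct.must_change:
            if not new_password or new_password == password:
                return False  # forced change: the temporary password alone is not enough
            acct.salt = os.urandom(16)
            acct.digest = hash_password(new_password, acct.salt)
            acct.must_change = False
        return True
```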

13. Encryption should be considered for internal network traffic as well as external network traffic.
☐ True  ☐ False

True. As noted above, the process of sniffing (capturing data as it is transmitted across a network) can be a significant security risk, both internal and external.

14. Securing data in transit is the goal of encryption.
☐ True  ☐ False

False. Encryption also supports data integrity, authentication and non-repudiation (verifying that a transmission occurred).
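An added example (not from the article) illustrating the Q14 point: a confidentiality-only cipher hides the content but accepts a corrupted or altered message without complaint, whereas adding an HMAC tag gives the receiver integrity checking and authentication of the sender. The toy SHA-256 counter keystream below stands in for any confidentiality-only cipher and is not a production construction; non-repudiation would additionally require a digital signature, which the standard library used here does not provide.

```python
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived from SHA-256 (demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. The same call decrypts,
    and a modified ciphertext decrypts to wrong plaintext without any error."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, nonce, len(data))))


def protect(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any change to
    either is detected, and only a holder of mac_key could have produced it."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; return None (reject) on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return encrypt_only(enc_key, nonce, ct)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate corruption in transit by changing one bit of one byte."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)
```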

Mark Eich is a CPA and certified information systems auditor (CISA). He is the
principal in charge of enterprise security management (ESM) at LarsonAllen
eSource, LLC. He has 12 years experience with IT auditing and is a frequent
speaker on IT security issues for national trade associations. Contact Mark at
meich@larsonallen.com or 507/434-7015.
