Information security is a dynamic field and, although accounting professionals have become much savvier on the subject, keeping track of the latest best practices can be a daunting task. How current are you? Take this quiz on information security basics to find out.
1. Because no single antivirus program can protect against all viruses, you can enhance protection by installing several different antivirus programs from trusted vendors. True or False?
2. Your company maintains a virtual private network (VPN) that allows off-site employees to connect to the company network via the Internet. The VPN uses the latest and most secure encryption available, encrypting all data from the remote computer all the way to the office server. By loading the VPN software on public computers, like those at hotel business centers, you can transact sensitive and confidential business over your company network with a high level of confidence in the security. True or False?
3. Wired Equivalent Privacy (WEP) encryption on Wi-Fi networks, which was cracked several years ago, should be avoided at all costs. True or False?
4. Using Wi-Fi Protected Access (WPA) encryption and media access control (MAC) address filtering on your Wi-Fi access point does not provide sufficient protection for transacting sensitive and confidential business via the Internet from your wireless device or laptop computer. True or False?
5. You receive an e-mail from your company’s IT administrator warning that a new security hole has been discovered in your corporate software. The e-mail provides a link to a patch site and directs you to download and install a patch to plug the vulnerability. Before clicking on the link and installing the patch, you should verify the legitimacy of the e-mail. True or False?
6. Your company maintains a top-notch information security program. To capitalize on this strength, your marketing manager wants to build an ad campaign promoting your airtight information security. Your company is in an information-intensive industry, so this might lead to a competitive advantage with little downside. True or False?
7. A trusted IT employee quits the company in a huff. Security escorts him off the premises. To prevent potential mischief, you immediately eliminate the employee’s login IDs and passwords from the company information systems and disable all other access to company premises, such as his door keycard and security pass. You and the company can breathe easily. True or False?
8. Shortly after 9/11, your company increased its focus on contingency planning and installed surge suppressors and two-hour uninterruptible power supplies (UPS) on all computing and network equipment. Your employees can now continue to work through a short-term power outage (up to an hour or two) without problems. True or False?
9. You have noticed employees downloading music and videos on their office computers during their breaks. While this technically violates the acceptable use policy, the employees are using headphones, not disturbing others, their productivity is not suffering, and they seem to be enjoying listening to the music while they work. Any action taken to halt the practice would negatively impact morale more than it would enhance security. True or False?
10. Since you are the only person who uses your office computer, and your office is locked every time you leave, even for a moment, there is no need for the hassle of a Windows startup login and password on your computer. True or False?
1. False. Two real-time antivirus engines on one machine hook the same file and memory operations, so they slow the system, generate false alarms, and can quarantine each other's files or block each other's updates. Run a single reputable antivirus package, keep its signature files and scanning engine updated, and keep the operating system patched. If you want a second opinion, use an on-demand scanner that you run by hand rather than a second resident engine.
2. False. A properly configured VPN does protect traffic between the remote computer and the office against eavesdropping and tampering on the network path, which makes it fine for a laptop you control. It does nothing about the public computer itself. Machines in hotel business centers, Internet cafes and conference lounges are used by hundreds of strangers and are notorious for carrying malware: keystroke loggers, screen grabbers and session hijackers see your passwords and documents before the VPN ever encrypts them, so the VPN is irrelevant to them.
No VPN software can detect a hardware keystroke logger, a small device plugged in between the keyboard and the computer, and none can guard against over-the-shoulder reading or the surveillance cameras common in public areas. Installing the VPN client on a public computer can make matters worse: the client, any stored credentials and cached files stay behind on a machine you do not control, and a captured VPN password gives its owner a door into your network.
3. False. WEP's weaknesses were published in 2001, and by 2007 freely available tools could recover a WEP key from a busy access point in minutes by capturing (and, if needed, stimulating) traffic. That takes no special sophistication, and the changes some manufacturers made to avoid the earliest weak-key patterns only slow the attack down. Against anyone who is actually trying to get in, WEP is about as good as no encryption.
Most Wi-Fi hardware sold since 2003 can run WPA, sometimes after a driver or firmware update, and equipment certified since 2006 supports WPA2, whose AES-based encryption is stronger than the original WPA's TKIP. An access point runs one security mode per network, so every client must support WPA before the access point can be switched; a single WEP-only device holds the whole network back.
WEP may therefore be your only option on older hardware. It still deters casual freeloaders who are not trying, so for genuinely low-risk use, such as a home network with nothing sensitive on it, it is marginally better than an open network. If you handle client or financial data, or could be a target, replace the WEP-only equipment and move to WPA2.
4. True. MAC address filtering adds almost nothing: every wireless frame carries its MAC address in the clear, and an attacker can set a card's address to match one of yours in seconds. More importantly, WPA and WEP protect only the radio link between your laptop and the access point. The access point decrypts the data, and from there it travels in the clear across the office network, your ISP and the Internet. Protection for the rest of the path has to come from something else: a VPN, which encrypts traffic as far as the VPN gateway, or TLS (the successor to SSL), which is what an https:// web site uses to encrypt all the way to the server. Use one of these in addition to the wireless encryption whenever the data is sensitive, and check for the https:// prefix and a valid certificate before typing anything confidential.
5. True. A common phishing technique is an e-mail that pretends to come from a trusted insider and directs the recipient to click a link. The sender address is trivial to forge, and a link's visible text can say one thing while its destination is somewhere else entirely, for example a look-alike domain, a host name hidden behind an @ sign, or a raw IP address. The link leads to a malicious Web site that exploits a browser flaw to install a Trojan or other malware, or to a copy of a login page that collects your password.
Before clicking a link in an e-mail, verify that the message is legitimate and actually came from the party it claims to. In accounting, you would never act on a demand for immediate payment, even from a trusted vendor, without first verifying the demand's authenticity. The same discipline applies here, and the verification must go through a channel other than the e-mail itself: a phone call to the IT help desk, or a visit to the company's patch page by typing its address rather than following the link. Many businesses announce patches and other precautions through e-mail bulletins; if you have not seen a matching alert, or your company does not issue them, contact an IT administrator before clicking anything.
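The tricks described above (a forged display text, a host name hidden behind an @ sign, a trusted name buried inside an untrusted domain, look-alike characters) can be checked mechanically. The following is an added example, not code from the article or its authors; the trusted domain example-corp.com and the sample message are constructed for illustration, and the domain-suffix check is deliberately simple (production code should consult the Public Suffix List).

```python
"""Flag deceptive links in an HTML e-mail (added example, not from the article)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains your organization really uses for IT notices.
TRUSTED_DOMAINS = {"example-corp.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_link(href, text):
    """Return the reasons a link looks deceptive (empty list if none)."""
    reasons = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        reasons.append("unexpected scheme %r" % parts.scheme)
    if parts.username is not None:
        # http://trusted.example@evil.example/ : everything before @ is ignored
        reasons.append("user@host trick: the browser will go to %r" % host)
    if host and not host.isascii():
        reasons.append("non-ASCII host name (possible look-alike characters)")
    if host.replace(".", "").isdigit():
        reasons.append("raw IP address instead of a host name")
    if host and not is_trusted(host):
        reasons.append("host %r is not a trusted domain" % host)
        if any(d in host for d in TRUSTED_DOMAINS):
            reasons.append("trusted name embedded in an untrusted host")
    # If the visible text looks like a URL, it must name the same host.
    if "." in text and " " not in text:
        shown = urlsplit(text if "://" in text else "//" + text).hostname
        if shown and shown != host:
            reasons.append("text shows %r but link goes to %r" % (shown, host))
    return reasons


def scan_email(html):
    """Return [(href, visible_text, reasons)] for every link in the message."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(h, t, check_link(h, t)) for h, t in collector.links]


# Constructed sample message: one honest link followed by three deceptive ones.
SAMPLE_EMAIL = """
<p>A critical patch is available for the accounting system.</p>
<a href="https://patches.example-corp.com/kb/1234">Install the patch</a><br>
<a href="http://patches.example-corp.com@198.51.100.7/patch.exe">https://patches.example-corp.com/patch.exe</a><br>
<a href="http://example-corp.com.update-portal.example/patch">example-corp.com/patch</a><br>
<a href="https://exampl\u0435-corp.com/patch">Update now</a>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(text, "->", href)
        for r in reasons:
            print("   !", r)
```

The fourth sample link uses a Cyrillic letter in place of the Latin "e", which is invisible in most mail clients; the check catches it only because it refuses any non-ASCII host name, which is the right default for an internal notice. None of this replaces the out-of-band check with IT, but it shows how little the visible text of a link is worth.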
6. False. Advertising your security is an open invitation for skilled attackers to test it, and no security program is 100% effective. Security through obscurity is no substitute for real controls, but keeping a low profile costs nothing, whereas an ad campaign amounts to issuing a challenge to people who otherwise had no reason to bother your company. It also raises the stakes: the first incident after an "airtight security" campaign becomes a public embarrassment as well as a breach. The marketing gain is not worth becoming an attractive target.
7. False. Trusted IT employees are a special case because they have had the keys to the inner sanctum of the information system. An employee who has been stewing for months before leaving can use that position to plant a time bomb, such as a scheduled job that fires on a future date, create a backdoor account, leave his own keys on servers, or learn passwords that are not his. Disabling his own login and badge is necessary but nowhere near sufficient. Change every shared and service password he knew (administrator, router, database, backup, vendor and bank portals), revoke keys and certificates tied to him, review accounts, scheduled jobs, firewall rules and remote-access settings changed in his last months, verify that backups are intact and restorable, and keep the logs. Any time an IT person leaves, you must be on high alert on multiple fronts.
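Part of that review can be scripted. The block below is an added example, not from the article or its authors: it scans constructed Linux-style account, SSH key and crontab listings for the three leftovers named above (an extra root-level account, the departed user's keys, and scheduled jobs that fire on a fixed date or run out of a home or scratch directory). The user name jdoe, the sample files and the fake key material are all made up for the example; on Windows the equivalents are local Administrators membership, stored credentials and Scheduled Tasks.

```python
"""After a privileged user leaves: look for leftover access and booby-traps.
Added example (not from the article); inputs are constructed Linux-style files."""
import re

# Assumption: identifiers the departed administrator used.
DEPARTED = {"jdoe", "john.doe@example-corp.com"}


def rogue_uid0(passwd_text):
    """Accounts with UID 0 other than root: an extra root account is a classic backdoor."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


_KEY_RE = re.compile(r"(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)\s+\S+\s*(.*)$")


def keys_to_revoke(authorized_keys_text, identifiers=frozenset(DEPARTED)):
    """Return (revoke, unattributed): 1-based line numbers of keys whose comment
    names the departed user, and of keys with no comment, which cannot be
    attributed and should be re-validated with their owners."""
    revoke, unattributed = [], []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        m = _KEY_RE.search(line)
        if not m:
            continue
        comment = m.group(2).strip()
        if any(i in comment for i in identifiers):
            revoke.append(n)
        elif not comment:
            unattributed.append(n)
    return revoke, unattributed


def suspicious_cron(crontab_text):
    """Entries from a user crontab that look like time bombs or persistence:
    a fixed day-and-month (runs once a year, e.g. after the author is gone),
    @reboot persistence, or a command living in a home or scratch directory."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
            if schedule == "@reboot":
                hits.append(("runs at boot", line))
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            _minute, _hour, dom, month, _dow, command = parts
            if dom.isdigit() and month.isdigit():
                hits.append(("fixed-date job", line))
        if re.search(r"(^|\s)/(tmp|dev/shm|home)/", command):
            hits.append(("runs from scratch or home directory", line))
    return hits


# Constructed sample inputs (key material below is fake).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:1001:1001:John Doe:/home/jdoe:/bin/bash
backup2:x:0:0::/var/backups:/bin/bash
"""
AUTH_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForExampleOnly1 alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfakekeyforexampleonly2 jdoe@workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForExampleOnly3
"""
CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/nightly-backup.sh
30 4 15 6 * /home/jdoe/.cache/.x >/dev/null 2>&1
@reboot /tmp/.sync
"""

if __name__ == "__main__":
    print("UID-0 accounts besides root:", rogue_uid0(PASSWD))
    print("keys to revoke / re-validate:", keys_to_revoke(AUTH_KEYS))
    for reason, entry in suspicious_cron(CRONTAB):
        print("cron:", reason, "->", entry)
```

The checks are heuristics, not proof: a legitimate once-a-year job will also be flagged, and a careful insider can hide a task somewhere this script does not look. Their value is in forcing a named person to explain every hit, which is exactly the review the departure should trigger.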
8. False. A UPS relies on batteries, and a UPS battery typically lasts only three to five years (less in a warm closet) before it can no longer carry its rated load. Surge suppressors also lose effectiveness as their components absorb surges and age. Equipment installed in 2001 and never tested since probably offers little or no protection today. Unless you have a schedule for testing and replacing this equipment, including periodic runtime tests under real load, you may not have the protection you think.
Also, your contingency plan should consider lighting, ventilation, sanitation and other essential systems necessary for employees to continue working during a power failure. Some fire codes and local ordinances prohibit the occupancy of buildings without commercial power unless alternate electrical sources are provided for fire detection, lighting and security systems, among other services.
Finally, keep in mind that relying on even the best UPS to keep operations running is like placing a net under a trapeze. A UPS is sized to give you time for a clean shutdown, or to bridge the gap until a generator starts; it is not a power source for a working day.
9. False. Several issues arise when employees download music or videos at work. They may be downloading and sharing illegal copies of copyrighted material, exposing the company to legal liability. Media files are also large, and the downloads compete with business traffic for your network's bandwidth.
Further, an acceptable use policy that is not enforced breeds lax attitudes and erodes respect for every other policy. Finally, and most importantly, there is always the danger of a virus or Trojan riding into your network disguised as, or bundled with, a popular media title or link; peer-to-peer download tools in particular have a long record of carrying malware and of exposing shared folders to strangers.
10. False. Without a login password, anyone who sits down at your computer, whether a cleaner, a visitor or a colleague who borrowed your key, can read and copy your files, and if the screen is left unlocked they do not even need a key. It is crucial to keep your computer locked down with a login ID and password and to lock the screen whenever you step away. The couple of seconds of effort, even several times a day, is cheap protection. Note that a login password only stops someone from using your installed Windows; someone who removes the hard drive or boots from a CD can read the data anyway, so a laptop or any machine holding sensitive data also needs full-disk encryption.
Here is an additional consideration: running your computer day to day under an administrator account, the default on many Windows installations, means every program you launch runs with administrator privileges. If a virus gets past your antivirus, it inherits that power and can install itself system-wide, disable your defenses and tamper with any file. It is better to have two logins, an administrator account and a restricted user account. Use the restricted account for normal work; malware that slips in then runs with your limited rights, which sharply limits the damage it can do and often stops it from installing at all. Log in as the administrator only when you need to add programs or change system settings.
Scoring: If you answered nine or 10 questions correctly, keep up the good work. You are well-versed on the latest developments. Continue to update your knowledge about risks to information security assets and the best countermeasures.
If you answered seven or eight questions correctly, that’s not bad, but it might be time to think more broadly about peripheral threats and potential weaknesses in your systems. Reading the latest security literature is essential.
If you answered fewer than seven questions correctly, reassess your strategy for staying current on developments in information security. Knowledge building should be a part of your information security strategic plan. You may also need to assess the vulnerability of your information assets.
David R. Fordham, CPA, CMA, Ph.D., and Bradley M. Roof, CPA, CMA, Ph.D., teach accounting at James Madison University in Harrisonburg, Va.
AICPA’s Information Technology Center IT Membership Section, www.aicpa.org/infotech
Overview of the Certified Information Technology Professional Credential, www.aicpa.org/CITP
2008 Top 10 Technology Initiatives, www.aicpa.org/toptech
2007 Top Technology Initiatives Web Seminar: Safeguarding Information Assets, Part I, http://infotech.aicpa.org/Events/September+2007+Top+Technology+Initiatives+Web+Seminar.htm , and Part II, http://infotech.aicpa.org/Events/November+2007+Top+Technology+