Global Finance, Inc.

Global Finance, Inc. (GFI) is a financial organization that manages a large number of accounts in the United States, Canada, and Mexico. It employs more than 1,600 people, and security is currently a problem. In recent years the company has suffered outages and cyber-attacks, and it now aims to overcome these issues and ensure that its physical infrastructure and operations are secure. A risk assessment should be carried out to identify the existing issues and establish an approach to mitigate them. The primary goal of the risk assessment is to establish the main issues affecting GFI's operations and then select the best approach for remediating the threats. Information security is crucial in any organization regardless of the activities it undertakes; when a project is developed, particular attention has to be paid to the threats and risks that are likely to arise, whether the issues are tangible or intangible. For GFI to regain its reputation, it must understand which security issues have to be addressed. This report describes the security efforts aimed at making GFI more secure.


Global Finance Industry Security Risk Assessment


Background Information


Global Finance, Inc. (GFI) is a public financial company traded on the New York Stock Exchange (NYSE). It specializes in financial management, loan application approval and processing, and investment management for its clients. GFI is responsible for thousands of accounts in the United States, Canada, and Mexico. It has more than 1,600 employees and consistently reports an annual growth rate of approximately 8 percent. GFI's management strategy is well established and centered on scaling operational performance through automation and technological innovation.


In the past few years, Global Finance, Inc. has been the victim of numerous cyber-attacks, which have caused revenue losses of about $1,700,000 and an immeasurable loss of client confidence. In 2013 the Oracle database server was attacked, and the client database lost confidentiality, integrity, and availability for an extended period. Although the Oracle database server was restored, the company's reputation was damaged by the loss of confidentiality. The attacks concern CEO John Thompson all the more because his business plan depends on the confidentiality, integrity, and availability of the organization's systems.


Because operations rely increasingly on technology while the information technology footprint is shrinking, I was hired as Computer Security Manager (CSM), reporting to Mike Willy, the Chief Operations Officer (COO). Although the CEO and I both understand the vital role of technology in executing GFI's business plan, I believe that cutting IT resources and outsourcing IT functions pose a risk to security and to strategic capability.


GFI's recent rise in reputation has prompted a large increase in traffic across the internal network. The network engineers cannot identify the origin of this traffic, but its volume and frequency are a significant concern. To properly protect company-private information, business intelligence, and client data, a security risk assessment must be submitted.


Purpose of the Risk Assessment


The risk assessment is fundamentally intended to produce both quantitative and qualitative risk estimates for the IT security threats and vulnerabilities associated with GFI's business activities, and to analyze GFI's IT infrastructure and procedures in order to provide a thorough and adequate evaluation for mitigating risk. The evaluation concentrates on solutions for the identified vulnerabilities and threats that endanger confidentiality, integrity, and availability and compromise the security and strategic capability of IT.


The risk assessment is responsible for identifying present threats to GFI's information technology security, proprietary business intelligence, client data, and strategic capability. It should identify weaknesses in the company's present security controls and processes, and catalogue the existing authorizations and security controls. It should evaluate the business impact of known threats and vulnerabilities, and likewise evaluate the threats and determine which of them are acceptable. Lastly, it should give recommendations to reinforce GFI's security program using emerging technologies and proven processes.


Duties and Functions


The Chief Executive Officer, John Thompson: Responsible for ensuring that the company's overall business plans increase shareholder value. Hence, the CEO makes the final decision as to whether the information technology strategic plans are in line with the overall strategic business plan. For instance, in GFI's case, the CSM gives the CEO a recommendation on implementing penetration-testing software; John evaluates the views of the officers involved and then determines whether it affects return on investment and shareholder value.


The Chief Operations Officer (COO), Mike Willy: Manages the company's business activities. The COO is second in command and is responsible for overseeing how information technology projects align with the company's daily activities. The COO also serves as a leader with a say in the execution of the company's strategic plan, working with the Chief Financial Officer (CFO), who is responsible for overseeing how operational information technology activities affect the budget.


Rick Santos, Computer Security Manager (CSM): Serves as a business leader responsible for developing, implementing, and managing the company's security vision, mission, and operations. The CSM's responsibilities center on scientific, technological, and policy issues, research, and program establishment, with the objectives of protecting the confidentiality, integrity, and availability of GFI's network; identifying the vulnerabilities and risks affecting GFI's information system assets so that the company's objectives can be met; selecting and implementing security controls that mitigate risks to an acceptable level; and examining risk factors so as to reduce project failures.


Risk Assessment for Security


A successful assessment can prevent breaches, reduce the impact of breaches that do occur, and shield GFI from being in the news for the wrong reasons. Regular information technology security risk assessments also motivate companies to build a store of historical data that can be used to weigh and communicate the monetary value associated with threats and, fundamentally, to persuade senior managers to take decisive action to lower those threats (DarkReading, 2013).


Risk Impact


According to FIPS PUB 199 (PUB, 2004), the following table summarizes the potential impact levels for the security objectives of confidentiality, integrity, and availability:


Table 1: Definitions of potential impact for the security objectives (PUB, 2004).


Topology of the Network


GFI's network topology consists of a corporate WAN that incorporates ten facilities connected remotely to the central data processing unit at GFI headquarters via a corporate Virtual Private Network. Role-based access control has been put in place, and access is based precisely on the user's responsibilities within the business. An example of role-based access control (RBAC) would be an engineering manager who needs access to both the engineering department's data and the training department's data. Each role should define the privileges granted for accessing the various objects.


Security of Networks


A VPN gateway is introduced at the outer layer of the network. As Microsoft (2013) indicates, VPNs use a combination of technologies such as tunneling, authentication, and encryption to create secure connections. To get the best security from the installed VPN, use the Layer Two Tunneling Protocol over Internet Protocol Security (L2TP/IPsec). VPNs provide a high degree of security because authentication prevents unauthorized users from connecting to the system. SSL VPN systems, however, are vulnerable to denial-of-service attacks if their software components are not updated regularly, which is a direct threat to availability. Software patches and updates should therefore be scheduled daily during off-peak hours to limit network downtime.


Access Points


Internal Access.


GFI employees access the internal network from personal workstations that have been pre-inspected and updated with anti-virus software. The internal network topology consists of 10 Gbps Virtual Local Area Networks (VLANs) separated by department, and the LAN switches are likewise separated by department. Individuals, programs, and servers should have access rights only to the resources they need to know, and their actions should be monitored through auditing and reporting systems. Access control lists must be put in place to decide who may access which VLAN, when, and how. Some VLANs hold sensitive and classified information, which requires the attention it deserves. This is mitigated by deploying access control lists (ACLs) that control which people gain entry to individual VLANs, systems, databases, servers, printers, e-mail, and documents; failing to deploy them leaves the confidentiality and integrity of these resources at high risk. All wireless access points should be encrypted and their SSIDs should not be broadcast. A firewall client with automatic configuration capabilities should be installed for network protection. In addition, a web proxy combined with strict web browser settings will greatly lower the risk of malicious attacks such as denial of service (DoS).


At the internal level of the company, Group Policy must be implemented for network security. Microsoft (2012) defines Group Policy as a framework that makes it possible to create customized configurations for various users and computers. Group Policy settings reside within Group Policy objects (GPOs), which are linked to Active Directory service containers. The Default Domain Policy GPO should govern the Kerberos policy, password policy, account lockout policy, and account settings policies. Accounts should come from a single domain with the parent global group; for that reason, the scope of the groups in the organizational units should be universal. Not implementing these controls leaves the network highly vulnerable and can lead to loss of integrity and breaches of confidentiality.


External Access


External access is accomplished through the remote access server (RAS), which communicates with the distribution routers, VPN gateways, and 10 Gbps switches via a 100 Mbps router. Mobile clients that connect via dial-up are required to authenticate. However, remote access to the internal databases is not encrypted; therefore confidentiality, integrity, and availability are at high risk.


Access Control


Authentication


Asymmetric keys are more flexible than symmetric keys. A message encrypted with one key of the pair can be decrypted only with the other. Ordinarily the public key is widely known while the private key is not. A public key infrastructure (PKI) is responsible for ensuring that public-key certificates are issued, kept current, validated, and revoked when necessary.


An asymmetric key pair consists of a public key and a private key. Anyone may know the public key, but the private key must be known only to its owner. PGP uses a trust scheme in which each user generates two keys: a public key, which is stored centrally and accessible to everyone, and a private key, which the user keeps confidential. When an e-mail is sent, it is signed with the sender's private key and encrypted with the recipient's public key. When the message arrives, the recipient decrypts it with their private key and verifies the signature with the sender's public key.
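The sign-then-encrypt exchange described above, as an added example that is not part of the original report. It uses Go's standard crypto/rsa package rather than PGP itself; the key pairs, the message, and the function names Seal and Open are constructed for the demonstration. Real PGP encrypts the message body under a random symmetric session key and uses the recipient's public key only to wrap that key; here the message is short enough to go directly under RSA-OAEP, which keeps the two roles of the keys (recipient's for confidentiality, sender's for authenticity) easy to see.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedMessage carries a ciphertext only the recipient can read plus a
// signature over the plaintext that proves who sent it.
type SealedMessage struct {
	Ciphertext []byte
	Signature  []byte
}

// NewDemoKey generates a throwaway 2048-bit RSA key pair. In practice the keys
// come from the users' PGP keyrings or from the PKI, not from the application.
func NewDemoKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal signs msg with the sender's private key (RSA-PSS over SHA-256) and then
// encrypts it with the recipient's public key (RSA-OAEP), as PGP does for mail.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*SealedMessage, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, err
	}
	return &SealedMessage{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the recipient's private key and verifies the signature with
// the sender's public key. Both steps must succeed; otherwise nothing is returned,
// so a tampered ciphertext or a forged sender is never handed to the caller.
func Open(sm *SealedMessage, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, sm.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong recipient key or tampered ciphertext")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sm.Signature, nil); err != nil {
		return nil, errors.New("signature verification failed: message is not from the claimed sender")
	}
	return msg, nil
}

func main() {
	alice, bob := NewDemoKey(), NewDemoKey() // constructed demo identities
	sm, err := Seal([]byte("Loan application 4471: approved"), alice, &bob.PublicKey)
	if err != nil {
		panic(err)
	}
	plain, err := Open(sm, bob, &alice.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Bob read: %q\n", plain)
}
```

The order matters: the signature is computed over the plaintext, so the recipient can only verify it after decrypting, and a third party who intercepts the message learns nothing about its content and cannot substitute a message of their own under Alice's name.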


TechRepublic (2001) outlines various authentication approaches that companies use to secure their network topologies and infrastructures. The options available to companies include, among others, IPsec authentication, Single Sign-On (SSO), the Password Authentication Protocol (PAP), biometrics, smart cards, Microsoft's CHAP (MS-CHAP), the Extensible Authentication Protocol (EAP), SSL, and Kerberos. Note that PAP transmits the password in clear text, so it should only be used inside an already-encrypted tunnel, never on its own.


Privileged Access


Because GFI's network houses sensitive and classified information, Mandatory Access Control (MAC) must be put in place. MAC provides a more specialized strategy for controlling access. It is primarily used by organizations holding highly sensitive and classified information, and access is based on security labels. CGI Security (2012) lists the following attributes of Mandatory Access Control:

• Data owners cannot alter the security label of a resource; only administrators can.

• The security level assigned to each piece of data expresses its sensitivity, confidentiality, and protection value.

• Users can read objects at a classification lower than or equal to their own clearance; for example, a user cleared as "secret" can read unclassified documents.

• Users can write to objects at a higher classification; for example, a "secret" user can post information to a Top Secret resource.

• Users can both read and write objects at their own classification; for instance, a "secret" user can read and write a secret document.

• Authorization and restriction of access to objects can depend on the time of day, and on the resource label and the user's credentials, according to the established policies.

• Lastly, access to objects can be authorized or restricted based on the HTTP user's security attributes, such as originating IP address, domain name, and version information.
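The read and write rules above, as an added example that is not part of the original report: a small reference monitor in Go that enforces the "no read up" and "no write down" rules (the Bell-LaPadula simple security and *-properties that the listed attributes describe) and restricts relabeling to administrators. The classification levels, the subject and object names, and the function names Authorize and Relabel are assumptions for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// Level is an ordered security classification; a higher value is more sensitive.
type Level int

const (
	Unclassified Level = iota
	Confidential
	Secret
	TopSecret
)

func (l Level) String() string {
	return [...]string{"Unclassified", "Confidential", "Secret", "TopSecret"}[l]
}

// Subject is a user or process with a clearance. IsAdmin marks the only
// principals allowed to change labels.
type Subject struct {
	Name      string
	Clearance Level
	IsAdmin   bool
}

// Object is a labelled resource (document, database, VLAN, ...).
type Object struct {
	Name  string
	Label Level
}

type Action int

const (
	Read Action = iota
	Write
)

func (a Action) String() string {
	if a == Read {
		return "read"
	}
	return "write"
}

var ErrDenied = errors.New("access denied by mandatory access control")

// Authorize applies the two MAC rules described above:
//   - no read up: a subject may read an object only if its clearance is at or
//     above the object's label;
//   - no write down: a subject may write an object only if the object's label
//     is at or above the subject's clearance.
// A subject at the same level as the object may therefore both read and write it.
func Authorize(s Subject, a Action, o Object) error {
	switch a {
	case Read:
		if s.Clearance >= o.Label {
			return nil
		}
	case Write:
		if s.Clearance <= o.Label {
			return nil
		}
	}
	return fmt.Errorf("%w: %s (%s) cannot %s %s (%s)",
		ErrDenied, s.Name, s.Clearance, a, o.Name, o.Label)
}

// Relabel changes an object's security label. Only administrators may do this;
// data owners cannot, which is what distinguishes MAC from discretionary control.
func Relabel(s Subject, o *Object, to Level) error {
	if !s.IsAdmin {
		return fmt.Errorf("%w: only administrators may change security labels", ErrDenied)
	}
	o.Label = to
	return nil
}

func main() {
	// Constructed demo data: a "secret" analyst and three labelled resources.
	analyst := Subject{Name: "analyst", Clearance: Secret}
	for _, o := range []Object{
		{"press-release", Unclassified}, {"loan-book", Secret}, {"merger-plan", TopSecret},
	} {
		for _, a := range []Action{Read, Write} {
			fmt.Printf("%s %s %s: %v\n", analyst.Name, a, o.Name, Authorize(analyst, a, o))
		}
	}
}
```

Running it shows the asymmetry the list describes: the secret analyst can read the unclassified and secret objects but not the Top Secret one, and can write the secret and Top Secret objects but not the unclassified one, so information never flows from a higher label to a lower one.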


Mobility


Mobility is a key factor that a company needs in order to connect customers and workers in real time. GFI is steadily growing, so it needs mobility to enhance productivity by creating an environment in which employees can have a virtual office anywhere Wi-Fi is available. Mobility empowers employees to improve their productivity and serve customers better. In addition, bring your own device (BYOD) is allowed, although several security concerns need to be addressed: mobile devices can bypass the company's firewall and anti-virus programs, posing a threat to the company.


Wireless


Wireless connections make GFI more flexible. Nevertheless, GFI's wireless network has shortcomings that compromise its security: at the moment it lacks encryption, and its SSID is visible to everyone within range of the wireless access point (WAP). This poses a high threat to availability, integrity, and confidentiality. I therefore recommend implementing WPA2-Enterprise with AES encryption.


Cloud Computing


With cloud-based e-business platforms, GFI can provide its products and services electronically, although security concerns may arise. Information stored remotely can be compromised, so additional security platforms and network policies are needed to reduce the risks. For that reason I recommend the Microsoft Azure cloud computing platform and services. Microsoft (2015) indicates that Azure integrates easily with the existing IT environment through a large network of secure private connections, hybrid database and storage solutions, and data residency and encryption features, so that resources are kept where they are needed. Azure is not limited in where it can run; it can also be run in an organization's own datacenter through Azure Stack. Azure's hybrid cloud solutions offer flexible, less complex, and relatively affordable IT options. McAfee Endpoint Security for Microsoft Azure Environments will be used to add a further layer of security on top of Azure's own security features. McAfee (2015) indicates that it integrates with Microsoft Azure, is deployed easily through Azure PowerShell, and provides advanced security for all endpoints.


Inventory Assets


| Item | Department | Quantity | Unit Cost | Total Cost | Priority | Mission Objective |
| --- | --- | --- | --- | --- | --- | --- |
| HP Workstations | Accounting | 100 | $1,000 | $100,000 | High | Provide financial and accounting services to the company |
| HP Workstations | Credit | 20 | $1,000 | $20,000 | Moderate | Estimate, evaluate, and reduce credit risks, credit limits, and support plans |
| HP Workstations | Customer care | 20 | $1,000 | $20,000 | Moderate | Answer customer questions |
| HP Workstations | Finance | 70 | $1,000 | $70,000 | High | Manage overall financial planning |
| HP Workstations | Loans | 40 | $1,000 | $40,000 | Moderate | Receive, process, and recover loans |
| HP Workstations | Management | 20 | $1,000 | $20,000 | High | Oversee all activities |
| HP Workstations | Network | 20 | $1,000 | $20,000 | High | Ensure corporate interconnectivity for data processing |
| Subtotal: personnel workstations | | 290 | | $290,000 | | |
| Canon LaserJet Printers | Accounting | 10 | $800 | $8,000 | | |
| Canon LaserJet Printers | Credit | 2 | $800 | $1,600 | | |
| Canon LaserJet Printers | Customer care | 2 | $800 | $1,600 | | |
| Canon LaserJet Printers | Finance | 6 | $800 | $4,800 | | |
| Canon LaserJet Printers | Loans | 4 | $800 | $3,200 | | |
| Canon LaserJet Printers | Management | 2 | $800 | $1,600 | | |
| Canon LaserJet Printers | Network | 0 | $800 | $0 | | |
| Subtotal: printers | | 26 | | $20,800 | | |
| WAP | Network | 6 | $600 | $3,600 | High | |
| Private Branch Exchange | Network | 2 | $2,800 | $5,600 | High | |
| VPN | Network | 4 | $70,000 | $280,000 | High | |
| Border Routers | Network | 4 | $60,000 | $240,000 | High | |
| Subtotal: network equipment | | 16 | | $529,200 | | |
| Grand Total | | | | $840,000 | | |

Line totals are quantity multiplied by unit cost, and the grand total is the sum of the three subtotals.


Network Vulnerabilities


| System/Entity | Vulnerability | Level of Risk | Priority |
| --- | --- | --- | --- |
| Wireless network technology | The wireless network has no password and is therefore open to the company and to anyone in the surrounding area, exposing it to threats to confidentiality, integrity, and availability. | High | High |
| Encryption | Remote access to company data lacks encryption. | High | High |
| Mobility | There is no system to prevent infected devices or malicious applications from accessing company networks, and no system to protect data from compromise if a device is lost or stolen. | High | High |
| Network intrusion | A significant spike in network traffic is entering the internal networks. The source generating the traffic cannot be identified, even though its volume and frequency are extraordinary. | High | High |
| Cloud computing | Cloud computing has proved susceptible to major data breaches if not properly secured. | Medium | Medium |


Risk Mitigation


As noted above, GFI's present network topology and information technology procedures present many critical vulnerabilities that need to be reduced by means of both soft and hard security controls. In today's information technology environment, it is important that the following vulnerabilities be addressed so that GFI's data, resources, and business intelligence are adequately protected while availability, integrity, and confidentiality are upheld.


Wireless Access


Presently, the wireless network uses open authentication, which makes it possible for anyone within range of GFI's WAP with a Wi-Fi-enabled device to gain access to privileged, sensitive, and classified information. This exposes GFI to threats such as data interception, denial of service, intrusion, wireless phishing, and endpoint attacks, all of which can affect the confidentiality, integrity, and availability of data both qualitatively and quantitatively. To mitigate these risks, the following should be implemented:


• SSIDs will be hidden inside GFI's network; this is referred to as network cloaking. Hiding the SSID stops the access point from broadcasting the SSID name, making the network effectively invisible to casual scanning. Cloaking alone is not a security control, however: clients still transmit the hidden SSID in probe and association frames, so it complements WPA2-Enterprise authentication and encryption rather than replacing them.


• Two separate networks need to be set up to isolate guests from GFI employees: GFI_Emp for employees and GFI_Guest for guests. GFI_Guest will serve guests who have temporary access to the network under GFI's plan but no access to sensitive, proprietary, or classified data.


Assumptions


The CSM is responsible for operating and managing GFI's network based on the following assumptions:


• Users will not allow unauthorized individuals to access sensitive personal information such as logins or any private data they hold, whether by accident or otherwise.


• Every member of the group, whether employed by the company or a contractor, is to report any security issues they encounter while using GFI's equipment or network.


• A security strategy needs to be created, executed, and maintained by the company's security group.


• Any change requires an endorsement from the systems administrator and approval from the CSM, is carried out by the administrator, and is then verified, tested, and maintained by the CSM.


• The owner of the system to which a user requests access grants that access.


• A change of position or termination of employment has to be communicated to the CSM in a timely manner so that access grants can be revoked or adjusted as required.


Conclusion


Security is a cost that any organization must bear if it aims to keep user information and confidential procedures secure. Several security threats exist in GFI's network environment, and they need to be addressed promptly to make the network environment more secure. With the right plan in place, the issues can be resolved quickly to guarantee a secure company network. After fixing the issues identified in this risk assessment, it is critical to maintain vigilance over the security of GFI's network. By doing so, we can be confident that sensitive data and equipment are protected from threats of every kind.


References


Microsoft. (2012). Read-Only Domain Controller: Branch office guide. Retrieved from Technet: https://technet.microsoft.com/en-us/library/dd734758(v=ws.10).aspx


PUB, F. (2004). Standards for Security Categorization of Federal Information and Information Systems (FIPS PUB 199). National Institute of Standards and Technology.


NIST. (2014). Assessing Security and Privacy Controls in Federal Information Systems and Organizations (NIST Special Publication 800-53A). National Institute of Standards and Technology.


Ropelato, J. (2014). Mobile security software. TopTen Reviews. Retrieved from: http://mobile-security-software-review.toptenreviews.com


Shinder, D. L. (2001). Computer networking essentials. Cisco Press.


Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30). National Institute of Standards and Technology.
