Disclaimer: This is an example of a student written essay.

Global Finance Incorporated: Security Risk Assessment

Paper Type: Free Essay | Subject: Security
Wordcount: 6316 words | Published: 8th Feb 2020


Contents

I. Background
   Purpose
II. Security Risk Assessment
   Risk Impact
III. Network Office Topology
   Network Security
   Access Points
   Internal Access
   External Access
IV. Access Control
   Authentication
   Privileged Access
   Mobility
   Wireless
   Cloud Computing
V. Inventory
VI. Network Vulnerabilities
VII. Risk Mitigation
   Wireless Access
   Encryption
   Mobility
   Network Intrusion
VIII. Policy Requirements (Assumptions)
IX. Conclusion
References

I. Background

Global Finance Incorporated (GFI) is a financial company specializing in asset management, loan processing, loan application approval and money management for customer investments. GFI manages many accounts spread across the North American continent and has over 1,600 employees. GFI was featured in Fortune magazine for its management strategies, which are based on scaling operational performance.


GFI has been under repeated cyber attack in recent years, ultimately causing $1,700,000 in revenue disruption and, to say the least, eroding the confidence of its customer base. The customer database ran on an Oracle database server; it was attacked in 2012 and the customer data lost its confidentiality, integrity and availability. The database was ultimately restored, but the incident was a significant blow to the company's reputation. The attacks were particularly important to the CEO, John Thompson, because he wants the company's business practices centered on the principles of confidentiality, integrity and availability.

In order to formulate the correct plan of action, the assessment must take a holistic view of the company, so that operational dependencies are understood and the IT footprint can be reduced. The computer security manager (CSM) will report directly to the Chief Operations Officer, Mike Willy, who directs this course of action and executes the CEO's business plan. Outsourcing IT would only add security risk and is not advised for this action plan.

The company's recent article has attracted attention and produced a leap in network traffic aimed at the company's intranet. Engineering staff cannot at present pinpoint the source of the traffic, and its volume and recurrence are a cause for concern. A risk assessment is warranted by these issues; it will establish security as a priority and in turn allow GFI to secure confidential data, customer data and business assets.

Purpose

The purpose of this assessment is to identify and estimate the security risks that arise from weaknesses or vulnerabilities in GFI's IT security and from the threats that could exploit them. The assessment lets GFI review its own policies and decide on an acceptable plan for risk mitigation, offering solutions to the vulnerabilities and threats identified. Assessing the risk to confidentiality, integrity and availability will help GFI identify the threats facing company security, customer records, intelligence and strategic planning, and will expose existing weaknesses in current controls and processes. Finally, the assessment shows the impact of each potential vulnerability and threat, so that the current security infrastructure can be strengthened with the best available technology and practices.

II. Security Risk Assessment

Risk assessment is a valuable practice for a company: it strengthens security in areas that may be weak, reduces security breaches and deters attackers, because the company's defenses are checked against known threats. The ISACA Journal stresses the importance of regular risk assessments: "Security risk assessment should be a continuous activity. A comprehensive enterprise security risk assessment should be conducted at least once every two years to explore the risks associated with the organization's information systems" (Schmittling & Munns, 2010).

Risk Impact

In performing a risk assessment and analysis, threats and vulnerabilities are identified and ranked by the loss of confidentiality, integrity or availability they would cause, on a low, medium or high scale. This produces a more direct impact analysis and identifies which assets are critical. The level is determined from the likelihood that a threat exploits a vulnerability and the magnitude of the resulting impact; NIST SP 800-30 defines these levels and the magnitude-of-impact ratings used here (Stoneburner, Goguen, & Feringa, 2002).
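The NIST method described above, worked through in code as an added example that is not part of the original assessment. The weights and thresholds are those of NIST SP 800-30 (2002), Table 3-6: likelihood High 1.0, Medium 0.5, Low 0.1; impact High 100, Medium 50, Low 10; risk is High above 50, Medium above 10 and Low otherwise. The likelihood and impact ratings assigned to GFI's findings are assumptions made for the example, so the resulting levels need not match the vulnerability table later in this document.

```go
package main

import (
	"fmt"
	"sort"
)

// Level is a qualitative rating used for likelihood, impact and risk.
type Level string

const (
	Low    Level = "Low"
	Medium Level = "Medium"
	High   Level = "High"
)

// Weights from NIST SP 800-30 (2002), Table 3-6.
var likelihoodWeight = map[Level]float64{High: 1.0, Medium: 0.5, Low: 0.1}
var impactWeight = map[Level]float64{High: 100, Medium: 50, Low: 10}

// RiskScore is the semi-quantitative product likelihood x impact (1 to 100).
func RiskScore(likelihood, impact Level) float64 {
	return likelihoodWeight[likelihood] * impactWeight[impact]
}

// RiskLevel maps a score onto the 800-30 risk scale:
// High (>50 to 100), Medium (>10 to 50), Low (1 to 10).
func RiskLevel(score float64) Level {
	switch {
	case score > 50:
		return High
	case score > 10:
		return Medium
	default:
		return Low
	}
}

// Finding is one row of a vulnerability table.
type Finding struct {
	Technology string
	Threat     string
	Likelihood Level
	Impact     Level
}

// Ranked is a finding with its computed score and level.
type Ranked struct {
	Finding
	Score float64
	Level Level
}

// Prioritize scores every finding and orders them highest risk first, so the
// mitigation plan can be worked from the top down.
func Prioritize(findings []Finding) []Ranked {
	out := make([]Ranked, 0, len(findings))
	for _, f := range findings {
		s := RiskScore(f.Likelihood, f.Impact)
		out = append(out, Ranked{Finding: f, Score: s, Level: RiskLevel(s)})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out
}

// GFIFindings are the vulnerabilities from the table in this assessment.
// The likelihood and impact ratings are assumptions made for this example.
var GFIFindings = []Finding{
	{"Wireless", "Open authentication on wireless access points", High, High},
	{"Encryption", "Remote connectivity not encrypted", High, High},
	{"Mobility", "No policy controlling mobile devices", High, Medium},
	{"Network Intrusion", "Unexplained increase in inbound traffic", Medium, High},
	{"Cloud Computing", "Breach of externally hosted data", Medium, Medium},
}

func main() {
	for _, r := range Prioritize(GFIFindings) {
		fmt.Printf("%-6s %5.1f  %-18s %s\n", r.Level, r.Score, r.Technology, r.Threat)
	}
}
```

Note that a High likelihood against a Low impact and a Low likelihood against a High impact both score 10, which NIST rates Low: the method deliberately does not let either factor alone drive the rating.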

III. Network Office Topology

The GFI network is a corporate WAN with 10 remote locations that reach the central site through VPN. Role-based access control (RBAC) is used, and access is restricted to users within the organization: a role must be established for a user before that user can reach a department's resources, which is how RBAC protects the system. Separation of duties is enforced through the same mechanism, by never letting one person hold two roles that conflict.
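The RBAC and separation-of-duties arrangement described above, as an added example that is not code from the original assessment. Permissions attach to roles and roles to users, and a conflict rule stops one person from both originating and approving a loan. The role and permission names are assumptions chosen to match GFI's departments.

```go
package main

import "fmt"

// Role is a job function; permissions attach to roles, never to users.
type Role string

// Permission is an action on a departmental resource, e.g. "loans:approve".
type Permission string

// RBAC holds the role-permission map, the user-role assignments and the
// pairs of roles that a separation-of-duties rule forbids one person to hold.
type RBAC struct {
	rolePerms map[Role]map[Permission]bool
	userRoles map[string]map[Role]bool
	conflicts [][2]Role
}

func NewRBAC() *RBAC {
	return &RBAC{
		rolePerms: map[Role]map[Permission]bool{},
		userRoles: map[string]map[Role]bool{},
	}
}

// Grant attaches permissions to a role.
func (r *RBAC) Grant(role Role, perms ...Permission) {
	if r.rolePerms[role] == nil {
		r.rolePerms[role] = map[Permission]bool{}
	}
	for _, p := range perms {
		r.rolePerms[role][p] = true
	}
}

// Conflict declares two roles mutually exclusive (static separation of duties).
func (r *RBAC) Conflict(a, b Role) {
	r.conflicts = append(r.conflicts, [2]Role{a, b})
}

// Assign gives a user a role unless doing so would violate a conflict rule.
func (r *RBAC) Assign(user string, role Role) error {
	held := r.userRoles[user]
	for _, c := range r.conflicts {
		other := c[1]
		if c[1] == role {
			other = c[0]
		}
		if (c[0] == role || c[1] == role) && held[other] {
			return fmt.Errorf("separation of duties: %s holds %s and may not also hold %s", user, other, role)
		}
	}
	if held == nil {
		held = map[Role]bool{}
		r.userRoles[user] = held
	}
	held[role] = true
	return nil
}

// Allowed answers an access request by walking the user's roles.
// A user with no matching role is denied by default.
func (r *RBAC) Allowed(user string, p Permission) bool {
	for role := range r.userRoles[user] {
		if r.rolePerms[role][p] {
			return true
		}
	}
	return false
}

// GFIPolicy builds a policy for the departments named in this assessment.
// The role and permission names are assumptions made for this example.
func GFIPolicy() *RBAC {
	r := NewRBAC()
	r.Grant("loan-officer", "loans:read", "loans:create")
	r.Grant("loan-approver", "loans:read", "loans:approve")
	r.Grant("accounting", "ledger:read", "ledger:post")
	r.Grant("customer-service", "customers:read")
	// Whoever originates a loan must never be able to approve it.
	r.Conflict("loan-officer", "loan-approver")
	return r
}

func main() {
	p := GFIPolicy()
	fmt.Println(p.Assign("alice", "loan-officer"))  // <nil>
	fmt.Println(p.Allowed("alice", "loans:create")) // true
	fmt.Println(p.Allowed("alice", "loans:approve")) // false
	fmt.Println(p.Assign("alice", "loan-approver")) // separation of duties error
}
```

The conflict check runs at assignment time, so the violation is refused before it can be exploited rather than detected afterwards in an audit log.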

Network Security

A virtual private network (VPN) is implemented to add a layer of security. Microsoft TechNet explains that "A VPN client uses special TCP/IP based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server" (Microsoft, 2016). The connection is a point-to-point data link; "VPN [uses] PPTP, L2TP/IPsec, and SSTP" (Microsoft, 2016), providing encapsulation, authentication and data encryption for the call. This protects the sessions established between the GFI network and users whose VPN client profile carries the correct role-based access. Of the three tunneling protocols, PPTP should not be relied on: its MS-CHAPv2 authentication and RC4-based MPPE encryption are cryptographically broken, so L2TP/IPsec or SSTP should be the only permitted choices. If the VPN systems are not kept up to date they also pose a medium risk to availability, because of the potential for denial-of-service attacks.

Access Points

Each access point into the network must be protected properly to account for its security risks. Internal access lies within GFI's intranet and must have the proper controls in place to protect against insider threats. External access must connect securely to avoid disruption by outside threats. Each point of entry carries its own risks, which must be assessed regularly.

 Internal Access

Each GFI employee accesses the internal network from a workstation set up with anti-virus software and fully patched before the individual uses it. The internal network runs on 10 gigabit VLAN-capable switches, with a separate VLAN for each department. Each system is configured with only the servers and applications that user's access policy allows, matching the classification of the data involved. This puts role-based access control into practice for every employee, separating the appropriate access level and privileges. Auditing and reporting systems will also be in place to monitor employee activity and guard the company against insider threats.

Several security policies will also help protect these assets. The first is access control lists (ACLs), which determine who has access to the different VLANs and thus to classified material; ACLs also control who can connect to assets such as the e-mail, print and application servers. Failure to implement ACLs poses a high risk to confidentiality and integrity. The second policy is to configure the host firewall on each client as a line of defense working alongside the anti-virus. The third policy is to encrypt every wireless access point. Disabling SSID broadcast is often suggested alongside this, but it is not a security control in itself: the SSID is still sent in the clear in probe and association frames, so hiding it only stops casual discovery. The system administrator should also configure the web proxy and browser settings to one uniform configuration as a final baseline policy, to guard against attacks such as the well-known man-in-the-middle attack. If these policies are not implemented properly, the result is a loss of confidentiality or, in the case of a denial-of-service attack, a loss of availability.

Many organizations configure further policies as well. One of these is Group Policy, which contains controls for password policy, account lockout and settings such as logon warning messages. Group Policy should be applied to every computer in the GFI network to protect against a possible loss of integrity.

External Access

Authentication is an extremely important part of external access, because an outside user joining the network may not be an employee and could be a potential threat. External connections are made through the external RAS server, which connects to the distribution routers, through the VPN and the 10 gigabit switches, and finally through a 100 megabit router. Mobile users are required to authenticate, which is good, but encryption is just as important and is lacking in this case. This creates a high threat to all three security objectives: confidentiality, integrity and availability.

IV. Access Control

 Authentication

Symmetric systems have certain drawbacks that put them at a disadvantage compared with asymmetric systems: the security services they offer, scalability and secure key distribution. First, symmetric-key cryptography on its own provides confidentiality, and with a message authentication code it can also provide integrity and authentication between the two parties who share the key, but it cannot provide non-repudiation, because either party could have produced any given message. Second, scalability: as the number of people who need to communicate grows, so does the number of keys (one per pair), and every key must be managed. Third, secure key distribution: the shared key must be delivered to the other party over a secure channel or by courier. Asymmetric systems offer a better solution, with one key that encrypts and a different key that decrypts. They use a public key that anyone may obtain and a private key that is kept secret, which allows a far wider range of uses than symmetric systems.

With an asymmetric system such as PGP, an e-mail is encrypted with the recipient's public key and signed with the sender's private key. The receiver then decrypts the message with their own private key and verifies the signature with the sender's public key. In practice PGP, like most such systems, uses the public key only to encrypt a random per-message symmetric key, which in turn encrypts the message body. Microsoft Support explains the two-key combination as "asymmetric encryption, in which there are two related keys—a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret" (Microsoft, 2007). There are various asymmetric algorithms, such as RSA, Diffie-Hellman, the Digital Signature Algorithm (DSA) and others.

Privileged Access

For the most sensitive information stored on the GFI network, a secure system must be used to protect these valued assets. A system using mandatory access control (MAC) should be used. MAC takes a different approach to protecting highly sensitive data from discretionary access control (DAC): read and write access is decided by the system from security labels, not by the owner of the data. Based on security labeling, MAC is typically used where very important data must be stored and its confidentiality and integrity must be assured. In a MAC environment only administrators can change security labels. All data is assigned a classification level that reflects its sensitivity and mission criticality, and each user is granted a clearance. Under the Bell-LaPadula model that labeled MAC systems follow, a user may read information classified at or below their clearance (no read up) and may write only to objects classified at or above it (no write down), so sensitive data cannot be copied into a less protected location. Access to each individual object is therefore decided directly from the user's clearance and the object's label. Utilizing a MAC system supports the main security principles of confidentiality and integrity. Red Hat, whose Linux distribution ships SELinux, explains that when properly implemented MAC "enables a system to adequately defend itself and offers critical support for application security by protecting against the tampering with, and bypassing of, secured applications. MAC provides strong separation of applications that permits the safe execution of untrustworthy applications." (Kratky & Ancincova, 2016) SELinux is only one of many MAC implementations.
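The label-based access decision described above, as an added example that is not part of the original essay or of any particular MAC product. It implements the Bell-LaPadula confidentiality rules over a lattice of classification levels and need-to-know compartments: a subject may read objects its clearance dominates, may write only to objects that dominate its clearance, and only an administrator may relabel. The level names and compartments ("loans", "credit") are assumptions chosen to fit GFI's departments.

```go
package main

import (
	"errors"
	"fmt"
)

// Classification levels form a total order; a higher value is more sensitive.
type Classification int

const (
	Public Classification = iota
	Internal
	Confidential
	Restricted
)

// Label is a security label: a classification plus the compartments
// (need-to-know categories such as "loans" or "credit") it belongs to.
type Label struct {
	Level        Classification
	Compartments map[string]bool
}

// NewLabel builds a label from a level and zero or more compartments.
func NewLabel(level Classification, compartments ...string) Label {
	c := map[string]bool{}
	for _, name := range compartments {
		c[name] = true
	}
	return Label{Level: level, Compartments: c}
}

// Dominates reports whether a is at least as high as b in the lattice:
// a's level is not lower and a carries every compartment b carries.
func Dominates(a, b Label) bool {
	if a.Level < b.Level {
		return false
	}
	for name := range b.Compartments {
		if !a.Compartments[name] {
			return false
		}
	}
	return true
}

// CanRead is the simple security property ("no read up"): the subject's
// clearance must dominate the object's label.
func CanRead(clearance, object Label) bool {
	return Dominates(clearance, object)
}

// CanWrite is the *-property ("no write down"): the object's label must
// dominate the subject's clearance, so a highly cleared user cannot copy
// sensitive data into a less protected file.
func CanWrite(clearance, object Label) bool {
	return Dominates(object, clearance)
}

// Relabel is reserved to administrators. Ordinary subjects cannot change a
// label, which is what distinguishes mandatory from discretionary control.
func Relabel(isAdmin bool, object *Label, newLabel Label) error {
	if !isAdmin {
		return errors.New("only an administrator may change a security label")
	}
	*object = newLabel
	return nil
}

func main() {
	// A loans analyst cleared to Confidential for the "loans" compartment.
	analyst := NewLabel(Confidential, "loans")
	objects := []Label{
		NewLabel(Internal),
		NewLabel(Confidential, "loans"),
		NewLabel(Restricted, "loans"),
		NewLabel(Confidential, "credit"),
	}
	for _, obj := range objects {
		fmt.Printf("level %d %v  read=%v write=%v\n",
			obj.Level, obj.Compartments, CanRead(analyst, obj), CanWrite(analyst, obj))
	}
}
```

The asymmetry between the two checks is the point: the analyst can read an Internal memo but cannot write to it, because writing would let Confidential content flow downwards.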

Mobility

The ability to work on the go is extremely important; mobility is essentially the ability to perform required duties, interact properly with customers and stay current from anywhere. GFI's continuity relies on good mobility. A focus on mobility can raise efficiency and productivity, allowing employees a virtual office wherever an internet connection is available, and letting customers who need a GFI representative be served on-site. Bring your own device (BYOD) is another avenue, which can be put in place only if it is executed with the correct security measures to limit risk.

Every mobile device is a potential threat to the company. Because it can bypass the company's perimeter security measures, it must be addressed with the same concern, and treated as much of a liability, as any other device that interacts with the GFI intranet.

Wireless

Wireless capability at GFI is a must, as it provides connectivity in situations where it would otherwise be unavailable. The security protocols on the Wi-Fi access points are equally a must: WPA2-Enterprise (802.1X/EAP) should be configured with AES-CCMP encryption only. TKIP is a legacy compatibility mode with known weaknesses and should be disabled. Disabling SSID broadcast is sometimes recommended as well, but it adds little: the SSID is still visible in probe and association frames, so it must not be counted as a security control. Without these basic protections the internal network is at high risk and very inviting to a potential attacker.

Cloud Computing

Bringing GFI's services to the online consumer brings a tremendous amount of business, and because cloud computing is a rapidly expanding technology it brings security issues along with it. Data stored on servers outside the intranet is not automatically covered by the same security controls or encryption as on-premises data; under the cloud provider's shared-responsibility model, encryption of the data, access control and configuration remain GFI's responsibility, so a cloud deployment must be done with security in mind to allow for proper risk mitigation. I recommend using Amazon Web Services (AWS) for GFI's cloud computing needs; it is ahead of other cloud service providers to date and offers a whole host of features that GFI can use for its future goals. Miller of TechCrunch explains that AWS "[separated] the various services to make a centralized development platform that would be useful for third parties" (Miller, 2016). Amazon states that its services adjust to the customer's needs: "you can provision exactly the right type and size of computing resources you need to power your newest bright idea or operate your IT department." (Amazon, 2016)

I also suggest the use of Trend Micro, which provides a comprehensive AWS security option called Deep Security, built to work with the AWS cloud platform. Deep Security offers "security built to protect all of your servers, whether physical, virtual, or cloud" (Trend Micro, 2015) and "provides comprehensive security in one solution that is purpose-built for virtualized and cloud environments" (Trend Micro, 2015). Trend Micro integrates with the AWS platform, enabling GFI to manage its physical, virtual and cloud servers with consistent security policies. Effective anti-malware controls help prevent data breaches and business disruptions and minimize risk.

V. Inventory

Item                           Department          Quantity   Unit Cost   Total Cost    Priority
HP Pavilion 550-035z           Accounting                63        $454   $28,601.37    High (H)
HP Pavilion 550-035z           Credit                    10        $454    $4,540.00    Medium (M)
HP Pavilion 550-035z           Customer Services         12        $454    $5,448.00    M
HP Pavilion 550-035z           Finance                   49        $454   $22,246.00    H
HP Pavilion 550-035z           Loans                     25        $454   $11,350.00    M
HP Pavilion 550-035z           Management                 5        $454    $2,270.00    H
HP Pavilion 550-035z           TCB Network                7        $454    $3,178.00    H
Subtotal (workstations)                                 171               $77,633.37

HP Printers                    Accounting                 7        $400    $2,800.00    Low (L)
HP Printers                    Credit                     3        $400    $1,200.00    L
HP Printers                    Customer Services          3        $400    $1,200.00    L
HP Printers                    Finance                    5        $400    $2,000.00    L
HP Printers                    Loans                      5        $400    $2,000.00    L
HP Printers                    Management                 3        $400    $1,200.00    L
Subtotal (printers)                                      26               $10,400.00

Wireless Access Point (WAP)    -                          6        $300    $1,800.00    H
Private Branch Exchange (PBX)  -                          1      $1,400    $1,400.00    H
VPN Gateway                    -                          2     $35,000   $70,000.00    H
10Gbps Routers                 -                          9     $30,000  $270,000.00    H
TCB Servers                    -                          6      $2,000   $12,000.00    H
Distribution Routers           -                          2     $30,000   $60,000.00    H
Border Routers                 -                          2     $30,000   $60,000.00    H
Subtotal (network)                                       28              $475,200.00

Grand Total                                             225              $563,233.37

VI. Network Vulnerabilities

Technology            Vulnerability or Threat                                                              Risk Level (RL)   Priority
Wireless Technology   Open authentication on the wireless network invites threats in through the front door        H             H
Encryption            No security policy requires encryption of remote connectivity to the network;                H             H
                      this is an immediate threat
Cloud Computing       Can be the target of a data breach, since externally hosted data is often less protected     M             M
Mobility              No security policies protect the internal network from mobile devices, which could           H             H
                      be the source of many different threats
Network Intrusion     Increased network traffic volume from an unidentified source                                 H             H

VII. Risk Mitigation

GFI has many mission-critical vulnerabilities and threats, identified in the inventory and network vulnerabilities tables above. Hardware and software mitigations must be put in place to deal with these threats. IT security is crucial in today's expanding environment: as technology advances, more threats appear, and a continually growing risk management effort is required to stay on top of them. To preserve the confidentiality, integrity and availability of GFI data we must address these vulnerabilities and continue to perform risk assessments annually.

Wireless Access

The current configuration uses open authentication. This is unacceptable and must be addressed immediately, because it allows anyone within range of an access point to join the GFI intranet and potentially retrieve sensitive and classified information. Other attacks that pose a risk are man-in-the-middle data interception, denial of service and phishing. To mitigate these, I suggest first disabling SSID broadcast in the access point configuration; this keeps the network off the list that casual users see, but it must be understood as housekeeping rather than a security control, since the SSID is still transmitted in the clear whenever a client associates. Second, encryption must be configured with WPA2 using AES-CCMP. For the employee network this should be WPA2-Enterprise (802.1X with a RADIUS server), so that each employee authenticates with an individual credential or certificate that can be revoked; a shared WPA2-PSK passphrase is appropriate only for a guest network, because a passphrase known to hundreds of staff cannot be kept secret or rotated when someone leaves. Third, separate networks should be implemented: one guest network with internet access only and no route to the GFI intranet, and one employee network. MAC filtering can be enabled on the employee network to keep unmanaged devices off by default, but it is not an authentication mechanism, because client MAC addresses are visible in the clear to anyone within range and are trivial to spoof; the 802.1X authentication is what actually controls access. Together these measures address the confidentiality, integrity and availability of wireless access.
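The access point settings discussed in the Wireless section above and in this mitigation, as an added example that is not part of the original assessment. It audits a hostapd-style configuration for the weak settings named in this document (open authentication, a shared passphrase on the corporate SSID, TKIP, reliance on a hidden SSID or MAC filtering) and shows the weak configuration beside the corrected WPA2-Enterprise one. Both configurations are constructed for the example; the RADIUS address and shared secret are placeholders, and the directive names are hostapd's.

```go
package main

import (
	"fmt"
	"strings"
)

// parseConf reads hostapd-style "key=value" lines into a map, skipping
// comments and blank lines.
func parseConf(text string) map[string]string {
	cfg := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) == 2 {
			cfg[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return cfg
}

// AuditWireless returns one finding per weak setting in an access point
// configuration intended for a corporate (non-guest) SSID.
func AuditWireless(text string) []string {
	cfg := parseConf(text)
	var findings []string
	// hostapd: wpa=0 is an open network, 1 is WPA(1), 2 is WPA2/RSN, 3 is mixed.
	if cfg["wpa"] != "2" {
		findings = append(findings, "wpa="+cfg["wpa"]+": open or WPA1 network; require wpa=2")
	}
	mgmt := cfg["wpa_key_mgmt"]
	if !strings.Contains(mgmt, "WPA-EAP") {
		findings = append(findings, "wpa_key_mgmt="+mgmt+": corporate SSID must use 802.1X (WPA-EAP)")
	}
	if strings.Contains(mgmt, "WPA-PSK") {
		findings = append(findings, "wpa_key_mgmt allows WPA-PSK: a passphrase shared by all staff cannot be revoked per user")
	}
	for _, key := range []string{"wpa_pairwise", "rsn_pairwise"} {
		if strings.Contains(cfg[key], "TKIP") {
			findings = append(findings, key+" includes TKIP: legacy cipher with known attacks; use CCMP only")
		}
	}
	if cfg["ignore_broadcast_ssid"] == "1" {
		findings = append(findings, "ignore_broadcast_ssid=1: a hidden SSID is not a security control; clients still send it in the clear")
	}
	if cfg["macaddr_acl"] == "1" && !strings.Contains(mgmt, "WPA-EAP") {
		findings = append(findings, "macaddr_acl=1 without 802.1X: MAC addresses are visible and spoofable, not an authentication mechanism")
	}
	return findings
}

// WeakConf is a constructed configuration resembling the state described in
// this assessment: open authentication, hidden SSID and MAC filtering.
const WeakConf = `
interface=wlan0
ssid=GFI-CORP
ignore_broadcast_ssid=1
macaddr_acl=1
wpa=0
`

// HardenedConf is the corrected configuration: WPA2-Enterprise with AES-CCMP,
// authenticating every employee against a RADIUS server (address and secret
// are placeholders).
const HardenedConf = `
interface=wlan0
ssid=GFI-CORP
ignore_broadcast_ssid=0
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=change-me
`

func main() {
	for _, f := range AuditWireless(WeakConf) {
		fmt.Println("WEAK:", f)
	}
	fmt.Println("findings in hardened config:", len(AuditWireless(HardenedConf)))
}
```

A check like this belongs in the change pipeline for the access points, so that a configuration reintroducing PSK or TKIP on the corporate SSID is caught before it is pushed.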

Encryption

All GFI traffic crossing the remote locations, the TCB and the VPN routes will immediately begin to use IPsec to protect sensitive company data in transit. IPsec establishes a secure path between two devices that may traverse many insecure intermediate systems: the peers agree on protocols, methods and keys, then encode the data and send it across the network. Its two key protocols are the Authentication Header (AH), which provides integrity and origin authentication but no encryption, and the Encapsulating Security Payload (ESP), which provides encryption as well as integrity; ESP is therefore the one to use for the confidentiality GFI needs, and it is also the only one of the two that works through network address translation. Microsoft summarizes the basics: IPsec "supports network-level peer authentication, data origin authentication, data integrity, data confidentiality, and replay protection" (Microsoft, 2016).

Mobility

A proper bring-your-own-device (BYOD) policy must be in place to address the security issues involved before these devices are allowed onto GFI's intranet and exposed to sensitive and classified data. This mitigates the threats and vulnerabilities that having no policy for such devices would bring. First, every device must enroll in a mobile device management (MDM) program, such as VMware AirWatch, which records the operating system and installed applications and verifies that approved versions are present; a device that fails this check is denied access to the GFI intranet altogether. Second, one approved application, Trend Micro Mobile Security, is mandatory, and a device without it, or with an out-of-date copy, is likewise denied. This also allows extra security controls on the device: logging, encryption and protection against insider threats. Third, mobile devices will not be allowed onto the more secure MAC system described earlier; this privileged access control keeps the most valued data hard to reach and creates a defense-in-depth posture. Lastly, after the MDM has verified the device's integrity, a second factor of authentication will be required to reach the network, via an RSA security token, adding another layer that must be passed before gaining access to the GFI intranet.

These procedures adequately mitigate the risks involved with BYOD. Outsourcing this function would only create a reliance on a vendor in time of crisis and is not recommended.

Network Intrusion

The increase in network traffic volume discovered shortly after the GFI article in Fortune should be treated as an immediate threat, and an intrusion detection system (IDS) together with security information and event management (SIEM) should be installed to combat the vulnerability. The IDS devices will monitor internet traffic and activity, while the SIEM will collect and correlate the relevant logs to identify the threats behind the traffic volume. Together with the other security policies in place, they will strengthen the defenses against insider threats as well. IT personnel should regularly test the effectiveness of the SIEM and IDS against the internet-facing issues within GFI, so that each identified intrusion lets the IT department tune the firewall to counter the vulnerabilities found.
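The kind of correlation a SIEM would run over the border firewall logs to find the source of the unexplained traffic, as an added example that is not part of the original essay or of any IDS/SIEM product. It parses constructed firewall log lines (addresses are from the documentation ranges and identify no real host), counts connections per source, and flags a source either for volume far above the median of all sources or for touching many distinct destination ports, which is the signature of a port scan. The log format and the thresholds are assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is one parsed firewall log line.
type Event struct {
	Time, Src, Dst, Dport string
}

// parseLine reads a constructed "timestamp key=value ..." firewall log line.
func parseLine(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, false
	}
	e := Event{Time: fields[0]}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "src":
			e.Src = kv[1]
		case "dst":
			e.Dst = kv[1]
		case "dport":
			e.Dport = kv[1]
		}
	}
	return e, e.Src != ""
}

// Alert names a source that stands out from the rest of the traffic.
type Alert struct {
	Src    string
	Count  int
	Reason string
}

// Detect counts connections per source and flags any source whose count
// exceeds factor x the median source count (a volume anomaly) or that hits
// more than maxPorts distinct destination ports (a scan). Alerts are
// returned busiest source first.
func Detect(lines []string, factor float64, maxPorts int) []Alert {
	counts := map[string]int{}
	ports := map[string]map[string]bool{}
	for _, l := range lines {
		e, ok := parseLine(l)
		if !ok {
			continue
		}
		counts[e.Src]++
		if ports[e.Src] == nil {
			ports[e.Src] = map[string]bool{}
		}
		ports[e.Src][e.Dport] = true
	}
	if len(counts) == 0 {
		return nil
	}
	var all []int
	for _, c := range counts {
		all = append(all, c)
	}
	sort.Ints(all)
	median := float64(all[len(all)/2])
	var alerts []Alert
	for src, c := range counts {
		var reasons []string
		if float64(c) > factor*median {
			reasons = append(reasons, fmt.Sprintf("%d connections against a median of %.0f", c, median))
		}
		if len(ports[src]) > maxPorts {
			reasons = append(reasons, fmt.Sprintf("%d distinct destination ports", len(ports[src])))
		}
		if len(reasons) > 0 {
			alerts = append(alerts, Alert{Src: src, Count: c, Reason: strings.Join(reasons, "; ")})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Count > alerts[j].Count })
	return alerts
}

// SampleLog is constructed for this example: ordinary web traffic from three
// hosts, one host probing a series of ports on the border router, and one
// host hammering the web front end.
func SampleLog() []string {
	lines := []string{
		"2020-02-08T10:00:01Z src=203.0.113.5 dst=198.51.100.10 dport=443",
		"2020-02-08T10:00:04Z src=203.0.113.5 dst=198.51.100.10 dport=443",
		"2020-02-08T10:00:06Z src=203.0.113.9 dst=198.51.100.10 dport=443",
		"2020-02-08T10:00:09Z src=203.0.113.9 dst=198.51.100.11 dport=443",
		"2020-02-08T10:00:12Z src=203.0.113.12 dst=198.51.100.10 dport=443",
		"2020-02-08T10:00:15Z src=203.0.113.12 dst=198.51.100.10 dport=443",
		"2020-02-08T10:00:18Z src=203.0.113.12 dst=198.51.100.11 dport=443",
	}
	for i, p := range []string{"21", "22", "23", "25", "80"} {
		lines = append(lines, fmt.Sprintf("2020-02-08T10:01:%02dZ src=198.51.100.200 dst=198.51.100.1 dport=%s", i, p))
	}
	for i := 0; i < 9; i++ {
		lines = append(lines, fmt.Sprintf("2020-02-08T10:02:%02dZ src=203.0.113.66 dst=198.51.100.10 dport=443", i))
	}
	return lines
}

func main() {
	for _, a := range Detect(SampleLog(), 2, 3) {
		fmt.Printf("%-16s %s\n", a.Src, a.Reason)
	}
}
```

Comparing each source against the median rather than a fixed number keeps the rule useful as GFI's legitimate traffic grows, which matters here because the volume increase itself is what prompted the investigation.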

VIII. Policy Requirements (Assumptions)

In addition to the security recommendations already put forward in this document, the following security policies are deemed necessary to permit further enhancements in security.

  • An organization-wide security policy for employees' personal log-ins will be established, which every employee will be asked to sign and adhere to. Employees will also acknowledge that their personal log-in shall not be shared with any other user.

  • Active and effective reporting of all security problems, including threats, by GFI employees and contractors is mandatory and must be immediate.

  • The system administrator must obtain the approval of the acting CSM for all changes to management procedures, including testing, verification and maintenance, and for all changes and updates made to the security systems and policies.

  • All changes in the employment status of contractors and employees must be copied to the CSM, so that security can adjust their level of access accordingly.

IX. Conclusion

It is very important that risk assessment and management be conducted annually, to provide better security measures given the history of security breaches. Vulnerabilities may still be unknown, and GFI must put into effect every consideration and measure it has the means to. Because security is an ongoing activity, it is essential for GFI to guarantee the safety of its most sensitive and confidential information. GFI's customers and employees should be assured of the three main security objectives, confidentiality, integrity and availability, through action to mitigate every identified network vulnerability and threat. If these issues are resolved internally, customer satisfaction and opportunity will increase in the face of adversity, and the internal repair will maintain the confidence of shareholders and support the stock price as they see what the investments have achieved. Outsourcing is not a cost-effective solution and would probably lead to other overhead costs, so it is better for GFI to invest in itself for the future of the organization.

References

 

  • Amazon. (2016). What is Cloud Computing? Amazon Web Services. Retrieved from http://aws.amazon.com/what-is-cloud-computing/?sc_channel=PS&sc_campaign=acquisition_US&sc_publisher=google&sc_medium=cloud_computing_hv_b&sc_content=sitelink&sc_detail=amazon%20web%20services&sc_category=cloud_computing&sc_segment=what_is_cloud_computing
  • Kratky, R., & Ancincova, B. (2016). Red Hat Enterprise Linux 6: Security-Enhanced Linux, Introduction. Red Hat. Retrieved from https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-Introduction.html
  • Microsoft. (2007, October 26). Description of Symmetric and Asymmetric Encryption. Microsoft Support. Retrieved from https://support.microsoft.com/en-us/kb/246071
  • Microsoft. (2016). IPsec. Microsoft TechNet. Retrieved from https://technet.microsoft.com/en-us/library/bb531150.aspx
  • Microsoft. (2016). What is VPN? Microsoft TechNet. Retrieved from https://technet.microsoft.com/en-us/library/cc731954(v=ws.10).aspx
  • Miller, R. (2016, July 2). How AWS came to be. TechCrunch. Retrieved from https://techcrunch.com/2016/07/02/andy-jassys-brief-history-of-the-genesis-of-aws/
  • Schmittling, R., & Munns, A. (2010). Performing a Security Risk Assessment. ISACA Journal, 2010(1). Retrieved from http://www.isaca.org/journal/archives/2010/volume-1/pages/performing-a-security-risk-assessment1.aspx
  • Stoneburner, G., Goguen, A., & Feringa, A. (2002, July). Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30). Retrieved from http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
  • Trend Micro. (2015). Deep Security 9.6 [Datasheet]. Retrieved from http://www.trendmicro.com/cloud-content/us/pdfs/business/datasheets/ds_deep-security.pdf

 
