Global Finance Industry Security Risk Assessment
Computer Sciences and Information Technology
1. Introduction
Global Finance Inc (GFI) is a public company specializing in several financial services, mainly financial management, wholesale loan processing, loan application approval, and investing on behalf of its customers. The company’s operations are spread across the United States, Canada, and Mexico, and it employs a workforce of more than 1,600 people. In the past few years the company has recorded an estimated annual growth rate of 8%, a consistency that earned it a feature in Fortune magazine. This performance has been attributed to the company’s well-designed management strategy, which is founded on scaling operational performance through technological innovation and automation.
Unfortunately, GFI has been exposed to several cyberattacks in recent years, leading to the loss of approximately $1,700,000 in revenue. An immeasurable amount of customer confidence has also been lost because of these attacks. For example, an attack on the Oracle database in 2012 led to the loss of customer database availability for a few days. Although the database was restored and normal operations resumed, the loss of confidentiality was very damaging to GFI’s reputation. The company’s CEO, John Thompson, is concerned about these attacks because GFI’s privacy and integrity are massively affected, which might have an overall effect on how the organization conducts business in the future.
With the company increasing its dependence on technology across most of its operations while decreasing its information technology footprint, the company hired me as Computer Security Manager, reporting directly to Mike Willy, GFI’s Chief Operations Officer. Although Willy and I clearly understand the strategic role technology plays in implementing the company’s business plan, I believe that scaling down information technology services while outsourcing IT functions poses considerable risks to both the company’s strategic and security capabilities. A security risk assessment must be conducted to ensure that the company’s confidential corporate data is secure and that customer information and business intelligence are protected.
1.1. Purpose
This risk assessment aims to determine both the qualitative and quantitative risk estimates related to the company’s IT security vulnerabilities and threats. It also seeks to analyze the company’s infrastructure and IT organizational processes in order to provide an acceptable and wide-ranging risk-mitigation assessment. Finally, the assessment will offer solutions to the identified threats and vulnerabilities, which pose considerable risks to the company’s integrity and confidentiality while threatening its strategic capability and IT security framework.
The key areas that this risk assessment will cover include:
a. Identifying GFI’s current threats in different areas, key among them proprietary business intelligence, strategic capability, customer information, and IT security.
b. Identifying any weaknesses that might exist in GFI’s company processes and security controls.
c. Assessing the potential business impact of the identified threats and vulnerabilities.
d. Providing recommendations meant to enhance the company’s security infrastructure using proven processes and emerging technologies.
1.2. Roles and Responsibilities
Chief Executive Officer – John Thompson
The role of the CEO is to make sure that the company’s long-term strategic business plans are well taken care of in order to increase shareholder value. As such, Mr. Thompson gives the final verdict and decides whether the strategic information plans align clearly with the company’s strategic business plan. For instance, in this case the Computer Security Manager gives Mr. Thompson recommendations on how to implement the penetration testing software. Mr. Thompson will then consider the views of the other officers and decide whether this recommendation will impact the company’s ROI and its shareholder value.
Chief Operations Officer – Mike Willy
The Chief Operations Officer’s primary role is to oversee the company’s ongoing business operations. In this case, Mike Willy is second in the chain of command, and his responsibilities include overseeing how information technology projects within the company align with daily operations. The COO also provides input and leadership on how the company’s strategic plan should be implemented. Finally, he helps the company’s Chief Financial Officer determine how operational information technology processes will impact the overall operational budget.
Computer Security Manager – Rick Santos
The Computer Security Manager’s primary role is to be the company’s business leader responsible for ensuring that the development, management, and implementation of the company’s corporate security vision are carried out well. In this case, Rick Santos’s responsibilities focus on the technological and scientific issues necessary to protect the integrity and confidentiality of the company’s network while identifying any vulnerability that might exist in the GFI information system. Undertaking these roles is very important because it will help GFI realize its business objectives while implementing the appropriate security controls necessary to mitigate risks and minimize the likelihood of project failure.
2. Security Risk Assessment
With the right security risk assessment, GFI can prevent security breaches while minimizing the impact of breaches that have already occurred, thus safeguarding the company’s reputation. Additionally, regular IT security risk assessments help organizations accumulate historical data that can be used to communicate and effectively gauge the monetary impact associated with the identified risks. Such an assessment framework would convince the company’s upper management to take appropriate action to reduce the organization’s IT threat surface.
2.1. Risk Impact
The table below summarizes each security objective’s potential impact on integrity, availability, and confidentiality, as described by Dempsey, Witte and Rike (2014).
Figure 1: Retrieved from (Dempsey, Witte & Rike, 2014)
3. Network Office Topology
Global Finance Inc has a corporate WAN with ten remote locations that communicate with the company’s central data processing environment via a corporate VPN. Access control is implemented at the company, with access based strictly on a user’s role within the organization. For instance, where an engineering manager requires access to data from both the engineering department and the training department, each user’s role defines the permissions necessary to access these different objects.
3.1. Network Security
A VPN gateway appliance is installed at the network’s border layer. Ross (2014) indicates that VPNs combine tunneling and encryption technologies to establish a secure connection. The Layer Two Tunneling Protocol is used together with Internet Protocol Security (L2TP/IPSec) to ensure that the VPN deployment is as secure as possible. VPNs offer a high security standard because authentication prevents unauthorized users from connecting to an organization’s network. VPN systems using Secure Sockets Layer tend to be susceptible to various threats such as Denial of Service attacks, especially where software patches have not been applied. As such, software patches should be applied regularly; the recommended approach is a nightly schedule during off-peak hours, so that the network is not bogged down.
3.2. Access Points
3.2.1. Internal Access
Global Finance Inc employees access the company network internally through individual workstations that are pre-installed with, and kept updated by, antivirus software. The organization’s internal network topology uses 10 Gbps VLAN switches segregated by department. With this kind of setup, personnel, servers, and applications are granted only the privileges appropriate to the resources they need, and their activities can be easily monitored through various auditing and reporting systems. Access control lists (ACLs) should also be implemented to determine which individuals have the right to access each VLAN, given that some VLANs already hold classified and sensitive information. ACLs mitigate these risks because they control who can access individual VLANs, databases, applications, and other important files. Failure to enforce these ACLs would pose considerable risks to the confidentiality and integrity of the organization. Additionally, Wireless Access Points must be encrypted and their SSIDs should be made invisible. These measures can be reinforced by installing a firewall client with automatic configuration, which enhances protection of the network. Finally, establishing these measures alongside strict web browser settings will minimize the risk of malicious attacks such as denial of service or man-in-the-middle.
Another critical network security measure to consider is Group Policy, which plays a significant role, mainly when applied at the internal organization level. Rafaels (2019) defines Group Policy as an infrastructure that allows specific configurations to be implemented for both computers and users. Group Policy settings exist within Group Policy Objects (GPOs), which are linked to Active Directory containers such as organizational units, sites, and domains. In this case, the Default Domain Policy GPO can be used to manage the default Kerberos Policy, Account Policies settings, Password Policy, and Account Lockout Policy (Rafaels, 2019). These accounts must belong to the same domain, which is the global parent group; as such, the group scope for organizational units has to be universal. Failure to implement these controls poses a high risk of a confidentiality breach and a loss of integrity.
3.2.2. External Access
RAS servers provide external access: they communicate with the distribution routers, 10 Gbps switches, and VPN gateways through a router of roughly 100 Mbps. Mobile users making dial-up connections have to authenticate (Rafaels, 2019). However, remote access to the internal corporate databases is not encrypted, which poses considerable threats to integrity, confidentiality, and availability.
4. Access Control
4.1. Authentication
Compared to a symmetric system, asymmetric (public key) encryption tends to be more flexible. The system allows a message to be encrypted using one key such that it can only be decrypted using the other key of the pair, which is designed solely for that purpose. In most cases the public key can be published while the private key cannot. The role of a PKI is to ensure that the certification of public keys is kept current and authorized.
An asymmetric key pair comprises one private key and one public key. While the public key is open to everyone, the private key can only be known or used by its owner. PGP uses a trust scheme in which each user generates two keys: a public key that everyone can access, since it is stored in a central, accessible location, and a private key that the user holds in confidence. Encryption is done using the receiver’s public key, while signing is done with the sender’s private key. Once a message is received, the recipient decrypts it using their private key, and the authenticity of the message is validated using the sender’s public key.
Yang and Hwang (2015) argue that companies tend to use several authentication methods to secure their network topology and infrastructure. Some of the options that GFI can consider include:
• IPSec Authentication
• Password Authentication Protocol (PAP)
• Microsoft CHAP
• SSL
• Others, such as Kerberos.
4.2. Privileged Access
Given the classified and sensitive information on Global Finance Inc’s network, Mandatory Access Control (MAC) should be implemented. MAC introduces a specialized approach to access control and is typically implemented at organizations that store classified and highly sensitive data; under MAC, access is based on security labels. Yang and Hwang (2015) indicate the following characteristics of Mandatory Access Control:
a. Changes to a resource’s security label can only be made by an administrator, not by the data owners.
b. The security level assigned to each item of data is based on its relative protection value, confidentiality, and sensitivity.
c. All users have the right to read from classifications lower than the one they have been granted, and they can also write to a higher classification.
d. Users are given read/write access to objects that bear the same classification as their own.
e. Authorization and restriction of access to specific objects are often based on a particular time of day, depending on factors such as the labeling of a resource and the credentials of the user.
f. Authorization and restriction of access to specific objects are also based on the HTTP client’s security characteristics.
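The following Python example, added here and not part of the original assessment, models characteristics (a) through (e) above as a label-based access decision: read down or at the same level, write up or at the same level, an optional time-of-day window per resource, and relabeling restricted to administrators. The label names, subject names and time window are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

# Ordered security labels (constructed): a higher index dominates every lower one.
LEVELS = ["public", "internal", "confidential", "secret"]


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                 # label granted by an administrator (item a)
    is_admin: bool = False


@dataclass
class Resource:
    name: str
    label: str                     # relative protection value / sensitivity (item b)
    window: Optional[Tuple[time, time]] = None   # permitted time of day (item e)


def dominates(higher: str, lower: str) -> bool:
    """True when label `higher` is at or above label `lower` in the lattice."""
    return LEVELS.index(higher) >= LEVELS.index(lower)


def within_window(res: Resource, now: time) -> bool:
    """Resources without a window are reachable at any time of day."""
    if res.window is None:
        return True
    start, end = res.window
    return start <= now <= end


def decide(subj: Subject, res: Resource, op: str, now: time) -> bool:
    """Return True if `op` ("read" or "write") on `res` is permitted right now."""
    if not within_window(res, now):
        return False               # outside the permitted hours (item e)
    if op == "read":
        # Read same level or lower, never higher (items c, d).
        return dominates(subj.clearance, res.label)
    if op == "write":
        # Write same level or higher, never lower, so data cannot leak
        # to a less protected classification (items c, d).
        return dominates(res.label, subj.clearance)
    raise ValueError(f"unknown operation {op!r}")


def relabel(actor: Subject, res: Resource, new_label: str) -> None:
    """Only an administrator may change a resource's security label (item a)."""
    if not actor.is_admin:
        raise PermissionError(f"{actor.name} is not an administrator")
    if new_label not in LEVELS:
        raise ValueError(f"unknown label {new_label!r}")
    res.label = new_label


if __name__ == "__main__":
    analyst = Subject("loan-analyst", "confidential")
    ledger = Resource("loan-ledger", "secret", window=(time(8), time(18)))
    for op in ("read", "write"):
        print(f"{analyst.name} {op} {ledger.name} at 10:00 ->",
              decide(analyst, ledger, op, time(10)))
```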
4.3. Mobility
To enable effective real-time interaction between co-workers and between the organization and its customers, mobility is an important consideration. Global Finance Inc intends to grow, and mobility would enhance productivity by establishing an environment in which employees can have a virtual office anywhere there is an internet connection. Mobility empowers employees to be more productive and puts them in a better position to serve customers (Yang & Hwang, 2015). However, although mobility is an important asset for any organization, its security concerns must also be considered. For instance, mobile devices pose significant threats because they have the potential to bypass a company’s antivirus applications and firewalls.
4.4. Flexibility and Convenience
4.4.1. Wireless
Wireless capabilities give Global Finance Inc a great deal of flexibility. However, the company’s current wireless network does not employ any form of encryption, and the SSID is visible to anyone within range of the WAP. This setup presents high risks to confidentiality, integrity, and availability (CIA). Based on this understanding, it is recommended to implement WPA2-Enterprise with TKIP or AES encryption. Additionally, the SSID should be hidden.
4.4.2. Cloud Computing
Cloud-based e-commerce platforms allow Global Finance Inc to provide its customers with different products and services online. However, although these online platforms give customers a convenient method of service delivery, they pose several security concerns because any data stored remotely can more easily be compromised. As such, additional network security layers and standards are required to mitigate these risks. I would recommend the Microsoft Azure cloud computing platform and services for this purpose. Yang and Hwang (2015) indicate that Azure integrates easily with an organization’s existing IT environment through secure private network connections, storage solutions, and hybrid databases, among others. With such capabilities in place, the organization’s assets remain right where they are needed. Moreover, Azure Stack can even be used to run Azure within an organization’s own datacenter. Azure hybrid clouds are known to provide the best of both worlds by offering more IT options while lowering cost and complexity.
Microsoft Azure already has robust security features, but it needs an additional security layer, which can be provided through McAfee Endpoint Security for Microsoft Azure environments. Yang and Hwang (2015) indicate that MESMA integrates with Microsoft Azure and can be deployed easily through Azure PowerShell, thus providing advanced security for an organization’s endpoints.
5. Inventory
| Item | Department | Quantity | Cost | Total Cost | Priority |
|---|---|---|---|---|---|
| Dell Precision Workstations | Accounting | 50 | $500 | $25,000 | High |
| | Credit | 10 | $500 | $5,000 | Moderate |
| | Customer Service | 10 | $500 | $5,000 | Moderate |
| | Finance | 35 | $500 | $17,500 | High |
| | Loans | 20 | $500 | $10,000 | Moderate |
| | Management | 10 | $500 | $5,000 | High |
| | TCB Network | 10 | $500 | $5,000 | High |
| | Subtotal | 145 | | $72,500 | |
| HP LaserJet Printers | Accounting | 5 | $400 | $2,000 | |
| | Credit | 1 | $400 | $400 | |
| | Customer Service | 1 | $400 | $400 | |
| | Finance | 3 | $400 | $1,200 | |
| | Loans | 2 | $400 | $800 | |
| | Management | 1 | $400 | $400 | |
| | TCB Network | 0 | 0 | 0 | |
| | Subtotal | 13 | | $5,200 | |
| Wireless Access Point | | 3 | $300 | $900 | High |
| VPN Gateway | | 2 | $35,000 | $70,000 | High |
| Border Routers | | 2 | $30,000 | $60,000 | High |
| | Subtotal | 8 | | $132,300 | |
| Grand Total | | | | $210,000 | |
6. Network Vulnerabilities
| System | Vulnerability | Risk | Priority |
|---|---|---|---|
| Wireless Technology | Global Finance Inc’s wireless network is accessible to company employees and neighboring residents alike. This open accessibility presents a very high risk to the company’s network security. | High | High |
| Encryption | Remote connectivity to and from the corporate database and the TCB is not encrypted. This is a high security risk to Global Finance Inc. | High | High |
| Mobility | No system has been established to prevent malicious programs on infected devices and applications from interfering with the corporate network, and no system exists to safeguard the company’s data if a device is lost or stolen. | High | High |
| Network Intrusion | There is a huge spike in the traffic crossing the company’s internal networks. The origin of this traffic, or the person generating it, has not yet been identified, and its frequency and volume are highly abnormal. | High | High |
| Cloud Computing | Failure to secure cloud computing properly leaves it susceptible to occasional data breaches, which can lead to the loss of confidential, high-level corporate information. | Medium | Medium |
7. Risk Mitigation
The current IT processes and network topology at Global Finance Inc present several serious vulnerabilities that require mitigation using both hard and soft security controls. These vulnerabilities in the current IT environment have to be addressed to ensure that Global Finance Inc’s data and assets are adequately safeguarded and that the company’s business intelligence maintains the CIA model.
7.1. Wireless Access
Currently, wireless network access uses open authentication. This allows any individual within proximity of a GFI WAP and operating any Wi-Fi enabled device to gain access to classified, privileged, and sensitive information. The potential threats that Global Finance Inc is exposed to include Denial of Service attacks, wireless intrusion and phishing, and endpoint attacks, among others. Such attacks have the potential to cause quantitative and qualitative damage to the company’s integrity and confidentiality. Based on this understanding, these risks can be mitigated by adhering to the following recommendations:
a. The SSID should be hidden within the Global Finance Inc framework through a process referred to as network cloaking. This prevents the SSID name from being broadcast, making the network appear invisible. Although this approach can stop inexperienced users from finding the network, it should be taken as a supplementary measure that supports encryption, not as a replacement for it.
b. WPA2-PSK (AES) encryption should be implemented because it strengthens network encryption while ensuring that the network’s high speeds are maintained.
c. Finally, two networks should be implemented to segregate guests from Global Finance Inc employees: Global Finance Inc Emp and Global Finance Inc Guest. The guest network will allow visitors temporary access to connect to the Global Finance Inc network, but they will not be able to access the company’s sensitive or classified information.
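As an added example, not part of the original assessment, the following Python script audits an access point configuration against recommendations (a) to (c) above: hidden employee SSID, WPA2 with AES/CCMP only, and a separate guest network. The two configurations are constructed samples written in hostapd’s key=value syntax (assumed; a `bss=` line opens an additional BSS section), with obvious placeholders where passphrases would go.

```python
from typing import Dict, List, Tuple

# Constructed sample: the access point as the assessment describes it today,
# open authentication and a broadcast SSID.
CURRENT_CONFIG = """\
interface=wlan0
ssid=GFI-WiFi
channel=6
"""

# Constructed sample: the recommended profile, a hidden employee SSID with
# WPA2/CCMP and a separate guest BSS with client isolation.
HARDENED_CONFIG = """\
interface=wlan0
ssid=Global Finance Inc Emp
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=<placeholder: long random passphrase>
bss=wlan0_1
ssid=Global Finance Inc Guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=<placeholder: guest passphrase>
ap_isolate=1
"""


def parse_bss_sections(text: str) -> List[Dict[str, str]]:
    """Split a key=value config into per-BSS dicts; `bss=` starts a new section."""
    sections: List[Dict[str, str]] = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bss":
            sections.append({})
        sections[-1][key] = value
    return sections


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (ssid, finding) pairs for settings that contradict the recommendations."""
    findings: List[Tuple[str, str]] = []
    sections = parse_bss_sections(text)
    for bss in sections:
        ssid = bss.get("ssid", "<unnamed>")
        is_guest = "guest" in ssid.lower()
        wpa = bss.get("wpa", "0")
        if wpa == "0":
            findings.append((ssid, "open authentication: enable WPA2 (wpa=2)"))
        elif wpa != "2":           # wpa=1 is WPA only, wpa=3 is mixed WPA/WPA2
            findings.append((ssid, "legacy WPA permitted: set wpa=2 for WPA2 only"))
        cipher = bss.get("rsn_pairwise", bss.get("wpa_pairwise", "")).upper()
        if "TKIP" in cipher:
            findings.append((ssid, "TKIP cipher allowed: use AES/CCMP only"))
        # Recommendation (a): cloak the employee SSID; the guest SSID may be visible.
        if not is_guest and bss.get("ignore_broadcast_ssid", "0") == "0":
            findings.append((ssid, "employee SSID is broadcast: set ignore_broadcast_ssid=1"))
    # Recommendation (c): a segregated guest network must exist.
    if not any("guest" in s.get("ssid", "").lower() for s in sections):
        findings.append(("<all>", "no segregated guest network configured"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("current", CURRENT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```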
7.2. Encryption
IPSec should be the encryption technique used to secure all information transmitted through the Global Finance Inc VPN, remote systems, or TCB interchanges. IPSec uses packet filtering and cryptography. Cryptography provides user authentication, guarantees data privacy and integrity, and enforces trusted communication. The strong cryptography-based authentication and encryption support that IPSec provides is particularly effective for securing traffic that must cross untrusted network paths, such as those on a large corporate intranet or the Internet. IPSec is also particularly appropriate and effective in enhancing network security, especially for applications that do not provide adequate security for their own communication (Trojahn & Ortmeier, 2013). Routers and firewalls will likewise be configured to allow IPSec traffic.
7.3. Mobility
Global Finance Inc’s network requires that best practices be implemented to ensure that BYOD devices do not harm the network. As such, the following recommendations should be considered:
a. Mobile device management tools should be used to track all mobile devices within the organization, keep track of their operating systems and applications, and conduct patch management. Once these tools identify a malicious application or a vulnerability on a specific device, that application or device should be quarantined until a patch or fix is available.
b. Endpoint security software such as Norton Endpoint Protection, Kaspersky Internet Security, or McAfee Mobile Security should be installed on all devices. However, although this software is useful in preventing data leakage from the organization, it cannot protect the company against actions committed by untrusted employees. As such, access control measures, audit logging, and other controls have to be put in place.
c. Global Finance Inc’s resources should be separated from users’ personal resources. In this case, mandatory access control (MAC) shall be used to grant employees access on a need-to-know basis. Adopting these measures means that classified or proprietary information cannot be accessed from any BYOD device. These steps safeguard the company’s assets and information while allowing employees the flexibility to use their own devices.
d. Finally, authentication techniques such as the Password Authentication Protocol (PAP) should be applied to access any Global Finance Inc network or asset.
Applying these recommendations will give Global Finance Inc the flexibility necessary for effective mobile computing while maintaining a defense-in-depth posture without increasing maintenance or management requirements.
7.4. Network Intrusion
Network traffic volume has been reported to have increased significantly; as such, I would recommend installing signature-based Intrusion Detection Systems, which tend to be more proactive in reacting to threats within an organization. These systems achieve this because they can monitor network activity easily and produce tangible reports from which organization personnel can make the right analysis and secure their network appropriately. When these Intrusion Detection Systems are placed alongside firewalls, they can scan both inbound and outbound traffic effectively.
Another recommendation is to utilize penetration testing software such as Metasploit, which provides an extensive framework consisting of numerous powerful tools and the utilities required for penetration testing. One of the most crucial phases of penetration testing is intelligence gathering, because it provides a solid platform for the ultimate payload delivery. Additionally, intelligence gathering techniques such as port scanning are commonly used to identify vulnerabilities within a given network.
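The monitoring described above, applied to the unexplained traffic spike from section 6, as an added Python example that is not part of the original assessment: it aggregates flow records into five-minute buckets per source address and flags any source whose volume in a bucket exceeds a multiple of the median across all source/bucket pairs, which points at the origin of the spike. The flow log format (`<ISO timestamp> <src> <dst> <bytes>`), the addresses and the volumes are all constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

Flow = Tuple[datetime, str, str, int]          # (timestamp, src, dst, bytes)
BucketKey = Tuple[datetime, str]               # (bucket start, src)


def build_sample_log() -> str:
    """Constructed flow log: five workstations talk to a file server at modest
    per-minute volumes; 10.10.3.25 starts pushing far more data after 09:10."""
    hosts = ["10.10.3.21", "10.10.3.22", "10.10.3.23", "10.10.3.24", "10.10.3.25"]
    lines = ["# constructed sample, not real traffic"]
    for minute in range(20):                   # covers four 5-minute buckets
        for i, host in enumerate(hosts):
            size = 2000 + 300 * i              # normal per-minute volume
            if host == "10.10.3.25" and minute >= 10:
                size = 180_000                 # abnormal volume in buckets 3 and 4
            lines.append(f"2024-05-01T09:{minute:02d}:{(i * 7) % 60:02d} "
                         f"{host} 10.10.1.5 {size}")
    return "\n".join(lines)


def parse_flows(text: str) -> List[Flow]:
    """Parse flow records, skipping comments and malformed lines."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or line.startswith("#"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            flows.append((ts, parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def volume_by_bucket_source(flows: List[Flow], bucket_minutes: int = 5) -> Dict[BucketKey, int]:
    """Sum bytes per (bucket start, source) pair."""
    totals: Dict[BucketKey, int] = defaultdict(int)
    for ts, src, _dst, size in flows:
        start = ts.replace(minute=(ts.minute // bucket_minutes) * bucket_minutes,
                           second=0, microsecond=0)
        totals[(start, src)] += size
    return dict(totals)


def detect_spikes(totals: Dict[BucketKey, int], factor: int = 10) -> List[Tuple[datetime, str, int]]:
    """Flag (bucket, src, bytes) entries above `factor` times the median volume.
    The median is used as the baseline so the spike itself does not inflate it."""
    if not totals:
        return []
    baseline = median(totals.values())
    hits = [(b, s, v) for (b, s), v in totals.items() if v > factor * baseline]
    return sorted(hits)


if __name__ == "__main__":
    spikes = detect_spikes(volume_by_bucket_source(parse_flows(build_sample_log())))
    for bucket, src, size in spikes:
        print(f"{bucket:%H:%M} {src} sent {size} bytes (abnormal)")
```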
8. Assumptions
The Computer Security Manager at Global Finance Inc, Mr. Rick Santos, has to manage and operate the company’s network while making the following assumptions:
a. Network users will not allow any unauthorized party to acquire access to the confidential data or login information entrusted to them.
b. Every team member within the company, whether an employee or a casual worker, will report any security incident or issue they encounter with the company’s hardware or network.
c. GFI’s computer security team will be responsible for creating, implementing, and maintaining a security policy.
d. The Systems Administrator will approve all changes while the CSM authorizes them. Additionally, the administrator will implement changes while the CSM tests, verifies, and maintains the network system.
e. Finally, any position change or employee termination has to be communicated to the company’s Computer Security Manager in a timely fashion so that any privileges can be adjusted or revoked as necessary.
9. Conclusion
Security remains an inevitable expense that any company must undertake if it wants to enhance the safety of its operations and guarantee its customers processes with integrity and confidentiality. Global Finance Inc maintains a great deal of classified and confidential data stored at different locations, and this data is transmitted through a variety of media using different methods. As such, Global Finance Inc cannot be complacent about the integrity and confidentiality of its network being compromised, because the company risks losing sensitive data. Risk management refers to the processes that identify and mitigate vulnerabilities within the network processes. Resolving the issues that exist within encryption management and the wireless network will allow Global Finance Inc to address most of the threats it currently faces. Moreover, a well-established risk management plan, accompanied by solid security awareness training and unique employee credentials requiring multi-level authentication, offers the security that Global Finance Inc requires to preserve the integrity and confidentiality of its network. With all these factors in mind, it is recommended that any outsourcing considerations be halted until the identified security concerns have been conclusively resolved.
10. References
Dempsey, K., Witte, G., & Rike, D. (2014). Summary of NIST SP 800-53 revision 4, security and privacy controls for federal information systems and organizations. DOI:10.6028/nist.cswp.02192014
Rafaels, R. (2019). Guide to understanding security controls: NIST SP 800-53 rev 5.
Ross, R., Katzke, S., Johnson, L. A., Swanson, M., Stoneburner, G., & Rogers, G. (2007). Recommended security controls for federal information systems and organizations. DOI:10.6028/nist.sp.800-53r2
Ross, R. S. (2014). Assessing security and privacy controls in federal information systems and organizations: DOI:10.6028/nist.sp.800-53ar4
Smith, R. W. (2004). The Definitive Guide to Samba 3, 261-292. DOI:10.1007/978-1-4302-0683-5_10
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems (NIST SP 800-30). DOI:10.6028/nist.sp.800-30
Trojahn, M., & Ortmeier, F. (2013). 2013 IEEE Seventh International Conference on Software Security and Reliability Companion. DOI:10.1109/sere-c.2013.14
(2016). International Journal of Science and Research (IJSR), 5(1), 1581-1584. DOI:10.21275/v5i1.nov153159
Yang, D., & Hwang, I. (2015). Security enhancement methods for mobile POS system. 2015 2nd ACM International Conference on Mobile Software Engineering and Systems. DOI:10.1109/mobilesoft.2015.40