GLOBAL FINANCE, INC. (GFI)
Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers.
The diagram below displays the executive management team of GFI:
CEO: John Thompson
Vice President: Trey Elway
Executive Assistants: Kim Johnson, Julie Anderson, Michelle Wang
CCO: Andy Murphy
COO: Mike Willy
CFO: Ron Johnson
Director of Marketing: John King
Director of HR: Ted Young
Figure 1 GFI Executive Organizational Chart
BACKGROUND AND YOUR ROLE
You are the Chief Security Officer, hired by COO Mike Willy, to protect the physical and operational security of GFI’s corporate information systems. Shortly after starting in your new position, you recognize numerous challenges that you will be facing in this pursuit.
Your primary challenge, as is usually the case, is less technical and more of a political nature. CEO John Thompson has been swept up in the “everything can be solved by outsourcing” movement. He believes that the IT problem is a known quantity and feels the IT function can be almost entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department. In fact, the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Based on this vision, the CEO has already begun downsizing the IT department and recently presented a proposal to his senior management team outlining his plan to greatly reduce the internal IT staff in favor of outsourcing. He plans on presenting this approach to the Board of Directors as soon as he has made a few more refinements in his presentation.
COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology services combined with a diminishing IT footprint gravely concerned Mike Willy, and he begged to at least bring in an Information Security expert with the experience necessary to evaluate the current security of GFI’s infrastructure and systems. The COO’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of GFI’s information systems were compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess.
COO Willy has reasons for worrying. GFI has experienced several cyber-attacks from outsiders over the past few years:
• In 2013, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputation. GFI ended up paying its customers a large sum of settlement for their loss of data confidentiality.
• In 2014, another security attack was carried out by a malicious virus that infected the entire network for several days. While infected, the Oracle and e-mail servers had to be shut down to quarantine these servers. COO Willy isn’t sure whether the virus entered GFI’s systems through a malicious email, from malware downloaded from the Internet, or via a user’s USB flash drive. Regardless of the source of the infection, the company lost $1,700,000 in revenue and intangible customer confidence.
• In a separate incident in 2014, one of the financial consultants left his company laptop unprotected at the airport while travelling and it was stolen. It contained customer financial data and the hard drive was not encrypted. Financial reparations were paid to impacted customers.
• In 2015, a laptop running network sniffer software was found plugged into a network jack under a desk in one of the unoccupied offices.
It is apparent from the number of successful cyber-attacks that GFI is an organization severely lacking in information security maturity. COO Willy has commissioned you to perform a quantitative and qualitative risk assessment of GFI’s infrastructure to determine where improvements could be made to reduce the risk of future attacks.
CORPORATE OFFICE NETWORK TOPOLOGY
The diagram on the following page displays GFI’s Corporate Office Topology.
The GFI network infrastructure consists of a corporate WAN spanning 10 remote facilities that are interconnected to the GFI headquarters’ central data processing environment. Data is transmitted from a remote site through a VPN gateway appliance that forms a VPN tunnel with the VPN gateway in headquarters. Through this VPN connection, remote office users access the internal Oracle database to update the customer data tables. Through your inspection of the VPN configuration you discover that the data transaction traversing the remote access connection to the corporate internal databases is not encrypted.
Users are authorized to work from home and both dial-up and VPN remote access are available. Dial-up is provided via Private Branch Exchange (PBX) and a Remote Access Server and VPN remote access is provided via the VPN gateway. Authentication is password-based via MS-CHAP V2. Users are also able to take advantage of GFI’s Bring Your Own Device (BYOD) policy and a Wireless antenna allows wireless networking within headquarters. WEP is used to provide wireless security to BYOD users.
The network perimeter between the Internet and GFI’s internal network infrastructure is separated by two Border (Core) Routers. These Border Routers then connect to two Distribution Routers and the VPN Gateway. The Distribution Routers connect to a RAS Server, a Wireless Router that provides a bridge between the Wireless Antenna and the internal network, and two Multi-layer switches. The Multilayer switches connect to six (6) Access Layer VLAN switches that segregate the Accounting, Loan Dept, Customer Services, Mgmt, Credit Dept, and Finance VLANs. The Multi-layer switches also connect to a third Multi-layer switch that provides a connection to GFI’s servers in the Trusted Computing Base subnet.
The trusted computing based (TCB) internal network is situated in a physically separated subnet. A bulk of the data processing for GFI is handled by an Oracle database on a high end super computer located in the TCB and the TCB also contains an intranet web server used by the internal support team, a Software Update Services (SUS) server used for patch management, an internal DNS server, an e-mail server, and other support personnel workstations. Although each corporate department is segregated physically on a different subnet, they share access to the corporate data in the TCB network.
[Figure: GFI Corporate Office Network Topology (diagram not reproduced). NOTE: in the diagram a dedicated symbol represents a multilayer switch.]
CONSIDERATIONS WHEN CONDUCTING THE RISK ASSESSMENT:
This Risk Assessment and your suggested security improvements are of critical importance. CEO Thompson is set on outsourcing GFI’s IT competency and you’ve been told of a plan from COO Willy to outsource network management and security functions away from your department and over to a service integrator. COO Willy warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator to provide security improvements in certain key areas without a significant increase to the IT budget. It is extremely important that you take into account the value of the assets being protected when selecting security controls to mitigate the risks (i.e. don’t spend $1000 to protect an asset worth $500). In addition to what you learned from COO Mike Willy about the previous exploits of GFI’s vulnerabilities and what you gathered when reviewing GFI’s network infrastructure, the COO has provided some additional information that he wants you to take into account:
1. Ever since an article ran in Fortune about GFI, the network engineers report that they’ve noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information. Suggestions on improvements to perimeter security and/or methods of identifying the source of intrusions should be presented in your risk assessment.
2. The interrelationship between data and operations concerns COO Mike Willy. Increasingly, some of the ten (10) remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle database. The company’s business model is driving higher and higher demand for data, but your capability to respond to these problems is drastically limited. Suggestions on reducing network latency or increasing application response time and availability should be presented in your risk assessment.
3. Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the COO is concerned with mobility security and would like you to research best practices for mobile computing. Security within the BYOD environment should be presented in your risk assessment.
4. Employees enjoy the flexibility of getting access to the corporate network using a WiFi network. However, the COO is concerned over the security ramifications over the wireless network that is widely open to the company and nearby residents. Security within the wireless environment should be presented in your risk assessment.
5. The company plans to offer its products and services online and requested its IT department to design a Cloud Computing based e-commerce platform. However, the COO is particularly concerned over the cloud computing security in case the customer database is breached.
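Item 1 above asks for a method of identifying the source of the abnormal traffic crossing into the internal networks. The following is an added example (not part of the assignment, and not code from GFI or the course) of the simplest such method: bucket perimeter flow records by source address and hour and flag any bucket far above the median bucket volume. The record format, the addresses and all volumes are constructed for illustration; the median is used as the baseline so that the spike itself cannot drag the baseline up.

```python
"""Flag abnormal inbound traffic volume per source from perimeter flow records.

Added example (not part of the assignment). The record format below is
constructed for illustration: "<ISO timestamp> <src_ip> <dst_ip> <bytes>".
Each (source, hour) bucket is compared against the median of all buckets.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records crossing the border routers into the
# internal network (not real GFI data). 192.0.2.66 spikes in the 11:00 hour.
SAMPLE_FLOWS = """\
2015-11-02T09:00:05 203.0.113.7 10.10.1.20 5120
2015-11-02T09:12:41 198.51.100.23 10.10.2.15 6144
2015-11-02T09:30:09 192.0.2.66 10.10.1.20 4096
2015-11-02T09:47:55 203.0.113.7 10.10.3.8 4096
2015-11-02T10:03:18 203.0.113.7 10.10.1.20 7168
2015-11-02T10:15:02 198.51.100.23 10.10.2.15 5120
2015-11-02T10:22:37 192.0.2.66 10.10.1.20 5120
2015-11-02T10:49:11 198.51.100.23 10.10.3.8 3072
this line is deliberately malformed and must be skipped
2015-11-02T11:01:44 203.0.113.7 10.10.1.20 6144
2015-11-02T11:05:23 192.0.2.66 10.10.1.20 900000
2015-11-02T11:06:01 192.0.2.66 10.10.1.20 850000
2015-11-02T11:40:58 198.51.100.23 10.10.2.15 4096
"""


def parse_flows(text):
    """Return a list of (timestamp, src, dst, bytes); malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            nbytes = int(parts[3])
        except ValueError:
            continue
        flows.append((ts, parts[1], parts[2], nbytes))
    return flows


def hourly_volume(flows):
    """Sum bytes into (src_ip, 'YYYY-MM-DDTHH') buckets."""
    buckets = defaultdict(int)
    for ts, src, _dst, nbytes in flows:
        buckets[(src, ts.strftime("%Y-%m-%dT%H"))] += nbytes
    return dict(buckets)


def find_spikes(buckets, factor=10):
    """Return [(src, hour, bytes)] for buckets above factor x the median bucket volume."""
    if not buckets:
        return []
    threshold = statistics.median(buckets.values()) * factor
    spikes = [(src, hour, vol) for (src, hour), vol in buckets.items() if vol > threshold]
    return sorted(spikes, key=lambda s: s[2], reverse=True)


if __name__ == "__main__":
    for src, hour, vol in find_spikes(hourly_volume(parse_flows(SAMPLE_FLOWS))):
        print(f"ALERT {hour}: {src} sent {vol} bytes inbound (above baseline)")
```

In practice the records would come from the border routers' flow export or the firewall logs, the baseline would be computed over days rather than hours, and a flagged source would be handed to the perimeter rules (rate limiting or blocking) rather than only printed.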
ASSIGNMENTS
• From the devices and systems identified in the GFI Corporate Network Topology, conduct a thorough asset inventory, assign monetary values to each asset (quantitative), and assign a priority value for each asset (qualitative) that could be used to determine which assets are most critical for restoral in the event of a catastrophic event or attack.
• Evaluate the perimeter security, make a list of access points internal and external (remote), identify vulnerabilities and make suggestions for improvements to perimeter and network security.
• Evaluate the remote access infrastructure, identify vulnerabilities and suggest security improvements to mitigate risks to remote access.
• Address the COO’s concern over mobility security and design a secure mobile computing environment (smart phones, tablets, laptops, etc.) in terms of authentication technologies and data protection.
• Identify wireless vulnerabilities and recommend what safeguards, authentication technologies, and network security to protect data should be implemented.
• Evaluate the authentication protocols and methodologies within the wired, wireless, mobility and remote access environments and suggest improvements to secure authentication for GFI.
• Evaluate the web system protocols and vulnerabilities within the Intranet server and suggest secure protocol improvements to improve security for web authentication.
• Design a cloud computing environment for the company with a secure means of data protection at rest, in motion and in process.
• Assess all known vulnerabilities on each asset in this environment and impacts if compromised.
• Using the asset inventory and the assigned values (monetary and priority) conduct a quantitative and qualitative risk assessment of the GFI network.
• Recommend risk mitigation procedures commensurate with the asset values from your asset inventory. Feel free to redesign the corporate infrastructure and use any combination of technologies to harden the authentication processes and network security measures.
• Provide an Executive Summary.
• You are welcome to make assumptions for any unknown facts as long as you support your assumptions.
• The Title Page, Table of Contents and References page(s) don’t count in your 15 page minimum!!!
Risk Assessment Paper Rubric
You are given a fictional scenario above describing security issues affecting organizational assets. You will identify the risks associated with the assets, and recommend mitigating procedures. You will prepare a quantitative / qualitative risk assessment to address risk factors on organizational assets. Your final paper will be 15–25 pages long in a Word document (double-spaced with 12 point font) with APA citations for the resources you used in your research and will be graded using the following rubric.

| Criteria | Non-compliant | Minimal | Compliant | Advanced |
|---|---|---|---|---|
| Inventory assets and prioritize them in the order of mission criticality. | Did not inventory or prioritize assets in the order of mission criticality. (0) | Inventoried assets but did not prioritize them in the order of mission criticality. (3) | Inventoried, prioritized assets, but did not address mission objectives in their asset priority. (6) | Inventoried, prioritized assets and addressed mission objectives in their asset priority. (10) |
| Evaluate enterprise topology and perimeter protection. | Did not evaluate enterprise topology and perimeter protection. (0) | Evaluated enterprise topology but did not include perimeter protection measures. (3) | Evaluated enterprise topology, perimeter protection measures, but did not address mission objectives. (6) | Evaluated enterprise topology, perimeter protection measures, and addressed mission objectives. (10) |
| Evaluate remote access to the networks. | Did not evaluate remote access protocols and safeguards to the network. (0) | Evaluated remote access protocols but did not address security safeguards to the network. (3) | Evaluated remote access protocols, security safeguards to the network, but did not address mission objectives. (6) | Evaluated remote access protocols, security safeguards to the network, and addressed mission objectives. (10) |
| Evaluate authentication protocols and methodologies. | Did not evaluate authentication protocols and methodologies. (0) | Evaluated authentication protocols, methodologies but with insufficient data or inadequate description. (3) | Evaluated authentication protocols, methodologies with supporting data and description, but lacks mission objectives. (6) | Evaluated authentication protocols, methodologies with supporting data, description; and addressed mission objectives. (10) |
| Assign asset values to organization assets for quantitative / qualitative risk assessment. | Did not assign asset values to organization assets for quantitative / qualitative risk assessment. (0) | Assigned asset values to organization assets for quantitative / qualitative risk assessment but incomplete. (3) | Assigned asset values to organization assets in a complete inventory, but did not address mission objectives. (6) | Assigned asset values to organization assets in a complete inventory, and addressed mission objectives. (10) |
| Assess vulnerabilities on each asset and impacts if compromised. | Did not assess vulnerabilities on each asset and impacts if compromised. (0) | Assessed vulnerabilities on each asset and impacts if compromised; but incomplete. (3) | Assessed vulnerabilities on each asset and impacts if compromised; of complete inventory but did not address mission objectives. (6) | Assessed vulnerabilities on each asset and impacts if compromised; of complete inventory and addressed mission objectives. (10) |
| Evaluate web access protocols and vulnerabilities and Cloud Computing. | Did not evaluate web access protocols and vulnerabilities and Cloud Computing. (0) | Evaluated web access protocols and vulnerabilities or Cloud Computing. (3) | Evaluated web access protocols and vulnerabilities and Cloud Computing but did not address mission objectives. (6) | Evaluated web access protocols and vulnerabilities and Cloud Computing and addressed mission objectives. (10) |
Solution
Global Finance Industry Security Risk Assessment
University of Maryland University College
CMIT 425
December 13, 2015
TABLE OF CONTENTS
1. Background
1.1 Purpose
1.2 Roles and Responsibilities
2. Security Risk Assessment
2.1 Risk Impact
3. Network Office Topology
3.1 Network Security
3.2 Access Points
3.2.1 Internal Access
3.2.2 External Access
4. Access Control
4.1 Authentication
4.2 Privileged Access
4.3 Mobility
4.4.1 Wireless
4.4.2 Cloud Computing
4.4.3 Email and Wireless Communication
5. Inventory
6. Network Vulnerabilities
7. Security Risk Management
7.1 Wireless Access
7.2 Encryption
7.3 Mobility
7.4 Network Intrusion
8. Assumptions
9. Conclusion
1. Background
Global Finance, Inc. (GFI) is a public company that specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers. GFI manages thousands of accounts across Canada, the United States, and Mexico, employs over 1,600 people and boasts annual growth consistently at or around 8%. A well-designed management strategy built on scaling operational performance through automation and technological innovation led to GFI being featured in Fortune magazine.
GFI has experienced several cyber-attacks over the past few years, resulting in $1,700,000 in revenue losses and an unmeasurable loss of customer confidence. In 2012, the Oracle database server was attacked and its customer database lost confidentiality, integrity, and availability for several days. Although we restored the Oracle database server back online, its lost confidentiality damaged the company’s reputation. These attacks are a cause of great concern to CEO John Thompson, whose business plan places the company’s confidentiality, integrity, and availability at a premium.
Due to the increasing operational dependence on technology combined with a diminishing IT footprint, I was hired as the Computer Security Manager and report directly to the Chief Operations Officer, Mike Willy. Although the CEO and I understand the strategic importance of technology in executing GFI’s business plan, I believe that cutting IT services and outsourcing IT technologies are a risk to security and strategic capability.
GFI’s recent spike in notoriety has led to a significant increase in network traffic crossing into the internal networks. Network engineers are unable to identify the traffic’s origin, but its volume and frequency are a major concern. In order to properly secure corporate confidential data, business intelligence and customer information, this security risk assessment is submitted.
1.1 Purpose
This risk assessment is primarily intended to determine the quantitative and qualitative estimate of risk related to IT security threats and vulnerabilities associated with GFI business practices, and to analyze GFI’s IT organizational processes and infrastructure in order to provide a wide-ranging and acceptable risk mitigating assessment. This assessment will focus on providing solutions to identified vulnerabilities and threats that are a risk to confidentiality, integrity, and availability and threaten IT security and strategic capability. This risk assessment will:
1.2 Roles and Responsibilities
John Thompson, Chief Executive Officer
The CEO’s role is to ensure that the company’s long term strategic business plans increase shareholder value. Therefore, the CEO will have final say and decide whether the IT strategic plans are aligned with the overall strategic business plan. For example, in the case of GFI, the CSM will present to the CEO the recommendation to implement penetration testing software. The CEO will weigh the other officers’ views and decide whether it has an impact on ROI and shareholder value.
Mike Willy, Chief Operations Officer
The COO oversees ongoing business operations within the company. The COO is second in command and is responsible for overseeing how IT projects are aligned with day-to-day operations. He also provides leadership and input for implementation of the company’s strategic plan and, along with the Chief Financial Officer, is accountable for overseeing how operational IT processes impact the budget.
Rick Santos, Computer Security Manager
The CSM serves as the business leader responsible for the development, implementation and management of the organization’s corporate security vision, strategy and programs. His responsibility is focused on scientific and technological issues, as well as policy, research and development, in order to: protect the confidentiality, integrity, and availability of GFI’s network; identify vulnerabilities and threats to GFI information system resources so that business objectives can be achieved; identify and implement security control measures that reduce risk to a level that can be tolerated; and examine risk variables in order to reduce project failures.
2. Security Risk Assessment
An effective security risk assessment can prevent breaches, reduce the impact of realized breaches, and keep GFI from appearing in the spotlight for all the wrong reasons. “Regular IT security risk assessments also enable organizations to build up a cache of historical data that can be used to effectively gauge and communicate monetary impact related to risks -- and, hopefully, convince upper management to take decisive action to reduce the organization's threat surface (DarkReading, 2013).”
2.1 Risk Impact
According to the National Institute of Standards and Technology (NIST) (2004), the following table summarizes each security objective’s potential impact on confidentiality, integrity and availability:
Potential Impacts of Security Objectives
3. Network Office Topology
GFI is comprised of a corporate WAN that includes 10 remote sites that communicate with the central data processing environment through a corporate VPN. Role-based access control is implemented and access is strictly based on the roles of the user within an organization. An example of RBAC would be if an Engineering manager would need access to Engineering dept. data as well as the training dept. data. Each role would define the permissions that are needed to access different objects.
3.1 Network Security
A VPN gateway appliance is installed in the border layer of the network. According to Microsoft (2013), “VPNs use a combination of tunneling, authentication, and encryption technologies to create secure connections. To ensure the highest level of security for a VPN deployment, use Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec).” VPNs provide the highest level of security because authentication prevents unauthorized users from connecting to the network. Secure Sockets Layer (SSL) VPN systems are susceptible to Denial of Service attacks if software patches are not kept up to date. This presents a moderate risk to availability. Therefore, software patches and updates should be scheduled nightly during off-peak hours to minimize bogging down the network.
3.2 Access Points
3.2.1 Internal Access
GFI employees access the network internally by using pre-inspected and up-to-date individual workstations with anti-virus. The internal network topology includes 10 Gbps VLAN switches segregated by department. Personnel, applications and servers will have the appropriate access privileges to only the resources they have a “need to know” for, and their activities should be monitored via auditing and reporting systems. Access control lists should be implemented to determine who will have access to each VLAN. Some VLANs contain sensitive and classified information; the way to mitigate this is by implementing ACLs. These ACLs will control who accesses the individual VLANs, applications, databases, email, file and printer servers. Not implementing ACLs poses a high risk to integrity and confidentiality. Wireless access points should use encryption and SSIDs should be hidden. A firewall client should be installed with automatic configuration to protect the network. This, along with a web proxy and stringent web browser settings, will no doubt minimize the risk of inadvertent or malicious attacks like man-in-the-middle and denial of service.
Group Policy is also essential for network security at the internal organizational level. According to Microsoft (2012), “Group Policy is an infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy objects (GPOs), which are linked to the following Active Directory service containers: sites, domains, or organizational units (OUs).” The Default Domain Policy GPO should manage the default Kerberos Policy, Password Policy, Account Lockout Policy and Account Policies settings. Accounts should be from the same domain as the parent global group. Therefore, group scope for OUs (Organizational Units) should be global. Failure to implement these controls poses a high risk that could result in a loss of integrity and breaches in confidentiality.
3.2.2 External Access
External access is accomplished via RAS servers, which talk to the distribution routers, VPN gateways and 10 Gbps switches via a 100 Mbps router. Mobile users who connect through dial-up are required to authenticate. However, remote access to the corporate internal databases is not encrypted. This poses a high threat to confidentiality, integrity and availability.
4. Access Control
4.1 Authentication
An asymmetric key system is more flexible than a symmetric system. Messages are encrypted with one key and can be decrypted only by the other key. Normally the public key is published but the private key is not. PKI normally deals with making sure that public key certificates are up to date and authorized.
An asymmetric pair of keys is made up of one public key and one private key. The public key can be known to everyone, and the private key must be known and used only by the owner. PGP utilizes a trust scheme where each user is issued two keys: a public key that is centrally stored and accessible by everyone, and a private key that is held by the user in confidence. The email is encrypted with the receiver’s public key and signed by the sender’s private key. When the message is received, the recipient decrypts the message with their private key and validates its authenticity with the sender’s public key.
According to TechRepublic (2001), companies have several authentication methods to ensure the security of their networks and topology infrastructures. The options available to companies include, but are not limited to, the following:
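The sign-and-encrypt exchange described in the two paragraphs above, written out as an added example (not the paper's own code and not PGP itself). It uses textbook RSA with deliberately tiny constructed primes and per-byte operations so that every step is visible: the sender signs the message digest with its own private key and encrypts the message under the receiver's public key; the receiver decrypts with its private key and checks the signature with the sender's public key. All key values and the message are constructed; `make_keypair`, `send` and `receive` are names chosen for this example.

```python
"""Sign-then-encrypt message exchange with two asymmetric key pairs.

Added example, not the paper's own code and not PGP itself. Textbook RSA with
tiny constructed primes and per-byte operations, for illustration only; a real
deployment uses a vetted library and, like PGP, encrypts the message with a
symmetric session key that the recipient's public key then wraps.
"""
import hashlib


def make_keypair(p, q, e=17):
    """Return ((e, n), (d, n)) for the (constructed, tiny) primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


# Two independent key pairs: each party publishes its public key and keeps its private key.
SENDER_PUB, SENDER_PRIV = make_keypair(61, 53)        # n = 3233
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(101, 113)  # n = 11413


def encrypt(message: bytes, pub):
    """Encrypt each byte under the recipient's PUBLIC key."""
    e, n = pub
    return [pow(b, e, n) for b in message]


def decrypt(blocks, priv):
    """Recover the bytes with the recipient's PRIVATE key."""
    d, n = priv
    return bytes(pow(c, d, n) for c in blocks)


def sign(message: bytes, priv):
    """Sign each byte of the SHA-256 digest with the sender's PRIVATE key."""
    d, n = priv
    return [pow(b, d, n) for b in hashlib.sha256(message).digest()]


def verify(message: bytes, signature, pub):
    """Recover the digest with the sender's PUBLIC key and compare to a fresh digest."""
    e, n = pub
    recovered = [pow(s, e, n) for s in signature]
    return recovered == list(hashlib.sha256(message).digest())


def send(message: bytes, sender_priv, receiver_pub):
    """Sender side: sign with own private key, encrypt for the receiver's public key."""
    return {"ciphertext": encrypt(message, receiver_pub),
            "signature": sign(message, sender_priv)}


def receive(envelope, receiver_priv, sender_pub):
    """Receiver side: decrypt with own private key, then validate the sender's signature."""
    plaintext = decrypt(envelope["ciphertext"], receiver_priv)
    return plaintext, verify(plaintext, envelope["signature"], sender_pub)


if __name__ == "__main__":
    env = send(b"Wire transfer approved: ref 4471", SENDER_PRIV, RECEIVER_PUB)
    print(receive(env, RECEIVER_PRIV, SENDER_PUB))
```

Two properties of the flow are worth checking by hand: only the holder of `RECEIVER_PRIV` can recover the plaintext, and a single changed byte in the message produces a different digest, so the signature made by `SENDER_PRIV` no longer verifies.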
4.2 Privileged Access
Based on the sensitive and classified information housed on GFI’s networks, Mandatory Access Control (MAC) should be implemented. MAC introduces a more specialized approach to access control. MAC is typically implemented at organizations which house highly sensitive and classified data, and access is based on security labels. According to CGI Security (2012), the following are characteristics of MAC:
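The two access-control models the paper relies on, the role-based access control introduced in section 3 (the Engineering manager who needs Engineering and Training department data) and the label-based Mandatory Access Control recommended here, combined into one deny-by-default decision function. This is an added example, not the paper's own code; the roles, objects, labels and users are constructed, and the MAC half implements only the basic no-read-up rule (the subject's clearance must dominate the object's label, applied here to every action as a simplification).

```python
"""Combined role-based (RBAC) and label-based (MAC) access decision.

Added example, not the paper's own code. RBAC answers "does one of the
subject's roles grant this action on this object?"; MAC answers "does the
subject's clearance dominate the object's classification label?". Both must
agree, and anything not explicitly permitted is denied.
"""
from dataclasses import dataclass

# Ordered sensitivity levels; a higher number dominates a lower one.
LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """True when this level is >= other's and every category of other is held."""
        return LEVELS[self.level] >= LEVELS[other.level] and other.categories <= self.categories


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset
    clearance: Label


# RBAC: role -> set of (object, action). Constructed, following the paper's
# Engineering-manager example (Engineering and Training department data).
ROLE_PERMISSIONS = {
    "engineering_manager": {("engineering_data", "read"), ("engineering_data", "write"),
                            ("training_data", "read")},
    "loan_officer": {("loan_applications", "read"), ("loan_applications", "write")},
    "credit_analyst": {("customer_db", "read")},
}

# MAC: every object carries a classification label set by the system, not by the user.
OBJECT_LABELS = {
    "engineering_data": Label("Internal", frozenset({"ENG"})),
    "training_data": Label("Internal"),
    "loan_applications": Label("Confidential", frozenset({"LOAN"})),
    "customer_db": Label("Restricted", frozenset({"LOAN", "FIN"})),
}


def rbac_allows(subject, obj, action):
    return any((obj, action) in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def mac_allows(subject, obj):
    label = OBJECT_LABELS.get(obj)
    return label is not None and subject.clearance.dominates(label)


def access_decision(subject, obj, action):
    """Return (allowed, reason). Deny by default; both RBAC and MAC must permit."""
    if obj not in OBJECT_LABELS:
        return False, f"unknown object {obj!r}"
    if not rbac_allows(subject, obj, action):
        return False, f"no role of {subject.name} grants {action} on {obj}"
    if not mac_allows(subject, obj):
        return False, f"clearance of {subject.name} does not dominate label of {obj}"
    return True, "permitted by RBAC and MAC"


# Constructed subjects.
ALICE = Subject("alice", frozenset({"engineering_manager"}), Label("Internal", frozenset({"ENG"})))
BOB = Subject("bob", frozenset({"loan_officer"}), Label("Confidential", frozenset({"LOAN"})))
CAROL = Subject("carol", frozenset({"credit_analyst"}), Label("Confidential", frozenset({"FIN"})))

if __name__ == "__main__":
    for subj, obj, action in [(ALICE, "training_data", "read"), (BOB, "customer_db", "read"),
                              (CAROL, "customer_db", "read")]:
        print(subj.name, obj, action, access_decision(subj, obj, action))
```

The third constructed case is the one MAC exists for: Carol's role grants her read access to the customer database, yet the request is denied because her Confidential clearance does not dominate the database's Restricted label, and she cannot relabel the object herself.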
4.3 Mobility
Mobility is important for the organization to interact with the customers and other co-workers in near real-time. With GFI increasing in size, mobility can boost productivity by creating an environment where employees can have virtual offices anywhere Wi-Fi is available. Mobility empowers employees to be more productive and better able to serve the consumer. In addition, BYOD is a possibility, but it involves security concerns.
Mobile devices are a threat because of their potential to bypass the company’s firewall and antivirus applications.
4.4.1 Wireless
There is no debating the fact that wireless capabilities provide flexibility within GFI. However, the GFI wireless network currently does not employ any encryption and the SSID is visible to anyone within the range of the WAP. This presents a high risk to CIA. I strongly recommend implementing WPA2-Enterprise with AES or TKIP encryption. The SSID will also be hidden.
4.4.2 Cloud Computing
Cloud computing based e-commerce platforms will allow GFI to offer its products and services online. However, there are concerns over security. Any data stored remotely poses a risk of being compromised. Therefore, it requires additional stages of security and network standards to mitigate these risks. I recommend utilizing the Microsoft Azure Cloud Computing Platform & Services. According to Microsoft (2015), “Azure easily integrates with your existing IT environment through the largest network of secure private connections, hybrid database and storage solutions, and data residency and encryption features — so your assets stay right where you need them. You can even run Azure in your own datacenter with Azure Stack. Azure hybrid cloud solutions give you the best of both worlds: more IT options, less complexity and cost.”
McAfee Endpoint Security for Microsoft Azure Environments will be used to provide another level of security on top of Microsoft Azure’s already robust security features. According to McAfee (2015), “MESMA integrates with Microsoft Azure and deploys easily using the Azure PowerShell platform, provides advanced security for all of your endpoints — physical, virtual, and cloud servers, includes antivirus, anti-malware, host intrusion prevention, device control, host-based firewall, dynamic application control, and more to tackle malware, zero-day threats, and evasion attacks at every vector — mobile, data, web, email, and network.”
5. Inventory
| Item | Department | Quantity | Cost | Total Cost | Priority | Mission Objective |
|---|---|---|---|---|---|---|
| Dell Precision Workstations | Accounting | 50 | $500 | $25,000 | High | Provides accounting services and financial support to the organization, Payroll and Inventory |
| Dell Precision Workstations | Credit | 10 | $500 | $5,000 | Moderate | Measure, monitor and mitigate the credit risk, credit limits and credit support arrangements. |
| Dell Precision Workstations | Customer Service | 10 | $500 | $5,000 | Moderate | Prevention and solution. |
| Dell Precision Workstations | Finance | 35 | $500 | $17,500 | High | Oversees financial planning and management activities, budgeting and forecasting, reporting and compliance, and creation of value |
| Dell Precision Workstations | Loans | 20 | $500 | $10,000 | Moderate | Receives and processes all loan applications. |
| Dell Precision Workstations | Management | 10 | $500 | $5,000 | High | Responsible for the oversight of all operations involved in the development and support of information systems. |
| Dell Precision Workstations | TCB Network | 10 | $500 | $5,000 | High | All corporate data processing is completed here; the internal support team has its own intranet web server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations |
| Subtotal | | 145 | | $72,500 | | |
| HP LaserJet Printers | Accounting | 5 | $400 | $2,000 | | |
| HP LaserJet Printers | Credit | 1 | $400 | $400 | | |
| HP LaserJet Printers | Customer Service | 1 | $400 | $400 | | |
| HP LaserJet Printers | Finance | 3 | $400 | $1,200 | | |
| HP LaserJet Printers | Loans | 2 | $400 | $800 | | |
| HP LaserJet Printers | Management | 1 | $400 | $400 | | |
| HP LaserJet Printers | TCB Network | 0 | 0 | 0 | | |
| Subtotal | | 13 | | $5,200 | | |
| Wireless Access Point | | 3 | $300 | $900 | High | |
| Private Branch Exchange | | 1 | $1,400 | $1,400 | High | |
| VPN Gateway | | 2 | $35,000 | $70,000 | High | |
| Border Routers | | 2 | $30,000 | $60,000 | High | |
| Subtotal | | 8 | | $132,300 | | |
| Grand Total | | | | $210,000 | | |
6. Network Vulnerabilities
| System/Entity | Vulnerability | Risk Level | Priority |
|---|---|---|---|
| Wireless Technology | Wireless network is wide open to the company and nearby residents. This presents a high risk to CIA. | High | High |
| Encryption | Remote connectivity to and from the TCB and corporate databases is not encrypted. This presents a high risk to CIA. | High | High |
| Mobility | No system in place to prevent malicious programs on infected devices from accessing corporate networks. No system in place to safeguard data from being compromised in the event that a device is lost or stolen. | High | High |
| Network Intrusion | Significant spike in network traffic crossing into the internal networks. The origin of the traffic cannot be identified, but its volume and frequency are abnormal. | High | High |
| Cloud Computing | Cloud computing is susceptible to data breaches if not secured properly. | Medium | Medium |
7. Risk Mitigation
As stated above, GFI’s current network topology and IT processes present several critical vulnerabilities that must be mitigated with both soft and hard security controls. In today’s IT environment, it is vital that we address the following vulnerabilities in order to adequately safeguard GFI data, assets and business intelligence in keeping with the CIA model.
7.1 Wireless Access
The wireless network access process currently uses open authentication. This allows anyone within range of a GFI WAP with a Wi-Fi enabled device to access privileged, sensitive and classified information. Potential threats this exposes GFI to include, but are not limited to: data interception, denial of service, wireless intrusion, wireless phishing and endpoint attacks. These attacks can cause both qualitative and quantitative damage to confidentiality, integrity, and availability. In order to mitigate these risks, the following recommendations should be adhered to:
7.2 Encryption
IPSec will be the encryption method used to protect all data transmitted via GFI remote networks, VPN and TCB communications. “IPSec uses packet filtering and cryptography. Cryptography provides user authentication, ensures data confidentiality and integrity, and enforces trusted communication. The strong cryptographic-based authentication and encryption support that IPSec provides is especially effective for securing traffic that must traverse untrusted network paths, such as those on a large corporate intranet or the Internet. IPSec also is especially effective for securing traffic that uses protocols and applications that do not provide sufficient security for communications” (Microsoft 2013). Routers, firewalls and intrusion detection devices will also be configured to permit IPSec traffic.
7.3 Mobility
The following best practices will be implemented to ensure that BYOD devices will not harm the company’s network:
These methods will no doubt allow GFI the flexibility inherent to mobile computing and BYOD programs, while still maintaining a defense-in-depth posture without increasing management and maintenance requirements.
7.4 Network Intrusion
Network personnel have reported a significant increase in the volume of network traffic. Therefore, I recommend installing reactive, signature-based Intrusion Detection Systems. IDS systems monitor network activity and produce tangible reports that IT personnel can analyze and use to better secure the network. These IDS devices should be placed in conjunction with the firewalls and will scan all inbound and outbound traffic. Along with IDS systems, I also recommend penetration testing software like Metasploit. Metasploit is an exploitation framework that consists of many powerful tools and utilities needed for penetration testing. Intelligence gathering is believed to be the most important phase of the penetration test process because it lays the foundation for ultimate payload delivery. Intelligence gathering methods like port scanning are often used to exploit vulnerabilities.
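An added example, not from the report or from any IDS product, of the two kinds of logic a signature-based IDS placed beside the firewall would apply to the traffic described in this section: static signatures matched against each connection record, and a per-source sliding-window count that flags the "abnormal volume and frequency" symptom in the vulnerability table. The log format, the address ranges (10.0.0.0/8 as GFI's internal network) and the sample lines are all constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed connection record from the (constructed) firewall log.
type Event struct {
	Time  time.Time
	Src   string
	Dst   string
	DPort int
	Proto string
}

// Alert is what the detector hands to the analyst.
type Alert struct {
	Rule string
	Src  string
	Note string
}

// Signature is a static pattern over a single event, the classic IDS building block.
type Signature struct {
	Name  string
	Match func(Event) bool
}

// ParseEvent parses a line such as
// "2015-03-01T10:00:01Z src=203.0.113.5 dst=10.0.0.20 dport=445 proto=tcp".
func ParseEvent(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 5 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return Event{}, fmt.Errorf("bad field %q", kv)
		}
		switch parts[0] {
		case "src":
			ev.Src = parts[1]
		case "dst":
			ev.Dst = parts[1]
		case "dport":
			if ev.DPort, err = strconv.Atoi(parts[1]); err != nil {
				return Event{}, err
			}
		case "proto":
			ev.Proto = parts[1]
		}
	}
	return ev, nil
}

func internal(ip string) bool { return strings.HasPrefix(ip, "10.") }

// DefaultSignatures are two constructed rules: cleartext telnet into the internal
// network, and SMB reaching an internal host from outside the perimeter.
func DefaultSignatures() []Signature {
	return []Signature{
		{"telnet-to-internal", func(e Event) bool { return e.Proto == "tcp" && e.DPort == 23 && internal(e.Dst) }},
		{"smb-from-outside", func(e Event) bool { return e.DPort == 445 && !internal(e.Src) && internal(e.Dst) }},
	}
}

// Detect runs every signature over every event and, independently, raises one
// alert for any source that opens more than maxConns connections within window.
// Lines must be in time order, as a firewall log is.
func Detect(lines []string, sigs []Signature, window time.Duration, maxConns int) ([]Alert, error) {
	var alerts []Alert
	recent := map[string][]time.Time{} // per-source timestamps inside the window
	flagged := map[string]bool{}       // volume alert once per source, not per packet
	for _, line := range lines {
		ev, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		for _, s := range sigs {
			if s.Match(ev) {
				alerts = append(alerts, Alert{s.Name, ev.Src, fmt.Sprintf("%s -> %s:%d", ev.Src, ev.Dst, ev.DPort)})
			}
		}
		// Slide the window: drop this source's timestamps older than window.
		times, cutoff, i := recent[ev.Src], ev.Time.Add(-window), 0
		for i < len(times) && times[i].Before(cutoff) {
			i++
		}
		times = append(times[i:], ev.Time)
		recent[ev.Src] = times
		if len(times) > maxConns && !flagged[ev.Src] {
			flagged[ev.Src] = true
			alerts = append(alerts, Alert{"volume-threshold", ev.Src, fmt.Sprintf("%d connections in %s", len(times), window)})
		}
	}
	return alerts, nil
}

// SampleLog is a constructed excerpt: normal internal traffic plus one external
// host touching six ports on one internal server within three seconds.
var SampleLog = []string{
	"2015-03-01T10:00:00Z src=10.0.0.7 dst=10.0.0.9 dport=80 proto=tcp",
	"2015-03-01T10:00:01Z src=203.0.113.5 dst=10.0.0.20 dport=22 proto=tcp",
	"2015-03-01T10:00:01Z src=203.0.113.5 dst=10.0.0.20 dport=23 proto=tcp",
	"2015-03-01T10:00:02Z src=203.0.113.5 dst=10.0.0.20 dport=80 proto=tcp",
	"2015-03-01T10:00:02Z src=203.0.113.5 dst=10.0.0.20 dport=443 proto=tcp",
	"2015-03-01T10:00:03Z src=203.0.113.5 dst=10.0.0.20 dport=445 proto=tcp",
	"2015-03-01T10:00:03Z src=203.0.113.5 dst=10.0.0.20 dport=3389 proto=tcp",
	"2015-03-01T10:00:04Z src=10.0.0.7 dst=10.0.0.9 dport=443 proto=tcp",
	"2015-03-01T10:05:00Z src=198.51.100.9 dst=10.0.0.25 dport=443 proto=tcp",
}

func main() {
	alerts, err := Detect(SampleLog, DefaultSignatures(), 10*time.Second, 5)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-18s %-14s %s\n", a.Rule, a.Src, a.Note)
	}
}
```

Run against the sample, the detector produces three alerts: the telnet and SMB signatures fire on two individual connections, and the volume rule fires once for 203.0.113.5 after its sixth connection inside the ten-second window. The window and threshold are the tuning knobs a GFI analyst would adjust from the "tangible reports" the section mentions; narrowing the window to one second on the same data suppresses the volume alert, which is why both parameters should be set from observed baseline traffic rather than guessed.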
8. ASSUMPTIONS
The CSM operates and manages the network of GFI with the following assumptions in place:
9. CONCLUSION
Security is an expense that must be undertaken by any company that wants to guarantee the security of its consumer data and confidential processes. GFI maintains a plethora of Top Secret information that is stored at various locations and transmitted through a variety of methods. GFI cannot afford for its confidentiality, integrity, or availability to be compromised at any point in time, as such an event would expose sensitive data.
Risk management is a process that identifies and seeks to mitigate the vulnerabilities the network possesses. By resolving the issues that exist within the wireless network and encryption management, GFI can eliminate a large share of the threats it currently faces. An established risk management plan accompanied by security awareness training, unique employee credentials, and the use of multi-level authentication can provide the level of security GFI needs to preserve the confidentiality, integrity, and availability of its network.
With all of this in mind, it is the recommendation of the CSM that the outsourcing consideration be put on hold until the current security concerns are resolved.