Running head: GLOBAL FINANCE, INC. RISK ASSESSMENT AND MITIGATION STRATEGY
Quantitative and Qualitative Risk Analysis: Proposal for Mitigating Risk
David Bustin
University of Maryland University College
August 10, 2014
Executive Summary
Purpose
This report provides an analysis of the technical vulnerabilities of the Global Finance, Inc.
enterprise network. Also included in the document are the associated costs of specific compromises
and strategic alternatives for mitigating those vulnerabilities. This report does not assure the
reader that all implementations and strategies will eliminate attempts to sabotage the network.
The document provides a solution based on the industry’s best security safeguards for protecting data.
Methods of Analysis
Historical losses for Global Finance, Inc. exceed the cost of accepting the proposed
recommendations. The potential for losses is much greater given time and negligence in
properly securing the corporate network. The estimated cost of non-compliance is in excess of
the value of all customer accounts plus legal fees and increased business continuity. The
business impact analysis results indicate that a failure in security could bankrupt the organization.
Findings
Findings indicate that unsecured wireless access, an absent DMZ, an unencrypted trusted path,
and a lack of proper authentication and encryption drastically increase network vulnerability.
Limitations of the Report
This report recognizes limitations in the analysis. The frequency and types of attacks are
undetermined. Subsequently, only estimations based on research provide expected losses.
Additional capabilities, cloud computing and mobile computing, will undergo a trial and error
phase with documentation. To this point, error rates can only be estimated.
Quantitative and Qualitative Risk Analysis: Proposal for Mitigating Risk
A quantitative and qualitative analysis of computer information systems identifies
technical and administrative deficiencies, which enables tasks to be prioritized more efficiently.
Security is a primary concern in all layers of networks providing a Defense in Depth approach.
Identifying known or potential risks, threats, and vulnerabilities aids in drafting the security
model which reduces adverse occurrences. An emergency response team should be on-call to
resolve problems as soon as possible for limiting damage. Outsourcing IT tasks poses an
imbalance in favor of cost over benefit. These issues will be addressed in this document. Also,
this paper will prioritize asset inventory for Global Finance, Inc., evaluate the current topology
and perimeter protection, evaluate remote access controls and security safeguards, describe
current authentication and propose new technology, list and assess vulnerabilities, recommend
security for mobile computing, introduce safeguards for wireless computing, and design a cloud
computing environment. Though not comprehensive, contained in this paper are the
recommendations for a secure computing environment that delivers solutions to past, present,
and future technological challenges tailored for business operations. To expand the network to
meet new technological and business demands, a mobile computing environment will be added
for employees to utilize Global Finance’s resources while traveling. Ensuring secure
connections for these mobile devices is paramount due to the nature of Global Finance’s business
and the valuable data it possesses. In addition to mobile computing, the IT staff at Global Finance,
Inc. will offer cloud computing for conducting e-commerce. In order for the company to grow as
well as maintain a competitive presence, products and services must be available globally at all
times. Offering these products and services requires planning for authentication, monitoring
services, accounting for and prioritizing the new assets. The following section lists assets, then
prioritizes them based on quantitative and qualitative values.
Inventory and Prioritization of Mission-Critical Assets
Global Finance, Inc., GFI, has successfully grown approximately 8% for nearly six years.
They currently employ over 1,600 people and service customer accounts in Canada, the United
States, and Mexico. Expanding business across international borders has contributed to the
growth, and for GFI to maintain a competitive strategy, computer network operations must also
expand. Currently, the company operates ten subnets for remote facilities, an offsite office
connected through a virtual private network (VPN) to an internal Oracle database located inside
a trusted computing base (TCB) internal network, which are all interconnected through 6 virtual
local area network (VLAN) switches. These 6 access layer VLAN switches interconnect to 2
Cisco Catalyst 3750 switches. These 2 switches and a VPN gateway connect to a third Cisco
Catalyst 3750 switch which bridges the connection to the TCB internal network. The TCB
consists of a SUS server for Windows updates, an Oracle database server for customer account
management, a domain naming server (DNS) for resolving domain addresses, an Exchange server for
e-mail service, a file and print server, a web server for internet access, and 7 workstations. The
accounting subnet has sixty-three workstations and 7 printers, the loan department subnet has
twenty-five workstations and five printers, the customer service subnet has twelve workstations
and 3 printers, the management subnet has 5 workstations and 3 printers, the credit department
subnet has ten workstations and 3 printers, and the finance subnet has forty-nine workstations
and 5 printers. The wide area network (WAN) also includes a wireless antenna intended for
employee connectivity, a VPN gateway, 2 Cisco 7201 border routers, 2 Cisco 7500 series
distribution routers, and a remote access server (RAS) linking distribution routers to a private
branch exchange (PBX) for connection to the public switched telephone network (PSTN).
The current enterprise network configuration includes several critical nodes. These nodes
should be prioritized by their value to their purpose and by their monetary value. The following
section identifies the network assets in order from most critical to least damaging in the event of
a natural disaster, security breach, or virus. Prioritizing these assets aids in security decisions,
risk assessments, disaster recovery, and business continuity with the least interruption to business.
Asset Prioritization and Mission Objectives
Identifying mission-critical assets and prioritizing them enables planners to allocate
resources for security and network design and to optimize their budget. For Global Finance, Inc.,
the assets are ranked in Table 1 below from most critical down to least critical.
Table 1. Mission Critical Assets

| Asset Priority | Mission Objective |
|---|---|
| Oracle DB Server | Maintains bulk of data processing. Most critical asset. |
| SUS Server | Vital for system updates and patches. |
| File & Print Server | Stores customer records, data, and critical company documents. |
| Internal DNS | Necessary for sharing resources internally across subnets. |
| Intranet Web Server | Enables communications and resource sharing between subnets. |
| Exchange E-mail Server | Provides communications, finding employees, shared calendars task assignments and storing conversations for referencing. |
| Workstations in TCB | Displays an interface to servers on the TCB internal network. |
| 3 Cisco 3750 switches | Link between TCB and other subnets, as well as, VPN Gateway for the Offsite Office. |
| 6 Cisco VLAN switches | Each department has an assigned switch for communicating and these switches are a single point of failure for each department. |
| Workstations for each department | Provides the interface for data. |
| 2 Distribution Routers | Aggregates traffic from public for marketing and providing products and services. Also, routes traffic between offsite office and WAN. |
| VPN Gateway | Provides the secure connection between remote office and TCB internal network. |
| Remote Access Server | Allows employees to connect from outside of the network. Improves productivity but is not a highly critical asset. |
| Private Branch Exchange | Allows employees to dial-in to corporate WAN from home, hotels, airports, etc. |
| 2 Border (Core) Routers | Provides the internet connectivity and routes incoming traffic to internal request. |
| Wireless Antenna & router | Allows wireless connectivity to the network and internet. Least critical but one of the most vulnerable. |
Enterprise Topology Evaluation
Enterprise topologies are designed for large, production networks with many users. They
encompass people, software, and processes to interoperate, integrate, and standardize policies.
Security architecture for enterprise networks is more granular as a result of increased
operational responsibilities and the authentication, software deployments, connections, and other
network processes that together present a complete defense in depth. Enterprise systems must efficiently
manage workload balance to avoid downtime or network lag. Management for authentication
and identification is paramount for controlling the proper level of access to the resources. User
accounts should be managed centrally and administrator privileges should be consistent.
Flexibility in the integration of various network, authentication, and encryption protocols allows
efficient network management and ease of integrating software. In an enterprise topology,
central management of software enables administrators to remotely load software and respond to
user issues. Enterprise topologies are designed with a focus on incorporating business needs. As
Shon Harris states, “Not only do the solutions need to apply to the whole enterprise in a
standardized manner, they need to map to business needs.” An enterprise network has
responsibilities to the business that also include nontechnical considerations that entail industry
regulations and laws related to the nature of a specific organization’s business.
Perimeter Protection Measures and Mission Objectives
To secure the corporate wide area networks from external threats, implementing a
demilitarized zone (DMZ) is recommended. Within the DMZ, the border and distribution
routers, PBX, and RAS will be located. A dual firewall should be installed between the
distribution routers and the remote access server to provide filtered traffic from the internet to the
DMZ and from the DMZ to the business network. The firewall will be configured to deny all
services not permitted and will be monitored regularly. Another firewall configuration should
include firewall session tracking to ensure TCP sessions do not last an unusually long time. An
unusually long session is potentially a covert channel attempting to extract internal data through
the firewall. Collocated with the firewall in the DMZ, a reverse proxy should be integrated to
relieve the workload on the associated web server. The routers should have DMZ host installed on
them. Also, endpoint security such as Symantec should be included on the routers, in addition to
intrusion detection system (IDS) sensors and an intrusion prevention system. The routers should
also have the ability to perform egress and ingress filtering. The DMZ should also include packet
sniffers for HTTP traffic attempting to bypass the proxy server, as well as SMTP, FTP, and other
traffic. The IT staff should periodically conduct penetration testing and vulnerability scanning to
test configurations and discover weaknesses. The wireless connection providing access to the
internal network and internet should have a secure station serial identification (SSID), and
password. The SSID should not be broadcast and 802.11i or WPA2 encryption and authentication
must be configured.
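The session-tracking check recommended above can be run over exported firewall session records. The following is an added example, not part of the original paper: the record layout, the sample records, the 10.10.0.0/16 internal range and the four-hour threshold are all assumptions chosen for illustration.

```python
import csv
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO

# Constructed session records (not data from the paper). Columns:
# start, end (empty = still open), src, dst, dst_port, bytes_out, bytes_in
SAMPLE_LOG = """\
2014-08-04T08:01:10,2014-08-04T08:01:42,10.10.3.21,203.0.113.10,443,18230,941220
2014-08-04T08:15:00,2014-08-04T21:47:30,10.10.5.14,198.51.100.77,443,612884011,90412
2014-08-04T09:30:05,2014-08-04T10:02:11,10.10.1.8,192.0.2.25,25,40112,3310
2014-08-04T02:00:00,,10.10.1.5,198.51.100.9,22,88120455,120993
2014-08-04T07:00:00,2014-08-04T19:00:00,10.10.2.40,10.10.1.5,1521,5521000,88120000
"""

INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")  # assumed internal range
MAX_DURATION = timedelta(hours=4)                     # assumed policy threshold


@dataclass
class Finding:
    src: str
    dst: str
    dst_port: int
    duration: timedelta
    bytes_out: int
    bytes_in: int
    still_open: bool

    @property
    def upload_heavy(self):
        """True when more data left the network than came back."""
        return self.bytes_out > self.bytes_in


def find_long_sessions(log_text, now, max_duration=MAX_DURATION,
                       internal=INTERNAL_NET):
    """Return outbound sessions lasting longer than max_duration, longest first."""
    findings = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 7:
            continue  # skip blank or malformed records
        start_s, end_s, src, dst, port, out_b, in_b = row
        # Only sessions that cross the firewall from inside to outside matter here.
        if ipaddress.ip_address(src) not in internal:
            continue
        if ipaddress.ip_address(dst) in internal:
            continue
        start = datetime.fromisoformat(start_s)
        # A record with no end time is still open; measure it against "now".
        end = datetime.fromisoformat(end_s) if end_s else now
        duration = end - start
        if duration > max_duration:
            findings.append(Finding(src, dst, int(port), duration,
                                    int(out_b), int(in_b),
                                    still_open=not end_s))
    return sorted(findings, key=lambda f: f.duration, reverse=True)


if __name__ == "__main__":
    for f in find_long_sessions(SAMPLE_LOG, now=datetime(2014, 8, 4, 22, 0, 0)):
        state = "open" if f.still_open else "closed"
        note = "upload-heavy" if f.upload_heavy else "download-heavy"
        print(f"{f.src} -> {f.dst}:{f.dst_port} {f.duration} ({state}, {note})")
```

Sessions between two internal hosts are skipped on purpose, since they never pass the perimeter firewall; the threshold should be tuned against what normal business traffic looks like.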
Perimeter protection is a mission critical area for maintaining the confidentiality,
integrity, and availability of information and information systems. This segment of the network
exposes vital assets to the most vulnerability, and if it is compromised through lack of attention, the
business will experience losses. Through frequent training, employees will understand various
social engineering techniques and be able to respond appropriately. Securing the
perimeter is vital; however, the internal and external access points for the network must also
align with a defense in depth strategy. The next section will list GFI’s access points.
Internal and External Access Points List
Global Finance’s wide area network contains multiple external and internal access points.
Their external access points are two routers on the border, connecting an off-site office with a
VPN tunnel. Outbound traffic also routes through these two border routers. The network
configuration also consists of a private branch exchange system for dial-in users to connect from
home, hotels, or other remote places. Another external access point is
the wireless antenna, which presents the most vulnerability by wirelessly connecting directly to
the internal switches and subsequently the subnets of each department. Inside the perimeter of the
network, there are two distribution routers, a remote access server, and 6 access layer VLAN
switches that segment the WAN with subnets for each department. The remote access provides
additional vulnerabilities due to increased exposure and mobility. An evaluation of the protocols
will identify the needed security. These are discussed in the following section.
Remote Access Protocols Evaluation
Some protocols are specifically designed to enable remote users to connect to network
resources and to grant them access. Users dial in to the remote access server, which serves as a
gateway to the internal network. The following text evaluates some dial-up authentication
protocols. Extensible Authentication Protocol (EAP) is a mutual authentication by the remote access
client and an authenticator such as a RADIUS server. The authenticator requests authentication from
the remote access client through a name or personal identification number. The query receives a
response from the remote client and grants access. EAP offers a subtype identified as EAP-TLS.
This is a strong protocol with which compromised passwords are not enough to bypass the RADIUS
server. This protocol would require a hacker with the compromised password to
also possess the client-side certificate. This is a great protocol. For the dial-up users,
Point-to-Point Protocol is a good choice for server and client encryption. This protocol supports
TCP/IP, IPX/SPX, AppleTalk, and many other LAN protocols. Serial Line Internet Protocol is
older technology used as a client in Windows NT or 2000 and fails to support dynamic host
configuration protocol. This is not a good selection. Password Authentication Protocol (PAP) is
only utilized when servers require plaintext passwords and no encryption when passed. This is
not a good selection. The encryption for Shiva Password Authentication Protocol is weak and
fails to meet the needs of GFI. Challenge Handshake Authentication Protocol reverses encrypted
passwords and stores them in plaintext on the remote access server. Also, this is not a good
choice. MS-CHAP v2 revised CHAP by storing passwords in encrypted formats. It also
requires authentication between authenticator and remote access client by using different
encryption keys. This is a good selection. For dial-up encryption protocols, Microsoft
Point-to-Point Encryption requires the dial-up authentication protocol to be EAP-TLS or MS-CHAP
version 1 or 2. This is not a bad selection but is limited to Microsoft only protocols for
authentication. Selecting the most secure protocols for remote authentication and encryption
which are compatible provides an external layer of security. Separate protocols are used for the
VPN. IPsec, L2TP, and EAP-TLS used together provide the needed security for private and
secure communications. There are more security safeguards discussed in the following section
to harden the network defense.
Network Security Safeguards Evaluated
Managing the security for a large network entails many safeguards. Symantec Endpoint
Protection provides many security features needed for the GFI WAN. The Symantec product is
scalable and grows along with the network. Symantec Endpoint Protection offers 5 layers of
protection that include network, file, reputation, behavior, and repair. It provides protection from
malware by an intrusion protection system and includes browser protection for each node. On
files, Endpoint Protection scans for and eliminates malware, viruses, worms, bots, and rootkits. This
comprehensive protection is excellent for business. It is flexible by providing scalability and
enforces policy. Symantec Endpoint Protection also reduces operating cost and system downtime,
improves productivity through scan performance, and displays all features through a central
dashboard. Another unique feature for this product is location awareness: automated detection
of the location of a system attempting to connect, including hotspots, VPNs, or wireless networks.
Endpoint protection includes the intrusion prevention system. An intrusion detection system
would need to be installed on each workstation and server in the network in the event an intrusion
is not prevented.
Global Finance Security Issues
Global Finance, Inc. has a history of security incidents. Traffic flow from
external sources drastically increased following an article in Fortune magazine mentioning
Global Finance, Inc. Data filtering at the border is too lenient. There is also network lag causing
some applications to time out for some employees. Purging the Oracle database and scanning for
duplicate copies of files and large files that are not needed or used is a first step. Also, unneeded
processes running on the database should be stopped. The company has also been the victim of
multiple cyber-attacks, including attacks targeting the Oracle database and a malicious virus that
infected the network. The wireless connection directly into the internal network is failing to prevent
unauthorized user access. Neighboring residents are able to connect with ease. Additionally, the
trusted path leading directly from the switch to the trusted computing base internal network is
unencrypted. Data from the TCB is shared across all of the other subnets. A successful breach
of the perimeter enables a hacker to easily steal or manipulate data at will.
Asset Vulnerabilities Assessment and Compromise
Listing only the nodes of a network is not sufficient for assessing vulnerabilities.
Knowing the software and associated network components is equally important because they
also present vulnerabilities. Configuration on devices should follow simple principles in
order to reduce the cost of change management. Third party applications are another risk.
Conducting a qualitative and quantitative assessment provides the organization enough insight
for decision making. The qualitative assessment is the prioritization of mission critical assets
which is itemized in Table 1 above. The quantitative assessment entails value of assets, threat
exposure, and financial loss if compromised. The Oracle database Enterprise Edition costs
$10,450 for license update, software, and support. The high end computer price is $6,000. Since
the bulk of customer accounts for loans, investments, and financial management are processed on
the Oracle database, a compromise of the system could bankrupt Global Finance, Inc. as a result
of lawsuits as well as customers closing accounts. An estimation of financial loss is in excess
of $100 million. The costs of providing identity protection services for affected customers,
regaining trust, court costs, potential Federal fines, and many other expenses exceed the cost of
implementing strong technical security measures upfront. Currently, the TCB shares information
across all subnets unencrypted. This is a big vulnerability for sensitive data transmitting over the
trusted path. An effective solution for authentication is public key infrastructure and Advanced Encryption
Standard 256 bit full disk and file data encryption. The WSUS will replace current software on
the SUS server and is free. A WSUS server often fails to patch third party software from vendors
such as Adobe or Java. Java is known to result in nearly half of exploits. The operating system
for the WSUS server is Windows Server 2012. The internal DNS server is Ubuntu 12.04 LTS
running ISC BIND version 9 software for $4,500. The Ubuntu software mistakenly modifies
certain response fields when enabling a shadow copy. This enables a remote attacker to
potentially access sensitive data. The attacker could also use improperly handled fields to
overwhelm the system with inbound DNS messages causing denial of services. Patches have
been deployed but configuration management and applying them is vital. A crash of the internal
DNS would cause data flow to stop and business operations to experience downtime. Microsoft
Exchange Server with Exchange 2012 costs $4,000. The web server is Microsoft Internet
Information Services with software version 8.5 in Windows Server 2012 R2 Datacenter SKU
priced at $6,155. Also in the TCB internal network are 7 Dell New Inspiron Desktop computers
with Windows 8.1 with monitor bundle for $3,500 total. The 6 other domains also have a total
of one hundred and sixty-four computers totaling $82,000 at $500 each. There are twenty-six
printers at $1,000 each for a total of $26,000. There are 3 Cisco 3750 switches with 10/100
LAN and four 1 gigabyte SFP slots at $6,995 each for a total of $21,000. The six Cisco VLAN
switches, 2960 Series 10/100 with LAN Lite Software, cost $725 each for a total of $4,350.
VLAN switches present vulnerabilities known as MAC spoofing and VLAN hopping. Ensure
ports are not set to negotiate trunks. A misconfiguration could allow an attacker access to
internal traffic. There are 2 Cisco 7505 distribution routers with a total cost of $15,800 and 2
Cisco 7201 border routers that cost a total of $22,500. The VPN gateway includes a Cisco 3030
that costs $5,930. The remote access server is a Dell Power Edge R320 with a value of $1,109.
Improper configuration for the RAS allows access for intruders. One vulnerability found in
Remote Desktop Protocol (RDP) allows an attacker to take complete control of the system or
cause a Denial of Service. Telework would not be possible. The PBX server is located on-site and
is an IP PBX with call center software. The wireless connectivity is established through a
Linksys LRT 214 router that costs $159. The level of security for wireless access is much lower
than wired connections. The most robust wireless security, WPA2/TLS, is not difficult. An
attacker can simply view tutorials online and download tools for free by querying a search
engine. Global Finance, Inc. is currently experiencing neighboring residents accessing the wireless
router. This access point is directly connected to the internal switches, allowing war-drivers
access.
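The advice above to ensure ports are not set to negotiate trunks can be checked against a saved switch configuration. The following is an added example, not part of the original paper: the configuration excerpt is constructed, the function names are hypothetical, and the fallback to dynamic auto when no mode is configured is an assumption about the platform default that should be confirmed for the switch model in use.

```python
import re

# Constructed excerpt of an access-switch configuration (not from the paper).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description accounting workstation
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/2
 description loan department workstation
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet0/1
 description uplink to distribution switch
 switchport mode trunk
!
interface FastEthernet0/24
 shutdown
!
"""

# Assumption: a port with no "switchport mode" line falls back to dynamic auto.
DEFAULT_MODE = "dynamic auto"
MODE_RE = re.compile(r"switchport mode (access|trunk|dynamic (?:auto|desirable))")
NATIVE_RE = re.compile(r"switchport trunk native vlan (\d+)")

ISSUES = {
    "DEFAULT_DYNAMIC": "no mode configured; port will negotiate a trunk if asked",
    "DYNAMIC_MODE": "dynamic mode configured; port negotiates trunks",
    "TRUNK_DTP": "static trunk still sends DTP; add 'switchport nonegotiate'",
    "NATIVE_VLAN_1": "trunk native VLAN is 1; move it to an unused VLAN",
}


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} from an IOS-style configuration."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the block
    return interfaces


def audit_trunk_negotiation(config_text):
    """Return (interface, issue code) pairs for ports exposed to VLAN hopping."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        if "shutdown" in cmds or "no switchport" in cmds:
            continue  # disabled or routed ports are out of scope
        mode, explicit, native = DEFAULT_MODE, False, 1
        for cmd in cmds:
            m = MODE_RE.fullmatch(cmd)
            if m:
                mode, explicit = m.group(1), True
            n = NATIVE_RE.fullmatch(cmd)
            if n:
                native = int(n.group(1))
        if mode.startswith("dynamic"):
            findings.append((name, "DYNAMIC_MODE" if explicit else "DEFAULT_DYNAMIC"))
        elif mode == "trunk":
            if "switchport nonegotiate" not in cmds:
                findings.append((name, "TRUNK_DTP"))
            if native == 1:
                findings.append((name, "NATIVE_VLAN_1"))
        # mode == "access": the port is pinned as non-trunking, so no finding.
    return findings


if __name__ == "__main__":
    for interface, code in audit_trunk_negotiation(SAMPLE_CONFIG):
        print(f"{interface}: {ISSUES[code]}")
```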
Known Vulnerabilities and New Design.
Global Finance, Inc. has a history of network attacks as a result of vulnerabilities. Their
wireless network is unsecured and open to public access. Relocating the wireless router
outside of range from the perimeter and using MAC filtering along with not broadcasting the SSID
will reduce the opportunity for unauthorized access. There is also an unencrypted trusted path to
the TCB from the switches. Configuring an encryption protocol, SSL/TLS, provides increased
difficulty for capturing intelligible data. These protocols apply to all transmitted data on the
WAN. These protocols apply to the VPN as well. Filtering traffic at the access points will
alleviate congestion of the internal bandwidth and stop applications from stalling. Routine
maintenance on workstations, servers, switches, and routers increases performance.
Evaluation of Authentication Protocols and Methodologies with Supporting Data
There are many authentication protocols, but choosing the most reliable and strongest benefits the
organization. Extensible Authentication Protocol is a framework of authentication protocols.
EAP-TLS is a secure subset protocol for wireless transport and is supported among many vendors.
Client-side certificates are required and not favored, but they are the reason EAP-TLS is the de
facto standard for wireless transport authentication protocols. Host Identity Protocol (HIP) is a
host identification protocol for IP networks and supplies a host identity name space for the public
key security infrastructure complementary to PKI. For expanding the WAN to include mobile
computing, HIP is a very useful protocol. MS-CHAPv2 works well with the VPN and on the RADIUS
server. Mutual authentication is required between each end by sending a peer challenge on a
Response packet and an authenticator response on a Success packet. Remote Authentication Dial In
User Service (RADIUS) offers centralized management for authentication, authorization, and
accounting for remote users to connect to the internal network from outside. A RADIUS client is
installed on the remote access server.
Secure Mobile Computing Design Proposal and CEO Concerns on Mobile Security
Today’s high computing business world requires near real time access to network
resources for providing customer service while traveling. The Cisco Next-Generation WAN
Architecture (NGWAN) provides the necessary security for authentication and data protection.
There are five core modules, listed as follows. Regional WAN: provides connectivity between
distant sites with remote locations. Metro: connects remote offices with data centers. WAN
core: interconnects regional networks and data centers within a country or globally. Enterprise
Edge: connects the enterprise network to external networks and services. Enterprise
interconnect: connects all WAN, campus, and data center network modules together. NGWAN
also connects to the cloud and collaborative services for distant support on projects by
coworkers. NGWAN uses TrustSec architecture for authentication, access control, and user
policies for a secure environment. For Bring Your Own Device (BYOD), employee mobile
devices, partitioning corporate data from personal data will be conducted by GFI IT staff.
Mobile Device Management software allows securing, monitoring, management, and support for
deployed devices.
Wireless Vulnerabilities
Wireless networks have all of the same vulnerabilities as the wired networks they
are connected to and possess a few more. Wireless connections using Bluetooth technology
are subject to many types of Bluetooth attacks. Bluesnarfing attacks easily gain access to retrieve
information, bluebugging involves eavesdropping on calls and sending out texts or calls from the
victim’s number, and bluejacking enables an intruder to send electronic business cards with
offensive material to the victim’s device. For wireless connectivity to a wireless router,
eavesdropping and corporate espionage are vulnerabilities through which an adversary can simply
monitor communications and steal corporate secrets and information. Wardriving is another
threat to wireless network connectivity, in which an attacker can attach a global positioning
system to a mobile device that has a program such as NetStumbler to map access points for
intruding into wireless access. Configuration in wireless networks is a priority. Broadcasting an
SSID is the same as advertising the network name. Administrators should not broadcast the
SSID, should name the connection differently than the WAN, and should change the manufacturer’s
default password. Rogue access points are vulnerabilities that are easily exploited. These can be
accidental as a result of an employee plugging a laptop into the wireless router. MAC filtering
should be configured to only allow specified devices. The following section summarizes
security safeguards, authentication technologies, and network security.
Recommended Wireless Safeguards, Authentication Technologies, & Network Security
The current network configuration places the wireless access point inside the border, directly
bypassing security in perimeter protection. Relocating the wireless router to the DMZ would
require access to the internal network to pass through the series of security checks identical to
remote access connections. Configuring the wireless router to not broadcast the SSID, disabling the
SSID Guest, naming the SSID differently than the WAN, applying a secure password, selecting
WPA2/AES for encryption and authentication, MAC filtering, enabling the wireless firewall, and
monitoring traffic provide a sufficient level of security for incorporating a wireless connection.
The access point should be configured to pass HTTPS instead of HTTP to protect usernames and
passwords and to avoid passing plaintext. Wireless standard 802.11ac is the newest technology
allowing dual-band connections of 2.4 Gigahertz and 5 Gigahertz. Wireless connections possess
additional vulnerabilities, but with proper configuration settings and monitoring, those
vulnerabilities can be deterred. Expanding the network to meet evolving business needs is not
limited to various connectivity methods. As a result of expanding business internationally,
newer methods of data storage have emerged. Cloud computing offers data storage by third
parties. The risks and benefits are discussed in the following section.
Cloud Computing Environment Design
Cloud computing provides advantages and disadvantages over traditional storage
methods. There are different options for cloud computing, including internal or external private
storage, public storage by third parties, and hybrid. A recent design is the virtual private cloud
(VPC). This method works by a third party allocating a specific, IP-based storage space on a
public cloud. The design for VPC was developed to resolve concerns about security and control
over proprietary data. For GFI to institute VPC, a virtualization environment should be
configured on TCB servers. This option, cloud computing, saves the company the cost of expensive
server hardware and software upgrades with associated maintenance cost. GFI will also have
access to processing use, storage, memory, and software over the internet, resulting in lower
management oversight in addition to lower administrative cost. Rapid scalability is nearly automated
within cloud computing. Environmental factors including natural disasters or fire and flooding
become non-factors with advanced offsite storage. Virtualization in a private cloud offers a
self-service portal to access resources. Additionally, private cloud management by third parties
handles privacy and protection regulations. VMware applications are loaded on desktops and
servers. For GFI IT staff to manage the virtualization, IT Service Management (ITSM) is
included in the management layer.
Risk Assessment Probability and Impact Discovered on Assets
Banking and financial institutions are by nature targets for attacks. They possess money,
credit, and personal information on a large scale. The risk of exposure increases the
opportunity and potential for attacks. Given the increasing availability of more powerful,
easy-to-use tools for hacking information systems, the risk rises. The vast majority of
attempted attacks can be deterred or mitigated with a thorough security policy that is
practiced. Incorporating a Defense-in-Depth layered security approach will enable the IT
staff to identify an intruder and defend against the attack before it is successful or spreads
throughout the network. The probability of attack is high and the potential of a successful
attack is low when integrating the strategy outlined in this document. A compromise on the
TCB internal network would violate the integrity, confidentiality, and availability of
customer data as it is stored, shared, and processed there. The costs are critically high in
the event of a breach in the TCB. Loss of customers, lawsuits, regulatory fines, and change
management are expected. A compromise of network switches has the potential to stop traffic
flow from one or all of the subnets. Personal and corporate data could be manipulated or
retrieved, though the damages are less than those from attacks on the TCB. With access to
the switches, an intruder could map their attack to a specific target, such as the finance
department, to steal financial data. Router attacks could give an attacker the ability to
flood the network with erroneous traffic or deploy a denial of service and affect online
business. A hack of the RAS would potentially disrupt remote services for employees'
connectivity from home or hotels. An attack on the PBX could cost GFI an unpredictable
amount of money as a result of calling costs from fraudulent use. The wireless router is the
least expensive node but provides the easiest path for access if it is not properly
configured, monitored, and located on the network. Once an intruder has connected to this
access point, they will have access to network switches and the internet within the same
connection. From there, they can download malicious content or hacking tools for systems
discovered in the reconnaissance phase of the attack.
Recommended Risk Mitigation Procedures and Mission Objectives
The first recommendation is to move the wireless connection to the DMZ in order to prevent
direct access to the internal network and subnets. The next step in mitigating threats is to
implement the PKI for authentication and associated encryption protocols. All traffic
traversing internally should be encrypted. The third step is to design and implement the DMZ
recommended earlier in this document. The DMZ will provide the needed buffer from the path
with the highest exposure to the internet. The VPN should use the SSL/TLS protocols. Close
monitoring and prompt reporting of suspicious activity decrease the opportunity for a
successful attack.
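The check below is an added example, not part of the original report. It models the wireless placement as a small graph and reports every path from the wireless access point to a protected asset that crosses no filtering device, before and after the move to the DMZ. The node names, the link layout, and the two DMZ firewalls are assumptions made for illustration.

```python
from collections import deque

# Constructed, simplified models of the network the report describes.
# Each link is (node_a, node_b, filtered). filtered=True means traffic on the
# link passes a policy-enforcing device such as a DMZ firewall (assumption).
CURRENT_LINKS = [
    ("internet", "border_router", False),
    ("border_router", "distribution_router", False),
    ("distribution_router", "core_switch", False),
    ("wireless_ap", "core_switch", False),      # assumed attachment point
    ("core_switch", "finance_vlan_switch", False),
    ("core_switch", "tcb_switch", False),
    ("tcb_switch", "oracle_db", False),
]

PROPOSED_LINKS = [
    ("internet", "border_router", False),
    ("border_router", "dmz_switch", True),      # assumed outer DMZ firewall
    ("wireless_ap", "dmz_switch", False),       # wireless moved into the DMZ
    ("dmz_switch", "core_switch", True),        # assumed inner DMZ firewall
    ("core_switch", "finance_vlan_switch", False),
    ("core_switch", "tcb_switch", False),
    ("tcb_switch", "oracle_db", False),
]

# Assets the report says an intruder on the wireless router could reach.
TARGETS = ["oracle_db", "finance_vlan_switch", "internet"]


def build_graph(links):
    """Build an undirected adjacency list from (a, b, filtered) tuples."""
    graph = {}
    for a, b, filtered in links:
        graph.setdefault(a, []).append((b, filtered))
        graph.setdefault(b, []).append((a, filtered))
    return graph


def least_filtered_path(graph, src, dst):
    """Return (crossings, path) for the path with the fewest filtered links,
    or None if dst cannot be reached. Implemented as a 0-1 BFS."""
    best = {src: 0}
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt, filtered in graph.get(node, []):
            cost = best[node] + (1 if filtered else 0)
            if nxt not in best or cost < best[nxt]:
                best[nxt] = cost
                prev[nxt] = node
                # Zero-cost hops are explored first so costs stay minimal.
                if filtered:
                    queue.append(nxt)
                else:
                    queue.appendleft(nxt)
    if dst not in best:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return best[dst], path[::-1]


def audit(links, entry, targets):
    """List (target, path) for every target reachable from entry without
    crossing a single filtering device."""
    graph = build_graph(links)
    findings = []
    for target in targets:
        result = least_filtered_path(graph, entry, target)
        if result is not None and result[0] == 0:
            findings.append((target, result[1]))
    return findings


if __name__ == "__main__":
    for name, links in (("current", CURRENT_LINKS), ("proposed", PROPOSED_LINKS)):
        findings = audit(links, "wireless_ap", TARGETS)
        print(f"{name}: {len(findings)} unfiltered path(s) from wireless_ap")
        for target, path in findings:
            print(f"  {target}: {' -> '.join(path)}")
```

Run against an inventory exported from the real switch and firewall configuration, the same audit makes a useful regression check after any change to wireless or DMZ cabling.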
Conclusion
Increasing availability of more powerful hacking tools, together with increased exposure to
the internet and mobile computing, adds risk. Budgeting and reaction time to attacks are vital
to the success of a corporate network and ultimately the existence of a business. Outsourcing
involves costs that are not incurred when retaining IT staff. Scheduling appointments for
consultation, unclear duties and responsibilities requiring rework, and uncertainty of
knowledge level are contributing factors to the higher cost of outsourcing. Many types of
attacks can be mitigated successfully when caught and responded to in time. Outsourcing
requires appointments and time for the provider's staff to become familiar with the
organization's network. Retaining IT staff can often prevent attacks through daily monitoring
and adjustments to the network. Maintaining control of corporate data and avoiding liabilities
are realized through employing an IT staff. Outsourcing carries a risk of valuable data being
extracted, either accidentally or purposefully, and taken out of the company's possession.
  • 6. Global Finance, INC Risk Assessment and Mitigation Strategy 6 VPN Gateway Provides the secure connection between remote office and TCB internal network. Remote Access Server Allows employees to connect from outside of the network. Improves productivity but is not a highly critical asset. Private Branch Allows employees to dial-in to corporate WAN from home, hotels, Exchange airports, etc. 2 Border (Core) Routers Provides the internet connectivity and routes incoming traffic to internal request. Wireless Antenna & router Allows wireless connectivity to the network and internet. Least critical but one of the most vulnerable. Enterprise Topology Evaluation Enterprise topologies are designed for large, production networks with many users. They encompass people, software, and processes to interoperate, integrate, and standardize polices. Security architecture for enterprise networks are more granular as a result of increased operational responsibilities and the authentication, software deployments, connections, and other network processes presenting a complete defense in depth. Enterprise systems must efficiently manage workload balance to avoid downtime or network lag. Management for authentication and identification is paramount for controlling the proper level of access to the resources. User accounts should be managed centrally and administrator privileges should be consistent. Flexibility in the integration of various network, authentication, and encryption protocols allows efficient network management and ease of integrating software. In an enterprise topology, central management of software enables administrators to remotely load software and respond to user issues. Enterprise topologies are designed with a focus on incorporating business needs. 
As Shon Harris states, “Not only do the solutions need to apply to the whole enterprise in a standardized manner, they need to map to business needs.” An enterprise network has responsibilities to the business that also include nontechnical considerations that entail industry regulations and laws related to the nature of a specific organization’s business.

Perimeter Protection Measures and Mission Objectives

To secure the corporate wide area networks from external threats, implementing a demilitarized zone (DMZ) is recommended. Within the DMZ, the border and distribution routers, PBX, and RAS will be located. A dual firewall should be installed between the distribution routers and the remote access server to provide filtered traffic from the internet to the DMZ and from the DMZ to the business network. The firewall will be configured to deny all services not permitted and will be monitored regularly. Another firewall configuration should include firewall session tracking to ensure TCP sessions do not last an unusually long time; such a session is potentially a covert channel attempting to extract internal data through the firewall. Collocated with the firewall in the DMZ, a reverse proxy should be integrated to relieve the workload on the associated web server. The routers should have DMZ host installed on them. Also, endpoint security such as Symantec should be included on the routers, in addition to intrusion detection system (IDS) sensors and an intrusion prevention system. The routers should also have the ability to perform egress and ingress filtering. The DMZ should also include packet sniffers for HTTP traffic attempting to bypass the proxy server, as well as SMTP, FTP, and other traffic. The IT staff should periodically conduct penetration testing and vulnerability scanning to test configurations and discover weaknesses.

The wireless connection providing access to the internal network and internet should have a secure station serial identification (SSID) and password. The SSID should not be broadcast, and 802.11i or WPA2 encryption and authentication must be configured. Perimeter protection is a mission critical area for maintaining the confidentiality, integrity, and availability of information and information systems.
This segment of the network provides the most vulnerability to vital assets and if compromised by lack of attention, the
business will experience losses. Through frequent training, employees will understand various social engineering techniques and they will be able to respond appropriately. Securing the perimeter is vital; however, so is ensuring that internal and external access points for the network align with a defense in depth strategy. The next section will list GFI’s access points.

Internal and External Access Points List

Global Finance’s wide area network contains multiple external and internal access points. Their external access points are two routers on the border, connecting an off-site office with a VPN tunnel. Outbound traffic also routes through these two border routers. The network configuration also consists of a private branch exchange system for dial-in users to connect from home, hotels, or other remote places. Another external access point is the wireless antenna, which provides the most vulnerability by wirelessly connecting directly to the internal switches and, in turn, the subnets of each department. Inside the perimeter of the network, there are two distribution routers, a remote access server, and 6 access layer VLAN switches that segment the WAN with subnets for each department. The remote access provides additional vulnerabilities due to increased exposure and mobility. An evaluation of the protocols will identify the needed security. These are discussed in the following section.

Remote Access Protocols Evaluation

Specific protocols are designed to enable remote users to connect to network resources and to grant them access. Users dial in to the remote access server, which serves as a gateway to the internal network. The following text evaluates some dial-up authentication protocols. Extensible Authentication Protocol is a mutual authentication by the remote access client and authenticator such as a RADIUS server.
The authenticator requests authentication from the remote access client through a name or personal identification number. The query receives a
response from the remote client and grants access. EAP offers a subtype identified as EAP-TLS. This is a strong protocol with which compromised passwords are not enough to bypass the RADIUS server. This protocol would require a hacker with the compromised password to also possess the client-side certificate. This is a great protocol. For the dial-up users, Point-to-Point Protocol is a good choice for server and client encryption. This protocol supports TCP/IP, IPX/SPX, AppleTalk, and many other LAN protocols. Serial Line Internet Protocol is older technology used as a client in Windows NT or 2000 and fails to support dynamic host configuration protocol. This is not a good selection. Password Authentication Protocol (PAP) is only utilized when servers require plaintext passwords and no encryption when passed. This is not a good selection. The encryption for Shiva Password Authentication Protocol is weak and fails to meet the needs of GFI. Challenge Handshake Authentication Protocol reverses encrypted passwords and stores them in plaintext on the remote access server. This is also not a good choice. MS-CHAP v2 revised CHAP by storing passwords in encrypted formats. It also requires authentication between authenticator and remote access client by using different encryption keys. This is a good selection. For dial-up encryption protocols, Microsoft Point-to-Point Encryption requires the dial-up authentication protocol to be EAP-TLS or MS-CHAP version 1 or 2. This is not a bad selection but is limited to Microsoft-only protocols for authentication. Selecting the most secure protocols for remote authentication and encryption which are compatible provides an external layer of security. Separate protocols are used for the VPN. IPsec, L2TP, and EAP-TLS used together provide the needed security for private and secure communications.
There are more security safeguards discussed in the following section to harden the network defense.

Network Security Safeguards Evaluated

Managing the security for a large network entails many safeguards. Symantec Endpoint Protection provides many security features needed for the GFI WAN. The Symantec product is scalable and grows along with the network. Symantec Endpoint Protection offers 5 layers of protection that include network, file, reputation, behavior, and repair. It provides protection from malware by an intrusion protection system and includes browser protection for each node. On files, Endpoint Protection scans for and eliminates malware, viruses, worms, bots, and root kits. This comprehensive protection is excellent for business. It is flexible by providing scalability and enforces policy. Symantec Endpoint Protection also reduces operating cost and system downtime, improves productivity through scan performance, and displays all features through a central dashboard. Another unique feature for this product is location awareness: it automatically detects the location from which a system is attempting to connect, including hotspots, VPNs, or wireless networks. Endpoint protection includes the intrusion prevention system. An intrusion detection system would need to be installed on each workstation and server in the network in the event an intrusion is not prevented.

Global Finance Security Issues

Global Finance, Inc. has a history of security incidents. Traffic flow from external sources drastically increased following an article in Fortune magazine mentioning Global Finance, Inc. Data filtering at the border is too lenient. There is also network lag causing some applications to time out for some employees. Purging the Oracle database and scanning for duplicate copies of files and for large files that are not needed or used is a first step. Also, unneeded processes running on the database should be stopped.
The company has also been the victim of multiple cyber-attacks, including attacks targeting the Oracle database and a malicious virus that infected the network. The wireless connection directly into the internal network is failing to prevent unauthorized user access. Neighboring residents are able to connect with ease. Additionally, the trusted path leading directly from the switch to the trusted computing base internal network is unencrypted. Data from the TCB is shared across all of the other subnets. A successful breach of the perimeter enables a hacker to easily steal or manipulate data at will.

Asset Vulnerabilities Assessment and Compromise

Listing only the nodes of a network is not sufficient for assessing vulnerabilities. Knowing the software and associated network components is equally important because they also present vulnerabilities. Device configurations should follow simple principles in order to reduce the cost of change management. Third party applications are another risk. Conducting a qualitative and quantitative assessment provides the organization enough insight for decision making. The qualitative assessment is the prioritization of mission critical assets, which is itemized in Table 1 above. The quantitative assessment entails value of assets, threat exposure, and financial loss if compromised.

The Oracle database Enterprise Edition costs $10,450 for license update, software, and support. The high end computer price is $6,000. Since the bulk of customer accounts for loans, investments, and financial management are processed on the Oracle database, a compromise of the system could bankrupt Global Finance, Inc. as a result of lawsuits as well as customers closing accounts. An estimation of financial loss is in excess of $100 million. Providing identity protection services for affected customers, regaining trust, court cost, potential Federal fines, and many other expenses exceed the cost of implementing strong technical security measures upfront. Currently, the TCB shares information across all subnets unencrypted.
This is a big vulnerability for sensitive data transmitting over the trusted path. An effective solution for authentication is public key infrastructure and Advanced Encryption
Standard 256 bit full disk and file data encryption. The WSUS will replace current software on the SUS server and is free. A WSUS server often fails to patch third party software from vendors such as Adobe or Java. Java is known to account for nearly half of exploits. The operating system for the WSUS server is Windows Server 2012.

The internal DNS server is Ubuntu 12.04 LTS running ISC BIND version 9 software for $4,500. The Ubuntu software mistakenly modifies certain response fields when enabling a shadow copy. This enables a remote attacker to potentially access sensitive data. The attacker could also use improperly handled fields to overwhelm the system with inbound DNS messages, causing denial of service. Patches have been deployed, but configuration management and applying them is vital. A crash of the internal DNS would cause data flow to stop and business operations to experience downtime.

Microsoft Exchange Server with Exchange 2012 costs $4,000. The web server is Microsoft Internet Information Services with software version 8.5 in Windows Server 2012 R2 Datacenter SKU priced at $6,155. Also in the TCB internal network are 7 Dell New Inspiron Desktop computers with Windows 8.1 with monitor bundle for $3,500 total. The 6 other domains also have a total of one hundred and sixty-four computers totaling $82,000 at $500 each. There are twenty-six printers at $1,000 each for a total of $26,000. There are 3 Cisco 3750 switches with 10/100 LAN and four 1 gigabyte SFP slots at $6,995 each for a total of $21,000. The six Cisco VLAN switches, 2960 Series 10/100 with LAN Lite Software, cost $725 each for a total of $4,350. VLAN switches present vulnerabilities known as MAC spoofing and VLAN hopping. Ensure ports are not set to negotiate trunks. A misconfiguration could allow an attacker access to internal traffic.
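
The advice to ensure ports are not set to negotiate trunks can be checked against a saved switch configuration. The audit below is an added example, not part of the original report: the sample configuration, interface names and function names are constructed for illustration, and it assumes Cisco IOS-style syntax with a platform default of `dynamic auto` when no mode is configured.

```python
import re

# Constructed sample in Cisco IOS running-config style; not taken from GFI's switches.
SAMPLE_CONFIG = """\
hostname dept-sw1
!
interface FastEthernet0/1
 description finance workstation
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/2
 description spare wall jack
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 description unused
 shutdown
!
interface GigabitEthernet0/1
 description uplink to 3750
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description uplink to 3750
 switchport mode trunk
!
interface Vlan1
 no ip address
!
"""

MODE_RE = re.compile(r"^switchport mode (access|trunk|dynamic (?:auto|desirable))$")


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        header = re.match(r"^interface\s+(\S+)", raw)
        if header:
            current = header.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces


def audit_trunk_negotiation(config_text):
    """Return (interface, severity, reason) for ports able to negotiate a trunk."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        # Skip SVIs, routed ports and administratively disabled ports.
        if name.lower().startswith(("vlan", "loopback")):
            continue
        if "no switchport" in cmds or "shutdown" in cmds:
            continue
        mode = next((m.group(1) for m in map(MODE_RE.match, cmds) if m), None)
        if mode is None:
            # Assumption: the platform default is "dynamic auto", as on
            # Catalyst 2960-class access switches; adjust for other platforms.
            findings.append((name, "HIGH", "no explicit mode; default accepts trunk negotiation"))
        elif mode.startswith("dynamic"):
            findings.append((name, "HIGH", f"'{mode}' lets the neighbor negotiate a trunk"))
        elif mode == "trunk" and "switchport nonegotiate" not in cmds:
            findings.append((name, "MEDIUM", "static trunk still sends DTP; add 'switchport nonegotiate'"))
    return findings


if __name__ == "__main__":
    for iface, severity, reason in audit_trunk_negotiation(SAMPLE_CONFIG):
        print(f"{severity:6} {iface:20} {reason}")
```

Ports that only set an access VLAN, like the spare wall jack in the sample, are the ones most often missed, because nothing in the configuration mentions trunking at all.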
There are 2 Cisco 7505 distribution routers with a total cost of $15,800 and 2 Cisco 7201 border routers that cost a total of $22,500. The VPN gateway includes a Cisco 3030 that cost $5,930. The remote access server is a Dell Power Edge R320 with a value of $1,109.
Improper configuration for the RAS allows access for intruders. One vulnerability found in Remote Desktop Protocol (RDP) allows an attacker to take complete control of the system or cause a Denial of Service. Telework would not be possible. The PBX server is located on-site and is an IP PBX with call center software. The wireless connectivity is established through a Linksys LRT 214 router that cost $159. The level of security for wireless access is much lower than wired connections. Even the most robust wireless security, WPA2/TLS, is not difficult to attack. An attacker can simply view tutorials online and download tools for free by querying a search engine. Global Finance, Inc. is currently experiencing neighboring residents accessing the wireless router. This access point is directly connected to the internal switches, allowing war-drivers access.

Known Vulnerabilities and New Design

Global Finance, Inc. has a history of network attacks as a result of vulnerabilities. Their wireless network is unsecure and open for public access. Relocating the wireless router outside of range from the perimeter and using MAC filtering along with not broadcasting the SSID will reduce the opportunity for unauthorized access. There is also an unencrypted trusted path to the TCB from the switches. Configuring an encryption protocol, SSL/TLS, provides increased difficulty for capturing intelligible data. These protocols apply to all transmitted data on the WAN and to the VPN as well. Filtering traffic at the access points will alleviate congestion of the internal bandwidth and stop applications from stalling. Routine maintenance on workstations, servers, switches, and routers increases performance.

Evaluation of Authentication Protocols and Methodologies with Supporting Data

There are many authentication protocols, but choosing the most reliable and strongest benefits the organization.
Extensible Authentication Protocol is a framework of authentication protocols.
EAP-TLS is a secure subset protocol for wireless transport and is supported by many vendors. Client-side certificates are required, which is not favored, but they are the reason EAP-TLS is the de facto standard among wireless transport authentication protocols. Host Identity Protocol (HIP) is a host identification protocol for IP networks and supplies a host identity name space for the public key security infrastructure complementary to PKI. For expanding the WAN to include mobile computing, HIP is a very useful protocol. MS-CHAPv2 works well with the VPN and on the RADIUS server. Mutual authentication is required between each end by sending a peer challenge on a Response packet and an authenticator response on a Success packet. Remote Authentication Dial In User Service (RADIUS) offers centralized management for authentication, authorization, and accounting for remote users to connect to the internal network from outside. A RADIUS client is installed on the remote access server.

Secure Mobile Computing Design Proposal and CEO Concerns on Mobile Security

Today’s high computing business world requires near real time access to network resources for providing customer service while traveling. The Cisco Next-Generation WAN Architecture (NGWAN) provides the necessary security for authentication and data protection. There are five core modules, listed as follows:

Regional WAN: Provides connectivity between distant sites with remote locations.
Metro: Connects remote offices with data centers.
WAN core: Interconnects regional networks and data centers within a country or globally.
Enterprise Edge: Connects the enterprise network to external networks and services.
Enterprise interconnect: Connects all WAN, campus, and data center network modules together.

NGWAN also connects to the cloud and collaborative services for distant support on projects by coworkers.
NGWAN uses TrustSec architecture for authentication, access control, and user policies for a secure environment. For Bring Your Own Device (BYOD), employee mobile
devices, partitioning corporate data from personal data will be conducted by GFI IT staff. Mobile Device Management software allows securing, monitoring, management, and support for deployed devices.

Wireless Vulnerabilities

Wireless networks carry all of the same vulnerabilities as the wired networks they are connected to and possess a few more. Wireless connections using Bluetooth technology are exposed to many types of Bluetooth attacks. Bluesnarfing attacks easily gain access to retrieve information, bluebugging involves eavesdropping on calls and sending out texts or calls from the victim's number, and bluejacking enables an intruder to send electronic business cards with offensive material to the victim’s device. For wireless connectivity to a wireless router, eavesdropping and corporate espionage are vulnerabilities in which an adversary can simply monitor communications and steal corporate secrets and information. Wardriving is another threat to wireless network connectivity, whereby an attacker can attach a global positioning system to a mobile device that has a program such as NetStumbler to map access points for intruding into wireless access. Configuration in wireless networks is a priority. Broadcasting an SSID is the same as advertising the network name. Administrators should not broadcast the SSID, should name the connection differently than the WAN, and should change the manufacturer's default password. Rogue access points are vulnerabilities that are easily exploited. These can be accidental as a result of an employee plugging a laptop into the wireless router. MAC filtering should be configured to only allow specified devices. The following section summarizes security safeguards, authentication technologies, and network security.

Recommended Wireless Safeguards, Authentication Technologies, & Network Security

The current network configuration places the wireless access point inside the border, directly bypassing security in perimeter protection. Relocating the wireless router in the DMZ would require access to the internal network to pass through the series of security checks identical to remote access connections. Configuring the wireless router to not broadcast the SSID, disabling the SSID Guest, naming the SSID differently than the WAN, applying a secure password, selecting WPA2/AES for encryption and authentication, MAC filtering, enabling the wireless firewall, and monitoring traffic provide a sufficient level of security for incorporating a wireless connection. The access point should be configured to pass HTTPS instead of HTTP to protect usernames and passwords and to avoid passing plaintext. Wireless standard 802.11ac is the newest technology, allowing dual-band connections of 2.4 Gigahertz and 5 Gigahertz. Wireless connections possess additional vulnerabilities, but with proper configuration settings and monitoring, those vulnerabilities can be deterred. Expanding the network to meet evolving business needs is not limited to various connectivity methods. As a result of expanding business internationally, newer methods of data storage have emerged. Cloud computing offers data storage by third parties. The risks and benefits are discussed in the following section.

Cloud Computing Environment Design

Cloud computing provides advantages and disadvantages over traditional storage methods. There are different options for cloud computing, including internal or external private storage, public storage by third parties, and hybrid. A recent design is virtual private cloud (VPC). This method works by a third party allocating a specific, IP-based storage space on a public cloud. The design for VPC was developed to resolve concerns about security and control over proprietary data. For GFI to institute VPC, a virtualization environment should be configured on TCB servers.
This option, cloud computing, saves the company on expensive server hardware and software upgrades with associated maintenance cost. GFI will also have
access to processing use, storage, memory, and software over the internet, resulting in lower management oversight in addition to lower administrative cost. Rapid scalability is nearly automated within cloud computing. Environmental factors including natural disasters or fire and flooding become non-factors with advanced offsite storage. Virtualization in a private cloud offers a self-service portal to access resources. Additionally, private cloud management by third parties handles privacy and protection regulations. VMware applications are loaded on desktops and servers. For GFI IT staff to manage the virtualization, IT Service Management (ITSM) is included in the management layer.

Risk Assessment Probability and Impact Discovered on Assets

Banking and financial institutions are by nature targets for attacks. They possess money, credit, and personal information on a large scale. The risk of exposure increases the opportunity and potential for attacks. Given the increasing availability of more powerful, easy to use tools to hack information systems, the risk rises. The vast majority of attempted attacks can be deterred or mitigated with a thorough security policy that is practiced. Incorporating a Defense-in-Depth layered security approach will enable the IT staff to identify an intruder and defend against the attack before it is successful or spreads throughout the network. The probability of attack is high and the potential of a successful attack is low when integrating the strategy outlined in this document. A compromise on the TCB internal network would violate the integrity, confidentiality, and availability of customer data as it is stored, shared, and processed there. The costs are critically high in the event of a breach in the TCB. Loss of customers, lawsuits, regulatory fines, and change management are expected.
A compromise of network switches has the potential to stop traffic flow from one or all of the subnets. Personal and corporate data could be manipulated or retrieved and damages are less than attacks on the
TCB. With access to the switches, an intruder could map their attack to a specific target such as the finance department to steal financial data. Router attacks could provide an attacker the ability to flood the network with erroneous traffic or deploy a denial of service and affect online business. A hack of the RAS would potentially disrupt remote services for employees' connectivity from home or hotels. An attack on the PBX could cost GFI an unpredictable amount of money as a result of fraudulent use in calling cost. The wireless router is the least expensive node but provides the easiest path for access if it is not properly configured, monitored, and located on the network. Once an intruder has connected to this access point, they will have access to network switches and the internet within the same connection. From there, they can download malicious content or hacking tools for systems discovered in the reconnaissance phase of the attack.

Recommended Risk Mitigation Procedures and Mission Objectives

The first recommendation is to move the wireless connection to the DMZ in order to prevent direct access to the internal network and subnets. The next step in mitigating threats is to implement the PKI for authentication and associated encryption protocols. All traffic traversing internally should be encrypted. The third step is to design and implement the DMZ recommended earlier in this document. The DMZ will provide the needed buffer from the path with the highest exposure to the internet. The VPN should use the SSL/TLS protocols, and close monitoring and prompt reporting of suspicious activity decrease the opportunity for a successful attack.
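
The perimeter section recommends firewall session tracking so that TCP sessions lasting unusually long are noticed, and this section calls for close monitoring of suspicious activity. One way to run that check over exported session records is sketched below as an added example that is not part of the original report; the record format, addresses, per-port limits and function names are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed firewall session records (not GFI data):
# start,end,src,dst,dport,bytes_out  -- an empty "end" means the session is still open.
SAMPLE_SESSIONS = """\
2014-08-04T08:00:12,2014-08-04T08:00:47,10.10.20.15,203.0.113.10,443,18200
2014-08-04T08:05:00,2014-08-04T08:35:00,10.10.20.15,203.0.113.10,443,5200000
2014-08-03T22:10:00,,10.10.30.8,198.51.100.77,443,94000000
2014-08-04T09:00:00,2014-08-04T09:02:10,10.10.40.3,203.0.113.25,25,41000
2014-08-04T01:00:00,2014-08-04T07:30:00,10.10.50.21,198.51.100.200,53,1300000
2014-08-04T09:15:00,2014-08-04T11:00:00,10.10.60.4,203.0.113.40,22,880000
"""

# Assumed policy limits per destination port; tune them to the site's own baseline.
MAX_SESSION_AGE = {
    25: timedelta(minutes=10),
    53: timedelta(minutes=2),
    80: timedelta(hours=1),
    443: timedelta(hours=1),
    22: timedelta(hours=8),
}
DEFAULT_MAX_AGE = timedelta(hours=2)


def find_long_sessions(log_text, as_of, limits=MAX_SESSION_AGE, default=DEFAULT_MAX_AGE):
    """Return sessions older than their per-port limit, longest first.

    Sessions without a teardown time are aged against `as_of`, so a tunnel
    that never closes is reported instead of being missed.
    """
    flagged = []
    fields = ["start", "end", "src", "dst", "dport", "bytes_out"]
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        start = datetime.fromisoformat(row["start"])
        still_open = row["end"] == ""
        end = as_of if still_open else datetime.fromisoformat(row["end"])
        duration = end - start
        dport = int(row["dport"])
        limit = limits.get(dport, default)
        if duration > limit:
            flagged.append({
                "src": row["src"], "dst": row["dst"], "dport": dport,
                "duration": duration, "limit": limit, "open": still_open,
                "bytes_out": int(row["bytes_out"]),
            })
    return sorted(flagged, key=lambda s: s["duration"], reverse=True)


if __name__ == "__main__":
    snapshot_time = datetime(2014, 8, 4, 12, 0, 0)
    for s in find_long_sessions(SAMPLE_SESSIONS, snapshot_time):
        state = "OPEN" if s["open"] else "closed"
        print(f'{s["src"]} -> {s["dst"]}:{s["dport"]} {state} '
              f'{s["duration"]} (limit {s["limit"]}) bytes_out={s["bytes_out"]}')
```

Reading only teardown logs would miss the first flagged session in the sample, because it has not closed yet; that is why the check takes a snapshot time.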

Conclusion

Increasing availability of more powerful hacking tools, together with increased exposure to the internet and mobile computing, adds risks. Budgeting and reaction time to attacks are vital to the success of a corporate network and ultimately the existence of a business. Outsourcing involves costs that are not incurred by retaining IT staff. Scheduling appointments for consultation, unclear duties and responsibilities requiring rework, and uncertainty of knowledge level are contributing factors to higher cost for outsourcing. Many types of attacks can be mitigated successfully when caught and responded to in time. Outsourcing requires appointments and their staff getting familiar with the organization's network. Retaining IT staff can often prevent attacks by daily monitoring and adjustments to the network. Maintaining control of corporate data and avoiding liabilities are achieved through employing an IT staff. Outsourcing carries a risk of valuable data being extracted either accidentally or purposefully and taken out of the company’s possession.

References

Harris, S., & Kumar, P. V. (2013). CISSP all-in-one exam guide, sixth edition (6th ed.). New York: McGraw-Hill.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/NGWANArchOver.pdf