
Risk Assessment Case study


GLOBAL ASSET INCORPORATED RISK ASSESSMENT
Name
Institution

Executive Summary
Global Asset, Inc (GAI) is a growing financial institution whose growth strategy incorporates technological innovation and automation. For a firm in the financial industry, security is vital for daily business activities. The networks of such an institution demand extremely high levels of security, to avoid the loss of data and to protect against malicious internet users who may intrude on the network. The objective of the project is to build physical and operational security for the corporate information system. This is the core system that provides the primary business functionality to the remote nodes which connect to it.
For GAI, the physical network assets are in the same building and up to eleven people are responsible for the development and maintenance of the network and the security systems. The current challenge is an internal threat to the system by the management who consider outsourcing to be more cost-effective and efficient as compared to internal networks that are maintained by the organization. In light of decreased attention to the role of information and communication technology in the running of the organization, it is paramount that the project demonstrates unassailably the benefits of having such an internally maintained network instead of outsourcing this service.
The history of the organization indicates a prevalence of security concerns. The organization uses an Oracle database that had been broken into more than once.

This loss of data reflects negatively, especially on the reputation of such an institution. In spite of this negative history, diminishing the IT service internally presents a security risk and undermines the strategic plan of the organization. One benefit of internally developed and maintained systems is the ability to be self-sufficient and have custom solutions that address specific challenges that the organization is facing. Also, there is an advantage of secrecy since the organization has all rights to the system codes and this, in itself, is a security measure. This shields the organization from outside influence.
Organizational authentication technology
The organization uses authentication to verify the identity of the remote nodes. The communication from the remote nodes to the corporate system is channeled through the virtual private network gateways. Authentication of the requests and machines is done over these virtual private network appliances through Secure Sockets Layer (SSL) (McNab, 2007). This is a protocol that dictates the communication between remote nodes and the web-based servers of the corporate network. The Secure Sockets Layer (SSL) on these virtual private networks offers authentication, authorization, encryption and firewall security.
The internal authentication is mainly by passwords. The members of the network engineering team have workstations through which they can access the corporate network. This is single-factor authentication, since individuals may easily log into the system using their personal details on another person’s workstation.
Network security issues.
Although it has had many technological innovations incorporated into it over time due to the history of intrusions, the network is still insecure. Computer networks have very many vulnerabilities, and it is hard to account for every single one of them. On the GAI network, the changes over time have served to increase the security level. However, these measures still fail to address some of the common network security issues.
The first network security issue for the network is the insider threat. The insider threat is a common threat to most networks (Neeraj & Gupta, 2014). This threat can be the inadvertent insider who facilitates activity that may compromise the network. Alternatively, this threat could be presented by the insiders who deliberately compromise the network and its security systems for sinister purposes. The insider threat is nonspecific to any network and needs to be accounted for in all networks. For the GAI network, there are multiple nodes on the network with several access points. All these areas of the network illustrate the possibility that an insider threat can happen.
Another security issue for this network is cyber-attacks with the propagation of viruses and bots (Neeraj & Gupta, 2014). The traffic to the GAI network has increased since it was publicly declared a profitable and remarkable company. However, the Information Technology department is not able to accurately report the source of the increased traffic. The traffic could be originating from internal operations or even from outside the network. It is the possibility that the traffic is originating outside the network which presents a greater threat. Viruses and bots are propagated through various channels. They could be locally deployed or even delivered over emails and other file types online. The access to the network is not adequately secured, mainly through the wireless access points, and the traffic monitoring is weak. The viruses and bots are a danger to the company since they are capable of corrupting the data or even, in the case of bots, facilitating corporate espionage in the form of data collection and remitting it to the source that deployed them. This is risky for a financial institution whose reputation rests on its ability to protect the data.
Distributed denial of service attacks are a security concern for the GAI network. The GAI network has seen a rise in the network traffic recently. The network traffic is from an unspecified source. Additionally, the data from the remote locations to the corporate network is transmitted over the internet in an unencrypted form. This fact alone undoes whatever progress was made in the restructuring of the network to make it more secure. The unencrypted information is susceptible to phishing schemes that can spoof the network for this information and mimic the remote access points. This would grant the users of this information access to the network, and they could very easily overload it with traffic. Also, there is little network monitoring, and the information technology department confesses to being overly stretched in their mandate to provide adequate security and network services in light of limited resources. This network can very easily be overloaded by a denial of service attack due to its limited capacity, already heavy traffic and inability to filter out the requests and prioritize the network access control. A denial of service attack takes down a network by overloading its capacity in this way (Neeraj & Gupta, 2014). For GAI, this spells a tremendous loss in revenue and trust from the clients.
Data loss is a major network security issue in the GAI network. This is especially because the data of the institution is at the core of its principal business processes. The avenues through which data can be lost include the action of viruses, internal threats and natural events such as power loss. Backup systems are essential in a network of this kind to prevent such an event from transpiring.
The bring your own device (BYOD) policy that the management is thinking of implementing presents a network security issue. The policy allows for the use of personal resources to do official duties. However, conflating the two is likely to cause a spillover of one into the other. The use of personal information on corporate networks may only be embarrassing but does not pose as big a danger as the leakage of corporate information over personal networks.
Access points
Access points are the stations that transmit and receive data. The GAI corporate network has internal access points that allow access to the network resources within the network itself. These internal access points connect to the individual departments. There are six such access points. Accounting, loans, customer services, management, credit and finance departments each have unique access points to the GAI corporate network. These access points are organized in this way, consistent with the subsystem architecture of the network. Each department is organized to operate on its own subsystem and only communicates with the other departments through the trusted computer base internal network.
The external access points allow for access to the network from remote locations. The devices that use these access points are uniquely configured to do so from outside the network. There are two wireless access points in the GAI corporate network. The first external access point is the wireless access point that allows connection to the corporate network over a wireless connection. This wireless connection provides access to company resources and is an open network. The second external access point is responsible for handling the traffic from off-site offices to the corporate network. This access point is secured through a virtual private network appliance that implements the secure socket layer protocol (SSL). This access point allows the remote offices to alter the corporate network’s database tables and values in the same way as the nodes that access the network via internal access points can.
Network authentication design proposal
The network authentication should happen over all the access points. For the internal access points, network authentication can be done using more than one factor. Smart card access will check both possession of the card and knowledge of the key phrase or passphrase. This is a two-layer approach that will ensure high levels of security for internal systems. The internal systems need this high level of authentication because they interact directly with the corporate network. Corruption at any of these access points is more damaging to the system. The external access points can use SSL as an authentication protocol. Although SSL memory corruptions have occurred on some occasions, the protocol is still quite reliable as a security measure (McNab, 2007).
Authentication technology
Network security for GAI.
Vulnerabilities
In its architecture and considering corporate policy, there are inherent vulnerabilities in the network security system that predispose it to malfunction or failure. The first vulnerability is the lack of data encryption (Murray, 2013). During its transmission to the central database from the remote site, the data is not encrypted. The data in this format, if intercepted, can easily be accessed and this presents a problem for the organization. This data poses a threat in two ways. First, the data may reveal access codes and protocols for the corporate network. This exposure allows people with malicious intent to intrude into the system very easily and cause damage that may be irreparable. Secondly, the interception of such data may cause the exposure of important corporate secrets. Espionage of this kind may be dangerous to the organization either because it reveals trade secrets to the rivals or because it exposes information that may be damaging to the company reputation.
Another vulnerability of the system is the lack of a corporate policy on the passwords. Weak passwords pose a security threat to the entire network. A weak password alone is enough to provide an individual with malicious intention access into the system. The weak passwords problem or the lack of a password authentication system altogether in the system means that the system depends on the virtual private network appliance for all its security. Due to the lack of encryption, this authentication venue is faulty. The password authentication system is, therefore, an avenue through which one could get access to the system through the external access points and be able to infiltrate the system even over the internal access points.
Missing patches and misconfigured firewalls present a security problem for the network. The security issue arises from the lack of a frequent update service for the operating system for the network. This inadequacy runs the risk of leaving open any old paths into the system that may be used at a later date by a hacker to gain access to the client files and other important corporate documents.
The use of flash drives also makes the system vulnerable. These devices are convenient means of data transfer between two terminals. This is especially important in the separated departments of the subsystem architecture. However, using flash drives exposes the network to the risk of transmission of viruses, Trojan horses, and other malware. Also, the flash drive compromises data security by making the confidential corporate data portable. The data that is meant to belong to the corporation can easily leak to other locations without the knowledge of the data managers.
The poor network monitoring is a systemic vulnerability for the GAI network. The GAI network has reportedly had abnormal traffic for a while. However, the level of traffic monitoring is unsatisfactory. The information technology department can only comment on the patterns of usage of the network resources and differentiate the internal and external traffic. However, this reporting on its own is insufficient. An increase in data traffic to levels that can be considered abnormal indicates that there is a high index of suspicion of illegal activity. A secure system should be able to track the source of the traffic. This tracking will help to identify the individuals who are driving the data usage up and their intentions. Without such levels of monitoring and the accompanying ability to limit the traffic where necessary, the system is vulnerable to both malicious attackers who have the intention of overloading the system and causing it to crash and the hackers who seek to extract valuable company data anonymously.
The last vulnerable part of the system is the unsecured access to the wireless connection. The wireless access point is linked directly to the corporate network and grants access to company network resources. This access poses a problem to the company network since not only the employees but also the nearby residents have access to the Wi-Fi connection. Little regulation in the way of authentication and authorization is done in the access to the Wi-Fi network. The implication of this vulnerability is that people with the right knowledge can easily access the system and then manipulate it from within without much restriction. This vulnerability is compounded by the fact that the monitoring of the network is very poor and the offenders could very easily maintain their anonymity. Episodes such as the cyber-attacks in the past few years are bound to recur in such an environment.
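The monitoring gap described above is that traffic can be split into internal and external but not traced to its source. The following Python example, added here for illustration and not part of the original assessment, attributes traffic volume to individual source addresses and flags those driving an abnormal increase. The flow records, the 10.0.0.0/8 internal range and both thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space for the corporate network (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: (period, source IP, destination IP, bytes).
# "baseline" is a normal period, "current" is the period with abnormal traffic.
FLOWS = [
    ("baseline", "10.1.2.10", "10.0.0.5", 40_000_000),
    ("baseline", "10.1.3.22", "10.0.0.5", 55_000_000),
    ("baseline", "198.51.100.7", "10.0.0.5", 5_000_000),
    ("current", "10.1.2.10", "10.0.0.5", 42_000_000),
    ("current", "10.1.3.22", "10.0.0.5", 260_000_000),
    ("current", "198.51.100.7", "10.0.0.5", 6_000_000),
    ("current", "203.0.113.50", "10.0.0.5", 310_000_000),
    ("current", "203.0.113.51", "10.0.0.5", 900_000),
]


def origin(ip):
    """Label a source address as internal or external to the corporate network."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def bytes_by_source(flows, period):
    """Total bytes sent by each source address during one period."""
    totals = defaultdict(int)
    for flow_period, src, _dst, size in flows:
        if flow_period == period:
            totals[src] += size
    return dict(totals)


def flag_sources(flows, growth_factor=3.0, new_source_floor=10_000_000):
    """Return the sources driving the increase, largest current volume first.

    A known source is flagged when its volume grew by growth_factor or more;
    a source absent from the baseline is flagged above new_source_floor bytes.
    Both thresholds are assumptions to tune per network.
    """
    baseline = bytes_by_source(flows, "baseline")
    current = bytes_by_source(flows, "current")
    findings = []
    for src, now in current.items():
        before = baseline.get(src, 0)
        if before == 0:
            reason = "new source" if now >= new_source_floor else None
        else:
            reason = "volume growth" if now >= growth_factor * before else None
        if reason:
            findings.append({"source": src, "origin": origin(src),
                             "baseline_bytes": before, "current_bytes": now,
                             "reason": reason})
    return sorted(findings, key=lambda f: f["current_bytes"], reverse=True)


def share_by_origin(flows, period):
    """Fraction of a period's bytes from internal versus external sources."""
    totals = defaultdict(int)
    for src, size in bytes_by_source(flows, period).items():
        totals[origin(src)] += size
    grand_total = sum(totals.values())
    if grand_total == 0:
        return {}  # no traffic recorded for this period
    return {label: volume / grand_total for label, volume in totals.items()}


if __name__ == "__main__":
    for finding in flag_sources(FLOWS):
        print(finding)
    print(share_by_origin(FLOWS, "current"))
```

The flagged list gives the addresses to investigate or rate-limit first, while the internal/external share reproduces the coarser view the IT department already has.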
Design proposal to tackle the network security vulnerabilities.
The vulnerabilities in the system can be circumvented by putting in place a secure network system that addresses the challenges, or at least most of them. Since the vulnerabilities are on many different platforms, an adequate intervention would have to involve the interplay of many different technologies that synergistically cover more areas.
The first change to the system would be the use of powerful multi-layered authentication technologies to limit the first access to the network (Muhammed & Mukund, 28 Oct. 2014). This part of the intervention is crucial since, if effective, it can reduce the load on the network and allow more efficient and relevant distribution of network resources. Authentication technologies that are available make use of three principles. The first principle is the use of something whose identity is known. The second is something that an individual holds and whose identity is only known to them and the verifying agent or system (a token). The last principle is the use of something inherent in the party being authorized (a biometric characteristic).
Each of these factors can be used in isolation or in combination with another one. The type of authentication depends on the number of factors used. The more factors applied in the creation of the authentication system, the better the security level because of a multi-layered approach. Multifactor authentication is the strongest as it compares many factors over many layers. For the GAI network, the authentication technology of choice is the use of smart cards. Smart card logon is a very secure authentication technology since it assesses both proof of ownership and knowledge of access codes. The user is allowed access to the password or passcode entry window only after sufficient proof of identity. However, the smart card alternative is quite costly and is only justified for use over this corporate network.
This deployment of a smart card solution is intensive and should only be used for the deep layers. As an adjunct to the security measures already described, a network logon feature can also control the access to the computer network by ordinary users. This ensures that trusted machines operated by trusted individuals are used for the exercise. In these open networks, known network identities are assigned to the other nodes and their first contact with the system establishes a path for the transmission of information. Its scalability means limited resources are used effectively for a large number of clients. This second authentication technology is in line with the objective of keeping the cost down without compromising the security of the network.
The Secure Sockets Layer/Transport Layer Security (SSL/TLS) authentication can still be used for the remote access. This protocol is very efficient in maintaining the security of a web-based system. The protocol defines some services besides authentication when running on the virtual private network appliance. The SSL protocol’s function is already implemented in the system, hence this protocol can only be strengthened by covering the loopholes that undermine the integrity of the system. SSL is vital in ensuring that the machine that connects to the network is the actual machine authorized to do so, and forces a secure connection. However, the current system has a loophole in the connection by having unencrypted data passing between the network and the remote terminal. This is exposure to phishing schemes that will use the information to access the system in a secure way and even access restricted areas. Data encryption is necessary before the data leaves the remote terminal and gets into the corporate network to prevent exposure to phishing. Although SSL forces a connection over a secure network, this measure ensures that should anything happen to the effect that the data is accessed, the system is still safe.
A final intervention is the deployment of a security subsystem architecture for central maintenance. A security subsystem maintains the security feature at a central location. The security subsystem provides the security feature to all the clients. The security subsystem is easy to maintain and run updates because of its central location. An advantage of this system is the reduced cost of maintenance since all the components of the system are kept in one place. Code upgradability is not an issue anymore because the security feature is in one subdirectory. Vulnerabilities such as missed patches are not a concern when the security can be updated at one level and reflect system-wide changes. However, this security architecture predisposes to the challenge of increased vulnerability if it is not done well. The problem of the architecture is that the security subsystem is increasingly vulnerable if not appropriately deployed. Unlike the distributed system, the security system has only one center to handle security. Therefore, doing away with this one area or even slightly modifying it has system wide complications and ramifications. This deployment will, therefore, be compounded to investments in the physical locations of the devices. Already, the trusted computing base internal network is very heavily invested in the security of its system and parts. This will, therefore, be a low-cost venture for the security.
Mobility
Mobility in a financial institution offers the possibility of streamlining operations and increasing the value addition services for the industry such as customer relationship management. The security of mobile networks is different from the security of other networks that do not have this feature. A key difference is that mobility platforms have a unique set of challenges and are not very secure platforms, especially when they are deployed as open networks. The problems in this network are of the type that can be addressed while still leaving the system with the benefits of this mobility.
Another security concern in such a system is the deployment of a bring your own device policy. This presents a challenge that comes from the employees themselves. There is a possibility of losing sight of the thin boundary between work and family social life. Such incidents result in cases like Snowden, and these threaten corporate policy and network security. However, all these main challenges facing the mobility deployment can easily be managed.
Design of a secure mobile computing
The mobile computing network includes smartphones, tablets, laptops, etc. This mobile computing platform is ideal for the financial institution since flexibility offers an advantage. The mobility implementation will allow these trusted devices access to internal resources within the corporate network. The intended level of access illustrated above warrants a very secure authentication process to prevent the service being hacked.
The authentication technologies that could prove useful for mobile computing include firewall traffic filtration and use of passwords. Traffic filtration over firewall is the initial step in ensuring that the mobile devices accessing the network are only the ones that have been authorized to do so. The limitation on traffic like this is protective against a heavy load by unauthorized users. The data in the network cannot be accessed from any mobile platform except through this firewall. The data will remain secure for as long as the firewall is functioning and updated.
Data Protection
Data protection must also be addressed at all the levels through which the data can be lost. Mobile networks will need end-to-end encryption for the data transmission process and the use of private keys specific to the network to ensure that the data is kept within the system and not exposed to individuals with malicious intention. The portability of mobile devices necessitates the encryption of the data that is stored on the devices too. The mobile devices are easily lost or get passed around quite often. The data within these devices is safer if it can only be accessed through decryption.
Data loss and violation from the bring your own device policy can be countered by the use of alternative approaches to the problem of blurred lines between the employees’ social and business life. The first security feature is the use of personally owned, company-enabled policies to ensure the data access is restricted to authorized individuals and authorized devices. The personally owned, company-enabled policies give the employees the freedom of working with their own devices but within a midline framework developed by the company to guard its interests. An alternative approach to the same issue is the corporate-owned, personally enabled policy which grants the organization all the rights to remotely delete any data on the devices to protect its name, without incurring any penalties. The latter option is less secure as it relies on monitoring and is more of a “situation control” kind of solution.
Antivirus software is also needed to ensure that the data that gets into the system is not capable of collapsing the system because it contains data. Antivirus applications are usually deployed on the external access points together with the firewalls.
Wireless vulnerabilities
Wireless networks offer the privilege of mobility but at the cost of increased vulnerability. These systems need more security measures implemented to cover for these shortcomings. The first security than in wired or remote connections. This is because in the wireless networks, the devices may not be readily authenticated or they may not be part of the authentication process altogether. Any device may be used to access the corporate network.
Misconfigured firewalls are also a security vulnerability for wireless networks. Without fully functional firewalls, the wireless networks can easily be exploited to gain access to the corporate network and its resources. The mobile devices are a vulnerability in the system since they are not tied to the network. Information stored on these devices can easily be transmitted over other networks without the corporate network having much control. Unsecured access points are another vulnerability. These represent points of potential infiltration into the organization and can grant access to company network resources.
Recommendations
The safeguards implemented for the network security should include secured wireless access points, company policy on the portability of data, data encryption and the use of antivirus and firewall applications that are regularly updated. The authentication technologies to be used include password access and traffic filtration by the firewall. End-to-end encryption and also the encryption of data on mobile devices should protect the data on wireless networks. The data stored in any location other than the corporate network data storage sites should be handled carefully and be stored for no more than four days except on special occasions. This regulation will minimize loss of data and its leakage.

References
McNab, C. (2007). Network Security Assessment. Sebastopol, CA: O’Reilly Media.
Muhammed, J., & Mukund, K. (28 Oct. 2014). Systems and methods of multi-layered authentication/ verification of trusted platform updates. U.S. Patent No. 8,874,922.
Murray, A. T. (2013). An overview of network vulnerability modeling approaches. GeoJournal, 209-221.
Neeraj, K., & Gupta, V. (2014). Security Threats and Attacks in Wireless Sensor Network. Journal of Network Security, 12-17.
