Executive Summary
Global Finance Inc. (throughout the case study it will be abbreviated as GFI) is a large multinational company that functions on the territory of North America and provides its clients with numerous financial products and services. The ultimate goal of GFI is to become profitable and expand its influence in the region. Nonetheless, despite their relative marketing success, their susceptibility to digital attacks significantly reduces the chances to gain customer respect and approval. In perspective, this will adversely impact the level of public confidence and lead to the company’s decline. The current case study is intended to investigate the issues inherent in the IT department of GFI, assess all the accompanying risks, and propose a method for eradicating each of the vulnerabilities.
The process of the risk assessment conducted within the framework of this case study includes all the network-related issues. The author of the case study also pays special attention to the level of each risk and provides the rationale for addressing these risks properly. The most important levels include network/ wireless/ Web protocols and physical/ perimeter security. The author also believes that a careful approach to protecting these GFI assets can be explained by the non-refundable nature of the IT department. This means that in case of an emergency, such a major component of the company’s infrastructure may compromise not only the corporation itself but its customers as well. The lack of IT support will lead to a situation where a number of risks may leave the business behind the competition. The author of the case study proposes several risk mitigation strategies that cover all the most intimate regions of the network and do not cost a lot to implement. The evolving nature of IT threats makes such measures a requirement, not a prerogative.
Asset Inventory
Physical assets available to GFI are outlined below (see Table 1). The author of this case study conducted an extensive review of the available physical resources and came up with an estimation of both monetary values of these assets and their priority in terms of risk propagation.
Table 1. Physical assets.
As can be seen from Table 1, GFI is excessively interested in investing monetary resources in its physical assets. Its workstations and internal servers are of the highest priority because they contribute to the development of the network and ultimate corporate benefits (Stallings, 2016). Nonetheless, their impact may be just as critical when it will come to the level of risk associated with network security and data protection. For instance, any customer data may be lost, and this will lead to monetary losses resulting in a crisis or bankruptcy. Another important point of marking internal servers as an asset of critical importance is the impact of the latter on the company’s infrastructure and overall functionality (Knapp, Langill, & Samani, 2015).
To say the least, the majority of GFI employees daily rely on these services and the inability to communicate with other corporate branches will undermine the customers’ trust and the company’s profitability. Additionally, the author of the case study underscores the significance of communication channels that are established by means of switches and routers. The process of data transmission within the network would be obstructed. We should take into consideration the availability of daily operations that may become unavailable due to the vulnerabilities inherent in VPN or server setup, for example (Stallings, 2016). Such assets as copiers or RAS servers cannot be evaluated as critical because the majority of daily operations performed at GFI will still be available to the employees. The only thing that would be impacted is the level of mobility of employees (for instance, a wired connection may be used in the case if the wireless connection goes down).
Perimeter Security
One of the very first points that have to be addressed is perimeter security because there are external and internal access points that influence the IT state of affairs at GFI (Stallings, 2016). The concept of perimeter security also relies on VPN and other remote connection methods. According to the existing data, one of the biggest threats is DoS. This vulnerability may arise from the inability to filter the incoming traffic properly (this limitation is the consequence of poor network topology). Therefore, a router should never be used in GFI as a network traffic filter because the incoming source of information will most likely remain unknown in the majority of the cases (Kumar, Singh, & Jayanthi, 2016). One of the ways to deal with this is to add a supplementary level of security to the existing firewall and set it up in a way that would allow the GFI system administrators filtering the incoming traffic before the latter passes through the border routers. The positive effect of such innovation may be described as the possibility to improve the speed of information distribution within the network and an increased ability to limit incoming traffic.
Remote Access Infrastructure
The remote access infrastructure at GFI should be based on a relevant VPN gateway. Despite its numerous benefits, VPN may be a rather dangerous asset. In the case of GFI, a VPN connection is not encrypted, and this may lead to numerous security risks that will not be mitigated over a short period of time (Kumar et al., 2016). It is a well-known fact that remote access leaves all the information in the form of plain text if the connection is encapsulated. Therefore, there is a necessity to protect the information because it can be accessed from any remote location. Encryption is necessary (IPSec, for example) because the current authentication method only requires the user to enter their password (Knapp et al., 2015).
This risk has to be mitigated, and it may be useful to implement two-factor authentication. By doing this, GFI will be able to protect their employees and increase the security level of their system. Unsanctioned access that was possible with CHAP authorization (password-only protection) (Stallings, 2016). The company should do whatever it takes in order to minimize the possibility of being exposed to sniffing software and the ability to gain access to any part of the network by simply connecting to the GFI switch (Kumar et al., 2016). Further, the author of the case study will discuss the ways to deal with port-based security and protect the GFI employees from wireless network threats that may significantly impact their mobility. In perspective, locking down the ports on the company’s routers may exclude the instances of unsanctioned access to sensitive data.
Mobility Security
Continuing the topic of mobility and the availability of communication, the author of the study concludes that the current lack of protection at GFI may influence the future of the company (Stallings, 2016). First of all, employees should have freedom in terms of using their devices within the company’s network, but there should be a set of rules outlined for the workers that would limit their interaction with the outside sources of information (Kumar et al., 2016). This may positively impact the employees’ communication practices and the level of output. By doing this, the author of the case study intends to grant access to any information that may be work-related from any location in the company’s office. Regardless, this may negatively influence the security of GFI data. One of the ways to resolve this issue is to implement a unified policy that would regulate the use of mobile devices within the internal company network.
A number of restrictions should be introduced in order to monitor the network for devices that could download harmful software or cause any other damage. The key objective of this initiative is to allow the GFI employees to use their devices but include a number of limitations in the corporate policy (Knapp et al., 2015). GFI could implement an additional level of authentication that is characteristic of wireless networks so as to create a sophisticated environment where the user would be able to communicate with the network only if they had necessary certification-related information (Stallings, 2016). If the person on the other end does not know the necessary data (password), they will not be able to communicate with the GFI network. The implementation of the 802.1x standard may lead to the creation of port-based connection options that will reduce the load on the company’s wireless access points and switches (Kumar et al., 2016). This unified approach to the protection of mobility is beneficial because the network will become integrated and feature an all-around security initiative.
Wireless Vulnerabilities
The wireless protocol that is currently used in GFI is WEP. The problem with this protocol type consists in the fact that it extends beyond the physical restrictions of the GFI network and can be considered outdated. It is safe to say that the presence of WEP does not add to the level of security of the network because there are some tools that may help one to overcome the borders of WEP rather easily. This led the author of the case study to the idea that a WPA2-AES standard could be used by the GFI IT department. This implementation will critically affect the level of the company network’s vulnerability to external stimuli. Moreover, the administration should pay close attention to the hackers’ ability to access wireless networks without physically being located in the office area. It is required to implement the WPA2 standard and relocate the access points in order to minimize the hackers’ chances to gain access to the most sensitive area of the network (Knapp et al., 2015). The author of the case study also proposes to customize wireless connections as much as possible to decrease the possibility of GFI being exposed to unsanctioned attacks that occur outside the physical location of the corporation. The rationale for this will be discussed further in the case study.
Authentication Protocols
When it comes to authentication protocols, the author suggests that the use of a VPN may positively contribute to the security of the authentication process. It is a well-known fact that the majority of organizations currently try to make the best use of remote access instruments so the use of a VPN can be totally justified within the framework of the current study. A typical VPN gateway is similar to a remote access concentrator and may become a serious advantage throughout the process of building a more complex authentication procedure (Knapp et al., 2015). One of the biggest advantages of this technology is the minimization of time that is spent on authentication and information transfer. In GFI, CHAP is the protocol that is currently installed. This is one of the weakest authentication infrastructures, and it is critical to replace it with an updated version of security protocols.
The company may use tokens or digital certificates. The IT department at GFI may also try to combine CHAP with an encryption protocol. This will lead to a situation where any potential hacker will try to gain access to the company’s private network instead of attacking the encryption itself. In this case, the VPN will be protected from the attacks. Considering the fact that GFI does not use any digital certificates yet, they have to review their CHAP strategy. The key rationale of GFI for not using digital certificates yet is their priority to authenticate not the end-user but the linked device (Kumar et al., 2016). It is considered adverse because access from multiple devices is unavailable and all the information may be lost if the device is embezzled (Knapp et al., 2015). The author of the case study stresses the importance of combining CHAP and VPN due to their complementary authentication characteristics. From the security perspective, GFI may consider combining the CHAP authentication protocol with a custom-designed digital certificate so as to ensure that double protection is in place.
Web System Protocols
Web system protocols are responsible for the protection of the data that can be located on the company’s file server (Kumar et al., 2016). This particular question is of high importance to GFI because they were involved in situations where compromised sensitive data triggered unexpected monetary expenditures intended to restore the data and pay the damages. GFI may be interested in compiling a custom-built authentication module intended to improve its authentication mechanism. This LDAP module can be integrated into the Apache build. Nonetheless, it is important to take into consideration the insecure nature of the HTTP Web protocol because the password and user ID will be transmitted via LDAP in the form of plain text (Knapp et al., 2015). This problem is rather serious because it allows practically anyone to sniff that data and gain access to the extension of the HTTP protocol titled DAV (distributed authoring and versioning). The current situation at GFI shows that they do not have the possibility to encrypt the traffic and prevent any possible loss of data. The SSL protocol is not in place either. The latter means that the port 443 (HTTPS) is inactive and the hackers may easily get into the system and bypass all the existing security measures. The implementation of SSL will require the administrators to close the port 80 and maintain the SSL technology on their server.
Cloud Computing Environment
Another area that may have a critical impact on GFI is cloud computing. The creation of such an environment may help the company to strengthen its position in the market and attract more customers without worrying about security or free space on hard drives as much as before. Moreover, this is a perfect possibility to extend the reach of the company and gain more followers within the online environment (Kumar et al., 2016). The idea behind a cloud computing environment consists of the fact that all the GFI customers will send queries to the physical web server located within the limits of the corporate network. In perspective, it will allow the company to offer its services to any given individual from any particular location. For GFI, the only question is the security of such an environment. The decision to place the data on a web server will limit the amount of incoming traffic and protect it from the most devastating attacks. The implementation of this initiative seriously relies on the physical location of the webserver. There is a need to separate the external and internal versions of the network so as to limit all the unwanted and unauthenticated connections (Knapp et al., 2015).
GFI will also have to consider the deployment of two firewalls intended to secure the partition. The internal network will be kept safe due to the separation of the latter and the Internet. Such a design should include one firewall between the internal network and the company’s server and another between the two firewalls. The external firewall would communicate with all the incoming sources of information with the intention of sorting them while the internal would severely block all the incoming traffic that would cause damage to the Web server. The author of the case study highlights the importance of configuring the firewalls properly. This will be needed to protect the internal network and mitigate the risks associated with disclosing the corporate data to the customers or hackers. To conclude, the implementation of a double firewall design would allow blocking all the traffic except for HTTP and HTTPS (ports 80 and 443 respectively) (Stewart, 2014). An all-inclusive cloud computing environment will protect GFI, but the administration has to spend money on additional hardware in order to make such a setup possible.
A Review of Vulnerabilities
The majority of the vulnerabilities that will be assessed further throughout the case study have already been mentioned before – perimeter security, encryption, physical security, remote access, wireless security, remote access. The author will extensively address them so as to come up with a number of relevant recommendations and provide a rationale for dealing with each of the enumerated risks. In general, these vulnerabilities have to be reviewed because they can affect the company’s international standing and overall profitability. By the end of the case study, the author will be able to provide the readers with a comprehensive set of measures that can protect the company from losing data and exposing itself to the incessant hacker attacks. There are two main types of vulnerabilities that will be addressed by the author of the case study: physical and non-physical. While physical threats are much more devastating, the researcher claims that only an integrated approach to assessing and managing the risks may help GFI to get rid of the outdated protocols and come up with a better data protection plan.
Quantitative and Qualitative Risk Assessment
The first risk that has to be addressed by GFI right away is the lack of perimeter security (Stallings, 2016). The problem here consists in the fact that the company only has two border routers. Even though they are expensive and multifunctional, they cannot protect the network properly, and numerous additional steps will have to be taken in order to mitigate this risk. The key issue with the existing hardware consists of the fact that they cannot filter requests coming from the external limits (Kumar et al., 2016). Moreover, they do not provide the end-users with adequate security measures, so it is critical to address this critical risk and come up with a decision as soon as possible. The second risk is the absence of any encryption methods (remember the case where the GFI employee’s laptop was stolen, and the data on the hard drive was not encoded). This is a critical risk that cannot be overlooked within the framework of the current state of affairs. Practically anyone could sniff the information because the majority of laptops and desktops are not protected appropriately (Stallings, 2016).
Remote access to private and sensitive data is also in danger because of the absence of encryption methods. The third issue is physical security, and it is inextricably connected to the previous point. Anyone who plugs their device may have access to the GFI network and bypass the port security (bearing in mind that there is currently no port-security set up in GFI). We may also extend the discussion on the topic of VPN and include the risk associated with remote access to the data located on the servers of GFI. Here, the problem consists in the fact that hackers may easily compromise the network by means of the dial-up access to the information (Kumar et al., 2016). Installing a VPN is probably the only safe option available to GFI that will not turn out to be either costly or sophisticated. If the company decides not to remove its outdated dial-up connection, it will be exposed to the high-level risk of single-factor authentication. The access point that exists only because of the dial-up option should be removed from the GFI network so as to pave the way for a VPN-based network and mitigate the remote access vulnerability.
The risks associated with the concept of cloud computing include security, possible unauthorized access to the customer data, legal risks, lack of control, and the loss of control over the platform. In e-commerce, such aspects play a very important role so they cannot be ignored (Stallings, 2016). The further configuration of an e-commerce platform developed at GFI may lead to unpredictable consequences, so the administration has to be prepared for the outcomes of such decisions. This topic is also connected to the question of wireless security (Kumar et al., 2016). The existing protocol is the key contributor to a high-level risk because WEP-based systems can be hacked even by means of the simplest software that is available to every user and does not cost anything. The risk that can be associated with the existing system is the possibility to access the network even outside of the physical location of the office. If a hacker gets full access to the internal network of GFI, this will end in the consequent loss of personal data and money.
Risk Mitigation Procedures
One of the first things that have to be done in order to protect the company’s network from the intrusions may be the installation of two firewalls. This will help GFI to protect their internal network from unsanctioned breaches. The size of the network also hints at the fact that the possibility of a breach may lead to an unsorted flow of harmful traffic (Stewart, 2014). By doing this, the company will be able to strengthen its perimeter security and minimize the chance of losing important assets. The acquisition of firewalls will cost GFI at least $10,000, but it has to be stated that without this hardware, the company will not stand any chance against hackers and consequent security breaches. There is also a possibility to install an IDS (intrusion detection device). Even though it costs approximately $10,000, its benefits are evident – it will allow the administrators to filter incoming traffic much more aggressively. There is also an advantage that consists in the fact that any IDS is able to generate alerts when necessary (Stewart, 2014). More importantly, the critical risk caused by the absence of any protection of its perimeter may be successfully mitigated by the amalgamation of an IDS and several firewalls. In perspective, such an initiative may save the company and minimize its recovery expenses.
Another important area that has to be addressed is the presence of risks associated with remote access and data security. The former can be resolved by means of installing IPSec. This will allow the company to grant access to its remote employees without being afraid to lose their internal resources (Stewart, 2014). The company may be interested in purchasing a number of digital certificates to ensure that they successfully encrypt all their messages throughout the process of data transfer. When it comes to data security, one of the easiest ways to deal with the risks associated with this part of the network may be to incorporate BitLocker (Stallings, 2016). This is a basic tool that will allow the GFI administrators to protect the data located on the hard drives and physically encrypt all of it. Considering the fact that the majority of GFI employees are using laptops, the installation of BitLocker should be the primary objective of the system administrators. In other words, the use of BitLocker ensures that the company’s assets are safe even when they are stolen (Vacca, 2013). Bearing in mind the potential price of recovering the stolen data, the author of the case study is certain of the fact that the cost of implementing BitLocker is much lower than that of recuperating the lost assets.
The last part of the risk mitigation procedures should be dedicated to Web-based protection. First of all, there is the company’s cloud computing environment. In order to protect it, the administration will have to relocate its Web server and place it somewhere outside the internal network so as to minimize the chances of contact between the company’s intranet and the Web server (Vacca, 2013). The author of the case study believes that the only expenditures within the framework of this upgrade revolve around the purchase of another server necessary to host the company’s website. Consequently, there are risks associated with port security that have to be resolved. Nonetheless, they do not require any monetary outlays as the only thing that has to be done is the correct setup of the existing hardware. As it has been stated before, it is necessary to lock down the ports that are not used (Stallings, 2016).
No outside sources should be allowed to connect to the network under any circumstances. All the networking devices in GFI should be configured accordingly. The last aspect of the risks associated with Web-based threats is the company’s wireless security. The author of the case study recommends the application of the WPA2 standard with the intention of protecting the process of user authentication (Kumar et al., 2016). Also, it is recommended to limit the wireless signal to certain areas so as not to provide it outside the territory of the organization. This implementation is of critical importance because it is completely free and only requires the correct hardware configuration (Vacca, 2013). The latter may involve either finding the spot-on transmission power or relocating the wireless access points and creating a different infrastructure. These are the key components of a perfect WPA2 configuration that can protect the company from providing the signal outside the internal network and exposing itself to hacker attacks (Stallings, 2016). The chances to attack the GFI network will be minimized by means of a complex password and the need to be physically present at the office of the company in order to be able to gain access to the wireless network.
References
Knapp, E. D., Langill, J. T., & Samani, R. (2015). Industrial network security: Securing critical infrastructure networks for smart grid, scada, and other industrial control systems. New York, NY: Elsevier.
Kumar, G., Singh, M., & Jayanthi, M. (2016). Network security attacks and countermeasures. Hershey, PA: IGI Global.
Stallings, W. (2016). Network security essentials: Applications and standards. Boston, MA: Pearson Education, Inc.
Stewart, J. (2014). Network security, firewalls, and VPNs. Burlington, MA: Jones & Bartlett Learning.
Vacca, J. R. (2013). Network and system security. Waltham, MA: Syngress.