Risk Assessment for Incident Management Group - Case Study Example

? Full Paper Risk Assessment Computer network risk Assessment framework takes a holistic approach for accessing risks, threats and vulnerabilities of the organization’s information technology architecture. Likewise, this essential function incorporates a risk management framework led by a steering committee. This committee ensures that the risk management framework is current, operational and up to date. If an organization agrees on establishing a risk management framework, the first step is to establish an asset inventory, where all the critical and non-critical assets are identified. The second step is to take the asset owners on board and define an asset classification scheme. This asset classification scheme defines the severity of all assets along with a value. This value will identify information assets connected on the computer network. Three of the important aspects that make the risk management framework recognizable are vulnerabilities, threats and exploits. Vulnerabilities are defined as weaknesses in a system, network, workstation, or server. This weakness can be exploited by a virus, Trojan, work, malware etc. Likewise, vulnerabilities are not inherent, as they can be created by poorly managing patch management procedures, operating system critical updates procedures, virus definition updates procedures, no adequate rules on firewall etc. These vulnerabilities can be exploited by threats such as a weak hole in an operating system can be exploited by a worm or virus attack. Threats are the known viruses, Trojans, root kits, malware, adware, spyware etc. Following are the result of Risk Assessment performed that will be used by Incident management group of GFI’s Network for activation of business continuity plan. Business continuity plan is develop to mitigate threats that have low probability of occurrence but high impact for GFI’s Network. Name of Threats Probability H / L Impact Action Required Power Failure / Fluctuation H H Reduce (Avoid or Transfer) IT Asset Damage H H Virus Attack H H Failure of Application System H L Develop Control Failure System Software H L Fraud H L Telecommunication Failure H L Internal IT attacks H L External IT Attacks H L Unauthorized access H L Head office Sabotage L H Business Continuity Plan Terrorism L H Explosion L H Fire L H War L H Bomb Threats L H Civil Disorder L H Flooding L H Nuclear Fallout L H Tornado, Hurricane, typhoon L H Tidal Waves L H Data loss L H Heating, Ventilation or Air Conditioning Failure L L Accept High Winds L L Robbery L L As we all know the best way to prepare for a disaster is to avoid the disaster. Therefore, following control has been already operational to mitigate major risk that lead to disaster due to IT breaches. There may be risk of failure of power supply in critical server that is mitigated by deploying redundant power supply that may automatically operate once problem arrived hence mitigate down time. Failure due to surge and electricity fluctuations are common computer hazards, in order to avoid these risks, IT department has taken necessary action to overcome the situational hazards to made all of the available web server hard drives in form of array called Redundant Arrays of inexpensive disk (RAID level 5) that mitigate downtime for business critical web server due to hard disk failure. Considering risk of failure of hardware component mention above redundant backup server for critical application server and authentication server is also deployed in organization for contingency purpose. The primary reasons to apply line-interactive UPSs are to protect the critical load from significant variations in the voltage supplied by the local electric company. To ensure the business running without interruption adequate UPS are installed in the organization. In case of power failure, power will be shifted automatically on UPS and servers, peripheral devices and other users PCs may continue to run in absence of electricity. Moreover, for addressing threats such as cross site scripting attacks, SQL injection attacks, considered to be one of the most dangerous attacks impacting high degree of business loss (Ansari & Sykes, 2012), and codes needs to be validated and hardened. For instance, if programming codes on the web server are left invalidated, the attacker can exploit the database by entering via the website of the organization. The database containing personal customer information will be a breach of privacy policy and some of the data privacy regulations as well. However, privacy policy differs from region to region. (Cross site scripting (or XSS, cross-site malicious content).2007) Similarly, cross site scripting establishes a fake path between the user and the web server, and steals all the confidential information during the established session. Risk Assessment and Threat Assessment Locking down systems is not a workable solution at all, as business critical services, operations and tasks will be halted, resulting in a massive loss for the organization. The information services executed on the workstations are dependent on the systems, as well as, other information services that are interlinked with each other. For instance, in a reputable bank, a proxy server providing Internet services is locked down. The impact of this service will be on other services, such as email service, customer services that may include marketing emails, customer E-statement email, customer notification email etc. however, the second option is feasible, as locking down systems is not a solution. For securing computer networks, there must be a risk management framework for identification of risks, prioritizing of risks, mitigation of risks, transfer of risks, avoidance of risks and acceptance of risks. One of the definitions for risk management says (WALL, 2009) “It is the evaluation of alternate courses of action to seek risk reduction”. Likewise, the most important output by conducting a risk assessment is the priority of restoration of services. Apart from risk assessment, an information technology strategy is required to address threats. The IT strategy is defined as “typically a long-term action plan for achieving a goal, set in the context of a rapidly changing technology environment” (IT strategy definition and review • IT strategy definition and review • oakleigh consulting). To eliminate information security threats on systems and networks, a collaborative strategy is recommended. It includes partnership linking the law enforcement agencies and the private sector by knowledge-sharing and synchronization on investigation methods and trends to eliminate cyber threats. As these threats are also called an organized crime, structured approach is required for combat. The implementation of an emergency response team is mandatory to conduct operations related to cyber activities. The teams can be established from the legacy ICT enabled organizations. The response will also be responsible to communicate with the government and business on cyber security related activities in a safe environment. The implementation of a centralized security center is required to control and maintain the threats to the systems and networks. The security center needs to be equipped with enhanced security technologies, process and methodologies to eliminate utmost advanced persistent threats. Risk identified by risk assessment will be mitigated by implementing preventive, detective, corrective or deterrent controls. Similarly, we can assume that a holistic risk assessment program and an information technology strategy addressing security threats will be one of the solutions for eliminating the two different teams. If both the approaches will be applied to the scenario, business functions may halt. For instance, if a system providing critical business service is locked down, and the same system is marked critical in the risk assessment process, it will not be possible for to incorporate both approaches in the current scenario. GFI’s Network The organization’s network consists of off-site office connectivity that demonstrates a Virtual Private (VPN) Gateway with the Internet cloud. The connectivity of remote users is established separate on a Public Switched Telephone Networks (PSTN). Likewise, the VPN gateway that connects the off-site office is terminating on border gateway core routers of the organization that are located in the Demilitarized Zone (DMZ). For preventing single point of failure, there are two border gateway routers backing up each other. Similarly, border routers are connecting to the distribution routers. There are two distribution routers for preventing single point of failure. Likewise, firewall is installed on one of the distribution routers. There is no protection on the border gateway routers that are directly connected to the Internet. Moreover, the Remote Access Server is located after the firewall. All the remote requests coming from the PSTN network are coming through the border gateway router, distributed router, firewall and then the RAS. Likewise, RAS is terminating on the Private Automatic Branch Exchange (PABX). The PABX is connected to the PSTN network. GFI network consist of six functions i.e. accounting department, loan department, customer services department, management department, credit department and finance department. Each department is connected to a separate switch that is directly connected to routers. Finance department is connected on a separate Virtual Local Area Network (VLAN). The last layer of network comprises of all applications that are called trusted computing base internal network. These trusted network servers are connected to a single router. Proposed GFI Network Proposed Network Changes We have incorporated an intranet server in the demilitarized zone. We have incorporated two firewalls on the edge of internet facing routers i.e. border routers We have again incorporated two firewalls on the connectivity of distributed routers that is not a demilitarized zone We have replaced all the remaining switches with the access layer VLAN switches A common IT infrastructure incorporates logical controls for protecting information assets within the network. The Microsoft active directory is not primarily a security control, as it does not mitigate any risks associated with viruses, worms, Trojans, phishing, spam, denial of service attacks etc. however, it provides a secure administration of user profiles and File sharing features. File sharing threats are spreading on a rapid pace, as every now and then, new file sharing technologies are getting being developed and in demand. Controls will not only provide value from all network based services, but will also augment productivity for the organization in terms of revenue, customer loyalty and competitive advantage. Workgroup based environment is not centralized. For instance, users can only login, if they have account created on that specific computer. As far as security is concerned, there are no passwords, resulting in anyone to log on the network. Moreover, workgroup only recognize twenty to twenty five computers that are on the same subnet. For instance, we have application servers that are on the different subnet, users will not be able to access applications, as they are configured on a different subnet. On the other hand, Domain based environment provides centralized administration and access for users. All staff has to enter user credentials, in order to identify themselves on the network before doing any work. Moreover, computers with different subnet are supported and thousands of computers can be connected on the domain based environment. For instance, if a computer stops responding, employees or users can log on from some other computer and no work is halted. Therefore, Domain based network environments are more effective and are compatible to the current network scenario. Moreover, if security auditing features are enabled, user activity and system logs are saved and monitored. Likewise, the lightweight directory access protocol ensures encryption all the way from the domain controller to the workstations via Kerberos. However, network or system security specialist will not be able to monitor, analyze or examine threats from a domain environment. Active directory prevents unauthorized access because users have to provide login credentials for accessing personal file settings, data and customized permitted objects in the operating system. Logical vulnerabilities include no additional security controls on firewall, critical servers, and network devices. If any suspicious packet bypasses the firewall, there are no mechanisms to track and monitor the probe of a hacker trying to breach into the core systems. Moreover, GFI network do not have a single security control, instead of a firewall and demilitarized zone. This concludes that only Network address translation (NAT) is the only logical security control, whose main purpose is to hide private IP addresses of the local area network and relay the traffic via a global IP address. Suppose, if a threat bypasses a firewall that is located before the RAS server, there is a high probability and risk that the data residing in the trusted computing base will also be compromised. Moreover, if any employee or personnel plugs in the suspicious USB drive in one of the system, there is no mechanism or tools to monitor internal network threats, as it has been proved that internal threats are relatively more probable than external threats. Furthermore, there are no tools for demonstrating events and alerts associated with violation logs. In addition, there are no logical controls linked with the database, as SQL injection techniques have proven to exploit data from the database. Furthermore, for logical vulnerability Virtual local area compatible switch is only interconnecting the finance department. VLAN’s separates traffic for each department an also prevent denial of service attacks and unwanted traffic broadcast that may result in network congestion and degradation of network services. 3.2 Proposed Intrusion detection system Security in terms of computer networks has marked its significance. Senior management address security issues to an optimal level and enforces strict security procedures in order to protect strategic and financial assets. Likewise, new and improved sensing technologies are now mandatory for GFI’s computer network for maintaining the security of network. Consequently, an intrusion detection system is required for continuously monitor threats and vulnerabilities within the EEC network. IDS/IPS derived from the traditional security appliances and is defined as “Intrusion detection system (IDS) is a type of security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions and misuse” (Intrusion Detection System, 2007). The signature based IDS analyze and identify specific patterns of attacks that are recognized by raw data that is in terms of byte sequences called strings, port number, protocol types etc. Likewise, apart from the normal operational pattern, signature based IDS detects any activity that is unusual from previously defined patterns. Moreover, the patterns are monitored with strict control algorithms. The signatures are stored in a signature repository. The prime object of a ‘signature based IDS’ is to search signatures in order to detect a threat or vulnerability that is similar to antivirus software that also detects viruses. The functionality of IDS is to detect attacks that are initiated directly towards the network. Moreover, IDS tries to identify as many events as possible and therefore generate logs. The location if IDS is behind the firewall so that it may analyze packets that are passed via a firewall. The detection engine of IDS compares predetermined rules in order to deny or accept packets. The rules are categorized in two domains i.e. Chain headers and Chain options. The structure of a signature contains the following attributes: Identification number, Message and Rule. However, if a threat is trying to gain access to the confidential data of the organization, signature based IDS will detect this particular threat and generate alerts for corrective actions. Anomaly based intrusion detection system is based on data driven methodology that complies with data mining techniques. The functionality of an anomaly based IDS involves in the creation of profiles associated with normal behavior and activities within the network. If any unknown activities initializes that is not similar to the normal profiles, is considered as anomalies or attacks. Moreover, the normal routines of normal profiles are also monitored, if they also exceeds from their given boundaries, they are also considered as anomalies also called as false positives. An efficient anomaly based IDS may extract results containing high detection success rate along with low false positive rate. Moreover, these systems are categorized in to various sub categories including data mining, statistical methodologies, artificial neural networks, immune systems and genetic algorithms. Among all of these, statistical methods are more commonly used for detecting intrusions by finding out any anomaly that has initiated within the network. By combining these two types of IDS, network administrators eliminate or fill vulnerabilities within the network. Anomaly based intrusion detection system will be recommended for EEC computer network, as the signature based IDS only works on the given signatures and will not sense any unusual activity if it is not defined in the signature. Anomaly based IDS will detect every threat that is referred as anomaly within the network. 4 Proposed Network Security Tools GFI’s computer network has to address many challenges in order to secure the information residing on the network assets i.e. workstations and servers. For mitigating these issues, certified and skilled staff employment is required, as they will contribute significantly for safeguarding and identifying potential threats and vulnerabilities that may lead to a backdoor for cyber criminals. Moreover, there are specialized and certified tools available that will be utilized by the certified staff in a crises situation. Furthermore, in case of a security breach, network administrator employed in GFI will not be able to trace the attack, as the attack spreads in the distributed network and trusted zones. The existing scenario for GFI’s computer network does not have adequate security controls for addressing advance persistent threats (APT), as they construct complex patterns or anomalies. The merger of different networks may broadcast infinite unwanted traffic that can degrade network performance and all three sites may be affected. For resolving this issue, a certified vulnerability assessment tools is required that will be compatible on more than one network interfaces/ distributed networks. References Ansari, S., & Sykes, E. R. (2012). SQL injection in oracle: An exploration of vulnerabilities. International Journal on Computer Science & Engineering, 4(4), 522-531. Intrusion Detection System. 2007. Network Dictionary, , pp. 515-515. Read More