Risk Assessment in Global Finance Inc - Case Study Example

Summary
The paper "Risk Assessment in Global Finance Inc" states that one of the main risks assessed in the company is tied to employees who are unaware of the damage that a lapse in security could do. To create awareness amongst employees it is vital that communication throughout the company is effective…

Extract of sample "Risk Assessment in Global Finance Inc"

Risk Assessment

Risk assessment of the network:

Global Finance Inc. (GFI) recently invested in and installed new components within its network. The main purpose of these changes was to ensure that the performance of the network increased significantly and could support the work carried out by the employees of the organization. The company comprises six main departments: management, credit, finance, customer services, loan and accounting. Each department has a number of users and printers. The greatest number of users is in the accounts and finance departments. Each department is connected to the network via a switch, and the switches are connected through an Ethernet router. The network includes two border routers and two distribution routers. The core network and the offsite office are connected to the internet via virtual private network gateways. Finally, there is the Trusted Computing Base internal network, which holds the core applications that are regularly used by employees of GFI. The Oracle server and the email application are both part of the trusted computing base network. The trusted computing base is connected to the rest of the network by an Ethernet router, which in turn is connected to two Ethernet routers to which the switches of the different departments are connected. To provide access to dial-up users a PBX is used, which in turn is connected to the network through a firewall. It is important to mention that this is the only place in the entire network where a firewall is used.

Interconnection:

To facilitate interconnection the network makes use of a number of connecting devices. To connect users within a department, a separate switch is used for each department. These switches allow the users of a department to share data and send messages to each other efficiently.

To connect users of different departments, these switches are connected to Ethernet routers. The Ethernet routers enable users of different departments to communicate with each other. In addition, these routers give users access to the Trusted Computing Base (TCB), which, as mentioned above, comprises some of the most vital components of the company's applications. The offsite office of the company uses the internet to connect to the office network. The connection of the offsite network is made through a virtual private network. A virtual private network (VPN) uses a public network in a manner that makes it behave as if it were part of a private network. The offsite user then connects through the border and distribution routers, which allow the offsite user to access the parts of the network that he or she desires.

Communication environment:

Over the years GFI has expanded its business and significantly enlarged its network. With the growth of its network GFI was able to greatly facilitate communication and information sharing amongst its employees. The basic need of GFI has always been to give its employees access to the files that help them execute their tasks efficiently. Without these files operations at GFI would halt and little work would be carried out at the company. Such dependency on information makes it crucial for the company to develop an environment where information flows within the organization as fluently as possible. To make this possible it is vital that the elements surrounding that environment promote and encourage information exchange. The company's network is one such element, and it has a significant effect on the way the company shares or exchanges information.

By allowing the network to develop over time, a company ensures that communication remains its number one priority and that operations never stop. Allowing the network to flourish also enables the company to make sure that its employees can access data from any location around the globe. This allows the company's employees to access their data even from remote locations, enabling them to manage their work from home at any time of the day.

Risks associated with the company's network:

Even though the company took measures to ensure that a DoS attack would not affect its network, this is still the greatest threat that the company faces. Moreover, the company is exposed to a DDoS attack, which could greatly damage the service that its network provides and could further damage its reputation (EC-Council, 2010). A DDoS attack is in many ways similar to a DoS attack, except that DDoS attacks tend to be far more disastrous and can leave the network paralyzed for a long period of time. In a DoS attack there is usually only one computer involved, which continuously sends requests to the targeted server; a DDoS attack, on the other hand, uses multiple computers to attack a single targeted server, increasing the impact of the attack (EC-Council, 2010). Since the company has been subjected to such an attack before, it is safe to assume that it must have taken measures to ensure that such an attack does not occur again. These measures may not have been disclosed by the company in order to keep its security measures secret. However, there is reasonable doubt as to whether or not the company has taken any measures to prevent a DDoS attack from occurring. Furthermore, as the company has not employed personnel to advise it regarding its online security, this increases the doubt as to whether or not the company is aware of the dangers associated with a DDoS attack.

The second major risk that the company's network faces is the risk of hackers. Even though the company has employed measures such as adding firewalls and providing VPN gateways, this is still not enough. VPN gateways have only been employed in different locations of the network, whereas a firewall has been used at only one point within the network. Once an unauthorized user is able to bypass the firewall and VPN gateways, there is little or no resistance that the hacker would face in accessing the company's data. Hackers can probably cause the company greater harm than any other threat. Once hackers gain access to the network they can use the information they obtain either to blackmail the company into paying them to keep quiet or to sell the information to the company's rivals (Chandra, et al., 2009). Moreover, these hackers may even manipulate, alter or damage the information in such a way that the company has to invoke its backup system to resume operations. Until these backup procedures are implemented the network remains down, which means there is little or no information that the users of the system would be able to access during that time (Chandra, et al., 2009). This risk arises mainly from the fault within the network structure. The structure does not have enough security features to repel sophisticated attacks on the company's network.

Another risk that comes to mind is related to the individuals who work for the company. When it comes to security it is vital that internal and external threats are both analysed. Usually in an organization internal threats, rather than an external attack, become the reason for a security lapse. Internal security usually deals with helping employees understand the importance of keeping security the primary concern. Usernames and passwords are the main concern.

Employees usually do not take a great deal of precaution when it comes to securing their usernames and passwords (EC-Council, 2011). Employees share their usernames and passwords with each other through insecure channels. It is through these insecure channels that hackers are able to obtain the usernames and passwords of employees and use them to gain access to an organization's network. Moreover, in some cases hackers are able to extract passwords through an approach called phishing. Phishing allows hackers to trick employees and individuals into divulging vital information about the company or about its network's security. Using that information a hacker is able to access the company's network with relative ease (EC-Council, 2011). In some cases employees download Trojans and viruses onto their office workstations. Trojans usually create a backdoor within the computer on which they reside. The backdoor is then used by hackers and unauthorized personnel to gain access to the network and even to monitor the activity taking place within that network (Newman, 2009). The above risks have been identified on the assumption that there are no security personnel to advise the company about the importance of forming policies that ensure that personnel working at the company give online security the utmost importance.

Risk mitigation methods:

One simple way of mitigating the effects of a DDoS attack is obtaining greater bandwidth for the company's network. A DDoS attack basically consumes the bandwidth that the company has set aside for use by its employees and its customers. By increasing the bandwidth the company would ensure that, even during an attack, service to its customers and employees is provided and remains uninterrupted. Using multiple servers so that the traffic is divided amongst them would reduce the load on any one server.

This method of mitigating the effects of a DDoS attack is, however, expensive and requires additional network resources to be implemented (Garfinkel, Spafford, & Schwartz, 2003). Another method that can be used to mitigate a DDoS attack is with the help of the company's ISP. As soon as the company identifies a DDoS attack it should inform its ISP that the company's network is under attack. To identify a DDoS attack in its early stages it is vital that network engineers familiarize themselves with the network traffic that the company receives on a daily basis. Once they are familiar with the network traffic it becomes relatively easier to identify a DDoS attack (Garfinkel, Spafford, & Schwartz, 2003). Informing the ISP makes it aware of the attack. The ISP reroutes all of the traffic that is headed towards the company's server to a null route, so that it is dropped before it reaches the company's server. This method is no doubt efficient and protects the server from any kind of harm; however, it also prevents users or employees from accessing the network (Garfinkel, Spafford, & Schwartz, 2003).

In order to mitigate the risk of hacking the company has to enable some extra protective measures to ensure that hackers are not able to gain any unauthorized access to the company's network. First of all, instead of implementing just two VPN gateways the company must implement a VPN at almost every department to strengthen the security of the network. By implementing multiple VPNs the company would ensure that if an unauthorized user gets past the initial VPN he or she would not be able to obtain easy access to the information that is stored on the network (Chandra, et al., 2009). Another important feature that has been omitted throughout the network is the frequent use of firewalls. In only one place throughout the network has a firewall been used.

A firewall may be able to keep unauthorized users out of the network; however, there are multiple entry points that a hacker can use to gain access to the network and use the data present on the network to his or her benefit (Garfinkel, Spafford, & Schwartz, 2003). In order to protect the network more thoroughly, firewalls must be installed before each border router and distribution router. This would ensure that all the routes leading into and out of the network are protected, and would also ensure that there is little chance for a hacker to gain access to the network over time (Garfinkel, Spafford, & Schwartz, 2003).

Another measure that the company can take to strengthen its network security is updating every program, software package and application that it uses. Outdated software presents a great many weaknesses to the entire system. Weaknesses within a network or a system are seen as opportunities by hackers. Hackers take advantage of these weaknesses and obtain access to a restricted network (Garfinkel, Spafford, & Schwartz, 2003).

The company has mentioned that some of its most valuable assets are present in the Trusted Computing Base (TCB); however, the TCB is one of the most vulnerable parts of the network when looked at from a security point of view. The TCB acts as the central hub for the entire network and provides data to the other networks. Any damage that the TCB sustains can have an impact on the entire network. In order to make sure that data present in the TCB remains safe it is essential that the TCB is placed in a VPN of its own. Furthermore, it would be beneficial if the company updated its database server from 9i to Oracle Database 11g. Oracle Database 11g provides greater security features as compared to 9i. Finally, using a strong encryption algorithm would ensure that even if data is lost there is no way for unauthorized personnel to have full access to the data (Garfinkel, Spafford, & Schwartz, 2003).
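
The firewall placement recommended above can be checked against a model of the topology. The following Python sketch is an added example, not part of the original paper: the node names and the exact links are assumptions built from the paper's description (the network diagram is not on the page). It reports, for each starting point, whether the TCB can be reached without crossing any firewall, before and after firewalls are placed in front of each border and distribution router.

```python
from collections import deque

# Constructed model of the GFI network as the text describes it. The exact
# links are assumptions: the network diagram itself is not part of the page.
# Each link is written (outer side, inner side); "fw_" marks a firewall.
BASELINE_LINKS = [
    ("internet", "vpn_gw_1"), ("internet", "vpn_gw_2"),
    ("vpn_gw_1", "border_rtr_1"), ("vpn_gw_2", "border_rtr_2"),
    ("border_rtr_1", "dist_rtr_1"), ("border_rtr_2", "dist_rtr_2"),
    ("dist_rtr_1", "eth_rtr_1"), ("dist_rtr_2", "eth_rtr_2"),
    ("eth_rtr_1", "tcb_rtr"), ("eth_rtr_2", "tcb_rtr"), ("tcb_rtr", "tcb"),
    ("dialup", "pbx"), ("pbx", "fw_pbx"), ("fw_pbx", "eth_rtr_1"),
    ("dept_switch", "eth_rtr_1"),
]
TARGET = "tcb"
START_POINTS = ["internet", "dialup", "dept_switch"]
# Routers the paper says should each get a firewall in front of them.
RECOMMENDED = {"border_rtr_1", "border_rtr_2", "dist_rtr_1", "dist_rtr_2"}


def is_firewall(node):
    return node.startswith("fw_")


def build_graph(links):
    """Undirected adjacency list built from the link pairs."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, []).append(b)
        graph.setdefault(b, []).append(a)
    return graph


def unfiltered_path(links, start, target=TARGET):
    """Shortest path from start to target that crosses no firewall, or None."""
    graph = build_graph(links)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent and not is_firewall(nxt):
                parent[nxt] = node
                queue.append(nxt)
    return None


def add_firewalls_before(links, routers):
    """Insert a firewall on the outer side of every link entering a listed router."""
    hardened = []
    for outer, inner in links:
        if inner in routers:
            fw = f"fw_{inner}"
            hardened += [(outer, fw), (fw, inner)]
        else:
            hardened.append((outer, inner))
    return hardened


def assess(links):
    """Map each starting point to its firewall-free path to the TCB (or None)."""
    return {start: unfiltered_path(links, start) for start in START_POINTS}


HARDENED_LINKS = add_firewalls_before(BASELINE_LINKS, RECOMMENDED)

if __name__ == "__main__":
    for label, links in (("baseline", BASELINE_LINKS), ("hardened", HARDENED_LINKS)):
        for start, path in assess(links).items():
            print(f"{label:9} {start:12}", " > ".join(path) if path else "filtered")
```

In this model the perimeter firewalls close the internet route, but a department workstation still reaches the TCB unfiltered, which is the gap the paper's separate recommendation to isolate the TCB addresses.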

Implementation and Enforcement of Security Policies

It is necessary to ensure that the security policies are implemented and enforced throughout the organization in an integrated and automated manner, so that all risks are taken into consideration and are addressed to mitigate the overall business risk. In this way, organizations are able to achieve an efficient information management network based on standardized methods and processes. This reduces the human intervention and manual activities that could lead to manipulation of information held by organizations; instead, the human capital can focus on innovation. The dispersion of information generated by different parts of an organization increases the level of risk the organization faces from intrusion into its information management system. In order to achieve this there are certain recommended steps that the organization needs to follow.

Establishing Compliance Framework

By developing a comprehensive and enterprise-wide compliance framework the organization can achieve better adherence to its information security policies.

Developing Process Control Framework

It is important for the organization to have a centralized monitoring system that keeps a continuous check on information being retrieved or worked with to perform different processes within the organization. This framework can generate logs of human interactions and track any weaknesses in the system (IBM, 2007).

Integrating Security Policy

Developing a strong security policy that effectively highlights controls over the different processes of an organization can assist it in enforcing its policies and in effectively monitoring the interactions that take place with its systems. One of the key areas relevant to this is tracking the interactions of those individuals who are given greater access to the system.

The security policy must be well defined to monitor compliance by those individuals who have access to sensitive data or the core functions of the system (IBM, 2007).

Continuous Enterprise-wide Surveillance

There is a need for continuous enterprise-wide surveillance to ensure that security and threat management is efficient. This can substantially reduce the level of risk that an organization is subject to. Effective risk management can allow the company to predict possible risks to information security and ensure that it can address these security issues by undertaking innovative initiatives.

Implementing Server and IT System Policy

This ensures that the configuration of the centralized servers, and access by users through their desktops, adhere to the compliance policies of the organization. Any violations of security must be automatically detected and unauthorized access to the system must be prevented. This would ensure that no threat goes undetected.

Performing and Recording Audits

There should be an automatic and centralized system for generating audit logs so that a high level of efficiency can be achieved. This must ensure that the information is reliably stored and that logs and information are easy to track.

Adopting Innovative Dashboard

Through an innovative compliance dashboard, the organization can give decision makers access to system and access information, and they can direct changes in the system to ensure full compliance with the security policies of the organization (IBM, 2007).

Risk assessment methodology used:

The risk assessment methodology used in this paper was qualitative. The data used in the risk assessment was based on facts stated in the literature provided by experts on this topic. An assessment was also carried out of the network diagram that was provided.

The assessment showed that there were a number of risks that could affect the performance of the network and could even cause the network to suffer downtime. In order to mitigate or eliminate these risks a number of solutions were suggested. These solutions would increase the company's costs but would ensure that the network does not suffer any major downtime. One of the greatest risks usually assessed in organizations is related to the individuals who work in them. Employees at an organization are unaware of the damage that a lapse in security could do. In order to help create awareness amongst employees it is vital that communication throughout the company is effective and that everyone is made aware of the impact that a lapse in security could have on the company and its functioning. The facts used for this risk assessment were obtained from authentic sources. The sources were either books or reports, and no unauthentic source was used to obtain any kind of information.

Reference list

Chandra, P., Bensky, D., Bradley, T., Hurley, C., Rackley, S., Rittinghouse, J., et al. (2009). Wireless Security: Know It All. Oxford: Newnes.
EC-Council. (2010). Ethical Hacking and Countermeasures: Threats and Defense Mechanisms. Boston: Cengage Learning.
EC-Council. (2011). Network Defense: Security Policy and Threats. Boston: Cengage Learning.
Garfinkel, S., Spafford, G., & Schwartz, A. (2003). Practical UNIX and Internet Security. Sebastopol: O'Reilly Media, Inc.
IBM. (2007). Implement and enforce security policies and report on your compliance efforts. New York: IBM.
Newman, R. (2009). Computer Security: Protecting Digital Resources. Sudbury: Jones & Bartlett Learning.

Risk Assessment in Global Finance Inc Case Study Example | Topics and Well Written Essays - 3000 words. https://studentshare.org/information-technology/1805540-risk-assessment