Risk Assessment for Global Finance

Abstract

The current risk assessment for GFI’s network architecture and control measures has left the network in a highly exposed state. The network does not have the ability to monitor and filter the network traffic, thus making network devices and data open to attacks such as malware, denial of services (DoS) and packet sniffing. These are the recommendations are being made to harden the network and mitigate risk.

• Implement a firewall to control and filter network traffic
• Implement IDS / IPS system to notice and block threats
• Ensure data transmission to include authentication protocols from satellite offices and remote users occur in an encrypted state
• Make sure proper authentication protocols are being used

The risk assessment will also have recommendations for improving security, identifying the source of intrusions, reducing network latency, the implementation of personal mobile devices, security complications over a wireless network, and cloud computing security.

Introduction

Global Finance, Inc. (GFI) is a financial company that manages accounts across Canada, the United States, and Mexico. GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers. In 2013, there was an attack that resulted in the breach of the oracle database and the follow up virus attacked that shut down key IT functions this resulted in customers losing their confidentiality and integrity in GFI. GFI ended up paying their clients a large sum of money because of the loss of data confidentiality.

In 2014, another attack happened that affected GFI’s network for seven days, Oracle and email severs were shut down. From this attack the company love $1,700,00 and the faith of the customers data being protected. Another incident that happened was a financial consultant working for GFI left his laptop unattended and it was stolen. The laptop contained client’s financials and the company had to pay out to their clients for damages. In 2015, a lap top was found with network sniffer software under a desk. From the number of cyber-attacks that GFI is a company that needs an increase of information security maturity not only for their network but for the employees to be educated about protecting their work belongings as well.

The plan is to examine GFI’s current network that connects the various departments, allows remote connections from satellite offices and connects the network with the internal trusted computing base (TCB) network. Then to create a risk assessment that will include recommendations for improving security, identifying the source of intrusions, reducing network latency, the implementation of personal mobile devices, security complications over a wireless network, and cloud computing security.

Risk Assessment Approach

The National Institute of Standards and Technology (NIST) SP 800-30 was used to develop the risk assessment framework to identify, evaluate and mitigate risk posed to GFI’s information security that affects the confidentiality, integrity and availability of its information. In the National Institute of Standards and Technology Special Publication 800-30 (2012) it is stated that: The NIST model has a 4-step process for their risk management process, the steps are listed below with an explanation.

NIST Risk Management Processes

• Step 1. Framing risk
• Step 2. Accessing Risk
• Step 3. Responding to Risk
• Step 4. Monitoring Risk

The first component purpose is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk. The risk management strategy establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations. The purpose of the risk assessment component is to identify threats to organizations, vulnerabilities internal and external to organizations, and potential threats that could exploit vulnerabilities. The purpose of the risk response component is to provide a response to risk in accordance with the organizational risk frame by developing alternative plan of action for responding to risk.

The purpose of the risk monitoring component is to verify that planned risk responses are implemented, and information security requirements derived from and traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied. (p. 4)DataData was collected to have a more accurate view of GFI’s IT architecture, identify past, current and possible threats. To conduct a business impact analysis more information was collected to determine the effect of how certain Information was collected prior to the analysis and assessment phase however further information was conducted throughout the process to refine information or expand on requirements.

Interviews and Questionnaires

Qualitative and quantitative questionnaires were sent out to team leaders through-out the company to prioritize current operations and identify possible risks. Detailed questionnaires were sent out for further information. Additional questionnaires were sent to all employees within the organization to have a deeper understanding of the organization. Interviews of key leadership, identified key team personnel and personnel identified through questionnaires was conducted throughout the process. (Harris, 2013) Review of Cyber-attacksA review of past and current documents was conducted to include reviews of past security breaches such as the 2013 Oracle database attack, 2014 network attack and loss of company property, 2015 breach of security, and IT security logs.

System Layout

GFI’s current network infrastructure is as stated in the following:

• Corporate WAN spanning 10 remote facilities, that are interconnected to the GFI headquarters’ central data processing environment.
• VPN connection, remote office users access the internal Oracle database to update the customer data tables.
• The trusted computing based (TCB) internal network is separated from the subnet and a bulk of the data processing for GFI is handled by an Oracle database on a high end super computer located in the TCB.
• The TCB contains an intranet web server used by the internal support team, a Software Update Services (SUS) server used for patch management, an internal DNS server, an e-mail server, and other support personnel workstations. Corporate employees may access the corporate network via a wireless access point. (CMIT 425 Risk Assessment Paper) The following illustration shows the current network topology.

Outside Threats

Based on data collection, past attacks are from outside hackers are a big threat to GFI. If a hacker is determined to steal information for financial gain information to be sold or to commit fraud. Possible attacks a hacker could do on the company are sniffing, malware, phishing, Dos attacks, MITM

• Malware. The introduction of malware such as viruses, Trojans and worms aimed at gaining access to network resources, customer data, or aimed at destroying or stealing data such as customer PII is one of the highest threat.
• Phishing. GFI currently employs approximately 1600 employees, phishing attacks aimed at tricking employees for information such as PII, network account access information such as username and passwords pose a significant threat to GFI.
• DoS attacks. A denial of service (DoS) or a distributed denial of service (DDoS) attack is likely aimed at denying both customer access to company resources such as online financial transactions but also denial of corporate resources to employee and GFI organization.
• Domain Login Cracking.
• MITM. Man in the middle (MITM) attacks may be used to target customers to gain PII or possible gain remote employee access information.
• Application Login Theft. Inside ThreatsGFI has over 1800 employees that have access to confidential client information and confidential corporate data. That leaves the company open to multiple chances of employee theft of information. Company resources can cause the highest level of financial damage because they hold company information. An inside threat could also come from an unknowing employee where an outside hacker could have hijacked on the employee’s account. VulnerabilitiesThe analysis identified the following general vulnerabilities that pose significant threat to the security of the network.
• Lack of system to monitor and filter network traffic
• Data transaction traversing the remote access connection to the corporate internal databases is not encrypted.
• Security ramifications over the wireless network that is widely open to the company and nearby residents
• Absence of employee training to guard against cyber-attacks.

Network Topology Perimeter Traffic

At GFI there are no methods being used to secure the perimeter of the network from untrusted network traffic such as traffic from the unsecure internet. Network devices such as the border (core) routers and distribution routers remain unsecure in an unprotected state. This exposes the routers and the network to attack vectors. Logical Segregation. The network topology does not currently support a high level of logical separation or logical grouping of devices. A high level of unfiltered internal network traffic results in devices within the network being on even levels of access. Being on even levels give untrusted devices access more trusted areas of the network. TCB Access. Though the TCB remains on a physically separated subnet, there is currently no means to filter or control incoming and outgoing network traffic to the TCB. This exposes every component within the TCB to include the critical Oracle database to possible outside attacks and also from unauthorized access from other entities within the network.

Remote access VPN Gateway/Remote Access Server

The VPN Gateway device is located on the border of the network topology and is open leaving it exposed it to possible attack vectors. Current tunneling protocols being implemented is allowing data transactions from the satellite office through the VPN to the GFI internal database to be transmitted in an unencrypted manner. Hackers may engage in packet sniffing to capture data packets containing sensitive information such as username and passwords. The remote access server (RAS) is also located on the border of the topology open to possible compromise with no security such as a firewall. The RAS server job is to authenticate and provide remote access to remote users, this could pose a security vulnerability to potential attacks and malware.

Identity Governance

The GFI currently does not manage an employee’s IT profile within the company which results in lack of centralized governance and vulnerabilities such as: · Passwords: there is no method to enforce password policies such as complexity, password history and account lockout polices.

• Provisioning: currently there is a lack of system to oversee the provisioning of accounts from creation to the termination of an account. This can lead to security vulnerabilities such as orphaned accounts, terminated employees with access, privilege creep and accounts with unauthorized access.
• Audit Control: there is no method to currently perform an audit of current access activity to detect possible security issues.
• Privilege User: there is no method to oversee privilege account users leading to both internal and external vulnerabilities.

Risks for Wireless Access

Global Finance employees gain access to the network using a wireless access point (WAP) that exposes GFI to several security risks. There are risks such as rouge access points, denial of service (DoS), configuration problems, and passive capturing. Rouge access points: “A rogue access point, also called rogue AP, is any Wi-Fi access point that is installed on a network but is not authorized for operation on that network, and is not under the management of the network administrator” (Beal, 2018). This type of attack allows a hacker capture data that is being transmitted from the rouge access point. A hacker would be able to collect a company’s and clients information.

Denial of service: “is a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic” (Beal, 2018). Configuration problems: would be if an inexperienced user set up devices with no security, weak passphrases, and weak security deployments. Passive capturing: “is performed by simply getting within range of a target wireless LAN and then listening and capturing data. This information can be used for a number of things including attempting to break existing security settings and analyzing non-secured traffic” (Wilkins, 2011).

Access Control

Within Goal Finance they have implemented a system where employees are given access high enough to complete their work this has resulted in a vulnerability for the company. This kind of policy leaves the confidential information of the company and their clients and the network open to attackers. The inability to monitor user access control levels give hackers the ability to gain entry to a user’s account and take confidential information or upload viruses to be exploited later. Vulnerabilities Integrity of Transmitted Data. Global Finance plans to operate over a wireless network and will need to send/receive sensitive information. At this time the company is not using any methods to ensure transmitted data has not been interfered with. The company plans to use offer their services online which means that important information will be sent over online and open to attacks.

Employee Training

Global Finance currently does not train end users on threats and proper security procedures. End users are not currently being trained on recognition of social engineering and phishing attacks. Nor are they currently trained in how to recognize or react to a possible data breach. This lack of training exposes GFI’s network to possible threats such as malware that are introduced through end user actions.

Physical Security

Global finance has some security measures to secure the building but there is little to none physical security measures to secure the data center. This is leaving the data center open to theft or damage of sensitive information. Other physical threats are being able to access computers and servers directly to upload viruses or download data is a significant threat to the confidentiality of GFI’s information.

Anti-Virus Software

GFI has an anti-virus software that provides a level of protection against malware and other cyber-attacks. While the anti-virus software is from a well-respected there are no measures in place to make sure it has the latest security updates, but also ensure all the systems receive the updates.

Segregated Networks

The implementation of VLANs switches separates the network for all the departments, accounting, loan, customer services, management, credit, and finance. This controls the networks data flow however this does not protect against possible attacks. Each department is not protected against possible harmful attacks coming from the internet or from a compromised network.

Account Management

The control measures being used to manage account identities is being controlled through manual means. This has brought up the issue of orphan accounts and unauthorized access being granted.

Authentication

Authentication for remote access through VPN or through RAS is currently employing outdated protocols to include using unencrypted data transmission.