Expert answer:Risk assessment Review for palgiariasm
Expert answer:Need help to review this paper for plagiarism and make needed modifications but keeping context and substance. Also, help to include in-text citations using sources from reference listPlease edit and check for plagiarismDo not change contentSend plagiarismreport
risk_assessment_paper_summary.docx
Unformatted Attachment Preview
Running head: GFI SECURITY RISK ASSESSMENT
Global Finance Industry Security Risk Assessment
1
GFI SECURITY RISK ASSESSMENT
2
TABLE OF CONTENTS
1. Background ……………………………………………………………………………………………………. 4
1.1 Purpose …………………………………………………………..Error! Bookmark not defined.
1.2 Roles and Responsibilities ……………………………….Error! Bookmark not defined.
2. Security Risk Assessment ……………………………………..Error! Bookmark not defined.
2.1 Risk Impact …………………………………………………….Error! Bookmark not defined.
3. Network Office Topology ……………………………………………………………………………….. 8
3.1 Network Security ……………………………………………………………………………………….. 8
3.2 Access Points ……………………………………………………………………………………………… 9
3.2.1 Internal Access……………………………………………………………………………………… 9
3.2.2 External Access …………………………………………………………………………………… 10
4. Access Control ………………………………………………………………………………………………. 10
4.1 Authentication …………………………………………………………………………………………. 10
4.2 Privileged Access ……………………………………………………………………………………… 11
4.3 Mobility …………………………………………………………………………………………………… 12
4.4.1 Wireless ……………………………………………………………………………………………… 12
4.4.2 Cloud Computing ………………………………………………………………………………… 13
4.4.3 Email and wireless communication ……………..Error! Bookmark not defined.
5. INVENTORY ………………………………………………………………………………………………… 8
GFI SECURITY RISK ASSESSMENT
3
6. NETWORK VULNERABILITES …………………………………………………………………. 17
7. SECURITY RISK MANAGEMENT ……………………………………………………………… 20
7.1 Wireless Access ……………………………………………….Error! Bookmark not defined.
7.2 Encryption………………………………………………………Error! Bookmark not defined.
7.3 Mobility ………………………………………………………….Error! Bookmark not defined.
7.4 Network Intrusion …………………………………………..Error! Bookmark not defined.
8. ASSUMPTIONS …………………………………………………..Error! Bookmark not defined.
9. CONCLUSION ……………………………………………………Error! Bookmark not defined.
GFI SECURITY RISK ASSESSMENT
4
Executive Summary
There were vulnerabilities discovered after the risk assessment of Global Finance, Inc.
These vulnerabilities were identified as Technical Security, Management, and Operational.
Vulnerabilities are weaknesses that could be fraught with a group of threats or just threats in
general. These weaknesses can be mitigated by defenses that are suggested. These security
measures are precise controls that, when included in the information technology setting,
mitigates the risk that is associated with the operation to controllable levels. However, a
comprehensive discussion about the vulnerabilities and recommended security measures are
discussed in this report. If the security recommendations in this risk assessment are not followed,
company data could be compromised, manipulated which could lead to exposure of sensitive
data or denial of service to the users who need access to the resources on a regular basis.
For Global Finance, Inc to achieve it mission of market sustanabilit, three areas must be
addresses in this report, confidentiality, integrity, and availability. Any vulnerability threat in any
of these areas must be mitigeted and defense controls to protect these areas from vulnerabilities
must be put in place. The objective of this risk assessment is to evaluate the network security of
Global Finance, Inc. This risk assessment shalt provide a designed qualitative assessment of the
operational environment. The tasks to address includes; sensitivity, threats, risks, vulnerabilities
and also the security measures. The assessment recommends cost-effective security measures to
mitigate threats and reduce vulnerabilities.
Background
Global Finance Inc. is a public financial company specializing in finance management,
application, processing, and approval of loans, investment and money management for
customers. GFI operates and manages accounts in Canada, USA, and Mexico, employing over
1,600 personnel and boasts an annual growth consistently at or around 8%. The GFI featured in
GFI SECURITY RISK ASSESSMENT
5
the fortune magazine after a well-designed management strategy based on scaling operational
performance via automation and technological innovation.
GFI has had concurred cyber-attacks over the last a few years, resulting in $1.700, 000 in
revenue loss and unpredictable client confidence. In 2012, a server belonging to the Oracle got
attacked, and their customer’s database got compromised for some days. However, the Oracle
database is restored and back online. The company’s confidentiality and reputation were
damaged. The attacks are a cause of great concern to the CEO; John Thompson, whose plans
places the organization’s confidentiality, integrity, and availability at a premium.
Due to the rising operational dependence on technology in conjunction with a
diminishing IT footprint, I was hired as the Computer Security Manager and report directly to the
Chief Operations Officer Mike Willy. Although the CEO and I understand the strategic
importance of technology in executing GFI’s business plan, I believe that that cutting IT services
and outsourcing IT technologies are a risk to security and strategic capability. GFI’s recent spike
in notoriety has led to a significant increase in network congestion that crosses to the internal
networks, network engineers are unable to identify traffic origination, but the volume and
frequency is a significant concern. To properly secure confidential corporate data, business
intelligence, and customer information, a security risk assessment is submitted.
Purpose
The risk assessment is the determination of the quantitative and qualitative estimates of
risks that are related to IT security threats, and the vulnerabilities that get associated with the GFI
business operations and analyze GFI’s IT organizational activities and infrastructure in the
provision of a wide-ranging and acceptable risk mitigating assessment. This assessment shalt
focus on providing solutions for identifying vulnerabilities and threats that are a risk to
GFI SECURITY RISK ASSESSMENT
6
confidentiality, integrity, and availability and threaten IT security and strategic capability. This
risk assessment shalt:
•
Identify current threats to GFI’s IT security, proprietary business intelligence, customer
information and strategic capability.
•
Identify weaknesses in security operations and company processes
•
Present security controls and authorizations.
•
Assess business impact of known threats and vulnerabilities.
•
Assess risk and identify acceptable risk.
•
Provision of recommendations to fortify and bolster the GFI’s security infrastructure with
the incorporation of emerging technologies and proven processes.
1.2. Roles and Responsibilities
John Thompson, Chief Executive Officer
The CEO’s role is to ensure that the company is long-term strategic business plans
increase shareholder value. Therefore, the CEO would have the final say and decide whether the
IT strategic plans align with the overall strategic business plan. For example, in the case of GFI,
the CSM would present the recommendations to the CEO for implementation of penetrationtesting of the software. The CEO should weigh the other officers’ views and decide whether it
has an impact on ROI and shareholder value.
Mike Willy, Chief Operations Officer
The Chief Operations Officer oversees the ongoing business activities within the
institution. The Chief Operations Officer is second in command. He is the person responsible for
oversight of how IT projects get aligned with day-to-day operations. He also provides leadership
GFI SECURITY RISK ASSESSMENT
7
and input for implementation of the company’s strategic plan and along with the Chief Financial
Officer, is responsible for the oversight of the IT operational activities.
Rick Santos, Computer Security Manager
The CSM serves as the business leader and has the responsibility for the designation,
deployment, and management of the organization’s business security vision, strategy, and
programs. The manager’s responsibility would focus on scientific and technological issues. Also
in policy, research, and development to protect GFI’s network confidentiality, integrity, and
availability. The manager would also be responsible for identifying vulnerabilities and threats to
GFI information system resources to achieve business objectives, identify and implement
security controls measures to mitigate the risks to reduce the hazard to a level that can be
tolerated and examine risk variables to reduce project failures.
2. Security Risk Assessment
An adequate assessment can prevent breaches, and therefore reduces the magnitude of
realized breaches, protecting the GFI from the spotlight for all the wrong reasons. According to
Dark Reading, 2013, “Consistent IT security risk assessments also allow the firm to establish a
cache of past data that can be used to gauge and communicate monetary impact related to risks
effectively — and, hopefully, convince upper management to take decisive action to reduce the
institutions’ threat surface.”
2.1 Risk Impact
The table below summarizes each security’s objectives and potential impact on integrity
availability and confidentiality according to the National Institute of Standards and Technology
GFI SECURITY RISK ASSESSMENT
8
of 2004:
Potential Impacts of Security Objectives
3. Network Office Topology
GFI has a corporate WAN that includes 10 remote sites that communicate with the
central data processing environment through a corporate VPN. Role-based access control
implemented, and access is strictly on the roles of the user within an organization. An example of
RBAC would be if an Engineering manager would need access to Engineering Dept. Data as
well as the training dept. Data. Each role would define the authorizations that are required to
access different objects.
3.1 Network Security
GFI SECURITY RISK ASSESSMENT
9
A VPN gateway appliance installed on the broader layer of the network. According to
Microsoft (2013), “VPNs use a combination of tunneling, authentication, and encryption
technologies to create secure connections. In ensuring the highest-level security for a VPN
deployment, it is advisable to use Layer Two Tunneling Protocol along with Internet Protocol
security.” VPN’s provide the highest level of security because authentication prevents
unauthorized users from connecting to the network. Secure Sockets Layer (SSL) VPN systems
are susceptible to Denial of Service attacks if software patches are not kept up to date. It presents
a moderate risk to availability. Therefore, software patches and updates should be scheduled
nightly during off-peak hours to minimize bogging down the network.
3.2 Access Points
3.2.1 Internal Access
The GFI employees get access to the network internally using pre-inspected and up-todate personal workstations updated with anti-virus. Internal network topology includes 10gpbs
VLAN switches segregated by the department. Personnel, applications, and servers would have
the appropriate access privileges to only the required resources they have the “need to know,”
and monitor activities via auditing and reporting systems. Access control lists should be
implemented to determine who would have access to each VLAN. Some VLAN’s contain
sensitive and classified information. The way you mitigate this is by implementing ACL’s. These
ACL’s control who access the individual VLAN’s, application, databases, email, file and printer
servers. Not implementing ACL’s poses a high risk to integrity and confidentiality. Wireless
access points should be encrypted, and SSID’s be made invisible. Protection of the network is
complete through the installation of a firewall client. It is along with Web Proxy and stringent
GFI SECURITY RISK ASSESSMENT
10
Web Browser settings will no doubt minimize the risk of inadvertent or malicious attacks like
man-in-the-middle and denial of service.
Group Policy is also essential for network security at the internal organizational level.
According to Microsoft (2012), “Group Policy is an infrastructure that allows you to implement
specific configurations for users and computers. The Group Policy settings get contained in the
Group Policy objects that get linked to the Active Directory service containers such as domains,
sites, and organizational units.” The Default Domain Policy GPO should manage the default
Kerberos Policy, Password policy, and Account Lockout Policy and Account Policies settings.
Accounts should be from the same domain as the global parent group. Therefore, Group scope
for OU’s (Organizational Units) should be global. Failure of implementing the controls may pose
high threats resulting in compromise of integrity and confidentiality breaches.
3.2.2 External Access
External access is accomplished through RAS servers, which converse with distribution
routers, VPN gateways, and 10gbps switches via a 100 Mbps router. Mobile users who connect
via dial-up are expected to authenticate. However, remote access to the organization’s databases
is not protected. It poses a high threat to confidentiality, integrity, and availability.
4. Access Control
4.1 Authentication
An asymmetric key is more flexible than the Symmetric system. Messages are encrypted
with one key and can be decrypted only by the other key. Usually, the public key is published,
but the private key is not. PKI deals typically with making sure that the public essential
certification is up to date and authorized. Asymmetric pair of keys is made up of one public key
and one private key. Everyone can know the public key, and the private key must be known and
GFI SECURITY RISK ASSESSMENT
11
used only by the owner. PGP utilizes a trusting scheme where a user has generated 2 keys for
utilization, one public key that is centrally stored that is accessible by everyone and a private key
that is held by the user in confidence. The email is encrypted with the receiver’s public key and
signed by the sender’s private key. Validation of authenticity using the sender’s public key is
done when a recipient receives the message by decrypting it with a private key. According to
(TechRepublic 2001), companies have several authentication methods to ensure the security of
their networks and topology infrastructures. The options available to companies include, but are
not limited to, the following:
•
IPSec Authentication
•
Single Sign-On (SSO)
•
Password Authentication Protocol (PAP)
•
Smart Card
•
Microsoft CHAP
•
Biometrics
•
The Extensible Authentication Protocol (EAP)
•
SSL
•
Kerberos
4.2 Privileged Access
Based on the sensitivity and classified information housed on GFI’s networks, Mandatory
Access Control should get implemented. MAC brought into existence a more specialized design
to access the controls. MAC is mainly done at institutions, housing highly sensitive and
classified data, whose access has the bases on the security labels (CGI Security, 2012), the
characteristics of MAC include:
GFI SECURITY RISK ASSESSMENT
•
12
Only the administrators are responsible for making changes to a resource’s security label
and not the data owners.
•
All data get assigned security level equivalent to its relative confidentiality, protection
and sensitivity values.
•
The users can read lower classifications from the one assigned (A “secret” user may read
unclassified documents).
•
The users can write to a higher classification (A “secret” users can post information to
Top Secret resources).
•
The users have access to read and write to objects of similar classification (a “secret” user
can read or write to a secret document only).
•
Authorization to access is based on the time of the day dependence on labeling on the
resource and the user credentials.
•
Authorization or restriction to objects get based on the security characteristics of the
client HTTP
4.3 Mobility
Mobility is significant for the institution to interact with its clients and other co-workers
shortly. With GFI increasing in size, mobility can boost productivity by creating an environment
where employees can have virtual offices anywhere Wi-Fi is available. Mobility allows staffs to
be more productive and better able to serve the consumer. Also, BYOD is a possibility, but it
involves security concerns. Mobile devices are a threat to their potential to bypass the company’s
firewall and antivirus applications.
4.4.1 Wireless
GFI SECURITY RISK ASSESSMENT
13
There is no debating the fact that wireless capabilities provide flexibility within GFI.
However, the GFI wireless network currently does not employ any encryption, and the SSID is
visible to anyone within the range of the WAP. It presents a high risk to CIA. I strongly
recommend implementing WPA2-Enterprise with AES or TKIP encryption and conceal the
SSID.
4.4.2 Cloud Computing
Cloud computing that is based on e-commerce platforms would allow GFI in offering its
products and services online. However, there are concerns over security. Any data stored
remotely pose a risk of being compromised. Therefore, it requires additional stages of security
and network standards to mitigate these risks. I recommend utilizing Microsoft Azure Cloud
Computing Platform & Services. According to Microsoft 2015), Azure easily integrates with
your existing IT environment through the most extensive network of protected private
connections, hybrid database, and storage solutions, and data residency and encryption features,
so your assets stay right where you need them. You can even run Azure in your datacenter with
Azure Stack. Azure hybrid cloud solutions give you the best of both worlds: more IT options,
less complexity, and cost.”
McAfee Endpoint Security for Microsoft Azure Environments will be used to provide
another level of security to Microsoft Azure’s already robust security features. According to
McAfee (2015), “MESMA integrates with Microsoft Azure and deploys efficiently using the
Azure PowerShell platform, provides advanced security for all of your endpoints — physical,
virtual, and cloud servers, includes antivirus, anti-malware, host intrusion prevention, device
control, host-based firewall, dynamic application control, and more to tackle malware, zero-day
threats, and evasion attacks at every vector — mobile, data, web, email, and network.
GFI SECURITY RISK ASSESSMENT
14
5. Inventory
Item
Department
Quantity
Cost
Total Cost
Priority
Mission
Objective
Dell
Accounting
50
$500
$25,000
High
Offers
Precision
accounting
Workstations
services and
financial
support to the
organization,
Payroll, and
Inventory
Credit
10
$500
$5, …
Purchase answer to see full
attachment
How it works
- Paste your instructions in the instructions box. You can also attach an instructions file
- Select the writer category, deadline, education level and review the instructions
- Make a payment for the order to be assignment to a writer
- Download the paper after the writer uploads it
Will the writer plagiarize my essay?
You will get a plagiarism-free paper and you can get an originality report upon request.
Is this service safe?
All the personal information is confidential and we have 100% safe payment methods. We also guarantee good grades