Posted: October 1st, 2022

Global Finance Industry Security Risk Assessment

Global Finance Industry Security Risk Assessment
Pc Sciences and Info Know-how

Desk of Contents

1. Introduction
Global Finance Inc (GFI) could be described as a public firm specializing in several monetary elements, primarily monetary administration, wholesale mortgage processes, and mortgage utility approval, in addition to making investments for its clients. The corporate’s operations are unfold throughout america, Canada, and Mexico and make use of a workforce comprising of greater than 1600 staff. Previously few years, the corporate recorded an estimated annual progress charge of eight% persistently incomes the corporate recognition via a characteristic on Fortune journal. This constant efficiency has been attributed to the corporate’s well-designed administration technique, whose basis is guaranteeing that operation efficiency is scaled via technological innovation and automation.
Sadly, GFI has been uncovered to a number of cyberattacks lately, resulting in the lack of roughly $1.700, 000 in income. Immeasurable buyer confidence has additionally been misplaced as a result of these assaults. For instance, there was an assault on the oracle database in 2012, resulting in the lack of the client database availability for a number of days. Though this database was restored and regular operations resumed, the misplaced confidentiality was very damaging to GFI’s popularity. The corporate’s CEO John Thompson expresses issues about these assaults as a result of GFI’s privateness and integrity are affected massively, which could have an total impact on how the group conducts enterprise operations sooner or later.
With the corporate rising its know-how dependence on most of its operations and lowering the knowledge know-how footprint, the corporate employed me as a Pc Security Supervisor reporting on to Mike Willy, GFI’s Chief Operations Officer. Though Willy and I clearly perceive the strategic function performed by know-how in implementing the corporate’s marketing strategy, I consider that cutting down on info know-how companies whereas outsourcing IT applied sciences pose appreciable dangers to each the corporate’s strategic and safety capabilities. A safety threat Assessment should be performed, to make sure that the corporate’s company confidential information is safe whereas enhancing buyer info and enterprise intelligence,
1.1. Goal
This threat Assessment goals to find out each the qualitative and quantitative threat estimates associated to the corporate’s IT safety vulnerabilities and threats. The danger Assessment additionally seeks to research the corporate’s infrastructure and IT organizational processes to supply acceptable and wide-ranging dangers mitigating Assessment. Lastly, the analysis may even attempt to provide options to the recognized threats and vulnerabilities, which pose appreciable dangers to the corporate’s integrity and confidentiality whereas threatening its strategic functionality and IT safety framework.
Among the many key areas that this dangers Assessment will cowl contains;
a. Establish GFI’s present threats in several areas, key amongst them being proprietary enterprise intelligence, strategic functionality, buyer info, and IT safety.
b. Establish any weaknesses that may exist in GFI’s firm processes and safety controls.
Assess the potential enterprise impression of the recognized threats and vulnerabilities.
Lastly, to supply suggestions meant to boost the corporate’s safety infrastructure utilizing a confirmed course of and rising applied sciences.

1.2. Roles and Obligations
Chief Govt Officer -John Thompson
The function of a CEO is to make it possible for the long-term strategic enterprise plans of the corporate are properly taken care of to extend shareholder worth. As such, Mr. Thompson will give the ultimate verdict whereas additionally making choices concerning whether or not the strategic info plans align clearly with the corporate’s strategic marketing strategy. As an illustration, on this case, the Pc Security Supervisor offers Mr. Thompson the suggestions on easy methods to implement the penetrating testing software program. Mr. Thompson will then think about views from different officers and determine if this advice will impression the corporate’s ROI and its shareholder worth.
Chief Operations Officer – Mike Willy
The Chief Operations Officer’s main function is to supervise the continued enterprise operations within the firm. On this case, Mike Willy is the second within the command line, and his obligations embody overusing how info know-how initiatives throughout the firm align with the day by day operations. The COO additionally offers inputs and management on how the corporate’s strategic plan must be implanted. Lastly, he Helps the corporate’s Chief Monetary Officer to find out how the operation info know-how course of will impression the general operational funds.
Pc Security Supervisor – Rick Santos
The Pc Security Supervisor’s main function to be the corporate’s enterprise chief whose obligations embody guaranteeing the event, administration, and implementation of the corporate’s company safety imaginative and prescient is properly carried out. On this case, Rick Santos’s obligations deal with the technological and scientific points essential to guard the corporate’s community integrity and confidentiality whereas figuring out any vulnerability that may Help cists on the GFI info system. Endeavor these roles is essential as a result of it is going to Help GFI understand its enterprise goals whereas implementing applicable safety management measures essential to mitigate dangers and decrease the probability of undertaking failure.
2. Security Risk Assessment
With the precise safety dangers Assessment, GIF can forestall safety breaches whereas minimizing the impression of the already realized breaches, thus safeguarding the corporate’s popularity. Moreover, common IT safety threat Assessment may also Help organizations to retailer historic information that may be utilized to speak and successfully gauge the financial impression that’s associated to the recognized dangers. Such an Assessment framework would persuade the corporate’s higher administration to take applicable motion meant to scale back IT on the menace floor to a given group.
2.1. Risk Impression
The desk beneath summarizes every safety goal’s potential impression on integrity, availability, and confidentiality, as described by Dempsey, Witte and Rike (2014).

Determine 1: Retrieved from (Dempsey, Witte & Rike, 2014)

three. Community Workplace Topology
Global Finance Inc has company WAN with ten distant areas for speaking with the corporate’s central information processing setting through a company VPN. The implementation of an entry management exists on the firm with its entry is strictly primarily based on a consumer’s function throughout the group. As an illustration, in a state of affairs the place an engineering supervisor requires entry to information from the engineering division and coaching division, each consumer’s function defines the permissions essential to entry these totally different objects.
three.1. Community Security
Within the community’s border layer, the set up of a VPN gateway equipment is finished. Ross (2014) signifies that VPNs make the most of encryption applied sciences, tunneling and encryption to provide you with a safe connection. Layer Two Tunneling Protocol is used along with the Web Protocol safety (L2TP/IPSec) to make sure that the VPN deployment safety is of the best degree potential. VPN’s provide high-security requirements as a result of authentication normally works to forestall any licensed customers from making connections to a corporation’s community. VPN methods utilizing Safe Sockets Layer are inclined to inclined to varied threats such because the Denial of Service assaults, particularly in conditions the place the software program patches haven’t been up to date. As such, updates on software program patches must be finished often with probably the most advisable strategy being to conduct nightly schedules throughout off-peak hours as a result of it might be certain that the community will not be slowed down.
three.2. Entry Factors
three.2.1. Inside Entry
Global Finance Inc staff can internally entry the corporate community via the usage of pre-installed and up to date particular person workstations fitted with antivirus. The group’s inner community topology contains the usage of 10gpbs VLAN switches which were segregated by the division. With this type of arrange, it implies that personnel, servers, and purposes have entry to the suitable privileges such that they solely require the assets they have already got whereas their actions could be simply monitored via varied auditing and reporting methods. The lists of entry controls also needs to be carried out to find out the people which have the precise to entry every VLAN, given the truth that a few of them have already got labeled and delicate info. These dangers can additional be mitigated by implementing ACLs as a result of they permit for the management of who can entry particular person VLANs, databases, purposes, and different vital information. Failure to implement these ACLs would pose appreciable dangers to the confidentiality and integrity of the group. Moreover, encryption of Wi-fi Entry Factors is important whereas the SSIDs must be made invisible. These measures could be bolstered by putting in a firewall shopper with automated configurations as a result of they improve safety to the community. Lastly, establishing these measures alongside guaranteeing that strict Internet Browser settings are put in place will decrease the dangers of malicious assaults equivalent to a denial of companies or man-in-the-middle.
One other essential community safety measure to contemplate is Group Coverage, which performs a big function, primarily when utilized on the inner group degree. Rafaels (2019) defines Group Coverage as an infrastructure permitting for the implementation of particular configurations for each computer systems and customers. Group Coverage settings exist throughout the Group Coverage objects (GPOs) which are usually linked to Lively Listing companies equivalent to organizational items, websites, and domains. On this case, Default Area Coverage GPO can be utilized to handle default Kerberos Coverage, Account Insurance policies settings, password coverage, and Account Lockout Coverage (Rafaels, 2019). These accounts should be from an identical area, which is the worldwide mother or father group. As such, group scope for organizational items must be common. A failure to make sure that these controls are carried out poses excessive dangers that may lead to a confidentiality breach whereas integrity can also be misplaced.
three.2.2. Exterior Entry
RAS servers permit for the belief of exterior entry as a result of they discuss to the distribution routers, 10gbps switches, and VPN gateways via a router of about 100 Mbps. Cell customers making dial-up connections need to make authentication (Rafaels, 2019). Nevertheless, encryption of inner company databases distant entry will not be finished which tends to pose appreciable threats to the integrity, confidentiality, and availability.
four. Entry Management
four.1. Authentication
In comparison with the Symmetric system, it tends to be extra versatile. The system permits for message encryption utilizing one single key and might solely be decrypted utilizing one other key designed just for that objective. Normally, the general public key could be revealed whereas the non-public key can not. The function of a PKI is to make sure that the certification of the general public is saved up to date and licensed.
The uneven keys comprise of 1 non-public and public key every. Whereas the general public key’s open to everybody, the non-public key can solely be identified or utilized by the proprietor. PGP could make use of a trusting scheme that permits customers to generate two keys, one a public key that may be accessed by everybody since it’s saved at a central and accessible location. In distinction, the second key’s non-public that the consumer holds in confidence. Encryption is commonly finished utilizing the receiver’s public key whereas the sender’s non-public key does the signing. As soon as a message is acquired, it’s decrypted by the recipient utilizing the non-public key. In distinction, the validation of this message authenticity is finished utilizing the general public key from the sender.
Yang and Hwang (2015) argue that firms have a tendency to make use of a number of authentication strategies which are used to safe their topology infrastructure and networks. Among the choices that GFI can think about could embody;
• IPSec Authentication
• Password Authentication Protocol (PAP)
• Microsoft CHAP
• SSL
• And plenty of extra others equivalent to Kerberos.
four.2. Privileged Entry
From the labeled and delicate info on Global Finance Inc’s community, the implementation of Obligatory Entry Management (MAC) must be undertaken. MAC can introduce specialised approaches in direction of entry management, and it’s carried out sometimes at organizations with the power to retailer labeled and extremely delicate information. In distinction, entry tends to be primarily based on present safety labels. Yang and Hwang (2015) signifies the next to be the traits of a Obligatory Entry Management;
a. The modifications made to a given useful resource safety label can solely be finished by an administrator and never the info homeowners.
b. The assigned safety degree on every information relies on its relative safety worth, confidentiality and sensitivity.
c. All customers have the precise to learn from decrease classifications in comparison with the one they’ve been granted, and so they can also write from a better classification
d. A learn/write entry is given to customers to be executed on objects that naked the identical classification.
e. Authorization and restriction of entry to particular objects are sometimes primarily based on a specific time throughout the day, relying on elements equivalent to labeling on a useful resource and the credentials of the consumer.
f. Authorization and restriction of entry to particular objects are additionally primarily based on HTTP shopper’s safety traits.
four.three. Mobility
To boost efficient interplay between the group between co-workers and its clients in real-time, mobility is a crucial consideration. Global Finance Inc intends to extend its dimension, which implies that mobility would improve productiveness by establishing an setting the place its staff can have their digital places of work wherever, so long as there’s an web connection. Mobility tends to empower staff in order that they develop into extra productive, and they’re additionally in a greater place to serve the shoppers (Yang & Hwang, 2015). Nevertheless, though mobility is a crucial asset to have in any group, safety issues should even be thought of. As an illustration, cellular units are inclined to pose large threats as a result of they’ve the potential to bypass an organization’s antivirus purposes and firewalls.
four.four. Flexibility and Comfort
four.four.1. Wi-fi
Wi-fi capabilities inside Global Finance Inc present the corporate with numerous flexibility. Nevertheless, the present wi-fi community at Global Finance Inc does not make use of any type of encryption whereas the SSID tens to be seen to anybody throughout the WAP vary. As such, this arrange the current’s excessive dangers to the CIA. Primarily based on this understanding, it might be recommendable to implement WPA2-Enterprise with TKIP or AES encryption. Moreover, the SSID also needs to be hidden.
four.four.2. Cloud Computing
E-commerce platforms which are cloud computing primarily based permit Global Finance Inc to supply its clients with totally different services through on-line platforms. Nevertheless, though these on-line platforms present clients with a handy technique of service supply, they pose a number of safety issues as a result of any information whose storage is finished remotely can simply be compromised. As such, further community safety phases and requirements are required to make sure that these dangers are mitigated. I’d suggest the usage of Microsoft Azure Cloud Computing Platform & Companies to mitigate such dangers. Yang and Hwang (2015) point out that Azure can simply combine with the prevailing IT setting in a corporation via totally different safe non-public community connections, storage options and hybrid databases, amongst others. With such capabilities in place, the group’s property stay proper the place they’re wanted. Furthermore, Azure Stack may even be used to run AZURE inside a corporation’s datacenter. The Azure hybrid clouds are identified to supply the very best options to each worlds by providing extra IT choices whereas reducing prices and complexities.
Microsoft Azure already has sturdy security measures, however they want one other safety layer that may be offered via the McAfee Endpoint Security relevant within the Microsoft Azure Environments. Yang and Hwang (2015) point out that MESMA can combine with Microsoft Azure. Via the Azure PowerShell platform, it may deploy simply, thus offering superior safety to a corporation’s endpoints.

5. Stock
Merchandise Division Amount Price Whole Price Precedence
Dell Precision Workstations Accounting 50 $500 $25,000 Excessive
Credit score 10 $500 $5,000 Reasonable
Buyer Service 10 $500 $5,000 Reasonable
Finance 35 $500 $17,500 Excessive
Loans 20 $500 $10,000 Reasonable
Administration 10 $500 $5,000 Excessive
TCB Community 10 $500 $5,000 Excessive
Subtotal 145 $72,500

HP LaserJet Printers Accounting 5 $400 $2,000
Credit score 1 $400 $400
Buyer Service 1 $400 $400
Finance three $400 $1,200
Loans 2 $400 $800
Administration 1 $400 $400
TCB Community zero zero zero
Subtotal 13 $5,200

Wi-fi Entry Level three $300 $900 Excessive
VPN Gateway 2 $35,000 $70,000 Excessive
Border Routers 2 $30,000 $60,000 Excessive
Subtotal eight $132,300
Grand Whole $210,000

6. Community Vulnerabilities
System Vulnerability Risk Precedence
Wi-fi Know-how Global Finance Inc wi-fi community is accessible to the corporate staff and neighboring residents. This open accessibility presents a really excessive threat to the corporate’s community safety. Excessive Excessive
Encryption Encryption has not been undertaken on the distant connectivity that exists to and from the company database and TBC. It is a high-security threat to Global Finance Inc. Excessive Excessive
Mobility There is no such thing as a present system that has been established to forestall malicious packages that may exist on contaminated units and purposes from interfering with the company community. Moreover, no established system exists to safeguard the corporate’s information from compromise if the system is stolen or will get misplaced. Excessive Excessive
Community Intrusion There’s a large spike within the community site visitors that’s crossing the corporate’s inner networks. In the mean time, the origin of this site visitors or the individual producing it’s but to be recognized. Furthermore, the frequency and quantity of this community additionally occurs to be very irregular Excessive Excessive
Cloud Computing Failure to make sure that cloud computing is properly secured makes it inclined to occasional information breaches, which might result in the lack of confidential and high-level company info. Medium Medium

7. Risk Mitigation
The present IT processes and community topology at Global Finance Inc current a number of severe vulnerabilities that require mitigation utilizing each the arduous and gentle safety controls. Within the present IT setting, these vulnerabilities need to be addressed to make sure that Global Finance Inc’s information and property are adequately safeguarded whereas additionally guaranteeing that the corporate’s enterprise intelligence maintains the CIA mannequin.
7.1. Wi-fi Entry
Presently, wi-fi community entry processes use open authentication approaches. This strategy permits any particular person inside GFI WAP’s proximity and working any WIFI enabled system to realize entry to labeled, privileged and delicate info. The potential threats that Global Finance Inc is uncovered to incorporate; Denial of Service assaults, wi-fi intrusion and phishing, endpoint assaults, amongst others. Such assaults have the potential to trigger quantitative and qualitative injury to the corporate’s integrity and confidentiality. Primarily based on this understanding, these dangers could be mitigated by adhering to the next suggestions;
a. The SSID must be hidden within the Global Finance Inc framework via a course of known as community cloaking. Adopting this strategy prevents the SSID title from being broadcasted by making it seem like invisible. Though this strategy can forestall inexperienced customers from accessing the community, it must be taken as a supplementary measure meant to help encryption.
b. One other advice must be to implement WPA2-PSK (AES) encryption as a result of it boosts community encryption whereas additionally be certain that the excessive speeds inside a given community are maintained.
c. Lastly, two networks must be carried out to make sure that visitors are segregated from the Global Finance Inc staff. These networks are the Global Finance Inc Emp and Global Finance Inc Visitor. The visitor community will permit all guests to have momentary entry to ascertain connections to the Global Finance Inc community. Nonetheless, they’d not be capable to entry the corporate’s delicate or labeled info.
7.2. Encryption
IPSec must be the encryption approach used to safe all info transmitted via the Global Finance Inc VPN, distant methods, or TCB interchanges. “IPSec makes use of parcel separating and cryptography. Cryptography offers shopper affirmation, ensures info privateness and trustworthiness, and implements confided in correspondence. The strong cryptographic-based verification and encryption bolster that IPSec offers are notably compelling to creating certain about site visitors that should cross untrusted prepare methods, like these on an unlimited company intranet or the Web. IPSec moreover is especially applicable and efficient in enhancing community safety, particularly to purposes that do not give ample safety to any communication (Trojahn & Ortmeier, 2013). Routers and firewalls will likewise be redesigned to permit IPSec site visitors.
7.three. Mobility
Global Finance Inc’s community requires that greatest practices must be carried out to make sure that BYOD units don’t hurt the community. As such, the next suggestions must be thought of;
a. Cell system administration instruments must be used to trace all cellular units throughout the group and likewise maintain observe of the working methods and purposes throughout the firm whereas additionally conducting patch administration. As soon as these instruments establish a malicious utility or vulnerability inside a particular system, this malicious utility or system must be quarantined till a patch or repair is accessible.
b. One other advice is to put in endpoint safety software program like Norton Endpoint Safety, Kaspersky Web Security or McAfee Cell Security on all units. Nevertheless, though this software program is helpful in stopping information leakage from the group, it isn’t capable of shield the corporate in opposition to actions dedicated by untrusted staff. As such, entry management measures, audit logging, and different management measures need to be put in place.
c. It is usually recommendable that Global Finance Inc’s assets are separated from private consumer assets. On this case, a MAC shall be used to supply entry to the corporate’s staff once they require figuring out something. Adopting these measures implies that labeled or proprietary info cannot be accessed from any BYOD units. These steps are undertaken to safeguard the corporate’s property and knowledge whereas permitting its staff the pliability to make use of their units.
d. Lastly, authentication strategies like Password Authentication Protocol (PAP) must be utilized to entry any Global Finance Inc’s community or property.
Making use of these suggestions will permit Global Finance Inc the pliability essential for efficient cellular computing whereas guaranteeing defense-in-depth posture is maintained with out rising any upkeep or administration necessities.
7.four. Community Intrusion
Community site visitors quantity has been reported to have elevated considerably, and as such, the suggestions that I’d make embody putting in signature-based Intrusion Detection Techniques, which are typically extra proactive by way of reacting to threats inside a corporation. These methods can obtain these milestones as a result of they will monitor the community actions fairly simply to supply tangible studies through which the group personnel could make the precise Assessment and safe their community appropriately. When these Intrusion Detection Techniques are positioned alongside firewalls, they will scan each inbound and outbound site visitors successfully.
One other advice would make the most of penetration testing software program equivalent to Metasploit, which offers an explosive framework consisting of quite a few highly effective instruments in addition to the utilities required for penetration testing. One of the essential phases of penetration testing is intelligence gathering as a result of it offers a strong platform for the final word payload supply. Moreover, intelligence gathering strategies like port scanning are generally used to use any vulnerability inside a given community.
eight. Assumptions
The Pc Security Supervisor at Global Finance Inc, Mr. Rick Santos has to handle and function the corporate’s community whereas making the next assumptions;
a. That community customers will not be going to permit any unauthorized events from buying entry to their confidential information or login info entrusted to them.
b. Each crew member throughout the firm, whether or not employed or an informal employee, will report on any safety incident or points that they may encounter with the corporate’s hardware or community.
c. The GIF’s laptop safety crew shall be accountable for creating, implementing and keep a safety coverage.
d. The Techniques Administrator ought to approve all modifications whereas the CSM makes the authorization. Moreover, the administrator will implement whereas the CSM will take a look at, confirm and keep the community system.
e. Lastly, any place modifications or worker termination must be communicated to the corporate’s Pc Security Supervisor inside a well timed vogue in order that nay privileges could be adjusted or revoked as essential.
9. Conclusion
Security stays an inevitable expense that any firm ought to undertake if it needs to boost the security of its operations and assure its clients with integrity and confidential processes. Global Finance Inc maintains a lot of information containing labeled and confidential info saved at totally different areas and the transmission of this information going via quite a lot of mediums and utilizing totally different strategies. As such, Global Finance Inc can’t be reluctant concerning the integrity advert confidentiality of this community being compromised as a result of the corporate dangers dropping delicate information. Risk administration refers to processes that establish and mitigate the vulnerabilities with the community processes. Resolving any points that may exist inside encryption administration or wi-fi networks will be certain that Global Finance Inc can remedy a lot of the threats that it presently faces. Furthermore, a well-established threat administration plan that’s accompanied by strong safety consciousness coaching, alongside distinctive worker credentials requiring multi-level authentication, provide the precise safety that Global Finance Inc requires to protect the integrity and confidentiality of its community. When all these elements are put into thoughts, it’s recommendable that any outsourcing concerns must be halted till the established safety issues have been resolved conclusively.

10. References
Dempsey, Ok., Witte, G., & Rike, D. (2014). Abstract of NIST SP 800-53 revision four, safety and privateness controls for federal info methods and organizations. DOI:10.6028/nist.cswp.02192014
Rafaels, R. (2019). Information to understanding safety controls: NIST SP 800-53 rev 5.
Ross, R., Katzke, S., Johnson, L. A., Swanson, M., Stoneburner, G., & Rogers, G. (2007). Advisable safety controls for federal info methods and organizations. DOI:10.6028/nist.sp.800-53r2
Ross, R. S. (2014). Assessing safety and privateness controls in federal info methods and organizations: DOI:10.6028/nist.sp.800-53ar4
Smith, R. W. (2004). undefined. The Definitive Information to Samba three, 261-292. DOI:10.1007/978-1-4302-0683-5_10
Stoneburner, G., Goguen, A., & Feringa, A. (2002). undefined. DOI:10.6028/nist.sp.800-30
Stoneburner, G., Goguen, A., & Feringa, A. (2002). undefined.
Trojahn, M., & Ortmeier, F. (2013). undefined. 2013 IEEE Seventh Worldwide Convention on Software program Security and Reliability Companion. DOI:10.1109/sere-c.2013.14
undefined. (2016). Worldwide Journal of Science and Analysis (IJSR), 5(1), 1581-1584. DOI:10.21275/v5i1.nov153159
Yang, D., & Hwang, I. (2015). Security enhancement strategies for cellular POS system. 2015 2nd ACM Worldwide Convention on Cell Software program Engineering and Techniques. DOI:10.1109/mobilesoft.2015.40

Order | Check Discount

Tags: Global Finance Industry Security Risk Assessment