Gf Risk Assessment Paper

Running Header: GFI: Risk Assessment UNCLASSIFIED 1
GFI: Risk Assessment UNCLASSIFED 19

GFI: Risk Assessment
SGTs Cranston, Patterson, Zagurski
NCOA
SSG Fekete

Contents
1. Background and Purpose
2. Network Inventory, Value, and Priority
3. Perimeter Security: Access Vectors, Vulnerabilities, and Solutions
4. Remote Access Vulnerabilities and Solutions
5. Authentication and Data Protection for Mobile Devices
6. Wireless Security, Vulnerabilities, and Mitigations
7. Evaluate the Authentication Protocols in the Networks
a. Wired
b. Wireless
c. Mobility
8. Web System Protocols and Vulnerabilities
9. Web Access
10. Cloud Computing
11. Final Thoughts

Background and Purpose
Global Finance, Inc.

(GFI) manages thousands of financial accounts across Canada, the United States, and Mexico. They are publicly traded on the New York Stock Exchange. GFI handles a variety of financial needs, and they are specialized in financial management, loan application approval, wholesale loan processing, and portfolio management for their customers. Lately, GFI has been suffering from a slew of cyber-attacks and is desperate to mitigate threats without significant information technology (IT) budget increases. A majority of the daily work performed at GFI is done electronically and the security posture has not kept pace with the increase in demands placed on the network.
A primary focus of GFI is maintaining the confidentiality, integrity, and availability of their network and the data that traverses it. Unfortunately confidentiality, integrity, and availability have decreased in recent years as GFI has experienced numerous breaches. In 2013, GFI paid a large settlement to customers when their Oracle database server was targeted and customer data was stolen. The attack cost several days of lost productivity and substantial damage to GFI?s reputation. The next year, a virus infected multiple key systems and propagated throughout the entire network. The vector of the attack is still unknown, but GFI employees were without email or databases for several days. That attack cost GFI $1,700,000 in lost revenues and also damaged customer confidence in the company.
Separately in 2014, a GFI laptop containing key customer information was left unattended in an airport and was stolen. The hard drive of the laptop was unencrypted and GFI was forced to pay financial reparations to affected customers. In addition to these incidents, a laptop was found running network sniffer software in a vacant office in 2015. It was plugged into a network jack underneath a desk. Recently, GFI has experienced a spike in network activity with unknown causes. The spike may be related to fresh media attention.
GFI was recently featured in Forbes magazine, drawing attention to their achievements and creating a target for potential attackers. This risk assessment will seek to execute Chief Executive Officer (CEO) Thompson?s vision for confidentiality, integrity, availability within the network. The project will be under the direction of Chief Operations Officer (COO) Willy and the office of the Chief Security Officer. This plan intends to keep as much of the company infrastructure as possible in-house, and outsource only when necessary. The security assessment will advocate courses of action (COA?s) at various points, but with the intent on keeping costs as low as possible. The goal of this assessment is to audit current network topography and security practices, and suggest changes where necessary to ensure the continuity of operations. Assessing potential risks is a valuable step in broadening GFI?s security footprint.
Network Inventory, Value, and Priority
Item
Location
Quantity
Cost per unit
Total Cost
Priority

Dell Computer
Accounting
63
600
37800
?Medium

Credit Department
10

6000
?Medium

Customer Service
12

7200
?High

Finance
49

29400
?Medium

Loan Department
25

15000
?High

Management
5

3000
?Low

Intranet
7

4200
?Low

?
Total
171
?
102600
?

Lexmark Printers
Accounting
7
250
1750
?Low

Credit Department
3

750
?Low

Customer Service
3

750
?Low

Finance
5

1250
?Low

Loan Department
5

1250
?Low

Management
3

750
?Low

Intranet
0

0
?Low

?
Total
26
?
6500
?

Wireless Access Point
?
1
2000
2000
Low?

Private Branch Exchange
?
1
20000
20000
?Medium

VPN Gateway
?
2
30000
60000
?High

Multilayer Switch
?
3
1000
3000
?Medium

Border Core Router
?
2
10000
20000
?High

Distro Router
?
2
10000
20000
?High

10Gbps Switches
?
6
1500
9000
?Medium

Remote Access Server
?
1
10000
10000
?Medium

TCB Servers
?
6
1500
9000
?Medium

?
Total
?
?
153000
?

?
Grand Total
?
?
262100
?

Item
Priority

SUS Server
?Low

Oracle Database Server
?High

Internal DNS
Medium

Exchange E-mail
Low

File and Print Server
Low

Intranet Web Server
Medium

Workstations
Medium

The most valuable systems for GFI are those related to the core production, financial services. Access to the trusted internal network, for both headquarters and branch offices, is critical to ensuring customers are capable of accessing their accounts. To this end the external routers, the VPN, and the internal trusted servers are the highest priority. The individual departments responsible for servicing these core functions, customer service and loans are also high. Supporting roles such as finance and accounting are medium in importance. For while they play a role in service the customer, they are not the customer?s first stop and any delay here can be offset later. However, delaying a customer?s loan will lose that customer. Printers and employee quality of life, such as wireless, are the lowest priority.
The Oracle database server in the past has experienced two malicious attacks that required it to be taken offline. This resulted in monetary reimbursement to consumers as well as a loss of confidence in GFI. As this server is so central to the daily operating success and reputation of GFI it is the highest priority asset within the internal network. Email, the intranet website and internal DNS are all medium in priority as they support the core functions but are not directly core functions. The SUS server and file and print server are low priority since these functions are the least directly related to the core operating functions of GFI.
The most valuable assets, the VPN gateways, the private branch exchange, and the routers should all be afforded a degree of physical security to prevent theft and tampering. Information security protocols and proper configurations should be utilized to prevent remote and malicious access to these devices. Network topology needs reform to prevent circumvention of the external security measures. Security focus should be spent not only around assets of the most value, but rather on assets that produce the most value. Those services that enable the core functions of GFI?s financial activities.
Perimeter Security: Access Vectors, Vulnerabilities, and Solutions
GFI?s network surface area is rather large.

Two routers demark the border between internet and intranet. Internal to these routers are two more routers, creating the appearance of a demilitarized zone (DMZ). However, there are access points, the wireless antenna system and the remote access server (RAS), that provide deeper intranet access that do not rely on the DMZ, rendering the latter rather decorative than substantial. Lastly, there is the virtual private network (VPN) that makes use of the edge routers and provides greater intranet access. Over all, there are four access points: VPN, two edge routers, the RAS, and the wireless system. The RAS, VPN, and wireless provide internal access.
The wireless antenna array is vulnerable to masquerade (with credentials taken from and evil-twin attack or dumpster dive). Combining a MAC address or IP spoofing attack to work around any whitelist efforts would gain access to the internal network. The router that services the VPN likely just forwards all traffic as port and IPs to filter on would be inapplicable. This, for all intent, puts the VPN on the edge making it

vulnerable.
Hardening the network is possible. Expand the DMZ to include firewalls, as opposed to edge two routers to enhance security posture. Cisco IOS Firewall is a statefull perimeter defense product capable of intrusion prevention system (IPS), content filtering, and network address translation (Cisco). Cisco ASA firewalls would be the internal firewalls between the DMZ and the trusted internal network. Within this DMZ move the wireless. Additionally, to the wireless network add an Authentication, Authorization, and Accounting (AAA) server within the DMZ. This additional layer would add extra difficulty to any masquerade efforts. The RAS and VPN servers should also reside within the DMZ entirely. Lastly, segment the internal network with virtual local area networks (VLANS). VLANS will separate the internal network, helping to reduce the overall damage any potential breakthrough can wreck.
Remote Access Vulnerabilities and Solutions
GFI has three distinct remote access vectors. First, there is the wireless antenna array (WAA), this system is designed to provide wireless coverage to GFI employees and potential guests. Its current encryption is WAP. Second, there is the VPN designed to create a shared and secure network with an off-site office. However this VPN, despite its name, is not encrypted allowing others to view the traffic. Lastly, there is a work from home infrastructure. This makes use of the public switched telephone network (PSTN) to allow employees access. It consists of a public branch exchange (PBX) and an RAS. Of these three, the WAA and VPN allow direct access into the network. The RAS and connects through a distribution router that is part of the DMZ, if the four routers are in a DMZ configuration already.
The WAA offers to much direct access to the network. Moving it to a true DMZ would separate wireless network access from the internal network. Still, the wireless is vulnerable. Typical wireless access involves an authentication process to the local network. An attack as simple as an evil twin combined with a masquerade would penetrate the outer network. An attacker would then have access to the internal network. Adding a whitelist of approved employee wireless devices will not be enough to prevent such attacks. Simple MAC or IP spoofing could be enough to defeat these defenses. To block this access vector, incorporate an Authentication, Authorization, and Accounting server. Such a device will require an additional authentication beyond the easily acquired external wireless credentials. This system should also sit within the bounds of a DMZ to further increase security and specialize outside network communication though one dedicated portion of the network. Move the wireless network new and more secure WPA3 (Wi-Fi Alliance, 2018).
The VPN brings its own security risks; any compromises to the off-site network could easily traverse to the heart of the main network. Moving the VPN server to within the DMZ would help mitigate these risks provided additional software solutions such as VLANS, IPS or intrusion detection systems (IDS) were employed to detect suspicious traffic or segment its spread to a section of the network. The VPN presently lacks any encryption, allowing traffic to, be viewed in the open. Encrypt VPN traffic in Point-to-Point Tunneling Protocol, natively supported, it?s an effective means to secure the VPN traffic from snooping (Crawford & Tyson, 2018).
The RAS, depending on the router configuration, may provide unfiltered access to the internal network. Properly constructing a DMZ will help prevent attacks from succeeding in reaching their intended target. Again proper VLAN implementation will prevent successful attacks from gaining complete network access.
Beside network topology, adding IDS/IPS capable of heuristics and application layer inspection in line with network traffic will harden the overall network. Software solutions, enterprise level security products, will increase the internal security. The idea is to create a layered defense that does not rely on one security measure. Layer defenses are harder to overcome and a lucky attacker will not likely success in breaching multiple security measures.
Authentication and Data Protection for Mobile Devices
Mobile device security is an important part of having a safe network. To ensure a secure network, we must not allow users to retain company information or data on their personal mobile devices. That said, the Information Technology (IT) department understands the requirement for mobility in today?s corporate world. We propose to manage a portal through Secure Socket Layer (SSL) where users can access their company profile from anywhere at any time. Access to the profile would require the use of a RSA Secure ID token and a password exclusive to each user. The company would provide tokens for any employee that requests one for the purpose of mobile access, or to work from home.
Using an online portal would eliminate the storage of company data on personal devices, while still providing access to business systems from those same devices. This portal can be hosted from within the secure network and accessed via an internet website. To authenticate with the server, users would need to first navigate to the site, then enter their username, password, and RSA pin number. The information would be verified through an encrypted connection to the internal network, and the user would either be granted or denied access.
By implementing this system, the process of authenticating users to the company wireless network becomes trivial. The network can be completely standalone and open to the public. Since any information destined for the portal would be encrypted through SSL, there would be no need to require additional restrictions. This proposal can be accomplished with minimal additional investment apart from RSA tokens and development time. While it may take significant time and effort to develop the interface, the hardware we already own should sufficiently handle the additional load. The change may also allow us to remove the Virtual Private Network infrastructure, providing further data and network security.
Wireless Security, Vulnerabilities, and Mitigations
Similar to mobile device security issues, wireless vulnerabilities would be mostly mitigated by a switch to a token based authentication system. The wireless network wouldn?t need to be nearly as secure if it was physically separate from the internal network. By creating an air gap between the company intranet and our wireless network, we can ensure that data within the intranet is not dependent on the wireless network security. The same method of authenticating to the intranet through the wireless network would apply in any location worldwide. This shift in management would open up many possibilities and allow for a complete overhaul in the virtual networking structure of the company.
Under this new system, the wireless network security would no longer be directly tied to the security of company data.

This allows us to establish the wireless network with a simple WPA2 password for employee access. We also recommend establishing a guest wireless network with limited capability to browse the internet that doesn?t require a password for authentication.
Another benefit of an online portal is that users can work from home or from satellite offices as needed. For the sake of redundancy, it may be prudent to keep the Virtual Private Network (VPN) connection to our satellite office; however, it would not be necessary. It would also be wise to remove the RAS and PBX from the company network. These legacy systems allow remote dial-up users to authenticate to the network, but their functionality could be accomplished through a web browser under the new system.
Though it may be initially costly to implement, the increased functionality and ease of access to a browser-based portal system should provide exceptional returns on investment. This scalable selection will also improve the security of the network and proprietary

data.
Evaluate the Authentication Protocols in the Networks
Wired
First looking into the network, the only seen authentication system is the VPN gateway. The VPN gateway would apply authentication only to the ones using it to access the network. This is only slightly more secure than having a port open on the router and user just direct connecting to the intended destination behind it. It adds the security of forcing the traffic to, be encrypted via Extensible Authentication Protocol (EAP). There are a few ways to authenticate to this type of software, but I recommend using or acquiring a smart card to add the benefit of two types of authentication to this gateway.
Next, looking into the network, move the VPN gateway, SUS server, Exchange email, internal web server, and possibly the Oracle DB server to a demilitarized zone in-between two of the distribution routers. This will change the security to a more upfront setting and make securing these types of services more feasible while providing them to the larger company.
Wireless
The most important thing to consider in a wireless environment is that best practices are in use for authenticating to the network. A few things to consider here are making management to the wireless access point only accessible from the internal LAN, changing the password for the wireless access point at a high frequency (recommend every two weeks), using the best methods to authenticate to the network (WPA2) and turning off some of the default open authentication methods such as Telnet for more secure methods such as SSH.
Another factor in wireless communication is availability, changing the wireless area for the target audience to only the areas where the target is while limiting any areas where they are not. This means turning down the power of the transmitter for the wireless access point or implementing multiple low power access points to hit only the target working area. Area that is outside of this range would be more subject to listening and eventual cracking of the wireless authentication methods in use.
Mobility
The out branch networks are more difficult to authenticate securely than one might think. Using a computer set to authenticate to the VPN gateway would be the best practice in having them access the internal network. Using only the necessary amount of computer attached to this gateway would be the best method for keeping the network running quickly.
Web System Protocols and Vulnerabilities
Identifying some common attacks on the web server is the best place to start here. The Top 10 security vulnerabilities as per OWASP Top 10 are: SQL Injection, Cross Site Scripting, Broken Authentication and Session Management, Insecure Direct Object References, Cross Site Request Forgery, Security Misconfiguration, Insecure Cryptographic Storage, Failure to restrict URL Access, Insufficient Transport Layer Protection, and Invalidated Redirects and Forwards.
SQL injection is the way of adding commands or tricking the underlying database to execute commands in an unintended fashion. SQL injection is an easy fix, by sanitizing the user input or by allowing a whitelist of inputs from the user we can keep the actions of the attacker very limited to only the necessary times for a post to the SQL database.
Cross site scripting is a method of causing a modification in a script on the webserver or in transit to the clients. This can be done on the server or client. The implications behind this is session hijacking, defacing websites, or redirecting to a malicious site.
Broken authentication and session management is the reuse of a session cookie or id to gain information that was previously on a valid user?s session. This is caused by the user closing the session without the browser sending a termination signal. The method to mitigate this is to keep users from accessing the company?s web server from ?public locations? such as a library or internet caf?.
Insecure Direct Object References is accessing an unintended form or file from the browser. Mitigation of this is to lock down the access to files that only need to be seen by the web service in use.
Cross Site Request Forgery is causing the user to send data to a site that they have already authenticated to. To mitigate this, we use captchas and force re-logins over time.
Security Misconfiguration is a lack of updates to the underlying software or a misconfiguration in the software. Removing the default users and passwords, or by implementing access controls can mitigate this.
Insecure Cryptographic Storage is a lack of encryption on important files in the server. To fix this use encryption on files containing usernames and passwords or where their backups are kept.
Failure to restrict URL Access is a lack of control on locations and files in the web server. Recommended changes are to implement strong access control methods and authentication policies.
Insufficient Transport Layer Protection is a failure in the transport layer to protect important information transiting the web. Keeping the certificates up to date and using HTTPS for the traffic can keep it secure.
Invalidated Redirects and Forwards is redirection caused by failure to properly validate input into redirection links. It is recommended to not use redirection links and to validate user input if you do.
Web Access
Internet access within and enterprise needs to be reliable and secure. Presently web traffic originates from the internal network and is released into the wild. No effort is made to prevent employees from visiting sites with a high probability of malicious traffic. Opening the internal network to cross site scripting attacks, browser hijacking and more. The addition of a proxy server to the corporate DMZ will mask the boxes behind it. Additionally, proxy servers can monitor employee searches. By blocking certain sites there is reduced risk of malicious traffic, such as phishing, malware, or ransomware, to infect the network from the browsing habits of employees. The human element is frequently the weakest link in infrastructure security. The additional cost would be the server and software, the man hours to install, and new legal paperwork. Employees will now need to sign a consent to monitor before they are allowed to use the proxy for web browsing.
Cloud Computing
On demand delivery of computing power is a growing field. The field is relatively new and has been growing rapidly. More and more firms, such as IBM, Microsoft, and Amazon, work to leverage their core competencies to create new markets. Replacing the internal private network with cloud computing has a number of benefits such as: scalability, rapid deployment, and predictable costs. Cutting the downtime needed to address security breaches or software upgrades will avoid repeats of the Oracle database compromise in 2013. This type of cloud would be a private cloud, only available to the firm and its employees. Microsoft?s Azure cloud computing solutions offers private clouds. These can be located on-site and completely controlled by GFI. Customization of the cloud can include adding the Oracle Server, Internal DNS, Exchange server, File and Print Server, the Intranet Web Server and the SUS server; the entire trusted network. Additional services could be added easily, adding a Redundant Array of Individual Disks (RAID) server to backup the Oracle DB will enhance availability. This new cloud environment will require a new security to prevent the repeat of the 2014 virus attack. McAfee Management for Optimized Virtual Environments (MOVE) AntiVirus offers protect for virtual servers and desktops ("McAfee MOVE AntiVirus", 2018). Overall, the transformation of the internal network into a cloud computing space will insulate the inner, working core of GFI. Breeding confidence in the GFI brand, promoting the availability of our products, and guaranteeing the integrity GFI?s patron?s data.
Final Thoughts
GFI?s current information security posture is a failure. From the 2013 and 2014 malware attacks this is evident. Perimeter security is non-existent, no DMZ and clear lines of access into the internal network though unencrypted VPNs and wireless. The internal trusted network is hardware based, lacking backups and once compromised requiring days of downtime to return to working order. This combination has rendered the GFI name a mockery in terms of trust consumers of financial goods will place with the firm. The inability to see the simple solutions that would address these concerns is the greatest failure. Restructuring the network topology to include a proper DMZ hosting all the ingress points while simultaneously implementing new authentication protocols for those wishing to access the network will obfuscate the inner network from malicious attackers. Updating the security protocols for wireless and mobile security, using a proxy server for browsing, and increasing internal security will greatly improve the posture of GFI without the need to out-source this functionality to third-party organizations.
While ensuring the protection of expensive and valuable assets is important this strategy above focuses on protecting the assets that produce the most value for the company by focusing on confidentiality, integrity and availability. The compromising events of 2013, 2014, and 2015 compromised and tarnished each of these in a different way. The suggested mitigation and reform efforts developed above will serve to reverse this. Confidence will be improved when consumers not only see the monetary reparations made, but also the new network topology and utilization of new security protocols. Integrity comes from the trusted internal network and the security information generated and stored there receives. The encrypted VPN, employing Microsoft Azure cloud, and the McAfee MOVE AntiVirus, all these developments were to ensure GFI?s customer?s data is protected and their assets secured. Availability comes from the external facing and distribution routers, the encrypted VPNs that allow a branch to connect to headquarters. Backups to critical servers furthers this cause by protecting customer?s data. The CIA triad as it is called. Focusing efforts on protect the means and ways of cash flow will ensure the continuation of GFI into the future.

References
Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide (n.d.), Retrieved April 26, 2018, from https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/vlans.html
Cisco IOS Firewall (n.d.). Retrieved April 26, 2018, from https://www.cisco.com/c/en/us/products/security/ios-firewall/index.html#datasheets-literature
Cisco IOS Firewall Common Deployment Scenarios (n.d.). Retrieved April 26, 2018, from https://www.cisco.com/c/dam/en/us/products/collateral/security/ios-firewall/prod_presentation0900aecd804e1307.pdf
Clientless VPN through a web browser - network drive(s). (n.d.). Retrieved April 24, 2018, from https://kb.uwex.uwc.edu/page.php?id=40213
Government Mandates Affecting Mobile Compliance. (n.d.). Retrieved April, 24, 2018, from https://www.mobileauthenticationtechnologies.com/pages/government-compliance
McAfee MOVE AntiVirus. (2018). McAfee. Retrieved 28 April 2018, from https://www.mcafee.com/us/products/move-anti-virus.aspx
Mitchell, B. (2017, June 9). How Can You Secure a Wi-Fi Network with WPA2? Retrieved April 24, 2018, from https://www.lifewire.com/what-is-wpa2-818352
RSA SecurID Hardware Tokens | Two Factor Authentication. (2018, April 04). Retrieved April 24, 2018, from https://www.rsa.com/en-us/products/rsa-securid-suite/rsa-securid-access/securid-hardware-tokens
Wi-Fi Alliance (2018, January 8) Retrieved April 27, 2018,https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements

Crawford, S., & Tyson, J. (2018). How VPNs Work. HowStuffWorks. Retrieved 27 April 2018, from https://computer.howstuffworks.com/vpn7.htm
UNCLASSIFED
UNCLASSIFIED