Technical Paper

Global Finance, Inc. (GFI) is a hypothetical company, which has grown rapidly over the past year. GFI has invested in its network and designed it to be fault tolerant and resilient from any network failures. However, although the company’s financial status has matured and its network has expanded at a rapid pace, its overall network security posture has not kept up with the company growth. The trusted computing base (TCB) internal network within the Global Finance, Inc. Network Diagram hosts the company’s mission critical systems that are vital to the company’s operations that also affect the overall financial situation. The most vital application servers is the company is their Oracle database and email system. GFI cannot afford system or network outages, as its cash flow and financial systems heavily depend on the network stability and availability. GFI has recently experienced multiple network attacks resulting in a total estimated loss at more than $1,000,000. Risk Assessment Purpose

The purpose of this risk assessment is to evaluate the adequacy of the Global Finance, Inc. security and network. This risk assessment provides a structured qualitative assessment of the operational environment. It addresses sensitivity, threats, vulnerabilities, risks and safeguards. The assessment recommends cost effective safeguards to mitigate threats and associated exploitable vulnerabilities. Safeguards are security features and controls that, when added to or included in the information technology environment, mitigate the risk associated with the operation to manageable levels. A complete discussion of the vulnerabilities and recommended safeguards are found in this report. Risk Assessment Scope

The scope of this risk assessment assessed Global Finance, Inc.’s use of resources and controls, implemented or planned, to eliminate and or manage vulnerabilities exploitable by internal and external threats to the GFI system. This Risk Assessment Report evaluates the confidentiality (protection from unauthorized disclosure of system data and information), integrity (protection from improper modification of information), and availability (loss of system access) of the GFI system. Recommended security safeguards will allow management to make decisions about security related initiatives. If the safeguards recommended in this risk assessment are not implemented and the GFI network is exploited, these vulnerabilities could result in: Unauthorized disclosure of data and sensitive information

Unauthorized modification or destruction of the system, its data, or both Denial of service, access to data, or both to authorized users who require access to this information on a frequent basis. Loss of network stability and availability

Loss in reputation and customer confidence
System Environment
Global Finance, Inc. uses a highly resilient flat network architecture for its network infrastructure. A flat network is a computer network design approach that aims to reduce cost, maintenance and administration. Flat networks are designed to reduce the number of routers and switches on a computer network by connecting the devices to a single switch instead of separate switches, or by using network hubs rather than switches to connect devices to each other. The topology of a flat network is not segmented or separated into different broadcast areas by using routers and switches CITATION Net12 \l 1033 (Network Computing, 2012). Remote dial up users make use of a Public Switched Telephone Network (PSTN) utilizing a Cisco BPX series switch to gain access to the network through the sole firewall in the entire network. PSTN is the world’s collection of interconnected voice oriented public telephone networks, both commercial and government-owned. It’s also referred to as the Plain Old Telephone Service (POTS) CITATION Lin05 \l 1033 (Lin, 2005). The GFI network supports a virtual private network (VPN).

A VPN is a private network that uses a public telecommunication infrastructure, usually the internet, to securely connect remote sites or individuals together with secure access to an organizations network. Instead of using a dedicated connection, a VPN allows remote client workstations to use a special key exchange that must be authenticated by the VPN. Once authentication has been verified, a secured network connection, also known as a tunnel, is established between the workstation and the access point of the organizations network. All traffic is encrypted through the VPN tunnel, which provides an additional level of encryption and security CITATION She11 \l 1033 (Shelly & Rosenblatt, 2011). A VPN ensures privacy through security procedures and tunneling protocols such as the Layer 2 tunneling Protocol (L2TP). Data is encrypted at the sending end and decrypted at the receiving end. Basically the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a tunnel that cannot be entered by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.

The main benefit of a VPN is the lower cost needed to support this technology compared to alternatives like traditional leased lines or remote access servers. VPN solutions also utilize several different network protocols including PPTP, L2TP, IPsec, and SOCKS. VPN servers can also connect directly to other VPN servers. A VPN server-to-server connection extends the intranet or extranet to span multiple networks. Global Finance, Inc.’s flat network topology, as illustrated in Figure 1, is adequate for small networks and is implemented using Layer 2 switching. A flat network, is a network in which all workstations or servers can reach other devices on the network without going through any intermediary hardware devices, such as a bridge or router. There is no hierarchy with a flat network design, and because each network device within the topology is performing the same job, a flat network design can be easy to implement and manage. The flat network topology is not divided into layers or modules and can make troubleshooting and isolating of network faults a bit more challenging than in a hierarchical network. In a small network, this might not necessarily be an issue, as long as the network stays small and manageable.

Flat networks are designed to reduce the number of routers and switches on a computer network by connecting the devices to a single switch instead of separate switches, or by using network hubs rather than switches to connect devices to each other. The switches illustrated in Figure 1 are assumed to be for redundancy purposes. In this case, even if one of the switches fails, the network will continue. By having multiple switches and spreading servers across all of them, networks can achieve a higher level of severance in which the failure of one switch does not completely compromise the application environment. This provides redundancy, effectively eliminating the single point of failure. The topology of a flat network is not segmented or separated into different broadcast areas by using routers and switches. Unlike a hierarchical network design, the network is not physically separated using different switches. Generally, all devices on the network are a part of the same broadcast area. Therefore, each department within the Global Finance’s infrastructure can directly communicate with another department on the network or directly with the Trusted Computing Base Internal Network itself. Figure 1. Global Finance, Inc. Network Diagram

Vulnerabilities
This report has determined that the structure of the GFI networks vulnerability to Distributed Denial of Service (DDoS) and several other attacks is a High risk and highly likely to occur risk. A DDos attack is an attack launched from many places at once. The objective of a DDoS attack is to incapacitate a system or service in a way that is difficult to block. A DoS attack that originates from a single system is easy to block by configuring a router to drop packets from the attacking system. However, a DDoS attack can originate from thousands of systems, making it virtually impossible to block by any normal means CITATION Gre09 \l 1033 (Gregory, 2009). DDoS attacks can be mitigated by implementing an Intrusion Prevention System (IPS) configured to execute a DDoS security policy. IPS scans the network traffic stream in order to find threats using known exploits and attack vectors. IPS does not detect specific files, but rather specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them.

This report recommends GFI to implement two intrusion prevention systems, one that scans all traffic on the dirty network, which is used for devices directly exposed on the public internet. The second IPS should monitor all traffic that originates from the remote network, which is used for all external connection that do not come directly over the Internet, For example VPN’s, department terminals, any mobile devices that may access the internal network, etc. This report has also identified that the GFI network’s firewall in insufficient and has a High negative impact and a highly likely to occur risk. The network contains a single point failure firewall which is only utilized by traffic from remote dial up users that enters the network through the PSTN system. Firewall is a software or hardware-based network security system that controls the incoming and outgoing network traffic based on applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network that is not assumed to be secure and trusted CITATION Opp97 \l 1033 (Oppliger, 1997). This report recommends that GFI implement several redundant firewalls including a perimeter firewall, packet filtering firewalls for each network segment.

A filtering firewall works at the network level. Data is only allowed to the system if the firewall rules allow it. As packets arrive they are filtered by their type, source address, destination address, and port information contained in each packet. This report has also identified that the architecture GFI’s flat network negatively impacts performance and scalability. Because traffic travels through one switch or redundant switches, it is not possible to segment the networks into sections and prevent users from accessing certain parts of the network. It is easier for hackers to intercept data on the network. For example, if a workstation in the Accounting department is compromised, there is nothing to prevent it from infecting another workstation in a different department. Another major concern is security, as flat networks need a different approach than that used in a tiered network. Flat networks eschew the need for Layer 3 routing, which effectively removes traditional security technologies, such as firewalls, access control lists, filters and other security appliances from the network.

This report recommends GFI to segment the network with multiple segmented VLANs. A VLAN is a set of workstations within a LAN that can communicate with each other as though they were on a single, isolated LAN. Therefore, if one of the workstations on the VLAN is compromised, it will not be able to directly communicate with workstations on another VLAN. When properly configured, VLAN segmentation severely hinders access to system attack surfaces. It reduces packet-sniffing capabilities and increases threat agent effort. Finally, authorized users only “see” the servers and other devices necessary to perform their daily tasks. Figure 2. Global Finance, Inc. Network Diagram with Recommendations

Another assumption made by this report is that the Oracle 9i Database is not encrypted. Malicious insiders and system administrators could access both encrypted data and encryption keys, giving them access to clear text data, unless keys are deliberately isolated in a dedicated key management system. Furthermore, Applications that have legitimate access rights that have been compromised and are infected with malware can still access confidential data. This report recommends Global Finance, Inc. to implement Database level encryption. Database level encryption offers the best security when it comes to protecting data at rest. This protection goes further than storage level encryption and also avoids widespread changes in the application layer. Oracle offers native transparent database encryption by default. With transparent data encryption, the encryption process and associated encryption keys are created and managed by the database. This is transparent to database users who have authenticated to the database. At the operating system, however, attempts to access database files return data in an encrypted state.

Therefore, for any operating system level users, the data remains inaccessible. Additionally, because the database is doing the encryption, there is no need to change the applications, and there is a minimal performance overhead when changes occur in the database. Successfully implementing database encryption depends on how encryption key management is done. Managing encryption keys can be complex. Solutions that handle key management from within the database complicate the ability to establish and maintain proper role separation because they put database administrators (DBA) in control of encryption keys, as well as the data itself. Key management servers can add new levels of assurance to database encryption by helping GFI effectively protect and manage encryption keys. Figure 2 illustrates the use of an Encryption Management server in the Trusted Computing Base Internal Network. The Encryption Management Server (EMS) automates deployments, provisioning, key management, and policy enforcement for encryption solutions, reducing administrator workloads and ensuring consistent security policy across the organization. Administrators can establish, enforce, and update security policies in real-time across multiple integrated encryption solutions from a simple, web based management console.

Additionally, they can fine tune encryption policy assignment using optional enterprise directory integration utilizing hardware security modules. With hardware security modules (HSMs), GFI can take full advantage of Oracle’s native database encryption capabilities and still add higher levels of assurance to key management activities, ensuring optimal security, efficiency, and guaranteed accessibility to encrypted data. By storing encryption keys in a protected environment, separate from the database itself, HSMs enforce separation of duties between security staff and DBAs. This risk assessment used the qualitative assessment methodology. Qualitative Risk Analysis is concerned with discovering the probability of a risk event occurring and the impact the risk will have if it does occur. All risks have both probability and impact. Probability is the likelihood that a risk event will occur, and impact is the significance of the consequences of the risk event.

This type of risk assessment was used due to the initial DoS attacks against GFI, resulting in an estimated loss of over $1,000,000 dollars. First of all, there are no exact values that can be placed on the loss of customer confidence. Another reason is that there is no way to quantify monetary loss from a Dos attack, no two attacks are the same, each attack may target different servers and execute for different durations before being addressed. And finally, the probability of the vulnerabilities of GFI’s current network infrastructure being exploited again are extremely high. This risks assessment should be presented to Global Finance, Inc.’s Senior Management, Security and Infrastructure teams. The objective of the assessment is to illustrate the severity of the vulnerabilities within GFI’s current network, to provide potential solutions to these vulnerabilities and to help determine the proper measures to implement to mitigate the risks outlined in this assessment.

References

BIBLIOGRAPHY

Gregory, P. (2009). CISSP Guide to Security Essentials. Cengage Learning. Lin, C. (2005, September). PSTN (public switched telephone network). Retrieved from TechTarget: http://searchnetworking.techtarget.com/definition/PSTN Network Computing. (2012, March 22). Flat Network Strength Also A Security Weakness. Retrieved from Information Week Network Computing: http://www.networkcomputing.com/networking/flat-network-strength-also-a-security-weakness/d/d-id/1233495? Olzak, T. (2012, April 18). VLAN Network Segmentation and Security. Retrieved from Infosec: http://resources.infosecinstitute.com/vlan-network-chapter-5/ Oppliger, R. (1997, May). Internet security: firewalls and beyond. Communication of the ACM Volume 40 Issue 5, pp. 92-100. Shelly, G., & Rosenblatt, H. J. (2011). Systems Analysis and Design, Ninth Edition. Cengage Learning.