Wednesday, May 6, 2020
Technical Paper free essay sample
Describe the company network, interconnection, and communication environment.

In order to support their growing business, Global Finance, Inc. (GFI) has taken the necessary actions to ensure their network remains fault tolerant and resilient to network failures. GFI has acquired network devices in order to support their network and maintain interconnection among their employees and customers. The World Trade Organization defines interconnection as: “Linking with suppliers providing public telecommunications transport networks or services in order to allow the users of one supplier to communicate with users of another supplier and to access services provided by another supplier, where specific commitments are undertaken.” (Blackman & Srivastava, 2011) As technology has changed and competition has intensified, many forms of interconnection have evolved. All involve the linking of networks to enable customers of one network to communicate with customers of another network or to have access to services offered by another network operator. GFI’s network interconnects their employees to their customers through the Internet and telecommunications. GFI employees are able to connect to their customers through two adjacent, non-competing telephone networks that interconnect so that subscribers on one network can call those on the other. Traditional wireline telephone and new wireless mobile carriers interconnect so that subscribers of the traditional phone service can call wireless subscribers, and vice versa. New competitive local telephone carriers allow GFI to interconnect with the incumbent carrier so they can attract subscribers in the common service territory, and enable those subscribers to call subscribers on the incumbent’s network. (Blackman & Srivastava, 2011) GFI’s successful communication with their customers is required in order to conduct daily business transactions.
GFI’s network makes it easy for employees in one department to communicate with employees in another department through numerous Access Layer Virtual Local Area Network (VLAN) switches. GFI employees are directly linked to the Internet in a manner that allows them to interact with customers through their website.

Assess risk based on the Global Finance, Inc. Network Diagram scenario.

The risk assessment process is needed to identify risks that need to be treated within an organization, as well as to provide the strategies and methods that are most appropriate to treat these risks. Because many organizations are poorly aligned between their risk exposure and their risk appetite, it is important to engage in risk assessment procedures. These procedures can help an organization prevent risk exposure and determine whether its current operations will result in an increase or decrease of market value and owners’ wealth. As a result of the economic crisis, and the recent increase in corporate failures, organizations can now learn from the mistakes of others. In an effort to demonstrate the importance of successful risk assessment and alignment implementation, it is necessary to examine GFI’s network more closely. GFI’s success is dependent on its network. The network is fairly stable, with very few outages due to network failure. To ensure the network operates successfully, GFI has hired a small team of network engineers to keep up with the network growth and the bandwidth demand of the company employees and the clients. However, the company has not hired any security personnel who can take care of the operational security responsibility. Not having a secure network leaves the network open to vulnerabilities and compromises the daily flow of business. The trusted computing base (TCB) internal network in the Global Finance, Inc. Network Diagram hosts the company’s mission-critical systems, without which the company’s operations and financial situation would suffer.
The Oracle database and email systems are among the most intensively used application servers in the company. GFI cannot afford system outages because its cash flow and financial systems depend heavily on network stability. GFI has experienced DoS network attacks twice this year, and its Oracle database and email servers were down for a week. The recovery process required GFI to spend $25,000 to restore its operations back to normal. GFI estimated the loss from these network attacks at more than $100,000, including lost customer confidence. GFI’s failure to incorporate proper firewall devices at Internet access points can be linked to the DoS network attacks and to the Oracle database and email servers being down. Network security is just as important as securing the company’s web site and related applications. Networks, because of the sensitive data they usually give access to, are one of the most targeted public faces of an organization. Here are the top 5 network security vulnerabilities that are often omitted from typical reviews, and some tips to avoid making the same mistakes:

• Network Security Omission #1: Missing patches — all it takes for an attacker, or a rogue insider, is a missing patch on a server that permits an unauthenticated command prompt or other backdoor path into the web environment. Network security personnel should be extra careful when applying patches to servers, but not applying any patches makes it too easy for attackers. Solution: Follow network security best practices by updating the operating system and any other software running on it with the latest security patches. Too many incidents occur because criminal hackers take advantage of and exploit unpatched systems. (Beaver, 2013)

• Network Security Omission #2: Weak or default passwords — many web applications, content management systems, and even database servers are still configured with weak or default passwords. Who would need file inclusion or SQL injection when the file system or database can be accessed directly? Solution: Change and test for weak passwords regularly and consider using a password management tool. Implement intruder lockout after a defined number of failed login attempts. (Beaver, 2013)

• Network Security Omission #3: Misconfigured firewall rulebases — one of the biggest, most dangerous assumptions is that everything is well in the firewall because it’s been working fine. Digging into a firewall rulebase that has never been analyzed will inevitably turn up serious configuration weaknesses that allow for unauthorized access into the web environment. Sometimes it’s direct access, while other times it’s indirect from other network segments, including Wi-Fi — parts of the network that may have been long forgotten. Solution: Start with the organization’s security policy, one that reflects the current situation and foreseeable business requirements. After all, the firewall rulebase is the technical implementation of this security policy. Review it regularly and keep it relevant. (Beaver, 2013)

• Network Security Omission #4: Mobile devices — phones, tablets, and unencrypted laptops pose some of the greatest risks to web security. Think about all the VPN connections, cached passwords in web browsers, and emails containing sensitive login information that you — and likely everyone else responsible for managing the web environment — have stored on mobile devices. The use of unsecured Wi-Fi via mobile devices is the proverbial icing on the cake. Solution: Instill clear data management rules for all employees and make mandatory data encryption part of your security policy. This is becoming even more important with employees connecting their personal devices to the corporate network. (Beaver, 2013)

• Network Security Omission #5: USB flash drives — the dangers of these portable devices have been known for long enough. But still, all that Edward Snowden reportedly needed to walk away from the National Security Agency building with a cache of national secrets was a USB flash drive. USB drives are also one of the most common ways a network can get infected from inside a firewall. Solution: Have clear security policies regarding personal storage devices, including who can use them and in what places. Restrict the computers that can read USB flash drives and help prevent unauthorized access by encrypting the data as soon as it hits the device. (Beaver, 2013)

Whether accessible from inside or outside the network, these commonly overlooked security vulnerabilities are likely putting GFI’s web environment at risk today. The smart approach to minimize the risks is to perform in-depth web vulnerability scans and manual analysis, and also to ensure that everything else that touches the web environment has been properly reviewed. (Beaver, 2013)

Before a firm embarks on the task of conducting a risk assessment, it is important to establish the risk appetite of the organization, meaning its capacity to take on risk to meet its organizational objectives. There are four basic steps that the stakeholders of the organization can take to establish a risk appetite statement. The stakeholders of an organization generally include shareholders, the board of directors, management, employees, customers, suppliers, and even taxpayers and voters. The four steps involved in determining an organization’s risk appetite play a fundamental role in preventing derailment from strategic goals, culture, market, regulatory requirements, and financial sensitivity. (Cernauskas & Tarantino, 2011, pp. 42-46) Step 1 in the process is to develop strategic objectives at an enterprise and operating unit level.
Some of the objectives stakeholders will consider include market share, competitors’ strategic direction, reputation in the marketplace, earnings stability and growth, investor returns and expected returns, regulatory requirements, capital adequacy, and external credit ratings. Because organizations have very diverse stakeholders, it is common to have conflicting opinions regarding the objectives, risks, and expectations; however, stakeholders are generally concerned with maintaining business growth, profitability, and earnings stability, ensuring regulatory compliance, being an employer of choice, and being a good corporate citizen. Furthermore, as time passes, the needs of organizations change; thus it is important to revisit the objectives, business plan, risks, and expectations. For example, if an organization’s growth target increases within a year, then the risk appetite would need to be reconsidered and adjusted to reflect the increase in risk and capital requirements. Additionally, the business plan should be revisited so that it reflects the new risk appetite statement and outlines how the organization will meet the objectives and shareholders’ expectations. (Cernauskas & Tarantino, 2011, pp. 42-44) Step 2 is to align the risk profile to business and capital management objectives. To accomplish this, the organization must determine its risk capacity, meaning it must identify how much risk is currently being taken and how much risk is still needed in order to meet the desired goals and align the risk profile to the business plan. Step 3 involves determining the risk thresholds at an enterprise and operating level. To accomplish step 3, the organization must identify the tolerance ranges for specific risks. These tolerance ranges should be identified to ensure that the appetite of the organization remains within the bounds of the business plan.
In addition, these measures break down the high-level risk appetite into actionable measures and help ensure that appropriate reporting and monitoring processes can be put in place for the effective management of these risks. (Cernauskas & Tarantino, 2011, pp. 42-45) Finally, step 4 is to formalize and codify the results of the risk appetite and provide a formal risk appetite statement. This statement should then be approved by the board and communicated to the organization. To ensure quality performance across the organization, it is important to assess performance in terms of compliance with the risk appetite. The organization should also have standard risk and incident reporting procedures in order to successfully monitor breaches of risk appetite and tolerance at all levels of the organization. (Cernauskas & Tarantino, 2011, pp. 42-45) Although determining the risk appetite might seem like a lengthy process, there are significant advantages for the organization. A risk appetite statement gives managers an improved understanding of what risk management means, and thus helps them apply risk management more effectively. Additionally, risk appetite helps an organization determine its capacity to take on risk, allocate risk management resources, define risk limits on new business ventures, and develop more knowledgeable risk reporting. (Cernauskas & Tarantino, 2011, pp. 46-47) Risk assessment is the process in which an organization identifies, analyzes, and evaluates risk. Risk assessments are the basis for risk management within an organization. They are valuable tools for organizations because they provide guidelines and understanding of risks, their causes, consequences, and probabilities, as well as solutions. Risk assessments provide risk information to stakeholders and can help them understand the nature and impact of risk.
They can also help determine whether an activity or project should be undertaken, how to maximize these opportunities, and how to establish prioritization within risks in order to choose between different options. Additionally, risk assessments help determine whether certain risks should be treated, and compare the pros and cons of different risk reduction techniques. Although risk assessments are very valuable, they are not to be considered a stand-alone activity and should be used in conjunction with the other elements of the risk management process. (Cernauskas & Tarantino, 2011, pp. 47-49) Organizations should have a process in place for conducting risk assessments. Risk managers are accountable and responsible for conducting risk assessments within an organization. They should understand the objectives and goals of the organization and should know how risk assessment integrates with them. Risk managers should know how to define risk criteria and should have various methods, techniques, and resources for conducting risk assessments. Additionally, risk managers should know what risks are acceptable and how unacceptable risks should be treated. In other words, risk managers should know how to effectively change the probability of the risk occurring, and they should also know how to effectively change the effects of the risk. Finally, risk managers should know the process for risk identification, which is the process of finding, recognizing, and recording risks. (Cernauskas & Tarantino, 2011, pp. 49-52) Risk analysis is the process where risk managers analyze the risk assessments and determine whether risks need to be treated and what strategies and methods are most appropriate to treat them. It involves identifying the causes and sources of the risk, the consequences and probabilities, and the effectiveness of existing controls to determine the level of risk. (Cernauskas & Tarantino, 2011, pp. 52-53)

Examine whether your risk assessment methodology is quantitative, qualitative, hybrid, or a combination of these.

The risk assessment approach taken to evaluate and determine the risks within GFI’s network was based on the hybrid method. This approach combines elements of both the quantitative and qualitative assessments. Sometimes quantitative data is used as one input among many to assess the value of assets and loss expectancy. This approach gives the assessment more credibility due to the hard facts presented, but it also involves people within the organization to gain their individual insight. The disadvantage of this approach is that it may take longer to complete. However, a mixed approach can result in better data than either of the two methods can yield alone. (Vanderburg, 2010)
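The hybrid method just described, with loss expectancy as one input among several, can be carried through in code so that its trade-offs are visible. The following is an added illustration written for this page, not the essay's own method and not Vanderburg's: it computes a quantitative annualized loss expectancy (ALE = SLE × ARO) for each risk, collects qualitative likelihood and impact votes from stakeholders, maps both onto a 1 to 5 scale, blends them, and ranks the register. The risk entries, dollar figures and votes are constructed. The DoS entry borrows the page's rough figures (two incidents this year, roughly $100,000 of total loss) as an assumed SLE of $50,000 at ARO 2; the ALE band thresholds and the 50/50 weighting are assumptions that a real team would set from its risk appetite statement rather than take from here.

```python
"""Hybrid risk scoring: constructed example, not the essay's or Vanderburg's method."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy, dollars (quantitative input)
    aro: float   # annualized rate of occurrence (quantitative input)


@dataclass(frozen=True)
class Assessment:
    name: str
    ale: float
    quant_score: float   # 1..5 band derived from ALE
    qual_score: float    # 1..5 from stakeholder likelihood/impact votes
    combined: float      # weighted blend of the two, 1..5


# Assumed ALE bands (upper bound in dollars -> score); anything at or above the last is 5.
ALE_BANDS = [(10_000, 1), (50_000, 2), (100_000, 3), (250_000, 4)]

# Constructed register. The DoS entry reuses the page's rough figures as an assumption:
# two incidents this year and about $100,000 total loss -> SLE $50,000 at ARO 2.
RISKS = [
    Risk("DoS against Oracle/email, no edge firewall", sle=50_000, aro=2.0),
    Risk("Unpatched web server", sle=20_000, aro=0.5),
    Risk("Default CMS credentials", sle=15_000, aro=1.0),
    Risk("Lost unencrypted laptop", sle=30_000, aro=0.2),
]

# Constructed votes from three stakeholders: (likelihood 1..5, impact 1..5).
VOTES = {
    "DoS against Oracle/email, no edge firewall": ([4, 5, 4], [5, 5, 4]),
    "Unpatched web server": ([3, 3, 4], [4, 3, 4]),
    "Default CMS credentials": ([2, 3, 2], [3, 3, 3]),
    "Lost unencrypted laptop": ([2, 2, 3], [4, 5, 4]),
}


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Quantitative axis: expected yearly loss from one risk."""
    return sle * aro


def ale_band(ale: float) -> int:
    """Map a dollar ALE onto the same 1..5 scale the qualitative votes use."""
    for upper, score in ALE_BANDS:
        if ale < upper:
            return score
    return 5


def qualitative_score(likelihood_votes, impact_votes) -> float:
    """Average the votes, multiply (1..25), and rescale to the 1..5 range."""
    return mean(likelihood_votes) * mean(impact_votes) / 5


def assess(risks, votes, quant_weight: float = 0.5):
    """Score every risk on both axes and return them ranked, highest combined first."""
    results = []
    for r in risks:
        likelihood, impact = votes[r.name]
        ale = annualized_loss_expectancy(r.sle, r.aro)
        quant = ale_band(ale)
        qual = qualitative_score(likelihood, impact)
        combined = quant_weight * quant + (1 - quant_weight) * qual
        results.append(Assessment(r.name, ale, quant, qual, combined))
    return sorted(results, key=lambda a: a.combined, reverse=True)


if __name__ == "__main__":
    for a in assess(RISKS, VOTES):
        print(f"{a.combined:4.2f}  ALE ${a.ale:>9,.0f}  quant {a.quant_score}  "
              f"qual {a.qual_score:4.2f}  {a.name}")
```

With these inputs the DoS risk ranks first (ALE $100,000, band 4, stakeholders scoring it just above 4), and the lost-laptop risk ranks last even though its impact votes are high, because its low ARO pulls the quantitative side down to band 1. That disagreement between the two axes is exactly what the hybrid method is meant to surface: the ALE alone would have buried the laptop risk, the votes alone would have overstated it, and the weighting makes the organization's chosen balance explicit and reviewable.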