Technical Paper: Risk Assessment
CIS 502 Theories of Security Management
Describe the company network, interconnection, and communication environment
The Global Finance Inc. network has two OC 193 core circuits that connect to the core routers located in the DMZ. A PSTN circuit is also present, which connects to a phone switch located in the DMZ. The two OC 193 circuits are 10 Gbps each and are not bonded, meaning they are individual connections. The core routers and the Intranet routers each have a failover configuration. The PSTN circuit coming into the phone switch in the DMZ is not part of the GFI data network. The core routers are located in the DMZ with the VPN server. The core routers have direct access to the rest of the network: the Accounting Department, Loan Department, Customer Service, Management, Credit Department and Finance Department, which are connected to the Trusted Computer Base Internal Network (TCBIN). Additionally, there is an off-site office that has a VPN gateway to the Cloud and from the Cloud to the Intranet. The Remote Dial-up User also has access to the PSTN network.
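The topology described above can be modeled as a directed graph to see which departments each external entry point can reach and in how many hops. This is an added example, not part of the original paper. The node names are labels chosen here, and the edge list is one reading of the description; the link from the Intranet to the departments is an assumption.

```python
from collections import deque

# Constructed model of the network as described in the paper.
DEPARTMENTS = ["accounting", "loan", "customer_service",
               "management", "credit", "finance"]

EDGES = {
    "oc_circuit_1": ["core_routers"],      # two unbonded 10 Gbps circuits
    "oc_circuit_2": ["core_routers"],
    "core_routers": DEPARTMENTS,           # "direct access" to the TCBIN
    "offsite_office": ["vpn_gateway"],
    "vpn_gateway": ["cloud"],
    "cloud": ["intranet"],
    "intranet": DEPARTMENTS,               # assumption: Intranet fronts the TCBIN
    "remote_dialup_user": ["pstn"],
    "pstn": ["phone_switch"],              # not part of the data network
}

EXTERNAL = ["oc_circuit_1", "oc_circuit_2",
            "offsite_office", "remote_dialup_user"]


def hops_from(entry):
    """Breadth-first search: minimum hop count from entry to each reachable node."""
    dist = {entry: 0}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in EDGES.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def exposure_report():
    """Map each external entry point to the departments it reaches, with hop counts."""
    report = {}
    for entry in EXTERNAL:
        dist = hops_from(entry)
        report[entry] = {d: dist[d] for d in DEPARTMENTS if d in dist}
    return report


if __name__ == "__main__":
    for entry, depts in exposure_report().items():
        summary = ", ".join(f"{d} ({h} hops)" for d, h in depts.items()) or "none"
        print(f"{entry}: {summary}")
```

In this model every department sits two hops from either OC circuit, with only the core routers in between, while the dial-up path ends at the phone switch.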
Assess risk based on the Global Finance, Inc. Network Diagram scenario. Note: Your risk assessment should cover all the necessary details for your client, GFI Inc., to understand the risk factors of the organization and risk posture of the current environment. The company management will decide what to mitigate based on your risk assessment. Your risk assessment must be comprehensive for the organization to make data-driven decisions.
Based on GFI’s network, the following is the risk assessment that GFI should receive:
Off-site VPN: According to (i.i.com.com, 2006), there are 5 common VPN security mistakes that companies like GFI make. (Note: GFI’s VPN is premise-based, which has a higher risk of security vulnerability.)
The first security mistake for most companies is skipping real-time endpoint security monitoring, or deeming it too costly. Most Virtual Private Networks (VPNs) are just that – a virtual, secure private communication channel that transports data from Point A to Point B, typically from an end user to a corporate network. Unfortunately, if Point A is a computer with a virus or an improperly configured firewall, then a hole has been created in the company’s network. Additionally, 95% of all security breaches occur at the browser level. In essence, remote access is given to everything on that endpoint (the user’s PC), and not just to the person sitting at the keyboard.
The problem, then, is most VPN clients, especially those that are web-based, don’t do any kind of sec