
Grey Dog Service (GDS), Security Concerns and Mitigations

Updated on July 7, 2016

Security Concern: GDS does not Have Adequate Restriction of Access to Resources and Services

Problem Statement

As an asset management firm, Grey Dog Service (GDS) undeniably handles its clients' most secret data: account details, personal information and other very sensitive records that should not be accessible to everyone. As a matter of fact, this information should be accessible to as few people in the organization as possible. However, GDS lacks adequate access controls to protect this information fully, which means it cannot guarantee the CIA triad of information security, that is, the confidentiality, integrity and availability of information (Docs.oracle).


Risks and Issues

On issues related to confidentiality, the private client information at GDS is at risk of being accessed by unauthorized people and of being spread or disseminated by them to other unauthorized people (Park). Clients trust that their personal data remains private, and they would not be the happiest people if any of the mentioned risks did occur to their data. Should their private information be exposed, they can slap the asset management firm with a lawsuit, which could lead to fines, monetary loss, loss of customer loyalty and loss of reputation.

On issues related to integrity, the sensitive information is at risk of being modified by unauthorized people, of having fabricated records inserted by attackers, or of having some data deleted by attackers (Stringfellow). Clients trust that the information stored at GDS is indeed correct and has not been interfered with. They would be most disappointed if their data were changed in the slightest way or if falsified data were added to their records. Should the integrity of their information be compromised, clients can sue GDS or demand compensation, attackers could ask for huge ransoms to return stolen data or not to publicize it, and all these scenarios place GDS at the losing end.

On issues related to availability, the data about clients should be instantly available at all times (Pcmag). When filing returns for certain assets owned by a given customer, when making new deals, or when updating a client's books of accounts, the client's data should be available. However, without adequate access control, data is at risk of being deleted if it is in soft copy, or of being misplaced, stolen or destroyed if it is in hard copy. This makes the data unavailable and thus hinders some critical tasks from being performed. Interruptions that prevent normal activities from being carried out could translate to huge financial losses, dwindling productivity and loss of customers.

Recommendations

To guarantee the confidentiality, integrity and availability of the information, it is crucial to address both physical and logical access controls. Under physical access control, access to given offices, rooms, files or resources should be limited (Stolarski). Employees should only access the information needed to carry out their duties. Three kinds of factors can be used for authentication in physical access controls. The first is something one knows, that is, a password, a personal identification number (PIN), or just a phrase such as tango-Zulu-alpha. The second is something one has, that is, a key card, a secret key or an access badge. The third is something one is; this entails the use of fingerprints, voice scans, face scans, iris scans and other characteristics that can be verified by biometric measurement.

To heighten security, the firm can use multifactor authentication, whereby to access a given resource one has to pass through two or three levels of authentication, for example a face scan and a PIN. Also tied to physical controls, equipment such as computers, laptops or servers should be locked in very secure rooms. Guards can also be posted, as the most basic level of security, to prevent entry by unauthorized people.

Logical access controls are tools used to identify, authenticate and authorize users and to ensure non-repudiation (Abloy). These controls are used to restrict access to certain application systems, programs or soft-copy information (Techopedia). They are also used to complement physical access controls; for example, a door that requires a correct PIN to open is a physical control (the door) complemented by a logical control (the PIN). Therefore, at times there is only a thin line separating logical from physical access controls. A good example is swiping a key card to gain entry into a restricted room. The card is physical; it is swiped and checked against a database of the people authorized to enter that room. If the holder meets the clearance level the door opens; otherwise, it remains shut.

Logical access controls are also widely used alone; that is, isolated from physical controls through login mechanisms to allow access to soft copy material. GDS should, therefore, implement a mechanism that allows different users to access different resources, services, and privileges based on the requirements of their duties. This will minimize the number of people that can access or make changes to the most sensitive client information.
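The duty-based logical access control recommended above, as an added example that is not part of the original article: a deny-by-default permission check in which each role holds only the permissions its duties need, and the more sensitive actions additionally require the second authentication factor described earlier. The role names, permission names and sample users are constructed for illustration.

```go
package main

import "fmt"

// Permission names a single action on a GDS resource (constructed sample names).
type Permission string

const (
	ReadAccount   Permission = "account:read"
	UpdateAccount Permission = "account:update"
	ReadBackup    Permission = "backup:read"
)

// rolePermissions maps each duty-based role to the permissions it needs and no more.
var rolePermissions = map[string]map[Permission]bool{
	"advisor":      {ReadAccount: true},
	"accountant":   {ReadAccount: true, UpdateAccount: true},
	"backup-admin": {ReadBackup: true},
}

// sensitive lists permissions that additionally require a second authentication factor.
var sensitive = map[Permission]bool{UpdateAccount: true, ReadBackup: true}

// Session records who authenticated and whether a second factor (for example a PIN
// plus a face scan) was verified for this session. Roles are assumed to come from
// the firm's user directory.
type Session struct {
	User        string
	Roles       []string
	MFAVerified bool
}

// Allowed decides a request and returns the reason, so every decision can be logged.
// Unknown users, unknown roles and missing permissions all fall through to deny.
func Allowed(s Session, p Permission) (bool, string) {
	if s.User == "" {
		return false, "deny: unauthenticated"
	}
	for _, r := range s.Roles {
		if rolePermissions[r][p] {
			if sensitive[p] && !s.MFAVerified {
				return false, fmt.Sprintf("deny: %s needs MFA for %s", s.User, p)
			}
			return true, fmt.Sprintf("allow: %s via role %s", s.User, r)
		}
	}
	return false, fmt.Sprintf("deny: %s has no role granting %s", s.User, p)
}

func main() {
	alice := Session{User: "alice", Roles: []string{"advisor"}}
	bob := Session{User: "bob", Roles: []string{"accountant"}, MFAVerified: true}
	for _, req := range []struct {
		s Session
		p Permission
	}{{alice, ReadAccount}, {alice, UpdateAccount}, {bob, UpdateAccount}, {bob, ReadBackup}} {
		ok, why := Allowed(req.s, req.p)
		fmt.Println(ok, why)
	}
}
```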

Security domain

The limitation of access to resources and services, as the name suggests, falls under the security domain of access control.

Security concern: GDS does not have an implemented network security mechanism

Problem statement

GDS houses sensitive information systems holding data about its clients. Sensitive information such as account details happens to be one of the categories of information most sought after by hackers, and hackers will inevitably target an organization that is a custodian of such information. One way hackers can obtain that information is through the company's network. It is, however, concerning that GDS lacks adequate network security, so determined attackers can find their way into the network, giving them a channel to siphon off private customer details.

Risks and issues

There exist many gaps that can be exploited to get into an internal company network and access the client data. Attackers may target software vulnerabilities, attack the hardware or guess login credentials to systems. The sources of threats to this data can be external or internal. External threats come from individuals outside the organization who can use the internet to reach the organization's network. Internal threats come from people within the organization who know what is valuable, where it is kept and who can access it. They also know where the physical access to the information is. They may also be innocent employees who do not know they are unintentionally putting the organization at risk by visiting some sites, downloading some programs or opening attachments.

One of the attack methods is the exploitation of server operating system vulnerabilities. Attackers are keen to look for any bugs in systems, and some bugs have been found in server operating systems. Attackers need only find the IP address of the server, scan for an open SMB port where the vulnerability lies and throw multiple kinds of commands at it hoping one will succeed (Offensive-security). Such a vulnerability can enable an attacker to remotely access the command shell of the server. From there, they can reach the file, web or email servers, one of which is where GDS will have stored the sensitive client information. Attackers will thus be able to access, modify, destroy, publicize or misuse it.

Any successful attack could lead to information theft, manipulation of data, disruption or denial of services or even identity theft. This could result in catastrophic damage to the organization: endless court battles would ensue, direct financial losses would be suffered, customers would no longer want to do business with the firm, and the future of the company would not be so bright with all these issues on its shoulders.

Recommendations

The first recommendation to protect the internal network of GDS is the installation of firewalls. Firewalls decide what data gets into and out of the trusted internal network (intranet) from or to the untrusted external network (internet). Firewalls use intelligent ways to decide what kind of traffic to allow or reject. The best option when purchasing firewalls is next-generation firewalls. They are fitted with the traditional firewall mechanisms of packet filtering, proxies and stateful packet inspection, among others. They can also act as intrusion prevention systems by detecting and stopping suspicious activity on the organization's network. They also depend on more than their local database when deciding to reject traffic; they can read from external sources as well.

The second recommendation is the training of users. Internal users can be targeted to make an attack successful; they can be victims of social engineering, phishing, email viruses and so on. They need to be trained in how to protect themselves and the company network from attacks. The last recommendation is that operating systems should be updated to install the latest security patches, and antivirus programs should always be kept up to date.

Security Domain

The domain of this security concern is telecommunications and network security.

Security concern: GDS does not adequately secure its data

Problem statement

Sometimes the greatest hits to a system are not due to highly sophisticated attacks; they are the result of simple mistakes. GDS stores a wide range of customer data on its servers. To protect the availability of the information in case of a disaster, attack or accident leading to its destruction, GDS maintains backups of the information on external hard drives. At times, because of their workload, employees may decide to copy client data to their laptops or flash drives so that they can work from home. In unfortunate situations, the backup hard drives and employee laptops and flash drives may get lost, be stolen or otherwise fall into the wrong hands. GDS neither encrypts its data nor password-protects its backups. Therefore, anyone who obtains them can read the contents.

Risks and issues

In the wrong hands, the first risk is that client data can be disclosed to the public. To the dismay of many customers, their sensitive information will be visible to many eyes. This will mean that GDS failed to protect the privacy of client information that can be considered sacrosanct. This is a good reason for the client to drag GDS into court and win big in monetary compensation. The reputation of GDS will also have been soiled, and no other customer will want to do business with a firm that cannot protect sensitive information.

The second risk is that with this information in their hands, attackers have the leverage to demand massive amounts of money to remain silent; that is, they can ask for money in exchange for not doing the above. This translates directly to a significant financial loss, to operating in constant fear of future demands from the new custodians of customer data, and to living in doubt of what the attackers could do with such data in their hands.

Recommendations

The first recommendation is to encrypt all sensitive customer data. Encryption turns plaintext data into ciphertext, which is unreadable to everyone except the holder of the key to decrypt it. GDS should identify the most sensitive and private data, encrypt it and entrust the decryption key to a few trusted individuals. Data stored in backups, on flash drives or computers, and data in transit on the network should all be encrypted. That way, a lost device will not jeopardize the security and confidentiality of user data, and any data siphoned off in transit will be of no use since it will be in an unreadable state.

The second recommendation is to prohibit employees from copying any client data to their own devices or sending such data over their personal email. Employees can be quite reckless and might not necessarily feel the full force of the consequences of their actions. Also, employee devices and removable media should be password protected.

The third recommendation is to consider backing up data in the cloud. Since tech giants such as Microsoft and Google have made it possible to store data on their cloud servers, GDS should take this opportunity to move its backups to the cloud. Data in the cloud is safe, easy to access, cannot get lost and can quickly be used for recovery during emergencies.

Security Domain

The security domain that securing data falls under is cryptography.
