Grey Dog Service (GDS), Security Concerns and Mitigations
Security Concern: GDS does not Have Adequate Restriction of Access to Resources and Services
Being an Asset Management firm, Grey Dog Service (GDS) undeniably handles the most secretive data of their clients. This is data about the account details, personal information, and other very sensitive information should not be accessible by everyone. As a matter of fact, this information should be accessed by the least of people in the organization.However, GDS lacks adequate access controls to protect this information fully. This means that it cannot guarantee of the CIA triad of information. This is the confidentiality, integrity and availability of information (Docs.oracle).
Risks and Issues
On issues related to confidentiality, the private client information at GDS is at risk of being accessed by unauthorized people, being spread or disseminated by the unauthorized people to unauthorized people (Park). Clients trust that their personal data remains private, and they would not be the happiest people if any of the mentioned risks does occur on their data. Should their private information be exposed, they can slap the asset management firm with a lawsuit; the lawsuit could lead to fines, monetary loss, loss of customer loyalty and loss of reputation.
On issues related to integrity, the sensitive information is at risk of being modified by unauthorized people, fabrications from attackers or some data being deleted by attackers (Stringfellow). Clients trust that their information stored at GDS is indeed correct and is not interfered with. They would be most disappointed if their data is changed in the slightest way or falsified data being added to their records. Should the integrity of their information be compromised, clients can sue GDS, clients can demand some compensation, attackers could ask for huge amounts of ransom to return stolen data or not to publicize it, and all these scenarios place GDS at the losing end.
On issues related to availability, the data about clients should be instantly available at all times (Pcmag). When filing returns for certain assets owned by a given customer, when making new deals, when updating a client’s books of accounts, the client's data should be available. However, without adequate access control, data is at the risk of being deleted if it is in soft copy, misplaced, stolen or destroyed if it is in hard copy. This makes the data unavailable thus hindering some critical tasks from being performed. Interruptions deterring carrying out of normal activities could translate to huge financial losses, dwindling productivity and loss of customers.
To guarantee the affinity, availability, and integrity and of the information, it is crucial to address both the physical and logical access controls. Under physical access control, the access to given offices, rooms, files or resources should be a limited (Stolarski). Employees should only access information needed to carry out their duties. Three important things can be used for authentication in physical access controls. The first one is something one knows, that is, a password combination, a personal identification number (PIN), or just a phrase such as tango-Zulu-alpha. The second one is something one has; that is, a key card, a secret key or an access badge. The third one is something that one is; this entails the use of fingerprints, voice scans, face scans, iris scans and others that can be verified using biometric measurements.
To heighten the security, the firm can use multifactor authentication whereby, for one to access a given resource he or she will have to pass through 2 or 3 levels of authentication.For example, a face scan and a pin number. Also tied to physical controls, equipment such as computers, laptops or servers should be locked in very secure rooms. Also, guards can be put in place to prevent entry by unauthorized people at the very least level of security.
On matters logical access controls, they are tools that used to identify, authenticate and authorize users and to ensure non-repudiation (Abloy). These controls are used to restrict access to certain application systems, programs or soft copy information (Techopedia). They are also used to compliment physical access controls, for example, a door that requires a correct PIN to open is a physical control (the door) complimented by a logical control (the PIN). Therefore, at times there is only a thin line separating logical access from physical access controls. A good example is swiping a key card to gain entry into a restricted room. The card is physical; it is swiped and read against a knowledge base of the authorized people that can enter that room. If the holder meets the clearance level, the door is opened else; it remains shut.
Logical access controls are also widely used alone; that is, isolated from physical controls through login mechanisms to allow access to soft copy material. GDS should, therefore, implement a mechanism that allows different users to access different resources, services, and privileges based on the requirements of their duties. This will minimize the number of people that can access or make changes to the most sensitive client information.
The limitation of access to the resources and services, as the name suggests falls under the safety area of access control.
Security concern: GDS does not have an implemented network security mechanism
GDS houses sensitive information systems about their clients. Sensitive information such as account details happens to be one of the categories of most sought after information by hackers. Hackers will inevitably target an organization that is a custodian of information. One way hackers can obtain that information is through the company's network. It is, however, concerning that GDS lacks adequate network security and thus determined attackers can find their way into the network giving them a channel to siphon the private customer details.
Risks and issues
There exist many gaps that can be exploited to get into an internal company network and access the client data. The attackers may target some software vulnerabilities, attack the hardware or guess some login credentials to systems. The sources of threats to this data can be external or even internal. External threats are from individuals outside of the organization but can use the internet to get to the organization’s network. Internal threats are from people within the organization who know what is valuable, where it is kept and who can access it. They also know where the physical access to the information is. They may also be innocent employees whose poor souls do not know they are unintentionally putting the organization at risk by visiting some sites, downloading some programs or opening attachments.
One of the attack methods is the exploitation of server operating system vulnerabilities. Attackers are keen to look for any bugs in systems. Some bugs have been found in some server operating systems. Attackers need only to find the IP address of the server and scan for an open SMB port where the vulnerability is and throw multiple types of commands at it hoping one will succeed (Offensive-security). The vulnerability can enable an attacker remotely access the command shell of the server. From the tank, they can access the file, the web or email servers. One of these is where GDS will have stored the sensitive client information. Attackers will thus be able to access, modify, destroy, publicize or use it inappropriately.
Any successful attack carried out could lead to information theft, manipulation of data, disruption or denial of services or even identity theft. This could result in catastrophic damages to the organization. Endless court battles will ensue, direct financial losses will be suffered, customers will no longer want to do business with the firm and the future of the company will not be so bright with all these issues on its shoulder.
The first recommendation to protect the internal network of GDS is through the installation of firewalls. Firewalls decide what data gets in and out of the trusted internal network (intranet) to or from the untrusted external network (internet). Firewalls use intelligent ways to make decisions on the kind of traffic to allow or reject. The best option when purchasing firewalls is by using next generation firewalls. They are fitted with the traditional firewall mechanisms of using packet filtering, proxies, and stateful packet inspection among others. They can also act as intrusion prevention systems by detecting and stopping suspicious activities on the organization network. They also depend on more than their local database to draw their decisions of rejecting traffic; they can read from external sources as well.
The second recommendation is the training of users. Internal users can be targeted to make an attack successful. They can be victims of social engineering, phishing, email viruses and so on. They are required to be trained on how to protect themselves and the company network from attacks. The last recommendation is that operating systems should be updated to install the latest security patches, and antivirus programs should always be kept up to date.
The domain of this security concern is telecommunications and network security.
Security interest: GDS does not adequately secure its data
Sometimes the greatest hits to a system are not due to highly sophisticated attacks; they are the results of simple mistakes. GDS has stored a wide range of customer data in its servers. To protect the availability of the information in the case of a disaster, attack or accidents leading to the destruction of the information, GDS maintains backups of the information in external hard drives. At times, due to work logs, employees may decide to copy client data to their laptops or flash drives to be able to work from home. In unfortunate situations, the backup hard drives and employee laptops and flash drives may get lost, get stolen or even fall into the wrong hands. GDS neither encrypts its data, nor does it have password protection on its backups. Therefore, any fair-minded person can be able to read the contents.
Risks and issues
In the wrong hands, the first risk is that client data can be disclosed to the public. To the dismay of many customers, their sensitive information will be visible to many eyes. This will mean that GDS failed to protect the privacy of the client information that can be considered to be sacrosanct. This is a good reason for the client to drag GDS into courts and win big regarding monetary compensation. The reputation of GDS will have also been soiled, and no other customer will want to engage in business with the firm that cannot protect sensitive information.
The second risk is that with this information in their hands, attackers have the leverage to ask for massive amounts of money to remain silent. That is, they can ask for money so as not to do the above mentioned. This translates directly to a significant financial loss, operating in constant fear of future demands from the new custodians of customer data and also living in doubt of what the attackers could do with such kind of data in their hands.
The second recommendation is to encrypt all sensitive customer data. Encryption turns plain text data to cipher text. The cipher text is unreadable to everyone save for the holder of a key to decrypt it. GDS should identify the most sensitive and private data, encrypt it and entrust the decryption key with a few very holistic individuals. Data stored in backups, flash drives or computers and data in transit on the network should be encrypted. That way, any lost device will not jeopardize security and confidentiality of user data. Any data siphoned during transit will also be of no use since it will be in an unreadable state.
The second recommendation involves making it illegal for employees to copy any client data to their devices or sending such data over their personal emails. Employees can be quite reckless and might not necessarily feel the full blow of the consequences of their actions. Also, employee devices and removable media should be password protected.
The third recommendation is to consider backing up data in the cloud. Since tech giants such as Microsoft and Google have made it possible to store data on their cloud servers, GDS should take this opportunity to transfer their backups to the cloud. Data in the cloud is safe, easy to access, cannot get lost and can be quickly be used for recovery during emergencies.
The security domain that securing data falls under is cryptography.