Estimating The Probability Of Loss


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

The description of LTX Corporation raises the following security concerns, which are categorized as follows:

Network Security

Physical Security

Insecure Data collection policy (Fax, Unencrypted e-mail)

Operating System security (Windows XP – easy to exploit)

Server update

In addition to the above categories, the server has to be updated to increase efficiency and to ensure the security of sensitive data. The following are the fundamental steps of the risk analysis approach.

Identifying Assets to Protect:

LTX Corp. provides payroll, tax-preparation and accounting services to its customers. The data it shares and processes is therefore sensitive and must not be accessible without authorization and access permissions. The most important asset for the company is this sensitive data (both the input from the customer and processed data such as Excel sheets, pay checks etc.). It requires a high level of protection, since it directly determines the financial outcome (Return on Investment) and the trust placed in the company.

Determining the Vulnerabilities:

The problem is that the company lacks physical security (no security cameras or security guards) and network security (no firewalls). This opens the door to many vulnerabilities, such as theft/sabotage/vandalism, a server crash caused by a DOS attack, and Man in the Middle attacks (client-side data is not encrypted). The server runs on UPS backup power, and a sudden server crash can lead to loss of sensitive data because the power supplied by the UPS lasts only a short time (there is no backup generator).

POTENTIAL VULNERABILITIES

| VULNERABILITIES | CAUSES |
| --- | --- |
| Theft/Sabotage/Vandalism | No security initiatives (cameras, guards etc.) |
| DOS/Smurf/SYN-Flood etc. | No firewalls (lack of network security) |
| Eavesdropping | E-mail messages not encrypted (Excel sheet) |
| Sensitive data loss | No central backup server (times of failure) |
| Session hijacking | Easy (no need of cookies) if logout is not made |
| Malware injection | Personal systems are allowed to use the same WIFI |
| Protocol-based attacks | Poor encryption standard (WEP) |
| Misusing the privilege | Administrator access granted for ease of use |
| Information disclosure | Insecure data collection (FAX) |
| Lack of OS security | Windows XP (easy to exploit, i.e. more vulnerable) |

Estimating the probability of loss:

From the observations made on LTX Corp., attacks exploiting the vulnerabilities or weaknesses in the existing system have a very high chance of occurring, with a Probability (=1). In general, if the Probability (=0) the problem can be forgotten, and if the Probability (=1) the problem has to be taken into immediate consideration to avoid loss of money, time and trust. One more key point is the lack of a strong policy for verifying the background information of employees on a timely basis to ensure security. This is important because an employee may become an "insider" due to motivators such as money, challenge, fame etc., and may also aid organized crime: since this is a finance-based company, there is a lot of money (paychecks) incoming and outgoing (courier). Crimes of this kind are common today and can lead to loss of trust and customer satisfaction, which can even bring down the company's market position and revenue (view points).

Computing Risk Exposure:

Risk Exposure= Impact * Probability

Risk Impact= cost in time/money/quality/reputation

Probability = how likely the event will occur?

A-Network Threats

B-Physical Threats

C- Others (Insider)

For example, let us assume that eavesdropping (stealing e-mail messages, passwords etc. by listening on the connection) has a 40% probability of occurring and that the organization would face a loss of $50,000. The risk exposure would then be $20,000, which can adversely affect revenue. The table below summarizes the vulnerabilities found, with their probability and loss in categories of Low, Medium and High.

| Category | Probability | Loss | Risk Exposure |
| --- | --- | --- | --- |
| A | High | High | High + High |
| B | High | High | High + High |
| C | Medium | High | Medium + High |

Identifying Control and their costs:

In terms of physical security, controls such as security guards, cameras, a backup generator and an additional backup server can be incorporated to reduce both the occurrence and the impact of risk, and so reduce the loss incurred. In terms of network security, configuring a firewall properly will reduce many of the network-based threats that arise from the absence of a firewall. In addition, the company can deploy an Intrusion Detection System, since its major activity is online (data sharing, data processing etc.). Beyond these, policy should strictly enforce proper logout, background verification, a strong encryption scheme and an updated server (security) in order to protect the sensitive data.

Determining Savings if controls are applied:

The savings can be in money, time or reputation, all of which have a direct impact on the company's ROI (Return on Investment). For example, LTX Corporation's primary business is finance-based services such as accounting and payroll processing, so if customers are convinced that their data is secure, the company will attract more customers, increasing revenue and market position. If the controls mentioned above are applied, they can greatly reduce the security risk factors underlying the system. The losses incurred can be prevented and the security can be trusted.
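The steps above (exposure, controls and their cost, savings) can be carried through as a small risk register. This is an added example, not part of the original essay: only the eavesdropping probability and loss come from the text, and every other figure, control cost and residual probability is a constructed assumption.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    category: str                # A = network, B = physical, C = others (insider)
    probability: float           # likelihood of the event, 0..1
    impact: float                # loss in dollars if the event occurs
    control: str
    control_cost: float          # cost of the control in dollars
    residual_probability: float  # likelihood once the control is in place

    def exposure(self) -> float:
        # Risk Exposure = Impact * Probability
        return round(self.impact * self.probability, 2)

    def residual_exposure(self) -> float:
        return round(self.impact * self.residual_probability, 2)

    def net_saving(self) -> float:
        # Exposure removed by the control, minus what the control costs.
        return round(self.exposure() - self.residual_exposure()
                     - self.control_cost, 2)

    def leverage(self) -> float:
        # Exposure removed per dollar spent; at 1.0 the control only breaks even.
        return round((self.exposure() - self.residual_exposure())
                     / self.control_cost, 3)

# Row 1 uses the essay's eavesdropping figures (40 %, $50,000). All other
# numbers, including every control cost, are constructed for illustration.
REGISTER = [
    Risk("Eavesdropping on e-mail", "A", 0.40, 50_000,
         "Encrypt customer e-mail", 4_000, 0.05),
    Risk("Theft of backup drive", "B", 0.20, 80_000,
         "Guards, cameras, smart cards", 12_000, 0.05),
    Risk("Insider fraud", "C", 0.10, 120_000,
         "Background verification", 3_000, 0.04),
]

def rank_controls(register):
    """Order risks so the control with the highest leverage comes first."""
    return sorted(register, key=lambda r: r.leverage(), reverse=True)

if __name__ == "__main__":
    for r in rank_controls(REGISTER):
        print(f"{r.category} {r.name:24} exposure ${r.exposure():>9,.0f} "
              f"-> ${r.residual_exposure():>8,.0f} with '{r.control}' "
              f"(net saving ${r.net_saving():>8,.0f}, "
              f"leverage {r.leverage():.2f})")
```
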

Suggestions for Improvement:

Things to do immediately:

Change in company current policy.

Each item below has two parts: why (the reason for change) and how (suggestions).

REASONS & SUGGESTIONS: The current policy does not check or verify the background information of existing employees. This is important because it can help prevent an "insider" within the organization and so avoid loss of money and reputation. Employees should strictly log out after work; automatic logout after office hours can help enforce this, with people working extra hours requesting access permission and then being granted it. These points should be included in the company's new policy and terms.

Change in access permission levels

REASONS & SUGGESTIONS: Currently every employee is given administrator privileges for ease of use. This is not good security practice, since an attacker can trick any one of the employees through a phishing attack, malware link or cross-site request forgery in order to gain credentials with administrator privileges. It is better to practice "ROLE-BASED" privileges. Security training is necessary for employees to learn their specific roles and to clarify what they are allowed to do (access) and not allowed to do (restrictions) in order to ensure security.

Should Incorporate Security-based Initiatives (Physical Security)

REASONS & SUGGESTIONS: The company currently lacks security mechanisms. This has to change, as there is a lot of sensitive information in the systems. The changes can be made by appointing security guards and introducing 24-hour surveillance; every employee should be given smart-card based access, and there should be a separate level of access for each door. Security is tightened for three main reasons: the sensitive data, the systems, and the data backup (external drive) kept in the safe in the manager's room. The manager's room should be even more secure (suggestion: biometric locks for added security, "Defense in Depth").

One more point concerns the LTX room cleaner, who does not work for the organization itself: the security guards should manually and thoroughly check him for any electronic items or documents before and after the maintenance work is done. The company should also be prepared for natural disasters. For example, a connection lost due to a tornado should not lose the data or the transaction in progress, but should save the information so it can be restarted later; likewise, in case of fire, extinguishers that do not harm the systems should be used.

Should Incorporate Network-based security (Firewalls, WPA, Network Security Expert)

REASONS & SUGGESTIONS: The first step in incorporating network-based security is to configure firewalls properly. The current system has no firewalls, which leaves an entry point for various kinds of malicious attacks such as DOS attacks, Smurf attacks, mail bombs etc. Note also that all the systems are connected to the same LAN switch, so a malicious code injection can affect all the systems instantaneously. This is highly possible since employees can bring their personal tablets and laptops: if one system is infected with malware, it can bring down all the systems connected to the LAN.

First: configure the firewall and appoint a network expert to carry out auditing measures that check for vulnerable systems (NMAP). Second: change the policy so that "personal systems should not be allowed", in order to protect sensitive data and prevent malware-based attacks. An attacker always tries to take advantage of weaknesses in the protocol in use, and the wireless connection currently uses "WEP", which has several deficiencies and a broken encryption standard. The suggestion is to use "Wi-Fi Protected Access (WPA)" instead to secure the sensitive data. Check that anti-virus updates are installed properly and configure the firewall on each employee system properly, as most recent attacks target weaknesses in mechanisms (factory defaults).

Changes in Data Collection and Interaction:

REASONS & SUGGESTIONS: The description makes clear that input data is collected by e-mail/fax and that the processed documents are sent by e-mail using the Microsoft encryption standard. A hashing algorithm can be employed to verify message integrity (CIA triad), so that information is not changed in transit.
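An integrity check on a processed file sent by e-mail, as an added example that is not part of the original essay. It goes one step beyond the text: a plain digest sent alongside the file only catches accidental corruption, so the example compares it with a keyed hash (HMAC-SHA-256). The sample payroll bytes are constructed, and the shared key is assumed to have been exchanged with the customer out of band.

```python
import hashlib
import hmac
import secrets

def sha256_hex(data: bytes) -> str:
    """Plain hash: anyone can recompute it for any content."""
    return hashlib.sha256(data).hexdigest()

def plain_hash_ok(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(sha256_hex(data), digest)

def make_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA-256): only holders of the key can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def tag_ok(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, avoiding a timing side channel.
    return hmac.compare_digest(make_tag(key, data), tag)

def demo() -> dict:
    key = secrets.token_bytes(32)  # assumed: shared with the customer out of band
    original = b"employee,net_pay\nE01,2150.00\nE02,2300.00\n"  # constructed
    altered = original.replace(b"2150.00", b"9150.00")  # changed in transit

    # Case 1: the digest travels in the same e-mail as the file, so whoever
    # changed the file can swap in a matching digest. The check still passes.
    swapped_digest = sha256_hex(altered)

    # Case 2: the sender attaches an HMAC tag. Without the key, neither the
    # old tag nor an unkeyed digest verifies against the altered file.
    genuine_tag = make_tag(key, original)
    return {
        "plain_accepts_altered": plain_hash_ok(altered, swapped_digest),
        "hmac_accepts_original": tag_ok(key, original, genuine_tag),
        "hmac_accepts_altered_old_tag": tag_ok(key, altered, genuine_tag),
        "hmac_accepts_altered_unkeyed": tag_ok(key, altered, swapped_digest),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
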

One more point: for usability, customers are not required to encrypt their data before sending it. This works against security, since attacks such as "Eavesdropping" and "Man in the Middle" become possible, aiming at credentials, plain-text messages and all other forms of sensitive data. Provide an option in the user interface for customers to encrypt the input data before sending it (using a well-known, good encryption standard). The sensitive data received by FAX is accessible to everyone, which is not good security practice. The best way is to appoint one person to collect the data arriving by FAX as hard copies.

This has to be enforced on the server side too: it is not advisable to share the data as plain text in databases. The downside is that selecting and retrieving data from an encrypted database is more complex than standard retrieval, since the encrypted data has to be converted into a readable form once retrieved.

In terms of security, databases should not contain plain-text information, or should be designed to restrict access such as count, sum etc., which can narrow down results to reveal sensitive information. The best suggestion is to reveal only partial information for miscellaneous queries (information gain). The bottom line is that sensitive data should never be revealed without proper access permissions or privileges.
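One way to restrict aggregates such as count and sum is a minimum query-set size check, shown here as an added example that is not part of the original essay. The table, its rows and the threshold of 3 are constructed assumptions, and `guarded_sum` is a hypothetical helper name.

```python
import sqlite3

MIN_QUERY_SET = 3  # assumed threshold, chosen for this small sample only

# Constructed sample rows: (employee, client, role, salary)
ROWS = [
    ("E01", "Acme", "clerk", 41000),
    ("E02", "Acme", "clerk", 43000),
    ("E03", "Acme", "clerk", 39000),
    ("E04", "Acme", "director", 150000),
    ("E05", "Birch", "clerk", 40000),
    ("E06", "Birch", "clerk", 42000),
]

def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE payroll "
                "(employee TEXT, client TEXT, role TEXT, salary INTEGER)")
    con.executemany("INSERT INTO payroll VALUES (?, ?, ?, ?)", ROWS)
    return con

def guarded_sum(con, client, role=None):
    """Return SUM(salary) for the filter, or None when fewer than
    MIN_QUERY_SET rows match and the total would describe too few people."""
    # The WHERE text is built from fixed fragments; values are bound parameters.
    where, params = "client = ?", [client]
    if role is not None:
        where += " AND role = ?"
        params.append(role)
    count, total = con.execute(
        f"SELECT COUNT(*), SUM(salary) FROM payroll WHERE {where}", params
    ).fetchone()
    if count < MIN_QUERY_SET:
        return None  # refuse: the aggregate would narrow down to individuals
    return total

if __name__ == "__main__":
    con = build_db()
    print("Acme total:      ", guarded_sum(con, "Acme"))              # 4 rows
    print("Acme clerks:     ", guarded_sum(con, "Acme", "clerk"))     # 3 rows
    print("Acme director:   ", guarded_sum(con, "Acme", "director"))  # 1 row
    print("Birch total:     ", guarded_sum(con, "Birch"))             # 2 rows
```

A size threshold on its own does not cover overlapping queries whose permitted totals differ by a single row, so it is normally combined with query auditing or with the partial disclosure the essay suggests.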

Changes in Software and Backup power:

REASONS & SUGGESTIONS: The first thing to do is to install a backup generator to ensure a consistent power supply in case of failure. This can help prevent data loss and transaction loss during a power failure, since the server currently relies on a UPS battery for backup, which is unreliable. The second thing is to have a backup server for such scenarios to ensure business continuity, and an incident response team to resolve issues after an event occurs. Security patches have to be checked constantly, rather than once a month, to avoid new threats and their impact on the server.

From the business point of view, the LTX computer systems run WINDOWS XP, OFFICE 2007 and OUTLOOK EXPRESS, which are all outdated versions. WINDOWS XP is more vulnerable to many attacks and is also easy to exploit. Separate communicator products can be purchased and used for communication inside the office, which is common practice. The problem is that the company is currently using outdated versions; to avoid the systems being vulnerable, all released patches have to be applied. Moving to newer versions would be a better choice, because they have the past vulnerabilities removed and can then be constantly updated against the latest threats and vulnerabilities found.

Long-Term Improvements

Developing a Business Case:

The following diagram follows the steps mentioned below:

Identify the problems. Example: Network-based, Physical security, Weak Policy etc.

Suggest the solutions to counter the problem.

Describe the way in which solution can handle the encountered problem.

Compare the solutions in terms of cost, time (i.e.) to identify which is appropriate and feasible approach among the proposed solutions.

Select the appropriate solution

Why does LTX Corp. need a security expert or an officer?

REASONS: A security expert can help the organization's security in various ways, such as creating a security plan, checking that the underlying systems are secured by reviewing the current state of the system, aiding in developing security measures, and changing policies to enforce security. The security expert can also promote security awareness and the best practices to be followed (security training).

Why is a review of access control mechanisms needed?

REASONS: The problem here is that there is no central backup, and all the employees have permission to access a shared common folder which holds the data. Since every employee is given administrator-based access, anyone can make unauthorized changes to the folder, such as deleting data (affecting Availability), modifying data (affecting Integrity), and making unauthorized changes that affect the confidentiality of data. The solution can be a role-based access mechanism, i.e. restricting access and granting the least privilege needed to perform an action. This can be done by creating a central backup with proper administration support to ensure the CIA triad.

Why is a software update necessary for LTX systems?

REASONS: The observations show that LTX systems are running on the Windows XP platform, on which the time to infect and exploit is less than five minutes. An attacker can exploit any one of the vulnerabilities in the underlying system to steal sensitive data, and can also use it for malicious activity by very easily turning a system into a zombie computer.

This is compounded by anti-virus programs and firewalls running with factory default settings. Although secure-by-default is the best approach, the underlying software (anti-virus) cannot be trusted simply because it is secured by default. Self-auditing will help overcome this issue by applying the latest patches released to defend against new viruses or any other malicious activity.

The best solution is to update the OS to the latest version, where the past vulnerabilities have been fixed, and to look for updates against the latest threats; from the production point of view, it will also increase the efficiency and performance of the system compared with older versions.

Why does the server have to be updated for LTX systems?

REASONS: The server mentioned is Windows Server 2005, but the problem is that it is 4 years old, which might have a direct impact on efficiency (performance), i.e. the number of transactions or authentications, processing speed etc. Once the server is updated, it will have both hardware and software tuned to the latest versions, with all patches applied, so that it performs well against several kinds of threats and handles volumes of sensitive data faster.

From the customer's point of view, customer satisfaction can be guaranteed by quicker responses during file access and by preventing degradation of service due to the latest threats. This ensures business continuity, adding reliability to the system and high availability (24*7) from the business point of view.


