You are the Chief Security Officer, hired by COO Mike Willy, to protect the physical andoperational security of GFI’s corporate information systems.

GLOBAL FINANCE, INC. (GFI)

Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers.

The diagram below displays the executive management team ofGFI:

BACKGROUND AND YOUR ROLE

You are the Chief Security Officer, hired by COO Mike Willy, to protect the physical andoperational security of GFI’s corporate information systems. Shortly after starting in your new position, you recognize numerous challenges that you will be facing in this pursuit.

Your primary challenge, as is usually the case, is less technical and more of a political nature. CEO John Thompson has been swept up in the “everything can be solved by outsourcing” movement. He believes that the IT problem is a known quantity and feels the IT function can be almost entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department. In fact, the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Based on this vision, the CEO has already begun downsizing the IT department and recently presented a proposal to his senior management team outlining his plan to greatly reduce the internal IT staff in favorof outsourcing. He plans on presenting this approach to the Board of Directors as soon as he has made a few more refinements in his presentation.

COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology services combined with a diminishing IT footprint gravely concerned Mike Willy, and he begged to at least bring in an Information Security expert with the experience necessary to evaluate the current security of GFI’s infrastructure and systems. The COO’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of GFI’s information systems were compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess

COO Willy has reasons for worrying. GFI has experienced several cyber-attacks from outsiders over the past a few years:

• In 2013, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availabilityforseveral days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputation. GFI ended up paying its customers a large sum of settlement for their loss of data confidentiality.

CORPORATE OFFICE NETWORK TOPOLOGY

The diagram on the following page displays GFI’s Corporate Office Topology.

The GFI network infrastructure consists of a corporate WAN spanning 10 remote facilities that are interconnected to the GFI headquarters’ central data processing environment. Data is transmitted from a remote site through a VPN gateway appliance that forms a VPN tunnel with the VPN gateway in headquarters. Through this VPN connection, remote office users access the internal Oracle database to update the customer data tables. Through your inspection of the VPN configuration you discover that the data transaction traversing the remote access connection to the corporate internal databases is not encrypted.

Users are authorized to work from home and both dial-up and VPN remote access are available. Dial-up is provided via Private Branch Exchange (PBX) and a Remote Access Server and VPN remote access is provided via the VPN gateway. Authentication is password-based via MS-CHAP V2. Users are also able to take advantage of GFI’s Bring Your Own Device (BYOD) policy and a Wireless antenna allows wireless networking within headquarters. WEP is used to provide wireless security to BYOD users

The network perimeter between the Internet and GFI’s internal network infrastructure is separated by two Border (Core) Routers. These Border Routers then connect to two Distribution Routers and the VPN Gateway. The Distribution Routers connect to a RAS Server, a Wireless Router that provides a bridge between the Wireless Antenna and the internal network, and two Multi-layer switches. The Multilayer switches connect to six (6) Access Layer VLAN switches that segregate the Accounting, Loan Dept, Customer Services, Mgmt, Credit Dept, and Finance VLANs. The Multi-layer switches also connect to a third Multi-layer switch that provides a connection to GFI’s servers in the Trusted Computing Base subnet.

The trusted computing based (TCB) internal network is situated in a physically separated subnet. A bulk of the data processing for GFI is handled by an Oracle database on a high end super computer located in the TCB and the TCB also contains an intranet web server used by the internal support team, a Software Update Services (SUS) server used for patch management, an internal DNS server, an e-mail server, and other support personnel workstations. Although each corporate department is segregated physically on a different subnet, they share access to the corporate data in the TCB network