Mini-Case 1: Belmont State Bank – Chapter 11
Belmont State Bank's current computer system is virtually wide open to attack from external or internal sources because of its password requirements. That is the first thing that jumped out when reading the scenario. A four-digit numeric password is probably the easiest type of password there is to crack, and if not the easiest, certainly one of the easiest: there are only 10,000 possible values, so even an inexperienced attacker can try every one of them in well under a minute against a stolen password database, and in a few hours online if the system does not lock the account after a handful of failed attempts. Belmont State Bank should require a password of at least six to eight characters containing upper-case and lower-case letters, at least one number, and at least one special character. (Vanin, 2012)
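The following Python program is an added example for this case, not part of the original write-up or of any Belmont State Bank system. It demonstrates the two claims above: a four-digit numeric PIN can be exhausted in a fraction of a second once its hash is stolen, and a policy check for the recommended mixed-character password. The storage format (a salted SHA-256 of the PIN), the sample PIN "7391", the 94-symbol printable-ASCII alphabet and the guess rates are all assumptions made for the illustration; a real system should store secrets with a slow KDF such as bcrypt or Argon2, which these rate figures do not reflect.

```python
"""Why a four-digit numeric PIN falls in seconds, and what the proposed
password policy buys instead.

Added example for the Belmont State Bank case; not part of the original
write-up. Assumptions: the bank stores a salted SHA-256 of the PIN (a real
system should use a slow KDF such as bcrypt or Argon2), and the guess rates
used for the time estimates are illustrative.
"""
import hashlib
import itertools
import re
import string

# Constructed sample record: a fixed salt and the hash of the PIN "7391".
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
STORED_PIN_HASH = hashlib.sha256(SALT + b"7391").hexdigest()


def hash_secret(secret: str, salt: bytes = SALT) -> str:
    """Salted SHA-256, the assumed storage format for this example."""
    return hashlib.sha256(salt + secret.encode()).hexdigest()


def crack_numeric_pin(target_hash: str, digits: int = 4, salt: bytes = SALT):
    """Exhaust every numeric PIN of the given length against a stolen hash.

    Returns (pin, guesses_needed), or (None, total_keyspace) if nothing matched.
    """
    for guesses, combo in enumerate(
        itertools.product(string.digits, repeat=digits), start=1
    ):
        candidate = "".join(combo)
        if hash_secret(candidate, salt) == target_hash:
            return candidate, guesses
    return None, 10 ** digits


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


# Character classes required by the proposed policy.
_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def policy_violations(password: str, min_length: int = 8) -> list:
    """List the policy rules a password fails; an empty list means it passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    for name, rx in _CLASSES.items():
        if not rx.search(password):
            failures.append(f"missing {name} character")
    return failures


def meets_policy(password: str, min_length: int = 8) -> bool:
    return not policy_violations(password, min_length)


if __name__ == "__main__":
    pin, tries = crack_numeric_pin(STORED_PIN_HASH)
    print(f"recovered PIN {pin} after {tries} guesses")
    # Offline, hash leaked: a laptop does millions of SHA-256 per second.
    print("4-digit PIN, offline at 1e6 guesses/s:",
          f"{seconds_to_exhaust(4, 10, 1e6):.4f} s")
    # Online with no lockout: one guess per second still finishes in hours.
    print("4-digit PIN, online at 1 guess/s:",
          f"{seconds_to_exhaust(4, 10, 1.0) / 3600:.1f} h")
    # Eight characters over 94 printable ASCII symbols, offline at 1e9 guesses/s.
    print("8-char complex password at 1e9 guesses/s:",
          f"{seconds_to_exhaust(8, 94, 1e9) / 86400:.0f} days")
    for pw in ("7391", "belmontbank", "Belm0nt!Bank"):
        print(pw, "->", policy_violations(pw) or "passes policy")
```

The time estimates are worst-case exhaustive searches; on average an attacker finds the PIN after half the keyspace. The lockout caveat matters as much as the length: an eight-character policy with unlimited online guessing still leaves the bank exposed to guessing of common passwords.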
The next concern is the dial-up network, which raises significant alarm where the security of the networks is concerned. Dial-up networking has severe security limitations. With today's security processes, downloading the updates provided by anti-virus vendors over a dial-up line can take hours. It is also much more difficult to have an effective firewall in place, because a dial-up connection is very unlikely to pass through a router that filters traffic; a dial-up host is generally exposed directly to the world once the connection to the Internet is complete. Finally, an infection on a dial-up device is usually much more difficult to detect and clean than one on a broadband device, since the slow link hampers downloading updates and scanning tools. (Morales, 2006)
The potential problems of multi-vendor networks come into play with the Bank's use of a variety of client computers and ATMs. Is there really a security problem when a variety of vendors' equipment (computers, servers, routers, etc.) is used in the network? There may not be, but it must be considered in any risk assessment. The following questions need to be considered when choosing between a multi-vendor and a single-vendor network:
1. How important is having a single vendor to your organization?
2. Is the IT budget an issue?
3. What is the remaining life-span of the current network equipment?
4. Is the decision long-term or short-term?
5. Will training be required?
6. Is compatibility a deciding factor?
These are just some of the considerations that must be addressed during the risk assessment for the Bank's network security. (Kobuszewski, 2012)
Assessing the previous considerations is just the beginning of a thorough risk assessment. This brings us to the point of developing a control spreadsheet and defining the assets and threats more concisely. To be sure that the data communication network and microcomputer workstations have the necessary controls, and that these controls offer adequate protection, the following spreadsheet was developed for Belmont State Bank as a base point from which to outline the possible threats to the Bank's network.
Figure 1: Belmont State Bank Control Spreadsheet
Locally operated circuits
Internet access circuits
Server software and configuration settings
Operating systems and configuration settings
Application software
Server software for web servers
Server software for transaction server
Figure 2: Types of assets
Identify Bank Threats - A threat to the data communication network is any potential adverse occurrence that can do harm, interrupt the systems using the network, or cause a monetary loss to the organization. While threats may be listed in generic terms (e.g., theft of data, destruction of data), it is better to be specific and use actual data from the organization being assessed (e.g., theft of customer credit card numbers, destruction of the...
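As an added example for the control spreadsheet and threat identification described above, not part of the original write-up and not a reproduction of Figure 1 (whose contents do not appear on this page), the following Python program builds the spreadsheet with the assets from Figure 2 as columns, the specific threats the text names as rows, and controls in the cells. Its purpose is the check a practitioner wants from such a spreadsheet: every asset/threat cell with no control and no recorded "not applicable" decision is reported as a gap. The starting controls (a firewall, encryption of stored card numbers, anti-virus updates, account lockout) and which cells they cover are illustrative assumptions, not findings from the case.

```python
"""Control spreadsheet for the Belmont State Bank risk assessment.

Added example; not part of the case write-up. The assets are the ones listed
in Figure 2 and the threats are the specific ones the write-up names. The
starting controls, and which asset/threat pairs they cover, are illustrative
assumptions.
"""
from collections import defaultdict

NOT_APPLICABLE = "n/a"

# Assets from Figure 2 of the write-up.
ASSETS = [
    "Locally operated circuits",
    "Internet access circuits",
    "Server software and configuration settings",
    "Operating systems and configuration settings",
    "Application software",
    "Server software for web servers",
    "Server software for transaction server",
]

# Threats named specifically in the write-up, as the text recommends.
THREATS = [
    "theft of customer credit card numbers",
    "guessing of four-digit numeric passwords",
    "malware infection over dial-up connections",
]

# Assumed starting controls (illustrative, not from the case).
INITIAL_CONTROLS = {
    ("Internet access circuits", "theft of customer credit card numbers"):
        ["packet-filtering firewall on the Internet circuit"],
    ("Server software for transaction server", "theft of customer credit card numbers"):
        ["encryption of stored card numbers"],
    ("Operating systems and configuration settings", "malware infection over dial-up connections"):
        ["anti-virus with scheduled signature updates"],
}


class ControlSpreadsheet:
    """Rows are threats, columns are assets, cells list the controls in place."""

    def __init__(self, assets, threats, controls=None):
        self.assets = list(assets)
        self.threats = list(threats)
        self.cells = defaultdict(list)
        for (asset, threat), names in (controls or {}).items():
            for name in names:
                self.add_control(asset, threat, name)

    def _check(self, asset, threat):
        if asset not in self.assets or threat not in self.threats:
            raise KeyError(f"unknown asset/threat pair: {asset!r}, {threat!r}")

    def add_control(self, asset, threat, control):
        self._check(asset, threat)
        cell = self.cells[(asset, threat)]
        if cell == [NOT_APPLICABLE]:
            cell.clear()  # a real control supersedes an n/a marker
        cell.append(control)

    def mark_not_applicable(self, asset, threat):
        """Record a deliberate decision that the threat cannot affect the asset,
        so the empty cell is no longer reported as a gap."""
        self._check(asset, threat)
        self.cells[(asset, threat)] = [NOT_APPLICABLE]

    def controls_for(self, asset, threat):
        return list(self.cells.get((asset, threat), []))

    def uncontrolled_pairs(self):
        """Asset/threat cells with neither a control nor an n/a decision."""
        return [(a, t) for a in self.assets for t in self.threats
                if not self.cells.get((a, t))]

    def coverage(self):
        """Share of applicable cells that have at least one control."""
        applicable = [(a, t) for a in self.assets for t in self.threats
                      if self.cells.get((a, t)) != [NOT_APPLICABLE]]
        controlled = [p for p in applicable if self.cells.get(p)]
        return len(controlled) / len(applicable) if applicable else 1.0

    def render(self):
        lines = []
        for threat in self.threats:
            lines.append(f"Threat: {threat}")
            for asset in self.assets:
                cell = self.controls_for(asset, threat)
                lines.append(f"  {asset:<48} {'; '.join(cell) or '<<GAP>>'}")
        return "\n".join(lines)


if __name__ == "__main__":
    sheet = ControlSpreadsheet(ASSETS, THREATS, INITIAL_CONTROLS)
    sheet.mark_not_applicable("Locally operated circuits",
                              "guessing of four-digit numeric passwords")
    sheet.add_control("Application software", "guessing of four-digit numeric passwords",
                      "account lockout after failed attempts")
    print(sheet.render())
    print(f"\n{len(sheet.uncontrolled_pairs())} gaps, coverage {sheet.coverage():.0%}")
```

Distinguishing an empty cell from a recorded "not applicable" decision is the point of the check: a gap is a cell nobody has looked at, while an n/a cell is a documented judgment that can be revisited when the threat list changes.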