
Belmont State Bank, with its current computer system, is virtually wide open to attack from external or internal sources because of its password requirements. That is the first thing that jumped out when reading the scenario. A four (4) digit numeric password is probably the easiest type of password there is to crack, and if not the easiest, it is certainly one of the easiest; it would probably take less than one minute for even an inexperienced hacker to crack one. Belmont State Bank should require at least a 6 to 8 character password containing upper-case and lower-case letters, at least 1 number, and at least 1 special character (Vanin, 2012). The next concern is the dial-up network, which causes significant alarm where the security of the networks is concerned. There are severe limitations to the security of dial-up networking. With today's security processes, it takes excessive time, in terms of hours, to download the updates provided by AV vendors. It is much more difficult to have an effective firewall in place because dial-up services are very unlikely to be routed through a router. A dial-up connection is generally exposed to the world once the connection to the Internet is complete. Finally, if there is an infection on the dial-up device, it is usually much more difficult to detect and clean than on a broadband device (Morales, 2006). The potential problems of multi-vendor networks come into play with the Bank's use of a variety of client computers and ATMs. Is there really a problem with security when using or including a variety of vendors' equipment (computers, servers, routers, etc.) in the network? There may not be a problem, but it must be considered in any risk assessment. The following questions need to be considered when choosing between multi-vendor or single-vendor networks:

Our textbook defines risk assessment as "the process by which one identifies threats, uses a methodology to determine the tangible or intangible exposures, and develops a sequenced list of the threats from the one having the highest risk to the one having the lowest risk."

Belmont State Bank is dealing with financial accounts and transactions that are distributed over hundreds of branches through a central processing system in the headquarters. Data security is the ultimate goal in this case, and all efforts should be concentrated on protecting confidentiality, integrity, and availability. The critical elements here are: a) the customers' and the Bank's data; b) the network.

My risk assessment will be based on this fact and on the possible threats that may endanger one or more of the CIA requirements. Threats can be natural causes that affect continuity, or intentional attempts to gain unauthorized access to the bank's vital data; accordingly, the controls will be relative to the type and severity of those threats. The vulnerable areas in the bank's network that can be the target of a security breach are:
1. Branch connection circuits (dedicated or dial-up)
2. Clients' computers
3. Tellers' computers
4. The ATM connections
5. The Bank's central server and network

With reference to the statistical information in chapter 11 of our textbook (1), which summarizes the average frequency of the common threats and the average dollar loss, we can build our risk assessment matrix as shown below. The controls are meant to help prevent the threat if possible, and/or to minimize loss and provide alternatives that will guarantee continuous service.

Regarding the safety of vital data, the Bank needs to give more attention to its security systems: strong authentication and secure, encrypted communications. Tellers' terminals need strong passwords (long and alphanumeric) with frequent forced password changes. On the other hand, to secure the hardware functions against disasters or sabotage, the Bank must consider redundant equipment and network components, probably a RAID system, in the headquarters, and ready-to-work terminals, ATMs, and other components. They should also consider alternative providers in case of network breakdown. Using backup power supplies (generators) might be an expensive solution, but in areas with a high risk of natural disasters it might be feasible; using UPSs can also be a good idea to protect data from short power outages.
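The password policy recommended above for Belmont State Bank (at least 6 to 8 characters with upper- and lower-case letters, a digit and a special character, instead of the current four-digit numeric password) can be written as a checker, and the keyspace arithmetic shows why the four-digit form is so weak. This is an added example, not code from the essay or its sources; the 6-character minimum and the alphabet sizes are assumptions taken from the text.

```python
import math
import string

# Policy from the essay's recommendation (assumed minimum length of 6, the lower bound given).
MIN_LENGTH = 6
SPECIALS = set(string.punctuation)


def check_password_policy(pw: str) -> list[str]:
    """Return the policy rules the password violates; an empty list means it complies."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in SPECIALS for c in pw):
        failures.append("no special character")
    return failures


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the given alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


# Alphabet sizes: 10 digits for the current numeric password; 94 printable ASCII
# characters (26 + 26 + 10 + 32 punctuation) for the recommended mixed policy.
DIGITS_ONLY = 10
PRINTABLE_ASCII = 26 + 26 + 10 + len(string.punctuation)

if __name__ == "__main__":
    for pw in ("1234", "Bank2024", "Bank#2024"):
        print(pw, "->", check_password_policy(pw) or "compliant")
    print("4-digit numeric:", keyspace(DIGITS_ONLY, 4), "possibilities,",
          f"{entropy_bits(DIGITS_ONLY, 4):.1f} bits")
    print("8-char mixed:", keyspace(PRINTABLE_ASCII, 8), "possibilities,",
          f"{entropy_bits(PRINTABLE_ASCII, 8):.1f} bits")
```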

1. Fitzgerald. Business Data Communications and Networking, 10th Edition. John Wiley & Sons.

2. Behrouz A. Forouzan (2007). Data Communications and Networking, Fourth Edition. McGraw-Hill Higher Education.

Risk Assessment Matrix

Threats (columns):
Disruption, Destruction, Disaster: Natural Disasters; Fire; Flood; Power Loss; Circuit Failure; Virus
Intrusion: External Intruder; Internal Intruder; Eavesdrop; Theft

Assets (rows): Central Server; Central Bank Data; Dedicated Circuits; Dial-up Telephone Network; Client Computers; ATMs; Tellers' Computers; Branches' Daily Data

Each cell of the matrix lists, by number, the controls from the list below that apply to that asset against that threat. [The cell-by-cell layout of the matrix is not reproduced here.]

CONTROLS
1. Disaster recovery plan
2. Firefighting system
3. Sprinkler system
4. Over ground level
5. Backup generators
6. Uninterruptible power supply
7. Anti-virus software
8. Strong passwords
9. Firewall
10. Alternative phone lines
11. Alternative dedicated lines
12. Premises physical security
13. Power redistribution plan
14. Alternative backbone
15. Security measures training
16. Strong authentication
17. Use message integrity protocols
18. Fully encrypt communications (IPsec)
19. Data backup system
20. Use restricted ACLs on data stores
21. Backup equipment
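As an added example (not the author's matrix: the cell contents below are constructed for two assets only, while the control numbers and threat columns are the essay's), the matrix can be kept as data and checked mechanically: every cell must reference a control that exists, every asset/threat pair with no control is reported as an unmitigated risk, and the controls are ranked by how many cells they cover.

```python
from collections import Counter

# Controls as numbered in the essay's Risk Assessment Matrix.
CONTROLS = {
    1: "Disaster recovery plan", 2: "Firefighting system", 3: "Sprinkler system",
    4: "Over ground level", 5: "Backup generators", 6: "Uninterruptible power supply",
    7: "Anti-virus software", 8: "Strong passwords", 9: "Firewall",
    10: "Alternative phone lines", 11: "Alternative dedicated lines",
    12: "Premises physical security", 13: "Power redistribution plan",
    14: "Alternative backbone", 15: "Security measures training",
    16: "Strong authentication", 17: "Message integrity protocols",
    18: "Fully encrypted communications (IPsec)", 19: "Data backup system",
    20: "Restricted ACLs on data stores", 21: "Backup equipment",
}
# Threat columns of the matrix, in the essay's two groups.
THREATS = ["Natural Disasters", "Fire", "Flood", "Power Loss", "Circuit Failure", "Virus",
           "External Intruder", "Internal Intruder", "Eavesdrop", "Theft"]

# Constructed sample cells for two assets (illustrative; not the author's actual entries).
SAMPLE_MATRIX = {
    "Central Server": {
        "Fire": {1, 2, 21}, "Flood": {1, 4}, "Power Loss": {5, 6, 19}, "Virus": {7, 15},
        "External Intruder": {8, 9, 15, 16}, "Eavesdrop": {17, 18, 20}, "Theft": {12, 19, 21},
    },
    "Dial-up Telephone Network": {"Circuit Failure": {10}, "Eavesdrop": {17, 18}},
}


def validate(matrix: dict) -> list[str]:
    """Cells that name an unknown threat column or a control number not in the list."""
    problems = []
    for asset, cells in matrix.items():
        for threat, controls in cells.items():
            if threat not in THREATS:
                problems.append(f"{asset}: unknown threat '{threat}'")
            for c in sorted(controls - set(CONTROLS)):
                problems.append(f"{asset}/{threat}: unknown control {c}")
    return problems


def uncovered_pairs(matrix: dict) -> list[tuple[str, str]]:
    """Asset/threat pairs with no control assigned: risks the plan leaves unmitigated."""
    return [(asset, t) for asset, cells in matrix.items() for t in THREATS if not cells.get(t)]


def control_coverage(matrix: dict) -> Counter:
    """How many cells each control appears in; a widely used control is a priority to fund."""
    counts = Counter()
    for cells in matrix.values():
        for controls in cells.values():
            counts.update(controls)
    return counts


if __name__ == "__main__":
    print("problems:", validate(SAMPLE_MATRIX))
    print("unmitigated:", uncovered_pairs(SAMPLE_MATRIX))
    for num, hits in control_coverage(SAMPLE_MATRIX).most_common(5):
        print(f"{num:2d} {CONTROLS[num]}: {hits} cells")
```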
