You are the Chief Security Officer, hired by COO Kelly Smith, to protect the physical and operational
security of FMI’s corporate information systems. Shortly after starting in your new position, you recognize
numerous challenges that you will be facing in this pursuit.
Your primary challenge, as is usually the case, is less technical and more of a political nature. The CEO
has been swept up in the “everything can be solved by outsourcing†movement. He believes that the IT
problem is a known quantity and feels the IT function can be almost entirely outsourced at fractions of the
cost associated with creating and maintaining an established internal IT department. In fact, the CEO’s
strategy has been to prevent IT from becoming a core competency since so many services can be obtained
from 3rd parties. Based on this vision, the CEO has already begun downsizing the IT department and
recently presented a proposal to his senior management team outlining his plan to greatly reduce the
internal IT staff in favor of outsourcing. He plans on presenting this approach to the Board of Directors as
soon as he has made a few more refinements in his presentation.
COO Smith’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence
on technology services combined with a diminishing IT footprint gravely concerned Smith, and he begged
to at least bring in an Information Security expert with the experience necessary to evaluate the current
security of FMI’s infrastructure and systems. The COO’s worst nightmare is a situation where the
Confidentiality, Integrity, and Availability of FMI’s information systems were compromised – bringing the
company to its knees – then having to rely on vendors to pull him out of the mess.
COO Smith has reasons for worrying. FMI has experienced several cyber-attacks from outsiders over the
past a few years:
In 2018, the Oracle database server was attacked, and its customer database lost its confidentiality,
integrity, and availability for several days. Although the company restored the Oracle database
server back online, its lost confidentiality damaged the company reputation. FMI ended up
paying its customers a large sum of settlement for their loss of data confidentiality.
In 2019, another security attack was carried out by a malicious virus that infected the entire
Vice President
Trey Elway
Executive
Assistant
Kim Johnson
Executive
Assistant
Julie Anderson
Executive
Assistant
Michelle Wang
CCO
Andy Murphy
COO
Kelly Smith
CFO
Ron Johnson
Director of
Marketing
John King
Director of HR
Ted Young
CEO
Matt Roche
network for several days. While infected, the Oracle and e-mail servers had to be shut down to
quarantine these servers. COO Smith isn’t sure whether the virus entered FMI’s systems through
a malicious email, from malware downloaded from the Internet, or via a user’s USB flash drive.
Regardless of the source of the infection, the company lost $1,700,000 in revenue and intangible
customer confidence.
• In a separate incident in 2019, one of the financial advisors left his company laptop unprotected
at the airport while travelling and it was stolen. It contained customer financial data and the
hard drive was not encrypted. Financial reparations were paid to impacted customers.
• In 2020, a laptop running network sniffer software was found plugged into a network jack under a
desk in one of the unoccupied offices.
It is apparent from the number of successful cyber-attacks that FMI is an organization severely lacking in
information security maturity. COO Smith has commissioned you to perform a quantitative and qualitative
risk assessment of FMI’s infrastructure to determine where improvements could be made to reduce the
risk of future attacks.
CORPORATE OFFICE NETWORK TOPOLOGY
The diagram on the following page displays FMI’s Corporate Office Topology.
The FMI network infrastructure consists of a corporate WAN spanning 20 remote facilities that are
interconnected to the FMI headquarters’ central data processing environment. Data is transmitted from a
remote site through a VPN gateway appliance that forms a VPN tunnel with the VPN gateway in
headquarters. Through this VPN connection, remote office users access the internal Oracle database to
update the customer data tables. Through your inspection of the VPN configuration you discover that the
data transaction traversing the remote access connection to the corporate internal databases is not
encrypted.
Users are authorized to work from home and both dial-up and VPN remote access are available. Dial-up is
provided via Private Branch Exchange (PBX) and a Remote Access Server and VPN remote access is
provided via the VPN gateway. Authentication is password-based via MS-CHAP V2. Users are also able
to take advantage of FMI’s Bring Your Own Device (BYOD) policy and a Wireless antenna allows
wireless networking within headquarters. WEP is used to provide wireless security to BYOD users.
The network perimeter between the Internet and FMI’s internal network infrastructure is separated by two
Border (Core) Routers. These Border Routers then connect to two Distribution Routers and the VPN
Gateway. The Distribution Routers connect to a RAS Server, a Wireless Router that provides a bridge
between the Wireless Antenna and the internal network, and two Multi-layer switches. The Multilayer
switches connect to six (6) Access Layer VLAN switches that segregate the Accounting, Loan Dept,
Customer Services, Mgmt, Credit Dept, and Finance VLANs. The Multi-layer switches also connect to a
third Multi-layer switch that provides a connection to FMI’s servers in the Trusted Computing Base
subnet.