1. Overview
Global Finance Inc. (GFI) is a financial company that offers account management services to numerous accounts across three chief regions that include Canada, Mexico, and the United States (US). GFI is a public traded company that is traded on the New York Stock Exchange (NYSE). The company focuses on financial management, wholesale loan processing, loan application approval, and investing money for their customers. The company will be referred to as GFI for the rest of the paper.
GFI is concerned with cybersecurity in the firm as a result of previous events that brought attention to the numerous vulnerabilities within the company’s system. The first event that shed light on one of the weaknesses occurred in 2013, when GFI’s Oracle database server was attacked. Consequently, the customer database lost its confidentiality, integrity, and availability for a couple of days. The company was eventually able to reestablish the Oracle database server, but there were several adverse consequences. The company’s reputation was tarnished as a result of the loss of confidentiality, accompanied by financial losses since the company had to pay a lump sum to its customers as a settlement for the loss of data confidentiality.
Another event that became a cause of concern for GFI occurred in 2014. A malicious virus infected the whole network for some days and paralyzed use of the Oracle server once again. GFI was forced to close the Oracle and the email servers for them to be quarantined. The company did not know how the malicious virus infected the network. Three possible sources of the virus were considered: a malicious email, a USB flash drive, or a download from the internet. As a result of the attack, the company lost $1,700,000 in revenue. Additionally, the company also lost its customers’ confidence and trust.
In a separate event during the same year, a company employee neglected to protect company property and left his company laptop unattended in the airport. The laptop, which contained customer financial data, was stolen. To make matters worse, the hard drive was unencrypted. GFI again had to compensate its customers for the loss of confidentiality. Lastly, in 2015, a laptop running network sniffer software was discovered plugged into a network jack hidden in one of the empty offices. From the reports of numerous attacks, it is evident that GFI should implement information security measures to reduce the risk of impending attacks and restore its customers’ trust.
GFI values confidentiality, integrity and availability. Therefore, the attacks and vulnerabilities are a source of concern since they contradict the company’s values. Chief Operation Officer (COO) Mike Willy is especially troubled by the growing operational dependence on technology services and the dwindling IT footprint. GFI’s Chief Executive Officer (CEO) is pushing to subcontract IT services, a move that COO Willy opposes. This report describes the results of the quantitative and qualitative risk assessment on GFI and discusses the possible improvements that could be made to diminish the risk of impending attacks.
1.1 Aim
The security risk assessment is being performed to provide a quantitative and qualitative risk assessment of GFI’s infrastructure. Having a reliable estimate will help in identifying vulnerabilities and determining the areas that require improvements. The corporate office network topology will be assessed after which vulnerabilities will be identified and addressed. The risk assessment will;
Identify present threats to the company’s IT security, customer data, strategic capabilities, and business intelligence.
Identify weaknesses and vulnerabilities associated with the current security control measures and company processes.
Provide security controls and authorizations grounded on the data obtained from the assessment.
Assess the financial and business impact of identified threats and vulnerabilities.
Assess risks and describe acceptable risk levels.
Give recommendations for fortifying GFI’s security infrastructure utilizing conventional technologies and evidence-based processes.
1.2 Roles and Responsibilities
John Thompson, CEO
The CEO’s role is to guarantee that there are no inconsistencies between the company’s espoused values and the business and corporate strategies. He is also responsible for ensuring that GFI’s long-term business and corporate strategies align with shareholder values. The CEO is also responsible for considering and approving various decisions and change requests within the organization, in line with the company’s hierarchical structure and top-down management approach.
Mike Willy, COO
The COO is responsible for supervising ongoing business operations. He is second on the company’s hierarchy and acts as the second in command to GFI’s CEO. Willy is responsible for assessing IT projects and their alignment with normal business operations. The COO is also concerned with the provision of input and implementation of GFI’s strategic plan. He is also responsible for overseeing the budget and progress concerning IT projects.
Computer Security Manager (CSM)
The CSM is mandated to oversee the development, implementation, and management of GFI’s security vision, strategies, and programs. The CSM’s areas of interest are mostly concerned with technological issues, security policy development, and performance of research. His chief role is to secure GFI’s network availability, confidentiality, and integrity. He does this by identifying system threats and vulnerabilities to support the optimum achievement of business objectives, identifying and overseeing the implementation of security control measures, and determining risk acceptability levels to lessen project letdowns.
2. Security Risk Assessment
There are numerous information security risk assessment methods that can be used for GFI’s security assessment. Past methods have been dependable over the last few decades. The methods provided a reliable tool for organizations to protect themselves against pertinent risks associated with various business and corporate strategies. However, the advancement of the Internet of Things (IoT) has led to an increase in complexity, pervasiveness, and automation of technology used by companies such as GFI (Nurse et al., 2017).
Additionally, cyberspace continues to experience continuous maturity. As a result of the factors stated above, there is a need to consider new assessment methods that conform to the current systems and strategies. The method chosen must consider all the risks that are associated with the current ecosystem. Risks associated with the new ecosystem are associated with an upsurge in connectivity, and the coupling of digital and cyber-physical systems. The assessment methods considered must also build trust among employees and customers (Nurse et al., 2017).
The following risk assessment includes an analysis of what could go wrong, the chances that something could go wrong, and the consequences. Selected risk management strategies and methods will build upon the risk assessment. They will be used to determine the possible management approaches and their availability, the associated tradeoffs related to expenses, benefits, and risks. The security assessment methodology selected for this paper is the cyber vulnerability assessment methodology.
The cyber vulnerability assessment methodology consists of five main steps that have to be followed with the discretion of the assessment team and leaders. The first step is the development of an assessment plan that outlines the budget, schedule, goals, resources, and required experts for the assessment. The second step involves the configuration of the testing environment to ensure that it is safe. Third, the vulnerability assessment will be done using a penetration test. The penetration test will be conducted externally to the tested system machine. Fourth, the assessment and testing methods used will be properly documented for future reference. Lastly, quantitative measurements of GFI’s security will be taken to allow benchmarking against other systems (Cherdantseva et al., 2016).
2.1 Risk Impact
The following table adapted from the National Institute of Standards and Technology (NIST) (2004) summarizes the risk impact associated with the three main considerations in GFI’s security objectives, i.e. confidentiality, integrity, and availability.
Table 1. Potential Impact of Security Objectives.
2.2 Corporate Office Network Topology
The GFI network infrastructure is composed of a corporate-wide area network (WAN) that spans across ten remote facilities. The facilities are unified to the GFI headquarters’ central data processing environment. Customer information is conveyed from a remote site using a virtual private network (VPN) gateway appliance. The gateway appliance forms a VPN tunnel where the VPN gateway is located in GFI’s headquarters. Remote office users use the VPN connection to get access to the internal Oracle database and update customer information in the customer data records.
2.3 Network Security
GFI encourages its employees to work from home. The objective is supported by the use of both dial-up and remote VPN access. Dial-up services are offered using Private Branch Exchange (PBX) and a remote access server while VPN remote access is provided via the VPN gateway. Employees are also encouraged to bring their own devices to work according to GFI’s policy. The devices use a wireless antenna that supports wireless networking within the organization’s headquarters. Wired equivalence privacy (WEP) is used to ensure wireless privacy for all employees who bring their own devices to work.
A VPN is defined as a private data network that uses public telecommunication infrastructure while maintaining privacy through the use of a tunneling protocol and security measures. GFI uses a remote VPN that supports the movement of employees when needed. Using a remote VPN allows employees to work wherever there is internet connectivity. It gives employees secure access to GFI’s central network. Software is installed on the employee’s device. The employee then gets a unique username and password for access. A virtual tunnel is also used to securely transmit data over an internet service provider (ISP) network. The VPN tunneling protocol used is the point-to-point tunneling protocol (PPTP). The use of PPTP is disadvantageous since it causes several risks. PPTP does not offer encryption or authentication features (Ahmed et al., 2016). This makes the system vulnerable to cyber-attacks from external sources, thus decreasing confidentiality.
2.4 Access Points
2.4.1 Internal Access
GFI employees can have internal access to the Oracle servers using thoroughly pre-inspected and updated personal workstations. The personal work stations have anti-virus software that is updated and maintained by the CSM. The internal network technology is characterized by multi-layer switches that connect to six access layer VLAN switches. The six switches separate the various departments, including Accounting, the Loan Department, Management, Credit Department, Finance, and Customer Services departments. Employees will only be given access privileges depending on need-to-know criteria. This will limit the number of people that have access to the servers, support accountability, and make security breach assessments easier and more reliable.
The network is also characterized by a firewall that can be used to monitor access by personnel and other external parties. The firewall will be used to control incoming and outgoing traffic. The firewall will also be used to ensure that all devices, including those from users who bring their own devices to work, adhere to security standards or rules before they are allowed into the internal access points. An access control list (ACL) will also be developed to determine which employees have access to each department’s VLAN. This will ensure accountability in the various departments since not all employees have access to other departments’ data.
The ACLs are a group of commands that filter the traffic that leaves and enters the network. It allows the network administrator to decide who enters or leaves the interface. The ACL also restricts telnet, filters the network’s routing information, and prioritizes GFI’s traffic using queuing. Some of the benefits associated with using ACLs include the reduction of network traffic, improvement of network performance, ability to control the flow of traffic, and support of decision-making processes within the organization (Suman & Agrawal, 2016).
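The filtering described above can be shown with a small evaluator. This is an added example, not part of the original report or of any vendor's ACL implementation; the subnets, host address and rule sets are constructed, and it models the usual first-match, implicit-deny behaviour of router ACLs, plus an audit check for rules that can never fire.

```python
"""First-match ACL evaluation with implicit deny (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing plan; the report gives no subnets.
ANY = "0.0.0.0/0"
FINANCE_VLAN = "10.10.50.0/24"
LOANS_VLAN = "10.10.30.0/24"
ORACLE_DB = "10.10.100.10/32"
ORACLE_PORT = 1521  # default Oracle listener port
TELNET = 23


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` matches is also matched by self."""
        return (self.proto in ("ip", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.dport is None or self.dport == other.dport))


def rule(action: str, proto: str, src: str, dst: str,
         dport: Optional[int] = None) -> Rule:
    return Rule(action, proto, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), dport)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based rule number); no match means implicit deny."""
    for number, r in enumerate(acl, start=1):
        if r.matches(proto, src, dst, dport):
            return r.action, number
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[Tuple[int, int]]:
    """List (rule, earlier_rule) pairs where the later rule can never fire."""
    findings = []
    for j, later in enumerate(acl):
        for i, earlier in enumerate(acl[:j]):
            if earlier.covers(later):
                findings.append((j + 1, i + 1))
                break
    return findings


# Need-to-know policy: telnet blocked everywhere, only Finance and Loans
# may reach the database listener, everything else falls to implicit deny.
GOOD_ACL = [
    rule("deny", "tcp", ANY, ANY, TELNET),
    rule("permit", "tcp", FINANCE_VLAN, ORACLE_DB, ORACLE_PORT),
    rule("permit", "tcp", LOANS_VLAN, ORACLE_DB, ORACLE_PORT),
]

# Same intent written in the wrong order: the broad permit shadows the deny.
BAD_ACL = [
    rule("permit", "ip", FINANCE_VLAN, ANY),
    rule("deny", "tcp", FINANCE_VLAN, ANY, TELNET),
]

if __name__ == "__main__":
    print(evaluate(GOOD_ACL, "tcp", "10.10.50.7", "10.10.100.10", ORACLE_PORT))
    print(evaluate(GOOD_ACL, "tcp", "10.10.50.7", "10.10.100.10", TELNET))
    print(evaluate(BAD_ACL, "tcp", "10.10.50.7", "10.10.100.10", TELNET))
    print(shadowed_rules(BAD_ACL))
```

Running `shadowed_rules` over a rule set before deployment catches the ordering mistake that `BAD_ACL` illustrates.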
Apart from the use of a firewall and ACLs, GFI can also depend on group policy objects (GPO). Group policy is one of the features in the Microsoft Windows Active Directory. The feature provides additional control and management features for device users and computer accounts. The GPO is assigned by linking the objects to various containers that include sites, domains, and organizational units (OUs) in an Active Directory. It is the role of the CSM to determine the policy settings that apply to the various environments. The machine policies will then be evaluated, followed by a thorough evaluation of the site, domain, and OU policies (Krahl, 2017).
2.4.2 External Access
External access is ensured by utilizing a remote access server (RAS). The RAS is linked to several distribution routers, which are part of two border routers that separate GFI’s network from the internet. External access is also ensured using VPN gateways. Employees who access the network using dial-up are obligated to follow the standard authentication procedure to screen unwanted traffic. One of the chief concerns regarding internal access is the absence of data encryption in data transmitted across the VPN virtual tunnels. This vulnerability acts as a critical threat to the system’s confidentiality, integrity, and availability.
3. Access Control
Access control algorithms will be used to decide whether a new internal or external connection is accepted after the communication quality has been ascertained. Whenever a new service call is detected, the call will be processed depending on whether the bandwidth is available in the community. In case the required bandwidth is unavailable, the service call will be dropped or put on a waiting list.
3.1 Authentication
The authentication process will be secured by performing an analysis to determine whether the protected protocols are secure. Session keys will be created as a form of authentication. Each access run will be assigned a different session key. The keys will be developed in a random manner, whereby the familiarity of previous session keys will not allow the inference of upcoming keys. The session key will be calculated by a one-way hash and session secrets. The random number generated will be discarded after the expiry of a session (Liu et al., 2012).
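One way to realize the per-session keys described above, as an added example that is not from the report or from Liu et al.: it assumes a pre-shared long-term secret and uses HKDF (RFC 5869) with HMAC-SHA256 as the one-way function. The `SessionTable` class, nonce size and lifetime are hypothetical.

```python
"""Per-session keys from a one-way function (added example)."""
import hashlib
import hmac
import secrets
import time

NONCE_LEN = 16      # bytes of randomness each side contributes
SESSION_TTL = 900   # seconds; constructed value, not from the report


def derive_session_key(secret: bytes, client_nonce: bytes,
                       server_nonce: bytes, session_id: bytes) -> bytes:
    """HKDF with HMAC-SHA256, producing one 32-byte output block."""
    if len(client_nonce) != NONCE_LEN or len(server_nonce) != NONCE_LEN:
        raise ValueError("nonces must be exactly NONCE_LEN bytes")
    # Extract: the fresh nonces act as salt over the long-term secret.
    prk = hmac.new(client_nonce + server_nonce, secret, hashlib.sha256).digest()
    # Expand: bind the output to its purpose and to this session only.
    info = b"gfi-session-key|" + session_id
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


class SessionTable:
    """Server-side store that forgets a session's key material at expiry."""

    def __init__(self, secret: bytes, ttl: float = SESSION_TTL,
                 clock=time.monotonic):
        self._secret = secret
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}  # session_id -> (key, expires_at)

    def open(self, client_nonce: bytes):
        """Start a session; returns (session_id, server_nonce) for the client."""
        session_id = secrets.token_bytes(8)
        server_nonce = secrets.token_bytes(NONCE_LEN)
        key = derive_session_key(self._secret, client_nonce,
                                 server_nonce, session_id)
        self._sessions[session_id] = (key, self._clock() + self._ttl)
        return session_id, server_nonce

    def key_for(self, session_id: bytes):
        """Return the live key, or None (and discard it) once expired."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        key, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[session_id]
            return None
        return key


def demo() -> dict:
    """Run two sessions, then advance a fake clock past the lifetime."""
    secret = secrets.token_bytes(32)  # constructed long-term secret
    now = [0.0]
    table = SessionTable(secret, ttl=60, clock=lambda: now[0])

    sessions = []
    for _ in range(2):
        client_nonce = secrets.token_bytes(NONCE_LEN)
        sid, server_nonce = table.open(client_nonce)
        # The client derives the same key from the values it now holds.
        client_key = derive_session_key(secret, client_nonce,
                                        server_nonce, sid)
        sessions.append((sid, client_key))

    agree = all(hmac.compare_digest(table.key_for(sid), key)
                for sid, key in sessions)
    differ = sessions[0][1] != sessions[1][1]
    now[0] = 61.0  # past the 60-second lifetime
    expired = table.key_for(sessions[0][0]) is None
    return {"client_server_agree": agree, "keys_differ": differ,
            "expired": expired}


# Knowing one session key reveals nothing about the next, because each key
# depends on fresh nonces through a one-way function. This does not protect
# past sessions if the long-term secret itself leaks; that property needs an
# ephemeral key exchange.
if __name__ == "__main__":
    print(demo())
```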
An asymmetric key will be used to encrypt both incoming and outgoing messages. Messages can only be encrypted by a single key and decrypted using another key. For GFI, the public key will be issued while the private key will be kept secret. The asymmetric pair of keys are different in that one is public and the other is private. The public key can be published and known by every employee within the organization, but the private key is unique to each owner. Therefore, only the owner can distinguish and utilize the private key. Each employee will have both keys. The public key will be centrally stored and accessible to everyone, while the private key is stored by the user. Employees will be required to use both keys when sending an email. The receiver’s public key is used to encrypt the data while the sender’s private key is used to sign the email.
There are various authentication methods utilized by different companies. These methods ensure the security of the networks and topology infrastructures. Possible options to be considered for GFI include Password Authentication Protocol (PAP), smartcard biometrics, and Single Sign-On.
3.2 Privilege Access
Privileged access is defined as access that allows individuals to take actions which may have an impact on computing systems, network communication, and data from other users. Privileged access for the GFI network will only be given to network administrators, system administrators, and a few other employees that are involved in the IT department. All privileged access users must have an individual account that is characterized by a unique username and password. The passwords must comply with the company’s password policies regarding strength. Access to the password storage system will be controlled by multi-factor authentication.
The access control will follow the principle of least privilege. According to this principle, privilege access employees will only have access to data required for the accomplishment of their job function. The CEO is responsible for approving all privilege access accounts and reviewing all the users annually. Reviews will be performed to determine whether the users need access to information and whether the current access is appropriate for the performance of business functions. Privilege access users will only have access to data on a need-to-know basis. They will only have access to and knowledge of information required to perform their job functions.
Each department is responsible for the separation of duties achieved by separating the various roles and responsibilities. The CSM is also expected to perform a regular review of the system logs to monitor privilege access user accounts. The logs must be securely stored in a centralized system that ensures the integrity and access to the accounts is controlled. All employees with privilege access must respect the rights of all the system users within the organization. They must also respect the company objectives in terms of confidentiality, integrity, and availability. Access to other individuals’ information is limited to the least content and the least action required to resolve any challenges or situations. Privilege access is also reserved for mandatory tasks that require privilege access (Jayabalan & O’Daniel, 2016).
3.3 Mobility
Mobility is critical since it ensures that all employees and clients can interact with an organization as efficiently as possible by supporting real-time interaction. Mobility is critical for the enhancement of productivity within the organization. It supports the development of a virtual environment or offices where employees can get access to GFI’s servers and work from any geographical location as long as they have an internet connection. Mobility is likely to increase employee satisfaction, thus promoting better customer services. GFI’s bring your own device (BYOD) policy is also beneficial to the company as it supports mobility. However, one of the chief concerns that arise from the BYOD policy is that external computers with malware can infiltrate the company. Without control of how many devices an employee can bring, there is a risk that some of the devices could be used to smuggle customer information, thus compromising the company’s integrity and confidentiality.
Mobility also promotes employee freedom where the company gives employees the trust and freedom to work at any time according to their preferences. As long as employees are able to access their work resources, they can fulfil their job functions. Mobility encourages high levels of productivity by creating a happier workforce. Mobility also increases the company’s reliability and availability. GFI could enhance its connectivity using mobile devices such as tablets and smartphones, thus maintaining customer loyalty and improving customer services. Through enhancing mobility, GFI is also able to support collaboration between different coworkers and departments regardless of where the employees are based.
Though mobility is associated with several benefits, there are also a few disadvantages that must be considered in mobility considerations. Mobility is supported by providing remote access to the company’s Oracle server. Providing remote access to work resources increases the possible vulnerabilities and the threat of data breaches. Mobility is also associated with fragmentation of work applications and data, which makes securing the data more difficult.
3.3.1 Wireless
Having wireless connectivity within GFI promotes flexibility for all the employees. However, the GFI wireless network is not encrypted, which increases the risk of breaching data. The company’s service set identifier (SSID) has no access restrictions. Therefore, anyone located within the WAP range can access it. This is counterproductive and creates a high level of risk for the integrity, confidentiality, and availability. GFI should adopt a personal information protection approach based on RSA. Through this approach, all the information being transmitted within the network must be transformed from plain text to ciphertext. The system administrator is responsible for giving permission for authorization management. System administrators will be expected to devolve the authorization to the database administrators. These administrators will then input the information into the database (Khatarkar & Kamble, 2015).
3.3.2 Cloud Computing
Embracing cloud computing will enable GFI to provide reliable online services to their customers, thus improving the company’s customer services and productivity. Though cloud computing e-commerce is associated with numerous benefits, it is also important to consider that there are several security concerns associated with the use of e-commerce services. One of the chief concerns is data breaches that might occur due to the provision of remote access (Avram, 2014). This makes the system more vulnerable and adversely affects the integrity, confidentiality, and availability of the network system. Cloud computing also makes it possible to hijack accounts. With cloud computing, external parties might have access to employees’ login details to remotely access sensitive information, that if released, would lead to financial losses and loss of credibility.
Another risk that exists with the use of cloud computing is an insider threat, where employees with authorized access misuse information available in the customer accounts. The misuse of information could be through malicious intent, malware, or accidents. This can be mitigated using privilege access and other access control methods. The cloud computing service is also vulnerable to the injection of malware from an internal or external source. When the malware injection is executed, the cloud begins operating in tandem with the malware, allowing attackers to eavesdrop and steal data. This compromises the integrity of customer information. These challenges can be avoided by using data encryption and privileged access (Avram, 2014).
4. Inventory
Item | Department | Quantity | Cost | Total Cost | Priority | Mission Objective |
Dell Precision Workstations | Accounting | 45 | $400 | $18,000 | High | Provides accounting and financial management services. The department is also responsible for providing financial support to GFI and performing payroll responsibilities, and inventory. |
Dell Precision Workstations | Credit | 10 | $500 | $5,000 | High | Quantify, monitor, and allay credit risk, credit limits, and credit support arrangements. |
Dell Precision Workstations | Customer Service | 15 | $500 | $7,500 | Moderate | Identifying customer issues, preventing the provision of poor services, and finding solutions to customer service issues. |
Dell Precision Workstations | Finance | 50 | $500 | $25,000 | Very High | Developing and implementing budget estimates and plans, managing company finances and forecasting resource needs, reporting on financial progress, creation of value, and ensuring compliance with company and legal statutes. |
Dell Precision Workstations | Loans | 15 | $300 | $4,500 | Moderate | Obtains and processes all loan applications. |
Dell Precision Workstations | Management | 25 | $500 | $12,500 | High | Oversees all company operations, and ensures alignment of company processes with company values and policies. |
Dell Precision Workstations | TCB Network | 15 | $500 | $7,500 | High | Core support team has its intranet web server, an email system, and other support personnel workstations. |
Subtotal | | 175 | | $80,000 | | |
HP LaserJet Printers | Accounting | 10 | $400 | $4,000 | | |
HP LaserJet Printers | Credit | 5 | $400 | $2,000 | | |
HP LaserJet Printers | Customer Service | 1 | $400 | $400 | | |
HP LaserJet Printers | Finance | 5 | $400 | $2,000 | | |
HP LaserJet Printers | Loans | 4 | $400 | $1,600 | | |
HP LaserJet Printers | Management | 1 | $400 | $400 | | |
HP LaserJet Printers | TCB Network | 0 | 0 | 0 | | |
Subtotal | | 26 | | $10,400 | | |
Wireless Access Point | | 4 | $500 | $2,000 | High | |
Private Branch Exchange | | 2 | $1,000 | $2,000 | Medium | |
VPN Gateway | | 2 | $30,000 | $60,000 | High | |
Border Routers | | 2 | $25,000 | $50,000 | High | |
Subtotal | | 10 | | $114,000 | | |
Grand Total | | | | $204,400 | | |
Table 2. GFI Inventory
5. Network Vulnerabilities
Risk Matrix Legend
Probability Level | Impact Level | Criteria |
High (H) | High (H) | Critical |
Medium (M) | Medium (M) | Marginal |
Low (L) | Low (L) | No Impact |
Table 3. Risk Matrix Legend
System/Entity | Vulnerability | Risk Level | Priority |
Wireless Technology | The wireless network is accessible by both company employees and neighboring individuals. This poses a high risk that adversely impacts the confidentiality, integrity, and availability of the system. | High | High |
Encryption | There is no data encryption of information being transmitted across the virtual VPN tunnel, which increases the risk of data breaching, thus reducing the confidentiality of the customer data. It constitutes a high risk to the CIA. | High | High |
Mobility | Mobility increases the risk of data breaching and malware injection. It also increases the risk of malicious attacks from within the organization or from external parties. There is no way to screen devices brought into the headquarters, making the network vulnerable to malware. | High | High |
Network Intrusion | A significant surge in network traffic into the internal networks. The source of the increased traffic is unknown, but the company is able to determine the traffic volume. Unwanted traffic can be reduced by using a firewall and frequently reviewing access logs to ensure that only authorized users have access to the network. | High | High |
Cloud Computing | Cloud computing is susceptible to data breaches if not suitably secured. | High | High |
Table 4. Network Vulnerabilities
6. Risk Mitigation Measures
GFI’s current network topology and IT processes are characterized by numerous vulnerabilities that must be mitigated to ensure the safety of customer information and restore the company’s reputation in terms of data confidentiality. Mitigation measures could be founded on either soft or hard security controls.
6.1 Wireless Access
The current wireless network uses an open authentication technique that is unreliable in ensuring that only approved individuals have access to the network. With the current authentication practices, it is possible for anyone with a Wi-Fi-enabled device and located within the WAN geographic scope to access the network and customer information. It creates a risk for confidentiality. Unauthorized users can access sensitive and private information that would lead to monumental financial losses, loss of customers, and tarnishing the company’s reputation. It exposes the company to numerous threats that include data interception and eavesdropping. The attacks from external sources are likely to injure the company’s reputation. Injuries to the confidentiality, integrity, and availability of company data could be qualitative or quantified.
Below are some of the mitigation measures that could be implemented to reduce the mentioned threats;
The first measure is using a network sniffer as a diagnostic tool. The network sniffer operates in promiscuous mode, allowing it to open any and all packets on the network. The network sniffer operates with a network card. It also has software that captures data on the incoming and outgoing traffic, and sorts the traffic according to individual stations on the network (Breeding, 2009).
Network cloaking can also be used by hiding the SSID within the company’s framework. Therefore, the SSID name will be invisible. It will act as a way to ward off unwanted and inexperienced network users. Hiding the SSID should be used in conjunction with encryption.
The company must ensure that they eliminate all rogue access points within its network. Positioning a wireless network in an inappropriate security zone compromises GFI’s overall security. Therefore, the rogue access points should be removed or transferred to exist within the company’s office network and support system.
Another security strategy is separation and segregation where the company ensures that business will run as usual in case something happened to the VLAN. This can be done by ensuring that the wireless network is physically separate (Breeding, 2009).
6.2 Encryption
The encryption technology recommended for utilization by GFI is the IPSec encryption technique. The technique will be used to secure all data transfer processes passing through the GFI network, VPN, and TCB communication. The IPSec encryption technique is based on the use of packet filtering and cryptography. Cryptography supports confidentiality, integrity, and availability by offering user authentication measures. It also creates trust in the communication process. User authentication and encryption of data are critical for securing data traffic running through GFI’s network paths (Salman, 2017).
6.3 Mobility
The use of cloud e-commerce and the BYOD policy creates several risks for the company. Mitigation of these risks requires the implementation of the following measures;
Segregation and separation of GFI resources from the users. Privileged access will be used to ensure that users only have access on a need-to-know basis. It will also ensure that users only have access to the information essential for the performance of their job functions (Jayabalan & O’Daniel, 2016).
Smart cards and PAP will be used to control access to the GFI network, thus reducing unwanted traffic.
Reliable security software should be installed in all devices that are connected to the network. The software should be frequently maintained and updated to ensure that the network is protected against emerging threats.
6.4 Network Intrusion
The unexplained spike in network traffic recorded by GFI could be solved by using a firewall that scrutinizes, and authorizes or blocks access to the network. Penetration test programs could also be used to adequately ensure the security of customer and company data (Cherdantseva et al., 2016).
7. Assumptions
The following assumptions were made in the performance of the security risk assessment and reporting for GFI;
All employees are expected to report any suspicious traffic and security issues they encounter while using the network.
All employees will be responsible and adhere to company guidelines regarding information security.
Employees will not disclose company or customer information.
The CSM is responsible for overseeing the creation and implementation of data security measures and policies.
8. Conclusion
Some of the chief objectives in GFI are the maintenance of the confidentiality, integrity, and availability of company data. The company is a financial company that possesses very sensitive data, where the loss of data or unauthorized access would cost the company its reputation and cause financial losses. It is, therefore, important for the company to understand and measure all possible vulnerabilities and threats. Doing so is made possible by the use of a risk assessment and management plan. Based on the report provided, it is evident that GFI is in need of an internal IT department.
References
Ahmed, F., Butt, Z. U., & Siddiqui, U. A. (2016). MPLS based VPN Implementation in a Corporate Environment. Journal of Information Technology & Software Engineering, 6(5), 1-7. https://doi.org/10.4172/2165-7866.1000193
Avram, M. G. (2014). Advantages and challenges of adopting cloud computing from an enterprise perspective. Procedia Technology, 12(0), 529-534. https://doi.org/10.1016/j.protcy.2013.12.525
Breeding, M. (2009). Wireless Network Configuration and Security Strategies. Library Technology Reports, 41(5), 21-30.
Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., & Stoddart, K. (2016). A review of cyber security risk assessment methods for SCADA systems. Computers & Security, 56, 1-27. https://doi.org/10.1016/j.cose.2015.09.009
Jayabalan, M., & O’Daniel, T. (2016). Access control and privilege management in electronic health record: a systematic literature review. Journal of Medical Systems, 40(12), 261. https://doi.org/10.1007/s10916-016-0589-z
Khatarkar, S., & Kamble, R. (2015). A survey and performance analysis of various RSA based encryption techniques. International Journal of Computer Applications, 114(7).
Krahl, K. M. (2017). Using Microsoft Word to Hide Data (Doctoral dissertation, Utica College).
Liu, J., Xiao, Y., & Chen, C. P. (2012, June). Authentication and access control in the internet of things. In 2012 32nd International Conference on Distributed Computing Systems Workshops (pp. 588-592). IEEE. https://doi.org/10.1109/ICDCSW.2012.23
Nurse, J. R., Creese, S., & De Roure, D. (2017). Security risk assessment in Internet of Things systems. IT Professional, 19(5), 20-26. https://doi.org/10.1109/MITP.2017.3680959
National Institute of Standards and Technology. (2004). Standards for Security Categorization of Federal Information and Information Systems (FIPS PUB 199).
Salman, F. A. (2017). Implementation of IPsec-VPN tunneling using GNS3. Indonesian Journal of Electrical Engineering and Computer Science, 7(3), 855-860.
Suman, S., & Agrawal, E. A. (2016). IP traffic management with access control list using cisco packet tracer. Int. J. Sci. Eng. Technol. Res, 5(5), 2278-7798. Available at: https://www.researchgate.net/profile/Shipra_Suman2/publication/304627953_IP_Traffic_Management_With_Access_Control_List_Using_Cisco_Packet_Tracer/links/5775749508aead7ba06fff33/IP-Traffic-Management-With-Access-Control-List-Using-Cisco-Packet-Tracer.pdf [Accessed 24 June, 2020]