Question
Write a report to be sent to the CEO and Board of Directors, with a good introduction and conclusion, about the risk for the following case study.

The Case Study

Part I: Problem(s) Definition

TechPro is a large consumer electronics retail company located in Saudi Arabia. The company sells mobile devices, TVs, monitors, laptops, tablets, computers, printers, and other electronic appliances. The company has 60 different outlets located in the Middle East region. The company has experienced significant growth in the last 5 years due to continual business innovation, customer loyalty, and satisfaction. The company has shown remarkable business growth, generating approx. $500M revenue per year with about 1500 employees. The company has a large customer base of 4 million customers. The customer value to the company is $1000.

Kareem, the Company Risk Analyst Officer (CRAO), is facing pressure from the executives in the company to effectively manage the risk the company is facing. Through a series of risk identification interviews, the CRAO and his team have concluded that numerous external threats could potentially cause an outage of the TechPro order processing system, most notably through DDoS attacks. The order processing system is a web-based application customers use to order products from the company. TechPro attracts attention from advanced cyber-criminal groups due to the net worth value of the company. In addition, the risk assessment team has found another concerning issue on the company's network: an attack against confidentiality. The potential attack targets the company's network to compromise the confidentiality of the customer DB, which contains sensitive data about customers and their credit cards. These potential threats are worrying the board of directors, triggering the investigation. The CRAO and his team have decided to conduct a risk analysis to protect the company from these kinds of threats.

Part II: Collecting Data & Estimates

The team held meetings with other teams from across the company and its sub-departments located in different locations and obtained the following information. In addition, the team met with security teams to investigate security issues experienced in previous years. These meetings are important to collect data that is relevant to the issues under investigation, which will help in building the scenarios.

Database Security Team

In the last five years, several TCP/UDP port scans on the company network have been detected. In TCP/UDP port scanning, the attacker scans ports to discover open ones, then establishes a connection with them to breach data. The database security team explained that during the last year around 15 attacks on TCP/UDP ports were attempted by cybercriminals. They further estimate that most likely 2 out of 10 attacks can overcome the security controls and successfully access the beneficiaries DB.

Order Processing Security Team

The Incident Management Team reported that DDoS attacks hit the order processing system 1 to 2 times a week. The order processing security team also discussed Radware DDoS, a mitigation service deployed in the company which filters traffic and blocks malicious campaigns. They reported that, while there hasn't been a successful DDoS attack against the company yet, based on the increasing sophistication of attacks they believe that 1 attack in 10 is likely to overcome the Radware tool's current capabilities.

Incident Response

In the event of a DDoS attack system outage, 5-8 members would be assigned for 10-30 hours at an hourly wage of $200 to investigate the incident. Based on the company's previous records, an attack on the customer database requires a third-party investigation team to collect evidence and resolve the issue. The average cost is $30,000 to pay to the investigation team. The local database security team will also investigate the issue using internal security tools such as Wireshark. Around 5 to 8 team members will work for 20-30 hours and it will cost a fixed amount of $150 per worker a

If an outage of the order processing system was caused by an external threat, a 3rd-party forensic investigation team would be hired at an average cost of $50,000. In case of a breach, the company has to notify the customers of the breach, and this will cost around $2 for each customer. The company has signed a contract with a credit monitoring service and would offer that service to clients in the event of a data breach. The contract states it would cost TechPro $15 per customer.

Business Continuity and Disaster Recovery

The Order Processing Management Team estimated that 10,000 transactions are handled by the order processing system each day. The average purchase amount in transactions is $300. The disaster recovery team reported that the Return Time Objective (RTO) of the order processing system is 2 hours. They have also reported that around 300 employees work on online orders and their hourly wage is $75.

Other Considerations

In the event of a breach due to external attacks, if the news goes out to the market, it will definitely create many questions about the company. The company expects to lose 0.05% of its customers. The discussion with the legal department has shown that fines from lawsuits due to a DB breach can cause a loss of $500,000 to $800,000.
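The case study gives the inputs of a classic quantitative risk analysis: a Single Loss Expectancy (SLE) per scenario, an Annualised Rate of Occurrence (ARO), and their product, the Annualised Loss Expectancy (ALE). The script below is an added worked example, not part of the original post or of any published solution; it carries the case's own figures through as low/high ranges so the board sees the spread rather than a single point. Two interpretations are assumptions of this example and marked as such in the code: daily sales are taken as evenly spread over 24 hours when costing the 2-hour RTO, and the truncated "$150 per worker a..." is read as $150 per worker-hour.

```python
"""SLE / ARO / ALE estimate for the two TechPro scenarios (added example).

All figures come from the case study text; anything the text leaves
ambiguous is marked ASSUMPTION below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Low/high estimate; the case gives intervals, not point values."""
    low: float
    high: float

    def __add__(self, other: "Range") -> "Range":
        return Range(self.low + other.low, self.high + other.high)

    def __mul__(self, other: "Range") -> "Range":
        return Range(self.low * other.low, self.high * other.high)

    @staticmethod
    def point(value: float) -> "Range":
        return Range(value, value)


def ddos_outage_sle() -> Range:
    """Loss from one successful DDoS outage of the order processing system."""
    # Incident response: 5-8 staff, 10-30 hours, $200 per hour.
    response = Range(5, 8) * Range(10, 30) * Range.point(200)
    # Third-party forensic team for an externally caused outage.
    forensics = Range.point(50_000)
    # Lost sales during the 2-hour RTO. ASSUMPTION: the 10,000 daily
    # transactions at $300 average are spread evenly across 24 hours.
    hourly_sales = 10_000 * 300 / 24
    lost_sales = Range.point(hourly_sales * 2)
    # 300 online-order staff idle for the 2-hour RTO at $75 per hour.
    idle_staff = Range.point(300 * 75 * 2)
    return response + forensics + lost_sales + idle_staff


def ddos_outage_aro() -> Range:
    """Successful DDoS outages per year."""
    # 1-2 attacks a week over 52 weeks; 1 in 10 expected to beat Radware.
    attempts_per_year = Range(1, 2) * Range.point(52)
    return attempts_per_year * Range.point(0.1)


def db_breach_sle() -> Range:
    """Loss from one confidentiality breach of the customer database."""
    customers = 4_000_000
    external_team = Range.point(30_000)
    # Internal team: 5-8 staff for 20-30 hours. ASSUMPTION: the case's
    # "$150 per worker a..." is read as $150 per worker-hour.
    internal_team = Range(5, 8) * Range(20, 30) * Range.point(150)
    notification = Range.point(2 * customers)
    credit_monitoring = Range.point(15 * customers)
    # Churn: 0.05% of customers lost, each worth $1,000 to the company.
    churn = Range.point(customers * 0.0005 * 1_000)
    legal = Range(500_000, 800_000)
    return (external_team + internal_team + notification
            + credit_monitoring + churn + legal)


def db_breach_aro() -> Range:
    """Successful database breaches per year."""
    # 15 attempts last year; 2 in 10 expected to overcome the controls.
    return Range.point(15) * Range.point(0.2)


def ale(sle: Range, aro: Range) -> Range:
    """Annualised Loss Expectancy = SLE x ARO, carried through as a range."""
    return sle * aro


def scenario_summary() -> dict:
    """Both scenarios side by side, ready for a table in the board report."""
    return {
        "ddos_outage": ale(ddos_outage_sle(), ddos_outage_aro()),
        "db_breach": ale(db_breach_sle(), db_breach_aro()),
    }


if __name__ == "__main__":
    for name, loss in scenario_summary().items():
        print(f"{name:12s} ALE ${loss.low:,.0f} to ${loss.high:,.0f} per year")
```

The resulting ALE ranges put the two threats roughly two orders of magnitude apart: the DDoS outage lands in the low millions per year, while the database breach lands above $200M per year, driven almost entirely by the per-customer notification and credit-monitoring obligations across the 4 million customer base. That ranking, not the absolute numbers, is what the report's recommendations should rest on, and any control proposed for the database scenario can be judged by how far it lowers the ARO (fewer successful intrusions) or the SLE (fewer records exposed) relative to its own annual cost.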