Risk Assessment And Security Recommendations For Versand’s Global Network Infrastructure Assignment

• Type Assignment
• Downloads534
• Pages15
• Words3742

Introduction

Versand is a well-established international shipping firm engaged in various business activities connected with the logistics and energy division. It has its main operational base in London and has a staff strength of over 70000 employees spread across 100 countries. It has a vast and integrated system for shipping that involves several regional facilities based in New York, Seattle, London, Frankfurt, Singapore and Sydney. Some of these are shipment management, container tracking and inventory, and booking systems which are developed on Microsoft Windows servers in SQL database. In June 2017, Versand faced a ransomware attack just like Petya/NotPetya which targeted the companies using unpatched Windows systems. This attack led the company to close its IT network to other users as a measure of preventing the spread of the virus, which greatly affected the company's operations around the world and revealed the company's vulnerability to hackers. Specific solutions include system upgrades, the establishment of network segmentation, multi-factor authentication, regular penetration testing, and compliance with ISO 27001 and NIST standards to increase Versand’s security and guarantee worldwide operational continuity.

Risk Assessment And Security Recommendations For Versand’s Global Network Infrastructure Assignment

Liked This Sample? Hire Me Now

Adam Turner 10 Years | MSc in Software Engineering

Don’t let deadlines overwhelm you-choose Rapid Assignment Help UK for reliable academic support and top-quality assignments every time.

This study seeks to analyze Versand current cyber risk profile, risks and suggest technical, legal and managerial controls and measures that can be adopted.

Evaluation of the Network and Data Architecture

Current Design of Regional Data Centers and Connectivity

Versand's world IT network arrangement is based on six centralised data centres situated in New York, Seattle, London, Frankfurt, Singapore city, and Sydney city. These data centres are fibre-linked regionally, which ensures a high frame rate and cross-region data transfer. Every data centre contains materials management applications for shipping orders, container tracing, stock, and video conference equipment and systems all running on Microsoft Windows servers with SQL server support (Tasueva and Borisova, 2021). Port offices and the regional sites are connected through secure Virtual Private Network (VPN) tunnels while vessels communicate through satellite connections to support real-time operation of maritime activities, port activities included (Sharma, 2021). Some of the port offices have internet breakouts locally to their offices while others completely rely on their regional data centres to connect them externally thus making the network architecture and security mechanisms to be nationally inconsistent.

Figure 1: Network Diagram

At the present time, VPNs are commonly used in conjunction with IPsec and AES-256 encryption. though there are cases where organizations may still be employing them on old Clients and SSL/TLS configurations. It is also expected that data transmission between the data center and cloud services is done over HTTPS, although this needs policy to be written down. Network firewall implementations are dissimilar across the globe with no identical fundamental infrastructure; hereby, for instance; they employ Cisco or fortinet platforms.

Data Transmission between Port/Regional Sites and Cloud

In the existing infrastructure, data transmission mainly relies on the VPN connection that ensures the communication of the port offices, regional offices, and data centres. Information traded includes transactional information, inventory information and the information on the containers. In addition, the company uses the Amazon AWS as well as the Microsoft Azure cloud for application scalability where the data centres are connected with cloud resources by use of secure channels (Hunter and Weiss, 2021). However, due to differences in the deployment of the firewalls and IPS/IDS at the port offices, there are gaps in the security standard now and then, and this makes some ports to be compromised by external threats.

Suitability of Current Infrastructure

From one perspective of the application, it efficiently addresses the operational demands by enabling real-time data processing and international connection. However, the stabilization of branch office devices with Windows 7 opens doors for cyber threats. There are no set security policies, more so at the port offices with direct linkages to the internet; this is a major vulnerability against advanced cyber threats.

Possible Exploits and Vulnerabilities

Internal Threats

The internal threats that are major risks for Versand include extensive control throughout their large workforce that is located within offices and ports all over the world. Users who have access to such systems are vulnerable to social engineering techniques, for instance, phishing, which involves sending fake emails or even communication to the user and tricking him or her into revealing credentials or opening a link that contains a virus. Since email is crucial to the company's shipping operations, a phishing attack would grant access to data and internal systems (Odimarha et al., 2024). In the same regard, certain human factors like sharing of passwords or incorrect passwords or even downloading executable files might also put the infrastructure in more danger for cyber risks. One more threat relates to malicious insiders' which means employees who are motivated either by financial or competitive reasons to misuse the privileges granted to them. Multi-factor authentication is not standard across port offices hence increasing the probability of an intruder gaining unauthorized access to sensitive systems and data (Haddad et al., 2023).

External Threats

Versand is a global company and depends on the internet connection which makes it vulnerable to various external risks and threats A worldwide Petya/NotPetya ransomware attack that occurred in 2017 targeted outdated Windows systems and led to a full cessation of operations to prevent the virus’s spread. This exemplifies a primary ransomware attack where the hackers locked the files and demanded payment in cryptocurrency for the key (Symes et al., 2024). DDoS attacks remain another threat because they can inundate key services including the shipment booking system or communication servers that are vital for operations and can severely dent its reputation. In addition, using techniques, such as SQL injection attacks, hackers could achieve unauthorized access to various booking/tracking systems within the organizations, make changes to the data or steal it. Other risks are from clients, independent partners, or contractors who have unsupervised, messy, or password-protected or any feeble authentication manner.

Network and Application Vulnerabilities

There are several issues on both network and application levels within Versand’s System Umgebung. Windows 7 systems that are present in the port offices are bad as they have reached their end-of-life support meaning that they don’t receive new patches and updates. This research established that there is a patchy implementation of firewalls and IPS in the global offices which are possible openings that the attackers may exploit (Soner et al., 2024). The lack of proper wireless vulnerabilities adds to the internal network vulnerability as policies concerning the use of wireless are not clearly defined in most of the port offices. Also, the lack of network segregation and the use of Microsoft-based applications run on physical and virtual machines that are not isolated will allow lateral movement if the host is compromised.

Currently, the authentication process between regional and port offices means the use of simple username and password without a common MFA. Still, many systems are not linked to centralized identity providers, such as ADFS; authorization control is not robust: there is no role-based access control or more detailed access control levels (Zheng et al., 2021). This position is not good for systems because it can lead to lateral movement and a privilege escalation.

Risk Assessment for Exploits and Vulnerabilities

Risk Assessment of Access Points and Systems Components

Versand’s global structure has several main entry points and components that are prone to certain degrees of risk. While regional data centres are very well prepared with good servers and storage boxes, these are vulnerable to outside cyber threats since they have direct connectivity to the cloud and inter-data centres. This is so because misconfigurations within virtual machines or inadequate patching mechanisms are other sources of threats. Regional and port offices are also other areas of weakness in terms of security policies, obsolete operating systems and weak control of local breakouts (Ganin et al., 2020). On the same note, the use of aged Windows 7, which receives no support updates from Microsoft, exposes the organisation to malware infection; wireless networks make the broader network vulnerable to intruders. In addition, the remote VPN connections between the vessel and data centres through satellite links are vulnerable to interception means, which exposes the vessels’ data to interception, whereby an attacker may interfere with the process of data transmission or receipt (Chatterjee et al., 2022).

Potential Exploits and Consequences

These weaknesses can be potentially exploited by a hostile party in different ways. An adversary may modify a port office device to become a way into the network as it provides further access to other authorized networks hosting critical data centres in the vicinity (Škundrić et al., 2022). So, if there were no network segmentation, the attackers could take control of certain systems and gain access to other essential programs that might be used in container tracking or inventory. Lack of effective user-level administrative controls or the use of weak authentications makes it easier for the hackers to get into the systems posing as other users and possibly stealing data or making unfavourable modifications (Shi et al., 2025). Issues to note are that the presence of SQL injection within booking applications may lead to data manipulation or extraction of customer and shipment information (Blackhurst et al., 2018). Furthermore, it showed that ransomware to unpatched servers poses a threat to the entire shipping process as it occurred to the company in 2017 leading to system shutdown and recovery. The risk does not only extend to a substantial financial loss but also leads to damaging a company's reputation, possible legal actions under the Data Protection Acts and regulation of international shipping.

Weak access controls, especially in remote offices and vessels, given the green light to confidential systems. Current wireless networks typically do not use shared mutual authentication (e.g., EAP-TLS), and individual VPN clients do not require device certificates (Hamied, 2023). Lack of IAM creates a loose structure and adds risk because accountability is complicated and widespread.

ERD (Entity Relationship Diagram) Representation

The Entity Relationship Diagram (ERD) tries to unveil the existing relationship between the main systems of Versand and to clarify the flow of sensitive information together with the possible security interface points.

Figure 2: ER Diagram

The above ER diagram identifies the major data entities involved in the shipping process of Versand. It employs a system of logging into the platform using credentials and making shipment bookings associated with containers of inventory items. A tracking record of each container is kept to help in tracking the status and places it is at a particular period. Payments involve shipments, and the suppliers offer booking services whereby customers request specific shipments. This structure raises the visibility of vital data transactions for effectively controlling shipment, tracking, and inventory data in the system environment.

Recommendations and Mitigation Strategies

Infrastructure Security Improvements

As part of further improvement of network topology for Versand’s global network, it is necessary to ensure strong network segmentation, to localize core processes, including shipment data management and financial databases, from operational areas. This will avoid exposure of important resources in the organization in the event of an attack and prevent lateral movement. The improvement of firewalls at all the port and regional offices will maintain the strategic security perimeter to filter and monitor all traffic in conjunction with the existing security policy (Forguites, 2024). In particular, VPN policies need to be updated to increase encryption measures and multi-factor authentication (MFA) for external connections from vessels or third-party contractors. VPN access will be restricted by implementing the principle of least privilege to restrict unnecessary systems from being accessed by any user. One of the general principles is that periodic observation of the logs of VPN usage will reveal unfamiliar patterns of connection that may be associated with a violation.

Application Security Enhancements

Since Versand is an organization that is very inclined to utilize Microsoft-based systems, it is required to have a strict patch management policy for quick installation of all acquired patches for servers, applications, and endpoints. Any operation that does not prioritize the patching of known vulnerabilities such as the one that happened in the year 2017 makes the company vulnerable to the attacks (Liu et al., 2022). Furthermore, there is a need to install IDPS in all data centres and port offices to provide timely detection and immediate response to intruding activities. IDPS solutions should be configured for signature-based threats and specifically for tracking and booking systems that are frequently targeted in injection attacks. Encryption of stored and transmitted data should be a rule to avoid loss or interception of data that can be sensitive or valuable.

Use certificate based IPsec VPN for Remote Access and employ TLS 1.3 for all cloud and web services (Larkins and Caldwell, 2021). The second secure change is to enforce MFA for all admin accounts with TOTP apps or biometric ones. RBAC can be applied in the shipping, tracking and the inventory system to allow the users to see only modules which are related to his/her position. Synchronise all IAM practices with an identity provider to ensure that they are easier to monitor and govern (Hao et al., 2021).

Social, Legal, and Managerial Security Measures

Continuing education programs to enforce good security habits should be conducted or provided sessions should be held continuously at the employee level to combat the dangers of phishing, social engineering, and human mistake. Security awareness activities for staff should focus on mimicking attacks and the correct way to handle emails, login credentials and security incidents. Legally, it was necessary to adhere to GDPR due to the company’s operations in Europe as VL. Risk management procedures in line with ISO 27001 information security management system that require conduct of audits and documentation of risk assessment and control and risk treatment plans (Sindiramutty et al., 2024).

Use Case Diagram for Security Implementation

The following use case for the interactions between the users, systems and the security controls in place in Versand will help in detailing the interactions on the Versand platform.

Figure 3: Use Case Diagram

This use case illustrates how controls such as MFA, FW, IDS, Encryption and Patching manage to address the users, the administrators and the attackers.

Plan for Penetration Testing

Internal Penetration Testing Approach

A proper internal penetration testing plan should be developed to determine Versand's internal network security weakness with a specific focus on regional data centres, port offices as well as employee workstations. The internal test will then act like there is an attacker from inside the trusted network where the firewall, an intrusion detection device, or people’s access privileges will be evaluated (Alkhurayyif and Almarshdy, 2024). Much attention will be paid to systems with the Windows 7 operating system as such systems remain vulnerable to malware extension and privilege escalation.

External Penetration Testing Strategy

External penetration testing will concern issues that are within a system that can be attacked from beyond the network boundaries with the external firewall as a barrier, some of which are VPN gateways, web-based shipment booking and cloud-connected services. This realistic skills-based test will bring out shortcomings such as SQL injection, cross-site scripting, and the lack of or wayward validation and will help address them as well (Odimarha et al., 2024). It is also important to test suppliers and third-party vendor connections to identify any risks that an outside party may pose when connected to the Versand network. It will identify assets that may be accessed by threats and examine how great the threats’ danger is to organisational perimeter security.

Focus on Communication Servers

Since the nature of the company mostly involves the use of communication servers for voice and video conveying systems, penetration tests will focus on these systems to analyze the possibility of data leaks (Sindiramutty et al., 2024). The testing will involve testing the encryption, determining the ability to withstand interception of some of the communication that the corporation holds as sensitive, and discovering some of the configuration weaknesses that make it easy for an outsider to spy on the communication.

Comparison Against Industry Standards

Current Security State vs. Industry Benchmarks

The findings, though, show that Versand has current cybersecurity vulnerabilities that may be assessed against the principles of the NIST, ISO 27001, and CIS Controls. Despite these preventive measures such as VPN connection and anti-virus, the organization has not applied the firewall consistently while still using Windows 7 which is not supported in the market contrary to the standards set by these frameworks (Korsvik, 2023). For example, CIS Control 7 suggests the need to manage vulnerability, an aspect that Versand did not observe resulting in the 2017 ransomware attack Sindiramutty et al., 2024). Also, the absence of a unified MFA and inadequate employee knowledge do not satisfy AC and AT guidelines provided by NIST (Kaila and Nyman, 2018). More specifically, the Port's data is not protected based on GDPR rules regarding its confidentiality and integrity because several of its offices still use outdated systems to connect wirelessly.

Expected Improvements After Implementation

The strategies recommended would go a long way in improving Versand’s levels of conformity to the existing practices in industries. The enhancements made to the legacy systems, implementation of proper network segmentation policy, and the use of modern intrusion detection systems will go a long way in fulfilling the requirements of SC of the NIST while at the same time addressing the technical controlling objectives of ISO 27001 (Renvall, 2018). This means that CIS Control 3 will be met by carrying out penetration testing and management of patches frequently (Odimarha et al., 2024). Also, ISO 27001 will be supported by mandatory cybersecurity training and proper access controls for employees.

Conclusion

The evaluation of Versand’s current global network infrastructure reveals various pertinent risks relating to cybersecurity concerns, outdated equipment, even varying degrees of security integration, and weak levels of access control. The ransomware attack in 2017 revealed possible operational disruption and financial loss that the cyber threats caused to the core business, shipping, and logistics services. The results further show internal threats including human mistakes and phishing in addition to external threats like ransomware and DDoS that comprise information and halt activities. Additionally, there is no clear formulation of the firewall deployment and unrestricted WLAN access, coupled with the utilization of nonprofessional systems.

It is crucial to closely monitor the cyber threats to protect the numerous systems, active networks, and other structures of Versand. Conducting vulnerability checks, penetration testing, and the use of better detection methods will ensure that the risk is detected well enough before it gets out of hand. Computer network traffic will need to be monitored especially when concerning communications servers to shield sensitive corporate communications. The changes which have been proposed include MFA, RBAC, system patching, strong VPN encoding, and network partitioning; they improve access control, minimize entry points for hackers, and prevent their movement within the network. The testing acknowledges threats and exposures in the system, while the IAM establishes centralized control to eliminate ineffective processes, which cements Versand’s cybersecurity network.

To minimize the probability of such attacks, it is suggested that Versand should modernize old applications, launch a policy that insists on multi-factor authentication, and use network segmentation. Ongoing education and training for its employees and compliance with set standards, and framework like NIST, ISO 27001 and CIS Controls can help to significantly bolster the organization’s defenses against cyber threats.

References

Journals

• Alkhurayyif, Y. and Almarshdy, Y.S., 2024. Adopting automated penetration testing tools: A cost-effective approach to enhancing cybersecurity in small organizations.
• Blackhurst, J., Rungtusanatham, M.J., Scheibe, K. and Ambulkar, S., 2018. Supply chain vulnerability assessment: A network-based visualization and clustering analysis approach. Journal of Purchasing and Supply Management, 24(1), pp.21-30.
• Chatterjee, P., Bose, R., Banerjee, S. and Roy, S., 2022. Secured Remote Access of Cloud-Based Learning Management System (LMS) Using VPN. In Pattern Recognition and Data Analysis with Applications (pp. 111-126). Singapore: Springer Nature Singapore.
• Forguites, J., 2024. Network segmentation boosts performance, protection: reduce network cybersecurity risk and optimize network performance by following these 5 steps to leverage best practices of network design. Control Engineering, 61(11), pp.38-41.
• Ganin, A.A., Quach, P., Panwar, M., Collier, Z.A., Keisler, J.M., Marchese, D. and Linkov, I., 2020. Multicriteria decision framework for cybersecurity risk assessment and management. Risk Analysis, 40(1), pp.183-199.
• Haddad, J., Pitropakis, N., Chrysoulas, C., Lemoudden, M. and Buchanan, W.J., 2023. Attacking Windows Hello for Business: Is It What We Were Promised?. Cryptography, 7(1), p.9.
• Hamied, M.H.A., 2023, January. Using an IPsec VPN to secure the network communication in the smart grid. In 2023 1st International Conference on Advanced Innovations in Smart Cities (ICAISC) (pp. 1-5). IEEE.
• Hao, Q., Sun, L., Guo, S., Liu, H., Qian, D. and Zhu, X., 2021, August. Improvement of EAP-TLS protocol based on pseudonym mechanism. In 2021 International Conference on Wireless Communications and Smart Grid (ICWCSG) (pp. 23-28). IEEE.
• Hunter, R. and Weiss, J., 2021. Cybersecurity and data centers. Data center handbook: Plan, design, build, and operations of a smart data center, pp.349-358.
• Kaila, U. and Nyman, L., 2018. Information security best practices. Technology Innovation Management Review.
• Korsvik, V.P.I., 2023. Cyber security Risk perception and Mitigation Strategies within the Maritime Shipping Industry (Master's thesis, University of South-Eastern Norway).
• Larkins, H. and Caldwell, N., 2021, September. IPsec: A Study Exploring Bandwidth and CPU Utilization. In 2021 International Conference on Computing and Communications Applications and Technologies (I3CAT) (pp. 36-43). IEEE.
• Liu, W., Xu, X., Wu, L., Qi, L., Jolfaei, A., Ding, W. and Khosravi, M.R., 2022. Intrusion detection for maritime transportation systems with batch federated aggregation. IEEE transactions on intelligent transportation systems, 24(2), pp.2503-2514.
• Odimarha, A.C., Ayodeji, S.A. and Abaku, E.A., 2024. Securing the digital supply chain: Cybersecurity best practices for logistics and shipping companies,'. World Journal of Advanced Science and Technology, 5(1), pp.026-030.
• Renvall, A., 2018. Improving cybersecurity through ISO/IEC 27001 information security standard in the context of SMEs.
• Sharma, G., 2021. Secure remote access ipsec virtual private network to university network system. Journal of Computer Science Research, 3(1), pp.16-27.
• Shi, M., Chen, J., Ma, Z., He, K., Jia, M. and Du, R., 2025. A Formal Analysis of 5G EAP-TLS Protocol. IEEE Transactions on Networking.
• Sindiramutty, S.R., Jhanjhi, N.Z., Tan, C.E., Khan, N.A., Shah, B. and Manchuri, A.R., 2024. Cybersecurity measures for logistics industry. In Navigating Cyber Threats and Cybersecurity in the Logistics Industry (pp. 1-58). IGI Global.
• Škundrić, P., Korać, V. and Davidovac, Z., 2022. EU CYBER INITIATIVES AND INTERNATIONAL CYBERSECURITY STANDARDS–AN OVERVIEW. Archaeology & Science/Arheologija i Prirodne Nauke, 18.
• Soner, O., Kayisoglu, G., Bolat, P. and Tam, K., 2024. An investigation of ransomware incidents in the maritime industry: Exploring the key risk factors. Proceedings of the Institution of Mechanical Engineers, Part O: Journal of Risk and Reliability, p.1748006X241283093.
• Symes, S., Blanco-Davis, E., Graham, T., Wang, J. and Shaw, E., 2024. Cyberattacks on the Maritime Sector: A Literature Review. Journal of Marine Science and Application, 23(4), pp.689-706.
• Tasueva, T.S. and Borisova, V.V., 2021, February. Digital Design of the Region’s Logistics Infrastructure. In International Scientific and Practical Conference “Russia 2020-a new reality: economy and society”(ISPCR 2020) (pp. 446-450). Atlantis Press.
• Zheng, Z., Zhang, Y., Gurram, V., Useche, J.S., Roth, I. and Hu, Y., 2021, March. Best Practices in Designing and Implementing Cloud Authentication Schemes. In CS & IT Conference Proceedings (Vol. 11, No. 3). CS & IT Conference Proceedings.