
Risk Management Report

2018

IT16168114 – Viraj Dissanayake


IT16152342 – R.M.A.D Rathnayake

Page | 1
Risk Management Report
Sri Lanka Telecom PLC

1. Executive summary

This report contains the details of the risk assessment carried out together with the Risk Management unit of Sri Lanka Telecom PLC (SLT PLC), under the terms and conditions of the organization.

Between August 20 and September 7, 2018, an information security risk assessment was performed following the NIST risk management and risk assessment guidance (NIST SP 800-39 / SP 800-30).

The assessment identified several information security risks that require the attention of the Board of the organization.

Issues statement

Security issues of the ERP-X web application
- The risk assessment unit identified security holes in the web application that can affect the confidentiality and integrity of sensitive SLT PLC data.
- Details of each issue are documented in the Technical Report section of this report.

Low processing power of the web server
- The low processing power of the web server affects the availability of the data. Recent system failures of the ERP-X system have occurred because of this issue.

Outdated firewall operating system
- The operating system currently running on the firewall has major security issues, which leave the system insecure.

Security issues in the border router
- The Cisco 7606 router used as the border router has been identified as having product issues.

Recommendation statement

- The ERP-X application developers are expected to patch the security holes of the web application.
- Upgrading the processors of the web server is recommended.
- The firewall operating system needs to be replaced with a current firewall operating system.
- Upgrading the router IOS is recommended.

Note – It is recommended to examine Figure 3 (annual loss expectancy details) in the 'Summary and Recommendations' section (page 10) of this report.

2. Technical Report

2.1 Participants

- Database Administrator of SLT PLC
- Security Administrator of SLT PLC
- Network Manager of SLT PLC
- System Custodian
- Risk Assessment team

2.2 Scope of the risk assessment

The ERP-X (Enterprise Resource Planning) system of SLT PLC is the new information system introduced to replace the older system. The parallel conversion method was used to introduce it, i.e. the old and new systems ran side by side during the changeover. The whole information management process of SLT PLC has been centralized in the ERP-X system. This risk assessment focused on the following assets and components of the ERP-X system:

- ERP-X Web server
- ERP-X Application server
- ERP-X System's Database
- Border router
- ERP-X Web application

2.3 Risk assessment approach

The risk assessment unit reviewed the security policies, documentation and diagrams of each component of the system. Interviews were conducted to validate this information, and during the site visit the assessment unit identified the environmental controls of the system.

2.4 Risk Management Framework

The risk assessment was conducted by following the NIST (National Institute of Standards and Technology) framework. The NIST Risk Management Framework provides organization-wide programme guidance for managing information security risk. The information risk assessment of the ERP-X system was conducted according to the following steps, as defined in NIST SP 800-30:

- System Characterization
- Threat Identification
- Vulnerability Identification
- Control Analysis
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Control Recommendations

2.5 Assessment tools

Nessus, Nmap, OWASP ZAP and OWASP Dependency-Check were used as assessment tools by the risk assessment unit to identify vulnerabilities in the system. Cross-site scripting and SQL injection tests were performed against the application to find vulnerabilities in its code.

2.6 Flow Diagram

2.7 Methodology

The information risk assessment of SLT PLC was performed using a hybrid risk analysis model (qualitative and quantitative risk analysis), focusing on the following assets:

- ERP-X Web server
- ERP-X Application server
- ERP-X System's Database
- Border router
- ERP-X Web application

2.7.1 Qualitative Risk model

The risk assessment unit used the following risk model as the qualitative risk analysis model:

- Risk = Threat likelihood x Magnitude of impact

2.7.2 Likelihood Determination

Likelihood   | Definition
High (1.0)   | Highly motivated and sufficiently capable threat source; the controls to prevent the vulnerability from being exploited are insufficient.
Medium (0.5) | Motivated and capable threat source; controls are in place that can impede exploitation of the vulnerability.
Low (0.1)    | The threat source lacks motivation or capability; the controls are sufficient to prevent the vulnerability from being exploited.
2.7.3 Qualitative risk calculation

Risk scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)

The risk level of each cell is read from its score using the scale above, not from the impact column alone.

Threat likelihood | Impact: Low (10)       | Impact: Medium (50)      | Impact: High (100)
High (1.0)        | Low risk (10x1.0=10)   | Medium risk (50x1.0=50)  | High risk (100x1.0=100)
Medium (0.5)      | Low risk (10x0.5=5)    | Medium risk (50x0.5=25)  | Medium risk (100x0.5=50)
Low (0.1)         | Low risk (10x0.1=1)    | Low risk (50x0.1=5)      | Low risk (100x0.1=10)

2.8 Vulnerability statement

Known vulnerabilities in dependencies
- The mysql-connector-java-5.1.42.jar third-party library used by the system has major security weaknesses. CVSS score – 8.0
- The Apache Solr 6.6.2 third-party library used by the system contains known vulnerabilities. CVSS score – 7.5

Password policy – The password policies used for the ERP-X system are not well defined within SLT PLC.

Design flaw – A design flaw has been identified in the ERP-X application: the employee resignation function is implemented without proper authentication, which could affect the confidentiality and integrity of the system's data.

SQL injection – The system is vulnerable to SQL injection according to the OWASP ZAP scan performed by the risk assessment unit.

Cross-site scripting – Tests conducted by the risk assessment unit found that the system contains cross-site scripting vulnerabilities.

Low processing power of the server – This could affect the overall functionality of the ERP-X system. Data sent by the other branches of SLT PLC must be processed by this system, so the shortage of capacity also makes the system an easier target for a DDoS attack.
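The SQL injection and cross-site scripting findings above both come down to untrusted input being concatenated into a query or into HTML. The following Python block is an added illustration, not code from the ERP-X application (the report reproduces none of it); it uses a constructed in-memory SQLite table with made-up employee rows and plaintext passwords purely so the effect is visible (real systems hash passwords), shows the concatenated login query of the kind a ZAP scan flags beside its parameterised replacement, and does the same for an unescaped versus escaped HTML field. All names in it are the example's own.

```python
"""SQL injection and cross-site scripting: the defect and the fix.

Added illustration, not code from the ERP-X application.  A constructed
in-memory SQLite table stands in for the employee data.
"""
from __future__ import annotations

import html
import sqlite3

# Constructed sample rows; not SLT PLC records.  Plaintext passwords are
# used only so the bypass is visible; a real system stores hashes.
EMPLOYEES = [
    ("viraj", "s3cret", "Viraj"),
    ("dilan", "hunter2", "Dilan"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (username TEXT, password TEXT, display_name TEXT)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Builds the query by string concatenation: user input becomes SQL.

    With password = "' OR '1'='1" the WHERE clause turns into
    (username = 'x' AND password = '') OR '1'='1', which matches every row.
    """
    sql = (
        "SELECT username FROM employee WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Bound parameters: the driver passes the input as data, never as SQL."""
    sql = "SELECT username FROM employee WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def greeting_vulnerable(display_name: str) -> str:
    """Reflects the stored value straight into HTML (stored XSS)."""
    return "<p>Welcome, " + display_name + "</p>"


def greeting_fixed(display_name: str) -> str:
    """Escapes <, >, &, and quotes so the value can only render as text."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def demo() -> dict[str, object]:
    """Run both variants against the same payloads and return the results."""
    conn = make_db()
    sqli_payload = "' OR '1'='1"
    xss_payload = "<script>alert(1)</script>"
    return {
        "vuln_bypass": login_vulnerable(conn, "anyone", sqli_payload),
        "fixed_bypass": login_fixed(conn, "anyone", sqli_payload),
        "fixed_valid": login_fixed(conn, "viraj", "s3cret"),
        "xss_vuln": greeting_vulnerable(xss_payload),
        "xss_fixed": greeting_fixed(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:13s} {value}")
```

The vulnerable login returns every employee for a username that does not exist, while the parameterised version returns nothing for the same payload and still authenticates a genuine credential; the escaped greeting renders the script tag as literal text.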

2.9 System characterization

2.9.1 Technology components

Component        | Description
Operating System | Microsoft Windows Server 2008 R2 (NT 6.1)
Applications     | Oracle Java EE, Apache Tomcat server
Database         | Oracle MySQL 5.6.19 (x64)
Network          | Cisco routers, Internet firewall
Protocols        | Transmission uses SSL

2.9.2 System Users

Users                 | Description
CBIO                  | Business information quality management
CCO                   | Customer data management
CEO                   | Legal division management
CEWO                  | Enterprise solutions management
CFO                   | Account and asset management
CHRO                  | Human resource data management
CIA                   | Investigating unit data management
CIO                   | IT application / business support
CLO                   | Administrative data management
SEAE / RTOM / DGM / GM | Administrative data management

2.10 Controller statement

Component / asset | Vulnerability | Likelihood | Impact | Risk rating | Recommended controls
(A) ERP-X Web server | (i) Vulnerable to DoS attacks | Low | Medium | Medium | Upgrading the processors of the server; replacing malfunctioning processors.
(A) ERP-X Web server | (ii) Server failures due to low processing power | High | Medium | High | Distributing the workload across servers; upgrading the processors of the server; replacing malfunctioning processors.
(B) ERP-X Application server | (i) CVE-2010-0066 | Low | Medium | Low | Installing the Oracle patch updates.
(C) ERP-X System's Database | (i) CVE-2018-2680 | Low | Medium | Low | Installing the Oracle patch updates.
(C) ERP-X System's Database | (ii) CVE-2016-0472 | Low | Medium | Medium | Installing the Oracle patch updates.
(D) Border router (Cisco 7606) | (i) CVE-2005-1517 | Low | Low | Low | Upgrading the IOS.
(D) Border router (Cisco 7606) | (ii) CVE-2003-0543 | Low | Medium | Low | Upgrading the IOS.
(E) ERP-X Web application | (i) The mysql-connector-java-5.1.42.jar third-party library used by the system has major security weaknesses | Low | Medium | Medium | Installing patch updates / upgrading the MySQL connector library.
(E) ERP-X Web application | (ii) The Apache Solr 6.6.2 third-party library used by the system contains known vulnerabilities | Low | Medium | Medium | Installing patch updates / upgrading to the latest version of Apache Solr.
(E) ERP-X Web application | (iii) SQL injection | Low | Low | Low | Patching the security holes in the source code of the ERP-X application.
(E) ERP-X Web application | (iv) Cross-site scripting | Low | Medium | Medium | Patching the security holes in the source code of the ERP-X application.
(E) ERP-X Web application | (v) Low strength of user passwords | Medium | Medium | Medium | Requiring alphanumeric characters along with special characters.

Note – Several of the ratings above depart from the matrix in section 2.7.3 (for example, Low likelihood x Medium impact scores 5, which the scale classifies as Low risk, and High likelihood x Medium impact scores 50, which is Medium); they record the assessment unit's judgement from the perspective of SLT PLC.

2.11 Risk Heat map

Figure – 2: Risk heat map plotting each finding of the controller statement (section 2.10) by threat likelihood and impact. Findings plotted: (A)-i, (A)-ii, (B)-i, (C)-i, (C)-ii, (D)-i, (D)-ii, (E)-i, (E)-ii, (E)-iii, (E)-iv. (Chart not reproduced in text.)

2.12 Risk Analysis

Risk factor | ERP-X Web server | ERP-X Application server | ERP-X System's Database | Border router (Cisco 7606) | ERP-X Web application

Before safeguards
EF  | 30%     | 10%    | 18%    | 30%     | 25%
SLE | $1,365  | $8,700 | $1,926 | $26,940 | $240,000
ARO | 14      | 0.5    | 0.5    | 0.5     | 0.25
ALE | $19,110 | $4,350 | $963   | $13,470 | $60,000

After safeguards
EF  | 20%     | 6%     | 8%     | 20%     | 13%
SLE | $910    | $5,220 | $856   | $17,960 | $124,800
ARO | 14      | 0.5    | 0.5    | 0.5     | 0.25
ALE | $12,740 | $2,610 | $428   | $8,980  | $31,200

Annual cost of safeguard | $100 | $1,200 | $130 | $240 | $3,650
Cost vs benefit (ALE before – ALE after – annual safeguard cost) | $6,270 | $540 | $405 | $4,250 | $25,150

Risk Analysis Reference – Appendix; section 4.1

Note – The impact and risk ratings have been estimated from the perspective of SLT PLC. These values could vary from the perspective of individual units or entities of the organization.

3. Summary and Recommendations

The risk assessment unit has found that Sri Lanka Telecom PLC manages the majority of its information-related risks at a level acceptable to the organization. This risk assessment has, however, identified some risks to which the organization is currently exposed.

The web server of the ERP-X system needs to be upgraded with Intel® Xeon® Processor E3-1270V2 (8M Cache, 3.5 GHz) processors. This would prevent the server from being unable to process its workload.

The ERP-X application server contains vulnerabilities that affect the confidentiality, integrity and availability (CIA) of the ERP-X system. The patch updates provided by Oracle Corporation should be applied.

Figure – 3: Annual loss expectancies before and after safeguards (ALE before safeguard vs ALE after safeguard, USD, axis 0 to 70,000) for the ERP-X Web server, ERP-X Application server, ERP-X System's Database, Border router and ERP-X Web application. (Reference: Appendix; section 4.1. Chart not reproduced in text.)

4. Appendix

- EF (Exposure factor) – the proportion of the asset's value lost when the threat occurs, as a percentage
- SLE (Single loss expectancy) – Asset value x EF
- ARO (Annual rate of occurrence) – expected frequency of the threat within a year
- ALE (Annual loss expectancy) – SLE x ARO

Asset values from the perspective of SLT PLC

- ERP-X Web server (Supermicro SYS-2028U-E1CNRT) – $4,550.00
- ERP-X Application server (Oracle WebLogic Server) – $87,000.00
- ERP-X System's database – $10,700.00
- Border router – $89,800.00
- ERP-X Web application – $960,000.00

4.1 Cost benefit analysis

4.1.1 ERP-X Web server

                 | Before safeguards           | After safeguards
EF               | 30%                         | 20%
SLE              | 4,550 x 30% = $1,365.00     | 4,550 x 20% = $910.00
ARO              | 14                          | 14
ALE              | 1,365 x 14 = $19,110.00     | 910 x 14 = $12,740.00

Annual cost of safeguard – $100.00

Safeguard cost benefit – 19,110 – (12,740 + 100) = $6,270.00
-------------

4.1.2 ERP-X Application server

                 | Before safeguards           | After safeguards
EF               | 10%                         | 6%
SLE              | 87,000 x 10% = $8,700.00    | 87,000 x 6% = $5,220.00
ARO              | 0.5                         | 0.5
ALE              | 8,700 x 0.5 = $4,350.00     | 5,220 x 0.5 = $2,610.00

Annual cost of safeguard – $1,200.00

Safeguard cost benefit – 4,350 – (2,610 + 1,200) = $540.00
-------------

4.1.3 ERP-X System's database

                 | Before safeguards           | After safeguards
EF               | 18%                         | 8%
SLE              | 10,700 x 18% = $1,926.00    | 10,700 x 8% = $856.00
ARO              | 0.5                         | 0.5
ALE              | 1,926 x 0.5 = $963.00       | 856 x 0.5 = $428.00

Annual cost of safeguard – $130.00

Safeguard cost benefit – 963 – (428 + 130) = $405.00
-------------

4.1.4 Border router

                 | Before safeguards           | After safeguards
EF               | 30%                         | 20%
SLE              | 89,800 x 30% = $26,940.00   | 89,800 x 20% = $17,960.00
ARO              | 0.5                         | 0.5
ALE              | 26,940 x 0.5 = $13,470.00   | 17,960 x 0.5 = $8,980.00

Annual cost of safeguard – $240.00

Safeguard cost benefit – 13,470 – (8,980 + 240) = $4,250.00
-------------

4.1.5 ERP-X Web application

                 | Before safeguards           | After safeguards
EF               | 25%                         | 13%
SLE              | 960,000 x 25% = $240,000.00 | 960,000 x 13% = $124,800.00
ARO              | 0.25                        | 0.25
ALE              | 240,000 x 0.25 = $60,000.00 | 124,800 x 0.25 = $31,200.00

Annual cost of safeguard – $3,650.00

Safeguard cost benefit – 60,000 – (31,200 + 3,650) = $25,150.00
-------------

Note – US dollars are used as the currency for all values.
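The following Python block is an added worked example (not part of the original report) that implements the qualitative likelihood x impact matrix of section 2.7.3 and the EF/SLE/ARO/ALE cost-benefit method of section 4.1, taking the asset values, exposure factors, AROs and annual safeguard costs exactly as the appendix lists them. Every class and function name in it is the example's own.

```python
"""Qualitative and quantitative risk figures used in this report.

Added worked example, not part of the SLT PLC report: the SP 800-30
likelihood x impact matrix (section 2.7.3) and the EF/SLE/ARO/ALE
cost-benefit method (appendix 4.1), recomputed from the report's inputs.
"""
from __future__ import annotations

from dataclasses import dataclass

# Section 2.7.2 / 2.7.3: numeric weights behind the qualitative ratings.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def qualitative_rating(likelihood: str, impact: str) -> tuple[float, str]:
    """Return (score, band) for a likelihood/impact pair.

    Bands follow the report's scale: Low 1-10, Medium >10-50, High >50-100.
    Low likelihood x High impact therefore scores 10 and is Low risk.
    """
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        band = "High"
    elif score > 10:
        band = "Medium"
    else:
        band = "Low"
    return score, band


@dataclass(frozen=True)
class Scenario:
    asset: str
    asset_value: float      # USD, appendix section 4
    ef_before: float        # exposure factor before safeguards
    ef_after: float         # exposure factor after safeguards
    aro: float              # annual rate of occurrence (same before and after)
    safeguard_cost: float   # annual cost of the safeguard, USD

    def sle(self, ef: float) -> float:
        """Single loss expectancy: asset value x EF."""
        return self.asset_value * ef

    def ale(self, ef: float) -> float:
        """Annual loss expectancy: SLE x ARO."""
        return self.sle(ef) * self.aro

    def cost_benefit(self) -> float:
        """ALE(before) - (ALE(after) + annual safeguard cost)."""
        return self.ale(self.ef_before) - (self.ale(self.ef_after) + self.safeguard_cost)


# Inputs as listed in appendix sections 4 and 4.1 of the report.
SCENARIOS = [
    Scenario("ERP-X Web server", 4_550, 0.30, 0.20, 14, 100),
    Scenario("ERP-X Application server", 87_000, 0.10, 0.06, 0.5, 1_200),
    Scenario("ERP-X System's Database", 10_700, 0.18, 0.08, 0.5, 130),
    Scenario("Border router", 89_800, 0.30, 0.20, 0.5, 240),
    Scenario("ERP-X Web application", 960_000, 0.25, 0.13, 0.25, 3_650),
]


def cost_benefit_table() -> dict[str, dict[str, float | bool]]:
    """Recompute every figure of section 2.12 from the appendix inputs."""
    table: dict[str, dict[str, float | bool]] = {}
    for s in SCENARIOS:
        table[s.asset] = {
            "sle_before": round(s.sle(s.ef_before), 2),
            "ale_before": round(s.ale(s.ef_before), 2),
            "sle_after": round(s.sle(s.ef_after), 2),
            "ale_after": round(s.ale(s.ef_after), 2),
            "cost_benefit": round(s.cost_benefit(), 2),
            # A safeguard only pays for itself when this is positive.
            "worthwhile": s.cost_benefit() > 0,
        }
    return table


if __name__ == "__main__":
    for lik in ("High", "Medium", "Low"):
        print(lik, [qualitative_rating(lik, imp) for imp in ("Low", "Medium", "High")])
    for asset, row in cost_benefit_table().items():
        print(f"{asset:26s} ALE before ${row['ale_before']:>10,.2f}  "
              f"after ${row['ale_after']:>10,.2f}  benefit ${row['cost_benefit']:>10,.2f}")
```

Running it reproduces the figures of section 2.12 and makes the arithmetic auditable: each ALE is SLE x ARO with no rounding step in between, and the matrix bands come from the score, so Low likelihood against High impact is Low risk.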

4.2 References

- NIST, Vulnerability Metrics (CVSS): https://nvd.nist.gov/vuln-metrics/cvss
- NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf

