2018
Page | 1
Risk Management Report
Sri Lanka Telecom PLC
1. Executive summary
This report contains the details of the risk assessment carried out together with the Risk Management Unit of Sri Lanka Telecom PLC, under the terms and conditions of the organization.
The information security risk assessment was performed between August 20, 2018 and September 7, 2018, following the NIST information risk assessment framework (NIST SP 800-39 / SP 800-30).
The assessment identified several information security risks that require the attention of the organization's Board.
Issues statement
Security issues of the ERP-X Web application
- The risk assessment unit identified security holes in the web application that can affect the confidentiality and integrity of SLT PLC's sensitive data.
- Details of each issue are documented in the Technical Report section of this report.
Low processing power of the Web server
- The low processing power of the web server affects the availability of the data. Recent ERP-X system failures have occurred because of this issue.
Outdated firewall operating system
- The operating system currently used by the firewall has major security issues that leave the system insecure.
Security issues in the border router
- The CISCO 7606 router used as the border router has been identified as having product issues.
Recommendation statement
The ERP-X application developers are expected to patch the security holes in the web application.
Upgrading the processors of the web server is recommended.
The firewall operating system needs to be replaced with a current firewall operating system.
Upgrading the router IOS is recommended.
Note – Readers are advised to examine Figure 3 – Annual loss expectancy details, in the ‘Summary and Recommendations’ section (page 10) of this report.
2. Technical Report
2.1 Participants
Database Administrator of SLT PLC
Security Administrator of SLT PLC
Network Manager of SLT PLC
System Custodian
Risk Assessment team
- System Characterization
- Threat Identification
- Vulnerability Identification
- Control Analysis
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Control Recommendations
2.7 Methodology
The information risk assessment of SLT PLC was performed using a hybrid risk analysis model (qualitative and quantitative risk analysis), focusing on the following assets.
The risk assessment unit used the following risk model as the qualitative risk analysis model.
Likelihood definition (risk = likelihood x impact)
Risk scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)
Impact
Low (0.1): Low risk (10 x 0.1 = 1); Medium risk (50 x 0.1 = 5); High risk (100 x 0.1 = 10)
The password policies used for the ERP-X system have not been well defined within SLT PLC.
A design flaw has been identified in the ERP-X application: the employee resignation function is implemented without proper authentication, which could affect the confidentiality and integrity of the system's data.
SQL injection – The system is vulnerable to SQL injection according to the OWASP ZAP scan performed by the risk assessment unit.
Cross-site scripting – The test conducted by the risk assessment unit found that the system contains cross-site scripting vulnerabilities.
The low processing power of the server could affect the overall functionality of the ERP-X system. Data sent by the other branches of SLT PLC must be processed by this system, which makes the system a potential target of a DDoS attack.
2.9.2 System Users
Asset | Threat / vulnerability | Likelihood | Impact | Risk | Recommendation
(A) ERP-X Web server | (i) Vulnerable to DOS attacks | Low | Medium | Medium | Upgrading the processors of the server. Replacing malfunctioning processors.
(A) ERP-X Web server | (ii) Server failures due to low processing power | High | Medium | High | Utilizing the work load distribution within servers. Upgrading the processors of the server. Replacing malfunctioning processors.
(C) ERP-X System's Database | (i) CVE-2018-2680 | Low | Medium | Low | Installing the Oracle patch updates
(E) ERP-X Web application | (i) MySQL-connector-java-5.1.42.jar third party library used by the system has major security drawbacks | Low | Medium | Medium | Installing patch updates / upgrading the MySQL version
(E) ERP-X Web application | (v) Low strength of user passwords | Medium | Medium | Medium | Using alphanumeric characters along with special characters
[Figure: risk rating matrix placing the identified items (A)-i, (A)-ii, (B)-i, (C)-i,ii, (D)-i, (D)-ii, (E)-i,ii,iii,iv by likelihood and impact]
SLE (per asset): $910, $5,220, $856, $17,960, $124,800
Note – The impact and risk ratings have been estimated from the perspective of SLT PLC. These assessment values may vary from the perspective of individuals or entities within the organization.
Figure 3 – Annual loss expectancies before & after safeguards
[Bar chart; series: ALE before safeguard, ALE after safeguard; y axis: 0 to 70,000 (USD); assets: ERP-X Web server, ERP-X Application server, ERP-X System's Database, Border Router, ERP-X Web Application]
4. Appendix
EF (Exposure factor) – asset loss caused by the threat, as a percentage
SLE (Single loss expectancy) – asset value x EF
ARO (Annual rate of occurrence) – frequency of threat occurrence within a year
ALE (Annual loss expectancy) – ARO x SLE
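A worked example of the risk arithmetic defined above, added here as an illustration and not taken from the report: the qualitative likelihood x impact matrix from the methodology section and the EF/SLE/ARO/ALE chain from the appendix. The Medium and High likelihood weights (0.5, 1.0) are the NIST SP 800-30 values the methodology follows; every asset value, exposure factor and frequency is constructed.

```python
"""Risk arithmetic from the report's methodology and appendix, as an added
worked example (not the report's own code). Likelihood and impact weights are
the NIST SP 800-30 values the methodology follows; every asset value, exposure
factor (EF) and annual rate of occurrence (ARO) below is constructed."""

LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_level(likelihood: str, impact: str) -> tuple[float, str]:
    """Qualitative model: score = likelihood weight x impact weight, rated on
    the report's scale High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    score = round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)
    if score > 50:
        rating = "High"
    elif score > 10:
        rating = "Medium"
    else:
        rating = "Low"
    return score, rating


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy = asset value x EF (EF given as a fraction 0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(aro: float, single_loss: float) -> float:
    """Annual loss expectancy = ARO x SLE."""
    return aro * single_loss


def safeguard_benefit(asset_value: float, ef_before: float, aro_before: float,
                      ef_after: float, aro_after: float, annual_cost: float) -> float:
    """Net annual value of a safeguard: (ALE before - ALE after) minus the
    safeguard's own annual cost. A negative result means the control costs
    more per year than the loss it prevents."""
    before = ale(aro_before, sle(asset_value, ef_before))
    after = ale(aro_after, sle(asset_value, ef_after))
    return before - after - annual_cost


if __name__ == "__main__":
    # Constructed figures: a web server valued at $20,000 taken down twice a
    # year (EF 25%); load distribution and new processors cut the ARO to 0.5.
    print(risk_level("Medium", "Medium"))                        # (25.0, 'Medium')
    print(safeguard_benefit(20_000, 0.25, 2, 0.25, 0.5, 3_000))  # 4500.0
```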
Before safeguard: $1,365, ARO – 14 | After safeguard: $910, ARO – 14
Note – US dollars have been used as the currency for all values.
4.2 Reference
https://nvd.nist.gov/vuln-metrics/cvss
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf