1. Executive Summary
1.1 Introduction
The purpose of this report is to provide you with a comprehensive understanding of the potential risks your business may face, as well as recommendations for managing those risks effectively. It is important to note that while every effort has been made to identify all potential risks, new risks may emerge over time and this report should be considered a living document that should be reviewed and updated regularly.
After identifying the core digital assets of Mycart using the OCTAVE Allegro framework together with some additional risk evaluation factors, the risk assessment was carried out and completed. Between April 20, 2023, and April 22, 2023, an information security risk assessment was conducted at the Mycart corporate office, No. 426, Deans Road, Colombo 10, Sri Lanka. The objective of the risk assessment is to identify any potential threats to the security of the Mycart systems. Of the 15 assets identified, four were deemed crucial assets and important to the organization. These crucial assets were selected according to their importance and asset value within the business.
1.2 Key issues and Recommendations
1. Online Security & Security Breaches
Malware, phishing assaults, hacking, and spam email are just a few of the security risks to be on the lookout for.
Use a robust SSL (Secure Sockets Layer) and keep your platform's operating system updated often to protect yourself from these dangers.
Cyber-attacks and online security breaches are highly prevalent in the e-commerce industry, so you must use caution. It is crucial to protect consumer data, since a data breach might harm your company's brand and put you at risk of legal trouble. E-commerce websites, mostly online stores, are the target of up to 32.4% of all successful hacking attempts.
The best solutions to overcome security flaws are to utilize appropriate security tools for your website and to build extra security layers. You should choose a safe e-commerce platform based on object-oriented programming language, utilize SSL certificates for transactions, and continuously check your website and servers for malware.
2. System Reliability & Upgrading Database Server Software
The ISP's server could go down, the online payment system might display faults, and the e-commerce plugin might have glitches. These are only a few of the events outside your control; what remains within your control is keeping all operating systems and APIs updated.
The company currently runs Microsoft SQL Server 2019. This database software is affected by the Microsoft SQL Elevation of Privilege Vulnerability, CVE-2021-1636. The vulnerability is rated HIGH, so installing security update KB4583458 is advised.
3. Upgrading the Firewall
The company currently uses WatchGuard Firewall XTM 11.7.4u1, which is susceptible to a remote buffer overflow: a lengthy session ID value in a cookie may be used by remote attackers to execute arbitrary code. Upgrading the firewall reduces these vulnerabilities.
4. DDoS Attacks
When a malicious actor sends massive quantities of web traffic from hundreds of host machines to the target's servers, it is known as a DDoS (distributed denial of service) attack. Because the servers cannot handle the volume of traffic being delivered to them, the performance of the website suffers or the site crashes altogether.
A DDoS attack does not have to succeed. Businesses engaged in e-commerce can stop or lessen such attacks by monitoring traffic in real time, filtering it, or employing cloud providers to increase available bandwidth.
DDoS attacks happen often. There is no reason a shrewd company would not have a preventative strategy in place to guard against one of the most serious dangers associated with e-commerce businesses.
5. Privacy & Authentication Issues
Personal information about customers might be stolen and exploited for spamming, identity theft, and unwanted marketing.
Make sure to require customers to use strong passwords in addition to the previously mentioned online security measures. But in modern times, usernames and passwords are insufficient.
These basic authentication techniques are becoming more and more vulnerable to cunning hostile actors, whether through a password reset or a stolen password.
Smart online businesses will implement MFA or two-factor authentication systems to reduce this e-commerce business risk. With these techniques, an additional layer of authentication (such as a push notification on a different device) is required before a consumer may log in.
6. Credit Card Fraud
A hacker might utilize credit card information from other customers in your system, or someone could use a stolen credit card to make an online transaction.
Regardless of how effective your internet security measures are, you should constantly keep an eye out for any unusual transactions.
7. Intellectual Property Violations
Your website's photos, product details, logos, videos, music, and items themselves might all be duplicated by other parties or infringe on their intellectual property.
Your intellectual property includes things like your website's content, logo, taglines, and pictures. Copying data from rival companies is one of the most frequent mistakes committed by firms, which may result in copyright claims, legal action, negative publicity, and even economic loss.
The answer is straightforward: don't copy. To be more precise, use original text and photos, buy image licenses, or use royalty-free stock photography.
Have a standard operating procedure that outlines the actions to be taken to make sure there are no IP violations when posting content and images. Perform routine content checks, and when errors are found, fix them right away.
8. Low SEO Ranking
Poor SEO performance is awful. It implies that potential clients won't be able to find your company online.
Your website traffic may drastically decrease overnight if Google or other platforms completely change their algorithm, which they can do at any time. You cannot sell anything if customers cannot find your establishment.
You must arm yourself with information. Analyzing product demand is crucial for figuring out search volume and keyword difficulty. It will be challenging to rank for a keyword in a highly competitive market. To strategize how to go forward, smart B2B organizations will need to invest in SEO tools and marketing experts. Do you spend money on developing incredible content for competitive, high-traffic keywords? Or should you concentrate on long-tail keywords that receive less traffic yet face less competition? The decision is yours.
9. Return of Goods and Warranty
Increasing supply chain expenses and being unable to resell the products at their original pricing are two problems that frequently arise when dealing with product returns.
These kinds of difficulties may be managed with the use of a sensible pricing policy and a long-term company strategy.
10. Warehousing and Logistics Issues
While orders are coming in, you run the risk of running out of stock, having a product shipment delayed, or having a package delivered to the incorrect person.
This problem is readily resolved by a system with a good, quick, and reliable database and regular system updates.
2. Technical Report
2.1 Introduction
Mycart, a well-known online retailer in Sri Lanka, provides its clients with access to a large selection of goods and services. Customers can access business and marketing platforms using this platform from anywhere at any time as long as they have an active internet connection thanks to its adaptable virtual network.
Mycart's corporate headquarters are located at 426 Deans Road, Colombo 10, Sri Lanka. Computers and database servers are among the physical and virtual resources in the office that are necessary for the platform's efficient operation.
In order to protect the personal and financial information of its clients, Mycart must develop strong information security risk management policies given the rising frequency of cyber attacks and data breaches in today's digital ecosystem.
We will evaluate potential threats to Mycart's information security in this technical study and offer suggestions for reducing such threats. Our examination of Mycart's information security will touch on a number of issues, such as its IT setup, data management practices, and user authentication protocols. We will also assess the effectiveness of the current security controls and recommend further steps that might be taken to strengthen Mycart's overall security posture.
2.2 Methodology
This risk assessment project's goal is to examine the risks, threats, and hazards the business faces and put in place the necessary risk-reduction or risk-elimination procedures to give consumers a platform that is more secure and flexible.
We used the customizable OCTAVE Allegro framework, a methodology for discovering and analyzing an asset's information security vulnerabilities, to carry out the risk assessment. In addition, we applied a quantitative risk assessment strategy that involved surveying respondents to ascertain the proportion of asset value lost, the exposure factor (EF), brought on by each identified threat.
The Single Loss Expectancy (SLE) was estimated from the EF and the asset value. The annualized rate of occurrence (ARO), the expected number of times the threat recurs in a year, was multiplied by the SLE to arrive at the Annual Loss Expectancy (ALE). Finally, we used the formula below to determine the cost/benefit of each safeguard.
Cost/Benefit = ALE Before Mitigation - ALE After Mitigation - Annual Cost of Safeguard
The following calculation is used to rate the risks related to Mycart.
Risk = Threat Probability × Impact
2.2.2 Risk Appraisal Criteria
In this project we used a qualitative risk analysis technique to identify hazards associated with the online shopping cart.
Qualitative Risk Analysis
2.2.3 Quantitative Risk Analysis
Critical Assets Categories and Threat Analysis
| Critical Asset | Description | Container | Security Requirements | Value (Rs) |
| --- | --- | --- | --- | --- |
| Mobile Application (MA) | The business's mobile app gives customers access to customer information, including personal information, account information, account balances, and other features like data package upgrades. | Microsoft SQL Server 2019; Android Studio V4.0; Android Version 10 | C – Confidentiality, I – Integrity, A – Availability | Rs. 15,750,000 |
| Database Network (DN) | Records can have many owners in a database that is arranged based on record ownership, enabling different access points to the data. | Hardware and firewalls from WatchGuard | C – Confidentiality, I – Integrity, A – Availability | Rs. 10,850,000 |
| Server Administrative (SA) | All business-related financial and administrative tasks for the company and its defences are handled by this server. | Dell PowerEdge R530 rack server; Windows Server 2016 | C – Confidentiality, I – Integrity, A – Availability | Rs. 11,005,000 |
| Customer Information Database Server (CIDS) | A list of a person's first and last names, contact information such as phone numbers and email addresses, etc. | Windows Server 2016; Dell PowerEdge R530 | C – Confidentiality, I – Integrity, A – Availability | Rs. 11,320,000 |
| Asset | Threat | Impact Assessment | Mitigation Approach |
| --- | --- | --- | --- |
| MA | a) Privacy and cryptography threats; b) Privilege escalation using enumeration methods | An attacker would have access to sensitive data, and the private data of users could be leaked. Credentials (username, password) and other sensitive information will be leaked. | • Use asymmetric encryption algorithms such as RSA. • Add a two-factor authentication method. • When multiple login failures occur, block the user until they verify themselves. • Force users to use a strong password. Cost – Rs. 1,950,000 |
| CIDS | a) SQL injection attack; b) Distributed Denial of Service (DDoS) attack; c) Social engineering attack on employees; d) Unsecured remote access to CIDS | CIDS contains sensitive customer information such as personal and financial data, which can be compromised if the system is attacked or accessed by unauthorized individuals. | • Implement strict access controls to limit who can access CIDS. • Regularly update and patch software to prevent known vulnerabilities, especially for web-based applications. • Implement a firewall to monitor and filter network traffic. • Educate employees on how to recognize and report suspicious activity or phishing attempts. Cost – Rs. 1,250,000 |
| DN | a) Firewall software that has become obsolete; b) Accessing the firewall via an unencrypted Telnet connection; c) Insider threats; d) Protocols for inspection are too basic | An attacker can gain access to the internal organizational network and access confidential data. Attackers can also launch various attacks and corrupt the network data. | • A well-thought-out network segmentation approach. • Set up a remote Syslog server and take precautions to keep it safe from unwanted users. • At regular intervals, firewall logs should be examined, and any questionable log entries should be analyzed. • Back up the firewall rule set and configuration files on a regular basis. Cost – Rs. 556,750 |
| SA | a) Ransomware attack; b) Server hardware failure; c) Power outage affecting the server | If an administrative server goes down, it can impact the organization in several ways. It can result in additional costs for the organization, loss of sensitive company data, and damage to the organization's reputation. | • Provide regular security awareness training to staff. • Maintain physical security measures (e.g., locks, cameras, alarms). • Implement a robust backup strategy. • Invest in backup power supply solutions. • Implement a regular server maintenance plan. • Use proper DDoS protection firewalls. Cost – Rs. 700,000 |

| MA – Risk Factors | Before Mitigation | After Mitigation |
| --- | --- | --- |
| EF | 80% | 17% |
| SLE | 0.80 × 15,750,000 = 12,600,000 | 0.17 × 15,750,000 = 2,677,500 |
| ARO | 0.88 | 0.88 |
| ALE | 0.88 × 12,600,000 = 11,088,000 | 0.88 × 2,677,500 = 2,356,200 |
Cost/Benefit = 11,088,000 - 2,356,200 - 1,950,000 = 6,781,800

| CIDS – Risk Factors | Before Mitigation | After Mitigation |
| --- | --- | --- |
| EF | 85% | 17% |
| SLE | 0.85 × 11,320,000 = 9,622,000 | 0.17 × 11,320,000 = 1,924,400 |
| ARO | 1.2 | 1.2 |
| ALE | 1.2 × 9,622,000 = 11,546,400 | 1.2 × 1,924,400 = 2,309,280 |
Cost/Benefit = 11,546,400 - 2,309,280 - 1,250,000 = 7,987,120

| DN – Risk Factors | Before Mitigation | After Mitigation |
| --- | --- | --- |
| EF | 52% | 18% |
| SLE | 0.52 × 10,850,000 = 5,642,000 | 0.18 × 10,850,000 = 1,953,000 |
| ARO | 0.75 | 0.75 |
| ALE | 0.75 × 5,642,000 = 4,231,500 | 0.75 × 1,953,000 = 1,464,750 |
Cost/Benefit = 4,231,500 - 1,464,750 - 556,750 = 2,210,000

| SA – Risk Factors | Before Mitigation | After Mitigation |
| --- | --- | --- |
| EF | 40% | 15% |
| SLE | 0.40 × 11,005,000 = 4,402,000 | 0.15 × 11,005,000 = 1,650,750 |
| ARO | 0.90 | 0.90 |
| ALE | 0.90 × 4,402,000 = 3,961,800 | 0.90 × 1,650,750 = 1,485,675 |
Cost/Benefit = 3,961,800 - 1,485,675 - 700,000 = 1,776,125
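Two of the MA mitigations in the table above ("force users to use a strong password" and "when multiple login failures occur, block the user until they verify themselves") and the strict password policy called for in section 3 can be shown as working code. The following is an added example written for this page, not code from the report or from Mycart; the failure threshold of five attempts, the password-policy rules and the out-of-band verification step are assumptions. It also answers the enumeration threat listed for MA by giving unknown users the same response as a wrong password.

```python
"""Added example (not part of the Mycart report): a minimal login guard that
enforces a password policy and locks an account after repeated failures until
the user verifies themselves.  Thresholds are assumptions, not report figures."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5  # assumption: lock after five consecutive failed logins


def password_policy_violations(pw: str) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted).
    The rules themselves are an assumed policy, not one stated in the report."""
    rules = [
        (len(pw) >= 12, "at least 12 characters"),
        (re.search(r"[A-Z]", pw) is not None, "an upper-case letter"),
        (re.search(r"[a-z]", pw) is not None, "a lower-case letter"),
        (re.search(r"[0-9]", pw) is not None, "a digit"),
        (re.search(r"[^A-Za-z0-9]", pw) is not None, "a symbol"),
    ]
    return [msg for ok, msg in rules if not ok]


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 from the standard library; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class LoginGuard:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, pw: str) -> None:
        """Refuse passwords that break the policy; store only a salted hash."""
        violations = password_policy_violations(pw)
        if violations:
            raise ValueError("weak password, needs: " + ", ".join(violations))
        salt, digest = hash_password(pw)
        self.accounts[user] = Account(salt, digest)

    def login(self, user: str, pw: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"  # identical to a wrong password: no user enumeration
        if acct.locked:
            return "locked"
        _, digest = hash_password(pw, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0  # a successful login resets the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"

    def verify_identity(self, user: str) -> None:
        """Called once the user has verified themselves out of band (e.g. the push
        notification mentioned in section 1.2); the channel itself is out of scope."""
        acct = self.accounts[user]
        acct.locked, acct.failures = False, 0


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("demo-user", "Correct-Horse-Battery-9!")  # constructed credentials
    for attempt in ["wrong"] * 5 + ["Correct-Horse-Battery-9!"]:
        print(attempt, "->", guard.login("demo-user", attempt))
    guard.verify_identity("demo-user")
    print("after verification ->", guard.login("demo-user", "Correct-Horse-Battery-9!"))
```

Note that a locked account answers "locked" even to the correct password, so the verification step is the only way back in; the lockout is per account rather than per source address, which is the behaviour the table's wording ("block the user") asks for.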
2.2.3.2 Heat Map
3. Summary and Recommendations
We strongly recommend that your organization migrate to a new firewall. You can choose a trusted firewall such as SonicWALL or Fortinet, at a cost of between Rs. 10,000 and Rs. 20,000. This upgrade also helps prevent remote buffer overflow attacks.
It is also recommended to use a robust DC power supply to ensure a stable power supply to the server. The Aggreko YAAF003 is a good fit for this need, as it can deliver 150 kW of power; it is a hybrid energy system that runs on both fuel and sunlight.
Your organization uses an insecure database system, and we highly recommend updating your software. Use Microsoft SQL Server 2020 or a later version. Alternatively, to make it easier and cheaper, you can update your current version with security patches. According to the company's mobile application management, the current base operating system is Android 10, but this version is vulnerable to attacks, so we recommend updating to a newer version of the operating system.
Your organization needs a strict password policy; otherwise, hackers can exploit weak passwords to gain access to private corporate systems. Therefore, we recommend that you create a strong password policy for your company. Effective access controls can be installed to further enhance system security, which reduces the impact of information leakage during unauthorized access.
4. Appendixes
4.1 Qualitative Risk Analysis Terms and How They are Calculated.
1. Does the system under attack have any redundancies/backups/copies?
Yes: -10%
No: no deduction
2. Is the system under attack behind a firewall?
Yes: -10%
No: no deduction
3. Is the attack from outside?
Yes: -20%
No: no deduction
4. What is the potential rate of attack? (10% damage/hour vs. 10% damage/min)
If the rate of damage is less than 1% per hour: -40%
If the rate of damage is between 1% and 10% per hour: -20%
If the rate of damage is greater than 10% per hour: no deduction
5. What is the likelihood that the attack will go undetected in time for a full recovery?
If the probability of being undetected is less than 5%: -30%
If the probability of being undetected is between 5% and 20%: -10%
If the probability of being undetected is greater than 20%: no deduction
6. How soon can a countermeasure be implemented in time if at all?
If the countermeasure can be implemented within 30 minutes: -30%
If the countermeasure can be implemented within 1 hour: -20%
If the countermeasure can be implemented within 2 hours: -10%
If the countermeasure will take longer than 2 hours or is not possible: no deduction
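The deduction scheme above as working code, an added example written for this page rather than part of the report. The report lists the deductions but does not say what they are taken from, so the script assumes a 100% base and floors the result at 0% (the six deductions can add up to 140%); the scenario values are constructed, and counting exactly 1%, 10%, 5% and 20% in the middle band of questions 4 and 5 is the example's choice, since the report leaves the boundaries open.

```python
"""Added example (not part of the Mycart report): the qualitative deductions of
appendix 4.1 applied to an attack scenario.  The 100% base and the floor at 0%
are assumptions; the report states only the deductions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AttackScenario:
    has_redundancy: bool                  # Q1: redundancies / backups / copies exist
    behind_firewall: bool                 # Q2: system sits behind a firewall
    from_outside: bool                    # Q3: attack originates outside the organisation
    damage_rate_pct_per_hour: float       # Q4: potential rate of damage, % per hour
    undetected_probability: float         # Q5: probability of going undetected, 0..1
    countermeasure_minutes: Optional[float]  # Q6: minutes to deploy; None = not possible


def damage_rate_deduction(rate_pct_per_hour: float) -> int:
    """Q4: below 1%/h -> 40; 1% to 10%/h -> 20; above 10%/h -> no deduction."""
    if rate_pct_per_hour < 1:
        return 40
    if rate_pct_per_hour <= 10:
        return 20
    return 0


def undetected_deduction(p: float) -> int:
    """Q5: below 5% -> 30; 5% to 20% -> 10; above 20% -> no deduction."""
    if p < 0.05:
        return 30
    if p <= 0.20:
        return 10
    return 0


def countermeasure_deduction(minutes: Optional[float]) -> int:
    """Q6: within 30 min -> 30; within 1 h -> 20; within 2 h -> 10; else none."""
    if minutes is None:
        return 0
    if minutes <= 30:
        return 30
    if minutes <= 60:
        return 20
    if minutes <= 120:
        return 10
    return 0


def total_deduction(s: AttackScenario) -> int:
    """Sum of the six deductions of appendix 4.1, in percentage points."""
    return (
        (10 if s.has_redundancy else 0)
        + (10 if s.behind_firewall else 0)
        + (20 if s.from_outside else 0)
        + damage_rate_deduction(s.damage_rate_pct_per_hour)
        + undetected_deduction(s.undetected_probability)
        + countermeasure_deduction(s.countermeasure_minutes)
    )


def residual_risk_pct(s: AttackScenario, base: int = 100) -> int:
    """Assumed reading of the appendix: deductions come off a 100% base, never below 0."""
    return max(0, base - total_deduction(s))


if __name__ == "__main__":
    # Constructed scenario: a backed-up, firewalled system hit from outside,
    # damage at 5%/h, 10% chance of going undetected, countermeasure in 90 min.
    scenario = AttackScenario(True, True, True, 5.0, 0.10, 90)
    print("deduction:", total_deduction(scenario), "%  residual:", residual_risk_pct(scenario), "%")
```

The floor matters: a well-defended system (all six deductions at their maximum) would otherwise come out at a negative risk, which has no meaning on the report's scale.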
4.2 CRITERIA
- SLE (Single Loss Expectancy) – the monetary loss expected from the asset in a single occurrence of the threat.
- SLE = Asset Value × EF
- ARO (Annualized Rate of Occurrence) – the frequency of threat occurrence within a year. This value is estimated from experience and the SANS survey.
- ALE (Annualized Loss Expectancy) – the monetary loss expected from the asset for the threat in a year. ALE = ARO × SLE
- Cost/Benefit – how much installing the countermeasures for a specific threat costs or benefits the organization.
- Cost/Benefit = ALE before safeguard – ALE after safeguard – annual cost of the safeguard
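The SLE, ALE and cost/benefit definitions above, which are the same formulas as in section 2.2, applied to the four critical assets with the EF, ARO, asset-value and safeguard-cost figures from the threat-analysis table in section 2.2.3. This is an added example written for this page, not code from the report; exact fractions are used so the output can be compared with the table rupee for rupee, and the only thing it adds beyond the report is an ordering of the assets by cost/benefit.

```python
"""Added example (not part of the Mycart report): the quantitative model of
sections 2.2 and 4.2 (SLE, ALE, cost/benefit) run over the four critical assets
with the figures from the report's tables.  Fractions keep the arithmetic exact."""
from fractions import Fraction
from typing import Dict, List

# Figures copied from the report's critical-asset and threat-analysis tables:
# asset value and safeguard cost in Rs., EF as a share of asset value, ARO per year.
ASSETS = {
    "MA":   dict(value=15_750_000, ef_before="0.80", ef_after="0.17", aro="0.88", safeguard=1_950_000),
    "CIDS": dict(value=11_320_000, ef_before="0.85", ef_after="0.17", aro="1.2",  safeguard=1_250_000),
    "DN":   dict(value=10_850_000, ef_before="0.52", ef_after="0.18", aro="0.75", safeguard=556_750),
    "SA":   dict(value=11_005_000, ef_before="0.40", ef_after="0.15", aro="0.90", safeguard=700_000),
}


def sle(asset_value: int, ef: str) -> Fraction:
    """Single Loss Expectancy = asset value x exposure factor (appendix 4.2)."""
    return Fraction(asset_value) * Fraction(ef)


def ale(sle_value: Fraction, aro: str) -> Fraction:
    """Annualized Loss Expectancy = ARO x SLE (appendix 4.2)."""
    return Fraction(aro) * sle_value


def cost_benefit(value: int, ef_before: str, ef_after: str, aro: str, safeguard: int) -> Dict[str, int]:
    """Every intermediate figure plus the safeguard's cost/benefit:
    ALE before mitigation - ALE after mitigation - annual safeguard cost."""
    sle_b, sle_a = sle(value, ef_before), sle(value, ef_after)
    ale_b, ale_a = ale(sle_b, aro), ale(sle_a, aro)
    figures = {
        "sle_before": sle_b, "sle_after": sle_a,
        "ale_before": ale_b, "ale_after": ale_a,
        "cost_benefit": ale_b - ale_a - safeguard,
    }
    # The report quotes whole rupees; int() would silently truncate a fraction,
    # so fail loudly if an input ever produces one.
    assert all(f.denominator == 1 for f in figures.values()), figures
    return {k: int(v) for k, v in figures.items()}


def assess_all(assets=ASSETS) -> Dict[str, Dict[str, int]]:
    """Run the model over every asset and return the figures per asset."""
    return {name: cost_benefit(**fig) for name, fig in assets.items()}


def payback_ordering(results: Dict[str, Dict[str, int]]) -> List[str]:
    """Assets ordered by cost/benefit, highest first (an added view, not in the report)."""
    return sorted(results, key=lambda a: results[a]["cost_benefit"], reverse=True)


if __name__ == "__main__":
    res = assess_all()
    for name in payback_ordering(res):
        f = res[name]
        print(f"{name:5} ALE before {f['ale_before']:>12,}  ALE after {f['ale_after']:>12,}"
              f"  cost/benefit {f['cost_benefit']:>12,}")
```

Run as-is, the script reproduces the four Cost/Benefit lines of the threat-analysis table; changing an EF or ARO string shows how sensitive the ranking is to the surveyed exposure factors, which is where most of the uncertainty in this method sits.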
4.3 Criteria for Heat Map
5. References
- CVE-2021-1636, Microsoft SQL Elevation of Privilege Vulnerability, Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1636
- 2020-01 Security Bulletin: Junos OS: EX4300/EX4600/QFX3500/QFX5100 Series: Stateless IP firewall filter may fail to evaluate certain packets (CVE-2020-1604) (juniper.net)
- NVD - CVE-2013-6021 (nist.gov)
- Android Security Bulletin—December 2021 | Android Open Source Project
- Threats to and Attacks on Routers - SCND - Cisco Certified Expert (ccexpert.us)
- https://www.floship.com/blog/_10-inevitable-ecommerce-risks/
- https://www.abacademies.org/articles/Features-of-e-commerce-risk-management-inmodern-conditions-1939-6104-19-1-515.pdf
- https://www.jbs.cam.ac.uk/wp-content/uploads/2021/11/crs-risk-management-for-theconsumer-sectors.pdf
- https://www.sana-commerce.com/blog/solve-ecommerce-business-risks/