Security/Risk management/Rapid Risk Assessment: Difference between revisions

Automated sync from https://github.com/mozilla/wikimo_opsec
Line 85: Line 85:
Large services should be split into multiple smaller services or sub-services that handle a specific type of data and
Large services should be split into multiple smaller services or sub-services that handle a specific type of data and
expose a limited set of features. This choice has to be made by the security engineer running the RRA. If the
expose a limited set of features. This choice has to be made by the security engineer running the RRA. If the
sub-services belong to different teams, it is a strong indicator that multiple RRAs should be ran.
sub-services belong to different teams, it is a strong indicator that multiple RRAs should be run.


Large services that cannot be split up not only lead to a complex assessment, but also may indicate that the service
Large services that cannot be split up not only lead to a complex assessment, but also may indicate that the service
Line 101: Line 101:
What to '''NOT''' focus on:
What to '''NOT''' focus on:
* Gathering security controls, figuring out how effective they are, etc. Don't do that! This information may be recorded if it comes up but do not focus on it.
* Gathering security controls, figuring out how effective they are, etc. Don't do that! This information may be recorded if it comes up but do not focus on it.
* Likelihood, Security provided by service. Don't spent much time there! These are "10, 000 feet approximations" and part of a larger risk calculation mechanism.
* Likelihood, Security provided by service. Don't spent much time there! These are "10,000 foot approximations" and part of a larger risk calculation mechanism.


== Guided process: Running your RRA in ~30 minutes ==
== Guided process: Running your RRA in ~30 minutes ==
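Review bot: "Don't spent much time there!" in the Likelihood bullet still reads "spent" in both revisions; it should be "Don't spend much time there!". The sync that corrected "10,000 foot approximations" on the same line missed it.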
Line 135: Line 135:
* Create a copy of the [https://drive.google.com/open?id=160V89R-VdIe1AEHcT_sX89UToV2gv8mLshhoia2-6mM template] and move it to the correct directory (or your personal Google drive if you're testing the RRA process).
* Create a copy of the [https://drive.google.com/open?id=160V89R-VdIe1AEHcT_sX89UToV2gv8mLshhoia2-6mM template] and move it to the correct directory (or your personal Google drive if you're testing the RRA process).
* Invite 1 or 2 members (product owners, lead engineers, etc.) related to the service with enough technical knowledge, ensure they will bring a diagram of data
* Invite 1 or 2 members (product owners, lead engineers, etc.) related to the service with enough technical knowledge, ensure they will bring a diagram of data
flows and have an understanding of the data being stored or processed by the service. You do not want more than 4 or 5 persons total as this will slow down the RRA. Most RRAs are run 1 on 1 (2 persons total).
flows and have an understanding of the data being stored or processed by the service. You do not want more than 4 or 5 people total as this will slow down the RRA. Most RRAs are run 1 on 1 (2 people total).
Make sure everyone invited has '''edit''' rights to the document, and has the document opened in front of them when the
Make sure everyone invited has '''edit''' rights to the document, and has the document opened in front of them when the
RRA starts.
RRA starts.
* If this is anyone's first RRA, ensure they understand what risk impacts are, and the standard risk levels we are using, as well giving them a short overview of what is going to happen:
* If this is anyone's first RRA, ensure they understand what risk impacts are, and the standard risk levels we are using, as well as giving them a short overview of what is going to happen:
** Filling in header/meta-data information about the service.
** Filling in header/meta-data information about the service.
** Getting an idea of how the service is architected.
** Getting an idea of how the service is architected.
** Recording all data the service may process/store and how sensitive it is.
** Recording all data the service may process/store and how sensitive it is.
** Run through the risk table and figure out what happens if the data leak, is modified, is unavailable, etc - while
** Running through the risk table and figuring out what happens if the data is leaked, modified, unavailable, etc - while assigning the standard risk levels.
assigning the standard risk levels.
** Writing down any recommendations for the service.
** Write down any recommendation for the service.


{| class="wikitable"
{| class="wikitable"
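Review bot: the "Invite 1 or 2 members" bullet is a comma splice in both revisions ("...with enough technical knowledge, ensure they will bring..."); suggest "...with enough technical knowledge, and ensure they bring a diagram of data flows...". Also, the sentence "Make sure everyone invited has '''edit''' rights to the document..." sits between two "*" items with no list marker, which ends the list in rendered wikitext; make it a "**" sub-bullet of the invite item or its own "*" item.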
Line 165: Line 164:
** In some cases the scope is critical to the understanding of the RRA.
** In some cases the scope is critical to the understanding of the RRA.
* If you know of linked services (for example if it uses SAML authentication, the linked service could be "SAML SSO")
* If you know of linked services (for example if it uses SAML authentication, the linked service could be "SAML SSO")
* Ask the team who owns the service (takes decisions if the service must go down for example), who develops the code and who's operating it.
* Ask the team who owns the service (for example the team that makes decisions if the service must go down), who develops the code and who's operating it.
** Generally its a team name and one or more names. Sometimes, it's a third party (SaaS).
** Generally its a team name and one or more names. Sometimes, it's a third party (SaaS).
** You never want to leave the service owner blank, and you always want a Mozilla contact as service owner.
** You never want to leave the service owner blank, and you always want a Mozilla contact as service owner.
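Review bot: "Generally its a team name" in the sub-bullet is unchanged in both revisions and needs the apostrophe: "Generally it's a team name". The "If you know of linked services (...)" bullet above it has no main clause; suggest completing it, e.g. "If you know of linked services (...), record them as well."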
Line 173: Line 172:
=== General notes (5-10 minutes) ===
=== General notes (5-10 minutes) ===


At this point you want to have a good understanding of the service:
In this phase you want to gain a good understanding of the service:


* Where is it running? Which platforms?
* Where is it running? On which platforms?
* What is it running, what kind of software or technologies?
* What is it running, what kind of software or technologies?
* How is it structured, architected? Do you have your data flow diagram?
* How is it structured, architected? Do you have your data flow diagram?
* Do you have some documentation links?
* Do you have some documentation links?
* Any URL to access the service?
* Any URLs to access the service?
* How is administration performed?
* How is administration performed?
* How is authorization (login) performed?
* How is authorization (login) performed?
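Review bot: "How is authorization (login) performed?" conflates two controls in both revisions: login is authentication (establishing who the user is), while authorization is what that user is then allowed to do. Suggest splitting it into "How is authentication (login) performed?" and "How is authorization performed?", which also lines up with the later "Ensure logging and access control have been mentioned" item.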
Line 202: Line 201:
** Specific configuration data (on disk or in RAM).
** Specific configuration data (on disk or in RAM).
** Credentials used by the applications (keys, logins, etc.).
** Credentials used by the applications (keys, logins, etc.).
** Potentially program code/script (such as if the code is stored on a Git repository, downloaded and ran by the service).
** Software source code/scripts (such as if the code is stored on a Git repository, downloaded and ran by the service).
** Ask again and specify you want to make sure they've listed all sensitive data they can think of.
** Ask again and specify you want to make sure they've listed all sensitive data they can think of.
* Set the data classification for each data type in the dictionary, such as "PUBLIC", "STAFF", etc. Mozilla uses standard classification levels.
* Set the data classification for each data type in the dictionary, such as "PUBLIC", "STAFF", etc. Mozilla uses standard classification levels.
* If some compensating controls are mentioned or there are more details about the data you can fill them in as well.
* If some compensating controls are mentioned or there are more details about the data you can fill them in as well.
** For example "User attributes, classified INTERNAL, protected by LDAP authentication, used to find out the user
** For example "User attributes, classified INTERNAL, protected by LDAP authentication, used to find out the user's t-shirt size".
t-shirt size".
* Based on this dictionary/catalog of data, figure out which is the main data classification the service is handling. If unsure, ask the team.
* Based on this dictionary/catalog of data, figure out which is the main data classification the service is handling. If unsure, ask the team.
** For example "mock is mainly used to serve package files that are PUBLIC." (public main data classification).
** For example "mock is mainly used to serve package files that are PUBLIC." (public main data classification).
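Review bot: "downloaded and ran by the service" in the source code sub-bullet still reads "ran" in the new revision; it should be "run", the same correction this sync applied to "multiple RRAs should be run" earlier in the diff.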
Line 214: Line 212:
=== RRA Risk table (5-10 minutes) ===
=== RRA Risk table (5-10 minutes) ===


This is where the risk impact assessment is done, and where the probability for these impact is roughly estimated.
This is where the risk impact assessment is done, and where the probability for these impacts is roughly estimated.
The risk impact is using ''probable impact'', that is, worst-case scenario impacts that seem possible.
The risk impact is using ''probable impact'', that is, worst-case scenario impacts that seem possible.
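Review bot: "The risk impact is using ''probable impact''" is unchanged and reads awkwardly; suggest "The risk impact uses the ''probable impact'', that is, the worst-case scenario impacts that seem possible."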


Line 230: Line 228:
|-
|-
| <span style="background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">HIGH</span>
| <span style="background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">HIGH</span>
| Articles in technical websites such as HN, Ars-Technica, etc. are seen.
| Articles in technical websites such as Hacker News, Ars-Technica, etc. are seen.
|-
|-
| <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MAXIMUM</span>
| <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MAXIMUM</span>
| Scandal. We appear on TV, BBC, etc.
| Scandal. National and international news outlets report on the event.
|-
|-
|}
|}
Line 281: Line 279:
value being recorded and must be as accurate as possible.
value being recorded and must be as accurate as possible.


* Tell the team you're now going to look at the impact on confidentiality, availability and integrity of the service.
* Tell the team you're now going to look at the impact on the confidentiality, availability and integrity of the service.
** Confidentiality is what happens if the data is leaked (all files zipped up and served on a public site).
** Confidentiality is impacted if the data is leaked (all files zipped up and served on a public site).
** Availability is what happens if the service is no longer available (DDOS or malfunction, service unreachable).
** Availability is impacted if the service is no longer available (DDOS or malfunction, service unreachable).
** Integrity is what happens if the service data is tampered with (records no longer show trustworthy data, site is
** Integrity is impacted if the service's data is tampered with (records no longer show trustworthy data, site is defaced, etc.)
defaced, etc.)
* For each, look at how it affects Mozilla's reputation, productivity and finances.
* For each, we'll look at how it affects Mozilla's reputation, productivity and finances.
** Reputation is our public image, both internal and external to Mozilla.
** Reputation is our public image, both internal and external to Mozilla.
** Productivity is our ability to work. If a team can't do their regular work, their productivity is affected.
** Productivity is our ability to work. If a team can't do their regular work, their productivity is affected.
** Finances represent the cost of an impact. For example, abusing an AWS account and running bitcoin-mining instances
** Finances represent the cost of an impact. For example, abusing an AWS account and running bitcoin-mining instances would cost us money.
would cost us money.
* For each row, there is a summary/reference built-in the template that lets you know how the level is set.
* For each row, there is a summary/reference built-in the template that let you know how the level is set.


As you go through each row, ensure that the team understands which level you're selecting as impact and why.
As you go through each row, ensure that the team understands which impact level you're selecting and why.


For example:
For example:


Confidentiality=>Reputation HIGH impact would mean that Mozilla would get in tech. news (HN, Ars Technica, etc.)
* Confidentiality => Reputation HIGH impact would mean that Mozilla would get in tech news (HN, Ars Technica, etc.) if the data was leaked.
if the data was leaked.
* Confidentiality => Productivity MEDIUM impact would mean that some small Mozilla teams (SG) would be affected for more than 24h, or a large team (LG) for a few hours.
Confidentiality=>Productivity MEDIUM impact would mean that some small Mozilla teams (SG) would be affected for more than
If the impact on productivity is higher than LOW, it is possible that we incur financial impacts derived from work-force costs.
24h, or a large team (LG) for a few hours.
If the impact on productivity is higher than LOW, it is possible that we occur financial impacts derived from work-force costs.


For each level, add a rationale on why the level was selected. Remember that anyone reading this
For each level, add a rationale on why the level was selected. Remember that anyone reading this
document will rely on your rationale and need to be able to understand why the level is selected. List affected teams
document will rely on your rationale and they will need to be able to understand why the level is selected. List affected teams
and their sizes, for how long for example.
, their sizes and the duration of the impact for example.




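Review bot: the new revision introduces a subject-verb error in "there is a summary/reference built-in the template that let you know how the level is set": "summary/reference" is singular, so keep "lets", and "built-in the template" should be "built into the template". In the closing paragraph the new text starts a line with a comma (", their sizes and the duration of the impact"); move the comma to the end of the preceding line ("List affected teams,") so the wikitext does not begin a line with punctuation. "SG" and "LG" in the Confidentiality => Productivity MEDIUM example are not expanded anywhere in the hunk; spell them out on first use or link to where they are defined.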
Line 317: Line 311:


* Is the service code peer-reviewed?
* Is the service code peer-reviewed?
* Did the service get any kind of security review, modeling, pen-testing in the past?
* Did the service receive a security review, threat modeling or pen-testing in the past?
* Did the service suffer any security vulnerability in the past?
* Has the service suffered any security vulnerabilities in the past?
** Did any of the vulnerabilities get exploited or the service compromised?
** Did any of the vulnerabilities get exploited or was the service compromised?
* How confident are you that this impact may occur during the next year?
* How confident are you that this impact may occur during the next year?
* Are we aware of ongoing attacks on the service? (brute force attempts, DDoS, ...)
* Are we aware of current ongoing attacks on the service? (brute force attempts, DDoS, ...)


The estimated likelihood is then recorded as an estimated occurrence rate per calendar year.
The estimated likelihood is then recorded as an estimated occurrence rate per calendar year.
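Review bot: "current ongoing attacks" in the new revision is redundant; the old wording "ongoing attacks on the service" already says it.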
Line 327: Line 321:
==== Additional tips ====
==== Additional tips ====


* Whenever the productivity impact is HIGH or MAXIMUM, there probably also is a financial impact due to the cost of the workforce being impacted.
* Whenever the productivity impact is HIGH or MAXIMUM, there is probably also a financial impact due to the cost of the workforce being impacted.
* Financial risk is sometimes hard to define, in particular when tied to contracts.
* Financial risk is sometimes hard to define, in particular when tied to contracts.
** If no financial impact is clearly derived, it is OK to set the impact to LOW and rationale to "N/A".
** If no financial impact is clearly derived, it is OK to set the impact to LOW and rationale to "N/A".
** If there is still doubt, you may select "unknown" or "undefined" instead.
** If there is still doubt, you may select "unknown" or "undefined" instead.
* If you have any HIGH or MAXIMUM impact, you will want to propose the team to run a threat model and pen-test, every time.
* If you have any HIGH or MAXIMUM impacts, propose that a threat model and pen-test be run.
* Educate the project owners and/or lead developers of the project about the meaning of these risks and how the RRA can help them make decisions such as which operational environment to select, what technologies to use, or how much effort to put in securing the project.
* Educate the project owners and lead developers of the project about the meaning of these risks and how the RRA can help them make decisions such as which operational environment to select, what technologies to use, and how much effort to put into securing the project.


=== Recommendations (5 minutes) ===
=== Recommendations (5 minutes) ===


While the RRA is not meant for true security-review type work, recommendations do come up and this is a great time to
While the RRA is not meant as a true security-review, recommendations do come up and this is a great time to
have a quick 5 minutes chat about these.
have a quick 5 minute chat about these.


* Ensure all recommendations that came up (from you or the team) are mentioned there. It's OK to fill this table as you go, too!
* Ensure all recommendations that came up (from you or the team) are mentioned here. It's also ok to fill this table as you go!
* List the control need (should this be prioritized?)
* List the control needed (should this be prioritized?)
* Ensure logging and access control have been mentioned. Can these be improved? Should we alert on events?
* Ensure logging and access control have been mentioned. Can these be improved? Should we alert on events?
* Does this service have an incident response scenario figured out?
* Does this service have an incident response plan defined?


=== Wrapping up ===
=== Wrapping up ===
Line 349: Line 343:
** A service that does not seem safe provides LOW security.
** A service that does not seem safe provides LOW security.
** A service that seem to follow best-practices provides MEDIUM security.
** A service that seem to follow best-practices provides MEDIUM security.
** A service that put emphasis on security and uses stronger controls provides a HIGH security.
** A service that puts an emphasis on security and uses stronger controls provides HIGH security.
** A service that has been well reviewed via threat models, pen-tested, etc. and uses strong controls, privilege and
** A service that has been well reviewed via threat modeling and penetration testing, uses strong security controls, and has good privilege and data separation provides MAXIMUM security.
data separation provides a MAXIMUM security.
* Which recommendations are the team thinking of implementing ''(If no recommendations are implemented, you have very little impact)''
* Which recommendations do the team think of implementing ''(If no recommendations are implemented, you have very little impact)''
* Summarize the risk assessment table, the biggest impacts, and ask the team if the summary is what they expected.
* Summarize the risk assessment table, the biggest impacts, and ask the team if that sounds like what they expected.
* Ask the team if there are any security concerns that they have, which have not been mentioned.
* Ask the team if there is any security concern that they have, which has not been mentioned.
* Ensure you left no "red" fields blank (these are must-fill-in fields).
* Ensure you left no "red" field blank (these are must-fill-in fields).
* Tell the team that you'll follow up with a risk-record, thank them for their time and you're done!
* Tell the team that you'll follow up with a risk-record, thanks them for their time, you're done!


=== Creating a risk record (post-work, 30 minutes) ===
=== Creating a risk record (post-work, 30 minutes) ===
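Review bot: "A service that seem to follow best-practices provides MEDIUM security" is unchanged in both revisions and needs "seems". In the closing bullet, "thanks them for their time, you're done!" should read "thank them for their time, and you're done!" to match the imperative "Tell the team". "Which recommendations do the team think of implementing" would read more naturally as "Which recommendations is the team planning to implement?".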