Anti-spam team, Confirmed users
99
edits
Security/Risk management/Rapid Risk Assessment: Difference between revisions
Jump to navigation
Jump to search
Security/Risk management/Rapid Risk Assessment (view source)
Revision as of 16:16, 18 July 2016
, 18 July 2016Automated sync from https://github.com/mozilla/wikimo_opsec
Gdestuynder (talk | contribs) (Automated sync from https://github.com/mozilla/wikimo_opsec) |
(Automated sync from https://github.com/mozilla/wikimo_opsec) |
||
| Line 85: | Line 85: | ||
Large services should be split into multiple smaller services or sub-services that handle a specific type of data and | Large services should be split into multiple smaller services or sub-services that handle a specific type of data and | ||
expose a limited set of features. This choice has to be made by the security engineer running the RRA. If the | expose a limited set of features. This choice has to be made by the security engineer running the RRA. If the | ||
sub-services belong to different teams, it is a strong indicator that multiple RRAs should be | sub-services belong to different teams, it is a strong indicator that multiple RRAs should be ran. | ||
Large services that cannot be split up not only lead to a complex assessment, but also may indicate that the service | Large services that cannot be split up not only lead to a complex assessment, but also may indicate that the service | ||
| Line 101: | Line 101: | ||
What to '''NOT''' focus on: | What to '''NOT''' focus on: | ||
* Gathering security controls, figuring out how effective they are, etc. Don't do that! This information may be recorded if it comes up but do not focus on it. | * Gathering security controls, figuring out how effective they are, etc. Don't do that! This information may be recorded if it comes up but do not focus on it. | ||
* Likelihood, Security provided by service. Don't spent much time there! These are "10,000 | * Likelihood, Security provided by service. Don't spent much time there! These are "10, 000 feet approximations" and part of a larger risk calculation mechanism. | ||
== Guided process: Running your RRA in ~30 minutes == | == Guided process: Running your RRA in ~30 minutes == | ||
| Line 135: | Line 135: | ||
* Create a copy of the [https://drive.google.com/open?id=160V89R-VdIe1AEHcT_sX89UToV2gv8mLshhoia2-6mM template] and move it to the correct directory (or your personal Google drive if you're testing the RRA process). | * Create a copy of the [https://drive.google.com/open?id=160V89R-VdIe1AEHcT_sX89UToV2gv8mLshhoia2-6mM template] and move it to the correct directory (or your personal Google drive if you're testing the RRA process). | ||
* Invite 1 or 2 members (product owners, lead engineers, etc.) related to the service with enough technical knowledge, ensure they will bring a diagram of data | * Invite 1 or 2 members (product owners, lead engineers, etc.) related to the service with enough technical knowledge, ensure they will bring a diagram of data | ||
flows and have an understanding of the data being stored or processed by the service. You do not want more than 4 or 5 | flows and have an understanding of the data being stored or processed by the service. You do not want more than 4 or 5 persons total as this will slow down the RRA. Most RRAs are run 1 on 1 (2 persons total). | ||
Make sure everyone invited has '''edit''' rights to the document, and has the document opened in front of them when the | Make sure everyone invited has '''edit''' rights to the document, and has the document opened in front of them when the | ||
RRA starts. | RRA starts. | ||
* If this is anyone's first RRA, ensure they understand what risk impacts are, and the standard risk levels we are using, as well | * If this is anyone's first RRA, ensure they understand what risk impacts are, and the standard risk levels we are using, as well giving them a short overview of what is going to happen: | ||
** Filling in header/meta-data information about the service. | ** Filling in header/meta-data information about the service. | ||
** Getting an idea of how the service is architected. | ** Getting an idea of how the service is architected. | ||
** Recording all data the service may process/store and how sensitive it is. | ** Recording all data the service may process/store and how sensitive it is. | ||
** | ** Run through the risk table and figure out what happens if the data leak, is modified, is unavailable, etc - while | ||
** | assigning the standard risk levels. | ||
** Write down any recommendation for the service. | |||
{| class="wikitable" | {| class="wikitable" | ||
| Line 164: | Line 165: | ||
** In some cases the scope is critical to the understanding of the RRA. | ** In some cases the scope is critical to the understanding of the RRA. | ||
* If you know of linked services (for example if it uses SAML authentication, the linked service could be "SAML SSO") | * If you know of linked services (for example if it uses SAML authentication, the linked service could be "SAML SSO") | ||
* Ask the team who owns the service ( | * Ask the team who owns the service (takes decisions if the service must go down for example), who develops the code and who's operating it. | ||
** Generally its a team name and one or more names. Sometimes, it's a third party (SaaS). | ** Generally its a team name and one or more names. Sometimes, it's a third party (SaaS). | ||
** You never want to leave the service owner blank, and you always want a Mozilla contact as service owner. | ** You never want to leave the service owner blank, and you always want a Mozilla contact as service owner. | ||
| Line 172: | Line 173: | ||
=== General notes (5-10 minutes) === | === General notes (5-10 minutes) === | ||
At this point you want to have a good understanding of the service: | |||
* Where is it running? | * Where is it running? Which platforms? | ||
* What is it running, what kind of software or technologies? | * What is it running, what kind of software or technologies? | ||
* How is it structured, architected? Do you have your data flow diagram? | * How is it structured, architected? Do you have your data flow diagram? | ||
* Do you have some documentation links? | * Do you have some documentation links? | ||
* Any | * Any URL to access the service? | ||
* How is administration performed? | * How is administration performed? | ||
* How is authorization (login) performed? | * How is authorization (login) performed? | ||
| Line 201: | Line 202: | ||
** Specific configuration data (on disk or in RAM). | ** Specific configuration data (on disk or in RAM). | ||
** Credentials used by the applications (keys, logins, etc.). | ** Credentials used by the applications (keys, logins, etc.). | ||
** | ** Potentially program code/script (such as if the code is stored on a Git repository, downloaded and ran by the service). | ||
** Ask again and specify you want to make sure they've listed all sensitive data they can think of. | ** Ask again and specify you want to make sure they've listed all sensitive data they can think of. | ||
* Set the data classification for each data type in the dictionary, such as "PUBLIC", "STAFF", etc. Mozilla uses standard classification levels. | * Set the data classification for each data type in the dictionary, such as "PUBLIC", "STAFF", etc. Mozilla uses standard classification levels. | ||
* If some compensating controls are mentioned or there are more details about the data you can fill them in as well. | * If some compensating controls are mentioned or there are more details about the data you can fill them in as well. | ||
** For example "User attributes, classified INTERNAL, protected by LDAP authentication, used to find out the user | ** For example "User attributes, classified INTERNAL, protected by LDAP authentication, used to find out the user | ||
t-shirt size". | |||
* Based on this dictionary/catalog of data, figure out which is the main data classification the service is handling. If unsure, ask the team. | * Based on this dictionary/catalog of data, figure out which is the main data classification the service is handling. If unsure, ask the team. | ||
** For example "mock is mainly used to serve package files that are PUBLIC." (public main data classification). | ** For example "mock is mainly used to serve package files that are PUBLIC." (public main data classification). | ||
| Line 212: | Line 214: | ||
=== RRA Risk table (5-10 minutes) === | === RRA Risk table (5-10 minutes) === | ||
This is where the risk impact assessment is done, and where the probability for these | This is where the risk impact assessment is done, and where the probability for these impact is roughly estimated. | ||
The risk impact is using ''probable impact'', that is, worst-case scenario impacts that seem possible. | The risk impact is using ''probable impact'', that is, worst-case scenario impacts that seem possible. | ||
| Line 228: | Line 230: | ||
|- | |- | ||
| <span style="background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">HIGH</span> | | <span style="background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">HIGH</span> | ||
| Articles in technical websites such as | | Articles in technical websites such as HN, Ars-Technica, etc. are seen. | ||
|- | |- | ||
| <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MAXIMUM</span> | | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MAXIMUM</span> | ||
| Scandal. | | Scandal. We appear on TV, BBC, etc. | ||
|- | |- | ||
|} | |} | ||
| Line 279: | Line 281: | ||
value being recorded and must be as accurate as possible. | value being recorded and must be as accurate as possible. | ||
* Tell the team you're now going to look at the impact on | * Tell the team you're now going to look at the impact on confidentiality, availability and integrity of the service. | ||
** Confidentiality is | ** Confidentiality is what happens if the data is leaked (all files zipped up and served on a public site). | ||
** Availability is | ** Availability is what happens if the service is no longer available (DDOS or malfunction, service unreachable). | ||
** Integrity is | ** Integrity is what happens if the service data is tampered with (records no longer show trustworthy data, site is | ||
* For each, look at how it affects Mozilla's reputation, productivity and finances. | defaced, etc.) | ||
* For each, we'll look at how it affects Mozilla's reputation, productivity and finances. | |||
** Reputation is our public image, both internal and external to Mozilla. | ** Reputation is our public image, both internal and external to Mozilla. | ||
** Productivity is our ability to work. If a team can't do their regular work, their productivity is affected. | ** Productivity is our ability to work. If a team can't do their regular work, their productivity is affected. | ||
** Finances represent the cost of an impact. For example, abusing an AWS account and running bitcoin-mining instances would cost us money. | ** Finances represent the cost of an impact. For example, abusing an AWS account and running bitcoin-mining instances | ||
* For each row, there is a summary/reference built-in the template that | would cost us money. | ||
* For each row, there is a summary/reference built-in the template that let you know how the level is set. | |||
As you go through each row, ensure that the team understands which | As you go through each row, ensure that the team understands which level you're selecting as impact and why. | ||
For example: | For example: | ||
Confidentiality=>Reputation HIGH impact would mean that Mozilla would get in tech. news (HN, Ars Technica, etc.) | |||
if the data was leaked. | |||
If the impact on productivity is higher than LOW, it is possible that we | Confidentiality=>Productivity MEDIUM impact would mean that some small Mozilla teams (SG) would be affected for more than | ||
24h, or a large team (LG) for a few hours. | |||
If the impact on productivity is higher than LOW, it is possible that we occur financial impacts derived from work-force costs. | |||
For each level, add a rationale on why the level was selected. Remember that anyone reading this | For each level, add a rationale on why the level was selected. Remember that anyone reading this | ||
document will rely on your rationale and | document will rely on your rationale and need to be able to understand why the level is selected. List affected teams | ||
and their sizes, for how long for example. | |||
| Line 311: | Line 317: | ||
* Is the service code peer-reviewed? | * Is the service code peer-reviewed? | ||
* Did the service | * Did the service get any kind of security review, modeling, pen-testing in the past? | ||
* | * Did the service suffer any security vulnerability in the past? | ||
** Did any of the vulnerabilities get exploited or | ** Did any of the vulnerabilities get exploited or the service compromised? | ||
* How confident are you that this impact may occur during the next year? | * How confident are you that this impact may occur during the next year? | ||
* Are we aware of | * Are we aware of ongoing attacks on the service? (brute force attempts, DDoS, ...) | ||
The estimated likelihood is then recorded as an estimated occurrence rate per calendar year. | The estimated likelihood is then recorded as an estimated occurrence rate per calendar year. | ||
| Line 321: | Line 327: | ||
==== Additional tips ==== | ==== Additional tips ==== | ||
* Whenever the productivity impact is HIGH or MAXIMUM, there | * Whenever the productivity impact is HIGH or MAXIMUM, there probably also is a financial impact due to the cost of the workforce being impacted. | ||
* Financial risk is sometimes hard to define, in particular when tied to contracts. | * Financial risk is sometimes hard to define, in particular when tied to contracts. | ||
** If no financial impact is clearly derived, it is OK to set the impact to LOW and rationale to "N/A". | ** If no financial impact is clearly derived, it is OK to set the impact to LOW and rationale to "N/A". | ||
** If there is still doubt, you may select "unknown" or "undefined" instead. | ** If there is still doubt, you may select "unknown" or "undefined" instead. | ||
* If you have any HIGH or MAXIMUM | * If you have any HIGH or MAXIMUM impact, you will want to propose the team to run a threat model and pen-test, every time. | ||
* Educate the project owners and lead developers of the project about the meaning of these risks and how the RRA can help them make decisions such as which operational environment to select, what technologies to use, | * Educate the project owners and/or lead developers of the project about the meaning of these risks and how the RRA can help them make decisions such as which operational environment to select, what technologies to use, or how much effort to put in securing the project. | ||
=== Recommendations (5 minutes) === | === Recommendations (5 minutes) === | ||
While the RRA is not meant | While the RRA is not meant for true security-review type work, recommendations do come up and this is a great time to | ||
have a quick 5 | have a quick 5 minutes chat about these. | ||
* Ensure all recommendations that came up (from you or the team) are mentioned | * Ensure all recommendations that came up (from you or the team) are mentioned there. It's OK to fill this table as you go, too! | ||
* List the control | * List the control need (should this be prioritized?) | ||
* Ensure logging and access control have been mentioned. Can these be improved? Should we alert on events? | * Ensure logging and access control have been mentioned. Can these be improved? Should we alert on events? | ||
* Does this service have an incident response | * Does this service have an incident response scenario figured out? | ||
=== Wrapping up === | === Wrapping up === | ||
| Line 343: | Line 349: | ||
** A service that does not seem safe provides LOW security. | ** A service that does not seem safe provides LOW security. | ||
** A service that seem to follow best-practices provides MEDIUM security. | ** A service that seem to follow best-practices provides MEDIUM security. | ||
** A service that | ** A service that put emphasis on security and uses stronger controls provides a HIGH security. | ||
** A service that has been well reviewed via threat | ** A service that has been well reviewed via threat models, pen-tested, etc. and uses strong controls, privilege and | ||
* Which recommendations | data separation provides a MAXIMUM security. | ||
* Summarize the risk assessment table, the biggest impacts, and ask the team if | * Which recommendations do the team think of implementing ''(If no recommendations are implemented, you have very little impact)'' | ||
* Ask the team if there | * Summarize the risk assessment table, the biggest impacts, and ask the team if that sounds like what they expected. | ||
* Ensure you left no "red" | * Ask the team if there is any security concern that they have, which has not been mentioned. | ||
* Tell the team that you'll follow up with a risk-record, | * Ensure you left no "red" field blank (these are must-fill-in fields). | ||
* Tell the team that you'll follow up with a risk-record, thanks them for their time, you're done! | |||
=== Creating a risk record (post-work, 30 minutes) === | === Creating a risk record (post-work, 30 minutes) === | ||