Commit 6095818b authored by Valerie Aurora

First pass at mitigation sets

parent 30e06264
+64 −81
@@ -674,16 +674,6 @@ For each threat, a formula based on the risk factor levels is used to calculate

For each threat, both likelihood and impact must be Low before the risk is considered sufficiently mitigated. If the calculated levels are not already Low, then mitigations must be applied until they are both Low. The mitigation sets that will accomplish this are listed in each threat description.

The risk factors by type are:

* Likelihood: CFG, AUT, ADM, RDP
* Impact: DAT, FUN

The mitigations that reduce risk by type are:

* Likelihood: ROUT-1, CONF-\*, AUTH-\*, IPV6-\*, CRYPT-\*
* Impact: ROUT-2, ROUT-3, NUTI-\*, DNSL-\*, EISO, TRAF-\*, NPII-\*

### C.4.3 TH-UEVU: Unknown exploitable vulnerabilities

Attacker may use unknown exploitable vulnerabilities in the product implementation to get unauthorized access to product assets.
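Review bot: The two "by type" lists removed in this hunk were the only place the document stated which requirement families reduce likelihood (ROUT-1, CONF-*, AUTH-*, IPV6-*, CRYPT-*) and which reduce impact (ROUT-2, ROUT-3, NUTI-*, DNSL-*, EISO, TRAF-*, NPII-*), and nothing replaces them. If they were dropped because they disagreed with the per-threat clauses (EISO sits under Mitigations for Likelihood in a later hunk of this commit while this list put it under Impact), say so in the commit message, and consider leaving a one-line pointer to clause 5.3 where the per-profile sets now live, since the surviving paragraph only says the sets are "listed in each threat description".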
@@ -691,14 +681,12 @@ Attacker may use unknown exploitable vulnerabilities in the product implementati
| Risk factors           | Likelihood | Security profiles |
|------------------------|------------|-------------------|
| max(DAT, FUN, COM) = 2 | High       | SP-3, SP-4        |
| max(DAT, FUN, COM) = 1 | Medium     | SP-2              |
| max(DAT, FUN, COM) = 0 | Low        | SP-1              |
| all others             | Medium     | SP-2, SP-1        |

| Risk factors           | Impact | Security profiles |
|-------------------|--------|-------------------|
| DAT = 2 & FUN = 2 | High   | SP-3              |
| all others        | Medium | SP-2, SP-4        |
| DAT = 0 & FUN = 0 | Low    | SP-1              |
|------------------------|--------|-------------------|
| max(DAT, FUN, COM) > 0 | High   | SP-2, SP-3, SP-4  |
| all others             | Medium | SP-1              |

Requirements that mitigate this threat: SSDD, NPII, LOGG

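Review bot: In the new TH-UEVU likelihood table the "all others" row is unreachable when DAT, FUN and COM each take a value in 0..2 (the three rows above already cover max = 2, 1 and 0), and SP-1 is mapped to both Low (max = 0) and Medium ("all others"). Drop the catch-all row, or if a profile may leave a factor unset, say so and keep SP-1 at one level only. The new impact table has no Low row, so SP-1 always needs the Medium-to-Low impact mitigations for this threat; that is consistent with the mitigation lists but worth stating.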
@@ -710,9 +698,9 @@ Mitigations for Likelihood:

Mitigations for Impact:

* Medium to Low: NPII-1, LOGG-1
* Medium to Low: NPII-1, LOGG-1, CDST

* High to Low: NPII-\*, LOGG-\*
* High to Low: NPII-\*, LOGG-\*, CDST

### C.4.4 TH-KEVU: Known exploitable vulnerabilities

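Review bot: CDST is added to both impact mitigation lists here, but the unchanged "Requirements that mitigate this threat: SSDD, NPII, LOGG" line above still omits it. Add CDST to that summary line (and check the other threats where this commit adds CDST) so the per-threat summary and the per-level lists agree.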
@@ -721,16 +709,14 @@ Attacker may use known exploitable vulnerabilities in the product implementation
| Risk factors                      | Likelihood | Security profiles |
|-----------------------------------|------------|-------------------|
| max(DAT, FUN, COM) = 2 & ADM = 2  | High       | SP-4              |
| all others                        | Medium     | SP-2              |
| max(DAT, FUN, COM) = 0 or ADM = 0 | Low        | SP-1, SP-3        |
| all others                        | Medium     | SP-1, SP-2, SP-3  |

| Risk factors           | Impact | Security profiles |
|-------------------|--------|-------------------|
| DAT = 2 & FUN = 2 | High   | SP-3              |
| all others        | Medium | SP-2, SP-4        |
| DAT = 0 & FUN = 0 | Low    | SP-1              |
|------------------------|--------|-------------------|
| max(DAT, FUN, COM) > 0 | High   | SP-2, SP-3, SP-4  |
| all others             | Medium | SP-1              |

Requirements that mitigate this threat: SSDD, NPII, LOGG, VULH
Requirements that mitigate this threat: NPII, LOGG, VULH

All mitigations from TH-UEVU apply (using that requirement's risk formula), in addition to:

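Review bot: Two points on the TH-KEVU hunk. First, the new likelihood table lists SP-1 and SP-3 at both Low ("max(DAT, FUN, COM) = 0 or ADM = 0") and Medium ("all others"); a profile should resolve to one level, so keep each in the single row its risk factors satisfy. Second, dropping SSDD from the requirements line because it is inherited via "All mitigations from TH-UEVU apply" is reasonable, but NPII and LOGG are inherited from the same TH-UEVU line and are kept, so either list all three inherited families or only VULH.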
@@ -766,9 +752,9 @@ Mitigations for Likelihood:

Mitigations for Impact:

* Medium to Low: AUTH-3, AUTH-5, NPII-1
* Medium to Low: AUTH-3, AUTH-5, NPII-1, CDST

* High to Low: AUTH-3, AUTH-4, AUTH-5, NPII-1, NPII-2, NPII-4
* High to Low: AUTH-3, AUTH-4, AUTH-5, NPII-1, NPII-2, NPII-4, CDST

### C.4.6 TH-RDOS: Denial of service on remote data processing

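Review bot: CDST is appended to this threat's impact mitigations at both levels, but the hunk does not include the threat's "Requirements that mitigate this threat" line; make sure that line gains CDST too, since it is the summary a reader scans. With CDST now in both the Medium-to-Low and High-to-Low entries it applies at every non-Low impact level here, which is fine if intended.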
@@ -802,13 +788,13 @@ Mitigations for Impact:

### C.4.7 TH-MITM: Machine-in-the-middle

Attacker attempts to read or modify traffic by capturing and relaying activity to and from endpoints.
Attacker may read or modify traffic by capturing and relaying activity to and from endpoints.

| Risk factors                | Likelihood | Security profiles |
|-------------------------------|------------|-------------------|
| ADM = 2 & DAT = 2 & FUN = 2   | High       | SP-1, SP-3        |
|-----------------------------|------------|-------------------|
| ADM > 0 & max(DAT, FUN) = 2 | High       | SP-3, SP-4        |
| all others                  | Medium     | SP-2              |
| ADM = 0 or DAT = 0 or FUN = 0 | Low        | SP-4              |
| DAT = 0 & FUN = 0           | Low        | SP-1              |

| Risk factors      | Impact | Security profiles |
|-------------------|--------|-------------------|
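Review bot: The row order of the new TH-MITM likelihood table puts "all others" (Medium) above the specific "DAT = 0 & FUN = 0" (Low) row; read top to bottom, the Low row is unreachable, and read any other way, "all others" is ambiguous. Place the specific rows first and the catch-all last; the same ordering appears in the TH-LEAK, configuration-errors and TH-RCOM tables in this commit. Separately, the old Low condition was "ADM = 0 or DAT = 0 or FUN = 0" and the new one drops the ADM = 0 case, so a profile with ADM = 0 and max(DAT, FUN) = 2 now lands on Medium instead of Low; that is a substantive change and deserves a line in the commit message.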
@@ -822,7 +808,7 @@ Mitigations for Likelihood:

* Medium to Low: CRYPT-2

* High to Low: CRYPT-1, CRYPT-2
* High to Low: CRYPT-\*

Mitigations for Impact:

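Review bot: Replacing "CRYPT-1, CRYPT-2" with `CRYPT-\*` is equivalent only while those are the only CRYPT requirements; any CRYPT-n added later becomes required for High-to-Low here automatically. If that automatic inclusion is intended, fine; otherwise keep the explicit list, as the Medium-to-Low entry above still names CRYPT-2 explicitly.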
@@ -832,27 +818,26 @@ Mitigations for Impact:

### C.4.8 TH-LEAK: Sensitive data leaks

Attacker reads sensitive data sent outside the VPN connection by the product.
Attacker may read sensitive data sent outside the VPN connection by the product.

| Risk factors                 | Likelihood | Security profiles |
|--------------|------------|-------------------|
| DNC = 2      | High       | SP-\*             |
| DNC = 1      | Medium     | none              |
| DNC = 0      | Low        | none              |
|------------------------------|------------|-------------------|
| DNC = 2 & DAT = 2 & FUN = 2  | High       | SP-3              |
| all others                   | Medium     | SP-2, SP-4        |
| DNC = 0 or max(DAT, FUN) = 0 | Low        | SP-1              |

| Risk factors | Impact | Security profiles |
|-------------------|--------|-------------------|
| DAT = 2 & FUN = 2 | High   | SP-3              |
| all others        | Medium | SP-2, SP-4        |
| DAT = 0 & FUN = 0 | Low    | SP-1              |
|--------------|--------|-------------------|
| DAT > 0      | High   | SP-2, SP-3, SP-4  |
| all others   | Medium | SP-1              |

Requirements that mitigate this threat: ROUT, CONF, DNSL, IPv6, CRYPT

Mitigations for Likelihood:

* Medium to Low: ROUT-1, ROUT-2, CONF-3, DNSL-1, DNSL-2, DNSL-7, DNSL-8, IPv6-\*, CRYPT-\*
* Medium to Low: ROUT-1, ROUT-2, CONF-\*, DNSL-1, DNSL-2, DNSL-7, DNSL-8, IPv6-\*

* High to Low: ROUT-\*, CONF-3, DNSL-\*, IPv6-\*, CRYPT-\*
* High to Low: ROUT-\*, CONF-\*, DNSL-\*, IPv6-\*

Mitigations for Impact:

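Review bot: CRYPT-* is removed from both likelihood mitigation lists for TH-LEAK, but the "Requirements that mitigate this threat: ROUT, CONF, DNSL, IPv6, CRYPT" line in this hunk still names CRYPT; drop it there unless CRYPT still appears under Mitigations for Impact. Changing CONF-3 to CONF-* in the Medium-to-Low entry also makes CONF identical at both levels, so the Medium/High distinction for CONF disappears; confirm that is intended. The new impact table ("DAT > 0 → High, all others → Medium") has no Low row, so a profile with DAT = 0 sits at Medium until the Medium-to-Low impact mitigations are applied.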
@@ -865,10 +850,10 @@ Mitigations for Impact:
Attacker may read sensitive data transmitted without encryption.

| Risk factors                             | Likelihood | Security profiles |
|--------------------|------------|-------------------|
| CFG = 2 or ADM = 2 | High       | SP-\*             |
| CFG = 1            | Medium     | none              |
| CFG = 0            | Low        | none              |
|------------------------------------------|------------|-------------------|
| CFG = 2 or (CFG > 0 & ADM = 2 & COM > 1) | High       | SP-3, SP-4        |
| all others                               | Medium     | SP-1, SP-2        |
| CFG = 0 or (ADM = 0 & COM = 0)           | Low        | none              |

| Risk factors      | Impact | Security profiles |
|-------------------|--------|-------------------|
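Review bot: The new High condition "CFG = 2 or (CFG > 0 & ADM = 2 & COM > 1)" mixes `> 1` with the `= 2` form used in every other table; with factor values in 0..2 the two are the same, so write COM = 2 for consistency. The "all others → Medium" row again precedes the specific Low row, so order the specific rows first. The Low row maps to "none", meaning no profile reaches Low likelihood for this threat without mitigations; if that is intended, fine, but it is a change from the old table where every profile was High, with SP-1 and SP-2 now at Medium.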
@@ -880,25 +865,24 @@ Requirements that mitigate this threat: CRYPT, SCDL, AUTH, ROUT, DNSL

Mitigations for Likelihood:

* Medium to Low: EISO
* Medium to Low: EISO, CRYPT-2, ROUT-1, AUTH-1, AUTH-2

* High to Low: EISO, DNSL-6
* High to Low: EISO, DNSL-6, CRYPT-\*, ROUT-\*, AUTH-\*

Mitigations for Impact:

* Medium to Low: CRYPT-2, ROUT-1, AUTH-1, AUTH-2
* Medium to Low: NPII-1, LOGG-1

* High to Low: CRYPT-\*, SCDL-\*, ROUT-\*, AUTH-\*
* High to Low: NPII-\*, LOGG-\*

### C.4.10 TH-UNAA: Unauthorized authentication

Attacker may attempt to authenticate in an unauthorized manner to get access to product assets.

| Risk factors                      | Likelihood | Security profiles |
|-------------------|------------|-------------------|
| DAT = 2 & FUN = 2 | High       | SP-3              |
| all others        | Medium     | SP-2, SP-4        |
| DAT = 0 & FUN = 0 | Low        | SP-1              |
|-----------------------------------|------------|-------------------|
| max(DAT, FUN, COM) = 2 & ADM = 2  | High       | SP-4              |
| all others                        | Medium     | SP-1, SP-2, SP-3  |

| Risk factors      | Impact | Security profiles |
|-------------------|--------|-------------------|
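Review bot: After this hunk the requirements line shown in the hunk header ("CRYPT, SCDL, AUTH, ROUT, DNSL") no longer matches the lists: SCDL-* appeared only in the old impact High-to-Low entry and is gone, while NPII and LOGG are new to the impact lists and absent from the requirements line (EISO was already missing there). Update the line to the families actually used, or restore SCDL-* if it was dropped by mistake. In the TH-UNAA table that follows, the new likelihood table has no Low row, so every profile needs at least that threat's Medium-to-Low likelihood mitigations.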
@@ -926,9 +910,8 @@ Attacker may remove evidence of compromise from the endpoint.

| Risk factors      | Likelihood | Security profiles |
|-------------------|------------|-------------------|
| DAT = 2 & FUN = 2 | High       | SP-3              |
| all others        | Medium     | SP-2, SP-4        |
| DAT = 0 & FUN = 0 | Low        | SP-1              |
| max(DAT, FUN) = 2 | High       | SP-3, SP-4        |
| all others        | Low        | SP-1, SP-2        |

| Risk factors      | Impact | Security profiles |
|-------------------|--------|-------------------|
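Review bot: The new likelihood table for this threat has only a High row (max(DAT, FUN) = 2) and an "all others → Low" row, so Medium is unreachable, and the "Medium to Low" likelihood entry kept in the next hunk becomes dead text. Either add a Medium row (for example max(DAT, FUN) = 1) or remove the Medium-to-Low entry.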
@@ -940,9 +923,9 @@ Requirements that mitigate this threat: LOGG

Mitigations for Likelihood:

* Medium to Low: LOGG-1
* Medium to Low: LOGG-2

* High to Low: LOGG-1, LOGG-2
* High to Low: LOGG-2

Mitigations for Impact:

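Review bot: Medium-to-Low and High-to-Low likelihood mitigations are now both exactly LOGG-2, so the two entries say the same thing; collapse them to one, or restore LOGG-1 in the High-to-Low set if its removal was unintentional (the SP-1 set later in this commit still lists LOGG-1, so it remains required somewhere).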
@@ -956,9 +939,9 @@ Attacker may use configuration errors to get unauthorized access to the product

| Risk factors                                      | Likelihood | Security profiles |
|---------------------------------------------------|------------|-------------------|
| CFG = 2 & max(ADM, COM) = 2 & max(DAT, FUN) = 2   | High       | SP-3, SP-4        |
| all others                                        | Medium     | SP-1, SP-2        |
| CFG = 0 or max(ADM, COM) = 0 or max(DAT, FUN) = 0 | Low        | none              |
| CFG > 0 & max(ADM, COM) = 2 & max(DAT, FUN) = 2   | High       | SP-3, SP-4        |
| all others                                        | Medium     | SP-2              |
| CFG = 0 or max(ADM, COM) = 0 or max(DAT, FUN) = 0 | Low        | SP-1              |

| Risk factors      | Impact | Security profiles |
|-------------------|--------|-------------------|
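Review bot: Loosening the High condition from CFG = 2 to CFG > 0 moves a profile with CFG = 1 and both other maxima at 2 from Medium to High; that tightens the required mitigations for such a profile and should be called out in the commit message. Moving SP-1 from the Medium row to the Low row is consistent with the Low condition, but the "all others" row still precedes the specific Low row; order the specific rows first so the table reads top to bottom.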
@@ -986,9 +969,9 @@ Attacker may use user metadata such as IP addresses and traffic analysis to gain

| Risk factors | Likelihood | Security profiles |
|--------------|------------|-------------------|
| TODO         | High       |                   |
| TODO         | Medium     |                   |
| TODO         | Low        |                   |
| TODO         | High       | SP-3              |
| TODO         | Medium     | SP-2, SP-4        |
| TODO         | Low        | SP-1              |

| Risk factors      | Impact | Security profiles |
|-------------------|--------|-------------------|
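Review bot: This hunk assigns SP-3, SP-2/SP-4 and SP-1 to High, Medium and Low while the risk-factor conditions are still TODO, so the assignment cannot be checked against Table C.5.1. Either fill in the conditions first or leave the profile column empty until they exist, so the document never carries a mapping nobody can verify.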
@@ -1010,15 +993,15 @@ Mitigations for Impact:

* High to Low: TODO

### C.4.14 TH-RDPS: RDPS compromise and isolation
### C.4.14 TH-RCOM: RDPS compromise and isolation

Attacker may use compromise or isolation errors in remote data processing system to gain access to product assets.

| Risk factors                  | Likelihood | Security profiles |
|--------------|------------|-------------------|
| TODO         | High       |                   |
| TODO         | Medium     |                   |
| TODO         | Low        |                   |
|-------------------------------|------------|-------------------|
| RDP = 2 & DAT = 2 & FUN = 2   | High       | SP-3              |
| all others                    | Medium     | SP-4              |
| RDP = 0 or DAT = 0 or FUN = 0 | Low        | SP-1, SP-2        |

| Risk factors      | Impact | Security profiles |
|-------------------|--------|-------------------|
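Review bot: Renaming the identifier from TH-RDPS to TH-RCOM changes only this heading in the diff; any other mention of TH-RDPS (cross-references, other appendices or files) needs the same rename or the references break, so grep for the old name. The new likelihood table also places "all others → Medium" above the explicit "RDP = 0 or DAT = 0 or FUN = 0" Low row; put the specific row first.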
@@ -1047,7 +1030,7 @@ Mitigations for Impact:
| UC-1     | Individual consumer         | 1   | 0   | 0   | 0   | 2   | 2   | 2   | 0   | SP-1 |
| UC-2     | Privacy conscious household | 1   | 0   | 1   | 1   | 1   | 0   | 2   | 1   | SP-2 |
| UC-3     | Journalist or activist      | 1   | 1   | 2   | 2   | 2   | 2   | 2   | 1   | SP-3 |
| UC-4     | Small organization          | 2   | 1   | 2   | 1   | 0   | 1   | 2   | 2   | SP-4 |
| UC-4     | Small organization          | 2   | 1   | 2   | 1   | 1   | 1   | 2   | 2   | SP-4 |

_Table C.5.1 — Use cases mapped to risk factors and security profiles_

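Review bot: The UC-4 row changes one risk factor from 0 to 1, but the table header is outside the hunk, so the diff does not show which factor it is, and the commit message says nothing about use cases. Any threat table keyed on that factor may move SP-4 between levels, so name the factor in the commit message (or split this into its own commit) and recheck the SP-4 rows in the threat tables.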
+117 −9
@@ -865,8 +865,6 @@ The VPN provider shall use a preshared key to mitigate post-quantum decryption

#### 5.2.14.3 MI-CRYPT-2: Use conformant encryption

> TODO-HAS: Fill in below

VPN encryption shall use cryptographic algorithms, keys, and parameters as described in EUCC Guidelines Cryptography v2 [\[3\]](#_ref_3) or demonstrably equivalent state-of-the-art mechanisms.

  * Reference: TR-CRYPT
@@ -1134,7 +1132,7 @@ _Description of mitigation in "shall" format_.
  * Verdict:
  * Evidence:

## 5.3 Risk Mitigation Sets
## 5.3 Risk mitigation sets

### 5.3.1 General

@@ -1142,18 +1140,128 @@ This clause lists all the mitigations necessary to meet requirements for each se

### 5.3. SP-1 Individual consumer required mitigations


  1. SSCA
  1. SCFS
  1. NPII-1
  1. LOGG-1
  1. (KEVD or KEVA or KEVT or SCAN)
  1. KEVM
  1. (SUVP or SUAP or SUOE or SUAO)
  1. VULH
  1. EISO
  1. AUTH-6
  1. ROUT-1
  1. AUTH-1
  1. AUTH-2
  1. CONF-6
  1. EISO
  1. (TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4))
  1. IPv6-\*
  1. CDST

### 5.3. SP-2 Privacy conscious household required mitigations


  1. SSCA
  1. SCFS
  1. NPII-1
  1. LOGG-1
  1. (KEVD or KEVA or KEVT or SCAN)
  1. KEVM
  1. (SUVP or SUAP or SUOE or SUAO)
  1. VULH
  1. AUTH-3
  1. AUTH-5
  1. NPII-1
  1. DOST
  1. FDRP
  1. LMEM
  1. CRYPT-2
  1. CONF-3
  1. DNSL-1
  1. DNSL-2
  1. DNSL-7
  1. DNSL-8
  1. IPv6-\*
  1. EISO
  1. AUTH-6
  1. CRYPT-\*
  1. SCDL-\*
  1. ROUT-\*
  1. AUTH-\*
  1. CONF-6
  1. EISO
  1. (TRAF-1 or (TRAF-2 and TRAF-3 and TRAF-4))
  1. IPv6-\*
  1. CDST

### 5.3. SP-3 Journalist or activist required mitigations


  1. SSCA
  1. (FZ95 or BTIN or IMSL)
  1. SCFS
  1. NPII-\*
  1. LOGG-\*
  1. KEVD
  1. KEVA
  1. (KEVT or SCAN)
  1. KEVM
  1. (SUAP or SUAO)
  1. VULH
  1. AUTH-3
  1. AUTH-4
  1. AUTH-5
  1. DOST
  1. FDRP
  1. LMEM
  1. FAIR
  1. CRYPT-1
  1. CRYPT-2
  1. EISO
  1. AUTH-6
  1. CRYPT-\*
  1. SCDL-\*
  1. ROUT-\*
  1. AUTH-\*
  1. EISO
  1. TRAF-1
  1. IPv6-\*
  1. CDST
  1. CONF-\*
  1. DNSL-\*

### 5.3. SP-4 Small organization required mitigations



> TODO-HAS: Fill out risk mitigation sets
  1. SSCA
  1. SCFS
  1. NPII-1
  1. LOGG-\*
  1. KEVD
  1. KEVA
  1. (KEVT or SCAN)
  1. KEVM
  1. (SUAP or SUAO)
  1. VULH
  1. AUTH-3
  1. AUTH-5
  1. NPII-1
  1. DOST
  1. FDRP
  1. LMEM
  1. CRYPT-\*
  1. CONF-3
  1. DNSL-1
  1. DNSL-2
  1. DNSL-6
  1. DNSL-7
  1. DNSL-8
  1. IPv6-\*
  1. EISO
  1. AUTH-6
  1. CRYPT-\*
  1. SCDL-\*
  1. ROUT-\*
  1. AUTH-\*
  1. EISO
  1. TRAF-1
  1. IPv6-\*
  1. CDST
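Review bot: Several issues in the new mitigation sets. (1) The four headings read "### 5.3. SP-n ..." with the subsection number missing after "5.3."; following "### 5.3.1 General" they should be 5.3.2 through 5.3.5. (2) The lists contain duplicates and wildcard/explicit overlaps: SP-1 lists EISO twice; SP-2 lists NPII-1, EISO and IPv6-* twice and CRYPT-2 alongside CRYPT-*; SP-3 lists EISO twice and CRYPT-1 and CRYPT-2 alongside CRYPT-*; SP-4 lists NPII-1, EISO, IPv6-* and CRYPT-* twice. Since each set is the union of per-threat mitigations, de-duplicate when merging and let a wildcard subsume the numbered entries of the same family. (3) The sets do not match the threat tables changed in this commit: the TH-UEVU impact table puts SP-2 and SP-4 at High, whose High-to-Low mitigations are NPII-*, LOGG-*, CDST, yet SP-2 lists only NPII-1 and LOGG-1 and SP-4 only NPII-1 with LOGG-*. (4) The "> TODO-HAS: Fill out risk mitigation sets" line is left directly above the now-filled SP-4 list; remove it, or if the sets are still draft, keep it and put a blank line between it and the list so it does not read as part of the list.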