Unverified Commit 72c9b69a authored by Aki Braun

Resolve pluralisation and ETSI spelling

parent 5c3c59f1
+26 −26
@@ -239,18 +239,18 @@ Potential functions include:

Roles of nodes in VPNs (a node can have some or all):

* Authorisation: grant nodes access to the restricted use network
* Authorization: grant nodes access to the restricted use network
* Encryption: encrypt traffic within the confines of the restricted use network
* Edge: uses a public network to communicate with the restricted use network
* Gateway: provides link between public network and restricted use network
* Router: forward traffic between nodes in the restricted use network
* Filter: select which traffic may transit this node in the restricted use network
* Relays: assist nodes in connecting to the restricted use network
* Relay: assist nodes in connecting to the restricted use network

During reasonably foreseeable use, VPN nodes may:

* Authorise other nodes to use the restricted use network
* Request authorisation to use the restricted network
* Authorize other nodes to use the restricted use network
* Request authorization to use the restricted network
* Serve configuration information
* Update their configuration information
* Assist nodes in connecting to the restricted use network
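Review bot: the verb forms in the roles list are still mixed after the Relays→Relay fix: "Authorization: grant", "Router: forward", "Filter: select" and "Relay: assist" are imperatives while "Edge: uses" and "Gateway: provides" are third-person; pick one form for all eight items. Also, "Request authorization to use the restricted network" drops "use" from the term "restricted use network" that every other item uses; suggest "the restricted use network" for consistency.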
@@ -357,7 +357,7 @@ The following risks are delegated by the VPN product to other components within

- **Operating System stability and Runtime Environment robustness**: A VPN product relies on a secure and stable underlying operating system (OS) to function. The risks associated with OS vulnerabilities or a compromised runtime environment are delegated to the OS.
- **Hardware Integrity**: The VPN product depends on the integrity of the physical hardware for the confidentiality of cryptographic keys and data processing. Risks of physical tampering or hardware-based attacks are delegated to the hardware manufacturer.
- **Identity and Authentication**: The VPN product delegates the risks associated with user credential management to a trusted Identity and Access Management (IAM) system. It relies on this external component for secure authentication and authorisation of users.
- **Identity and Authentication**: The VPN product delegates the risks associated with user credential management to a trusted Identity and Access Management (IAM) system. It relies on this external component for secure authentication and authorization of users.

## 4.6 Users

@@ -394,7 +394,7 @@ See [\[i.3\]](#_ref_i.3) for formal definitions of micro, small, and medium-size
    * Actively circumventing observation from competitors, hackers, opponents, and unsanctioned state actors
    * Does not connect endpoints with other endpoints directly

* **UC-4** Small enterprise, small not-for-profit organisation
* **UC-4** Small enterprise, small not-for-profit organization
    * Limited or no full-time IT/network administration
    * Seeking secure connections primarily to SaaS products
    * Requires managed service for configuration and maintenance
@@ -449,9 +449,9 @@ Once the present document is cited in the Official Journal of the European Union
| Authentication and access control mechanisms    | AUTH                                |
| Confidentiality protection                      | AUTH, ROUT, DNSL, EISO, IPV6, CRYPT |
| Integrity protection for data and configuration | CONF, DNSL                          |
| Data minimisation                               | DMIN                                |
| Data minimization                               | DMIN                                |
| Availability protection                         | AVAI                                |
| Minimise impact on other devices or services    | NUTI                                |
| Minimize impact on other devices or services    | NUTI                                |
| Limit attack surface                            | EISO, NUTI                          |
| Exploit mitigation by limiting incident impact  | SSD, EISO, NUTI                     |
| Logging and monitoring mechanisms               | LOGG                                |
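Review bot: the code "SSD" in the "Exploit mitigation by limiting incident impact" row does not match the "TR-SSDD" reference used in the memory-safety test case in this same commit; one of the two looks like a typo. Separately, "Integrity protection for data and configuration" maps only to CONF and DNSL while "Confidentiality protection" includes CRYPT; if the cryptographic requirements also cover integrity of tunnelled data, CRYPT should appear in the integrity row as well.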
@@ -539,8 +539,8 @@ Description: Affects likelihood of threats involving authentication.
Rationale: An improper account management and authentication implementation can directly impact with a successful breach

* **[AUT-0]** User employs a third party identity and authentication provider
* **[AUT-1]** Identity and authentication are managed through a user-owned and managed centralised identity system
* **[AUT-2]** Each system utilised by the user involves its own set of account information and secrets
* **[AUT-1]** Identity and authentication are managed through a user-owned and managed centralized identity system
* **[AUT-2]** Each system utilized by the user involves its own set of account information and secrets

### C.2.5 RF-FUN: Sensitivity of functions

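Review bot: the unchanged "Rationale" line reads awkwardly ("can directly impact with a successful breach"); suggest "can directly result in a successful breach". The AUT-0 item also still says "third party" where the attributive form "third-party" is wanted.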
@@ -652,7 +652,7 @@ For each threat, both likelihood and impact must be Low before the risk is consi

### C.4.3 TH-UEVU: Unknown exploitable vulnerabilities

Attacker may use unknown exploitable vulnerabilities in the product implementation to get unauthorised access to product assets.
Attacker may use unknown exploitable vulnerabilities in the product implementation to get unauthorized access to product assets.

**Table C.4.3-1: Unknown exploitable vulnerabilities**

@@ -682,7 +682,7 @@ Mitigations for Impact:

### C.4.4 TH-KEVU: Known exploitable vulnerabilities

Attacker may use known exploitable vulnerabilities in the product implementation to get unauthorised access to product assets.
Attacker may use known exploitable vulnerabilities in the product implementation to get unauthorized access to product assets.

**Table C.4.4-1: Known exploitable vulnerabilities**

@@ -709,11 +709,11 @@ TODO KEVX - the more enterprise-appropriate version of KEVA
* Medium to Low: (KEVD or KEVA or KEVX), (KEVT or SCAN), (SUVP or SUAP or SUOE or SUAO), VULH
* High to Low: KEVD, (KEVA or KEVX), (KEVT or SCAN), (SUAP or SUAO), SUCS, SUAU, SUVH, SURP, SURC, SUSR, SUMV, SUED, VULH

### C.4.5 TH-UEAC: Unauthorised endpoint access
### C.4.5 TH-UEAC: Unauthorized endpoint access

Attacker may gain unauthorised access to an endpoint in a manner not under control of the product, exposing product assets.
Attacker may gain unauthorized access to an endpoint in a manner not under control of the product, exposing product assets.

**Table C.4.5-1: Unauthorised endpoint access**
**Table C.4.5-1: Unauthorized endpoint access**

| Risk factors       | Likelihood | Security profiles |
|--------------------|------------|-------------------|
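Review bot: the "TODO KEVX" marker in the hunk's context line is still present while KEVX is already referenced in the Medium-to-Low and High-to-Low mitigation lists; either define KEVX before this is merged or drop it from the lists so the document does not cite an undefined mitigation.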
@@ -721,7 +721,7 @@ Attacker may gain unauthorised access to an endpoint in a manner not under contr
| all others         | Medium     | SP-2              |
| max (PER, FUN) = 0 | Low        | SP-1              |

**Table C.4.5-2: Unauthorised endpoint access**
**Table C.4.5-2: Unauthorized endpoint access**

| Risk factors       | Impact | Security profiles |
|--------------------|--------|-------------------|
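Review bot: "max (PER, FUN) = 0" in Table C.4.5-1 has a space before the parenthesis, whereas Table C.4.11-1 writes "max(PER, FUN) = 2"; use one spelling of the expression throughout. Tables C.4.5-1 and C.4.5-2 also carry the same title although one is the likelihood table and the other the impact table; adding "likelihood" and "impact" to the titles would make cross-references unambiguous.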
@@ -902,18 +902,18 @@ Mitigations for Impact:
* Medium to Low: LOGG-1
* High to Low: LOGG-1, LOGG-2

### C.4.11 TH-UNAA: Unauthorised authentication
### C.4.11 TH-UNAA: Unauthorized authentication

Attacker may attempt to authenticate in an unauthorised manner to get access to product assets.
Attacker may attempt to authenticate in an unauthorized manner to get access to product assets.

**Table C.4.11-1: Unauthorised authentication**
**Table C.4.11-1: Unauthorized authentication**

| Risk factors      | Likelihood | Security profiles |
|-------------------|------------|-------------------|
| max(PER, FUN) = 2 | High       | SP-3, SP-4, SP-5  |
| all others        | Medium     | SP-1, SP-2        |

**Table C.4.11-2: Unauthorised authentication**
**Table C.4.11-2: Unauthorized authentication**

| Risk factors       | Impact | Security profiles |
|--------------------|--------|-------------------|
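Review bot: Table C.4.11-1 assigns SP-3, SP-4 and SP-5 to the High row and SP-1 and SP-2 to "all others", but the security profile table later in this commit also defines SP-6 and SP-7, so two profiles have no likelihood assignment here; either add them to the "all others" row or state why they are excluded.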
@@ -965,7 +965,7 @@ Mitigations for Impact:

### C.4.13 TH-CNFS: Access to assets via configuration errors in single endpoint VPN

Attacker may use configuration errors to get unauthorised access to product assets in a single endpoint VPN.
Attacker may use configuration errors to get unauthorized access to product assets in a single endpoint VPN.

**Table C.4.13-1: Access to assets via configuration errors in single endpoint VPN**

@@ -997,7 +997,7 @@ Mitigations for Impact:

### C.4.14 TH-CNFM: Access to assets via configuration errors in a multi-endpoint VPN

Attacker may use configuration errors to get unauthorised access to product assets in a multi-endpoint VPN.
Attacker may use configuration errors to get unauthorized access to product assets in a multi-endpoint VPN.

**Table C.4.14-1: Access to assets via configuration errors in a multi-endpoint VPN**

@@ -1091,7 +1091,7 @@ Mitigations for Impact:

### C.4.17 TH-USED: Access to data via access to used product

Attacker may get unauthorised access to confidential data stored on the product through access to or acquisition of a device containing the used product.
Attacker may get unauthorized access to confidential data stored on the product through access to or acquisition of a device containing the used product.

**Table C.4.17-1: Access to data via access to used product**

@@ -1123,7 +1123,7 @@ Mitigations for Impact:

### C.4.18 TH-CPER: Compromise of Personal Data stored or transmitted by the product

Attacker may get unauthorised access to Personal Data stored or transmitted by the product.
Attacker may get unauthorized access to Personal Data stored or transmitted by the product.

**Table C.4.18-1: Compromise of Personal Data stored or transmitted by the product**

@@ -1157,7 +1157,7 @@ Mitigations for Impact:
| UC-1     | Individual consumer         | 1   | 0   | 0   | 2   | 2   | 2   | 0   | 0   | 0   | SP-1 |
| UC-2     | Privacy conscious household | 1   | 0   | 1   | 1   | 1   | 2   | 1   | 0   | 1   | SP-2 |
| UC-3     | Journalist or activist      | 1   | 1   | 2   | 2   | 2   | 2   | 1   | 0   | 2   | SP-3 |
| UC-4     | Small organisation          | 2   | 2   | 1   | 1   | 2   | 2   | 2   | 1   | 1   | SP-4 |
| UC-4     | Small organization          | 2   | 2   | 1   | 1   | 2   | 2   | 2   | 1   | 1   | SP-4 |
| UC-5     | Large enterprise            | 2   | 2   | 2   | 0   | 2   | 2   | 2   | 2   | 1   | SP-4 |
| UC-6     | Enterprise client software  | 1   | 0   | 2   | 1   | 0   | 0   | 2   | 0   | 1   | SP-6 |
| UC-7     | Mesh network                | 2   | 2   | 1   | 1   | 1   | 2   | 2   | 0   | 1   | SP-7 |
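Review bot: UC-5 "Large enterprise" maps to SP-4 in this table, but the security profile table in the next hunk defines SP-5 as "Large enterprise", so this looks like a typo for SP-5 (two use cases currently share SP-4).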
@@ -1177,7 +1177,7 @@ Security profiles are an informative resource to the assessor. Each security pro
| SP-1             | Individual consumer         | 1   | 0   | 0   | 2   | 2   | 2   | 0   | 0   | 0   |
| SP-2             | Privacy conscious household | 1   | 0   | 1   | 1   | 0   | 2   | 1   | 0   | 1   |
| SP-3             | Journalist or activist      | 1   | 1   | 2   | 2   | 2   | 2   | 1   | 0   | 2   |
| SP-4             | Small organisation          | 2   | 2   | 1   | 1   | 1   | 2   | 2   | 1   | 1   |
| SP-4             | Small organization          | 2   | 2   | 1   | 1   | 1   | 2   | 2   | 1   | 1   |
| SP-5             | Large enterprise            | 2   | 2   | 2   | 0   | 1   | 2   | 2   | 2   | 1   |
| SP-6             | Enterprise client software  | 1   | 0   | 2   | 1   | 0   | 0   | 2   | 0   | 1   |
| SP-7             | Mesh network                | 2   | 2   | 1   | 1   | 1   | 2   | 2   | 0   | 1   |
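Review bot: the fifth numeric column for SP-2, SP-4 and SP-5 (0, 1, 1) differs from the corresponding UC-2, UC-4 and UC-5 rows in the use-case table above (1, 2, 2), while every other row is identical between the two tables; if the profile values are meant to be derived from the use cases, one of the tables needs correcting, otherwise the text should explain why the profiles diverge.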
+6 −6
@@ -130,7 +130,7 @@ The product shall be checked for memory errors by running a tool that exercises
The product shall be implemented in a memory-safe language. Any use of unsafe memory features shall be documented to explain how that feature does not present a cybersecurity risk.

* Reference: TR-SSDD
* Objective: Prevent unauthorised memory access
* Objective: Prevent unauthorized memory access
* Preparation: None
* Activities: Review source code to determine its language and what exceptions to memory safety exist
* Verdict: Source code is in a memory-safe language and the documentation of all uses of unsafe memory features convincingly demonstrates that each one does not present a cybersecurity risk => PASS, otherwise FAIL
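Review bot: the verdict hinges on "convincingly demonstrates", which leaves the bar entirely to the assessor; consider stating a concrete criterion, for example that the documentation for each unsafe construct names the invariant it relies on and why that invariant cannot be violated from outside the construct.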
@@ -531,7 +531,7 @@ The VPN client shall by default encrypt all transmitted user credentials or sens
The VPN client, server, or other nodes shall not use session credentials with indefinite validity. 

* Reference: TR-AUTH
* Objective: Protect VPN connection from unauthorised use
* Objective: Protect VPN connection from unauthorized use
* Preparation: Inspect, obtain or configure the session lifetime
* Activities: Obtain a session credential. After the configured session credential validity periode, attempt to conntect to the VPN server.
* Verdict: Connection is rejected => PASS, otherwise FAIL
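Review bot: the Activities line has two typos, "periode" and "conntect", and the requirement line ends with trailing whitespace. On the logic side, the test only shows that a credential expires after the configured lifetime; since the requirement forbids indefinite validity, the preparation step should also confirm that the lifetime cannot be configured as unlimited (or that a finite default applies), otherwise a product that merely allows a finite lifetime would pass.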
@@ -581,7 +581,7 @@ DNS leaks occur if the client does not or only partially tunnels cleartext DNS t

Further, the user might want to set special DNS configuration either configured by the enterprise or custom configured in a consumer context. The VPN provider then must honour this DNS configuration.

A DNS server is authorised if:
A DNS server is authorized if:

1. the DNS server is configured by administrating user, or
2. the DNS server is provided by the VPN manufacturer
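Review bot: "configured by administrating user" is missing an article and "administrating" is non-standard; suggest "configured by the administering user". The two-item list also leaves open which server wins when both conditions apply (an administrator-configured server and a manufacturer-provided one); the paragraph above says the provider "must honour" the user's configuration, so stating that condition 1 takes precedence would make the definition consistent with it.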
@@ -848,14 +848,14 @@ The minium scope of cybersecurity-relevant events logged by the VPN client may i
* changes applied by the VPN client to the host system's network configuration technically relevant for the VPN service provision, or
* software update successes or failures.

The log messages shall not include any confidential information such as Personal Data, network traffic content, connection metadata (e.g., destination IPs, DNS queries), secrets, or credentials. These logs shall be retained locally on the endpoint. To comply with data minimisation requirements, the VPN client shall not transmit these logs to the remote data processing solutions of the VPN manufacturer by default. Transmission of local logs to the manufacturer (e.g., for technical support or troubleshooting) shall require explicit, informed user authorisation (e.g. explicit opt-in).
The log messages shall not include any confidential information such as Personal Data, network traffic content, connection metadata (e.g., destination IPs, DNS queries), secrets, or credentials. These logs shall be retained locally on the endpoint. To comply with data minimization requirements, the VPN client shall not transmit these logs to the remote data processing solutions of the VPN manufacturer by default. Transmission of local logs to the manufacturer (e.g., for technical support or troubleshooting) shall require explicit, informed user authorization (e.g. explicit opt-in).

* Reference: TR-LOGG, TR-DMIN
* Objective: Monitoring and recording cybersecurity-relevant events
* Preparation: Review the manufacturer's documentation to confirm the scope of cybersecurity-relevant internal events implemented in the logging mechanism.
* Activities: For each type of cybersecurity-relevant internal event (authentication, connection state change, configuration modification, etc.), trigger the event on the endpoint. Attempt to locate any automated transmission of these logs to the manufacturer without explicit user consent.
* Verdict: For each triggered event, the local log contains a message indicating the event, log message does not include any information likely to be confidential, and logs are not transmitted to the manufacturer without explicit user authorisation => PASS, otherwise FAIL
* Evidence: Method of triggering events, log messages with annotations, and packet captures demonstrating no unauthorised transmission of logs.
* Verdict: For each triggered event, the local log contains a message indicating the event, log message does not include any information likely to be confidential, and logs are not transmitted to the manufacturer without explicit user authorization => PASS, otherwise FAIL
* Evidence: Method of triggering events, log messages with annotations, and packet captures demonstrating no unauthorized transmission of logs.

> NOTE: One type of event for which log messages must take care to not accidentally include a secret is failed password authentication attempts. Since users often type their password into the username field, including the username field in the log message may result in including a secret in the log message. Additionally, the product may provide an easy-to-use opt-out mechanism for users who do not wish to have internal activity recorded locally

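Review bot: "minium" in the hunk's context line should be "minimum". The NOTE ends without a full stop, and its last sentence (an opt-out for local recording) is a product feature unrelated to the secret-in-log warning the note is about; consider moving it into the requirement text. The verdict should also make clear that "explicit user authorization" excludes a pre-ticked consent box, since the requirement calls for explicit opt-in.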
+3 −3
@@ -104,7 +104,7 @@ In this clause, reference can be made to the Annex K (normative), specifying Sta

Proposed ESR code: INT

## 6.8 Data Minimisation
## 6.8 Data Minimization

Proposed ESR code: DM

@@ -112,11 +112,11 @@ Proposed ESR code: DM

Proposed ESR code: AP

## 6.10 Impact Minimisation
## 6.10 Impact Minimization

Proposed ESR code: IM

## 6.11 Minimisation of Attack Surfaces
## 6.11 Minimization of Attack Surfaces

Proposed ESR code: MAS