Loading EN-304-620.md +73 −83 Original line number Diff line number Diff line Loading @@ -554,16 +554,6 @@ Rationale: An improper account management and authentication implementation can * **[AUT-1]** Identity and authentication are managed through a user-owned and managed centralised identity system * **[AUT-2]** Each system utilised by the user involves its own set of account information and secrets ### C.2.4 RF-DAT: Sensitivity of data Description: Affects impact of threats involving loss of data confidentiality, availability, or integrity. Rationale: More sensitive data leads to a higher impact with a successful breach. * **[DAT-0]** User data is generally trivial and unimportant (ie. TV or streaming content, etc) * **[DAT-1]** User data is moderately important (i.e. may include some Personal Data) * **[DAT-2]** User data is important for preservation of human rights of user ### C.2.5 RF-FUN: Sensitivity of functions Description: Affects impact of threats involving loss of availability of product functions. Loading Loading @@ -680,14 +670,14 @@ Attacker may use unknown exploitable vulnerabilities in the product implementati | Risk factors | Likelihood | Security profiles | |------------------------|------------|-------------------| | max(DAT, FUN, COM) = 2 | High | SP-3, SP-4, SP-5 | | max(PER, FUN, COM) = 2 | High | SP-3, SP-4, SP-5 | | all others | Medium | SP-1, SP-2 | **Table C.4.3-2: Unknown exploitable vulnerabilities** | Risk factors | Impact | Security profiles | |------------------------|--------|-------------------| | max(DAT, FUN, COM) = 2 | High | SP-3, SP-4, SP-5 | | max(PER, FUN, COM) = 2 | High | SP-3, SP-4, SP-5 | | all others | Medium | SP-1, SP-2 | Requirements that mitigate this threat: SSDD, NUTI, LOGG Loading 
@@ -710,14 +700,14 @@ Attacker may use known exploitable vulnerabilities in the product implementation | Risk factors | Likelihood | Security profiles | |------------------------|------------|------------------------| | max(DAT, FUN, COM) > 0 | High | SP-2, SP-3, SP-4, SP-5 | | max(PER, FUN, COM) > 0 | High | SP-2, SP-3, SP-4, SP-5 | | all others | Medium | SP-1 | **Table C.4.4-2: Known exploitable vulnerabilities** | Risk factors | Impact | Security profiles | |-------------------|--------|------------------------| | max(DAT, FUN) > 0 | High | SP-2, SP-3, SP-4, SP-5 | | max(PER, FUN) > 0 | High | SP-2, SP-3, SP-4, SP-5 | | all others | Medium | SP-1 | Requirements that mitigate this threat: NKEV, SSDD, SCUD, NUTI, LOGG, VULH Loading @@ -739,17 +729,17 @@ Attacker may gain unauthorised access to an endpoint in a manner not under contr | Risk factors | Likelihood | Security profiles | |--------------------|------------|-------------------| | max(DAT, FUN) = 2 | High | SP-3, SP-4, SP-5 | | max(PER, FUN) = 2 | High | SP-3, SP-4, SP-5 | | all others | Medium | SP-2 | | max (DAT, FUN) = 0 | Low | SP-1 | | max (PER, FUN) = 0 | Low | SP-1 | **Table C.4.5-2: Unauthorised endpoint access** | Risk factors | Impact | Security profiles | |--------------------|--------|-------------------| | max(DAT, FUN) = 2 | High | SP-3, SP-4, SP-5 | | max(PER, FUN) = 2 | High | SP-3, SP-4, SP-5 | | all others | Medium | SP-2 | | max (DAT, FUN) = 0 | Low | SP-1 | | max (PER, FUN) = 0 | Low | SP-1 | Requirements that mitigate this threat: AUTH, DMIN, CDST Loading 
@@ -771,17 +761,17 @@ Attacker launches denial of service attack on remote data processing solution. | Risk factors | Likelihood | Security profiles | |-------------------------------|------------|-------------------| | RDP = 2 & max(DAT, FUN) = 2 | High | SP-3, SP-4, SP-5 | | RDP = 2 & max(PER, FUN) = 2 | High | SP-3, SP-4, SP-5 | | all others | Medium | SP-2 | | RDP = 0 or DAT = 0 or FUN = 0 | Low | SP-1 | | RDP = 0 or PER = 0 or FUN = 0 | Low | SP-1 | **Table C.4.6-2: Denial of service on remote data processing** | Risk factors | Impact | Security profiles | |--------------------|--------|-------------------| | max(DAT, FUN) = 2 | High | SP-3, SP-4, SP-5 | | max(PER, FUN) = 2 | High | SP-3, SP-4, SP-5 | | all others | Medium | SP-2 | | max (DAT, FUN) = 0 | Low | SP-1 | | max (PER, FUN) = 0 | Low | SP-1 | Requirements that mitigate this threat: AVAI Loading @@ -803,17 +793,17 @@ Attacker may read or modify traffic by capturing and relaying activity to and fr | Risk factors | Likelihood | Security profiles | |-------------------|------------|-------------------| | max(DAT, FUN) = 2 | High | SP-3, SP-4, SP-5 | | max(PER, FUN) = 2 | High | SP-3, SP-4, SP-5 | | all others | Medium | SP-2 | | max(DAT, FUN) = 0 | Low | SP-1 | | max(PER, FUN) = 0 | Low | SP-1 | **Table C.4.7-2: Machine-in-the-middle** | Risk factors | Impact | Security profiles | |--------------------|--------|-------------------| | max(DAT, FUN) = 2 | High | SP-3, SP-4, SP-5 | | max(PER, FUN) = 2 | High | SP-3, SP-4, SP-5 | | all others | Medium | SP-2 | | max (DAT, FUN) = 0 | Low | SP-1 | | max (PER, FUN) = 0 | Low | SP-1 | Table: _Table C.10_ Loading 
@@ -837,15 +827,15 @@ Attacker may read sensitive data sent outside the VPN connection by the product. | Risk factors | Likelihood | Security profiles | |------------------------------|------------|-------------------| | DNC = 2 & max(DAT, FUN) = 2 | High | SP-3, SP-4, SP-5 | | DNC = 2 & max(PER, FUN) = 2 | High | SP-3, SP-4, SP-5 | | all others | Medium | SP-2 | | DNC = 0 or max(DAT, FUN) = 0 | Low | SP-1 | | DNC = 0 or max(PER, FUN) = 0 | Low | SP-1 | **Table C.4.8-2: Sensitive data leaks** | Risk factors | Impact | Security profiles | |--------------|--------|-------------------| | DAT = 2 | High | SP-3, SP-4, SP-5 | | PER = 2 | High | SP-3, SP-4, SP-5 | | all others | Medium | SP-1, SP-2 | Requirements that mitigate this threat: ROUT, CONF, DNSL, IPv6, CRYPT Loading @@ -868,17 +858,17 @@ Attacker may read sensitive data transmitted without encryption in a single endp | Risk factors | Likelihood | Security profiles | |-----------------------------------------|------------|-------------------| | CON = 0 & CFG > 0 & max(DAT, FUN) = 2) | High | SP-3 | | CON = 0 & CFG > 0 & max(PER, FUN) = 2) | High | SP-3 | | all others | Medium | SP-2 | | CON > 0 or CFG = 0 or max(DAT, FUN) = 0 | Low | SP-1, SP-4, SP-5 | | CON > 0 or CFG = 0 or max(PER, FUN) = 0 | Low | SP-1, SP-4, SP-5 | **Table C.4.9-2: Transmitting sensitive data in the clear in a single endpoint VPN** | Risk factors | Impact | Security profiles | |------------------------------|--------|-------------------| | CON = 0 & max(DAT, FUN) = 2 | High | SP-3 | | CON = 0 & max(PER, FUN) = 2 | High | SP-3 | | all others | Medium | SP-2 | | CON > 0 or max(DAT, FUN) = 0 | Low | SP-1, SP-4, SP-5 | | CON > 0 or max(PER, FUN) = 0 | Low | SP-1, SP-4, SP-5 | Requirements that mitigate this threat: EISO, CRYPT, AUTH, ROUT, DNSL Loading 
@@ -900,17 +890,17 @@ Attacker may read sensitive data transmitted without encryption in a VPN which c | Risk factors | Likelihood | Security profiles | |-----------------------------------------|------------|-------------------| | CON > 0 & CFG > 0 & max(DAT, FUN) = 2 | High | SP-4, SP-5 | | CON > 0 & CFG > 0 & max(PER, FUN) = 2 | High | SP-4, SP-5 | | all others | Medium | none | | CON = 0 or CFG = 0 or max(DAT, FUN) = 0 | Low | SP-1, SP-2, SP-3 | | CON = 0 or CFG = 0 or max(PER, FUN) = 0 | Low | SP-1, SP-2, SP-3 | **Table C.4.10-2: Transmitting sensitive data in the clear in multi-endpoint VPN** | Risk factors | Impact | Security profiles | |------------------------------|--------|-------------------| | CON > 0 & max(DAT, FUN) = 2 | High | SP-4, SP-5 | | CON > 0 & max(PER, FUN) = 2 | High | SP-4, SP-5 | | all others | Medium | none | | CON = 0 or max(DAT, FUN) = 0 | Low | SP-1, SP-2, SP-3 | | CON = 0 or max(PER, FUN) = 0 | Low | SP-1, SP-2, SP-3 | Requirements that mitigate this threat: CRYPT, AUTH, ROUT, DNSL Loading @@ -932,16 +922,16 @@ Attacker may attempt to authenticate in an unauthorised manner to get access to | Risk factors | Likelihood | Security profiles | |-------------------|------------|-------------------| | max(DAT, FUN) = 2 | High | SP-3, SP-4, SP-5 | | max(PER, FUN) = 2 | High | SP-3, SP-4, SP-5 | | all others | Medium | SP-1, SP-2 | **Table C.4.11-2: Unauthorised authentication** | Risk factors | Impact | Security profiles | |--------------------|--------|-------------------| | max(DAT, FUN) = 2 | High | SP-3, SP-4, SP-5 | | max(PER, FUN) = 2 | High | SP-3, SP-4, SP-5 | | all others | Medium | SP-2 | | max (DAT, FUN) = 0 | Low | SP-1 | | max (PER, FUN) = 0 | Low | SP-1 | Requirements that mitigate this threat: AUTH, LOGG Loading 
@@ -963,14 +953,14 @@ Attacker may remove evidence of compromise from the endpoint. | Risk factors | Likelihood | Security profiles | |-------------------|------------|-------------------| | max(DAT, FUN) = 2 | High | SP-3, SP-4, SP-5 | | max(PER, FUN) = 2 | High | SP-3, SP-4, SP-5 | | all others | Low | SP-1, SP-2 | **Table C.4.12-2: Attacker removes evidence of compromise** | Risk factors | Impact | Security profiles | |-------------------|--------|-------------------| | max(DAT, FUN) = 2 | High | SP-3, SP-4, SP-5 | | max(PER, FUN) = 2 | High | SP-3, SP-4, SP-5 | | all others | Low | SP-1, SP-2 | Requirements that mitigate this threat: LOGG Loading @@ -993,17 +983,17 @@ Attacker may use configuration errors to get unauthorised access to product asse | Risk factors | Likelihood | Security profiles | |--------------------------------------------------------------|------------|-------------------| | CON = 0 & CFG > 0 & max(ADM, COM) = 2 & max(DAT, FUN) = 2 | High | SP-3 | | CON = 0 & CFG > 0 & max(ADM, COM) = 2 & max(PER, FUN) = 2 | High | SP-3 | | all others | Medium | SP-2 | | CON > 0 or CFG = 0 or max(ADM, COM) = 0 or max(DAT, FUN) = 0 | Low | SP-1, SP-4, SP-5 | | CON > 0 or CFG = 0 or max(ADM, COM) = 0 or max(PER, FUN) = 0 | Low | SP-1, SP-4, SP-5 | **Table C.4.13-2: Access to assets via configuration errors in single endpoint VPN** | Risk factors | Impact | Security profiles | |------------------------------|--------|-------------------| | CON = 0 & max(DAT, FUN) = 2 | High | SP-3 | | CON = 0 & max(PER, FUN) = 2 | High | SP-3 | | all others | Medium | SP-2 | | CON > 0 or max(DAT, FUN) = 0 | Low | SP-1, SP-4, SP-5 | | CON > 0 or max(PER, FUN) = 0 | Low | SP-1, SP-4, SP-5 | Requirements that mitigate this threat: CONF, TRAF, IPv6, CDST, LOGG Loading 
@@ -1025,17 +1015,17 @@ Attacker may use configuration errors to get unauthorised access to product asse | Risk factors | Likelihood | Security profiles | |--------------------------------------------------------------|------------|-------------------| | CON > 0 & CFG > 0 & max(ADM, COM) = 2 & max(DAT, FUN) = 2 | High | SP-5 | | CON > 0 & CFG > 0 & max(ADM, COM) = 2 & max(PER, FUN) = 2 | High | SP-5 | | all others | Medium | SP-4 | | CON = 0 or CFG = 0 or max(ADM, COM) = 0 or max(DAT, FUN) = 0 | Low | SP-1, SP-2, SP-3 | | CON = 0 or CFG = 0 or max(ADM, COM) = 0 or max(PER, FUN) = 0 | Low | SP-1, SP-2, SP-3 | **Table C.4.14-2: Access to assets via configuration errors in a multi-endpoint VPN** | Risk factors | Impact | Security profiles | |------------------------------|--------|-------------------| | CON > 0 & max(DAT, FUN) = 2 | High | SP-4, SP-5 | | CON > 0 & max(PER, FUN) = 2 | High | SP-4, SP-5 | | all others | Medium | none | | CON = 0 or max(DAT, FUN) = 0 | Low | SP-1, SP-2, SP-3 | | CON = 0 or max(PER, FUN) = 0 | Low | SP-1, SP-2, SP-3 | Requirements that mitigate this threat: CONF, TRAF, IPv6, CDST, LOGG Loading @@ -1056,8 +1046,8 @@ Attacker may use user metadata such as IP addresses and traffic analysis to comp **Table C.4.15-1: Compromise of Personal Data due to metadata and traffic analysis** | Risk factors | Likelihood | Security profiles | |------------------------------|------------|------------------------| | PER = 2 & DATA = 2 & FUN = 2 | High | SP-3 | |---------------------|------------|------------------------| | PER = 2 & & FUN = 2 | High | SP-3 | | all others | Medium | SP-1, SP-2, SP-4, SP-5 | **Table C.4.15-2: Compromise of Personal Data due to metadata and traffic analysis** Loading Loading 
@@ -1087,17 +1077,17 @@ Attacker may use compromise or isolation errors in remote data processing system | Risk factors | Likelihood | Security profiles | |-------------------------------|------------|-------------------| | RDP = 2 & DAT = 2 & FUN = 2 | High | SP-3, SP-5 | | RDP = 2 & PER = 2 & FUN = 2 | High | SP-3, SP-5 | | all others | Medium | SP-4 | | RDP = 0 or DAT = 0 or FUN = 0 | Low | SP-1, SP-2 | | RDP = 0 or PER = 0 or FUN = 0 | Low | SP-1, SP-2 | **Table C.4.16-2: RDPS compromise and isolation** | Risk factors | Impact | Security profiles | |-------------------|--------|-------------------| | DAT = 2 & FUN = 2 | High | SP-3, SP-5 | | PER = 2 & FUN = 2 | High | SP-3, SP-5 | | all others | Medium | SP-2, SP-4 | | DAT = 0 & FUN = 0 | Low | SP-1 | | PER = 0 & FUN = 0 | Low | SP-1 | Requirements that mitigate this threat: TODO Loading @@ -1119,17 +1109,17 @@ Attacker may get unauthorised access to confidential data stored on the product | Risk factors | Likelihood | Security profiles | |-------------------|------------|-------------------| | ADM > 0 & DAT = 2 | High | SP-3, SP-4 | | ADM > 0 & PER = 2 | High | SP-3, SP-4 | | all others | Medium | SP-2, SP-5 | | DAT = 0 | Low | SP-1 | | PER = 0 | Low | SP-1 | **Table C.4.17-1: Access to data via access to used product** | Risk factors | Impact | Security profiles | |--------------|--------|-------------------| | DAT = 2 | High | SP-3, SP-4, SP-5 | | PER = 2 | High | SP-3, SP-4, SP-5 | | all others | Medium | SP-2, | | DAT = 0 | Low | SP-1 | | PER = 0 | Low | SP-1 | Requirements that mitigate this threat: AUTH, CDST, SCDL, SDRF Loading 
@@ -1150,8 +1140,8 @@ Attacker may get unauthorised access to Personal Data stored or transmitted by t **Table C.4.18-1: Compromise of Personal Data stored or transmitted by the product** | Risk factors | Likelihood | Security profiles | |------------------------------|------------|------------------------| | PER = 2 & DATA = 2 & FUN = 2 | High | SP-3 | |-------------------|------------|------------------------| | PER = 2 & FUN = 2 | High | SP-3 | | all others | Medium | SP-1, SP-2, SP-4, SP-5 | **Table C.4.18-2: Compromise of Personal Data stored or transmitted by the product** Loading 
@@ -1174,14 +1164,14 @@ Mitigations for Impact: **Table C.5-1: Mapping of use cases to risk factors and security profiles** | Use case | Description | CFG | AUT | DAT | FUN | ADM | RDP | DNC | COM | CON | PER | SP | |----------|-----------------------------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|------| | UC-1 | Individual consumer | 1 | 0 | 0 | 0 | 2 | 2 | 2 | 0 | 0 | 0 | SP-1 | | UC-2 | Privacy conscious household | 1 | 0 | 1 | 1 | 1 | 1 | 2 | 1 | 0 | 1 | SP-2 | | UC-3 | Journalist or activist | 1 | 1 | 2 | 2 | 2 | 2 | 2 | 1 | 0 | 2 | SP-3 | | UC-4 | Small organisation | 2 | 2 | 2 | 1 | 1 | 2 | 2 | 2 | 1 | 1 | SP-4 | | UC-5 | Large enterprise | 2 | 2 | 2 | 2 | 0 | 2 | 2 | 2 | 2 | 1 | SP-5 | | UC-6 | Enterprise client software | 1 | 0 | 2 | 1 | 0 | 0 | 2 | 0 | 1 | 1 | SP-6 | | Use case | Description | CFG | AUT | PER | FUN | ADM | RDP | DNC | COM | CON | SP | |----------|-----------------------------|-----|-----|-----|-----|-----|-----|-----|-----|-----|------| | UC-1 | Individual consumer | 1 | 0 | 0 | 0 | 2 | 2 | 2 | 0 | 0 | SP-1 | | UC-2 | Privacy conscious household | 1 | 0 | 1 | 1 | 1 | 1 | 2 | 1 | 0 | SP-2 | | UC-3 | Journalist or activist | 1 | 1 | 2 | 2 | 2 | 2 | 2 | 1 | 0 | SP-3 | | UC-4 | Small organisation | 2 | 2 | 2 | 1 | 1 | 2 | 2 | 2 | 1 | SP-4 | | UC-5 | Large enterprise | 2 | 2 | 2 | 2 | 0 | 2 | 2 | 2 | 2 | SP-5 | | UC-6 | Enterprise client software | 1 | 0 | 2 | 1 | 0 | 0 | 2 | 0 | 1 | SP-6 | ## C.6 Security profiles Loading 
@@ -1193,15 +1183,15 @@ Security profiles are an informative resource to the assessor. Each security pro **Table C.6.2-1: Mapping of security profiles to risk factors** | Security Profile | Description | CFG | AUT | DAT | FUN | ADM | RDP | DNC | COM | CON | PER | |------------------|-----------------------------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| | SP-6 | Enterprise client software | 2 | 0 | 2 | 1 | 0 | 0 | 1 | 0 | 1 | 1 | | SP-1 | Individual consumer | 1 | 0 | 0 | 0 | 2 | 2 | 2 | 0 | 0 | 0 | | SP-2 | Privacy conscious household | 1 | 0 | 1 | 1 | 1 | 0 | 2 | 1 | 0 | 1 | | SP-3 | Journalist or activist | 1 | 1 | 2 | 2 | 2 | 2 | 2 | 1 | 0 | 2 | | SP-4 | Small organisation | 2 | 2 | 2 | 1 | 1 | 1 | 2 | 2 | 1 | 1 | | SP-5 | Large enterprise | 2 | 2 | 2 | 2 | 0 | 1 | 2 | 2 | 2 | 1 | | SP-6 | Enterprise client software | 1 | 0 | 2 | 1 | 0 | 0 | 2 | 0 | 1 | 1 | | Security Profile | Description | CFG | AUT | PER | FUN | ADM | RDP | DNC | COM | CON | |------------------|-----------------------------|-----|-----|-----|-----|-----|-----|-----|-----|-----| | SP-6 | Enterprise client software | 2 | 0 | 2 | 1 | 0 | 0 | 1 | 0 | 1 | | SP-1 | Individual consumer | 1 | 0 | 0 | 0 | 2 | 2 | 2 | 0 | 0 | | SP-2 | Privacy conscious household | 1 | 0 | 1 | 1 | 1 | 0 | 2 | 1 | 0 | | SP-3 | Journalist or activist | 1 | 1 | 2 | 2 | 2 | 2 | 2 | 1 | 0 | | SP-4 | Small organisation | 2 | 2 | 2 | 1 | 1 | 1 | 2 | 2 | 1 | | SP-5 | Large enterprise | 2 | 2 | 2 | 2 | 0 | 1 | 2 | 2 | 2 | | SP-6 | Enterprise client software | 1 | 0 | 2 | 1 | 0 | 0 | 2 | 0 | 1 | # Annex D (informative): Risk evaluation guidance Loading Loading
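Review bot: the `@@ -554,16 +554,6 @@` hunk deletes `### C.2.4 RF-DAT: Sensitivity of data` but leaves the next heading as `### C.2.5 RF-FUN: Sensitivity of functions`, so the annex numbering now skips C.2.4. Renumber the following subsections or mark the number as intentionally unused. The deleted text defined DAT-0 to DAT-2 in terms of confidentiality, availability and integrity of user data, and every threat table in this patch now reads PER where it read DAT. The RF-PER definition is not among the visible hunks, so please confirm it covers those cases or adjust it in the same change.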
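Review bot: in Table C.4.6-1 (`@@ -771,17 +761,17 @@`) the High row `RDP = 2 & max(PER, FUN) = 2` and the Low row `RDP = 0 or PER = 0 or FUN = 0` overlap: RDP = 2, PER = 0, FUN = 2 satisfies both. Since the Low row is being rewritten anyway, consider `RDP = 0 or max(PER, FUN) = 0`, the form Table C.4.8-1 uses with DNC, or state which row takes precedence.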
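Review bot: the rewritten High row of Table C.4.9-1 (`@@ -868,17 +858,17 @@`), `CON = 0 & CFG > 0 & max(PER, FUN) = 2)`, carries over the unbalanced closing parenthesis from the old line; drop it while the line is being touched. The Low rows in several neighbouring tables also alternate between `max (PER, FUN)` and `max(PER, FUN)`; one spelling throughout would make the conditions easier to search.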
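Review bot: the new High row of Table C.4.15-1 (`@@ -1056,8 +1046,8 @@`) reads `PER = 2 & & FUN = 2`, with a stray `&` left behind where `DATA = 2` was removed. It should read `PER = 2 & FUN = 2`, matching the corresponding row of Table C.4.18-1 in this same patch.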
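Review bot: in Table C.4.18-1 (`@@ -1150,8 +1140,8 @@`) the High row `PER = 2 & FUN = 2` lists only SP-3, but Table C.6.2-1 as changed by this patch gives SP-5 PER = 2 and FUN = 2, so SP-5 meets the High condition while still being listed under `all others` (Medium). Either add SP-5 to the High row or revisit the PER value assigned to SP-5. The same applies to Table C.4.15-1.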
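Review bot: in Table C.5-1 (`@@ -1174,14 +1164,14 @@`) the new PER column holds the values of the old DAT column and the old PER column is dropped, which silently raises PER from 1 to 2 for UC-4, UC-5 and UC-6. If the intent is only to rename DAT, the old PER values are lost. If the intent is to merge the two factors, the commit message should say how conflicting values were resolved (here the higher one appears to have been kept).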
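Review bot: Table C.6.2-1 (`@@ -1193,15 +1183,15 @@`) still has two SP-6 rows after the change, and they disagree: the first has CFG = 2 and DNC = 1, the last has CFG = 1 and DNC = 2. Only the last one matches the UC-6 row of Table C.5-1. Since every row of the table is being rewritten, remove the stale SP-6 row rather than carrying it forward.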