@@ -447,11 +447,14 @@ _The following use cases are provided to assist manafacturers in selecting risk
* UC-MOB-1 A personal smart phone
* stores highly sensitive personal information
* large number of sensors allow mass collection of sensitive personal data
* size and cost make it a common target of theft
* device usage is not limited to trusted locations and loss is forseeable
* hardware and operating system configuration not intended for modification by users
* end-users frequently install software of uncertain provenance
* device frequently connects to untrusted networks
* device frequently collects user's location at all times
* device is often always on and always connected
* UC-WE-1 A wearable health tracker, such as a smart watch
* stores information about a single user only
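Review bot: the new bullet "device frequently collects user's location at all times" contradicts itself ("frequently" versus "at all times"); suggest "device continuously collects the user's location". Two smaller points in the same list: "large number of sensors allow" should be "allows" (the subject is "number"), and the unchanged context line still carries "manafacturers" and "forseeable", which is worth a follow-up pass since "forseeable" recurs in every factor definition below. Since the added bullets (sensors, location, always connected) describe collection of sensitive personal data, they should map onto the new SENS factor when the mapping table is updated.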
@@ -551,7 +554,7 @@ Note: "account" refers to a user in the operating systems sense: a unique system
* CUSR-1: the operating system is designed to only allow one end-user to authenticate; to switch users,t he device must be reset.
* CUSR-2: the operating system is designed to allow for more than one end-user account, and end-user accounts may be simultaneously active on the device.
#### 4.5.1.3 Sensitive or Artibrary Data Storage
#### 4.5.1.3 Data Storage
**[DATA]:** Manufacturers of operating systems may implement measures to prevent the on-device storage of user data, and shall document this and implement appropriate steps to ensure that no user data is stored on the device. Manufacturers may also enable the storage of specific types of data or generally of any user-specified data, and shall document the measures available for the protection of such data.
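Review bot: the [DATA] paragraph joins two incompatible obligations with "and": a manufacturer who chooses to prevent on-device storage "shall document this and implement appropriate steps to ensure that no user data is stored", but the same sentence structure is then reused for manufacturers who do allow storage, where the "ensure no user data is stored" clause cannot apply. Suggest splitting it into one sentence per choice, each keyed to the corresponding DATA level. The heading simplification to "Data Storage" reads fine now that sensitivity moves to the new SENS section; the context line "to switch users,t he device" has a stray space that could be fixed while this block is being touched.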
@@ -559,9 +562,18 @@ Note: "account" refers to a user in the operating systems sense: a unique system
* DATA-1: the operating system is designed only to store limited data types
* DATA-2: the operating system is designed to store arbitrary data
FIXME needs to reflect sensitivity of data
#### 4.5.1.4 Collection or sharing of sensitive personal data
#### 4.5.1.4 Physical Access by Threat Actors to the Device
**[SENS]:** Manufacturers of operating systems whose common use case allows collection or sharing of sensitive personal data may implement measures to prevent or limit the collection or sharing of sensitive personal data, and shall document this and implement appropriate steps to ensure that sensitive personal data is not collected or shared. Manufacturers may also enable the collection or sharing of sensitive personal data, and shall document the measures available for the protection of such data.
* SENS-0: the operating system is effectively unable to collect sensitive personal data
* SENS-1: the operating system is designed to limit collection of sensitive personal data
* SENS-2: the operating system is designed to collect sensitive personal data
* SENS-3: the operating system is collects sensitive personal data by default
FIXME add SENS
#### 4.5.1.5 Physical Access by Threat Actors to the Device
**[PHYS]:** Manufacturers of operating systems may implement protective measures, such as preventing peripheral device driver loading or relying on hardware capabilities such as tamper-evident mechanisms, to mitigate physical access based threats to the device.
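Review bot: SENS-3 reads "the operating system is collects sensitive personal data by default"; drop "is". More substantively, SENS-2 ("designed to collect") and SENS-3 ("collects by default") overlap, since a system designed to collect such data will normally do so by default; if the intended distinction is opt-in versus opt-out collection, say so explicitly in each level. The [SENS] paragraph has the same problem as [DATA]: "ensure that sensitive personal data is not collected or shared" only fits SENS-0, not SENS-1 ("limit"), so the obligation should be worded per level. Finally, "FIXME add SENS" is still open in this patch: the mapping table header later in the diff lists no SENS column, so either add the column here or leave the FIXME with a note that the table update is pending.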
@@ -569,15 +581,16 @@ FIXME needs to reflect sensitivity of data
* PHYS-1: may be incidentally exposed to untrusted users
* PHYS-2: used primarily by untrusted users, e.g. the general public
#### 4.5.1.5 Probability of Loss of the Device
#### 4.5.1.6 Probability of Loss of the Device
**[LOSS]:** likelihood of loss or theft should be accounted for in the risk calculation, particularly for devices that store sensitive personal data.
* LOSS-0: forseeable use of the operating system is limited to stationary devices or devices with other loss-prevention mechanisms
* LOSS-1: forseeable use of the operating system is in a device with only incidental loss likelyhood
* LOSS-2: forseeable use of the operating system is in a device with a high loss likelyhood, such as devices which are common targets of theft such as mobile phones
* LOSS-2: forseeable use of the operating system is in a device with moderate loss likelyhood
* LOSS-3: forseeable use of the operating system is in a device with a high loss likelyhood, such as devices which are common targets of theft such as mobile phones
#### 4.5.1.6 Hardware Modifiabiliy by End Users
#### 4.5.1.7 Hardware Modifiability by End Users
**[HWMD]:** Manufacturers of operating systems shall account for forseeable risks from hardware modifications within the intended use of the product.
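Review bot: LOSS now has four levels (0 to 3) while the neighbouring factors (PHYS, HWMD, DVCS, TNET, FNET) have three, so if the _TOTAL_ column of the mapping table is a plain sum, LOSS is now weighted more heavily than the other factors. That may be exactly what Val's comment about phones calls for, but the weighting should be stated next to the table rather than left implicit in the number of levels. Since LOSS-2 and LOSS-3 are rewritten here anyway, "forseeable" and "likelyhood" could be corrected to "foreseeable" and "likelihood" in the new lines. The heading fix to "Hardware Modifiability" is good.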
@@ -585,15 +598,16 @@ FIXME needs to reflect sensitivity of data
* HWMD-1: forseeable use of the operating system includes hardware modifications by skilled or trusted users, such as corporate IT support staff
* HWMD-2: forseeable use of the operating system includes hardware modification by unskilled users, such as in a personal computer
#### 4.5.1.7 Software Modifiability by End Users
#### 4.5.1.8 Software Modifiability by End Users
**[SWMD]:** Manufacturers of operating systems which are designed to allow end-users to install or substantially modify the software shall account for the risks from arbitrary software execution.
* SWMD-0: forseeable use lacks any reasonable means for end-users to install or modify the software
* SWMD-1: forseeable use only allows the installation of trusted and verified software
* SWMD-2: forseeable use allows for the installation of arbitrary software or for substantial modification of pre-installed software
* SWMD-3: forseeable use actively encourages and facilitates the installation of arbitrary software
#### 4.5.1.8 Untrusted Peripheral Devices
#### 4.5.1.9 Untrusted Peripheral Devices
**[DVCS]:** Manufacturers of operating systems which are intended for devices that support attached peripheral devices, such as those utilizing USB or PCI conenctions, shall account for the risk posed by untrusted or compromised peripheral devices and implement appropriate safeguards.
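Review bot: the boundary between SWMD-2 ("allows for the installation of arbitrary software") and SWMD-3 ("actively encourages and facilitates") rests on intent, which a manufacturer cannot be assessed against objectively; suggest an observable criterion, for example whether the product ships a built-in mechanism for end users to obtain and install third-party software versus merely not preventing it. The renumbered headings are consistent with the inserted SENS section. Minor: "conenctions" in the [DVCS] paragraph.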
@@ -601,7 +615,7 @@ FIXME needs to reflect sensitivity of data
* DVCS-1: forseeable use includes only trusted and safe peripheral devices
* DVCS-2: forseeable use allows for arbitrary peripheral device attachment
#### 4.5.1.9 Access To The Internet
#### 4.5.1.10 Access To The Internet
**[TNET]:** Manufacturers of operating systems designed to provide end-users with access to the internet shall implement appropriate safeguards based on the nature of internet access and forseeable use of the operating system.
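Review bot: renumbering only, no objection. One style point while the heading line is being replaced: "Access To The Internet" capitalises "To" and "The", whereas the other headings in this section use sentence-style prepositions ("Physical Access by Threat Actors to the Device", "Hardware Modifiability by End Users"); "Access to the Internet" would match.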
@@ -609,15 +623,15 @@ FIXME needs to reflect sensitivity of data
* TNET-1: forseeable use allows internet access for only highly restricted functions, such as retrieving security updates
* TNET-2: forseeable use allows for arbitrary access to the internet, such as by browsing the web
#### 4.5.1.10 Accessed From Untrusted Networks Including The Internet
#### 4.5.1.11 Accessed From Untrusted Networks Including The Internet
**[FNET]:** Manufacturers of operating systems designed to be connected to directly from the internet, rather than placed behind NAT or a firewall, shall implement appropriate safeguards to mitigate risks.
* FNET-0: forseeable use is limited to trusted and private networks.
* FNET-1: forseeable use includes untrusted local networks but not the open internet.
* FNET-2: forseeable use includes being connected directly to the open internet.
* FNET-0: forseeable use is limited to trusted and private networks
* FNET-1: forseeable use includes untrusted local networks but not the open internet
* FNET-2: forseeable use includes being connected directly to the open internet
#### 4.5.1.11 Configurability
#### 4.5.1.12 Configurability
**[CONF]:** Manufacturers of operating systems which are intended to be configurable by end users shall provide secure-by-default configurations and document all available configuration options. Such documentation shall detail any effects on safety and security that such configuration changes may cause.
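Review bot: the FNET list edit only drops the trailing periods, but the [FNET] paragraph still describes a binary choice ("connected to directly from the internet, rather than placed behind NAT or a firewall") and so has no wording for FNET-1 (untrusted local networks but not the open internet); suggest "designed to be reachable from untrusted networks, whether an untrusted local network or directly from the internet, rather than placed behind NAT or a firewall". "connected to directly from the internet" also reads awkwardly; "reachable directly from the internet" is clearer. Same heading-case remark as for TNET applies to "Accessed From Untrusted Networks Including The Internet".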
@@ -627,18 +641,18 @@ FIXME needs to reflect sensitivity of data
### 4.5.1 Mapping of use cases to risk factors
| Use Case | NUSR | CUSR | DATA | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |
Val: Phone should be significantly riskier than a personal laptop but comes out less risky, suggests that the available risk levels may need to be changed. The goes-everywhere, always-on, super loaded with personally identifiable data, filled with data stealing apps part isn't fully reflected. I would expand FNET, PHYS, LOSS, DATA perhaps? Also maybe add the lower admin/user sophistication?
Val: Phone should be significantly riskier than a personal laptop. The phone goes everywhere, is always on, always connected, filled with sensors, super loaded with personally identifiable data, practically begs you to install with data stealing apps.
Carl-Daniel:
Separate question for the application delivery mechanism:
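Review bot: two things this hunk leaves inconsistent with the rest of the patch. First, the heading "### 4.5.1 Mapping of use cases to risk factors" reuses the number 4.5.1, which is already the parent of the 4.5.1.x factor subsections above; it should be 4.5.2 (or the next free number). Second, the table header still lists NUSR, CUSR, DATA, PHYS, LOSS, HWMD, SWMD, DVCS, TNET, FNET and CONF but no SENS column, even though this patch introduces the SENS factor and the use-case bullets that motivate it; without that column (and the extra LOSS level taken into account) the _TOTAL_ for the phone will not move in the direction Val's comment asks for. Minor grammar in the rewritten comment: "begs you to install with data stealing apps" should be "begs you to install data stealing apps".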