Loading EN-304-626.md +79 −11 Original line number Diff line number Diff line Loading @@ -2021,7 +2021,7 @@ Assumptions can be updated to be less stringent as more use cases and mitigation # Annex D (informative): Risk evaluation guidance ## D.0 Explanation of Risk Modeling Approach ## D.1 Explanation of Risk Modeling Approach **Aeva's Notes on Risk Model** Loading 
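Review bot: renumbering "D.0 Explanation of Risk Modeling Approach" to "D.1" collides with the existing "## D.1 Mapping of risks to requirements" heading later in this file (visible as unchanged context in the second hunk), leaving two D.1 sections and breaking any cross-references to the mapping section. Either keep D.0 for the explanation or renumber the mapping heading to D.2 in the same change so the annex stays consistently numbered.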
@@ -2045,16 +2045,84 @@ Approach to the whole document: - start from a (possibly too long) list of product use cases - articulate risks that emerge from forseeable (mis)uses of products - map each risk to each use case - for each use case, sum the risks into an aggregated risk score - for each use case, combine the risks into an aggregated risk score using likelihood and impact - articulate mitigations that protect against forseeable risks - map each risk to one or more mitigations that protect against it - map each use case to the relevant set of mitigations (by linking through the risk mapping, but hiding the risks in the final mapping) - verify that there are more mitigations required for use cases that had a higher aggregated risk score - verify that the risk score of each use cases is proximate to other similarly-risky forseeable use cases, even in different product categories. - map each use case to the relevant set of mitigations (by linking through the risk mapping, but hiding the risks in the final mapping) - verify that there are more mitigations required for use cases that had a higher aggregated risk score - verify that the risk score of each use cases is proximate to other similarly-risky forseeable use cases, even in different product categories. **Val's notes on risk model, ignore** The fundamental types of attack of an OS are: * Local threats: Running code on the platform of the OS that results in unauthorized access to assets * Remote threats: Unauthorized read/write of data transmitted in/out of the OS * Physical threats: Physical tampering of platform * Denial of service: Deny access to assets by triggering specific code paths in OS We need to reframe the risk factors in terms of things that affect the likelihood and impact of the risk that a technical requirement is mitigating. What affects (1) the likelihood, (2) the impact of each of these types of attack? 
* Local threats * Likelihood: * User accounts can be created by untrusted users * Writable storage * Accepts connections from a public network * Initiates connections to a public network * Web browsing * Installing software * Installing hardware * Plugging in peripherals * Configurability * Physical access to device by untrusted users * Impact: * Type of data stored * Sensitivity of data stored * Sensitivity of functions * Number of users affected * Remote threats * Likelihood: * Accepts connections * Makes connections * RDPS * Web browsing * Impact: * Sensitivity of data transmitted * Physical threats * Likelihood: * Physical access to device by untrusted users * Impact: * Type of data stored * Sensitivity of data stored * Sensitivity of functions * Number of users affected * Denial of service * Likelihood: * Combination of local and remote likelihood factors * Impact: * Type of data stored * Sensitivity of data stored * Sensitivity of functions * Number of users affected The major risks for operating systems depend on: * Likelihood of attacker running code on the same platform as the OS * Platform includes hypervisor/container host * Is platform is shared with hostile users? * What software is installed? * Web browser? * Plug in peripherals which may load drivers or contain software * Add hardware that does the same * Install drivers/modify kernel * Likelihood of attacker breaking the isolation between its code and the OS or its users' assets * Impact of data leak * Impact of loss of data integrity ## D.1 Mapping of risks to requirements Loading Loading
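Review bot: replacing "sum the risks" with "combine the risks into an aggregated risk score using likelihood and impact" leaves the combination rule unspecified, yet the two later verification steps ("more mitigations required for use cases that had a higher aggregated risk score" and "the risk score of each use cases is proximate to other similarly-risky forseeable use cases") only work if scores are computed the same way across product categories; state the rule explicitly (for example, score each risk as likelihood times impact on a fixed scale, then say whether use-case scores are summed or take the maximum). The same list items ("map each use case to the relevant set of mitigations", the two "verify that" items) appear both as removed and re-added lines around the new "map each risk to one or more mitigations" step, so check that the intended order survives and fix "each use cases" and "forseeable" while touching them. The new "**Val's notes on risk model, ignore**" block adds drafting notes with an "ignore" marker into the committed informative annex; mark it as an editor's note or keep it out of the document text, and if it stays, fix "Is platform is shared with hostile users?", spell out "RDPS", and give the Denial of service entry an impact list in terms of availability (which functions become unavailable and for how long) rather than repeating the data-sensitivity factors used for local and physical threats.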