[cabf_netsec] Minutes of NetSec meeting - 2020-01-23

[Neil Dunbar]

Colleagues,

I'm attaching the minutes of yesterday's discussion for updates or 
corrections. As always, do check that your name is on the list of 
attendees, and let me know any changes as soon as you can.

Cheers,

Neil

-------------- next part --------------
NetSec Subgroup Meeting - 2020-01-23

Present

Neil Dunbar (TrustCor) [Chair]
Clint Wilson (Apple)
Corey Rasmussen (OATI)
Tim Crawford (BDO)
Ben Wilson (IP)
David Kluge (Google)
Dustin Hollenback (Microsoft)
Mariusz Kondratowicz (Opera)
Tobias Josefowitz (Opera)
Trevoli Ponds-White (Amazon)
Joanna Fox (GoDaddy)
Patrick Milot (IP)

1. Review Agenda

The agenda was agreed without modification.

2. Agree Last Meeting Minutes

The minutes for the meeting on 2020-01-23 were agreed.

3. Discuss Communication Methods

David mentioned that posting the information for meetings (including passwords/phrases) on the public lists, and that
we should clarify what the appropriate protocols were for such communications. Neil replied that a concern was that
anyone can see the archives for the mailing list, exposing potentially restricted information to a larger audience than
intended.

Ben replied that there was a problem using the wiki for Interested Parties, since they don't have access to it (at least
his access was removed), thus making that information access difficult. Neil suggested mailing the wiki information to
IPs. Trev suggested further that if that were to be done, it would be better to mail everyone on the list (but via a mass
mailing rather than a posting to the netsec list).

Trev then asked what problem we were trying to solve. Ben replied that passwords have been leaked before and no-one
seemed to take advantage of the leaks. Neil said that some members have expressed reservations about the potential of
people joining the meetings without having signed up to the IPR agreements, contrary to the policies of their company
counsels.

Neil took the action item to update the wiki with current Subgroup and team meeting information.

4. Discuss CVS URL Change

Neil introduced (from Josh Aas via Dimitris) that the current NSR link to nvd.nist.gov is suboptimal,
with a newer one being more appropriate to showing the CVSS metrics. Since the change was trivial, would it be sensible to
include it in a clean-up ballot?

Ben replied that there was also the textual change which states that a Critical Vulnerability is actually at CVSSv3 score
of 9.0, whereas the NSRs refer to the earlier value of 7.0. Trev said that this was a material change, thus making that
more than a cleanup ballot. Neil agreed that this was a true ballot.

Neil took the action item to circulate a preliminary ballot to the group.

5. Pain Points SG Update

David replied that there was no call last week because of Martin Luther King day in the US.

He reiterated that the log retention ballot still needed work from the SG and general group, therefore the
action remains outstanding.

6. Threat Modelling SG Update

Mariusz said that there was no meeting last time, so there was no update, but that the meeting would commence
following this NetSec group meeting.

The topic for the next meeting was on expressing risks coming from the models so far, with the intention to
produce a good data set at the next Face to Face meeting in Bratislava.

7. Document Structuring SG Update

Ben said that the next call would be on Monday (2020-01-27). He recounted the discussion between Ryan (Sleevi) and himself on
the list which made clear that the document restructuring was more than just a renumbering exercise, and that 
substantive changes would be coming into the new document. Ben also has made the documentation publicly readable so
that interested parties can view the state of discussions.

David offered to help in summarising the eventual goals of the Document Structuring group.

Neil then asked the minutes should be placed on the wiki, but then said the netsec archives should show that for
anyone sufficiently interested.

8. Work on upcoming ballot texts

Neil mentioned that the redline has been placed in the current ballot document for SC20 v2. Neil asked if the seconders
were still happy to second the document. Dustin said that he would check with his team to ensure that his seconding
can continue. Tobias said that he was happy to continue as seconder for the ballot.

For the log retention ballot, Neil asked if the Pain Points group could come up with a Risks vs Benefits section in the
text. Tim said that he was happy to do this. Neil also asked for a redline.

Tim also said that the main pain point which brought this forward was "firewall and router activities"; some people
interpret that as meaning configuration changes only, whereas he and others interpret it as the full traffic logs for the firewalls
and routers.

David said that he couldn't see how ingress and egress logs were particularly useful over a long period. Neil
said that he also couldn't see how the "configuration changes only" was a valid interpretation of the text. He then
asked should we change the text to explicitly refer to the configurations only.

Trev asked if we really want to change the retention period and the information under audit in the same ballot.
Neil said that makes the ballot discussion more problematic. He added that the security events information in the BRs
does cover a lot of disparate information types, and that it might need a fourth category of information, which
makes the ballot a lot more complex. Tim agreed that it did complicate the ballot.

Neil then asked even if the information were limited to configuration changes, does that still justify a retention
period of over 2 years? In which case, is the split even needed. He then asked the pain points subgroup to consider
this ballot a little further, regarding splitting the categories of information.

Ben said that he liked the notion of a blanket limitation to two years.

9. Any other business.

Neil asked if participants could prepare for a discussion next time about what we would like to see presented at
the Face to Face meeting in February.

Mariusz asked if we know how much time we will have for presentation. Neil asked Ben, and he thought around 45
minutes.

Mariusz also asked if the Threat Modelling group wanted to meet earlier, since we had some spare time. That
team agreed to start sooner.

10. Adjourn

The meeting was adjourned until 2020-02-06