[Servercert-wg] Risk Assessment Approach

Thu Oct 7 13:58:59 UTC 2021

Greetings SCWG,

Over in the NetSec Subcommittee we're working to finish a risk assessment
to use as a basis for further work on the NCSSRs. To communicate the
approach we're taking and solicit feedback from the larger working group,
I'm sharing below the methodology we've agreed on and started to implement.
There is a great deal of prior work over the last few years we'll be
pulling in with this effort to get over the finish line.

Feedback and comments are welcome.
Background

The Network Security Subcommittee was chartered with the following purpose:

The Network Security Subcommittee shall propose ballots to the SCWG to
improve the minimal security standards within the mission defined above.
This includes modifying the existing Network and Certificate System
Security Requirements (NCSSR) or to create new requirements, guidelines, or
best practices. Among other activities, the Network Security Subcommittee
shall perform security analysis on typical CA Management Systems offering
options to the Server Certificate Working Group for establishing minimal
security standards. Risk analysis will also be used to provide a better
understanding of threats and vulnerabilities in Certificate Management
Systems. This process can be used to provide better reasoning and
justification of existing or future security guidelines.

The mandate to improve the NCSSR is firmly rooted in an expectation that a
risk assessment specific to Certificate Management Systems be produced and
used to guide improvement proposals. Several steps have been taken on this
path, but we do not yet have an accepted risk assessment.
Objective

This document will define the methodology to be used and the expected
deliverables at the end of the risk assessment process. We will follow the
general approach outlined in NIST SP 800-30r1, 800-37 and 800-39.
Purpose

The purpose of this risk assessment is to evaluate in sufficient detail the
risks faced by public CAs to guide improvement of the NCSSR. The resulting
product will be a critical tool for the subcommittee and others to use in
proposing appropriate mitigations.
Scope

To maintain focus on the NCSSR and the mission of the subcommittee, the
risk assessment will primarily focus on risks at the information systems
tier (tier 3) and with some items from business processes (tier 2) and
little focus on organizational issues (tier 1). The assessment will
approach this in a generalized way to be as applicable to all CA Management
Systems as possible.
Assumptions and Constraints

This assessment will include threat sources, threat events, vulnerabilities
and impacts that have caused serious issues for CAs or other high security
organizations in the past or are likely to in the future. Likelihood will
be evaluated within the space of a year.
Sources

Threat, vulnerability and impact information will be drawn from industry
sources such as incident reports, general technical security reports, the
experience of participants in the risk assessment and the documents
previously generated by this group such as Root CA System Threat
Analysis2.xlsx
<https://docs.google.com/spreadsheets/d/1X3tLarx42JBEa6faaL9qgAaUPKYuaEeD/e>
and Threat Modeling per Use Case/Story
<https://docs.google.com/document/d/1nHpYpTFhYlSJoweOu3xH1XuJG9h5OpxdApnYWuhd8RY/>
.
Approach

We will take a threat-oriented approach, meaning that in our generated
table, threat sources will occupy the left-most column and threat events,
assets, vulnerabilities, likelihoods and impacts will follow to the right.
The reason for this ordering over an asset- or impact-oriented approach is
that a threat source-threat event-vulnerability combination will often have
similar details on multiple assets, so the completed table may be more
compact and easier to make use of.

We will take a qualitative approach to recording values such as likelihood
and impact, as these will be most useful and are more honest in recognizing
the vagaries and variability of doing the analysis at this level and
distance from any particular CA Management System.

Our evaluations will be fairly risk intolerant due to the sensitive and
very high trust nature of CA systems. At this point in time we will prepare
the risk assessment without evaluating current NCSSR expectations or
mitigating controls.
Conducting the Risk Assessment

Following the methodology outlined above, we will generate a table. The
rows will capture a threat source, threat event, asset, vulnerability,
likelihood and impact. As necessary for clarity and completeness, a threat
source may be repeated multiple times. Once all combinations of these
columns have been exhausted and evaluated, the risk assessment will be
reviewed by the subcommittee and then shared with the SCWG.
Further Work

An immediate follow-on to this work should be the full mapping of the risk
assessment to existing mitigations and controls in the NCSSR. Additionally,
we should do a similar mapping against other regulatory frameworks we are
considering to replace components of the NCSSR and guide us in creating a
WebPKI-specific overlay to complement the framework.

-- 

*Daniel Jeffery* | TLS
fastly.com | @fastly <https://twitter.com/fastly> | LinkedIn
<http://www.linkedin.com/company/fastly>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20211007/552510d6/attachment.html>