## 20160328 AK
----
[[RiskAssessment/CZ|česky]] | '''english'''
----
==== Prelude ====
This is a risk assessment based on AS/NZS 4360:2004. It is work in progress and not endorsed by the CAcert board.

= Context =
This risk assessment applies to the CAcert operation as a certificate authority. Many of the governance obligations of the operation as a certificate authority tie to the operation of the CAcertIncorporated Association, and these aspects are incorporated into this risk assessment. Risks that are to be managed are ones that affect the viability of CAcert's certificate authority function.

''Q(iang): organisation is what? There is the CAcert Inc Association, the certificate authority, the Assurer network, sundry others and finally, the Community. If organisation as a whole, perhaps the Community, but also the CA ... (dan) scoped to CA and to some extent addressed the governance/community dependencies''

== External Context ==
CAcert is a community organisation that is in the business of validating identities and provides a certificate/X.509 service based on this. It operates globally. Like all certification authorities (CAs), its risks are ones of proper process and technology that support a high validation of identities to the owners of certificates. Reputation is highly important to CAcert.

CAcert's certificate authority obligations are dependent on the community of assurers, and the [[http://www.cacert.org/policy/CAcertCommunityAgreement.php|Community Agreement]] sets a standard of mutual obligation that CAcert is determined to uphold. Unlike most CAs, the split between assurance and certificate issuance creates a large obligation to serve the assurance community.

Key business goals are to gain InclusionStatus into major browsers. The [[http://www.mozilla.org/projects/security/certs/policy/|Mozilla organisation]] has required the completion of an [[Audit]] project to fulfil its inclusion status, and as such this is the major goal.
The [[Audit]] project is funded by [[http://www.nlnet.nl/|NLnet]] and is under [[http://svn.cacert.org/CAcert/CAcert_Inc/Funding/MoU_Audit_for_CAcert_Final.pdf|obligation]] to deliver outcomes at specified dates.

== Internal Context ==
The board and management subcommittee (M-SC) are volunteers committed to these goals of the organisation. Their time, however, is limited. CAcert is an [[CAcertIncorporated|incorporated organisation]] in NSW, Australia, that is managed by the [[Board|board]]. The board has delegated CEO-like duties to the M-SC.

CAcert's assets include ownership of servers that provide various online functions necessary for the performance of a CA. Audit and documentation services have been contracted out, as have hosting and firewall management. CAcert's financial assets are largely funded activities dependent on delivering outcomes. Internal goals are to enhance the system administration to a supportable level.

= Risk Measurement =
Risks rated above Medium will be managed. Medium risks will be managed if time/cost permits. The consequence/likelihood factors below determine risk.

== Consequence Ratings ==
These describe the harms that occur if the threat is realised.

|| '''Consequence Category''' || '''Meaning''' ||
|| Catastrophic || Will impact the long term viability of the organisation ||
|| Major || Will result in CAcert's root certificate being revoked out of major browsers ||
|| || Loss of confidentiality of CAcert root private keys ||
|| || Will result in wide scale revocation or reissuing of certificates ||
|| || Serious damage to the reputation of CAcert's management / staff / critical systems ||
|| || Inability to issue certificates for more than two weeks ||
|| || Wide scale significant inconvenience to users of CAcert certificates, e.g. no validation when reading CAcert-signed email / no accessibility to CAcert server sites due to CRL/OCSP failure ||
|| Moderate || Inability to issue certificates for a period less than two weeks ||
|| || Denial of service of CRL or OCSP services greater than 5 minutes ||
|| || Significant PR required to address failures ||
|| || Delays to the progress of the Audit / Systems Manual ||
|| || Unplanned costs greater than 1000 EUR ||
|| Minor || Press associated with the compromise of non-critical systems ||
|| || Actions that require legal representation ||
|| || Breach of confidential communications ||
|| || Unplanned costs greater than 400 EUR ||
|| Insignificant || Unavailability of non-critical systems for less than one day ||
|| || Need to revoke individual identity registration ||

(Really these should be determined and signed off by management.)

''Q(iang): there is an interesting comment in the choice of catastrophic and major risks, which places the survival of the organisation above the CA and reliance by (explicit and implicit) parties. I do not disagree, but it is certainly a debate to be had. The choice above to some extent reflects the "wider mission" of security rather than the "narrow mission" of "free certs". (dan): To my understanding, to meet the "wider mission of security" a governance structure is required to obtain the necessary credibility that is pretty much mandated in the security community.''

''Q(iang): the recent debate over DoB was based on the threat of identity theft. Recent USA credit-market developments indicate that a large scale identity theft has rocketed from a minor risk (if covered up) to a major risk (as regulators get involved, fines are likely, wholesale revision of security is indicated, etc). (dan) this almost leads to a risk assessment based on PR and legal risk (which it almost is anyway). I'm not sure that is such a bad thing either.''

== Likelihood Ratings ==
|| Almost Certain || Every day ||
|| Likely || Once every 3 months ||
|| Possible || Once a year ||
|| Unlikely || Once in 5 years ||
|| Rare || Less than once in 5 years ||

== Risk Matrix ==
Risks are:
 * E - Extreme
 * H - High
 * M - Medium
 * L - Low

|||||||||||| '''Consequence''' ||
|| || Insignificant || Minor || Moderate || Major || Catastrophic ||
|| Almost Certain || H || H || E || E || E ||
|| Likely || M || H || H || E || E ||
|| Possible || L || M || H || E || E ||
|| Unlikely || L || L || M || H || E ||
|| Rare || L || L || L || M || H ||

= Assets =
Assets here are annotated with the consequence rating should the asset no longer be available.

=== Intangible Assets ===
 * Meeting obligations of an included CA in Mozilla (Major)
 * Incorporation Status (Moderate)
 * Reputation (Major)
 * Community Support, e.g. Assurers' willingness to assure people (Moderate)

== Systems ==
Different assets are critical for different reasons. The tables below indicate which security aspect of each asset has consequences.
=== Critical Systems ===
|| Asset || Confidentiality || Integrity || Availability short term || Availability long term ||
|| Root key (RK) || Major || Moderate || Moderate (<1 week) || Major (>1 week) ||
|| Signing mechanism (SM) including main website || Insignificant || Major || Moderate (<2 weeks) || Major (>2 weeks) ||
|| OCSP service / CRL distribution points || Insignificant || Major || Moderate (<5 minutes) or 99.9999% || Major (>5 minutes) or <99.999% ||
|| DNS || None || Major || Moderate (<5 minutes) or 99.9999% || Major (>5 minutes) or <99.999% ||
|| User database (UDB) || Major || Major || Minor (<24 hours) || Moderate (>24 hours) ||
|| Main website including email/domain ping testing || Minor || Insignificant || Minor (<24 hours) || Moderate (>24 hours) ||

=== Non-critical Systems ===
|| Asset || Confidentiality || Integrity || Availability short term || Availability long term ||
|| List server (board/arbitration lists) || Moderate || Moderate || Minor (<1 week) || Moderate (>1 week) ||
|| Email server || Moderate || Moderate || Minor (<1 week) || Moderate (>1 week) ||
|| Wiki || Minor (for ACL pages) || Minor (for ACL pages) || Minor (<1 week) || Moderate (>1 week) ||
|| Blog || Insignificant || Moderate || Insignificant (<2 weeks) || Minor (>2 weeks) ||
|| IRC || Insignificant || Insignificant || Insignificant (<2 weeks) || Minor (>2 weeks) ||
|| SVN || Insignificant || Minor || Insignificant (<2 weeks) || Minor (>2 weeks) ||
|| CATS || Minor || Moderate || Insignificant (<2 weeks) || Minor (>2 weeks) ||
|| test || Insignificant || Moderate || Insignificant (<2 weeks) || Minor (>2 weeks) ||
|| audit || || || || ||
''TODO find/determine the purpose of audit''

=== Other Assets ===
 * Financial Assets (Moderate)
 * Relationships with service providers ([[http://www.bit.nl|Bit]] and [[http://www.tunix.nl|Tunix]]) (Major)
 * Domains (cacert.org + others (cacert.at - as significant?)) (Major)

= Threats =
Once inclusion into Mozilla browsers is obtained, the threat profile is raised significantly. As the ability to respond to this threat is timely, this risk assessment assumes inclusion status has been obtained.

 * Commercial CAs
  * CAcert's zero cost model significantly undermines the viability of other CAs' business.
 * Crackers
  * These are largely assumed to be financed by the commercial CAs.
 * Criminal Fraud Organisations
  * Issuing certificates of financial institutions will be highly profitable in phishing attacks.
 * Government
  * Some governments view wide scale encryption as a management threat. ''Need to map threat to legal/intelligence service objectives/priorities to address this.''
 * Law
  * Being summonsed to court to defend a certificate issue.
  * Confiscation of system assets on charges like piracy, copyright infringement.
 * Disgruntled staff / members

''Q(iang): the above seem to be the actors, whereas the threats might be: hacking, legal (filed case, legal seizure, privacy investigation, investigation by other regulator, etc); outside theft, loss, destruction, backups unreadable; leakage of data, sharing of data, misuse of resources, ... hmm, seems like another matrix. Actor / act / summary effect? A(dan) I'm tempted to address these in the RA table below.''

= Risk Assessment =
== Systems ==
Risk IDs are a concatenation of the system, the security risk ('''C'''onfidentiality / '''I'''ntegrity / '''A'''vailability) plus a unique identifier.
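The policy in Risk Measurement ("risks rated above Medium will be managed") and the risk matrix can be checked mechanically against the register. The Python below is an added example, not code from the CAcert wiki or its tooling: it encodes this page's matrix, re-derives the resultant risk for a handful of rows copied from the Systems register that follows, and flags rows whose stated rating disagrees with the matrix or whose High/Extreme risk has no residual rating after treatment. The tuple layout of a row is an assumption.

```python
# Added example, not CAcert's own code. Encodes this page's risk matrix and
# checks register rows against it and against the page's treatment policy.
CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
# Matrix from the page: one string per likelihood row, one letter per consequence column.
MATRIX = {"Almost Certain": "HHEEE", "Likely": "MHHEE", "Possible": "LMHEE",
          "Unlikely": "LLMHE", "Rare": "LLLMH"}
RATING = {"L": "Low", "M": "Medium", "H": "High", "E": "Extreme"}
ORDER = ["Low", "Medium", "High", "Extreme"]


def rate(likelihood, consequence):
    """Resultant risk for a matrix cell; case-insensitive because the page mixes cases."""
    like, cons = likelihood.strip().title(), consequence.strip().title()
    if like not in MATRIX or cons not in CONSEQUENCES:
        raise ValueError(f"not a matrix cell: {likelihood!r} x {consequence!r}")
    return RATING[MATRIX[like][CONSEQUENCES.index(cons)]]


def check_register(rows):
    """Return (id, finding) pairs: stated ratings that disagree with the matrix, and
    risks above Medium that lack a residual rating although policy says they are managed."""
    findings = []
    for rid, like, cons, stated, like2, cons2, stated2 in rows:
        try:
            computed = rate(like, cons)
        except ValueError as err:
            findings.append((rid, f"unreadable row: {err}"))
            continue
        if computed != stated:
            findings.append((rid, f"stated {stated}, matrix gives {computed}"))
        if ORDER.index(computed) > ORDER.index("Medium"):
            if not (like2 and cons2):
                findings.append((rid, f"{computed} risk has no residual rating"))
            elif rate(like2, cons2) != stated2:
                findings.append((rid, f"residual stated {stated2}, matrix gives {rate(like2, cons2)}"))
    return findings


# Rows copied from the Systems register on this page (tuple layout is an assumption):
# id, likelihood, consequence, stated risk, then the same three after treatment.
REGISTER = [
    ("RK.C.1", "Unlikely", "Major", "High", "Rare", "Major", "Medium"),
    ("RK.I", "Unlikely", "Moderate", "Low", "", "", ""),
    ("OCSP.I", "Unlikely", "Major", "High", "", "", ""),
    ("UDB.C", "Possible", "Major", "Extreme", "Unlikely", "Moderate", "Low"),
    ("UDB.I", "Possible", "Moderate", "Medium", "Possible", "Minor", "Low"),
]

if __name__ == "__main__":
    for rid, msg in check_register(REGISTER):
        print(f"{rid}: {msg}")
```

Run as written, the check reports that RK.I and UDB.I are rated lower than the matrix gives, that OCSP.I has a High risk with a treatment named but no residual rating, and that the residual ratings of UDB.C and UDB.I do not follow from the matrix.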
|| id || Asset || Threat || Likelihood || Consequence || Resultant Risk || Treatment || Likelihood (after treatment) || Consequence (after treatment) || Risk (after treatment) ||
|| RK.C.1 || Confidentiality of Root key || Criminal Fraud Organisations || Unlikely || Major || High || Physical access control + tamper zeroisation || Rare || Major || Medium ||
|| RK.C.2 || Confidentiality of Root key backup || Criminal Fraud Organisations || Unlikely || Major || High || Bank vault || Rare || Major || Medium ||
|| RK.I || Root Key integrity || Rival CA / cracker || Unlikely || Moderate || Low || Not required || || || ||
|| RK.A || Root key availability (long term) || Risk RK.C.1 or legal subpoena || Unlikely || Major || High || Accessible backup/restore procedures + multi-country operation || Rare || Major || Medium ||
|| SM.I || Signing mechanism tampered || Rival CA / cracker || Unlikely || Major || High || Audit procedures to detect false signature issue || Rare || Major || Medium ||
|| SM.A || Signing mechanism availability long term || Rival CA / cracker || Unlikely || Major || High || Per RK.A || Rare || Major || Medium ||
|| OCSP.I || OCSP/CRL points compromised resulting in DoS against legitimate users (invalid status for valid cert) / (valid status for invalid certificate) || Criminal Fraud Organisation / Cracker / Rival CA || Unlikely || Major || High || Trusted services || || || ||
|| OCSP.A || DDoS of CRL/OCSP || Extortion from Criminal Fraud Organisation / Cracker / Rival CA || Unlikely || Major || High || Service redundancy (possible?) || Rare || Major || Medium ||
|| DNS.I || False DNS entries for main website / CRL / OCSP || Cracker / Rival CA / Criminal Fraud || Unlikely || Major || High || Change control + integrity monitoring services with action to fix/shutdown. Low TTL policy (?). DNSSEC || Unlikely || Moderate || Medium ||
|| DNS.A || DNS unavailable due to DDoS || As per OCSP.A || Rare || Major || Medium || Additional services if DNS.I treatments can occur || Rare || Moderate || Medium ||
|| UDB.C || User database compromised || Crackers / Rival CA / Criminal Fraudsters || Possible || Major || Extreme || Triggers for unexpected queries to shut down DB + CodeAudit on main interface + IDS on SM || Unlikely || Moderate || Low ||
|| UDB.I || User database corrupted || Criminal Fraudsters through assurer extortion to obtain lucrative certificates || Possible || Moderate || Medium || Spot checking on domains/assurances || Possible || Minor || Low ||

== Mozilla Criteria ==
These are based on the Mozilla CA Certificate Policy (1.2). The numbers reflect the requirement in http://www.mozilla.org/projects/security/certs/policy/.

|| id || Asset || Threat || Likelihood || Consequence || Resultant Risk || Treatment || Likelihood (after treatment) || Consequence (after treatment) || Risk (after treatment) ||
|| MOZ.4.U || Issuing certificates without the knowledge of the entities whose information is referenced in the certificates || Internal errors / malicious insiders || || || || || || || ||
|| MOZ.4.F || Knowingly issuing certificates that appear to be intended for fraudulent use || Internal errors / malicious insiders || || || || || || || ||
|| MOZ.4.T.1 || ASN.1 DER encoding errors, invalid public keys, duplicate issuer names and serial numbers, incorrect extensions || Internal errors / malicious insiders || || || || || || || ||
|| MOZ.4.T.2 || cRLDistributionPoints or OCSP authorityInfoAccess extensions for which no operational CRL or OCSP service exists || Internal errors / malicious insiders || || || || || || || ||
|| MOZ.6.I || Provide some service relevant to typical users of our software products || Internal errors / malicious insiders || || || || || || || ||
|| MOZ.6.F || Publicly disclose information about their policies and business practices || Internal errors / malicious insiders || || || || || || || ||
|| MOZ.6.V || Prior to issuing certificates, verify certificate signing requests in a manner acceptable to Mozilla Foundation || Internal errors / malicious insiders || || || || || || || ||
|| MOZ.6.G || Provide attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the CA's internal operations || Poor governance || || || || || || || ||
|| MOZ.7.CV || For a certificate to be used for digitally signing and/or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder's behalf || Internal errors / malicious insiders || || || || || || || ||
|| MOZ.7.SV || For a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf || Internal errors / malicious insiders || || || || || || || ||
|| MOZ.7.CS || For certificates to be used for digitally signing code objects, the CA takes reasonable measures to verify that the entity submitting the certificate signing request is the same entity referenced in the certificate or has been authorized by the entity referenced in the certificate to act on that entity's behalf || Internal errors / malicious insiders || || || || || || || ||
|| MOZ.7.EV || Complies with [[http://www.cabforum.org/EV_Certificate_Guidelines.pdf|Guidelines for the Issuance and Management of Extended Validation Certificates]] and [[http://www.cabforum.org/erratum.html|erratum]] || Internal errors / malicious insiders || || || || || || || ||

== Legal ==
|| id || Asset || Threat || Likelihood || Consequence || Resultant Risk || Treatment || Likelihood (after treatment) || Consequence (after treatment) || Risk (after treatment) ||
|| || || || || || || || || || ||

==== References ====
 * [[http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf|Risk Management Guide for Information Technology Systems]]
 * RisksLiabilitiesObligations
 * [[Audit/CommunityReport20080602]]
 * [[Board/Minutes/20080229]]
 * [[Advisory/AMinutes20080416]]
 * [[OverviewProjectsBoard/AuditToDo]]
 * [[ThreatList]]
 * [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html|Security Policy]] and [[SecurityManual]]
 * [[http://svn.cacert.org/CAcert/SecurityManual/|Older SM and threat analysis]] by [[Philipp Güring]]

==== Footnotes ====
----
. CategoryAudit