Merge branch 'main' into main
j--- authored Oct 16, 2020
2 parents fc63d08 + ec10052 commit d4ed4f5
Showing 3 changed files with 90 additions and 79 deletions.
150 changes: 75 additions & 75 deletions data/ssvc_1_applier.csv
Original file line number Diff line number Diff line change
Expand Up @@ -49,31 +49,31 @@
47,none,controlled,mission fail,major,out-of-cycle
48,none,controlled,mission fail,hazardous,out-of-cycle
49,none,controlled,mission fail,catastrophic,out-of-cycle
50,none,unavoidable,none,none,defer
51,none,unavoidable,none,minor,scheduled
52,none,unavoidable,none,major,scheduled
53,none,unavoidable,none,hazardous,out-of-cycle
54,none,unavoidable,none,catastrophic,immediate
55,none,unavoidable,degraded,none,defer
56,none,unavoidable,degraded,minor,scheduled
57,none,unavoidable,degraded,major,scheduled
58,none,unavoidable,degraded,hazardous,out-of-cycle
59,none,unavoidable,degraded,catastrophic,immediate
60,none,unavoidable,MEF crippled,none,scheduled
61,none,unavoidable,MEF crippled,minor,scheduled
62,none,unavoidable,MEF crippled,major,scheduled
63,none,unavoidable,MEF crippled,hazardous,out-of-cycle
64,none,unavoidable,MEF crippled,catastrophic,immediate
65,none,unavoidable,MEF fail,none,scheduled
66,none,unavoidable,MEF fail,minor,scheduled
67,none,unavoidable,MEF fail,major,out-of-cycle
68,none,unavoidable,MEF fail,hazardous,out-of-cycle
69,none,unavoidable,MEF fail,catastrophic,immediate
70,none,unavoidable,mission fail,none,out-of-cycle
71,none,unavoidable,mission fail,minor,out-of-cycle
72,none,unavoidable,mission fail,major,out-of-cycle
73,none,unavoidable,mission fail,hazardous,out-of-cycle
74,none,unavoidable,mission fail,catastrophic,immediate
50,none,open,none,none,defer
51,none,open,none,minor,scheduled
52,none,open,none,major,scheduled
53,none,open,none,hazardous,out-of-cycle
54,none,open,none,catastrophic,immediate
55,none,open,degraded,none,defer
56,none,open,degraded,minor,scheduled
57,none,open,degraded,major,scheduled
58,none,open,degraded,hazardous,out-of-cycle
59,none,open,degraded,catastrophic,immediate
60,none,open,MEF crippled,none,scheduled
61,none,open,MEF crippled,minor,scheduled
62,none,open,MEF crippled,major,scheduled
63,none,open,MEF crippled,hazardous,out-of-cycle
64,none,open,MEF crippled,catastrophic,immediate
65,none,open,MEF fail,none,scheduled
66,none,open,MEF fail,minor,scheduled
67,none,open,MEF fail,major,out-of-cycle
68,none,open,MEF fail,hazardous,out-of-cycle
69,none,open,MEF fail,catastrophic,immediate
70,none,open,mission fail,none,out-of-cycle
71,none,open,mission fail,minor,out-of-cycle
72,none,open,mission fail,major,out-of-cycle
73,none,open,mission fail,hazardous,out-of-cycle
74,none,open,mission fail,catastrophic,immediate
75,poc,small,none,none,defer
76,poc,small,none,minor,defer
77,poc,small,none,major,scheduled
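Review bot: the relabel of `unavoidable` to `open` in the Exposure column is consistent across rows 50-74: the row number, the other three decision columns and the outcome column are identical between each removed line and its added counterpart, so this hunk is a pure rename and changes none of the tree's decisions. Anything that keys on the literal string `unavoidable` (a loader, a lookup, a list of allowed values for the column) will silently stop matching these rows, so grep the repository for the old value outside the three files in this commit and update any allowed-values list or data dictionary in the same change.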
Expand Down Expand Up @@ -124,31 +124,31 @@
122,poc,controlled,mission fail,major,immediate
123,poc,controlled,mission fail,hazardous,immediate
124,poc,controlled,mission fail,catastrophic,immediate
125,poc,unavoidable,none,none,defer
126,poc,unavoidable,none,minor,scheduled
127,poc,unavoidable,none,major,scheduled
128,poc,unavoidable,none,hazardous,out-of-cycle
129,poc,unavoidable,none,catastrophic,immediate
130,poc,unavoidable,degraded,none,scheduled
131,poc,unavoidable,degraded,minor,scheduled
132,poc,unavoidable,degraded,major,out-of-cycle
133,poc,unavoidable,degraded,hazardous,out-of-cycle
134,poc,unavoidable,degraded,catastrophic,immediate
135,poc,unavoidable,MEF crippled,none,scheduled
136,poc,unavoidable,MEF crippled,minor,scheduled
137,poc,unavoidable,MEF crippled,major,out-of-cycle
138,poc,unavoidable,MEF crippled,hazardous,out-of-cycle
139,poc,unavoidable,MEF crippled,catastrophic,immediate
140,poc,unavoidable,MEF fail,none,out-of-cycle
141,poc,unavoidable,MEF fail,minor,out-of-cycle
142,poc,unavoidable,MEF fail,major,out-of-cycle
143,poc,unavoidable,MEF fail,hazardous,out-of-cycle
144,poc,unavoidable,MEF fail,catastrophic,immediate
145,poc,unavoidable,mission fail,none,immediate
146,poc,unavoidable,mission fail,minor,immediate
147,poc,unavoidable,mission fail,major,immediate
148,poc,unavoidable,mission fail,hazardous,immediate
149,poc,unavoidable,mission fail,catastrophic,immediate
125,poc,open,none,none,defer
126,poc,open,none,minor,scheduled
127,poc,open,none,major,scheduled
128,poc,open,none,hazardous,out-of-cycle
129,poc,open,none,catastrophic,immediate
130,poc,open,degraded,none,scheduled
131,poc,open,degraded,minor,scheduled
132,poc,open,degraded,major,out-of-cycle
133,poc,open,degraded,hazardous,out-of-cycle
134,poc,open,degraded,catastrophic,immediate
135,poc,open,MEF crippled,none,scheduled
136,poc,open,MEF crippled,minor,scheduled
137,poc,open,MEF crippled,major,out-of-cycle
138,poc,open,MEF crippled,hazardous,out-of-cycle
139,poc,open,MEF crippled,catastrophic,immediate
140,poc,open,MEF fail,none,out-of-cycle
141,poc,open,MEF fail,minor,out-of-cycle
142,poc,open,MEF fail,major,out-of-cycle
143,poc,open,MEF fail,hazardous,out-of-cycle
144,poc,open,MEF fail,catastrophic,immediate
145,poc,open,mission fail,none,immediate
146,poc,open,mission fail,minor,immediate
147,poc,open,mission fail,major,immediate
148,poc,open,mission fail,hazardous,immediate
149,poc,open,mission fail,catastrophic,immediate
150,active,small,none,none,defer
151,active,small,none,minor,defer
152,active,small,none,major,scheduled
Expand Down Expand Up @@ -199,28 +199,28 @@
197,active,controlled,mission fail,major,immediate
198,active,controlled,mission fail,hazardous,immediate
199,active,controlled,mission fail,catastrophic,immediate
200,active,unavoidable,none,none,defer
201,active,unavoidable,none,minor,scheduled
202,active,unavoidable,none,major,out-of-cycle
203,active,unavoidable,none,hazardous,immediate
204,active,unavoidable,none,catastrophic,immediate
205,active,unavoidable,degraded,none,scheduled
206,active,unavoidable,degraded,minor,out-of-cycle
207,active,unavoidable,degraded,major,out-of-cycle
208,active,unavoidable,degraded,hazardous,immediate
209,active,unavoidable,degraded,catastrophic,immediate
210,active,unavoidable,MEF crippled,none,out-of-cycle
211,active,unavoidable,MEF crippled,minor,out-of-cycle
212,active,unavoidable,MEF crippled,major,out-of-cycle
213,active,unavoidable,MEF crippled,hazardous,immediate
214,active,unavoidable,MEF crippled,catastrophic,immediate
215,active,unavoidable,MEF fail,none,immediate
216,active,unavoidable,MEF fail,minor,immediate
217,active,unavoidable,MEF fail,major,immediate
218,active,unavoidable,MEF fail,hazardous,immediate
219,active,unavoidable,MEF fail,catastrophic,immediate
220,active,unavoidable,mission fail,none,immediate
221,active,unavoidable,mission fail,minor,immediate
222,active,unavoidable,mission fail,major,immediate
223,active,unavoidable,mission fail,hazardous,immediate
224,active,unavoidable,mission fail,catastrophic,immediate
200,active,open,none,none,defer
201,active,open,none,minor,scheduled
202,active,open,none,major,out-of-cycle
203,active,open,none,hazardous,immediate
204,active,open,none,catastrophic,immediate
205,active,open,degraded,none,scheduled
206,active,open,degraded,minor,out-of-cycle
207,active,open,degraded,major,out-of-cycle
208,active,open,degraded,hazardous,immediate
209,active,open,degraded,catastrophic,immediate
210,active,open,MEF crippled,none,out-of-cycle
211,active,open,MEF crippled,minor,out-of-cycle
212,active,open,MEF crippled,major,out-of-cycle
213,active,open,MEF crippled,hazardous,immediate
214,active,open,MEF crippled,catastrophic,immediate
215,active,open,MEF fail,none,immediate
216,active,open,MEF fail,minor,immediate
217,active,open,MEF fail,major,immediate
218,active,open,MEF fail,hazardous,immediate
219,active,open,MEF fail,catastrophic,immediate
220,active,open,mission fail,none,immediate
221,active,open,mission fail,minor,immediate
222,active,open,mission fail,major,immediate
223,active,open,mission fail,hazardous,immediate
224,active,open,mission fail,catastrophic,immediate
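Review bot: rows 200-224 complete the rename for the `active` block, and the file summary of 75 additions against 75 deletions confirms no row was dropped or duplicated across the three hunks. Three hunks of 25 identical one-word substitutions, hand-edited, are a sign this table should be generated from the decision-point value lists rather than maintained by hand; a small script that emits `data/ssvc_1_applier.csv` from those lists would have made this a one-line change and would keep the CSV from drifting from the value names in `doc/version_1/040_treesForVulMgmt.md` on the next relabel.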
17 changes: 14 additions & 3 deletions doc/version_1/040_treesForVulMgmt.md
Expand Up @@ -379,15 +379,25 @@ resiliency</td>
### System Exposure (Deployer)
> The Accessible Attack Surface of the Affected System or Service
Measuring attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access. If a vulnerability cannot be patched, other mitigations may be used. Usually, the effect of these mitigations is to reduce exposure of the vulnerable component. Therefore, an deployer’s response to Exposure may change if such mitigations are put in place. If a mitigation changes exposure and thereby reduces the priority of a vulnerability, that mitigation can be considered a success. Whether that mitigation allows the deployer to defer further action varies according to each case.

Measuring attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access.
Exposure should be judged against the system in its deployed context, which may differ from how it is commonly expected to be deployed.
For example, the exposure of a device on a vehicle's CAN bus will vary depending on the presence of a cellular telemetry device on the same bus.

If a vulnerability cannot be patched, other mitigations may be used.
Usually, the effect of these mitigations is to reduce exposure of the vulnerable component.
Therefore, a deployer’s response to Exposure may change if such mitigations are put in place.
If a mitigation changes exposure and thereby reduces the priority of a vulnerability, that mitigation can be considered a success.
Whether that mitigation allows the deployer to defer further action varies according to each case.




| | Table 9: Exposure Decision Values |
| ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Small | Local service or program; highly controlled network |
| Controlled | Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. *Controlled* covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then *exposure* should be *small*. |
| Unavoidable | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) |
| Open | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) |

### Mission Impact (Deplyer)
> Impact on Mission Essential Functions of the Organization
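Review bot: the heading right after the table, `### Mission Impact (Deplyer)`, misspells `Deployer` in the context lines; since this hunk already rewrites the surrounding section, fix it here rather than in a follow-up. The rewrite also inserts four blank lines between `Whether that mitigation allows the deployer to defer further action varies according to each case.` and the `Table 9: Exposure Decision Values` caption; one is enough for Markdown and the extra three will show up as noise in every future diff of this section. The `Open` row keeps the `Unavoidable` definition verbatim, which is correct for a pure relabel, and the `Small` and `Controlled` rows are untouched, so the three values remain mutually exclusive as described.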
Expand Down Expand Up @@ -457,7 +467,8 @@ Some of the decision points require some substantial upfront analysis effort to

Stakeholders who use the prioritization method should consider releasing the priority with which they handled the vulnerability. This disclosure has various benefits. For example, if the supplier publishes a priority ranking, then deployers could consider that in their decision-making process. One reasonable way to include it is to break ties for the deployer. If an deployer has three “scheduled” vulnerabilities to patch, they may address them in any order. If two vulnerabilities were produced by the supplier as “scheduled” patches, and one was “out-of-cycle,” then the deployer may want to use that information to favor the latter.

In the case where no information is available or the organization has not yet matured its initial situational analysis, we can suggest something like defaults for some decision points. If the deployer does not know their exposure,<!--lowercase exposure on purpose, this is the general concept--> that means they do not know where the devices are or how they are controlled, so they should assume *Exposure* is **unavoidable**. If the decision maker knows nothing about the environment in which the device is used, we suggest assuming a **major** *Safety Impact*. This position is conservative, but software is thoroughly embedded in daily life now, so we suggest that the decision maker provide evidence that no one’s well-being will suffer. The reach of software exploits is no longer limited to a research network. Similarly, with *Mission Impact*, the deployer should assume that the software is in use at the organization for a reason, and that it supports essential functions unless they have evidence otherwise. With a total lack of information, assume **MEF support crippled** as a default. *Exploitation* needs no special default; if adequate searches are made for exploit code and none is found, the answer is **none**. The decision set {**none**, **unavoidable**, **MEF crippled**, **major**} results in a scheduled patch application.
In the case where no information is available or the organization has not yet matured its initial situational analysis, we can suggest something like defaults for some decision points. If the deployer does not know their exposure,<!--lowercase exposure on purpose, this is the general concept--> that means they do not know where the devices are or how they are controlled, so they should assume *Exposure* is **open**. If the decision maker knows nothing about the environment in which the device is used, we suggest assuming a **major** *Safety Impact*. This position is conservative, but software is thoroughly embedded in daily life now, so we suggest that the decision maker provide evidence that no one’s well-being will suffer. The reach of software exploits is no longer limited to a research network. Similarly, with *Mission Impact*, the deployer should assume that the software is in use at the organization for a reason, and that it supports essential functions unless they have evidence otherwise. With a total lack of information, assume **MEF support crippled** as a default. *Exploitation* needs no special default; if adequate searches are made for exploit code and none is found, the answer is **none**. The decision set {**none**, **open**, **MEF crippled**, **major**} results in a scheduled patch application.


## Development Methodology

2 changes: 1 addition & 1 deletion doc/version_1/060_workedExample.md
Expand Up @@ -13,7 +13,7 @@ This information rules out “active” given the (perhaps limited) search proce

- **Deployment of affected system** - These pumps are attached directly to the client. If an update is required, the client is permitted to do that through their own computer or app. However, we have not provided them with documentation on properly using their computer or app to securely access their device. This is done for convenience so that if the user needs to change something quickly, they can. They also can also come to us (hospital) for a change in their device’s settings for dosage etc. The doctor’s computer that directly handles interfacing with these devices is only connected to the intranet for the purpose of updating the client’s settings on the device. Doctors authenticate with ID badge and password.

*Exposure* is less straightforward than *Exploitation*. The option **unavoidable** is clearly ruled out. However, it is not clear whether the optional Bluetooth connection between the medical device and a phone app represents **controlled** or **small** exposure. The description does not explicitly handle the capture/replay aspect of the vulnerability. If the only way to exploit the vulnerability is to be within physical transmission range of the device, then that physical constraint argues for exposure being **small**. However, if the client’s phone app could be used to capture and replay attack packets, then unless that app is particularly well secured, the answer should be **controlled**. Regardless, the answer is not clear from the supplied information. Furthermore, if this fictional app is specific to the insulin pump, then even if it is not compromised, the attack might use its installation to remotely identify targets. However, since most of the hospital’s clients have not installed the app, and for nearly all cases, physical proximity to the device is necessary; therefore, we select **small** and move on to ask about mission impact.
*Exposure* is less straightforward than *Exploitation*. The option **open** is clearly ruled out. However, it is not clear whether the optional Bluetooth connection between the medical device and a phone app represents **controlled** or **small** exposure. The description does not explicitly handle the capture/replay aspect of the vulnerability. If the only way to exploit the vulnerability is to be within physical transmission range of the device, then that physical constraint argues for exposure being **small**. However, if the client’s phone app could be used to capture and replay attack packets, then unless that app is particularly well secured, the answer should be **controlled**. Regardless, the answer is not clear from the supplied information. Furthermore, if this fictional app is specific to the insulin pump, then even if it is not compromised, the attack might use its installation to remotely identify targets. However, since most of the hospital’s clients have not installed the app, and for nearly all cases, physical proximity to the device is necessary; therefore, we select **small** and move on to ask about mission impact.

According to the fictional pilot scenario, “Our mission dictates that the first and foremost priority is to contribute to human welfare and to uphold the Hippocratic oath (do no harm).” The continuity of operations planning for a hospital is complex, with many MEFs. However, even from this abstract, it seems clear that “do no harm” is at risk due to this vulnerability. A mission essential function to that mission is each of the various medical devices works as expected, or at least if a device fails, it cannot actively be used to inflict harm. Unsolicited insulin delivery would mean that MEF “fails for a period of time longer than acceptable,” matching the description of MEF failure. The question is then whether the whole mission fails, which does not seem to be the case. The recovery of MEF functioning is not affected, and most MEFs (the emergency services, surgery, oncology, administration, etc.) would be unaffected. Therefore, we select **MEF failure** and move on to ask about safety impact.


0 comments on commit d4ed4f5