Merge pull request #48 from ahouseholder/feature/fix_17
Fix #17
j--- authored Oct 16, 2020
2 parents 70b8cd6 + 97e43c3 commit ec10052
Showing 3 changed files with 87 additions and 79 deletions.
150 changes: 75 additions & 75 deletions data/ssvc_1_applier.csv
Expand Up @@ -49,31 +49,31 @@
47,none,controlled,mission fail,major,out-of-band
48,none,controlled,mission fail,hazardous,out-of-band
49,none,controlled,mission fail,catastrophic,out-of-band
50,none,unavoidable,none,none,defer
51,none,unavoidable,none,minor,scheduled
52,none,unavoidable,none,major,scheduled
53,none,unavoidable,none,hazardous,out-of-band
54,none,unavoidable,none,catastrophic,immediate
55,none,unavoidable,degraded,none,defer
56,none,unavoidable,degraded,minor,scheduled
57,none,unavoidable,degraded,major,scheduled
58,none,unavoidable,degraded,hazardous,out-of-band
59,none,unavoidable,degraded,catastrophic,immediate
60,none,unavoidable,MEF crippled,none,scheduled
61,none,unavoidable,MEF crippled,minor,scheduled
62,none,unavoidable,MEF crippled,major,scheduled
63,none,unavoidable,MEF crippled,hazardous,out-of-band
64,none,unavoidable,MEF crippled,catastrophic,immediate
65,none,unavoidable,MEF fail,none,scheduled
66,none,unavoidable,MEF fail,minor,scheduled
67,none,unavoidable,MEF fail,major,out-of-band
68,none,unavoidable,MEF fail,hazardous,out-of-band
69,none,unavoidable,MEF fail,catastrophic,immediate
70,none,unavoidable,mission fail,none,out-of-band
71,none,unavoidable,mission fail,minor,out-of-band
72,none,unavoidable,mission fail,major,out-of-band
73,none,unavoidable,mission fail,hazardous,out-of-band
74,none,unavoidable,mission fail,catastrophic,immediate
50,none,open,none,none,defer
51,none,open,none,minor,scheduled
52,none,open,none,major,scheduled
53,none,open,none,hazardous,out-of-band
54,none,open,none,catastrophic,immediate
55,none,open,degraded,none,defer
56,none,open,degraded,minor,scheduled
57,none,open,degraded,major,scheduled
58,none,open,degraded,hazardous,out-of-band
59,none,open,degraded,catastrophic,immediate
60,none,open,MEF crippled,none,scheduled
61,none,open,MEF crippled,minor,scheduled
62,none,open,MEF crippled,major,scheduled
63,none,open,MEF crippled,hazardous,out-of-band
64,none,open,MEF crippled,catastrophic,immediate
65,none,open,MEF fail,none,scheduled
66,none,open,MEF fail,minor,scheduled
67,none,open,MEF fail,major,out-of-band
68,none,open,MEF fail,hazardous,out-of-band
69,none,open,MEF fail,catastrophic,immediate
70,none,open,mission fail,none,out-of-band
71,none,open,mission fail,minor,out-of-band
72,none,open,mission fail,major,out-of-band
73,none,open,mission fail,hazardous,out-of-band
74,none,open,mission fail,catastrophic,immediate
75,poc,small,none,none,defer
76,poc,small,none,minor,defer
77,poc,small,none,major,scheduled
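Review bot: rows 50 through 74 change only the exposure column from `unavoidable` to `open` and leave every decision outcome exactly as it was, so this hunk is a pure relabel rather than a policy change. The CSV header row is outside the hunk, so confirm separately that it does not still name the old value, and that any tooling or tests that read this file and match on the string `unavoidable` are updated in the same PR rather than silently failing to find the label.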
Expand Down Expand Up @@ -124,31 +124,31 @@
122,poc,controlled,mission fail,major,immediate
123,poc,controlled,mission fail,hazardous,immediate
124,poc,controlled,mission fail,catastrophic,immediate
125,poc,unavoidable,none,none,defer
126,poc,unavoidable,none,minor,scheduled
127,poc,unavoidable,none,major,scheduled
128,poc,unavoidable,none,hazardous,out-of-band
129,poc,unavoidable,none,catastrophic,immediate
130,poc,unavoidable,degraded,none,scheduled
131,poc,unavoidable,degraded,minor,scheduled
132,poc,unavoidable,degraded,major,out-of-band
133,poc,unavoidable,degraded,hazardous,out-of-band
134,poc,unavoidable,degraded,catastrophic,immediate
135,poc,unavoidable,MEF crippled,none,scheduled
136,poc,unavoidable,MEF crippled,minor,scheduled
137,poc,unavoidable,MEF crippled,major,out-of-band
138,poc,unavoidable,MEF crippled,hazardous,out-of-band
139,poc,unavoidable,MEF crippled,catastrophic,immediate
140,poc,unavoidable,MEF fail,none,out-of-band
141,poc,unavoidable,MEF fail,minor,out-of-band
142,poc,unavoidable,MEF fail,major,out-of-band
143,poc,unavoidable,MEF fail,hazardous,out-of-band
144,poc,unavoidable,MEF fail,catastrophic,immediate
145,poc,unavoidable,mission fail,none,immediate
146,poc,unavoidable,mission fail,minor,immediate
147,poc,unavoidable,mission fail,major,immediate
148,poc,unavoidable,mission fail,hazardous,immediate
149,poc,unavoidable,mission fail,catastrophic,immediate
125,poc,open,none,none,defer
126,poc,open,none,minor,scheduled
127,poc,open,none,major,scheduled
128,poc,open,none,hazardous,out-of-band
129,poc,open,none,catastrophic,immediate
130,poc,open,degraded,none,scheduled
131,poc,open,degraded,minor,scheduled
132,poc,open,degraded,major,out-of-band
133,poc,open,degraded,hazardous,out-of-band
134,poc,open,degraded,catastrophic,immediate
135,poc,open,MEF crippled,none,scheduled
136,poc,open,MEF crippled,minor,scheduled
137,poc,open,MEF crippled,major,out-of-band
138,poc,open,MEF crippled,hazardous,out-of-band
139,poc,open,MEF crippled,catastrophic,immediate
140,poc,open,MEF fail,none,out-of-band
141,poc,open,MEF fail,minor,out-of-band
142,poc,open,MEF fail,major,out-of-band
143,poc,open,MEF fail,hazardous,out-of-band
144,poc,open,MEF fail,catastrophic,immediate
145,poc,open,mission fail,none,immediate
146,poc,open,mission fail,minor,immediate
147,poc,open,mission fail,major,immediate
148,poc,open,mission fail,hazardous,immediate
149,poc,open,mission fail,catastrophic,immediate
150,active,small,none,none,defer
151,active,small,none,minor,defer
152,active,small,none,major,scheduled
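Review bot: because this hunk is meant to touch only the third column, it is worth verifying mechanically that nothing else moved, for example by comparing `cut -d, -f1,2,4-6` of the old and new file and expecting an empty diff. From the visible rows 125 through 149 the decision column does match the removed rows one for one, including the `immediate` outcome on every `mission fail` row.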
Expand Down Expand Up @@ -199,28 +199,28 @@
197,active,controlled,mission fail,major,immediate
198,active,controlled,mission fail,hazardous,immediate
199,active,controlled,mission fail,catastrophic,immediate
200,active,unavoidable,none,none,defer
201,active,unavoidable,none,minor,scheduled
202,active,unavoidable,none,major,out-of-band
203,active,unavoidable,none,hazardous,immediate
204,active,unavoidable,none,catastrophic,immediate
205,active,unavoidable,degraded,none,scheduled
206,active,unavoidable,degraded,minor,out-of-band
207,active,unavoidable,degraded,major,out-of-band
208,active,unavoidable,degraded,hazardous,immediate
209,active,unavoidable,degraded,catastrophic,immediate
210,active,unavoidable,MEF crippled,none,out-of-band
211,active,unavoidable,MEF crippled,minor,out-of-band
212,active,unavoidable,MEF crippled,major,out-of-band
213,active,unavoidable,MEF crippled,hazardous,immediate
214,active,unavoidable,MEF crippled,catastrophic,immediate
215,active,unavoidable,MEF fail,none,immediate
216,active,unavoidable,MEF fail,minor,immediate
217,active,unavoidable,MEF fail,major,immediate
218,active,unavoidable,MEF fail,hazardous,immediate
219,active,unavoidable,MEF fail,catastrophic,immediate
220,active,unavoidable,mission fail,none,immediate
221,active,unavoidable,mission fail,minor,immediate
222,active,unavoidable,mission fail,major,immediate
223,active,unavoidable,mission fail,hazardous,immediate
224,active,unavoidable,mission fail,catastrophic,immediate
200,active,open,none,none,defer
201,active,open,none,minor,scheduled
202,active,open,none,major,out-of-band
203,active,open,none,hazardous,immediate
204,active,open,none,catastrophic,immediate
205,active,open,degraded,none,scheduled
206,active,open,degraded,minor,out-of-band
207,active,open,degraded,major,out-of-band
208,active,open,degraded,hazardous,immediate
209,active,open,degraded,catastrophic,immediate
210,active,open,MEF crippled,none,out-of-band
211,active,open,MEF crippled,minor,out-of-band
212,active,open,MEF crippled,major,out-of-band
213,active,open,MEF crippled,hazardous,immediate
214,active,open,MEF crippled,catastrophic,immediate
215,active,open,MEF fail,none,immediate
216,active,open,MEF fail,minor,immediate
217,active,open,MEF fail,major,immediate
218,active,open,MEF fail,hazardous,immediate
219,active,open,MEF fail,catastrophic,immediate
220,active,open,mission fail,none,immediate
221,active,open,mission fail,minor,immediate
222,active,open,mission fail,major,immediate
223,active,open,mission fail,hazardous,immediate
224,active,open,mission fail,catastrophic,immediate
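Review bot: row 200 (`200,active,open,none,none,defer`) keeps `defer` for an actively exploited vulnerability on an openly exposed system. That outcome predates this PR and follows from both impact values being `none` (rows 50 and 125 in the earlier hunks behave the same way), but it is the row readers are most likely to question once the label reads `open`, so a sentence in the documentation explaining that the tree defers when neither mission nor safety impact exists, regardless of exploitation and exposure, would pre-empt that.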
14 changes: 11 additions & 3 deletions doc/version_1/040_treesForVulMgmt.md
Expand Up @@ -378,15 +378,23 @@ resiliency</td>
### System Exposure (Applier)
> The Accessible Attack Surface of the Affected System or Service
Measuring attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access. If a vulnerability cannot be patched, other mitigations may be used. Usually, the effect of these mitigations is to reduce exposure of the vulnerable component. Therefore, an applier’s response to Exposure may change if such mitigations are put in place. If a mitigation changes exposure and thereby reduces the priority of a vulnerability, that mitigation can be considered a success. Whether that mitigation allows the applier to defer further action varies according to each case.
Measuring attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access.
Exposure should be judged against the system in its deployed context, which may differ from how it is commonly expected to be deployed.
For example, the exposure of a device on a vehicle's CAN bus will vary depending on the presence of a cellular telemetry device on the same bus.

If a vulnerability cannot be patched, other mitigations may be used.
Usually, the effect of these mitigations is to reduce exposure of the vulnerable component.
Therefore, an applier’s response to Exposure may change if such mitigations are put in place.
If a mitigation changes exposure and thereby reduces the priority of a vulnerability, that mitigation can be considered a success.
Whether that mitigation allows the applier to defer further action varies according to each case.



| | Table 9: Exposure Decision Values |
| ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Small | Local service or program; highly controlled network |
| Controlled | Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. *Controlled* covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then *exposure* should be *small*. |
| Unavoidable | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) |
| Open | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) |

### Mission Impact (Applier)
> Impact on Mission Essential Functions of the Organization
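Review bot: the new `Open` row reuses the `Unavoidable` definition verbatim, which keeps the semantics stable, but nothing in the document records the rename; a short note that `open` replaces the earlier `unavoidable` label would help anyone holding decision records made with the old name. The CAN bus example says exposure "will vary depending on" a cellular telemetry device without saying which way; stating that such a device raises the exposure of every node on that bus would make the illustration concrete. Minor: three blank lines now precede the Table 9 caption where one would do.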
Expand Down Expand Up @@ -456,7 +464,7 @@ Some of the decision points require some substantial upfront analysis effort to

Stakeholders who use the prioritization method should consider releasing the priority with which they handled the vulnerability. This disclosure has various benefits. For example, if the developer publishes a priority ranking, then appliers could consider that in their decision-making process. One reasonable way to include it is to break ties for the applier. If an applier has three “scheduled” vulnerabilities to patch, they may address them in any order. If two vulnerabilities were produced by the developer as “scheduled” patches, and one was “out-of-cycle,” then the applier may want to use that information to favor the latter.

In the case where no information is available or the organization has not yet matured its initial situational analysis, we can suggest something like defaults for some decision points. If the applier does not know their exposure,<!--lowercase exposure on purpose, this is the general concept--> that means they do not know where the devices are or how they are controlled, so they should assume *Exposure* is **unavoidable**. If the decision maker knows nothing about the environment in which the device is used, we suggest assuming a **major** *Safety Impact*. This position is conservative, but software is thoroughly embedded in daily life now, so we suggest that the decision maker provide evidence that no one’s well-being will suffer. The reach of software exploits is no longer limited to a research network. Similarly, with *Mission Impact*, the applier should assume that the software is in use at the organization for a reason, and that it supports essential functions unless they have evidence otherwise. With a total lack of information, assume **MEF support crippled** as a default. *Exploitation* needs no special default; if adequate searches are made for exploit code and none is found, the answer is **none**. The decision set {**none**, **unavoidable**, **MEF crippled**, **major**} results in a scheduled patch application.
In the case where no information is available or the organization has not yet matured its initial situational analysis, we can suggest something like defaults for some decision points. If the applier does not know their exposure,<!--lowercase exposure on purpose, this is the general concept--> that means they do not know where the devices are or how they are controlled, so they should assume *Exposure* is **open**. If the decision maker knows nothing about the environment in which the device is used, we suggest assuming a **major** *Safety Impact*. This position is conservative, but software is thoroughly embedded in daily life now, so we suggest that the decision maker provide evidence that no one’s well-being will suffer. The reach of software exploits is no longer limited to a research network. Similarly, with *Mission Impact*, the applier should assume that the software is in use at the organization for a reason, and that it supports essential functions unless they have evidence otherwise. With a total lack of information, assume **MEF support crippled** as a default. *Exploitation* needs no special default; if adequate searches are made for exploit code and none is found, the answer is **none**. The decision set {**none**, **open**, **MEF crippled**, **major**} results in a scheduled patch application.

## Development Methodology

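Review bot: the closing claim that {none, open, MEF crippled, major} results in a scheduled patch application agrees with the updated CSV, where row 62 reads `62,none,open,MEF crippled,major,scheduled`, so the default-values paragraph and the table are consistent after the rename. Since this tuple is the one place the prose asserts a specific tree outcome, a small test that looks the default tuple up in `data/ssvc_1_applier.csv` would stop the two from drifting apart in future relabels.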
2 changes: 1 addition & 1 deletion doc/version_1/060_workedExample.md
Expand Up @@ -13,7 +13,7 @@ This information rules out “active” given the (perhaps limited) search proce

- **Deployment of affected system** - These pumps are attached directly to the client. If an update is required, the client is permitted to do that through their own computer or app. However, we have not provided them with documentation on properly using their computer or app to securely access their device. This is done for convenience so that if the user needs to change something quickly, they can. They also can also come to us (hospital) for a change in their device’s settings for dosage etc. The doctor’s computer that directly handles interfacing with these devices is only connected to the intranet for the purpose of updating the client’s settings on the device. Doctors authenticate with ID badge and password.

*Exposure* is less straightforward than *Exploitation*. The option **unavoidable** is clearly ruled out. However, it is not clear whether the optional Bluetooth connection between the medical device and a phone app represents **controlled** or **small** exposure. The description does not explicitly handle the capture/replay aspect of the vulnerability. If the only way to exploit the vulnerability is to be within physical transmission range of the device, then that physical constraint argues for exposure being **small**. However, if the client’s phone app could be used to capture and replay attack packets, then unless that app is particularly well secured, the answer should be **controlled**. Regardless, the answer is not clear from the supplied information. Furthermore, if this fictional app is specific to the insulin pump, then even if it is not compromised, the attack might use its installation to remotely identify targets. However, since most of the hospital’s clients have not installed the app, and for nearly all cases, physical proximity to the device is necessary; therefore, we select **small** and move on to ask about mission impact.
*Exposure* is less straightforward than *Exploitation*. The option **open** is clearly ruled out. However, it is not clear whether the optional Bluetooth connection between the medical device and a phone app represents **controlled** or **small** exposure. The description does not explicitly handle the capture/replay aspect of the vulnerability. If the only way to exploit the vulnerability is to be within physical transmission range of the device, then that physical constraint argues for exposure being **small**. However, if the client’s phone app could be used to capture and replay attack packets, then unless that app is particularly well secured, the answer should be **controlled**. Regardless, the answer is not clear from the supplied information. Furthermore, if this fictional app is specific to the insulin pump, then even if it is not compromised, the attack might use its installation to remotely identify targets. However, since most of the hospital’s clients have not installed the app, and for nearly all cases, physical proximity to the device is necessary; therefore, we select **small** and move on to ask about mission impact.

According to the fictional pilot scenario, “Our mission dictates that the first and foremost priority is to contribute to human welfare and to uphold the Hippocratic oath (do no harm).” The continuity of operations planning for a hospital is complex, with many MEFs. However, even from this abstract, it seems clear that “do no harm” is at risk due to this vulnerability. A mission essential function to that mission is each of the various medical devices works as expected, or at least if a device fails, it cannot actively be used to inflict harm. Unsolicited insulin delivery would mean that MEF “fails for a period of time longer than acceptable,” matching the description of MEF failure. The question is then whether the whole mission fails, which does not seem to be the case. The recovery of MEF functioning is not affected, and most MEFs (the emergency services, surgery, oncology, administration, etc.) would be unaffected. Therefore, we select **MEF failure** and move on to ask about safety impact.

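Review bot: only the label changes here, and the reasoning that it is "clearly ruled out" still holds under the new name, since the scenario limits access to a Bluetooth link within physical range rather than a widely accessible network. While this paragraph is open, the context bullet above contains a doubled "They also can also come to us", which could be fixed in the same PR.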
