Direct SA1 Links
Etics Portal
- Etics Web - EticsAgendas - ETICS 2 SA1 Savannah - SA1Actions (in Savannah) , SA1 Internal
Etics Portal
- Etics Web - EticsAgendas - ETICS 2 SA1 Savannah - SA1Actions (in Savannah) , SA1 Internal
ETICS Risk Assessment
Short Description of the Task
This task consists in the identification of threats, impacts and risks of the ETICS software, services, infrastructure and organization.Useful Links
Links to document, attach material needed, external resources, example, etc.- ISSEG website www.isseg.eu
Threats
Software / Services
CLI Client- Certificate Agent: Other processes could use the certificate through the agent without password
- T2
- Certificates: Cross Site Request Forging (XSRF) via HTTPS URLS
- Authentication: some methods do not check privileges.
- Denial of Service: Single server used
- Replace configuration data with malicious code to produce packages
- Certificates: Cross Site Request Forging (XSRF) via HTTPS URLS
- Denial of Service: Single server used
- Replace packages in AFS with malicious ones and get imported in Repo WS
- GWT XSS: setInnerHTML content parsing
- GWT XSS: JSNI Usage
- GWT XSS: JSON API String parsing
- GWT XSS: Not GWT Javascript on the same server
- GWT XSS: setInnerHTML content parsing
- GWT XSS: JSNI Usage
- GWT XSS: JSON API String parsing
- GWT XSS: Not GWT Javascript on the same server
- GWT XSS: setInnerHTML content parsing
- GWT XSS: JSNI Usage
- GWT XSS: JSON API String parsing
- GWT XSS: Not GWT Javascript on the same server
- JavaScript: Cross Site Scripting (XSS)
- JavaScript: Cross Site Request Forging (XSRF)
- Certificates: Cross Site Request Forging (XSRF) via HTTPS URLS
- Replace configuration data with malicious code to produce packages
- GWT XSS: setInnerHTML content parsing
- GWT XSS: JSNI Usage
- GWT XSS: JSON API String parsing
- GWT XSS: Not GWT Javascript on the same server
- Certificates: Cross Site Request Forging (XSRF) via HTTPS URLS
- Granting permission to non authorized users
- Register a fake user through registration page
- GWT XSS: setInnerHTML content parsing
- GWT XSS: JSNI Usage
- GWT XSS: JSON API String parsing
- GWT XSS: Not GWT Javascript on the same server
- Get a malicious package registered in the repository giving a malicious binaries URL
- Replaced at file system level to add malicious code
- If replaced with malicious ones in AFS, they could change the code during the build
- Used to do a denial of service to the repository (heavy queries)
- T2
- Malicious submitter gets in the pool
- T2
Infrastructure
Server Security- Software updates have not been applied
- Access to physical hardware in the computer center. Access control
- Network problem
- Hardware breakdown
- A job in a WN could affect another one injecting malicious code
- T2
- Software updates have not been applied
- Database read/write through file system access in the server
- Database Password available in configuration files in the same server
- Backups with DB info/schema available publicly
- Software updates have not been applied
- DNS replace at CERN to point to different resources
- Software updates have not been applied
- Malicious joining of a WN in the pool
- CVS code injections of malicious code
- T2
- Stolen credentials
- Proxy certificates with a new DN matching a user ??
Organization / Social
Developer PCs- Stolen certificates/password
- Using the browser to have sysadmin access to the system
- weak passwords
- passwords in AFS or publicly available
- Old members of the project still have root accesses/sysadmin permissions
- Alberto sosia
Plans, Dates and Status
To Do
- Each responsible identifies possible threats
Meeting 14.7.2009
Risk Assessment Theory| Threat | Impact | Likelihood | Risk | Mitigation | Remaining Risk |
|---|---|---|---|---|---|
| T1 | 1 | 4 | 4 | / | / |
| T2 | 4 | 3 | 12 | Actions | / |
| T3 | 4 | 1 | 4 | Actions | Risk |
| T4 | 2 | 1 | 2 | / | Risk |
- Threat: description of the threat
- Impact: (1 to 4) Importance of the threat according to it is potential damage
- Likelihood: (1 to 4) Probability of the threat to happen
- Risk = Impact * Likelihood
- Mitigation: brief description of the actions to do to solve/mitigate the threat
- Remaining Risk: brief description of the risk after the threat has been mitigated
Topic revision: r4 - 2009-07-27 - LorenzoDini
- ETICS Web
- ETICS Web Home
- Changes
- Index
- Search
- Support Knowledge Base
- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- Altair
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback