diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 102c923c..602beae0 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -18,14 +18,16 @@ - [Staying Informed & Continuous Learning](./awareness/staying-informed-and-continuous-learning.md) - [Resources & Further Reading](./awareness/resources-and-further-reading.md) - [Operational Security](./opsec/README.md) - - [Core principles](./opsec/principles/README.md) - - [Principles in detail](./opsec/principles/principles.md) - - [The five steps](./opsec/principles/five-steps.md) - - [Web3 considerations](./opsec/principles/web3-considerations.md) - - [Threat Modeling overview](./opsec/threat-modeling-overview.md) - - [Risk Management](./opsec/risk-management.md) - - [Governance & Program Management]() - + - [Overview](./opsec/overview/README.md) + - [Security Fundamentals](./opsec/overview/security-fundamentals.md) + - [Implementation Process](./opsec/overview/implementation-process.md) + - [Web3 considerations](./opsec/overview/web3-considerations.md) + - [Threat Modeling Overview](./opsec/threat-modeling-overview.md) + - [Risk Management Overview](./opsec/risk-management-overview.md) + - [While Traveling](./opsec/travel/overview.md) + - [Quick Guide](./opsec/travel/quick-guide.md) + - [Thorough Guide](./opsec/travel/guide.md) + - [Governance & Program Management]() - [Control Domains]() - [Lifecycle]() - [Monitoring & Detection]() diff --git a/src/config/SUMMARY.md.develop b/src/config/SUMMARY.md.develop index 102c923c..602beae0 100644 --- a/src/config/SUMMARY.md.develop +++ b/src/config/SUMMARY.md.develop @@ -18,14 +18,16 @@ - [Staying Informed & Continuous Learning](./awareness/staying-informed-and-continuous-learning.md) - [Resources & Further Reading](./awareness/resources-and-further-reading.md) - [Operational Security](./opsec/README.md) - - [Core principles](./opsec/principles/README.md) - - [Principles in detail](./opsec/principles/principles.md) - - [The five steps](./opsec/principles/five-steps.md) - - [Web3 considerations](./opsec/principles/web3-considerations.md) - - [Threat Modeling overview](./opsec/threat-modeling-overview.md) - - [Risk Management](./opsec/risk-management.md) - - [Governance & Program Management]() - + - [Overview](./opsec/overview/README.md) + - [Security Fundamentals](./opsec/overview/security-fundamentals.md) + - [Implementation Process](./opsec/overview/implementation-process.md) + - [Web3 considerations](./opsec/overview/web3-considerations.md) + - [Threat Modeling Overview](./opsec/threat-modeling-overview.md) + - [Risk Management Overview](./opsec/risk-management-overview.md) + - [While Traveling](./opsec/travel/overview.md) + - [Quick Guide](./opsec/travel/quick-guide.md) + - [Thorough Guide](./opsec/travel/guide.md) + - [Governance & Program Management]() - [Control Domains]() - [Lifecycle]() - [Monitoring & Detection]() diff --git a/src/operational-security/README.md b/src/opsec-old/README.md similarity index 100% rename from src/operational-security/README.md rename to src/opsec-old/README.md diff --git a/src/opsec-old/cloud-third-party/README.md b/src/opsec-old/cloud-third-party/README.md new file mode 100644 index 00000000..057a207e --- /dev/null +++ b/src/opsec-old/cloud-third-party/README.md @@ -0,0 +1,45 @@ +--- +tags: + - Security Specialist + - Operations & Strategy + - Devops + - SRE +--- + +# Cloud and Third-Party Security + +In today's interconnected digital ecosystem, organizations rely heavily on cloud services and third-party vendors to operate efficiently. However, these dependencies introduce security risks that must be carefully managed. + +## Introduction + +Cloud and third-party security focuses on protecting data and operations that depend on external providers. It encompasses the assessment, monitoring, and management of security risks associated with cloud services, software-as-a-service (SaaS) applications, and third-party vendors that have access to your systems or data. + +## Key Components + +This section covers the following aspects of cloud and third-party security: + +1. [G-Suite Security](./g-suite-security.md) - Securing Google Workspace (formerly G-Suite) environments +2. [Cloud Security Fundamentals](./cloud-security-fundamentals.md) - Essential security considerations for cloud environments +3. [SaaS Security](./saas-security.md) - Securing software-as-a-service applications +4. [Vendor Security Assessment](./vendor-security-assessment.md) - Evaluating and monitoring the security of third-party vendors +5. [API Security](./api-security.md) - Securing application programming interfaces + +## Risk-Based Approach + +Cloud and third-party security should be implemented based on the sensitivity of the data being handled and the criticality of the services provided: + +1. Inventory all cloud services and third-party relationships +2. Classify providers based on the data they handle and criticality to operations +3. Implement appropriate security controls and monitoring based on risk levels +4. Regularly review and audit third-party security practices + +## Web3 Considerations + +In Web3 environments, cloud and third-party security includes additional considerations: + +- The security of blockchain infrastructure providers +- The risks associated with decentralized services and protocols +- The assessment of smart contract dependencies +- The security of Web3 development and deployment tools + +The guidance in this section addresses both traditional and Web3-specific cloud and third-party security considerations. \ No newline at end of file diff --git a/src/operational-security/cloud-third-party/g-suite-security.md b/src/opsec-old/cloud-third-party/g-suite-security.md similarity index 100% rename from src/operational-security/cloud-third-party/g-suite-security.md rename to src/opsec-old/cloud-third-party/g-suite-security.md diff --git a/src/opsec-old/core-opsec-principles.md b/src/opsec-old/core-opsec-principles.md new file mode 100644 index 00000000..8496f15c --- /dev/null +++ b/src/opsec-old/core-opsec-principles.md @@ -0,0 +1,148 @@ +--- +tags: + - Security Specialist + - Operations & Strategy + - Devops + - SRE +--- + +# Core OpSec Principles + +Operational security is built on fundamental principles that guide the implementation of security controls and practices. These principles provide a foundation for developing a comprehensive security posture that protects your organization's assets, operations, and reputation. + +> **Practical Example: Web3 Organization** +> +> Consider a Web3 project managing a DeFi protocol with a treasury of $10M in assets. Proper operational security would involve: +> +> - **Multiple security layers**: Hardware wallets for cold storage, multi-signature requirements for transactions, regular security audits, and continuous monitoring +> - **Access control**: Only specific team members have access to deployment keys, with different permission levels for development, testing, and production environments +> - **Compartmentalized information**: Private keys for multi-signature wallets are distributed among trusted team members with no single person having access to all keys, and sensitive incident response procedures are only shared with the security team +> - **Regular threat assessment**: The team conducts quarterly reviews of potential attack vectors, from smart contract vulnerabilities to [social engineering](../awareness/social-engineering.md) attempts targeting team members + +## Defense in Depth + +Defense in Depth is the practice of layering security controls throughout your systems and processes, so that if one control fails, others will provide protection. + +> **πŸ”— Related Framework:** This principle is applied across multiple frameworks including [Infrastructure](../infrastructure/) with [Zero-Trust Principles](../infrastructure/zero-trust-principles.md) and [Network Security](../infrastructure/network-security.md). + +### Implementation + +1. Deploy multiple security controls that address the same risk in different ways +2. Implement security at various layers: physical, technical, administrative, and human +3. Ensure no single point of failure exists in your security architecture +4. Review the effectiveness of security layers regularly to identify gaps +5. Foster a [security-aware mindset](../awareness/cultivating-a-security-aware-mindset.md) across all team members + +## Principle of Least Privilege + +The Principle of Least Privilege dictates that users, systems, and processes should have only the minimum access rights necessary to perform their functions. + +> **πŸ”— Related Framework:** For comprehensive implementation, see [Identity and Access Management](../iam/) and [Role-Based Access Control](../iam/role-based-access-control.md). + +### Implementation + +1. Grant the minimum level of access required for users to perform their duties +2. Review and adjust access rights when roles change +3. Implement role-based access control (RBAC) to standardize permissions +4. Use time-limited and just-in-time access for administrative privileges +5. Regularly audit access rights to identify and remove excessive permissions +6. Establish a thorough offboarding process to immediately revoke access when team members leave +7. Remove credentials for deactivated accounts, as these can become security liabilities even when dormant + +## Need-to-Know Basis + +Information should only be shared with individuals who require that information to perform their duties. + +> **πŸ”— Related Framework:** This principle is supported by practices in [Data Protection](../operational-security/data-protection/) and aspects of [Privacy](../privacy/). + +### Implementation + +1. Classify information based on sensitivity and restrict access accordingly +2. Compartmentalize sensitive information to limit exposure in case of a breach +3. Implement clear data handling and sharing policies +4. Train team members on proper handling and sharing of sensitive information through regular [security training](../awareness/security-training.md) +5. Use secure communication channels for sensitive information + +## Threat Modeling for OpSec + +Threat modeling involves systematically identifying potential threats, vulnerabilities, and attack vectors to prioritize security controls. + +> **πŸ”— Related Framework:** For detailed methodology and implementation, see the [Threat Modeling](../threat-modeling/) framework, including guides on how to [Create and Maintain Threat Models](../threat-modeling/create-maintain-threat-models.md) and [Identify and Mitigate Threats](../threat-modeling/identity-mitigate-threats.md). + +### Implementation + +1. Identify critical assets and operations that need protection +2. Enumerate potential threats and their impact on your organization +3. Assess vulnerabilities that could be exploited +4. Evaluate existing controls and their effectiveness +5. Develop a prioritized plan to address identified risks +6. Maintain awareness of common [threat vectors](../awareness/understanding-threat-vectors.md) relevant to your organization + +## Risk Assessment and Management + +Systematic evaluation and prioritization of security risks to guide resource allocation and security decision-making. + +> **πŸ”— Related Framework:** For comprehensive risk management strategies, refer to [Governance](../governance/) and [Risk Management](../governance/risk-management.md). + +### Implementation + +1. Identify and categorize assets based on their value and criticality +2. Assess threats and vulnerabilities relevant to those assets +3. Determine the likelihood and potential impact of security incidents +4. Implement controls based on risk levels +5. Regularly reassess risks as the environment and threats evolve + +## Continuous Monitoring and Improvement + +Security is not a one-time implementation but a continuous process of monitoring, evaluating, and improving. + +> **πŸ”— Related Framework:** For implementation details, see the [Monitoring](../monitoring/) framework, including [Guidelines](../monitoring/guidelines.md) and [Thresholds](../monitoring/thresholds.md). Also relevant is [Incident Management](../incident-management/) for response to detected issues. + +### Implementation + +1. Establish security metrics to measure the effectiveness of controls +2. Implement monitoring systems to detect security events and anomalies +3. Conduct regular security assessments and penetration tests +4. Learn from security incidents and near-misses +5. Update security controls based on new threats, vulnerabilities, and technologies +6. Ensure team members are [staying informed and continuously learning](../awareness/staying-informed-and-continuous-learning.md) about evolving security threats +7. Utilize available [security resources](../awareness/resources-and-further-reading.md) to keep your security practices current + +## Web3-Specific OpSec Principles + +In addition to traditional OpSec principles, Web3 environments require consideration of: + +> **πŸ”— Related Framework:** Explore the dedicated [Web3-Specific OpSec](../operational-security/web3-specific-opsec/) framework for comprehensive guidance. + +### Transparency vs. Privacy + +Balancing the transparent nature of blockchain with the need for operational privacy. + +### Implementation + +1. Understand what information is publicly visible on-chain +2. Develop strategies to maintain operational privacy while utilizing public blockchains +3. Use privacy-enhancing technologies where appropriate + +### Immutability and Finality + +Recognizing that blockchain transactions are generally irreversible, requiring heightened security before execution. + +### Implementation + +1. Implement robust verification procedures before executing transactions +2. Use multi-signature requirements for high-value transactions +3. Deploy transaction simulation tools to verify outcomes before execution + +### Self-Custody Responsibility + +> **πŸ”— Related Framework:** For detailed guidance on wallet security practices, see the [Wallet Security](../wallet-security/) framework. + +### Implementation + +1. Develop clear procedures for wallet security +2. Implement separation of duties for transaction approval +3. Balance security with operational efficiency +4. [Stay up-to-date](../awareness/staying-up-to-date.md) with best practices in wallet security and custody solutions + +By adhering to these core principles, organizations can build a strong foundation for operational security that addresses both traditional and Web3-specific security challenges. diff --git a/src/opsec-old/data-protection/README.md b/src/opsec-old/data-protection/README.md new file mode 100644 index 00000000..83e82ae5 --- /dev/null +++ b/src/opsec-old/data-protection/README.md @@ -0,0 +1,47 @@ +--- +tags: + - Security Specialist + - Operations & Strategy + - Devops + - SRE + - Compliance +--- + +# Data Protection + +Data is one of an organization's most valuable assets, and protecting it throughout its lifecycle is a critical component of operational security. + +## Introduction + +Data protection encompasses the strategies, policies, tools, and techniques used to secure data at rest, in transit, and in use. It involves not only technical controls but also procedural and administrative measures designed to safeguard sensitive information from unauthorized access, use, disclosure, disruption, modification, or destruction. + +## Key Components + +This section covers the following aspects of data protection: + +1. [Data Classification](./data-classification.md) - Categorizing data based on sensitivity and value +2. [Encryption](./encryption.md) - Protecting data through cryptographic methods +3. [Data Loss Prevention](./data-loss-prevention.md) - Controls to prevent unauthorized data exfiltration +4. [Secure Data Sharing](./secure-data-sharing.md) - Methods for securely sharing data with authorized parties +5. [Data Backup and Recovery](./data-backup-recovery.md) - Ensuring data availability and resilience +6. [Data Minimization and Retention](./data-minimization-retention.md) - Principles for data lifecycle management + +## Risk-Based Approach + +Data protection should be implemented based on the sensitivity and value of the data being protected: + +1. Identify and classify data based on sensitivity and regulatory requirements +2. Assess the potential impact of data breaches or loss +3. Implement appropriate security controls based on risk levels +4. Regularly audit data protection measures and adapt to evolving threats + +## Web3 Considerations + +In Web3 environments, data protection includes additional considerations: + +- The balance between on-chain transparency and privacy +- Protecting cryptographic secrets that control assets +- The implications of immutable data stored on blockchains +- Privacy-preserving techniques for blockchain interactions + +The guidance in this section addresses both traditional and Web3-specific data protection considerations, helping organizations implement appropriate safeguards regardless of their technological environment. \ No newline at end of file diff --git a/src/opsec-old/device-endpoint-security/README.md b/src/opsec-old/device-endpoint-security/README.md new file mode 100644 index 00000000..567b3c18 --- /dev/null +++ b/src/opsec-old/device-endpoint-security/README.md @@ -0,0 +1,45 @@ +--- +tags: + - Security Specialist + - Operations & Strategy + - Devops + - SRE +--- + +# Device and Endpoint Security + +Securing the devices used by your organization is a critical component of operational security. Endpoints such as laptops, desktops, mobile devices, and servers are common entry points for attackers and require robust protection. + +## Introduction + +Device and endpoint security encompasses the policies, tools, and practices that protect individual computing devices from threats. As the boundary between work and personal devices blurs, and as remote work becomes more common, securing endpoints has become increasingly challenging and important. + +## Key Components + +This section covers the following aspects of device and endpoint security: + +1. [Standard Operating Environment](./standard-operating-environment.md) - Establishing and maintaining secure baseline configurations +2. [Endpoint Protection](./endpoint-protection.md) - Tools and technologies to protect endpoints from malware and other threats +3. [Mobile Device Security](./mobile-device-security.md) - Securing smartphones, tablets, and other mobile devices +4. [Secure Configuration](./secure-configuration.md) - Hardening devices through secure configuration practices +5. [Patch Management](./patch-management.md) - Keeping systems updated to address known vulnerabilities + +## Risk-Based Approach + +Device and endpoint security should be implemented based on the sensitivity of the data being handled and the criticality of the device to operations: + +1. Inventory all devices that access organizational resources +2. Classify devices based on the data they handle and criticality to operations +3. Implement appropriate security controls based on risk levels +4. Regularly audit device compliance with security policies + +## Web3 Considerations + +In Web3 environments, device and endpoint security includes additional considerations: + +- Securing devices used for cryptocurrency transactions and wallet security +- Protecting hardware wallets and other specialized Web3 hardware +- Addressing the risks of browser-based Web3 interactions +- Securing devices that participate in blockchain networks (e.g., validator nodes) + +The guidance in this section addresses both traditional and Web3-specific device and endpoint security considerations. \ No newline at end of file diff --git a/src/operational-security/device-endpoint-security/standard-operating-environment.md b/src/opsec-old/device-endpoint-security/standard-operating-environment.md similarity index 100% rename from src/operational-security/device-endpoint-security/standard-operating-environment.md rename to src/opsec-old/device-endpoint-security/standard-operating-environment.md diff --git a/src/opsec-old/digital-identity-access/README.md b/src/opsec-old/digital-identity-access/README.md new file mode 100644 index 00000000..6c828191 --- /dev/null +++ b/src/opsec-old/digital-identity-access/README.md @@ -0,0 +1 @@ +# Digital Identity and Access Management diff --git a/src/operational-security/digital-identity-access/password-secrets-management.md b/src/opsec-old/digital-identity-access/password-secrets-management.md similarity index 100% rename from src/operational-security/digital-identity-access/password-secrets-management.md rename to src/opsec-old/digital-identity-access/password-secrets-management.md diff --git a/src/operational-security/digital-identity-access/sim-swapping.md b/src/opsec-old/digital-identity-access/sim-swapping.md similarity index 100% rename from src/operational-security/digital-identity-access/sim-swapping.md rename to src/opsec-old/digital-identity-access/sim-swapping.md diff --git a/src/opsec-old/human-centered-security/README.md b/src/opsec-old/human-centered-security/README.md new file mode 100644 index 00000000..d7451e86 --- /dev/null +++ b/src/opsec-old/human-centered-security/README.md @@ -0,0 +1,38 @@ +--- +tags: + - Security Specialist + - Operations & Strategy + - HR +--- + +# Human-Centered Security + +Security is not just about technologyβ€”it's about people. The human element is often the most vulnerable part of any security system, making human-centered security approaches essential for a robust operational security posture. + +## Introduction + +Human-centered security focuses on understanding, supporting, and enhancing the security behaviors of individuals within an organization. It recognizes that security is a shared responsibility and that technical controls alone cannot provide comprehensive protection without considering the human factors involved. + +## Key Components + +This section covers the following aspects of human-centered security: + +1. [Insider Threat Detection and Mitigation](./detecting-and-mitigating-insider-threats.md) - Strategies for identifying and mitigating risks posed by insiders +2. [Social Engineering Defense](./social-engineering-defense.md) - Techniques to protect against manipulation and deception +3. [Travel Security](./travel-security.md) - Security considerations for team members when traveling +4. [Personal OpSec for Team Members](./personal-opsec.md) - Guidelines for individuals to maintain security in their personal activities + +## Intersection with Awareness + +While this section focuses on operational measures to address human-centered security, it works in close conjunction with the [Security Awareness Framework](../../awareness/). The awareness framework provides the educational foundation, while human-centered security implements the operational controls and procedures needed to protect against human-related security risks. + +## Risk-Based Approach + +Not all human-centered security risks are equal. Organizations should adopt a risk-based approach by: + +1. Identifying roles with access to critical assets or sensitive information +2. Assessing the potential impact of human errors or malicious actions +3. Implementing controls proportionate to the identified risks +4. Creating an environment where security is valued and prioritized + +Focusing on human factors in security, organizations can create a more resilient security posture that combines technical controls with human awareness and behavior. \ No newline at end of file diff --git a/src/operational-security/human-centered-security/detecting-and-mitigating-insider-threats.md b/src/opsec-old/human-centered-security/detecting-and-mitigating-insider-threats.md similarity index 100% rename from src/operational-security/human-centered-security/detecting-and-mitigating-insider-threats.md rename to src/opsec-old/human-centered-security/detecting-and-mitigating-insider-threats.md diff --git a/src/opsec-old/human-centered-security/personal-opsec.md b/src/opsec-old/human-centered-security/personal-opsec.md new file mode 100644 index 00000000..eb0de234 --- /dev/null +++ b/src/opsec-old/human-centered-security/personal-opsec.md @@ -0,0 +1,97 @@ +--- +tags: + - Security Specialist + - Operations & Strategy + - Individual Security +--- + +# Personal OpSec for Team Members + +Personal operational security (OpSec) extends beyond the workplace, encompassing practices that team members should implement in their personal lives to protect both themselves and organizational assets. This is particularly important in Web3 where the boundaries between personal and professional digital presence are often blurred. + +## Digital Footprint Management + +### Social Media Practices + +1. Regularly audit and adjust privacy settings on all social media platforms +2. Be cautious about revealing employment details, especially for high-profile or security-sensitive roles +3. Avoid sharing location data in real-time, particularly during travel +4. Consider using separate accounts for professional and personal interactions +5. Be mindful of information revealed in photos, including backgrounds that might expose sensitive information + +### Public Information Minimization + +1. Periodically search for your own name and digital identifiers to understand your public exposure +2. Request removal of sensitive personal information from data broker sites +3. Use domain privacy services if you own personal domains +4. Consider using pseudonyms for non-professional online activities where appropriate and legal + +## Personal Device Security + +### Home Network Security + +1. Secure home Wi-Fi networks with strong passwords and WPA3 encryption when available +2. Segment networks to separate IoT devices from computers used for work +3. Keep router firmware updated and change default administrative credentials +4. Consider using a dedicated VLAN for work activities conducted from home + +### Personal Device Hardening + +1. Apply the same security standards to personal devices used for work as corporate devices +2. Implement automatic updates for operating systems and applications +3. Use password managers to maintain strong, unique passwords across services +4. Enable full-disk encryption on all personal devices +5. Install and maintain reputable security software + +## Secure Communication Practices + +1. Use end-to-end encrypted messaging platforms for sensitive communications +2. Be aware of metadata exposure even when content is encrypted +3. Verify security of communication channels before discussing sensitive topics +4. Consider using separate phone numbers or identifiers for high-security communications +5. Apply appropriate security measures to personal email accounts, including MFA + +## Physical Security Awareness + +1. Be conscious of physical surroundings when accessing sensitive information +2. Secure physical documents and devices at home, especially when traveling +3. Consider appropriate home security measures based on role sensitivity +4. Practice good physical security habits like using privacy screens in public places + +## Web3-Specific Personal OpSec + +### Cryptocurrency Security + +1. Separate personal and work-related wallets and accounts +2. Apply strong security practices to personal crypto holdings +3. Be cautious about revealing personal cryptocurrency holdings or involvement in projects +4. Consider the implications of blockchain transparency and on-chain activity linkability +5. Use hardware wallets for long-term storage of significant personal assets + +### Identity Separation + +1. Consider separating on-chain identities used for work from personal activities +2. Be aware of how personal ENS names or identifiers may link to work-related activities +3. Understand the risks of doxing in the Web3 space and take appropriate precautions + +## Personal Threat Modeling + +1. Assess personal risk based on role, project visibility, and asset access +2. Identify potential adversaries and their capabilities +3. Implement security measures proportionate to identified risks +4. Periodically reassess as role or external factors change + +## Balance and Sustainability + +1. Focus on high-impact security practices that are sustainable long-term +2. Recognize that perfect security is impossible and aim for reasonable protections +3. Develop habits that incorporate security into daily routines +4. Understand the trade-offs between convenience and security in personal life + +## Reporting and Support + +1. Know how to report suspicious activities that might target you personally due to your role +2. Understand what organizational support is available for personal security incidents +3. Maintain awareness of current threats targeting individuals in your industry or role + +By implementing personal OpSec practices, team members can significantly reduce security risks that originate outside the workplace while maintaining a reasonable balance between security and quality of life. \ No newline at end of file diff --git a/src/opsec-old/human-centered-security/social-engineering-defense.md b/src/opsec-old/human-centered-security/social-engineering-defense.md new file mode 100644 index 00000000..cd1edb51 --- /dev/null +++ b/src/opsec-old/human-centered-security/social-engineering-defense.md @@ -0,0 +1,76 @@ +--- +tags: + - Security Specialist + - Operations & Strategy + - Human Resources +--- + +# Social Engineering Defense + +Social engineering attacks target the human element of security by manipulating individuals into breaking security protocols, revealing sensitive information, or granting unauthorized access. Defending against these attacks requires a combination of awareness, training, and operational controls. + +## Understanding Social Engineering + +Social engineering encompasses various manipulation techniques that exploit human psychology rather than technical vulnerabilities. For a comprehensive overview of common attack vectors, refer to our [Security Awareness Attack Vectors](../../awareness/attack-vectors/README.md) documentation. + +## General Defense Strategies + +Regardless of the specific social engineering technique, several core defensive measures are effective: + +1. **Implement Verification Protocols**: Establish multi-step verification procedures for sensitive requests, especially those involving financial transactions, credential changes, or access modifications + +2. **Develop a Questioning Culture**: Encourage team members to verify unexpected requests through alternative communication channels, even when they appear to come from trusted sources + +3. **Technical Controls**: Deploy appropriate filtering, monitoring, and access control systems to detect and prevent social engineering attempts + +4. **Regular Training**: Conduct ongoing security awareness training with realistic scenarios based on current threats + +5. **Clear Reporting Mechanisms**: Create simple, accessible ways for team members to report suspected social engineering attempts + +## Specific Defensive Considerations + +While general principles apply broadly, some attack vectors require specific defensive approaches: + +### Phishing Defense + +Email and messaging-based deception requires specialized filtering solutions and training team members to recognize suspicious indicators like sender addresses, grammatical errors, and urgent requests. + +### Voice and In-Person Manipulation Defense + +For pretexting, vishing, and impersonation attacks, implement strict identity verification procedures and establish clear escalation paths for unusual requests. + +### Physical Security Considerations + +To counter baiting, tailgating, and physical social engineering, develop protocols for handling unknown devices, visitor management, and physical access controls. + +## Cross-Function Collaboration + +Effective social engineering defense requires collaboration across multiple organizational functions: + +1. **Security Teams**: Implement technical controls and monitoring systems +2. **Human Resources**: Incorporate security awareness into onboarding and ongoing training +3. **Communications**: Develop clear guidelines for verifying the authenticity of communications +4. **Leadership**: Demonstrate a commitment to security through policies and practices + +## Integration with Threat Intelligence + +1. Stay informed about emerging social engineering tactics through threat intelligence sources +2. Update training materials and defenses based on current threat landscape +3. Share information about attempted attacks with the broader security community when appropriate + +## Incident Response for Social Engineering Attacks + +1. Document all suspected social engineering attempts +2. Establish clear reporting mechanisms for team members who believe they've been targeted +3. Create specific response procedures for different types of social engineering attacks +4. Conduct post-incident reviews to identify lessons learned and improve defenses + +## Building Resilience + +The goal of social engineering defense is not just to prevent specific attacks but to build organizational resilience: + +1. Foster a security culture where questioning unusual requests is encouraged, not penalized +2. Develop and practice "security skepticism" as a valued trait +3. Design systems and processes with human behavior in mind, acknowledging that perfect compliance is unrealistic + +Combining technical controls with human awareness and organizational procedures, teams can significantly reduce their vulnerability to social engineering attacks. \ No newline at end of file diff --git a/src/opsec-old/human-centered-security/travel-security.md b/src/opsec-old/human-centered-security/travel-security.md new file mode 100644 index 00000000..b29c1a96 --- /dev/null +++ b/src/opsec-old/human-centered-security/travel-security.md @@ -0,0 +1,94 @@ +--- +tags: + - Security Specialist + - Operations & Strategy + - Travel + - Physical Security +--- + +# Travel Security + +Team members traveling for business purposes face unique security risks that require specialized preparation and awareness. Effective travel security measures help protect both the individual and organizational assets during travel. + +## Pre-Travel Preparation + +### Risk Assessment + +1. Assess destination-specific risks including political stability, crime rates, health concerns, and local laws +2. Consider the sensitivity of work to be conducted during travel and adjust security measures accordingly +3. Consult reliable sources such as government travel advisories and internal threat intelligence + +### Device Preparation + +1. Use dedicated travel devices whenever possible, with minimal data and applications +2. Update all software and security patches before departure +3. Enable full-disk encryption on all devices +4. Install and test VPN software prior to departure +5. Consider using temporary travel accounts with limited access to organizational resources +6. Backup all data before departure and store the backup securely + +### Documentation and Emergency Planning + +1. Create copies of important documents (passport, visas, insurance) +2. Establish emergency communication protocols and points of contact +3. Share itinerary details with appropriate team members +4. Register with embassy or consular services when traveling to high-risk locations + +## In-Transit Security + +1. Maintain physical control of devices and sensitive items at all times +2. Be aware of shoulder surfing when working on sensitive information +3. Avoid connecting to public or hotel Wi-Fi networks without VPN protection +4. Disable Bluetooth, Wi-Fi, and other wireless connectivity when not in use +5. Consider using privacy screens to prevent visual data leakage + +## On-Location Security + +### Physical Security + +1. Store sensitive devices in hotel safes when not in use, or maintain physical possession +2. Be aware of surroundings and potential surveillance or targeting +3. Avoid discussing sensitive business matters in public spaces +4. Use privacy screens when working in public areas + +### Digital Security + +1. Connect to corporate networks only through secure VPN channels +2. Be cautious of USB charging stations which may present data theft risks +3. Report any suspicious activity or security incidents immediately +4. Exercise extra caution when connecting to Wi-Fi networks +5. Use mobile hotspots from trusted providers when possible + +## Post-Travel Procedures + +1. Inspect devices for signs of tampering +2. Change passwords used during travel +3. Run security scans on all devices before reconnecting to corporate networks +4. Report any suspicious incidents or security concerns +5. Debrief with security team about any potential security issues encountered + +## Special Considerations for High-Risk Locations + +1. Consider using "burner" devices for travel to high-risk locations +2. Establish more frequent check-in protocols +3. Be aware of local surveillance capabilities and legal requirements for device inspection +4. Prepare for potential device confiscation at borders by minimizing sensitive data +5. Consider using end-to-end encrypted communication methods + +## Web3-Specific Travel Security + +1. Use hardware wallets for storing crypto assets and keep them physically secure +2. Be cautious about revealing cryptocurrency holdings or involvement in high-value projects +3. Consider using duress passwords or accounts if traveling to high-risk regions +4. Be aware of targeted attacks at crypto conferences and events +5. Establish specific protocols for transaction approvals while traveling + +## Integration with Other Security Frameworks + +Travel security integrates with several other security frameworks: + +1. [Device and Endpoint Security](../device-endpoint-security/) for device hardening practices +2. [Digital Identity and Access Management](../digital-identity-access/) for authentication during travel +3. [Physical Security](../physical-security/) for protecting physical assets + +By implementing comprehensive travel security measures, organizations can significantly reduce risks associated with business travel while enabling team members to work effectively and safely when away from their primary work location. \ No newline at end of file diff --git a/src/opsec-old/network-communication/README.md b/src/opsec-old/network-communication/README.md new file mode 100644 index 00000000..7dc28665 --- /dev/null +++ b/src/opsec-old/network-communication/README.md @@ -0,0 +1,45 @@ +--- +tags: + - Security Specialist + - Operations & Strategy + - Devops + - SRE +--- + +# Network and Communication Security + +Securing your organization's networks and communication channels is crucial for protecting sensitive information, maintaining business operations, and preventing unauthorized access to resources. + +## Introduction + +Network and communication security encompasses the technologies, policies, and practices that protect the integrity, confidentiality, and availability of data as it travels across networks and communication systems. In today's interconnected world, organizations must address a wide range of threats that target communication channels, from traditional network attacks to sophisticated threats against encrypted communications. + +## Key Components + +This section covers the following aspects of network and communication security: + +1. [Secure Messaging and Communication](./telegram.md) - Best practices for secure messaging platforms, including Telegram +2. [Wireless Network Security](./wireless-security.md) - Securing WiFi and other wireless networks +3. [Virtual Private Networks (VPNs)](./vpn-security.md) - Implementing and using VPNs securely +4. [Secure Remote Access](./remote-access.md) - Approaches for secure remote access to organizational resources +5. [Network Monitoring and Defense](./network-monitoring.md) - Tools and techniques for monitoring network activity and detecting threats + +## Risk-Based Approach + +Network and communication security should be implemented based on the sensitivity of the data being transmitted and the criticality of the communication channels: + +1. Identify critical communication channels and the types of data transmitted +2. Assess the potential impact of communication interception or disruption +3. Implement appropriate security controls based on risk levels +4. Regularly test and audit communication security measures + +## Web3 Considerations + +In Web3 environments, network and communication security includes additional considerations: + +- The role of public blockchain networks in your communications infrastructure +- The security of RPC endpoints and node connections +- Protection against blockchain-specific network attacks +- Balancing transparency with confidentiality in blockchain communications + +The guidance in this section addresses both traditional and Web3-specific network and communication security considerations. \ No newline at end of file diff --git a/src/operational-security/network-communication/telegram.md b/src/opsec-old/network-communication/telegram.md similarity index 100% rename from src/operational-security/network-communication/telegram.md rename to src/opsec-old/network-communication/telegram.md diff --git a/src/operational-security/network-communication/wireless-security.md b/src/opsec-old/network-communication/wireless-security.md similarity index 100% rename from src/operational-security/network-communication/wireless-security.md rename to src/opsec-old/network-communication/wireless-security.md diff --git a/src/operational-security/physical-security/README.md b/src/opsec-old/physical-security/README.md similarity index 100% rename from src/operational-security/physical-security/README.md rename to src/opsec-old/physical-security/README.md diff --git a/src/opsec-old/web3-specific-opsec/README.md b/src/opsec-old/web3-specific-opsec/README.md new file mode 100644 index 00000000..3ba56b9e --- /dev/null +++ b/src/opsec-old/web3-specific-opsec/README.md @@ -0,0 +1,46 @@ +--- +tags: + - Security Specialist + - Operations & Strategy + - Web3 + - Blockchain +--- + +# Web3-Specific Operational Security + +Web3 introduces unique operational security challenges that require specialized approaches beyond traditional security measures. This section focuses on the specific security considerations for organizations operating in the blockchain and decentralized ecosystem. + +## Introduction + +Web3 operational security addresses the distinct threats and vulnerabilities associated with blockchain technologies, decentralized applications, smart contracts, and cryptocurrency operations. The immutable and often public nature of blockchain transactions, combined with the self-custodial responsibility of managing cryptographic assets, creates a security landscape that requires specialized knowledge and techniques. + +## Key Components + +This section covers the following aspects of Web3-specific operational security: + +1. [Wallet Security](./wallet-security.md) - Securing cryptocurrency and NFT wallets +2. [Smart Contract Operational Security](./smart-contract-opsec.md) - Operational considerations for deploying and managing smart contracts +3. [Blockchain Transaction Security](./transaction-security.md) - Securing blockchain transactions against various threats +4. [Decentralized Identity Management](./decentralized-identity.md) - Managing identities in decentralized systems +5. [DAO Security Operations](./dao-security.md) - Operational security considerations for Decentralized Autonomous Organizations +6. [Validator and Node Security](./validator-node-security.md) - Securing blockchain nodes and validators + +## Risk-Based Approach + +Web3 operational security should be implemented based on the value of assets being managed and the criticality of on-chain operations: + +1. Inventory all blockchain assets, wallets, and contracts +2. Classify these assets based on value and criticality to operations +3. Implement appropriate security controls based on risk levels +4. Regularly audit security practices and adapt to emerging threats + +## Intersection with Traditional Security + +While Web3 introduces unique security challenges, it does not replace the need for traditional security measures. This section highlights where Web3-specific controls should be integrated with: + +- Traditional identity and access management +- Device and endpoint security +- Network and communication security +- Human-centered security approaches + +By combining Web3-specific security measures with traditional operational security practices, organizations can build a comprehensive security posture suitable for the decentralized ecosystem. \ No newline at end of file diff --git a/src/opsec/README.md b/src/opsec/README.md index 1b46b840..68047af5 100644 --- a/src/opsec/README.md +++ b/src/opsec/README.md @@ -21,15 +21,21 @@ Operational Security (OpSec) is a systematic approach to identifying critical in This framework is organized into several interconnected components: -1. [Principles & Concepts](./principles/): Core principles and concepts of operational security +1. [Overview](./overview/): Core principles and concepts of operational security 2. [Threat Modeling Overview](./threat-modeling-overview.md): Identifying and analyzing potential security threats -3. [Risk Management](./risk-management.md): Identifying, assessing, and mitigating security risks -4. [Monitoring & Detection](./monitoring.md): Continuous monitoring of security events and anomalies -5. [Incident Response & Recovery](./incident-response-recovery.md): Handling security incidents when they occur -6. [Governance & Program Management](./governance-program-management.md): Establishing security leadership and organizational structures -7. [Control Domains](./control-domains.md): Key areas requiring specific security controls and practices -8. [Lifecycle](./lifecycle.md): The continuous process of implementing and maintaining security measures -9. [Continuous Improvement](./continuous-improvement-metrics.md): Learning from incidents and evolving security practices +3. [Risk Management Overview](./risk-management-overview.md): Identifying, assessing, and mitigating security risks +4. [Monitoring & Detection Overview](): Continuous monitoring of security events and anomalies +5. [Incident Response & Recovery Overview](): Handling security incidents when they occur +6. [Governance & Program Management Overview](): Establishing security leadership and organizational structures +7. [Control Domains Overview](): Key areas requiring specific security controls and practices +8. [Lifecycle Overview](): The continuous process of implementing and maintaining security measures +9. [Continuous Improvement Overview](): Learning from incidents and evolving security practices + +## Additional contents + +- [While Traveling](./opsec/travel/overview.md) + - [Quick Guide](./opsec/travel/quick-guide.md) + - [Thorough Guide](./opsec/travel/guide.md) ## Using This Framework diff --git a/src/opsec/overview/README.md b/src/opsec/overview/README.md new file mode 100644 index 00000000..c7dae883 --- /dev/null +++ b/src/opsec/overview/README.md @@ -0,0 +1,64 @@ +--- +tags: + - Security Specialist + - Operations & Strategy + - Devops + - SRE +contributors: + - role: wrote + users: [mattaereal] + - role: reviewed + users: [] + - role: fact-checked + users: [] +--- + +# Overview + +Operational Security (OpSec) is a practical approach that helps organizations protect sensitive information and critical assets through both foundational security concepts and actionable implementation processes. This section covers the essential frameworks that form the basis of an effective operational security program. + +## What is Operational Security? + +Operational Security is a systematic process that: + +1. Maps and secures critical information and assets +2. Identifies and analyzes relevant threats +3. Discovers and addresses exploitable vulnerabilities +4. Evaluates risks in a business context +5. Deploys targeted controls to mitigate identified risks + +The goal is to prevent unauthorized access to systems and information that could cause operational, financial, or reputational harm if compromised. + +## Security Fundamentals + +The following fundamentals form the foundation of effective operational security: + +- **Layered Protection**: Implementing multiple overlapping security controls so that if one mechanism fails, others will continue to protect your assets. +- **Minimal Access Scopes**: Granting users, systems, and processes only the specific permissions they need to perform their required functions and nothing more. +- **Information Flow Control**: Ensuring sensitive information is only accessible to those with a legitimate need to know, with restrictions on how that information can be shared and used. +- **System Isolation**: Segmenting systems and networks into isolated zones to contain security breaches and limit lateral movement. +- **Continuous Visibility**: Maintaining ongoing awareness of your security posture through active monitoring, testing, and continuous improvement. + +Check the [Security Fundamentals](./security-fundamentals.md) for practical application guidance. + +## Operational Implementation Process + +1. **Critical Asset Identification**: Map and document the assets that would cause significant harm to your organization if compromised. +2. **Practical Threat Analysis**: Identify specific, relevant threat actors and their tactics based on your organization's profile. +3. **Actionable Vulnerability Assessment**: Systematically identify and validate weaknesses in your environment through practical testing. +4. **Contextual Risk Evaluation**: Analyze identified risks in the context of your business to drive informed decision-making. +5. **Targeted Control Deployment**: Implement security controls that address prioritized risks while minimizing operational friction. + +Check out the [Operational Implementation Process](./implementation-process.md) for detailed implementation actions. + +## Web3-Specific Considerations + +In Web3 environments, operational security must address unique challenges: + +- **Transparency vs. Privacy**: Balancing blockchain transparency with the need for operational secrecy +- **Decentralized Operations**: Securing operations across distributed teams and systems +- **Cryptocurrency Security**: Protecting digital assets and private keys +- **Smart Contract Vulnerabilities**: Addressing the immutable nature of deployed code +- **Community Dynamics**: Managing security in open, community-driven projects + +Check out [Web3 considerations](./web3-considerations.md) for more details on these topics. diff --git a/src/opsec/overview/implementation-process.md b/src/opsec/overview/implementation-process.md new file mode 100644 index 00000000..ed087edf --- /dev/null +++ b/src/opsec/overview/implementation-process.md @@ -0,0 +1,145 @@ +--- +tags: + - Security Specialist + - Operations & Strategy +contributors: + - role: wrote + users: [mattaereal] + - role: reviewed + users: [] + - role: fact-checked + users: [] +--- + +# Operational Implementation Process + +> πŸ”‘ **Key Takeaway**: Operational security is implemented through a practical five-phase process: critical asset identification, practical threat analysis, actionable vulnerability assessment, contextual risk evaluation, and targeted control deployment. + +## Relationship to Security Fundamentals + +This document outlines a practical implementation process for operational security that organizations can follow in sequence. This process complements the [Security Fundamentals](security-fundamentals.md) document, which defines the guiding principles: + +- This process provides a **sequential workflow** for security teams to follow +- The fundamentals establish **enduring principles** that shape security architecture + +While this process offers a concrete methodology for implementation, the fundamentals establish the ongoing security approaches that must be maintained throughout your systems. Both elements must work together - the fundamentals guide your overall approach, while this process provides the tactical roadmap. + +For organizations just beginning their security journey, start here with these concrete implementation steps. + +## 1. Critical Asset Identification + +Map and document the assets that would cause significant harm to your organization if compromised. + +> **πŸ”— Related Framework:** This phase integrates with [Asset Inventory](../infrastructure/asset-inventory.md) practices and drives [Data Protection](../operational-security/data-protection/) strategies. + +### Implementation Actions + +1. Conduct asset discovery across your environment using both automated tools and manual inventorying + - For digital assets: Use network scanning, CMDB tools, and cloud resource inventories + - For physical assets: Document hardware, systems and access points +2. Apply a practical classification system with clear, actionable categories + - High-value assets: Direct financial impact if compromised (e.g., private keys, treasury wallets) + - Operational assets: Required for continued business operations + - Sensitive data: Customer information, intellectual property, strategic plans +3. Map information flows to understand how data moves between systems +4. Assign specific owners responsible for each asset category +5. Establish a sustainable review cadence based on your environment + - High-volatility environments: Monthly reviews + - Stable environments: Quarterly reviews + - Document trigger events requiring immediate review (acquisitions, new products, etc.) + +## 2. Practical Threat Analysis + +Identify specific, relevant threat actors and their tactics based on your organization's profile. + +> **πŸ”— Related Framework:** For hands-on approaches, see [Understanding Threat Vectors](../awareness/understanding-threat-vectors.md) and [Threat Modeling](../threat-modeling/) frameworks. + +### Implementation Actions + +1. Create a focused threat profile based on: + - Your industry's recent attack history (consult threat intelligence reports) + - Your organization's specific attack surface + - The value of your assets to different adversaries +2. Document concrete adversary personas with specific capabilities: + - External attackers: Targeted vs. opportunistic + - Insider risks: Privileged users, contractors, disgruntled employees + - Supply chain actors: Vendors with access to your systems +3. Map threat actors to their likely tactics using MITRE ATT&CK or similar frameworks +4. Establish threat intelligence feeds relevant to your environment +5. Create a lightweight process for updating threat models when new intelligence emerges + +## 3. Actionable Vulnerability Assessment + +Systematically identify and validate weaknesses in your environment through practical testing. + +> **πŸ”— Related Framework:** This aligns with the [Security Testing](../security-testing/) framework and includes practices like [Static Application Security Testing](../security-testing/static-application-security-testing.md) and [Dynamic Application Security Testing](../security-testing/dynamic-application-security-testing.md). + +### Implementation Actions + +1. Implement a layered vulnerability discovery program: + - Automated scanning: Deploy tools appropriate for your environment (infrastructure, applications, cloud) + - Manual testing: Conduct regular penetration tests focusing on critical systems + - Red team exercises: Simulate real-world attacks against your defenses +2. Examine security processes for operational gaps: + - Incident response procedures: Test through tabletop exercises + - Access management: Audit privilege escalation paths + - Change management: Review for security bypass opportunities +3. Evaluate security awareness through: + - Targeted phishing simulations + - Knowledge assessments + - Procedural compliance checks +4. Document findings in a centralized vulnerability management system with clear ownership +5. Implement a consistent vulnerability scoring system to enable prioritization + +## 4. Contextual Risk Evaluation + +Analyze identified risks in the context of your business to drive informed decision-making. + +> **πŸ”— Related Framework:** For practical approaches, see [Governance](../governance/) and [Risk Management](../governance/risk-management.md) frameworks. + +### Implementation Actions + +1. Establish a practical risk calculation methodology that considers: + - Business impact (financial, operational, reputational) + - Exploitation likelihood based on real-world attack patterns + - Existing control effectiveness +2. Create a prioritized risk register with clear owners and timelines +3. Define risk acceptance criteria based on your organization's risk tolerance +4. Develop risk narratives that translate technical findings into business impacts +5. Implement a streamlined risk review process that: + - Enables timely decisions + - Involves appropriate stakeholders + - Documents rationale for future reference + - Triggers reassessment when conditions change + +## 5. Targeted Control Deployment + +Implement security controls that address prioritized risks while minimizing operational friction. + +> **πŸ”— Related Framework:** Implementation integrates with [Security Automation](../security-automation/) and control frameworks like [Infrastructure](../infrastructure/) and [Identity and Access Management](../iam/). + +### Implementation Actions + +1. Design a defense-in-depth strategy with layered controls: + - Preventive: Stop attacks before they succeed + - Detective: Identify attacks in progress + - Responsive: Limit damage from successful attacks + - Recovery: Restore normal operations +2. Select controls using a balanced approach: + - Technical feasibility in your environment + - Implementation and maintenance costs + - Potential operational impact + - Coverage of multiple risks where possible +3. Implement controls using a phased approach: + - Quick wins: Deploy high-impact, low-effort controls first + - Foundational controls: Build core security capabilities + - Advanced measures: Address sophisticated threats +4. Validate control effectiveness through: + - Technical testing + - Process verification + - Metrics collection +5. Document clear procedures for: + - Control operation + - Maintenance requirements + - Monitoring and alerting + - Incident response when controls fail diff --git a/src/opsec/overview/security-fundamentals.md b/src/opsec/overview/security-fundamentals.md new file mode 100644 index 00000000..068d8178 --- /dev/null +++ b/src/opsec/overview/security-fundamentals.md @@ -0,0 +1,184 @@ +--- +tags: + - Security Specialist + - Operations & Strategy +contributors: + - role: wrote + users: [mattaereal] + - role: reviewed + users: [] + - role: fact-checked + users: [] +--- + +# Security Fundamentals + +> πŸ”‘ **Key Takeaway**: Effective security operations are built on five practical fundamentals: layered protective measures, minimized access scopes, controlled information flows, system isolation, and continuous visibility β€” working together to secure critical assets in dynamic environments. + +## Relationship to Implementation Process + +This document outlines the foundational security approaches that should be embedded throughout your organization's operations. They complement the practical [Operational Implementation Process](implementation-process.md), which defines specific action steps: + +- These fundamentals establish **enduring approaches** that shape your security architecture +- The implementation process provides a **sequential workflow** for security teams to follow + +While these fundamentals provide the security principles that should be consistently applied across your environment, the implementation process offers a structured methodology for putting security into practice. Both elements must work in concert - these fundamentals guide your overall approach, while the implementation process provides the tactical roadmap. + +For organizations just beginning their security journey, start with the [Operational Implementation Process](implementation-process.md) for concrete steps. + +The ultimate goal is to prevent unauthorized access to systems and information that could cause operational, financial, or reputational harm if compromised. + +> **Practical Example: Web3 Organization** +> +> Consider a Web3 project managing a DeFi protocol with a treasury of $10M in assets. Practical security fundamentals in action include: +> +> - **Layered protection**: Hardware security modules for key storage, multi-signature requirements (3-of-5) for transactions, automated monitoring for unusual patterns, and regular third-party security audits +> - **Minimal access scopes**: Deployment keys accessible only to specific DevOps team members, with different permission levels strictly enforced between development, staging, and production environments +> - **Information flow control**: Private keys for multi-signature wallets distributed among trusted team members based on role, with sensitive incident response procedures restricted to the security team +> - **System isolation**: Clear separation between development environments and production systems, with treasury management isolated from day-to-day operations +> - **Continuous visibility**: Real-time monitoring systems tracking transaction patterns, weekly security reviews, and quarterly penetration tests with findings addressed in prioritized sprints + +## 1. Layered Protection + +Implement multiple overlapping security controls so that if one mechanism fails, others will continue to protect your assets. + +> **πŸ”— Related Framework:** This approach is reinforced in frameworks like [Infrastructure](../infrastructure/) with [Zero-Trust Principles](../infrastructure/zero-trust-principles.md) and [Network Security](../infrastructure/network-security.md). + +### Practical Application + +1. Implement multiple defensive mechanisms that protect against the same risks using different methods + - Example: Protect admin interfaces using network ACLs, MFA, time-limited access windows, and anomaly detection +2. Deploy protection at each layer of your technology stack + - Network layer: Firewalls, network segmentation, DDoS protection + - Host layer: Endpoint protection, host-based IDS, secure configuration + - Application layer: Input validation, output encoding, API security + - Data layer: Encryption, access controls, data loss prevention +3. Identify and eliminate single points of failure in your security architecture + - Map defense coverage to ensure overlapping protections + - Document security dependencies and create contingency plans +4. Test defensive layers regularly through realistic scenarios + - Conduct tabletop exercises focused on specific defensive failures + - Use red team exercises to validate defense-in-depth effectiveness +5. Maintain a continuous improvement cycle for each defensive layer + - Review and update security controls after incidents or near-misses + - Track industry developments to identify emerging defensive tactics + +## 2. Minimal Access Scopes + +Grant users, systems, and processes only the specific permissions they need to perform their required functions and nothing more. + +> **πŸ”— Related Framework:** For detailed implementation, see [Identity and Access Management](../iam/) and [Role-Based Access Control](../iam/role-based-access-control.md). + +### Practical Application + +1. Implement a structured permission model that starts with zero access + - Default deny: Require explicit permission grants for all access + - Document justification for each permission granted + - Create standardized role templates for common job functions +2. Establish automated processes for access lifecycle management + - Onboarding: Provision minimal initial access based on role + - Role changes: Adjust permissions when responsibilities change + - Offboarding: Remove all access immediately upon departure +3. Apply time-based restrictions to elevated privileges + - Use just-in-time access for administrative functions + - Implement automatic session termination after periods of inactivity + - Require re-authentication for sensitive operations +4. Conduct regular access reviews with verification + - Quarterly: Review all privileged accounts and service accounts + - Semi-annually: Audit all standard user accounts and group memberships + - Use automated tools to identify inactive or excessive permissions +5. Implement technical controls to enforce minimal access + - Application permissions: API scopes, feature flags, entitlement checks + - Infrastructure permissions: IAM policies, network ACLs, resource policies + - Database permissions: Row-level security, column-level controls + +## 3. Information Flow Control + +Ensure sensitive information is only accessible to those with a legitimate need to know, with restrictions on how that information can be shared and used. + +> **πŸ”— Related Framework:** This approach is supported by practices in [Data Protection](../operational-security/data-protection/) and aspects of [Privacy](../privacy/). + +### Practical Application + +1. Implement a practical data classification system with clear handling requirements + - Public: Information approved for general distribution + - Internal: Business information for employee use only + - Confidential: Sensitive information requiring specific protections + - Restricted: Critical information with strictly controlled access +2. Define and enforce data handling procedures for each classification level + - Storage requirements: Where information can be stored + - Transmission rules: How information can be sent/shared + - Processing restrictions: How information can be used + - Retention limits: How long information should be kept +3. Deploy technical controls to enforce information flow policies + - Data loss prevention tools to monitor and block unauthorized sharing + - Encryption for data at rest and in transit based on sensitivity + - Information rights management for persistent protection +4. Establish secure channels for different types of communication + - High-sensitivity: End-to-end encrypted messaging with disappearing messages + - Medium-sensitivity: Encrypted collaboration platforms with access controls + - Low-sensitivity: Standard business communication tools +5. Train users on practical information handling procedures + - Provide clear guidelines with concrete examples + - Use realistic scenarios in training materials + - Conduct periodic verification checks + +## 4. System Isolation + +Segment systems and networks into isolated zones to contain security breaches and limit lateral movement. + +### Practical Application + +1. Implement network segmentation based on security requirements + - Create security zones with consistent trust levels + - Implement strict traffic control between zones + - Document and regularly review allowed communication paths +2. Establish environment separation with controlled boundaries + - Maintain distinct development, testing, staging, and production environments + - Implement one-way data flows from higher to lower environments + - Control code promotion processes between environments +3. Isolate high-value systems with enhanced protection + - Place critical infrastructure on dedicated hardware + - Example: Run blockchain nodes on dedicated hardware isolated from general workstations + - Implement jump servers or privileged access workstations for administrative access +4. Apply micro-segmentation where appropriate + - Container isolation: Enforce pod security policies and network policies + - Application segmentation: Implement service meshes with mutual TLS + - Process isolation: Use containerization, virtualization, or sandboxing +5. Monitor and enforce boundary controls + - Implement egress filtering to control outbound connections + - Deploy internal firewalls between segments + - Use network monitoring to detect unauthorized communication attempts + +## 5. Continuous Visibility + +Maintain ongoing awareness of your security posture through active monitoring, testing, and continuous improvement. + +> **πŸ”— Related Framework:** For implementation details, see the [Monitoring](../monitoring/) framework, including [Guidelines](../monitoring/guidelines.md) and [Thresholds](../monitoring/thresholds.md). Also relevant is [Incident Management](../incident-management/) for response to detected issues. + +### Practical Application + +1. Implement a multi-layered monitoring strategy + - System monitoring: Performance, availability, and system integrity + - Security monitoring: Threat detection, anomaly identification, and correlation + - Compliance monitoring: Policy enforcement and regulatory requirements + - Establish clear ownership for each monitoring domain +2. Define actionable metrics tied to security objectives + - Leading indicators: Metrics that help predict future issues + - Example: Percentage of systems with current patches + - Lagging indicators: Metrics that measure past performance + - Example: Mean time to detect and respond to incidents +3. Establish a regular testing cadence to validate security controls + - Vulnerability scanning: Weekly automated scans + - Penetration testing: Quarterly focused tests on critical systems + - Red team exercises: Annual comprehensive assessments +4. Implement a structured incident management process + - Define clear incident response procedures with specific roles + - Conduct regular tabletop exercises to practice response + - Perform thorough post-incident reviews focused on improvement + - Create feedback loops to security controls based on incidents +5. Maintain an active threat intelligence program + - Collect intelligence relevant to your specific environment + - Analyze and contextualize threats for your organization + - Disseminate actionable intelligence to appropriate teams + - Use threat intelligence to drive security improvements diff --git a/src/opsec/overview/web3-considerations.md b/src/opsec/overview/web3-considerations.md new file mode 100644 index 00000000..5b904c51 --- /dev/null +++ b/src/opsec/overview/web3-considerations.md @@ -0,0 +1,163 @@ +--- +tags: + - Security Specialist + - Operations & Strategy +contributors: + - role: wrote + users: [mattaereal] + - role: reviewed + users: [] + - role: fact-checked + users: [] +--- + +# Web3-Specific OpSec Considerations + +> πŸ”‘ **Key Takeaway**: Web3 environments require specialized security approaches that balance blockchain transparency with privacy, address immutability risks, manage self-custody responsibilities, secure decentralized operations, mitigate smart contract vulnerabilities, and navigate community-driven security challenges. + +In addition to traditional OpSec principles, Web3 environments require consideration of unique challenges. Many organizations claim to be backed only by decentralized technologies, but they later realize that part of their process is dependant on technologies that are not. + + + +## Transparency vs. Privacy + +Balancing the transparent nature of blockchain with the need for operational privacy. + +### Suggested steps + +1. Understand what information is publicly visible on-chain + - Transaction amounts, addresses, contract interactions, and timestamps + - Use block explorers and analysis tools to understand your on-chain footprint +2. Develop strategies to maintain operational privacy while utilizing public blockchains + - Use different addresses for different transaction types or business functions + - Consider privacy-focused layer 2 solutions for sensitive operations +3. Use privacy-enhancing technologies where appropriate + - ZK (Zero-Knowledge) protocols for privacy-preserving computations + - Privacy pools or similar technologies (when legally permissible) + - Privacy-focused blockchains for specific operations (e.g., Monero, Zcash) + +## Immutability and Finality + +Recognizing that blockchain transactions are generally irreversible, requiring heightened security before execution. + +### Suggested steps + +1. Implement robust verification procedures before executing transactions + - Mandatory multi-person review for transactions above defined thresholds + - Automated checks for anomalous transaction patterns + - Hash verification of destination addresses +2. Use multi-signature requirements for high-value transactions + - 3-of-5 or 2-of-3 signature schemes for treasury operations + - Hardware wallets for each signer with physical separation + - Time-locks for large transfers (24-48 hour delay before execution) +3. Deploy transaction simulation tools to verify outcomes before execution + - Use Tenderly or similar platforms to simulate transactions in a fork of the chain + - Verify gas estimates and test with small amounts first when using new contracts\ + - Use auxiliary tools such as [Safe Multi-sig Transaction Hashes](https://github.com/pcaversaccio/safe-tx-hashes-util) +4. Establish secure deployment practices for smart contracts + - Use formal verification tools before mainnet deployment + - Implement deployment scripts with dry-run functionality + - Require multiple approvals in your deployment pipeline + - Consider gradual deployments with circuit breakers for critical contracts + +## Self-Custody Responsibility + +Managing private keys and digital assets with appropriate security controls. + +> **πŸ”— Related Framework:** For detailed guidance on wallet security practices, see the [Wallet Security](../../wallet-security/) framework. + +### Suggested steps + +1. Develop clear procedures for wallet security + - Air-gapped hardware wallet setups for cold storage + - Specific seed phrase backup procedures (e.g., metal backups, split storage) + - Clear rules for when hot vs. cold wallets should be used +2. Implement separation of duties for transaction approval + - Different roles for transaction initiation, verification, and execution + - Rotation of responsibilities to prevent single points of compromise + - Hardware security modules (HSMs) for institutional-grade key management +3. Balance security with operational efficiency + - Define thresholds for different security requirements (e.g., <$10K, $10K-$100K, >$100K) + - Implement tiered wallet architecture (hot wallets for operations, cold storage for reserves) + - Establish secure methods for replenishing hot wallets from cold storage +4. [Stay up-to-date](../../awareness/staying-up-to-date.md) with best practices in wallet security and custody solutions + - Subscribe to security advisory services for cryptocurrencies + - Follow developments in MPC (Multi-Party Computation) wallet technologies + - Regularly review and test recovery procedures + +## Decentralized Operations + +Securing operations across distributed teams and systems. + +### Suggested steps + +1. Establish clear security protocols for remote team members + - Device security requirements (disk encryption, endpoint protection, auto-updates) + - Secure home network guidelines (dedicated VLANs, strong WPA3 passwords) + - Clear policies for public WiFi usage (always-on VPN requirement) +2. Use secure communication channels for sensitive discussions + - End-to-end encrypted messaging (Signal, Matrix/Element with verified devices) + - Ephemeral messaging for highly sensitive topics (disappearing messages) + - Encrypted video conferencing with waiting rooms and passwords (Jitsi, Signal) + - PGP-encrypted emails for sensitive communications that need to be preserved +3. Implement strong authentication for all team members + - Hardware security keys (Yubikeys, Passkeys) as primary 2FA method + - TOTP apps as backup authentication method (not SMS) + - Passwordless authentication where possible (WebAuthn/FIDO2) + - Regular access review and prompt offboarding procedures +4. Create guidelines for secure collaboration in a distributed environment + - Encrypted file storage and sharing (Cryptomator, end-to-end encrypted cloud storage) + - Private repositories with signed commits for code collaboration + - Secure DevOps practices for CI/CD pipelines + - Role-based access to administrative systems with just-in-time privilege elevation + +## Smart Contract Vulnerabilities + +Addressing the immutable nature of deployed code. + +### Suggested steps + +1. Conduct thorough code reviews and security audits before deployment + - Multiple independent security audits for critical contracts + - Comprehensive test coverage (>95%) for all contract functions + - Symbolic execution and static analysis tools (Slither, Mythril) +2. Implement upgradability patterns where appropriate + - Proxy patterns with clear governance mechanisms + - Immutable core logic with upgradeable periphery + - Emergency pause functionality with decentralized controls +3. Use formal verification where possible + - Mathematical proofs of contract correctness for critical functions + - Verification of business logic and security properties + - Property-based testing frameworks (Echidna, Scribble) +4. Maintain comprehensive testing environments + - Local development environments with mainnet forking + - Testnet deployments with real-world simulation + - Adversarial testing and red team exercises +5. Consider timelocks and circuit breakers for critical functions + - Time-delayed administration actions (48-72 hours) + - Value-limit circuit breakers for suspicious transaction volumes + - Decentralized monitoring and alerting systems + +## Community Dynamics + +Managing security in open, community-driven projects. + +### Suggested steps + +1. Develop clear security guidelines for community contributors + - Documented security policies in repositories + - Security templates for pull requests + - Required security reviews for changes to sensitive components +2. Establish review processes for community-submitted code + - Multi-level review requirements based on code criticality + - Automated security scanning integrated into CI/CD pipelines + - Bounty programs for vulnerability identification +3. Create security awareness programs for the community + - Educational resources on common vulnerabilities + - Regular security-focused community calls or workshops + - Recognition for security-conscious contributions +4. Balance transparency with operational security needs + - Clear guidelines on what information should remain private + - Secure channels for reporting vulnerabilities + - Responsible disclosure policies and timelines + - Public security incident post-mortems (with appropriate redactions) diff --git a/src/opsec/risk-management-overview.md b/src/opsec/risk-management-overview.md new file mode 100644 index 00000000..29bf1edf --- /dev/null +++ b/src/opsec/risk-management-overview.md @@ -0,0 +1,155 @@ +--- +tags: + - Security Specialist + - Operations & Strategy + - Devops + - SRE +contributors: + - role: wrote + users: [mattaereal] + - role: reviewed + users: [] + - role: fact-checked + users: [] +--- + +# Risk Management + +> πŸ”‘ **Key takeaway**: Risk management transforms threat information into actionable priorities. It helps you determine which threats matter most, where to allocate resources, and how to make security trade-offs that align with business goals. + +Effective risk management builds upon threat modeling to assess, prioritize, and mitigate identified security risks. While threat modeling identifies what needs protection and potential attack vectors, risk management determines which threats warrant immediate attention and resources. + +## Risk Assessment Process + + + +> **πŸ”— Related Framework:** This process builds directly on outputs from [Threat Modeling](./threat-modeling-overview.md). + +### Key Components + +1. **Impact Analysis**: Estimating the potential consequences of a security incident +2. **Likelihood Determination**: Assessing the probability of a threat exploiting a vulnerability +3. **Risk Calculation**: Combining impact and likelihood to determine risk levels +4. **Risk Prioritization**: Determining which risks to address first + +### Implementation Steps + +1. For each threat scenario identified in threat modeling, assign impact ratings based on financial, operational, and reputational factors +2. Determine likelihood based on threat intelligence and historical data +3. Calculate risk scores (typically Risk = Impact Γ— Likelihood) +4. Prioritize risks based on scores and organizational context + +### Prioritization Methodology + +Not all risks require the same level of attention. Prioritize based on: + +| Factor | Description | +|--------|-------------| +| **Risk Level** | Focus on high and critical risks first | +| **Asset Value** | Prioritize risks to your most valuable assets | +| **Mitigation Feasibility** | Consider how easily and cost-effectively a risk can be addressed | +| **Regulatory Requirements** | Address risks with compliance implications | +| **Strategic Alignment** | Focus on risks that align with strategic security initiatives | + +## Trade-off Analysis + +Security decisions often involve trade-offs between security, usability, cost, and other factors. Trade-off analysis helps make informed decisions. + +### Key Considerations + +| Trade-off | Description | +|-----------|-------------| +| **Security vs. Usability** | More security controls often mean less convenience | +| **Cost vs. Risk Reduction** | Security measures must be cost-effective | +| **Speed vs. Security** | Fast implementation may compromise security | +| **Centralization vs. Decentralization** | Control vs. resilience | +| **Transparency vs. Security** | Open information vs. operational secrecy | + +### Decision-Making Framework + +1. **Define**: Clearly articulate the security challenge and objectives +2. **Identify**: Enumerate all viable options +3. **Analyze**: Evaluate each option against established criteria +4. **Select**: Choose the option that best balances competing priorities +5. **Implement**: Execute the chosen option +6. **Review**: Assess the effectiveness of the decision and adjust as needed + +## Web3-Specific Considerations + +In Web3 environments, risk management must address unique challenges: + +### Unique Risk Factors + +| Risk Factor | Description | +|-------------|-------------| +| **Smart Contract Vulnerabilities** | Immutable code with potential security flaws | +| **Private Key Management** | Securing cryptographic keys that control assets | +| **Decentralized Governance** | Distributed decision-making for security matters | +| **Protocol Inter-dependencies** | Risks from connected protocols and services | +| **Regulatory Uncertainty** | Evolving legal landscape for blockchain technologies | + +### Best Practices for Web3 Organizations + +| Practice | Implementation | Primary Risk Addressed | +|----------|----------------|------------------------| +| **Key Management** | Implement multi-signature wallets, hardware security, and key rotation procedures | Private key compromise | +| **Smart Contract Security** | Conduct thorough code audits, formal verification, and staged deployments | Contract vulnerabilities | +| **Incident Response** | Develop cryptocurrency-specific incident plans with predefined actions | All attack vectors | +| **Security Governance** | Establish clear security roles even in decentralized organizations | Governance gaps | +| **Dependency Monitoring** | Regularly audit connected protocols and dependencies | Supply chain attacks | +| **Regulatory Compliance** | Stay informed about evolving regulations across jurisdictions | Legal/regulatory risks | + +
+⬇️ Collapsable Example: Risk Assessment for Pinnipeds Inc. + +### Pinnipeds Inc. Risk Assessment + +Building on the threat vectors identified during threat modeling, Pinnipeds Inc. conducted a risk assessment: + +#### Risk Calculation Methodology + +| Rating | Impact | Likelihood | +|--------|--------|------------| +| **1** | Minimal | Rare | +| **2** | Minor | Unlikely | +| **3** | Moderate | Possible | +| **4** | Major | Likely | +| **5** | Severe | Almost Certain | + +**Formula: Risk Score = Impact Γ— Likelihood** + +#### High Risk Threats (Score 15-25) + +| Threat Scenario | Likelihood | Impact | Risk Score | Reasoning | +|-----------------|------------|--------|------------|-----------| +| Treasury wallet compromise | 4 | 5 | 20 | High impact due to direct financial loss; relatively high likelihood given frequency of attacks on crypto companies | +| Source code theft | 3 | 5 | 15 | High impact due to IP loss and potential backdoor insertion; medium likelihood based on industry intelligence | +| Phishing of employees | 5 | 3 | 15 | Medium impact as most employees have limited access; very high likelihood based on attack trends | + +#### Medium Risk Threats (Score 8-14) + +| Threat Scenario | Likelihood | Impact | Risk Score | Reasoning | +|-----------------|------------|--------|------------|-----------| +| Client data breach | 3 | 4 | 12 | Major impact to reputation; moderate likelihood based on API exposure | +| DDoS on infrastructure | 4 | 3 | 12 | Moderate impact on operations; likely to occur given industry trends | +| AWS credentials leaked | 2 | 5 | 10 | Severe impact if exploited; unlikely due to current controls | + +#### Mitigation Decision Process + +| Factor | Approach | +|--------|----------| +| **Resource allocation** | 60% of security budget allocated to high-risk threats | +| **Implementation timeline** | High-risk mitigations scheduled for completion within 30 days | +| **Control selection criteria** | Controls evaluated based on cost, operational impact, effectiveness, and implementation time | + +This risk-based approach allowed Pinnipeds Inc. to make informed decisions about which security controls to implement first, focusing resources where they would have the greatest risk-reduction impact. + +
+ +## Further Reading & Tools + +- [NIST Risk Management Framework](https://csrc.nist.gov/projects/risk-management) +- [ISO 31000:2018 Risk Management Guidelines](https://www.iso.org/standard/65694.html) +- [FAIR (Factor Analysis of Information Risk) Framework](https://www.fairinstitute.org/) +- [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology) +- Tools: [Eramba](https://www.eramba.org/) (open source GRC) \ No newline at end of file diff --git a/src/opsec/threat-modeling-overview.md b/src/opsec/threat-modeling-overview.md index 1eff9566..41a2f8c5 100644 --- a/src/opsec/threat-modeling-overview.md +++ b/src/opsec/threat-modeling-overview.md @@ -17,6 +17,28 @@ contributors: Effective security requires understanding **what you're protecting and who you're protecting it from**. Without a structured threat model, security efforts become unfocused and inefficient. Different entities face different threats based on their assets, visibility, and technological footprint. +## Why is it important + +Failure to implement threat modeling has led to catastrophic security breaches: + +- [How Threat Modeling Could Have Prevented the 1.5B ByBit Hack](https://blog.trailofbits.com/2025/02/25/how-threat-modeling-could-have-prevented-the-1.5b-bybit-hack/) +- [North Korea's Lazarus Group stole $620 million from Axie Infinity's Ronin bridge (2022)](https://home.treasury.gov/news/press-releases/jy0768) through a sophisticated attack targeting blockchain infrastructure +- [The Nomad bridge lost $190 million (2022)](https://medium.com/nomad-xyz-blog/nomad-bridge-hack-root-cause-analysis-875ad2e5aacd) through a critical vulnerability that allowed attackers to bypass transaction validation +- [The 2020 Twitter compromise](https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident) resulted in hijacked high-profile accounts being used for cryptocurrency scams + +### Common pitfalls & examples + +- **Tunnel vision**: The Colonial Pipeline attack (2021) succeeded through a legacy VPN account without MFA, while the company focused security resources on operational technology +- **Unrealistic scenarios**: Many organizations over-invested in zero-day defense while leaving basic phishing vulnerabilities open +- **Static models**: Equifax's 2017 breach occurred partly because threat models weren't updated to reflect new attack patterns +- **Insider blindness**: The 2020 Twitter compromise of high-profile accounts happened when internal admin tools weren't included in threat modeling + +Organizations that implement threat modeling can focus limited security resources on their most significant risks, avoiding both over-protection of low-value assets and under-protection of critical systems. A DeFi protocol that fails to properly identify potential attack vectors, might focus extensively on their website and marketing infrastructure while overlooking smart contract security. + +Effective threat modeling ensures security teams can identify and document all potential attack paths - enabling risk management teams to later assess and prioritize these threats effectively. Without threat modeling, organizations often distribute security resources evenly across all assets regardless of risk levels. + + + ## Practical guidance > **πŸ”— Related Framework:** For detailed approaches, see [Understanding Threat Vectors](../awareness/understanding-threat-vectors.md) and [Threat Modeling](../threat-modeling/) frameworks. @@ -25,7 +47,7 @@ Effective security requires understanding **what you're protecting and who you'r 1. **Digital value stores**: Document cryptocurrencies, tokens, NFTs, and any assets directly convertible to monetary value 2. **Credentials & access information**: Catalog passwords, API keys, recovery seeds/phrases, private keys, and other non-physical authentication data -3. **Hardware & physical devices**: +3. Identify all **Hardware & physical devices**: - **Computing devices**: Computers, phones, tablets, servers - **Security hardware**: Hardware wallets, YubiKeys, MFA devices, HSMs - **Physical security**: Office equipment, security systems, physical access controls @@ -33,8 +55,14 @@ Effective security requires understanding **what you're protecting and who you'r 5. **Sensitive information & intellectual property**: Track code repositories, proprietary algorithms, customer data, business documents, email archives, and backup files 6. **Legal & compliance assets**: Identify digital certificates, identity documents, contracts, and regulatory compliance documentation +For these, you can use technologies such as: + +- Configuration Management Databases (CMDBs) +- Specialized asset tracking software +- GRC (Governance, Risk, and Compliance) platforms with asset inventory modules +
-Example: Pinnipeds Inc. asset inventory +⬇️ Collapsible Example: Pinnipeds Inc. asset inventory ### Pinnipeds Inc. Asset Inventory @@ -63,7 +91,7 @@ Pinnipeds Inc. is a small company with 15 employees. Here's how they categorized - Persistence level (hit-and-run vs. long-term compromise)
-Example: Analysis of adversaries targeting Pinnipeds Inc. +⬇️ Collapsible Example: Analysis of adversaries targeting Pinnipeds Inc. ### Pinnipeds Inc. Adversary Analysis @@ -86,7 +114,7 @@ Pinnipeds Inc. is a small company with 15 employees. Here's how they categorized 3. **Link attack vectors to adversary capabilities** identified in your adversary analysis
-Example: Attack Vector Mapping for Pinnipeds Inc. +⬇️ Collapsible Example: Attack Vector Mapping for Pinnipeds Inc. ### Pinnipeds Inc. Attack Vector Analysis @@ -119,19 +147,6 @@ Pinnipeds Inc. is a small company with 15 employees. Here's how they categorized
-## Why is it important - -Failure to implement threat modeling has led to catastrophic security breaches: - -- [How Threat Modeling Could Have Prevented the 1.5B ByBit Hack](https://blog.trailofbits.com/2025/02/25/how-threat-modeling-could-have-prevented-the-1.5b-bybit-hack/) -- [North Korea's Lazarus Group stole $620 million from Axie Infinity's Ronin bridge (2022)](https://home.treasury.gov/news/press-releases/jy0768) through a sophisticated attack targeting blockchain infrastructure -- [The Nomad bridge lost $190 million (2022)](https://medium.com/nomad-xyz-blog/nomad-bridge-hack-root-cause-analysis-875ad2e5aacd) through a critical vulnerability that allowed attackers to bypass transaction validation -- [The 2020 Twitter compromise](https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident) resulted in hijacked high-profile accounts being used for cryptocurrency scams - -Organizations that implement threat modeling can focus limited security resources on their most significant risks, avoiding both over-protection of low-value assets and under-protection of critical systems. - -Without threat modeling, organizations often distribute security resources evenly across all assets regardless of risk levels. A real-world example shows how costly this approach can be: a DeFi protocol failed to properly identify potential attack vectors, focusing extensively on their website and marketing infrastructure while overlooking smart contract security. The result was a million-dollar exploit through a contract vulnerability that proper threat modeling would have identified as a critical attack vector. Effective threat modeling ensures security teams can identify and document all potential attack paths - enabling risk management teams to later assess and prioritize these threats effectively. - ## Implementation details | When to implement | Description | @@ -149,27 +164,28 @@ Without threat modeling, organizations often distribute security resources evenl - **HR/Management**: Address insider threat risks and security awareness training - **Community/Marketing**: Consider reputation risks and public-facing attack surfaces -## Common pitfalls & examples +## Practical Frameworks and Tools -- **Tunnel vision**: The Colonial Pipeline attack (2021) succeeded through a legacy VPN account without MFA, while the company focused security resources on operational technology -- **Unrealistic scenarios**: Many organizations over-invested in zero-day defense while leaving basic phishing vulnerabilities open -- **Static models**: Equifax's 2017 breach occurred partly because threat models weren't updated to reflect new attack patterns -- **Insider blindness**: The 2020 Twitter compromise of high-profile accounts happened when internal admin tools weren't included in threat modeling +After completing the asset inventory, adversary analysis, and attack vector mapping, organizations can leverage established frameworks and visualization techniques to systematize their threat modeling approach. These tools help translate the theoretical understanding of threats into practical, actionable security measures. + +### STRIDE Threat Categorization Framework + +The STRIDE framework, developed by Microsoft in the late 1990s, offers a systematic approach to identifying and categorizing threats. It maps directly to key security properties that must be protected in any system: -## Quick-reference / Cheat sheet +| STRIDE Category | Security Property Violated | Description | Example in Web3 | Common Mitigations | +|-----------------|----------------------------|-------------|-----------------|-------------------| +| **S**poofing | Authentication | Impersonating something or someone else | Phishing attacks to steal wallet credentials | Strong MFA, hardware security keys, signing operations | +| **T**ampering | Integrity | Modifying data or code | Smart contract manipulation through vulnerable functions | Integrity checks, code signing, immutable audit logs | +| **R**epudiation | Non-repudiation | Denying performed actions | Disputing transaction authorization | Blockchain transaction signing, comprehensive logging | +| **I**nformation disclosure | Confidentiality | Exposing sensitive data | Private key extraction from insecure storage | Encryption, proper key management, minimal privilege | +| **D**enial of service | Availability | Disrupting availability for legitimate users | Network congestion attacks, high gas fees | Rate limiting, redundancy, circuit breakers | +| **E**levation of privilege | Authorization | Gaining unauthorized access | Exploiting admin functions in contracts | Least privilege, strict role separation, multi-sig | -### STRIDE Threat Categorization +Organizations can apply STRIDE systematically to each component identified in their asset inventory to ensure comprehensive threat coverage. -| Category | Description | Example Mitigation | -|----------|-------------|-------------------| -| **S**poofing | Identity impersonation | Strong authentication, signing | -| **T**ampering | Unauthorized modifications | Integrity checks, access controls | -| **R**epudiation | Denying performed actions | Logging, audit trails | -| **I**nformation disclosure | Exposing sensitive data | Encryption, minimal privileges | -| **D**enial of service | Disrupting availability | Rate limiting, redundancy | -| **E**levation of privilege | Gaining unauthorized access | Least privilege, segmentation | +### Attack Trees: Visualizing Attack Paths -### Attack Tree Example +Attack trees provide a structured method to visualize potential attack scenarios against critical assets. They help security teams understand the relationship between different attack vectors and identify the most critical paths requiring mitigation: ``` Goal: Steal crypto assets @@ -193,4 +209,4 @@ Goal: Steal crypto assets - [OWASP Threat Modeling Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html) - [Microsoft STRIDE Model](https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats) - [MITRE ATT&CK Framework](https://attack.mitre.org/) -- Tools: Microsoft Threat Modeling Tool, OWASP Threat Dragon +- Tools: [Microsoft Threat Modeling Tool](https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling), [OWASP Threat Dragon](https://owasp.org/www-project-threat-dragon/) \ No newline at end of file diff --git a/src/opsec/travel/guide.md b/src/opsec/travel/guide.md new file mode 100644 index 00000000..883aeb5e --- /dev/null +++ b/src/opsec/travel/guide.md @@ -0,0 +1 @@ +# Thorough Guide diff --git a/src/opsec/travel/overview.md b/src/opsec/travel/overview.md new file mode 100644 index 00000000..79d8cbf3 --- /dev/null +++ b/src/opsec/travel/overview.md @@ -0,0 +1 @@ +# While Traveling diff --git a/src/opsec/travel/quick-guide.md b/src/opsec/travel/quick-guide.md new file mode 100644 index 00000000..67b3414b --- /dev/null +++ b/src/opsec/travel/quick-guide.md @@ -0,0 +1 @@ +# Quick Guide diff --git a/wordlist.txt b/wordlist.txt index aa6be532..9ef3c871 100644 --- a/wordlist.txt +++ b/wordlist.txt @@ -392,4 +392,19 @@ levation exfiltration validators hotspots -Terpin's \ No newline at end of file +Terpin's +CMDB +CMDBs +ZK +Monero +Zcash +MPC +Jitsi +Passwordless +WebAuthn +FIDO +Cryptomator +redactions +sandboxing +Eramba +GRC \ No newline at end of file