... | ... | @@ -5,7 +5,7 @@ |
* Duration: 1 hour
* Description: a discussion about how teams can build, maintain and evaluate their own security policies. We want to hear suggestions in how security policies can be implemented and what they can contain. Goal is to write some templates and recommendations so each team can use to build their own policies.
Context
# Context
- we have no security policies, but some ad-hoc practices, an oral
tradition
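Review bot: replacing the setext heading `Context` with the ATX heading `# Context` only works if the old underline row is removed too, and the rendered view does not show it; the hunk header `@@ -5,7 +5,7 @@` reports the same line count before and after, so verify that no stray `=====` or `-----` line remains beneath `# Context`, and apply the same check to the other sections this change converts (`Discussion`, `Resources to protect`, `Attack scenarios`, `Possible practices`, `Next steps`).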
... | ... | @@ -18,7 +18,7 @@ Context |
enumerated some policies, per team
- got stuck at establishing a common policy
Discussion
# Discussion
- maybe we can't have a unique policy at all
- maybe there can be baseline security requirements for all teams, a
... | ... | @@ -32,7 +32,7 @@ Discussion |
- tradeoff between comfort and security
- requires cultural changes
Resources to protect
# Resources to protect
- signing keys
- source code integrity
... | ... | @@ -46,7 +46,7 @@ Resources to protect |
- bridges inventory
- high availability
Attack scenarios
# Attack scenarios
- ransomware attack against ops people
- can limit service (e.g. "no paycheck")
... | ... | @@ -62,7 +62,7 @@ Attack scenarios |
- slander lawsuits (e.g. "someone is saying bad things about me on the
dark web, you are responsible" which would lead to emails leaking)
Possible practices
# Possible practices
- review logging policies regularly
- checklist of things to surveil on services (e.g. logging, backups,
... | ... | @@ -76,7 +76,7 @@ Possible practices |
- CT-style logging (cf [sigstore](https://www.sigstore.dev/), [research about alternatives by
anarcat](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab#git-repository-integrity-solutions))
Next steps
# Next steps
- make a (private!) survey of security practices, e.g.:
- 2fa? u2f?
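Review bot: `- 2fa? u2f?` belongs to the `make a (private!) survey of security practices, e.g.:` item above it but appears at the same column as its parent in this hunk; if the source file has no leading whitespace before it, Markdown renders it as a sibling bullet rather than a nested one, so indent it by two or four spaces under the survey bullet (the diff view strips leading whitespace, so confirm against the raw file).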