[GENIVI security group] Security group assessment method discussion

Jeremiah Foster jeremiah.foster at pelagicore.com
Mon Aug 15 15:27:51 EDT 2016


Hi everyone,

To summarize, we plan the next GENIVI Security meeting at 14:00 UTC
Thursday the 18th of August. In other time zones:

Taiwan       22:00
Paris          16:00
Greenwich 15:00
New York   10:00
Portland     07:00

Shall I schedule a Webex session and send a calendar invite for the same?

Regards,

Jeremiah




On Sat, Aug 13, 2016 at 8:15 AM, Stacy Janes <stacy.janes at irdeto.com> wrote:

> Thanks Peter.  If this time is good for everyone else, we will try this
> time for the next call.
>
>
>
> Stacy
>
>
>
> *From: *"peter_yang at trend.com.tw" <peter_yang at trend.com.tw>
> *Date: *Friday, August 12, 2016 at 7:29 PM
> *To: *Stacy Janes <stacy.janes at irdeto.com>, "Feuer, Magnus" <
> mfeuer1 at jaguarlandrover.com>, Jeremiah Foster <jeremiah.foster at pelagicore.
> com>
> *Cc: *"anuja at computer.org" <anuja at computer.org>, "
> tal.bendavid at karambasecurity.com" <tal.bendavid at karambasecurity.com>, "
> genivi-projects at lists.genivi.org" <genivi-projects at lists.genivi.org>,
> Yoram Berholtz <yoram at argus-sec.com>, "assaf.harel at karambasecurity.com" <
> assaf.harel at karambasecurity.com>, Antonio De Rosa <
> Antonio.DeRosa at opensynergy.com>
> *Subject: *RE: [GENIVI security group] Security group assessment method
> discussion
>
>
>
> Stacy,
>
> 10PM works for Taiwan.
>
>
>
> Thank you.
>
>
>
> Peter
>
>
>
>
>
> -------- Original message --------
>
> From: Stacy Janes <stacy.janes at irdeto.com>
>
> Date: 8/13/16 04:54 (GMT+08:00)
>
> To: "Feuer, Magnus" <mfeuer1 at jaguarlandrover.com>, Jeremiah Foster <
> jeremiah.foster at pelagicore.com>
>
> Cc: anuja at computer.org, tal.bendavid at karambasecurity.com,
> genivi-projects at lists.genivi.org, "Peter Yang (PM-TW)" <
> peter_yang at trend.com.tw>, Yoram Berholtz <yoram at argus-sec.com>,
> assaf.harel at karambasecurity.com, Antonio De Rosa <
> Antonio.DeRosa at opensynergy.com>
>
> Subject: Re: [GENIVI security group] Security group assessment method
> discussion
>
>
>
> Jeremiah,
>
>
>
> I am also in EST and agree that the 1am calls are not ideal.  There is
> involvement from Asia as well, so I am currently looking for a better time.
> Magnus’s suggestion below puts it at 10pm CST (Taiwan).  Is that workable
> for those from that timezone?
>
>
>
> Stacy
>
>
>
> *From: *"Feuer, Magnus" <mfeuer1 at jaguarlandrover.com>
> *Date: *Friday, August 12, 2016 at 3:55 PM
> *To: *Jeremiah Foster <jeremiah.foster at pelagicore.com>
> *Cc: *Stacy Janes <stacy.janes at irdeto.com>, "anuja at computer.org" <
> anuja at computer.org>, "tal.bendavid at karambasecurity.com" <
> tal.bendavid at karambasecurity.com>, "genivi-projects at lists.genivi.org" <
> genivi-projects at lists.genivi.org>, "peter_yang at trend.com.tw" <
> peter_yang at trend.com.tw>, Yoram Berholtz <yoram at argus-sec.com>, "
> assaf.harel at karambasecurity.com" <assaf.harel at karambasecurity.com>,
> Antonio De Rosa <Antonio.DeRosa at opensynergy.com>
> *Subject: *Re: [GENIVI security group] Security group assessment method
> discussion
>
>
>
> Unless Asia is heavily involved, I propose 7:00 PST / 10:00 EST / 15:00
> GMT / 16:00 CET. That usually works for us Left coasters.
>
>
>
> /Magnus F.
>
>
> -------------------
>
>
> *Head System Architect - Open Source Projects **Jaguar Land Rover*
>
> *Email*: mfeuer1 at jaguarlandrover.com
> *Mobile*: +1 949 294 7871
>
>
>
> Jaguar Land Rover North America, LLC
>
> 1419 NW 14th Ave, Portland, OR 97209
> -------------------
> Business Details:
> Jaguar Land Rover Limited
> Registered Office: Abbey Road, Whitley, Coventry CV3 4LF
>
> Registered in England No: 1672070
>
>
> This e-mail and any attachments contain confidential information for a
> specific individual and purpose.  The information is private and privileged
> and intended solely for the use of the individual to whom it is addressed.
> If you are not the intended recipient, please e-mail us immediately.  We
> apologise for any inconvenience caused but you are hereby notified that any
> disclosure, copying or distribution or the taking of any action in reliance
> on the information contained herein is strictly prohibited.
>
> This e-mail does not constitute an order for goods or services unless
> accompanied by an official purchase order.
>
>
>
> On Fri, Aug 12, 2016 at 12:40 PM, Jeremiah Foster <
> jeremiah.foster at pelagicore.com> wrote:
>
> Hi,
>
> 07:00 CET is 01:00 EST and 22:00 PST. Isn't there a better time,
> especially for CET where many European automotive engineers can't attend
> due to being outside of work hours?
>
> Regards,
>
> Jeremiah
>
>
>
> On Aug 12, 2016 2:26 PM, "Stacy Janes" <stacy.janes at irdeto.com> wrote:
>
> Jeremiah,
>
>
>
> The calls are typically 7am CET.
>
>
>
> Stacy
>
>
>
> *From: *Jeremiah Foster <jeremiah.foster at pelagicore.com>
> *Date: *Wednesday, August 10, 2016 at 9:26 PM
> *To: *"Gunnar Andersson ()" <gunnar.x.andersson at volvocars.com>
> *Cc: *"tal.bendavid at karambasecurity.com" <tal.bendavid at karambasecurity.com>,
> "peter_yang at trend.com.tw" <peter_yang at trend.com.tw>, Yoram Berholtz <
> yoram at argus-sec.com>, "anuja at computer.org" <anuja at computer.org>, "
> genivi-projects at lists.genivi.org" <genivi-projects at lists.genivi.org>, "
> assaf.harel at karambasecurity.com" <assaf.harel at karambasecurity.com>,
> Antonio De Rosa <Antonio.DeRosa at opensynergy.com>, Stacy Janes <
> stacy.janes at irdeto.com>
> *Subject: *Re: [GENIVI security group] Security group assessment method
> discussion
>
>
>
> So it's the 18th of August? At what time?
>
>
>
> On Aug 10, 2016 8:00 PM, "Andersson, Gunnar" <
> gunnar.x.andersson at volvocars.com> wrote:
>
> Bi-weekly. Got it. Going back to sleep.
>
> --
>
> Sent from phone - please excuse brevity.
>
>
>
>
> On Aug 11, 2016, at 01:45, Stacy Janes <stacy.janes at irdeto.com> wrote:
>
> Gunnar,
>
>
>
> It should be in one week + 6 hours from now :-}  The last call was on Aug
> 4.
>
>
>
> Stacy
>
>
>
> *From: *"Andersson, Gunnar" <gunnar.x.andersson at volvocars.com>
> *Date: *Wednesday, August 10, 2016 at 7:09 PM
> *To: *Stacy Janes <stacy.janes at irdeto.com>
> *Cc: *"anuja at computer.org" <anuja at computer.org>, "
> tal.bendavid at karambasecurity.com" <tal.bendavid at karambasecurity.com>, "
> genivi-projects at lists.genivi.org" <genivi-projects at lists.genivi.org>, "
> peter_yang at trend.com.tw" <peter_yang at trend.com.tw>, Yoram Berholtz <
> yoram at argus-sec.com>, "assaf.harel at karambasecurity.com" <
> assaf.harel at karambasecurity.com>, Antonio De Rosa <
> Antonio.DeRosa at opensynergy.com>, "Feuer, Magnus" <
> mfeuer1 at jaguarlandrover.com>
> *Subject: *Re: [GENIVI security group] Security group assessment method
> discussion
>
>
>
> Sorry for an unrelated topic but I did not find any WebEx scheduled
> tomorrow and I have been searching for an email with the customary "Next
> meeting time" and/or a wiki page with minutes.
>
>
>
> Is there a security meeting planned at the usual time (in 6 hours from
> now)? Apologies if I missed some correspondence or did not know where to
> look.
>
> - Gunnar
> --
>
> Sent from phone - please excuse brevity.
>
>
>
>
> On Aug 4, 2016, at 00:53, Feuer, Magnus <mfeuer1 at jaguarlandrover.com>
> wrote:
>
> Hello Stacy, and welcome to GENIVI.
>
>
>
> Since we at the RVI expert group are in the middle of putting together a
> PKI system to be used on top of our existing (TLS-based) security, I think
> we would be a good first candidate to run through the process.
>
>
>
> Ulf Wiger is formally responsible for the effort, although we are doing
> this as a team of about 5-6 people.
>
>
>
> Since we are still in the design phase of PKI, we don't really have any
> documentation yet. Would it, as a starter, be possible to bring you in on a
> conf call where we walk you through the current state of our ideas?
>
>
>
> Sincerely,
>
>
>
> /Magnus F.
>
>
>
>
>
> On Sun, Jul 31, 2016 at 8:58 AM, Stacy Janes <stacy.janes at irdeto.com>
> wrote:
>
> Hello all,
>
> I would like to start the conversation on the methods the Security Team
> will use to construct a security analysis for projects by other GENIVI
> Expert Groups.  Below is a recommendation of the basic framework based on
> work I have done in the past.  All aspects are open to debate as I want to
> ensure we get to the best solution possible.  I suspect the process will be
> continuously fine tuned as we move forward.
>
>
> 1. At the beginning of a new engagement with an Expert Group, the team
> members that will be involved in that assessment should read and understand
> the Architecture/Design from the EG as it exists.  The team will need to be
> in constant contact with Architect and other technical experts from the EG
> (calls, email, etc) during this phase.
>
> 2. During this phase, the team is to strive to acquire a detailed
> understanding of the following:
>        a. What assets does the architecture already have listed?
>        b. What data is stored by the system?
>        c. How is data handled by the system (in transit, in process, at
> rest)?
>        d. What interfaces does the system present to external systems?
>        e. What interfaces does the system utilize from external systems?
>        f. What existing security mitigations have already been built into
> the system (secure storage, cryptographic keys, security functions)?
>
> 3. From the above, the security team will be able to gather the first
> round of assets and document them.
>
> 4. The security team documents their understanding of the
> architecture/design, including the assets that are known at this point.
> For each asset, the document should include a description of the asset,
> their importance and the result of them being compromised.  This is then
> presented back to the client EG for review to ensure everyone has a common
> understanding of the system.
>
> 5. The next step is to go through the process of discovering the attack
> vectors that would be viable against the system.  For this part of the
> process, I prefer to use Attack Trees
> (https://www.schneier.com/academic/archives/1999/12/attack_trees.html).
> These are not only good
> for the assessor to work out all of the possible attack vectors, but we
> have found them to be very useful for non-security people to understand how
> we get to certain attack vectors.  Attack Trees will also help the team
> divide up the analysis work, as the different sub-trees can be handled by
> individual team members.
>
> 6. The detailed analysis through attack trees will expose more assets that
> will need to be documented similar to the original list.
>
> 7. For each attack vector, we use a STRIDE (see below) description and
> document the difficulty and result of an exploit of that vector.  The
> HEAVENS Security Model has a good approach for using STRIDE to document
> automotive risk assessments and I think we can borrow from that.  There is
> a short overview of HEAVENS in Appendix A.1.5 of J3061.
>
> 8. Typically, in a commercial evaluation, the final document will contain
> suggested mitigations for all of the attack vectors exposed by the attack
> trees.  In the case of GENIVI however, I recommend the following:
>        a. Suggest mitigations in the form of architectural or design
> changes if appropriate
>        b. Suggest open-source mitigations (list benefits and limitations)
> if appropriate
>        c. Reference or create a specific security requirement (from our
> that can be used to determine commercial mitigations in the final product.
>
> 9. Mitigations and architectural/design changes can introduce new assets.
> These and the threats to them need to be documented as above.
>
> 10. Any new requirements generated as part of ‘c’ will be integrated into
> the existing security requirements document if appropriate.
>
>
> Before we engage on the first assessment, those of us with experience
> doing this type of work can present the various aspects (how to determine a
> security asset, how to create an attack tree) to the team.  From there, I
> think we could start on a small project to work out the kinks and figure
> out what needs to be changed.
>
> Also, in the last call, we discussed implementing “Compliance and
> Robustness” rules as a way to document our security requirements where all
> of the requirements are listed in the “robustness rules” and the
> “compliance rules” map specific types of features to specific
> requirements.  If we are in agreement on this, we should start with the
> existing security requirements list and see how they logically break up.
>
>
> Description of STRIDE:
> • Spoofing identity: An example of identity spoofing is illegally
> accessing and then using another user's authentication information, such as
> username and password.
> • Tampering with data: Data tampering involves the malicious modification
> of data. Examples include unauthorized changes made to persistent data,
> such as that held in a database, and the alteration of data as it flows
> between two computers over an open network, such as the Internet.
> • Repudiation: Repudiation threats are associated with users who deny
> performing an action without other parties having any way to prove
> otherwise—for example, a user performs an illegal operation in a system
> that lacks the ability to trace the prohibited operations. Nonrepudiation refers
> to the ability of a system to counter repudiation threats. For example, a
> user who purchases an item might have to sign for the item upon receipt.
> The vendor can then use the signed receipt as evidence that the user did
> receive the package.
> • Information disclosure: Information disclosure threats involve the
> exposure of information to individuals who are not supposed to have access
> to it—for example, the ability of users to read a file that they were not
> granted access to, or the ability of an intruder to read data in transit
> between two computers.
> • Denial of service: Denial of service (DoS) attacks deny service to valid
> users—for example, by making a Web server temporarily unavailable or
> unusable. You must protect against certain types of DoS threats simply to
> improve system availability and reliability.
> • Elevation of privilege: In this type of threat, an unprivileged user
> gains privileged access and thereby has sufficient access to compromise or
> destroy the entire system. Elevation of privilege threats include those
> situations in which an attacker has effectively penetrated all system
> defenses and become part of the trusted system itself, a dangerous
> situation indeed.
>
> Discuss :-}
>
> Stacy Janes
> Security Group
>
>
>
> _______________________________________________
> genivi-projects mailing list
> genivi-projects at lists.genivi.org
> http://lists.genivi.org/cgi-bin/mailman/listinfo/genivi-projects
>
>
>
>
>
>
> TREND MICRO EMAIL NOTICE
>
> The information contained in this email and any attachments is confidential
> and may be subject to copyright or other intellectual property protection.
> If you are not the intended recipient, you are not authorized to use or
> disclose this information, and we request that you notify us by reply mail or
> telephone and delete the original message from your mail system.
>
>
>



-- 
Jeremiah C. Foster
GENIVI COMMUNITY MANAGER

Pelagicore AB
Ekelundsgatan 4, 6tr, SE-411 18
Gothenburg, Sweden
M: +1.860.772.9242
jeremiah.foster at pelagicore.com
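
Added example, not part of the original thread or of any GENIVI code: steps 5 to 7 of the assessment method quoted above (attack trees, with each vector given a STRIDE category and a difficulty) as a small Python model. The tree contents, the 1 to 5 difficulty scale and the rule that an AND node is as hard as its hardest step are assumptions made for illustration.

```python
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing identity", "T": "Tampering with data", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

@dataclass
class Node:
    name: str
    kind: str = "LEAF"      # "LEAF", "OR" (any child suffices), "AND" (all children needed)
    stride: str = ""        # STRIDE letter, leaves only
    difficulty: int = 0     # leaves only; 1 (easy) .. 5 (hard), an assumed scale
    children: list = field(default_factory=list)

def leaves(node):
    """All attack vectors (leaves) under a node, in tree order."""
    if node.kind == "LEAF":
        return [node]
    return [leaf for child in node.children for leaf in leaves(child)]

def easiest(node):
    """(difficulty, leaf names) of the least difficult way to achieve node."""
    if node.kind == "LEAF":
        if node.stride not in STRIDE or not 1 <= node.difficulty <= 5:
            raise ValueError(f"leaf {node.name!r}: need STRIDE letter and difficulty 1..5")
        return node.difficulty, [node.name]
    if node.kind not in ("OR", "AND") or not node.children:
        raise ValueError(f"node {node.name!r}: must be OR/AND with children")
    parts = [easiest(child) for child in node.children]
    if node.kind == "OR":                       # any one branch is enough
        return min(parts, key=lambda p: p[0])
    # AND: every step is required, so the hardest step sets the difficulty (assumption)
    return max(p[0] for p in parts), [n for p in parts for n in p[1]]

def work_packages(root):
    """Step 5: one sub-tree per assessor -> {sub-tree: [(vector, STRIDE, difficulty)]}."""
    return {child.name: [(l.name, STRIDE[l.stride], l.difficulty) for l in leaves(child)]
            for child in root.children}

# Constructed sample tree; leaf wording follows the STRIDE descriptions in the thread.
TREE = Node("Unauthorised change to persistent data", "OR", children=[
    Node("Change data as a legitimate user without attribution", "AND", children=[
        Node("Use another user's authentication information", stride="S", difficulty=3),
        Node("Deny the action where operations are not traced", stride="R", difficulty=1)]),
    Node("Change data without an account", "OR", children=[
        Node("Alter data in transit over an open network", stride="T", difficulty=4),
        Node("Gain privileged access as an unprivileged user", stride="E", difficulty=5)]),
])

if __name__ == "__main__":
    print(easiest(TREE))
    for owner, vectors in work_packages(TREE).items():
        print(owner, vectors)
```

The lowest-difficulty path is where mitigations under step 8 pay off first, and `work_packages` gives each assessor a sub-tree whose vectors already carry the STRIDE label and difficulty that step 7 asks to be documented.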