Closed: theathorn closed this issue 11 months ago
@hannes-ucsc to read description before we discuss this Thursday.
@hannes-ucsc link to the SSP https://docs.google.com/document/d/1lA5KF1ARfUX_T5UXLMv8tj-1aKNazT9r/edit#bookmark=id.wufc4d29zmaw
@hannes-ucsc to enumerate the important security functions that need to be verified on a monthly basis
The following steps are performed on every production zone. Steps pertaining to GitHub are performed once.
Verify that MA metadata is only accessible via the Data Browser (Azul service) when logged in with the credentials of (passing an access token of) a user with authorization to access MA metadata.
Verify that only public metadata is accessible anonymously or with the credentials of (passing an access token of) a user without authorization. Note that project (dataset) level HCA (AnVIL) metadata of MA snapshots is considered public.
Verify that GitHub Actions workflows are not run on PRs from non-contributors. This should be tested yearly for every repository we maintain on GitHub and monthly for the Azul, Data Browser and Data Portal repositories.
Verify that GitLab instances are inaccessible without a VPN connection.
Verify that accessing GitLab through a VPN connection, but without being logged in, only shows the GitLab login page. GitLab can optionally make projects public in which read-only access is provided without authentication. Use deep-links to projects like https://gitlab.dev.singlecell.gi.ucsc.edu/ucsc/azul. This test verifies that all projects are private.
Perform account review.
Verify that there are no AWS Security Hub findings regarding encryption at rest for S3 buckets, EBS volumes and ES domains.
Verify that the Azul service and indexer REST APIs, GitLab and the Data Browser are only exposed via HTTPS. Replace https:// with http:// in the URLs of these endpoints and ensure that the connection is either refused or redirected to the corresponding https:// URL.
With the VPN disconnected, use nmap to scan for open ports on the IPs to which the hostnames of the Azul service & indexer REST APIs, GitLab and the Data Browser resolve. Repeat for GitLab with the VPN connected. Only port 443 should be open, except for GitLab, which should have no ports open with the VPN disconnected and ports 443, 22 and 22022 open with the VPN connected.
With the VPN connected, scan the private IP of the GitLab instance. Ports 80, 22 and 22022 should be open.
Verify that GuardDuty is enabled for the GitLab instance.
Verify that clamav is run weekly on the GitLab instance.
Verify that Inspector scanning is enabled for EC2 instances and ECR images.
Verify that monthly GitLab data volume backup snapshots exist. Create a volume from the most recent snapshot. Mount the volume to a new temporary EC2 instance and perform a file system check on it.
Examine the IncomingBytes and IncomingLogEvents metrics for every log group in the system over the past 60 days. Investigate any log group that shows a sudden decrease or increase in either metric; a drop to zero in particular may mean a log source has been disabled or broken rather than that nothing happened.
Ensure that the ES domain has no pending updates.
Ensure that all Inspector findings for EC2 instances and ECR images have been triaged.
Ensure that all GitHub Security findings for Azul and Data Browser have been triaged.
SSP has been updated
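The HTTPS-only check and the nmap port expectations above are easy to get subtly wrong by hand (a redirect to a different host, or an extra port nobody noticed). The following script, an added example and not tooling from the Azul or Data Browser projects, encodes those expectations as data and checks real probe results against them. The hostnames and the private IP are placeholders (assumptions), and the nmap grepable output embedded below is a constructed sample, not a real scan; run `nmap -oG - <targets>` with the VPN in each state and feed its output to `parse_nmap_grepable`.

```python
"""Exposure checks for the monthly review: http:// probes and nmap port sets.

Added example, not project tooling. Hostnames are assumed placeholders and the
nmap output below is constructed sample data.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Expected open TCP ports per target and VPN state, as stated in the checklist.
# Hostnames and the private IP are assumptions, not the real endpoints.
EXPECTED_PORTS = {
    ("service.azul.example", "vpn-off"): {443},
    ("indexer.azul.example", "vpn-off"): {443},
    ("gitlab.example", "vpn-off"): set(),            # nothing reachable off-VPN
    ("gitlab.example", "vpn-on"): {443, 22, 22022},  # public IP, VPN connected
    ("10.0.0.5", "vpn-on"): {80, 22, 22022},         # GitLab private IP
}


def _canon(url):
    """Compare URLs by scheme, host and path only, ignoring a trailing slash."""
    p = urlparse(url or "")
    return (p.scheme, p.netloc.lower(), p.path.rstrip("/"))


def classify_http_probe(status, location, https_url):
    """Classify the answer to an http:// request for the twin of https_url.

    status None means the TCP connection was refused or timed out, which the
    checklist accepts. A 301/302/307/308 whose Location is the same resource
    over https:// is also accepted. Anything else (content served over plain
    HTTP, or a redirect to some other place) is a failure.
    """
    if status is None:
        return "refused"
    if status in (301, 302, 307, 308) and _canon(location) == _canon(https_url):
        return "redirect"
    return "FAIL"


def probe_http(https_url, timeout=5):
    """Request the http:// twin of https_url without following redirects."""
    http_url = "http://" + https_url[len("https://"):]

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # every 3xx surfaces as HTTPError instead of being followed

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(http_url, timeout=timeout) as resp:
            return classify_http_probe(resp.status, resp.headers.get("Location"), https_url)
    except urllib.error.HTTPError as e:
        return classify_http_probe(e.code, e.headers.get("Location"), https_url)
    except (urllib.error.URLError, OSError):
        return classify_http_probe(None, None, https_url)


_PORTS_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_nmap_grepable(text):
    """Map each host in `nmap -oG` output (hostname if nmap resolved one, else
    the IP) to its set of open TCP ports."""
    result = {}
    for line in text.splitlines():
        m = _PORTS_LINE.match(line)
        if not m:
            continue
        ip, name, ports = m.groups()
        host = name or ip
        result.setdefault(host, set())
        for port, state in re.findall(r"(\d+)/(\w+)/tcp", ports):
            if state == "open":
                result[host].add(int(port))
    return result


def check_exposure(observed, vpn_state, expected=EXPECTED_PORTS):
    """Return findings for one VPN state; an empty list means the scan matched."""
    findings = []
    for (host, state), want in expected.items():
        if state != vpn_state:
            continue
        got = observed.get(host, set())
        if got - want:
            findings.append(f"{host}: unexpected open ports {sorted(got - want)}")
        if want - got:
            findings.append(f"{host}: expected ports not open {sorted(want - got)}")
    return findings


# Constructed sample of `nmap -oG -` output for a VPN-connected scan; the
# stray 8080 on the private IP is deliberate so the check has something to flag.
SAMPLE_SCAN_VPN_ON = """\
# Nmap scan (constructed sample, not a real scan)
Host: 203.0.113.10 (gitlab.example)\tStatus: Up
Host: 203.0.113.10 (gitlab.example)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 22022/open/tcp//unknown///\tIgnored State: filtered (997)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///, 22022/open/tcp//unknown///\tIgnored State: closed (996)
"""

if __name__ == "__main__":
    for finding in check_exposure(parse_nmap_grepable(SAMPLE_SCAN_VPN_ON), "vpn-on"):
        print(finding)
```

`probe_http` is the only function that touches the network; call it on each https:// endpoint and treat anything other than `refused` or `redirect` as a failed check. Keep the nmap run explicit (`-p-` if you want the whole port range, which the checklist implies) and commit the grepable output with the review so the next reviewer can diff against it.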
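The IncomingBytes / IncomingLogEvents review above asks the reviewer to eyeball 60 days of graphs per log group. The following script, an added example and not project tooling, does the comparison mechanically: the verdict is a pure function over a list of daily sums, so the constructed series below exercise it offline, while `review_log_groups` pulls the real AWS/Logs metrics with boto3 when run against an account. The 14-day recent window and the 3x threshold are assumptions to tune; the verdict that matters most is `stopped`, since a log source that silently dies looks identical to "no alerts".

```python
"""Log-volume review: flag log groups whose IncomingBytes or IncomingLogEvents
changed abruptly over the last 60 days.

Added example, not project tooling. Window size and threshold are assumptions.
"""
import datetime as dt
import statistics

LOOKBACK_DAYS = 60
RECENT_DAYS = 14   # assumed: recent window compared against the preceding baseline
FACTOR = 3.0       # assumed: flag if recent/baseline leaves [1/3, 3]


def assess(daily, recent_days=RECENT_DAYS, factor=FACTOR):
    """Classify a series of per-day sums (oldest first).

    Returns (verdict, baseline_mean, recent_mean) with verdict one of:
      stopped  - the group was logging and now emits nothing
      decrease / increase - recent mean moved by more than `factor`
      idle     - nothing in either window
      ok       - otherwise
    """
    if len(daily) <= recent_days:
        raise ValueError("need more than recent_days data points")
    baseline = statistics.fmean(daily[:-recent_days])
    recent = statistics.fmean(daily[-recent_days:])
    if baseline == 0 and recent == 0:
        return "idle", baseline, recent
    if baseline > 0 and recent == 0:
        return "stopped", baseline, recent
    if baseline == 0:
        return "increase", baseline, recent
    ratio = recent / baseline
    if ratio >= factor:
        return "increase", baseline, recent
    if ratio <= 1 / factor:
        return "decrease", baseline, recent
    return "ok", baseline, recent


def daily_series(datapoints, start, days=LOOKBACK_DAYS):
    """Turn CloudWatch datapoints ({'Timestamp': datetime, 'Sum': float}) into
    a dense list of `days` daily sums starting at `start`. Days without a
    datapoint become 0: CloudWatch omits the point when nothing was ingested,
    and that silence is exactly what the review must not skip over."""
    sums = [0.0] * days
    for dp in datapoints:
        idx = (dp["Timestamp"].date() - start.date()).days
        if 0 <= idx < days:
            sums[idx] += float(dp["Sum"])
    return sums


def review_log_groups(region_name=None, days=LOOKBACK_DAYS):
    """Fetch both metrics for every log group and return the flagged ones as
    (log group, metric, verdict, baseline_mean, recent_mean)."""
    import boto3  # only needed for the live review
    logs = boto3.client("logs", region_name=region_name)
    cw = boto3.client("cloudwatch", region_name=region_name)
    end = dt.datetime.now(dt.timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
    start = end - dt.timedelta(days=days)
    flagged = []
    for page in logs.get_paginator("describe_log_groups").paginate():
        for group in page["logGroups"]:
            name = group["logGroupName"]
            for metric in ("IncomingBytes", "IncomingLogEvents"):
                resp = cw.get_metric_statistics(
                    Namespace="AWS/Logs", MetricName=metric,
                    Dimensions=[{"Name": "LogGroupName", "Value": name}],
                    StartTime=start, EndTime=end, Period=86400, Statistics=["Sum"])
                verdict, base, recent = assess(daily_series(resp["Datapoints"], start, days))
                if verdict not in ("ok", "idle"):
                    flagged.append((name, metric, verdict, base, recent))
    return flagged


# Constructed daily series (not real metrics) covering the cases the check must catch.
STEADY = [1000.0] * 60
STOPPED = [1000.0] * 46 + [0.0] * 14
SPIKE = [1000.0] * 46 + [15000.0] * 14
DROP = [1000.0] * 46 + [200.0] * 14

if __name__ == "__main__":
    for label, series in (("steady", STEADY), ("stopped", STOPPED), ("spike", SPIKE), ("drop", DROP)):
        print(label, assess(series))
```

Run `review_log_groups()` with credentials for the production zone and triage every flagged tuple; an `increase` on an application log group is worth a look too (retries, error storms, or someone debugging with verbose logging left on).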
[ ] @hannes-ucsc Step 1: The team needs to define the security function as it applies to the Data Explorer (see discussion for what a security function is). This should include identifying the specific security controls, mechanisms, and features that need to be in place.
[ ] Step 2: Develop verification procedures that outline how security functions should be tested and verified during transition states (such as system deployments or changes), upon command (as needed), and on a monthly basis. These procedures should specify the methods, tools, and criteria for verification.
[ ] Step 3: Testing and Verification: Implement the verification procedures by conducting tests and checks to verify the correct operation of security functions. This may include reviewing configuration settings, conducting vulnerability assessments (Invicti scan), and assessing the effectiveness of security controls (annual assessment).
[ ] @nolunwa-ucsc Step 4: Document the security functions in the SSP
Discussion:
Security functions are specific capabilities, mechanisms, or features within a system that are designed and implemented to protect data, assets, and resources from various security threats and vulnerabilities. These functions work to ensure the confidentiality, integrity, and availability of information and systems, as well as to safeguard against unauthorized access, disclosure, alteration, or destruction.
Here's an explanation of key security functions:
Access Control: Access control functions determine who is allowed to access specific resources or data within a system. This includes authentication (verifying user identities), authorization (granting or denying access based on permissions), and accountability (keeping track of user actions).
Authentication: Authentication functions verify the identity of users, devices, or entities attempting to access a system or data. Common methods include passwords, biometrics (e.g., fingerprint or facial recognition), and smart cards.
Encryption: Encryption functions protect data by converting it into a secure and unreadable format (cipher text) that can only be deciphered with the appropriate decryption key. This ensures the confidentiality of data, even if it is intercepted.
Firewalls: Firewalls are security functions that filter network traffic based on predefined rules to allow or block data packets. They protect networks by preventing unauthorized access and potentially malicious traffic.
Intrusion Detection and Prevention Systems (IDPS): IDPS functions monitor network or system activities to detect and respond to suspicious or malicious behavior. They can alert administrators or take automatic actions to block or mitigate threats.
Virus and Malware Protection: These functions include antivirus and anti-malware software, which scan for and remove malicious software (viruses, worms, Trojans, etc.) that can compromise the security of a system.
Data Backup and Recovery: Backup and recovery functions ensure that critical data is regularly backed up and can be restored in case of data loss, system failure, or security incidents. This function is essential for maintaining data integrity and availability.
Logging and Auditing: Logging and auditing functions record events, actions, and changes within an information system. They provide a trail of evidence for investigating security incidents and ensuring accountability.
Patch Management: Patch management functions involve applying software updates and patches to address known vulnerabilities in operating systems, applications, and software components.