
Document and test security response process
Open, Medium, Public

Description

It would be good to have our security response to a few common incident scenarios documented, so we don't have to always figure things out on the fly. If this is already documented somewhere, awesome, I just haven't found it yet. It's probably just a case of compiling stuff we have documented in different places into one place, I would guess.

Specific scenarios:

  • Compromised user account - Where are all of the places we should check to revoke access? What is the process to kill all current ssh sessions for someone with shell access? If someone has access to root passwords, what is the process for changing the password? If someone had access to the private mediawiki repo, what's the process for rotating all of those secrets?
  • Compromised server - What tools should we use for full memory dumps, and getting a forensic copy of the data? Where can we store forensic images safely for analysis? What are the options / what is the process for network isolation between the time that we suspect compromise to having the disk/memory dumps saved? Where should we document the incident timeline during an ongoing investigation?

Once this is documented, I'd like to do a fire-drill and test the response process sometime in Q3.
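One concrete piece of the "compromised user account" scenario above is terminating a user's SSH sessions and blocking further logins on a single host. The script below is an added illustration, not part of this task or of Wikimedia's operations tooling; it assumes a Linux host with OpenSSH, `usermod`, `pkill` and `awk`, and it defaults to a dry run (DRY_RUN=1) so it can be rehearsed in the fire drill without touching the machine. The `ps` listing it parses here is a constructed sample.

```bash
#!/bin/sh
# Added example: enumerate and terminate one user's SSH sessions, then block
# new logins. Not the task's own procedure; assumes Linux + OpenSSH.
set -eu

# Constructed sample of `ps -eo pid,user,comm,args` output, used for the dry run.
# Each SSH connection is a privileged parent ("sshd: user [priv]") plus an
# unprivileged child ("sshd: user@pts/N"); killing both ends the session.
SAMPLE_PS='  PID USER     COMMAND  COMMAND
  812 root     sshd     sshd: /usr/sbin/sshd -D
 4021 root     sshd     sshd: alice [priv]
 4033 alice    sshd     sshd: alice@pts/1
 4040 alice    bash     -bash
 5120 root     sshd     sshd: bob [priv]
 5131 bob      sshd     sshd: bob@pts/2
 5140 bob      vim      vim notes.txt'

# Print the PIDs (space separated, one line) of the sshd processes that belong
# to USER's sessions, parsed from a `ps -eo pid,user,comm,args` listing.
session_pids_from_ps() {
  user="$1"; ps_text="$2"
  printf '%s\n' "$ps_text" | awk -v u="$user" '
    # field 3 is the command name, field 4 "sshd:", field 5 "user" or "user@pts/N"
    $3 == "sshd" && $4 == "sshd:" && ($5 == u || index($5, u "@") == 1) {
      pids = pids (pids ? " " : "") $1
    }
    END { print pids }'
}

# Execute a command, or only print it when DRY_RUN is 1 (the default here).
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'would run: %s\n' "$*"
  else
    "$@"
  fi
}

# Revoke USER's shell access on this host. The optional second argument is a
# ps listing to parse (used for the dry run); the live listing is used otherwise.
# Note: locking the password alone does not stop key-based logins, hence the
# nologin shell and the authorized_keys move. Sudo rights, service tokens and
# other hosts are not covered here and still need their own checklist.
revoke_shell_access() {
  user="$1"
  ps_text="${2:-$(ps -eo pid,user,comm,args)}"
  pids="$(session_pids_from_ps "$user" "$ps_text")"
  run usermod --lock "$user"
  run usermod --shell /usr/sbin/nologin "$user"
  run mv -f "/home/$user/.ssh/authorized_keys" "/home/$user/.ssh/authorized_keys.revoked"
  if [ -n "$pids" ]; then
    run kill -TERM $pids          # tear down the existing SSH connections
  fi
  run pkill -KILL -u "$user"      # and anything the user left running
}

# Dry-run demonstration against the constructed listing.
revoke_shell_access alice "$SAMPLE_PS"
```

Running the block as-is prints the planned commands for `alice`; set DRY_RUN=0 to execute them, and run it across the fleet through whatever configuration management already reaches every host rather than by hand.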

Event Timeline

csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
csteipp added a project: Security-Team.

Here are a couple of others that I was thinking about last week, not for immediate addition to the list, but which remain open questions for me:

  • compromise of an ops workstation (the vector of access is not important, but let's say, via SSH port forwarding from a home router/firewall)
  • loss/theft of a laptop with non-anonymized user data (an Analytics workstation, for instance).

Removing task assignee due to inactivity, as this open task has been assigned to the same person for more than two years (see the emails sent to the task assignee on Oct 27 and Nov 23). Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome.
(See https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips on how to best manage your individual work in Phabricator.)