Changes

{{note|This section is moving over to https://infosec.mozilla.org/|error}}=Enterprise Information Security TeamInfosec={{TOC right|limit=2}}Infosec assists Mozillians in defining and operating security controls to ensure that data at Mozilla is protected consistently across the organization.* we help you define the risks around your services and data* we help projects design and implement security controls* we maintain a risk-based inventory of systems and their functional security controls to help Mozilla management determine where to invest in security measures* we develop a catalog of services and tools that help you appropriately secure your data* we respond to security investigations and incidents* we provide baseline practices and assist teams in defining their security standards

= Contact =For security incidents, file a bug in Bugzilla under the product/component [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=Investigation] or [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=Incident]. Or email '''foxsignal''' [at] mozilla.com. Our IRC channel is #infosec or #security at [irc://irc.mozilla.org/security irc.mozilla.org]. = Members =[[File:OpSec.png|left|200px]]* [https://mozillians.org/en-US/u/jbryner/ Jeff Bryner] [:jeff]* [https://mozillians.org/en-US/u/alm/ Aaron Meihm] [:alm]* [https://mozillians.org/en-US/u/phrozyn/ Alicia Smith] [:phrozyn]* [https://mozillians.org/en-US/u/akrug/ Andrew Krug] [:andrew]* [https://mozillians.org/en-US/u/april/ April King] [:April]* [https://mozillians.org/en-US/u/bmyers/ Brandon Myers] [:pwnbus]* [https://mozillians.org/ Caglar Ulucenk] [:Cag]* [https://mozillians.org/en-US/u/gene/ Gene Wood] [:gene]* [https://mozillians.org/en-US/u/kang/ Guillaume Destuynder] [:kang]* [https://mozillians.org/en-US/u/jclaudius/ Jonathan Claudius] [:claudijd]* [https://mozillians.org/en-US/u/jabba/ Justin Dow] [:jabba]* [https://mozillians.org/en-US/u/michalpurzynski/ Michal Purzynski] [:michal`]* [https://mozillians.org/en-US/u/tweir/ Tristan Weir] [:weir] = Service Catalog = The services listed below are available to everyone working on the Mozilla project. Contact us directly for more details on any of the services listed below. == Service: Security Information and Event Management (SIEM) ==[[File:MozDefAlerts.png|right|300px]]; Support commitment: 5k-10k events per second capacity; 10 days of event storage online; 1 year offline in AWS glacier; Costs: Engineering time, compute resources, AWS archiving; Service request: [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=MozDef&assigned_to=jbryner%40mozilla.com request bug] [[File:MozDefAttackerGlobe.png|right|300px]][[File:MozDefAttackerOgres.png|right|300px]] === Description === InfoSec develops and operates MozDef as a service to assist Mozilla projects in defending their operations. Mozilla systems can send events, logs and other data to MozDef to be automatically correlated and consistently treated. === What you can do with this service === * Send events to be stored* Search events* Create dashboards summarizing events* Create alerts* Correlate on events* Collaborate in real time with incident handlers* Integrate systems into automated response to security events == Service: NSM: Network Security Monitoring == ; Support commitment: best effort, non-HA A statistical approach is used so results might not be 100% accurate by design. Logs limited to between 3 and 10 days.; Costs: traffic interception capabilities, servers for running it, disk space for log storage.; Service request: [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=NSM&assigned_to=mpurzynski%40mozilla.com request bug] === Description === The goal of the NSM project is to provide useful context information for both the IR and early detection of possible intrusions. === What you can do with this service === * Coverage of traffic at the entry point and key routing points of Mozilla’s data centers including firewalls and Load Balancers.* Interfaces and utilities to facilitate and accelerate Incident Response* Detection of various network level anomalies that might suggest either intrusion or network issues.* Give a lot of statistical information that traditional monitoring systems can’t, from the application level protocols.* Make sense out of the data at the higher protocol levels, sessions and packets. == Service: Real-time systems forensic ==[[File:MIG-logo-CC-small.jpg|right|400px]]; Support commitment: business hours availability. 1 year data retention.; Costs: platform supported by InfoSec. Subscriber’s handles the cost of provisioning and monitoring the agents on target systems.: [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=MIG&assigned_to=jvehent%40mozilla.com&blocked=896480 request bug] === Description ===[[File:Mig-console.png|right|300px]]InfoSec operates a client/server platform to facilitate the investigation of large numbers of systems in parallel. We distribute agents across endpoints of an infrastructure that can be queried in real-time through a central console. This service uses Mozilla InvestiGator (MIG). === What you can do with this service === * Search filesystems by filename, content and hashes.* Check, add and delete user accounts.* Read and write host firewall rules.* Search through the memory of a live system.* Search for MAC addresses, IP addresses and connected IPs.* Verify conformity of a configuration with InfoSec best practices. == Service: Test driven systems security ==[[File:Compliance Chart 1.png|right{{note|600px]]; Support commitment: business hours availability. 1 year data retention.; Costs: platform supported by InfoSec. Subscriber’s handles the cost of provisioning and monitoring the agents on target systems.; Service request: [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=MIG&assigned_to=jvehent%40mozilla.com&blocked=896480 request bug] === Description === Test driven systems security uses a battery of tests run against a system to evaluate its conformance with security best practices. The tests can be ran daily, or trigger on-demand, making it easy to implement and review security controls in real time. === What you can do with this service === * Obtain a detailed view of the security controls deployed on a system, or across an infrastructure.* Fast iterations on the implementation and review of security controls. This is designed to accelerate the feedback loop between operational and security teams. immediate feedback is necessary. == Service: Rapid Risk (Impact) Assessment (RRA) ==[[File:Rra.png|right|450px]]; Support commitment: Response within a week.; Costs: 30 minutes meeting with InfoSec.; Service request: [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=Rapid%20Risk%20Analysis request bug] === Description === The Rapid Risk (Impact) Assessment (also called Rapid Risk Analysis) is a 30 minutes or less discussion about the potential risks of a project. The RRA is high level and lightweight. === What you can do with this service === * Quickly identify risks impacts related to your project, service, tool, etc.* Make decision making more efficient: spend more time where it matters on your project, service, tool (where the risks are).* Get your service recorded in a risk heatmap to compare it with other services.* Find out if you need a threat model. == Service: Vulnerability Assessment == ; Support commitment: Response within a week.; Costs: One or more meetings with InfoSec.; Service request: [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=Vulnerability%20Assessment&assigned_to=jclaudius%40mozilla.com request bug] === Description === A vulnerability assessment is a semi-automated point-in-time assessment conducted by Mozilla Security using a vulnerability scanner and other “point and shoot” tools for an explicit set of target(s). May include a validation component, depending on scope and service risk. === What you can do with this service === * Quickly identify commonly known vulnerabilities/misconfigurations in your application ranked by severity* Get a sense of a vendor systems security posture if the vendor is not forthcoming but is willing to be scanned* Get a manual verification of vulnerabilities/misconfigurations to weed out false positives (optional - based on scope and risk) == Service: Threat Modeling == ; Support commitment: Response within a week.; Costs: One or more meeting with InfoSec.; Service request: [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=Threat%20Modeling request bug] === Description === Threat modeling defines a set of attack scenarios to consider against an application. They are more specific, thorough and often more time consuming than Rapid Risk Assessments (RRA).When a threat model or analysis is requested on a large service (ie, larger than a quick reply in a bug), an RRA is required to ensure that the security recommendations cover the areas of concerns of the service. === What you can do with this service === * Get an in depth threat model of your project with technical details, recorded in a document.* Get a quick in-line reply in Bugzilla (responses sec-review flag).* Get architectural tips from the security point of view at the project design time. == Service: Penetration Testing == ; Support commitment: Response within a week: Testing timelines vary based on testing scope; Costs: One or more meeting with InfoSec.; Service request: [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=Penetration%20Test&assigned_to=jclaudius%40mozilla.com request bug] === Description === An adversarial exercise with the goal of demonstrating risks that could be exploited by a threat actor. Testing scope is heavily influenced by RRA and Threat Modeling results, which should be completed prior to Penetration Testing. === What you can do with this service === * Get a detailed report of security controls that were tested and found effective/ineffective* Get recommendations on how to remedy ineffective security controls* Get proof of concept (PoC) evidence that demonstrates the ineffectiveness of security controls to support development and prioritization efforts == Security Incident Response == ; Support commitment: ASAP ; Service request: [https://bugzilla.mozilla.org/enter_bug.cgi?product=Enterprise%20Information%20Security&component=Incident request bug] === Description === The Security Incident Response process is designed to facilitate a rapid coordinated response to system and network security incidents. === What you can do with this service === * Incident investigation.* Coordinated response.* Containment, eradication, and recovery of security incident* Notification and communication of incident related details, activities, status, and resolution.* Post Mortem. = Tools catalog = == System call auditing: Audisp-json == ; Services provided: Auditing; Maturity: Production; Source code: https://github.com/gdestuynder/audisp-json === Description === Linux Audit can record information about any system call, and relay it to a user-space process. Audisp-json is a plugin for Auditd which takes these events, correlate them and issue a standard, single JSON message in the MozDef format -over HTTPS (it does not use syslog). Audisp-json coupled with MozDef provide a strong solution to monitor and correlate security event on linux systems. It supersede the audisp-cef plugin. == Trophy Store == ; Services Provided: Development; Maturity: Alpha; Source Code: https://github.com/gene1wood/trophy-store === Description === A web application to automate and simplify the process of requesting or renewing certificates, generating SSL keys, issuing certificates and deploying the resulting keys and certificates into software load balancers. == MIG: Mozilla InvestiGator == ; Services Provided: Endpoint Security; Maturity: Production; Source Code: http://mig.mozilla.org === Description === MIG is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents. MIG is composed of agents installed on all systems of an infrastructure. The agents can be queried in real-time using a messaging protocol implemented in the MIG Scheduler. MIG page has an API, a database, RabbitMQ relays and a console client. It allows investigators to send actions to pools of agents, and check for indicator of compromise, verify the state of a configuration, block an account, create a firewall rule, update a blacklist and so on. == MozDef: The Mozilla Defense Platform == ; Services Provided: Development; Maturity: Production; Source Code: http://mozdef.com === Description === The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers. Goals: * Provide a platform for use by defenders to rapidly discover and respond been moved to security incidents.* Automate interfaces to other systems like bunker, banhammer, mig* Provide metrics for security events and incidents* Facilitate real-time collaboration amongst incident handlers* Facilitate repeatable, predictable processes for incident handling* Go beyond traditional SIEM systems in automating incident handling, information sharing, workflow, metrics and response automation = Documentation maintained by InfoSec =* [https://wikiinfosec.mozilla.org/Security/OpSec This page]* [https://wiki.mozilla.org/Security/Server_Side_TLS Server Side TLS]* [https://wiki.mozilla.org/Security/Guidelines/Key_Management Key Management]* [https://wiki.mozilla.org/Security/Guidelines/OpenSSH OpenSSH] = Honorary members =* [https://mozillians.org/en-US/u/joes/ Joe Stevensen] [:joe]|error}}