
PGP/GPG is a form of asymmetric encryption that makes use of two different encryption keys called your public key and your private key. The public key is intended to be shared; you advertise your public key, and individuals or organizations wishing to contact you use your public key to encrypt a message. Messages encrypted to your public key can only be decrypted by the private key; therefore, it is important that your private key stays private, and that no one outside of your team or organization has access to this key.


A general discussion on encryption algorithms is beyond the scope of this report, but at the time of this writing, it is recommended to generate RSA keys with a length of at least 4096 bits to ensure security into the near-to-moderate-term future.
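As an added example (not part of the CERT guide), here is a small audit script that checks an existing keyring against the 4096-bit RSA recommendation above. It parses the machine-readable output of `gpg --list-keys --with-colons`; the field positions and the OpenPGP algorithm ids (1 = RSA) follow the GnuPG colon-format documentation and RFC 4880, and the listing embedded below is constructed sample data, not real keys.

```python
"""Audit PGP keys against the 4096-bit RSA recommendation.

Feed in the text of `gpg --list-keys --with-colons`; a constructed
sample listing is embedded so the check runs offline.
"""
from dataclasses import dataclass

MIN_RSA_BITS = 4096          # recommendation from the text above
RSA_ALGO_IDS = {1, 2, 3}     # OpenPGP algorithm ids for RSA variants (RFC 4880)


@dataclass
class KeyRecord:
    kind: str     # "pub" (primary key) or "sub" (subkey)
    bits: int
    algo: int
    keyid: str


def parse_colon_listing(text: str) -> list[KeyRecord]:
    """Extract pub/sub records from `--with-colons` output.

    Field layout (1-based): 1 record type, 3 key length, 4 algorithm id, 5 key id.
    """
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 5:
            continue
        records.append(KeyRecord(fields[0], int(fields[2]), int(fields[3]), fields[4]))
    return records


def weak_rsa_keys(records: list[KeyRecord]) -> list[str]:
    """Return key ids of RSA keys (primary or subkey) shorter than MIN_RSA_BITS."""
    return [r.keyid for r in records
            if r.algo in RSA_ALGO_IDS and r.bits < MIN_RSA_BITS]


# Constructed sample listing (fake key ids): a 4096-bit RSA primary key with a
# 2048-bit RSA encryption subkey, and an Ed25519 key (algo 22) the RSA rule ignores.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1494892800:::u:::scESC::::::23::0:
uid:u::::1494892800::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF::PSIRT Contact <psirt@example.com>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1494892800::::::e::::::23:
pub:u:255:22:1122334455667788:1494892800:::u:::scESC::::::23::0:
"""

if __name__ == "__main__":
    for keyid in weak_rsa_keys(parse_colon_listing(SAMPLE_LISTING)):
        print(f"RSA key {keyid} is shorter than {MIN_RSA_BITS} bits; plan a rotation")
```

Subkeys are checked as well as primary keys, because the encryption subkey is the one that actually protects incoming reports.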

Traffic Light Protocol (TLP)

The Traffic Light Protocol (TLP) has been adopted for the standards track by FIRST [1]. By marking a document with a TLP level—Red, Amber, Green, or White—a sender can easily communicate the sensitivity of vulnerability information and expectations about sharing it further. In the context of CVD, the following applies:

  • TLP:GREEN and TLP:AMBER are best suited for information shared between reporters, vendors, and coordinators during phases prior to public announcement of a vulnerability.
  • If pre-publication announcements are made to deployers or other stakeholders, TLP:RED or TLP:AMBER could be a good fit.
  • TLP:WHITE is most useful for public disclosures.

See Appendix B for more on TLP.

Don't Automatically Trust Reports

There are two reasons that organizations receiving vulnerability reports should maintain a degree of wariness regarding the reports they receive. The first is intentional misdirection of your CVD capability, which we already discussed in Section 4.3.1. The second is subtler: the technical infrastructure you deploy to manage CVD cases can itself be affected by the vulnerabilities you are coordinating.


CVD participants should keep in mind that their case tracking and email systems themselves present attack surface and may be affected by the very vulnerabilities they are designed to coordinate. We have witnessed reports containing examples of image parsing vulnerabilities causing problems for both webmail and ticketing systems that automatically generate thumbnail previews of image attachments. Vendors and coordinators concerned about such risks should consider the degree to which their CVD support infrastructure is integrated with normal business operations systems. In some scenarios, maintaining parallel infrastructure may be preferable.



References

  1. FIRST, "TRAFFIC LIGHT PROTOCOL (TLP) FIRST Standards Definitions and Usage Guidance — Version 1.0," [Online]. Available: https://www.first.org/tlp. [Accessed 16 May 2017].