Skip to content

Security Event Review Checklist

Priya Kasireddy edited this page Sep 7, 2021 · 66 revisions

Security events will be reviewed every Wednesday. Make github issues for each problem identified. For any incidents that happen regarding accounts, notify the FEC CISO, Wenchun Jiang, and follow the 18F incident response handbook.

The development team will have a rotation of log duty. Scheduling people for their rotation will be managed by the system owner during sprint planning.

Checklist:

  1. If reviewing during week 2 of a sprint, create github issues for next sprint and tag them with the proper milestone.
  2. Review Snyk for all repositories and:
  • Open a ticket for all alerts, including a due date (30 days for high, 60 days for medium, and 90 days for low). Example title: [Snyk: Med] Open Redirect (Due 10/8/18)
  • Make sure open alerts are tagged with a milestone/sprint that is scheduled to be deployed before the due date.
  • Notify PM's in #product-management channel in Slack if open alerts are getting close to their deadline
  1. Review production logs for account creations, ensure these were approved in a ticket, and verify that the number of service keys in cloud.gov is unchanged.
  2. Review production logs for account permission elevations, ensure these were approved in a ticket
  3. Review actionable security events on production logs for successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, system events, all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes.
  4. Deactivate any accounts for people who have left the team.
  5. Note any findings in the Security Event Review issue.
  6. Close the Security Event Review issue.

See all Security Event Review issues here


Example searches and checks

Vulnerabilities

SNYK DASHBOARD: https://snyk.io/org/fecgov/projects

Note: On fec-eregs repo, regulations-parser.txt is mainly used on local environment to parse regulations once every year. At this time we are not fixing any vulnerabilities found in regulations-parser.txt. We just monitor and record them during weekly log review process.

If you haven't done so yet, you can also sign up for a free open-source account with Snyk and make a specialized dashboard and get security alerts mailed to you.

Search logs

Compare account creation to account approvals

Look for account creations and other security events In Kibana do searches like:

CMS accounts created or edited in the past 14 days

check cloud.gov users

Check or via dashboard click on our organization name and select the users section. Users need to be out of all spaces before you can use the dashboard tool to remove them as org users.

Note that deployer accounts have long, random strings for their names.

Clone this wiki locally