As a part of our ongoing SOC 2 compliance we are required to perform an annual risk assessment

in compliance with our Risk Assessment & Management Program (see attached)

Risk Assessment Program.pdf

The goal of this meeting is to determine, for each system in scope, the relative risk of data loss or system failure, the threat actors likely to be involved, and the relative monetary exposure to the business.

Data Classification Levels

https://app.vanta.com/invisibletechnologies/doc/Data Classification Policy-j1brq0sjzxx89phazhxe8y

Systems In Scope (see Service Catalog for additional candidates)

  1. Mimir (Customer Confidential)
    1. Threats
      1. Unauthorized Access
        1. Could expose client confidential data
          1. Exfiltration is a reputational risk
        2. Undermine trust
        3. Could allow inaccurate financial transactions
      2. Unauthorized Writes
      3. Agents/Partners (internal actor): disgruntled employee scenarios
        1. Agent could attempt to increase their pay rate or hours worked
        2. Agents could perform unauthorized activities using their data access
        3. Additional social engineering attacks are possible
    2. Vulnerabilities
      1. 0day exploits (likelihood: low) (impact: could lose major customers, 50% of revenue)
      2. Disgruntled workers (likelihood: medium) (impact: lower, $50-100k, would likely only impact single customers)
      3. Dependency supply chain vulnerabilities (likelihood: medium) (impact: could lose major customers, 50% of revenue)
    3. Existing Mitigations
      1. Backups
      2. Access control
      3. Vulnerability / Dependency scanners as a part of github
      4. Background checks / ID verification
      5. Cyber Insurance
      6. Data loss prevention systems (Teramind)
      7. VDI (malware containment)
        1. Would mitigate known desktop vulnerabilities
    4. Future Mitigations
      1. Additional Network Segmentation
    5. Risk Level = MEDIUM
  2. Vor (Customer Confidential) - See above for Mimir
    1. Threats
    2. Vulnerabilities
    3. Mitigations
  3. Data Warehouse (Customer Confidential)
    1. Threats
      1. Data exfiltration
      2. Inaccurate financial reporting
      3. Inaccurate financial transactions (payments to vendors)
    2. Vulnerabilities
      1. Leaked credentials (likelihood: high) (impact: low)
      2. Lack of network-level segmentation (open to the internet) (likelihood: high) (impact: low)
      3. Unencrypted access (likelihood: medium) (impact: low)
      4. Lack of security expertise from main Data Warehouse team (likelihood: high) (impact: low)
    3. Existing Mitigations
      1. Access control
      2. Using a provider that will patch versions
    4. Future Mitigations
      1. Force encryption (TLS) for db connections
      2. Restrict access to allowlisted IPs (or VPN access)
    5. Risk Level = HIGH
  4. Forest Admin
    1. Threats
      1. Data Exfiltration (direct access to production and staging database)
    2. Vulnerabilities
      1. Loosely managed access control (this was more historical) (likelihood: high) (impact: high)
      2. Risk of inaccurate data entering the system due to untrained/nontechnical staff (likelihood: high) (impact: medium; $50k mitigations)
      3. LastPass sharing of Forest Admin accounts
    3. Existing Mitigations
      1. Access Control
      2. Offboarding controlled by Google auth
      3. License / cost controls will catch people who no longer need access
    4. Future Mitigations
      1. Audit of access control (@Drew Sutherland will handle via Vanta audit)
    5. Risk Level = HIGH
  5. Manticore / DAL / Portal (Customer Confidential)
    1. Threats
      1. Similar threat profile to Mimir / Vor but with higher risk from HTTP-layer (web application) vulnerabilities
        1. XSS
        2. (see the OWASP list of HTTP/web application vulnerabilities)
    2. Vulnerabilities
    3. Mitigations
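The Data Warehouse item above lists "force encryption for db connections" and "allowlisted IP / VPN access" as future mitigations without showing what the change looks like. The fragment below is an added illustration, not from the original notes or from the warehouse provider; it assumes a PostgreSQL-compatible warehouse where we control postgresql.conf and pg_hba.conf, and the hostname, CA file and 10.20.0.0/16 range are placeholders.

```text
# postgresql.conf (assumed: setting is exposed by the provider or self-managed)
ssl = on
ssl_min_protocol_version = 'TLSv1.2'

# pg_hba.conf -- BEFORE: matches the "open to the internet" and "unencrypted
# access" findings. Any source address, TLS or plaintext, password auth.
host      all   all   0.0.0.0/0      md5

# pg_hba.conf -- AFTER: first-match order, so the allow rule comes first.
# TLS-only from the VPN/office range with stronger auth; everything else,
# including any plaintext attempt, is explicitly rejected on v4 and v6.
hostssl   all   all   10.20.0.0/16   scram-sha-256
host      all   all   0.0.0.0/0      reject
host      all   all   ::/0           reject

# client side (libpq connection string): verify-full checks the server cert
# against our CA and the hostname, so a downgraded or spoofed server is refused.
# psql "host=warehouse.example.internal sslmode=verify-full sslrootcert=ca.pem"
```

hostssl lines only take effect when ssl = on, so both files have to change together. After the change, a plaintext connection attempt from outside the allowed range should fail at the pg_hba stage; that failed attempt is the check to record as evidence for the audit.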

Agenda