aiwg
Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo
# Physical Threat Scenarios
> **Template usage**: One record per system that faces physical-access adversaries. Lives in `.aiwg/security-engineering/physical-threats/<system-name>.md`. Driven by the `physical-threat-modeling` skill. Complements (does not replace) `sdlc-complete/templates/security/threat-scenario-card.md` which is network/app-focused. Replace all `[bracketed]` placeholders.
## Document Control
| Field | Value |
|---|---|
| System | `[Name]` |
| Document ID | `[PT-NNN]` |
| Date Created | `[YYYY-MM-DD]` |
| Authors | `[role / agent]` |
| Reviewers | `[independent reviewer]` |
| Status | `[Draft / Under Review / Approved / Implemented]` |
## 1. Asset and Operator Profile
| Aspect | Value |
|---|---|
| Asset class | `[portable laptop / portable USB-secrets / fixed datacenter / IoT field device]` |
| Operator role | `[security operator / journalist / executive / sysadmin / SRE]` |
| Travel pattern | `[domestic only / international / hostile-jurisdictions]` |
| Storage when not in use | `[hotel room / safe / office / never unattended]` |
| Operational environment | `[private office / shared workspace / public / semi-public]` |
| Adversary profile | `[opportunistic / criminal / corporate competitor / nation-state]` |
| Physical-access exposure | `[never / rare / regular / continuous risk]` |
## 2. Applicability Decision
Walked through the `physical-threat-modeling` Section 2 decision tree:
```
Asset portable: [Y/N]
High-value target: [Y/N]
Cross-references TEMPEST-relevant operations: [Y/N]
```
**Resulting threat applicability** (check all that apply):
- [ ] Threat 1: Evil-maid swap of bootstrap / boot media
- [ ] Threat 2: Thunderbolt / USB-C DMA attack
- [ ] Threat 3: Hostile USB peripheral (BadUSB)
- [ ] Threat 4: Travel-host root compromise
- [ ] Threat 5: Coercion of operator
- [ ] Threat 6: Cold-boot RAM extraction
- [ ] Threat 7: Hardware implant in supply chain
- [ ] Threat 8: Side-channel observation
- [ ] Threat 9: Visual / shoulder-surfing
- [ ] Threat 10: Lost or stolen device
For each unchecked threat, document in §3 why it is not applicable.
## 3. Threat-by-Threat Analysis
For each applicable threat:
### Threat N: `[name from library]`
| Aspect | Value |
|---|---|
| **Applicability** | `[in scope / out of scope / partial]` |
| **Why** | `[one sentence; cite asset/operator profile fields]` |
| **Attack steps** | `[summary of how the attack proceeds]` |
| **Detection** | `[how/whether we can detect this]` |
| **Mitigation in this design** | `[concrete reference: 'chain-of-trust-design Pattern A+D' or 'BIOS-level Thunderbolt DMA disable per operator runbook §3.4']` |
| **Mitigation effectiveness** | `[Defeated / Detection-only / Partial / None]` |
| **Residual risk** | `[what remains after mitigation; explicitly accepted by [whom]]` |
| **Cross-references** | `[other docs that contain mitigation detail]` |
`[Repeat for each applicable threat. Out-of-scope threats can be tabulated more briefly.]`
## 4. Mitigation Cross-Reference Matrix
Roll-up: which other documents address each applicable threat?
| Threat | `chain-of-trust-design.md` | `factor-design-rationale.md` | `degraded-mode-matrix.md` | `supply-chain-pins.yaml` | Operator runbook |
|---|---|---|---|---|---|
| 1. Evil-maid | ✓ | | | | |
| 2. DMA | (assumption) | | | | ✓ |
| 4. Travel-host | ✓ (Pattern B) | | | | ✓ |
| 5. Coercion | | ✓ (PIN factor) | | | ✓ (duress procedure) |
| `[…]` | | | | | |
If any applicable threat has no ✓ in any column, it's an unaddressed risk.
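
The rule above can be checked mechanically. The following is an added example, not part of the aiwg project: it reads the §2 checklist and the §4 matrix from a filled-in record and lists every checked threat that has no ✓. The function name `unaddressed_threats` and the sample record are hypothetical; it assumes `[x]` marks an applicable threat and that only a literal ✓ counts as coverage, so a cell such as `(assumption)` does not.

```python
import re

# Constructed sample record (not a real system): sections 2 and 4 of a filled-in template.
SAMPLE = """\
## 2. Applicability Decision
- [x] Threat 1: Evil-maid swap of bootstrap / boot media
- [x] Threat 2: Thunderbolt / USB-C DMA attack
- [ ] Threat 3: Hostile USB peripheral (BadUSB)
- [x] Threat 6: Cold-boot RAM extraction
- [x] Threat 10: Lost or stolen device
## 4. Mitigation Cross-Reference Matrix
| Threat | `chain-of-trust-design.md` | `factor-design-rationale.md` | `degraded-mode-matrix.md` | `supply-chain-pins.yaml` | Operator runbook |
|---|---|---|---|---|---|
| 1. Evil-maid | ✓ | | | | |
| 2. DMA | (assumption) | | | | |
| 6. Cold-boot | | | | | ✓ (lock to S5) |
"""

CHECKED = re.compile(r"^- \[[xX]\] Threat (\d+):\s*(.+)$")  # checked item in section 2
ROW = re.compile(r"^\|\s*(\d+)\.[^|]*\|(.*)\|\s*$")         # numbered matrix row

def unaddressed_threats(markdown: str) -> list[tuple[int, str, str]]:
    """Return (threat number, name, reason) for each checked threat lacking a ✓."""
    applicable: dict[int, str] = {}
    covered: dict[int, bool] = {}
    section = ""
    for line in markdown.splitlines():
        line = line.strip()
        if line.startswith("## "):
            section = line  # remember which section we are in
        elif m := CHECKED.match(line):
            applicable[int(m.group(1))] = m.group(2).strip()
        elif section.startswith("## 4.") and (m := ROW.match(line)):
            # Only section 4 rows count; the section 7 status table is ignored.
            covered[int(m.group(1))] = any("✓" in c for c in m.group(2).split("|"))
    findings = []
    for num, name in sorted(applicable.items()):
        if num not in covered:
            findings.append((num, name, "no matrix row"))
        elif not covered[num]:
            findings.append((num, name, "row has no ✓"))
    return findings

if __name__ == "__main__":
    for num, name, reason in unaddressed_threats(SAMPLE):
        print(f"Threat {num} ({name}): UNADDRESSED, {reason}")
```
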
## 5. Operational Hardening Checklist
For threats whose mitigation is operational (not technical), document the requirements operators must follow.
- [ ] BIOS settings: `[specific values — Secure Boot enabled, Thunderbolt Security Level User, USB Boot disabled]`
- [ ] Storage when unattended: `[hotel safe / personal carry / never unattended]`
- [ ] Charging from public sources: `[USB data blocker required / forbidden / acceptable]`
- [ ] Privacy filter on screen: `[required when working in public / always]`
- [ ] Lock to S5 (full shutdown), not S3 (suspend), when: `[hostile environment / always when leaving device]`
## 6. Tabletop Exercise Log
Per recommendation #10 from the gap analysis, run periodic tabletop exercises walking through threat scenarios.
| Date | Scenario | Witnesses | Findings | Procedure updates |
|---|---|---|---|---|
| `[YYYY-MM-DD]` | `[e.g., "USB stolen from hotel room while operator at conference"]` | `[names]` | `[gaps found]` | `[document refs]` |
## 7. Worked Example: Review Findings B3 / H4
### Original system
`[Description: portable hardware-backed secrets system; travels with operator; left unattended in hotels.]`
### Decision tree results
- Asset portable: Y
- High-value target: Y (security operator)
- TEMPEST-relevant: N
### Applicable threats and current mitigation status
| Threat | Pre-review status | Post-fix status | Reference |
|---|---|---|---|
| 1. Evil-maid | NOT addressed (review B3) | Pattern A+D from `chain-of-trust-design.md` | COT-001 |
| 2. DMA | not documented | accepted-with-mitigation: BIOS DMA disable in operator runbook §3.4 | runbook |
| 4. Travel-host | Partial (review H4) | Pattern B (signed live image) — primary mitigation | COT-001 |
| 5. Coercion | NOT addressed (review H2) | FIDO2 PIN added per `factor-design-rationale.md` | FACTOR-001 |
| 6. Cold-boot | not documented | accepted; lock to S5 in hostile environments per runbook | runbook |
| 7. Hardware implant | accepted-with-mitigation | procurement controls per `supply-chain-pins.yaml` | supply chain |
| 9. Shoulder-surf | operator-managed | privacy filter required per runbook | runbook |
| 10. Lost device | core threat | LUKS + factor separation (basic design) | COT-001 |
## 8. Cross-references
- Skill: `agentic/code/frameworks/security-engineering/skills/physical-threat-modeling/SKILL.md`
- Companion network/app threats: `sdlc-complete/templates/security/threat-scenario-card.md`
- Mitigation docs referenced above
- Operator runbook: `[link]`
## 9. Review Trail
| Date | Reviewer | Findings | Resolution |
|---|---|---|---|
| `[date]` | `[reviewer]` | `[findings]` | `[resolution]` |