Skip to content

Latest commit

 

History

History
62 lines (51 loc) · 5.65 KB

threat-modeling.md

File metadata and controls

62 lines (51 loc) · 5.65 KB

Threat Model Analysis for borgbackup/borg

Threat: Unauthorized Access to Backup Repository

  • Description: An attacker gains unauthorized access to the Borg repository by exploiting weak authentication or access control mechanisms. Once accessed, the attacker can read, modify, or delete backup data using Borg commands.
    • Impact: Confidentiality breach (exposure of sensitive data), integrity compromise (modification or deletion of backups), availability loss (deletion of backups).
    • Borg Component Affected: Repository, Repository Access Layer (SSH, Borg Server if used)
    • Risk Severity: High
    • Mitigation Strategies:
      • Implement strong authentication for repository access, preferably SSH key-based authentication.
      • Utilize access control lists (ACLs) or permissions to restrict repository access to only authorized users and systems.
      • Enforce network segmentation to limit network access to the repository.
      • Regularly audit repository access logs for suspicious activity.

Threat: Compromise of Borg Repository Encryption Key

  • Description: An attacker obtains the encryption key used to protect the Borg repository. This could be achieved by compromising systems where the key is stored, or through vulnerabilities in key management practices. With the key, the attacker can decrypt all backup data using Borg commands.
    • Impact: Confidentiality breach (full exposure of all backup data).
    • Borg Component Affected: Encryption, Key Management
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Generate strong, cryptographically secure encryption keys using Borg's key generation features.
      • Store encryption keys securely, avoiding plaintext storage or easily accessible locations.
      • Consider using hardware security modules (HSMs) or key management systems (KMS) for enhanced key protection.
      • Implement strict access control to key storage locations.
      • Educate users about key security best practices and phishing awareness.

Threat: Unauthorized Modification of Backup Data in Repository

  • Description: An attacker with write access to the Borg repository (due to compromised credentials or access control bypass) uses Borg commands to modify or corrupt existing backup data. This can render backups unusable for restoration.
    • Impact: Integrity compromise (backups become unreliable or unusable), availability loss (effective data loss if backups are corrupted).
    • Borg Component Affected: Repository, Repository Storage, Borg Commands (e.g., borg delete, borg prune)
    • Risk Severity: High
    • Mitigation Strategies:
      • Implement strict write access control to the repository, limiting write access to only authorized backup processes.
      • Utilize repository platforms that offer versioning or write protection features to prevent or detect unauthorized modifications.
      • Regularly perform integrity checks of backups using borg check to detect corruption.
      • Consider immutable storage solutions for backups to prevent any modification after creation.

Threat: Loss of Borg Repository Encryption Key

  • Description: The encryption key for the Borg repository is lost, deleted, or becomes inaccessible due to storage failures or operational errors. Without the key, Borg cannot decrypt and restore the backups.
    • Impact: Availability loss (inability to decrypt and restore backups), permanent data loss.
    • Borg Component Affected: Key Management, Encryption, Borg Restore Process
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Implement robust key backup and recovery procedures. Store backups of the key in secure, separate, and redundant locations.
      • Regularly test key recovery procedures to ensure they are functional and documented.
      • Consider key escrow solutions if appropriate for the application's risk tolerance and compliance requirements.

Threat: Borg Software Vulnerabilities (High/Critical)

  • Description: Undiscovered or unpatched high or critical severity security vulnerabilities in the BorgBackup software itself are exploited by attackers. This could lead to remote code execution, privilege escalation within the backup process, data corruption, or denial of service affecting Borg's functionality.
    • Impact: Confidentiality, Integrity, or Availability compromise depending on the nature of the vulnerability, potentially leading to data breaches, data loss, or backup system failures.
    • Borg Component Affected: Borg Software (various modules and functions, depending on the vulnerability)
    • Risk Severity: High to Critical (depending on the specific vulnerability)
    • Mitigation Strategies:
      • Keep BorgBackup software up-to-date with the latest security patches and versions.
      • Subscribe to security advisories and mailing lists related to BorgBackup to be promptly informed of any disclosed vulnerabilities.
      • Follow security best practices for software deployment and configuration, including running Borg processes with least privilege.
      • Implement intrusion detection and prevention systems to detect and potentially block exploitation attempts targeting Borg vulnerabilities.