From 0eccd6a0fc085c9159c3b7d6f116e5b52d102911 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Wed, 3 Jan 2024 08:52:32 -0500 Subject: [PATCH 1/4] Changes addressing in issue 127 --- ...s Minimum Viable Secure Configuration Baseline v0.1.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md index 0adc74e4..6889355c 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md @@ -56,7 +56,7 @@ Agencies SHOULD disable sharing outside of the organization's domain. - [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/) #### GWS.DRIVEDOCS.1.2v0.1 -If disabling sharing outside of the organization's domain, then agencies SHOULD also disable users' receiving files from outside of the organization's domain. +Agencies SHOULD disable users' receiving files from outside of the organization's domain. - Rationale - If the agency decides that external sharing should be disabled, users should not be able to receive files from outside the organization as well. Disabling external sharing ensures that all communication stays within the organization, which helps mitigate risk from malicious files from an external source. 
@@ -324,7 +324,7 @@ This section covers whether users have access to Google Drive with the Drive SDK ### Policies #### GWS.DRIVEDOCS.4.1v0.1 -Agencies SHOULD disable Drive SDK access to restrict information sharing and prevent data leakage. +Agencies SHOULD disable Drive SDK access. - Rationale - The Drive SDK allows third-party external applications to access data and files from within Drive. Disabling the Drive SDK prevents third party applications from accessing the files and data from within the organization, which protects against data leakage and unintentional information sharing. @@ -361,7 +361,7 @@ This section covers whether users can use add-ons in file editors within Google ### Policies #### GWS.DRIVEDOCS.5.1v0.1 -Agencies SHALL disable Add-Ons with the exception of those that are approved within the organization. +Agencies SHALL disable Add-Ons. - Rationale - Google Docs Add-Ons can pose a great security risk based on the permissions the add-on is given. Add-ons can be given full access to the google drive, permission to add or edit existing documents, share documents, connect to external services, and more. Any add-on needs to be fully vetted before given access to the google workspace. Therefore, unapproved add-ons need to be disabled. @@ -393,7 +393,7 @@ To configure the settings for add-ons: ## 6. Drive for Desktop -This section covers that Google Drive for Desktop, if not disabled entirely, should only be allowed on authorized devices. +This section covers the implications of not disabling Drive for Desktop and considerations around authorized device use. ### Policies From 0e69f0bec125479fe5f558aa9e7cdc80ddb85643 Mon Sep 17 00:00:00 2001 
From: jkaufman-mitre <135844572+jkaufman-mitre@users.noreply.github.com> Date: Tue, 9 Jan 2024 06:44:15 -0500 Subject: [PATCH 2/4] Update baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md Co-authored-by: Alden Hilton <106177711+adhilto@users.noreply.github.com> --- ...nd Docs Minimum Viable Secure Configuration Baseline v0.1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md index 6889355c..81398a47 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md @@ -393,7 +393,7 @@ To configure the settings for add-ons: ## 6. Drive for Desktop -This section covers the implications of not disabling Drive for Desktop and considerations around authorized device use. +This section addresses Drive for Desktop, a feature that enables users to interact with their Drive files directly through their desktop's file explorer or finder, rather than through the browser. ### Policies From 3ca35869f24d3d6d30345b01dd3618abb225b1ae Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Thu, 11 Jan 2024 08:43:38 -0500 Subject: [PATCH 3/4] Fixed Last Modified --- ... Docs Minimum Viable Secure Configuration Baseline v0.1.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md index 81398a47..60beb8c5 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md 
@@ -60,7 +60,7 @@ Agencies SHOULD disable users' receiving files from outside of the organization' - Rationale - If the agency decides that external sharing should be disabled, users should not be able to receive files from outside the organization as well. Disabling external sharing ensures that all communication stays within the organization, which helps mitigate risk from malicious files from an external source. -- Last Modified: July 10, 2023 +- Last Modified: January 9, 2024 - Note: - This policy only applies if sharing outside was disabled in Policy 1.1 @@ -365,7 +365,7 @@ Agencies SHALL disable Add-Ons. - Rationale - Google Docs Add-Ons can pose a great security risk based on the permissions the add-on is given. Add-ons can be given full access to the google drive, permission to add or edit existing documents, share documents, connect to external services, and more. Any add-on needs to be fully vetted before given access to the google workspace. Therefore, unapproved add-ons need to be disabled. -- Last Modified: July 10, 2023 +- Last Modified: January 9, 2024 - MITRE ATT&CK TTP Mapping - [T1195: Supply Chain Compromise](https://attack.mitre.org/techniques/T1195/) From 0b3b8d5619f1d2aff0422473d12b9698c15efc15 Mon Sep 17 00:00:00 2001 From: jkaufman-mitre Date: Thu, 11 Jan 2024 08:44:34 -0500 Subject: [PATCH 4/4] Fixed Last Modified --- ...ocs Minimum Viable Secure Configuration Baseline v0.1.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md index 60beb8c5..6e746787 100644 --- a/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md +++ b/baselines/Google Drive and Docs Minimum Viable Secure Configuration Baseline v0.1.md 
@@ -60,7 +60,7 @@ Agencies SHOULD disable users' receiving files from outside of the organization' - Rationale - If the agency decides that external sharing should be disabled, users should not be able to receive files from outside the organization as well. Disabling external sharing ensures that all communication stays within the organization, which helps mitigate risk from malicious files from an external source. -- Last Modified: January 9, 2024 +- Last Modified: January 3, 2024 - Note: - This policy only applies if sharing outside was disabled in Policy 1.1 @@ -328,7 +328,7 @@ Agencies SHOULD disable Drive SDK access. - Rationale - The Drive SDK allows third-party external applications to access data and files from within Drive. Disabling the Drive SDK prevents third party applications from accessing the files and data from within the organization, which protects against data leakage and unintentional information sharing. -- Last Modified: July 10, 2023 +- Last Modified: January 3, 2024 - MITRE ATT&CK TTP Mapping - [T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) @@ -365,7 +365,7 @@ Agencies SHALL disable Add-Ons. - Rationale - Google Docs Add-Ons can pose a great security risk based on the permissions the add-on is given. Add-ons can be given full access to the google drive, permission to add or edit existing documents, share documents, connect to external services, and more. Any add-on needs to be fully vetted before given access to the google workspace. Therefore, unapproved add-ons need to be disabled. -- Last Modified: January 9, 2024 +- Last Modified: January 3, 2024 - MITRE ATT&CK TTP Mapping - [T1195: Supply Chain Compromise](https://attack.mitre.org/techniques/T1195/)
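Review bot: In PATCH 1/4, hunk @@ -56,7 +56,7 @@, GWS.DRIVEDOCS.1.2v0.1 becomes unconditional, but the Rationale kept as context still opens with "If the agency decides that external sharing should be disabled", and the Note visible in the later Last Modified hunks still reads "This policy only applies if sharing outside was disabled in Policy 1.1". Either restore the condition in the policy statement, or rewrite the Rationale and remove the Note in the same patch, so that an assessor reading the baseline does not have to guess whether 1.2 depends on 1.1.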
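Review bot: In PATCH 1/4, hunk @@ -361,7 +361,7 @@, the new statement "Agencies SHALL disable Add-Ons." drops the exception for approved add-ons, while the Rationale directly below it still talks about vetting add-ons before granting access and ends "Therefore, unapproved add-ons need to be disabled." As written, the SHALL forbids the approved add-ons that the Rationale assumes exist. Update the Rationale to justify a blanket disable, or carry the approved-add-on exception in a Note under the policy so the requirement and its justification agree.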
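Review bot: In PATCH 2/4, the new Section 6 introduction writes "file explorer or finder" in lower case; if the Windows and macOS file managers are meant, capitalize them as product names ("File Explorer or Finder"). The sentence also no longer mentions the authorized-device restriction that the original introduction summarized ("should only be allowed on authorized devices"), so confirm the policies under this heading still state it, since the introduction is now only a feature description.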
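Review bot: PATCH 3/4 sets Last Modified to January 9, 2024 on GWS.DRIVEDOCS.1.2v0.1 and GWS.DRIVEDOCS.5.1v0.1 but skips GWS.DRIVEDOCS.4.1v0.1, which PATCH 1/4 also reworded, and PATCH 4/4 then changes all three to January 3, 2024 under the same subject "Fixed Last Modified". Squash the two into one commit that sets the final date on all three policies, with a subject that says which date is being set and why, so the history does not carry an intermediate value that was never intended.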