over budget

Cardano Risk Profile Audit

$40,000.00 Requested
Community Review Results (4 reviewers)
Addresses Challenge
Feasibility
Auditability
Problem:

Cardano stakepool operators face a variety of cybersecurity risks that they have not adequately prepared to defend against.

Yes Votes:
₳ 106,347,743
No Votes:
₳ 18,970,363
Votes Cast:
348

Detailed Plan

<u>Overview</u>

Understanding the risk posture for organizations, systems and applications is critical in developing mitigation strategies, managing the risk tolerance, and communicating security plans.

Beyond the message of how to remediate a risk finding, it is also important to easily and properly score and report through a framework that is consistent and well known to the community at large.

We propose a Risk Profile for Cardano stakepool operators who manage individual nodes across the network. The risk profile would be a streamlined process with several stages. The audit will build upon standards developed by the US National Institute of Standards and Technology (NIST), the European Union Agency for Cybersecurity (ENISA), and the International Organization for Standardization (ISO). We will work closely with the SPOCRA community of stakepool operators to identify the key security vulnerabilities, complete audits of a wide group of stakepool operators, and disseminate the proposed surveys.

The first stage, which is the focus of this proposal, will address the inherent risk profile. This will be an easy-to-follow psychometric evaluation of the key areas of risk defined by the model. It is a self-assessment that provides an initial risk profile based on the stakeholder's own responses, allowing the framework to score the responses and point out weak areas of risk and concern within the system.

A companion proposal, Cardano Risk Control System, submitted to the F6 Disaster: When all is a Stake challenge is a six-month project focused on the second phase of validation of the self-audits. A third phase, focused on modeling risk management scenarios, will be proposed during Fund 7.

<u>Proposed Objectives and Key Results (OKRs)</u>

Building and developing the approach for a Risk Profile will require implementing an application that integrates easily into a broader risk community, so that the risk profile can be one of the variables contributing to the overall risk catalog for the stakeholder's unit under management.

To accomplish this we propose the following objectives and key results:

1. Integrate Cardano Stakepools onto the NOXMON C2RM (Control Cyber Risk Management) tool

a. 5 major and 10 minor security indicators have been identified for stakepool operation

b. 2 stakepool operators have validated the operation of the website integration

2. Develop templates for independent Stakepool node assessment

a. 10 assessment questions have been composed and validated for the survey

b. 10 stakepool operators have been identified to participate in the initial survey

3. Reporting engine for stakepool operators to publish current findings on the Stakepool Node assessments

a. 2 stakepool operators have contributed to the development of the reporting engine

b. 5 stakepool operators have published survey results with the SPOCRA community

<u>Schedule</u>

Nov 2021 - Integrate NOXMON Stakepool tool

Lead: Alexander Miranda

Support Staff: Nelson, Stiglics, Span, Web Developer

Staff Budget: $12,065

Computer Supplies: $1,268

Dec 2021 - Templates for Stakepool assessment

Lead: Lauris Stiglics

Support Staff: Miranda, Nelson, Span, Web Developer

Staff Budget: $12,782

Survey Supplies: $551

Jan 2021 - Reporting engine

Lead: Nelson

Support Staff: Miranda, Stiglics, Span, Web Developer

Staff Budget: $13,334

Six Month Milestone: Propose and Complete Phase II Control System

Twelve Month Milestone: Propose and Complete Phase III Risk Analysis of Cardano Stakepools

<u>References</u>

A. W. Miranda and S. Goldsmith, "Cyber-physical risk management for PV photovoltaic plants," in 2017 International Carnahan Conference on Security Technology (ICCST), 2017, pp. 1–8.

H. Sridhar, S., M. A., Govindarasu, Framework for Improving Critical Infrastructure Cybersecurity, Vol. 100, Gaithersburg, MD, 2018, pp. 210–224.

A. Dedeke, Cybersecurity Framework Adoption: Using Capability Levels for Implementation Tiers and Profiles, IEEE Security & Privacy 15 (5) (2017) 47–54. doi:10.1109/MSP.2017.3681063.

R. Azmi, W. Tibben, K. T. Win, Review of cybersecurity frameworks: context and shared concepts, Journal of Cyber Policy 3 (2) (2018) 258–283. doi:10.1080/23738871.2018.1520271.

NIST Cybersecurity Framework, Website: <https://www.nist.gov/cyberframework>

ENISA Cybersecurity Standards and Certification, Website: <https://www.enisa.europa.eu/topics/standards>

ISO Information Security Management System (ISMS) Standards, Website: <https://www.itgovernanceusa.com/shop/product/isoiec-27001-2013-and-isoiec-27002-2013-standards>

<u>Team</u>

Dr. Kenric Nelson is President and Founder of Photrek, which is developing novel approaches to Complex Decision Systems, including the dynamics of cryptocurrency protocols, sensor systems for ecological studies, and robust machine learning methods. His recent experience includes Research Professor with Boston University's Department of Electrical & Computer Engineering and Sr. Principal Systems Engineer with Raytheon Company. He has pioneered novel approaches to measuring and fusing information, which has been applied to improving the accuracy and robustness of radar signal processing, sensor fusion, cybersecurity, and machine learning algorithms. His education in electrical engineering includes completing a B.S. degree summa cum laude from Tulane University, an M.S. degree from Rensselaer Polytechnic Institute, and a Ph.D. degree from Boston University. His professional education includes an Executive Certificate from MIT Sloan and a certification with the Program Management Institute.

Nelson is the Principal Investigator for the project and is currently leading the "Diversify Voting Influence" project. Nelson ran the AdaStar staking node during Cardano's Incentivized Test Network for the Shelley development. His expertise in designing and analyzing complex systems will be applied to ensuring that the cybersecurity assessments are aggregated in a risk-averse manner.

Dr. Alexander Miranda is a Technology Risk Professional: a technologist and information security executive with 15 years of diversified experience and proven leadership capabilities in security best practices, architecture, engineering, operations, governance, risk management, and compliance. He is adept at building innovative security solutions to address complex challenges, and effective in fostering relationships with stakeholders to support business objectives. He has broad experience in the private and public sectors, with both large corporate environments and small startup ventures.

Lauris Stiglics was elected a Cardano Catalyst Circle member representing the Stakepool Operators. He is a founding member of SPOCRA, an alliance of stakepool operators seeking to "fill a need in the (Cardano) community - a trade guild to represent and support Stake Pool Operators in order to maintain a healthy, secure, and decentralized Cardano network infrastructure." Stiglics operates Stakepool247.

Ron Span holds a degree in computer science (1993) and completed professional studies in business and economics (1994). Span has 25 years of experience leading cutting-edge advances in Information Technology. He has continuously expanded his responsibilities in programming, consultancy, pre-sales, and professional services management, working for an international company with large enterprise clients. More recently Span has led business development efforts for an international operations consultancy company working with large enterprise clients. Since 2016, Span has run his own software company and is leading several start-up companies, including software development within the Cardano community.

Span describes his avocation for the Cardano community: "What IOHK wanted to achieve impressed me. After reading their first published whitepaper, I was convinced of the approach, the network, and the connections within the space. So I decided to contribute to this project. As such, I became an early stake pool operator that ran nodes on ITN and HTN and read the many papers and technical documentation provided by the team of IOHK and its researchers. Contributing to the Cardano community with a community-based solution delegationtracker.com built on basis of stake pool rewards. Being one of the 8 companies selected for the original Plutus Dev Partner program. Now I am joining this exciting project to contribute to better security of the Cardano network in which I think I can help on basis of running Cardano stake pools for years as an SPO. There is literally no day passing by without being a part of the exciting developments for Cardano."

Community Advisor Reviews (4)

Addresses Challenge

3.5 / 5
4 reviews

Does the proposal effectively address the challenge?


This looks like a great idea; however, the question has to be asked: is 80% of the challenge budget best spent on building a 15-point risk profile checklist, creating a 10-question survey, and a place to publish it for SPOs?

Assessment Quality Assurance

Assessment Quality Assurance is an offered role to veteran in the Cardano Project Catalyst Community. The purpose is to review PA assessments of proposals, providing a second layer of Quality Assurance.

Assessor ID
z_assessor_11
Total QA Ratings
14


The proposal is very well aligned with the challenge since it raises and addresses a very important problem regarding the Cardano community, since SPs are the backbone of Cardano blockchain. The reliability of the network is something that is constantly mentioned, especially today when it's possible to run a stake-pool in a cloud service such as AWS. Understanding the reliability of each SP, and consequently of the whole network, is something very valuable. The funding of this proposal, on the other hand, would limit the impact of the challenge as a whole, since it is asking for 80% of all the budget, even though it mentions that part of the proposal is covered by another proposal in Fund6, and there will be a 3rd one in Fund7 as well. Score: 4

Assessor ID
z_assessor_31
Total QA Ratings
10


The challenge is to help stakeholders identify serious emerging systemic threats for the Cardano blockchain before a threat overcomes the system. The proposal does put forward a convincing path to conducting risk profile cybersecurity audits for stakepool operators (SPOs). The campaign brief specifies that Cardano stakeholders (users, SPOs, DApp developers, partners, Exchanges, governments, companies) need a resilient system that is able to identify and grade developing threats to its own existence. The challenge brief is wide and I would welcome a wider ranging solution that would encompass more types of threats - as a better fit as it would cover more ground and would represent a better fit to the scope of the challenge. The risk profile audit will help identify and grade developing threats - but will inherently be limited by its narrow scope. It targets cybersecurity risks specifically and I think it addresses that narrow segment competently. The proposing team proposes a "Risk Profile for Cardano stakepool operators who manage individual nodes across the network". BTW, it is not clear to me from this sentence whether the focus will be stakepool operators who manage "individual nodes" only or does the scope also include stakepool operators who manage "multiple nodes" - meaning multiple pools, but this does not detract from the score (I presume it means all SPOs).

Maybe there could be space for using the experience gained in developing templates for independent Stakepool node assessment - for other elements of the Cardano ecosystem as well? Or trying to widen the project to cover more threat sources in a similar fashion?

Ultimately, the proposed solution does not address other novel, emerging systemic threats to the Cardano ecosystem. Other important threat sources include economic and social threats, or regulatory sources, or operational issues related to the structure of Cardano and its components, major stakeholders, market-destabilizing activities, attempts to destabilize the chain from other sources, etc…

Assessor ID
z_assessor_35
Total QA Ratings
8


This proposal takes a standards approach to targeting threats to stakepool operators. This is on-theme with the challenge brief; however, the approach isn't validated with any rationale in the project description. For instance, why is a "psychometric evaluation of the key areas of risk" a better approach than any other? There are also some elements of the proposal that are a little hard to follow. For example, references to the NOXMON C2RM (Control Cyber Risk Management) tool are made, but it isn't clear why this tool is best suited for the job. Additionally, while the SPOCRA website is referenced, the reference to the "Photrek" team isn't elaborated on. It is true that the companion proposal in the Disaster: When all is a Stake challenge has some more details, but considered in isolation the proposal was unclear to me. Perhaps an example of the type of analysis the proposal aims to deliver would make this clearer to those reviewing the proposal.

Assessor ID
z_assessor_590
Total QA Ratings
10

Feasibility

4.3 / 5
4 reviews

Given the experience and plan presented, it is likely that this proposal will be implemented successfully.


The proposers should have the ability to deliver this plan, as what is proposed is clearly set out and they have the experience and connections.

Assessor ID
z_assessor_11
Total QA Ratings
14


The team seems to have enough experience to deliver what they are promising, since their background covers most of the areas required to develop and deliver it. The plan is well defined, some deliverables and goals are mentioned, and the technical aspect is also well explained. However, the budget is only partially broken down, and sections like 'staff budget' and 'supplies' are provided as a lump sum, so it's not possible to really know the effort involved in order to assess if the budget is appropriate. Score: 4

Assessor ID
z_assessor_31
Total QA Ratings
10


I think that the proposers of this challenge are an impressive combination: the right mix of theoretical experience, practical experience in running a stakepool, and technology risk professional experience. The proposers' solution is to develop a Risk Profile Cybersecurity Audit for SPOs using NIST, ENISA, and ISO cybersecurity standards. These standards are publicly referenced and the proposal includes links to the NIST Cybersecurity Framework, ENISA Cybersecurity Standards and Certification, and the ISO Information Security Management System (ISMS) Standards. I think that the proposal seems feasible, well within the competencies of the proposing team, and would provide some great value. There is something I noticed too. According to the scoring criteria for feasibility, a feasible proposal has considered the following aspect as well: (The proposal clearly explains technical aspects like architecture, language and technologies if they are crucial for implementation.). So, while the NIST, ENISA and ISO standards are referenced with links, I was trying to explore to learn more about the proposed integration of Cardano stakepools onto the NOXMON C2RM (Control Cyber Risk Management) tool. The tool is not presented in any detail in the proposal and its significance is not explained, so I tried searching for it on my own. From where I am based (on Sep 11) a Google Search reveals only one result (https://noxmon.com/); when I open the webpage I see a page for what is presented as a technology & cyber risk management company. However, the company's page is full of placeholder (dummy) text commonly used to demonstrate the visual form of a document without meaningful content. The Case Studies page on this website (http://noxmon.com/project/consumer-products/) is non-existent, while the Testimonials page (https://noxmon.com/testimonials/) is full of John Doe ("Lorem Ipsum") quotes.
Effectively, I am not able to get a picture of what NOXMON C2RM is - the proposers have not explained to voters the importance of the NOXMON C2RM integration for stakepools and no relevant links have been provided. This NOXMON C2RM integration roughly accounts for one-third of the budget - so this part of the budget is now hanging on a lack of relevant and reliable information. It requires a leap of faith (not a good sign - when trust needs to be implied, instead of being documented). As for the rest of the budget, the budget is well presented for a proposal of this size and relatable to the activities that are proposed.

Assessor ID
z_assessor_35
Total QA Ratings
8


The team credentials are very impressive and align with the intent of the proposal. In addition, it is clear that the proposal team have built the team up through collaboration and reaching out to the rest of the Cardano community. The requested budget has been broken down into monthly deliverables. The amount of funds requested amounts to 80% of the challenge budget. Taking into consideration the opportunity cost of other projects not being funded vs. what would be delivered by this project, on balance I believe the ask may be a little too high. A smaller funding amount for a shorter time horizon may build credibility for the idea.

Assessor ID
z_assessor_590
Total QA Ratings
10

Auditability

3.5 / 5
4 reviews

Does the proposal provide sufficient information to assess and audit progress and completion?


Progress on the timetable of deliverables for this proposal should be easy to assess. But what is success? Would a target not be to have an aggregated risk score produced which could be used in the delegation tools to allow delegators to choose SPOs who are low risk, thus driving all SPOs to spend the resources on reducing their risks and thus the risks to Cardano as a whole?

Assessor ID
z_assessor_11
Total QA Ratings
14


The proposing team presents a roadmap, and the deliverables of each step are mentioned in the proposed objectives and key results. Success metrics along the way are clear. However, the lack of budget breakdown regarding the 'Staff Budget' mainly, but also 'Supplies', makes it a bit harder to audit the project expenditures, especially the individual participations in the project. In order to improve auditability, a more detailed budget breakout could be included. Score: 4

Assessor ID
z_assessor_31
Total QA Ratings
10


Finally, as regards clarity and auditability, or effectively the ability to audit the progress and success, there is some good and some not so good. A roadmap with milestones and a time horizon for achievement has been provided, and Metrics/KPIs that define the success of the proposal are there too. But not all key metrics are clear (see NOXMON C2RM below). As regards the solution's clarity, I think that it clearly falls short of addressing a wider scope of problems/threats for the Cardano ecosystem, as I feel the spirit of the challenge requires. The proposed solution also lacks links to explain or reference the importance of using the proposed NOXMON C2RM (Control Cyber Risk Management) tool, but that would not be a problem if a simple Google Search were to reveal the answer. Unfortunately, a Google Search opens up more questions about NOXMON C2RM than it answers, and voters would probably want more explanation for this segment that accounts for a third of the budget. So, effectively, I think this proposal would benefit from the team explaining what NOXMON C2RM provides and why it has been chosen over other solutions. The NOXMON company's page is full of placeholder (dummy) text commonly used to demonstrate the visual form of a document without meaningful content; no commercial products are visible, and the testimonial and other pages are effectively placeholders.

Assessor ID
z_assessor_35
Total QA Ratings
8


A clear roadmap and timeline provides transparent targets for the project to hit, providing sufficient means to audit the project's success. A more detailed analysis of the risks and challenges of the approach would have made the proposal

Assessor ID
z_assessor_590
Total QA Ratings
10