160 likes | 480 Vues
CARVER+Shock Vulnerability Assessment Tool “As Agile As the Enemy”. The Foundation for Institutional Development. Security is a cycle, a business process, not an event. As time goes on, we must assess our vulnerabilities. As the biggest holes in our defenses are plugged, we either move on
E N D
CARVER+ShockVulnerability Assessment Tool“As Agile As the Enemy” The Foundation for Institutional Development
Security is a cycle, a business process, not an event As time goes on, we must assess our vulnerabilities. As the biggest holes in our defenses are plugged, we either move on to the next weakest area, or an occurrence drives us to reassess Assessment Assessment Assessment Occurrence Occurrence Occurrence Mitigation Mitigation Mitigation Time The Cycle of Security
How Our System Works • Based off of Sun Tzu principles of War • Know Yourself • Know Your Enemy • Know Your Environment • Know What Your Enemy Knows About You • Use the CARVER+ Shock Vulnerability Assessment Tool • Can be used on all 13 Critical Infrastructures at any level
Agriculture Food Water Public Health Emergency Services Government Defense Industrial Base Information and Telecommunications Energy Transportation Banking and Finance Chemical Industry Postal and Shipping Critical Infrastructures
The Targeting Process“Know Yourself” • Each Critical Infrastructure is a Target System • Target Systems (Sub-systems) • A series of steps in the process • Target Complexes!!! • Targets in the same geographical area • Target Components • Specific pieces of machinery, structures, personnel, supplies, or computer files • Critical to overall target system • Critical Nodes • Critical to operation of target component • How component is disabled
Sample Target System(Power) { Target Complexes Target System Or Subsystem Control Center Target Components
Grow Harvest Process Transport Distribute Consume The Target System • The process that grows, harvests, processes, transports, and distributes any foodstuff is a target system. Each step can be considered a target sub-system. • The process that grows, harvests, processes, transports, and distributes any foodstuff is a target system. Each step can be considered a target sub-system.
Layer Farm Harvest Facility Processing Facility Target Complexes A target complex is be a subset of a target subsystem. A target complex is a concentrated, integrated series of targets. It consists of facilities and activities that are close to each other geographically or virtually. Within a target complex, individual targets will be identified Transport Services Distribution (Retail)
Production Animals Feed Grading and Packaging Machines Egg Breaker Machines Target Components • Target components are the pieces of the target you can see or touch. Target components can be • Service providers (Humans, animals) • Infrastructure (Buildings/equipment) • Consumables (Feed, medicine, etc) • Cyber (Hardware software, network) Plant Workers Inspectors
CARVER + Shock(Assessment) • Criticality • Accessibility • Recuperability • Vulnerability • Effect • Recognizability • Shock (Consider multiple attacks occurring at the same time)
Design Basis Threat“Know Your Enemy” • Develop a design basis threat to ensure continuity in planning/prioritization • Eliminates the need for Probability • Can encompass more than one scenario • Include: • WHO Means (Methodology, MO, Weapons, Resources) • HOW Type of Target (Include how they are selected) • WHY (Political, Financial, Theological) • Update as threat changes on a permanent basis
Red Teaming“Through the Eyes of the Enemy” • Uses Open Source Information • Let’s you look at your target system through the eyes of the enemy • Helps determine where to commit mitigation resources
Curriculum • Executive Overview • Informs government and corporate leadership on the program, tools and techniques to be used, and benefits to their organization • CARVER+Shock Vulnerability Assessment Tool • Used during national level assessments in first phase • Highly scaleable • Ubiquitous across any infrastructure • Open Source Intelligence Course • Trains candidates to exploit open sources to obtain information on their own weaknesses as well as their threat • Red Team Course • Trains analysts to view their facility as a target through the eyes of the enemy.