Download presentation
Presentation is loading. Please wait.
Published byAnabel Whitehead Modified over 9 years ago
1
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Sponsored by the U.S. Department of Defense
2
S5-2 © 2001 Carnegie Mellon University OCTAVE SM Operationally Critical Threat, Asset, and Vulnerability Evaluation SM OCTAVE and Operationally Critical Threat, Asset, and Vulnerability Evaluation are service marks of Carnegie Mellon University.
3
S5-3 © 2001 Carnegie Mellon University OCTAVE Process Phase 1 Organizational View Phase 2 Technological View Phase 3 Strategy and Plan Development Tech. Vulnerabilities Planning Assets Threats Current Practices Org. Vulnerabilities Security Req. Risks Protection Strategy Mitigation Plans Identify Key Components
4
S5-4 © 2001 Carnegie Mellon University Objectives of this Workshop To identify classes of infrastructure components to evaluate To select one or more infrastructure components from each class To select an approach for evaluating each infrastructure component
5
S5-5 © 2001 Carnegie Mellon University Asset Something of value to the organization information systems software hardware people
6
S5-6 © 2001 Carnegie Mellon University System of Interest The system that is most closely linked to the critical asset the system that gives legitimate users access to a critical asset the system that gives a threat actor access to a critical asset It is possible to have multiple systems of interest for a critical asset.
7
S5-7 © 2001 Carnegie Mellon University Key Classes of Components Types of devices and components that are related to the system of interest
8
S5-8 © 2001 Carnegie Mellon University Access Paths Ways in which critical assets can be accessed via your organization’s network(s)
9
S5-9 © 2001 Carnegie Mellon University Identifying Key Classes of Components Establish the system of interest for the critical asset. Examine network access paths in the context of threat scenarios to identify the important classes of components for critical assets.
10
S5-10 © 2001 Carnegie Mellon University Selecting Components Review your organization’s network topology diagram. Select specific component(s) in each key class to evaluate for vulnerabilities. Select an approach for evaluating each infrastructure component.
11
S5-11 © 2001 Carnegie Mellon University Selecting Approaches Look across the critical assets and selected components for duplication, overlaps, etc. Select an approach for evaluating each infrastructure component. Who will perform the evaluation? Which tool(s) will be used?
12
S5-12 © 2001 Carnegie Mellon University Types of Vulnerability Identification Tools Operating system scanners Network infrastructure scanners Specialty, targeted, or hybrid scanners Checklists Scripts
13
S5-13 © 2001 Carnegie Mellon University Approval for Automated Tools Automated tools can affect the operations of the organization. You must: determine what effects the tools will have on the organization’s operations and personnel gain approval to run the tools and agreement on when they can be run notify all personnel who may be affected You may also be required to estimate costs for management approval
14
S5-14 © 2001 Carnegie Mellon University Summary We have completed the following in this workshop: identified classes of infrastructure components to evaluate selected one or more infrastructure components from each class selected an approach for evaluating each infrastructure component
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.