CARVER+Shock Vulnerability Assessment Tool “As Agile As the Enemy” The Foundation for Institutional Development.

Slides:

Advertisements

Similar presentations

DoD Logistics Human Capital Strategy (HCS) Executive Overview 1 October 2008.

Advertisements

1 Protecting the Long Island Business Community A Public Safety Partnership.

Idaho Critical Infrastructure and Key Resources Protection Program and Fusion Center Brief.

Visual 1.1 Course Overview Unit 1: Course Overview.

National Infrastructure Protection Plan

Addressing Terrorist Use of the Internet, Cyber Crime and Other Threats: National Expert Workshop Forging a Comprehensive Approach to Cyber Security Richard.

DHS, National Cyber Security Division Overview

National Space-Based Positioning, Navigation, and Timing (PNT) Federal Advisory Board DHS Challenges & Opportunities Captain Curtis Dubay, P.E. Department.

1 Telstra in Confidence Managing Security for our Mobile Technology.

Peter Brudenall & Caroline Evans- Simmons & Simmons Marsh Technology Conference 2005 Zurich, Switzerland. Managing the Security Landscape – Legal and Risk.

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

Commercial Egg Production and Processing Ryan A. Meunier 1 & Dr. Mickey A. Latour 2 Purdue University 1151 Smith Hall West Lafayette, IN Department.

Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey.

Lecture 11 Reliability and Security in IT infrastructure.

Critical Infrastructure Interdependencies H. Scott Matthews March 30, 2004.

Physical and Cyber Attacks1. 2 Inspirational Quote Country in which there are precipitous cliffs with torrents running between, deep natural hollows,

Predictive Maintenance: Condition monitoring Tools and Systems for asset management September 19, 2007.

Critical Infrastructure Protection and Higher Education: University of California Hazard Vulnerability Assessment Kristine Hafner University of California.

Food Safety and Inspection Service U.S. Department of Agriculture Homeland Security: Protecting the U.S. Food Supply Office of Food Security & Emergency.

Management Information Systems

IBM Academic Initiative Skills for a Smarter Planet Cloud Computing John Schilt Lead, IBM Academic Initiative Australia / New Zealand

Isdefe ISXXXX XX Your best ally Panel: Future scenarios for European critical infrastructures protection Carlos Martí Sempere. Essen.

1 Information System Security Assurance Architecture A Proposed IEEE Standard for Managing Enterprise Risk February 7, 2005 Dr. Ron Ross Computer Security.

New York State Food Defense Initiatives Darby Greco, M.P.H., R.S. New York State Department of Health Bureau of Community Environmental Health and Food.

IAEA International Atomic Energy Agency IAEA Nuclear Security Programme Enhancing cybersecurity in nuclear infrastructure TWG-NPPIC – IAEA May 09 – A.

PATCH MANAGEMENT: Issues and Practical Solutions Presented by: ISSA Vancouver Chapter March 4, 2004.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Journey to a Real Time Enterprise

Managing Risks, Countering Threats: Protecting Critical National Infrastructure Against Terrorism Martin Rudner Canadian Centre of Intelligence and Security.

Feeding the World Chapter 14 Feeding the World Chapter 14.

Terrorism Introduction Meg Scott Phipps, Commissioner John T. Hoffman Director, Threat & Mitigation

© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.

Standardized Awareness Authorized Training, Train-the-Trainer Prevention and Deterrence.

Business Driven Technology Unit 5 Transforming Organizations Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution.

Developing a 21st-Century Organization CHAPTER 20 McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

InfraGard A Government and Private Sector Alliance Information sharing begins with human relationships – people talking with people whom they trust. Information.

Randy Beavers CS 585 – Computer Security February 19, 2009.

CONCEPT OF MIS. Management “Management can be defined as a science of using resources rationally (utilization of resources in judicious manner using appropriate.

A Global Approach to Protecting the Global Critical Infrastructure Dr. Stephen D. Bryen.

1 Washington State Critical Infrastructure Program “No security, No infrastructure” Infrastructure Protection Office Emergency Management Division Washington.

Understanding the Threats of and Defenses Against Cyber Warfare.

Governor’s Office of Homeland Security & Emergency Preparedness LOUISIANA BANKERS ASSOCIATION 2010 Louisiana Emergency Preparedness Coalition Meetings.

Cyber Attacks Threaten: privacy reliability safety resiliency 2.

Feeding the World Chapter Human Nutrition  humans need energy to carry out life processes  Growth  Movement  Tissue repair  humans are omnivores.

Boston – June 12 th. 2 Joe Rozek Microsoft Corporation.

1. The production, processing, marketing, distribution, financing and development of agricultural commodities and resources including food, fiber, wood.

Homeland Security CJ 355 Unit 6 Professor David R. Thompson.

Business Driven Technology Unit 5 Transforming Organizations McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

Modeling and Simulation of Critical Infrastructure Interdependencies H.S. Jason Min, Walter Beyeler, and Theresa Brown Sandia National Laboratories Critical.

Microsoft NDA Material Adwait Joshi Sr. Technical Product Manager Microsoft Corporation.

November 19, 2002 – Congress passed the Homeland Security Act of 2002, creating a new cabinet-level agency DHS activated in early 2003 Original Mission.

SEC 480 assist Expect Success/sec480assistdotcom FOR MORE CLASSES VISIT

MarketsandMarkets Presents MarketsandMarkets Presents Global Software Defined Networking (SDN) Market Buzz Around $2.10 Billion in 2017 Global Software.

Enterprise Architectures Course Code : CPIS-352 King Abdul Aziz University, Jeddah Saudi Arabia.

For more course tutorials visit SEC 480 Entire Course For more course tutorials visit SEC 480 Week 1 DQs SEC 480 Week.

Center of Excellence in Cyber Security

Problem Statement and Research Question

and Security Management: ISO 28000

RISK MANAGEMENT An Overview: NIPC Model

Best Practices in Cyber Security Maggy Powell Senior Manager Real-Time Systems Security Exelon 21 March 2018.

The U.S. Department of Homeland Security

© 2018 VynZ Research All rights reserved Get in Touch: Mobile Virtual Private Network (VPN) Market.

Coordinated Security Response

Best Practices in Cyber Security Maggy Powell Senior Manager Real-Time Systems Security Exelon 26 September 2018.

IT Management Services Infrastructure Services

Houston Code Wars Bob Moore March 2, 2019 WWAS 2019 | Confidential.

CMGT/431 INFORMATION SYSTEMS SECURITY The Latest Version // uopcourse.com

CMGT 431 CMGT431 cmgt 431 cmgt431 Entire Course // uopstudy.com

Presentation transcript:

CARVER+Shock Vulnerability Assessment Tool “As Agile As the Enemy” The Foundation for Institutional Development

The Cycle of Security Assessment Mitigation Occurrence Time Assessment Mitigation Occurrence Assessment Mitigation Occurrence As time goes on, we must assess our vulnerabilities. As the biggest holes in our defenses are plugged, we either move on to the next weakest area, or an occurrence drives us to reassess Security is a cycle, a business process, not an event

How Our System Works  Based off of Sun Tzu principles of War –Know Yourself –Know Your Enemy –Know Your Environment –Know What Your Enemy Knows About You  Use the CARVER+ Shock Vulnerability Assessment Tool  Can be used on all 13 Critical Infrastructures at any level

Critical Infrastructures  Agriculture  Food  Water  Public Health  Emergency Services  Government  Defense Industrial Base  Information and Telecommunications  Energy  Transportation  Banking and Finance  Chemical Industry  Postal and Shipping

The Targeting Process “Know Yourself”  Each Critical Infrastructure is a Target System  Target Systems (Sub-systems) –A series of steps in the process  Target Complexes!!! –Targets in the same geographical area  Target Components –Specific pieces of machinery, structures, personnel, supplies, or computer files –Critical to overall target system  Critical Nodes –Critical to operation of target component –How component is disabled

The Targeting Process

Sample Target System (Power) Control Center Target System Or Subsystem { Target Complexes Target Components

The Target System  The process that grows, harvests, processes, transports, and distributes any foodstuff is a target system. Each step can be considered a target sub-system. Grow Harvest Process Transport Distribute Consume  The process that grows, harvests, processes, transports, and distributes any foodstuff is a target system. Each step can be considered a target sub-system.

Target Complexes Harvest Facility Processing Facility Distribution (Retail) Transport Services Layer Farm A target complex is be a subset of a target subsystem. A target complex is a concentrated, integrated series of targets. It consists of facilities and activities that are close to each other geographically or virtually. Within a target complex, individual targets will be identified

Target Components Egg Breaker Machines Production Animals Feed Plant Workers Inspectors Grading and Packaging Machines Target components are the pieces of the target you can see or touch. Target components can be Service providers (Humans, animals) Infrastructure (Buildings/equipment) Consumables (Feed, medicine, etc) Cyber (Hardware software, network)

CARVER + Shock (Assessment)  Criticality  Accessibility  Recuperability  Vulnerability  Effect  Recognizability  Shock (Consider multiple attacks occurring at the same time)

Design Basis Threat “Know Your Enemy”  Develop a design basis threat to ensure continuity in planning/prioritization  Eliminates the need for Probability  Can encompass more than one scenario  Include: –WHO Means (Methodology, MO, Weapons, Resources) –HOW Type of Target (Include how they are selected) –WHY (Political, Financial, Theological)  Update as threat changes on a permanent basis

Red Teaming “Through the Eyes of the Enemy”  Uses Open Source Information  Let’s you look at your target system through the eyes of the enemy  Helps determine where to commit mitigation resources

Curriculum  Executive Overview –Informs government and corporate leadership on the program, tools and techniques to be used, and benefits to their organization  CARVER+Shock Vulnerability Assessment Tool –Used during national level assessments in first phase –Highly scaleable –Ubiquitous across any infrastructure  Open Source Intelligence Course –Trains candidates to exploit open sources to obtain information on their own weaknesses as well as their threat  Red Team Course –Trains analysts to view their facility as a target through the eyes of the enemy.