
CARVER+Shock Vulnerability Assessment Tool “As Agile As the Enemy”


eldon

Presentation Transcript


  1. CARVER+Shock Vulnerability Assessment Tool: “As Agile As the Enemy”
     The Foundation for Institutional Development

  2. Security is a cycle, a business process, not an event
     As time goes on, we must assess our vulnerabilities. As the biggest holes in our defenses are plugged, we either move on to the next weakest area, or an occurrence drives us to reassess.
     [Figure: The Cycle of Security. Repeating Assessment, Occurrence, Mitigation stages along a Time axis]

  3. How Our System Works
     • Based on Sun Tzu's principles of war
       • Know Yourself
       • Know Your Enemy
       • Know Your Environment
       • Know What Your Enemy Knows About You
     • Use the CARVER+Shock Vulnerability Assessment Tool
       • Can be used on all 13 Critical Infrastructures at any level

  4. Critical Infrastructures
     • Agriculture
     • Food
     • Water
     • Public Health
     • Emergency Services
     • Government
     • Defense Industrial Base
     • Information and Telecommunications
     • Energy
     • Transportation
     • Banking and Finance
     • Chemical Industry
     • Postal and Shipping

  5. The Targeting Process: “Know Yourself”
     • Each Critical Infrastructure is a Target System
     • Target Systems (Sub-systems)
       • A series of steps in the process
     • Target Complexes!!!
       • Targets in the same geographical area
     • Target Components
       • Specific pieces of machinery, structures, personnel, supplies, or computer files
       • Critical to overall target system
     • Critical Nodes
       • Critical to operation of target component
       • How component is disabled

  6. The Targeting Process

  7. Sample Target System (Power)
     [Figure labels: Target System or Subsystem; Target Complexes; Control Center; Target Components]

  8. The Target System
     [Figure labels: Grow, Harvest, Process, Transport, Distribute, Consume]
     • The process that grows, harvests, processes, transports, and distributes any foodstuff is a target system. Each step can be considered a target sub-system.

  9. Target Complexes
     A target complex is a subset of a target subsystem. A target complex is a concentrated, integrated series of targets. It consists of facilities and activities that are close to each other geographically or virtually. Within a target complex, individual targets will be identified.
     [Figure labels: Layer Farm; Harvest Facility; Processing Facility; Transport Services; Distribution (Retail)]

  10. Target Components
     • Target components are the pieces of the target you can see or touch. Target components can be:
       • Service providers (humans, animals)
       • Infrastructure (buildings/equipment)
       • Consumables (feed, medicine, etc.)
       • Cyber (hardware, software, network)
     [Figure labels: Production Animals; Feed; Grading and Packaging Machines; Egg Breaker Machines; Plant Workers; Inspectors]

  11. CARVER + Shock (Assessment)
     • Criticality
     • Accessibility
     • Recuperability
     • Vulnerability
     • Effect
     • Recognizability
     • Shock (Consider multiple attacks occurring at the same time)

  12. Design Basis Threat: “Know Your Enemy”
     • Develop a design basis threat to ensure continuity in planning/prioritization
     • Eliminates the need for Probability
     • Can encompass more than one scenario
     • Include:
       • WHO Means (Methodology, MO, Weapons, Resources)
       • HOW Type of Target (Include how they are selected)
       • WHY (Political, Financial, Theological)
     • Update as threat changes on a permanent basis

  13. Red Teaming: “Through the Eyes of the Enemy”
     • Uses Open Source Information
     • Lets you look at your target system through the eyes of the enemy
     • Helps determine where to commit mitigation resources

  14. Curriculum
     • Executive Overview
       • Informs government and corporate leadership on the program, tools and techniques to be used, and benefits to their organization
     • CARVER+Shock Vulnerability Assessment Tool
       • Used during national level assessments in first phase
       • Highly scalable
       • Ubiquitous across any infrastructure
     • Open Source Intelligence Course
       • Trains candidates to exploit open sources to obtain information on their own weaknesses as well as their threat
     • Red Team Course
       • Trains analysts to view their facility as a target through the eyes of the enemy.
