The Octave Methodology
OCTAVESM: A description
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
Sponsored by the U.S.
Department of Defense
© 2001 by Carnegie Mellon University
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service
marks of Carnegie Mellon University.
Copyright SEI-CMU Pag. 1
OCTAVE Goals
Organizations are able to
• direct and manage information security risk
assessments for themselves
• make the best decisions based on their unique risks
• focus on protecting key information assets
• effectively communicate key security information
OCTAVE Principles
Survivability of the organization’s mission
Ensuring business continuity
Critical asset-driven threat and risk definition
Practice-based risk mitigation plans and protection strategy
Targeted data collection
Organization-wide focus: using and establishing communication
among and between organizational levels
Foundation for future security improvement
Information Security Risk Evaluations
Information Security Risk Management Principles
Risk Management Regulations
HIPAA* Requirements
• periodic information security risk evaluations
• the organization
- assesses risks to information security
- takes steps to mitigate risks to an acceptable level
- maintains that level of risk
Gramm-Leach-Bliley financial legislation that became
law in 1999
• assess data security risks
• have plans to address those risks
* Health Insurance Portability and Accountability Act
Security Approaches
Vulnerability Management (Reactive)
• Identify and fix vulnerabilities
Risk Management (Proactive)
• Identify and manage risks
Approaches for Evaluating
Information Security Risks
(figure: a spectrum from tool-based analysis to workshop-based analysis, ordered by the interaction required; OCTAVE sits at the workshop-based end)
Workshop Structure
A team of site personnel facilitates the workshops.
Contextual expertise is provided by your staff.
Activities are driven by your staff.
Decisions are made by your staff.
OCTAVE Process
(figure: a progressive series of workshops moving from the organizational view, through the technological view, to strategy and plan development)
Conducting OCTAVE
(figure: the OCTAVE process laid out over time)
Analysis Team
An interdisciplinary team of your personnel that
facilitates the process and analyzes data
• business or mission-related staff
• information technology staff
Phase 1: Organizational View
(figure) Different views, one per organizational level, of:
• critical assets
• areas of concern
• security requirements
• current protection strategy practices
• organizational vulnerabilities
are consolidated into a single set of information and the threats to critical assets.
Phase 2: Technological View
Catalog of Vulnerabilities
http://www.cve.mitre.org/
Phase 3: Risk Analysis
Outputs of OCTAVE
(figure)
• Protection Strategy (for the organization)
• Mitigation Plan (for the critical assets)
• Action List (near-term actions: action 1, action 2, …)
Some Keys to Success
Visible, continuous senior management sponsorship
Selecting the right analysis team
• to manage the evaluation process
• to analyze information
• to identify solutions
Scoping OCTAVE to important operational areas
• too broad: it becomes difficult to analyze all of the information
• too small: the results may not be as meaningful as they should be
Selecting participants
• committed to making the process work
• willing to communicate openly
Selecting the Right Analysis Team
OCTAVESM Phase 1
Process 1-3
Identify Senior Management Knowledge
Identify Operational Area Management Knowledge
Identify Staff Knowledge
OCTAVE Process
(figure: a progressive series of workshops moving from the organizational view, through the technological view, to strategy and plan development; this phase: the organization)
Phase 1: Organizational View
(figure) Different views, one per organizational level, of:
• critical assets
• areas of concern
• security requirements
• current protection strategy practices
• organizational vulnerabilities
are consolidated into a single set of information and the threats to critical assets.
Previous Steps
Obtain senior management sponsorship
• this is the top critical success factor
• security is not “just an IT issue”
• get an OCTAVE champion
Select analysis team members
Select operational areas to participate
• focus on the “critical few”
Select participants
• from the three organizational levels (senior management, operational area management, staff)
Coordinate logistics
Asset
Something of value to the organization
• information
• systems
• software
• hardware
• people
Identifying Assets
Discuss your important assets.
Select the most important assets.
Threat
An indication of a potential undesirable event
Areas of Concern
Situations where you are concerned about a threat to
your important information assets
Sources of Threat
Deliberate actions by people
Accidental actions by people
System problems
Other problems
Outcomes of Threats
Disclosure or viewing of sensitive information
Modification of important or sensitive information
Destruction or loss of important information, hardware,
or software
Interruption of access to important information,
software, applications, or services
Identifying Areas of Concern
Discuss scenarios that threaten your important
information assets.
Discuss the resulting impact to the organization.
Sources and Outcomes for Area of Concern
Sources and Outcomes for Area of Concern
(an example)
Security Requirements
Outline the qualities of an asset that are important to
protect:
• confidentiality
• integrity
• availability
Identifying Security Requirements
Discuss the security requirements for each important
asset.
Select which security requirement is most important.
Protection Strategy
Provides direction for future information security efforts
Defines the strategies that an organization uses to
• enable security
• initiate security
• implement security
• maintain security
Protection Strategy Survey
Example survey item:
Practice: Security issues are incorporated into the organization’s business strategy    [ ] Yes   [ ] No   [ ] Don’t know
Yes – The practice is used by the organization.
No – The practice is not used by the organization.
Don’t know – Respondents do not know whether the practice is used by the organization.
OCTAVE Catalog of Practices
Excerpt of a Security Practice Survey
Protection Strategy Discussion
Discuss important issues from the survey.
Discuss issues or protection strategy aspects not covered
by the survey.
Discuss how effective your organization’s protection
strategy is.
Protection Strategy Benchmarking (cont.)
OCTAVESM Phase 1
Process 4
Create Threat Profiles
Asset
Something of value to the organization
• information
• systems
• software
• hardware
• people
Critical Assets
The most important information assets to the
organization
There will be a large adverse impact to the organization
if one of the following occurs:
• The asset is disclosed to unauthorized people.
• The asset is modified without authorization.
• The asset is lost or destroyed.
• Access to the asset is interrupted.
Identifying Critical Assets
Select up to five critical assets.
For each critical asset answer:
• Who controls it?
• Who is responsible for it?
• Who uses it?
• How is it used?
Security Requirements
Outline the qualities of an asset that are important to
protect:
• confidentiality
• integrity
• availability
Your task is to view the information from the
perspective of the organization.
Identifying Security
Requirements
Describe the security requirements for each critical
asset.
Decide which of the security requirements is most
important for each critical asset.
Threat
An indication of a potential undesirable event
Threat Properties
Asset
Access (optional - only relevant for human actors)
Actor
Motive (optional - only relevant for human actors)
Outcome
Threat Sources
Human actors using network access
Human actors using physical access
System problems
Other problems
Threat Profile
A threat profile contains a range of threat scenarios for
the following sources of threats:
• human actors using network access
• human actors using physical access
• system problems
• other problems
The threat profile is visually represented using asset-
based threat trees.
Human Actors - Network Access
(asset-based threat tree; columns: asset → access → actor → motive → outcome)
asset
  network access
    inside actor
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption
    outside actor
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption
Human Actors - Physical Access
(asset-based threat tree; columns: asset → access → actor → motive → outcome)
asset
  physical access
    inside actor
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption
    outside actor
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption
System Problems
(asset-based threat tree; columns: asset → actor → outcome)
asset
  software defects: disclosure, modification, loss/destruction, interruption
  viruses: disclosure, modification, loss/destruction, interruption
  system crashes: disclosure, modification, loss/destruction, interruption
  hardware defects: disclosure, modification, loss/destruction, interruption
Other Problems
(asset-based threat tree; columns: asset → actor → outcome)
asset
  natural disasters: disclosure, modification, loss/destruction, interruption
  third party problems: disclosure, modification, loss/destruction, interruption
  telecommunications problems or unavailability: disclosure, modification, loss/destruction, interruption
  power supply problems: disclosure, modification, loss/destruction, interruption
Stop: verification check
For each critical asset, compare the threat trees with the security requirements:
• consistency: does every retained threat scenario threaten a stated security requirement?
• completeness: is every stated security requirement threatened by at least one scenario?
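The four threat trees above can be enumerated rather than drawn by hand, which also makes the verification check mechanical. The following Python is an added example written for this page, not SEI's or the OCTAVE deck's own code; the asset name, the security requirements and the requirement-to-outcome mapping in it are assumptions.

```python
"""Asset-based threat profile (added example; not part of the OCTAVE deck).

Enumerates the four OCTAVE threat trees for one critical asset from the
threat properties on the slides (asset, access, actor, motive, outcome),
lets the analysis team prune the scenarios it judges not applicable, and
then runs the "stop, verification check" against the asset's security
requirements. The asset name, the requirements and the mapping from a
requirement to the outcomes that violate it are constructed assumptions.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Iterable, Optional

OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")
HUMAN_ACCESS = ("network", "physical")
ACTORS = ("inside", "outside")
MOTIVES = ("accidental", "deliberate")
SYSTEM_PROBLEMS = ("software defects", "viruses", "system crashes", "hardware defects")
OTHER_PROBLEMS = ("natural disasters", "third party problems",
                  "telecommunications problems or unavailability",
                  "power supply problems")

# Assumption: which outcomes violate which security requirement.
REQUIREMENT_OUTCOMES = {
    "confidentiality": {"disclosure"},
    "integrity": {"modification", "loss/destruction"},
    "availability": {"loss/destruction", "interruption"},
}


@dataclass(frozen=True)
class Threat:
    asset: str
    source: str                   # which of the four threat trees
    actor: str
    outcome: str
    access: Optional[str] = None  # human actors only
    motive: Optional[str] = None  # human actors only


def build_threat_profile(asset: str) -> list:
    """Full threat profile: every leaf of the four asset-based threat trees."""
    threats = []
    for access, actor, motive, outcome in product(HUMAN_ACCESS, ACTORS, MOTIVES, OUTCOMES):
        threats.append(Threat(asset, f"human actors using {access} access",
                              actor, outcome, access, motive))
    for actor, outcome in product(SYSTEM_PROBLEMS, OUTCOMES):
        threats.append(Threat(asset, "system problems", actor, outcome))
    for actor, outcome in product(OTHER_PROBLEMS, OUTCOMES):
        threats.append(Threat(asset, "other problems", actor, outcome))
    return threats


def prune(threats: Iterable[Threat], applicable: Callable[[Threat], bool]) -> list:
    """Keep only the scenarios the analysis team marks as applicable."""
    return [t for t in threats if applicable(t)]


def verification_check(threats: Iterable[Threat], requirements: Iterable[str]):
    """Completeness: every outcome that would violate a stated requirement is
    covered by at least one retained scenario. Consistency: every retained
    scenario violates some stated requirement (an outcome the team worries
    about that no requirement covers usually means a requirement was missed).
    Returns (missing_outcomes, unexplained_outcomes), both sorted lists."""
    required = set()
    for r in requirements:
        required |= REQUIREMENT_OUTCOMES[r]
    present = {t.outcome for t in threats}
    return sorted(required - present), sorted(present - required)


if __name__ == "__main__":
    # Constructed scenario: a medical records database whose stated
    # requirements are confidentiality and integrity only.
    profile = build_threat_profile("medical records database")
    # For this pass the team keeps only deliberate, network-access scenarios.
    kept = prune(profile, lambda t: t.access == "network" and t.motive == "deliberate")
    missing, unexplained = verification_check(kept, ["confidentiality", "integrity"])
    print(len(profile), "scenarios enumerated,", len(kept), "retained")
    print("missing outcomes:", missing)          # []
    print("unexplained outcomes:", unexplained)  # ['interruption']: availability requirement missed?
```

The unexplained "interruption" outcome is the useful signal here: the team kept interruption scenarios on the tree but wrote no availability requirement, so either the scenarios or the requirements need revisiting before Phase 2.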
Threat tree for human actors with
network access
Threat tree for human actors with
physical access
Threat tree for system problems
Threat tree for other problems
OCTAVE Process
(figure: a progressive series of workshops moving from the organizational view, through the technological view, to strategy and plan development; this phase: the technology)
OCTAVESM Phase 2
Process 5
Identify Key Components
Phase 2: Technological View
Terminology
Technology vulnerability
• a weakness in a system that can directly lead to unauthorized
action
Types of vulnerabilities:
• design: the design itself is flawed, so even a perfect implementation is vulnerable
• implementation: an error made while implementing a satisfactory
design
• configuration: an error in the configuration or administration of the system
Exploit
• the process of using a technology vulnerability to violate security
policy
Vulnerability Tools
Vulnerability tools identify
• known weaknesses in technology
• misconfigurations of well-known administrative
functions, such as
- file permissions on certain files
- accounts with null passwords
• what an attacker can determine about your systems
and networks
What Vulnerability Tools Identify
What Vulnerability Identification
Tools Do Not Identify
Misapplied or improper system administration (users,
accounts, configuration settings)
• are users given access to more information or services
than they need?
Unknown vulnerabilities in operating systems, services,
applications, and infrastructure
Incorrect adoption or implementation of organizational
procedures
• are the security rules in line with your business
objectives?
Vulnerability Evaluation Tools
Operating system scanners
Network infrastructure scanners
Specialty, targeted, and hybrid scanners
Checklists
Operating System Scanners
Operating system scanners target specific operating
systems, including
• Windows NT/2000
• Sun Solaris
• Red Hat Linux
• Apple Mac OS
See Microsoft Baseline Security Analyzer (MBSA -
http://www.microsoft.com/technet/security/tools/mbsahome.mspx)
Network Infrastructure
Scanners
Network infrastructure scanners target the network
infrastructure components, including
• routers and intelligent switches
• DNS servers
• firewall systems
• intrusion detection systems
See nmap (http://www.insecure.org/nmap/)
Specialty, Targeted, and Hybrid
Scanners
Specialty, targeted, and hybrid scanners target a range of
services, applications, and operating system functions,
including
• web servers (CGI, Java)
• database applications
• registry information (Windows NT/2000)
• weak password storage and authentication services
See Nessus (http://www.nessus.org/)
Checklists
Checklists provide the same functionality as automated
tools, but they are manual, not automated:
• check CVE (http://www.cve.mitre.org/)
• check the CERT/CC Vulnerability Notes Database
(http://www.kb.cert.org/vuls)
Checklists require a consistent review of the items being
checked and must be routinely updated.
They are useful for components that are not currently supported
by tools (e.g. mainframes).
Vulnerability Tool Reports
Vulnerability reports usually provide:
• identification and ranking of the severity of
technological weaknesses found
• mitigation and corrective steps to eliminate
vulnerabilities
Determine what information you require, and then match
your requirements to the report(s) provided by the
tool(s).
Sample Report
Other Report Data
Scoping Vulnerability Evaluations
You need to scope a vulnerability evaluation.
Two approaches are
• examining every component of your computing
infrastructure over a defined period of time
(comprehensive vulnerability evaluation)
• grouping similar components into categories and
examining selected components from each category
(targeted vulnerability evaluation)
Targeted Vulnerability
Evaluation Strategies
Strategies for targeted vulnerability evaluations include
grouping similar components into categories.
Categories can include
• how components are used
• the primary operators of components
• classes of components
Relationship Between a Threat Tree
and Infrastructure Components
OCTAVE Phase 2 Strategy
Phase 2 of OCTAVE is a targeted vulnerability
evaluation.
Key classes of components are identified by considering
how critical assets are
• stored
• processed
• transmitted
Then examine the system of interest, the access paths, …
System of Interest
The system that is most closely linked to the critical
asset
• the system that gives legitimate users access to a
critical asset
• the system that gives a threat actor access to a critical
asset
It is possible to have multiple systems of interest for a
critical asset.
Access Paths
Ways in which critical assets can be accessed via your
organization’s network(s)
Identifying Key Classes of
Components
Establish the system of interest for the critical asset.
Examine network access paths in the context of threat
scenarios to identify the important classes of
components for critical assets.
Selecting Components
Review your organization’s network topology diagram.
Select specific component(s) in each key class to
evaluate for vulnerabilities.
Select an approach for evaluating each infrastructure
component.
Network Topology Diagram
(an example)
Network Topology Diagram
(an example – central node and filtering)
Network Topology Diagram
(an example – a typical node and filtering)
Selecting Approaches
Look across the critical assets and selected components
for duplication, overlaps, etc.
Select an approach for evaluating each infrastructure
component.
• Who will perform the evaluation?
• Which tool(s) will be used?
Vulnerability Evaluation Approaches
Approval for Automated Tools
Automated tools can affect the operations of the
organization. You must:
• determine what effects the tools will have on the
organization’s operations and personnel
• gain approval to run the tools and agreement on when
they can be run
• notify all personnel who may be affected
You may also be required to estimate costs for
management approval
OCTAVESM Phase 2
Process 6
Evaluate Selected Components
Phase 2: Technological View
Technology Vulnerability
Summary
Contains the following information for each component
that was evaluated:
• the number of vulnerabilities to fix immediately
(high-severity vulnerabilities)
• the number of vulnerabilities to fix soon (medium-
severity vulnerabilities)
• the number of vulnerabilities to fix later (low-
severity vulnerabilities)
Vulnerability Severity Levels
Vulnerability Summary
A vulnerability summary contains
• the types of vulnerabilities found and when they need
to be addressed
• the potential effect on the critical assets
• how the technology vulnerabilities could be addressed
(applying a patch, hardening a component, etc.)
Reviewing Technology
Vulnerabilities
For each selected component, review the types of
technology vulnerabilities that were identified.
Do your threat trees need to change, given your new knowledge
about how vulnerable your infrastructure is?
Identifying Threats
Perform a gap analysis of the threat tree for human
actors using network access.
Do the technology vulnerabilities associated with the
critical asset’s key infrastructure components indicate
that there is a non-negligible possibility of a threat to the
asset?
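The technology vulnerability summary and this gap analysis are mechanical once the scanner findings are tied to the key components chosen in Process 5. The following Python is an added example written for this page, not SEI's code and not any scanner's real report format: the report lines, component names, finding identifiers and key-component lists are constructed, and the rule "non-negligible if any key component carries a high- or medium-severity finding" is an assumption, not an OCTAVE rule.

```python
"""Technology vulnerability summary and threat-tree gap analysis
(added example; not part of the OCTAVE deck, and not any scanner's format).

Input is a constructed, scanner-neutral report with one finding per line:
component,finding_id,severity,description. Real tools use their own
formats; the parsing here is only illustrative.
"""
import csv
from collections import Counter
from io import StringIO

# Assumption: scanner severity -> OCTAVE "when to fix" bucket.
FIX_BUCKET = {"high": "fix immediately", "medium": "fix soon", "low": "fix later"}

# Constructed sample report (hypothetical hosts and finding ids).
SAMPLE_REPORT = """\
component,finding_id,severity,description
db-srv-01,V-1,high,remote service accepts default administrative password
db-srv-01,V-2,medium,database listener reachable from user network segment
db-srv-01,V-3,low,version banner disclosed
fw-edge-01,V-4,low,permissive ICMP handling
app-srv-02,V-5,medium,outdated web server module
wks-clinic-07,V-6,high,local account with null password
"""

# Assumption: key classes of components per critical asset, as selected in
# Process 5 (system of interest plus components on the access paths).
KEY_COMPONENTS = {
    "medical records database": ["db-srv-01", "app-srv-02", "fw-edge-01"],
    "scheduling system": ["app-srv-02", "wks-clinic-07"],
}


def parse_report(text: str) -> list:
    """Parse the report; reject severities the summary cannot bucket."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        if r["severity"] not in FIX_BUCKET:
            raise ValueError(f"unknown severity {r['severity']!r} on {r['component']}")
    return rows


def vulnerability_summary(findings: list) -> dict:
    """Per evaluated component: how many findings fall in each fix bucket."""
    summary = {}
    for f in findings:
        buckets = summary.setdefault(f["component"], Counter())
        buckets[FIX_BUCKET[f["severity"]]] += 1
    return {c: dict(b) for c, b in summary.items()}


def gap_analysis(findings: list, key_components: dict, threshold=("high", "medium")) -> dict:
    """For each critical asset, decide whether the 'human actors using network
    access' tree needs revisiting: the possibility of a threat is treated as
    non-negligible if any key component carries a finding at or above the
    threshold (assumed rule, not an OCTAVE formula). The evidence list points
    the analysis team at the findings behind the verdict."""
    result = {}
    for asset, comps in key_components.items():
        hits = [f for f in findings if f["component"] in comps and f["severity"] in threshold]
        result[asset] = {
            "non_negligible": bool(hits),
            "evidence": sorted((f["component"], f["finding_id"]) for f in hits),
        }
    return result


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    for comp, buckets in vulnerability_summary(findings).items():
        print(comp, buckets)
    for asset, verdict in gap_analysis(findings, KEY_COMPONENTS).items():
        print(asset, verdict)
```

Note that a low-severity-only component (fw-edge-01 above) contributes nothing to the verdict under the assumed threshold; if the team considers a low finding on an access-path component a real foothold, lower the threshold rather than editing the tree by hand.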
OCTAVE Process
(figure: a progressive series of workshops moving from the organizational view, through the technological view, to strategy and plan development; this phase: conduct risk analysis)
OCTAVESM Phase 3
Process 7
Conduct Risk Analysis
Phase 3: Risk Analysis
Risk
Risk is a combination of the threat and the impact to the
organization resulting from the following outcomes:
• disclosure
• modification
• destruction/loss
• interruption
Identifying Impact
Describe the impact of each threat outcome to the
organization.
The impact describes the effect of a threat on an
organization’s mission and business objectives.
Risk Impact Evaluation
Risks are evaluated to provide the following additional,
key information needed by decision makers:
• which risks to actually mitigate
• relative priority
Impact and probability are the two attributes of a risk that are
most often evaluated.
In the base OCTAVE method only impact is evaluated; probability is
addressed separately, and subjectively, later in this deck.
Evaluation Criteria
Qualitative criteria for impact values
• high
• medium
• low
Impact Areas for Evaluation
Criteria
Evaluation criteria should be considered for multiple
types of impacts:
• reputation/customer confidence
• safety/life/health of customers
• fines/legal penalties
• financial
• productivity
• other
Create Narrative Impact
Descriptions
“Someone inside the organization uses network access to
deliberately modify the medical records database. This
could result in patient death, improper treatment
delivered to patients, lawsuits, and additional staff time
to correct the records.”
“…”
“…”
Identifying Evaluation Criteria
Describe the evaluation criteria for your organization.
Consider what defines
• a high impact
• a medium impact
• a low impact
Evaluating Risk’s Impact
Evaluate the value of each impact to your critical assets.
Decide which impacts cause
• a high loss to your organization
• a medium loss to your organization
• a low loss to your organization
Evaluation Criteria (an example)
Risk profile with multiple impacts
Evaluating Risk’s Probability
It is not easy to evaluate a risk’s probability numerically.
How would you reliably estimate the probability of an
attacker viewing confidential customer data from your
organization’s customer database?
• how much historical information do you have?
- how many times has this attack occurred but gone
undetected?
• how much industry data do you have?
• how do you establish which events are similar?
That leaves us with subjective probability for threats
resulting from human attackers.
Evaluating Risk’s Probability (cont.)
Subjectively estimating probability is also tricky. You
need to consider the following factors:
• motive: how motivated is the attacker? Political
motivation? A disgruntled employee? Is the asset
especially attractive?
• means: do likely attackers have the skills to execute
the attack?
• opportunity: how vulnerable is your computing
infrastructure?
Then, make an educated guess!
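How the impact evaluation criteria, the risk profile with multiple impacts and the subjective motive/means/opportunity estimate fit together is easiest to see on the narrative risk from the "Create Narrative Impact Descriptions" slide. The following Python is an added example written for this page, not SEI's code: the per-area thresholds, the risk values and the two combination rules (the worst impact area sets the risk's impact; the weakest of motive, means and opportunity bounds its probability) are assumptions, not OCTAVE rules, and an organization would replace them with its own criteria.

```python
"""Risk impact and subjective probability evaluation for OCTAVE Phase 3
(added example; not part of the OCTAVE deck).

Impact is rated per impact area against the organization's own qualitative
criteria (high/medium/low). Probability, if the team chooses to estimate it,
is derived from subjective motive, means and opportunity ratings. All
thresholds, risk data and combination rules below are constructed assumptions.
"""
from dataclasses import dataclass, field

LEVELS = ("low", "medium", "high")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

# Assumption: the organization's written evaluation criteria. For each impact
# area the entry gives the lowest measured effect that earns medium and high.
EVALUATION_CRITERIA = {
    "financial": {"medium": 10_000, "high": 100_000},            # currency units lost
    "productivity": {"medium": 8, "high": 40},                   # staff-hours to recover
    "safety/life/health of customers": {"medium": 1, "high": 2}, # 0 none, 1 injury, 2 death possible
    "fines/legal penalties": {"medium": 1, "high": 2},           # 0 none, 1 fine, 2 litigation
    "reputation/customer confidence": {"medium": 1, "high": 2},  # 0 none, 1 local, 2 public
}


def rate_impact(area: str, measured) -> str:
    """Map an estimated effect in one impact area onto the criteria."""
    thresholds = EVALUATION_CRITERIA[area]
    if measured >= thresholds["high"]:
        return "high"
    if measured >= thresholds["medium"]:
        return "medium"
    return "low"


@dataclass
class Risk:
    asset: str
    threat: str                  # branch of the threat tree, e.g. inside/deliberate/network/modification
    impacts: dict                # impact area -> estimated effect, per the narrative description
    motive: str = "medium"       # subjective ratings, one of LEVELS
    means: str = "medium"
    opportunity: str = "medium"
    impact_profile: dict = field(default_factory=dict)

    def evaluate(self):
        """Build the risk profile with one qualitative value per impact area."""
        self.impact_profile = {a: rate_impact(a, v) for a, v in self.impacts.items()}
        return self

    @property
    def impact(self) -> str:
        # Assumed rule: a risk is as severe as its worst impact area.
        return max(self.impact_profile.values(), key=RANK.get)

    @property
    def probability(self) -> str:
        # Assumed rule: an attack needs motive, means and opportunity together,
        # so the weakest of the three bounds the subjective estimate.
        return min((self.motive, self.means, self.opportunity), key=RANK.get)


def prioritize(risks: list) -> list:
    """Highest impact first; probability only breaks ties between risks of
    equal impact, keeping impact as the driver of the decision."""
    return sorted(risks, key=lambda r: (RANK[r.impact], RANK[r.probability]), reverse=True)


if __name__ == "__main__":
    # The narrative risk from the deck, with constructed effect estimates.
    insider = Risk("medical records database", "inside/deliberate/network/modification",
                   {"safety/life/health of customers": 2, "fines/legal penalties": 2,
                    "productivity": 60, "financial": 250_000},
                   motive="medium", means="high", opportunity="high").evaluate()
    # A second, constructed risk for comparison.
    outsider = Risk("scheduling system", "outside/deliberate/network/disclosure",
                    {"financial": 5_000, "reputation/customer confidence": 1},
                    motive="high", means="medium", opportunity="low").evaluate()
    for r in prioritize([outsider, insider]):
        print(f"{r.asset}: impact={r.impact} probability={r.probability} profile={r.impact_profile}")
```

The probability rating is deliberately coarse: it records the team's judgement of motive, means and opportunity, and the weakest of the three dominates, so a highly motivated attacker with no realistic opportunity still yields a low estimate.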
Probability Evaluation Criteria
Risk Profile: Human Actors Using
Network Access Tree
OCTAVESM Phase 3
Process 8
Develop Protection Strategy
Workshop A: Protection Strategy Development
Phase 3: Risk Analysis
Outputs of OCTAVE - 1
(figure)
• Protection Strategy (for the organization)
• Mitigation Plan (for the critical assets)
• Action List (near-term actions: action 1, action 2, …)
Outputs of OCTAVE - 2
Protection Strategy (long-term): the strategies to enable, initiate, implement
and maintain security within the organization; maintains the security infrastructure
Mitigation Plan (mid-term): practices to mitigate risks to critical assets
Action List (immediate): near-term actions
Protection Strategy
Provides direction for future information security efforts
Defines the strategies that an organization uses to
• enable security
• initiate security
• implement security
• maintain security
Protection Strategy (cont.)
Structured around the catalog of practices and addresses
the following areas:
• Security Awareness and Training
• Security Strategy
• Security Management
• Security Policies and Regulations
• Collaborative Security Management
• Contingency Planning/Disaster Recovery
• Physical Security
• Information Technology Security
• Staff Security
OCTAVE Catalog of Practices
OCTAVE Catalog of Practices
(figure) The Catalog of Practices is divided into:
• Strategic Practice Areas
• Operational Practice Areas
Strategic Practice Areas
(figure) Strategic Practice Areas:
• Security Awareness and Training
• Security Strategy
• Security Management
• Security Policies and Regulations
• Collaborative Security Management
• Contingency Planning/Disaster Recovery
Operational Practice Areas
(figure) Operational Practice Areas:
Physical Security
• Physical Security Plans and Procedures
• Physical Access Control
• Monitoring and Auditing Physical Security
Information Technology Security
• System and Network Management
• System Administration Tools
• Monitoring and Auditing IT Security
• Authentication and Authorization
• Vulnerability Management
• Encryption
• Security Architecture and Design
Staff Security
• Incident Management
• General Staff Practices
Next Steps
Develop a Protection Strategy for Strategic Practice Areas
• the current strategies that your organization should continue to
use in each area
• new strategies that your organization should adopt in each area
Develop a Protection Strategy for Operational Practice Areas
considering:
• training and education initiatives
• funding
• policies and procedures
• roles and responsibilities
• collaborating with other organizations and with external experts
Before Workshops: Consolidate
Information from Processes 1 to 3
Before Workshops: Consolidate
Information Enterprise-wide
Identify Organizational Vulnerabilities
Develop a Protection Strategy for
Security Awareness and Training
Key questions to ask, by strategic practice area

Security awareness and training
• What can you do to maintain or improve the level of information security training that all staff members receive (consider awareness training as well as technology-related training)?
• Does your organization have adequate in-house expertise for all supported technologies? What can you do to improve your staff's technology expertise?
• What can you do to ensure that all staff members understand their security roles and responsibilities?

Security strategy
• Are security issues incorporated into your organization's business strategy? What can you do to improve the way in which security issues are integrated into your organization's business strategy?
• Are business issues incorporated into your organization's security strategy? What can you do to improve the way in which business issues are integrated into your organization's security strategy?
• What can you do to improve the way in which security strategies, goals, and objectives are documented and communicated to the organization?

Security management
• Does management allocate sufficient funds and resources to information security activities? What level of funding for information security activities is appropriate for your organization?
• What can you do to ensure that security roles and responsibilities are defined for all staff in your organization?
• Do your organization's hiring and retention practices take information security issues into account (this also applies to contractors and vendors)? What could you do to improve your organization's hiring and retention practices?
• What can you do to improve the way in which your organization manages its information security risk?
• What can you do to improve the way in which security-related information is communicated to your organization's management?

Security policies and regulations
• What can you do to ensure that your organization has a comprehensive set of documented, current security policies?
• What can you do to improve the way in which your organization creates, updates, and communicates security policies?
• Does your organization have procedures to ensure compliance with laws and regulations affecting security? What can you do to improve how well your organization complies with laws and regulations affecting security?
• What can you do to ensure that your organization uniformly enforces its security policies?

Collaborative security management
• Does your organization have policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners)? What can your organization do to improve the way in which it protects information when working with external organizations?
• What can your organization do to improve the way in which it verifies that external organizations are taking proper steps to protect critical information and systems?
• What can your organization do to improve the way in which it verifies that outsourced security services, mechanisms, and technologies meet its needs and requirements?

Contingency planning/disaster recovery
• Does your organization have a defined business continuity plan? Has the business continuity plan been tested? What can you do to ensure that your organization has a defined and tested business continuity plan?
• Does your organization have a defined disaster recovery plan? Has the disaster recovery plan been tested? What can you do to ensure that your organization has a defined and tested disaster recovery plan?
• What can you do to ensure that staff members are aware of and understand your organization's business continuity and disaster recovery plans?
Develop a Protection Strategy for
Information Technology Security
OCTAVESM Phase 3
Process 8
Develop Protection Strategy
Workshop B: Protection Strategy Selection
Phase 3: Risk Analysis
Risk
Risk is the combination of a threat and the impact to the organization resulting from one of the following outcomes:
• disclosure
• modification
• destruction/loss
• interruption
Risk is a threat quantified by its consequences:
Risk = Threat + Impact + Probability
The "+" denotes combination, not arithmetic addition: threat, impact and probability are recorded as qualitative values (for example high, medium, low), and the probability term refines the basic threat-plus-impact profile rather than being multiplied into it.
Risk profile with technological
vulnerabilities
Mitigation Plan
Defines the activities required to mitigate risks/threats
A mitigation plan focuses on activities to
• recognize or detect threats as they occur
• resist or prevent threats from occurring
• recover from threats if they occur
Creating Mitigation Plans
Develop mitigation plans for each critical asset considering
• actions to recognize or detect this threat type as it occurs
• actions to resist this threat type or prevent it from
occurring
• actions to recover from this threat type if it occurs
• other actions to address this threat type
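As an added example (not part of the OCTAVE materials), the following Python sketch models a risk profile for one critical asset using the four outcomes above, ranks its threats by qualitative impact and probability, splits them into risks to mitigate and risks to accept, and checks that every risk to be mitigated has a mitigation plan with at least one recognize, resist or recover action. The asset name, the threats, the three-level scale, the ordering rule (impact first, probability as tie-breaker) and the acceptance threshold are constructed assumptions for illustration; OCTAVE leaves those choices to the analysis team.

```python
"""Risk profile and mitigation-plan skeleton for one OCTAVE critical asset.

Added example, not OCTAVE's own code. Levels, ordering rule, accept threshold
and all sample data below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Qualitative values used for impact and probability (assumed scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# The four threat outcomes OCTAVE enumerates for a critical asset.
OUTCOMES = ("disclosure", "modification", "destruction/loss", "interruption")


@dataclass(frozen=True)
class Threat:
    outcome: str                       # one of OUTCOMES
    actor: str                         # who or what causes the outcome
    impact: Level                      # qualitative impact from the workshop
    probability: Level = Level.MEDIUM  # optional refinement of the profile

    def __post_init__(self):
        if self.outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {self.outcome!r}")


@dataclass
class MitigationPlan:
    recognize: list = field(default_factory=list)  # detect the threat as it occurs
    resist: list = field(default_factory=list)     # prevent it from occurring
    recover: list = field(default_factory=list)    # recover if it occurs

    def is_complete(self):
        """A plan must contain at least one concrete action in some category."""
        return bool(self.recognize or self.resist or self.recover)


@dataclass
class RiskProfile:
    asset: str
    threats: list
    components: list        # key infrastructure components
    vulnerabilities: list   # summary of technology vulnerabilities found
    plans: dict = field(default_factory=dict)  # Threat -> MitigationPlan

    def ranked(self):
        """Assumed ordering: impact is the primary key, probability breaks ties."""
        return sorted(self.threats,
                      key=lambda t: (t.impact, t.probability), reverse=True)

    def decide(self, accept_below=Level.MEDIUM):
        """Split threats into those to mitigate and those to accept (assumed rule)."""
        mitigate, accept = [], []
        for t in self.ranked():
            (accept if t.impact < accept_below else mitigate).append(t)
        return mitigate, accept

    def missing_plans(self):
        """Threats marked for mitigation that still lack a usable plan."""
        mitigate, _ = self.decide()
        return [t for t in mitigate
                if not self.plans.get(t, MitigationPlan()).is_complete()]


def example_profile():
    """Constructed sample data for a hypothetical 'patient records database'."""
    t_disc = Threat("disclosure", "external attacker via network", Level.HIGH, Level.MEDIUM)
    t_mod = Threat("modification", "insider with legitimate access", Level.HIGH, Level.LOW)
    t_int = Threat("interruption", "power failure", Level.MEDIUM, Level.MEDIUM)
    t_loss = Threat("destruction/loss", "accidental deletion", Level.LOW, Level.HIGH)
    profile = RiskProfile("patient records database", [t_loss, t_int, t_disc, t_mod],
                          components=["database server", "application server"],
                          vulnerabilities=["unpatched database listener"])
    # Only the disclosure risk has a plan so far; the others show up as gaps.
    profile.plans[t_disc] = MitigationPlan(
        recognize=["alert on bulk record exports"],
        resist=["patch the database listener", "require two-factor login"],
        recover=["breach notification procedure"])
    return profile


if __name__ == "__main__":
    p = example_profile()
    mitigate, accept = p.decide()
    print("mitigate:", [t.outcome for t in mitigate])
    print("accept:  ", [t.outcome for t in accept])
    print("no plan: ", [t.outcome for t in p.missing_plans()])
```

Running the module lists the three risks to mitigate, the one risk accepted because its impact is low, and the two mitigated risks that still have no recognize/resist/recover actions; those two are exactly the gaps a workshop would have to fill before the plan is presented.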
Some Ideas for Mitigation Plans
You can mitigate a risk with:
• technology,
• security policies,
• insurance for the critical asset,
• outsourcing the critical asset (this transfers its operation, not your responsibility for it; see Collaborative Security Management),
or, alternatively, you can accept the risk.
Action List
Defines the near-term actions that the organization’s
staff can take
Actions on the action list generally don’t require
specialized training, policy changes, or changes to roles
and responsibilities.
Creating an Action List
Develop an action list considering
• near-term actions that need to be taken
• who will be responsible for the actions
• by when the actions need to be addressed
• any actions that management needs to take to facilitate
this activity
Reviewing Protection Strategy
and Risk Information
Review the following information:
• protection strategy practices
• organizational vulnerabilities
• technology vulnerabilities
• security requirements
• risk profiles
Protection Strategy and
Mitigation Plans
The protection strategy and mitigation plans were
created using
• risk profiles for critical assets
• areas of concern for critical assets
• current practices
• organizational vulnerabilities
• technology vulnerabilities
• catalog of practices
Protection Strategy and
Mitigation Plans (an example)
Phase 3: Risk Analysis
After OCTAVE
Remember: OCTAVE is the foundation for a continuous process.
You will need to present your findings to senior managers:
• and get paid $$$
Key Elements of Presentation to Senior Managers

Background risk information
• Asset information: a summary of all of the assets that were identified during the evaluation and those that were identified as important by each workshop group from processes 1 to 3.
• Critical assets and the rationale for their selection: which of the assets you believe to be most critical to the organization, together with your rationale for designating these assets as critical.
• Security practices and organizational vulnerabilities: a summary of the results of the security practices surveys and follow-up discussions, conveying what the organization is doing well in addition to which practices are missing or inadequate.
• Risk profile for each critical asset: the threats to that critical asset, the potential impact on the organization (narrative descriptions and qualitative impact values), the key infrastructure components, and a summary of the vulnerabilities that were discovered.

Solutions
• Protection strategy: the long-term initiatives you propose to improve the organization's security posture.
• Risk mitigation plan for each critical asset: the proposed actions that are intended to reduce the risks to critical assets.
• Action list: the set of proposed action items that need to be addressed in the near term.
Identify Next Steps
Ask the senior managers the following questions:
• What will your organization do to build on the results
of this evaluation?
• What will you do to ensure that your organization
improves its information security?
• What can you do to support this security improvement
initiative? What can other managers in your
organization do?
• What are your plans for ongoing security evaluation
activities?
Q&A