Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM) (OCTAVE[SM]) Framework, Version 1.0
1 Introduction

The Networked Systems Survivability (NSS) Program of the Software Engineering Institute (SEI) has begun developing the Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM) (OCTAVE[SM])[1] framework to describe an information security risk evaluation. OCTAVE defines a set of self-directed activities for organizations to identify and manage their information security risks. Evaluations that are consistent with the OCTAVE framework will be comprehensive and will allow an organization to identify the information assets that are important to its mission, the threats to those assets, and the vulnerabilities that may expose those information assets to the threats. By relating the information assets, threats, and vulnerabilities to one another, the organization can begin to understand what information is at risk. Once it has a picture of the risks, the organization can design a protection strategy to reduce the overall risk exposure of its information assets.
This document describes the essential components of OCTAVE, focusing on what each process step accomplishes. Issues such as who will perform the steps or how to perform them will be addressed in subsequent publications. By issuing this report, we intend to initiate a discussion of what elements make up a comprehensive information security risk assessment that examines both organizational and technology issues. Over time, as we develop and pilot an evaluation method consistent with the OCTAVE framework, we anticipate that the details described in this report will be modified. When appropriate, we will revise this document and the method to reflect changes based on comments from the community as well as on our field experience.
The current version of OCTAVE comes primarily from the following three sources:
- Information Security Evaluation (ISE). The ISE is an information security vulnerability evaluation developed by the Software Engineering Institute’s Networked Systems Survivability Program. It focuses on identifying vulnerabilities in an organization’s computing infrastructure. It addresses assets and threats implicitly. OCTAVE developers are incorporating the lessons learned from the development and delivery of the ISE into the OCTAVE framework and method.
- Software risk management expertise. OCTAVE is also incorporating many of the diagnostic techniques and theories developed by the SEI’s Risk Program, which focused on identifying risks to software development projects. Many of the principles for OCTAVE’s Phase 1 are derived from work that focused on risk management issues facing managers in a software development organization.
- Surveying the current state of the practice in information security risk management. Articles about state-of-the-practice information security assessments were examined prior to the development of OCTAVE. This information was used to determine what is working in the community and where the community could benefit from a self-directed comprehensive information security risk assessment.
Information systems are essential to most organizations today. The integrity, availability, and confidentiality of information are critical to organizations’ missions. However, few organizations focus on their most important information assets when they make decisions about protecting their information. For example, a bank might consider its customers’ bank records to be one of its important information assets. Likewise, a military organization responsible for deploying troops might consider logistical data to be an important information asset. Most organizations form their protection strategies by focusing solely on infrastructure weaknesses. Those organizations fail to establish the effect of the infrastructure weaknesses on information assets, such as bank records or logistical data.
This leads to a gap between the organization’s operational requirements and information technology (IT) requirements. Often, the computing infrastructure is set up without the IT staff having a clear understanding of the organization’s mission- or business-related needs. It is not clear if important information is being adequately protected. Likewise, significant effort might be directed toward protecting relatively unimportant information. In these situations, the operational or business units of the organization and the information technology department are not communicating effectively.
Often, information protection decisions are made in an ad hoc manner, based on the IT department’s prior experience with vulnerabilities and the threats that they currently know about. Thus, risks tend not to be systematically managed or are managed by the wrong people.
Most current approaches to information-security risk management tend to be incomplete, expert-driven, or both. Most approaches fail to include all the components of information security risk (assets, threats, and vulnerabilities). In these cases, the organization has insufficient data to fully match a protection strategy to its security risks.
Many organizations outsource information security risk assessments because they do not have in-house capability to perform this vital service. They hire experts to perform risk assessments, and the resulting assessment is only as good as the experts who perform it. Often the consumers of such services have no way to understand if the risk assessment performed for them is adequate for their enterprise.
OCTAVE enables organizations to avoid those problems. It defines the essential components of a systematic information-security risk assessment. By following the OCTAVE framework, an organization can make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information assets. The operational or business units and the departments responsible for the information infrastructure work together to address the information security needs of the enterprise. OCTAVE thus gives the organization a comprehensive, systematic, context-driven approach to managing information-security risks.
1.2 Overview of OCTAVE

OCTAVE examines organizational issues and technology issues to assemble a comprehensive picture of the information security needs of an enterprise. It contains the following phases:
- Phase 1, Build Enterprise-Wide Security Requirements
- Phase 2, Identify Infrastructure Vulnerabilities
- Phase 3, Determine Security Risk Management Strategy
Each phase of OCTAVE is designed to produce meaningful results for the organization.
During Phase 1, information assets and their values, threats to those assets, and security requirements are identified using knowledge of the staff from multiple levels within the organization, along with standard catalogs of information. For example, known threat profiles and good organizational and technical practices are used to probe staff members for their knowledge of the organization’s assets, threats, and current protection strategies. This information can then be used to establish the security requirements of the enterprise, which is the goal of the first phase of OCTAVE.
Figure 1: OCTAVE Phase 1, Build Enterprise-Wide Security Requirements
Phase 2 of OCTAVE builds on the information captured during Phase 1 by mapping the information assets of the organization to the information infrastructure components (both the physical environment and networked IT environment) to identify the high-priority infrastructure components. Once this is done, an infrastructure vulnerability evaluation is performed to identify vulnerabilities. As in Phase 1, standard catalogs of information are used; for example, standard intrusion scenarios and vulnerability information are used as a basis for the infrastructure vulnerability evaluation. At the conclusion of Phase 2, the organization has identified the high-priority information infrastructure components, missing policies and practices, and vulnerabilities.
Figure 2: OCTAVE Phase 2, Identify Infrastructure Vulnerabilities
Phase 3 of OCTAVE builds on the information captured during Phases 1 and 2. Risks are identified by analyzing the assets, threats, and vulnerabilities identified in OCTAVE’s earlier phases in the context of standard intrusion scenarios. The impact and probability of the risks (also called the risk attributes) are estimated and subsequently used to help prioritize the risks. The prioritized list of risks is used in conjunction with information from the previous phases to develop a protection strategy for the enterprise and to establish a comprehensive plan for managing security risks, which are among the goals of Phase 3.
Figure 3: OCTAVE Phase 3, Determine Security Risk Management Strategy
To illustrate how using OCTAVE can help an enterprise understand its information security risks, consider the following example. An enterprise with sensitive financial information is interested in understanding and addressing its information security risks. The enterprise's management is concerned that outsiders could gain access to financial information that could be used for illegal stock trading. The senior managers decide to perform a security assessment to understand the enterprise's risk in this area.
An outside consulting firm is hired to evaluate the enterprise’s security. The following observations are among those identified by the consultants:
- The enterprise’s firewall is functioning correctly—outsiders would have a hard time getting in.
- There are no back doors into the network.
- The number of accounts on most servers is limited.
- Most servers are accessed remotely.
- Authentication is required when users access servers.
- There is one vulnerability: user IDs and passwords travel across the network in clear text.
The consultants failed to develop a picture of the risk facing the enterprise. Consequently, senior managers believed that the financial information was secure, based on the results of the assessment. They felt safe from the threat of outsiders breaking into their network and stealing sensitive financial information. They were not considering other potential threats.
Consider a second evaluation, which is performed by following the OCTAVE framework. Personnel from senior management, middle management, and staff levels participated in the risk evaluation. Phase 1 of OCTAVE was performed to identify assets, threats, and security requirements.
One of the most critical assets identified was the sensitive financial information. If this information were made public, the reputation of the enterprise would suffer and could result in millions of dollars of lost business. In addition, anyone knowing this information could use it to profit illegally by trading stocks. The relative impact of losing the confidentiality of this information was high. Thus, one of the security requirements for the financial information was that it must be confidential.
OCTAVE requires participants to consider a variety of potential threats. (The term "threats" indicates what or whom the assets are being protected from.) Several threats had motivation to possess this information, because the information could be used for financial gain. Furthermore, it was determined that the threats could be insiders or outsiders. One possible means for threats to gain access to the information was via the network, and all employees had access to the network. Technically savvy employees might be able to exploit any vulnerabilities that might be present.
In addition, the information supplied by staff-level employees indicated that there was some dissatisfaction among some of the technical employees in the company. Thus, disgruntled insiders might have both the motive and the means to steal the information.
Next, Phase 2 of OCTAVE was performed to identify infrastructure vulnerabilities. First, the important infrastructure components were identified through an examination of the layout of the physical and IT infrastructures. Because sensitive financial information was an important information asset, the server that contained the database with that information was identified as a high-priority component. A vulnerability evaluation for the server was performed.
The vulnerability evaluation indicated the following:
- The number of accounts on the server holding the sensitive information is limited.
- The server is accessed remotely.
- Authentication is required when a user accesses the server.
- There is one major vulnerability: user IDs and passwords travel across the network in clear text.
Phase 3 of OCTAVE calls for an analysis of the asset, threat, and vulnerability information identified during Phases 1 and 2, in the context of intrusion scenarios to identify the organization’s risks. For example, the following intrusion scenario can be built using the information in this example:
A technically savvy, disgruntled insider uses a network sniffer to steal passwords to the server containing the sensitive database. As soon as a password is known, the insider can access the sensitive information and use it for personal gain or make it public.
The likelihood of such an attack was judged to be moderate to high. The impact would be high in terms of damage to the company's reputation. This was judged to be a significant risk to the enterprise.
The senior managers understood the nature of this risk. They understood that it was possible for a sufficiently motivated insider to steal sensitive financial information and use it for profit. This was only one of many such risks to be identified using OCTAVE. The enterprise staff was now ready to start developing a strategy to protect the sensitive financial information as well as other important assets.
By performing a comprehensive risk assessment that considers asset, threat, and vulnerability information and puts it into the context of the enterprise, the risks facing the enterprise can be identified. In addition, personnel from all levels can understand risks when they are put into the context of the enterprise, and can make sensible decisions concerning a protection strategy.
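The phase descriptions in Section 1.2 and the worked example above both describe the same join: Phase 1 assets and their security requirements, Phase 2 components and vulnerabilities, and Phase 3 intrusion scenarios rated by impact and likelihood. The Python below is an added illustration of that analysis and is not code from the SEI report, which prescribes no scoring scheme. The three-level ratings, the rule for combining threat motive with vulnerability severity, and the sample data (a second, low-value server that carries the same clear-text-password weakness as the finance server) are all assumptions constructed for the example.

```python
"""
Added illustration of the OCTAVE analysis (not code from the SEI report).
Ratings, the combination rule and the data set are constructed assumptions.
"""
from dataclasses import dataclass

RATING = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Asset:
    name: str
    impact_if_lost: dict   # Phase 1 security requirement: property -> "low"/"moderate"/"high"


@dataclass
class Threat:
    actor: str             # whom the asset is being protected from
    motive: str            # "low"/"moderate"/"high"
    access: set            # access paths the actor already has, e.g. {"network"}


@dataclass
class Component:
    name: str
    hosts: set             # names of assets stored or processed here
    reachable_via: set     # access paths that reach this component


@dataclass
class Vulnerability:
    component: str
    description: str
    violates: str          # security property an exploit defeats
    severity: str          # ease of exploitation, "low"/"moderate"/"high"


@dataclass
class Risk:
    scenario: str
    asset: str
    impact: str
    likelihood: str
    score: int             # impact rating x likelihood rating, 1..9


def critical_assets(assets):
    """Phase 1: assets with a high-impact security requirement on any property."""
    return {a.name for a in assets if "high" in a.impact_if_lost.values()}


def high_priority_components(assets, components):
    """Phase 2, first step: components that host at least one critical asset."""
    critical = critical_assets(assets)
    return [c for c in components if c.hosts & critical]


def likelihood_rating(threat, vuln):
    """Motive plus means. Assumed rule: sum of ratings; 2-3 low, 4 moderate, 5-6 high."""
    total = RATING[threat.motive] + RATING[vuln.severity]
    return "low" if total <= 3 else "moderate" if total == 4 else "high"


def build_risks(assets, threats, components, vulns):
    """Phase 3: join asset, threat and vulnerability data into rated intrusion scenarios."""
    asset_by_name = {a.name: a for a in assets}
    comp_by_name = {c.name: c for c in components}
    risks = []
    for v in vulns:
        comp = comp_by_name[v.component]
        for t in threats:
            if not (t.access & comp.reachable_via):
                continue  # the actor has no path to this component: no scenario
            for asset_name in comp.hosts:
                impact = asset_by_name[asset_name].impact_if_lost[v.violates]
                lik = likelihood_rating(t, v)
                risks.append(Risk(
                    scenario=f"{t.actor} exploits '{v.description}' on {comp.name}",
                    asset=asset_name, impact=impact, likelihood=lik,
                    score=RATING[impact] * RATING[lik]))
    return sorted(risks, key=lambda r: r.score, reverse=True)


# Constructed sample data modelled on the enterprise in the text.
ASSETS = [
    Asset("sensitive financial information",
          {"confidentiality": "high", "integrity": "moderate", "availability": "low"}),
    Asset("cafeteria menu",
          {"confidentiality": "low", "integrity": "low", "availability": "low"}),
]
THREATS = [
    Threat("disgruntled technical insider", "high", {"network"}),
    Threat("outside attacker", "high", {"internet"}),  # firewall holds: no path onto the LAN
]
COMPONENTS = [
    Component("finance database server", {"sensitive financial information"}, {"network"}),
    Component("intranet web server", {"cafeteria menu"}, {"network"}),
]
VULNS = [
    Vulnerability("finance database server",
                  "user IDs and passwords cross the network in clear text",
                  "confidentiality", "high"),
    Vulnerability("intranet web server",
                  "user IDs and passwords cross the network in clear text",
                  "confidentiality", "high"),
]

if __name__ == "__main__":
    print("High-priority components:",
          [c.name for c in high_priority_components(ASSETS, COMPONENTS)])
    for r in build_risks(ASSETS, THREATS, COMPONENTS, VULNS):
        print(f"[{r.score}] impact={r.impact} likelihood={r.likelihood}: "
              f"{r.scenario} -> {r.asset}")
```

The ranking makes the report's point concrete: the identical clear-text-credential finding scores 9 on the finance server and 3 on the intranet server, because the risk comes from the asset's security requirement and the threat's access, not from the vulnerability alone. The outside attacker produces no scenario at all, matching the consultants' firewall observation, while the insider with network access produces the top risk.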
1.4 Report Overview

In the rest of this report, OCTAVE will be outlined in detail. We will describe each of the three phases of OCTAVE and the multiple processes within each phase. For each OCTAVE process, we include the following:
- process activities—a high-level description of what happens at each step of the process. Included with the description of each activity is a description of the inputs and outputs of each process.
- process diagram—a data-flow diagram showing the inputs and outputs of the process
Following the phase and process descriptions are higher-level views of OCTAVE. Section 5 concisely summarizes OCTAVE goals and processes. The appendix provides a flowchart of the OCTAVE method.
[1] Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.