Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0

Alberts, Christopher; Behrens, Sandra G.; Pethia, Richard D.; Wilson, W. R. D.

doi:10.21236/ada367718

Cited by 88 publications

(80 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a qualitative risk assessment approach proposed by CERT-SEI (Alberts et al 1999) to manage information security risks, helping organizations to map threats and protect organization assets. One characteristic that makes OCTAVE unique is that it is based on operational risk and security practices that are identified by the organization, not relying on outside requirements.…”

Section: Security Assessment Methodologiesmentioning

confidence: 99%

Security Benchmarks for Web Serving Systems

Mendes

Madeira

Duraes

2014

2014 IEEE 25th International Symposium on Software Reliability Engineering

View full text Add to dashboard Cite

The assessment of the security level of computer systems in a standardized and regular manner (security benchmarking) has become a very relevant subject, especially for those who use computer systems to support critical business missions or to store confidential information. The concern about computer-based system security is totally justified: systems have become increasingly complex, interconnected, and pervasive, and their security have been threatened by many types of attacks. These attacks are unavoidable, as the root causes for them are tied up to human aspects that cannot be removed (intention to cause harm, intention to steal information, etc.), and the losses attacks can cause to their targets (when successful) can be very significant. This scenario of attack inevitability has led companies and governments to invest massively in the development of regulations and mechanisms aimed at the improvement of the security of computer systems (e.g., training developer teams, rapidly solving discovered vulnerabilities, using tools to detect and prevent attacks). Despite these efforts, successful attacks continue to happen, showing that computer systems remain insecure. This is why end-users, system administrators, and systems integrators (to mention just a few classes of users) consider security as an important decision factor when choosing which system to buy and use. These individuals are looking for the means to assess and compare the security of functionally-similar systems/components that will enable them to make a decision taking into account the assessment of security risk.This thesis presents a novel, reproducible, risk-based methodology to benchmark the security of software-based systems. This is a generic methodology that can be instantiated to any class of software-based system. Our benchmark methodology uses the notion of risk in a quantifiable way to measure the security of systems, with a single security metric (SBench) to simplify the comparison of different systems (or different configurations of the same system), enabling users and system integrators to identify and select the most secure one, allowing as well the breakdown of this single metric for more detailed analysis. Our methodology follows the approach of benchmarks proposed in the field of performance and dependability, containing elements such as metrics, workload, and experimental setup, and defining a comprehensive set of procedures and rules to ensure the compliance with key properties such as repeatability.Our security benchmark methodology cover the two complementary views of a 8 given system concerning security: the first takes into account concrete vulnerabilities effectively existing for that system (measures what is already known), and the second estimates the effects of possible yet-to-discover vulnerabilities (and, in fact, many attacks are based on previously unknown vulnerabilities). In fact, these views correspond to the two parts of our benchmark methodology: the static and the dynamic. The static part corresponds ...

show abstract

Section: Security Assessment Methodologiesmentioning

confidence: 99%

Security Benchmarks for Web Serving Systems

Mendes

Madeira

Duraes

2014

2014 IEEE 25th International Symposium on Software Reliability Engineering

View full text Add to dashboard Cite

show abstract

“…Fuel shortage crisis is one of the major risk, to manage this risk, several international standards can be used as a guideline, some of them are, the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE SM ) that has three phases, they are build organisation security requirements, identify infrastructure vulnerabilities, and determine security risk management strategy [9]. One more standard is the American National Institute of Standards & Technology (NIST) issued the Federal Information Processing Standards Publications (FIPS PUBS) [10].…”

Section: Conducting a Counterespionage Risk Assessmentmentioning

confidence: 99%

A New Counterfeiting Approach: Computer Security Evaluation Of Fuel Rationing System

Al-Shawabkeh¹,

Li²

2017

Proceedings of the 2017 2nd Joint International Information Technology, Mechanical and Electronic Engineering Conference (JIMEC

View full text Add to dashboard Cite

Engineering, Car Industry, Electronics, Software Suppliers, and Banks depending on the technology and highly sensitive information for their success, they have to invest on espionage and counterfeiting to keep a head of their competitors. Fuel rationing was introduced in 1941 as part of the war effort and it was not removed until 1950. In this period the fuel was banned for private vehicles and heavy penalties applied if it was discovered. When the ration was removed in 1950 there was a widespread black market, and extensive forgery of ration coupons. Longer term secure rationing is inevitable and there has been no investment in the approach to be used. It is clear that a paper coupon book will be widely counterfeited in its current form and a new approach is required with either a stronger coupon design or a different method. This research plan and develop a secure fuel rationing system. Finding confirms the need of return of invest on the fuel chain contingency system provide a model to describe how the rationing system resist counterfeiting, corruptions, hacking and cyber-attacks. Furthermore, the research state the main three effective attacks and how the proposed rationing systems deal with them.

show abstract

“…The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method [10] is a framework for identifying and managing information security risks developed by Computer Emergency Response Team. It also is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.…”

Section: Related Workmentioning

confidence: 99%

Telecommunications Networks Risk Assessment with Bayesian Networks

Szpyrka

Jasiul

Wrona³

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We propose a solution which provides a system operator with valuation of security risk introduced by various components of the communication and information system. This risk signature of the system enables the operator to make an informed decision about which network elements shall be used in order to provide a service requested by the user while minimising security risk related to service execution. In considered scenario transmitted data can be intercepted, modified or dropped by an attacker. Each network component and path can be potentially used to compromise information, since an adversary is able to utilise various vulnerabilities of network elements in order to perform an attack. The impact and probability of such successful attacks can be assessed by analysing the severity of the vulnerabilities and the difficulty of exploiting them, including the required equipment and knowledge. In consequence, each possible service work-flow can be assigned a security risk signature.

show abstract

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0

Abstract: The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange.

Cited by 88 publications

References 0 publications

Security Benchmarks for Web Serving Systems

Security Benchmarks for Web Serving Systems

A New Counterfeiting Approach: Computer Security Evaluation Of Fuel Rationing System

Telecommunications Networks Risk Assessment with Bayesian Networks

Contact Info

Product

Resources

About