CWRAF Vignette Details - Domain banking-finance
The MITRE Corporation Copyright © 2013
http://cwe.mitre.org/cwraf/
CWRAF version: 0.8.3
Date: April 3, 2013
Project Coordinator:
Bob Martin (MITRE)
Document Editor:
Steve Christey (MITRE)
CWRAF Vignettes - banking-finance
Within the Common Weakness Risk Analysis Framework (CWRAF), a vignette provides a shareable, formalized way to define a particular environment, the role that software plays within that environment, and an organization's priorities with respect to software security. It identifies essential resources and capabilities, as well as their importance relative to security principles such as confidentiality, integrity, and availability. For example, in an e-commerce context, 99.999% uptime may be a strong business requirement that drives the interpretation of the severity of discovered weaknesses.

Vignettes allow CWSS to support diverse audiences who may have different requirements for how to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.

This page currently contains details for 2 vignettes within the "banking-finance" domain. These are illustrative only; the CWRAF community will help to refine these and develop others. Feedback is welcome.
Vignette Summary
Name | Description
---- | -----------
Financial Trading | Internet-facing, E-commerce provider of retail goods or services. Data-centric - Database containing PII, credit card numbers, and inventory.
Online Banking | The web-based interaction between a bank, credit union, or other financial institution and its consumers for managing accounts, paying bills, and conducting financial transactions.
Vignette Details
Vignette Definition: Financial Trading

Name | Financial Trading
ID | fin-trade
Maturity | under-development
Domain | banking-finance
Desc | Internet-facing, E-commerce provider of retail goods or services. Data-centric - Database containing PII, credit card numbers, and inventory.
Archetypes | N-tier distributed, J2EE and supporting frameworks, Transactional engine
Business Value Context (BVC) | High on integrity - transactions should not be modified. Availability also very high - if the system goes down, financial trading can stop and critical transactions are not processed.
Notes | (none)
References | No references recorded.
Technical Impact Scorecard

Impact | Layer | Subscore | Notes
------ | ----- | -------- | -----
Modify data | System | |
Modify data | Application | 8 | Delete or modify transactions; inject fraudulent transactions; remove transaction history.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | 7 | Enable insider trading; breach confidentiality of transactions between multiple parties.
Read data | Network | |
Read data | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | 4 | Lost or multiply-filed transactions due to high volume or traffic; possible DoS impact on downstream systems. Inability to process new transactions, or they take longer to perform than usual. Significant reduction in the number of transactions that can be processed.
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | 5 | Inability to process new transactions, or they take longer to perform than usual. Significant reduction in the number of transactions that can be processed. Difficulty tracking whether transactions have succeeded or not; disruption of time-sensitive operations where small delays may have significant financial consequences.
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
Execute unauthorized code or commands | Application | 10 | Steal financial data, make unauthorized transactions.
Execute unauthorized code or commands | System | 10 | Disable essential services.
Execute unauthorized code or commands | Network | 8 | Make fraudulent transactions that appear to come from the victim user. Financial and reputation loss for the victim.
Gain privileges / assume identity | Network | 7 | Avoid detection of attacks; possibly steal data; pose as others.
Bypass protection mechanism | Application | 3 | Cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Application | 3 | Cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Network | |
Hide activities | Enterprise | |
Vignette Definition: Online Banking

Name | Online Banking
ID | e-banking
Maturity | stub
Domain | banking-finance
Desc | The web-based interaction between a bank, credit union, or other financial institution and its consumers for managing accounts, paying bills, and conducting financial transactions.
Archetypes | Web browser, Web server, Database, Transactional engine
Business Value Context (BVC) | High on integrity - transactions should not be modified. Availability is moderate - other avenues of communication exist, e.g. a physical visit. Confidentiality is high, due to customer privacy concerns and the risk of financial loss due to identity theft.
Notes | (none)
References | No references recorded.
Technical Impact Scorecard

This vignette is a stub: no subscores or notes have been recorded yet.

Impact | Layer | Subscore | Notes
------ | ----- | -------- | -----
Modify data | System | |
Modify data | Application | |
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | |
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | |
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | |
Hide activities | Network | |
Hide activities | Enterprise | |