CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWRAF > CWE List > CWRAF Vignette Details - Domain ecomm  
ID

CWRAF Vignette Details - Domain ecomm

The MITRE Corporation
Copyright © 2013
http://cwe.mitre.org/cwraf/

CWRAF version: 0.8.3

Date: April 3, 2013

Project Coordinator:

Bob Martin (MITRE)

Document Editor:

Steve Christey (MITRE)
CWRAF Vignettes - ecomm
CWRAF Vignettes - ecomm

Within the Common Weakness Risk Analysis Framework (CWRAF), a vignette provides a shareable, formalized way to define a particular environment, the role that software plays within that environment, and an organization's priorities with respect to software security. It identifies essential resources and capabilities, as well as their importance relative to security principles such as confidentiality, integrity, and availability. For example, in an e-commerce context, 99.999% uptime may be a strong business requirement that drives the interpretation of the severity of discovered weaknesses.

Vignettes allow CWSS to support diverse audiences who may have different requirements for how to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.

This page currently contains details for 1 vignettes within the "ecomm" domain. These are illustrative only; the CWRAF community will help to refine these and develop others. Feedback is welcome.

Vignette Summary
Vignette Summary
NameDescription
Web-Based Retail ProviderInternet-facing, E-commerce provider of retail goods or services. Data-centric - Database containing PII, credit card numbers, and inventory.
Vignette Details
Vignette Details

Vignette Definition: Web-Based Retail Provider

NameWeb-Based Retail Provider
IDretail-www
Maturityunder-development
Domainecomm
DescInternet-facing, E-commerce provider of retail goods or services. Data-centric - Database containing PII, credit card numbers, and inventory.
ArchetypesDatabase, Web browser, Web server, General-purpose OS
Business Value Context (BVC)Confidentiality essential from a financial PII perspective, identity PII usually less important. PCI compliance a factor.

Security incidents might have organizational impacts including financial loss, legal liability, compliance/regulatory concerns, and reputation/brand damage.

Notes
ReferencesNo references recorded.

Technical Impact Scorecard

ImpactLayerSubscoreNotes
Modify dataSystem9Deface web pages; install malware through web pages; modify system configuration. Cause DoS (crash) or corrupt data; in some cases, execute arbitrary code.
Modify dataApplication9Modify or delete customer order status and pricing, contact information, inventory tracking, customer credit card numbers, cryptographic keys and passwords (plaintext and encrypted).
Modify dataNetwork
Modify dataEnterprise
Read dataSystem7Read system/application configuration.
Read dataApplication7Read customer credit card numbers, customer credit card numbers, order status, cryptographic keys and passwords (plaintext and unencrypted).
Read dataNetwork
Read dataEnterprise
DoS: unreliable executionSystem
DoS: unreliable executionApplication4Customers cannot reach site or experience delays in reaching site; delays in order placement and resulting financial loss.
DoS: unreliable executionNetwork
DoS: unreliable executionEnterprise
DoS: resource consumptionSystem
DoS: resource consumptionApplication
DoS: resource consumptionNetwork
DoS: resource consumptionEnterprise
Execute unauthorized code or commandsSystem10Read or modify customer credit card numbers, contact information, order status and pricing, inventory tracking, cryptographic keys and passwords (plaintext and encrypted). Cause denial of service. Modify web site to deface or install malware to deliver to customers; uninstall critical software.
Execute unauthorized code or commandsApplication10Read or modify customer credit card numbers, contact information, order status and pricing, inventory tracking, cryptographic keys and passwords (plaintext and encrypted). Cause denial of service. Modify web site to deface or install malware to deliver to customers; uninstall critical software.
Execute unauthorized code or commandsNetwork
Execute unauthorized code or commandsEnterprise
Gain privileges / assume identitySystem9Attacker can perform administrative functions as the system admin or other system user that the attacker does not have direct access to.
Gain privileges / assume identityApplication9Attacker can perform administrative functions as the application admin, or gain privileges as other users.
Gain privileges / assume identityNetwork
Gain privileges / assume identityEnterprise
Bypass protection mechanismApplication7Avoid detection of attacks; possibly steal data; pose as others.
Bypass protection mechanismSystem7Avoid detection of attacks; possibly steal data; pose as others.
Bypass protection mechanismNetwork7Bypass firewalls that may be protecting private systems from direct Internet access. Monitor private network traffic.
Bypass protection mechanismEnterprise7Compromise security/networking devices to perform MitM attacks, monitor network traffic.
Hide activitiesSystem3Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activitiesApplication3Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activitiesNetwork3Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activitiesEnterprise3Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Page Last Updated: January 18, 2017