CWRAF Vignette Details - Domain soc-media
The MITRE Corporation Copyright © 2013
http://cwe.mitre.org/cwraf/
CWRAF version: 0.8.3
Date: April 3, 2013
Project Coordinator: Bob Martin (MITRE)
Document Editor: Steve Christey (MITRE)
CWRAF Vignettes - soc-media
Within the Common Weakness Risk Analysis Framework (CWRAF), a vignette provides a shareable, formalized way to define a particular environment, the role that software plays within that environment, and an organization's priorities with respect to software security. It identifies essential resources and capabilities, as well as their importance relative to security principles such as confidentiality, integrity, and availability. For example, in an e-commerce context, 99.999% uptime may be a strong business requirement that drives the interpretation of the severity of discovered weaknesses. Vignettes allow CWSS to support diverse audiences who may have different requirements for how to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.

This page currently contains details for 2 vignettes within the "soc-media" domain. These are illustrative only; the CWRAF community will help to refine these and develop others. Feedback is welcome.
Vignette Summary
Name | Description
Social Networking | Web site for enabling a large community of people to post comments, create profiles, exchange messages or pictures, and join affiliation groups, e.g. Facebook, MySpace, Twitter, or LinkedIn. Free-form content, high connectivity between users, private messaging. Heavy Web 2.0 usage.
Electronic Dating | Web site for electronic dating. Users can create profiles with pictures, exchange private email, participate in discussion forums, perform searches. Heavy Web 2.0.
Vignette Details
Vignette Definition: Social Networking
Name | Social Networking
ID | soc-net
Maturity | example
Domain | soc-media
Desc | Web site for enabling a large community of people to post comments, create profiles, exchange messages or pictures, and join affiliation groups, e.g. Facebook, MySpace, Twitter, or LinkedIn. Free-form content, high connectivity between users, private messaging. Heavy Web 2.0 usage.
Archetypes | Service-oriented architecture, Web browser, Web server
Business Value Context (BVC) | Availability is the most important concern. Users want to restrict access to pictures and private messages, but many are willing to give up some privacy (e.g. usage habits) for some benefits, or do not care about it. Integrity is desired to keep malware from spreading between users and to limit hijacking of user accounts, but accuracy of the shared data is less important (e.g., modification of profile contact information or spoofing of status updates).
Notes |
References | No references recorded.
Technical Impact Scorecard
Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | 7 | Falsify or delete user profiles, affiliations, contact information, private or public messages. Deface web site or redirect users to malware.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | 4 | Steal data related to basic PII (phone, email, address, location), affiliations with other people, reading private communications.
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | 9 | Customers cannot use site; financial loss due to downtime.
DoS: unreliable execution | Network | 9 | Customers cannot reach site; financial loss due to downtime. If DNS is compromised, customers may be redirected to malicious sites.
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | 7 | Customers experience delays in reaching site; performance is very slow; possible reduction in number of simultaneous users of the site.
DoS: resource consumption | Application | 7 | Customers experience delays in reaching site; performance is very slow; possible reduction in number of simultaneous users of the site.
DoS: resource consumption | Network | 7 | Customers experience delays in reaching site; performance is very slow; possible reduction in number of simultaneous users of the site.
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | 10 | Modification or theft of all sensitive data; ability to shut down service or use system to attack other systems.
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | 8 | Pose as other users; delete profiles or change privacy settings; administer the application.
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | 8 | Avoid detection of attacks; possibly steal or modify sensitive data; pose as other users.
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | 3 | Cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Application | 3 | Cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Network | 3 | Cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Enterprise | 3 | Cannot obtain sufficient evidence for criminal prosecution.
Vignette Definition: Electronic Dating
Name | Electronic Dating
ID | elec-date
Maturity | example
Domain | soc-media
Desc | Web site for electronic dating. Users can create profiles with pictures, exchange private email, participate in discussion forums, perform searches. Heavy Web 2.0.
Archetypes | Service-oriented architecture, Web browser, Web server
Business Value Context (BVC) | Confidentiality is probably the most important concern. Keeping identity information private is very important for personal safety. Mail messages or chat logs between participants are expected to be private. Credit card information may be stored for subscription-based services. Availability is important for users to access the site, since it is the only means of contact between users in initial stages, until other communication channels are used. Integrity can have some impact on users: modification of profile information could hamper the search for compatible contacts (e.g. through gender or age preferences), delete messages/chat logs between participants, or enable harassment (e.g. by modifying pictures or descriptions of desired partners).
Notes |
References | No references recorded.
Technical Impact Scorecard
Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | |
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | |
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | |
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | |
Hide activities | Network | |
Hide activities | Enterprise | |