CWRAF - Vignette Summary
The MITRE Corporation Copyright © 2013
https://cwe.mitre.org/cwraf/
CWRAF version: 0.8.3
Date: April 3, 2013
Within the Common Weakness Risk Analysis Framework (CWRAF), a vignette provides a shareable, formalized way to define a particular environment, the role that software plays within that environment, and an organization's priorities with respect to software security. It identifies essential resources and capabilities, as well as their importance relative to security principles such as confidentiality, integrity, and availability.

Vignettes allow the Common Weakness Scoring System (CWSS) to support diverse audiences who may have different requirements for how to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.

This page currently contains details for 23 vignettes that are being actively developed for CWRAF. The CWRAF community will help to refine these and develop others. Feedback is welcome.
banking-finance
  Financial Trading: Internet-facing, e-commerce provider of retail goods or services. Data-centric; database containing PII, credit card numbers, and inventory.
  Online Banking: The web-based interaction between a bank, credit union, or other financial institution and its consumers for managing accounts, paying bills, and conducting financial transactions.

chemical
  Chemical Flow Control: A SCADA-based flow control system for a chemical plant. Underlying technology is heavy C usage. Systems were developed in the pre-Internet era, with management consoles interfacing to them.

ecomm
  Web-Based Retail Provider: Internet-facing, e-commerce provider of retail goods or services. Data-centric; database containing PII, credit card numbers, and inventory.

emerg-svc
  First Responder: First responder (such as fire, police, and emergency medical personnel) for a disaster or catastrophe.

energy
  Household Smart Meter: Meter within the Smart Grid that records electrical consumption and communicates this information to the supplier on a regular basis.
  Regional Electricity Flow Control: Flow control for an electricity network throughout a relatively large region, to further connect suppliers and consumers. Power now enters the grid from both sides (the classic provider, but also home-to-provider, e.g. photovoltaic panels and wind turbines in homes and throughout the landscape). The system needs built-in "smarts" to provide the load-leveling capabilities of the grid, which is basically a large distributed SCADA-type system.
  SCADA Historian: Historian server for archival and analysis of data for a SCADA system. Contains a database backend and is accessible via a web interface. Access to the server is typically restricted to a DMZ or internal network.
  Distributed Production Facility Management using SCADA Web-based HMI: A web-based Human Machine Interface (HMI) for SCADA systems. Users can visualize and control industrial automation processes in real time from a control interface directly in communication with remote sensors and data collection points. All facets of production can be monitored and managed from a web browser. The HMI uses various frameworks (Java, .NET, etc.) with a RESTful architecture (AJAX, XML, SOAP, XSL, and WML).

evoting
  State or Local Elections using eVoting via Direct Recording Election Machines: DRE systems are not directly connected to the Internet. Vote data is uploaded to a centralized server via modem. An election worker retrieves hard copies of the voting record from the machine and delivers the printouts to election officials. DRE machines are programmed with firmware uploaded from a compact flash card. It is generally accepted that the computer used to upload the firmware to the flash card should not be connected to the Internet.

human-res
  Employee Compensation: Product for managing employee salary and bonuses. PII includes salary, financial transaction data (e.g. for direct deposit), social security number, home address, etc.

natl-defense
  Weapon system sensor: Sensor for a weapons system that is connected to the Global Information Grid (GIG).

pub-health
  Medical Billing: Medical encoding and billing. Data used includes Electronic Health Records (EHR), financial management, and interactions with insurance companies.
  Human Medical Devices: Medical devices that are "implantable" or "partially embedded" in humans, as well as devices used in clinic or hospital environments ("patient care" devices). Includes items such as pacemakers and automatic drug delivery. Control or monitoring of the device might be performed by smartphones. The devices are not in a physically secured environment.

soc-media
  Social Networking: Web site for enabling a large community of people to post comments, create profiles, exchange messages or pictures, and join affiliation groups, e.g. Facebook, MySpace, Twitter, or LinkedIn. Free-form content, high connectivity between users, private messaging. Heavy Web 2.0 usage.
  Electronic Dating: Web site for electronic dating. Users can create profiles with pictures, exchange private email, participate in discussion forums, and perform searches. Heavy Web 2.0 usage.

telecom