SharePoint and the CARVER Matrix

The “CARVER Matrix” was developed by the United States special operations forces during the Vietnam War. “CARVER” is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability and is a system to identify and rank specific targets so that attack resources can be efficiently used. This system was developed in order to aid “Special Operations Forces (SOF)” and more recently “Department of Energy (DOE)“, “Department of State (DOS)“, “Department of Homeland Security (DHS)” and various private and commercial security assets, in target selection and Risk/Vulnerability assessments by calculating the value of a given potential target and the ease with which such a target could be neutralized. Or in other words, it’s a logical way of looking at what one might want to do and whether or not it is possible, based on the resources one has to work with.

http://en.wikipedia.org/wiki/CARVER_matrix

Criticality
What is the value of the system? Will it cause significant impact if compromised?

Accessibility
How easily can I reach the target? Is the target system connected to the internet or a network?

Recuperability
How long will it take to recover from this type of attack or breach?

Vulnerability
What knowledge is needed to exploit the target? How vulnerable to this attack or subsequent attacks? Can I use known exploits or maybe possible zero-day exploits?

Effect
What is the total fallout that would result from malicious actions performed on the systems?

Recognizability
How easy was it to recognize the specific system and not a countermeasure system? Can the systems be easily identified?

The “CARVER Matrix” maps all these questions into an easy table, so you can see at a glance the rating for a particular system or threat. Of course the military would use this differently than I am going to, as their targets are not primarily SharePoint Farms.

The table itself is made up of the word “CARVER“, with the list of “TARGETS” or in our case the list of systems that make up the SharePoint Solution. We then rank each element of the six “CARVER” categories for each system, with 5 being the highest value to look at.

So based on my assessment of a fictitious SharePoint Environment, we can see that the high priority / value systems would be the SQL Server, Active Directory or the Email Server. Of course these three would come out top as they have the “keys to the kingdom” so to speak. However if we look at the scores, even though “Active Directory” is the highest value system, the score for it being accessible and the skill level needed means it is not a viable option for an entry point. We can also look at other scores, and we can see that our Web Servers come pretty close to being a target. This now helps me to not only identify the highest value systems but also those with a low score on how easy it is to penetrate the component.

This approach can be used for all kinds of things, not just checking our SharePoint Solutions. The following image comes from “HP“, where it asks the question “Are you defending the right things?”

http://h30499.www3.hp.com/t5/HP-Security-Products-Blog/CARVER-Analysis-Are-you-defending-the-right-things/ba-p/6475654#.VI9Ivntg7TA

Hopefully you can see that using this approach can help us as organizations to visually see the risk associated with elements of our solutions, and of course remember it can be applied to all aspects of a SharePoint Environment. If we expended the list we had earlier it could look like this:

Of course then our values may be different, but we would quite quickly the areas that need to improve to make our SharePoint Environment more secure.