Identify Targets with CARVER
One of the methods you can use to start identifying security issues is the CARVER Matrix.
CARVER is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability. It is a system used to assess targets and decide which one needs to be secured first. Let me write down what each component means in terms of computer security:
- Criticality: the target value. How vital is this to the overall organisation? A target is critical when its compromise or destruction has a highly significant impact on the overall organisation.
- Accessibility: how easily can I reach the target? What are the defences? Do I need an insider? Is the target computer accessible via a network?
- Recuperability: how long will it take for the organisation to replace, repair, or bypass the destruction or damage caused to the target? Once the compromise is found, how long will it take for the system to recuperate from the breach?
- Vulnerability: what degree of knowledge is needed to exploit the target? Can I use known exploits, or would I have to invest in new, possibly zero-day exploits?
- Effect: what is the impact of the attack on the organisation? Similar to the first point (Criticality), this point should also analyse possible reactions from the organisation.
- Recognizability: can I identify the target as such? How easy is it to recognise that a specific system, network, or device is the target and not a security countermeasure?
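The matrix becomes useful once each asset gets a score per criterion and the totals are ranked, so that the defender knows what to secure first. The following is an added example, not code from the original post: it assumes a 1 (low) to 5 (high) score per criterion (the post fixes no scale), equal weights by default with optional per-criterion weights, and a small constructed inventory of hypothetical assets.

```python
from dataclasses import dataclass

# Assumption: each criterion is scored 1 (low) to 5 (high); the post does not fix a scale.
SCALE_MIN, SCALE_MAX = 1, 5
CRITERIA = ("criticality", "accessibility", "recuperability",
            "vulnerability", "effect", "recognizability")


@dataclass(frozen=True)
class CarverScore:
    """One row of the CARVER matrix: an asset and its six criterion scores."""
    asset: str
    criticality: int
    accessibility: int
    recuperability: int
    vulnerability: int
    effect: int
    recognizability: int

    def __post_init__(self):
        # Reject scores outside the agreed scale so a typo cannot skew the ranking.
        for name in CRITERIA:
            value = getattr(self, name)
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{self.asset}: {name}={value!r} outside {SCALE_MIN}..{SCALE_MAX}")

    def total(self, weights=None):
        """Sum of the six scores; a weight per criterion may emphasise e.g. Criticality."""
        weights = weights or {}
        return sum(getattr(self, name) * weights.get(name, 1) for name in CRITERIA)


def rank_assets(scores, weights=None):
    """Return (asset, total) pairs with the highest total first.

    The asset at the top is the one whose compromise would hurt most and is
    easiest to reach, i.e. the one to secure first.  Ties break alphabetically
    so the output is stable.
    """
    return sorted(((s.asset, s.total(weights)) for s in scores),
                  key=lambda pair: (-pair[1], pair[0]))


# Constructed sample inventory (hypothetical assets, not from the original post).
SAMPLE = [
    #           asset            C  A  R  V  E  R
    CarverScore("customer-db",   5, 2, 5, 3, 5, 4),
    CarverScore("public-website", 3, 5, 2, 4, 3, 5),
    CarverScore("dev-jumphost",  3, 4, 2, 4, 3, 2),
    CarverScore("printer-vlan",  1, 4, 1, 4, 1, 3),
]

if __name__ == "__main__":
    print("Unweighted ranking:")
    for asset, total in rank_assets(SAMPLE):
        print(f"  {asset:16s} {total}")
    # Example of stressing the two business-impact criteria.
    print("Criticality and Effect weighted x2:")
    for asset, total in rank_assets(SAMPLE, {"criticality": 2, "effect": 2}):
        print(f"  {asset:16s} {total}")
```

Because the scores are ordinal judgements, the value of the exercise lies less in the exact totals than in making the assessors argue each score per asset; the weights option exists so a team can agree, for instance, that Criticality and Effect matter more to them than Recognizability without rewriting the matrix.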