An Extension of Haruspex to Cover Vulnerabilities in Application Environments

摘要

Haruspex is a suite of tools that assesses ICT risk through a scenario approach. Each scenario includes the target system and some threat agents that compose the attacks enabled by the system vulnerabilities to reach some predefined goals. The suite applies a Monte Carlo method with multiple simulations of the agent attacks against the target system. The simulation applies a formal model of the target system that describes the system nodes, the components with their vulnerabilities, and the logical topology. This paper proposes an extension to model in a more accurate way how the relations and the interactions among applications affect the agent attacks. After introducing this extension, we show how it supports the modeling of web applications. Then, we adopt the new model to assess a critical infrastructure that supervises and manages gas distribution.