Protiviti / SharePoint Blog


April 10
SharePoint Security: CARVER Matrix - Part 1

The “CARVER Matrix” was developed by the United States special operations forces during the Vietnam War. “CARVER” is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability and is a system to identify and rank specific targets so that attack resources can be efficiently used. This system was developed in order to aid “Special Operations Forces (SOF)” and more recently “Department of Energy (DOE)“, “Department of State (DOS)“, “Department of Homeland Security (DHS)” and various private and commercial security assets, in target selection and Risk/Vulnerability assessments by calculating the value of a given potential target and the ease with which such a target could be neutralized. Or in other words, it’s a logical way of looking at what one might want to do and whether or not it is possible, based on the resources one has to work with.


Criticality: What is the value of the system? Will it cause significant impact if compromised?

Accessibility: How easily can I reach the target? Is the target system connected to the internet or a network?

Recuperability: How long will it take to recover from this type of attack or breach?

Vulnerability: What knowledge is needed to exploit the target? How vulnerable is it to this attack or to subsequent attacks? Can I use known exploits or possibly zero-day exploits?

Effect: What is the total fallout that would result from malicious actions performed on the systems?

Recognizability: How easy is it to recognize the specific system rather than a countermeasure system? Can the systems be easily identified?

The “CARVER Matrix” maps all these questions into an easy table, so you can see at a glance the rating for a particular system or threat. Of course the military would use this differently than I am going to, as their targets are not primarily SharePoint Farms.

The table itself is made up of the word “CARVER“ across the top, with the list of “TARGETS” (in our case the list of systems that make up the SharePoint Solution) down the side. We then rank each system against each of the six “CARVER” categories, with 5 being the highest value to look at.


So based on my assessment of a fictitious SharePoint Environment, we can see that the high priority value systems would be the SQL Server, Active Directory or the Email Server. Of course these three would come out on top as they have the “keys to the kingdom” so to speak. However if we look at the scores, even though “Active Directory” is the highest value system, its low score for accessibility and the skill level needed mean it is not a viable option for an entry point. We can also look at other scores, and we can see that our Web Servers come pretty close to being a target. This now helps me not only to identify the highest value systems but also those with a low score on how easy it is to penetrate the component.
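The scoring described above, as an added example that is not the blog's own table or code: a constructed set of SharePoint farm components is rated on the six categories, ranked by total value, and then separately checked for realistic entry points by combining accessibility and vulnerability, which is the distinction drawn for Active Directory above. The 1-to-5 scale, the component list and every rating are assumptions made for illustration.

```python
from dataclasses import dataclass

# CARVER categories in the order the acronym lists them.
CATEGORIES = ("criticality", "accessibility", "recuperability",
              "vulnerability", "effect", "recognizability")

@dataclass(frozen=True)
class CarverScore:
    system: str
    criticality: int
    accessibility: int
    recuperability: int
    vulnerability: int
    effect: int
    recognizability: int

    def __post_init__(self):
        # Assumed scale: each category is rated 1 (lowest) to 5 (highest concern).
        for c in CATEGORIES:
            if not 1 <= getattr(self, c) <= 5:
                raise ValueError(f"{self.system}.{c} must be in 1..5")

    def total(self) -> int:
        # Overall CARVER value of the component (higher = more important to protect).
        return sum(getattr(self, c) for c in CATEGORIES)

    def ease_of_entry(self) -> int:
        # Reachability plus exploitability, judged separately from value (max 10).
        return self.accessibility + self.vulnerability

# Constructed ratings for a fictitious farm (assumptions, not the blog's own table).
FARM = [
    CarverScore("Active Directory", 5, 1, 5, 1, 5, 5),
    CarverScore("SQL Server",       5, 2, 4, 2, 5, 3),
    CarverScore("Email Server",     4, 3, 4, 3, 4, 3),
    CarverScore("Web Servers",      3, 5, 2, 4, 3, 3),
    CarverScore("Search Server",    2, 2, 2, 2, 2, 3),
]

def rank_by_value(farm):
    """Components ordered by total score: the 'keys to the kingdom' first."""
    return [s.system for s in sorted(farm, key=CarverScore.total, reverse=True)]

def likely_entry_points(farm, threshold=7):
    """Components reachable and exploitable enough to be realistic entry points."""
    hits = [s for s in farm if s.ease_of_entry() >= threshold]
    return [s.system for s in sorted(hits, key=CarverScore.ease_of_entry, reverse=True)]
```

With these constructed ratings Active Directory tops the value ranking yet never appears as an entry point, while the Web Servers do, which is the split the matrix is meant to expose.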

This approach can be used for all kinds of things, not just checking our SharePoint Solutions. The following image comes from “HP“, where it asks the question “Are you defending the right things?”


Hopefully you can see that using this approach can help us as organizations to visually see the risk associated with elements of our solutions, and of course remember it can be applied to all aspects of a SharePoint Environment. If we expanded the list we had earlier it could look like this:

Of course then our values may be different, but we would quite quickly know the areas that we need to improve to make our SharePoint Environment more secure.

In the next few posts we will look at Security within SharePoint, with a deeper look at the various layers of Protection that we need to focus on. 

Liam is an Associate Director within Protiviti’s Software Services team. He is the Senior Solution Architect within Protiviti’s SharePoint practice and is recognized as an eight time Microsoft SharePoint MVP. You can learn more about Liam by following him on Twitter @helloitsliam​ or his blog  

