classification of vulnerabilities

1

Classification of vulnerabilitiesUsing CVE, CWE and CVSS

26/03/2015 Mayur Mehta

2

Index

> Introduction> Building Blocks> Acronyms> Heartbleed bug example> CVE> CWE> CVSS> Main differences

3

Everything is Connected

4

Cyber Threats Emerged Over Time

5

Solutions Also Emerged Over Time

6

Architecting Security with Information Standards

7

Building Blocks

> Enumerations : Standard ways for enumerating “things we care about”> Catalog the fundamental entities in IA, Cyber Security, and Software Assurance

- Vulnerabilities (CVE), misconfigurations (CCE), software packages (CPE), malware (CME), attack patterns (CAPEC), weaknesses in code/design/architecture (CWE)

> Languages/Formats: Languages/Formats for encoding/carrying high fidelity content about the “things we care about”

> Support the creation of machine-readable state assertions, assessment results, and messages- Configuration/vulnerability/patch/asset patterns (XCCDF & OVAL), results from standards-based

assessments (CRF), software security patterns (SBVR), event patterns (CEE), malware patterns (MAEC), risk of a vulnerability (CVSS), information messages (CAIF & *DEF)

> Repositories: Repositories of this content for use in communities or individual organizations

> Packages of assertions supporting a specific application- Vulnerability advisories & alerts, (US-CERT Advisories/IAVAs), configuration assessment (NIST

Checklists, CIS Benchmarks, NSA Configuration Guides, DISA STIGS), asset inventory (NIST/DHS NVD), code assessment & certification (NIST SAMATE, DoD DIACAP & eMASS)

8

Acronyms

Security Content Automation Protocol (SCAP)

9

Heartbleed bug example

> Taking the Heartbleed bug as an example, this particular vulnerability is listed under a specific CVE identifier of CVE-2014-0160. It is also classified under the more general CWE-200: Information Exposure weakness. In addition, it has been given an CVSS Score of 6.4.

10

CVE

The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security. [1] CVE is used by the Security Content Automation Protocol, and CVE IDs are listed on MITRE's system [2] as well as the US National Vulnerability Database.

Wiki link: http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures Year wise data: http://www.cvedetails.com/browse-by-date.php

11

CWE

Common Weakness Enumeration is a software community project that aims at creating a catalog of software weaknesses and vulnerabilities. The goal of the project is to better understand flaws in software and to create automated tools that can be used to identify, fix, and prevent those flaws. [1]The project is sponsored by Mitre Corporation. In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements, shown below:

Wiki link: http://en.wikipedia.org/wiki/Common_Weakness_Enumeration MITRE database: http://cwe.mitre.org/data/slices/2000.html

12

CVSS

Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It is under the custodianship of NIST. [1] It attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so efforts can be prioritized. The scores are based on a series of measurements (called metrics) based on expert assessment. The scores range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9 as Medium, and 0-3.9 as Low.

Versions: CVSSv1 – 2004, CVSSv2 – (the current version) launched in 2007, CVSSv3 – expected to be released in late 2015.

The CVSS assessment measures three areas of concern:1. Base Metrics for qualities intrinsic to a vulnerability2. Temporal Metrics for characteristics that evolve over the lifetime of vulnerability3. Environmental Metrics for vulnerabilities that depend on a particular implementation or environmentWiki link: http://en.wikipedia.org/wiki/CVSS Calculator: https://nvd.nist.gov/CVSS-v2-Calculator?vector=%28AV:L/AC:H/Au:N/C:N/I:P/A:C%29

13

Main differences

> Main differences between the three standards

CVE CWE CVSS

Full Name Common Vulnerabilities and Exposures

Common Weaknesses Enumeration

Common Vulnerabilities Scoring System

What is it? A dictionary of publicly known security vulnerabilities and exposures.

A community-developed dictionary of software weakness types.

A vendor-agnostic industry open-standard designed to convey vulnerability severity.

Main Benefit Easier to share vulnerability data across different databases and tools. Different security tools can now “talk” to each other using a common language.

Provides a standard measuring stick for software security.

Helps determine urgency and priority of response when vulnerabilities are detected.

Solution Provides a baseline for evaluating the coverage of an organization’s security tools.

Provides a common baseline for weaknesses identification, mitigation and prevention efforts.

Solves the problem of multiple incompatible scoring systems.

More information http://cve.mitre.org/index.html https://cwe.mitre.org http://www.first.org/cvss

14