TRANSCRIPT
An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance
Presented by: John Banghart, Booz Allen Hamilton, SCAP Validation Project Lead
Thoughts on Current State of Vulnerability and Configuration Management
Automation and communication are normally limited to a single discipline: vulnerability, compliance, configuration, and asset management remain compartmentalized.
Automation and communication usually occur through proprietary methods; therefore data sharing, analysis, aggregation, etc. are typically only possible within a product line.
Increasing number of mandates means an increasing number of frameworks, standards, regulations, and guidelines; sometimes these documents conflict.
Relatively static number of security configurations.
Increasing number and complexity of vulnerabilities and threats.
Agenda
Overview of the Security Content Automation Protocol (SCAP)
Overview of the SCAP Standards
SCAP Validation Program
SCAP Use Cases
A Definition of SCAP
SCAP is a suite of vulnerability management standards that together enable standardization and automation of vulnerability management, measurement, and technical policy compliance checking along with enhanced product and database integration capabilities with machine readable reporting.
Security Content Automation Protocol (SCAP): Standardizing How We Communicate
Languages and enumerations:
CVE - Common Vulnerability Enumeration: standard nomenclature and dictionary of security related software flaws
CCE - Common Configuration Enumeration: standard nomenclature and dictionary of software misconfigurations
CPE - Common Platform Enumeration: standard nomenclature and dictionary for product naming
XCCDF - eXtensible Checklist Configuration Description Format: standard XML for specifying checklists and for reporting results of checklist evaluation
OVAL - Open Vulnerability and Assessment Language: standard XML for test procedures
CVSS - Common Vulnerability Scoring System: standard for measuring the impact of vulnerabilities
Integrating IT and IT Security Through SCAP
[Diagram: Asset Management, Vulnerability Management, Configuration Management, Compliance Management and Misconfiguration, linked through the SCAP standards CVE, CPE, CCE, OVAL, CVSS and XCCDF]
Linking Configuration to Compliance

<Group id="IA-5" hidden="true">
  <title>Authenticator Management</title>
  <reference>ISO/IEC 17799: 11.5.2, 11.5.3</reference>
  <reference>NIST 800-26: 15.1.6, 15.1.7, 15.1.9, 15.1.10, 15.1.11, 15.1.12, 15.1.13, 16.1.3, 16.2.3</reference>
  <reference>GAO FISCAM: AC-3.2</reference>
  <reference>DOD 8500.2: IAKM-1, IATS-1</reference>
  <reference>DCID 6/3: 4.B.2.a(7), 4.B.3.a(11)</reference>
</Group>

<Rule id="minimum-password-length" selected="false" weight="10.0">
  <reference>CCE-100</reference>
  <reference>DISA STIG Section 5.4.1.3</reference>
  <reference>DISA Gold Disk ID 7082</reference>
  <reference>PDI IAIA-12B</reference>
  <reference>800-68 Section 6.1 - Table A-1.4</reference>
  <reference>NSA Chapter 4 - Table 1 Row 4</reference>
  <requires idref="IA-5"/>
  <!-- [pointer to OVAL test procedure] -->
</Rule>
Rationale for security configuration
Traceability to Mandates
Traceability to Guidelines
Keyed on SP800-53 Security Controls
SCAP Enumerations and Benefits
Enable faster, more accurate correlation.
Facilitate information exchange: Requirements (what do we need to check for?), Reporting (what did we find?), Roll-up (how do standard elements map to local needs?).
Allow increased automation: diverse tools can share input and output.
Enumerated Entities in SCAP
CVE - Vulnerabilities
CCE - Configuration Settings
CPE - Platforms
Common Vulnerability Enumeration (CVE)
Definition: CVE is a format to describe publicly known information security vulnerabilities and exposures. Using this format, new CVE IDs will be created, assigned, and referenced in content on an as-needed basis without a version change.
33,000 vulnerabilities (publicly accessible)
Specification: http://cve.mitre.org
Searchable Database: http://nvd.nist.gov
XML Feeds: http://nvd.nist.gov
Common Configuration Enumeration (CCE)
Definition: CCE is a format to describe system configuration issues to facilitate correlation of configuration data across multiple information sources and tools.
Specification: http://cce.mitre.org
Schema Location: http://cce.mitre.org
Example CCE
Assigns standardized identifiers to configuration issues, allowing comparability and correlation
ID: CCE-3121-1
Description: The "restrict guest access to application log" policy should be set correctly.
Technical Mechanisms: (1) HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy
Parameter: enabled/disabled
Common Platform Enumeration (CPE)
Definition: CPE is a structured naming scheme for IT platforms (hardware, operating systems, and applications) for the purpose of identifying specific platform types.
Specification: http://cpe.mitre.org
Schema Location: http://cpe.mitre.org/specification/index.html
Dictionary: http://nvd.nist.gov/cpe.cfm
Mailing list: http://cpe.mitre.org/registration.html
CPE Name Format
Uniform Resource Identifier (URI)
Repeatable format: two people in different rooms will come up with the same name, because the name is built by using known information
7 (optional) components:
cpe:/ part : vendor : product : version : update : edition : language
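The name format above can be exercised with a small parser and matcher. The following is an added example written for this page, not code from the presentation or from the CPE project: it splits a cpe:/ URI into the seven named components, treats omitted or empty trailing components as "any", and uses that to find which entries of a dictionary an inventoried platform satisfies. The dictionary entries in the block are constructed sample data, not the official NIST dictionary.

```python
"""Parse and match CPE 2.2 URI names (cpe:/part:vendor:product:version:update:edition:language).

Added example for this page; not code from the presentation or the CPE project.
Trailing components may be omitted; a component left empty or omitted is treated
as "any" when two names are compared, which lets a specific inventory name be
matched against the shorter names found in a dictionary.
"""

COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")
PARTS = {"a": "application", "o": "operating system", "h": "hardware"}


def parse_cpe(name):
    """Split a cpe:/ URI into a dict of its seven components (None = unspecified)."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    fields = name[len("cpe:/"):].lower().split(":")
    if len(fields) > len(COMPONENTS):
        raise ValueError(f"more than {len(COMPONENTS)} components in {name!r}")
    if fields[0] not in PARTS:
        raise ValueError(f"part must be one of {sorted(PARTS)}: {name!r}")
    fields += [""] * (len(COMPONENTS) - len(fields))  # pad omitted trailing components
    return {key: (value or None) for key, value in zip(COMPONENTS, fields)}


def format_cpe(components):
    """Rebuild the canonical URI: empty trailing components are dropped, inner ones kept."""
    values = [components.get(key) or "" for key in COMPONENTS]
    while values and values[-1] == "":
        values.pop()
    return "cpe:/" + ":".join(values)


def matches(specific, general):
    """True when every component set in `general` equals the same component of `specific`."""
    s, g = parse_cpe(specific), parse_cpe(general)
    return all(g[key] is None or g[key] == s[key] for key in COMPONENTS)


# Constructed sample dictionary (the official one is hosted at http://nvd.nist.gov/cpe.cfm).
SAMPLE_DICTIONARY = [
    "cpe:/o:microsoft:windows_xp",
    "cpe:/o:microsoft:windows_xp::sp2",
    "cpe:/o:microsoft:windows_xp::sp3",
    "cpe:/o:microsoft:windows_vista",
    "cpe:/a:mozilla:firefox:2.0.0.1",
]


def lookup(inventory_name, dictionary=SAMPLE_DICTIONARY):
    """Return the dictionary names an inventoried platform satisfies, most specific first."""
    hits = [entry for entry in dictionary if matches(inventory_name, entry)]
    # more non-empty components = more specific; sorted() is stable, so ties keep dictionary order
    return sorted(hits, key=lambda entry: -sum(v is not None for v in parse_cpe(entry).values()))


if __name__ == "__main__":
    for name in ("cpe:/o:microsoft:windows_xp::sp3:pro", "cpe:/a:mozilla:firefox:3.0"):
        print(name, "->", lookup(name) or "no dictionary entry")
```

The matcher is deliberately one-directional: a scanner's fully qualified name (service pack and edition filled in) matches the shorter dictionary names, but a dictionary name that pins a different update (sp2 versus sp3) does not match. This is what lets vulnerability data keyed on a general name be applied to a specific asset without string-searching product names.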
Official CPE Dictionary
Collection of known CPE Names:
helps users determine which names exist
helps those creating new names
enough information to identify the platform
others can build more elaborate repositories based off the dictionary
Hosted by NIST at: http://nvd.nist.gov/cpe.cfm
Security Data Without Enumerations
Data correlation and product integration is: mostly manual, keyword driven, costly, error prone, pair-wise between data sets, unscalable.
Result: data is locked in proprietary repositories.
[Diagram: Web Sites, Guidance Documents, Assessment Tools, Management Tools, Alerts & Advisories, Reporting Tools]
Security Data With Enumeration
Common identifiers: community agreed upon "tags", easily added to legacy repositories & tools.
KEY: common identification enables correlation and product integration! Faster, more accurate, less expensive.
[Diagram: Web Sites, Assessment Tools, Management Tools, Alerts & Advisories, Reporting Tools, Guidance Documents]
eXtensible Checklist Configuration Description Format (XCCDF)
Definition: XCCDF is an XML-based language for representing security checklists in a machine-readable form. An XCCDF document represents a structured collection of security checks.
Designed for three purposes: driving system security checking tools; generating human-readable documents and reports; scoring and tracking compliance.
Specification: http://nvd.nist.gov/xccdf.cfm
Schema Location: http://nvd.nist.gov/xccdf.cfm
XCCDF Use Cases
[Diagram: XCCDF Document; outputs and consumers: HTML, XML, Other tools, Compliance tools]
XCCDF and Checking Engines
XCCDF does not specify platform-specific system rule checking logic. The Rule/check element contains information for driving a platform-specific checking engine.
[Diagram: XCCDF Benchmark Compliance Tester: XCCDF Benchmark, tailoring values and tests to perform, platform-specific checking engine, target system, test results]
Open Vulnerability Assessment Language (OVAL)
Definition: OVAL is an XML-based language used for communicating the details of vulnerabilities, patches, security configuration settings, and other machine states in a machine-readable form.
Specification: http://oval.mitre.org
Schema Location: http://oval.mitre.org/language/download/schema/version5.3/index.html
Structure of an OVAL Definition
Common Vulnerability Scoring System (CVSS)
Definition: CVSS is a scoring system that provides an open framework for determining the impact of information technology vulnerabilities and a format for communicating vulnerability characteristics.
Specification: http://csrc.nist.gov/publications/nistir/ir7435/NISTIR-7435.pdf
SCAP CVSS Base Scores: http://nvd.nist.gov
Metrics and Scores
[Screenshot: National Vulnerability Database CVSS calculator]
http://nvd.nist.gov/cvss.cfm?calculator&version=2
SCAP Validation Program
Provides product conformance testing for Security Content Automation Protocol (SCAP) and the SCAP component standards.
National Voluntary Laboratory Accreditation Program: independent testing laboratories; reports validated by NIST.
http://nvd.nist.gov/validation.cfm (Validation Program)
http://nvd.nist.gov/scapproducts.cfm (Validated Products)
SCAP Validation Capabilities
Currently being validated:
FDCC Scanner
Authenticated Vulnerability and Patch Scanner
Authenticated Configuration Scanner
Unauthenticated Vulnerability Scanner
Mis-configuration Remediation
Vulnerability Database
Mis-configuration Database

Currently on list, not yet being validated:
Intrusion Detection and Prevention Systems (IDPS)*
Patch Remediation*
Malware Tool*
Asset Scanner*

SCAP Component Standards
Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org
Common Configuration Enumeration (CCE): http://cce.mitre.org
Common Platform Enumeration (CPE)*: http://cpe.mitre.org
Common Vulnerability Scoring System (CVSS): http://www.first.org/cvss/index.html
eXtensible Configuration Checklist Document Format (XCCDF): http://nvd.nist.gov/xccdf.cfm
Open Vulnerability Assessment Language (OVAL): http://oval.mitre.org
* Not currently available for validation
19 SCAP Validated Products from 13 Vendors
SCAP Validation Program was started February 2008
Reference Implementations
NIST XCCDF interpreter: Java based; uses the MITRE OVAL interpreter for processing.
MITRE OVAL Interpreter: open source, BSD license.
National Vulnerability Database
NVD is the U.S. government repository of public vulnerability management information. It is designed to be based on and support vulnerability management standards (especially SCAP).
It receives 69 million hits per year.
Used by Payment Card Industry, Federal Desktop Core Configuration, DHS, GSA Smartbuy, and security products.
NVD Program Areas
Vulnerability Database: security related software flaws; 33,000 vulnerabilities.
National Checklist Program: repository of low level checklists for securing OSs and applications; 132 checklists; Federal Desktop Core Configuration (FDCC) support.
Validation Program: product conformance to the Security Content Automation Protocol (SCAP).
National Checklist Program, hosted by the National Vulnerability Database
Use Case: The Office of Secretary of Defense Computer Network Defense Data Pilot
Computer Network Defense: streamline and automate vulnerability and configuration management across the U.S. Department of Defense (DOD).
Draft DOD CONOPS for SCAP:
SCAP enable the NIST National Vulnerability Database (NVD)
SCAP enable the DISA Vulnerability Management System (VMS)
Integrate NVD and VMS
NVD and DISA Vulnerability Management System Integration
Relationship between the Federal Desktop Core Configuration (FDCC) and SCAP.
FDCC: A set of configuration settings designed to secure Windows XP and Windows Vista (policy)
SCAP: A method for representing configuration and/or vulnerability information in machine-readable format (technology)
Together: FDCC represented in machine-readable format using SCAP (technology enabling policy)
FDCC XML Sample

<Rule id="at.exePermissions" selected="false" weight="10.0">
  <title>at.exe Permissions</title>
  <description>Failure to properly configure ACL file and directory permissions, allows the possibility of unauthorized and anonymous modification to the operating system and installed applications.</description>
  <reference>
    <dc:type>GPO</dc:type>
    <dc:source>Computer Configuration\Windows Settings\Security Settings\File System</dc:source>
  </reference>
  <requires idref="CM-6"/>  <!-- 800-53 reference -->
  <requires idref="AC-3"/>
  <ident system="http://cce.mitre.org">CCE-393</ident>  <!-- CCE -->
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <check-content-ref href="fdcc-winxp-oval.xml" name="oval:gov.nist.fdcc.xp:def:129"/>  <!-- OVAL -->
  </check>
</Rule>
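The two XCCDF fragments on these slides (the "Linking Configuration to Compliance" Group/Rule and the FDCC Rule above) carry the same three links: a CCE identifier, one or more `requires` pointers to SP 800-53 control Groups, and a `check` element naming the OVAL definition a platform-specific checking engine evaluates, which is the mechanism the "XCCDF and Checking Engines" slide describes. The following is an added example written for this page, not code from the presentation, NIST or MITRE: it parses a small constructed benchmark modelled on those fragments and produces both a control-to-rule traceability report and the work list of OVAL definitions to hand to a checking engine. The XCCDF 1.1 and Dublin Core namespace URIs, the file name sample-oval.xml, the oval:example:def:N definition names and the Group titles are assumptions of the example, not values taken from the slides.

```python
"""Extract the configuration-to-compliance links from an XCCDF benchmark.

Added example for this page; not code from the presentation, NIST or MITRE.
Parses a constructed benchmark modelled on the slides' fragments and reports,
per Rule, the CCE it identifies, the SP 800-53 control Groups it requires, and
the OVAL definition a checking engine would be handed. Namespace URIs, the OVAL
file name and definition names are assumptions.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF = "http://checklists.nist.gov/xccdf/1.1"   # assumed XCCDF 1.1 namespace
DC = "http://purl.org/dc/elements/1.1/"          # assumed Dublin Core namespace
NS = {"x": XCCDF, "dc": DC}
CCE_SYSTEM = "http://cce.mitre.org"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample benchmark (not an official FDCC file).
SAMPLE_BENCHMARK = r"""<?xml version="1.0"?>
<Benchmark id="sample" xmlns="http://checklists.nist.gov/xccdf/1.1"
           xmlns:dc="http://purl.org/dc/elements/1.1/">
  <Group id="IA-5" hidden="true"><title>Authenticator Management</title></Group>
  <Group id="CM-6" hidden="true"><title>Configuration Settings</title></Group>
  <Group id="AC-3" hidden="true"><title>Access Enforcement</title></Group>
  <Rule id="minimum-password-length" selected="false" weight="10.0">
    <title>Minimum Password Length</title>
    <reference>DISA STIG Section 5.4.1.3</reference>
    <requires idref="IA-5"/>
    <ident system="http://cce.mitre.org">CCE-100</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="sample-oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="at.exePermissions" selected="true" weight="10.0">
    <title>at.exe Permissions</title>
    <reference><dc:type>GPO</dc:type>
      <dc:source>Computer Configuration\Windows Settings\Security Settings\File System</dc:source>
    </reference>
    <requires idref="CM-6"/>
    <requires idref="AC-3"/>
    <ident system="http://cce.mitre.org">CCE-393</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="sample-oval.xml" name="oval:example:def:2"/>
    </check>
  </Rule>
</Benchmark>
"""


def load_benchmark(xml_text):
    """Return (groups, rules): group id -> title, and one dict per Rule."""
    root = ET.fromstring(xml_text)
    groups = {g.get("id"): g.findtext("x:title", default="", namespaces=NS)
              for g in root.iter(f"{{{XCCDF}}}Group")}
    rules = []
    for rule in root.iter(f"{{{XCCDF}}}Rule"):
        rule_id = rule.get("id")
        controls = [r.get("idref") for r in rule.findall("x:requires", NS)]
        undefined = [c for c in controls if c not in groups]
        if undefined:  # a dangling requires silently breaks the compliance traceability chain
            raise ValueError(f"rule {rule_id} requires undefined group(s): {undefined}")
        rules.append({
            "id": rule_id,
            "title": rule.findtext("x:title", default="", namespaces=NS),
            "selected": rule.get("selected", "true") == "true",   # XCCDF default is selected
            "weight": float(rule.get("weight", "1.0")),
            "cce": [i.text for i in rule.findall("x:ident", NS) if i.get("system") == CCE_SYSTEM],
            "controls": controls,
            "gpo_source": rule.findtext("x:reference/dc:source", default=None, namespaces=NS),
            "oval": [(ref.get("href"), ref.get("name"))
                     for chk in rule.findall("x:check", NS) if chk.get("system") == OVAL_SYSTEM
                     for ref in chk.findall("x:check-content-ref", NS)],
        })
    return groups, rules


def traceability(groups, rules):
    """Map each SP 800-53 control Group to the rules and CCEs that implement it."""
    report = {gid: {"title": title, "rules": [], "cce": []} for gid, title in groups.items()}
    for rule in rules:
        for control in rule["controls"]:
            report[control]["rules"].append(rule["id"])
            report[control]["cce"].extend(rule["cce"])
    return report


def oval_work_list(rules, selected_only=True):
    """Group the OVAL definitions a checking engine must evaluate by content file."""
    work = defaultdict(set)
    for rule in rules:
        if selected_only and not rule["selected"]:
            continue
        for href, name in rule["oval"]:
            work[href].add(name)
    return {href: sorted(names) for href, names in work.items()}


if __name__ == "__main__":
    groups, rules = load_benchmark(SAMPLE_BENCHMARK)
    for control, info in traceability(groups, rules).items():
        print(f"{control} ({info['title']}): rules={info['rules']} cce={info['cce']}")
    print("OVAL definitions to evaluate:", oval_work_list(rules))
```

The work list honours the Rule's `selected` attribute, so a benchmark where a rule is switched off (as both slide samples are, with selected="false") does not send that rule's OVAL definition to the engine; the traceability report ignores selection on purpose, because an auditor wants to see every control a benchmark could cover, not only what the current tailoring runs.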
Summary
SCAP gives us a transparent, interoperable, repeatable, and ultimately automated way to assess security software flaws and misconfiguration in the enterprise
Efficiencies gained through SCAP give our IT security teams additional cycles to address other important aspects of IT security
By linking compliance to configuration, SCAP makes compliance reporting a byproduct of good security, allowing IT security teams to focus on securing the enterprise
Questions?
Presenter: John Banghart, SCAP Validation Project Lead
[email protected]
[email protected]
SCAP Homepage: http://nvd.nist.gov/scap.cfm
SCAP Validation Tools: http://nvd.nist.gov/scapproducts.cfm
SCAP Validation Homepage: http://nvd.nist.gov/validation.cfm
National Vulnerability Database: http://nvd.nist.gov