© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Sponsored by the U.S. Department of Defense

OCTAVE℠ Process 5

Background on Vulnerability Evaluations

Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

Sponsored by the U.S. Department of Defense


Vulnerability Evaluation Topics

• Terminology

• Vulnerability tools

• Vulnerability reports

• Strategies for conducting vulnerability evaluations


Terminology

Technology vulnerability

• weakness in a system that can directly lead to unauthorized action

Exploit

• process of using a technology vulnerability to violate security policy


Vulnerability Tools

Vulnerability tools identify

• known weaknesses in technology

• misconfigurations of ‘well known’ administrative functions, such as
  - file permissions on certain files
  - accounts with null passwords

• what an attacker can determine about your systems and networks


What Vulnerability Tools Identify

Operational Practice Areas

Physical Security

• Physical Security Plans and Procedures

• Physical Access Control

• Monitoring and Auditing Physical Security

Information Technology Security

• System and Network Management

• Monitoring and Auditing IT Security

• Authentication and Authorization

• Encryption

• Vulnerability Management

• System Administration Tools

• Security Architecture and Design

Staff Security

• Incident Management

• General Staff Practices


What Vulnerability Identification Tools Do Not Identify

Misapplied or improper system administration (users, accounts, configuration settings)

Unknown vulnerabilities in operating systems, services, applications, and infrastructure

Incorrect adoption or implementation of organizational procedures


Vulnerability Evaluation Tools

Operating system scanners

Network infrastructure scanners

Specialty, targeted, and hybrid scanners

Checklists

Scripts


Operating System Scanners

Operating system scanners target specific operating systems, including

• Windows NT/2000

• Sun Solaris

• Red Hat Linux

• Apple Mac OS


Network Infrastructure Scanners

Network infrastructure scanners target the network infrastructure components, including

• routers and intelligent switches

• DNS servers

• firewall systems

• intrusion detection systems


Specialty, Targeted, and Hybrid Scanners

Specialty, targeted, and hybrid scanners target a range of services, applications, and operating system functions, including

• web servers (CGI, JAVA)

• database applications

• registry information (Windows NT/2000)

• weak password storage and authentication services


Checklists

Checklists provide the same functionality as automated tools.

Checklists are manual, not automated.

Checklists require a consistent review of the items being checked and must be routinely updated.


Scripts

Scripts provide the same functionality as automated tools but they usually have a singular function.

The more items you test, the more scripts you’ll need.

Scripts require a consistent review of the items being checked and must be routinely updated.
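A narrow-purpose audit script of the kind described here, covering the two misconfigurations named on the Vulnerability Tools slide (accounts with null passwords, file permissions on certain files). This is an added example, not part of the original slides; the shadow-format sample data is constructed, and the permission policy (no access for "other", no group write) is an assumption.

```python
import os
import stat
import tempfile

# Constructed sample in /etc/shadow format: name:password:lastchg:min:max:warn:::
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
alice:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

def null_password_accounts(shadow_text):
    """Return account names whose password field is empty."""
    findings = []
    for lineno, line in enumerate(shadow_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: not in name:password:... format")
        # "*" and a leading "!" mark locked or no-login accounts, not null passwords.
        if fields[1] == "":
            findings.append(fields[0])
    return findings

def loose_permissions(path, forbidden=stat.S_IRWXO | stat.S_IWGRP):
    """Return the octal mode if path grants any forbidden bit (assumed policy), else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return format(mode, "04o") if mode & forbidden else None

def audit(path):
    """Run both checks against one shadow-format file."""
    with open(path) as fh:
        text = fh.read()
    return {"null_passwords": null_password_accounts(text),
            "mode": loose_permissions(path)}

def run_demo():
    """Audit the constructed sample, written to a temp file that is world-readable."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shadow.sample")
        with open(path, "w") as fh:
            fh.write(SAMPLE_SHADOW)
        os.chmod(path, 0o644)  # deliberately too permissive for the demo
        return audit(path)

if __name__ == "__main__":
    print(run_demo())
```

Locked accounts (`*`, `!`) are deliberately not reported, so the output lists only accounts that can be used without a password.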


Vulnerability Tool Reports

Vulnerability reports usually provide:

• identification and ranking of the severity of technological weaknesses found

• mitigation and corrective steps to eliminate vulnerabilities

Determine what information you require, and then match your requirements to the report(s) provided by the tool(s).


Sample Report


Other Report Data


Scoping Vulnerability Evaluations

You need to scope a vulnerability evaluation.

Two approaches are

• examining every component of your computing infrastructure over a defined period of time (comprehensive vulnerability evaluation)

• grouping similar components into categories and examining selected components from each category (targeted vulnerability evaluation)


Targeted Vulnerability Evaluation Strategies

Strategies for targeted vulnerability evaluations include grouping similar components into categories.

Categories can include

• how components are used

• the primary operators of components

• classes of components


OCTAVE Phase 2 Strategy

Phase 2 of OCTAVE is a targeted vulnerability evaluation.

Key classes of components are identified by considering how critical assets are

• stored

• processed

• transmitted