© 2001 by Carnegie Mellon University SS5 -1
OCTAVE(SM) Process 5
Background on Vulnerability Evaluations
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
Vulnerability Evaluation Topics
• Terminology
• Vulnerability tools
• Vulnerability reports
• Strategies for conducting vulnerability evaluations
Terminology
Technology vulnerability
• weakness in a system that can directly lead to unauthorized action
Exploit
• process of using a technology vulnerability to violate security policy
Vulnerability Tools
Vulnerability tools identify
• known weaknesses in technology
• misconfigurations of ‘well known’ administrative functions, such as
  - file permissions on certain files
  - accounts with null passwords
• what an attacker can determine about your systems and networks
What Vulnerability Tools Identify
[Figure: the operational practice areas from the OCTAVE catalog of practices]
Operational Practice Areas
Physical Security
• Physical Security Plans and Procedures
• Physical Access Control
• Monitoring and Auditing Physical Security
Information Technology Security
• System and Network Management
• System Administration Tools
• Monitoring and Auditing IT Security
• Authentication and Authorization
• Vulnerability Management
• Encryption
• Security Architecture and Design
Staff Security
• Incident Management
• General Staff Practices
What Vulnerability Identification Tools Do Not Identify
Misapplied or improper system administration (users, accounts, configuration settings)
Unknown vulnerabilities in operating systems, services, applications, and infrastructure
Incorrect adoption or implementation of organizational procedures
Vulnerability Evaluation Tools
Operating system scanners
Network infrastructure scanners
Specialty, targeted, and hybrid scanners
Checklists
Scripts
Operating System Scanners
Operating system scanners target specific operating systems, including
• Windows NT/2000
• Sun Solaris
• Red Hat Linux
• Apple Mac OS
Network Infrastructure Scanners
Network infrastructure scanners target the network infrastructure components, including
• routers and intelligent switches
• DNS servers
• firewall systems
• intrusion detection systems
Specialty, Targeted, and Hybrid Scanners
Specialty, targeted, and hybrid scanners target a range of services, applications, and operating system functions, including
• web servers (CGI, Java)
• database applications
• registry information (Windows NT/2000)
• weak password storage and authentication services
Checklists
Checklists provide the same functionality as automated tools.
Checklists are manual, not automated.
Checklists require a consistent review of the items being checked and must be routinely updated.
Scripts
Scripts provide the same functionality as automated tools but they usually have a singular function.
The more items you test, the more scripts you’ll need.
Scripts require a consistent review of the items being checked and must be routinely updated.
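The two administrative misconfigurations named on the Vulnerability Tools slide, file permissions on certain files and accounts with null passwords, are exactly the kind of single-function checks a script performs. The following is an added example, not part of the OCTAVE course material: each check is one small function, the findings are ranked by severity the way a tool report would present them, and the inputs (a shadow-format account file and a set of file modes) are constructed samples so the checks run offline rather than against a live host.

```python
"""Single-purpose checks of the kind a vulnerability script performs.

Added example, not from the OCTAVE course material. Two checks the
'Vulnerability Tools' slide names (accounts with null passwords and weak
file permissions) are run over constructed sample data so they execute
offline; on a real host the same functions would be fed the contents of
/etc/shadow and the results of os.stat().
"""
import stat

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample in /etc/shadow format (username:password-hash:...).
# An empty second field means the account has no password at all;
# "*" or "!" means the account is locked, which is not a null password.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
backup:!:19000:0:99999:7:::
kiosk::19000:0:99999:7:::
"""

# Constructed sample of path -> permission bits, standing in for os.stat().
SAMPLE_MODES = {
    "/etc/passwd": 0o644,
    "/etc/shadow": 0o640,
    "/etc/cron.d/backup": 0o666,
    "/usr/local/bin/deploy.sh": 0o777,
    "/home/alice/notes.txt": 0o600,
}


def null_password_accounts(shadow_text):
    """Return usernames whose password field is empty (a null password)."""
    found = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; not an account entry
        if fields[1] == "":
            found.append(fields[0])
    return found


def world_writable_paths(modes):
    """Return paths whose mode grants write permission to 'other'."""
    return sorted(path for path, mode in modes.items() if mode & stat.S_IWOTH)


def shadow_readable_by_others(modes):
    """True if the password-hash file is readable by every local user."""
    return bool(modes.get("/etc/shadow", 0) & stat.S_IROTH)


def rank_findings(findings):
    """Order findings by severity, then by item name, as a report would."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


def run_checks(shadow_text, modes):
    """Run every check and return ranked (severity, item, description) tuples."""
    findings = []
    for user in null_password_accounts(shadow_text):
        findings.append(("high", user, "account has a null password"))
    if shadow_readable_by_others(modes):
        findings.append(("high", "/etc/shadow", "password hashes readable by all users"))
    for path in world_writable_paths(modes):
        # A world-writable file under /etc changes system behaviour; rank it higher.
        severity = "high" if path.startswith("/etc/") else "medium"
        findings.append((severity, path, "file is world-writable"))
    return rank_findings(findings)


if __name__ == "__main__":
    for severity, item, description in run_checks(SAMPLE_SHADOW, SAMPLE_MODES):
        print(f"[{severity.upper():6}] {item}: {description}")
```

Each function tests one item, which is the slide's point about scripts: adding a third item (say, a check that the password file is not group-writable) means adding a third function and a third line in run_checks, and every such function has to be re-read whenever the platform's expected modes change.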
Vulnerability Tool Reports
Vulnerability reports usually provide:
• identification and ranking of the severity of technological weaknesses found
• mitigation and corrective steps to eliminate vulnerabilities
Determine what information you require, and then match your requirements to the report(s) provided by the tool(s).
Sample Report
Other Report Data
Scoping Vulnerability Evaluations
You need to scope a vulnerability evaluation.
Two approaches are
• examining every component of your computing infrastructure over a defined period of time (comprehensive vulnerability evaluation)
• grouping similar components into categories and examining selected components from each category (targeted vulnerability evaluation)
Targeted Vulnerability Evaluation Strategies
Strategies for targeted vulnerability evaluations include grouping similar components into categories.
Categories can include
• how components are used
• the primary operators of components
• classes of components
OCTAVE Phase 2 Strategy
Phase 2 of OCTAVE is a targeted vulnerability evaluation.
Key classes of components are identified by considering how critical assets are
• stored
• processed
• transmitted
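The three scoping slides above (comprehensive versus targeted evaluation, the categories used for grouping, and the Phase 2 rule of starting from where critical assets are stored, processed and transmitted) are easier to compare on a concrete inventory. The following is an added example, not OCTAVE's own tooling: a constructed inventory is first scheduled for a comprehensive evaluation, then reduced to a targeted one by keeping only the components that handle a critical asset, grouping them by class, usage or operator, and selecting a bounded sample from each group. The last function lists what the targeted choice leaves unexamined, which is the residual risk the evaluation team should record.

```python
"""Scoping a vulnerability evaluation: comprehensive versus targeted.

Added example, not part of the OCTAVE course material. The inventory,
asset name and category values are constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory. 'roles' maps a critical asset name to how this
# component handles it: stored, processed or transmitted.
INVENTORY = [
    {"name": "db01", "class": "database server", "usage": "production",
     "operator": "dba", "roles": {"patient-records": "stored"}},
    {"name": "db02", "class": "database server", "usage": "production",
     "operator": "dba", "roles": {"patient-records": "stored"}},
    {"name": "web01", "class": "web server", "usage": "production",
     "operator": "webadmin", "roles": {"patient-records": "processed"}},
    {"name": "web02", "class": "web server", "usage": "production",
     "operator": "webadmin", "roles": {"patient-records": "processed"}},
    {"name": "rtr01", "class": "router", "usage": "production",
     "operator": "netops", "roles": {"patient-records": "transmitted"}},
    {"name": "ws-alice", "class": "workstation", "usage": "office",
     "operator": "staff", "roles": {"patient-records": "processed"}},
    {"name": "dev01", "class": "workstation", "usage": "development",
     "operator": "developers", "roles": {}},
]


def comprehensive_schedule(inventory, windows):
    """Comprehensive evaluation: every component, spread round-robin over
    a fixed number of evaluation windows within the defined period."""
    plan = [[] for _ in range(windows)]
    for i, comp in enumerate(sorted(inventory, key=lambda c: c["name"])):
        plan[i % windows].append(comp["name"])
    return plan


def key_components(inventory, asset):
    """OCTAVE Phase 2 criterion: components that store, process or
    transmit the named critical asset."""
    return [c for c in inventory if asset in c["roles"]]


def group_by(components, category):
    """Group components by one category: 'class', 'usage' or 'operator'."""
    groups = defaultdict(list)
    for comp in components:
        groups[comp[category]].append(comp)
    return dict(groups)


def select_targets(components, category, per_group=1):
    """Targeted evaluation: up to per_group components from each category
    value, chosen in name order so the selection is reproducible."""
    selection = {}
    for value, members in sorted(group_by(components, category).items()):
        names = sorted(m["name"] for m in members)
        selection[value] = names[:per_group]
    return selection


def unevaluated(components, selection):
    """Components the targeted selection leaves unexamined."""
    chosen = {name for names in selection.values() for name in names}
    return sorted(c["name"] for c in components if c["name"] not in chosen)


if __name__ == "__main__":
    print("comprehensive, 3 windows:", comprehensive_schedule(INVENTORY, 3))
    key = key_components(INVENTORY, "patient-records")
    by_class = select_targets(key, "class")
    print("targeted by class:", by_class)
    print("not evaluated:", unevaluated(key, by_class))
```

Grouping by a different category changes which components are sampled: by operator, the two database servers both fall under the same group and only one is examined unless per_group is raised, while grouping by class gives the same result for a different reason. The team should pick the category that best reflects how components are actually configured and maintained, since that is what makes one member representative of the rest.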