An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance Presented by: John Banghart, Booz Allen Hamilton SCAP Validation Project Lead


Page 1: An Approach to Vulnerability Management, Configuration Management

An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance

Presented by: John Banghart, Booz Allen Hamilton, SCAP Validation Project Lead

Page 2: An Approach to Vulnerability Management, Configuration Management

Thoughts on Current State of Vulnerability and Configuration Management

Automation and communication are normally limited to a single discipline: vulnerability, compliance, configuration, and asset management remain compartmentalized

Automation and communication usually occur through proprietary methods; therefore data sharing, analysis, aggregation, etc. are typically only possible within a product line

Increasing number of mandates means an increasing number of frameworks, standards, regulations, and guidelines, and sometimes these documents conflict

Relatively static number of security configurations

Increasing number and complexity of vulnerabilities and threats

Page 3: An Approach to Vulnerability Management, Configuration Management

Agenda

Overview of the Security Content Automation Protocol (SCAP)
Overview of the SCAP Standards
SCAP Validation Program
SCAP Use Cases

Page 4: An Approach to Vulnerability Management, Configuration Management

A Definition of SCAP

SCAP is a suite of vulnerability management standards that together enable standardization and automation of vulnerability management, measurement, and technical policy compliance checking, along with enhanced product and database integration capabilities with machine-readable reporting.

Diagram: the SCAP components grouped into Languages and Enumerations

Page 5: An Approach to Vulnerability Management, Configuration Management

Security Content Automation Protocol (SCAP): Standardizing How We Communicate

CVE: Common Vulnerability Enumeration
Standard nomenclature and dictionary of security-related software flaws

CCE: Common Configuration Enumeration
Standard nomenclature and dictionary of software misconfigurations

CPE: Common Platform Enumeration
Standard nomenclature and dictionary for product naming

XCCDF: eXtensible Checklist Configuration Description Format
Standard XML for specifying checklists and for reporting results of checklist evaluation

OVAL: Open Vulnerability and Assessment Language
Standard XML for test procedures

CVSS: Common Vulnerability Scoring System
Standard for measuring the impact of vulnerabilities

Page 6: An Approach to Vulnerability Management, Configuration Management

Integrating IT and IT Security Through SCAP

Diagram: SCAP (CVE, CCE, CPE, OVAL, CVSS, XCCDF) at the centre, linking Asset Management, Vulnerability Management, Configuration Management, Compliance Management, and Misconfiguration

Page 7: An Approach to Vulnerability Management, Configuration Management

Linking Configuration to Compliance

<Group id="IA-5" hidden="true">
  <title>Authenticator Management</title>
  <reference>ISO/IEC 17799: 11.5.2, 11.5.3</reference>
  <reference>NIST 800-26: 15.1.6, 15.1.7, 15.1.9, 15.1.10, 15.1.11, 15.1.12, 15.1.13, 16.1.3, 16.2.3</reference>
  <reference>GAO FISCAM: AC-3.2</reference>
  <reference>DOD 8500.2: IAKM-1, IATS-1</reference>
  <reference>DCID 6/3: 4.B.2.a(7), 4.B.3.a(11)</reference>
</Group>

<Rule id="minimum-password-length" selected="false" weight="10.0">
  <reference>CCE-100</reference>
  <reference>DISA STIG Section 5.4.1.3</reference>
  <reference>DISA Gold Disk ID 7082</reference>
  <reference>PDI IAIA-12B</reference>
  <reference>800-68 Section 6.1 - Table A-1.4</reference>
  <reference>NSA Chapter 4 - Table 1 Row 4</reference>
  <requires idref="IA-5"/>
  [pointer to OVAL test procedure]
</Rule>

Rationale for security configuration

Traceability to Mandates

Traceability to Guidelines

Keyed on SP 800-53 Security Controls

Page 8: An Approach to Vulnerability Management, Configuration Management

Agenda

Overview of the Security Content Automation Protocol (SCAP)
Overview of the SCAP Standards
SCAP Validation Program
SCAP Use Cases

Page 9: An Approach to Vulnerability Management, Configuration Management

SCAP Enumerations and Benefits

Enable faster, more accurate correlation

Facilitate information exchange
  Requirements – what do we need to check for?
  Reporting – what did we find?
  Roll-up – how do standard elements map to local needs?

Allow increased automation
  Diverse tools can share input and output

Page 10: An Approach to Vulnerability Management, Configuration Management

Enumerated Entities in SCAP

CVE - Vulnerabilities
CCE - Configuration Settings
CPE - Platforms

Page 11: An Approach to Vulnerability Management, Configuration Management

Common Vulnerability Enumeration (CVE)

Definition: CVE is a format to describe publicly known information security vulnerabilities and exposures. Using this format, new CVE IDs are created, assigned, and referenced in content on an as-needed basis without a version change.

33,000 vulnerabilities (publicly accessible)
Specification: http://cve.mitre.org
Searchable Database: http://nvd.nist.gov
XML Feeds: http://nvd.nist.gov

Page 12: An Approach to Vulnerability Management, Configuration Management

Common Configuration Enumeration (CCE)

Definition: CCE is a format to describe system configuration issues to facilitate correlation of configuration data across multiple information sources and tools.

Specification: http://cce.mitre.org
Schema Location: http://cce.mitre.org

Page 13: An Approach to Vulnerability Management, Configuration Management

Example CCE

Assigns standardized identifiers to configuration issues, allowing comparability and correlation

ID: CCE-3121-1
Description: The "restrict guest access to application log" policy should be set correctly.
Technical Mechanisms: (1) HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy
Parameter: enabled/disabled

Page 14: An Approach to Vulnerability Management, Configuration Management

Common Platform Enumeration (CPE)

Definition: CPE is a structured naming scheme for IT platforms (hardware, operating systems, and applications) for the purpose of identifying specific platform types.

Specification: http://cpe.mitre.org
Schema Location: http://cpe.mitre.org/specification/index.html
Dictionary: http://nvd.nist.gov/cpe.cfm
Mailing list: http://cpe.mitre.org/registration.html

Page 15: An Approach to Vulnerability Management, Configuration Management

CPE Name Format

Uniform Resource Identifier (URI), repeatable format: two people in different rooms will come up with the same name, because the name is built from known information

7 (optional) components:

cpe:/ part : vendor : product : version : update : edition : language
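As an added example (not from the slides or from the NVD dictionary code), a small Python parser and builder for the seven-component CPE 2.2 URI shown above, plus the simplified component-wise matching that lets a short dictionary name cover more specific platform names. The part codes h/o/a come from the CPE specification; the matching rule is a simplification of the spec's and is labelled as such.

```python
from dataclasses import dataclass

# Component order of a CPE 2.2 URI, as given on the slide:
#   cpe:/ part : vendor : product : version : update : edition : language
CPE_PREFIX = "cpe:/"
CPE_COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")
# Values the CPE 2.2 specification allows for the "part" component.
PART_CODES = {"h": "hardware", "o": "operating system", "a": "application"}


@dataclass(frozen=True)
class CpeName:
    part: str = ""
    vendor: str = ""
    product: str = ""
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""

    def components(self) -> tuple:
        return tuple(getattr(self, c) for c in CPE_COMPONENTS)

    def to_uri(self) -> str:
        """Rebuild the URI; trailing unspecified components are omitted, as CPE 2.2 allows."""
        comps = list(self.components())
        while comps and comps[-1] == "":
            comps.pop()
        return CPE_PREFIX + ":".join(comps)


def parse_cpe(uri: str) -> CpeName:
    """Split a CPE 2.2 URI into its up-to-seven components; components not given stay empty."""
    if not uri.startswith(CPE_PREFIX):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    comps = uri[len(CPE_PREFIX):].split(":")
    if len(comps) > len(CPE_COMPONENTS):
        raise ValueError(f"more than {len(CPE_COMPONENTS)} components in {uri!r}")
    if comps[0] and comps[0] not in PART_CODES:
        raise ValueError(f"unknown part code {comps[0]!r} in {uri!r}")
    comps += [""] * (len(CPE_COMPONENTS) - len(comps))
    return CpeName(*comps)


def cpe_matches(general: str, specific: str) -> bool:
    """Simplified CPE 2.2 matching (assumption, see lead-in): an unspecified (empty) component
    in the more general name matches anything, every other component must be identical, so
    the dictionary name cpe:/o:microsoft:windows_xp covers XP at any service pack level."""
    pairs = zip(parse_cpe(general).components(), parse_cpe(specific).components())
    return all(g == "" or g == s for g, s in pairs)
```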

Page 16: An Approach to Vulnerability Management, Configuration Management

Official CPE Dictionary

Collection of known CPE Names
  helps users determine which names exist
  helps those creating new names
  enough information to identify the platform

Others can build more elaborate repositories based off the dictionary

Hosted by NIST at: http://nvd.nist.gov/cpe.cfm

Page 17: An Approach to Vulnerability Management, Configuration Management

Security Data Without Enumerations

Data correlation and product integration is:
  Mostly manual
  Key word driven
  Costly
  Error prone
  Pair-wise between data sets
  Unscalable

Result: data is locked in proprietary repositories

Diagram: separately held data sources and tools (Web Sites, Guidance Documents, Assessment Tools, Management Tools, Alerts & Advisories, Reporting Tools)

Page 18: An Approach to Vulnerability Management, Configuration Management

Security Data With Enumeration

Common identifiers:
  Community agreed-upon "tags"
  Easily added to legacy repositories & tools

KEY: common identification enables correlation and product integration!
  Faster
  More accurate
  Less expensive

Diagram: the same data sources and tools (Web Sites, Assessment Tools, Management Tools, Alerts & Advisories, Reporting Tools, Guidance Documents) linked through common identifiers

Page 19: An Approach to Vulnerability Management, Configuration Management

eXtensible Checklist Configuration Description Format (XCCDF)

Definition: XCCDF is an XML-based language for representing security checklists in a machine-readable form. An XCCDF document represents a structured collection of security checks.

Designed for three purposes:
  driving system security checking tools
  generating human-readable documents and reports
  scoring and tracking compliance

Specification: http://nvd.nist.gov/xccdf.cfm
Schema Location: http://nvd.nist.gov/xccdf.cfm

Page 20: An Approach to Vulnerability Management, Configuration Management

XCCDF Use Cases

Diagram: an XCCDF Document feeds HTML output, XML output, other tools, and compliance tools

Page 21: An Approach to Vulnerability Management, Configuration Management

XCCDF and Checking Engines

XCCDF does not specify platform-specific system rule checking logic. The Rule/check element contains information for driving a platform-specific checking engine.

Diagram: XCCDF Benchmark Compliance Tester. The XCCDF Benchmark, together with tailoring values and the tests to perform, drives a platform-specific checking engine against the target system, which produces the test results.

Page 22: An Approach to Vulnerability Management, Configuration Management

Open Vulnerability Assessment Language (OVAL)

Definition: OVAL is an XML-based language used for communicating the details of vulnerabilities, patches, security configuration settings, and other machine states in a machine-readable form.

Specification: http://oval.mitre.org
Schema Location: http://oval.mitre.org/language/download/schema/version5.3/index.html

Page 23: An Approach to Vulnerability Management, Configuration Management

Structure of an OVAL Definition


Page 24: An Approach to Vulnerability Management, Configuration Management

Common Vulnerability Scoring System (CVSS)

Definition: CVSS is a scoring system that provides an open framework for determining the impact of information technology vulnerabilities and a format for communicating vulnerability characteristics.

Specification: http://csrc.nist.gov/publications/nistir/ir7435/NISTIR-7435.pdf

SCAP CVSS Base Scores: http://nvd.nist.gov

Page 25: An Approach to Vulnerability Management, Configuration Management

Metrics and Scores

Page 26: An Approach to Vulnerability Management, Configuration Management

National Vulnerability Database CVSS Calculator

http://nvd.nist.gov/cvss.cfm?calculator&version=2

Page 27: An Approach to Vulnerability Management, Configuration Management

Agenda

Overview of the Security Content Automation Protocol (SCAP)
Overview of the SCAP Standards
SCAP Validation Program
SCAP Use Cases

Page 28: An Approach to Vulnerability Management, Configuration Management

SCAP Validation Program

Provides product conformance testing for the Security Content Automation Protocol (SCAP) and the SCAP component standards

National Voluntary Laboratory Accreditation Program
  Independent testing laboratories
  Reports validated by NIST

http://nvd.nist.gov/validation.cfm (Validation Program)
http://nvd.nist.gov/scapproducts.cfm (Validated Products)

Page 29: An Approach to Vulnerability Management, Configuration Management

SCAP Validation Capabilities

Currently being validated:
  FDCC Scanner
  Authenticated Vulnerability and Patch Scanner
  Authenticated Configuration Scanner
  Unauthenticated Vulnerability Scanner
  Mis-configuration Remediation
  Vulnerability Database
  Mis-configuration Database

Currently on list, not yet being validated:
  Intrusion Detection and Prevention Systems (IDPS)*
  Patch Remediation*
  Malware Tool*
  Asset Scanner*

SCAP Component Standards:
  Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org
  Common Configuration Enumeration (CCE): http://cce.mitre.org
  Common Platform Enumeration (CPE)*: http://cpe.mitre.org
  Common Vulnerability Scoring System (CVSS): http://www.first.org/cvss/index.html
  eXtensible Configuration Checklist Document Format (XCCDF): http://nvd.nist.gov/xccdf.cfm
  Open Vulnerability Assessment Language (OVAL): http://oval.mitre.org

* Not currently available for validation

Page 30: An Approach to Vulnerability Management, Configuration Management

19 SCAP Validated Products from 13 Vendors

SCAP Validation Program was started February 2008

Page 31: An Approach to Vulnerability Management, Configuration Management

Reference Implementations

NIST XCCDF interpreter
  Java based
  Uses the MITRE OVAL interpreter for processing

MITRE OVAL Interpreter
  Open source, BSD license

Page 32: An Approach to Vulnerability Management, Configuration Management

Agenda

Overview of the Security Content Automation Protocol (SCAP)
Overview of the SCAP Standards
SCAP Validation Program
SCAP Use Cases

Page 33: An Approach to Vulnerability Management, Configuration Management

National Vulnerability Database

NVD is the U.S. government repository of public vulnerability management information. It is designed to be based on and support vulnerability management standards (especially SCAP).

It receives 69 million hits per year

Used by the Payment Card Industry, Federal Desktop Core Configuration, DHS, GSA SmartBuy, and security products

Page 34: An Approach to Vulnerability Management, Configuration Management

NVD Program Areas

Vulnerability Database
  Security-related software flaws
  33,000 vulnerabilities

National Checklist Program
  Repository of low-level checklists for securing OSs and applications
  132 checklists
  Federal Desktop Core Configuration (FDCC) support

Validation Program
  Product conformance to the Security Content Automation Protocol (SCAP)


National Checklist Program, Hosted by the National Vulnerability Database

Page 38: An Approach to Vulnerability Management, Configuration Management

Computer Network Defense

Streamline and automate vulnerability and configuration management across the U.S. Department of Defense (DOD)

Draft DOD CONOPS for SCAP:
  SCAP-enable the NIST National Vulnerability Database (NVD)
  SCAP-enable the DISA Vulnerability Management System (VMS)
  Integrate NVD and VMS

Page 39: An Approach to Vulnerability Management, Configuration Management

Use Case: The Office of the Secretary of Defense Computer Network Defense Data Pilot

Page 40: An Approach to Vulnerability Management, Configuration Management

NVD and DISA Vulnerability Management System Integration

Page 41: An Approach to Vulnerability Management, Configuration Management

Relationship between the Federal Desktop Core Configuration (FDCC) and SCAP.

FDCC: A set of configuration settings designed to secure Windows XP and Windows Vista (policy)

SCAP: A method for representing configuration and/or vulnerability information in machine-readable format (technology)

Together: FDCC represented in machine-readable format using SCAP (technology enabling policy)

Page 42: An Approach to Vulnerability Management, Configuration Management

FDCC XML Sample

<Rule id="at.exePermissions" selected="false" weight="10.0">
  <title>at.exe Permissions</title>
  <description>Failure to properly configure ACL file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications.</description>
  <reference>
    <dc:type>GPO</dc:type>
    <dc:source>Computer Configuration\Windows Settings\Security Settings\File System</dc:source>
  </reference>
  <requires idref="CM-6"/>                          <!-- 800-53 reference -->
  <requires idref="AC-3"/>
  <ident system="http://cce.mitre.org">CCE-393</ident>    <!-- CCE -->
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <check-content-ref href="fdcc-winxp-oval.xml" name="oval:gov.nist.fdcc.xp:def:129"/>    <!-- OVAL -->
  </check>
</Rule>
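As an added example, not part of the FDCC content or of the NIST reference implementation: Python that reads a rule like the one above and extracts the compliance linkage the earlier "Linking Configuration to Compliance" slide describes, that is the CCE identifier, the SP 800-53 controls named by requires/@idref (resolved against the hidden Group titles) and the OVAL definition reference. The benchmark fragment is constructed here with namespace declarations added so it parses stand-alone; the CM-6 and AC-3 group titles are assumed from SP 800-53 and are not on the slide.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
DC_NS = "http://purl.org/dc/elements/1.1/"
CCE_SYSTEM = "http://cce.mitre.org"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed fragment modelled on the FDCC at.exe rule shown on the slide. The namespace
# declarations and the two hidden control Groups are added so it parses stand-alone;
# the CM-6/AC-3 titles are taken from SP 800-53 (assumption, not from the slide).
SAMPLE_BENCHMARK = f"""<Benchmark xmlns="{XCCDF_NS}" xmlns:dc="{DC_NS}" id="fdcc-example">
  <Group id="CM-6" hidden="true"><title>Configuration Settings</title></Group>
  <Group id="AC-3" hidden="true"><title>Access Enforcement</title></Group>
  <Rule id="at.exePermissions" selected="false" weight="10.0">
    <title>at.exe Permissions</title>
    <reference><dc:type>GPO</dc:type></reference>
    <requires idref="CM-6"/>
    <requires idref="AC-3"/>
    <ident system="{CCE_SYSTEM}">CCE-393</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="fdcc-winxp-oval.xml" name="oval:gov.nist.fdcc.xp:def:129"/>
    </check>
  </Rule>
</Benchmark>"""


def rule_linkage(xml_text: str) -> list:
    """For each Rule return its CCE id, the SP 800-53 controls it satisfies (requires/@idref
    resolved against the hidden Group titles) and the OVAL definition that checks it."""
    ns = {"x": XCCDF_NS}
    root = ET.fromstring(xml_text)
    controls = {g.get("id"): g.findtext("x:title", default="", namespaces=ns)
                for g in root.iterfind(".//x:Group", ns)}
    rows = []
    for rule in root.iterfind(".//x:Rule", ns):
        cce = [i.text for i in rule.iterfind("x:ident", ns) if i.get("system") == CCE_SYSTEM]
        checks = [c for c in rule.iterfind("x:check", ns) if c.get("system") == OVAL_SYSTEM]
        ref = checks[0].find("x:check-content-ref", ns) if checks else None
        rows.append({
            "id": rule.get("id"),
            "weight": float(rule.get("weight", "1.0")),   # XCCDF default weight is 1.0
            "selected": rule.get("selected", "true") == "true",
            "cce": cce[0] if cce else None,
            "controls": [(r.get("idref"), controls.get(r.get("idref"), ""))
                         for r in rule.iterfind("x:requires", ns)],
            "oval_href": ref.get("href") if ref is not None else None,
            "oval_def": ref.get("name") if ref is not None else None,
        })
    return rows
```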

Page 43: An Approach to Vulnerability Management, Configuration Management

Summary

SCAP gives us a transparent, interoperable, repeatable, and ultimately automated way to assess security software flaws and misconfiguration in the enterprise

Efficiencies gained through SCAP give our IT security teams additional cycles to address other important aspects of IT security

By linking compliance to configuration, SCAP makes compliance reporting a byproduct of good security, allowing IT security teams to focus on securing the enterprise

Page 44: An Approach to Vulnerability Management, Configuration Management

Questions?

Presenter: John Banghart, SCAP Validation Project Lead

SCAP Homepage: http://nvd.nist.gov/scap.cfm
SCAP Validation Tools: http://nvd.nist.gov/scapproducts.cfm
SCAP Validation Homepage: http://nvd.nist.gov/validation.cfm
National Vulnerability Database: http://nvd.nist.gov