SCAP Security Content Automation Process. Presentation för SIS

Transcription

1 SCAP Security Content Automation Process Presentation för SIS

2 About Nexus Consulting Technology Nexus, Grundad 1982, Produkter (PKI, kryptering, messaging) Konsulttjänster (informationssäkerhet) Nexus Consulting AB Stockholm och Linköping Fem fokusområden Business Assurance Decentralized Security Management Identity Management Technical Business Assurance PCI DSS Forensics

3 Tillbakablick 10 år Säkerhetsscanners SATAN, ISS, Cybercop Scanner Security Baselining COPS, Axent OmniGuard Systemen tävlade om att gnälla mest

4 SCAP och CVSS varför då? En titt på en granskningsrapport CVSS Base: 8 CVSS Temporal: 7,2 Mäta säkerhetsproblematik CVSS Inte bara mäta, utan också styra SCAP

5 Vilka är standarderna i SCAP? extensible Configuration Checklist Description Format Open Vulnerability and Assessment Language Common Vulnerability Scoring System Standard XML for specifying checklists and for reporting results of checklist evaluation Standard XML for testing procedures for security related software flaws, configuration issues, and patches as well as for reporting the results of the tests Standard for conveying and scoring the impact of vulnerabilities

6 Vilka är standarderna i SCAP? Common Vulnerabilities and Exposures Common Configuration Enumeration Common Platform Enumeration Standard identifiers and dictionary for security vulnerabilities related to software flaws Standard identifiers and dictionary for system configuration issues related to security Standard identifiers and dictionary for platform/product naming

7 <?xml version="1.0" encoding="utf-8"?> - <oval_definitions xsi:schemalocation=" windows-definitions-schema.xsd independent-definitions-schema.xsd oval-definitions-schema.xsd oval-common-schema.xsd" xmlns=" xmlns:xsi=" xmlns:oval=" xmlns:oval-def=" - <generator> <oval:product_name>the OVAL Repository</oval:product_name> <oval:schema_version>5.3</oval:schema_version> <oval:timestamp> t09:39: :00</oval:timestamp> </generator> - <definitions> - <definition id="oval:org.mitre.oval:def:2069" class="vulnerability" version="1"> - <metadata> <title>vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution</title> - <affected family="windows"> <platform>microsoft Windows 2000</platform> <platform>microsoft Windows XP</platform> <platform>microsoft Windows Server 2003</platform> <platform>microsoft Windows Vista</platform> <product>microsoft XML Core Services</product> </affected> <reference source="cve" ref_id="cve " ref_url=" /> <description>microsoft XML Core Services (MSXML) 3.0 through 6.0 allows remote attackers to execute arbitrary code via the substringdata method on a (1) TextNode or (2) XMLDOM object, which causes an integer overflow that leads to a buffer overflow.</description> - <oval_repository> - <dates> - <submitted date=" t09:28:35"> <contributor organization="threatguard, Inc.">Robert L. Hollis</contributor> </submitted> <status_change date=" t15:55: :00">draft</status_change> - <modified comment="set datatype to version for ste:3517" date=" t08:24: :00"> <contributor organization="opsware, Inc.">Jeff Cheng</contributor> - <modified comment="set datatype to version for ste:3181" date=" t08:24: :00"> <contributor organization="opsware, Inc.">Jeff Cheng</contributor> - <modified comment="set datatype to version for ste:3861" date=" t08:24: :00"> <contributor organization="opsware, Inc.">Jeff Cheng</contributor> - <modified comment="set datatype to version for ste:3240" date=" t08:24: :00"> <contributor organization="opsware, Inc.">Jeff Cheng</contributor> <status_change date=" t08:57: :00">interim</status_change> <status_change date=" t07:56: :00">accepted</status_change> - <modified comment="ste:3181 changed from to " date=" t19:55: :00"> <contributor organization="secure Elements, Inc.">Sudhir Gandhe</contributor> <status_change date=" t19:55: :00">interim</status_change> </dates> <status>interim</status> </oval_repository> </metadata> - <criteria operator="or"> - <criteria comment="windows OS" operator="and"> <criterion test_ref="oval:org.mitre.oval:tst:99" comment="the installed operating system is part of the Microsoft Windows family" /> <criterion test_ref="oval:org.mitre.oval:tst:4170" comment="the version of msxml3.dll is less than " /> - <criteria comment="office 2003/2007 and SharePoint" operator="and"> - <criteria operator="or"> <extend_definition comment="microsoft Office 2003 is installed" definition_ref="oval:org.mitre.oval:def:233" /> <extend_definition comment="microsoft Office 2007 is installed" definition_ref="oval:org.mitre.oval:def:1211" /> <criterion comment="sharepoint Team Services are enabled (2K, XP, 2003)" negate="false" test_ref="oval:org.mitre.oval:tst:2379" /> <criterion test_ref="oval:org.mitre.oval:tst:3622" comment="the version of msxml5.dll is less than " /> - <criteria comment="xml Core Services 4" operator="and"> <extend_definition comment="microsoft XML Core Services 4 is installed" definition_ref="oval:org.mitre.oval:def:1002" /> <criterion test_ref="oval:org.mitre.oval:tst:3938" comment="the version of Msxml4.dll is less than " negate="false" /> - <criteria comment="xml Core Services 6" operator="and"> <extend_definition comment="microsoft XML Core Services 6 is installed" definition_ref="oval:org.mitre.oval:def:454" /> <criterion test_ref="oval:org.mitre.oval:tst:3716" comment="the version of Msxml6.dll is less than " negate="false" /> </definition> - <definition id="oval:org.mitre.oval:def:454" version="1" class="inventory"> - <metadata> <title>microsoft XML Core Services 6 is installed</title> - <affected family="windows"> <platform>microsoft Windows 2000</platform> <platform>microsoft Windows XP</platform> <platform>microsoft Windows Server 2003</platform> </affected> <reference source="cpe" ref_id="cpe:/a:microsoft:xml_core_services:6" /> <description>microsoft XML Core Services 6 is installed.</description> - <oval_repository> - <dates> - <submitted date=" t05:29:41"> <contributor organization="threatguard, Inc.">Robert L. Hollis</contributor> </submitted> <status_change date=" t14:55: :00">draft</status_change> <status_change date=" t19:35: :00">interim</status_change> <status_change date=" t21:27: :00">accepted</status_change> </dates> <status>accepted</status> </oval_repository> </metadata> - <criteria> <criterion comment="microsoft XML Core Services 6 is installed" negate="false" test_ref="oval:org.mitre.oval:tst:182" /> </definition> - <definition id="oval:org.mitre.oval:def:233" version="2" class="inventory"> - <metadata> <title>microsoft Office 2003 is installed</title> - <affected family="windows"> <platform>microsoft Windows 2000</platform> <platform>microsoft Windows XP</platform> <platform>microsoft Windows Server 2003</platform> </affected> <reference source="cpe" ref_id="cpe:/a:microsoft:office:2003" /> <description>the application Microsoft Office 2003 is installed.</description> - <oval_repository> - <dates> - <submitted date=" t12:05:33"> <contributor organization="threatguard, Inc.">Robert L. Hollis</contributor> </submitted> <status_change date=" t09:15: :00">interim</status_change> <status_change date=" t09:15: :00">accepted</status_change> - <modified comment="added CPE reference." date=" t07:48: :00"> <contributor organization="the MITRE Corporation">Jonathan Baker</contributor> <status_change date=" t07:52: :00">interim</status_change> - <modified comment="corrected ste:449 to use a pattern match and allow a major version of 11 and not check for other version components. Implemented by Jon Baker of the MITRE Corporation." date=" t08:38: :00"> <contributor organization="patchlink Corporation">Ken Lassesen</contributor> <status_change date=" t15:05: :00">accepted</status_change> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< </dates> <status>accepted</status> </oval_repository> </metadata> - <criteria> <criterion comment="microsoft Office 2003 is installed" test_ref="oval:org.mitre.oval:tst:487" /> </definition> - <definition id="oval:org.mitre.oval:def:1211" version="2" class="inventory"> - <metadata> <title>microsoft Office 2007 is installed</title> - <affected family="windows"> <platform>microsoft Windows 2000</platform> <platform>microsoft Windows XP</platform> <platform>microsoft Windows Server 2003</platform> <platform>microsoft Windows Vista</platform> <product>microsoft Office 2007</product> </affected> <reference source="cpe" ref_id="cpe:/a:microsoft:office:2007" /> <description>the application Microsoft Office 2007 is installed.</description> - <oval_repository> - <dates> - <submitted date=" t09:15: :00"> <contributor organization="the MITRE Corporation">Jonathan Baker</contributor> </submitted> <status_change date=" t09:15: :00">draft</status_change> <status_change date=" t16:16: :00">interim</status_change> <status_change date=" t13:44: :00">accepted</status_change> - <modified comment="changed tst:3839 to check a different registry key to determine if Office 2007 is installed." date=" t21:24: :00"> <contributor organization="threatguard, Inc.">Robert L. Hollis</contributor> <status_change date=" t21:25: :00">interim</status_change> - <modified comment="corrected cpe name in reference." date=" t15:38: :00"> <contributor organization="the MITRE Corporation">Jonathan Baker</contributor> <status_change date=" t21:36: :00">accepted</status_change> </dates> <status>accepted</status> </oval_repository> </metadata> - <criteria> <criterion comment="microsoft Office 2007 is installed" test_ref="oval:org.mitre.oval:tst:3839" /> </definition> - <definition id="oval:org.mitre.oval:def:1002" version="1" class="inventory"> - <metadata> <title>microsoft XML Core Services 4 is installed</title> - <affected family="windows"> <platform>microsoft Windows 2000</platform> <platform>microsoft Windows XP</platform> <platform>microsoft Windows Server 2003</platform> </affected> <reference source="cpe" ref_id="cpe:/a:microsoft:xml_core_services:4" /> <description>microsoft XML Core Services 4 is installed.</description> - <oval_repository> - <dates> - <submitted date=" t05:29:41"> <contributor organization="threatguard, Inc.">Robert L. Hollis</contributor> </submitted> <status_change date=" t14:55: :00">draft</status_change> <status_change date=" t19:35: :00">interim</status_change> <status_change date=" t21:27: :00">accepted</status_change> </dates> <status>accepted</status> </oval_repository> </metadata> - <criteria> <criterion comment="microsoft XML Core Services 4 is installed" negate="false" test_ref="oval:org.mitre.oval:tst:30" /> </definition> </definitions> - <tests> - <file_test id="oval:org.mitre.oval:tst:182" version="1" check_existence="at_least_one_exists" check="at least one" comment="microsoft XML Core Services 6 is installed." xmlns=" <object object_ref="oval:org.mitre.oval:obj:190" /> </file_test> - <registry_test id="oval:org.mitre.oval:tst:487" version="2" comment="microsoft Office 2003 is installed" check_existence="at_least_one_exists" check="at least one" xmlns=" <object object_ref="oval:org.mitre.oval:obj:418" /> <state state_ref="oval:org.mitre.oval:ste:449" /> </registry_test> - <registry_test id="oval:org.mitre.oval:tst:3839" version="2" check_existence="at_least_one_exists" check="at least one" comment="microsoft Office 2007 is installed" xmlns=" <object object_ref="oval:org.mitre.oval:obj:1826" /> <state state_ref="oval:org.mitre.oval:ste:3218" /> </registry_test> - <file_test id="oval:org.mitre.oval:tst:30" version="1" check_existence="at_least_one_exists" check="at least one" comment="microsoft XML Core Services 4 is installed." xmlns=" <object object_ref="oval:org.mitre.oval:obj:191" /> </file_test> - <family_test id="oval:org.mitre.oval:tst:99" version="1" comment="the installed operating system is part of the Microsoft Windows family" check_existence="at_least_one_exists" check="only one" xmlns=" <object object_ref="oval:org.mitre.oval:obj:99" /> <state state_ref="oval:org.mitre.oval:ste:99" /> </family_test> - <file_test id="oval:org.mitre.oval:tst:4170" version="2" check="at least one" comment="the version of Msxml3.dll is less than " check_existence="at_least_one_exists" xmlns=" <object object_ref="oval:org.mitre.oval:obj:3" /> <state state_ref="oval:org.mitre.oval:ste:3517" /> </file_test> - <file_test id="oval:org.mitre.oval:tst:3938" version="3" check="at least one" comment="the version of Msxml4.dll is less than " check_existence="at_least_one_exists" xmlns=" <object object_ref="oval:org.mitre.oval:obj:191" /> <state state_ref="oval:org.mitre.oval:ste:3181" /> </file_test> - <file_test id="oval:org.mitre.oval:tst:3716" version="2" check="at least one" comment="the version of Msxml6.dll is less than " check_existence="at_least_one_exists" xmlns=" <object object_ref="oval:org.mitre.oval:obj:190" /> <state state_ref="oval:org.mitre.oval:ste:3861" /> </file_test> - <file_test id="oval:org.mitre.oval:tst:3622" version="2" check="at least one" comment="the version of Msxml5.dll is less than " check_existence="at_least_one_exists" xmlns=" <object object_ref="oval:org.mitre.oval:obj:47" /> <state state_ref="oval:org.mitre.oval:ste:3240" /> </file_test> - <registry_test id="oval:org.mitre.oval:tst:2379" version="1" check="at least one" comment="sharepoint Team Services are enabled (2K, XP, 2003)" check_existence="at_least_one_exists" xmlns=" <object object_ref="oval:org.mitre.oval:obj:1361" /> <state state_ref="oval:org.mitre.oval:ste:2228" /> </registry_test> </tests> - <objects> - <registry_object id="oval:org.mitre.oval:obj:418" version="1" xmlns=" <hive>hkey_local_machine</hive> <key>software\microsoft\windows\currentversion\uninstall\{ d3-8cfe c9}</key> <name>displayversion</name> </registry_object> - <registry_object id="oval:org.mitre.oval:obj:1826" version="0" xmlns=" <hive>hkey_local_machine</hive> <key>software\microsoft\office\12.0\common\installroot</key> <name>installcount</name> </registry_object> <family_object id="oval:org.mitre.oval:obj:99" version="1" comment="this is the default family object. Only one family object should exist." xmlns=" /> - <file_object id="oval:org.mitre.oval:obj:3" version="1" xmlns=" <path var_ref="oval:org.mitre.oval:var:200" /> <filename>msxml3.dll</filename> </file_object> - <file_object id="oval:org.mitre.oval:obj:191" version="1" xmlns=" <path var_ref="oval:org.mitre.oval:var:200" /> <filename>msxml4.dll</filename> </file_object> - <file_object id="oval:org.mitre.oval:obj:190" version="1" xmlns=" <path var_ref="oval:org.mitre.oval:var:200" /> <filename>msxml6.dll</filename> </file_object> - <file_object id="oval:org.mitre.oval:obj:47" version="1" xmlns=" <path var_ref="oval:org.mitre.oval:var:200" /> <filename>msxml5.dll</filename> </file_object> - <registry_object id="oval:org.mitre.oval:obj:219" version="1" comment="this registry key identifies the system root." xmlns=" <hive>hkey_local_machine</hive> <key>software\microsoft\windows NT\CurrentVersion</key> <name>systemroot</name> </registry_object> - <registry_object id="oval:org.mitre.oval:obj:1361" version="1" xmlns=" <hive>hkey_local_machine</hive> <key operation="equals">software\microsoft\shared Tools\Web Server Extensions\Setup Packages</key> <name operation="equals">sharepoint</name> </registry_object> </objects> - <states> - <registry_state id="oval:org.mitre.oval:ste:449" version="2" xmlns=" <value operation="pattern match">^11\..+</value> </registry_state> - <registry_state id="oval:org.mitre.oval:ste:3218" version="0" xmlns=" <value datatype="int" operation="greater than">0</value> </registry_state> - <family_state id="oval:org.mitre.oval:ste:99" version="1" comment="microsoft Windows family" xmlns=" <family>windows</family> </family_state> - <file_state id="oval:org.mitre.oval:ste:3517" version="2" xmlns=" <version operation="less than" datatype="version"> </version> </file_state> - <file_state id="oval:org.mitre.oval:ste:3181" version="3" xmlns=" <version operation="less than" datatype="version"> </version> </file_state> - <file_state id="oval:org.mitre.oval:ste:3861" version="2" xmlns=" <version operation="less than" datatype="version"> </version> </file_state> - <file_state id="oval:org.mitre.oval:ste:3240" version="2" xmlns=" <version operation="less than" datatype="version"> </version> </file_state> - <registry_state id="oval:org.mitre.oval:ste:2228" version="1" xmlns=" <value operation="equals">installed</value> </registry_state> </states> - <variables> - <local_variable id="oval:org.mitre.oval:var:200" version="1" comment="windows system 32 directory" datatype="string"> - <concat> <object_component item_field="value" object_ref="oval:org.mitre.oval:obj:219" /> <literal_component>\system32</literal_component> </concat> </local_variable> </variables> </oval_definitions><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< OVAL

8 CVSS potential for loss of life, The physical greaterassets, the proportion productivity of vulnerable or systems, revenue. the higher the score Limited/serious/catastrophic adverse effect on organization/individuals Unproven, of of concept, Official functional, Fix, Temporary high Fix, (=no Workaround, Unconfirmed, Local, Adjacent exploit needed), Unavailable, Network, Not Not defined Uncorroborated, DefinedConfirmed, Network High, Medium, Not defined Low Multiple, Single, None None, Partial, Complete

9 CVSS värdering av sårbarheter Low severity CVSS base score 0,0-3,9 Medium severity CVSS base score 4,0-6,9 High severity CVSS base score 7,0-10,0.

10 Sammanfattning SCAP Security Content Automation Process För en specifik plattform Common Platform Enumeration (CPE)..kan man lista identifierade sårbarheter Common Vulnerabilities and Exposures (CVE)..och säkerhetsmässigt rekommenderad konfiguration Common Configuration Enumeration (CCE) Sårbarheter kan graderas Common Vulnerability Scoring System (CVSS) och man avgör om den existerar i egen miljö genom Open Vulnerability and Assessment Language (OVAL) och åtgärdar den genom Extensible Configuration Checklist Description Format (XCCDF)

11 What s in it for me? Lokalt, eller över nätverk? Granska eller åtgärda? Vilken SCAP-profil? Rapportering?

12 Ett varningens finger. Sårbarhetsberoenden: Om Apache 2.0.xx körs tillsammans med Tomcat 5.0.yy uppstår sårbarheten xyz Apache är välpatchad och rätt konfigurerad Tomcat är välpatchad och rätt konfigurerad False Positives är erkänt svåra att hantera.

13 Vad behöver parterna göra? Systemleverantörer Skapa SCAP-beskrivningar av sina produkter Göra det möjligt att acceptera SCAPautomatiserade konfigurationer Communities, organisationer, Skapa OVAL-beskrivningar för nyupptäckta sårbarheter, integrera i verktyg Skapa XCCDF-checklistor Slutanvändaren Välja/implementera checklistor (med förnuft!) Mäta hur CVSS-talet går ned i den egna organisationen

14 Summa Summarum Vad mäts? Teknisk motståndskraft mot angrepp Varför mäts det? Ger stark möjlighet att skapa uppfattning om trender i säkerhetsförvaltningen Ger möjlighet att grovt uppskatta ett systems motståndskraft mot angrepp Ger möjlighet att skapa mål för säkerhetsinnehållet i systemadministrationen För vem mäts det? Systemägare, CSO, CIO, informationsägare

15 Länktips National Vulnerability Database CVSS OVAL