An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance

Transcription

1 An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance Presented by: John Banghart, Booz Allen Hamilton SCAP Validation Project Lead

2 Thoughts on Current State of Vulnerability and Configuration Management Automation and communication is normally limited to a single discipline - vulnerability, compliance, configuration, and asset management remain compartmentalized Automation and communication usually occurs through proprietary methods - therefore data sharing, analysis, aggregation, etc. is typically only possible within a product line Increasing number of mandates - means increasing number of frameworks, standards, regulations, guidelines, sometimes these documents conflict Relatively static number of security configurations Increasing number and complexity of vulnerabilities and threats

3 Agenda Overview of the Security Content Automation Protocol (SCAP) Overview of the SCAP Standards SCAP Validation Program SCAP Use Cases

4 A Definition of SCAP SCAP is a suite of vulnerability management standards that together enable standardization and automation of vulnerability management, measurement, and technical policy compliance checking along with enhanced product and database integration capabilities with machine readable reporting. Languages Enumerations

5 Security Content Automation Protocol (SCAP) Standardizing How We Communicate CVE CCE CPE XCCDF OVAL CVSS Common Vulnerability Enumeration Common Configuration Enumeration Common Platform Enumeration extensible Checklist Configuration Description Format Open Vulnerability and Assessment Language Common Vulnerability Scoring System Standard nomenclature and dictionary of security related software flaws Standard nomenclature and dictionary of software misconfigurations Standard nomenclature and dictionary for product naming Standard XML for specifying checklists and for reporting results of checklist evaluation Standard XML for test procedures Standard for measuring the impact of vulnerabilities

6 Integrating IT and IT Security Through SCAP Vulnerability Management CVE Misconfiguration OVAL CVSS Asset Management CPE SCAP CCE Configuration Management XCCDF Compliance Management

7 Linking Configuration to Compliance <Group id="ia-5" hidden="true"> <title>authenticator Management</title> <reference>iso/iec 17799: , </reference> <reference>nist : , , , , , , , , </reference> <reference>gao FISCAM: AC-3.2</reference> <reference>dod : IAKM-1, IATS-1</reference> <reference>dcid 6/3: 4.B.2.a(7), 4.B.3.a(11)</reference> </Group> Keyed on SP Security Controls Traceability to Mandates <Rule id="minimum-password-length" selected="false" weight="10.0"> <reference>cce-100</reference> <reference>disa STIG Section </reference> <reference>disa Gold Disk ID 7082</reference> <reference>pdi IAIA-12B</reference> <reference> Section Table A-1.4</reference> <reference>nsa Chapter 4 - Table 1 Row 4</reference> Rationale for security <requires idref="ia-5"/> configuration [pointer to OVAL test procedure] Traceability to Guidelines

8 Agenda Overview of the Security Content Automation Protocol (SCAP) Overview of the SCAP Standards SCAP Validation Program SCAP Use Cases

9 SCAP Enumerations and Benefits Enable faster, more accurate correlation Facilitate information exchange Requirements what do we need to check for? Reporting what did we find? Roll-up how do standard elements map to local needs? Allow increased automation Diverse tools can share input and output 9

10 Enumerated Entities in SCAP CVE - Vulnerabilities CCE - Configuration Settings CPE - Platforms 10

11 Common Vulnerability Enumeration (CVE) Definition: CVE is a format to describe publicly known information security vulnerabilities and exposures. Using this format, new CVE Ids will be created, assigned, and referenced in content on an as-needed basis without a version change. 33,000 vulnerabilities (publicly accessible) Specification: Searchable Database: XML Feeds:

12 Common Configuration Enumeration (CCE) Definition: CCE is a format to describe system configuration issues to facilitate correlation of configuration data across multiple information sources and tools. Specification: Schema Location:

13 Example CCE Assigns standardized identifiers to configuration issues, allowing comparability and correlation ID: CCE Description: The "restrict guest access to application log" policy should be set correctly. Technical Mechanisms: (1)HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy Parameter: enabled/disabled 13

14 Common Platform Definition: CPE is a structured naming scheme for IT platforms (hardware, operating systems, and applications) for the purpose of identifying specific platform types. Specification: Schema Location: index.html Dictionary: Mailing list:

15 CPE Name Format cpe:/ part : vendor : product : version : update : edition : language Uniform Resource Identifier (URI) repeatable format 2 people in different rooms will come up with the same name name is built by using known information 7 (optional) components 15

16 Official CPE Dictionary Collection of known CPE Names help users determine which names exists help those creating new names enough information to identify the platform others can build more elaborate repositories based off dictionary Hosted by NIST at: 16

17 Security Data Without Enumerations Web Sites Guidance Document s Alerts & Advisories data correlation and product integration is: Mostly manual Key word driven Costly Error prone Pair-wise between data sets Unscalable Assessmen t Tools Managemen t Tools Reporting Tools result: Data is locked in proprietary repositories 17

18 Security Data With Enumeration common identifiers: Web Sites Guidance Document s Alerts & Advisories Community agree upon tags Easily added to legacy repositories & tools Assessmen t Tools Managemen t Tools Reporting Tools KEY: common identification enables correlation and product integration! Faster More accurate Less expensive 18

19 extensible Checklist Configuration Definition: XCCDF is an XML-based language for representing security checklists in a machine-readable form. An XCCDF document represents a structured collection of security checks. Designed for three purposes: driving system security checking tools generating human-readable documents and reports scoring and tracking compliance Specification: Schema Location:

20 XCCDF Use Cases Docume nt XCC DF HTML XML Other tools Compliance tools

21 XCCDF and Checking Engines XCCDF does not specify platform-specific system rule checking logic. The Rule/check element contains information for driving a platform-specific checking engine. XCCDF Benchma rk XCCDF Benchmark Compliance Tester Tailoring values, Tests to perform Test results Target system Platform-specific checking engine 21

22 Open Vulnerability Assessment Language (OVAL) Definition: OVAL is a XML-based language used for communicating the details of vulnerabilities, patches, security configuration settings, and other machine states in a machine-readable form. Specification: Schema Location: download/schema/version5.3/index.html

23 Structure of an OVAL Definition 23

24 Common Vulnerability Scoring System (CVSS) Definition: CVSS is a scoring system that provides an open framework for determining the impact of information technology vulnerabilities and a format for communicating vulnerability characteristics. Specification: ir7435/nistir-7435.pdf SCAP CVSS Base Scores:

25 Metrics and Scores

26 National Vulnerability Database CVSS

27 Agenda Overview of the Security Content Automation Protocol (SCAP) Overview of the SCAP Standards SCAP Validation Program SCAP Use Cases

28 SCAP Validation Program Provides product conformance testing for Security Content Automation Protocol (SCAP) and the SCAP component standards National Voluntary Laboratory Accreditation Program Independent testing laboratories Reports validated by NIST (Validation Program) (Validated Products)

29 Currently being validated FDCC Scanner Authenticated Vulnerability and Patch Scanner Authenticated Configuration Scanner Unauthenticated Vulnerability Scanner Mis-configuration Remediation Vulnerability Database Mis-configuration Database Common Vulnerabilities and Exposures (CVE) Common Configuration Enumeration (CCE) Common Platform Enumeration (CPE)* Common Vulnerability Scoring System (CVSS) extensible Configuration Checklist Document Format (XCCDF) Open Vulnerability Assessment Language (OVAL) * Not currently available for validation SCAP Validation Capabilities Currently on list, not yet being validated Intrusion Detection and Prevention Systems (IDPS)* Patch Remediation* Malware Tool* Asset Scanner* SCAP Component Standards

30 19 SCAP Validated Products from 13 Vendors SCAP Validation Program was started February 2008

31 Reference Implementations NIST XCCDF interpreter Java based Uses MITRE OVAL interpreter for processing MITRE OVAL Interpreter Open source BSD licenses

32 Agenda Overview of the Security Content Automation Protocol (SCAP) Overview of the SCAP Standards SCAP Validation Program SCAP Use Cases

33 National Vulnerability Database NVD is the U.S. government repository of public vulnerability management information. It is designed to be based on and support vulnerability management standards (especially SCAP) It receives 69 million hits per year Used by Payment Card Industry, Federal Desktop Core Configuration, DHS, GSA Smartbuy, and security products

34 NVD Program Areas Vulnerability Database Security related software flaws 33,000 vulnerabilities National Checklist Program Repository of low level checklists for securing OSs and applications 132 checklists Federal Desktop Core Configuration (FDCC) support Validation Program Product conformance to the Security Content Automation Protocol (SCAP)

35

36

37 National Checklist Program Hosted by the National Vulnerability Database

38 Computer Network Defense Streamline and automate vulnerability and configuration management across the U.S. Department of Defense (DOD) Draft DOD CONOPS for SCAP SCAP enable the NIST National Vulnerability Database (NVD) SCAP enable the DISA Vulnerability Management System (VMS) Integrate NVD and VMS

39 Use Case: The Office of Secretary of Defense Computer Network Defense Data Pilot

40 NVD and DISA Vulnerability Management System Integration

41 Relationship between the Federal Desktop Core Configuration (FDCC) and SCAP. FDCC: A set of configuration settings designed to secure Windows XP and Windows Vista (policy) SCAP: A method for representing configuration and/or vulnerability information in machinereadable format (technology) Together: FDCC represented in machinereadable format using SCAP (technology enabling policy)

42 FDCC XML Sample <Rule id="at.exepermissions" selected="false" weight="10.0"> <title>at.exe Permissions</title> <description>failure to properly configure ACL file and directory permissions, allows the possibility of unauthorized and anonymous modification to the operating system and installed applications.</description> <reference> <dc:type>gpo</dc:type> <dc:source>computer Configuration\Windows Settings\Security Settings\File System</dc:source> </reference> <requires idref="cm-6"/> reference > OVAL <requires idref="ac-3"/> <ident system=" -- CCE <check system=" <check-content-ref href="fdcc-winxp-oval.xml" name="oval:gov.nist.fdcc.xp:def:129"/ </check> </Rule>

43 Summary SCAP gives us a transparent, interoperable, repeatable, and ultimately automated way to assess security software flaws and misconfiguration in the enterprise Efficiencies gained through SCAP give our IT security teams additional cycles to address other important aspects of IT security By linking compliance to configuration, SCAP makes compliance reporting a byproduct of good security, allowing IT security teams to focus on securing the enterprise

44 Questions? Presenter: John Banghart SCAP Validation Project Lead SCAP Homepage: SCAP Validation Tools: SCAP Validation Homepage: National Vulnerability Database: