Manage Vulnerabilities (VULN) Capability Data Sheet



Similar documents
Software Asset Management (SWAM) Capability Data Sheet

Software Asset Management (SWAM) Capability Description

HWAM Capability Data Sheet

Software Asset Management (SWAM) Illustrative Process

CDM Vulnerability Management (VUL) Capability

CDM Software Asset Management (SWAM) Capability

Management (CSM) Capability

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

SACM Vulnerability Assessment Scenario IETF 94 11/05/2015

CDM Hardware Asset Management (HWAM) Capability

BMC Client Management - SCAP Implementation Statement. Version 12.0

AUTOMATING THE 20 CRITICAL SECURITY CONTROLS

EFFECTIVE VULNERABILITY SCANNING DEMYSTIFYING SCANNER OUTPUT DATA

Software Vulnerability Assessment

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

Security Standard: Servers, Server-based Applications and Databases

Vulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

How To Use A Policy Auditor (Macafee) To Check For Security Issues

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

NIST National Institute of Standards and Technology

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit

AHS Flaw Remediation Standard

Pragmatic Metrics for Building Security Dashboards

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.

CONTINUOUS MONITORING

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

Critical Security Controls

ECS 235A Project - NVD Visualization Using TreeMaps

Security compliance automation with Red Hat Satellite

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise

How To Monitor Your Entire It Environment

Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains (DRAFT)

Attachment A. Identification of Risks/Cybersecurity Governance

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

1 Scope of Assessment

6. Exercise: Writing Security Advisories

Vulnerability Management Policy

Penetration Testing and Vulnerability Scanning

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

How To Improve Nasa'S Security

Office of Inspector General

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Data Management Policies. Sage ERP Online

Server Security Checklist (2009 Standard)

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

White Paper. Managing Risk to Sensitive Data with SecureSphere

The Value of Vulnerability Management*

White Paper. Understanding NIST FISMA Requirements

THE TOP 4 CONTROLS.

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

Secunia Vulnerability Intelligence Manager (VIM) 4.0

How To Manage A Vulnerability Management Program

Federal Desktop Core Configuration (FDCC)

Penetration Testing Report Client: Business Solutions June 15 th 2015

Access FedVTE online at: fedvte.usalearning.gov

An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance

Symantec Control Compliance Suite Standards Manager

1 Introduction Product Description Strengths and Challenges Copyright... 5

Enhancing Security for Next Generation Networks and Cloud Computing

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Enterprise Software Management Systems by Using Security Metrics

Obtaining Enterprise Cybersituational

Turn-key Vulnerability Management

2 Copyright 2015 M. E. Kabay. All rights reserved. 4 Copyright 2015 M. E. Kabay. All rights reserved.

Patch Management Policy

Information Security Program

Pentests more than just using the proper tools

STATE OF NEW JERSEY IT CIRCULAR

OCIE CYBERSECURITY INITIATIVE

BUILDING AN EFFECTIVE VULNERABILITY MANAGEMENT PROGRAM. Henrik Åkerstrand Account Executive Nordics

z/os VULNERABILITY SCANNING AND MANAGEMENT Key Resources, Inc. (312) KRI

Christine M. Frye, CIPP/US, CIPM, Chief Privacy Officer, Bank of America

IT Risk Management: Guide to Software Risk Assessments and Audits

GFI White Paper PCI-DSS compliance and GFI Software products

An Enterprise Continuous Monitoring Technical Reference Architecture

Defending the Database Techniques and best practices

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD

NERC CIP VERSION 5 COMPLIANCE

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002

PII Compliance Guidelines

Information Security Office

SOFTWARE ASSET MANAGEMENT

Guide to Vulnerability Management for Small Companies

PCI DSS Reporting WHITEPAPER

Alberta Reliability Standard Cyber Security Configuration Change Management and Vulnerability Assessments CIP-010-AB-1

How To Audit The Mint'S Information Technology

Guide to Enterprise Patch Management Technologies

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Risk Analytics for Cyber Security

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System

CSUSB Vulnerability Management Standard CSUSB, Information Security & Emerging Technologies Office

Transcription:

Manage Vulnerabilities (VULN) Capability Data Sheet Desired State: - Software products installed on all devices are free of known vulnerabilities 1 - The list of known vulnerabilities is up-to-date Desired State Data Requirements: Authorized Hardware Inventory To identify what devices to check The associated Value for every device attribute 2 A version controlled and dated listing of all software products that have at least one known vulnerability to include: Vulnerable software product in same format as the Authorized Software Inventory (CPE or SWID equivalent) All CVEs associated with that software product To prioritize defects associated with devices. To detect known vulnerabilities present on the system For every locally defined 3 known vulnerability maintain a version controlled and dated listing to include: Vulnerable software product in same format as the Authorized Software Inventory (CPE or SWID equivalent) Identifier of all local vulnerabilities associated with that software product Severity for each local vulnerability (CVSS score equivalent) 1 Often it is not feasible to have no known vulnerabilities present (e.g., patch is not yet available), so the goal is to minimize their presence in the environment. 2 This value will initially be defined by the D/A for the SWAM capbility. Once the necessary data becomes available, it will be calculated from the value assigned by the D/A to assets. 1

Alternative mitigation specification 4 for any known vulnerability where the source vendor provides a mitigation option that can be implemented instead of patching/reversioning the software to include: CVE or local identifier Associated system attributes Required/acceptable values Compliance definition To exclude vulnerabilities mitigated by alternative methods that can be automatically checked 5 from the score To determine compliance with each specific check Actual State: - Listing of all enumerated vulnerable software installed on all devices - All CVEs on all devices that are appropriately mitigated by alternative methods - Collection mechanisms and/or processes to detect and record/report the Actual State information Actual State Data Requirements: While not explicitly stated below, all Actual State Data elements must have a date/time associated with each collection instance of that element 6. The vulnerable software installed on every device. Devices that are compliant with alternative mitigation specifications to include the CVEs or local identifiers that are appropriately mitigated To identify defects To eliminate those vulnerabilities from the score 3 Departments and Agencies can define data requirements and associated defects for their local environment. This is done in coordination with the CMaaS contractor and these local defects are not reported to the Federal Dashboard. 4 Some known vulnerabilities can be equivalently mitigated by not installing sections of code, executables, or via configuration options. 5 If the check that determines implementation of the alternative mitigation method can be verified by checking registry settings, executable hashes, or configuration settings, then a specification can be defined to automatically determine that the vulnerability is not present. 6 Collection often occurs in batches, where the sensors collect from a set of devices at once. As long as a date/time can be provided for the data resulting from that collection to a reasonable precision (i.e., ± 1 hour), that is acceptable. 2

Data necessary to determine how long vulnerable software has been present on a device. At a minimum: Date/time it was first discovered Date/time it was last seen To determine how long vulnerabilities have been present on a device Defects: A defect is the existence of an installed software product that contains at least one known vulnerability or using out-dated/incomplete CVE data. The following are the defects for VULN: Defect Type: Device has vulnerable software product installed Why is this considered a risk condition? Device is vulnerable to exploitation Typical Mitigation 7 Option 1: Apply patch or upgrade software product Typical Mitigation Option 2: Otherwise, remove software product from the device Vulnerable software listing does not contain up to date CVE or local vulnerability data An important data element of the vulnerable software listing or alternative mitigation specificiation is missing Vulnerable software can not be reported within a set timeframe for a device (Non-reporting for Vulnerabilities) Device is vulnerable to exploitation but reported that it is not or scores do not adequately reflect risk A key piece of information used to score risk is unknown The Department or Agency s (D/A) ability to monitor vulnerabilities is limited Update the listing and implement process to perform timely updating If the data element is known, record the information Work with the sensor/collection managers or process owners to troubleshoot/resolve the problem. Otherwise, remediate the implementation issue with existing process Otherwise, determine or define the data element and record the information Otherwise, revoke or suspend the device s authorization 7 Risk acceptance is always an option. In the case of Option 1 and Option 2, the risk conditions and scores do not go away. They remain visible to ensure that the D/A understands the impact of their risk acceptance decisions over time and in aggregate. 3

Appendix A - Definitions Term Definition Authorized Hardware Inventory List Authorized Software Inventory Blacklist Common Platform Enumeration (CPE) Common Vulnerabilities and Exposures (CVE) Common Vulnerability Scoring System (CVSS) Compliance Definition Defect Device Device Attribute Manage Vulnerabilities (VULN) Capability List of authorized hardware assets for an organization or subnet. Managed software whitelists and blacklists for the organization and each device attribute. List of unauthorized software for a D/A or device. Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. 8 Common Vulnerabilities and Exposures (CVE) is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. 9 CVSS measures the severity of a vulnerability compared to other vulnerabilities so remediation efforts can be prioritized. The logic associated with a check that expresses how to determine if an asset is compliant with the policy. A condition where the Desired State specification and the Actual State do not match in a manner that incurs risk to the organization. IP-addressable asset on the network or a non-addressable component (e.g. removable media) able to interact with the D/A s data and resources. Device attributes are a way to describe a set of labels, values, and hierarchies associated with dimensions or characteristics of a device. The attributes assigned to a device are used to determine the applicability of a defect check, the result domain of a defect check, or create the appropriate desired state specification for a defect check associated with that device. This capability is to ensure that vulnerabilities are identified and removed or remediated from devices to minimize exploitation. 8 http://nvd.nist.gov/cpe.cfm 9 http://cve.mitre.org/about/faqs.html#a1 4

Term National Vulnerability Database (NVD) Scoring Software Asset Management (SWAM) capability Software identification tag (SWID) Software product Vulnerability Whitelist Definition NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. 10 The process of calculating the risk points for a defect. Identified defects will be scored based on the amount of perceived risk they create. The CDM program will be providing a scoring system that is generic across D/As. Each D/A may adapt this with additional D/A specific information to better prioritize defects for action. The CDM capability that ensures unauthorized and/or unmanaged software is 1) identified, 2) authorized, and 3) assigned for management, or 4) removed before it can be exploited compromising confidentiality, integrity, and availability. Software ID tags provide authoritative identifying information for installed software or other licensable item. 11 The level of abstraction by which software is typically licensed, listed in registries during installation, and executed by users. Software products are roughly equivalent to the software identified by the NIST Common Product Enumeration (CPE) codes, and also by the ISO SWIDs. A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy. List of authorized software for a D/A or device. 10 http://nvd.nist.gov/ 11 ISO/IEC 19770-2: Software identification tag 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information