Making Vulnerability Management Operational
Track 1, 11:45am-12:30pm, Ballroom A
Robert A. Martin, The MITRE Corporation
Preview of Key Points
- Strategically leveraging standards-based vulnerability, policy, and remediation capabilities: Common Vulnerabilities and Exposures (CVE), Common Vulnerability Scoring System (CVSS), Open Vulnerability and Assessment Language (OVAL), Extensible Configuration Checklist Description Format (XCCDF)
- Developing standards-compliant test rules to drive assessment, remediation, and reporting: DISA STIGs, CIS Benchmarks, Corporate Rules, & Software Vendor Vulnerability Advisories
- Capabilities of standards-compliant products
- Build a compliance process leveraging automation and standards
MITRE 2006 Slide 2
Flaw Management
Today's Flaw (in SW or Configuration) Management Processes:
- Text-based vendor Advisory / Guidance (IAVAs/STIGs) distributed to customers and public
- New Flaw Requirement: Scanning tools, Enterprise Management Systems, or manual processes used to Assess Compliance
- Organizations report and track flaw status manually or with a variety of tools that don't integrate (Flaw Compliance Report)
- Compliant? If No: Implement Change, with remediation performed manually, by checking tools, or by locally developed scripts. If Yes: Compliant System
Use Standards to Provide Flexible, End-to-End Flaw Management
Automated Flaw Management (a Security Standards-enabled process), shown step by step against Today's Flaw (in SW or Configuration) Management Processes:
- Vendor Advisories and Guidance distributed to customers and public in standard, machine readable format with unique CVE Names (today: text-based vendor Advisory / Guidance distributed to customers and public)
- New Flaw Requirement: Scanning tools import standardized XCCDF and OVAL definitions into their existing set of system scan signatures for patches, vulnerabilities, and configuration settings (today: Scanning tools, Enterprise Management Systems, or manual processes used)
- Assess Compliance: Systems publish results in standard machine readable OVAL Results format and send them to a central Tracking System, producing the Flaw Compliance Report (today: organizations report and track flaw status manually or with a variety of tools that don't integrate)
- Compliant? If No: Implement Change, where remediation management tools read in OVAL Results with its machine readable list of systems to remediate (today: remediation performed manually, by checking tools, or by locally developed scripts). If Yes: Compliant System
DoD's Information Assurance Vulnerability Alerts (IAVAs) use CVE names
DoD 8500.2 IA Implementation Instruction gives preference to products supporting CVE & OVAL
The following appears for all three Mission Assurance Categories (I, II, and III) of DOD systems:
VIVM-1 Vulnerability Management: A comprehensive vulnerability management process ... automated vulnerability assessment or state management tools ... regular internal and external assessments are conducted ... For improved interoperability, preference is given to tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and use the Open Vulnerability Assessment Language (OVAL) to test for the presence of vulnerabilities.
http://www.nstissc.gov/html/library.htm
Details: DoD Enterprise Licenses for Scanning & Remediation Tools
- SCCVI: DoD Vulnerability Scanning Tool
- SCRI: DoD Remediation Tool
Difficult to Integrate Information on Vulnerabilities and Exposures
Sources that do not connect to one another: Vulnerability Scanners, Priority Lists, Research, Security Advisories, Vulnerability Web Sites & Databases, Software Vendor Patches, Intrusion Detection Systems, Incident Response & Reporting
Finding and sharing vulnerability information has been difficult: The Same Problem, Different Names
Organization | Name
CERT | CA-96.06.cgi_example_code
CyberSafe | Network: HTTP 'phf' Attack
ISS | http-cgi-phf
AXENT | phf CGI allows remote command execution
Bugtraq | PHF Attacks Fun and games for the whole family
BindView | #107 cgi-phf
Cisco | #3200 WWW phf attack
IBM ERS | Vulnerability in NCSA/Apache Example Code
CERIAS | http_escshellcmd
NAI | #10004 - WWW phf check
This has been caused by the rule: Whoever finds it, names it.
The adoption of CVE Names by the Security Community is starting to address this problem, along with the new rule: Whoever finds it, gets a CVE name for it.
The CVE List provides a path for integrating information on Vulnerabilities and Exposures
A single CVE name (e.g. CVE-1999-0067) links Security Advisories, Priority Lists, Software Vendor Patches, Vulnerability Scanners, Intrusion Detection Systems, Research, Incident Response & Reporting, and Vulnerability Web Sites & Databases
Where the CVE Items Come From
- New Submissions: 650 to 800 per month from AXENT, BindView, Harris, Cisco, CERIAS, Hiverworld, SecurityFocus, ISS, NAI, Symantec, Nessus
- Vulnerability Databases: Legacy Submissions (~pre-1999)
- Alerts & Advisories with candidates: 20 to 70 per month (Zero Day Public Vulnerabilities, New Public Vulnerabilities) from ISS, SecurityFocus, Neohapsis, NIPC CyberNotes
- CVE Content Team reviews submissions; the Editorial Board approves
- Items with Unique CVE Names: ~15,630
CVE Editorial Board
CVE Growth: Unique CVE Names
Status (as of Mar 13, 2006): 15,630 unique CVE names
An NVD Entry
Timeline of CVE Compatibility Declarations
CVE-compatible means:
- it includes CVE names in output for each item (CVE output)
- you can find items by CVE name (CVE searchable)
- it explains the CVE functionality (CVE documentation)
- item mappings are accurate
(as of 20 Mar 2006) Now at 244 products and services from 148 organizations
Certificates of CVE Compatibility Awarded to 33 Organizations from 7 Countries for 60 Products
Alliance Qualité Logiciel; Foundstone, Inc.; Harris Corp.; Kingnet Security, Inc.; NSFOCUS Information Tech. Co., Ltd; The MITRE Corporation; Qualys; Red Hat; Sintelli Ltd.; Citadel Security Software Inc.; eEye Digital Security; Internet Security Systems, Inc.; nCircle Network Security, Inc.; PredatorWatch, Inc.; SAINT Corporation; Information Risk Management Plc; Venus Information Technology, Inc.; Symantec Corporation; CA; Dragonsoft; Trend Micro, Inc.; Venus Info Tech.; Software in the Public Interest, Inc.; Webzcan; Skybox; NX Security; ArcSight; ThreatGuard, Inc.; netVigilance, Inc.; DesktopStandard Corporation; Lockdown Networks, Inc.; Secure Elements Incorporated; Beyond Security Ltd.
Current State of Security for IT Systems
- Lots of problems are known.
- Guides, benchmarks, and other security recommendations are available.
- When all patches and guidance are applied, systems can resist many attacks.
What's holding back good security? Systems are not all kept up to date and compliant with best practices because:
- guidance is applied incompletely or late
- fixes and updates are applied inconsistently or improperly
- sound practices are not maintained (often due to staff turnover or operational pressures)
- guidance is distorted or mis-translated on the path from SMEs and vendors out to administrators and end users
- responsible parties have no instruments to measure compliance and keep metrics
Scenario 1, Community Guidance - Today
Community group -> guidance (English prose) -> Security tool vendor -> tool scripts -> Customer IT staff
Community group -> guidance (English prose) -> Gov't Agency -> revised guidance -> Gov't IT staff
Scenario 1, Community Guidance - Today: What can go wrong?
- Community group: imprecise authoring of guidance (English prose)
- Security tool vendor: manual translation into tool scripts
- Gov't Agency: manual customization into revised guidance
- Customer IT staff and Gov't IT staff: manual testing and remediation
General Requirements
We need a language or languages to address these areas:
Platform independent:
- Collect, structure, and organize guidance
- Score and track general compliance
- Define tests to check compliance
Platform dependent:
- Define system-specific tests of system state
- Characterize low-level system state
Across both: Support guidance tailoring and customization
XCCDF: Extensible Configuration Checklist Description Format
An object model and XML specification for expressing security benchmarks, checklists and related documents, and recording checklist results.
Designed for three purposes:
- driving system security checking tools
- generating human-readable documents and reports
- scoring and tracking compliance
Joint work by NSA, CIS, and MITRE, with input from CIS volunteers, NIST, industry representatives, DISA, and others.
The expected/default checking technology for XCCDF is OVAL.
http://csrc.nist.gov/checklists/xccdf.html
User Communities for XCCDF
- System, OS, and Application vendors: common format provides a standardized vehicle for crafting and disseminating security hardening rules and recommendations
- Security Analysts: common format allows comparison of different guidance, tailoring and extension, and a common dissemination vehicle
- Security Tool Vendors: common format saves effort, allows quicker support for newly issued guidance, may promote coordination and interoperability
- System Owners and Users: common format allows integration of guidance from different sources, quicker and more uniform application of benchmarks
Scenario 1, Community Guidance - Future
Community group -> guidance (XCCDF and OVAL) -> Security tool vendor -> XCCDF & OVAL in Tool Update -> Customer IT staff
Community group -> guidance (XCCDF and OVAL) -> Gov't Agency -> tailored XCCDF & OVAL -> Gov't IT staff
Scenario 1, Community Guidance - Future: What changes?
- Community group: precision authoring of guidance (XCCDF and OVAL)
- Security tool vendor: no translation, XCCDF & OVAL shipped in a Tool Update
- Gov't Agency: controlled tailoring into tailored XCCDF & OVAL
- Customer IT staff and Gov't IT staff: automated test & remediate
XCCDF Object Details: Rule
XCCDF does not specify platform-specific system rule checking logic. The Rule/check element contains information for driving a platform-specific checking engine.
Flow: XCCDF Benchmark -> XCCDF Benchmark Compliance Tester -> (tailoring values, tests to perform) -> Platform-specific checking engine -> Target system; test results flow back to the Compliance Tester.
The XCCDF And OVAL Link
OVAL referenced through an XCCDF <Rule> element:
  <cdf:Rule id="unsigned-driver-installation" selected="1">
    <cdf:title>Unsigned Driver Installation Behavior</cdf:title>
    <cdf:description> </cdf:description>
    <cdf:question> </cdf:question>
    <cdf:fixtext> </cdf:fixtext>
    <cdf:fix> </cdf:fix>
    <cdf:check system="http://oval.mitre.org/xmlschema/oval">
      <!-- check-export passes a tailoring value into the named OVAL variable -->
      <cdf:check-export value-id="unsigned-driver-installation" export-name="oval:mitre.org.oval:var:1" />
      <!-- check-content-ref names the OVAL definition the checking engine must evaluate -->
      <cdf:check-content-ref href="oval.definitions.xml" name="oval:org.mitre.oval:def:1001" />
    </cdf:check>
  </cdf:Rule>
OVAL and XCCDF
OVAL is how guidance about the security of a system talks to the system that the guidance is written for; in other words, OVAL is how XCCDF talks to the system that a guide is written for.
System Security Guidance: Configuration Benchmark Document (XCCDF) and List of Vulnerabilities (IAVAs/SANS Top 20) -> OVAL -> System Settings
Focus of OVAL
- How can we be sure an assessment tool is using the correct test for an issue?
- How can an organization specify security policy in a standard way that assessment and configuration management tools will understand?
- How can OS and application vendors precisely identify the types of systems that need a new patch?
- How can security researchers share their knowledge without spreading exploit code?
OVAL Concept - The Open Vulnerability and Assessment Language Initiative
- Community-based collaboration
- Precise definitions to test for each vulnerability, misconfiguration, policy, or patch
- Standard schema of security-relevant configuration information
- OVAL schema and definitions freely available for download, public review, and comment
- Security community suggests new definitions and schema; OVAL board considers proposed schema modifications
http://oval.mitre.org
Public unveiling - December 2002
OVAL Board
What can OVAL do?
Test for a specific machine state:
- vulnerability exists
- compliant with organizational policy
- a specific patch should be installed
- locked in a secure room (not machine-verifiable)
If the state is machine-verifiable, then you can write it in OVAL.
How is OVAL structured?
Three separate XML schemas:
- OVAL System Characteristics Schema
- OVAL Definition Schema
- OVAL Results Schema
Schema structure: a core schema plus individual component schemas. Natural for software authors to provide expertise in shaping these schemas.
OVAL System Characteristics
XML encoding of the details of a system: file versions, running processes, patches installed, etc.
Provides a snapshot of the system: save for auditing purposes, use for analysis.
OVAL Definitions
Composed of meta-data (affected family, platforms, and products; description; CVE identifier or other reference) and the set of tests (also known as the criteria).
Tests can be written to describe any retrievable system information: rpm information, registry values, file permissions, metabase contents.
OVAL Results
XML encoding of the results of an analysis: which systems are vulnerable? which systems are non-compliant? which patches should be installed?
Includes the details: why are you vulnerable? why are you non-compliant? why should a patch be installed?
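To make the chain from an XCCDF Rule through its check-content-ref to an OVAL definition, a system-characteristics snapshot, and a scored result concrete, here is an added Python example that is not from the presentation or any MITRE tool. The element and attribute names are deliberately simplified stand-ins for the real XCCDF and OVAL schemas, and the registry-style keys and values are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed, schema-simplified fragments (not real XCCDF or OVAL content):
# a benchmark whose Rules reference OVAL definitions by id, an OVAL definition
# file with criteria and tests, and a system-characteristics snapshot.
XCCDF = """<Benchmark>
 <Rule id="unsigned-driver-installation" selected="1" weight="2"><check system="http://oval.mitre.org/xmlschema/oval">
  <check-content-ref href="oval.definitions.xml" name="oval:org.mitre.oval:def:1001"/></check></Rule>
 <Rule id="guest-account-disabled" selected="1" weight="1"><check system="http://oval.mitre.org/xmlschema/oval">
  <check-content-ref href="oval.definitions.xml" name="oval:org.mitre.oval:def:1002"/></check></Rule>
</Benchmark>"""
OVAL_DEFS = """<oval_definitions>
 <definition id="oval:org.mitre.oval:def:1001"><criteria operator="AND">
  <criterion test_ref="oval:org.mitre.oval:tst:1"/></criteria></definition>
 <definition id="oval:org.mitre.oval:def:1002"><criteria operator="AND">
  <criterion test_ref="oval:org.mitre.oval:tst:2"/></criteria></definition>
 <test id="oval:org.mitre.oval:tst:1" key="HKLM\\Driver Signing\\Policy" expect="2"/>
 <test id="oval:org.mitre.oval:tst:2" key="SAM\\Guest\\Enabled" expect="0"/>
</oval_definitions>"""
SYSCHAR = """<system_characteristics>
 <item key="HKLM\\Driver Signing\\Policy" value="2"/>
 <item key="SAM\\Guest\\Enabled" value="1"/>
</system_characteristics>"""

def eval_definition(defs, def_id, items):
    """Evaluate one OVAL definition's criteria (AND/OR over tests) against collected items."""
    crit = defs.find(f"definition[@id='{def_id}']/criteria")
    hits = []
    for c in crit.findall("criterion"):
        test = defs.find(f"test[@id='{c.get('test_ref')}']")
        hits.append(items.get(test.get("key")) == test.get("expect"))
    return all(hits) if crit.get("operator") == "AND" else any(hits)

def assess(xccdf_xml, oval_xml, sc_xml):
    """Run each selected Rule's OVAL check; return per-rule results and a weighted score (0..100)."""
    bench, defs, sc = (ET.fromstring(x) for x in (xccdf_xml, oval_xml, sc_xml))
    items = {i.get("key"): i.get("value") for i in sc.findall("item")}
    results, earned, possible = {}, 0.0, 0.0
    for rule in bench.findall("Rule"):
        if rule.get("selected") != "1":
            continue  # tailoring: unselected rules are neither checked nor scored
        ref = rule.find("check/check-content-ref")
        passed = eval_definition(defs, ref.get("name"), items)
        results[rule.get("id")] = "pass" if passed else "fail"
        weight = float(rule.get("weight", "1"))
        possible += weight
        earned += weight if passed else 0.0
    return results, round(100 * earned / possible, 1)
```

The per-rule results are what a tool would serialize as OVAL Results and hand to a tracking or remediation system; flipping a Rule to selected="0" shows how tailoring drops it from both the check run and the score.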
The OVAL Process
OVAL Schemas & Definitions
- 1,506 definitions: Vulnerability (1,456), Compliance (50), in XML & Pseudo Code
- Version 4.2 Schemas (12-2-05); Version 5.0 (02-02-06), 6th draft
- Schemas for: Core, Independent, Microsoft Windows, Sun Solaris, Red Hat Linux, Debian Linux, Cisco IOS, Apple Macintosh, HP-UX Unix
- OVAL Open Source Tools: XML Definition Interpreters, XML Definition Writer
http://oval.mitre.org/oval/definitions/data/oval566.html
OVAL - Industry Adoption (OVAL Compatibility)
Compatible Products and Services:
- ArcSight: ArcSight ESM 3.0
- BigFix: Enterprise Suite
- Citadel Security Software: Hercules
- KACE Networks: KBOX IT Management Suite
- Qualys: QualysGuard Enterprise, QualysGuard Express, QualysGuard Consultant, QualysGuard MSP
- ThreatGuard: ThreatGuard Vulnerability Management System, ThreatGuard Traveler
Declarations of Compatibility: Assuria Limited, DesktopStandard, eEye Digital Security, nCircle Network Security, NetClarity, Patchlink, Preventsys, Sintelli
OVAL Assessment Tools
Working with OVAL Definitions in Commercial Tools
OVAL Results Feeding CIM and Remediation Tools
For More Information
- OVAL paper: Transformational Vulnerability Management Through Standards, http://stsc.hill.af.mil/crosstalk/2005/05/0505martin.html
- CVE paper: Managing Vulnerabilities in Networked Systems, http://cve.mitre.org/docs/cvearticleieeecomputer.pdf
- CIS web site: http://www.cisecurity.org
- CVE web site: http://cve.mitre.org
- OVAL web site: http://oval.mitre.org
- XCCDF web site: http://csrc.nist.gov/checklists/xccdf.html
Acronyms from this Presentation
AF: Air Force
C3I: Communications, Command, Control and Intelligence
CIS: Center for Internet Security
CVE: Common Vulnerabilities and Exposures
DHS: Department of Homeland Security
DISA: Defense Information Systems Agency
DoD: Department of Defense
FBI: Federal Bureau of Investigation
FISMA: Federal Information Security Management Act
FSO: Field Services Organization
GLBA: Gramm-Leach-Bliley Act
GSA: General Services Administration
HIPAA: Health Insurance Portability and Accountability Act
IA: Information Assurance
IAVA: Information Assurance Vulnerability Alert
NIST: National Institute of Standards and Technology
NSA: National Security Agency
OVAL: Open Vulnerability and Assessment Language
SANS: SysAdmin, Audit, Network, Security
SOX: Sarbanes-Oxley
SQL: Structured Query Language
USAF: United States Air Force
WH: White House
XCCDF: Extensible Configuration Checklist Description Format
XML: Extensible Markup Language