Architecting Security Measurement & Management for Compliance
DESCRIPTION
The largest federal agencies are deploying new vulnerability, configuration and remediation management tools that support interoperability standards. Any organization (not just government agencies) can better measure its security and regulatory compliance by using tools, guidelines and standards provided by the Security Content Automation Protocol (SCAP) for enabling automation of measurement and compliance evaluation, the Office of Management and Budget's FDCC mandate for securing desktops/laptops running Windows operating systems, NIST standards and more.
TRANSCRIPT
Architecting Security Measurement & Management for Compliance (i.e., Making Security Measurable)
Robert A. Martin
2:45 pm - 3:45 pm, 27 April 2008
Compliance Standards….
Sarbanes-Oxley
Cyber Threats to the Enterprise
2007 InformationWeek/Accenture Global Information Security Survey, published July 16, 2007
Many Types of Attacks…
• against known vulnerabilities in OS & packaged applications; against mis-configured systems; against unknown vulnerabilities in developed apps; attacks are aimed at databases, applications, and web sites

Need to Master Many Technologies
• firewalls; anti-virus; anti-spyware; application firewalls; Intrusion Detection Systems (IDS); Security Integration Management Systems (SIMS); vulnerability scans; patching systems

(Source: 2007 InformationWeek/Accenture Global Information Security Survey, published July 16, 2007)
More Vulnerable Because of…
• exposed backend & homegrown apps; increased sophistication & volume of attacks; more malicious intent; lack of senior attention; incompatible security products; unable to adapt policies/configuration rules; outsourcing

(Source: 2007 InformationWeek/Accenture Global Information Security Survey, published July 16, 2007)
Enterprise Networks

Real Enterprise Networks
[Figure: Information Technology-Based Business Capabilities As Conceived, followed by a second diagram titled Reality]
Cyber Threats Emerged Over Time
[Figure: timeline chart spanning the 1980’s, 1990’s, 2000’s and 2010’s with two plotted trend lines labelled Attack Sophistication and Intruder Knowledge. Attack labels shown on the chart: password guessing; password cracking; exploiting known vulnerabilities; burglaries; disabling audits; back doors; sniffers; hijacking sessions; packet spoofing; network mgmt. diagnostics; GUI intruder tools; automated probes/scans; www attacks; “stealth”/advanced scanning techniques; widespread denial-of-service attacks; widespread attacks on DNS infrastructure; widespread attacks using NNTP to distribute attack; Internet social engineering attacks; email propagation of malicious code; techniques to analyze code for vulnerabilities without source code; distributed attack tools; executable code attacks (against browsers); automated widespread attacks; DDoS attacks; increase in wide-scale Trojan horse distribution; Windows-based remote controllable Trojans (Back Orifice); home users targeted; anti-forensic techniques; binary encryption; increase in tailored worms; diffuse spyware; sophisticated command & control.]
Solutions Also Emerged Over Time
[Figure: the same 1980’s–2010’s attack timeline chart as on the previous slide (same attack labels and the Attack Sophistication / Intruder Knowledge trend lines), annotated with the solutions that emerged over the same period; only the attack labels survived extraction.]
Like Security, Networks Evolved
Each new solution had to integrate with the existing solutions, so every enterprise ends up with a “unique” tapestry of solutions.

But A More Supportable Solution Is Possible with Standards and Architecture Principles
Each Enterprise has its own tapestry of security solutions, processes, and data needs.
Architecting Security
[Figure: the security management functions the architecture has to cover]
• Asset Management
• Vulnerability Management
• Configuration Management
• Threat Management
• System Development
• System Certification
• Intrusion Detection
• Incident Management
• Change Control / Change Management
• Central Reporting
In Summary: Today Every Organization Has a Different Way of Doing Cyber Security…
• Cyber security tools, practices and technology have evolved dramatically over the last 10 years
• The result has been that most enterprises have been buying each new tool & training their people on it & integrating it as they realize they need to address a new area of Cyber Security…
• Then they buy another tool & train their people on that one too & integrate it with the other tools…
• Repeat for each “type” of security tool/challenge that appears…
• Result: each organization has a different tapestry of tools/processes integrated together trying to do the Cyber Security job…
  – Assets, Configuration, Vulnerabilities, Patches, Intrusions, Malware, Malicious Code, etc.

Instead we should be architecting our security measurement and management method and getting tools to implement and support it.
What Do The Building Blocks for “Architecting Security” Look Like?
• Standard ways for enumerating “things we care about”
• Languages/Formats for encoding/carrying high fidelity content about the “things we care about”
• Repositories of this content for use in communities or individual organizations
• Adoption/branding and vetting programs to encourage adoption by tools and services

The Building Blocks Are:
• Enumerations – Catalog the fundamental entities in IA, Cyber Security, and Software Assurance
  – Vulnerabilities (CVE), misconfigurations (CCE), software packages (CPE), malware (CME), attack patterns (CAPEC), weaknesses in code/design/architecture (CWE)
• Languages/Formats – Support the creation of machine-readable state assertions, assessment results, and messages
  – Configuration/vulnerability/patch/asset patterns (XCCDF & OVAL), results from standards-based assessments (CRF), software security patterns (SBVR), event patterns (CEE), malware patterns (MAEC), risk of a vulnerability (CVSS), information messages (CAIF & *DEF)
• Knowledge Repositories – Packages of assertions supporting a specific application
  – Vulnerability advisories & alerts (US-CERT Advisories/IAVAs), configuration assessment (NIST Checklists, CIS Benchmarks, NSA Configuration Guides, DISA STIGs), asset inventory (NIST/DHS NVD), code assessment & certification (NIST SAMATE, DoD DIACAP & eMASS)
• Tools – Interpret IA, Cyber Security, and SwA content in context of enterprise network
  – Methods for assessing compliance to languages, formats, and enumerations
[Figure: the security-management architecture, shown in three progressively annotated versions. Process areas: Asset Inventory, Configuration Guidance Analysis, Vulnerability Analysis, Threat Analysis, Intrusion Detection, Incident Management. Knowledge Repositories feeding them: Asset Definition, Configuration Guidance, Vulnerability Alert, Threat Alert, Incident Report. Surrounding enterprise functions: Operations Security Management Processes, Enterprise IT Asset Management, Operational Enterprise Networks, Centralized Reporting, Enterprise IT Change Management, Development & Sustainment Security Management Processes, Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation, and System & Software Assurance Guidance/Requirements. The process areas are grouped under “Mitigating Risk Exposures” and “Responding to Security Threats”. Each interface is labelled with the standards that carry its content: CVE, CWE, CVSS, CCE, OVAL, XCCDF, CPE, CME, CAPEC, MAEC, CEE, CRF and SBVR, plus CAIF, IDMEF and IODEF on the incident-message interface.]

Vulnerability Alert (CVE/CWE/OVAL/CVSS) → Vulnerability Analysis (CVE/CWE/CVSS/CCE/OVAL/CRF/XCCDF/CPE)
Common Vulnerabilities and Exposures (CVE)
• CVE: Enabling fast, accurate correlation of vulnerability information across the security industry
• Key tenets
  – one identifier for one vulnerability
  – dictionary of standardized descriptions for vulnerabilities and exposures
  – publicly accessible for review or download from the Internet
  – international scope
  – industry participation in open forum (editorial board)
  – compatibility program for products & services
Foundation for NIST NVD Program
Difficult to Integrate Information on Vulnerabilities and Exposures
[Figure: Security Advisories, Vulnerability Scanners, Software Vendor Patches, Intrusion Detection Systems, Priority Lists, Incident Response & Reporting, Vulnerability Web Sites & Databases, and Research, with every cross-reference between them marked “?”]
Finding and sharing vulnerability information has been difficult: The Same Problem, Different Names

Organization   Name
CERT           CA-96.06.cgi_example_code
CyberSafe      Network: HTTP ‘phf’ Attack
ISS            http-cgi-phf
AXENT          phf CGI allows remote command execution
Bugtraq        PHF Attacks – Fun and games for the whole family
BindView       #107 – cgi-phf
Cisco          #3200 – WWW phf attack
IBM ERS        Vulnerability in NCSA/Apache Example Code
CERIAS         http_escshellcmd
NAI            #10004 - WWW phf check

Which has been caused by the rule, “Whoever finds it, names it”
The adoption of CVE Names by the Security Community addresses this problem, along with the rule, “Whoever finds it, gets a CVE name for it”
The CVE List provides a path for integrating information on Vulnerabilities and Exposures
[Figure: the same sources (Security Advisories, Vulnerability Scanners, Software Vendor Patches, Intrusion Detection Systems, Priority Lists, Incident Response & Reporting, Vulnerability Web Sites & Databases, Research), now all linked through one CVE name, CVE-1999-0067]
Where the CVE Items Come From
[Figure: flow of vulnerability information into the CVE List]
• Legacy Submissions (~pre-1999) from Vulnerability Databases: AXENT, BindView, Harris, Cisco, CERIAS, Hiverworld, SecurityFocus, ISS, NAI, Symantec, Nessus
• New Submissions (650–800 per month): ISS, SecurityFocus, Neohapsis, NIPC CyberNotes
• Alerts & Advisories w/candidates (40–150 per month)
• Zero Day Public Vulnerabilities
→ New Public Vulnerabilities → CVE Content Team → CVE Editorial Board → Items with Unique CVE Names (~29,275)
CVE Compatibility Program (as of 22 Feb 2008)
cve.mitre.org/compatible/
Now at 281 products and services from 159 organizations
Computer Associates, IBM/ISS
An NVD Entry
nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0952

Common Vulnerability Scoring System
www.first.org/cvss/

Configuration Guidance (XCCDF/OVAL/CCE) → Configuration Guidance Analysis (CCE/OVAL/CRF/XCCDF/CPE) → (CPE/OVAL/CRF)
Open Vulnerability and Assessment Language (OVAL)
• OVAL Language
  – express specific machine states
  – standardize the transfer of information
  – XML based, defined by XML Schema
  – compatibility program for products & services
• OVAL Repository
  – promote open and publicly available content
  – central meeting place
• open community standard
  – to facilitate sharing
  – open up the details
  – utilize community expertise
Foundation for NIST SCAP Program
OVAL Board

OVAL Schema
• Three separate XML schemas
  – OVAL System Characteristics Schema
  – OVAL Definition Schema
  – OVAL Results Schema
• Schema structure
  – core schema
  – individual component schemas
• Natural for software authors to provide expertise in shaping these schemas.

The Language
[Figure: OVAL XML as the interchange format between content sources (Security Bulletin, Configuration Guide, Asset Description, System Details) and uses (Vulnerability Assessment, Asset Management, Report Generation); the system details collected cover the Registry, Files, RPMs and Processes]
[Figure: OVAL content flow, connecting an Expert in the Field, OVAL Definitions, the OVAL Community, Configuration Management, Vulnerability Assessment, Compliance Checker, Assessment Tool and Remediation Tool, OVAL Results and OVAL System Characteristics (OVAL SC), a Security Information Management (SIM) tool/database, and Centralized Audit Validation]
SCAP Languages Requirements
Guidance Structure and Customization:
• Collect, structure, and organize guidance
• Score and track general compliance
• Define tests to check compliance
• Support guidance tailoring and customization
End-System Assessment:
• Define system-specific tests of system state
• Characterize low-level system state
XCCDF-OVAL-CCE Connection
[Slide overlays fragments of an XCCDF rule and the OVAL definition it references; the fragments as shown:]

XCCDF
<Rule id="RequireCTRL_ALT_DEL" >

OVAL
<definition id="oval:gov.nist.1:def:69">

<Title> Interactive logon: Require CTRL+ALT+DEL
<Description> Disabling the Ctrl+Alt+Del security attention sequence can compromise …
<criteria> Windows family, Windows XP, SP2, 32 bit
<metadata>
  <title> Require CTRL_ALT_DEL
  <reference> CCE-Winv2.0-390
<Check> oval:gov.nist.1:def:69

Registry setting checked:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD = 0

OVAL Compatibility Program (version 5 launched June 2006)
oval.mitre.org/compatible/
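The OVAL schema slide and the XCCDF-OVAL-CCE slide above describe one chain: an XCCDF rule names a CCE and points at an OVAL definition, the definition's criteria are evaluated against system characteristics collected from the host, and the result rolls up into a pass/fail for the rule. The following is an added example, not code from the presentation or from MITRE/NIST: it models that chain in Python with two constructed, deliberately simplified XML strings (they are not schema-valid XCCDF or OVAL; which element carries the title, reference and check is this example's own layout), a dictionary standing in for the collected registry characteristics, and three constructed host states. The rule id, definition id, CCE id, registry key and expected value are the ones on the slide.

```python
"""Simplified model of the XCCDF -> OVAL -> CCE linkage shown on the slide.

Added example; not code from the presentation, MITRE or NIST. The two XML
strings are CONSTRUCTED, simplified stand-ins (not schema-valid XCCDF or
OVAL), and the registry contents are constructed test data.
"""
import xml.etree.ElementTree as ET

# Constructed XCCDF-like benchmark: one Rule carrying its CCE reference and a
# check that points at an OVAL definition by id.
XCCDF = """
<Benchmark>
  <Rule id="RequireCTRL_ALT_DEL">
    <title>Require CTRL_ALT_DEL</title>
    <reference>CCE-Winv2.0-390</reference>
    <check>oval:gov.nist.1:def:69</check>
  </Rule>
</Benchmark>
"""

# Constructed OVAL-like definition: one registry test. The element name and
# attributes are this example's own simplification, not OVAL's schema.
OVAL = """
<oval_definitions>
  <definition id="oval:gov.nist.1:def:69">
    <title>Interactive logon: Require CTRL+ALT+DEL</title>
    <criteria>
      <registry_test hive="HKLM"
        key="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
        name="DisableCAD" expected="0"/>
    </criteria>
  </definition>
</oval_definitions>
"""


def load_oval_definitions(oval_xml):
    """Index <definition> elements by id, as a scanner does after loading content."""
    return {d.get("id"): d for d in ET.fromstring(oval_xml).iter("definition")}


def evaluate_registry_test(test, registry):
    """registry models the OVAL System Characteristics collected from a host:
    {(hive, key, value name): data}. A value that is not present yields
    'error' (real OVAL distinguishes more result states; collapsed here)."""
    item = (test.get("hive"), test.get("key"), test.get("name"))
    if item not in registry:
        return "error"
    return "true" if str(registry[item]) == test.get("expected") else "false"


def evaluate_definition(definition, registry):
    """Combine every test under <criteria> with AND (OVAL's default operator)."""
    results = [evaluate_registry_test(t, registry) for t in definition.iter("registry_test")]
    if not results or "error" in results:
        return "error"
    return "true" if all(r == "true" for r in results) else "false"


def evaluate_benchmark(xccdf_xml, oval_xml, registry):
    """Walk the XCCDF rules, follow each <check> to its OVAL definition and
    return {rule id: (CCE reference, 'pass' | 'fail' | 'error')}, the shape
    of a rule result that a Central Reporting tool would aggregate."""
    definitions = load_oval_definitions(oval_xml)
    outcome = {"true": "pass", "false": "fail"}
    report = {}
    for rule in ET.fromstring(xccdf_xml).iter("Rule"):
        definition = definitions.get(rule.findtext("check"))
        verdict = evaluate_definition(definition, registry) if definition is not None else "error"
        report[rule.get("id")] = (rule.findtext("reference"), outcome.get(verdict, "error"))
    return report


# Constructed host states, keyed like the collected system characteristics.
KEY = ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCAD")
COMPLIANT_HOST = {KEY: 0}   # constructed: CTRL+ALT+DEL required at logon
WEAK_HOST = {KEY: 1}        # constructed: secure attention sequence disabled
UNSET_HOST = {}             # constructed: value never configured

if __name__ == "__main__":
    for label, host in (("compliant", COMPLIANT_HOST), ("weak", WEAK_HOST), ("unset", UNSET_HOST)):
        print(label, evaluate_benchmark(XCCDF, OVAL, host))
```

The point of keeping the three layers separate is the one the slide makes: the CCE identifies what is being checked, the OVAL definition says how to check it, and the XCCDF rule says what the result means for compliance, so a different platform's definition can be swapped in without touching the rule or the CCE reference. The unset host is reported as an error rather than a pass, because an absent value is not evidence that the control is in place.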
[Section: Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation (OVAL/XCCDF/CCE/CPE/CRF); System Assurance Guidance/Mandates/Requirements (CWE/CAPEC/SBVR)]
Common Weakness Enumeration (CWE)
• dictionary of weaknesses
  – weaknesses that can lead to exploitable vulnerabilities (i.e. CVEs)
  – the things we don’t want in our code, design, or architecture
  – web site with XML of content, sources of content, and process used
• structured views
  – currently provide hierarchical view into CWE dictionary content
  – will evolve to support alternate views
• open community process
  – to facilitate common terms/concepts/facts and understanding
  – allows for vendors, developers, system owners and acquirers to understand tool capabilities/coverage and priorities
  – utilize community expertise
Foundation for other DHS, NSA, OSD, NIST, OWASP, SANS, SEI, and OMG SwA Efforts

Vulnerability Type Trends: A Look at the CVE List (2001 - 2006)
[Figure: chart of vulnerability type trends across the CVE List, 2001–2006]
Removing and Preventing the Vulnerabilities Requires More Specific Definitions… CWEs

Cross-site scripting (XSS) (79)
• Basic XSS (80)
• XSS in error pages (81)
• Script in IMG tags (82)
• XSS using Script in Attributes (83)
• XSS using Script Via Encoded URI Schemes (84)
• Doubled character XSS manipulations, e.g. '<<script' (85)
• Invalid Characters in Identifiers (86)
• Alternate XSS syntax (87)
• Mobile Code: Invoking untrusted mobile code (494)

Buffer Errors (119)
• Unbounded Transfer (classic overflow) (120)
• Write-what-where condition (123)
• Boundary beginning violation ('buffer underwrite') (124)
• Out-of-bounds Read (125)
• Wrap-around error (128)
• Unchecked array indexing (129)
• Length Parameter Inconsistency (130)
• Other length calculation error (131)
• Miscalculated null termination (132)
• String Errors (133)
• Often Misused: Path Manipulation (249)

Relative Path Traversal (22)
• Path Issue - dot dot slash - '../filedir' (24)
• Path Issue - leading dot dot slash - '/../filedir' (25)
• Path Issue - leading directory dot dot slash - '/directory/../filename' (26)
• Path Issue - directory doubled dot dot slash - 'directory/../../filename' (27)
• Path Issue - dot dot backslash - '..\filename' (28)
• Path Issue - leading dot dot backslash - '\..\filename' (29)
• Path Issue - leading directory dot dot backslash - '\directory\..\filename' (30)
• Path Issue - directory doubled dot dot backslash - 'directory\..\..\filename' (31)
• Path Issue - triple dot - '...' (32)
• Path Issue - multiple dot - '....' (33)
• Path Issue - doubled dot dot slash - '....//' (34)
• Path Issue - doubled triple dot slash - '.../...//' (35)
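The Relative Path Traversal list above is the slide's illustration of why the specific CWE entries matter for prevention: a fix that handles CWE-24 by stripping "../" does nothing about CWE-34 and CWE-35, whose doubled forms collapse into "../" after the stripping has run. The following is an added example, not code from the presentation, that makes the point concrete: a deliberately weak single-pass filter beside a check that canonicalises the path into segments before deciding, run over constructed inputs covering each variant on the list. BASE is a placeholder document root and the sample paths are constructed.

```python
"""Canonicalising path check against the CWE-22 variants listed above.

Added example; not from the presentation. The request paths are constructed
test inputs, BASE is a placeholder document root, and naive_strip() is a
deliberately weak filter included only to show what the doubled variants
(CWE-34, CWE-35) get past.
"""
import posixpath

BASE = "/srv/app/files"  # placeholder document root (assumption)


def naive_strip(user_path):
    """Single-pass removal of '../': the filter style that CWE-34/35 defeat,
    because '....//' and '.../...//' turn into '../' after the filter ran."""
    return user_path.replace("../", "")


def resolve_safe(user_path, base=BASE):
    """Resolve user_path under base; return the absolute path, or None if the
    input climbs out of base or contains a dot-only segment.

    Decisions are made on canonical segments rather than substrings, so the
    doubled-separator and doubled-dot variants (CWE-27/31/34/35) are handled
    the same way as a plain '../' (CWE-24). '/' and '\\' are both separators
    (CWE-28..31 use backslashes), and a leading separator is treated as
    relative to base (CWE-25/26/29/30) rather than as an absolute path.
    """
    stack = []
    for segment in user_path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue                     # doubled separator or current dir
        if segment == "..":
            if not stack:
                return None              # would leave base: CWE-22 family
            stack.pop()
            continue
        if set(segment) == {"."}:
            return None                  # '...' / '....' (CWE-32, CWE-33)
        stack.append(segment)
    return posixpath.join(base, *stack)


# Constructed inputs, one per CWE variant on the slide, with the expected result.
SAMPLES = {
    "docs/readme.txt": "/srv/app/files/docs/readme.txt",
    "../filedir": None,                                      # CWE-24
    "/../filedir": None,                                     # CWE-25
    "/directory/../filename": "/srv/app/files/filename",     # CWE-26, stays inside base
    "directory/../../filename": None,                        # CWE-27
    "..\\filename": None,                                    # CWE-28
    "\\..\\filename": None,                                  # CWE-29
    "\\directory\\..\\filename": "/srv/app/files/filename",  # CWE-30, stays inside base
    "directory\\..\\..\\filename": None,                     # CWE-31
    ".../filedir": None,                                     # CWE-32
    "..../filedir": None,                                    # CWE-33
    "....//filedir": None,                                   # CWE-34
    ".../...//filedir": None,                                # CWE-35
}


def check_samples():
    """Resolve every sample; returns {input: resolved path or None}."""
    return {path: resolve_safe(path) for path in SAMPLES}


if __name__ == "__main__":
    for path, resolved in check_samples().items():
        print(f"{path!r:32} -> {resolved}")
    # What the weak filter leaves behind is itself a traversal.
    for path in ("....//filedir", ".../...//filedir"):
        print(f"naive_strip({path!r}) -> {naive_strip(path)!r}")
```

The design choice worth noting is that resolve_safe never searches for a bad substring at all; it rebuilds the path from its segments and rejects anything that would pop past the root, which is why the output of naive_strip, fed back in, is still caught. CWE-26 and CWE-30 resolve to a path inside the base and so are allowed, which matches the entries' own distinction between a "leading directory" form and one that actually climbs out.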
[Figure: the classification sources CWE reconciles, each with its own naming: 7 Kingdoms, CLASP, Microsoft, PLOVER, OWASP, Protection Analysis, RISOS, Weber, Bishop, Landwehr, Aslam, WASC, Tool A, Tool B]
Using A Unilateral NDA with MITRE to Bring in Info
Purpose:
• Sharing the proprietary/company confidential information contained in the underlying Knowledge Repository of the Knowledge Owner’s Capability for the sole purpose of establishing a public Common Weakness Enumeration (CWE) dictionary that can be used by vendors, customers, and researchers to describe software, design, and architecture related weaknesses that have security ramifications.
• The individual contributions from numerous organizations, based on their proprietary/company-confidential information, will be combined into a consolidated collection of weakness descriptions and definitions with the resultant collection being shared publicly.
• The consolidated collection of knowledge about weaknesses in software, design, and architecture will make no reference to the source of the information used to describe, define, and explain the individual weaknesses.
Current Community Contributing to the Common Weakness Enumeration
• Apple • AppSIC • Aspect Security • Booz Allen Hamilton Inc. • Cenzic • CERIAS/Purdue University • CERT/CC • Cigital • CodescanLabs • Core Security • Coverity • Fortify • Gramma Tech • IBM • Interoperability Clearing House • JHU/APL • JMU • Kestrel Technology • KDM Analytics • Klocwork • McAfee • Microsoft • MIT Lincoln Labs • MITRE • North Carolina State University • NIST • NSA • OMG • Oracle • Ounce Labs • OWASP • Palamida • Parasoft • PolySpace Technologies • proServices Corporation • SANS Institute • SecurityInnovation • Secure Software • Security University • Semantic Designs • SofCheck • SPI Dynamics • SureLogic, Inc. • Symantec • UNISYS • VERACODE • Watchfire • WASC • Whitehat Security, Inc. • Tim Newsham
To join send e-mail to [email protected]
CWE Compatibility & Effectiveness Program (launched Feb 2007)
1222
cwe.mitre.org/compatible/
Building A Common Enumeration
[Figure: how the Common Weakness Enumeration (CWE) was built, moving from Taxonomy to Dictionary to Enumeration. Inputs: Previously Published Vulnerability Taxonomy Work; Secure Software’s John Viega’s CLASP and Taxonomy; Cigital’s Gary McGraw’s Work and Taxonomy; Microsoft’s Mike Howard’s Work; OWASP’s Checklist and Taxonomy; CVE-based PLOVER Work; Fortify’s Brian Chess’s Work and Taxonomy; Klocwork’s Checklist and Taxonomy; Ounce Lab’s Taxonomy; Gramma Tech’s Checklist and Taxonomy; DHS’s SwA CBK & Acq Guide; DHS’s BSI Web site. Contributors: Kestrel Technology, NSA/CTC, Watchfire, Stanford, MIT LL, SEI, Purdue, GMU, IBM, Oracle, JMU, UC Berkeley, Unisys, Core Security, Coverity, SPI Dynamics, Parasoft, VERACODE, Security Institute, KDM Analytics, UMD, NCSU, Cenzic. Efforts building on CWE: CVE and NVD using CWEs; ISO/IEC JTC 1/SC 22's OWGV - Other Working Group on Vulnerabilities; SANS National Secure Programming Skills Assessment; SEI CERT Secure Coding Standards Effort; OWASP & WASC; DHS/NIST SAMATE Tool Assessment Reference Dataset; Center for Assured SW Reference Dataset; SwA SIG; CWE Compatibility (the CWEs that a tool finds). Goal: call & count the same, enable metrics & measurement.]
Threat Alert (CVE/CWE/CVSS/CME/CAPEC/MAEC) → Threat Analysis (CVE/CWE/CVSS/CRF/CCE/OVAL/XCCDF/CPE/CME/CAPEC/MAEC)

makingsecuritymeasurable.mitre.org