Architecting Security Measurement & Management for Compliance


DESCRIPTION

The largest federal agencies are deploying new vulnerability, configuration and remediation management tools that support interoperability standards. Any organization (not just government agencies) can better measure its security and regulatory compliance by using the tools, guidelines and standards provided by the Security Content Automation Protocol (SCAP) for automating measurement and compliance evaluation, the Office of Management and Budget's FDCC mandate for securing desktops/laptops running Windows operating systems, NIST standards and more.

TRANSCRIPT

Page 1: Architecting Security Measurement & Management for Compliance

Architecting Security Measurement & Management for Compliance (i.e., Making Security Measurable)

Robert A. Martin

2:45 pm - 3:45 pm, 27 April 2008

Compliance Standards…. Sarbanes-Oxley

Page 2: Architecting Security Measurement & Management for Compliance

Cyber Threats to the Enterprise

Source: 2007 InformationWeek/Accenture Global Information Security Survey, published July 16, 2007

Page 3: Architecting Security Measurement & Management for Compliance

Many Types of Attacks…

• against known vulnerabilities in OS & packaged applications; against mis-configured systems; against unknown vulnerabilities in developed apps; attacks are aimed at databases, applications, and web sites

Need to Master Many Technologies

• firewalls; anti-virus; anti-spyware; application firewalls; Intrusion Detection Systems (IDS); Security Integration Management Systems (SIMS); vulnerability scans; patching systems

Source: 2007 InformationWeek/Accenture Global Information Security Survey, published July 16, 2007

Page 4: Architecting Security Measurement & Management for Compliance

More Vulnerable Because of…

• exposed backend & homegrown apps; increased sophistication & volume of attacks; more malicious intent; lack of senior attention; incompatible security products; unable to adapt policies/configuration rules; outsourcing

Source: 2007 InformationWeek/Accenture Global Information Security Survey, published July 16, 2007

Page 5: Architecting Security Measurement & Management for Compliance

Real Enterprise Networks

[Figure: Information Technology-Based Business Capabilities As Conceived]

Page 6: Architecting Security Measurement & Management for Compliance

Reality

Cyber Threats Emerged Over Time

[Figure: Attack Sophistication plotted against Intruder Knowledge over the 1980's, 1990's, 2000's and 2010's. Attack techniques labelled on the timeline: password guessing; exploiting known vulnerabilities; password cracking; burglaries; packet spoofing; Internet social engineering attacks; disabling audits; back doors; sniffers; network mgmt. diagnostics; www attacks; GUI intruder tools; hijacking sessions; automated probes/scans; techniques to analyze code for vulnerabilities without source code; widespread denial-of-service attacks; binary encryption; email propagation of malicious code; “stealth”/advanced scanning techniques; widespread attacks using NNTP to distribute attack; widespread attacks on DNS infrastructure; executable code attacks (against browsers); automated widespread attacks; DDoS attacks; increase in wide-scale Trojan horse distribution; Windows-based remote controllable Trojans (Back Orifice); distributed attack tools; anti-forensic techniques; home users targeted; increase in tailored worms; sophisticated command & control; diffuse spyware.]

Page 7: Architecting Security Measurement & Management for Compliance

Solutions Also Emerged Over Time

[Figure: the same Attack Sophistication versus Intruder Knowledge timeline (1980's through 2010's) as on the previous slide, reused to show when the corresponding solutions emerged.]

Like Security - Networks Evolved

Each new solution had to integrate with the existing solutions -->> every enterprise ends up with a “unique” tapestry of solutions

Page 8: Architecting Security Measurement & Management for Compliance

But A More Supportable Solution Is Possible with Standards and Architecture Principles

Each Enterprise has its own tapestry of security solutions, processes, and data needs

Page 9: Architecting Security Measurement & Management for Compliance

Architecting Security

[Figure: the functional areas a security architecture has to cover: Asset Management, Vulnerability Management, Configuration Management, Threat Management, System Development, System Certification, Intrusion Detection, Incident Management, Change Control / Change Management, Central Reporting.]

In Summary: Today Every Organization Has a Different Way of Doing Cyber Security…

• Cyber security, tools, practices and technology have evolved dramatically over the last 10 years

• The result has been that most enterprises have been buying each new tool & training their people on it & integrating it as they realize they need to address a new area of Cyber Security…

• Then they buy another tool & train their people on that one too & integrate it with the other tools…

• Repeat for each “type” of security tool/challenge that appears…

• Result - each organization has a different tapestry of tools/processes integrated together trying to do the Cyber Security job…
– Assets, Configuration, Vulnerabilities, Patches, Intrusions, Malware, Malicious Code, etc.

Instead we should be architecting our security measurement and management method and get tools to implement and support it.

Page 10: Architecting Security Measurement & Management for Compliance

What Do The Building Blocks for “Architecting Security” Look Like?

• Standard ways for enumerating “things we care about”

• Languages/Formats for encoding/carrying high fidelity content about the “things we care about”

• Repositories of this content for use in communities or individual organizations

• Adoption/branding and vetting programs to encourage adoption by tools and services

The Building Blocks Are:

• Enumerations – Catalog the fundamental entities in IA, Cyber Security, and Software Assurance
– Vulnerabilities (CVE), misconfigurations (CCE), software packages (CPE), malware (CME), attack patterns (CAPEC), weaknesses in code/design/architecture (CWE)

• Languages/Formats – Support the creation of machine-readable state assertions, assessment results, and messages
– Configuration/vulnerability/patch/asset patterns (XCCDF & OVAL), results from standards-based assessments (CRF), software security patterns (SBVR), event patterns (CEE), malware patterns (MAEC), risk of a vulnerability (CVSS), information messages (CAIF & *DEF)

• Knowledge Repositories – Packages of assertions supporting a specific application
– Vulnerability advisories & alerts (US-CERT Advisories/IAVAs), configuration assessment (NIST Checklists, CIS Benchmarks, NSA Configuration Guides, DISA STIGS), asset inventory (NIST/DHS NVD), code assessment & certification (NIST SAMATE, DoD DIACAP & eMASS)

• Tools – Interpret IA, Cyber Security, and SwA content in context of enterprise network
– Methods for assessing compliance to languages, formats, and enumerations

Page 11: Architecting Security Measurement & Management for Compliance

[Figure: Configuration Guidance from the Knowledge Repositories feeds Configuration Guidance Analysis within the Operations Security Management Processes, which act on the Operational Enterprise Networks; supporting functions shown are Centralized Reporting, Enterprise IT Change Management and Enterprise IT Asset Management.]

Page 12: Architecting Security Measurement & Management for Compliance

[Figure: the full reference architecture, labelled Mitigating Risk Exposures and Responding to Security Threats, showing which enumerations and languages each function exchanges.]

Operations Security Management Processes (acting on the Operational Enterprise Networks):

  Asset Inventory                   CPE/OVAL/CRF
  Configuration Guidance Analysis   CCE/OVAL/CRF/XCCDF/CPE
  Vulnerability Analysis            CVE/CWE/CVSS/CRF/CCE/OVAL/XCCDF/CPE
  Threat Analysis                   CVE/CWE/CVSS/CRF/CCE/OVAL/XCCDF/CPE/CME/CAPEC/MAEC
  Intrusion Detection               CVE/CWE/CVSS/CRF/CCE/OVAL/XCCDF/CPE/CME/CAPEC/MAEC/CEE
  Incident Management               CAIF/IDMEF/IODEF/CVE/CWE/OVAL/CPE/CME/MAEC/CEE/CRF

Knowledge Repositories feeding those processes:

  Asset Definition                  CPE/OVAL
  Configuration Guidance            XCCDF/OVAL/CCE
  Vulnerability Alert               CVE/CWE/OVAL/CVSS
  Threat Alert                      CVE/CWE/CVSS/CME/CAPEC/MAEC
  Incident Report                   (incident message formats as for Incident Management above)

Development & Sustainment Security Management Processes: System & Software Assurance Guidance/Requirements; Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation (labelled with CWE/CAPEC/SBVR/MAEC and OVAL/XCCDF/CCE/CPE/CRF)

Centralized Reporting, Enterprise IT Change Management and Enterprise IT Asset Management: CVE/CWE/CVSS/CCE/OVAL/XCCDF/CPE/CME/CAPEC/MAEC/CEE/CRF

Page 13: Architecting Security Measurement & Management for Compliance

[Figure detail: Vulnerability Alert (CVE/CWE/OVAL/CVSS) feeding Vulnerability Analysis (CVE/CWE/CVSS/CCE/OVAL/CRF/XCCDF/CPE), alongside Configuration Guidance Analysis (CCE/OVAL/CRF/XCCDF/CPE).]

Common Vulnerabilities and Exposures (CVE)

• CVE: Enabling fast, accurate correlation of vulnerability information across the security industry

• Key tenets
– one identifier for one vulnerability
– dictionary of standardized descriptions for vulnerabilities and exposures
– publicly accessible for review or download from the Internet
– international scope
– industry participation in open forum (editorial board)
– compatibility program for products & services

Foundation for NIST NVD Program

Page 14: Architecting Security Measurement & Management for Compliance

Difficult to Integrate Information on Vulnerabilities and Exposures

[Figure: Security Advisories, Vulnerability Scanners, Software Vendor Patches, Intrusion Detection Systems, Priority Lists, Incident Response & Reporting, Vulnerability Web Sites & Databases and Research, with every cross-reference between them shown as “?????”.]

Finding and sharing vulnerability information has been difficult: The Same Problem, Different Names

Organization   Name
CERT           CA-96.06.cgi_example_code
CyberSafe      Network: HTTP ‘phf’ Attack
ISS            http-cgi-phf
AXENT          phf CGI allows remote command execution
Bugtraq        PHF Attacks – Fun and games for the whole family
BindView       #107 – cgi-phf
Cisco          #3200 – WWW phf attack
IBM ERS        Vulnerability in NCSA/Apache Example Code
CERIAS         http_escshellcmd
NAI            #10004 - WWW phf check

Which has been caused by the rule, “Whoever finds it, names it”

The adoption of CVE Names by the Security Community addresses this problem

Along with the rule, “Whoever finds it, gets a CVE name for it”
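The table above, worked through in code as an added example (not from the slides): each source's finding carries its own name, so correlating by name produces one "issue" per source, while correlating by the shared CVE name collapses them to the single phf vulnerability. The findings list is constructed from the slide's table (the CVE name is the one shown on the next slide); the HomegrownScanner entry is a constructed source that has not adopted CVE names, to show that unmapped findings cannot be merged.

```python
from collections import defaultdict

# Constructed from the slide's "Same Problem, Different Names" table.
FINDINGS = [
    {"source": "CERT", "name": "CA-96.06.cgi_example_code", "cve": "CVE-1999-0067"},
    {"source": "CyberSafe", "name": "Network: HTTP 'phf' Attack", "cve": "CVE-1999-0067"},
    {"source": "ISS", "name": "http-cgi-phf", "cve": "CVE-1999-0067"},
    {"source": "AXENT", "name": "phf CGI allows remote command execution", "cve": "CVE-1999-0067"},
    {"source": "Bugtraq", "name": "PHF Attacks - Fun and games for the whole family", "cve": "CVE-1999-0067"},
    {"source": "BindView", "name": "#107 - cgi-phf", "cve": "CVE-1999-0067"},
    {"source": "Cisco", "name": "#3200 - WWW phf attack", "cve": "CVE-1999-0067"},
    {"source": "IBM ERS", "name": "Vulnerability in NCSA/Apache Example Code", "cve": "CVE-1999-0067"},
    {"source": "CERIAS", "name": "http_escshellcmd", "cve": "CVE-1999-0067"},
    {"source": "NAI", "name": "#10004 - WWW phf check", "cve": "CVE-1999-0067"},
    # Constructed: a source that has not adopted CVE names yet.
    {"source": "HomegrownScanner", "name": "phf-check-42", "cve": None},
]


def correlate(findings, key):
    """Group findings by the given field ("name" or "cve").

    A finding that lacks the field is kept in its own group under
    source:name, because nothing asserts it is the same issue as any other.
    Returns {group key: [sources reporting it]}.
    """
    groups = defaultdict(list)
    for f in findings:
        k = f.get(key) or f"{f['source']}:{f['name']}"
        groups[k].append(f["source"])
    return dict(groups)


def distinct_issue_count(findings, key):
    """How many separate issues an analyst sees when correlating by `key`."""
    return len(correlate(findings, key))


if __name__ == "__main__":
    print("by source name:", distinct_issue_count(FINDINGS, "name"))   # one per source
    print("by CVE name:   ", distinct_issue_count(FINDINGS, "cve"))    # phf plus the unmapped one
    print(correlate(FINDINGS, "cve"))
```

The unmapped finding is the practical caveat: CVE only correlates what has been mapped, so a tool's coverage of CVE names (which is what the compatibility program vets) decides how much of this collapse an enterprise actually gets.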

Page 15: Architecting Security Measurement & Management for Compliance

The CVE List provides a path for integrating information on Vulnerabilities and Exposures

[Figure: the same sources as the previous slide (Security Advisories, Vulnerability Scanners, Software Vendor Patches, Intrusion Detection Systems, Priority Lists, Incident Response & Reporting, Vulnerability Web Sites & Databases, Research), now all cross-referenced through one name: CVE-1999-0067.]

Where the CVE Items Come From

[Figure: Legacy Submissions (~ pre-1999, from AXENT, BindView, Harris, Cisco, CERIAS, Hiverworld, SecurityFocus, ISS, NAI, Symantec, Nessus) populate the Vulnerability Databases; New Submissions (650–800 per month, from ISS, SecurityFocus, Neohapsis, NIPC CyberNotes) arrive as Alerts & Advisories w/candidates; New Public Vulnerabilities w/candidates (40–150 per month) and Zero Day Public Vulnerabilities go to the CVE Content Team; items with unique CVE Names (~29,275) are reviewed by the CVE Editorial Board.]

Page 16: Architecting Security Measurement & Management for Compliance

CVE Compatibility Program (as of 22 Feb 2008)

cve.mitre.org/compatible/

Now at 281 products and services from 159 organizations

[Figure: logos of compatible organizations, including Computer Associates and IBM/ISS]

Page 17: Architecting Security Measurement & Management for Compliance

An NVD Entry

nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0952

Common Vulnerability Scoring System

www.first.org/cvss/

Page 18: Architecting Security Measurement & Management for Compliance

[Figure detail: Configuration Guidance (XCCDF/OVAL/CCE) feeding Configuration Guidance Analysis (CCE/OVAL/CRF/XCCDF/CPE), alongside Asset Inventory (CPE/OVAL/CRF).]

Open Vulnerability and Assessment Language (OVAL)

• OVAL Language
– express specific machine states
– standardize the transfer of information
– XML based, defined by XML Schema
– compatibility program for products & services

• OVAL Repository
– promote open and publicly available content
– central meeting place

• open community standard
– to facilitate sharing
– open up the details
– utilize community expertise

Foundation for NIST SCAP Program

Page 19: Architecting Security Measurement & Management for Compliance

OVAL Board / OVAL Schema

Three separate XML schemas
– OVAL System Characteristics Schema
– OVAL Definition Schema
– OVAL Results Schema

Schema structure
– core schema
– individual component schemas

Natural for software authors to provide expertise in shaping these schemas.

The Language

[Figure: Vulnerability Assessment, Security Bulletin, Configuration Guide, Asset Description, Asset Management and Report Generation content all expressed in OVAL XML, drawing on the same system details: Registry, Files, RPMs, Processes.]

Page 20: Architecting Security Measurement & Management for Compliance

[Figure: OVAL content flow. An Expert in the Field writes an OVAL Definition and contributes it to the OVAL Community. Configuration Management, Vulnerability Assessment, Compliance Checker, Assessment Tool and Remediation Tool products consume OVAL Definitions and produce OVAL Results and OVAL System Characteristics (OVAL SC). Those results and characteristics feed a Security Information Management (SIM) tool and its database, and support Centralized Audit Validation.]

Page 21: Architecting Security Measurement & Management for Compliance

SCAP Languages Requirements

Guidance Structure and Customization
– Collect, structure, and organize guidance
– Score and track general compliance
– Define tests to check compliance
– Support guidance tailoring and customization

End-System Assessment
– Define system-specific tests of system state
– Characterize low-level system state

Page 22: Architecting Security Measurement & Management for Compliance

XCCDF-OVAL-CCE Connection

XCCDF (the rule, carrying its CCE reference and a check that names the OVAL definition):

  <Rule id="RequireCTRL_ALT_DEL">
    <title>Require CTRL_ALT_DEL</title>
    <reference>CCE-Winv2.0-390</reference>
    <Check>oval:gov.nist.1:def:69</Check>
  </Rule>

OVAL (the definition the check points at):

  <definition id="oval:gov.nist.1:def:69">
    <metadata>
      <Title>Interactive logon: Require CTRL+ALT+DEL</Title>
      <Description>Disabling the Ctrl+Alt+Del security attention sequence can compromise …</Description>
      Affected platform: Windows family, Windows XP, SP2, 32 bit
    </metadata>
    <criteria>
      registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD = 0
    </criteria>
  </definition>
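The chain on this slide, walked end to end as an added example (not from the slides or from any SCAP tool): an XCCDF rule names a CCE and an OVAL definition, the OVAL definition names a registry value and its expected setting, and the evaluator reads that value from a system snapshot. The XML is a deliberately simplified stand-in for real XCCDF/OVAL (no namespaces, one flattened registry check per definition; the registry_check element and the Orphan rule are this example's own), and the registry snapshots are constructed.

```python
import xml.etree.ElementTree as ET

# Simplified XCCDF: ids, CCE reference and OVAL id are the ones on the slide;
# the second rule is constructed to show a check that cannot be resolved.
XCCDF_XML = """<Benchmark>
  <Rule id="RequireCTRL_ALT_DEL">
    <title>Require CTRL_ALT_DEL</title>
    <reference>CCE-Winv2.0-390</reference>
    <check>oval:gov.nist.1:def:69</check>
  </Rule>
  <Rule id="Orphan">
    <title>Constructed rule whose OVAL definition is missing</title>
    <check>oval:example.test:def:1</check>
  </Rule>
</Benchmark>"""

# Simplified OVAL: registry_check is a flattened stand-in for the real
# registry_test / registry_object / registry_state triple.
OVAL_XML = r"""<oval_definitions>
  <definition id="oval:gov.nist.1:def:69">
    <title>Interactive logon: Require CTRL+ALT+DEL</title>
    <registry_check hive="HKLM"
      key="Software\Microsoft\Windows\CurrentVersion\Policies\System"
      name="DisableCAD" expected="0"/>
  </definition>
</oval_definitions>"""


def load_definitions(oval_xml):
    """Index OVAL definitions: id -> (hive, key, value name, expected value)."""
    defs = {}
    for d in ET.fromstring(oval_xml).iter("definition"):
        chk = d.find("registry_check")
        defs[d.get("id")] = (chk.get("hive"), chk.get("key"), chk.get("name"), chk.get("expected"))
    return defs


def evaluate_definition(spec, registry):
    """OVAL-style truth value for one registry check.

    OVAL's default existence check treats a value that is not present as a
    failed test (the object did not exist), so an absent DisableCAD does not
    pass silently; it must be set to 0 to pass.
    """
    hive, key, name, expected = spec
    actual = registry.get((hive, key, name))
    if actual is None:
        return "false"
    return "true" if str(actual) == expected else "false"


def evaluate_benchmark(xccdf_xml, oval_xml, registry):
    """Return {rule id: {"cce", "oval", "result"}} with result pass|fail|notchecked.

    XCCDF maps an OVAL 'true' to pass and 'false' to fail; a check that names
    a definition the OVAL content does not contain is reported here as notchecked.
    """
    defs = load_definitions(oval_xml)
    report = {}
    for rule in ET.fromstring(xccdf_xml).iter("Rule"):
        oval_id = rule.findtext("check")
        if oval_id not in defs:
            result = "notchecked"
        else:
            result = "pass" if evaluate_definition(defs[oval_id], registry) == "true" else "fail"
        report[rule.get("id")] = {"cce": rule.findtext("reference"), "oval": oval_id, "result": result}
    return report


SYSTEM_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"

# Constructed registry snapshots, keyed by (hive, key, value name).
COMPLIANT = {("HKLM", SYSTEM_KEY, "DisableCAD"): 0}
NONCOMPLIANT = {("HKLM", SYSTEM_KEY, "DisableCAD"): 1}
VALUE_ABSENT = {}

if __name__ == "__main__":
    for label, reg in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT), ("absent", VALUE_ABSENT)):
        print(label, evaluate_benchmark(XCCDF_XML, OVAL_XML, reg))
```

The report keeps the CCE and OVAL ids next to each result, which is what lets a central reporting function aggregate findings from different checkers: two tools that both report CCE-Winv2.0-390 as failed are talking about the same setting, whatever they call the rule internally.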

OVAL Compatibility Program (version 5 launched June 2006)

oval.mitre.org/compatible/

Page 23: Architecting Security Measurement & Management for Compliance

[Figure detail: the Development & Sustainment side of the architecture: System Assurance Guidance/Mandates/Requirements, and Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation, labelled with OVAL/XCCDF/CCE/CPE/CRF and CWE/CAPEC/SBVR.]

Page 24: Architecting Security Measurement & Management for Compliance

Common Weakness Enumeration (CWE)

• dictionary of weaknesses
– weaknesses that can lead to exploitable vulnerabilities (i.e. CVEs)
– the things we don’t want in our code, design, or architecture
– web site with XML of content, sources of content, and process used

• structured views
– currently provide hierarchical view into CWE dictionary content
– will evolve to support alternate views

• open community process
– to facilitate common terms/concepts/facts and understanding
– allows for vendors, developers, system owners and acquirers to understand tool capabilities/coverage and priorities
– utilize community expertise

Foundation for other DHS, NSA, OSD, NIST, OWASP, SANS, SEI, and OMG SwA Efforts

[Figure: Vulnerability Type Trends: A Look at the CVE List (2001 - 2006)]

Page 25: Architecting Security Measurement & Management for Compliance

Removing and Preventing the Vulnerabilities Requires More Specific Definitions… CWEs

Cross-site scripting (XSS) (79)
• Basic XSS (80)
• XSS in error pages (81)
• Script in IMG tags (82)
• XSS using Script in Attributes (83)
• XSS using Script Via Encoded URI Schemes (84)
• Doubled character XSS manipulations, e.g. '<<script' (85)
• Invalid Characters in Identifiers (86)
• Alternate XSS syntax (87)
• Mobile Code: Invoking untrusted mobile code (494)

Buffer Errors (119)
• Unbounded Transfer (classic overflow) (120)
• Write-what-where condition (123)
• Boundary beginning violation ('buffer underwrite') (124)
• Out-of-bounds Read (125)
• Wrap-around error (128)
• Unchecked array indexing (129)
• Length Parameter Inconsistency (130)
• Other length calculation error (131)
• Miscalculated null termination (132)
• String Errors (133)
• Often Misused: Path Manipulation (249)

Relative Path Traversal (22)
• Path Issue - dot dot slash - '../filedir' (24)
• Path Issue - leading dot dot slash - '/../filedir' (25)
• Path Issue - leading directory dot dot slash - '/directory/../filename' (26)
• Path Issue - directory doubled dot dot slash - 'directory/../../filename' (27)
• Path Issue - dot dot backslash - '..\filename' (28)
• Path Issue - leading dot dot backslash - '\..\filename' (29)
• Path Issue - leading directory dot dot backslash - '\directory\..\filename' (30)
• Path Issue - directory doubled dot dot backslash - 'directory\..\..\filename' (31)
• Path Issue - triple dot - '...' (32)
• Path Issue - multiple dot - '....' (33)
• Path Issue - doubled dot dot slash - '....//' (34)
• Path Issue - doubled triple dot slash - '.../...//' (35)

[Figure: the source taxonomies CWE draws together: 7 Kingdoms, CLASP, Microsoft, PLOVER, OWASP, Protection Analysis, RISOS, Weber, Bishop, Landwehr, Aslam, WASC, Tool A, Tool B.]
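Why the path-traversal entries are enumerated this finely, as an added example (not from the slides): the doubled-dot variants (CWE-34, CWE-35) exist because a one-pass filter that strips "../" turns them back into plain "../", so a check has to confine the resolved path rather than pattern-match the input. The code below puts that naive filter next to a base-directory confinement check and runs the slide's own variants through it. The base directory, the allow-list and the sample file names are constructed, and the variants are keyed by the CWE ids on the slide.

```python
import posixpath
import re

BASE = "/srv/app/files"                                   # constructed base directory
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")  # constructed allow-list

# The Relative Path Traversal variants listed on the slide, keyed by CWE id.
SLIDE_VARIANTS = {
    24: "../filedir",
    25: "/../filedir",
    26: "/directory/../filename",
    27: "directory/../../filename",
    28: "..\\filename",
    29: "\\..\\filename",
    30: "\\directory\\..\\filename",
    31: "directory\\..\\..\\filename",
    32: "...",
    33: "....",
    34: "....//",
    35: ".../...//",
}


def naive_strip(path):
    """The one-pass filter CWE-34/35 describe: removes each '../' once, so
    '....//' and '.../...//' collapse to '../' and still traverse."""
    return path.replace("../", "")


def safe_join(base, user_path):
    """Confine user_path under base and return the resolved path.

    Rejects absolute paths, any dot-only segment ('..', '...', '....'),
    segments outside the allow-list, and anything whose normalised form
    leaves base. Backslashes are treated as separators so the Windows
    variants (CWE-28 to CWE-31) get the same treatment.
    """
    rel = user_path.replace("\\", "/")
    if rel.startswith("/"):
        raise ValueError("absolute path rejected")            # CWE-25, 26, 29, 30
    segments = [s for s in rel.split("/") if s not in ("", ".")]
    if not segments:
        raise ValueError("empty path rejected")
    for seg in segments:
        if set(seg) == {"."}:
            raise ValueError(f"dot-only segment {seg!r} rejected")  # CWE-24, 27, 28, 31 to 35
        if not SAFE_SEGMENT.fullmatch(seg):
            raise ValueError(f"segment {seg!r} outside allow-list")
    full = posixpath.normpath(posixpath.join(base, *segments))
    if posixpath.commonpath([base, full]) != base:             # defence in depth
        raise ValueError("path escapes base")
    return full


def audit_variants(variants=SLIDE_VARIANTS):
    """Map CWE id -> 'rejected', or the path the check would have allowed."""
    report = {}
    for cwe, path in variants.items():
        try:
            report[cwe] = safe_join(BASE, path)
        except ValueError:
            report[cwe] = "rejected"
    return report


if __name__ == "__main__":
    print("naive filter leaves:", naive_strip("....//private/keys.txt"))
    print(audit_variants())
    print(safe_join(BASE, "reports/2008/q1.txt"))
```

The value of the enumeration for a defender is in the last function: a tool that claims CWE-22 coverage can be asked which of the child ids it actually exercises, and a test set keyed by those ids is what makes two tools' claims comparable.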

Page 26: Architecting Security Measurement & Management for Compliance

Using A Unilateral NDA with MITRE to Bring in Info

Purpose:

• Sharing the proprietary/company confidential information contained in the underlying Knowledge Repository of the Knowledge Owner’s Capability for the sole purpose of establishing a public Common Weakness Enumeration (CWE) dictionary that can be used by vendors, customers, and researchers to describe software, design, and architecture related weaknesses that have security ramifications.

• The individual contributions from numerous organizations, based on their proprietary/company-confidential information, will be combined into a consolidated collection of weakness descriptions and definitions with the resultant collection being shared publicly.

• The consolidated collection of knowledge about weaknesses in software, design, and architecture will make no reference to the source of the information used to describe, define, and explain the individual weaknesses.

Current Community Contributing to the Common Weakness Enumeration

• Apple
• AppSIC
• Aspect Security
• Booz Allen Hamilton Inc.
• Cenzic
• CERIAS/Purdue University
• CERT/CC
• Cigital
• CodescanLabs
• Core Security
• Coverity
• Fortify
• Gramma Tech
• IBM
• Interoperability Clearing House
• JHU/APL
• JMU
• Kestrel Technology
• KDM Analytics
• Klocwork
• McAfee
• Microsoft
• MIT Lincoln Labs
• MITRE
• North Carolina State University
• NIST
• NSA
• OMG
• Oracle
• Ounce Labs
• OWASP
• Palamida
• Parasoft
• PolySpace Technologies
• proServices Corporation
• SANS Institute
• SecurityInnovation
• Secure Software
• Security University
• Semantic Designs
• SofCheck
• SPI Dynamics
• SureLogic, Inc.
• Symantec
• UNISYS
• VERACODE
• Watchfire
• WASC
• Whitehat Security, Inc.
• Tim Newsham

To join send e-mail to [email protected]

Page 27: Architecting Security Measurement & Management for Compliance

CWE Compatibility & Effectiveness Program (launched Feb 2007)

cwe.mitre.org/compatible/

Building A Common Enumeration

[Figure: the inputs consolidated into the Common Weakness Enumeration (CWE) dictionary and taxonomy: Previously Published Vulnerability Taxonomy Work; Secure Software’s John Viega’s CLASP and Taxonomy; Cigital’s Gary McGraw’s Work and Taxonomy; Microsoft’s Mike Howard’s Work and Taxonomy; OWASP’s Checklist and Taxonomy; CVE-based PLOVER Work; Fortify’s Brian Chess’s Work and Taxonomy; Klocwork’s Checklist and Taxonomy; Ounce Lab’s Taxonomy; Gramma Tech’s Checklist and Taxonomy; DHS’s BSI Web site; DHS’s SwA CBK & Acq Guide; with contributions from Kestrel Technology, NSA/CTC, Watchfire, Stanford, MIT LL, SEI, Purdue, GMU, IBM, Oracle, JMU, UC Berkeley, Unisys, Core Security, Coverity, SPI Dynamics, Parasoft, VERACODE, Security Institute, KDM Analytics, UMD, NCSU and Cenzic. Efforts that build on CWE: CVE and NVD using CWEs; ISO/IEC JTC 1/SC 22's OWGV - Other Working Group on Vulnerabilities; SANS National Secure Programming Skills Assessment; SEI CERT Secure Coding Standards Effort; OWASP & WASC; DHS/NIST SAMATE Tool Assessment Reference Dataset; Center for Assured SW Reference Dataset; SwA SIG; CWE Compatibility (the CWEs that a Tool finds), so that tools call & count the same and enable metrics & measurement.]

Page 28: Architecting Security Measurement & Management for Compliance

[Figure detail: Threat Alert (CVE/CWE/CVSS/CME/CAPEC/MAEC) feeding Threat Analysis (CVE/CWE/CVSS/CRF/CCE/OVAL/XCCDF/CPE/CME/CAPEC/MAEC).]

Page 29: Architecting Security Measurement & Management for Compliance

[makingsecuritymeasurable.mitre.org]

Robert A. Martin
Architecting Security Measurement & Management for Compliance

2:45 pm - 3:45 pm, 27 April 2008