The INTERSECTION vulnerability DB - ETSI · 2009-01-14 · National Vulnerability Database NVD...


The INTERSECTION vulnerability DB

Salvatore D’Antonio – CINI

4th ETSI Security Workshop, January 13-14, 2009

The INTERSECTION Consortium

ACADEMY
• Consorzio Interuniversitario Nazionale per l’Informatica
• Lancaster University
• Fraunhofer Gesellschaft Zur Foerderung Der Angewandten Forschung
• Eidgenoessische Technische Hochschule Zuerich

INDUSTRY
• Elsag Datamat (Coordinator)
• Thales Research and Technology
• ITTI (SME)

END USERS
• Telefonica I+D (Investigación y Desarrollo)
• Telespazio
• Polska Telefonia Cyfrowa

Main objectives and principles

Identify and classify the vulnerabilities of heterogeneous and interconnected network infrastructures (wired, wireless, satellite, mobile networks)

Design and implement an integrated network security framework including different components and tools for:

• detecting anomalous events;

• reacting to well-known, as well as new, kinds of anomalies;

• deploying truly distributed countermeasures against ongoing attacks;

• providing systems with mechanisms for intrusion tolerance, i.e., preventing intrusions from generating a system failure

Create and maintain a vulnerability database

National Vulnerability Database

• NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).

• NVD is a comprehensive cyber security vulnerability database that:

  • integrates all publicly available U.S. Government vulnerability resources,

  • provides references to industry resources (Cisco Secure Encyclopedia, MS Security Database),

  • is based on and synchronized with the CVE vulnerability naming standard.

• http://nvd.nist.gov/

National Vulnerability Database

• NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.

• NVD is the U.S. government content repository for ISAP and SCAP.

• The Information Security Automation Program (ISAP) is a U.S. government multi-agency initiative to enable automation and standardization of technical security operations.

• The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation.

The SCAP protocol

• More specifically, SCAP is a suite of selected open standards that:

  • enumerate software flaws, security-related configuration issues, and product names,

  • measure systems to determine the presence of vulnerabilities,

  • provide mechanisms to rank the results of these measurements in order to evaluate the impact of the discovered security issues.

The SCAP protocol

• SCAP defines how these standards are combined. The National Vulnerability Database provides a data repository that utilizes the SCAP standards.

• The U.S. National Institute of Standards and Technology (NIST) defines how to use the open standards within the SCAP context and specifies the mappings between the SCAP enumeration standards.

• These open standards were created and are maintained by a number of different institutions, including the MITRE Corporation, the NSA, and a special interest group within the Forum of Incident Response and Security Teams (FIRST).

• NIST recommends the use of SCAP for security automation and policy compliance activities.

The SCAP standards

• SCAP is composed of the following standards:

  • Common Vulnerabilities and Exposures (CVE®)

  • Common Configuration Enumeration (CCE™)

  • Common Platform Enumeration (CPE™)

  • Common Vulnerability Scoring System (CVSS)

  • Extensible Configuration Checklist Description Format (XCCDF)

  • Open Vulnerability and Assessment Language (OVAL™)

The SCAP standards

• CVE (Common Vulnerabilities and Exposures): standard identifiers and dictionary for security vulnerabilities related to software flaws.

• CCE (Common Configuration Enumeration): standard identifiers and dictionary for system configuration issues related to security.

• CPE (Common Platform Enumeration): standard identifiers and dictionary for platform/product naming.

• XCCDF (eXtensible Configuration Checklist Description Format): standard XML for specifying checklists and for reporting results of checklist evaluation.

• OVAL (Open Vulnerability and Assessment Language): standard XML for testing procedures for security-related software flaws, configuration issues, and patches, as well as for reporting the results of the tests.

• CVSS (Common Vulnerability Scoring System): standard for conveying and scoring the impact of vulnerabilities.

The SCAP standards

Table (slide): each SCAP standard mapped to the roles Enumeration, Evaluation, Measuring, Reporting and Content. CVE, CCE, CPE and CVSS are each marked in two of these columns, XCCDF and OVAL in three; the column placement of the marks is not recoverable from the transcript.

CVE and CCE

• The Common Vulnerabilities and Exposures (CVE) standard is a list or dictionary that provides common identifiers for publicly known information security vulnerabilities and exposures. Using a common identifier makes it easier to share data across separate databases and tools. CVE ID structure: CVE-YYYY-NNNN, where YYYY is the year in which the vulnerability has been discovered and NNNN is a progressive number (e.g. CVE-2008-0001).

• The Common Configuration Enumeration (CCE) provides common identifiers to system configurations in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. CCE is primarily used to identify security-related configuration issues. For example, CCE identifiers could be used to associate checks in configuration assessment tools with statements in configuration best-practice documents.

CPE and CVSS

• The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. CPE is simply a standards-based dictionary of software product names (e.g., vendor names, product names, version numbers, and editions).

• The Common Vulnerability Scoring System (CVSS) is an open standard for assigning scores to a vulnerability that indicate its relative severity compared to other vulnerabilities. NVD publishes CVSS scores for all CVE and CCE vulnerabilities (software flaws and configuration issues).

CVSS metrics

• CVSS is composed of three metric groups: Base, Temporal, and Environmental

  • Base: represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and across user environments

  • Temporal: represents the characteristics of a vulnerability that change over time but not among user environments

  • Environmental: represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment

XCCDF and OVAL

• The Extensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists and benchmarks. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring.

• The Open Vulnerability and Assessment Language (OVAL) is an open standard XML language to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. The language standardizes the three main steps of the assessment process:

  • representing configuration information of systems for testing;

  • analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.);

  • reporting the results of this assessment.

Automated Security Measurement System

Diagram (slide): an Automated Measurement System connecting a definition of what it means to be secure, vulnerability checking tools, and the impact to the system.

INTERSECTION Vulnerability Database

• The INTERSECTION Vulnerability Database (IVD) is based on the CVE (Common Vulnerabilities and Exposures) vulnerability naming standard and uses the following SCAP (Security Content Automation Protocol) standards:

  • Common Configuration Enumeration (CCE)

  • Common Platform Enumeration (CPE)

  • Common Vulnerability Scoring System (CVSS)

INTERSECTION Vulnerability Database (2)

• The use of such standards enables automated vulnerability management, measurement, and policy compliance evaluation, and allows the INTERSECTION vulnerability database to interoperate with other databases, such as NVD (National Vulnerability Database) and OSVDB (Open Source Vulnerability Database).

• The INTERSECTION Vulnerability Database is accessible by end users, such as telecom providers and network operators. Access to the database information is available via web browser.

• IVD offers most standard database functions (browsing, querying); however, some functions will be available to registered users only.

Relational schema

IVD Home Page

Vulnerability look & feel

Vulnerability description

IVD users - 1

• IVD design specifies only two kinds of IVD users:

  • IVD Admin: person responsible for vulnerability database maintenance (approving new vulnerabilities, making or rejecting changes suggested by end users). There can be many IVD database administrators. Each of them is subscribed to the IVD mailing list, so she (or he) is notified about new vulnerabilities or end-user inquiries.

  • Plain (not registered) user: this kind of user has read rights only and cannot modify database content directly, but only via an admin. To cope with that situation, IVD provides a mailing mechanism to notify the admin about a new vulnerability (or the need for modifications) proposed by the user.

IVD users - 2

• NEW_VULNERABILITY_NOTIFICATION

  • This type of notification is generated when a user requests that a new vulnerability be added to IVD. The notification consists of:

    • detailed information about the vulnerability

    • the URL of the IVD web page where the vulnerability may be approved or rejected by the admin

    • the sender’s e-mail address

    • the user’s explanation

• USER_INQUIR_NOTIFICATION

  • This type of notification is sent when a user has doubts whether the information displayed on a web page is valid and up to date. This kind of notification is also sent when a user requests vulnerability modification or deletion.

Contact info

• http://www.intersection-project.eu

• info@intersection-project.eu

Thank you!