The INTERSECTION vulnerability DB - ETSI 2009-01-14


  • The INTERSECTION vulnerability DB

    Salvatore D'Antonio – CINI

    4th ETSI Security Workshop, January 13-14, 2009

  • The INTERSECTION Consortium

    ACADEMY • Consorzio Interuniversitario Nazionale per l'Informatica (CINI) • Lancaster University • Fraunhofer Gesellschaft zur Foerderung der Angewandten Forschung • Eidgenoessische Technische Hochschule Zuerich

    INDUSTRY • Elsag Datamat (Coordinator) • Thales Research and Technology • ITTI (SME)

    END USERS • Telefonica I+D (Investigación y Desarrollo) • Telespazio • Polska Telefonia Cyfrowa

  • Main objectives and principles

    Identify and classify the vulnerabilities of heterogeneous and interconnected network infrastructures (wired, wireless, satellite, mobile networks)

    Design and implement an integrated network security framework including different components and tools for:

    • detecting anomalous events;

    • reacting to well-known, as well as new kinds of anomalies;

    • deploying truly distributed countermeasures against ongoing attacks;

    • providing systems with mechanisms for intrusion tolerance, i.e., preventing intrusions from generating a system failure

    Create and maintain a vulnerability database

  • National Vulnerability Database

    - NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP).

    - NVD is a comprehensive cyber security vulnerability database that:

      - integrates all publicly available U.S. Government vulnerability resources,

      - provides references to industry resources (Cisco Secure Encyclopedia, MS Security Database),

      - is based on and synchronized with the CVE vulnerability naming standard.

    - http://nvd.nist.gov/

  • National Vulnerability Database

    - NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.

    - NVD is the U.S. government content repository for ISAP and SCAP.

    - The Information Security Automation Program (ISAP) is a U.S. government multi-agency initiative to enable automation and standardization of technical security operations.

    - The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation.

  • The SCAP protocol

    - More specifically, SCAP is a suite of selected open standards that

      - enumerate software flaws, security related configuration issues, and product names,

      - measure systems to determine the presence of vulnerabilities,

      - provide mechanisms to rank the results of these measurements in order to evaluate the impact of the discovered security issues.

  • The SCAP protocol

    - SCAP defines how these standards are combined. The National Vulnerability Database provides a data repository that utilizes the SCAP standards.

    - The U.S. National Institute of Standards and Technology (NIST) defines how to use the open standards within the SCAP context and specifies the mappings between the SCAP enumeration standards.

    - These open standards were created and are maintained by a number of different institutions including the MITRE Corporation, the NSA, and a special interest group within the Forum of Incident Response and Security Teams (FIRST).

    - NIST recommends the use of SCAP for security automation and policy compliance activities.

  • The SCAP standards

    - SCAP is comprised of the following standards:

      - Common Vulnerabilities and Exposures (CVE®)

      - Common Configuration Enumeration (CCE™)

      - Common Platform Enumeration (CPE™)

      - Common Vulnerability Scoring System (CVSS)

      - Extensible Configuration Checklist Description Format (XCCDF)

      - Open Vulnerability and Assessment Language (OVAL™)

  • The SCAP standards

    - CVE (Common Vulnerabilities and Exposures) - Standard identifiers and dictionary for security vulnerabilities related to software flaws.

    - CCE (Common Configuration Enumeration) - Standard identifiers and dictionary for system configuration issues related to security.

    - CPE (Common Platform Enumeration) - Standard identifiers and dictionary for platform/product naming.

    - XCCDF (eXtensible Configuration Checklist Description Format) - Standard XML for specifying checklists and for reporting results of checklist evaluation.

    - OVAL (Open Vulnerability and Assessment Language) - Standard XML for testing procedures for security related software flaws, configuration issues, and patches as well as for reporting the results of the tests.

    - CVSS (Common Vulnerability Scoring System) - Standard for conveying and scoring the impact of vulnerabilities.

  • The SCAP standards

    Role of each standard within SCAP (• = the standard serves that function):

              Enumeration   Evaluation   Measuring   Reporting   Content
    CVE            •                                                •
    CCE            •                                                •
    CPE            •                                                •
    XCCDF                        •                       •          •
    OVAL                         •                       •          •
    CVSS                                      •                     •

  • CVE and CCE

    - The Common Vulnerabilities and Exposures (CVE) standard is a list or dictionary that provides common identifiers for publicly known information security vulnerabilities and exposures. Using a common identifier makes it easier to share data across separate databases and tools. CVE ID structure: CVE-YYYY-NNNN, where YYYY is the year in which the identifier was assigned or the vulnerability was made public (not necessarily the year it was discovered) and NNNN is a sequence number (example: CVE-2008-0001). Since 2014 the sequence part may be longer than four digits, so tools that parse or sort CVE IDs must not assume a fixed-width identifier.

    - The Common Configuration Enumeration (CCE) provides common identifiers to system configurations in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. CCE is primarily used to identify security related configuration issues. For example, CCE identifiers could be used to associate checks in configuration assessment tools with statements in configuration best-practice documents.

  • CPE and CVSS

    - The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. CPE is a standards based dictionary of software product names (e.g., vendor names, product names, version numbers, and editions).

    - The Common Vulnerability Scoring System (CVSS) is an open standard for assigning scores to a vulnerability that indicate its relative severity compared to other vulnerabilities. NVD publishes CVSS scores for all CVE and CCE vulnerabilities (software flaws and configuration issues).

  • CVSS metrics

    - CVSS is composed of three metric groups: Base, Temporal, and Environmental

    - Base: represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments

    - Temporal: represents the characteristics of a vulnerability that change over time but not among user environments

    - Environmental: represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment

  • XCCDF and OVAL

    - The Extensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists and benchmarks. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring.

    - The Open Vulnerability and Assessment Language (OVAL) is an open standard XML language to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. The language standardizes the three main steps of the assessment process:

      - representing configuration information of systems for testing;

      - analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.);

      - reporting the results of this assessment.
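    XCCDF's reporting side is a TestResult element carrying one rule-result per checked rule plus a score. The Python below is an added example, not INTERSECTION or NIST code: it parses a constructed XCCDF 1.1 TestResult (invented rule ids and host name, in the 1.1 namespace that was current when the deck was written), tallies the outcomes, lists the failing rules, and recomputes the score under XCCDF's default scoring model assuming a flat benchmark with equal rule weights, so that a scanner's self-reported score can be cross-checked rather than trusted.

```python
"""Summarise an XCCDF 1.1 TestResult and cross-check its score.  Added example;
the XML document below is constructed, with hypothetical rule ids and host name."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# Constructed TestResult: two passing rules, one failing, one not applicable.
SAMPLE_RESULT = """<?xml version="1.0"?>
<TestResult xmlns="%s" id="example-result" end-time="2009-01-14T10:00:00">
  <benchmark href="example-benchmark.xml"/>
  <target>host.example</target>
  <rule-result idref="rule-password-min-length"><result>pass</result></rule-result>
  <rule-result idref="rule-disable-telnet"><result>fail</result></rule-result>
  <rule-result idref="rule-ssh-protocol-2"><result>pass</result></rule-result>
  <rule-result idref="rule-wireless-disabled"><result>notapplicable</result></rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100">66.67</score>
</TestResult>
""" % XCCDF_NS

# Outcomes that count toward the default-model score (pass/fixed = 100, others = 0);
# notapplicable, notchecked, notselected and informational are excluded entirely.
SCORED_PASS = ("pass", "fixed")
SCORED_ZERO = ("fail", "error", "unknown")

def summarize(xml_text):
    """Return outcome counts, the ids of rules needing attention, the reported
    score and a recomputed score (flat benchmark, equal weights assumed)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}TestResult" % XCCDF_NS:
        raise ValueError("expected an XCCDF 1.1 TestResult, got %s" % root.tag)
    counts, needs_attention = {}, []
    for rr in root.findall("x:rule-result", NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=NS).strip()
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome in SCORED_ZERO:
            needs_attention.append(rr.get("idref"))
    passed = sum(counts.get(o, 0) for o in SCORED_PASS)
    scored = passed + sum(counts.get(o, 0) for o in SCORED_ZERO)
    recomputed = round(100.0 * passed / scored, 2) if scored else 0.0
    score_el = root.find("x:score", NS)
    reported = float(score_el.text) if score_el is not None else None
    return {
        "target": root.findtext("x:target", default="", namespaces=NS),
        "counts": counts,
        "needs_attention": needs_attention,
        "reported_score": reported,
        "recomputed_score": recomputed,
        # A mismatch means the tool used weights or a model this check does not model.
        "score_consistent": reported is not None and abs(reported - recomputed) < 0.01,
    }

if __name__ == "__main__":
    summary = summarize(SAMPLE_RESULT)
    print(summary["target"], summary["counts"])
    print("needs attention:", summary["needs_attention"])
    print("reported", summary["reported_score"], "recomputed", summary["recomputed_score"],
          "consistent" if summary["score_consistent"] else "MISMATCH")
```

    Treating error and unknown outcomes as zero-scoring, rather than dropping them with the not-applicable rules, is deliberate: a check that could not run is not evidence of compliance, and silently excluding it inflates the score.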

  • Automated Security Measurement System

    [Diagram: an Automated Measurement System linking a definition of what it means to be secure, vulnerability checking tools, and the impact to the system]

  • INTERSECTION Vulnerability Database

    - The INTERSECTION Vulnerability Database (IVD) is based on the CVE (Common Vulnerabilities and Exposures) vulnerability naming standard and uses the following SCAP (Security Content Automation Protocol) standards:

      - Common Configuration Enumeration (CCE)

      - Common Platform Enumeration (CPE)

      - Common Vulnerability Scoring System (CVSS)

  • INTERSECTION Vulnerability Database (2)

    - The use of such standards enables automated vulnerability management, measurement, and policy compliance evaluation and allows the INTERSECTION vul