The INTERSECTION vulnerability DB - ETSI · 2009-01-14

Page 1:

The INTERSECTION vulnerability DB

Salvatore D’Antonio – CINI

4th ETSI Security Workshop, January 13-14, 2009

Page 2:

The INTERSECTION Consortium

ACADEMY
• Consorzio Interuniversitario Nazionale per l’Informatica
• Lancaster University
• Fraunhofer Gesellschaft Zur Foerderung Der Angewandten Forschung
• Eidgenoessische Technische Hochschule Zuerich

INDUSTRY
• Elsag Datamat (Coordinator)
• Thales Research and Technology
• ITTI (SME)

END USERS
• Telefonica ID Investigación y Desarrollo
• Telespazio
• Polska Telefonia Cyfrowa

Page 3:

Main objectives and principles

Identify and classify the vulnerabilities of heterogeneous and interconnected network infrastructures (wired, wireless, satellite, mobile networks)

Design and implement an integrated network security framework including different components and tools for:

• detecting anomalous events;

• reacting to well-known, as well as new kinds of anomalies;

• deploying truly distributed countermeasures against ongoing attacks;

• providing systems with mechanisms for intrusion tolerance, i.e. preventing intrusions from generating a system failure.

Create and maintain a vulnerability database

Page 4:

National Vulnerability Database

• NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).

• NVD is a comprehensive cyber security vulnerability database that:

• integrates all publicly available U.S. Government vulnerability resources,

• provides references to industry resources (Cisco Secure Encyclopedia, MS Security Database),

• is based on and synchronized with the CVE vulnerability naming standard.

• http://nvd.nist.gov/

Page 5:

National Vulnerability Database

• NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.

• NVD is the U.S. government content repository for ISAP and SCAP.

• The Information Security Automation Program (ISAP) is a U.S. government multi-agency initiative to enable automation and standardization of technical security operations.

• The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation.

Page 6:

The SCAP protocol

• More specifically, SCAP is a suite of selected open standards that:

• enumerate software flaws, security-related configuration issues, and product names,

• measure systems to determine the presence of vulnerabilities,

• provide mechanisms to rank the results of these measurements in order to evaluate the impact of the discovered security issues.

Page 7:

The SCAP protocol

• SCAP defines how these standards are combined. The National Vulnerability Database provides a data repository that utilizes the SCAP standards.

• The U.S. National Institute of Standards and Technology (NIST) defines how to use the open standards within the SCAP context and specifies the mappings between the SCAP enumeration standards.

• These open standards were created and are maintained by a number of different institutions including the MITRE Corporation, the NSA, and a special interest group within the Forum of Incident Response and Security Teams (FIRST).

• NIST recommends the use of SCAP for security automation and policy compliance activities.

Page 8:

The SCAP standards

• SCAP is comprised of the following standards:

• Common Vulnerabilities and Exposures (CVE®)

• Common Configuration Enumeration (CCE™)

• Common Platform Enumeration (CPE™)

• Common Vulnerability Scoring System (CVSS)

• Extensible Configuration Checklist Description Format (XCCDF)

• Open Vulnerability and Assessment Language (OVAL™)

Page 9:

The SCAP standards

• CVE (Common Vulnerabilities and Exposures): standard identifiers and dictionary for security vulnerabilities related to software flaws.

• CCE (Common Configuration Enumeration): standard identifiers and dictionary for system configuration issues related to security.

• CPE (Common Platform Enumeration): standard identifiers and dictionary for platform/product naming.

• XCCDF (eXtensible Configuration Checklist Description Format): standard XML for specifying checklists and for reporting results of checklist evaluation.

• OVAL (Open Vulnerability and Assessment Language): standard XML for testing procedures for security-related software flaws, configuration issues, and patches, as well as for reporting the results of the tests.

• CVSS (Common Vulnerability Scoring System): standard for conveying and scoring the impact of vulnerabilities.

Page 10:

The SCAP standards

Role of each standard (• = the standard covers that function):

Standard   Enumeration  Evaluation  Measuring  Reporting  Content
CVE        •                                              •
CCE        •                                              •
CPE        •                                              •
XCCDF                   •                      •          •
OVAL                    •                      •          •
CVSS                                •                     •

Page 11:

CVE and CCE

• The Common Vulnerabilities and Exposures (CVE) standard is a list or dictionary that provides common identifiers for publicly known information security vulnerabilities and exposures. Using a common identifier makes it easier to share data across separate databases and tools. CVE ID structure: CVE-YYYY-NNNN, where YYYY is the year in which the vulnerability has been discovered and NNNN is a progressive number (e.g. CVE-2008-0001).

• The Common Configuration Enumeration (CCE) provides common identifiers for system configurations in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. CCE is primarily used to identify security-related configuration issues. For example, CCE identifiers could be used to associate checks in configuration assessment tools with statements in configuration best-practice documents.

Page 12:

CPE and CVSS

• The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. CPE is simply a standards-based dictionary of software product names (e.g., vendor names, product names, version numbers, and editions).

• The Common Vulnerability Scoring System (CVSS) is an open standard for assigning scores to a vulnerability that indicate its relative severity compared to other vulnerabilities. NVD publishes CVSS scores for all CVE and CCE vulnerabilities (software flaws and configuration issues).
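The CVE and CPE identifier formats described on the last two slides are what let a vulnerability database such as IVD be joined to an asset inventory. The Python below is an added example, not code from the INTERSECTION project or from NVD: it parses CVE-YYYY-NNNN identifiers and CPE 2.2 URIs (the cpe:/part:vendor:product:... form NVD used at the time, where a missing trailing component means "any"), and reports which inventory entries a vulnerability's affected-product list matches. The product mappings, the example_vendor names and the CVE-2008-0002 identifier are constructed placeholders for the example, not real NVD records.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# CVE-YYYY-NNNN as described on the slide. CVE later allowed sequence numbers
# longer than four digits, so the pattern accepts four or more.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# CPE 2.2 URI components, in order (the 2.2 form is what NVD used in 2009).
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cve_id(text: str) -> tuple[int, int]:
    """Return (year, sequence) for a well-formed CVE identifier, else raise ValueError."""
    m = CVE_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"not a CVE identifier: {text!r}")
    return int(m.group(1)), int(m.group(2))


@dataclass(frozen=True)
class CPE:
    """A CPE 2.2 name; a component that is None means 'any value'."""
    part: str
    vendor: str
    product: str
    version: Optional[str] = None
    update: Optional[str] = None
    edition: Optional[str] = None
    language: Optional[str] = None


def parse_cpe(uri: str) -> CPE:
    """Parse 'cpe:/part:vendor:product[:version[:update[:edition[:language]]]]'.
    Empty or missing trailing components are treated as unspecified (None)."""
    prefix = "cpe:/"
    if not uri.startswith(prefix):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len(prefix):].split(":")
    if not 3 <= len(fields) <= len(CPE_FIELDS):
        raise ValueError(f"CPE must have 3 to 7 components: {uri!r}")
    values = [f or None for f in fields] + [None] * (len(CPE_FIELDS) - len(fields))
    part, vendor, product = values[:3]
    if part not in ("a", "h", "o") or not vendor or not product:
        raise ValueError(f"part must be a/h/o and vendor/product must be set: {uri!r}")
    return CPE(*values)


def cpe_matches(pattern: CPE, target: CPE) -> bool:
    """True when every component the pattern specifies equals the target's;
    components the pattern leaves unspecified match anything."""
    return all(
        getattr(pattern, f) is None or getattr(pattern, f) == getattr(target, f)
        for f in CPE_FIELDS
    )


# Constructed sample data: the product mappings below are invented for this
# example and are NOT the real NVD records for these CVE numbers.
SAMPLE_VULNS = {
    "CVE-2008-0001": ["cpe:/a:example_vendor:example_server:1.0",
                      "cpe:/a:example_vendor:example_server:1.1"],
    "CVE-2008-0002": ["cpe:/o:example_vendor:example_os"],
}
SAMPLE_ASSETS = [
    "cpe:/a:example_vendor:example_server:1.1:sp1",
    "cpe:/o:example_vendor:example_os:5.0",
    "cpe:/a:other_vendor:other_tool:2.0",
]


def affected_assets(vulns: dict[str, list[str]], assets: list[str]) -> dict[str, list[str]]:
    """Map each CVE to the inventory entries matched by one of its CPE patterns."""
    result: dict[str, list[str]] = {}
    inventory = [(name, parse_cpe(name)) for name in assets]
    for cve_id, patterns in vulns.items():
        parse_cve_id(cve_id)  # reject malformed identifiers before matching
        compiled = [parse_cpe(p) for p in patterns]
        hits = [name for name, cpe in inventory if any(cpe_matches(p, cpe) for p in compiled)]
        if hits:
            result[cve_id] = hits
    return result


if __name__ == "__main__":
    for cve_id, hits in affected_assets(SAMPLE_VULNS, SAMPLE_ASSETS).items():
        print(cve_id, "->", ", ".join(hits))
```

Note that the matching is deliberately one-directional: a database record that names only vendor and product matches every version in the inventory, while a record pinned to version 1.0 does not match the 1.1 asset. That asymmetry is what makes an unversioned CPE in a vulnerability record expensive for operators, since it flags every installation.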

Page 13:

CVSS metrics

• CVSS is composed of three metric groups: Base, Temporal, and Environmental

• Base: represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments

• Temporal: represents the characteristics of a vulnerability that change over time but not among user environments

• Environmental: represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment

Page 14:

XCCDF and OVAL

• The Extensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists and benchmarks. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring.

• The Open Vulnerability and Assessment Language (OVAL) is an open standard XML language to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. The language standardizes the three main steps of the assessment process:

• representing configuration information of systems for testing;

• analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.);

• reporting the results of this assessment.

Page 15:

Automated Security Measurement System

[Diagram: an Automated Measurement System fed by a definition of what it means to be secure and by vulnerability checking tools, producing the impact to the system]

Page 16:

INTERSECTION Vulnerability Database

• The INTERSECTION Vulnerability Database (IVD) is based on the CVE (Common Vulnerabilities and Exposures) vulnerability naming standard and uses the following SCAP (Security Content Automation Protocol) standards:

• Common Configuration Enumeration (CCE)

• Common Platform Enumeration (CPE)

• Common Vulnerability Scoring System (CVSS)

Page 17:

INTERSECTION Vulnerability Database (2)

• The use of such standards enables automated vulnerability management, measurement, and policy compliance evaluation, and allows the INTERSECTION vulnerability database to interoperate with other databases, such as NVD (National Vulnerability Database) and OSVDB (Open Source Vulnerability Database).

• The INTERSECTION Vulnerability Database is accessible by end-users, such as telecom providers and network operators. Access to the database information is available via web browser.

• IVD provides most standard database functionalities (browsing, querying); however, some of the functionalities will be available to registered users only.

Page 18:

Relational schema

Page 19:

IVD Home Page

Page 20:

Vulnerability look & feel

Page 21:

Vulnerability description

Page 22:

IVD users - 1

• The IVD design specifies only two kinds of IVD users:

• IVD Admin: the person responsible for vulnerability database maintenance (approving new vulnerabilities, making or rejecting changes suggested by end-users). There can be many IVD database administrators. Each of them is subscribed to the IVD mailing list so that she (or he) is notified about new vulnerabilities or end-user inquiries.

• Plain (not registered) user: this kind of user has read rights only and cannot modify database content directly, but only via an admin. To cope with that situation, IVD provides a mailing mechanism to notify the admin about a new vulnerability (or the need for modifications) proposed by the user.

Page 23:

IVD users - 2

• NEW_VULNERABILITY_NOTIFICATION

• This type of notification is generated when a user requests that a new vulnerability be added to IVD. This notification consists of:

• detailed information about the vulnerability

• the URL of the IVD web page where the vulnerability may be approved or rejected by the admin

• the sender’s e-mail address

• the user’s explanation

• USER_INQUIR_NOTIFICATION

• This type of notification is sent when a user has doubts whether the information displayed on a web page is valid and up to date. This kind of notification is also sent when a user requests vulnerability modification or deletion.

Page 24:

Contact info

• http://www.intersection-project.eu

[email protected]

Page 25:

Thank you!