Course 1 Learning Plan • Security overview and patching • Public vulnerability databases and resources • Secure software engineering • Security assessment and testing • Resource management • Trust management
Public Resources: Learning Objectives • Become familiar with vulnerability databases and online secure programming resources • Know how to use them • Know which ones to select and consult • Know how CVE numbers are used
Public Resources • Why and for whom • Governmental and academic • Security vendor resources • Books
Why should you know about these resources? • For insight into how vulnerabilities get tracked • For situational awareness • Be ready to answer queries from customers who also saw that information • Get notification of vulnerabilities pertinent to your product • As a backup (should be rare) • The situation where developers learn first about a vulnerability through public sources should be covered in an organization's policy
Why should you know about these resources? (Cont.) • To proactively prevent vulnerabilities in your product by being informed about vulnerabilities in other products • Learn from other people's mistakes • For reference • For additional sources on best programming and software engineering practices • So you can grow and learn more about secure programming on your own • For other examples and ideas
Who should use them? • Vulnerability response coordinators or IT security (check policies) • At least one person from each team • Any developer or architect interested in learning more • Note that this material is insufficient for high assurance systems such as those with an Evaluation Assurance Level (EAL) of 5 or more (EALs will be discussed later)
Parts: Governmental and Academic Resources • MITRE's CVE • NIST's ICAT • Cassandra • CERT/CC • US-CERT • NIST documents • Secure programming howtos
MITRE's CVE • Common Vulnerabilities and Exposures • http://cve.mitre.org • "A list of standardized names for vulnerabilities and other information security exposures — CVE aims to standardize the names for all publicly known vulnerabilities and security exposures." • CVE names are unique, standard names to be used by CERTs, vulnerability databases, intrusion detection systems, etc. to identify vulnerabilities
CVE Quality Assurance Process • MITRE employees gather information • Check for duplicates • That it is a real issue • often request vendor confirmation • That it is only one issue • That the description is correct • Can take weeks, but severe issues are given priority • Researchers and vendors can reserve CVE numbers ahead of time so that their announcements and advisories include a unique identifier
CVE Names • Two-state name system • Candidates (name is CAN-year-number) • Candidates need votes from editors to become mature • Editors from industry, government and academia • Voting can take months • Mature entries (name is CVE-year-number) • Entries renamed from CAN to CVE keep the same year and number if there were no problems
CVE Searches • Search by keyword or CVE name • Keywords are "translated" without the user's knowledge or control • Results are often not what you would expect
Search Results for "Symantec" • Search engine is limited and results are inconsistent with those of other CVE-based tools • Description is very short, barely long enough to identify the issue N.B.: Symantec is used only for this example. Other companies will be used for other examples, in an effort to provide an overall vendor-neutral sampling. Nothing else is meant or implied by the choices.
CVE Download • CVE web site has versions in these formats: • HTML • Text • Comma-separated • MySQL format available elsewhere • http://www.cerias.purdue.edu/homes/pmeunier/CVEdump.sql • updated daily
CVE Change Log (CERIAS) • For people maintaining vulnerability databases • For day-to-day monitoring of the CVE • https://cassandra.cerias.purdue.edu/CVE_changes/ • Example: • date: 2004-03-18 • New candidate entries: 2004-0079, 2004-0081, 2004-0112, 2004-0236, 2004-0237, 2004-0238, 2004-0239, 2004-0240 (...)
Exercise • Point your browser to cve.mitre.org • What is the number of the first vulnerability in 2004? • Make sure to type "2004-0001" with the correct number of zeros! • What operating system was involved in the first vulnerability of 2004? • What stage is it in? • Search for vulnerabilities in products from a company you know • Look at the entries returned, and the CVE web site FAQs. Why are there missing results? • What if the company name is not in the description?
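The two-state naming scheme (CAN-year-number becoming CVE-year-number with the same year and number), the four-digit zero padding the exercise warns about, and the CERIAS change-log layout can all be handled by a small parser. This is an added example, not code from the course or from MITRE/CERIAS; the change-log text is constructed to mirror the slide, and treating a bare "year-number" as a candidate is an assumption.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Two-state naming: CAN-year-number for candidates, CVE-year-number for mature
# entries.  Year and number are both 4 digits ("2004-0001", not "2004-1").
NAME_RE = re.compile(r"^(?P<state>CAN|CVE)-(?P<year>\d{4})-(?P<num>\d{4})$")
BARE_RE = re.compile(r"^\d{4}-\d{4}$")

@dataclass(frozen=True)
class CveName:
    state: str   # "CAN" (candidate) or "CVE" (mature entry)
    year: int
    number: int

    def __str__(self) -> str:
        return f"{self.state}-{self.year:04d}-{self.number:04d}"

    def promoted(self) -> CveName:
        """A candidate accepted by the editors keeps its year and number."""
        return CveName("CVE", self.year, self.number)

def parse_name(text: str) -> CveName | None:
    """Parse a name, or return None if malformed; a bare 'year-number' (as in the change log) is assumed to be a candidate."""
    text = text.strip().upper()
    if BARE_RE.match(text):
        text = "CAN-" + text
    m = NAME_RE.match(text)
    return CveName(m["state"], int(m["year"]), int(m["num"])) if m else None

def parse_change_log(log: str) -> dict[str, list[CveName]]:
    """Group the candidate names listed under each 'date:' line."""
    entries: dict[str, list[CveName]] = {}
    current = None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("date:"):
            current = line[len("date:"):].strip()
            entries[current] = []
        elif current is not None and BARE_RE.match(line):
            entries[current].append(parse_name(line))
    return entries

# Constructed sample in the layout of the CERIAS change-log slide.
SAMPLE_LOG = """date: 2004-03-18
New candidate entries:
2004-0079
2004-0081
2004-0112
"""
```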
NIST's ICAT • NIST: National Institute of Standards and Technology • Based on the CVE • Uses the CERIAS CVE change-log service for quick updates • Completes vendor and product information • Adds a classification of vulnerabilities • http://icat.nist.gov
ICAT Search Menu • Search by vendor, product or keyword, over a time period • Click on a letter to get a select popup with a narrowed down list of vendors or products
ICAT Search • Now click on a duration to get all the vulnerabilities in the selected vendor's products
ICAT Search Results • Click on a CVE number to get details
ICAT Vulnerability Entry (part 2) • Notice the link to where patches can be found:
Exercise • Do a search for vulnerabilities in Adobe Acrobat reader on ICAT • How many entries are there? • What is their severity? • How did the latest vulnerability happen (see vulnerability type)? • Go to the statistics section of ICAT. Approximately what percentage of vulnerabilities are remotely exploitable, year after year? • What do you have to do if you want to keep up to date on vulnerabilities in Symantec products?
Cassandra • Vulnerability notification service based on ICAT and Secunia advisories • Secunia advisories are more timely • Main idea: remove the need for polling ICAT every day for new vulnerabilities • Make a list of products and keywords • A search is done every night • Results are emailed to you • https://cassandra.cerias.purdue.edu/main/index.html
Creating a Profile • After creating a new account and logging in, you are taken to the profile management page:
Managing a Profile • You can select to receive information from ICAT, Secunia, and whether you want all the information emailed to you • Click on the profile name to change its contents
Adding Entries to a Profile • Choose a vendor • Choose products from this vendor
A Sample Profile • These products are now part of the profile:
Keywords • Enter a keyword
Keywords List • Technologies • Issues • Interests (e.g., "remote", "path")
Searches • By duration • New entries since last search • Search results (notice both ICAT and Secunia links):
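The Cassandra workflow just described (a profile of vendor/product pairs and keywords, a nightly search over new entries, and "new since last search" filtering) reduces to the matching logic below. This is an added illustration, not Cassandra's or ICAT's own code; the record fields, the placeholder names and the sample feed are constructed for the demo.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Entry:
    """One vulnerability record as an aggregator such as ICAT might expose it.
    Field names are assumed for this example, not ICAT's actual schema."""
    name: str        # CVE/CAN name (placeholders below, not real entries)
    vendor: str
    product: str
    description: str
    published: str   # ISO date, compared as text

@dataclass
class Profile:
    """Cassandra-style profile: chosen vendor/product pairs plus free keywords."""
    products: set[tuple[str, str]] = field(default_factory=set)
    keywords: set[str] = field(default_factory=set)
    last_search: str = "0000-00-00"

    def matches(self, e: Entry) -> list[str]:
        """Reasons this entry is relevant; an empty list means no notification."""
        wanted = {(v.lower(), p.lower()) for v, p in self.products}
        reasons = []
        if (e.vendor.lower(), e.product.lower()) in wanted:
            reasons.append(f"product {e.vendor} {e.product}")
        text = e.description.lower()
        reasons += [f"keyword {k}" for k in sorted(self.keywords) if k.lower() in text]
        return reasons

def nightly_search(profile: Profile, feed: list[Entry]) -> list[tuple[Entry, list[str]]]:
    """Return entries newer than the last search that match the profile,
    oldest first, and advance the profile's last-search marker."""
    hits = []
    for e in sorted(feed, key=lambda x: x.published):
        if e.published <= profile.last_search:
            continue  # already reported on an earlier night
        reasons = profile.matches(e)
        if reasons:
            hits.append((e, reasons))
    if feed:
        profile.last_search = max(e.published for e in feed)
    return hits

# Constructed sample feed: names, vendors, products and texts are made up.
FEED = [
    Entry("CAN-0000-0001", "examplecorp", "widgetserver", "Remote buffer overflow", "2004-03-17"),
    Entry("CAN-0000-0002", "othervendor", "mailer", "Local path traversal", "2004-03-18"),
    Entry("CAN-0000-0003", "examplecorp", "widgetclient", "Denial of service", "2004-03-18"),
]
```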
Discussion • How does information flow before you get a notification by Cassandra? • How long does that take? • Why were Secunia advisories added as a source of information? • Why not advisories from another source (e.g., CERT)?
Discussion Sample Answers • How does information flow before you get a notification by Cassandra? • Public disclosure, MITRE, CERIAS, NIST, Cassandra • How long does that take? • It can take a month or more, although important issues are prioritized and may take "only" a week • Why were Secunia advisories added as a source of information? • For timeliness • Why not advisories from another source (e.g., CERT)? • Data not in a machine-parsable format
CERT Coordination Center • http://www.cert.org/ • Based at Carnegie Mellon University • Operated by the Software Engineering Institute • Links to various SEI products for sale • Used to produce: • Advisories • CERT advisory mailing list being phased out • Incident Notes • Vulnerability Notes • Now a "partner" of US-CERT • Most links on CERT/CC's web site now refer to US-CERT
US-CERT • http://www.us-cert.gov • Your Cyber Security Everything • "Technical Cyber Security Alerts" • "Non-technical Cyber Security Alerts" • e.g., "Understanding Firewalls", like a "Firewalls for dummies" • Cyber Security Bulletins • Cyber Security Tips • US-CERT Vulnerability Notes • (why aren't they "cyber security vulnerability notes"? I don't know)
US-CERT Vulnerability Notes • The old CERT/CC Vulnerability Notes renamed • http://www.kb.cert.org/vuls/ • Well written • Informative • Not exhaustive • Mailing list • Database • No customized notification mechanism
Searching the US-CERT Vulnerability Notes • Enter a keyword, vendor name, etc:
Example Vulnerability Note • http://www.kb.cert.org/vuls/id/948750 • Vulnerability Note VU#948750 • Microsoft Outlook Web Access contains vulnerability in HTML redirection query • Overview • A cross-site scripting vulnerability in Microsoft Exchange 5.5 Outlook Web Access (OWA) could allow an attacker to execute arbitrary scripting code in the victim's browser
Searching for "Sun" • The results list every note in which Sun was involved:
Question • If you are looking for vulnerabilities in your favorite vendor's products, what are the limitations of Vulnerability Notes? • Hint: Did all the entries obtained when searching for "Sun" relate to Sun products?
Question Answers • If you are looking for vulnerabilities in your favorite vendor's products, what are the limitations of Vulnerability Notes? • Results are not exhaustive • Only the most "serious" vulnerabilities have notes • Lists every involvement of the vendor even when some other vendor is at fault • Security vendors typically get listed when they publish an advisory • and OS vendors typically get listed when there's a problem with another company's product for their platform
Exercise • Find both the CVE number and VU# of an AOL Instant Messenger vulnerability on the US-CERT Vulnerability Notes web site • http://www.kb.cert.org/vuls/
Question • Why do you particularly not want to have your product mentioned in a US-CERT Vulnerability Note (choose the most important reason)? • because only the most severe vulnerabilities are mentioned • because it is highly visible • because it is government interference with the industry (and your company)
Question Answer • Why do you particularly not want to have your product mentioned in a US-CERT Vulnerability Note? • a) because only the most severe vulnerabilities are mentioned • That means you made a big mistake!
NIST Security Documents • http://csrc.nist.gov/publications/nistpubs/index.html • SP 800-64 Security Considerations in the Information System Development Life Cycle, October 2003 • SP 800-55 Security Metrics Guide for Information Technology Systems, July 2003 • SP 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme, September 2002 • SP 800-47 Security Guide for Interconnecting Information Technology Systems, September 2002 • And many others...
Exercises • Find a NIST publication that describes how your customers might select information security products • What is the title of Special Publication 800-27? Download it and open it. • Who is the intended audience? • Which principle are we directly addressing today? • Quote another principle that you already knew and explain it to the class, or select one that is relevant to your work and explain to the class why you think it is relevant. (Instructor: it is suggested to start student reports after about 15-20 minutes, and to give up to 2 minutes for each student to quote a principle.)