SCAP - Security Content Automation Protocol
ISSA Rochester NY, 5-Apr-2011
Bob Hayden, Xerox Corporation
Disclaimer: All screenshots and much text are taken from web resources noted throughout. I don’t take credit for any original content, whether I created it or not. Thank you Google, Al Gore, Bill Gates, and so on.
August 16, 2014 2 SCAP – SECURITY CONTENT AUTOMATION PROTOCOL
SCAP is…
"…a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information." – NIST pub 800-126 Rev 1
"a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements." – http://cce.mitre.org/about/index.html
“a suite of specifications for organizing, expressing, and measuring security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities.” – http://scap.nist.gov/publications/index.html
The suite currently has six specifications:
CVE – Common Vulnerabilities and Exposures
CVSS – Common Vulnerability Scoring System
CVE is maintained at http://CVE.Mitre.org and currently holds 45611 vulnerabilities. Free for use by taxpayers.
CVE detail example:
CVSS – Common Vulnerability Scoring System
CVSS provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Common uses of CVSS are prioritizing vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one's systems. Some vendors (Qualys, ISS/X-Force, etc.) use CVSS to score vulnerabilities. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities at http://nvd.nist.gov/cvss.cfm
Above we have a 4.9 CVSS score, and below we see some (but far from all) of the detail supporting the score. Additionally, organizations can customize results.
CPE – Common Platform Enumeration
CCE – Common Configuration Enumeration
“When dealing with information from multiple sources, use of consistent identifiers can improve data correlation; enable interoperability; foster automation; and ease the gathering of metrics for use in situational awareness, IT security audits, and regulatory compliance. For example, Common Vulnerabilities and Exposures (CVE) provides this capability for information security vulnerabilities.”
“Similar to the CVE effort, CCE assigns a unique, common identifier to a particular security-related configuration issue. CCE identifiers are associated with configuration statements and configuration controls that express the way humans name and discuss their intentions when configuring computer systems. In this way, the use of CCE-IDs as tags provide a bridge between natural language, prose-based configuration guidance documents and machine-readable or executable capabilities such as configuration audit tools” – http://cce.mitre.org
CCE Attributes
• CCE Identifier Number – "CCE-2715-1"
• Description – a humanly understandable description of the configuration issue
• Conceptual Parameters – parameters that would need to be specified in order to implement a CCE on a system
• Associated Technical Mechanisms – for any given configuration issue there may be one or more ways to implement the desired result
• References – pointers to the specific sections of the documents or tools in which the configuration issue is described in detail
CCE Repository – sample of the content available
CCE Excel format – note that the attributes are the column headers
CPE – Common Platform Enumeration
http://cpe.mitre.org
“I am running Windows. Am I vulnerable? Does this information apply?”
“…to foster automation in security practice the community needs a more formal naming scheme, consistent and uniform, that allows tools (as well as humans) to clearly identify the IT platforms to which a vulnerability or element of guidance applies.”
CPE establishes common names for applications… …as well as for operating systems.
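The "I am running Windows, does this apply?" question above is what CPE name matching answers. This added example (not code from the slides or from MITRE) parses CPE 2.2 URIs, the binding SCAP used at the time, and applies the 2.2 matching rule in which an empty component in the advisory's name means "any"; the host inventory and advisory names are constructed.

```python
from urllib.parse import unquote

COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")

# Constructed inventory: the CPE 2.2 names a scanner might record for one host.
INVENTORY = [
    "cpe:/o:microsoft:windows_7::sp1:x64",
    "cpe:/a:microsoft:ie:8.0.7601.17514",
    "cpe:/a:adobe:reader:9.4.0",
]


def parse_cpe(uri):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:...) into its 7 components.

    Missing trailing components become "", which the 2.2 matching rule treats as
    "any". Percent-encoded characters (e.g. %20) are decoded and case is folded,
    because CPE names compare case-insensitively.
    """
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) > len(COMPONENTS):
        raise ValueError("too many components in %r" % uri)
    fields += [""] * (len(COMPONENTS) - len(fields))
    return dict(zip(COMPONENTS, (unquote(f).lower() for f in fields)))


def cpe_matches(advisory_name, platform_name):
    """True if every component of the advisory name is "" (any) or equals the platform's.

    The rule is asymmetric: an advisory for windows_7 (any service pack) applies to
    a windows_7::sp1 host, but an advisory naming windows_7::sp2 does not.
    """
    a, p = parse_cpe(advisory_name), parse_cpe(platform_name)
    return all(a[c] in ("", p[c]) for c in COMPONENTS)


def applicable(advisory_names, inventory):
    """Return the inventory names that at least one of the advisory's CPE names covers."""
    return sorted(host for host in inventory
                  if any(cpe_matches(adv, host) for adv in advisory_names))


if __name__ == "__main__":
    # Constructed advisory: affects Windows 7 (any service pack) and Adobe Reader 9.4.0.
    print(applicable(["cpe:/o:microsoft:windows_7", "cpe:/a:adobe:reader:9.4.0"], INVENTORY))
```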
OVAL – Open Vulnerability and Assessment Language
XCCDF – eXtensible Configuration Checklist Description Format
XCCDF – eXtensible Configuration Checklist Description Format
http://scap.nist.gov/specifications/xccdf/
What: XCCDF is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification also defines a data model and format for storing results of benchmark compliance testing.
Why: The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices.
Check Implementations:
• Open Checklist Interactive Language (OCIL)
• Open Vulnerability and Assessment Language (OVAL)
Open Checklist Interactive Language
OCIL is considered an emerging specification, so it is not currently included in SCAP. However, OCIL can still be used in conjunction with SCAP specifications such as XCCDF to help handle cases where lower-level checking languages such as OVAL are unable to automate a particular check. In short, OCIL provides a standardized approach to express and evaluate non-automated (i.e., manual) security checks. http://scap.nist.gov/specifications/ocil/index.html
Example XCCDF document (always XML) – “front matter”
Example XCCDF document (always XML) – rule
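Added example, not the XCCDF document shown on the slides: a constructed XCCDF 1.1 Benchmark whose two Rules delegate their checks to OVAL definitions, a function that pulls out each rule's OVAL definition reference (the hand-off from XCCDF to OVAL described above), and the default scoring model (urn:xccdf:scoring:default) applied to constructed per-rule results. All ids are placeholders and the result-to-score table is simplified, as the code notes.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.1"

# Constructed XCCDF 1.1 fragment: two Rules whose checks delegate to OVAL
# definitions. All ids are placeholders, not real NIST or MITRE content.
BENCHMARK = """<Benchmark xmlns="%s" id="example-benchmark">
  <Rule id="rule-min-pw-len" weight="2.0">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="checks.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="rule-lockout">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="checks.xml" name="oval:example:def:2"/>
    </check>
  </Rule>
</Benchmark>""" % XCCDF

# Results that carry no score under the default model (the rule's count is 0).
UNSCORED = {"notapplicable", "notchecked", "informational", "notselected"}


def oval_refs(benchmark_xml):
    """Map each Rule id to the OVAL definition id its check-content-ref names."""
    ref_path = "{%s}check/{%s}check-content-ref" % (XCCDF, XCCDF)
    return {rule.get("id"): rule.find(ref_path).get("name")
            for rule in ET.fromstring(benchmark_xml).iter("{%s}Rule" % XCCDF)}


def default_score(node, results):
    """(score, count) under urn:xccdf:scoring:default. Assumed simplified table:
    a Rule scores 100 for 'pass' and 0 for any other scored result; a Group or the
    Benchmark is the weighted average of its children whose count is non-zero."""
    if node.tag.endswith("}Rule"):
        result = results.get(node.get("id"), "notchecked")
        return (0.0, 0) if result in UNSCORED else ((100.0 if result == "pass" else 0.0), 1)
    weighted, total, count = 0.0, 0.0, 0
    for child in node:
        if child.tag.endswith("}Group") or child.tag.endswith("}Rule"):
            score, n = default_score(child, results)
            if n:  # unscored children drop out of the weighted average
                w = float(child.get("weight", "1.0"))
                weighted, total, count = weighted + w * score, total + w, count + n
    return (weighted / total if total else 0.0), count


def benchmark_score(benchmark_xml, results):
    """Overall 0-100 score for a mapping of rule id -> XCCDF result string."""
    return default_score(ET.fromstring(benchmark_xml), results)[0]
```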
http://checklists.nist.gov Note: Rev 2 of NIST SP 800-70 was published in Feb 2011
OVAL – Open Vulnerability and Assessment Language
OVAL Use Cases
• Security Advisory Distribution
• Vulnerability Assessment
• Patch Management
• Configuration Management
• Auditing and Centralized Audit Validation
• Security Information Management Systems (SIMS)
• System Inventory
• Malware and Threat Indicator Sharing
OVAL Capabilities
• Authoring Tool — A product that aids in the process of creating new OVAL files (including products that consolidate existing OVAL Definitions into a single file).
• Definition Evaluator — A product that uses an OVAL Definition to guide system evaluation and produce an OVAL Results document (full results) as output.
• Definition Repository — A repository of OVAL Definitions made available to the community (free or pay).
• Results Consumer — A product that accepts an OVAL Results document as input and either displays the results to the user, or uses the results to perform some action.
• System Characteristics Producer — A product that generates a valid OVAL System Characteristics file based on the details of a system.
http://oval.mitre.org
OVAL Capabilities
OVAL Definition Repository
An OVAL Definition (for humans). This one for robots: next page
The same OVAL Definition in XML. First, the “front matter” …then some of the detail
Is the puzzle almost solved?