
SCAP Explained

Nick Hansen, Sr. Software Developer. SCAP Explained: Overview of the Security Content Automation Protocol, Where It’s Been and Where It’s Going. Overview: Introduction; What is SCAP and Security Automation?; SCAP Specifications; SCAP Tools and Content; SCAP Community; SCAP Future.


Presentation Transcript


  1. Nick Hansen, Sr. Software Developer
     SCAP Explained: Overview of the Security Content Automation Protocol, Where It’s Been and Where It’s Going

  2. Overview
     • Introduction
     • What is SCAP and Security Automation?
     • SCAP Specifications
     • SCAP Tools and Content
     • SCAP Community
     • SCAP Future

  3. Introduction
     • Nick Hansen, nhansen@ncircle.com
     • Worked in Production Operations, Software Engineering and Management over the past 10 years
     • Excite@Home, NOCpulse, Red Hat, Opsware, HP
     • Involved with SCAP since 2006

  4. What is SCAP?
     • The Security Content Automation Protocol
     • Standards-based initiative for “organizing and expressing security-related information”
     • Grew out of the confluence of several well established, existing standards
     • Managed by the US National Institute of Standards and Technology (NIST) and sponsored by the Department of Homeland Security to foster interoperable specifications with a focus on community participation
     • http://scap.nist.gov/index.html

  5. What is SCAP? (cont’d)
     • Protocol: “A suite of six specifications that standardize the format and nomenclature by which security software communicates information about publicly known software flaws and security configurations annotated with common identifiers and embedded in XML”
     • Content: “software flaw and security configuration standard reference data” in the form of checklists and SCAP “streams”
     • Specification: NIST SP 800-126
     • http://csrc.nist.gov/publications/nistpubs/800-126/sp800-126.pdf

  6. Security Automation
     • Managing security across the US Federal government and large enterprises is no small task
     • Automation is needed to be able to manage and secure many operating systems, applications and configurations
     • Continuous monitoring and auditing are required to ensure the best possible security of the organization
     • Many tools are available that perform specialized tasks but do not interoperate well enough to give a complete picture
     • Requirements for compliance with multiple regulatory frameworks and guidelines

  7. SCAP 1.0 Specifications

  8. Common Vulnerabilities and Exposures (CVE)
     • The CVE is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities and exposures. The purpose of the CVE is to catalog all known vulnerabilities.
     • The CVE was started in 1999. It is currently sponsored by the United States Department of Homeland Security and managed by the MITRE Corporation.
     • CVE: http://cve.mitre.org
     • CVE Compatibility: http://cve.mitre.org/compatible
     • Example: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249

  9. Open Vulnerability and Assessment Language (OVAL)
     • OVAL is the standard used to encode and transmit security information and system details. It is based on three XML schemas that represent the three steps of the security vulnerability assessment process:
       • Representing system configuration
       • Expressing a specific machine state
       • Reporting the results of the assessment
     • The original purpose of OVAL was to describe how to identify specific vulnerabilities (i.e. CVEs)
     • Now supports general configuration settings and patch installations
     • OVAL is managed by MITRE and is sponsored by the U.S. Department of Homeland Security
     • Example: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:6835

  10. Extensible Configuration Checklist Description Format (XCCDF)
     • XCCDF is an XML specification for structured collections of security configuration rules used by OS and application platforms
     • Uses OVAL and CPE to build profiles that systems can be validated against
     • Development of the XCCDF specification is led by the U.S. National Security Agency (NSA), published by NIST, and developed with contributions from the security community

  11. OVAL and XCCDF Links
     • OVAL Homepage: http://oval.mitre.org
     • OVAL Compatibility: http://oval.mitre.org/compatible
     • NVD XCCDF/OVAL data feed: http://nvd.nist.gov/scapchecklists.cfm
     • XCCDF Standard: http://nvd.nist.gov/xccdf.cfm
     • NIST National Checklist Program: http://nvd.nist.gov/ncp.cfm

  12. Common Platform Enumeration (CPE)
     • CPE is a naming convention for hardware, operating system (OS), and application products.
       cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
       Example: cpe:/o:microsoft:windows_xp:::pro
     • The CPE is managed by MITRE and is sponsored by the U.S. Department of Defense
     • CPE Homepage: http://cpe.mitre.org
     • NVD CPE data feed: http://nvd.nist.gov/download.cfm#Dictionary
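The CPE name format on this slide is small enough to parse by hand, and a checklist tool needs to do exactly that to decide which benchmark applies to a host. The following is an added example, not code from the presentation or from MITRE's CPE project: it splits a CPE 2.2 URI into its seven components, re-serialises it, and applies a deliberately simplified matching rule (an assumption of this example, not the official CPE name-matching algorithm) in which components the platform leaves unspecified act as wildcards. The inventory names at the bottom are constructed.

```python
"""Parse and match CPE 2.2 URI names such as cpe:/o:microsoft:windows_xp:::pro.

Added example, not code from the presentation.  The matching rule is a
simplified form of CPE name matching (an assumption for this example).
"""
from urllib.parse import quote, unquote

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
VALID_PARTS = {"h": "hardware", "o": "operating system", "a": "application"}


def parse_cpe(name: str) -> dict:
    """Split a CPE 2.2 URI into its seven components.

    Empty or missing trailing components become None ("unspecified").
    Percent-encoded characters inside a component are decoded.
    Raises ValueError for names that are not well-formed CPE 2.2 URIs.
    """
    prefix = "cpe:/"
    if not name.startswith(prefix):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    components = name[len(prefix):].split(":")
    if len(components) > len(CPE_FIELDS):
        raise ValueError(f"more than {len(CPE_FIELDS)} components in {name!r}")
    # Pad to seven fields so every key is present in the result.
    components += [""] * (len(CPE_FIELDS) - len(components))
    parsed = {
        field: unquote(value).lower() if value else None
        for field, value in zip(CPE_FIELDS, components)
    }
    if parsed["part"] not in VALID_PARTS:
        raise ValueError(f"part must be one of h/o/a, got {parsed['part']!r}")
    return parsed


def format_cpe(parsed: dict) -> str:
    """Serialise a parsed name back to URI form, dropping trailing unspecified fields."""
    values = [quote(parsed[field] or "", safe="") for field in CPE_FIELDS]
    while values and values[-1] == "":
        values.pop()
    return "cpe:/" + ":".join(values)


def cpe_matches(platform: str, target: str) -> bool:
    """True when `target` is an instance of `platform`.

    Simplified rule (assumption): every component the platform specifies must
    equal the target's component; unspecified platform components match anything.
    """
    p, t = parse_cpe(platform), parse_cpe(target)
    return all(p[field] is None or p[field] == t[field] for field in CPE_FIELDS)


def select_applicable(platform: str, inventory: list) -> list:
    """Return the inventory names that fall under `platform`."""
    return [name for name in inventory if cpe_matches(platform, name)]


# Constructed inventory, as a scanner might collect it from several hosts.
SAMPLE_INVENTORY = [
    "cpe:/o:microsoft:windows_xp:sp3::pro",
    "cpe:/o:microsoft:windows_xp:sp2::home",
    "cpe:/o:microsoft:windows_vista",
    "cpe:/a:mozilla:firefox:3.6",
]

if __name__ == "__main__":
    for platform in ("cpe:/o:microsoft:windows_xp", "cpe:/o:microsoft:windows_xp:::pro"):
        print(platform, "->", select_applicable(platform, SAMPLE_INVENTORY))
```

Note that the match is directional: a platform of `cpe:/o:microsoft:windows_xp` covers both XP entries, while `cpe:/o:microsoft:windows_xp:::pro` covers only the Professional edition, and a platform that specifies a service pack does not match an inventory entry that omits it.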

  13. Common Configuration Enumeration (CCE)
     • The CCE is a dictionary of names for software security configuration issues – for example, access control settings and password policy settings. By providing unique identifiers for system configuration issues, the CCE facilitates fast and accurate correlation of configuration data across multiple information sources and tools.
     • The CCE is managed by MITRE and is sponsored by the U.S. Department of Defense.
     • CCE Homepage: http://cce.mitre.org

  14. Common Vulnerability Scoring System (CVSS)
     • The CVSS is a standard severity scoring system for information security vulnerabilities. CVSS includes three groups of metrics: Base, Temporal, and Environmental.
     • CVSS is under the custodial care of the Forum of Incident Response and Security Teams (FIRST). However, it is a completely free and open standard.
     • CVSS Homepage: http://www.first.org/cvss/index.html
     • CVSS Specification: http://www.first.org/cvss/cvss-guide.html
     • NVD CVSS data feed: http://nvd.nist.gov/cvss.cfm

  15. SCAP Content
     • Utilizes parts of all 6 specifications to create a “stream” of compliance content
     • XCCDF is the glue that ties it all together
     • Several official streams are currently available from the NVD
       • Federal Desktop Core Configuration (FDCC)
       • United States Government Configuration Baseline (USGCB)
       • http://web.nvd.nist.gov/view/ncp/repository
     • Vendors are creating and using proprietary SCAP content
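Slides 9, 10 and 15 describe XCCDF as the glue of a stream: a benchmark declares the platform by CPE name, profiles select or deselect rules, and each rule points at the OVAL definition that checks it. The following added example (not code from the presentation, and not an official NVD stream) shows that resolution step in Python's standard library. The benchmark is constructed and reduced to the elements the resolver reads, and its rule, profile, CCE and OVAL identifiers are placeholders; the element names and the XCCDF 1.1 and OVAL definitions namespace URIs are the real ones.

```python
"""Resolve an XCCDF profile to its selected rules and their OVAL check references.

Added example with a constructed benchmark; not content from the presentation
or from an official NVD stream.  All identifiers below are placeholders.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_DEFINITIONS_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF_NS}

# Constructed benchmark: two profiles override the per-rule defaults.
SAMPLE_BENCHMARK = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-benchmark">
  <title>Constructed example benchmark</title>
  <platform idref="cpe:/o:microsoft:windows_xp"/>
  <Profile id="workstation">
    <title>Workstation</title>
    <select idref="rule-guest-account-disabled" selected="true"/>
    <select idref="rule-remote-registry-disabled" selected="false"/>
  </Profile>
  <Profile id="server">
    <title>Server</title>
    <select idref="rule-remote-registry-disabled" selected="true"/>
  </Profile>
  <Group id="group-accounts">
    <title>Account policy</title>
    <Rule id="rule-password-min-length" severity="medium">
      <title>Minimum password length</title>
      <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-1</ident>
      <check system="{OVAL_DEFINITIONS_SYSTEM}">
        <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
    <Rule id="rule-guest-account-disabled" selected="false" severity="high">
      <title>Guest account is disabled</title>
      <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-2</ident>
      <check system="{OVAL_DEFINITIONS_SYSTEM}">
        <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
      </check>
    </Rule>
  </Group>
  <Rule id="rule-remote-registry-disabled" selected="false" severity="low">
    <title>Remote Registry service is disabled</title>
    <check system="{OVAL_DEFINITIONS_SYSTEM}">
      <check-content-ref href="example-oval.xml" name="oval:example:def:3"/>
    </check>
  </Rule>
</Benchmark>
"""


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def benchmark_platforms(benchmark_xml: str) -> list:
    """CPE names the benchmark declares itself applicable to."""
    root = ET.fromstring(benchmark_xml)
    return [p.get("idref") for p in root.findall("x:platform", NS)]


def resolve_profile(benchmark_xml: str, profile_id: str) -> dict:
    """Map every rule id to whether `profile_id` selects it.

    Each Rule's own 'selected' attribute is the default (absent means true);
    the profile's <select> elements then override it.
    """
    root = ET.fromstring(benchmark_xml)
    selection = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):  # rules may sit inside Groups
        selection[rule.get("id")] = _is_true(rule.get("selected", "true"))
    profile = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise KeyError(f"no profile {profile_id!r} in benchmark")
    for sel in profile.findall("x:select", NS):
        idref = sel.get("idref")
        if idref not in selection:
            raise KeyError(f"profile {profile_id!r} selects unknown rule {idref!r}")
        selection[idref] = _is_true(sel.get("selected", "true"))
    return selection


def oval_checks(benchmark_xml: str, profile_id: str) -> dict:
    """Return {rule_id: (href, oval_definition_id)} for the rules the profile selects."""
    root = ET.fromstring(benchmark_xml)
    selection = resolve_profile(benchmark_xml, profile_id)
    checks = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        if not selection[rule.get("id")]:
            continue
        for check in rule.findall("x:check", NS):
            if check.get("system") != OVAL_DEFINITIONS_SYSTEM:
                continue  # other check systems (e.g. OCIL) are out of scope here
            ref = check.find("x:check-content-ref", NS)
            if ref is not None:
                checks[rule.get("id")] = (ref.get("href"), ref.get("name"))
    return checks


if __name__ == "__main__":
    print("platforms:", benchmark_platforms(SAMPLE_BENCHMARK))
    for profile in ("workstation", "server"):
        print(profile, "->", oval_checks(SAMPLE_BENCHMARK, profile))
```

The two profiles differ only in their `select` overrides, which is how one benchmark serves several roles; a tool validating a host would first confirm the host's CPE name falls under the declared platform, then evaluate only the OVAL definitions returned for the chosen profile.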

  16. National Vulnerability Database (NVD)
     • The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.
     • The NVD contains data feeds for each SCAP standard that can be used license-free by the security community. The NVD also contains SCAP security checklist data that can be used in conjunction with SCAP-compatible tools.

  17. FDCC & USGCB
     • FDCC is focused on Windows XP and Vista
       • Developed to address the 2007 OMB mandate for securing all Windows systems in the US Federal government
       • First officially approved SCAP stream of content
     • USGCB is currently focused on Windows 7 and IE 8
       • Will be adding new platforms soon
       • Evolved from the FDCC

  18. SCAP Tools
     • Vendors create tools that can process SCAP-expressed content and report standardized results
     • Tools are certified via the SCAP Validation Program
     • Independent testing labs are contracted by vendors to test tools and report results directly to NIST
     • Tool capabilities that can be validated
       • FDCC Scanner
       • Authenticated and Unauthenticated Configuration Scanner
       • Authenticated Patch and Vulnerability Scanner

  19. SCAP Community
     • Each specification has an independent community of contributors from academia, business and government supporting it
     • CVE and OVAL are the most active
     • No single vendor has “control” of any of the specifications
     • MITRE is a non-profit overseer and leads a great deal of the discussions
     • IT Security Automation Conference
       • Annual conference covering SCAP and many other initiatives related to Security Automation
       • http://scap.nist.gov/events/2010/itsac/presentations/index.html

  20. SCAP Future
     • Emerging Specifications
       • Asset Reporting Format (ARF)
       • Open Checklist Interactive Language (OCIL)
       • Open Checklist Reporting Language (OCRL)
       • Common Configuration Scoring System (CCSS)
       • Common Misuse Scoring System (CMSS)
     • The Holy Grail
       • Common Remediation Enumeration (CRE)
       • Extended Remediation Information (ERI)