Title: A New Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance
Slide 1: A New Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance
- presented by Peter Mell
- National Institute of Standards and Technology
Slide 2: Agenda
- Information Security Current State
- Security Content Automation Protocol Introduction
- Current Stakeholders
- Use Cases
- Validation Program Background and Status
- Possible Future Directions for SCAP
- Summary
Slide 3: Current State: Security Operations
(Diagram: OCIO on one side, Operations Team on the other, with four management functions between them)
- Compliance Management
- Vulnerability Management
- Configuration Management
- Asset Management
Slide 4: What is SCAP?
- How: standardizing the format by which we communicate (the protocol)
- What: standardizing the information we communicate (the content)
- http://nvd.nist.gov
  - 70 million hits per year
  - 20 new vulnerabilities per day, over 6,000 per year
  - Misconfiguration cross-references
  - Reconciles software flaws from US-CERT and MITRE repositories
  - Produces XML feed for NVD content
Slide 5: Convergent Evolution of Post-Compilation Software Maintenance
- 2008: NVD will become production-ready for SCAP version 1.0
- 2007: OMB mandates use of SCAP-validated tools for assessing the Federal Desktop Core Configuration (FDCC)
- 2007: NCP legacy checklists become available through the NVD Web site
- 2007: NCP promotes SCAP as the preferred format for all new checklists
- 2006-07: Announcements that the following guidelines will be available in SCAP format:
  - DISA Security Technical Implementation Guides (STIG)
  - JTF-GNO Information Assurance Vulnerability Management (IAVM) alerts
  - Red Hat Security Guides
- 2006: NVD becomes reference data for SCAP
- 2006: SCAP reaches Beta formulation with publication of the NIST Draft Interagency Report (IR) 7343
- 2005: iCAT becomes NVD
- 2002: NCP established through the Cyber Security R&D Act of 2002
- 1999: iCAT established
Slide 6: National Checklist Program Hosted at National Vulnerability Database Website
Slide 7: How SCAP Works
(Diagram: each kind of information in an assessment and the SCAP component that carries it)
- Report: XCCDF
- Platform: CPE
- Misconfiguration: CCE
- Software Flaw: CVE
- Specific Impact: CVSS results
- Test Procedures: OVAL
- Patches: OVAL
Slide 8: Linking Configuration to Compliance
(XCCDF fragment: a hidden control Group carrying compliance references, and a Rule that references CCE and checklist sources and requires that Group)

<Group id="IA-5" hidden="true">
  <title>Authenticator Management</title>
  <reference>ISO/IEC 17799 11.5.2, 11.5.3</reference>
  <reference>NIST 800-26 15.1.6, 15.1.7, 15.1.9, 15.1.10, 15.1.11, 15.1.12, 15.1.13, 16.1.3, 16.2.3</reference>
  <reference>GAO FISCAM AC-3.2</reference>
  <reference>DOD 8500.2 IAKM-1, IATS-1</reference>
  <reference>DCID 6/3 4.B.2.a(7), 4.B.3.a(11)</reference>
</Group>
<Rule id="minimum-password-length" selected="false" weight="10.0">
  <reference>CCE-100</reference>
  <reference>DISA STIG Section 5.4.1.3</reference>
  <reference>DISA Gold Disk ID 7082</reference>
  <reference>PDI IAIA-12B</reference>
  <reference>800-68 Section 6.1 - Table A-1.4</reference>
  <reference>NSA Chapter 4 - Table 1 Row 4</reference>
  <requires idref="IA-5"/>
  <!-- check element: pointer to OVAL test procedure -->
</Rule>
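The linkage on this slide, worked through in code as an added example (not NIST's or the deck's own code): it parses a constructed XCCDF Benchmark containing the slide's minimum-password-length Rule plus placeholder rules, applies a Profile's tailoring (the slide's Rule is selected="false" until a profile selects it), reads a constructed TestResult, and rolls results up per control group and per referenced identifier, which is what "compliance reporting as a byproduct" looks like in practice. The XCCDF 1.1 namespace, the placeholder ids (password-history-placeholder, screen-lock-placeholder, CCE-placeholder-1/2), the omitted check elements, and the weighted-pass-fraction score are assumptions of the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"

# Constructed Benchmark: the slide's Rule plus placeholders.  <check> elements
# (the pointers to OVAL test procedures) are omitted.  IA-5 and AC-11 are real
# SP 800-53 control ids; CCE-100 and the STIG section are from the slide; every
# other rule id and reference is a placeholder for this example.
BENCHMARK_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-benchmark">
  <Profile id="example-profile">
    <select idref="minimum-password-length" selected="true"/>
    <select idref="password-history-placeholder" selected="true"/>
  </Profile>
  <Group id="IA-5" hidden="true">
    <title>Authenticator Management</title>
    <reference>DOD 8500.2 IAKM-1, IATS-1</reference>
  </Group>
  <Rule id="minimum-password-length" selected="false" weight="10.0">
    <reference>CCE-100</reference>
    <reference>DISA STIG Section 5.4.1.3</reference>
    <requires idref="IA-5"/>
  </Rule>
  <Rule id="password-history-placeholder" selected="false" weight="5.0">
    <reference>CCE-placeholder-1</reference>
    <requires idref="IA-5"/>
  </Rule>
  <Rule id="screen-lock-placeholder" selected="false" weight="5.0">
    <reference>CCE-placeholder-2</reference>
    <requires idref="AC-11"/>
  </Rule>
</Benchmark>"""

# Constructed TestResult for one run of that profile.
RESULT_XML = f"""<TestResult xmlns="{XCCDF_NS}" id="example-run">
  <rule-result idref="minimum-password-length"><result>pass</result></rule-result>
  <rule-result idref="password-history-placeholder"><result>fail</result></rule-result>
  <rule-result idref="screen-lock-placeholder"><result>notselected</result></rule-result>
</TestResult>"""


def local(tag):
    """Strip the namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def kids(el, name):
    return [c for c in el if local(c.tag) == name]


def parse_benchmark(xml_text, profile_id):
    """Return (groups, rules); the chosen Profile's <select> elements override
    each Rule's own selected attribute, which is how XCCDF tailoring works."""
    root = ET.fromstring(xml_text)
    groups, rules, selects = {}, {}, {}
    for el in root.iter():
        name = local(el.tag)
        if name == "Profile" and el.get("id") == profile_id:
            selects = {s.get("idref"): s.get("selected") == "true" for s in kids(el, "select")}
        elif name == "Group":
            groups[el.get("id")] = [r.text.strip() for r in kids(el, "reference")]
        elif name == "Rule":
            rules[el.get("id")] = {
                "weight": float(el.get("weight", "1.0")),
                "selected": el.get("selected", "true") == "true",
                "references": [r.text.strip() for r in kids(el, "reference")],
                "controls": [r.get("idref") for r in kids(el, "requires")],
            }
    for rid, sel in selects.items():
        if rid in rules:
            rules[rid]["selected"] = sel
    return groups, rules


def parse_results(xml_text):
    """Map rule id -> XCCDF result value (pass, fail, error, notchecked, ...)."""
    root = ET.fromstring(xml_text)
    return {rr.get("idref"): kids(rr, "result")[0].text.strip()
            for rr in root.iter() if local(rr.tag) == "rule-result"}


def compliance_report(groups, rules, results):
    """Roll selected rules' outcomes up to the control each rule <requires>.
    Score is a weighted pass fraction, a simplification of XCCDF scoring."""
    per_control = defaultdict(dict)
    for rid, rule in rules.items():
        if rule["selected"]:                  # rules tailored out never appear
            for ctl in rule["controls"]:
                per_control[ctl][rid] = results.get(rid, "notchecked")
    report = {}
    for ctl, outcomes in per_control.items():
        total = sum(rules[r]["weight"] for r in outcomes)
        passed = sum(rules[r]["weight"] for r, o in outcomes.items() if o == "pass")
        report[ctl] = {
            "status": "pass" if all(o == "pass" for o in outcomes.values()) else "fail",
            "score": round(100.0 * passed / total, 1) if total else 0.0,
            "failing_rules": sorted(r for r, o in outcomes.items() if o != "pass"),
            "references": groups.get(ctl, []),
        }
    return report


def failing_references(rules, results):
    """Invert the links: which CCE / STIG / other identifiers a failed rule implicates."""
    hits = defaultdict(list)
    for rid, rule in rules.items():
        if rule["selected"] and results.get(rid) == "fail":
            for ref in rule["references"]:
                hits[ref].append(rid)
    return dict(hits)


if __name__ == "__main__":
    groups, rules = parse_benchmark(BENCHMARK_XML, "example-profile")
    results = parse_results(RESULT_XML)
    print(compliance_report(groups, rules, results))   # IA-5 fails at 66.7; AC-11 absent
    print(failing_references(rules, results))          # CCE-placeholder-1 implicated
```

The report carries the Group's own references alongside the rule outcomes, so a failing IA-5 can be reported against DOD 8500.2 or ISO 17799 without any separate compliance mapping; the screen-lock rule, not selected by the profile, never reaches the report even though the scanner returned a result for it.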
Slide 9: Federal Risk Management Framework
(Diagram: the steps below form a cycle; the documents named are the NIST sources for each step)
- Starting point: Categorize Information System (FIPS 199 / SP 800-60): define criticality/sensitivity of the information system according to potential impact of loss
- Select Security Controls (FIPS 200 / SP 800-53): select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate
- Supplement Security Controls (SP 800-53 / SP 800-30): use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence
- Document Security Controls (SP 800-18): document in the security plan the security requirements for the information system and the security controls planned or in place
- Implement Security Controls (SP 800-70): implement security controls; apply security configuration settings
- Assess Security Controls (SP 800-53A): determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements)
- Authorize Information System (SP 800-37): determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation
- Monitor Security Controls (SP 800-37 / SP 800-53A): continuously track changes to the information system that may affect security controls and reassess control effectiveness
Slide 10: Integrating IT and IT Security Through SCAP
(Diagram: the six SCAP component specifications placed among the four management functions)
- CVE: Common Vulnerabilities and Exposures (software flaws)
- CCE: Common Configuration Enumeration (misconfigurations)
- CPE: Common Platform Enumeration
- XCCDF: Extensible Configuration Checklist Description Format
- OVAL: Open Vulnerability and Assessment Language
- CVSS: Common Vulnerability Scoring System
- Management functions tied together by SCAP: Vulnerability Management, Asset Management, Configuration Management, Compliance Management
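How the CPE piece ties asset management to configuration management, as an added example (not NIST's or the deck's own code): a parser for CPE 2.2 URIs (cpe:/part:vendor:product:version:update:edition:language) and a matcher that decides which hosts in an inventory a checklist's platform names apply to. The matching rule is the CPE 2.2 semantics in simplified form: a component the checklist leaves empty is unspecified and matches anything, and every component it does specify must equal the host's; CPE 2.3 formatted strings and logical values are out of scope. The inventory and checklist platform list are constructed; the product names follow NVD's CPE 2.2 naming.

```python
from urllib.parse import unquote

COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe22(name):
    """Split a CPE 2.2 URI into its seven components.  Trailing components may
    be omitted; omitted or empty components are returned as ''."""
    if not name.lower().startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % (name,))
    fields = name[len("cpe:/"):].split(":")
    if len(fields) > len(COMPONENTS):
        raise ValueError("too many components in %r" % (name,))
    fields += [""] * (len(COMPONENTS) - len(fields))
    comps = {k: unquote(v).lower() for k, v in zip(COMPONENTS, fields)}
    if comps["part"] not in ("h", "o", "a"):   # hardware, operating system, application
        raise ValueError("bad part %r in %r" % (comps["part"], name))
    return comps


def cpe_matches(target, candidate):
    """True if `candidate` (a host's platform name) satisfies `target` (a
    checklist's platform name).  Empty target components are wildcards;
    specified ones must be equal, so a checklist pinned to sp2 does not
    apply to a host whose update level is unknown."""
    t, c = parse_cpe22(target), parse_cpe22(candidate)
    return all(t[k] == "" or t[k] == c[k] for k in COMPONENTS)


def applicable_hosts(benchmark_platforms, inventory):
    """Given the <platform idref="cpe:/..."/> names of a benchmark and an asset
    inventory {hostname: [cpe, ...]}, return the hosts the benchmark applies to."""
    return sorted(
        host for host, cpes in inventory.items()
        if any(cpe_matches(p, cpe) for p in benchmark_platforms for cpe in cpes)
    )


# Constructed inventory, as an asset-management tool might export it.
INVENTORY = {
    "desk-01": ["cpe:/o:microsoft:windows_xp::sp2:professional"],
    "desk-02": ["cpe:/o:microsoft:windows_xp::sp1"],
    "desk-03": ["cpe:/o:microsoft:windows_vista", "cpe:/a:microsoft:internet_explorer:7"],
    "srv-01": ["cpe:/o:redhat:enterprise_linux:5"],
}

# Constructed platform list for an XP SP2 desktop checklist.
XP_SP2_PLATFORMS = ["cpe:/o:microsoft:windows_xp::sp2"]

if __name__ == "__main__":
    print(applicable_hosts(XP_SP2_PLATFORMS, INVENTORY))                   # ['desk-01']
    print(applicable_hosts(["cpe:/o:microsoft:windows_xp"], INVENTORY))    # ['desk-01', 'desk-02']
```

The asymmetry in cpe_matches is deliberate: a checklist written for XP with no update specified applies to every XP host, but a checklist pinned to SP2 must not be reported as applicable to a host whose service pack the inventory does not record, or the compliance figures would count hosts that were never actually assessed.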
Slide 11: Agility in a Digital World
Slide 12: Stakeholder and Contributor Landscape: Industry Product Teams and Content Contributors
(Logo slide; the only name recoverable from the text is Ai Metrix)
Slide 13: Stakeholder and Contributor Landscape: Federal Agencies (SCAP Infrastructure, Beta Tests, Use Cases, and Early Adopters)
Slide 14: Use Case: The Office of the Secretary of Defense: Computer Network Defense Data Pilot
Slide 15: Use Case: The Office of Management and Budget: Federal Desktop Core Configuration
OMB 31 July 2007 Memo to CIOs, "Establishment of Windows XP and VISTA Virtual Machine and Procedures for Adopting the Federal Desktop Core Configurations":
- "As we noted in the June 1, 2007 follow-up policy memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations, a virtual machine would be established to provide agencies and information technology providers access to Windows XP and VISTA images. The National Institute of Standards and Technology (NIST), Microsoft, the Department of Defense, and the Department of Homeland Security have now established a website hosting the virtual machine images, which can be found at http://csrc.nist.gov/fdcc."
- "Your agency can now acquire information technology products that are self-asserted by information technology providers as compliant with the Windows XP/VISTA FDCC, and use NIST's Security Content Automation Protocol (S-CAP) to help evaluate providers' self-assertions. Information technology providers must use S-CAP validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations."
Slide 16: SCAP Validation Labs and Products
- Validated Products
  - 5 vendors
  - 6 products
  - 7 capabilities-based validations
  - 2 standards-based validations
- Accredited Laboratories
  - Electronic Warfare Associates (EWA) Canada
  - ICSA Labs, an independent division of Verizon Business
  - Science Applications International Corporation (SAIC)
  - ATSEC Information Security Corporation
  - COACT Incorporated, CAFE Laboratory
Slide 17: SCAP Validation In-Progress and Potential
Slide 18: Where Can SCAP Go?
- Continue to reduce the boundary between written specifications and action
- Expand to implementation and remediation of vulnerabilities and security configurations
- Extend into additional security technologies (e.g., IDS/IPS, firewall) and into other IT technologies (e.g., asset and configuration management)
- We are open to additional use cases
Slide 19: Summary
- SCAP gives us a transparent, interoperable, repeatable, and ultimately automated way to assess security software flaws and misconfiguration in the enterprise
- Efficiencies gained through SCAP give our IT security teams additional cycles to address other important aspects of IT security
- By linking compliance to configuration, SCAP makes compliance reporting a byproduct of good security, allowing IT security teams to focus on securing the enterprise
Slide 20: More Information
Slide 21: Contact Information
- 100 Bureau Drive, Mailstop 8930, Gaithersburg, MD USA 20899-8930
- Steve Quinn, (301) 975-6967, stephen.quinn@nist.gov
- Peter Mell, (301) 975-5572, mell@nist.gov
- Karen Scarfone, (301) 975-8136, karen.scarfone@nist.gov
- Murugiah Souppaya, (301) 975-4758, murugiah.souppaya@nist.gov
- Matt Barrett, (301) 975-3390, matthew.barrett@nist.gov
- Information and Feedback: Web http://scap.nist.gov; Comments scap-update@nist.gov
Slide 22: Additional Information
Slide 23: Current State: Compliance and Configuration Management
(Diagram contrasting the two problem spaces)
- Compliance Management: a finite set of possible known IT risk controls (management, operational, technical), with agency tailoring driven by impact rating (Low / Moderate / High) or MAC/CONF
- Configuration Management: application configuration options, with millions of settings to manage, varying by OS or application (e.g., Windows XP), version/role, major patch level (SP1, SP2), and environment (Enterprise, Stand Alone, Mobile, SSLF)
Slide 24: Current State: Vulnerability Trends
A 20-50% increase over previous years
- Decreased timeline in exploit development
- Increased prevalence of zero-day exploits
- Three of the SANS Top 20 Internet Security Attack Targets 2006 were categorized as configuration weaknesses. Many of the remaining 17 can be partially mitigated via proper configuration.
Slide 25: Security Content Automation Protocol (SCAP): Standardizing How We Communicate
(Logo slide; names recoverable from the text: Cisco, Qualys, Symantec, Carnegie Mellon University)
Slide 26: Existing Federal Content: Standardizing What We Communicate
National Vulnerability Database
- Over 70 million hits per year
- 29,000 vulnerabilities
- About 20 new vulnerabilities per day
- Misconfiguration cross-references to:
  - NIST SP 800-53 security controls (all 17 families and 163 controls)
  - DoD IA Controls
  - DISA VMS Vulnerability IDs
  - Gold Disk VIDs
  - DISA VMS PDI IDs
  - NSA references
  - DCID
  - ISO 17799
- Reconciles software flaws from:
  - US-CERT Technical Alerts
  - US-CERT Vulnerability Alerts (CERT/CC)
  - MITRE OVAL software flaw checks
  - MITRE CVE dictionary
- Produces XML feed for NVD content
National Checklist Program
- In response to NIST being named in the Cyber Security R&D Act of 2002
- Encourages vendor development and maintenance of security guidance
- Currently hosts 114 separate guidance documents for over 141 IT products
- Translating this backlog of checklists into the Security Content Automation Protocol (SCAP)
- Participating organizations: DISA, NSA, NIST, Hewlett-Packard, CIS, ITAA, Oracle, Sun, Apple, Microsoft, Citadel, LJK, Secure Elements, ThreatGuard, MITRE Corporation, G2, Verisign, Verizon Federal, Kyocera, ConfigureSoft, McAfee, etc.
Slide 27: SCAP Validation Program Capabilities
(Capability matrix; the table itself is not recoverable from the text)
Note: Xs indicate some degree of testing, but not necessarily all-inclusive testing, for the indicated standard.
Note: Grey font indicates capabilities that are not yet available for test.
Slide 28: SCAP Value