A New Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance (PowerPoint presentation transcript)

Transcript and Presenter's Notes

1
A New Approach to Vulnerability Management,
Configuration Management, and Technical Policy
Compliance
  • presented by Peter Mell
  • National Institute of Standards and Technology

2
Agenda
  • Information Security Current State
  • Security Content Automation Protocol Introduction
  • Current Stakeholders
  • Use Cases
  • Validation Program Background and Status
  • Possible Future Directions for SCAP
  • Summary

3
Current State: Security Operations
  • OCIO
  • Operations Team
  • Compliance Management
  • Vulnerability Management
  • Configuration Management
  • Asset Management

4
What is SCAP?
  • How: standardizing the format by which we communicate (the Protocol)
  • What: standardizing the information we communicate (the Content)
  • National Vulnerability Database (http://nvd.nist.gov)
  • 70 million hits per year
  • 20 new vulnerabilities per day, over 6,000 per year
  • Mis-configuration cross references
  • Reconciles software flaws from US-CERT and MITRE repositories
  • Produces XML feed for NVD content

5
Convergent Evolution of Post-Compilation Software
Maintenance
  • 2008 NVD will become production-ready for SCAP
    version 1.0
  • 2007 OMB mandates use of SCAP validated tools
    for assessing Federal Desktop Core Configuration
    (FDCC)
  • 2007 NCP legacy checklists become available
    through NVD Web site
  • 2007 NCP promotes SCAP as the preferred format
    for all new checklists
  • 2006-07 Announcements that the following
    guidelines will be available in SCAP format:
    • DISA Security Technical Implementation Guides (STIG)
    • JTF-GNO Information Assurance Vulnerability Management (IAVM) alerts
    • Red Hat Security Guides
  • 2006 NVD becomes reference data for SCAP
  • 2006 SCAP reaches Beta formulation with
    publication of the NIST Draft Interagency Report
    (IR) 7343
  • 2005 iCAT becomes NVD
  • 2002 NCP established through the Cyber Security R&D
    Act of 2002
  • 1999 iCAT established

6
National Checklist Program Hosted at National
Vulnerability Database Website
7
How SCAP Works
  • Report: XCCDF
  • Platform: CPE
  • Misconfiguration: CCE
  • Software Flaw: CVE
  • Specific Impact / Results: CVSS
  • Test Procedures: OVAL
  • Patches: OVAL
8
Linking Configuration to Compliance
  <Group id="IA-5" hidden="true">
    <title>Authenticator Management</title>
    <reference>ISO/IEC 17799 11.5.2, 11.5.3</reference>
    <reference>NIST 800-26 15.1.6, 15.1.7, 15.1.9, 15.1.10, 15.1.11, 15.1.12, 15.1.13, 16.1.3, 16.2.3</reference>
    <reference>GAO FISCAM AC-3.2</reference>
    <reference>DOD 8500.2 IAKM-1, IATS-1</reference>
    <reference>DCID 6/3 4.B.2.a(7), 4.B.3.a(11)</reference>
  </Group>
  <Rule id="minimum-password-length" selected="false" weight="10.0">
    <reference>CCE-100</reference>
    <reference>DISA STIG Section 5.4.1.3</reference>
    <reference>DISA Gold Disk ID 7082</reference>
    <reference>PDI IAIA-12B</reference>
    <reference>800-68 Section 6.1 - Table A-1.4</reference>
    <reference>NSA Chapter 4 - Table 1 Row 4</reference>
    <requires idref="IA-5"/>
    <!-- pointer to OVAL test procedure -->
  </Rule>
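The fragment above is the mechanism behind the summary's claim that compliance reporting becomes a byproduct of configuration checking: a Rule carries its own references (CCE, STIG, Gold Disk, ...) and points, through `<requires idref="IA-5"/>`, at a hidden Group whose references cross-walk the 800-53 control to the other frameworks. The Python below is an added example, not code from the presentation or from NIST. It parses a small XCCDF 1.1 benchmark built from that fragment, resolves each Rule to the references it carries directly and inherits via `<requires>`, and rolls the per-rule results in an XCCDF `<TestResult>` up to a per-control status. The second Rule (`password-complexity`) and the `<TestResult>` are constructed for illustration; the roll-up policy (any failing rule fails the control; an error, unknown or unchecked rule makes it inconclusive) is this example's own choice, not something XCCDF defines.

```python
# Added example: resolve XCCDF rules to their compliance references and roll
# rule results up to control status. Not code from the slides or from NIST.
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}   # XCCDF 1.1 namespace


def _tag(local):
    return "{%s}%s" % (NS["x"], local)


# Constructed sample: the IA-5 Group and minimum-password-length Rule follow
# the slide; the second Rule and the TestResult are invented for illustration.
SAMPLE_XCCDF = """
<Benchmark id="sample-benchmark" xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Group id="IA-5" hidden="true">
    <title>Authenticator Management</title>
    <reference>ISO/IEC 17799 11.5.2, 11.5.3</reference>
    <reference>GAO FISCAM AC-3.2</reference>
    <reference>DOD 8500.2 IAKM-1, IATS-1</reference>
  </Group>
  <Rule id="minimum-password-length" selected="true" weight="10.0">
    <reference>CCE-100</reference>
    <reference>DISA STIG Section 5.4.1.3</reference>
    <requires idref="IA-5"/>
  </Rule>
  <Rule id="password-complexity" selected="true" weight="10.0">
    <requires idref="IA-5"/>
  </Rule>
  <TestResult id="sample-run">
    <rule-result idref="minimum-password-length"><result>fail</result></rule-result>
    <rule-result idref="password-complexity"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""


def _refs(elem):
    return [r.text.strip() for r in elem.findall("x:reference", NS) if r.text]


def rule_references(xccdf_xml):
    """Map each Rule id to the Groups it requires, its own references, and
    the references inherited from those Groups."""
    root = ET.fromstring(xccdf_xml)
    group_refs = {g.get("id"): _refs(g) for g in root.iter(_tag("Group"))}
    out = {}
    for rule in root.iter(_tag("Rule")):
        controls, inherited = [], []
        for req in rule.findall("x:requires", NS):
            for gid in req.get("idref", "").split():   # idref may list several ids
                if gid in group_refs:
                    controls.append(gid)
                    inherited.extend(group_refs[gid])
        out[rule.get("id")] = {"controls": controls,
                               "direct": _refs(rule),
                               "inherited": inherited}
    return out


def rule_results(xccdf_xml):
    """Map each Rule id to its <result> text from the document's TestResult."""
    root = ET.fromstring(xccdf_xml)
    results = {}
    for rr in root.findall("x:TestResult/x:rule-result", NS):
        res = rr.find("x:result", NS)
        results[rr.get("idref")] = (res.text or "").strip() if res is not None else "unknown"
    return results


# Roll-up policy of this example (XCCDF result values, ranked by severity).
RESULT_RANK = {"fail": 3,
               "error": 2, "unknown": 2, "notchecked": 2,
               "pass": 1, "fixed": 1,
               "notapplicable": 0, "notselected": 0, "informational": 0}
LABEL = {3: "fail", 2: "inconclusive", 1: "pass", 0: "no evidence"}


def control_status(xccdf_xml):
    """The worst result among the rules requiring a Group decides that
    control's status. A rule with no recorded result counts as unknown."""
    refs = rule_references(xccdf_xml)
    results = rule_results(xccdf_xml)
    worst = {}
    for rule_id, info in refs.items():
        rank = RESULT_RANK.get(results.get(rule_id, "unknown"), 2)
        for gid in info["controls"]:
            worst[gid] = max(worst.get(gid, 0), rank)
    return {gid: LABEL[rank] for gid, rank in worst.items()}


if __name__ == "__main__":
    for rule_id, info in rule_references(SAMPLE_XCCDF).items():
        print(rule_id, "->", info["controls"], info["direct"])
    print(control_status(SAMPLE_XCCDF))
```

Because the control status is derived from the rule results rather than asserted separately, the 800-53 (and, via the Group's references, ISO 17799, FISCAM and 8500.2) reporting changes the moment a scan changes, which is the point the slide is making.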

9
Federal Risk Management Framework
  • Starting Point: Categorize Information System (FIPS 199 / SP 800-60).
    Define criticality/sensitivity of the information system according
    to the potential impact of loss.
  • Select Security Controls (FIPS 200 / SP 800-53). Select baseline
    (minimum) security controls to protect the information system; apply
    tailoring guidance as appropriate.
  • Supplement Security Controls (SP 800-53 / SP 800-30). Use risk
    assessment results to supplement the tailored security control
    baseline as needed to ensure adequate security and due diligence.
  • Document Security Controls (SP 800-18). Document in the security
    plan the security requirements for the information system and the
    security controls planned or in place.
  • Implement Security Controls (SP 800-70). Implement security
    controls; apply security configuration settings.
  • Assess Security Controls (SP 800-53A). Determine security control
    effectiveness (i.e., controls implemented correctly, operating as
    intended, meeting security requirements).
  • Authorize Information System (SP 800-37). Determine risk to agency
    operations, agency assets, or individuals and, if acceptable,
    authorize information system operation.
  • Monitor Security Controls (SP 800-37 / SP 800-53A). Continuously
    track changes to the information system that may affect security
    controls and reassess control effectiveness.
10
Integrating IT and IT Security Through SCAP
  • SCAP components:
    • CVE: Common Vulnerabilities and Exposures (software flaws)
    • CCE: Common Configuration Enumeration (misconfiguration)
    • CPE: Common Platform Enumeration
    • XCCDF: Extensible Configuration Checklist Description Format
    • OVAL: Open Vulnerability and Assessment Language
    • CVSS: Common Vulnerability Scoring System
  • IT and IT security functions served: Vulnerability Management,
    Asset Management, Configuration Management, Compliance Management
11
Agility in a Digital World
12
Stakeholder and Contributor Landscape: Industry Product Teams and
Content Contributors
Ai Metrix
13
Stakeholder and Contributor Landscape: Federal Agencies (SCAP
Infrastructure, Beta Tests, Use Cases, and Early Adopters)
14
Use Case: The Office of the Secretary of Defense Computer Network
Defense Data Pilot
15
Use Case: The Office of Management and Budget Federal Desktop Core
Configuration
OMB 31 July 2007 Memo to CIOs: Establishment of Windows XP and VISTA
Virtual Machine and Procedures for Adopting the Federal Desktop Core
Configurations
  • "As we noted in the June 1, 2007 follow-up policy memorandum
    M-07-18, Ensuring New Acquisitions Include Common Security
    Configurations, a virtual machine would be established to provide
    agencies and information technology providers access to Windows XP
    and VISTA images. The National Institute of Standards and Technology
    (NIST), Microsoft, the Department of Defense, and the Department of
    Homeland Security have now established a website hosting the virtual
    machine images, which can be found at http://csrc.nist.gov/fdcc."
  • "Your agency can now acquire information technology products that
    are self-asserted by information technology providers as compliant
    with the Windows XP & VISTA FDCC, and use NIST's Security Content
    Automation Protocol (S-CAP) to help evaluate providers'
    self-assertions. Information technology providers must use S-CAP
    validated tools, as they become available, to certify their products
    do not alter these configurations, and agencies must use these tools
    when monitoring use of these configurations."

16
SCAP Validation Labs and Products
  • Validated Products
  • 5 vendors
  • 6 products
  • 7 capabilities-based validations
  • 2 standards-based validations
  • Accredited Laboratories
  • Electronic Warfare Associates (EWA) Canada
  • ICSA Labs - an independent division of Verizon
    Business
  • Science Applications International Corporation
    (SAIC)
  • ATSEC Information Security Corporation
  • COACT Incorporated, CAFE Laboratory

17
SCAP Validation In-Progress and Potential
18
Where Can SCAP Go?
  • Continue to reduce the boundary between written
    specifications and action
  • Expand to implementation and remediation of
    vulnerabilities and security configurations
  • Extend into additional security technologies
    (e.g., IDS/IPS, firewall) and into other IT
    technologies (e.g., asset and configuration
    management)
  • We are open to additional use cases

19
Summary
  • SCAP gives us a transparent, interoperable,
    repeatable, and ultimately automated way to
    assess security software flaws and
    misconfiguration in the enterprise
  • Efficiencies gained through SCAP give our IT
    security teams additional cycles to address other
    important aspects of IT security
  • By linking compliance to configuration, SCAP
    makes compliance reporting a byproduct of good
    security, allowing IT security teams to focus on
    securing the enterprise

20
More Information
21
Contact Information
  • 100 Bureau Drive, Mailstop 8930, Gaithersburg, MD USA 20899-8930
  • Steve Quinn, (301) 975-6967, stephen.quinn@nist.gov
  • Peter Mell, (301) 975-5572, mell@nist.gov
  • Karen Scarfone, (301) 975-8136, karen.scarfone@nist.gov
  • Murugiah Souppaya, (301) 975-4758, murugiah.souppaya@nist.gov
  • Matt Barrett, (301) 975-3390, matthew.barrett@nist.gov
  • Information and Feedback: Web http://scap.nist.gov; Comments
    scap-update@nist.gov

22
Additional Information
23
Current State: Compliance and Configuration Management
  • Compliance Management: a finite set of possible known IT risk
    controls; agency tailoring of management, operational, and technical
    risk controls by impact rating (High / Moderate / Low) or MAC/CONF.
  • Configuration Management: application configuration options, broken
    out by OS or application (e.g., Windows XP), version/role, major
    patch level (SP1, SP2), and environment (Enterprise, Mobile, Stand
    Alone, SSLF); millions of settings to manage.
24
Current State: Vulnerability Trends
A 20-50% increase over previous years
  • Decreased timeline in exploit development
  • Increased prevalence of zero day exploits
  • Three of the SANS Top 20 Internet Security Attack
    Targets 2006 were categorized as configuration
    weaknesses. Many of the remaining 17 can be
    partially mitigated via proper configuration.

25
Security Content Automation Protocol (SCAP): Standardizing How We
Communicate
Cisco, Qualys, Symantec, Carnegie Mellon University
26
Existing Federal Content: Standardizing What We Communicate
  • National Vulnerability Database
    • Over 70 million hits per year
    • 29,000 vulnerabilities
    • About 20 new vulnerabilities per day
    • Mis-configuration cross references to: NIST SP 800-53 Security
      Controls (all 17 families and 163 controls), DoD IA Controls, DISA
      VMS Vulnerability IDs, Gold Disk VIDs, DISA VMS PDI IDs, NSA
      references, DCID, ISO 17799
    • Reconciles software flaws from: US-CERT Technical Alerts, US-CERT
      Vulnerability Alerts (CERT/CC), MITRE OVAL software flaw checks,
      MITRE CVE dictionary
    • Produces XML feed for NVD content
  • National Checklist Program
    • Established in response to NIST being named in the Cyber Security
      R&D Act of 2002
    • Encourages vendor development and maintenance of security guidance
    • Currently hosts 114 separate guidance documents for over 141 IT
      products
    • Translating this backlog of checklists into the Security Content
      Automation Protocol (SCAP)
    • Participating organizations: DISA, NSA, NIST, Hewlett-Packard, CIS,
      ITAA, Oracle, Sun, Apple, Microsoft, Citadel, LJK, Secure Elements,
      ThreatGuard, MITRE Corporation, G2, Verisign, Verizon Federal,
      Kyocera, ConfigureSoft, McAfee, etc.

27
SCAP Validation Program Capabilities
NOTE: Xs indicate some degree of testing, but not necessarily
all-inclusive testing, for the indicated standard.
NOTE: Grey font indicates capabilities that are not yet available for
test.
28
SCAP Value