Title: Security Advisories Sources and examples
1 Security Advisories: Sources and examples
- Presented by
- Srujan Baddam
2 Outline
- Introduction
- Scorecard approach
- Goal-Question Metric (GQM) Technique
- Examples
- Conclusions
3 Introduction
- A security advisory is a formal message issued by a vendor or a third party to alert a product's user community about security problems associated with the product and to provide information about how to avoid, minimize, or recover from any damage.
- Vulnerability disclosure
- Assigning a security rating to security advisories
- Security advisories don't help users and system administrators effectively manage and assess the impact of vulnerability disclosures.
- Here comes the scorecard approach.
4 Scorecard Approach
- The main goal is to help users and system administrators efficiently manage and assess the impact of vulnerability disclosures; the approach is based on the Goal-Question-Metric technique.
- It is designed to let users record useful information and security response centers publish advisories in a way that will help the community respond more efficiently.
5 The unreadability of security bulletins
6 The unreadability of security bulletins (Contd..)
- The survey of various security bulletin boards shows that each has a completely different view about what to publish, what information to include, and how to organize the data.
- Similar values at the various bulletin boards for specific vendors have been recorded: an average of 45 for Cisco, 72 for Microsoft, and 44 for FreeBSD for each of the past three years. For general, non-vendor-specific informational postings, we recorded 37 advisories for CERT, 734 for Australian CERT (AusCERT), 56 for Symantec, and 1,568 for CVE.
- The unexpectedly high difference between these numbers indicates that there is no clear rule on what is considered a security advisory.
7 A metrics-based scorecard
- The vendors' bulletin boards do not provide a practical guide on how to read, evaluate and handle a security advisory, which can mislead the user communities.
- The scorecard approach provides a solution for this problem by defining a series of metrics.
- It contains 9 categories of metrics, ordered by their evaluation sequence, and gives a complete picture of both the vulnerability and the relevant risk.
8 Metrics-based Scorecard contd..
- Vulnerability's target
- Logical
- Physical
- Applicability-scope
- Exploitation preconditions
- Organization factors
- Exploitation impact
- Community impact
- Solution requirements
- Solution impact
- Conclusions impact
9 Action sequence for handling security advisories
10 A metrics-based scorecard contd..
- There are two phases in the metrics-based scorecard method:
- 1. Assessment phase
- 2. Implementation phase
- The assessment phase has the following metrics:
- 1. Target
- Logical targets refer to informational and processing resources. Physical targets refer to hardware, to local area network infrastructure or to the entire Internet infrastructure.
- 2. Applicability scope
- The applicability of a security advisory depends on hardware type, OS, software installed and various configuration settings. It is usually clearly indicated in the text provided by the advisory.
11 A metrics-based scorecard contd..
- 3. Exploitation preconditions
- The exploitation of a vulnerability is usually performed remotely, either location-independently or only within specific logical or physical limits, such as an Intranet logical area, a LAN or a switched LAN segment. In other cases the exploitation may succeed only by normally registered users or by physical access.
- 4. Organization factors
- These factors may considerably mitigate the impact of a vulnerability by providing the means for better information dissemination and response procedures.
12 A metrics-based scorecard contd..
- 5. Exploitation Impact (Damage)
- Exploitation impact refers to the basic security properties, i.e. the availability, the integrity and the confidentiality of the information and the infrastructure.
- Exploitation may also result in unauthorized action and system misuse, such as code execution and the bypass of authentication and authorization controls.
- In other cases the exploitation may provoke spreading to neighbor systems, erroneous transmission (e.g. network disruption, traffic redirection, out-of-sequence transmission) or physical damage.
13 A metrics-based scorecard contd..
- 6. Community Impact
- Community impact can be:
- Financial loss, i.e. direct theft, down-time cost or restoration cost
- Loss of trust in the information system
- 7. Solution Requirements
- The solution requirements focus on:
- The solution implementation, such as patching and configuring, according to the relevant security advisories
- Additional protection measures may be required, such as the use of ACLs, an IDS, firewalls, cryptography, VPNs and antivirus applications
14 A metrics-based scorecard contd..
- 8. Solution Impact
- The implementation of a proposed solution can have the following impacts:
- Cost in terms of money, labor time, system availability and organization functionality
- The time margin to take action; according to the severity of the impact it would be immediate, short-term or long-term.
- 9. Conclusions Impact
- The conclusions that will arise after the assessment and the implementation phases of a security advisory are either informational or indicate further action.
15 Goal-Question-Metric approach
- A multidimensional framework for describing, implementing and managing strategy at all levels of an organization.
- It is a common analysis tool in software engineering and quality management.
- The GQM user sets an objective goal that can't be directly interpreted, but rather is described by a series of questions. Each question is answered, in turn, by a series of metrics, which are either quantitative (obtain absolute values) or qualitative (answered by subjective judgments or comparable values).
16 Goal-Question-Metric approach (Contd..)
- The goal has four parts:
- An issue relates to a security parameter (such as the impact)
- A reference object is the source of the analysis
- A perspective establishes how to interpret the issue in terms of its impact on a service, process, system
- An intention determines how to evaluate or change the object's parameter (assess, test)
17 Example: http://www.microsoft.com/technet/security/bulletin/MS02-030.mspx
18 Conclusions
- A way to improve the handling and reporting of security advisories is proposed.
- A homogenized and stable security advisory publication scheme (using a common XML format) can be evolved by the response centers and vendors.
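The assessment-phase metrics of the scorecard (target, applicability scope, exploitation preconditions, exploitation impact) and the common XML publication format proposed in the conclusions, as an added example that is not part of the original slides: a constructed XML advisory record, an applicability check against a constructed host inventory, and an assumed rule deriving the solution's time margin. The element names, the inventory and the urgency rule are all assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample advisory carrying the assessment-phase metrics.
# Element and attribute names are an assumption for this example, not a published schema.
ADVISORY_XML = """<advisory id="EXAMPLE-0001">
  <target kind="logical">customer database</target>
  <applicability>
    <product name="ExampleHTTPd" versions="2.0 2.1"/>
    <product name="ExampleHTTPd" versions="2.2" requires="mod_example"/>
  </applicability>
  <preconditions access="remote" auth="none"/>
  <impact confidentiality="high" integrity="high" availability="low"/>
  <solution type="patch" extra="firewall ids"/>
</advisory>"""

# Constructed host inventory: host -> (product, version, enabled modules).
INVENTORY = {
    "host-a": ("ExampleHTTPd", "2.1", set()),
    "host-b": ("ExampleHTTPd", "2.2", set()),
    "host-c": ("ExampleHTTPd", "2.2", {"mod_example"}),
    "host-d": ("OtherServer", "1.0", set()),
}

def applicable_hosts(xml_text, inventory):
    """Applicability scope (metric 2): hosts whose product, version and
    configuration match one of the advisory's <product> entries."""
    root, hits = ET.fromstring(xml_text), []
    for host, (product, version, modules) in inventory.items():
        for entry in root.iter("product"):
            if entry.get("name") != product or version not in entry.get("versions", "").split():
                continue
            # A "requires" attribute narrows the scope to a configuration setting.
            if set(entry.get("requires", "").split()) <= modules:
                hits.append(host)
                break
    return sorted(hits)

def time_margin(xml_text):
    """Solution impact (metric 8): assumed rule mapping exploitation
    preconditions (3) and damage (5) to the three time margins."""
    root = ET.fromstring(xml_text)
    pre, imp = root.find("preconditions"), root.find("impact")
    unauth_remote = pre.get("access") == "remote" and pre.get("auth") == "none"
    high_damage = "high" in imp.attrib.values()
    if unauth_remote and high_damage:
        return "immediate"
    if unauth_remote or high_damage:
        return "short-term"
    return "long-term"
```

With the constructed data, only host-a and host-c fall inside the applicability scope, and the unauthenticated remote precondition combined with high confidentiality and integrity damage yields an immediate time margin.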