Security Advisories Sources and examples - PowerPoint PPT Presentation
Provided by: sru7
Learn more at: https://www.cs.odu.edu
1
Security Advisories Sources and examples
  • Presented by
  • Srujan Baddam

2
Outline
  • Introduction
  • Scorecard approach
  • Goal-Question Metric (GQM) Technique
  • Examples
  • Conclusions

3
Introduction
  • A security advisory is a formal message issued by
    a vendor or a third party to alert a product's
    user community about security problems associated
    with the product and to provide information about
    how to avoid, minimize, or recover from any
    damage.
  • Vulnerability disclosure
  • Assigning a security rating to security advisories
  • Security advisories, as published today, do not
    help users and system administrators effectively
    manage and assess the impact of vulnerability
    disclosures.
  • The scorecard approach addresses this gap.

4
Scorecard Approach
  • The main goal is to help users and system
    administrators efficiently manage and assess the
    impact of vulnerability disclosures. The approach
    is based on the Goal-Question-Metric (GQM)
    technique.
  • It is designed to let users record useful
    information, and to let security response centers
    publish advisories in a way that helps the
    community respond more efficiently.

5
The unreadability of security bulletins
6
The unreadability of security bulletins
(Contd..)
  • A survey of various security bulletin boards
    shows that each has a completely different view
    about what to publish, what information to
    include, and how to organize the data.
  • The number of advisories published per year by
    vendor-specific bulletin boards also varies
    widely: an average of 45 for Cisco, 72 for
    Microsoft, and 44 for FreeBSD in each of the past
    three years. For general, non-vendor-specific
    informational postings, 37 advisories were
    recorded for CERT, 734 for Australian CERT
    (AusCERT), 56 for Symantec, and 1,568 for CVE.
  • The unexpectedly large differences between these
    numbers indicate that there is no clear rule on
    what is considered a security advisory.

7
A metrics-based scorecard
  • The vendors' bulletin boards do not provide a
    practical guide on how to read, evaluate and
    handle a security advisory, which can mislead the
    user communities.
  • The scorecard approach addresses this problem by
    defining a series of metrics.
  • It contains 9 categories of metrics, ordered by
    their evaluation sequence, and gives a complete
    picture of both the vulnerability and the
    associated risk.

8
A metrics-based scorecard (Contd..)
  • 1. Vulnerability's target
    • Logical
    • Physical
  • 2. Applicability scope
  • 3. Exploitation preconditions
  • 4. Organization factors
  • 5. Exploitation impact
  • 6. Community impact
  • 7. Solution requirements
  • 8. Solution impact
  • 9. Conclusions impact

9
Action sequence for handling security advisories
10
A metrics-based scorecard (Contd..)
  • There are two phases in the metrics-based
    scorecard method:
  • 1. Assessment phase
  • 2. Implementation phase
  • The assessment phase uses the following metrics:
  • 1. Target
  • Logical targets refer to informational and
    processing resources. Physical targets refer to
    hardware, to the local area network infrastructure
    or to the entire Internet infrastructure.
  • 2. Applicability scope
  • The applicability of a security advisory depends
    on hardware type, OS, installed software and
    various configuration settings. It is usually
    clearly indicated in the text of the advisory.

11
A metrics-based scorecard (Contd..)
  • 3. Exploitation preconditions
  • Exploitation of a vulnerability is usually
    performed remotely, either independently of
    location or only within specific logical or
    physical limits, such as an intranet logical
    area, a LAN or a switched LAN segment. In other
    cases exploitation may succeed only for normally
    registered users or through physical access.
  • 4. Organization factors
  • These factors may considerably mitigate the
    impact of a vulnerability by providing the means
    for better information dissemination and response
    procedures.

12
A metrics-based scorecard (Contd..)
  • 5. Exploitation impact (damage)
  • Exploitation impact refers to the basic
    security properties, i.e. the availability, the
    integrity and the confidentiality of the
    information and the infrastructure.
  • Exploitation may also result in unauthorized
    action and system misuse, such as code
    execution and the bypass of authentication and
    authorization controls.
  • In other cases exploitation may spread to
    neighbouring systems, cause erroneous
    transmission (e.g. network disruption, traffic
    redirection, out-of-sequence transmission) or
    physical damage.

13
A metrics-based scorecard (Contd..)
  • 6. Community impact
  • Community impact can be:
  • Financial loss, i.e. direct theft, down-time
    cost or restoration cost
  • Loss of trust in the information system
  • 7. Solution requirements
  • The solution requirements focus on:
  • The solution implementation, such as patching
    and configuring, according to the relevant
    security advisories
  • Additional protection measures that may be
    required, such as the use of ACLs, an IDS,
    firewalls, cryptography, VPNs and antivirus
    applications

14
A metrics-based scorecard (Contd..)
  • 8. Solution impact
  • The implementation of a proposed solution
    can have the following impacts:
  • Cost in terms of money, labor time, system
    availability and organization functionality
  • The time margin for taking action: depending on
    the severity of the impact, it is immediate,
    short-term or long-term.
  • 9. Conclusions impact
  • The conclusions that arise after the assessment
    and implementation phases of a security advisory
    are either informational or indicate further
    action.

15
Goal-Question Metric approach
  • A multidimensional framework for describing,
    implementing and managing strategy at all levels
    of an organization.
  • It is a common analysis tool in software
    engineering and quality management.
  • The GQM user sets an objective goal that cannot be
    measured directly, but is instead described by
    a series of questions. Each question is answered,
    in turn, by a series of metrics, which are either
    quantitative (yielding absolute values) or
    qualitative (answered by subjective judgments or
    comparable values).

16
Goal-Question Metric approach (Contd..)
  • The goal has four parts:
  • An issue relates to a security parameter (such as
    the impact)
  • A reference object is the source of the analysis
  • A perspective establishes how to interpret the
    issue, in terms of its impact on a service,
    process or system
  • An intention determines how to evaluate or change
    the object's parameter (assess, test)
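As an added worked example (not code from the original slides or from the scorecard's authors), the following Python models the four-part GQM goal of slide 16 and answers its questions with the nine scorecard metric categories of slides 10 to 14, ending in the time margin and the informational / further-action conclusion of slide 14. The category and goal-part names come from the slides; the precondition weights, the severity formula and its thresholds, the two sample advisories and all function names are assumptions made for illustration.

```python
"""GQM goal decomposed into the nine scorecard metric categories.

Added example, not code from the original slides or from the scorecard's
authors.  Category names follow slides 8-14; the precondition weights,
severity formula, thresholds and sample advisories are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Precondition(Enum):
    """Exploitation precondition (slide 11); value = assumed ease-of-exploit weight."""
    REMOTE_ANY = 1.0        # location-independent, no credentials needed
    REMOTE_LIMITED = 0.75   # only inside a logical/physical boundary (intranet, LAN)
    REGISTERED_USER = 0.5   # requires a normally registered account
    PHYSICAL_ACCESS = 0.25  # requires physical access to the target


@dataclass
class Scorecard:
    """One advisory's assessment- and implementation-phase metrics (slides 10-14)."""
    advisory: str
    logical_targets: list[str]    # 1. target: informational/processing resources
    physical_targets: list[str]   # 1. target: hardware, LAN, Internet infrastructure
    applicable: bool              # 2. applicability scope matches our hw/OS/config
    precondition: Precondition    # 3. exploitation preconditions
    org_mitigation: float         # 4. organization factors, 0.0 (none) .. 1.0 (full)
    impact: set[str]              # 5. affected properties, e.g. {"integrity", "code_execution"}
    financial_loss: float         # 6. community impact (assumed currency units)
    patch_available: bool         # 7. solution requirements: vendor fix exists
    extra_measures: list[str]     # 7. ACLs, IDS, firewall rules, ...
    downtime_hours: float         # 8. solution impact: availability cost


def exploitation_impact(card: Scorecard) -> int:
    """Quantitative metric: how many security properties the exploit affects."""
    return len(card.impact)


def severity(card: Scorecard) -> float:
    """Assumed formula: impact count, scaled by how easily the preconditions
    are met, reduced by organizational mitigation. Zero if not applicable."""
    if not card.applicable:
        return 0.0
    return exploitation_impact(card) * card.precondition.value * (1.0 - card.org_mitigation)


def time_margin(card: Scorecard) -> str:
    """Solution impact (slide 14): immediate / short-term / long-term (thresholds assumed)."""
    s = severity(card)
    if s >= 3.0:
        return "immediate"
    if s >= 1.0:
        return "short-term"
    return "long-term"


def conclusion(card: Scorecard) -> str:
    """Conclusions (slide 14): informational, or indicating further action."""
    return "further action" if card.applicable else "informational"


@dataclass
class Goal:
    """The four parts of a GQM goal (slide 16)."""
    issue: str         # security parameter, e.g. "impact"
    obj: str           # reference object, the source of the analysis
    perspective: str   # interpret the issue for a service, process or system
    intention: str     # "assess" or "test"


@dataclass
class Metric:
    name: str
    kind: str                              # "quantitative" or "qualitative"
    measure: Callable[[Scorecard], object]


@dataclass
class Question:
    text: str
    metrics: list[Metric]


def evaluate(goal: Goal, questions: list[Question], card: Scorecard) -> dict:
    """Answer each question of the goal by computing its metrics on the scorecard."""
    answers = {q.text: {m.name: m.measure(card) for m in q.metrics} for q in questions}
    return {"goal": goal, "advisory": card.advisory, "answers": answers}


IMPACT_GOAL = Goal(issue="impact", obj="security advisory",
                   perspective="system", intention="assess")

IMPACT_QUESTIONS = [
    Question("Does the advisory apply to us, and what does it target?", [
        Metric("applicable", "qualitative", lambda c: c.applicable),
        Metric("logical_targets", "qualitative", lambda c: c.logical_targets),
        Metric("physical_targets", "qualitative", lambda c: c.physical_targets),
    ]),
    Question("How easily and how badly can it be exploited?", [
        Metric("precondition", "qualitative", lambda c: c.precondition.name),
        Metric("impact_count", "quantitative", exploitation_impact),
        Metric("severity", "quantitative", severity),
    ]),
    Question("What must we do, and how soon?", [
        Metric("time_margin", "qualitative", time_margin),
        Metric("downtime_hours", "quantitative", lambda c: c.downtime_hours),
        Metric("conclusion", "qualitative", conclusion),
    ]),
]

# Constructed sample advisories for illustration; not real bulletins.
REMOTE_RCE = Scorecard(
    advisory="ADV-EXAMPLE-1", logical_targets=["web server process"], physical_targets=[],
    applicable=True, precondition=Precondition.REMOTE_ANY, org_mitigation=0.2,
    impact={"confidentiality", "integrity", "availability", "code_execution"},
    financial_loss=50_000.0, patch_available=True, extra_measures=["firewall rule"],
    downtime_hours=2.0,
)
LOCAL_DOS = Scorecard(
    advisory="ADV-EXAMPLE-2", logical_targets=[], physical_targets=["branch router"],
    applicable=True, precondition=Precondition.PHYSICAL_ACCESS, org_mitigation=0.0,
    impact={"availability"}, financial_loss=500.0, patch_available=True,
    extra_measures=[], downtime_hours=0.5,
)

if __name__ == "__main__":
    for card in (REMOTE_RCE, LOCAL_DOS):
        print(evaluate(IMPACT_GOAL, IMPACT_QUESTIONS, card))
```

The metrics are evaluated in the slide's order (target, scope, preconditions, organization factors, impact, then the solution metrics), and the quantitative ones (impact count, severity, downtime) feed the qualitative time margin, so an administrator can see why two advisories with the same vendor rating end up with different urgency.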

17
Example: http://www.microsoft.com/technet/security/bulletin/MS02-030.mspx
18
Conclusions
  • A way to improve the handling and reporting of
    security advisories is proposed.
  • A homogenized and stable security advisory
    publication scheme (using a common XML format)
    could be developed by the response centers and
    vendors.

20
  • Thank you