Software Process Improvement Overview - PowerPoint PPT Presentation

Description (excerpt): What Vulnerability Identification Tools Do Not Identify ... Apple Mac OS 2001 by Carnegie Mellon University. SS5 -9. Network Infrastructure Scanners ...
Provided by: softwareen2

1
OCTAVE(SM) Process 5: Background on Vulnerability Evaluations
  • Software Engineering Institute
  • Carnegie Mellon University
  • Pittsburgh, PA 15213
  • Sponsored by the U.S. Department of Defense

2
Vulnerability Evaluation Topics
  • Terminology
  • Vulnerability tools
  • Vulnerability reports
  • Strategies for conducting vulnerability
    evaluations

3
Terminology
  • Technology vulnerability
    • weakness in a system that can directly lead to
      unauthorized action
  • Exploit
    • process of using a technology vulnerability to
      violate security policy

4
Vulnerability Tools
  • Vulnerability tools identify
    • known weaknesses in technology
    • misconfigurations of well known administrative
      functions, such as
      • file permissions on certain files
      • accounts with null passwords
    • what an attacker can determine about your systems
      and networks

5
What Vulnerability Tools Identify
Operational Practice Areas
  • Physical Security
    • Physical Security Plans and Procedures
    • Physical Access Control
    • Monitoring and Auditing Physical Security
  • Information Technology Security
    • System and Network Management
    • Monitoring and Auditing IT Security
    • Authentication and Authorization
    • Encryption
    • Vulnerability Management
    • System Administration Tools
    • Security Architecture and Design
  • Staff Security
    • Incident Management
    • General Staff Practices

6
What Vulnerability Identification Tools Do Not
Identify
  • Misapplied or improper system administration
    (users, accounts, configuration settings)
  • Unknown vulnerabilities in operating systems,
    services, applications, and infrastructure
  • Incorrect adoption or implementation of
    organizational procedures

7
Vulnerability Evaluation Tools
  • Operating system scanners
  • Network infrastructure scanners
  • Specialty, targeted, and hybrid scanners
  • Checklists
  • Scripts

8
Operating System Scanners
  • Operating system scanners target specific
    operating systems, including
    • Windows NT/2000
    • Sun Solaris
    • Red Hat Linux
    • Apple Mac OS

9
Network Infrastructure Scanners
  • Network infrastructure scanners target the
    network infrastructure components, including
    • routers and intelligent switches
    • DNS servers
    • firewall systems
    • intrusion detection systems

10
Specialty, Targeted, and Hybrid Scanners
  • Specialty, targeted, and hybrid scanners target a
    range of services, applications, and operating
    system functions, including
    • web servers (CGI, Java)
    • database applications
    • registry information (Windows NT/2000)
    • weak password storage and authentication services

11
Checklists
  • Checklists provide the same functionality as
    automated tools.
  • Checklists are manual, not automated.
  • Checklists require a consistent review of the
    items being checked and must be routinely updated.

12
Scripts
  • Scripts provide the same functionality as
    automated tools, but they usually have a single
    function.
  • The more items you test, the more scripts you'll
    need.
  • Scripts require a consistent review of the items
    being checked and must be routinely updated.

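The kind of single-purpose check script described on this slide, implementing two of the misconfiguration checks named on slide 4 (permissions on certain files and accounts with null passwords). This is an added example, not code from the OCTAVE material or the SEI; the file modes, the permission baseline and the shadow-style records are constructed inline so it runs offline, and on a real host the modes would come from os.stat() and the records from /etc/shadow.

```python
"""Added example (not from the OCTAVE slides): a single-purpose check script
of the kind slide 12 describes, implementing two checks named on slide 4:
permissions on sensitive files and accounts with null passwords.
All input data below is constructed so the script runs offline; on a real
host the modes would come from os.stat() and the lines from /etc/shadow."""
import stat
from typing import Dict, List, Tuple

# Constructed sample: path -> st_mode as os.stat() would report it.
SAMPLE_MODES: Dict[str, int] = {
    "/etc/passwd": stat.S_IFREG | 0o644,
    "/etc/shadow": stat.S_IFREG | 0o666,        # group/world access: a finding
    "/etc/ssh/sshd_config": stat.S_IFREG | 0o600,
}

# Assumed baseline: the most permissive mode each checked file may have.
BASELINE: Dict[str, int] = {
    "/etc/passwd": 0o644,
    "/etc/shadow": 0o600,
    "/etc/ssh/sshd_config": 0o644,
}

# Constructed shadow-style records (name:password-field:...). An empty second
# field is a null password; "*" and "!" mark locked accounts, which are fine.
SAMPLE_SHADOW: List[str] = [
    "root:$6$constructed$notarealhash:19000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
    "backup:!:19000:0:99999:7:::",
]


def check_permissions(modes: Dict[str, int],
                      baseline: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every baseline file whose permission bits
    exceed the allowed set, or which is absent from the inventory."""
    findings = []
    for path, allowed in sorted(baseline.items()):
        mode = modes.get(path)
        if mode is None:
            findings.append((path, "file not present in inventory"))
            continue
        perm = stat.S_IMODE(mode)          # strip the file-type bits
        extra = perm & ~allowed            # bits set beyond the baseline
        if extra:
            findings.append((path, f"mode {perm:04o} exceeds baseline {allowed:04o}"))
    return findings


def check_null_passwords(shadow_lines: List[str]) -> List[str]:
    """Return the account names whose password field is empty."""
    accounts = []
    for line in shadow_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 2 or not fields[0]:
            continue                        # malformed record: skip it
        if fields[1] == "":
            accounts.append(fields[0])
    return accounts


def run_checks(modes=SAMPLE_MODES, baseline=BASELINE, shadow=SAMPLE_SHADOW) -> dict:
    """Run both checks and return the results under one report-style dict."""
    return {
        "permissions": check_permissions(modes, baseline),
        "null_passwords": check_null_passwords(shadow),
    }


if __name__ == "__main__":
    for check, results in run_checks().items():
        print(f"{check}: {results if results else 'no findings'}")
```

Each check is a few lines and tests exactly one item, which is the point the slide makes: every additional item you want covered means another script of this shape, and the baseline dictionary is what has to be reviewed and updated routinely.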
13
Vulnerability Tool Reports
  • Vulnerability reports usually provide
    • identification and ranking of the severity of
      technological weaknesses found
    • mitigation and corrective steps to eliminate
      vulnerabilities
  • Determine what information you require, and then
    match your requirements to the report(s) provided
    by the tool(s).

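How the two things a report usually provides (a severity ranking of the weaknesses found and the corrective steps for them) are turned into the view you actually require, when several tools report with different severity vocabularies. This is an added example, not code from the OCTAVE material; the findings, the tool names and their severity labels are all constructed for the illustration and do not correspond to any real product.

```python
"""Added example (not from the OCTAVE slides): consolidating findings from
several vulnerability tools into one ranked list and a per-host mitigation
plan. The findings below are constructed; the tool names and their severity
vocabularies are assumed, not those of any real product."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed common severity scale; each tool's own labels are normalised onto it.
SEVERITY_RANK: Dict[str, int] = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Assumed per-tool vocabularies (constructed), mapped onto the common scale.
TOOL_LABELS: Dict[str, Dict[str, str]] = {
    "os-scanner": {"Critical": "critical", "High": "high", "Medium": "medium",
                   "Low": "low", "Informational": "info"},
    "net-scanner": {"4": "critical", "3": "high", "2": "medium", "1": "low", "0": "info"},
}


@dataclass
class Finding:
    tool: str
    host: str
    weakness: str
    severity: str      # normalised label, a key of SEVERITY_RANK
    mitigation: str


def normalise(tool: str, label: str) -> str:
    """Map a tool's own severity label onto the common scale; refuse unknown labels
    rather than silently ranking them."""
    try:
        return TOOL_LABELS[tool][label]
    except KeyError:
        raise ValueError(f"unknown severity label {label!r} from tool {tool!r}")


# Constructed raw findings: (tool, host, weakness, tool's own label, mitigation).
RAW_FINDINGS: List[Tuple[str, str, str, str, str]] = [
    ("os-scanner", "fileserver-1", "account with null password", "High",
     "set or lock the password"),
    ("net-scanner", "router-1", "default SNMP community string", "4",
     "change the community string and restrict SNMP to management hosts"),
    ("os-scanner", "fileserver-1", "world-writable /etc/shadow", "Critical",
     "restore mode 0600 and review who changed it"),
    ("net-scanner", "dns-1", "zone transfer allowed from any host", "2",
     "restrict AXFR to the secondary servers"),
    ("os-scanner", "fileserver-1", "service banner reveals OS version", "Informational",
     "suppress version details in the banner"),
]


def load_findings(raw=RAW_FINDINGS) -> List[Finding]:
    return [Finding(t, h, w, normalise(t, s), m) for t, h, w, s, m in raw]


def rank_findings(findings: List[Finding], minimum: str = "info") -> List[Finding]:
    """Keep findings at or above `minimum`, highest severity first, then by host."""
    floor = SEVERITY_RANK[minimum]
    kept = [f for f in findings if SEVERITY_RANK[f.severity] >= floor]
    return sorted(kept, key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.weakness))


def mitigation_plan(findings: List[Finding], minimum: str = "info") -> Dict[str, List[Tuple[str, str]]]:
    """Corrective steps grouped by host, most severe first: the view an
    administrator needs, whichever tool produced each finding."""
    plan: Dict[str, List[Tuple[str, str]]] = {}
    for f in rank_findings(findings, minimum):
        plan.setdefault(f.host, []).append((f.severity, f.mitigation))
    return plan


if __name__ == "__main__":
    for host, steps in mitigation_plan(load_findings(), minimum="low").items():
        print(host)
        for severity, step in steps:
            print(f"  [{severity}] {step}")
```

The `minimum` threshold and the per-host grouping are the "information you require" step from the slide: the same findings can be cut as a risk ranking for management or as a work list per administrator without re-running any tool.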
14
Sample Report

15
Other Report Data

16
Scoping Vulnerability Evaluations
  • You need to scope a vulnerability evaluation.
  • Two approaches are
    • examining every component of your computing
      infrastructure over a defined period of time
      (comprehensive vulnerability evaluation)
    • grouping similar components into categories and
      examining selected components from each category
      (targeted vulnerability evaluation)

17
Targeted Vulnerability Evaluation Strategies
  • Strategies for targeted vulnerability evaluations
    include grouping similar components into
    categories.
  • Categories can include
    • how components are used
    • the primary operators of components
    • classes of components

18
OCTAVE Phase 2 Strategy
  • Phase 2 of OCTAVE is a targeted vulnerability
    evaluation.
  • Key classes of components are identified by
    considering how critical assets are
    • stored
    • processed
    • transmitted

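
The scoping choices of the last three slides worked through on one inventory: the comprehensive scope, a targeted scope built from each of the three category types (usage, operator, class of component), and the OCTAVE phase 2 selection of key classes by where a critical asset is stored, processed or transmitted. This is an added example, not code from the OCTAVE method or the SEI; the inventory, category values and the critical asset are constructed, and the rule of picking representatives by name is a stand-in for the judgement an evaluator would apply.

```python
"""Added example (not from the OCTAVE slides): the two scoping approaches of
slide 16 and the targeted-evaluation strategies of slides 17 and 18, applied
to a constructed component inventory. The inventory, the category names and
the critical asset are all made up for the example."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Component:
    name: str
    component_class: str                       # class of component (slide 17)
    usage: str                                 # how the component is used
    operator: str                              # primary operator group
    # critical asset -> which of stored / processed / transmitted (slide 18)
    asset_roles: Dict[str, Tuple[str, ...]] = field(default_factory=dict)


ASSET = "customer-records"   # constructed critical asset

INVENTORY: List[Component] = [   # constructed inventory
    Component("fileserver-1", "server", "file storage", "IT", {ASSET: ("stored",)}),
    Component("fileserver-2", "server", "file storage", "IT", {ASSET: ("stored",)}),
    Component("dbserver-1", "server", "database", "IT", {ASSET: ("stored", "processed")}),
    Component("ws-billing-1", "workstation", "billing", "finance", {ASSET: ("processed",)}),
    Component("ws-billing-2", "workstation", "billing", "finance", {ASSET: ("processed",)}),
    Component("ws-dev-1", "workstation", "development", "engineering"),
    Component("router-1", "router", "WAN uplink", "IT", {ASSET: ("transmitted",)}),
    Component("switch-core", "switch", "core switching", "IT", {ASSET: ("transmitted",)}),
    Component("printer-1", "printer", "printing", "facilities"),
]


def comprehensive_scope(inventory: List[Component]) -> List[str]:
    """Comprehensive evaluation: every component is in scope."""
    return sorted(c.name for c in inventory)


def group_by(inventory: List[Component],
             key: Callable[[Component], str]) -> Dict[str, List[Component]]:
    groups: Dict[str, List[Component]] = defaultdict(list)
    for c in inventory:
        groups[key(c)].append(c)
    return dict(groups)


def targeted_scope(inventory: List[Component], key: Callable[[Component], str],
                   per_category: int = 1) -> List[str]:
    """Targeted evaluation: group similar components by `key` and examine up to
    `per_category` representatives from each group. Representatives are chosen
    by name here only to keep the example deterministic."""
    chosen: List[str] = []
    for _, members in sorted(group_by(inventory, key).items()):
        chosen.extend(c.name for c in sorted(members, key=lambda c: c.name)[:per_category])
    return chosen


def key_classes(inventory: List[Component], asset: str) -> Dict[str, Set[str]]:
    """OCTAVE phase 2: the classes of components that store, process or
    transmit the critical asset, grouped by that role."""
    classes: Dict[str, Set[str]] = defaultdict(set)
    for c in inventory:
        for role in c.asset_roles.get(asset, ()):
            classes[role].add(c.component_class)
    return dict(classes)


def phase2_scope(inventory: List[Component], asset: str, per_class: int = 1) -> List[str]:
    """Representatives drawn only from components that touch the asset,
    one per key class; components that never touch it stay out of scope."""
    touching = [c for c in inventory if asset in c.asset_roles]
    return targeted_scope(touching, lambda c: c.component_class, per_class)


if __name__ == "__main__":
    print("comprehensive:", comprehensive_scope(INVENTORY))
    print("by class:     ", targeted_scope(INVENTORY, lambda c: c.component_class))
    print("by usage:     ", targeted_scope(INVENTORY, lambda c: c.usage))
    print("by operator:  ", targeted_scope(INVENTORY, lambda c: c.operator))
    print("key classes:  ", key_classes(INVENTORY, ASSET))
    print("phase 2:      ", phase2_scope(INVENTORY, ASSET))
```

The difference between `targeted_scope` by class and `phase2_scope` is the slide 18 point: grouping by class alone still puts the printer in scope, while selecting by where the critical asset is stored, processed and transmitted drops components that never touch it and concentrates the evaluation on the classes that matter for that asset.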