2010-12 SCAP Explained

by Nick Hansen, Senior Software Developer, nCircle

Transcript

  • 1. SCAP Explained
    Nick Hansen, Sr. Software Developer
    Overview of the Security Content Automation Protocol, Where It’s Been and Where It’s Going
    © nCircle 2010. All rights reserved.
  • 2. Overview
    • Introduction
    • What is SCAP and Security Automation?
    • SCAP Specifications
    • SCAP Tools and Content
    • SCAP Community
    • SCAP Future
  • 3. Introduction
    • Nick Hansen, nhansen@ncircle.com
    • Worked in Production Operations, Software Engineering and Management over the past 10 years
    • Excite@Home, NOCpulse, Red Hat, Opsware, HP
    • Involved with SCAP since 2006
  • 4. What is SCAP?
    • The Security Content Automation Protocol
    • Standards-based initiative for “organizing and expressing security-related information”
    • Grew out of the confluence of several well-established, existing standards
    • Managed by the US National Institute of Standards and Technology (NIST) and sponsored by the Department of Homeland Security to foster interoperable specifications with a focus on community participation
    • http://scap.nist.gov/index.html
  • 5. What is SCAP? (cont’d)
    • Protocol: “A suite of six specifications that standardize the format and nomenclature by which security software communicates information about publicly known software flaws and security configurations annotated with common identifiers and embedded in XML”
    • Content: “software flaw and security configuration standard reference data” in the form of checklists and SCAP “streams”
    • Specification: NIST SP 800-126
      – http://csrc.nist.gov/publications/nistpubs/800-126/sp800-126.pdf
  • 6. Security Automation
    • Managing security across the US Federal government and large enterprises is no small task
    • Automation is needed to manage and secure many operating systems, applications and configurations
    • Continuous monitoring and auditing are required to ensure the best possible security of the organization
    • Many tools are available that perform specialized tasks but do not interoperate well enough to give a complete picture
    • Requirements for compliance with multiple regulatory frameworks and guidelines
  • 7. SCAP 1.0 Specifications
    Languages: provide a standardized means for identifying what is to be evaluated and for expressing how to check system state
      – Open Vulnerability and Assessment Language (OVAL) 5.3 & 5.4: language for specifying low-level testing procedures used by checklists (MITRE)
      – Extensible Configuration Checklist Description Format (XCCDF) 1.1.4: language for specifying checklists and reporting checklist results (NSA & NIST)
    Enumerations: provide a standardized nomenclature and an associated dictionary of items expressed using that nomenclature
      – Common Vulnerabilities and Exposures (CVE): nomenclature and dictionary of security-related software flaws (MITRE)
      – Common Configuration Enumeration (CCE) 5: nomenclature and dictionary of system configuration issues (MITRE)
      – Common Platform Enumeration (CPE) 2.2: nomenclature and dictionary of product names and versions (MITRE)
    Vulnerability measurement and scoring systems: provide the ability within SCAP to measure and evaluate specific vulnerability characteristics to derive a vulnerability severity score
      – Common Vulnerability Scoring System (CVSS) 2.0: specification for measuring the relative severity of software flaw vulnerabilities (FIRST)
  • 8. Common Vulnerabilities and Exposures (CVE)
    • The CVE is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities and exposures. The purpose of the CVE is to catalog all known vulnerabilities.
    • The CVE was started in 1999. It is currently sponsored by the United States Department of Homeland Security and managed by the MITRE Corporation.
    • CVE: http://cve.mitre.org
    • CVE Compatibility: http://cve.mitre.org/compatible
    • Example: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249
  • 9. Open Vulnerability and Assessment Language (OVAL)
    • OVAL is the standard used to encode and transmit security information and system details. It is based on three XML schemas that represent the three steps of the security vulnerability assessment process:
      – Representing system configuration
      – Expressing a specific machine state
      – Reporting the results of the assessment
    • The original purpose of OVAL was to describe how to identify specific vulnerabilities (i.e. CVEs)
    • Now supports general configuration settings and patch installations
    • OVAL is managed by MITRE and is sponsored by the U.S. Department of Homeland Security
    • Example: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:6835
  • 10. Extensible Configuration Checklist Description Format (XCCDF)
    • XCCDF is an XML specification for structured collections of security configuration rules used by OS and application platforms
    • Uses OVAL and CPE to build profiles that systems can be validated against
    • Development of the XCCDF specification is led by the U.S. National Security Agency (NSA), published by NIST, and developed with contributions from the security community
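The slide says XCCDF profiles tie rules to OVAL checks and to CPE platforms. The following is an added example, not code from the presentation or from nCircle, showing how a scanner resolves an XCCDF 1.1 profile: it reads the Rule defaults, applies the Profile's select overrides, and returns the OVAL definition each selected rule points at. The benchmark is a constructed minimal document in the XCCDF 1.1 namespace; the rule ids, CCE placeholder, OVAL definition ids and the href are made-up.

```python
"""Resolve an XCCDF 1.1 profile to the OVAL checks it selects (added example)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample benchmark (not a real FDCC/USGCB stream). Two rules are
# selected by default and one is not; the profile flips those defaults.
SAMPLE_BENCHMARK = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-benchmark">
  <platform idref="cpe:/o:microsoft:windows_xp"/>
  <Profile id="example-profile">
    <title>Example profile</title>
    <select idref="rule-min-password-length" selected="true"/>
    <select idref="rule-guest-account" selected="false"/>
  </Profile>
  <Group id="group-accounts">
    <Rule id="rule-min-password-length" selected="false" severity="medium">
      <title>Minimum password length</title>
      <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-1</ident>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
    <Rule id="rule-guest-account" selected="true" severity="high">
      <title>Guest account disabled</title>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
      </check>
    </Rule>
    <Rule id="rule-audit-logon" selected="true" severity="low">
      <title>Audit logon events</title>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="example-oval.xml" name="oval:example:def:3"/>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""


def q(tag):
    """Namespace-qualify an XCCDF element name for ElementTree lookups."""
    return f"{{{XCCDF_NS}}}{tag}"


def resolve_profile(xml_text, profile_id):
    """Return {rule_id: (href, oval_definition_id)} for the rules a profile selects.

    A Rule's own 'selected' attribute is its default (XCCDF treats a missing
    attribute as true); the Profile's <select> elements override that default.
    Only rules whose <check> uses the OVAL definitions system are returned.
    """
    root = ET.fromstring(xml_text)
    selected = {}
    for rule in root.iter(q("Rule")):
        selected[rule.get("id")] = rule.get("selected", "true") == "true"

    profile = next((p for p in root.iter(q("Profile")) if p.get("id") == profile_id), None)
    if profile is None:
        raise KeyError(f"no profile {profile_id!r} in benchmark")
    for sel in profile.findall(q("select")):
        selected[sel.get("idref")] = sel.get("selected") == "true"

    checks = {}
    for rule in root.iter(q("Rule")):
        rule_id = rule.get("id")
        if not selected.get(rule_id):
            continue
        for check in rule.findall(q("check")):
            if check.get("system") != OVAL_SYSTEM:
                continue  # e.g. an OCIL questionnaire; not evaluated here
            ref = check.find(q("check-content-ref"))
            if ref is not None:
                checks[rule_id] = (ref.get("href"), ref.get("name"))
    return checks


def benchmark_platforms(xml_text):
    """CPE names the benchmark declares itself applicable to."""
    root = ET.fromstring(xml_text)
    return [p.get("idref") for p in root.findall(q("platform"))]


if __name__ == "__main__":
    print("applies to:", ", ".join(benchmark_platforms(SAMPLE_BENCHMARK)))
    for rule_id, (href, definition) in resolve_profile(SAMPLE_BENCHMARK, "example-profile").items():
        print(f"{rule_id}: evaluate {definition} from {href}")
```

The example handles only Rule-level selects; a real profile may also select or deselect whole Groups and refine Values, which a full XCCDF processor must apply before reading rule defaults.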
  • 11. OVAL and XCCDF Links
    • OVAL Homepage: http://oval.mitre.org
    • OVAL Compatibility: http://oval.mitre.org/compatible
    • NVD XCCDF/OVAL data feed: http://nvd.nist.gov/scapchecklists.cfm
    • XCCDF Standard: http://nvd.nist.gov/xccdf.cfm
    • NIST National Checklist Program: http://nvd.nist.gov/ncp.cfm
  • 12. Common Platform Enumeration (CPE)
    • CPE is a naming convention for hardware, operating system (OS), and application products.
      cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
      Example: cpe:/o:microsoft:windows_xp:::pro
    • The CPE is managed by MITRE and is sponsored by the U.S. Department of Defense
    • CPE Homepage: http://cpe.mitre.org
    • NVD CPE data feed: http://nvd.nist.gov/download.cfm#Dictionary
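To make the naming convention concrete, here is an added example (not code from the presentation or from MITRE's CPE tooling) that splits a CPE 2.2 URI into the seven components shown on the slide and then applies the simple CPE 2.2 matching rule a checklist processor uses to decide whether a benchmark platform applies to an inventoried product: a reference name matches a target when every component of the reference is either empty or equal to the target's. The inventory names are constructed.

```python
"""Parse and match CPE 2.2 URI names (added example)."""
from urllib.parse import unquote

# Component order from the CPE 2.2 URI layout: cpe:/{part}:{vendor}:{product}:...
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(name):
    """Split a CPE 2.2 URI into a dict; omitted trailing components become ''."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    fields = name[len("cpe:/"):].split(":")
    if len(fields) > len(COMPONENTS):
        raise ValueError(f"too many components in {name!r}")
    fields += [""] * (len(COMPONENTS) - len(fields))
    # Components are percent-encoded where they contain ':' or other reserved characters.
    parsed = dict(zip(COMPONENTS, (unquote(f) for f in fields)))
    if parsed["part"] not in ("h", "o", "a"):
        raise ValueError(f"part must be h (hardware), o (OS) or a (application) in {name!r}")
    return parsed


def cpe_matches(reference, target):
    """Simplified CPE 2.2 matching (assumption: the common subset-style rule).

    The reference (e.g. an XCCDF <platform idref>) matches the target (a name
    from asset inventory) when each reference component is empty or equal to
    the target's component, compared case-insensitively.
    """
    ref, tgt = parse_cpe(reference), parse_cpe(target)
    return all(ref[c] == "" or ref[c].lower() == tgt[c].lower() for c in COMPONENTS)


def applicable_targets(platform_refs, inventory):
    """Map each reference platform to the inventory names it applies to."""
    return {ref: [t for t in inventory if cpe_matches(ref, t)] for ref in platform_refs}


if __name__ == "__main__":
    # Constructed inventory; only the slide's example name is taken from the talk.
    inventory = [
        "cpe:/o:microsoft:windows_xp:::pro",
        "cpe:/o:microsoft:windows_vista",
        "cpe:/a:mozilla:firefox:3.6",
    ]
    for ref, hits in applicable_targets(["cpe:/o:microsoft:windows_xp"], inventory).items():
        print(ref, "->", hits)
```

A benchmark platform of cpe:/o:microsoft:windows_xp therefore applies to any XP edition, while a reference that pins the edition to pro does not apply to a target whose edition is unspecified.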
  • 13. Common Configuration Enumeration (CCE)
    • The CCE is a dictionary of names for software security configuration issues – for example, access control settings and password policy settings. By providing unique identifiers for system configuration issues, the CCE facilitates fast and accurate correlation of configuration data across multiple information sources and tools.
    • The CCE is managed by MITRE and is sponsored by the U.S. Department of Defense.
    • CCE Homepage: http://cce.mitre.org
  • 14. Common Vulnerability Scoring System (CVSS)
    • The CVSS is a standard severity scoring system for information security vulnerabilities. CVSS includes three groups of metrics: Base, Temporal, and Environmental.
    • CVSS is under the custodial care of the Forum of Incident Response and Security Teams (FIRST). However, it is a completely free and open standard.
    • CVSS Homepage: http://www.first.org/cvss/index.html
    • CVSS Specification: http://www.first.org/cvss/cvss-guide.html
    • NVD CVSS data feed: http://nvd.nist.gov/cvss.cfm
  • 15. SCAP Content
    • Utilizes parts of all 6 specifications to create a “stream” of compliance content
    • XCCDF is the glue that ties it all together
    • Several official streams are currently available from the NVD
      – Federal Desktop Core Configuration (FDCC)
      – United States Government Configuration Baseline (USGCB)
      – http://web.nvd.nist.gov/view/ncp/repository
    • Vendors are creating and using proprietary SCAP content
  • 16. National Vulnerability Database (NVD)
    • The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.
    • The NVD contains data feeds for each SCAP standard that can be used license-free by the security community. The NVD also contains SCAP security checklist data that can be used in conjunction with SCAP-compatible tools.
  • 17. FDCC & USGCB
    • FDCC is focused on Windows XP and Vista
    • Developed to address the 2007 OMB mandate for securing all Windows systems in the US Federal government
    • First officially approved SCAP stream of content
    • USGCB is currently focused on Windows 7 and IE 8
    • Will be adding new platforms soon
    • Evolved from the FDCC
  • 18. SCAP Tools
    • Vendors create tools that can process SCAP-expressed content and report standardized results
    • Tools are certified via the SCAP Validation Program
    • Independent testing labs are contracted by vendors to test tools and report results directly to NIST
    • Tool capabilities that can be validated
      – FDCC Scanner
      – Authenticated and Unauthenticated Configuration Scanner
      – Authenticated Patch and Vulnerability Scanner
  • 19. SCAP Community
    • Each specification has an independent community of contributors from academia, business and government supporting it
    • CVE and OVAL are the most active
    • No single vendor has “control” of any of the specifications
    • MITRE is the non-profit overseer and leads a great deal of the discussions
    • IT Security Automation Conference
      – Annual conference covering SCAP and many other initiatives related to Security Automation
      – http://scap.nist.gov/events/2010/itsac/presentations/index.html
  • 20. SCAP Future
    • Emerging Specifications
      – Asset Reporting Format (ARF)
      – Open Checklist Interactive Language (OCIL)
      – Open Checklist Reporting Language (OCRL)
      – Common Configuration Scoring System (CCSS)
      – Common Misuse Scoring System (CMSS)
    • The Holy Grail
      – Common Remediation Enumeration (CRE)
      – Extended Remediation Information (ERI)