
Classification of vulnerabilities

Classification of vulnerabilities Using CVE, CWE and CVSS.
Important links.



  1. Classification of vulnerabilities Using CVE, CWE and CVSS (26/03/2015, Mayur Mehta)
  2. Index
     - Introduction
     - Building Blocks
     - Acronyms
     - Heartbleed bug example
     - CVE
     - CWE
     - CVSS
     - Main differences
  3. Everything is Connected
  4. Cyber Threats Emerged Over Time
  5. Solutions Also Emerged Over Time
  6. Architecting Security with Information Standards
  7. Building Blocks
     - Enumerations: standard ways for enumerating "things we care about"
       - Catalog the fundamental entities in IA, Cyber Security, and Software Assurance
         - Vulnerabilities (CVE), misconfigurations (CCE), software packages (CPE), malware (CME), attack patterns (CAPEC), weaknesses in code/design/architecture (CWE)
     - Languages/Formats: languages and formats for encoding and carrying high-fidelity content about the "things we care about"
       - Support the creation of machine-readable state assertions, assessment results, and messages
         - Configuration/vulnerability/patch/asset patterns (XCCDF & OVAL), results from standards-based assessments (CRF), software security patterns (SBVR), event patterns (CEE), malware patterns (MAEC), risk of a vulnerability (CVSS), information messages (CAIF & *DEF)
     - Repositories: repositories of this content for use in communities or individual organizations
       - Packages of assertions supporting a specific application
         - Vulnerability advisories & alerts (US-CERT Advisories/IAVAs), configuration assessment (NIST Checklists, CIS Benchmarks, NSA Configuration Guides, DISA STIGs), asset inventory (NIST/DHS NVD), code assessment & certification (NIST SAMATE, DoD DIACAP & eMASS)
  8. Acronyms: Security Content Automation Protocol (SCAP)
  9. Heartbleed bug example
     Taking the Heartbleed bug as an example, this particular vulnerability is listed under the specific CVE identifier CVE-2014-0160. It is also classified under the more general weakness CWE-200: Information Exposure. In addition, it has been given a CVSS score of 6.4.
  10. CVE
     The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security.[1] CVE is used by the Security Content Automation Protocol, and CVE IDs are listed on MITRE's system[2] as well as in the US National Vulnerability Database.
     Wiki link: http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
     Year-wise data: http://www.cvedetails.com/browse-by-date.php
  11. CWE
     Common Weakness Enumeration is a software community project that aims at creating a catalog of software weaknesses and vulnerabilities. The goal of the project is to better understand flaws in software and to create automated tools that can be used to identify, fix, and prevent those flaws.[1] The project is sponsored by MITRE Corporation. In order to obtain CWE Compatible status, a product or a service must meet 4 out of 6 requirements.
     Wiki link: http://en.wikipedia.org/wiki/Common_Weakness_Enumeration
     MITRE database: http://cwe.mitre.org/data/slices/2000.html
  12. CVSS
     Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It is under the custodianship of NIST.[1] It attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so efforts can be prioritized. The scores are based on a series of measurements (called metrics) derived from expert assessment. The scores range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9 are Medium, and 0-3.9 are Low.
     Versions:
     - CVSSv1 – 2004
     - CVSSv2 – the current version, launched in 2007
     - CVSSv3 – expected to be released in late 2015
     The CVSS assessment measures three areas of concern:
     1. Base Metrics for qualities intrinsic to a vulnerability
     2. Temporal Metrics for characteristics that evolve over the lifetime of a vulnerability
     3. Environmental Metrics for vulnerabilities that depend on a particular implementation or environment
     Wiki link: http://en.wikipedia.org/wiki/CVSS
     Calculator: https://nvd.nist.gov/CVSS-v2-Calculator?vector=%28AV:L/AC:H/Au:N/C:N/I:P/A:C%29
  13. Main differences
     Main differences between the three standards:
     Full Name
       CVE:  Common Vulnerabilities and Exposures
       CWE:  Common Weakness Enumeration
       CVSS: Common Vulnerability Scoring System
     What is it?
       CVE:  A dictionary of publicly known security vulnerabilities and exposures.
       CWE:  A community-developed dictionary of software weakness types.
       CVSS: A vendor-agnostic industry open standard designed to convey vulnerability severity.
     Main Benefit
       CVE:  Easier to share vulnerability data across different databases and tools. Different security tools can now "talk" to each other using a common language.
       CWE:  Provides a standard measuring stick for software security.
       CVSS: Helps determine urgency and priority of response when vulnerabilities are detected.
     Solution
       CVE:  Provides a baseline for evaluating the coverage of an organization's security tools.
       CWE:  Provides a common baseline for weakness identification, mitigation and prevention efforts.
       CVSS: Solves the problem of multiple incompatible scoring systems.
     More information
       CVE:  http://cve.mitre.org/index.html
       CWE:  https://cwe.mitre.org
       CVSS: http://www.first.org/cvss