Presentation: Speaker: Date: Time: Track: Cybercrime, CVEs, OVAL, CWE and why you must care! Gary Miliefsky November 21, 2007 15: 00 - 16: 15 3 (RM 802 AB) Copyright © 2007, Net. Clarity, Inc. All rights reserved worldwide. 1
“One of the Three Most Innovative Network Security Companies in the World” – RSA Award, 2007 Sec. Tor Presentation Cybercrime, CVEs, OVAL, CWE and why you must care! Speaker: Gary Miliefsky (Founder & CTO, Net. Clarity) Date/Time: November 21, 2007 15: 00 - 16: 15 Track: 3 (RM 802 AB) Note: Portions Copyright © Mitre Corporation. Portions released for public educational purposes with funding from the U. S. Department of Homeland Security with credits to MITRE for http: //makingsecuritymeasurable. mitre. org. Copyright © 2007, Net. Clarity, Inc. All rights reserved worldwide. 2
About Me: Gary S. Miliefsky § Founder & CTO, Net. Clarity, Inc. Net. Clarity is the Maker of Five Star Best Buy Vulnerability Management, Clientless NAC and Intrusion Prevention Appliances § § § 20 Year Network Security Veteran Computer Scientist CISSP® Board Member: NAISG. org Board Member: OVAL. MITRE. org DHS is funding CVE® at MITRE (I am a founding member) Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 3
Quick Overview of Cyber. Crime Source: Net. Clarity Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 4
Google Searches Web's Dark Side • Malicious programs are installed by visits to a booby-trapped site • One in 10 web pages scrutinized by search giant Google contained malicious code that could infect a user's PC. • Researchers from the firm surveyed billions of sites, subjecting 4. 5 million pages to "in-depth analysis". • About 450, 000 were capable of launching so-called "drive-by downloads", sites that install malicious code, such as spyware, without a user's knowledge. • A further 700, 000 pages were thought to contain code that could compromise a user's computer, the team report. • To address the problem, the researchers say the company has "started an effort to identify all web pages on the internet that could be malicious". Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 5
New Attack – Infecting Web Servers Source: Google Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 6
Malware Kits are Point and Click Source: Infection. Vectors Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 7
Identity - Bought and Sold Online • IRC - Internet Relay Chat - the place where people talk about all different subjects. • But instead of talking about MP 3 s, sports or games, these IRC channels cc-visa, ccfull, ccpower and trade-cc are where deals are done. • The "cc" stands for "credit cards" and these are the virtual markets where thousands of stolen numbers are bought and sold all day, every day. Source: BBC Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 8
The Results: Cyber. Crime is Pandemic • Viruses are on the decline as Trojans and Botnets take over • Cyber criminals will increasingly turn their attention to the web and away from e-mail security in 2008, according to a new report. • The number of websites being infected with malware malicious software - is on the rise with Sophos uncovering an average of 5, 000 new URLs hosting malicious code each day. Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 9
Why Do They Attack Web Servers • Easy Target (Port 80, DMZ) • Launch Zombie Adware Campaigns • Obtain Credit Card Information • Break into Online Banks Ultimately for $$$ Illegal Profit $$$ Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 10
Stopping Cyber. Crime, Hackers & Malware CVEs, OVAL, CWE and Why You Must Care! “It’s time to make security measurable” – makingsecuritymeasurable. mitre. org Source: Net. Clarity Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 11
Making Security Measurable • MITRE, in collaboration with government, industry, and academic stakeholders, is improving the measurability of security through enumerating baseline security data, providing standardized languages as means for accurately communicating the information, and encouraging the sharing of the information with users by developing repositories. Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 12
Making Security Measurable Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 13
The Building Blocks Are: cwe. mitre. org Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 14
Common Vulnerabilities and Exposures (CVE) • CVE: Enabling fast, accurate correlation of vulnerability information across the security industry • Key tenets – one identifier for one vulnerability – dictionary of standardized descriptions for vulnerabilities and exposures – publicly accessible for review or download from the Internet – international scope – industry participation in open forum (editorial board) – compatibility program for products & services Foundation for NIST NVD Program Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 15
Difficult to Integrate Information on Vulnerabilities and Exposures Security Advisories Priority Lists ? Vulnerability Scanners ? Research ? ? ? ? ? ? ? ? Vulnerability Web Sites & Databases Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. Software Vendor Patches ? Intrusion Detection Systems ? Incident Response & Reporting ? 16
Finding and sharing vulnerability the Security The adoption of CVE Names by information has been difficult: The Same Problem, Different Community addresses this problem Names Along has the caused by the finds it, gets a finds it, names it” Which withbeenrule, “Whoever CVE name for it” Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 17
The CVE List provides a path for integrating information on Vulnerabilities and Exposures Security Advisories Priority Lists Vulnerability Scanners Software Vendor Patches CVE-1999 -0067 Intrusion Detection Systems Incident Response & Reporting Research Vulnerability Web Sites & Databases Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 18
Where the CVE Items Come From AXENT, Bind. View, Harris, Cisco, CERIAS Vulnerability Legacy Submissions ~ pre-1999 Hiverworld, Security. Focus, ISS, NAI, Symantec, Nessus Databases CVE Content Team New Submissions 650– 800 per/month Alerts & Advisories w/candidates 40– 150 per/month Zero Day Public Vulnerabilities New Public Vulnerabilities ISS, Security. Focus, Neohapsis, NIPC Cyber. Notes CVE Editorial Board Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. Items with Unique CVE Names ~27, 663 19
CVE Growth Unique CVE Names Status (as of Nov 6, 2007) Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights • 27, 663 unique CVE names reserved worldwide. 20
Do. D’s Information Assurance Vulnerability Alerts (IAVAs) use CVE names CVE-names Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 21
The SANS Institute Top Twenty Lists use CVE names Cross-Platform CVE-names Windows http: //www. sans. org/top 20/ Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 22 Version 6. 01 Released Oct 12, 2006
Do. D 8500. 2 IA Implementation Instruction gives preference to products supporting CVE & OVAL Mission Assurance Category III Mission Assurance Category I The following appears for all three Mission Assurance Categories of DOD systems: VIVM-1 Vulnerability Management: A comprehensive vulnerability management process … automated vulnerability assessment or state management tools … regular internal and external assessments are conducted … For improved interoperability, preference is given to tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and use the Open Vulnerability Assessment Language (OVAL) to test for the presence of vulnerabilities. http: //www. nstissc. gov/html/library. htm Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 23
National Institute of Standards and Technology (NIST): Policy on the Use of CVE and CVE-Compatible products . Federal departments and agencies should… 1. give substantial consideration to the acquisition and use of security-related IT products and services that are compatible with the CVE naming scheme. 2. periodically monitor their systems for applicable vulnerabilities listed in the CVE naming scheme. 3. use the CVE vulnerability naming scheme in their descriptions and communications of vulnerabilities http: //csrc. nist. gov/publications/nistpubs/800 -51/sp 800 -51. pdf Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 24
CVE Compatibility Program (as of 1 Nov 2007) cve. mitre. org/compatible/ Computer Associates, IBM/ISS Now at 280 products and services from 158 organizations 158 280 Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 25
Open Vulnerabilities and Assessment Language (OVAL) • OVAL Language – – express specific machine states standardize the transfer of information XML based defined by XML Schema compatibility program for products & services • OVAL Repository – promote open and publicly available content – central meeting place • open community standard – to facilitate sharing – open up the details – utilize community expertise Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. Foundation for NIST SCAP Program 26
OVAL Schema n Three separate XML schemas – OVAL System Characteristics Schema – OVAL Definition Schema – OVAL Results Schema n OVAL Board Schema structure – core schema – individual component schemas Natural for software authors to provide expertise in shaping these schemas. Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 27
The Language text Vulnerability Assessment Security Bulletin <XML > Configuration Guide details system Asset Description Asset Management Report Generation System Details RPMs Registry Files Processes Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 28
Vulnerability Assessment Configuration Management OVAL Expert in the Community Definition Field OVAL Definition Assessment Tool OVAL Remediation Compliance Tool Checker Results Security Information Management (SIM) Assessment Tool Compliance OVAL Results OV AL SC OVAL SIM Results Tool OVAL Results Centralized Audit Validation Checker Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. OV AL SC Database OV AL SC 29
XCCDF-OVAL Connection XCCDF OVAL <Rule id="Require. CTRL_ALT_DEL" > <definition id="oval: gov. nist. 1: def: 69"> <Title> <metadata> Interactive logon: Require CTRL+ALT+DEL <title> Require CTRL_ALT_DEL <Reference> CCE-133 <reference> CCE-133 <Description> <criteria> Disabling the Ctrl+Alt+Del security attention sequence can compromise … Windows family, Windows XP, SP 2, 32 bit <Check> HKLMSoftwareMicrosoftWindows Current. VersionPoliciesSystem Disable. CAD = 0 oval: gov. nist. 1: def: 69 Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 30
Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 31
OVAL Compatibility Program (version 5 launched June 2006) oval. mitre. org/compatible/ Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 32
XML Output: Common Format Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 33
Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 34
It’s All About Automation… Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 35
…and Measurability. Enter CVSS… www. first. org/cvss/ Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 36
Common Vulnerability Scoring System (CVSS) • A universal way to convey vulnerability severity and help determine urgency and priority of responses • A set of metrics and formulas • Solves problem of multiple, incompatible scoring systems in use today • Under the custodial care of FIRST CVSS-SIG • Open, usable, and understandable by anyone • Version 2 released on June 20 th, 2007 Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 37
CVSS Overview Assigns impact ratings in three categories: • Base Score – Most fundamental qualities of a vulnerability – Does not change; intrinsic and immutable – Represents general vulnerability severity – Assigned to CVEs by NVD • Temporal Score (optional) – Time-dependent qualities of a vulnerability – Represents urgency at a specific point in time • Environmental Score (optional) – Qualities of a vulnerability specific to a particular IT environment Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 38
Common Platform Enumeration (CPE) • CPE Name Format – Allows creation of standard names for platform types – Built from seven (optional) components – cpe: / part : vendor : product : version : update : edition : language • part = a(pplication), o(perating system) or h(ardware) – “prefix property” allows matching more-specific names with more general names • CPE Dictionary – collection of agreed CPE Names – Ex: cpe: /a: microsoft: excel: 2003: sp 2 • CPE Language – used to combine CPE Names to identify complex platform types – E. g. a particular application running on a particular OS Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 39
Common Configuration Enumeration (CCE) • Assigns standardized identifiers to configuration issues, allowing comparability and correlation • An entry includes: – ID – Definition - Describes the configuration control… • … but does not assert a recommendation – Technical Mechanisms - Describes software constructs used to achieve the intended affect – Parameter – Describes conceptual range of values – References • Over 1000 entries for Windows operating systems and apps • Unix issues under discussion – Red Hat and/or Apple OSX CCEs likely soon Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 40
CCE & Configuration Guidance Documents CIS Benchmark v 1. 3 - Section 1. 3 Install SSH cd /etc/ssh cat <<EOCli. Config >>ssh_config Host * Protocol 2 EOCli. Config awk '/^Protocol/ { $2 = "2" }; /^X 11 Forwarding/ { $2 = "yes" }; /^Max. Auth. Tries/ { $2 = "3" }; /^Max. Auth. Tries. Log/ { $2 = "0" }; /^Ignore. Rhosts/ { $2 = "yes" }; /^Rhosts. Authentication/ { $2 = "no" }; /^Rhosts. RSAAuthentication/ { $2 = "no" }; /^Permit. Root. Login/ { $2 = "no" }; /^Permit. Empty. Passwords/ { $2 = "no" }; /^#Banner/ { $1 = "Banner" } { print }' sshd_config > sshd_config. new mv sshd_config. new sshd_config chown root: sys sshd_config chmod 600 sshd_config • THEN… • Primary Audience: – Human admins – NOT tools • Multiple reasonable technical interpretations of guidance 41
CCE & Configuration Guidance Documents CIS Benchmark (XCCDF) RULE: Configure SSH OVAL-DEF-ID: 78334 CIS Benchmark (OVAL) OVAL-DEF-ID: 78334: Configure SSH OVAL-TEST-ID: 84739: SSH uses protocol 2 only? OVAL-TEST-ID: 99383: SSH daemon restricts root login? OVAL-TEST-ID: 49488: SSH client has the proper global protocol configuration? OVAL-TEST-ID: 28274: SSH daemon maximum authorization tries is properly configure? • NOW… • XCCDF & OVAL foster a more structured expression of configs • Content more consumable by tools • BUT… 42
CCE & Configuration Guidance Documents CIS Benchmark (XCCDF) RULE: Configure SSH OVAL-DEF-ID: 78334 NIST CHECKLIST Benchmark (XCCDF) RULE: SSH protocol 2 OVAL-DEF-ID: 28274 RULE: SSH rhosts OVAL-DEF-ID: CCE-1234 SSH root 18474 RULE: login CIS Benchmark (OVAL) OVAL-DEF-ID: 29883 OVAL-DEF-ID: 78334: Configure SSH RULE: SSH client configuration OVAL-TEST-ID: 84739: SSH uses protocol 2 only? OVAL-DEF-ID: 74736 OVAL-TEST-ID: 99383: SSH daemon restricts root login? NIST CHECKLIST (OVAL) OVAL-TEST-ID: 49488: SSH client has the proper OVAL-DEF-ID: 28274: SSH protocol 2 global protocol configuration? OVAL-DEF-ID: 18474: SSH rhosts OVAL-TEST-ID: 28274: SSH daemon maximum authorization tries is properly configure? OVAL-DEF-ID: 29883: SSH root login OVAL-DEF-ID: 74736: SSH client configuration • … Different organizations can produce different XCCDF/OVAL content • Common identification enables correlation 43
CCE and Other Configuration Tools XCCDF/OVAL Config Guidance Text-based Config Guidance – NSA Security Guides – Center for Internet Security – NIST Checklists – NSA Security Guides – DISA Stigs – Vendor Websites – Internal Checklists CCE-1234 ? Add CCE ids to text and reference fields OVAL Compatible Tools Legacy Tools – Arc. Sight, Big. Fix, Citadel, KACE, – Red Hat, Secure Elements, – Threat. Guard, Net. Clarity – DISA Gold Disk – Legacy COTS (many) 44
CCE and Other Configuration Tools XCCDF/OVAL Config Guidance Text-based Config Guidance – NSA Security Guides – Center for Internet Security – NIST Checklists – NSA Security Guides – DISA Stigs – Vendor Websites – Internal Checklists CCE-1234 OVAL Compatible Tools Legacy Tools – Arc. Sight, Big. Fix, Citadel, KACE, – Red Hat, Secure Elements, – Threat. Guard, Net. Clarity – DISA Gold Disk – Legacy COTS (many) • Common identification enables correlation 45
CCE and Compliance ISO 17799 COBIT NISTsp 800 -53 BITS Do. D 8500. 2 CCE standardizes references for configuration controls Requirements Traceability? Simplified traceability XCCDF/OVAL Config Guidance OVAL Compatible Tools CCE-1234 Text-based Config Guidance Legacy Tools • Common identification enables correlation 46
Common Weakness Enumeration (CWE) • dictionary of weaknesses – weaknesses that can lead to exploitable vulnerabilities (i. e. CVEs) – the things we don’t want in our code, design, or architecture – web site with XML of content, sources of content, and process used • structured views – currently provide hierarchical view into CWE dictionary content – will evolve to support alternate views cwe. mitre. org • open community process – to facilitate common terms /concepts/facts and understanding – allows for vendors, developers, system owners and acquirers to understand tool capabilities /coverage and priorities – utilize community expertise Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. Foundation for other DHS, NSA, OSD, NIST, OWASP, SANS, SEI, and OMG Sw. A Efforts 47
Vulnerability Type Trends: A Look at the CVE List (2001 - 2006) 48
Removing and Preventing the Vulnerabilities Requires More Specific Definitions…CWEs Cross-site scripting (XSS) (79) • Basic XSS (80) • XSS in error pages (81) • Script in IMG tags (82) • XSS using Script in Attributes (83) • XSS using Script Via Encoded URI Schemes (84) • Doubled character XSS manipulations, e. g. '<<script’ (85) • Invalid Characters in Identifiers (86) • Alternate XSS syntax (87) • Mobile Code: Invoking untrusted mobile code (494) Buffer Errors (119) • Unbounded Transfer (classic overflow) (120) • Write-what-where condition (123) • Boundary beginning violation ('buffer underwrite') (124) • Out-of-bounds Read (125) • Wrap-around error (128) • Unchecked array indexing (129) • Length Parameter Inconsistency (130) • Other length calculation error (131) • Miscalculated null termination (132) • String Errors (133) • Often Misused: Path Manipulation (249) Relative Path Traversal (22) • Path Issue - dot slash - '. . /filedir’ (24) • Path Issue - leading dot slash - '/. . /filedir’ (25) • Path Issue - leading directory dot slash - '/directory/. . /filename’ (26) • Path Issue - directory doubled dot slash - 'directory/. . /filename’ (27) • Path Issue - dot backslash - '. . filename’ (28) • Path Issue - leading dot backslash - '. . filename’ (29) • Path Issue - leading directory dot backslash - 'directory. . filename’ (30) • Path Issue - directory doubled dot backslash - 'directory. . filename’ (31) • Path Issue - triple dot - '. . . ’ (32) • Path Issue - multiple dot - '. . ’ (33) • Path Issue - doubled dot slash - '. . //’ (34) • Path Issue - doubled triple dot slash - '. . . //’ (35) 49
PLOVER CWE draft 5 CWE draft 7 The Preliminary List Of Vulnerability Examples for. Researchers (PLOVER) evolving into the Common Weakness Enumeration (CWE) 300 nodes Aug 2005 627 nodes 500 nodes Dec 2006 Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. Oct 2007 50
To subscribe, see: http: //cwe. mitre. org/community/registration. html or just send an email to listserv@lists. mitre. org with the command: subscribe CWE-RESEARCH-LIST Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 51
CWE Compatibility & Effectiveness Program ( launched Feb 2007) cwe. mitre. org/compatible/ 22 Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 12 52
CWE Draft 8 - initial scope • Add difference reports for each new release of CWE • Rewrite all “attack-ish” weaknesses to be about the weakness (i. e. , xss, csrf) • Add weakness covered by CAPEC but not yet in CWE • Add direct references to CAPEC IDs for attacks relevant to CWEs • Other scrub-based clean ups as available Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 53
Building A Common Enumeration GMU IBM Previously Published Vulnerability Taxonomy Work Stanford SEI VERACODE UC Berkeley Purdue NSA/CTC SPI Dynamics JMU Coverity Core Security Kestrel Technology Parasoft MIT LL Watchfire Security Institute Unisys Oracle Cenzic KDM Analytics UMD NCSU CVE and NVD using CWEs Cigital’s Gary Mc. Graw’s Work and Taxonomy CVE-based PLOVER Work OWASP’s Checklist and Taxonomy Secure Software’s John Viega’s CLASP and Taxonomy Fortify’s Brian Chess’s Work and Taxonomy Dictionary Microsoft’s Mike Howard’s Work and Taxonomy Klocwork’s Checklist and Taxonomy Ounce Lab’s Taxonomy Gramma Tech’s Checklist and Taxonomy DHS’s BSI Web site DHS’s Sw. A CBK & Acq Guide Common Weakness Enumeration (CWE) ----------------------------- SEI CERT call & count the same enable metrics & measurement Sw. A SIG OWASP & WASC CWE Compatibility CWEs that a Tool finds DHS/NIST SAMATE Tool Assessment S ecure Coding Standards Effort SANS National Secure Programming Skills Center for Assured SW Reference Dataset Assessment ISO/IEC JTC 1/SC 22's OWGV - Other Working Group on Vulnerabilities 54
What is CAPEC? • MITRE hosted Community effort targeted at: – Standardizing the capture and description of attack patterns – Collecting known attack patterns into an integrated enumeration that can be consistently and effectively leveraged by the community – Classifying attack patterns such that users can easily identify the subset of the entire enumeration that is appropriate for their context • Where is CAPEC today? – http: //capec. mitre. org – Currently 101 patterns – Future plans • • • New patterns Align patterns with other resources Formalize patterns to finer granularity to support bridging with the malware and incident response communities Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 55
Attack Patterns Overview • Represent common approaches to attack • Abstracted from actual exploits and attacks • Gives you an attacker’s perspective you may not have on your own • Excellent resource for many key activities – – Abuse Case development Architecture attack resistance analysis Risk-based security testing Red team penetration testing • Resources – – – Attack Patterns article series on Build Security In website (buildsecurityin. uscert. gov) Common Attack Pattern Enumeration and Classification (CAPEC) Exploiting Software [Hoglund & Mc. Graw 04] • Primarily attack-centric testing methods Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 56
What do Attack Patterns Look Like? • Primary Schema Elements – Identifying Information • Supporting Schema Elements • Attack Pattern ID • Attack Pattern Name – Describing Information • • • Description Related Weaknesses (CWE IDs) Related Vulnerabilities (CVE IDs) Method of Attack Examples-Instances References – Prescribing Information • Solutions and Mitigations – Scoping and Delimiting Information • • Typical Severity Typical Likelihood of Exploit Attack Prerequisites Attacker Skill or Knowledge Required Resources Required Attack Motivation-Consequences Context Description Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. – Describing Information • • Injection Vector Payload Activation Zone Payload Activation Impact – Diagnosing Information • Probing Techniques • Indicators-Warnings of Attack • Obfuscation Techniques – Enhancing Information • • Related Attack Patterns Relevant Security Requirements Relevant Design Patterns Relevant Security Patterns 57
What Have We Learned? • Cyber. Crime is on the rise! • Without measurability of INFOSEC, we fail. • How can we measure twice and cut once? Leverage the work MITRE is doing: • enumerating baseline security data, • providing standardized languages as means for accurately communicating the information • encouraging the sharing of the information with users by developing repositories. Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 58
Making Security Measurable Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 59
Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 60
Thank You! A copy of this Powerpoint is Available from the Sec. Tor Conference team. If you need a copy or more information, please also feel free to send me an email: garym@netclarity. net Copyright © 2007, MITRE and portions by Net. Clarity, Inc. All rights reserved worldwide. 61
Скачать презентацию Presentation Speaker Date Time Track Cybercrime CVEs OVAL
24969409418898df514e7416a4c56fd1.ppt