Page 1: 2010-12 SCAP Explained

© nCircle 2010. All rights reserved.

SCAP Explained

Overview of the Security Content Automation Protocol, Where It’s Been and Where It’s Going

Nick Hansen, Sr. Software Developer

Page 2: 2010-12 SCAP Explained


Overview

• Introduction
• What is SCAP and Security Automation?
• SCAP Specifications
• SCAP Tools and Content
• SCAP Community
• SCAP Future

Page 3: 2010-12 SCAP Explained


Introduction

• Nick Hansen, [email protected]
• Worked in Production Operations, Software Engineering and Management over the past 10 years
• Excite@Home, NOCpulse, Red Hat, Opsware, HP
• Involved with SCAP since 2006

Page 4: 2010-12 SCAP Explained


What is SCAP?

• The Security Content Automation Protocol
• Standards-based initiative for “organizing and expressing security-related information”
• Grew out of the confluence of several well-established, existing standards
• Managed by the US National Institute of Standards and Technology (NIST) and sponsored by the Department of Homeland Security to foster interoperable specifications with a focus on community participation
• http://scap.nist.gov/index.html

Page 5: 2010-12 SCAP Explained


What is SCAP? (con’t)

• Protocol: “A suite of six specifications that standardize the format and nomenclature by which security software communicates information about publicly known software flaws and security configurations annotated with common identifiers and embedded in XML”

• Content: “software flaw and security configuration standard reference data” in the form of checklists and SCAP “streams”

• Specification: NIST SP 800-126
  – http://csrc.nist.gov/publications/nistpubs/800-126/sp800-126.pdf

Page 6: 2010-12 SCAP Explained


Security Automation

• Managing security across the US Federal government and large enterprises is no small task

• Automation is needed to manage and secure many operating systems, applications and configurations

• Continuous monitoring and auditing are required to ensure the best possible security for the organization

• Many tools are available that perform specialized tasks but do not interoperate well enough to give a complete picture

• Requirements for compliance with multiple regulatory frameworks and guidelines

Page 7: 2010-12 SCAP Explained


SCAP 1.0 Specifications

Languages: provide a standardized means for identifying what is to be evaluated and for expressing how to check system state
• Open Vulnerability and Assessment Language (OVAL) 5.3 & 5.4 – Language for specifying low-level testing procedures used by checklists (MITRE)
• Extensible Configuration Checklist Description Format (XCCDF) 1.1.4 – Language for specifying checklists and reporting checklist results (NSA & NIST)

Enumerations: provide a standardized nomenclature and an associated dictionary of items expressed using that nomenclature
• Common Vulnerabilities and Exposures (CVE) – Nomenclature and dictionary of security-related software flaws (MITRE)
• Common Configuration Enumeration (CCE) 5 – Nomenclature and dictionary of system configuration issues (MITRE)
• Common Platform Enumeration (CPE) 2.2 – Nomenclature and dictionary of product names and versions (MITRE)

Vulnerability measurement and scoring systems: provide the ability within SCAP to measure and evaluate specific vulnerability characteristics to derive a vulnerability severity score
• Common Vulnerability Scoring System (CVSS) 2.0 – Specification for measuring the relative severity of software flaw vulnerabilities (FIRST)

Page 8: 2010-12 SCAP Explained


Common Vulnerabilities and Exposures (CVE)

• The CVE is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities and exposures. The purpose of the CVE is to catalog all known vulnerabilities.

• The CVE was started in 1999. It is currently sponsored by the United States Department of Homeland Security and managed by the MITRE Corporation.

• CVE: http://cve.mitre.org
• CVE Compatibility: http://cve.mitre.org/compatible

Example: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249

Page 9: 2010-12 SCAP Explained


Open Vulnerability and Assessment Language (OVAL)

• OVAL is the standard used to encode and transmit security information and system details. It is based on three XML schemas that represent the three steps of the security vulnerability assessment process:
  – Representing system configuration
  – Expressing a specific machine state
  – Reporting the results of the assessment

• Original purpose of OVAL was to describe how to identify specific vulnerabilities (i.e. CVEs)

• Now supports general configuration settings and patch installations

• OVAL is managed by MITRE and is sponsored by the U.S. Department of Homeland Security

Example: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:6835

Page 10: 2010-12 SCAP Explained


Extensible Configuration Checklist Description Format (XCCDF)

• XCCDF is an XML specification for structured collections of security configuration rules used by OS and application platforms

• Uses OVAL and CPE to build profiles that systems can be validated against

• Development of the XCCDF specification is led by the U.S. National Security Agency (NSA), published by NIST, and developed with contributions from the security community

Page 11: 2010-12 SCAP Explained


OVAL and XCCDF Links

• OVAL Homepage: http://oval.mitre.org
• OVAL Compatibility: http://oval.mitre.org/compatible
• XCCDF Standard: http://nvd.nist.gov/xccdf.cfm
• NIST National Checklist Program: http://nvd.nist.gov/ncp.cfm
• NVD XCCDF/OVAL data feed: http://nvd.nist.gov/scapchecklists.cfm

Page 12: 2010-12 SCAP Explained


Common Platform Enumeration (CPE)

• CPE is a naming convention for hardware, operating system (OS), and application products. Names have the form:

  cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}

  Example: cpe:/o:microsoft:windows_xp:::pro

• CPE is managed by MITRE and is sponsored by the U.S. Department of Defense

• CPE Homepage: http://cpe.mitre.org
• NVD CPE data feed: http://nvd.nist.gov/download.cfm#Dictionary
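The seven-component name format above, as an added example that is not part of the deck: a small parser for CPE 2.2 URIs and a simplified 2.2-style match in which an unspecified (blank) component matches any value. It ignores CPE 2.2 percent-encoding of special characters, which is an assumption made to keep the example short.

```python
# Added example (not from the nCircle deck): parse a CPE 2.2 URI into its
# seven named components and do a simplified 2.2-style match.
from typing import Dict, Optional

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri: str) -> Dict[str, Optional[str]]:
    """Split a CPE 2.2 URI such as cpe:/o:microsoft:windows_xp:::pro into a dict.
    Components that are absent or blank become None (meaning 'unspecified')."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE_FIELDS):
        raise ValueError("too many components in %r" % uri)
    if parts[0] not in ("h", "o", "a"):   # hardware, operating system, application
        raise ValueError("part must be h, o or a; got %r" % parts[0])
    parts += [""] * (len(CPE_FIELDS) - len(parts))   # pad so every field is present
    return {name: (value or None) for name, value in zip(CPE_FIELDS, parts)}


def cpe_matches(pattern: str, target: str) -> bool:
    """True when every specified component of `pattern` equals the corresponding
    component of `target`; unspecified components of the pattern match anything.
    This is the simplified 2.2 matching rule, without percent-decoding."""
    p, t = parse_cpe(pattern), parse_cpe(target)
    return all(p[f] is None or p[f] == t[f] for f in CPE_FIELDS)


if __name__ == "__main__":
    print(parse_cpe("cpe:/o:microsoft:windows_xp:::pro"))
    print(cpe_matches("cpe:/o:microsoft:windows_xp", "cpe:/o:microsoft:windows_xp:::pro"))
```

The second call shows why a benchmark's platform can name the product without an edition and still apply to the Professional edition, while a pattern that names an edition does not match a bare product name.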

Page 13: 2010-12 SCAP Explained


Common Configuration Enumeration (CCE)

• The CCE is a dictionary of names for software security configuration issues – for example, access control settings and password policy settings. By providing unique identifiers for system configuration issues, the CCE facilitates fast and accurate correlation of configuration data across multiple information sources and tools.

• The CCE is managed by MITRE and is sponsored by the U.S. Department of Defense.

• CCE Homepage: http://cce.mitre.org

Page 14: 2010-12 SCAP Explained


Common Vulnerability Scoring System (CVSS)

• The CVSS is a standard severity scoring system for information security vulnerabilities. CVSS includes three groups of metrics: Base, Temporal, and Environmental.

• CVSS is under the custodial care of the Forum of Incident Response and Security Teams (FIRST). However, it is a completely free and open standard.

• CVSS Homepage: http://www.first.org/cvss/index.html
• CVSS Specification: http://www.first.org/cvss/cvss-guide.html
• NVD CVSS data feed: http://nvd.nist.gov/cvss.cfm
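The Base metric group in working code, as an added example that is not part of the deck: it computes a CVSS 2.0 Base score from a base vector string using the Base equation and metric weights published in the CVSS v2.0 guide linked above (Temporal and Environmental groups are omitted).

```python
# Added example (not from the nCircle deck): CVSS 2.0 Base score from a base
# vector string, using the Base equation and weights of the CVSS v2.0 guide.
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 guide (Base metric group only).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}   # shared by the C, I and A metrics


def _round1(x: float) -> float:
    """round_to_1_decimal from the guide: one decimal place, halves rounded up."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {'AV': 'N', ...}, checking that
    all six Base metrics are present with legal values."""
    metrics = dict(item.split(":", 1) for item in vector.split("/"))
    tables = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
              "C": IMPACT, "I": IMPACT, "A": IMPACT}
    for name, table in tables.items():
        if metrics.get(name) not in table:
            raise ValueError(f"missing or invalid {name} metric in {vector!r}")
    return metrics


def cvss2_base_score(vector: str) -> float:
    """Base equation: Impact and Exploitability sub-scores, then the weighted
    sum; f(Impact) zeroes the score when no impact at all is possible."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


if __name__ == "__main__":
    # Remotely exploitable, no authentication, complete loss of C/I/A: the maximum.
    print(cvss2_base_score("AV:N/AC:L/Au:N/C:C/I:C/A:C"))
```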

Page 15: 2010-12 SCAP Explained


SCAP Content

• Utilizes parts of all 6 specifications to create a “stream” of compliance content
• XCCDF is the glue that ties it all together
• Several official streams are currently available from the NVD
  – Federal Desktop Core Configuration (FDCC)
  – United States Government Configuration Baseline (USGCB)
  – http://web.nvd.nist.gov/view/ncp/repository
• Vendors are creating and using proprietary SCAP content
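How XCCDF acts as the glue, as an added example that is not part of the deck: a constructed XCCDF 1.1 benchmark in which a Profile selects Rules, each Rule carries a CCE identifier and points at an OVAL definition, and the Benchmark names its CPE platform; the function resolves a profile to the platforms and OVAL definitions a scanner would have to evaluate. The benchmark, the CCE ids and the OVAL ids are placeholders, not entries from any real stream.

```python
# Added example (not from the nCircle deck): resolve an XCCDF Profile to the
# CPE platforms and OVAL definitions a scanner needs. Ids are placeholders.
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF_NS}

# Constructed sample benchmark; CCE and OVAL ids are placeholders, not real entries.
SAMPLE_BENCHMARK = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-benchmark">
  <title>Example benchmark</title>
  <platform idref="cpe:/o:microsoft:windows_xp"/>
  <Profile id="strict">
    <title>Strict profile</title>
    <select idref="rule-min-password-length" selected="true"/>
    <select idref="rule-guest-account" selected="false"/>
  </Profile>
  <Rule id="rule-min-password-length" severity="medium">
    <title>Minimum password length</title>
    <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-1</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="example-oval.xml" name="oval:example.org:def:1"/>
    </check>
  </Rule>
  <Rule id="rule-guest-account" severity="low">
    <title>Guest account disabled</title>
    <ident system="http://cce.mitre.org">CCE-PLACEHOLDER-2</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="example-oval.xml" name="oval:example.org:def:2"/>
    </check>
  </Rule>
</Benchmark>"""


def resolve_profile(xccdf_xml: str, profile_id: str) -> dict:
    """Return the benchmark's CPE platforms and, for every Rule the profile
    selects, a (rule id, CCE id, OVAL definition id) tuple."""
    root = ET.fromstring(xccdf_xml)
    profile = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise ValueError(f"no Profile with id {profile_id!r}")
    wanted = {s.get("idref") for s in profile.findall("x:select", NS)
              if s.get("selected") == "true"}
    checks = []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):   # Rules may also sit inside Groups
        if rule.get("id") not in wanted:
            continue
        cce = rule.findtext("x:ident", default="", namespaces=NS)
        ref = rule.find(f"x:check[@system='{OVAL_SYSTEM}']/x:check-content-ref", NS)
        checks.append((rule.get("id"), cce, ref.get("name") if ref is not None else None))
    return {"platforms": [p.get("idref") for p in root.findall("x:platform", NS)],
            "checks": checks}
```

Selecting a different Profile changes only the set of Rules, not their CCE or OVAL bindings, which is what lets one stream serve several baselines.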

Page 16: 2010-12 SCAP Explained


National Vulnerability Database (NVD)

• The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.

• The NVD contains data feeds for each SCAP standard that can be used license free by the security community. The NVD also contains SCAP security checklist data that can be used in conjunction with SCAP compatible tools.

Page 17: 2010-12 SCAP Explained


FDCC & USGCB

• FDCC is focused on Windows XP and Vista
• Developed to address the 2007 OMB mandate for securing all Windows systems in the US Federal government
• First officially approved SCAP stream of content

• USGCB is currently focused on Windows 7 and IE 8
• Will be adding new platforms soon
• Evolved from the FDCC

Page 18: 2010-12 SCAP Explained


SCAP Tools

• Vendors create tools that can process SCAP-expressed content and report standardized results
• Tools are certified via the SCAP Validation Program
• Independent testing labs are contracted by vendors to test tools and report results directly to NIST
• Tool capabilities that can be validated
  – FDCC Scanner
  – Authenticated and Unauthenticated Configuration Scanner
  – Authenticated Patch and Vulnerability Scanner

Page 19: 2010-12 SCAP Explained


SCAP Community

• Each specification has an independent community of contributors from academia, business and government supporting it
• CVE and OVAL are the most active
• No single vendor has “control” of any of the specifications
• MITRE is the non-profit overseer and leads a great deal of the discussions
• IT Security Automation Conference
  – Annual conference covering SCAP and many other initiatives related to Security Automation
  – http://scap.nist.gov/events/2010/itsac/presentations/index.html

Page 20: 2010-12 SCAP Explained


SCAP Future

• Emerging Specifications
  – Asset Reporting Format (ARF)
  – Open Checklist Interactive Language (OCIL)
  – Open Checklist Reporting Language (OCRL)
  – Common Configuration Scoring System (CCSS)
  – Common Misuse Scoring System (CMSS)
• The Holy Grail
  – Common Remediation Enumeration (CRE)
  – Extended Remediation Information (ERI)